Security Analysis of The European Citizen Card Dimitris Tolis

(...
.
.
.
2010-2011
ii

. ,
. ,
. .
. ,

. ,

. ,

,
2010-2011
iii
.
iv

,
, , .
,
, ,
,
,
. ,
,
.

, ,
, ,
,
.
,

ICAO
.
.
, : ) (
) ,
) ,
.
,
.
,
, ,

( ) (SCA)
.
,
, -
, .
vi
SECURITY ANALYSIS OF THE

EUROPEAN CITIZEN CARD
Abstract
This work was elaborated aiming at the extensive study of said identity smart cards with focus
in the European Citizen Card (ECC) and its use, its incorporated security level plus the existing
legislation frame in Greece.
More specifically, after a brief historical overview and reference to the makeup of smart cards
and their applications, we refer to the use and functions of the ECC with regards to the
requirements of Public Administration and citizen expectations. Our primary concern is always
security issues and privacy protection. Subsequently the existing legal framework of ECC in the
European and Greek legislation is analyzed.
The presentation of the physical and electrical characteristics of the ECC follows the
apposition of security requirements relatively to the printing methodology and the protection
against copying. Moreover the card personalization techniques and quality control is discussed
as well as the safety of facilities, the types of operating systems and todays cards
manufacturers.
Advancing we examine what kind of data are stored in the integrated circuit of ECC and how
are these organized in a logical data structure on the file system according to the ICAO
international organization. After a brief reference to the initial establishment of
communication between reader and card and some basic card commands the major privacy
threats follow. Suggested security mechanisms in use today like access control, data
authentication and secure messaging are presented in detail together with the necessary public
key infrastructure. Their benefits and deficiencies are explained together with some thoughts in
relation to the EU-wide interoperability.
The next important part of the survey is the electronic signatures that enable a vast range of
transactions in the eGovernment age. Their legal and regulatory framework is presented
together with the algorithms and the various types of electronic signatures, their legal validity
and the data included in the signature certificates. A more in depth analysis follows of the
vii
interactions between the secure signature creation device (citizen card) and the middleware
responsible for generating and validating electronic signatures.
Last but not least, the different implementations of citizen cards in national level inside the
European economic area are studied. The choices made and their implications are discussed
and summarized in comparative tables.
This work concludes with the authors comments on the previously presented security
mechanisms and methods as specified by the various related standards and proposals, the
nowadays tendencies and the future vision.
viii
,
. ,
,
.
, ,
.
,
, .
., ., .
, 2011
.
2
1: .................................................................................................. 13
1.1
..................................................................................................................... 13
1.2
...................................................................................................... 15
1.2.1
........................................................................................................... 15
1.2.2
....................................................................................................... 19
1.2.3
................................................................................................. 21
1.2.4
............................................................................................ 22
1.2.4.1
................................................................................ 22
1.2.4.2
................................................................... 23
1.2.4.3
........................................................................................... 24
1.2.5
(Standardization).............................................................................................. 26
2: ............................................. 28
2.1
& ECC............................................................................... 28
2.2
&
...................................................................................................................... 30
2.2.1
2.2.2
................................................................................................. 30
.................................................................................................................... 30
2.3
....................................................... 31
2.4
ECC ........................................................................ 32
2.5
ECC................................................................................................ 32
2.6
ECC .......................................................................... 33
2.7
IC .................................................................... 34
3: ........................................................ 36
3.1
MRTDs .................................................................. 36
3.2
...................................................... 39
3.3
..................................................................................... 41
3.4
..................................................................................... 43
3.4.1
...................................................................................................................... 44
3.4.2
............................................................................................................... 45
3.4.2.1
1999/93/ ........................................................................................................... 45
3.4.2.1.1 ................................... 47
3.4.2.1.2 ... ............................................................................................................. 48
3.4.2.1.3 ...................................................... 49
3.4.2.1.4 A ........................................ 50
3.4.2.1.5 ............................................... 51
3.4.3
................................................................................................................... 52
3.4.3.1
150/2001 ........................................................................................ 53
3.5
................................................................ 54
3.6
................................................................ 57
4: ECC & .............................. 60

4.1
......................................................................................... 60
4.1.1
................................................................................................................... 60
4.1.2
................................................................................................................................ 61
4.1.2.1
................................................................................................................................... 63
4.1.2.1.1 PVC () ............................................................................................... 65
4.1.2.1.2 ABS (acryl butadiene styrene) ........................................................................................... 66
4.1.2.1.3 PC () .......................................................................................................... 66
4.1.2.1.4 PET (polyethylene terephthalate - ) ................................... 68
4.1.2.1.5 PETG (Polyethylene terephthalate glycol) ........................................................................ 69
4.1.2.1.6 .................................................................................................................. 69
4.1.2.1.7 ................................................................................................................. 70
4.1.2.1.8 .................................................................................................................... 71
4.1.2.2
......................................................................................................................... 72
4.1.2.3
............................................ 78
4.1.2.3.1 ...................................................................................................... 78
4.1.2.3.2 ................................................................................ 80
4.1.2.3.3 ................................................................................. 82
4.1.2.3.4 ECC .............................................................................................. 86
4.1.2.4
........................................................................................................................... 87
4.2
4.2.1
4.2.2
4.2.3
4.3
................................................................................... 87
............................................................................................................... 87
............................................................................................................... 88
ICAO CEN .................................................................. 89
............................................................................... 92
4.3.1
.................................................................................................................. 93
4.3.1.1
offset ................................................................................................................ 93
4.3.1.2
(Rainbow colouring).............................................................................. 94
4.3.1.3
................................................................................................... 94
4.3.1.4
(Screen printing).......................................................................................... 95
4.3.1.5
........................................................................................................... 95
4.3.1.6
...................................................................................................... 96
4.3.1.7
(Form printing) ................................................................................... 96
4.3.1.8
(Numbering)...................................................................................................... 97
4.3.2
.......................................................................................... 98
4.3.3
............................................................................................................... 98
4.3.3.1
- (thermo transfer printing) ..............................................100
4.3.3.2
E - (thermo sublimation printing) ........................................103
4.3.3.3
- (thermo retransfer printing) ................................104
4.3.3.4
(laser engraving).................................................................................105
4.3.4
......................................................................................................................106
4.4
................................................................................... 107
4.5
..................................................................................................... 109
4.5.1
...............................................................................................109
4.5.2
.....................................................................................................113
4.5.2.1
Gemalto ............................................................................................................................114
4.5.2.2
Giesecke & Devrient ........................................................................................................114
4.5.2.3
Toppan Printing Co. Ltd ...................................................................................................115
4.5.2.4
Evolis.................................................................................................................................116
4.5.2.5
Sagem-orga (brand name: Morpho) ...............................................................................116
4.5.2.6
Oberthur Card Systems....................................................................................................117
4.5.2.7
CardLogix ..........................................................................................................................118
4.5.2.8
Datacard Group ................................................................................................................118
4.5.3
.........................119
5: IC ................................................ 121
5.1
& LDS ..................................................... 121
5.1.1
................................................................................................121
5.1.2
eMRTDs ............................................................................124
5.1.3
& ..........................................................................126
5.1.4
& LDS .....................................................................128
5.1.5
LDS.................................................................130
5.1.6
...................................136
5.1.7
& .........................................................................................137
5.1.8
APDUs & eMRTD .....................................................................................143
5.1.9
.......................148
5.1.9.1
UID .......................................148
5.1.9.2
...........................................................................150
5.1.9.3
......................................153
6: IC ... 155
6.1
........................................................................................ 155
6.2
PKI.......................................................................................................................... 159
6.2.1
.................................................................................................................................159
6.2.2
& .................................................................................160
6.2.3
....................................................................165
6.2.3.1
.............................................................................................................................169
6.2.4
PKI MRTDs ICAO ...................................................................................................171
6.2.4.1
...............................................................................175
6.2.5
PKI MRTDs BSI.......................................................................................................175
6.2.6
MRTD ...........................................178
6.3
ICAO ................................. 181
6.3.1
Passive Authentication () ..................................................................................181
6.3.1.1
Passive Authentication ...........................................................................182
6.3.2
Active Authentication (AA) ().............................................................................183
6.3.2.1
AA ............................................................................................................186
6.4
ICAO ...................................................... 187
6.4.1
Basic Access Control (BAC) () .............................................................................187
6.4.1.1
Secure Messaging BAC .............................................................................191
6.4.1.2
BAC ..........................................................................................................194
6.4.2
ICAO () ..................197
6.5
6.5.1
6.5.2
6.5.3
6.5.4
BSI .................................................. 199

Extended Access Control (EAC) .................................................................................................200
.........................................................................202
Secure Messaging ......................................................................................................................205
Password Authenticated Connection Establishment (PACE) ...................................................206
6.5.5
Chip Authentication (CA) ...........................................................................................................209
6.5.6
Terminal Authentication (TA) ....................................................................................................211
6.5.6.1
TA ............................................................................................................213
6.5.7
Restricted Identification (RI) ......................................................................................................214
6.6
................................................................ 216
6.7
CEN 15480 ........................................................................................ 220
6.7.1
...................................................................................................................220
6.7.2
CEN 15480-3 Card-Verifiable Certificates ...................................................222
6.7.3
CEN 15480 ...........................................................................................223
6.7.3.1
) eID ...................................................................................................................223
6.7.3.2
d) eID (IAS) ..........................................................................................................224
6.7.4
.......................................................................225
6.7.5
......................................................................................................226
6.7.5.1
() .....................................................227
6.7.5.2
........................................................................228
7: ................................................................... 230
7.1
................................................................................................................ 230
7.2
...................................................................................................... 232
7.2.1
7.2.2
7.3
7.3.1
7.3.2
7.3.3
7.3.4
7.4
....................................................................................................233
....................................................................................................234
........................... 237
...............................................................................................238
.....................................................................................238
.............................................................................241
........................241
............................................................................................. 243
7.4.1
....................................................................................243
7.4.1.1
RSA ...............................................................................................................246
7.4.1.2
DSA ...............................................................................................................247
7.4.1.3
ECDSA (Fp) ...............................................................................248
m
7.4.1.4
ECDSA (F2 )...............................................................................249
7.4.1.5
ECGDSA (Fp) .............................................................................250
m
7.4.1.6
ECGDSA F2 ................................................................................251
7.4.2
BnetzA ...........................................................251
7.5
......................................................................................... 253
7.5.1
...............................................................255
7.5.1.1
SHA-1 ................................................................................................................................255
7.5.1.2
RIPEMD160 ......................................................................................................................255
7.5.1.3
SHA 224 ............................................................................................................................256
7.5.1.4
SHA 256 ............................................................................................................................256
7.5.1.5
WHIRLPOOL ......................................................................................................................256
7.5.1.6
SHA 384 ............................................................................................................................257
7.5.1.7
SHA 512 ............................................................................................................................257
7.5.2
BnetzA .............................................................258
7.6
..................................................................................... 259
8: ...................................................................................... 260
6
8.1
.................................................................................................... 260
8.2
........................................................... 260
8.2.1
.509 ......................................................................................................................262
8.3
............................................................................... 264
8.4
....................................... 265
8.5
...................................... 269
8.6
............................................................ 270
9: eID .................... 272

9.1
.................................................................. 272
9.2
................................................................ 274
9.3
.................... 276
9.4
............................................................................ 277
9.5
.......................................... 281
9.5.1
..............................................................................................................281
9.5.1.1
.................................................................282
9.5.1.1.1 ..................................................................................285
9.5.1.2
.............................................285
9.5.1.2.1 ...............................................................................................286
9.5.1.2.2 ...............................................................................................288
9.6
ICC ......................................................................... 289
9.6.1
9.6.2
9.6.3
9.6.4
9.7
ICC IFD ........................................................................................289

ICC ........................................................................................291
ICC............................................................................292
ICC ........................................................................................293
ICC........................................................................ 295
9.7.1
................................................................................295
10: eID
.................................................................................................................................... 299
10.1
............................................................................................ 299
10.1.1
10.1.2
10.1.3
10.1.4
10.2
- eID ........................................................................... 315
10.2.1
10.2.2
10.2.3
10.3
...........................................302
..........................................................................303
, & ...................308
eIDs....................................................................................................................312
................................................................................................................................315
.................................................................................................................................317

.............................................................................................................320
- eID ............................................................................... 324
10.3.1
10.3.2
10.3.3
..............................................................................................................................324
.................................................................................................................................328
.............................................................................................................................332
10.3.4
10.3.5
10.3.6
10.3.7
10.3.8
10.3.9
10.3.10
10.3.11
10.3.12
10.3.13
..............................................................................................................................336
..................................................................................................................................340
...............................................................................................................................342
...........................................................................................................................346
............................................................................................................................349
..............................................................................................................................353
...................................................................................................................355
.........................................................................................................................356
.......................................................................................................................358
.........................................................................................................................360
11: - .............................................................. 362

11.1
.................................................................................................... 362
11.2
............................................................................................................... 366
11.2.1
..................................................................................................................367
............................................................................................................ 369
A I: ICAO DES ..................................................................... 1
A II: SECURE HASH STANDARD ...................................................................... 4
A II: ISO STANDARDS.................................................................................... 7
ISO/IEC 7810 ................................................................................................................ 7
ISO/IEC 7816 ................................................................................................................ 8
ISO/IEC 14443 ............................................................................................................ 11
ISO/IEC 19794 ............................................................................................................ 12
ISO/IEC 10373 ............................................................................................................ 14
IV: (EESSI)
...................................................................................................................................... 16
CEN CWA 14169 Secure Signature-Creation Devices, version EAL 4+....... 16
CWA 14170 Security Requirements for Signature Creation Systems ............. 16
CWA 14171-00 General guidelines for electronic signature verification......... 16
EN 14890-1, Application Interface for smart cards used as Secure Signature
Creation Devices ....................................................................................................... 17
EN 14890-2, Application Interface for smart cards used as Secure Signature
Creation Devices ....................................................................................................... 17
ETSI TS 102 176-1 Algorithms and Parameters for Secure Electronic
Signatures, ................................................................................................................. 19
EN 726 ......................................................................................................................... 19
--
1: ...................................................................................................... 21
2: ......................................... 27
3: ECC.................................................................................................................... 73
4: ECC...................................................................................................................... 74
5: ICAO ........................................................................................................... 77
6: ................................................................................................ 89
7: ............... 92
8: MRZ ................................................................................................... 123
9: eMRTDs [ICAO 9303 P3V2] ........................ 125
10: LDS ................................... 132
11: 3 ( LDS ) ..... 133
12: ISO/IEC 7816-4 .......................................................................... 140
13: EF.COM .................................................................................................. 142
14: INTERNAL AUTHENTICATE [RWEW03] ...................... 146
15: EXTERNAL AUTHENTICATE [RWEW03] ............... 147
16: PICC A [Y08] ............................. 151
17: bit Manchester (PICC ) [RWEW03] .......... 153
18: [SSG10] ..................................... 167
19: [SSG10] ............................................. 168
20: ) PKI ICAO ) ...................................... 173
21: PKI BSI [BSI-TR-03110]................................................................................................. 176
22: [BSI-TR-03110] .................................... 179
23: BAC KENC KMAC............................................................................................... 189
24: APDU [BSI-TR-03110] ................................................................. 193
25: APDU [BSI-TR-03110] ............................................................ 194
26: EAC BSI (: [DF10]) ...................................................................................... 201
27: IS ePassport [BSI-TR-03110] .. 205
28: PACE [BSI-TR-03110] ............................................................................................. 208
29: Chip Authentication ver.1 [BSI-TR-03110] ............................................................. 210
30: Terminal Authentication ver.2 [BSI-TR-03110] ...................................................... 212
31: Restricted Identification [BSI-TR-03110] ................................................................ 215
32: [CEN 15480-3] ......................................................................... 223
33: IAS-ECC, () ()......................................... 225
34: ........................................................................ 232
35:
............................................................................................................................................................................. 262
36: OBJECT IDENTIFIER ............ 266
37: MONETARY VALUE ,
........................................................................ 267
38: RETENTION PERIOD
............................................................................................... 268
39: OBJECT IDENTIFIER
SSCD .................................................................................................... 268
40: [CWA 14170] ............................................................................. 273
41: ......................................................................... 277
42: SCA SSCD 1999/31/ [EN
14890-1] .............................................................................................................................................................. 278
43: ICC ESIGN [EN 14890-1] 279
44: ................................................................................................. 280
45: ............................................................................................ 280
46: 12345
............................................................................................................................................................................. 285
47: ..................................................................................................... 288
48: ................................................................................................... 288
49: ..................................................... 290
50:
................................................................................................................................................ 296
51: .......................................... 299
52: ( ) ................... 315
53: PKI eID (: [CWP06]) ................................................... 330
54: 3DES / CBC Mode.................................................................. 2
55: MAC ................................................................................................................................. 3
56: ICC (EN 14890-2) ...................................................................... 18
57: Diffie-Hellman (EN 14890-2)....................................................... 18
1: ............................................................................... 25
2: ISO/IEC 7810 ............................................................. 61
3: ........................................................................................ 72
4: [DATACRD] ...................................................... 92
5: ....................................................... 110
6: ......................................................... 111
7: .................................. 120
8: DG2 ......................................................................................... 133
9: ........................................................... 135
10: ISO/IEC 19785 ............................................................................ 136
11: ................................................... 141
12: APDU ..................................................................................................................... 143
13: APDU ................................................................................................................. 144
14: ICAO ............................................... 180
15: BAC ............................................................. 188
16: [ICAO 9303 P3V2] ........................................................ 199
17: ICAO............................................................................ 216
18: ICAO ........................................................................... 217
19: BSI ............................................................................... 218
20: ........................................... 219
21: Primary Account Number ECC............................................................................................... 226
22: , [EN 14890-1] .............................................................. 227
23: ................................................................ 244
24:
[ETSI TS 102 176-1] .............................................................................................................. 245
25: ................................................ 252
26: ............................................................................................. 255
27: ............................................................ 257
28: K BnetzA .................................................................... 258
29: ........................................................................................... 259
30: X.509 .................................................................................................... 263
31: APDU VERIFY ...................................................................................................... 282
32: APDU VERIFY ................................................................................... 283
33: APDU Password Change ...................................................................................... 283
34: APDU Password Change................................................................... 283
35: APDU RESET RETRY COUNTER........................................................................ 283
36: APDU RESET RETRY COUNTER .................................................... 284
37: APDU x ....................................................... 287
38: APDU .................................... 287
10
39: APDU ........................................................ 289

40: APDU .................................... 289
41: APDU o ICC ................................................. 292
42: APDU o ICC ............................. 292
43: APDU o ICC.
(1/2) ....................................................................................................................... 292
44: APDU PSO:HASH.................................................................................. 293
45: APDU o ICC.
(2/2)................................................................................................................................................... 293
46: APDU PSO-COMPUTE DIGITAL SIGNATURE ................................. 293
47: APDU o ICC.
ICC (1/2) ............................................................................................................................................................. 294
48: APDU o ICC.............................. 294
49: APDU o ICC.
(2/2) ..................................................................................................................................................................... 294
50: APDU PSO-COMPUTE DIGITAL SIGNATURE ................................. 294
51: APDU ...................................................... 296
52: APDU ................................................ 297
53: APDU MSE:SET .................................................................................................... 297
54: APDU MSE:SET..................................................... 297
55: APDU VERIFY DIGITAL SIGNATURE ................................................................... 298
56: APDU DIGITAL SIGNATURE .............................. 298
57: ID eID () ..................................................... 300
58: , , eID ............................ 304
59: eID ......................................................... 305
60: , eIDs........... 311
61: SHA [FIPS 180-3] .................................................................................. 4
62: SHAs bits [NIST SP 800-107] ............................................................ 5
63: SHAs, bits [NIST SP 800-57] ........................................... 6
1:
................................................................................................................................................................ 17
2: .... 24
3: ICAO eMRTD........................................................................................................... 35
4: ...................................................................................................................................... 39
5: (polycarbonate) ........................................................ 68
6: .......................................................................................... 71
7: ........................................................................................................................... 78
8: ( ) ( ) (
) ......................................................................................................................................................... 81
9: (security background printing) ..................................................... 81
10: (polycarbonate): ...................... 82
11: UV ...................................................................................................................................... 83
12: ( )................................................................ 83
13: MLI (Multiple Laser Image) .............................................................................................................. 85
14: ............................................................................................ 86
15: offset.................................................................................................................................. 93
16: ................................................................................................................................ 94
17: ..................................................................................................................... 95
18: - & ............................. 96
19: ..................................................................................................... 97
20: ................................................................. 98
21: - ........................................................................................ 100
22: - ............ 102
11
23: .......................................................................................................... 105

24: ............................................................................................... 122
25: (ICAO)........................................................................................... 128
26: ............................................................................................................. 234
27: .............................................................................................................. 236
28: eIDs, (%) eID..................................................................... 313
29: Internet online Banking, (%), 2009 ........................................................... 313
30: E-Government, 16-74 online 20
(%), 2009.......................................................................................................................... 314
31: ID ........................................................................................................... 319
32: NO2ID ....................................................................... 322
33: eID . ..................................................................................... 324
34: , - ..................................................... 327
35: eID PC ........................................... 331
36: Kids eID............................................................................................................................. 332
37: ePassport () eID ().............................................................. 336
38: eID ......................................................................................................................... 340
39: eID ............................................................................................................................ 341
40: eID ........................... 342
41: eID .......................................................................................................................... 346
42: 2 ............................................................... 347
43: eID ( 2 ) ..................................................................................... 349
44: ......................................................... 350
45: ......................................................... 351
46: eID ........................................................................................................................ 354
47: eID ................................................................................................................... 356
48: eID ( 2 ) ........................................................................................ 357
49: eID ....................................................................................................................... 360
50: eID - : Sagem Scurit (SAFRAN Group) ..................... 361
12
1:
1.1
,
.
,
, ,
.
11 2001

. ,
, ,
, .
( )
, , .
2004 1 ,

,
,
, (
) .
, ,
2005/60/ ,

1999/93/ ,
.
Towards an electronic ID for the European Citizen, a strategic vision. CEN/ISSS. Brussels, December 2004.
13

, 3 : ,
. 3
, . , ,
,

. ,
,
. ,
, , ,
.
,
. ,
, ,
,
.
, SIM
, ,
,
.
,
,
. ,
- .
,
, / PIN . ,
. ,
/ online .
14
,
,
,
, ,
, ,
( ) ,
.
1.2

.

.

,
,
/ ( )
.
1.2.1

. ,
,
, .
- - .
; ;
,
, .
- ,
15
,
.

[Y08].
:
1.
2.
3.
(2) (3), , :
4.
5. /

,
:
,

[RE03].

.

. ,
, [JDC].
16
[RE03]. ,

,
, ,
.
1:

.
, (contact) (contactless) [JDC].

.

,

.
3 5 volt, .

proximity
couplers
.

.
17

,
, ,
(personal identification number, PIN).

/ .
, ,
.
:
(loyalty systems)
, ,
(acrylonitrile butadiene styrene)
[RE03]. .
,
(International Organization for Standardization, ISO) ISO 7810. ISO 7816
,
18
, , ,
. , ,
.
,
. (cellular) ,
,

/.

MAOSCO ( ) Microsoft.
1.2.2

70,
.
[SCH], [RE03] Jrgen Detholff Helmut Grtrupp 1968
1982.
1970 Kunitaka Arimura. ,
Roland Moreno,
1974. 1977, Michel Ugon Honeywell
Bull . 1978, Bull
SPOM (Self Programmable One-chip Microcomputer)
- . ,
CP8 Motorola.
, Bull 1200 ,
CP8 2001 Schlumberger. , Schlumberger
CP8 Axalto. 2006, Axalto
Gemplus, 2 1 ,
Gemalto.
19
, 1984
(PTT)
(Tlcarte). 1986,
. , ,
'90, SIM
.
1983.

, ISO/IEC 7816/1-4.
,
,
bytes RAM [MR+04].
MasterCard, Visa, Europay 1993

.
EMV 1994, 1998
. EMVco,
2000 2004 [SCH].
,
. Smart Card Alliance (SCA), 3,4
2001 30% (SCA,
2001).
1:
20
1: 2

,
. ,

SIM (Subscriber Identification Module) [WSC10].
, Smart Card Market 2008 2015,
8,8 2015 5,2
2009.
1.2.3
, ,
[RE03].

. /
,
, , ,
.
2
: BioSensor, LLC
21
. ,

.
/
/ .

.
. ,
.
,
.
1.2.4

,
[JDA07].

. /
(released)
.

.
. / ( ,
, )
.
, online .
1.2.4.1

.
,
22
[WM09].

.
, ,

. ,

.
1.2.4.2

,
.
. ,

:
( ).
(non-volatile memory NVM),

(.. ).
, EPROM (Erasable
Programmable Read-Only Memory) EEPROM (Electrical Erasable Programmable
Read-Only Memory). EPROM
, . EEPROM
500.000 .
.
23
2:

-
- ,
. ,
(logic) .
.
(logic),
,
. 128 bits.
1.2.4.3

. - , , RAM, ROM,
/.

.
/ ,
.
ROM
. ,
,
.
24
NVM,
,
. NVM

: EPROM, EEPROM, flash FRAM (Ferroelectric Random Access Memory).
flash EEPROM
. FRAM (low power)

100 .

.
.
,
. , ,
. , ,
//
.
/ , ,
.

(2006)
18
232
1000
2655

Personal Digital Assistants (PDA)
(PC)

1: 3
(logical)
, , de
3
: Gartner and Eurosmart for Microprocessor Cards
25
facto , ,
, [JDA07].
1.2.5
(Standardization)

.

ISO (International Organization for Standardization)
IEC (International Electrotechnical Commission).
,
ISO/IEC . ISO/IEC
[RE03].
ISO CEN4
(European Committee for Standardization)
, , ,
. .
T ISO/IEC,
CEN.

.
ISO IEC .
CEN .
26
ISO
IEC
TC 68
Banks
JTC1
Information
Technology
SC 6
Transaction cards
WG5
Messages and
data contents
WG7
Security
architecture
ISO 10202
ISO 11568
SC 17
IC Cards and
related devices
WG1
Physical
characteristics
and test
methods
ISO/IEC 7810
ISO/IEC 7811
ISO/IEC 7813
ISO/IEC 10373
ISO/IEC 15457
ISO/IEC 24789
WG4
ICC with
contacts
ISO/IEC
7816
WG8
Contactless ICC
ISO/IEC 10536
ISO/IEC 14443
ISO/IEC 15693
WG5
Registration
ISO/IEC 7812
WG9
Optical cards and
equipment
ISO/IEC 11694
WG 3
MRTD
ISO/IEC 7501
2:
,
. ISO TC68/SC6,
,
ISO/IEC JTC1/SC17, .
27
2:
(European
Citizen Card - ECC) ,
,
/ ECC
.
ECC
,

, .
2.1
& ECC
CEN 15480
( [CEN 15480-1] [CEN 15480-2]5
), (European Citizen Card,
ECC) (personalized)
ID-1, ISO/IEC 7810,
1 2 ISO/IEC 7816. ISO
A II: ISO STANDARDS.
ECC, ,

:
1) -
,
,
[CEN 15480-3] [CEN 15480-4] .
28
2) ,
3)
/ ECC
.

ECC.

,
,
micromodule.
[CEN 15480-1], ECC :
,
,

,

,

,
,
,
.
29
, ISO/IEC 7816-3
/ ISO/IEC 7816-12. ECC
(International Civil Aviation
Organization, ICAO), ECC ,
ICAO 9303,
1 3. ICAO
9303. ICAO
MRTD6 (Machine Readable Travel Document)
ICAO
.
2.2

&
2.2.1
ECC ,
:
. ECC

,

(..
).
2.2.2
ECC
:
6
MRTD eMRTD
. ICAO
MRTD MRtd ,
.
30
, ,
,
2.3
ECC
(Identification
Authentication Signature, IAS), ECC 2
CEN 15480. ECC
, .

ECC. ,
. ,
,
,
,
:
31
6: IC

,
. ,

IC .
2.4
ECC
ECC .

, .
(proof of identity)
,
,
.
,
.
ECC
, :
ECC
ECC ,
2.5
ECC
[CEN 15480-1], ECC :

1)
,
,
32
2) ,
,
3)
,
4) , ,
5) ,
6) ,
7) -,
:
a) (
ISO/IEC 7816-13),
b) ,
c) , IAS
.
2.6
ECC
,
. [CEN 15480-1] ECC
2 3 [CWA 14169],
.
. [CWA 14169]
(Secure Signature Creation Device, SSCD),
, Common
Criteria (CC). ,
[1999/93/] . 2 3
,
33
, .
CC EAL4+
Strength of Functions High.
SSCD ,

. , SSCD ,
(Side-channel) (.. : , ,
), , ,
.
4.2
(Integrated Circuit, IC) ECC
,
EAL4+ SOF-High. , [ICAO 9303 P3V2],
MRTD Active Authentication,
. ,

EAL4+ SOF-High, . ,
PKI ( 6.2)

EAL4+ SOF-High.
2.7
IC
MRTD IC [ICAO 9303

P3V2] ( 3).
. eMRTD td1 ( ID-1
ISO/IEC 7810) 1,
.
34
3: ICAO eMRTD
:
1. MRTD
32 ,
2.
ICAO (Logical Data Structure, LDS),
MRZ 1 (Data Group 1, DG1)
DG2,
3.
.
(32 KB)
,
. eID
. ,
[Y08].
35
3:
ICAO ,
/ [
2252/2004], [ 444/2009] [ 1030/2002],
[ 380/2008].
3.1
MRTDs
, 2005
(EU Counter-Terrorism Strategy)

, . [EU-CTS],
,
.

,
,
.
ICAO, ,
[ICAO 9303 P3V2] MRTDs,

, ,
.
,

/
.
ICAO ,
[ 2252/2004] [
444/2009] 36
, ,
, ,
, . , ,
- ( 1, 3 [
2252/2004] ).
[ 2252/2004]

,
, . [ 444/2009]
,
, ICAO:
,
, .
[ 444/2009] [ 2252/2004]

. ,

. [ 444/2009]

-, .
[3021/2010],
, 17 2010

, (12) .
.
,
/..., .
,
, .
37

,
. , ICAO ( )

templates.
.
, [ 380/2008],
,

.
, [ 562/2006],
,
,
. ,
.
, ,

. ,
(
)
.
. [ 11/2010],

, .
..

. ,
38
4:
3.2
.2472/1997
,
39
. 2774/1999
, . 3471/2006
2002/58/

[2002/58/],
1995/46/

,
8 .
, , ,
,
370 , 370 370 .
a priori .
,

,
, , , , , ( 95/46, 2).
,
, , ,
, , .. ,

: ,
, , (
, ,
), (,
, .) [10].
40
6 1995/46/
. ,

. ,
.

.

:

, ( ),

( .. ),
, ,
.
:
.
, , :
[10].
()
(9 101)
.
3.3
19 . 1 :

41
.

.
, .2225/1994
, .3115/2003 .. 47/2005
19

(), :
, , ,
, ,
, ,
, , ,
, ,
, ,
, , ,
, / , ,
, , ,
, , , ,
, , ,
, , , , , , ,
.

/ ,
. . , ,
,
( . 3471/06,
2002/58/), . .
42
""
IC ,
e-mail
.. 25 .3471/2006
:
"":
, .

,
.
, , .
.
2 . 3471/06 [3471/2006] :
3. :
.
, , , ,
,
, ,
, , ,
, ,
.
4. :

.
3.4
,

.
43
,
, .
,
. [1999/31/]
,
.

. [150/2001]
[1999/31/]
.

()7
(),

.
3.4.1
[UDC95]

,
.
1996 (United Nations
Commission on International Trade Law (UNCITRAL)
[UNCITRAL96], , ,
, , ,
.
& (),
http://www.eett.gr/opencms/opencms/EETT
44

,
.
, , o
( [97])
.
3.4.2
,

,
1999/93/
, 6
2000 [EK/709/2000], -,
3 4 1999/93/

.
3.4.2.1
1999/93/
: 1999/93/
13 1999
.

.
,

,
.
45
,
7.3 - ,
,
,
.

:
:

,
:
,
,
:
,
:
,
: ,
,
,
:
- ,
: ,
,
46
:

,
:
, ,
: ,

,
: ,

,

.
, : () , ()
() .
3.4.2.1.1

.
, .
.

47
.
.
3.4.2.1.2 ...
,
,

, :
, ,
,

, ,
( )
( ) .

,
.
,
.
99/93/
,
,
. ,
.
,

48
.
, .

II . :
,
.
(
) .
, 24 ,
.

( 30
), .
3.4.2.1.3
:
49
, ,
,
.
3.4.2.1.4 A
(Secure Signature Device Creation-SSCD)
.
( III ) ,
, (
) :
.

,
,
,
.
50
, ,
.

.

.
,
(..
PIN).

,
.
3.4.2.1.5
,
, :
, ,
.

.
51
3.4.3
,

, ,
:
14 2672/1998 [N2672/1998],
10 3230/2004 [3230/2004],
( )
,
, .
150/2001 [150/2001]
(1999/93) ,
,
.
342/2002 [342/2002]
, ... ...

(.. , ..)
(, .).
20 3448/06 [N3448/2006],
25 . 3536/2007 [N3536/2007],
(),
() .
52
/.60/10/21711-5-2007 [/60/10/217] ,
.
8,
, , : )

, )
,

, )
,
.
3.4.3.1
150/2001
99/93/.
.

()
,
. ,

.
.

. , ,
, ,

, .
8
, ,
, 30 .
53
,
.
, ,
,
. ,

,
,
. ,
.
, ,
. ,
,
, .
,
,

.
3.5
21385/11246
421/B/02.07.1992). ..
. 1
16 ,
, , ,
.

. , 1599/1986 ( 75)
12 , ,
54
13
, (
, , , ,
). ,
.. 127/1969,
. 1988/1991 ( 189),
()
. , . 1599/1986
. 1832/1989, . 1839/1989, . 1988/1991, . 2479/1997, . 2521/1997, . 2690/1999, .
2990/2002, . 3242/2004, .. 3021/19/53/2005
1253/25.6.2009.
,
[3021/2005] ( 1440/18.10.2005).
(3.2) .
,
,
.
,
1253/25.6.2009

. , ,

, , fax .

. , ,
,
,
.
: , , , , ,
, , , ,
. , ,
55
, 743
( ISO 843:1997).

.
.

.
:
1. ,
6 .. 127/1969
2.

3.
4. ( 1253/25.6.2009,
),
5.

,
, .
,

.
.

56
.
.../...
(...),
. ,
.
,
,
... .
, ,

.

.../...

.
3.6
. 3103/2003 ( /23/29.1.2003),
[3021/2005] [3021/2010]
.
3021

,
, .

. 12
.
[3021/2010],
:
57
1, 4:

(12) .

,
, .
,
.
1, 5: ,
, , ,

,
. 3 1
. ,
(6)
.
,
/..., .
(6)
.
2: ,
(12) ,
,
.
' ,
,
58
,
.
151 .
5
, .
:
( ),
, ,
.
59
4: ECC &

:
) ,
) ,
)
.
4.1
, .
,
.
.
.
,
.
, .
,
,
. ,
, ,
.
,
, CEN ICAO.
4.1.1
ISO/IEC 7810 4
, 2.
60
2: ISO/IEC 7810
ID-1 .
, ,
. , ID-1

. [CEN 15480-1],
ID-1 ECC.
4.1.2
,
,
[RE03]. :
(, ,
),
(signature panel),
(.. ),
.
61
, 0,76 . ,
.
.
ISO 7810, 7813 7816
1. :
X,
/,
ISO/IEC 10373
,
. , [CEN
15480-1] .
,
, .
/
.
, , ,
.
62
4.1.2.1
ECC
,
CEN ICAO. ,

/ ,
. -
ECC ,
.
, [ICAO 9303 P3V1]

.

. , [ICAO 9303 P3V1]
, :
,
,
,
,
,
,
.
[ICAO SUPPL].
63
, [HT02],
,
(foils) .

. :
/Printability
( )
/ (Anti-statics)
, [RE03], [HT02], [Y08] ,

,
:
64
4.1.2.1.1 PVC ()
(PVC)
. ,
,
. ,
/ . PVC
,
. PVC ,
/feedstock, /vinyl chloride, .
, PVC
. ,

, -
. PVC
ECC .
:
,
(furane),

65
4.1.2.1.2 ABS (acryl butadiene styrene)

PVC,
ABS.
. ,
,
. ABS
. ABS,
, , ABS
.
:
PVC, ABS , ,

4.1.2.1.3 PC ()
( , polycarbonate, PC)
.
5 10
CDs DVDs. PC
4-8 (foils) . PC
/, / (torsion),
66
UV . ,
/ hotstamp, . , ,
,
//. PC
. , /
PC
, .
:
,
(..
//punching )
PC /phosgene (.
) . .
67
5: (polycarbonate)
4.1.2.1.4 PET (polyethylene terephthalate - )
PVC
PET. ,

. /thermostable

/amorphous form (A-PET) /crystalline form (PETP).
,
. , PETP ,
.
(PETF) PET
, . , PETF
200
. PC,
. ,
/ / /
(torsion).
(polycarbonate)
coextrusion .
.
68
4.1.2.1.5 PETG (Polyethylene terephthalate glycol)

PET
PETG.
:
(, PVC)
/finishing PETG PVC
, PETG
PVC (With some processing parameters PETG has a tighter process window than
PVC)
4.1.2.1.6
:
,
- /restricted reserves
/thermostable
PVC
69
. ,
, edge impact . /
( PVC) IS0
,
. ,
.
, ,
, .
4.1.2.1.7
,
. ,
, , ,
. , ,
.
70
4.1.2.1.8
6: 9
PVC
.
: ( , ),
( ),
/ ( ),
(, , .), UV (
) ( ,
).
PC () /
, UV . ,
,
,
.
9
: [DATACRD]
71
PET (), PETP PETG

.

. ,
( )
( )
.
3: 10

[DATACRD].
4.1.2.2
, ECC ID-1. ,
ISO/IEC 7810. ,
[CEN 15480-1], 3. 3.,
.
10
: [DATACRD]
72
3: ECC
)

.
,
73
. 3. 3.,
4. 4..
4: ECC
)
74
ECC
, ,
.
, ,
.
,

( ). ,
,
. , ,
[CEN 15480-1] ECC :
, ECC
(fixed administration information),
, ..,

(fixed administrative information) ( 4.),
, ,
( ),

.
, ,
( / )
,
( 9303-1 ICAO).
MRZ ,
MRTD,
4.1.2.3,
75
ECC
,
3.
4. .
, ICAO o [ICAO 9303 P3V1] MRTD 7 ,

, , 4
V 5 . ,
/ ,
[CEN 15480-1].
Zone I
Header
Mandatory
Zone II
Personal data elements
Mandatory and optional
Zone III
Document data elements
Mandatory and optional
Zone IV
Signature or usual mark
Mandatory
Zone V
Identification feature
Mandatory
Zone VI
Data elements
Optional
Zone VII
Machine readable zone (MRZ)
Mandatory
I VI (visual inspection zone, VIZ),

VII (machine readable zone, MRZ).
,
9303 ICAO
1, 2 5 IV 5 V [ICAO 9303
P3V1].
76
5: ICAO
)
77
4.1.2.3

,
.
4.1.2.3.1
[CEN 15480-1],
:
7:
1 ( ):

2 ( 1 ):

3 ( 2 ):

78
4 ( forensic taggant):
/ , ( )
/ /
ECC 1
2. ,
. [ICAO 9303 P3V1]
/
, .

,
.
/ , ,
9303, 3,

-1 1 [ICAO 9303 P3V1].

. ,
,
.
,
, ,
ECC
:
1) ,
2) /,
79
3) .
ECC :
,
( 1
2 3),
.
4.1.2.3.2

ISO/IEC 7810 /
, .
, ECC
( 1 / 2)
, [CEN 15480-1]. ,
.
/ .

, 11.
,
.

. 8 .
11
, ,
( 2), .. ,
( 3), .. , .
80
8: ( ) (
) ( )
,
.

customer-specific .
.
9: (security background printing)

ICAO

.
81
,
.

[Y08]. 10
. (background security printing)
, .
,
.
10: (polycarbonate):

4.1.2.3.3
UV ( 2 , 3 )
ECC [CEN 15480-1], /
,
. UV
ECC ECC
ECC (, , ).
82
11: UV
(Optical Variable
Feature, OVF) ECC [CEN 15480-1]. [CEN
15480-1] OVF ,
OVF ( 1).
,
/ .
, , colour-copied
, (Optically Variable Inks, OVI).
,

(intaglio printing) (screen printing).
12: ( )
83
(IR )
[Y08] .

.
, ICAO [ICAO 9303 P3V1]
.
metallic inks
metameric inks
infrared drop-out inks
thermochromic inks
photochromic inks
infrared fluorescent inks
phosphorescent inks
tagged inks
[ICAO SUPPL]
penetrating numbering ink
invisible ink which fluoresces in different colours when exposed to different wave
lengths.

(Multiple Laser Image, MLI) [Y08],
,
. , ,
84
.
, ,
, .. - (micro photo).
,
.
13: MLI (Multiple Laser Image)

(Guilloches / fine
line patterns) [PRADO].

, :
1) (
)
2) (
)
3)
85
14:
(rainbow colouring).

, ,
(forensic) ( 3, 4).
IC , ,
,
.

need to know [ICAO 9303 P3V1].
, ,
.. .

.
4.1.2.3.4 ECC
ECC [CEN 15480-1] [CWA 14169].
,
.
86
4.1.2.4

, .
VISA MASTERCARD,
.
[Y08].
Common Criteria
FIPS. ,
EEPROM ( FLASH).
eID. ,
EEPROM 8 kilobyte 144 kilobyte.
.
.

[HT02].
4.2
4.1.1, ISO/IEC 7810

ID-1, ECC. , ,
1985,
. ,
ISO/IEC 7816 ISO/IEC 14443.
4.2.1

,
.

,
.
87
,
. ,
,

.
[CEN 15480-1] , ,
,
ISO/IEC 7816.
4.2.2

.

.

, .
,
. ,
.

. 10
,
.
ECC ,
[CEN 15480-1] ISO/IEC 14443,
(proximity cards, PICC)
ID-1. ISO/IEC 14443 ,
(proximity coupling devices, PCDs),
,
. PICC
88
13,56 MHz PCD.

ISO ,
10 .
106 Kbps ICs
212/424/848 Kbps.

( 5.1.9.2).
4.2.3
ICAO CEN
New Technologies Working Group (NTWG) ICAO

IC,
ISO/IEC 14443. 4 ,
(Half-Duplex)
: A . ICAO . ,
IC REQA REQB
ATQA ATQB (answer to request) .
, 6
, ISO/IEC 14443.
6:
[ICAO 9303 P3V2] IC

89
ICs
.
10 .
( ISO/IEC 14443) , ICAO,
IC
(electromagnetic screening)
.
,
,
.. (
, ).

(Automated Border Control System, ABC), ICAO
[ICAO GUIDL] .
1 1
(live) 3 .

, .
,
. ,
,
.
(card readers)
. 5 [DATACRD].
,
.

,
.
90
.
( 2
) ,
( UV IR ) [REG S7004].
CEN
9303 ICAO. , [CEN 15480-1]
ECC ISO/IEC 7816-3
7816-12, ECC ICAO
, ,
ISO/IEC 14443.
ECC
(dual interface). , ,

( )

.
( ).
( 4).
( ) ,
, . ,
[ 380/2008],
, -

.
.
, .

91
, 7,
.
4: [DATACRD]

(1 )
(2 )
N
N + 15-30%
N + 50-100%
N + 80-120%
7:

4.3
,
, :
1. ,
2. ,
92
3. ,
4. .
, ,
/
.
4.3.1
4.3.1.1

offset
offset
[Y08]. (plate) offset
,
(Computer to plate - CTP).
.
.
,
.
,
.
,
(foil)
.
15: offset
93
(waterless) offset
UV .
(single) , -
.
4.3.1.2
(Rainbow colouring)
split duct printing [PRADO],

offset
,
,
( ).
16:

(background printing).
4.3.1.3
(intaglio printing)
[PRADO] offset.
,
, .
()
. ,
/
94
, .
,
(oblique light).
(latent images)12.
17:
4.3.1.4
(Screen printing)
[Y08]
.
.
,
.
: , ,
.
4.3.1.5

[Y08] . ,
, ,
.
12
, (oblique light).
95

, ,
.
// (biodata/photo/signature
integration).
18: - &

(thermal
sublimation dye) (retransfer printing)
.
offset , ,
.
4.3.1.6
4.1.2.3.2 ,

.
,
[CEN 15480-1].
4.3.1.7
(Form printing)
- (micro-printing) (
) [CEN 15480-1].
96
4.3.1.8
(Numbering)
[CEN 15480-1],

.
,
.
,
[ICAO 9303 P3V1]. ,
( /
), ,
.
19:
,
[CEN 15480-1], DOVID13
( ) (
..),
,
[ICAO SUPPL].
13
DOVID ,
, ,
: (hologram), (Kinegram), (Identigram).
DOVID .
97
4.3.2
[CEN 15480-1] [ICAO 9303 P3V1]

(OVD) ,
, Visa,

(diffractive) , (DOVID),
hot-sealed (laminate) ( )
OVD , (metallised) demetallised OVD (with intaglio overprinting) .
20:
OVD layered ,
.
ID-1,
.
(diffractive) OVD
(metallised) DOVID,
.
4.3.3

. ,
( ), /
.
98
/ .

.

, ,
,
, [ICAO 9303 P3V1]. , :
(.. ),
(thermal transfer printing),
ink-jet ,
,
,
toner 14, [ICAO SUPPL]

(
, /broken face type),
, , , /
.
14
toner VISA
.
99

,
,
.
,
,

.
,
[ICAO 9303 P3V1]
[ICAO SUPPL], ,
,
[Y08], .
4.3.3.1
- (thermo transfer printing)
,
(donor ribbon)
.
pixels.
21 - (thermo transfer printing).
21: -
100

/ .
.
:
300 dpi
/ /
PVC
-:
(polycarbonate)
/ (chip module)
/ UV
(blank)
101
:
( 22)
: , ,
/, , ,
..
/ .
,
.
22:
-
:
- (..
)
. , ECC.
102
4.3.3.2
E - (thermo sublimation printing)
- -
. ,
, , (300-400 )
( ) .
,
/ UV . ,
. ,
.
-:
( )
103
, -.
.
4.3.3.3
- (thermo retransfer printing)
- . ,
(mirror-inverted), -,
. - .
30 .
.
-:
( )
(polycarbonate)
( ,
(CMYK) )
:
- .
(polycarbonate),

.
104
4.3.3.4
(laser engraving)
,
. ,
. ,
(PVC,
PC). 23 .
23:
.
.
:
UV

105
( )
:

.
,
.
4.3.4
,

[ICAO GUID].
( )
, MRZ
MRZ
,
.
() ,
(stitching),
. , /
.
(finished) ,

.
106
, ,
[ICAO 9303 P3V1].
4.4

, /
. ,
[ICAO 9303 P3V1],

()
[ICAO GUID].
.
, ,
.
[ICAO 9303 P3V1]
[ICAO SUPPL] :

,
/, .
, (,
, ) .
/
.
,
(.. ).

( ).
107
,

INTREPOL.

.
.

/ CCTV ( ).

.

:

,

/ .
, ,
.

, , .

, ,
108
,
, .

( , ..).

/

.
.
.

, .
, [ICAO GUID]
,
,
.
4.5
4.5.1
/bytes ,
[P+99]:
, /

109
, Unix, DOS
Windows,

. 3 24 kbytes.
,
-.
,

. , ISO 7816-4 EN 726-3
profiles, .
, profile ISO 7816-4
5.
Data
Structures
Commands
Transparent
Linear fixed
Linear variable
Cyclic
Read binary, update binary, no implicit selection and
maximum length up to 256 bytes
Read record, update record, without automatic selection
Append record
Select file
Verify
Internal authenticate
External authenticate
Get challenge
5:
110
STARCOS [RE03],
Giesecke & Devrient. ,
1990, ,
/ .
, COS (card operating system)
.
, STARCOS MPCOS.
..
GemXplore, GPK, MPCOS
Gemplus
STARCOS, STARSIM, STARDC

Multos
Giesecke & Devrient

Maosco
AuthentIC, SIMphonic
Micardo
Oberthur
Orga
Cyberflex, Multiflex, Payflex

CardOS
Schlumberger
Siemens
TCOS
Telesec
6: 15

, , ,

. ,
:
1. Multos
Multos
.
MEL (Multos Executable Language).
C Java, MEL. Multos
API Application Abstract
15
: [RE03]
111
Machine (AAM). ,
Multos
. AAM
. ,
MEL,
.
1: Multos
[GK06] MULTOS ( (6)
IT-SEC evaluation criteria)

.
-

.
2. Java Card
H Java Card
Java. , Java
. , Java Card
112
.
.
Java Card.
3. Windows for Smart Cards
Windows for Smart Cards
Microsoft
1998.
DOS FAT,
, , /,
API.
2: Windows for Smart Cards

,
[RE03] [Y08].
4.5.2

.
Infineon, ST microelectronics, Atmel
113
Philips, Bull, Siemens, Toshiba, Samsung Nec

.
4.5.2.1
Gemalto
http://www.gemalto.com/
Gemalto ,
, tokens
. 2006 Axalto Gemplus
International.
, Gemalto,
SIM ,
, , USB tokens. 2008,
1,4 .
400 , 300
30 ,
, .
Gemalto
, , , , , , ,
, , .. .
Gemalto 10.000 , 77
, 18 , 30 , 11 R&D
40 2009 1.65 .
4.5.2.2
Giesecke & Devrient
http://www.gi-de.com/en/index.jsp
1852 Hermann Giesecke Alphonse Devrient.
,
(banknotes) .
114
, G&D
(banknotes), ,
.
(banknotes), 8.000 , 50
$2,45 .
G&D euro (euro notes)
(banknotes) .
, (banknotes), ,
/ (bonds), ,
.
4.5.2.3
Toppan Printing
http://www.toppan.co.jp/english/
Toppan Printing

2008 $16,3 .
1997, Toppan Printing
- .
,
(stamping) ,
12 . 100
.
2006 Toppan
Printing ..

( ) ..
115
16 Toppan Printing Co, Ltd

Toppan Printing .. .
( ).
, Toppan
(AD)
2004 100.000
.
4.5.2.4
Evolis
http://www.evolis.com/
Evolis .
,

.
, ( )
.
140 ,
100 . 2009
32,7 .
4.5.2.5
Sagem-orga (brand name: Morpho)
http://www.morpho-edocs.com/
25 ,
. 1984,
, , , .
16
: http://www.toppan.co.jp/english/news/newsrelease458.html
116
Morpho 1984.
,
, , , tokens, ,
inlays modules, .
2.500 ,
, , , .
Morpho
, .
, , .
4.5.2.6
Oberthur Card Systems
http://www.oberthur.com/
Oberthur Technologies ,
, , , .
Oberthur Printing 1842 , Franois-Charles
Oberthr, 1984, Jean-Pierre Savare
Oberthur Technologies.
905 2009, Oberthur Technologies
.
Oberthur Technologies :
.

, , TV.
.
(banknotes),
.
117
.
, ,
- -
.
.
ATM.
4.5.2.7
CardLogix
http://www.cardlogix.com/
1998, CardLogix 36
. ,
,
CardLogix .
4.5.2.8
Datacard Group
http://www.datacard.com/index.jhtml
40 , Datacard
, .
,
, .
Datacard ,
.
,
.
40- ,
Datacard
. ,
10
118
, 90
.
4.5.3
119
7:
120
5: IC
5.1
5.1.1
& LDS
[ICAO 9303 P3V1]

.
VIZ
(Machine Readable Zone, MRZ)
.

VIZ .
, , .

von de la.
. ,
,
.
VIZ
[ICAO
9303 P3V1] 2 IV .

THEODORA.
,
ISO 3166-1 Alpha-3
[ICAO 9303 P3V1] 1 IV (
GRC).
ISO 8601.
121
MRZ ,
(<) .
24:
[ICAO 9303 P3V1] MRZ,
8.
( ).
VIZ: DARTAGNAN
MRZ: DARTAGNAN
VIZ: MARIE-ELISE
MRZ: MARIE<ELISE
VIZ: ERIKSSON, ANNA MARIA

MRZ: ERIKSSON<<ANNA<MARIA
VIZ: ANNA, MARIA
MRZ: ANNA<MARIA
MRZ (check
digits)
. modulus 10
MRZ 731 731
.
122
8: MRZ
[CEN 15480-1] (Annex C), ECC ID-1
ICAO
[ICAO 9303 P3V1] (Visual
Inspection Zone, VIZ). .
[REG S7004]
123
(ID-1, ID-2 ) MRZ VIZ

ICAO.
[CEN 15480-1] ECC
.
5.1.2
eMRTDs
eMRTD (
). [ICAO 9303 P3V2]

.

,
. 9 eMRTD
.
9
. ,
MRZ.
MRZ . MRZ

( CRL
) (watch list).
.

IC
( ).

.

.
124
9: eMRTDs
[ICAO 9303 P3V2]
125
5.1.3
&
(biometric identification)

[ICAO 9303 P3V2].

. 3.1
.
(biometric templates),

. -

( )
.
.
ICAO
( )
.
:
(veify) --
MRTD

.
( ) .
(identify) --
MRTD
.

.
126
.
,
MRTD,

MRTD.

Match On Card. templates

.

tamper-proof .

,
.
, templates -
[ID-CRED0210].
,
ICAO , 300 dpi
640 KB (24 bits/pixel)
90 .
ICAO 32
. JPEG17 / JPEG2000
.
15 KB 20 .
17
JPEG / ISO/IEC 10918-1:1994.
127
WSQ18 10
. 30 .
(cropping)
, 25,
. ICAO
token image.
token ISO/IEC 19794-5.
90

.
25: (ICAO)
5.1.4
& LDS
IC [ICAO 9303 P3V2]

MRZ 1 (Data Group 1, DG1)
DG2 ( ).
IC , Security Object (EF.SOD)
( hashes)
( )
Wavelet Scalar Quantization (WSQ) FBI NIST .

(http://www.nist.gov/itl/iad/ig/wsq_compliant.cfm).
18
128
. .

.
DG1 DG16 . ICAO

MRTD IC
visas
MRTD personalization .

ICAO doc 9303.
[ICAO 9303 P3V2]
(Logical Data Structure,
LDS). LDS
(
). LDS
, .

.
(random ordering scheme)

.
MRTD

MRTD LDS.

.
(3.2).
ICAO
LDS MRZ (DG1) (DG2).
129
LDS

LDS MRTDs,
,

,
.
5.1.5
LDS
(data elements)
(data groups, DGs)
:
1. /
MRTD 10.
.
2.
( LDS) 11.
. [ICAO 9303
P3V2] .
:
1. DG1
MRZ,
2. DG2
,
3. EF.COM (common elementary file) LDS
(tags) DGs ,
130
4. EF.SOD (security object)

.
.
DG1 MRZ

ID-1 ID-2 MRTD. 10 ID-1 .
DG1
1
14 10.
131
10:
LDS
132
11: 3
( LDS )
DG2, DG3 DG4
( , ).
DG2 . DG2 3 :
: DG2
01
02
03
8: DG2
01 1 Byte.
1. 02
. 03
99999 Bytes.
02 03
01.
133
|
ASN.119.
[ICAO 9303 P3V2], DG2-DG4
(nested) ISO/IEC
7816-11 ( C.10).
biometric templates Common Biometric
Exchange Formats Framework (CBEFF)20 NIST NISTR 6529a:
2004 ISO/IEC 19785 (2006-2010).
9.
8
Tag 02
Tag 7F60
. ICAO 1 9
, .
Tag 03
. Tag 82
(Biometric subtype)
( ) (
). Biometric subtypes ISO/IEC 19785 10.
19
Abstract Syntax Notation One (ASN.1)

,
, . ASN.1
ISO/IEC ITU-T X.680.
20
o CBEFF NISTIR 6529.

.
,
. CBEFF
.
134
9:
(biometric data), ,
ISO/IEC 7816-11 (Annex D)
:
135
MAC
2
.
10: ISO/IEC 19785
5.1.6
LDS
IC MRTD

.
:
. LDS

MRTD,
.
(
) .
136

MRTD (Active Authentication)
.

MRTD.

.
5.1.7
&
1 [ICAO 9303 P3V2]

,
( ISO/IEC 14443), , ,
ICAO MRTD LDS ,
.
UTF-8
Unicode Standard ISO/IEC 10646.
(ASCII),

, UTF-8.
eMRTD ISO/IEC
7816-4. ISO :
137
(secure messaging)
. (dedicated files) DFs

DFs (elementary files) EFs.
(master file) MF
12.

(DG1- DG16 10),

ICAO
.
(Application Identification, AID)
DF. AID Registered Application Identifier (RID)
ISO/IEC 7816-5
Proprietary Application Identifier Extension (PIX)
ICAO 9303. ISO/IEC 7816-5

. ISO
.
RID = 0 00 00 02 47
ICAO PIX = 1001.
138
DF1
DF A0 00 00 02 47 10 01
. (DG)
EF.DGn, n (
12).
:
ASN.1 (tag),
(short EF identifier) .
EFs
11.
139
12: ISO/IEC 7816-4
140
11:
(DG)

(Tag) . Tags
1 [ICAO 9303 P3V2]
tags (inter-industry)
ISO/IEC 7816-6.
DF1 EF.COM (common elementary file)
1. 13
:
141
LDS (LDS version number)

LDS.
(Unicode version number)

.
(AID).
(Data Group Presence Map, DGPM)

(tags)
DGs
.
HEADER
DATA GROUP PRESENCE MAP
Application Identifier (AID)
Data Group n TAG
LDS Version Number

Unicode Version Number
Data Group m TAG

Presence of TAG = DG present
Absence of TAG = DG not present
13: EF.COM
DGPM, (DG),
, Data Element Presence Map
DG.
142
5.1.8
APDUs & eMRTD

ISO/IEC 7816-4. ICAO
SELECT READ BINARY
0
AUTHENTICATE,
INTERNAL
GET
AUTHENTICATE,
CHALLENGE,
MSE,
CDS
EXTERNAL
VERIFY
CERTIFICATE.

-.
4 .

Application Protocol Data Units (APDUs).
ISO/IEC 7816-4 APDUs, 4 Bytes
( 12).
CLA INS P1 P2
[Lc field] [Data field] [Le field]
12: APDU
Lc (command length) Bytes

(Data field) APDU.
143
Le Bytes
. Le
APDU Bytes
.
class (CLA)
(Secure Messaging)
.
instruction (INS) ,
SELECT FILE 4 READ BINARY 0.
P1 P2
. P1
MF, DF, EF . P2
, , , .
,
.
2-Bytes trailer
bytes SW1-SW2. 9000
.
[Data field]
SW1 SW2
13: APDU
, SELECT
: )
(short EFID) ) DF. ICAO
MRTD
.
144
.
(reset)
MF historical bytes.
READ BINARY
EF, EF (
). EF
READ BINARY EF
. EF.

.
.

(offset) Byte
. offset .
GET CHALLENGE
).
INTERNAL AUTHENTICATE
. ( )
GET CHALLENGE .
MF,
. DF
DF
. INTERNAL AUTHENTICATE ,

. 14.

145
APDU
.

. ISO/IEC 7816-4

.

.
14: INTERNAL
AUTHENTICATE [RWEW03]
EXTERNAL AUTHENTICATE

.

.
15.
.
EXTERNAL
AUTHENTICATE .
.
.

(state machine)
146
.
.
tamper proof smart
card
.
15: EXTERNAL
AUTHENTICATE [RWEW03]
MANAGE SECURITY ENVIRONMENT (MSE)
ISO/IEC 7816-8.
.

, , ,
checksum, hash .
MSE
[RWEW03].
147
,

VERIFY CERTIFICATE
.
( CA
).

.
,
. VERIFY CERTIFICATE ,
.

(VERIFY DIGITAL SIGNATURE).
5.1.9
ICAO
MRTD
IC (ISO/IEC 14443) :
ISO/IEC 14443 1-4 ISO/IEC 10373-6
.
(Proximity Coupling Devices, PCDs) .
ISO/IEC 7816-4
.

ISO/IEC 7816 4-5.
5.1.9.1
UID
eMRTD , IC eMRTD
(UID ). ISO/IEC 14443
148
: ) MRTD
)
. ICs
.
.

.
-
(traceability) .
ICAO

UIDs [ICAO SUPPL].
.

6:
IC .

RFID- [JMW05].
(covert
channel).
r MRTD :
UID =
(r | __MRTD)
r
(
) MRTD.

(reverse engineering) [HHJ06].
149
5.1.9.2

(modulation) ,
.
PICC PCD
IDLE. PICC
REQA ( REQB) WUPA ( WUPB)
PICCs .
PICCs IDLE ,
ATQA ( ATQB ).
PICC READY
16.
150
16: PICC
A [Y08]
PICCs PCD .
PCD PICC
.
PICCs .
PICC PCD
. SELECT (NVB)
(pattern) .
PICCs

bits . bit
, ( )
PICCs
PICC ACTIVE.
151
PICC PCD SAK (Select

Acknowledge). ICAO
RATS (request for answer to select) PICC
(card identifier, CID)
ACTIVE . LDS
256 Bytes.
PICC ATS (answer to select)

.

5.1.8. EF
: ) SELECT FILE
(explicit selection)
) (implicit selection)
(SFI)
.
.
:
EFs DF MF.
17 :
1 2
(carrier)
bit .
Manchester bit
.
152
17: bit Manchester

(PICC ) [RWEW03]
5.1.9.3

, ,

.
. Answer To
Reset reset ,
.
(unexpected)
(unspecified) .

.
153

.
,

, [HHJ06].
154
6:
IC

.
,

.
ICAO, CEN
BSI

(PKI),
, .
.
,
( , ,
)
.
.
6.1

.
, , (
), ( spam ).

. :
1. :
.
155
UID
, .
2. :
.

.
. .
3. Man-in-the-middle : ,

/middleware
.
4. :
.
.

.
5.
:
.

.
6. :
6.2.3
.
.
7. :
( PIN
156
)

.
8. :
.

tamper proof ,
, (probing)
,

.
[KOKU99].
9. Side-Channel-Attacks:
, ,

. (Differential Power Analysis)
.
Simple Power Analysis.
,

- .
10. :

.
11. Skimming :
.
157
.

25

[JMW05].
.

.
12. :

. skimming.
(
smart cards )
.
,
(semantics)
,
, ,

.
13. :

, , supermarket,
, .
14. :

.

158
,
,
.

.
(5.1.9) .

,
( , 6.3.1.1, 6.3.2.1, 6.4.1.2 6.5.6.1).
eID ( 10:
eID )
. :
, ,

, ( ),

, (matchon-card), ()
, ICAO BSI
. [08].
10.1
.
6.2
6.2.1
PKI

(PKI) .
PKI
159
, ,
, VPN ,
/ . PKI

, , ,
, .
,

, .
PKI
Root-CA. PKI
(cross-certification)
.
6.2.3 ICAO PKI
.
6.2.2
&

[150/2001] [1999/93/]

.
, ,
, . , , :
160
,
.

()
.
[1999/93/]
.
:
,
,

161

, , ..

,
.

,
, .
. . 248/71
( 603/'/16-5-2002)

.
,
/ .
()
syzefxis.gov.gr
[YA2512/2006].
.....
.

()
.
.
( 99/93/) :
162
,

.
o , ,
.
.
o
.
,

.
,

150/2001. CC EAL4+.
[/60/10/217] PKI
, :
1. (),
() , 20 . 3448/2006
( 57/715-3-2006), 25 . 3536/2007
( 42/723-2-2007), ()
& ......
,
,

( 20 . 3448/2006).
163
2. () ,

......
,
.
3. () .....,

- ...
,
(). ,
, ,
,
.
4. (), (),
.

(.. )
,
.
31/12/2005 SYZEFXIS
Adacom SA. Adacom CA VeriSign
CA 2
.
ERMIS online 31/3/2009

. ERMIS

164
.
/
(Trusted Service Provider List, TSL)21
/
(CSP) /
[1999/93/].

()
, ,
. ,

. :
1. ,
(http://pki.syzefxis.gov.gr)
2. Adacom Qualified Certificate Services CA -
(http://www.adacom.com/repository)
3. ASYK
Qualified
Certificates
CA
AE
(http://www.ase.gr/repository)
6.2.3

.
21
/ TSL,
https://www.eett.gr/tsl/EL-TSL.pdf
165
. ,

.

.

.

online
;
;

.

. [SSG10]

. 18

(Identity Providers, IdPs) (Service Providers,
SPs) .
(token
mapping)
.
proxy
.
X.509 .
166
18:
[SSG10]

.

.

. [SSG10]

(IdPs)
(SPs) X.509 SAML22
22
Security Assertion Markup Language (SAML) XML,

167
(attribute assertions). 19
( ).
X.509 Proxy .

CA
.
Proxy
. SAML
,
, ,
.
19: [SSG10]

eID
.
CAs
.

,
168
,
CA .
6.2.3.1

.

. Modinis eIDM Study23
.
TLS-Federation24
.

.
GUIDE (Creating a European Identity Management Architecture for
eGovernment)25,
,
-
.
.
.
GUIDE

.
23
ModinisIDM, https://www.cosic.esat.kuleuven.be/modinis-idm/twiki/bin/view.cgi/Main/WebHome
24
Bruegger, B.P., Hhnlein, D., Schwenk, J.: TLS-Federation - a Secure and Relying-Party-Friendly Approach for Federated
Identity Management, http://porvoo14.dvla.gov.uk/documents/tls_federation_final.pdf
25
GUIDE, Creating a European Identity Management Architecture for eGovernment,

http://istrg.som.surrey.ac.uk/projects/guide/overview.html
169
STORK
(Secure idenTity acrOss boRders linKed)26.

(eIDs) .

eID
, eID .
2011.
[IDABC] 2009

.
CAs
European IDABC Bridge/Gateway CA (EBGCA)
.
/ (Trusted Service Provider
List, TSL) CAs ( 6.2.2).
ISA (Interoperability Solutions for European Public
Administrations) 2010 2015.
PEPPOL27 eSignature

,
.
Symantec VeriSign28
VeriSign Managed Public Key Infrastructure
PEPPOL
26
STORK, Secure idenTity acrOss boRders linked, http://www.eid-stork.eu
27
PEPPOL, Pan-European Public Procurement Online, http://www.peppol.eu
28Symantec's
VeriSign PKI Chosen to Secure EU Procurement System, Press Release 19/10/2010,

http://investor.symantec.com/phoenix.zhtml?c=89422&p=irol-newsArticle&ID=1484065
170
PEPPOL Access Points

.

.
SPOCS29 (Simple Procedures Online for Crossborder Services) (2009-2012)
.
,
,
.
(eDocuments, eID).
6.2.4
PKI MRTDs ICAO

.
CAs. CA
CAs
.
Root CA
. - (cross-certify)
.

(CRLs)
: ) CRL , ,
, )
CA CRL
.
PKI.
29
SPOCS, http://www.eu-spocs.eu/
171
,
MRTDs, ICAO
MRTDs .
:
1. MRTDs ,
2.
MRTD,
3. MRTD
.
ICAO , CRL

MRTD .

online
eGovernment , .
PKI MRTDs ICAO

MRTD .
PKI.
5.1.2 MRTD
IC ,
IC
.
[ICAO 9303 P3V2] PKI :
172
H (Country Signing CA, CSCA)

CCSCA
KPuCSCA.
(Inspection Systems, IS)

(CDS). KPrCSCA
.

(Document Signer, DS). CDS
CSCA IS SOD
IC . CDS
KPuDS SOD
MRTD. KPrDS
SOD .
20.
ICAO PKD
Country A
Country A
CDS A
CSCA
CDS B
DS A
DS B
CDS C
DS C
Country B
CDS A
...
...
...
CDS B
CDS C
20: ) PKI ICAO )

173
ICAO
(CDS) CDS ,
CCSCA
online (Public Key Directory, PKD), 20.
ICAO PKD

MRTD. validator
CCSCA ,
PKD. PKD
CDS
MRTDs
. PKD CRL
.
PKD 48 .
CRLs CSCA DS,
Document Security Objects Active Authentication
.
MRTD Document Security Object
(SOD) LDS (EF.SOD)
LDS (hashed)
RFC3369 Cryptographic Message Syntax, CMS. [ICAO SUPPL] (R8p1_v2_sIV_0062) SOD ICC
CDS
.
online Public Key
Directory ICAO ( 20).

MRTD SOD.
174
6.2.4.1

.
(Data Room)
,
,
( 6.2.2
[1999/93/] ).
CSCA (KPuCSCA, KPrCSCA)
(off-line). CCSCA
( ICAO PKD)
(out-of-band).
MRTD
ICAO PKD
(IS).
CCSCA IS .
6.2.5
PKI MRTDs BSI
BSI [BSI-TR-03110] ICAO,

MRTD .
MRTD MRTD.

IC MRTD. PKI
ICAO ( 20).
PKI MRTDs
. PKI
21
Extended Access Control (EAC). PKI
175
[EN 14890-1]
.

Terminal Certificate.
(Terminal) . MRTD

MRTD.

(Document
Signers)
(Document Verifiers) MRTDs.
Country Signing CA, CSCA Country Verifying CA, CVCA.
, Country CA.
21: PKI BSI [BSI-TR-03110]

176
PKI Document Verifiers, DVs.

, DV . DV
( CVCA) CA (Terminal
Certificates) . Terminal Certificates

DV DV .

MRTD , Document Verifier
CVCA DV .
DV Terminal Certificates
.
IC MRTD Terminal Certificate
IC -
CVCA. -
MRTD
.
CVCA ,
CVCA Link Certificates. CVCA
CVCA. MRTD
- .
, MRTD
IC.
DV Terminal .
MRTD CVCA Link
. MRTD
CVCA Link
DV Terminal .
177
6.2.6
MRTD
[ICAO 9303 P3V2] MRTD

.
MRTD , ICAO
.

MRTDs.

,
.
.
6.2.5

.
: ) (effective date) )
(expiration date).
. 22
.
178
22: [BSITR-03110]

.
.
CVCA Link Certificates ( 22)
, MRTD
-.
CVCA

(
) PKI
179
.
CVCA 5 .
(Terminal)
.
IS .
Terminal 10 .
14: ICAO

Country
Signing CA
.50930
3 5
Document
Signer
: CCSCA
IS
:

.509
: CDS
IS
SOD IC
:

IC MRTD
Active
Authentication
: DG15 LDS
:
30
:
MRTD (10 )
:
MRTDs 3

(10 )
RFC 3280, R. Housley, W. Polk, W. Ford, D. Solo, Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile, RFC 3280, April 2002
180
6.3
ICAO
6.3.1
Passive Authentication ()
MRTD
.
IC MRTD.
SOD
LDS (EF.SOD)
LDS (hashed).
IS :
1. MRTD, SOD IC.
CDS.
2. (DS) SOD.
3. IS SOD
(KPuDS). CDS
IS ICAO PKD
ICAO IC
MRTD. SOD ,
SOD . IS
CDS
KPuCSCA.
4. IS Data Groups LDS.
5. IS Data Groups
hash SOD Data
Group .

MRTD.
181
Passive Authentication

ICAO CEN.
IV-1 [ICAO 9303 P3V2], D.2 [CEN 15480-2]
.
6.3.1.1
SOD LDS
IC
IC.
IC .

. DG1 IC
MRZ

.
hash .
hash
hash
(Birthday paradox). ,
(Document Signer) .

(Document Signer)
.

bits
. MRTD
.
MRTD
IC ( ).
182
IC

.
hash
hash . 2004 NIST31
SHA-1 2010
SHA-2.
6.3.2
Active Authentication (AA) ()
(Active Authentication, AA)

MRTD
.
KPuAA
IS.
- IS MRTD
IC MRTD.

IC chip
. cloning
IC.
ICAO Active Authentication
. KPuAA
KPrAA. IC
/
AA IC MRTD.

DG15 LDS
DGs ( hashed )
31
http://csrc.nist.gov/groups/ST/toolkit/documents/shs/hash_standards_comments.pdf
183
SOD. IS
DG15 Active Authentication.
AA APDU INTERNAL AUTHENTICATE (
5.1.8) ICC.

ISO/IEC 9796-232.
IS
IC :
1. MRZ MRTD (
BAC)
DG1. DG1
Passive Authentication MRZ
.
2. Passive Authentication
DG15 KPuAA.
3. MRZ
-.
a. IS nonce 8 Bytes RND.IFD
MRTD
INTERNAL
AUTHENTICATE ( 5.1.8).
b. IC :
32
ICAO ISO/IEC 9796-2:2002 Information Technology - Security Techniques - Digital Signature Schemes
giving message recovery - Part 2 Integer factorisation based mechanisms
2010. ISO
.
. ISO ,
.
184
i. M2 = RND.IFD
nonce M1.
ii. ( SHA1)
=SHA1(M), = 1|2. O
.
iii.
F=6A|M1|H|T.
iv. F
KPrAA. APDU
INTERNAL AUTHENTICATE IS.
c. To IS
KPuAA DG15 LDS.
d. .
M1 IC M2,
M H* H
.
4.

IC
.
Active
Authentication ISO/IEC 9796-2. ICAO
RSA Active Authentication
ECDSA. DG15 LDS.
RSA hash
ISO/IEC 9796-2.
185
ECDSA
hash
DG14 LDS
[ICAO SUPPL]. hash ECDSA

ECDSA hash .
6.3.2.1
AA
Active Authentication
cloning IC Grandmaster Chess Attack.
MRTD IC
(proxy) IC
. proxy IC ,
,
IC.

, IC

. IS
, .
IS
: E[SKIS](IDICC|||)
. IS
IS. MRTD

.

,
.
MRTD
186

.
AA
. MRTD
AA Basic Access Control. BAC

MRTD .
6.4
ICAO
IC MRTD

.
(skimming)
.
10 . .

(eavesdropped) .
6.4.1
Basic Access Control (BAC) ()
O (Basic Access Control, BAC)

ICAO .
(Document Basic Access Keys)
(KENC KMAC )
. MRTD
IS. MRZ
. .
BAC ICAO.

( ) ICC
IFD (Secure Messaging) .
187
ISO/IEC 11770-233 ( 6).

BAC Secure
Messaging
. BAC :
1. IS OCR-B MRZ
MRZ .
MRZ
MRZ_information
.
15: BAC
MRZ_information =
MRTD
MRTD
MRTD

MRTD
2. ICC (Integrated Circuit Card) IFD (Interface Device)

HSHA-1(MRZ_information) 16 Bytes
Kseed.
3. Kseed 23 64 bits Ka Kb
3DES .
32bit counter c Kseed hash
. c
KENC c KMAC.
33
ISO/IEC 11770-2:2008 Information technology Security techniques - Key management Part 2: Mechanisms using symmetric techniques 13
. 6 point-to-point
. ISO 1996.
188
23: BAC KENC KMAC

4.

ICC IFD .
-

. KENC
KMAC
.
nonces
(untraceability).
block
A I: ICAO DES.
IFD ICC :
a. IFD GET CHALLENGE ICC
nonce RND.ICC 8 Bytes.
b. IFD :
189
i.
nonce RND.IFD 8 Bytes

K.IFD 16 Bytes

.
ii.
S = RND.IFD || RND.ICC || K.IFD.
iii.
KENC
E_IFD = E[KENC](S).
iv.

KMAC M_IFD = MAC[KMAC](E_IFD).
v.
MUTUAL AUTHENTICATE
E_IFD || M_IFD.
c. ICC :
i.
M_IFD E_IFD.
ii.
E_IFD.
iii.
RND.ICC S IFD
.
iv.
IFD.
K.ICC 16 Bytes

.
v.
R = RND.ICC || RND.IFD || K.ICC
vi.
E_ICC = E[KENC](R).
190
KENC
vii.

KMAC M_ICC = MAC[KMAC](E_ICC).
viii.
E_ICC || M_ICC.
d. IFD :
i.
M_ICC E_ICC.
ii.
E_ICC.
iii.
RND.IFD S ICC
.
6.4.1.1
Secure Messaging BAC
BAC
Secure Messaging ,
( )
IFD ICC.
BAC
K.IFD K.ICC 16 Bytes
. ICC IFD :
1. Kseed= K.IFD xor K.ICC.
2. M 23
, KSENC KSMAC.
3. APDUs
APDUs. :
a. APDU (
) 3DES CBC Mode ( 54)
191
b. APDU
, Le / Lc MAC
( 55).
APDU
24 25 .
APDU Le
87 97 .
APDU
(padded)
block . padding
MAC ISO 7816-4.

( ).
block
blocks DES CBC .
MAC
. MAC ( 55)
(send sequence counter) APDUs .
192
24: APDU [BSI-TR-03110]
193
25: APDU [BSI-TR-03110]

BSI [BSI-TR-03110] Secure Messaging
3DES AES ( CBC mode).
BSI ( 6.5)
PACE Chip Authentication.
6.4.1.2
BAC
BAC MRZ .
MRTD
MRZ
ID .

194
[KMHG07].
ePassport eID.
MRZ
.
BAC
(KENC KMAC)

ICC IFD. 15
.
73 bits :
: 365 * 100 = 15 bits ( 100 )
MRTD: 365 * 10 = 12 bits ( )
MRTD: 369 = 46 bits ( 9

)
( )
MRTD
o
o
,
,
195

MRTD

50 bits (
) 40 bits (
) [BKJ09].

Brute-Force
.
BAC
MRZ
( ) .

.
.

MRZ.
Moore
18 BAC
5 . 2006 BAC
2 [KMHG07]
MRZ 20 COPACOBANA34 $10.000.
34
COPACOBANA 120 FPGAs Xilinx Spartan3 1000 2008 65

DES . http://www.sciengines.de/products/computers-and-clusters/copacobana-s31000.html
196
BAC
MRTD .
skimming
offline . (6.5.4) ICAO
PACE .
6.4.2
ICAO ()
BAC
. MRTD

( ICAO)
, .
MRTD
BAC , MRZ
MRZ
6.4.1
. ICAO
:
Extended Access Control (EAC)

. (EAC)
BAC KENC KMAC BAC.
EAC
.
( MRZ )

( ). ICC
. ICAO EAC

.
BSI [BSI-TR-03110]
.
197
ICAO
.
, .
IS
.
[ICAO 9303 P3V2].
ICAO 16

.
198
16: [ICAO 9303 P3V2]
6.5
BSI
ICAO Passive
Authentication ICAO
199

MRTD.
BSI [BSI-TR-03110].
ICAO, MRTDs.
6.5.1
Extended Access Control (EAC)
(Extended Access Control, EAC)

ICAO. BSI
(
). 2
( ICC
ICC).

. PKI
6.2.5.
EAC :
Terminal
Authentication (TA)
, . ,
( )
.
Chip Authentication
(CA) Diffie-Hellman

.

(Secure Messaging).
200
26. -
BSI PACE ( BAC)

.
SSL/TLS
EAC. TA CA EAC
.
26: EAC BSI (: [DF10])

[DF10] EAC
(Authenticated Key Exchange, ).

201

AKE .
: ) forward secrecy (. long-term

long-term ) )
long-term (key
compromise impersonation resilience). o EAC

( , MAC , ).
EAC :
Forward Secrecy: long-term

.

. long-term

long-term Diffie-Hellman
.
Leakage Resilience: r1, r2

.
EAC.
.
6.5.2
[BSI-TR-03110] : ePassport, eID

eSign.
. [BSI-TR-03110]

202
IC MRTD. :
Inspection systems, Authentication terminals Signature terminals.
ePassport ( ICAO), o BSI
27.
Standard Inspection Procedure
ICAO Basic Access Control
PACE . MRTD
BAC PACE
PACE .
:
(Inspection system, IS)

. MRTD IS
.
Standard ePassport Inspection Procedure IS
( ).
Advanced ePassport Inspection Procedure General
Authentication Procedure
(
). ePassport
Inspection system BSI
General Authentication Procedure
.
ePassport IS.
(Authentication terminal)
.
. MRTD
General Authentication
Procedure .
203
eID Authentication
terminal.
IS .
(Signature terminal)
.
. MRTD
eSign
eSign
/ Signature terminal.
eSign
Authentication terminal
.

-
Certificate Holder Authorization Template. To MRTD
terminal
(referenced) :
Document Verifier Certificate CVCA Certificate.
( Boolean AND)
. Effective
Authorization.
204
27: IS
ePassport [BSI-TR-03110]
6.5.3
Secure Messaging
Secure Messaging
MRTD .

MAC . Secure Messaging
Basic Access Control ( 6.4.1.1). Secure Messaging
BSI PACE Chip
205
Authentication. Secure Messaging

.
Secure Messaging
Secure Messaging. Secure Messaging
.
6.5.4
Password Authenticated Connection Establishment (PACE)
Password Authenticated Connection Establishment PACE

BSI Basic
Access Control ICAO
[BFK09]. MRTD
.
Secure Messaging MRTD
.
BAC
MRZ , PACE (passwords)

. PACE
password ( passwords 6 ).
passwords .
ICAO BAC (6.4.1)
[ICAO SAC] PACE BAC
. PACE
10 20 BAC
PACE.
BAC , MRZ,
PACE 4 :
206
Card Access Number (CAN)

MRTD
OLED35.
MRTD .
Personal Identification Number (PIN)

.
,
Authentication terminal eID .
Authentication terminal
PIN CAN.
PIN Unblock Key (PUK)

PIN.
MRZ MRZ .
non-blocking
PIN
blocking. PIN
PIN. PIN
CAN PIN.
PIN MRTD
PIN
PUK.
PACE (
)
Diffie-Hellman. .
35
Samsung ID RF-powered AMOLED

(Active Matrix Organic Light-Emitting Diode)
http://www.viddler.com/explore/engadget/videos/916/
207
.
28.
28: PACE [BSI-TR-03110]

Hash
, nonce, 32-bit
. MRTD nonce s ,
(domain) DPICC,
. nonce
(domain) . DPICC
MRTD .
(Proximity Integrated Circuit Card Proximity Coupling Device)
( , ) ( ,
) .
( )
208
Diffie-Hellman .
KENC
KMAC Secure Messaging.
(TPCD TPICC) .
Secure Messaging
.
PACE

Diffie-Hellman : )
)
( 6.6, 19).
6.5.5
Chip Authentication (CA)
(Chip Authentication, CA) BSI

Active
Authentication ICAO. ,
IC .
:

( )
MRTD
.
CA Diffie-Hellman
.
MRTD .
Secure Messaging.
209
H Diffie-Hellman [EN 14890-2] 57

IV:
(EESSI).
Chip Authentication ( Active Authentication)
(PKPICC , SKPICC) MRTD .

( , ) PACE .
1 29.
PACE MRTD
PKPICC . PKPICC
Passive Authentication.
29: Chip Authentication ver.1 [BSI-TR-03110]

1 Chip Authentication
Advanced Inspection Procedure MRTD
Terminal Authentication
.
210

.
MRTD . 2.
2 Chip Authentication
1 MRTD
( )
Terminal Authentication. 2 CA
TA . 2 CA Passive
Authentication Chip Authentication
PKPICC ,
PKPICC CA.
CA
27 PACE BAC

Chip Authentication Secure Messaging.
CA , Secure Messaging
.
6.5.6
Terminal Authentication (TA)
(Terminal Authentication, TA)

MRTD

.
TA Secure Messaging
PACE Chip
Authentication.
TA , ,
(PKPCD , SKPCD).
30.
211
30: Terminal Authentication ver.2 [BSI-TR-03110]

, CVCA
, MRTD . MRTD

PKCVCA .
PKPCD.
2 ,
( , ) SHA-1
MRTD . APCD

MRTD .

.
MRTD
rPICC .

.
, .
212
(IDPICC). BAC
MRTD MRZ
PACE PACE MRTD .

PACE.
, 2 Terminal Authentication
Chip Authentication .
TA
CA
. 2 .
6.5.6.1
TA
6.2.5
.

.
.

MRTDs
.

.
[HHJ06].
6.5.2 BSI,

(Inspection system, IS).

.
213
IS DV
. PKI
DV
.
/.
PKI

.
[HHJ06] on-line

GPRS
. , (back office)
( ),
.
.
on-line Terminal Authentication .

back office
o personalization.

. back office

.
6.5.7
Restricted Identification (RI)
(Restricted Identification, RI)

Chip Terminal Authentication.
MRTD
MRTDs
.
214

Document
Verifier PKI BSI o 21.
(Terminal Sector) Terminal
Certificate . Document Verifier.
Terminal Sector (PKSector).
,
(tracing)
MRTDs.
MRTDs .

.
RI MRTD (
31.
hash (SKID)
( /(pre)-personalization)
(PKSector). SKID

MRTD.
31: Restricted Identification [BSI-TR-03110]
215
6.6
ICAO
Country Signing CA,
Document Signing Active Authentication.
MRTDs
.
O 17 [ICAO 9303 P3V2]

.
( 14, . 180) MRTD.
[ICAO SUPPL]
RSA 1280 bits.
ICAO ( 17)

. (
),
18.
17: ICAO
- -
Country
Signing CA,
Document
Signer,
36
RSA
SOD:

RFC 344736

CSCA
modulus n 3072 bits
DS
modulus n 2048 bits
RFC 3447, J. Jonsson, B. Kaliski, Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications
Version 2.1, February 2003.
RSA . RSASSA-PKCS1v1.5 RSASSA-PSS. ICAO IS .
216
Document
Security
Object
Digital Signature Algorithm

(DSA)
, :
FIPS 186-337
Elliptic curve DSA (ECDSA)
,
:
ANS X9.6238
ISO/IEC 15946
CSCA modulus
p q 3072 256 bits
DS modulus p
q 2048 224 bits
CSCA
256 bits
Active
Authentication
DS
224 bits
RSA modulus n
:
1280 bits

ISO 9796-239
DSA modulus p
q 1024 160 bits
Hashing
ECDSA
160 bits
SHA-1,
SHA-224, ( A II: SECURE HASH
SHA-256,
SHA-384, STANDARD)
SHA-512
FIPS 180-3
18: ICAO

Country Signing CA
128 bits
Document Signer
112 bits
80 bits
37
FIPS 186-3, Federal Information Processing Standards Publication, Digital Signature Standard, June 2009. ICAO
FIPS 186-2 186-3.
38
ANSI X9.62, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Standard
(ECDSA), 2005.
ECDSA DSA .
domain .
39
ICAO ISO/IEC 9796-2:2002 Information Technology - Security Techniques - Digital Signature Schemes
giving message recovery - Part 2 Integer factorisation based mechanisms
2010. ISO
.
. ISO ,
.
217
19: BSI
/
Diffie-Hellman
Elliptic Curve DiffieHellman
PKCS#340
ECKA41
SHA-1
X-
RFC 263142
ECC
2 :
MAC

PACE
3DES 112 bits

FIPS PUB 46-3
55
A I: ICAO
DES
AES 128/192/256
bits
FIPS PUB 197
Secure Messaging
3DES
CBC mode
ISO 10116
AES
CBC mode
ISO 10116
3DES
retail mode
ISO/IEC 9797-1 (
55)
AES
CMAC mode43
40
Public-Key Cryptography Standards (PKCS) #3: Diffie-Hellman Key-Agreement Standard, RSA Labaratories Technical
Note, 1993. Diffie-Hellman

.
41
BSI, Elliptic Curve Cryptography (ECC) Version 1.11, TR-03111, 2009. Elliptic Curve Key
Agreement Algorithm (ECKA) ANSI X9.63. Public Key Cryptography for the Financial Services
Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography, 2001.
ECC Brainpool domain ECC Brainpool, ECC
Brainpool Standard Curves and Curve Generation, Version 1.0, 2005 Lochter M., Merkle J., Elliptic Curve
Cryptography (ECC) Brainpool Standard Curves and Curve Generation, RFC 5639, 2010.
42
Rescorla E., Diffie-Hellman Key Agreement Method, RFC 2631, 1999. Diffie-Hellman
.
[2, p-1] small
subgroup attack.
43
NIST, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, Special Publication
800-38B, 2005.
218
BSI [BSI-TR-03110]
19.
Diffie-Hellman o BSI RFC 511444
(1024-bit modp group 160-bit prime order subgroup) (2048-bit modp group
224-bit/256-bit prime order subgroup).
BSI domain
p 192 521 bits.

ECDLP DLP
. ECDLP

DLP - .
bits
.
20:
44

RSA/DH/DSA
160
1024
80
224
2048
112
256
3072
128
384
7680
192
512
15360
256
Lepinski M., Kent S., Additional Diffie-Hellman Groups for Use with IETF Standards, RFC 5114, 2008.
219
6.7
CEN 15480
6.7.1
CEN 15480
(European Citizen Card, ECC).
[CEN 15480-1] [CEN
15480-2] [CEN 15480-3] [CEN 15480-4]
.
.
Eurosmart45 CEN
( )
. CEN 15480

.
, ,

.
. PIN .
,
. -
. online
( eGovernment, eBusiness, eVoting, eDemocracy,
eBanking, ). ECC eID .
To CEN/TS 15480 Identification card systems European Citizen Card
:
45
Part 1: Physical, electrical and transport protocol characteristics
Eurosmart: - Smart Security (

, , ). 1995
smart secure, smart security
. http://www.eurosmart.com
220
Part 2: Logical data structures and card services
Part 3: ECC interoperability using an application interface
Part 4: Recommendations for ECC issuance, operation and use
M 1 ECC,
,
ISO7810,
ISO7816, ISO14443 ICAO eMRTD ID-1.
2 , ECC
.
. ,
ECC .
.

ICAO BSI .
, (IAS services)
RSA.
.

. IAS
[EN 14890-1] [EN 14890-2]. ECC
( ID )
ECC 4.
3 CEN/TS 15480
H/Y
ECC .
middleware ECC online .
middleware ISO/IEC 24727
. middleware EEC
221
, / ECC
.
4
, .
,
,
CEN/TS 15480-4.

1 2 . 1
ID .
(OID)
, ..
/ .
middleware (
Global Profile) [EUROSM-ECC].
0 General Framework of the ECC
Standard - ECC
ISOs.

46.
6.7.2
CEN 15480-3 Card-Verifiable Certificates
[CEN 15480-3] 32.

Card-Verifiable Certificates, CVCs ( ISO
7816-8), ECC
,
.
46
Lorenzo Gaston,GEMALTO, Presentation EUROPEAN CITIZEN CARD e-ID Interoperability, 14th Porvoo Group 24
Oct 2008, http://fineid.fi/default.aspx?docid=3199&action=publish
222
32: [CEN 15480-3]

T CVC . CVC
CA.
CA , ECC
.
ECC
.
6.7.3
6.7.3.1
CEN 15480
) eID
.
ISO/IEC 14443
:
eID:
. (
)
.
223
ICAO:
, MRTD
ICAO, e-passport.
Passive Authentication, BAC, EAC Chip &
Terminal Authentication Secure Messaging.
SIG: EN
14890

personalization .
6.7.3.2
d) eID (IAS)
To ) eID,
ECC
IAS
.
33.
( ) ( ).
EAC ( backwards compatibility). H eTravel .
e-Services
. e-Services
( ).
224
33: IAS-ECC, () ()
IAS-ECC
ECC.
:
PKI , ePassport [EUROSMECC].
6.7.4
[CEN 15480-2],
, ISO/IEC 7816-4.
(5.1.7) LDS ICAO.
MF (Master File, ), DF (Dedicated Files) EF (Elementary
225
Files). To personalization ECC EF.DIR

( 2F00
30). EF.DIR .
ADF (Application Dedicated Files).
ECC . ECC
PAN (Primary Account Number).
PAN EF.SN .
(8 Bytes) SN.ICC
.
21: Primary Account Number ECC
6.7.5
[CEN 15480-2]
.
14890-1. CEN,
:
ICC
ICC,
2 ,
(
,
Secure Messaging).
226
() Secure Messaging .
ECC [CEN 15480-2]
.
6.7.5.1
()
KK
, IFD ICC.
-
SN.ICC . SN.ICC
IFD.
22.

2 .
(freshness) ( man-in-the-middle
).
22: , [EN 14890-1]
227
6.7.5.2
ECC

:
Key transport protocol: (EN 14890-1, .

8.4) CVC (6.7.2)
ICC. .
1. ICC IFD.
2.
IFD
3. IFD.
Device authentication with privacy protection: (EN

14890-1, . 8.5)
. ICC IFD
. DiffieHellman IFD. - Diffie-Hellman
.
ICC. :
1. .
2. IFD ICC.
3. IFD.
4. ICC IFD.
5. ICC.
228
Privacy constrained device authentication with non traceability based on ELC:

EAC
.

. .

.
ECC o
Secure Messaging
.
( ).
Secure Messaging 14890
ICAO ( 6.4.1.1).
229
7:
7.1

.

.
,
, .

(SA) (VA).
:
O SA VA ,
.

m M s S ,
VA(m, s) = true,
.

. .

(data integrity). , ,
,
' .

(Hash functions).

230
.
(message digest) .

. , ,
47 .
, H(x)=y,
y, x H(x)=y.
, x z H(x)=H(z).
:
x , y .
(x) .

/
, .
MD5, SHA/SHA-1.
31,
.
47
231
34:
7.2
,

, ,
,
. ,
.

,
, ,
.
232
(plaintext),
(Cipher text).
H
.

.
,
.
.
, .
7.2.1

.
, , ,
, .
, .
(IDEA, CAST5, BLOWFISH,
RC4), Data Encryption Standard (DES) 3DES,
IBM 1977
. , ,
,
AES.
.
233
26:
.
1. ,

.
2. ,
.
.
3. ,
, .
4.
5.
, ,

.
7.2.2
,

234
,
- (public) (private) , .
:
1976
Diffie Hellman [DF76], 1978 Rivest, Shamir Adleman,
, RSA,
.
,
( ).

. .
,
.
.
, .
235
27:

.
1. ,

( ). ,
.
2. ,
, .
3. .
4.
, ,
, ,
.

. , ,
, ,
236

.
, ,

. , ,
(Public Key Infrastructure - PKI). ,

.
PKI ,
. PKI
, (servers) . ,
, .
7.3

,
.
. ,
( :
)
(non-repudiation). ,
,
, i) ,
ii) iii)

( / ).
[1999/31/],
, ,
.
237
7.3.1
[1999/93/
,
.
,
,
.
,
(.. ),
(.. ,
).

.
/,

.
7.3.2

[150/2001].
,
. ,
.
,
.
,
,
,
238
, . ,
[150/2001],
. ,
()
.
,
.
A) :
X.509 .
) E :

. ,
. ,
,
(Certification Service Provider-CSP)
() .
)
:
(Signature Creation Device-SCDev)
(signature-creation data-SCD).
, , ,
/
. ,
, (Secure Signature-Creation DeviceSSCD), [1999/93/]
,
SCD ,
239

, SSCD.
,
:
i.
SCDev ,
,
.
ii.
SCDev , ,
, ,
(signature-creation applicationSCA) / .
iii.
iv.
H (key escrow) ,
SCD.
) ,
:
:
i.
.
.
ii.
.
,
. ,
(brute force) .
240
7.3.3
[1999/31/],
[150/2001],
.
3.1 [150/2001]
, .
, 2.2
,
,
:
i.
(Qualified Certificate-QC),
,
II.
ii.
,

. (
8),
,
.
iii.
iv.
,
.
7.3.4
[1999/31/],
.
5.1
241

,
. ,

.
5.1 :
i.

, ,
(, )
.

.
ii.
)
, )
, )
( ),
,
.
,
2.2 (
)
( 2.1),
( 5.2). 5.2
, , ,
.
242
7.4
,

:
7.4.1

(SCD).
(SVD) ,
,
. 20,
21
[ETSI TS
102 176-1], [ETSI SR 002 176].
RSA
=1020
DSA
01.01.2001
p=1020
q=160
243
01.01.2001
[RFC-3447]
[FIPS 186-3],
[ISO 14888-3]
ECDSA-Fp
q=160
r0=104
=200
01.01.2001
[ANSI X9.62]
ECDSA-F2m
q=160
r0=104
=200
01.01.2001
[ANSI X9.62]
ECGDSA-Fp
q=160
r0=104
=200
25.06.2001
[ISO 15946-2]
ECGDSA-F2m
q=160
r0=104
=200
25.06.2001
[ISO 15946-2]
23:
[ETSI TS 102 176-1]
244
RSA
128
128
DSA
128
128
ECDSA-Fp
128
128
ECDSA-F2m
128
128
ECGDSA-Fp
128
128
ECGDSAF2m
128
128
24:
[ETSI TS 102 176-1]
245
7.4.1.1
RSA
RSA,
Rivest, Shamir Adleman, 1978
,
(public key cryptosystems) Diffie
Hellman [DF76].
RSA
, p q, :
To modulus n= p*q
( 23).
p q .
p q (.. q
p). p q n1/2.
A p q , |p-q|
.
, p q,
.
d ( )
modulus n.
e ( )
modulus n.
RSA
(padding).
246
7.4.1.2
DSA
1994 National Institute of Standards and Technology (NIST)

Digital Signature Algorithm (DSS).
Fp. DSA
FIPS Publication 186-3 [FIPS 186-3]. ,
, [ISO 14888-3].
RSA , DSA
, RSA
, .
, ,
, .
(p, q, g)
. modulus p
p ( 1). q,
(p-1),
q ( 1). g FIPS
Publication 186-3 [FIPS 186-3].
[ISO 14888-3], :
= 1024, = 160
= 2048, = 224
= 2048, = 256
= 3072, = 256
,
FIPS 186-3 [FIPS 186-3]. , ,
SHA-1 .
247
p, q, g.
( ) x, ,
0<x<q.
( ) k, ,
0<k<q.
p, q, g, y,
y = gx mod p.
M,
.
, (hashcode) ,
2.2 [FIPS 186-2].
7.4.1.3
ECDSA (Fp)
Galois
(Fq GFq), modulo q.
(Elliptic Curve Digital Signature
Algorithm-ECDSA),
Fq, Fp (prime finite
field) 2 F2m (characteristic 2 finite field). ,
ECDSA Fp F2m.
Fp
[ANSI X9.62]. , ,
[ISO 14888-3], [IEEE P1363] [ISO 15946-2].
:
p
248
q q p
q
E Fp, n
q
P E(Fp) q
E, m, q, P
( ) x, o,
0<x<q
( ) k o, 0<k<q
E, q, P Q, E,
Q = xP.
7.4.1.4
ECDSA (F2m)
(F2m), ECDSA-F2m
[ANSI X9.62]. , ,
[ISO 14888-3], [IEEE P1363] [ISO 15946-2]. ECDSA-F2m

.
:
q q
249
E F2m n
q
F2
P E(F2m) q
E, m, q, P
( ) x, ,
0<x<q
( ) k , 0<k<q
E, q, P Q, E,
Q = xP.
7.4.1.5
ECGDSA (Fp)

(Fp), (Elliptic Curve German Digital Signature AlgorithmECGDSA-Fp48, 49). [ISO 15946-2].

.
ECDSA-Fp,
. ,
48
ecdsa ISO SC 27
ISO/IEC 15946
(Elliptic Curve based German Digital Signature Algorithm). ,
ECKDSA
49
ecdsa Siemens Corporate Technology,

.ElGamal [ELG85], V.Miller [MI86], .Kblitz [K87]. ,
. , ECGDSA
Siemens.
250
k ,
ECGDSA-Fp. ECDSA-Fp.
7.4.1.6
ECGDSA F2m
(F2m)
[ISO 15946-2].
.
ECGDSA-F2m ECDSA
, ( 7.4.1.5).
7.4.2
BnetzA

,
. [BnetzA10],
Bundesnetzagentur fr Elektrizitt, Gas, Telekommunikation, Post und Eisenbahnen (BnetzA)

,
.
, RSA n
1728 2010 2011
1976 . ,
2048 .
, :
(Data Signature Input-DSI), [ISO 97962], .
RSA,
PKCS#1-v1_5 [PKCS #1 v2.1], 8.2 9.2,
2014. , PKCS#1-v1_5
251
2016. ,
2013.
DSA, p 2048 .
2015, q 224 .
2016, q 256 .
ECDSA-Fp, 2010
p. q 224
2016 250 .
ECDSA-F2m 2010
m. q 224
2016 250 .
( 25)
.
:
2010
:
2017
RSA
1768 ()
2048 ()
1976 ()
2048 ()
p
q
p
q
m
q
2048
224*

224

224
2048
256

250

250
DSA
ECDSA-Fp
ECDSA-F2m
25:
* 2015
252
7.5
, :
i.

,
.
ii.
(Time Stamp tokens),

.
iii.

,
.
[ETSI TS 102 176-1],

( ):
i.
(Pre-image resistance):
( ) y, x
h(x)=y. ,

(backwards),
.
ii.
2 (2nd-preimage resistance):
.
, m, m
h(m) = h(m).

.
253
iii.
(collision resistance):
m, m , h(m)=h(m).
(chosen message attacks)50
.

MD5 SHA-1,
. ,
MD5
. ,

2
, , ,
.

, ,
[BR93] (random oracle). To
(Random Oracle Model)
,
. ,
,
. ,
.
26 [ETSI TS
102 176-1].
50

, .
254
sha1*
01.01.2001
ripemd160
01.01.2001
[ISO 10118-3]
sha224
2004
[FIPS 180-3]
sha256
2004
whirlpool
31.03.2007
[ISO 10118-3]
sha384
31.03.2007
[FIPS 180-3]
sha512
31.03.2007
[FIPS 180-3]
[ISO 10118-3],
[FIPS 180-3]
[ISO 10118-3],
[FIPS 180-3]
26:
7.5.1
7.5.1.1
SHA-1
Secure Hash Algorithm (SHA) National Security Agency

(NSA) SHA-0. 1993
(National Instute of Standards & Technology-NIST),
FIPS Pub 180.
, FIPS PUB 180-1 1995,
SHA-1.
160 ,
264 .
512
32- . SHA-1 [ISO 10118-3]
FIPS Publication 180-3 [FIPS 186-3].
7.5.1.2
RIPEMD160
RIPEMD RIPE (RACE

Integrity Primitives Evaluation) 1992. ,
255
Hans Dobbertin, Antoon Bosselaers Bart Preneel ,

RIPEMD-160 [DBP96].
160
512 264-1 .
, , 256 320
RIPEMD-256 RIPEMD-320, . [ISO 10118-3].
7.5.1.3
SHA 224
Secure Hash Algorithm-224, SHA-256 ,

.
SHA-224
SHA-256.
SHA-256 264
256 . FIPS Publication 180-3
[FIPS 180-3].
7.5.1.4
SHA 256
SHA-256 264
[FIPS 180-3].
7.5.1.5
WHIRLPOOL
WHIRLPOOL Vincent Rijmen Paulo S. L. M.

Barreto. 2256-1
512 .
DCA ECDSA
WHIRLPOOL (512 ), , ,
RSA . [ISO 10118-3].
256
7.5.1.6
SHA 384
, SHA-224/256, SHA-384 SHA-512

. SHA-384
, SHA-512
.
SHA-384 384
2128-1 .
1024 64- .
FIPS Publication 180-3 [FIPS 180-3].
7.5.1.7
SHA 512
SHA-512 2128
[FIPS 180-3]

.
SHA-1
SHA-224
SHA-256
SHA-384
SHA-512
RIPEMD160
WHIRLPOOL
()
160
224
256
384
512
()
()
()
<264
<264
<264
<2128
<2128
512
512
512
1024
1024
32
32
32
64
64
80
80
80
80
80
<264
512
32
160
<2256
512
512
27:
257
7.5.2
BnetzA
Bundesnetzagentur fr Elektrizitt, Gas, Telekommunikation, Post und Eisenbahnen

(BnetzA), [BnetzA10]
, :
SHA1 RIPEMD160
2015.
, SHA1
RIPEMD160 2015.
SHA-224 2015
.
, SHA-256,
SHA-384, SHA-512 [FIPS 180-3]. ,
,
, 2017.
28 .
*:

2010
SHA-1

2010

2015

2017
RIPEMD-160
SHA-224
(SHA-1,
RIPEMD-160)**
SHA-256,
SHA-384,
SHA-512
28: K BnetzA
258
* ,
(serial number) 20 ,
.
** .
7.6
,
bytes
(padding).

.
,
, ,
(salt value).
29 .
emsa-pkcs1-v1.5
[RFC 3447]
emsa-pkcs1-v2.1
[RFC 3447]
emsa-pss
Salt
[RFC 3447]
iso9796ds2
Salt
[ISO 9796-2]
iso9796-din-rn
Salt
[DIN V662911]
iso9796ds3
[ISO 9796-2]
29:
259
8:
8.1
,
.

. ,
,
. ,
.
, , ,
, ,
(non repudiation) .
8.2
(PKI)
.

(certification). ,
(public key certificates)
.

.

. ,

.
,
,
260
. ,
.
(Certification Authority).
,
,
() .
,
,
, .
,
. ,

. 35

.

.
() .509
(recommendation) (ITU)
ISO/IEC 9594-8.
261
35:

8.2.1
.509
.509
.

30, 3
(extensions) .
.509 TVL
Distinguished Encoding Rules
(DER).
262
Version
X.509. 3 X.509. 1
issuer unique identifier, subject unique identifier
2, extensions
3.
Serial number
Signature algorithm identifier
2 ,
,
.
Issuer name
Period of
validity
Subject name

,
.
.
Algorithms
Parameters
Subjects public
key
subject name.
.
Issuer unique
identifier
Subject unique
identifier

,
.
Extensions
Signature
30: X.509
263
8.3
:
1) . )
, ) () (.. )
) () (attribute certificates)
(AttributeAuthority-AA).
:
. .
.
, .
.

,
.
2) (..
servers, routers).
(web
servers). ,
domain name web server ( ),
,
SSL TLS
( ).
3) .
- (infrastructure
mode)
.
/ .
264

,

.
,
. ,
,
( 1 3 ),
.
8.4
[ETSI TS 101 862]

[99/93/].
Internet certificate profile [RFC 3739]
X.509 version 3.
A.

countryName. H
.
B. (Qualified Certificate Statements)

"qCStatements extension" .
,
.
:
265
1.
.
OID ( 36),

[99/93/] .
esi4-qcStatement-1 QC-STATEMENT ::= { IDENTIFIED

BY id-etsi-qcs-QcCompliance }
-- This statement is a statement by the issuer that this
-- certificate is issued as a Qualified Certificate according
-- Annex I and II of the Directive 1999/93/EC of the European Parliament
-- and of the Council of 13 December 1999 on a Community framework
-- for electronic signatures, as implemented in the law of the country
-- specified in the issuer field of this certificate.
id-etsi-qcs-QcCompliance
OBJECT IDENTIFIER ::= { id-etsi-qcs 1 }

2. ,
.
)
OID ) (monetary value),
.
266
esi4-qcStatement-2 QC-STATEMENT ::= { SYNTAX QcEuLimitValue IDENTIFIED

BY id-etsi-qcs-QcLimitValue }
-- This statement is a statement by the issuer which impose a
-- limitation on the value of transaction for which this certificate
-- can be used to the specified amount (MonetaryValue), according to
-- the Directive 1999/93/EC of the European Parliament and of the
-- Council of 13 December 1999 on a Community framework for
-- electronic signatures, as implemented in the law of the country
-- specified in the issuer field of this certificate.
QcEuLimitValue ::= MonetaryValue
MonetaryValue::= SEQUENCE {
currency Iso4217CurrencyCode,
amount INTEGER,
exponent INTEGER}
-- value = amount * 10^exponent
Iso4217CurrencyCode ::= CHOICE {
alphabetic PrintableString (SIZE 3), -- Recommended
numeric INTEGER (1..999) }
-- Alphabetic or numeric currency code as defined in ISO 4217
-- It is recommended that the Alphabetic form is used
id-etsi-qcs-QcLimitValue OBJECT IDENTIFIER ::= { id-etsi-qcs 2 }
37: MONETARY VALUE

,

3.
(retention period), .
, ,

,
.
) OID )
,
.
267
esi4-qcStatement-3 QC-STATEMENT ::= { SYNTAX QcEuRetentionPeriod

IDENTIFIEDBY id-etsi-qcs-QcRetentionPeriod }
-- This statement is a statement by which the issuer guarantees
-- that for the certificate where this statement appears that
-- material information relevant to use of and reliance on the certificate
-- will be archived and can be made available upon
-- request beyond the end of the validity period of the certificate
-- for the number of years as indicated in this statement.
QcEuRetentionPeriod ::= INTEGER
id-etsi-qcs-QcRetentionPeriod OBJECT IDENTIFIER ::= { id-etsi-qcs 3 }
38: RETENTION PERIOD

4.
.

, ,
OID.
esi4-qcStatement-4 QC-STATEMENT ::= { SYNTAX QcSSCD IDENTIFIED

BY id-etsi-qcs-QcSSCD }
-- This statement is a statement by which the issuer claims
-- that for the certificate where this statement appears
-- the private key associated with the public key in the certificate
-- is protected according to Annex III of the Directive 1999/93/EC of
-- the European Parliament and of the Council of 13 December 1999 on a
-- Community framework for electronic signatures.
id-etsi-qcs-QcSSCD OBJECT IDENTIFIER ::= { id-etsi-qcs 4 }

SSCD
268
C.

. :
i.
M
(Certificate Policies), 4.2.1.5 [RFC
3280],

[99/93/],
ii.

esi4-qcStatement-1 , , .
8.5

, 35,
. ,
.
.
:
.

. ,

.
.

.
269

. ,

,

. ,
,
.

.

.

. ,

.
,
. 8.3,
.

. ,

.
8.6

.
( 1 3 ),
.
270
(revocation) (suspension),
,
(.. eID
) / (..
).
(certificates serial number)
(Certificate Revocation List-CRL)
.
271
9: eID

(Signature Creation Environment-SCE)

(Signature Creation System).
,
(Signature Creation Application-SCA), (Signature Creation
Device-SCDev) -
- (SSCD)
,
.
,

(Signers Document-SD),
,
(Data Content Type) .

[1999/31/], 7.3 ,
,

-

.
9.1

, ,
, .
272
[CWA 14170]
.
40: [CWA 14170]

(SCA)
(SCS)
(SCE). ,
.
(hardware)
/
.
273
SCA SSCD
,
(Data To Be Signed-DTBS),
(Signed Data
Object).
,
(Trusted)
(Application Specific) (components) SCA. ,
SCA

. ,
40, :
SCA Manager.
,
SSCD,

.
SSCD. To SSCD SCA
SCA
DTBS,
SSCD ,
SCA.
SCA .
.
9.2
SCA [CWA 14170]

SCA. :
274
Signer Interaction Component-SIC. SCA

SCA (.
).
Signers Document Presentation-SDP. SD
, SIC.
Signature Attributes Viewer-SAV.
SIC SD.
Data To Be Signed Formatter-DTBSF.
,
(Data Hashing Component).
Signers Authentication Component-SAC.
/
, , ( 9.6). ,

SSCD.
Data Hashing Component-DHC. DTBSF (
,
9.7). SSCD,
DTBS
SSCD.
SSC-SCDev/SCA Communicator.
.
SSA-SCDev/SCA Authenticator.
.
.
275
:
SD Composer-SDC. ,
(. ) ,
.
Signed Data Object Composer-SDOC. DTBSF

SSCD
, SDO
(Signed Data Object), [ETSI TS 101 733].
Signature Logging Component.
, .
SSCD Holder Indicator-SHI. SSCD.
9.3
(
41) (SCS) .

.
SCS.

.
SCS
() .

.
276
41:
9.4
[EN 14890-1]

, (application interface)
. 42 43
(application flow)
[CWA 14170].
277
42: SCA SSCD

1999/31/ [EN 14890-1]
278
43: ICC ESIGN

[EN 14890-1]
279
42 :
. ( 44)

.
44:
( 45)

SSCD SCA,
Secure Messaging
.
45:
. ICC
(IFD) .
.
,
.
(secure messaging) ISO/IEC 7816-4.
280
:
SCA SSCD .

9.5
( 42),
,
.
[EN 14890-1] ,
,
. ,
, '
. , ,
, .
9.5.1
( 42 43).
:
1. (. ).
2. .
,
. [ISO 7816-4]

. :
VERIFY
CHANGE REFERENCE DATA
RESET RETRY COUNTER

281
9.5.1.1
,
.
.
, .
, VERIFY.
31 32 VERIFY APDU,
. , ,

(retry counter).
, (. =3).
.
CHANGE
REFERENCE DATA. 7.5.6 ISO/IEC 7816-4
33 34 APDU . ,
retry
counter
. , ISO/IEC 7816-4
RESET RETRY COUNTER,
(reset) retry counter
. (Resetting Code) 6
, . 35, 36 ,
APDU RESET RETRY
COUNTER.

CLA
INS
P1
P2
Lc

ISO/IEC 7816-4
20 VERIFY
00
<keyref> password reference
< >
< >
31: APDU VERIFY

282
SW1-SW2
ISO/IEC 7816-4
32: APDU VERIFY
CLA
INS
P1
P2
Lc

ISO/IEC 7816-4
24 CHANGE REFERENCE DATA
00

[0 |8] KID of password reference

<password>||<new password >
33: APDU Password Change

SW1-SW2
ISO/IEC 7816-4
34: APDU Password Change
CLA
INS
P1
P2
Lc

ISO/IEC 7816-4
2C RESET RETRY COUNTER
[00.. 03]
[0 |8] KID of password reference

*
35: APDU RESET RETRY COUNTER

* P1. RESET
RETRY COUNTER .
283
, ,
VERIFY. P1 :
P1 = 00

P1 = 01 (Resetting code)
P1 = 02 (New reference data)
P1 = 03 (Data field absent)

SW1-SW2
ISO/IEC 7816-4
36: APDU RESET RETRY

COUNTER
APDU P2 reference value
(key identifier-KID). [EN
14890-1] KIDs:
KID = 8x Key reference to local reference data.

. KID

(cryptographic information objects).
KID = 0x Key reference to global reference data. KID

.
284
9.5.1.1.1

46.
DF.CIA.

5 [EN 14890-1].
46: 12345

9.5.1.2

. [EN 14890-1]
:
i.
(off-card). ,
(interface device)
.
285
ii.
(on-card).

.
ICC (interface
device-IFD)
Biometric Information Template (BIT) [ISO7816-11],
, 48.
To Biometric Information Template, ,
, SCA,
DF.CIA GET DATA [ISO 7816-4].
:
To AlgID key reference

(biometric reference data)
(.. )
9.5.1.2.1
,
.
o (secure messaging), ( 6.5.3).
GET DATA Biometric Information
Template VERIFY
(biometric template).
286
:
(terminal)

, biometric
information template . H
BIT
,

- (biometric reader),
(scanning). ,
, .
.
,
.
37, 38 APDU
(Biometric Templates), ( 47 48).

CLA
INS
P1
P2
Lc

ISO/IEC 7816-4
21 VERIFY
00
xx
reference data qualifier

<biometric data template> ( . 39)
37: APDU x

SW1-SW2
ISO/IEC 7816-4
38: APDU

287
47:
48:
9.5.1.2.2
, ,

. APDU
(. 39, 40)
288
CLA
INS
ISO/IEC 7816-4
21 VERIFY
00

[0x | 8] KID of referenced password or biometric
data reference

5F2E 00 || 4D 00
P1
P2
Lc

39: APDU
SW1-SW2
ISO/IEC 7816-4
40: APDU

9.6
ICC
,
,
. ,
PSO:COMPUTE DIGITAL SIGNATURE PSO:HASH,
APDU , [ISO 7816-4].
9.6.1
ICC IFD
ICC
ICC . 49 ,

ICC,
EAL+ SOF-High, [CWA 14169].
289
,
. (intermediate)
big endian51 bit count.
49:
,
_1 ( ICC)
51
Big Endian ( ): (, ) 1 byte

. endianness. Big Endian
, byte MSByte (Most Significant Byte)
LSByte (Less Significant Byte).
290

. , :
i.
ii.
,
.
, ,
. -
Format_1 .
iii.
, ,

7.5. , _2,
:
ICC.
ICC ICC. , ,
.
ICC,
, .
iv.
Digital Signature Input ,

, Digital Signature
DS[<key>](dsi).
9.6.2
ICC
,
. ,
ICC PSO:COMPUTE DIGITAL
SIGNATURE. APDU 41, 42.
291

CLA
INS
P1
P2
Lc

Le
ISO/IEC 7816-4
2 PERFORM SECURITY OPERATION
9
COMPUTE DIGITAL SIGNATURE
9
data to be signed

data to be signed
00
41: APDU o
ICC
TLV
SW1-SW2
ISO/IEC 7816-4
42: APDU o
ICC
9.6.3
ICC
. ,
, ICC
ICC PSO:HASH,
(. 43 44).

CLA
INS
P1
P2
Lc
ISO/IEC 7816-4
90
hash
0
input template for hash computation

90 L90 <intermediate hash-code followed by big
Endian bit counter>
80 L80 <data to be hashed>
43: APDU o
ICC. (1/2)
292
SW1-SW2
ISO/IEC 7816-4
44: APDU PSO:HASH

,
PSO:COMPUTE DIGITAL SIGNATURE (. 45 46).
CLA
INS
P1
P2
Le
ISO/IEC 7816-4
9
9
data to be signed
xx
45: APDU o
ICC. (2/2)

plain signature
SW1-SW2
ISO/IEC 7816-4
46: APDU PSO-COMPUTE DIGITAL

SIGNATURE
9.6.4
ICC
, ,
ICC.
,
PSO:HASH ( 47 48)
PSO-COMPUTE DIGITAL SIGNATURE (. 49 50).
293

CLA
INS
P1
P2
Lc

ISO/IEC 7816-4
2 PSO:HASH
90
hash operation
80
plain value
xx
plain data to be hashed
47: APDU o
ICC. ICC (1/2)

SW1-SW2
ISO/IEC 7816-4
48: APDU o
ICC

CLA
INS
P1
P2
Le
ISO/IEC 7816-4
9
9
data to be signed
00
49: APDU o
ICC. (2/2)

SW1-SW2
plain signature
ISO/IEC 78164
50: APDU PSO-COMPUTE DIGITAL

SIGNATURE
294
9.7
ICC
,
. [CWA 14171-00],
. (Initial validation)
(Subsequent validation). [CWA
14171-00] .
: ,
,
.
E : ,
,
,
(Initial Verification time).

ICC,
:
DSI ( RSA )
9.7.1
50
, . PSO:
295
HASH 9.6 , MSE: SET PSO:VERIFY

DIGITAL SIGNATURE.
ICC
PSO: HASH
OK
MSE: SET
PSO:VERIFY DIGITAL
SIGNATURE
50:

50 ICC

PSO:HASH. (
ICC), APDU
, 51.
90 L90
xxxx =
80 L80 xxxx =
51: APDU
,
APDU
52.
296

L
90 L90
V
xxxx =
52: APDU
,
MSE, PSO: VERIFY SIGNATURE.
MSE :

/.
( key reference Digital

Signature Template) .
APDU 53.

CLA
INS
P1
P2
Lc

ISO/IEC 7816-4
22 MSE
81
SET for verification
B6
Digital Signature Template

54
53: APDU MSE:SET
90 L90 xxxx = DO Alg reference (for DSI format)

83 L83
xxxx = DO KeyRef of the users PK
54: APDU MSE:SET
297
APDU bytes SW1SW2 :
9000 =
6xxx= .
,
2.
VERIFY DIGITAL SIGNATURE. ARDU
55.

CLA
INS
P1
P2
Lc

ISO/IEC 7816-4
2A VERIFY DIGITAL SIGNATURE
00
SET for verification
B6
Input template for signature verification

56
55: APDU VERIFY DIGITAL SIGNATURE
9 L9
, DSI
2
56: APDU DIGITAL

SIGNATURE
APDU . status byte
.
298
10: eID

, (European Economic Area, EEA)

27 , .
,
.
51: 52
10.1

eID.
52
: Wikipedia, European Economic Area, http://en.wikipedia.org/wiki/European_Economic_Area
299
[IDABC-PEGS], [ENISA09], [FIDIS-D3.6], [EU-ID], [WIKI-ID]

.
57 . eIDs
,
.
. - .
( 6.2.3.1)
eGovernment eGovernment eCommerce
. eIDs .
57: ID eID ()
ID
eID
eID
eID
eID
( 2004)
( 2004)
,

2012
10 25
(
2010)
,
2012

24: 28.80
24:
19.80
16-18:
( 2002)
16
(
2006)
2011
ID
300
ID
ID
eID
eID
eID
eID
53
( 2008)
( 2006)
10
( 2001)
25 45
eID
(
2009)
46
(2010)
( 2009)
23,17
(
54)
15
( 2005)
42.85
,
18
( 2011)
( 2007)
12
( 2005)
42
( 2003)
:
51.47
: 25.73
53
eID (debit) , PKI

. 2008-2012 , eIDs
. http://skilriki.is/utgafa/frettir/nr/46
http://eng.forsaetisraduneyti.is/media/utgefidefni/Iceland_the_eNation.pdf
54
H LuxTrust SA, CA,

.
.
. https://www.luxtrust.lu/solutions/smcardinfos/smcardinfo
301
eID ,
eID
.
,
eID
eID .
10.1.1
(
, , , , , )
(
, , , , ) [IDABC-PEGS].

( , , , , , )
eGovernment .

.

(
TAXISnet ).
,
,
.
.
302

PKI

[OBS-EID]. :

,
.

,

.

, .
-
.

.

.

.
10.1.2
eID
( 58). ICAO
. :
, , . 59
303
ICAO BAC.
BAC PACE.
EAC

. EAC,
EAC .
UID
(, , )
5.1.9.1.
58: , , eID

personalization
PIN
ECC
ICAO
(
)
304

personalization
PIN
(
)
59: eID
ICAO
BAC
EAC
UID

ECC
ICAO
(
PACE)
(
)
(
ID
eGovernment ) personalization
, (
305
) 58.

.

eID .
PIN ( )
. PIN

( )
.
.

.
BAC MRZ
(MRZ
).

.
(
).
PKI ,
eID .

, eID

. eID

,
.
-
306

. 6.3.2.1 AA,
.
-
,
,
, .

([1995/46/] . 7).

. 58
eID
.
eID

-.
tamper
proof EAL4+ SOF-High.

, [PRADO] , online

.
eID -
[PRADO],
ID-1 .
307
10.1.3 , &

( citizenspecific UID) (cardspecific UID). citizen-specific UID

. card-specific UID ,
.

.
eGovernment
:

.

.

( 3.2).
, UID
.

.
UID
UID
.
.
308

.
-
.
. - (
)

(semantic information)

. (FINUID)
eID
. ,
(sourcePIN)

[OBS-EID].

,
.
(domain-specific UID sector-specific UID)

.
.

.
(linkability)

(
U-Prove Microsoft55
55
U-Prove Technology Overview, Microsoft Corporation, March 2010, available:

https://connect.microsoft.com/site642/Downloads/DownloadDetails.aspx?DownloadID=26953
309
Idemix IBM56).

.
eIDs
- (unlinkability)
(selective disclosure) (

).
60 UIDs
eID
. ,
,

UIDs .
60
.
PACE.

[IDABC-PEGS] - :
1 2010
,
ICAO
2 2009 ,
56
21 2009 ,
Identity Mixer, , available: http://www.zurich.ibm.com/news/07/idemix.html
310
eID 2007
templates
eID
Match-on-Card

.

ISO/IEC FCD 24745 ( Final Committee Draft)
templates.

.
60: ,
eIDs
UID
UID
UID
( )
.&.

.&.
.&.
.&.

.&.
.&.
311
UID
UID
UID
.&.

( )
.&.
.&.
.&.

(PIN)
hashed
,
.&.
template
.&.
10.1.4 eIDs
Eurostat, o eIDs
, , ( 28). :
eIDs
Internet ( 29)
eGovernment eCommerce
eID.
312
28: eIDs, (%) eID
Internet
.
(EU-27)
( )
online .
eIDs.
29: Internet online Banking, (%), 2009
313
30: E-Government, 16-74

online 20 (%), 2009
2010
18,6% 24,8%.

.
314
52:
( )57
10.2 - eID
10.2.1

58 22-11-2010 ,

,
.

.
.
57
11 , , 2010, :
http://www.observatory.gr/files/meletes/11_Broadband_report_a10.pdf
58
22-11-2010, :
http://www.opengov.gr/ypes/wp-content/uploads/downloads/2010/11/karta-politi.pdf
315
, (eID )

(eSign ).
. 12-12-2010
1361 ,
.

.
.
.

,
.
59
, ,
.

.

.
60 2011
59
, , ., 5/1/2011, :
http://avgi.gr/ArticleActionshow.action?articleID=590967
60
) , ,
29/12/2010, : http://www.tovima.gr/default.asp?pid=2&ct=32&artId=375343&dt=29/12/2010
316
.

:

/
.

,
,

.

( ).
10.2.2
(Art. 78-1 to 78-6 Code de procdure pnale)

.
.
ID , , , ,
.

) ,
& , 4/1/2011, :
http://www.ypes.gr/el/MediaCenter/Minister/Seasonable/?id=a8a1568b-1e50-4854-8f4d-6885d2f7ec90
) , &
, 29/12/2010, :
http://www.ypes.gr/el/MediaCenter/Minister/Seasonable/?id=797c2e9b-7ee8-41e9-8c3b-58e400a5d43a
317
.
ID

4 .

, .
MRZ .
.
.

.

2007.
.
INES
(carte d'identit nationale lectronique scurise)
RFID .

,
, CNIL (Commission nationale de
l'informatique et des liberts). -
:

. ID
1995 .
318

61.
ECC , (backwards
compatibility) (PKI, ePassport, - Carte
Vitale). ECC-IAS ( 6.7.3.2) [ID-CRED0210].
31: ID
61
Wikipedia, National identity card (France), http://en.wikipedia.org/wiki/French_national_identity_card
319
10.2.3
,

. ,
[ 2252/2004] [ 444/2009] (
MRTDs),
. .
,
.

2 .
To 2006 9/11
. Identity Cards Act 2006
,
.
(Labour party: Tony Blair 1997-2007, Gordon Brown 2007-2010)

.
2009
.
.

.

,
.
,
(Lipset).
.
J. Christoph
320
.
,
62.
, 23-4-2009 .
(Home Office)
-

. .
, ,
, .

.

. eID

.

:
ID

.
.
62
http://el.wikipedia.org/wiki/___
321

PA
Consultancy ( . ) stick
84.000
,
.
eIDs.

.
- (4,5.)
.
( NO2ID)

.
32: NO2ID
322
2010
Conservative-Liberal Democrat eIDs.
Conservative-Liberal Democrat David Cameron
306+57 (Labour) 258
.
(Identity Documents Act 2010)
21 2011. 15.000

30 63.
(National Identity Register)

21 2011
. . Damian Green

, , 64.
.
257.
.
IBM
(
) , .
4 1.

.
63
Newspaper Guardian, ID cards scheme to be scrapped within 100 days, Alan Travis, 27-5-2010,
http://www.guardian.co.uk/politics/2010/may/27/theresa-may-scrapping-id-cards
64
UKs Home Office, Identity & Passport Service, http://www.ips.gov.uk/cps/rde/xchg/ips_live/hs.xsl/53.htm
323
33: eID .
10.3 - eID
10.3.1
,
(citizen card) ,
.
tokens (
)
324
, /, USB tokens, (e-card65),

a-trust66, Maestro, ,
67.

( (SSCD).

online / .

, .
online
.
, :
, , . sourcePIN,
(
. email ),

(
).
sourcePIN
(3DES)
65
http://www.chipkarte.at/
66
http://www.a-trust.at/
67
Choosing a Citizen Card, http://alt.buergerkarte.at/en/aktivieren/anbieter.html
325
(CRR ) (Central Register of

Residents68) .
sourcePIN .
(SHA-1 )
/
sourcePIN.
( SA
, UW )
(non-linkability)69.
sector-specific personal identifier (ssPIN) ,
middleware .
( . , )
sourcePIN . sourcePIN
middleware .

.

(e-card)

.
PIN .
2009 70.

. (security layer)
68
http://zmr.bmi.gv.at/
69
Austrian Citizen Card, http://alt.buergerkarte.at/en/ueberblick/index.html
70
Austrian Mobile Signature, http://alt.buergerkarte.at/download/MobileSignatureSummary.pdf
326
/

. security layer middleware
.

PIN.
(server). O server (hardware security module)
.
, ( )
server.
PIN
.
server
PIN (). PIN
.

(TAN) (SMS).
.
marketing .
( 34)
-
.
34: , -
327
10.3.2
12 (
carte d'identit, identiteitskaart Personalausweis).
15
200 . .
(
, , ). ID 12
.

yy.mm.dd-xxx.xx ( yy-mm-dd
) MRZ .
.

.
- 71.
2004 eID
Infineon ( SLE66CX322P72) JavaCard Axalto.
136KB ROM, 4KB RAM 32KB EEPROM 32 KB
(EEPROM). eID
. eID 5 ,
.

, PIN
(PUK ) .
eID 10 25.
71
Belgian ID, Matrice photo, Critres dacceptation des documents didentit belges pour la photo
http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/8%20documentation/ZCA11495-matrix-BR-FRv8.pdf
72
SLE66CX322P Datasheet, http://www.datasheetcatalog.org/datasheet/infineon/1-SPI_SLE66C322P_0801.pdf
328
identity file
, address file
.
X509 .
eID RSA 1024-bit :
, .
.
SSL/TLS.

.
(RRN)

, .
PIN ,
, PIN
, PIN
.
53 PKI .
.
Citizen CA. Root
CA (Gov CA)
(RRN Cert),
(Server Code sign Certs) . Root CA
GlobalSign,

. .
329
53: PKI eID (: [CWP06])

ID ( )
FYROM, ,
.
www.checkdoc.be

( ) , ,
.
2009 Kids ID,
ID 12 . Kids ID
12 , .

330
. 36 Kids ID
. Kids ID

6 .
.

chat , .
35: eID PC
73
73
eID Internet Explorer, :

http://eid.belgium.be/nl/binaries/eID_WIN_IE_NL_tcm147-22468.pdf
331
36: Kids eID
10.3.3

.
PACE BSI eID
BAC.
BAC PACE
e-passports. 2005
ePass
.
, .

,
.
,
,
.
332
eID .
2010 2012
16 .
.

.
.
Bitkom 44% eIDs74.

, Chaos Computer Club (
)
Wolfgang Schuble Datenschleuder
2008
. ""

75.

:
ICAO,
,
online
: .
74
Business Review Europe, D. Moore, German eID Cards Spike Surveillance Fears, Nov 2010, available:
http://www.businessrevieweurope.eu/tags/german-id-cards/germans-eid-cards-spike-surveillance-fears
75
Kleinz Torsten (2008-03-31), "CCC publishes fingerprints of German Home Secretary", Heise Media UK Ltd.,
http://www.h-online.com/newsticker/news/item/CCC-publishes-fingerprints-of-German-Home-Secretary-734713.html
333
(RFID)

.

.

templates .
templates
.
NXP Semiconductors SmartMX
128KB.

4
8 10 .

.
reverse engineering laser
firewall 76.
,
.
.

.
.
.
:
.
76
http://www.nxp.com/infocus/topics/german_national_id_card/index.html
334

.
(eID)
.
,

.
(,
)
PACE
CAN MRZ ( )
PKI . eGovernment
eBusiness PKI
PIN (PACE
PIN). .
eID 6 24
10 24 .
335
37: ePassport () eID ()

150
eID. : online banking,
online shopping, check-in , online
, , .

, 77
10.3.4
2002 (: IDkaart)
FYROM, ,
. ID
15 78. 5 .
: 1 eID 79,
1,35 .
77
Germany deploys contactless national ID, 11 Feb 2011,
http://www.contactlessnews.com/2011/02/01/germany-deploys-contactless-national-id
78
http://www.politsei.ee/en/teenused/isikut-toendavad-dokumendid/id-kaart-kodanikule/taiskasvanule/
79
http://www.sk.ee/pages.php/0203
336
2000 eID
Infineon ( SLE66CX320P )
, Micardo v2.1 Sagem Orga.
136KB ROM, 4KB RAM 32KB EEPROM.
eID . .
.
(isikukood) .
GYYMMDDSSSC,
, G
( , , 1-2
19 , 3-4 20 , 5-6 21 ), SSS
C
.
-
.
(isikukood)
,
. 15/12/2000
.
(digidoc.sk.ee)
eIDs
.
.
,
.
, Trb Baltic AS
Trb AG. ,
337
PIN. ,

, (CA). CA
Trb Baltic AS
, 80 ,
. ,

PIN (RA) ,
PIN
.
eID
.
email .[.X]@eesti.ee. eesti.ee
S/MIME mailers
email .
ID
(eVoting). 2007 eVoting
30.000 .
: eID ,
,
(RSA), (RSA) .
, ,
.
eVoting
,
[OIT08].
eID X.509
(eGovernment) .
80
http://www.sk.ee/
338
, ,
( Eshop ) web 81.

eID .
eBanking (
), SMS 82.
email SMS
. eID ,
. eID
.
GSM
1 .
2007
SIM ,
.
81
Web-based services with ID-card support, http://www.id.ee/?id=11108
82
Pilet, Transport, available: https://www.pilet.ee/cgi-bin/splususer/splususer.cgi?lang=en
339
38: eID
10.3.5
(Carta d'Identit Elettronica, CIE)
2001. 1 2006
CIE . 2009
CIE 1,8 .

.

.
180 IDs83
, PKI .
CIE , 25 - 45 [AGS10].

(Codice Fiscale) 16
.
.
83
http://en.wikipedia.org/wiki/Italian_electronic_identity_card
340
32KB (EEPROM)
64. ,
online
.
1 2010
.
. CIE eGovernment .
.
Tor Vergata.
133/2008,
5 10 .
39: eID
341
10.3.6
, ,

, , ,
. 14
(Documento nacional de identidad,
DNI).
256
.
40: eID

, 2009 14 . eID
[IDABC-PEGS] 46,5 .
eID
online .
DNI ,
.

342
. .
, ,
MRZ.
. 14
,
. 30 5 .
30 70 10 . 70
84.
2006 DNI 85
STMicroelectronics, ST19WL3486 32KB.
64KB (EEPROM). .
DNI
[1999/93/EC]
.
,
(Protection Profiles) [CWA 14169],
(National Cryptologic Centre-CCN)
(Intelligence National Intelligence Centre-CNI).
,
,
. :
component
84
PRADO, , http://www.consilium.europa.eu/prado/EL/2274/docHome.html
85
DNI-e, http://www.dnielectronico.es/
86
ST19WL34 Datasheet, http://www.dnielectronico.es/PDFs/st19wl34.pdf
343
X509v3:

.
,
:
. X509v3.

.
(Spanish
Police Department-DGP) ,

. ,
,
(Validation Authority)
.
, ,
.

,
,
,
.
3
[HG10]:
344

component Diffie-Hellman .

.
RSA .
PIN .

.

(Punto de Actualization del DNIe) .

, o CA
.
EAC.
3 :
1.
PKCS#11.
2.

.
( PUK ).
3.

[EHQ07].
345
41: eID
10.3.7

16 .
16 .
72 (EEPROM)

80 (EEPROM) 87 ICAO
87
Personalisation Of Identity Documents Centre Under The Ministry Of The Interior Of The Republic Of Lithuania, Personal
Identity Card, http://www.dokumentai.lt/en/pic.php
346
[ 2252/2004] .
.
42: 2
(Population Register)
/ .

( ,
, ), ( ) .
. personalization
.
Gemalto 2009 900.000
Sealys Laser-Secured eID .
EAC
6: IC
.
347
.
online 88.

PKI
CVCA
.
DVCA
DV
CVCA .
eID

89.
88
http://www.dokumentai.lt/en/pic_ypat.php
89
http://www.dokumentai.lt/en/pic_bio.php
348
43: eID ( 2 )
10.3.8
21 2009 ID

2006
ICAO .
(Tax and Social
Security number - Sofi-number)90. 2006

( BAC ). ICAO :
BAC, Passive Active Authentication91.
ISO/IEC 19794-5
Photo Matrix 200792 ICAO.

.
90
Ministerie van Binnenlandse Zaken en Koninkrijksrelaties, Reading the chip, 2007, available:
http://www.paspoortinformatie.nl/english/Travel_documents/Reading_the_chip
91
Ministerie van Binnenlandse Zaken en Koninkrijksrelaties, Authenticity Features Model 2006, available:
http://www.paspoortinformatie.nl/english/Authenticity_features/Model_2006
92
Dutch Passport Regulations, the Photo Matrix 2007 Model, available:

http://www.paspoortinformatie.nl/dsresource?objectid=4653&type=pdf
349
.

.
5

( ).
(
)
.
44:
350
45:

. 2008

. OVchipcard
.

() (
) 93.
93
Statewatch article: RefNo# 29437, Netherlands: Biometric passport data linked to criminal databases by J van Someren and
K McGauran, Statewatch Bulletin; vol 19 no 3 July-September 2009, http://database.statewatch.org/article.asp?aid=29437
351
.

.
.

. ,

.
,

8
( ).

. ,
3 . . Peter Hustinx
94 : ,

. [...] ,
;.
Statewatch article: RefNo# 29882, Netherlands: Central databases challenged, by Kees Hudig, Statewatch Bulletin; vol 20 no
1 January-March 2010, http://database.statewatch.org/article.asp?aid=29882
94
European Data Protection Supervisor, http://www.edps.europa.eu/EDPSWEB/edps/EDPS?lang=el
352
10.3.9

18. .
:
PESEL (Powszechny Elektroniczny Spis Ewidencji Ludnoci General Electronic System for Citizens Evidence) NIP (Numer Identyfikacji
Podatkowej - Tax Identification Number) .

PESEL 11
YYMMDDZZZXQ. YYMMDD (
) , ZZZ
, X Q
.
95
. 2011

. eID IT
( ,
, ..).
PIN (polish
PIT - Personal Incoming Tax).
.
95
Centrum Projektw Informatycznych, CPI Projekty Informatyczne dla Administracji Publicznej, pl.ID - polska ID karta,
available: http://www.cpi.mswia.gov.pl/portal/cpi/38/195/plID__Elektroniczny_dowod_osobisty.html
353
46: eID
eID EN 15480
ID
96. pl.ID project
98 . 85%
97. eID ,
.
96
IDABC European eGovernment Services, eID Interoperability for PEGS, National Profile Poland, Nov 2007, available:
http://ec.europa.eu/idabc/en/document/6484/5938/
97
ePractice.eu, PL/EU: European Commission approved funding for the pl.ID project, 15 July 2010, available:
http://www.epractice.eu/en/news/327625
354
10.3.10
16
. 2007 (Carto de Cidado).

, .
( 47).
47 .
: 384KB
(ROM), 72KB / (EEPROM), 8KB
(RAM) 2KB
(crypto. RAM).
.

.
templates (
). 5 .
.
Frost & Sullivan, Yiru Zhong, Second Wave of eIDs in Europe, available:
http://www.frost.com/prod/servlet/cpo/197881723.htm
355
47: eID
10.3.11

.
. 2005
(identity fraud)
IDs .
(: nationellt id-kort)98
, 1 2005.
.
32KB (EEPROM).
eGovernment
(jpeg ) .
.

(: personnummer).
98
http://www.signguard.se/faq.aspx?faqno=9
http://www.epractice.eu/en/document/288382
356
, , (
), .
.
10
, ,
.
48: eID ( 2 )
MRZ

BAC. EAC.

.
357
10.3.12

(FINeID) 1998.
(henkilkortti/identitetskort)
. eID
[IDABC-PEGS] 2009, 250.000 eID
100.000 .
PKI .

.
PIN [FIDIS-D3.6].
2003 eID (shkinen henkilkortti/elektroniskt
identitetskort) .
6 . eID
.
.

.
52 [AGS10].
5 .
FINeID
eGovernment , emails
99. ,
(, ) .
( ) online ( eID )
.
99
Population Register Centre, Finland, http://www.intermin.fi/vrk/home.nsf/www/electronicidentity
358
(FINUID)
.
(SSIN) eGovernment .
eGovernment
.
,
, 0800
.
HelpDesk : )
online )
100.
1 2004 FINeID (Kela
card). FINeID
. ( 49)

, .
100
FINeID, Revocation Service and HelpDesk, http://fineid.fi/default.aspx?docid=2356&site=10&id=513
359
49: eID
10.3.13
.
2009 ID .
16 .
.
MRZ .
.
RFID . eID
.
360
50: eID - : Sagem Scurit

(SAFRAN Group)
361
11: -
,
-,
. .
11.1
eID e-passports
.

eIDs e-passports
.
eIDs e-passports ,
.
, ,
, , ,
. ,
,
.
.

.

. match-on-card
,
.

.
362

, ,
.
;
templates , .

;
;
[HHJ06] templates
, template
.

.
/

.

.
.
.

.

.
(
)
.
363

( - 43 49)
.

() () .
: ) , )
, )
, )
, )
( ).

.
( 10 ) .

, ( )
.

,
,
,
.

.
4.2.3
RFID.
.
eID .
364

.
,
ICAO
eMRTDs. [HHJ06]
USB ( ISO/IEC 7816-12).
General
Authentication Procedure 27
: )
(PACE), )
(Terminal
Authentication), )
(Chip Authentication), )
(Passive Authentication) )
(Secure Messaging).
CEN 15480
ICAO
ICAO
. ICAO CEN
.
CEN
( )
.
CEN , eIDs
.

( )

.
CEN (
365
[CEN 15480-2]
ICAO).
11.2
30 14 eIDs, 7
eID 6
. 3
eID .
eIDs
.

, ,
.

laptop
.

( ,
)
.
eID
(
,
), .
( 6.1)
, ,

366
( PIN
) .

.

.
(built in help)
(pre-installed, pre-configured),
.

ECC CEN 15480 1 2,
3 4,
ECC.

-
, ECC
.
.

,
ECC ,

.
11.2.1
Open
Smart Card Development Platform101, (
101
OpenSCDP, http://www.openscdp.org
367
PKI ,
),
, (
, , ). ,
RSA ,

.
368
[AGS10]
Ahlswede Sophie, Gaab Julia, Speyer Bernhard (edt), eIDS in Europe,

Research Briefing, Deutsche Bank Research, Sep 2010, available:
http://www.dbresearch.de/PROD/DBR_INTERNET_DEPROD/PROD0000000000262236.pdf
[BFK09]
Jens Bender, Marc Fischlin, Dennis Kugler, Security Analysis of the

PACE Key-Agreement Protocol, 12th International Information
Security Conference (ISC 2009), 2009.
[BKJ09]
Jens Bender, Dennis Kugler, Introducing the PACE solution, Keesing

Journal of Documents & Identity, issue 30, 2009, available
https://www.bsi.bund.de/cae/servlet/contentblob/793998/publicati
onFile/44914/Keesing_10_09_Introducing_the_PACE_solution_pdf
.pdf
[BnetzA10]
Bundesnetzagentur fr Elektrizitt, Gas, Telekommunikation, Post

und Eisenbahnen, Bekanntmachung zur elektronischen Signatur nach
dem Signaturgesetz und der Signaturverordnung (bersicht ber
geeignete Algorithmen), December 2010, available at:
http://www.bundesnetzagentur.de/cae/servlet/contentblob/192414
/publicationFile/9551/2011AlgoKatpdf.pdf
[BR93]
Mihir Bellare and Phillip Rogaway, "Random Oracles are Practical: A

Paradigm for Designing Efficient Protocols", First ACM Conference
on Computer and Communications Security, ACM, November 1993,
pp 62-73
[CWP06]
Danny De Cock, Christopher Wolf, Bart Preneel, The Belgian

Electronic Identity Card (Overview), Sicherheit, LNI, Vol. 77, pp.
298-301, GI, 2006
[DATACRD]
Datacard Group Secure ID and Card Personalization Solutions,

Durability of Smart Cards for Government eID, Part of a Series of
Datacard Group White Papers for the Secure Document Issuer,
available http://www.omniacardsystems.it/public/pdf/149.pdf
[DBP96]
Dobbertin H., Bosselaers A., Preneel B., RIPEMD-160, A

Strengthened Version of RIPEMD, 1996
369
[DF10]
zgr Dagdelen and Marc Fischlin, Security Analysis of the Extended

Access Control Protocol for Machine Readable Travel Documents,
ISC, Lecture Notes in Computer Science, Vol. 6531, pp. 54-68,
Springer, 2010
[DH76]
W. Diffie and M. E. Hellman, New directions in cryptography,

IEEE Transactions on Information Theory, 22, pp. 644-654, 1976
[DIN-SCS]
DIN German Institute for Standardization, A Survey of Card

Standards, available:
http://www.din.de/sixcms_upload/media/2896/Survey of Card
Standards.pdf
[EHQ07]
J. Espinosa Garca, L. Hernndez Encinas, A. Queiruga Dios, The

new Spanish electronic indentity card: DNI-e,. vol I: Technological
Aspects of the e-Governance and Data Protection., Int. Conf. on
Information Technologies (InfoTech-2007), Sep 2007, available:
http://hdl.handle.net/10261/15941
[ELG85]
T. ElGamal, A public-key cryptosystem and a signature scheme based

on discrete logarithms, IEEE Trans. on Information Theory IT 31
(1985), no. 4, 469472
[ENISA09]
ENISA, European Network and Information Security Agency,

Position Paper, Privacy Features of European eID Card
Specifications, Ingo Naumann, Giles Hogben, v1.0.1, Jan 27, 2009,
available: http://www.enisa.europa.eu/act/it/eid/eid-cardsen/at_download/fullReport
[EU-CTS]
COUNCIL OF THE EUROPEAN UNION, The European Union

Counter-Terrorism Strategy, 14469/4/05 REV 4, Brussels, 30
November 2005, available:
http://register.consilium.eu.int/pdf/en/05/st14/st14469re04.en05.pdf
[EU-ID]
COUNCIL OF THE EUROPEAN UNION, State of play

concerning the electronic identity cards in the EU Member States,
9949/10, Brussels, 31 May 2010, available:
http://www.statewatch.org/news/2010/jun/eu-council-ID-cards9949-10.pdf
Eurosmart, The Voice of the Smart Security Industry, Position Paper,
European Citizen Card: One Pillar of Interoperable eID Success,
October 2008, available:
http://www.eurosmart.com/images/doc/WorkingGroups/eID/Papers/ecc-position-paper-final.pdf
[EUROSM-ECC]
370
[FIDIS-D3.6]
FIDIS Consortium, Future of Identity in the Information Society,

D3.6 Study on ID Documents, Deliverable ver1.10, Dec 2006,
available: http://www.fidis.net/fileadmin/fidis/deliverables/fidiswp3-del3.6.study_on_id_documents.pdf
[GK06]
Gaurav S. Kc, Paul A. Karger, Preventing Security and Privacy

Attacks on Machine Readable Travel Documents (MRTDs), RC
23909 (W0603-079), 10 March 2006, IBM T. J. Watson Research
Center: Yorktown Heights, NY
[HG10]
Alexander Heichlinger, Patricia Gallego, A new e-ID card and online

authentication in Spain, IDIS, Volume 3, Number 1, 43-64, 2010
[HHJ06]
Hoepman, J., Hubbers, E., Jacobs, B., Oostdijk, M., and Schreur,
R.W., Crossing Borders: Security and Privacy Issues of the European
e-Passport, in Proceedings of IWSEC, 2006, pp 152-167.
[HT02]
Haghiri Yahya, Tarantino Tomas, (2002). Smart Card Manufacturing: A

Practical Guide. John Wiley & Sons. ISBN: 978-0471497677
[IDABC]
IDABC, Interoperable Delivery of European eGovernment Services

to public Administrations, Business and Citizens, 2005-2009, available:
http://ec.europa.eu/idabc/
http://ec.europa.eu/idabc/en/document/6484/5938/
[IDABC-PEGS]
IDABC, Study on eID Interoperability for PEGS: Update of Country

Profiles Analysis & assessment report, Oct 2009, available:
http://ec.europa.eu/idabc/servlets/Doc2ba1.pdf?id=32521
[ID-CRED0210]
ID CREDENTIALS, The journal of secure identity solutions, Paper,

Didier Chaudun, Bruno Benteo, Electronic Identification in Europe
Sets New Standards, Registered with the British Library ISSN 13618288, www.globalsmart.com, Feb 2010
[JDA07]
Jean-Daniel Aussel. Smart Cards and Digital Identity. ISSN 00857130Telenor ASA 2007. Available:
http://www.mytelenor.com/no/resources/images/066078_SmartCards_tcm26-36814.pdf
[JDC]
Jan De Clercq. Smart Cards. Microsoft, TechNet Library. Available:

http://technet.microsoft.com/en-us/library/dd277362.aspx
[JMW05]
Ari Juels, David Molnar, David Wagner, Security and Privacy Issues in
E-passports, Number 2005/095, Cryptology {ePrint} Archive, 2005
[K87]
N. Koblitz, Elliptic curve cryptosystems, Math. Comp. (1987), no. 48,

203209
371
[KMHG07]
Eleni Kosta, Martin Meints, Marit Hansen, Mark Gasson, An analysis

of security and privacy issues relating to RFID enabled ePassports,
SEC, IFIP, Vol. 232, pp. 467-472, Springer, 2007
[KOKU99]
Oliver Kmmerling, Markus G. Kuhn, Design Principles for TamperResistant Smartcard Processors, Proceedings of the USENIX
Workshop on Smartcard Technology (SMARTCARD-99), pp. 9-20,
USENIX Association, May 10-11 1999
[Y08]
Keith Mayes and Konstantinos Markantonakis, Smart Cards, Tokens,

Security and Applications, Springer 2008
[MI86]
V. Miller, Use of elliptic curves in cryptology, Proceedings of

CRYPTO 85, Lecture Notes in Computer Science, vol. 218, SpringerVerlag, 1986, pp. 417425
[MR+04]
L. A Mohammed, Abdul Rahman Ramli, V. Prakash, Mohamed B.

Daud (2004). Smart Card Technology: Past, Present, and Future.
International Journal of The Computer, the Internet and Management Vol. 12#1
(January April) pp 12 22
[08]
Naumann Ingo, Hogben Giles, Privacy Features of European eID

Card Specifications, Elsevier Network Security Newsletter, August
2008, ISSN 1353-48-58, pp. 9-13
[OBS-EID]
&
, , 2010,
:
http://www.observatory.gr/files/meletes/eID%20Status%20&%20C
itizen%20benefits%20v1.3%20final.pdf
[OIT08]
Monika Oit, Security from the practitioner's point of view, NATO

Science for Peace and Security Series - D: Information and
Communication Security, Volume 17, 2008, Aspects of Network and
Information Security, Edited by Evangelos Kranakis, Evgueni
Haroutunian, Elisa Shahbazian, ISBN 978-1-58603-856-4
[97]
Recommendation of the Council concerning guidelines for

cryptography policy, ver. 27 March 1997, Paris 1997 The
Wassenaar Arrangement on Export Controls for Conventional Arms
and Dual- Use Goods and Technologies Initial Elements (1996)
[P+99]
Steve Petri, Litronic, Inc. An Introduction to SMART CARDS, part1.

Messaging Magazine, September/October 1999. Available:
http://www.opengroup.org/comm/the_message/magazine/mmv5n
5/SmartCards.htm
372
[PRADO]
PRADO (Public Register of Authentic identity and travel Documents

Online), Council of the European Union,
http://www.consilium.europa.eu/prado/EL/homeIndex.html
[RE03]
Rankl Wolfgang., Effing Wolfgang., (2003). Smart Card Handbook, 3rd

edition. John Wiley & Sons. ISBN: 0-470-85668-8
[REG S7004]
DOCUMENT READER "REGULA" SERIE 7004, Regula Ltd.,

http://www.regula.ws/index.php?id=28
[SCH]
Smart Card, History. Available: http://www.smart-card.com/history/
[SSG10]
Sergio Sanchez Garcia and Ana Gomez Oliva, Improvements of

pan-European IDM Architecture to Enable Identity Delegation Based
on X.509 Proxy Certificates and SAML, P. Samarati et al. (Eds.):
WISTP 2010, LNCS 6033, pp. 183198, 2010
[WIKI-ID]
Wikipedia, Identity document,

http://en.wikipedia.org/wiki/Identity_document
[WM09]
What Makes a Smart Card Secure? Smart Card Talk, July 2009. Smart
Card Alliance. Available:
http://www.smartcardalliance.org/pages/newsletter-200907feature?issue=200907
[WSC10]
World Smart Card - Advanced Technologies, Application and Global

Forecast. Nov. 2010. RESEARCH AND MARKETS. Available:
http://www.researchandmarkets.com/research/b8d257/world_smart
_card_advanced_technologies
&
[ANSI X9.62]
AMERICAN NATIONAL STANDARDS INSTITUTE (ANSI)

"Public Key Cryptography for the Financial Services Industry: The
Elliptic Curve Digital Signature Algorithm (ECDSA)", 2005,
( ANSI X9.62-1998)
[BSI-TR-03110]
FEDERAL OFFICE FOR INFORMATION SECURITY

(BUNDESAMT FUR SICHERHEIT IN DER
INFORMATIONSTECHNIK), Advanced Security Mechanisms for
Machine Readable Travel Documents - Extended Access Control
(EAC), Password Authenticated Connection Establishment (PACE),
and Restricted Identification (RI). Technical Guideline TR-03110,
Version 2.05, 14/10/2010, available
373
https://www.bsi.bund.de/cln_183/ContentBSI/EN/Publications/Te
chguidelines/TR03110/BSITR03110.html
[CC211]
International Organization for Standardization, ISO/IEC 154081:2005 Information technology -- Security techniques -- Evaluation
criteria for IT security-- Part 1: Introduction and general model, 2009
[CC212]
criteria for IT security-- Part 2: Security functional components, 2008
[CC213]
criteria for IT security-- Part 3: Security assurance components, 2008
[CEN TC 224/WG15] EUROPEAN STANDARD, TC 224/WG 15 Technical

Specification, European Citizen Card, Part 1-4, COMIT
EUROPEN DE NORMALISATION
[CEN 15480-1]
COMIT EUROPEN DE NORMALISATION (CEN),

Identification card systems - European Citizen Card - Part 1: Physical,
electrical and transport protocol characteristics, CEN/TS 15480-1
(Technical Specification), April 2007
[CEN 15480-2]

Identification card systems - European Citizen Card - Part 2: Logical
data structures and card services, CEN/TS 15480-2 (Technical
Specification), April 2007
[CEN 15480-3]

Identification card systems - European Citizen Card - Part 3:
European Citizen Card Interoperability using an application interface,
CEN 15480-3 (Working Draft), 2008
[CEN 15480-4]

Identification card systems - European Citizen Card - Part 4:
Recommendations for European Citizen Card issuance, operation and
use, CEN 15480-4 (Working Draft), 2008
[CWA 14169]
CEN Workshop Agreement CWA 14169, Secure signature-creation

devices "EAL 4+", March 2004, available
ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa1416900-2004-Mar.pdf
[CWA 14170]
CEN Workshop Agreement CWA 14170, Security Requirements for

Signature Creation Applications, May 2004, ( CWA
374
14170:2001), available at: ftp://ftp.cenorm.be/PUBLIC/CWAs/eEurope/eSign/cwa14170-00-2004-May.pdf

[CWA 14171-00]
CEN Workshop Agreement CWA 1417-00, General guidelines for

electronic signature verification, May 2004, ( CWA
14171:2001), available at: ftp://ftp.cenorm.be/PUBLIC/CWAs/eEurope/eSign/cwa14171-00-2004-May.pdf
[CWA 14172-1]
CEN Workshop Agreement CWA 14172-1, EESSI Conformity

Assessment Guidance - Part 1: General introduction, March 2004,
( CWA 14172-1:2001), available at:
ftp://ftp.cenorm.be/PUBLIC/CWAs/eEurope/eSign/cwa14172-012004-Mar.pdf
[DIN V66291-1]
Chipcards with digital signature application/function according to

SigG and SigV - Part 1: Application Interface, 15 December 1998,
DIN Deutsches Institut fr Normung e.V.: Berlin
[EN 14890-1]
EUROPEAN STANDARD, EN 14890-1, Application Interface for

smart cards used as Secure Signature Creation Devices - Part 1: Basic
services, COMIT EUROPEN DE NORMALISATION (CEN),
Dec 2009
[EN 14890-2]
EUROPEAN STANDARD, EN 14890-2, Application Interface for

smart cards used as Secure Signature Creation Devices - Part 2:
Additional services, COMIT EUROPEN DE
NORMALISATION (CEN), Dec 2009
[ETSI TS 101 733]
EUROPEAN TELECOMMUNICATIONS STANDARDS

INSTITUTE (ETSI), Electronic Signatures and Infrastructures
(ESI), CMS Advanced Electronic Signatures (CAdES), July 2008,
available at:
http://www.etsi.org/deliver/etsi_ts/101700_101799/101733/01.07.0
4_60/ts_101733v010704p.pdf
[ETSI TS 101 862]

INSTITUTE (ETSI), Qualified Certificate profile, June 2004,
available at:
http://www.etsi.org/deliver/etsi_ts/101800_101899/101862/01.03.0
2_60/ts_101862v010302p.pdf
[ETSI TS 102 176-1]

(ESI), Algorithms and Parameters for Secure Electronic Signatures,
Part 1: Hash functions and asymmetric algorithms, November 2007,
available at:
375
http://www.etsi.org/deliver/etsi_ts/102100_102199/10217601/02.0
0.00_60/ts_10217601v020000p.pdf
[ETSI SR 002 176]

(ESI), Algorithms and Parameters for Secure Electronic Signatures,
March 2003 , available at:
http://www.etsi.org/deliver/etsi_sr/002100_002199/002176/01.01.0
1_60/sr_002176v010101p.pdf
[FIPS 180-3]
FEDERAL INFORMATION PROCESSING STANDARDS

PUBLICATION (FIPS) Secure Hash Standard (SHS)", 2008,
available at: http://csrc.nist.gov/publications/fips/fips180-3/fips1803_final.pdf
[FIPS 186-2]

PUBLICATION (FIPS) 186-2: "Digital Signature Standard (DSS)",
2000, available at:
http://csrc.nist.gov/publications/fips/archive/fips186-2/fips1862.pdf
[FIPS 186-3]

PUBLICATION (FIPS) 186-3: "Digital Signature Standard (DSS)",
2009, available at: http://csrc.nist.gov/publications/fips/fips1863/fips_186-3.pdf
[ICAO 9303 P3V1]
INTERNATIONAL CIVIL AVIATION ORGANISATION

(ICAO), Doc 9303 Part 3 Machine Readable Official Travel
Documents, Volume 1 MRtds with Machine Readable Data Stored in
Optical Character Recognition Format, 3rd edition, 2008
[ICAO 9303 P3V2]
INTERNATIONAL CIVIL AVIATION ORGANISATION

(ICAO), Doc 9303 Part 3 Machine Readable Official Travel
Documents, Volume 2 Specifications for Electronically Enabled
MRtds with Biometric Identification Capability, 3rd edition, 2008
[ICAO GUID]
ICAO, Guide for Assessing Security of Handling and Issuance of

Travel Documents. Version 3.4, January 2010.
[ICAO GUIDL]
ICAO, Guidelines on e-MRTDs & Passenger Facilitation, ver 1.0,

April 17, 2008
[ICAO SAC]
ICAO, TAG-MRTD, Technical Report Supplemental Access Control,

2009, available:
http://www.icao.int/icao/en/atb/meetings/2009/TAGmrtd19/Doc
s/TagMrtd19-wp04.pdf
376
[ICAO SUPPL]
ICAO, Machine Readable Travel Documents, Supplement to Doc

9303, Final ver. 8, March 19, 2010
[IEEE P1363]
INSTITUTE OF ELECTRICAL AND ELECTRONICS

ENGINEERS standardization project for public-key cryptography
P1363, "Standard Specifications for Public-Key Cryptography", 2000
[ISO 7816-4]
ISO/IEC 7816-4: "Identification cards Integrated circuit cards

Part 4: Organization, security and commands for interchange", 2005
[ISO7816-11]
ISO/IEC 7816-11: " Identification cards Integrated circuit cards

Part 11: Personal verification through biometric methods", 2004
[ISO 9796-2]
ISO/IEC 9796-2: "Information technology - Security techniques Digital signature schemes giving message recovery - Part 2: Integer
factorization based mechanisms",2002, (
ISO/IEC 9796-2 (1997): Mechanisms using a hash-function)
[ISO 10118-3]
ISO/IEC 10118-3: "Information technology - Security techniques Hash functions -Part 3: Dedicated hash functions", 2nd ed., 2004
[ISO 14888-3]
ISO/IEC 14888-3: Information technology - Security techniques Digital signatures with appendix - Part 3: Discrete logarithm based
mechanisms, 2006
[ISO 15946-2]
ISO/IEC 15946-2: "Information technology - Security techniques

Cryptographic techniques based on elliptic curves - Part 2: Digital
signatures", 2002
[RFC 3280]
IETF RFC 3280 "Internet X.509 Public Key Infrastructure Certificate

and Certificate Revocation List (CRL) Profile ", April 2002. Available :
http://www.ietf.org/rfc/rfc3280.txt
[RFC 3447]
IETF RFC 3447, "Public-Key Cryptography Standards (PKCS) #1:

RSA Cryptography Specifications Version 2.1", 2003, available at:
[RFC 3739]
IETF RFC 3739, Internet X.509 Public Key Infrastructure: Qualified

Certificates Profile", March 2004, available at:

[ 11/2010]
,
,
377
, ,
. 230/10-11-2010

, . . 1954/. . 35/2010,
, 22 2010
[EK/709/2000]
, 6 2000,

[ 2252/2004]
. 2252/2004,

, 2004
[ 444/2009]
. 444/2009,
() . 2252/2004

, 2009
[ 1030/2002]
. 1030/2002,
, 2002
[ 380/2008]
. 380/2008,
() . 1030/2002
, 2008
[ 562/2006]
. 562/2006,

( ), 2006
[10]
, . , ,
, :
2010, ,
....,
[N2672/1998]
14 . 2672/1998,
(- ), 290
/28.12.1998
[3230/2004]
3230/2004, ,
, 44/11.2.2004
[N3448/2006]
20 . 2672/1998, .
, 57/15.3.2006
378
[3471/2006]
.3471/2006,

. 2472/1997, 133/28.06.2006, :
http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/LAW/NOM
OTHESIA%20PROSOPIKA%20DEDOMENA/3471_2006.PDF
[N3536/2007]
25 .3536/2007,

, 42/'/23.2.2007
[150/2001]
150/2001,
99/93/
,
125/25.6.2001
[342/2002]
. 342/2002 ( 284 /22-11-2002),

,

[/60/10/217]
. . /.60/10/217
() .. & ..
.....,
, 11 2007
[3021/2005]
. 3021/19/53, , ,

, 1440/18.10.2005
[3021/2010]
3021/22/10/2862005
,
, , ,
( 932), 1298/17.8.2010
[YA248/2002]
. 248/71,
, B 603/16.5.2002
[YA2512/2006]
. 2512.
,
1654/10.11.2006
[1995/46/]
1995/46/
24 1995

379
[1999/93/]
1999/93/
13 1999

[2002/58/]
2002/58/
12 2002

[UDC95]
Utah Department of Commerce, Utah Digital Signature Law,

November 1995 46, 4
Utah Code, Uniform Electronic Transactions Act.
Electronic Signatures in Global and National Commerce Act
30 2000. Richards, J.,
The Utah Digital signature Act as "model" legislation: a critical
analysis, The John Marshal Journal of Computer & Information law
Vol XVII, Nr. 3, . 873 .
[UNCITRAL96]
United Nation Commission on International Trade Law, Planning of

future work on electronic commerce: Digital signatures, certification
authorities and related legal issues, 31 December 1996
380
A I: ICAO DES
block

.
BAC
-
ICC IFD
(Secure Messaging).
[ICAO SUPPL] [ICAO 9303 P3V2]
.
ICAO triple-DES DES.
3DES blocks CBC

( 54). 3DES
CBC IV ISO/IEC
11568-2:2005102.
54: 3DES / CBC Mode
102
ISO 11568-2:2005 Banking - Key management (retail) - Part 2: Symmetric ciphers, their key management and life
cycles
.
.

ISO/IEC 9797-1103 MAC 3 DES IV
55. blocks a
block Kb .
ciphertext.
55: MAC
103
ISO/IEC 9797-2:2002 MAC hash round

n-bit MAC m-bit.
( ).

.
bits , n ,
hash , MAC .
hash ISO/IEC 10118-3. ISO/IEC 9797-2
HMAC. ( 256 bits)
.
A II: SECURE HASH STANDARD
FIPS PUB 180-3, Secure Hash Standard (SHS), NIST October 2008,
SHA-1, SHA-224, SHA-256, SHA-384 SHA-512
,
blocks hashing
.
61: SHA [FIPS 180-3]
5
hash. :
Collision resistance,
hash
Preimage resistance,
( )
Second preimage resistance,
hash .
62 NIST SP 800-107 Recommendation for Applications Using Approved
Hash Algorithms Feb 2009, SHA .
62: SHAs bits [NIST SP 800-107]
SHA
keyed-hash MAC,
. SHA
.

.
63 NIST SP 800-57 Recommendation for Key Management Part 1: General
(revised) Mar 2007, SHA
. (bits of security)
(key derivation functions) (random number generator)

.
5
SHA-1
80
bits.
63: SHAs, bits [NIST SP
800-57]
A II: ISO STANDARDS
ISO Standards
. : [DIN-SCS]
ISO/IEC 7810
Title: Identification cards Physical characteristics
CONTENT AND SCOPE
This International Standard specifies the physical characteristics of identification cards
including card materials, construction, characteristics, and dimensions for four sizes of
cards. This International Standard specifies the requirements for cards used for
identification. It takes into consideration both human and machine aspects and states
minimum requirements. It is the purpose of this standard to provide criteria to which
cards shall perform. No consideration is given within to the amount of use, if any,
experienced by the card prior to test. Failure to conform to specified criteria should be
negotiated between the involved parties.
STATUS
In 2010, a new release of ISO/IEC 7810 is expected. It is expected to include the
amendment plus other characteristics from other International Standards which might
need transfer to this standard as they
are no longer specific to one individual card technology.
NOTES
Thin flexible cards are not within the scope of this International Standard. Thin flexible
cards are addressed by the ISO/IEC 15457 series.
PRESENT RELEASES
ISO/IEC 7810: 1985, 1995, 2003, AMD 1:2009
ISO/IEC 7816
Title: Identification cards Integrated circuit cards
CONTENT AND SCOPE
This standard consists of 14 parts:
Part 1: Cards with contacts Physical characteristics
Part 2: Cards with contacts Dimensions and location of the contact
Part 3: Cards with contacts Electrical interface and transmission protocols
Part 4: Organization, security and commands for interchange
Part 5: Registration of application providers
Part 6: Interindustry data elements for interchange
Part 7: Commands for Structured Card Query Language (SCQL)
Part 8: Commands for security operations
Part 9: Commands for card management
Part 10: Cards with contacts Electrical interface for synchronous cards
Part 11: Personal verification through biometric methods
Part 12: Cards with contacts USB electrical interface and operating procedures
Part 13: Commands for application management in multi-application environment
Part 15: Cryptographic information application
Part 1 of ISO/IEC 7816 specifies the physical characteristics of integrated circuit(s) cards
with contacts. It applies to identification cards of the ID-1 card type which may include
embossing and/or a magnetic stripe as specified in ISO/IEC 7811, parts 1 to 6. This part
of ISO/IEC 7816 applies to cards which have a physical interface with electrical contacts.
It does not, however, define the nature, number and position of the integrated circuits in
the cards.
Part 2 of ISO/IEC 7816 specifies the dimensions, locations and assignment for each of
the contacts on integrated circuit cards of an ID-1 card type.
Part 3 of ISO/IEC 7816 specifies the power and signal structures, and information
exchange between an integrated circuit(s) card and an interface device such as a
terminal. It also covers signal rates, voltage levels, current values, parity convention,
operating procedure, transmission mechanisms and communication with the card. It
does not cover information and instruction content, such as identification of issuers and
users, services and limits, security features, journaling and instruction definitions.
Part 4 of ISO/IEC 7816 specifies: the content of the messages, commands and
responses, transmitted by the interface device to the card and conversely, the
structure and content of the historical bytes sent by the card during the answer to reset,
the structure of files and data, as seen at the interface when processing interindustry
commands for interchange, access methods to files and data in the card, a security
architecture defining access rights to files and data in the card, methods for secure
messaging, access methods to the algorithms processed by the card. It does not
describe these algorithms. It does not cover the internal implementation within the card
and/or the outside world. It allows further standardization of additional inter - industry
commands and security architectures.
Part 5 of ISO/IEC 7816 specifies a numbering system for application identifiers and a
registration procedure for application provider identifiers. The numbering system
described in this standard provides a means for an application and related services
offered by a provider to identify if a given card contains the components required by its
application and related services. An application identifier (AID) is used to address an
application in the card. This part of ISO/IEC 7816 specifies the coding of application
identifiers together with means and mechanisms for addressing application parts in
cards. This part of ISO/IEC 7816 establishes the authorities and procedures to ensure
and optimize the reliability of the corresponding registration.
Part 6 of ISO/IEC 7816 specifies directly or by reference the Data Elements (DE),
including composite DEs, used in interindustry interchange, based on integrated circuit
cards (ICCs). It identifies the following characteristics of each DE: Identifier; Name;
Description and ISO reference; Format and coding (if not available in other ISO
standards or parts of ISO/IEC 7816). The layout of each DE is described as seen at the
interface between the interface device (IFD) and the ICC. This part of ISO/IEC 7816
defines the means of retrieval of the DEs in the card (historical bytes, reset, command(s)
to perform and commands defined in this international standard). This part of ISO/IEC
7816 provides the definition of DEs without consideration of any restrictions on the
usage of the DEs.
Part 7 of the standard specifies the concept of a SCQL database (SCQL = Structured
Card Query Language based on SQL, see ISO/IEC 9075) and the related interindustry
enhanced commands.
Part 8 of ISO/IEC 7816 specifies: security protocols for use in cards; secure
messaging extensions; the mapping of the security mechanisms onto the cards
security functions/services, including a description of the in-card security mechanisms;
data elements for security support; the use of algorithms implemented on the card
(though the algorithms themselves are not described in detail); the use of certificates;
security related commands. This part of ISO/IEC 7816 does not cover the internal
implementation within the card and/or the outside world. The choice and conditions of
use of cryptographic mechanisms may affect card exportability. The evaluation of the
suitability of algorithms and protocols is outside the scope of this part of ISO/IEC 7816.
Part 9 of ISO/IEC 7816 specifies: a description and coding of the life cycle of cards and
related objects; a description and coding of security attributes of card related objects;
functions and syntax of additional interindustry commands; data elements associated
with these commands; a mechanism for initiating card-originated messages. This part
of ISO/IEC 7816 does not cover the internal implementation within the card and/or the
outside world.
Part 10 of ISO/IEC 7816 specifies the power, signal structures, and the structure for the
answer to reset between an integrated circuit(s) card with synchronous transmission and
an interface device such as a terminal. The specifications in ISO/IEC 7816-3 apply
where appropriate, unless otherwise stated here. It also covers signal rates, operating
conditions, and communication with the integrated circuit(s) card. This part of ISO/IEC
7816 specifies two types of synchronous cards: type 1 and type 2.
Part 11 of ISO/IEC 7816 specifies security related interindustry commands to be used for
personal verification with biometric methods in integrated circuit(s) cards. It also defines
data elements to be used with biometric methods. Identification of persons using
biometric methods is outside the scope of this standard.
Part 12 of ISO/IEC 7816 specifies the operating conditions of an integrated circuit card
that provides a USB interface.
Part 13 of ISO/IEC 7816 specifies the multi-application environment for the card and the
commands required for Application management. This part of ISO/IEC 7816 covers the
entire Application life cycle in a multi-application card, including pre-issuance (before the
card has been issued to the cardholder) and post-issuance (after the card has been
issued to the cardholder or after the card has expired). It does not cover the internal
implementation within the card and / or the outside world.
Part 15 of ISO/IEC 7816 specifies an application in a card. This application contains
information on cryptographic functionality. This part of ISO/IEC 7816 defines a common
syntax and format for the cryptographic information and mechanisms to share this
information whenever appropriate. This International Standard does not cover the inter
nal implementation within the card and/or the outside world. It shall not be mandatory for
implementations complying with this International Standard to support all options
described.
STATUS
ISO/IEC 7816-4 is currently under review.
PRESENT RELEASES
ISO/IEC 7816-1: 1987, 1998, AMD1:2003
ISO/IEC 7816-2: 1988, 1999, AMD1:2004
ISO/IEC 7816-3: 1989, AMD1:1992, AMD2:1994,
1997, AMD1:2002, 2006
ISO/IEC 7816-4: 1995, AMD1:1997, 2005
ISO/IEC 7816-5: 1994, AMD1:1996, 2004
ISO/IEC 7816-6: 1996, 2004, AMD1:2006
ISO/IEC 7816-7: 1999
ISO/IEC 7816-8: 1999, 2004
ISO/IEC 7816-9: 2000, 2004
ISO/IEC 7816-10: 1999
ISO/IEC 7816-11: 2004
ISO/IEC 7816-12: 2005
ISO/IEC 7816-13: 2007
ISO/IEC 7816-15: 2004
10
ISO/IEC 14443
Title: Identification cards Contactless integrated circuit(s) cards Proximity
integrated circuit(s) cards
CONTENT AND SCOPE
ISO/IEC 14443 specifies the physical characteristics of proximity cards (PICC). It applies
to identification cards of the card type ID-1 and of other form factors operating in
proximity of a coupling device. This standard specifies the characteristics of the fields to
be provided for power and bidirectional communication between proximity coupling
devices (PCDs) and proximity cards (PICCs). ISO/IEC 14443 describes:
polling for proximity cards (PICCs) entering the field of a proximity coupling device
(PCD),
the byte format, the frames and timing used during the initial phase of communication
between PCDs and PICCs,
the initial Request and Answer to Request command content,
methods to detect and communicate with one PICC among several PICCs
(anticollision),
other parameters required to initialize communications between a PICC and PCD,
optional means to ease and speed up the selection of one PICC among several PICCs
based on application criteria.
ISO/IEC 14443 specifies a half-duplex block transmission protocol featuring the special
needs of a contactless environment and defines the activation and deactivation
sequence of the protocol.

Part 1: Physical characteristics
Part 2: Radio frequency interface
Part 3: Initialization and anticollision
Part 4: Transmission protocol
STATUS
ISO/IEC 14443-2 and 14443-3 are in revision, currently in FDIS status, and are expected
to be re-issued end 2010.
PRESENT RELEASES
ISO/IEC 14443-1: 2000, 2008
ISO/IEC 14443-2: 2001, AMD1:2005
ISO/IEC 14443-3: 2001, AMD1:2005, AMD3: 2006
ISO/IEC 14443-4: 2001, AMD1:2006, 2008
11
ISO/IEC 19794
Title: Information technology Biometric data interchange formats
CONTENT AND SCOPE
This standard describes the general aspects and requirements for defining biometric
data interchange formats. The notation and transfer formats provide platform
independence and separation of transfer syntax from content definition. This standard
defines what is commonly applied for biometric data formats, i.e. the standardization of
the common content, meaning, and representation of biometric data formats of biometric
types considered in the specific parts of the multipart standard.
The individual parts of this multipart standard specify for various biometric modalities a
data record interchange format for storing, recording, and transmitting the information
from one or more biometric characteristics as image or feature data within an ISO/IEC
19785-1 CBEFF data structure. This can be used for the exchange and comparison of
biometric reference data. It defines the content, format, and units of measurement for the
exchange of biometric reference data that may be used in the verification or identification
process of a subject. The information consists of a variety of mandatory and optional
items, including scanning parameters, compressed or uncompressed images and
vendor-specific information. This information is intended for interchange among
organizations that rely on automated devices and systems for identification or verification
purposes. Information compiled and formatted in accordance with this part of the
ISO/IEC 19794 standard can be recorded on machine-readable media or may be
transmitted by data communication facilities.
Part 1: Framework
Part 2: Finger minutiae data
Part 3: Finger pattern spectral data
Part 4: Finger image data
Part 5: Face image data
Part 6: Iris image data
Part 7: Signature/sign time series data
Part 8: Finger pattern skeletal data
Part 9: Vascular image data
Part 10: Hand geometry silhouette data
Part 11: Signature/sign processed dynamic data
Part 13: Voice data
Part 14: DNA data
STATUS
Parts 11,13 and 14 are at WD stage.
NOTES
The revision process has been started for Part 1, 2, 3, 4, 5, 6, 8 Conformance testing
standards are under development in SC37 WG3
Part 11 has been cancelled by ISO in 2007. The project is now restarted.
12
PRESENT RELEASES
ISO/IEC 19794-1: 2006
ISO/IEC 19794-2: 2005
ISO/IEC 19794-3: 2006
ISO/IEC 19794-4: 2005
ISO/IEC 19794-5: 2005
ISO/IEC 19794-5:2005/Cor 1:2008
ISO/IEC 19794-5:2005/Cor 2:2008
ISO/IEC 19794-5:2005/Amd 1:2007
ISO/IEC 19794-5:2005/Amd 2:2009
ISO/IEC 19794-6: 2005
ISO/IEC 19794-7: 2007
ISO/IEC 19794-8: 2006
ISO/IEC 19794-9: 2007
ISO/IEC 19794-10: 2007
13
ISO/IEC 10373
Title: Identification cards Test methods
CONTENT AND SCOPE
ISO/IEC 10373 defines test methods for characteristics of identification cards according
to the definitions given in ISO/IEC 7810, ISO/IEC 7811, ISO/IEC 7813 and ISO/IEC
7816. Each test method is cross-referenced to one or more base standards, which may
be ISO/IEC 7810 or one or more of the supplementary standards that define the
information storage technologies employed in identification cards applications.
The first part of ISO/IEC 10373 defines test methods which are common to more than
one card technology. Other parts of ISO/IEC 10373 define technology specific test
methods.
Originally the standard series ISO/IEC 10373 had been intended to encompass all the
test methods related to identification cards. However, for some standards, which are also
covered by this summary report, it was decided by SC17 to associate a test method
standard to specifically that base standard, which is mostly referenced to. Therefore,
there are further test methods standards, which are a part of the related base standard,
with equal main standard number like the base standard.
Part 1: General characteristics
Part 2: Cards with magnetic stripes
Part 3: Integrated circuit(s) cards with contacts and related interface devices
Part 5: Optical memory cards
Part 6: Proximity cards
Part 7: Vicinity cards
STATUS
A draft amendment to part 1 is in status WD which will basically consist of parts of
10373-3 which are no longer specific for cards with contacts only. ISO/IEC 10373-3 is
being under revision and will be re-issued by the end of 2009.
So is ISO/IEC 10373-6, which is under revision in CD status. The new release is
expected for 2010. That revised version will cover the Amendments 1 to 5, related to the
2001-version of 10373-6.
In order to publish the RFID interface related test methods for ePassports (compliant to
ISO/IEC 7501) as early as possible, it was decided to process an Amendment 7 to
ISO/IEC 10373-6:2001, although the revision of 10373-6 is running simultaneously. That
Amendment 7 is in FPDAM status and will be published by the end of 2009. As its first
release, its content is equal to the Parts 2 and 4 of the ICAO Technical Reports on test
methods, see 6.1. After a migration period, defined by ICAO TAG MRTD and SC17,
ISO/IEC 10373-6/Amendment 7 will totally replace those two ICAO Technical Reports
and then be further maintained and improved by SC17.
NOTES
The work on ISO/IEC 10373-4 was suspended in 2001.
PRESENT RELEASES
ISO/IEC 10373-1: 1998, 2006
ISO/IEC 10373-2: 1998, 2006
ISO/IEC 10373-3: 2001
14
ISO/IEC 10373-5: 1998, 2006

ISO/IEC 10373-6: 2001, AMD 2:2003, AMD 3:2006,
AMD 4:2006, AMD 5:2007
ISO/IEC 10373-7: 2001
15
IV:
(EESSI)

EESSI ETSI(/ESI) CEN(/ISSS),

.
CEN CWA 14169 Secure Signature-Creation Devices, version EAL

4+

(Protection Profiles-PPs),
4+, ,
(Common Criteria) [cc211], [cc212], [cc213] ISO/IEC 15408
(Bundesamtes fr
Sicherheit in der Informationstechnik -BSI).
CWA 14170 Security Requirements for Signature Creation Systems

(Secure Signatures Application-SCA)

, .
CWA 14171-00 General guidelines for electronic signature verification
16

,
IV, [99/93/EC].
EN 14890-1, Application Interface for smart cards used as Secure

Signature Creation Devices
Part 1: Basic services

.
, , ,
,
.
EN 14890-2, Application Interface for smart cards used as Secure

Signature Creation Devices
Part 2: Additional Services
SSCDs.
,
.
( 56)

. ICC

.
Diffie-Hellman (RFC 2631) 57.
yb
ZZ .
ya ( , ).
ICC .
17
56: ICC (EN 14890-2)
57: Diffie-Hellman (EN 14890-2)

18
ETSI TS 102 176-1 Algorithms and Parameters for Secure Electronic

Signatures,
Part 1: Hash functions and asymmetric algorithms
,

.
EN 726
Title: Identification card systems Telecommunications integrated circuit(s)
cards and terminals
CONTENT AND SCOPE
This European Standard defines the general concepts including the system overview,
the involved entities and the five different phases in the lifetime of a card and a card
system. It specifies the use of IC cards for telecommunication use. It describes a general
security approach. This European Standard specifies the application-independent card
characteristics of multi-application IC-cards and plug-in modules for telecommunication
applications in order to ensure interoperability for telecommunication cards with various
systems and terminals. It specifies the application independent card related
characteristics of card terminals. This European Standard specifies payment methods for
telecommunication applications, using IC cards. These payment methods are not
necessarily linked to the applications which use them, and they can be used by more
than one application. The document gives guidance on the interface between the IC card
and the external world. It considers an open system in which the payment methods will
be used. A closed system is a special case of the open system. The document defines
following telecommunication features: abbreviated dialling, last number dialing (stored
within the card), fixed number dialling. This European Standard specifies: The minimum
requirements for a Security Module (SM); the general card related functions embedded
and cryptographic processing described in annex A for the case where the SM is an ICC
should be supported if the SM is not an ICC or the configuration of the system, e.g.
where the SM handles more than one terminal/user card.
Part 1: Systems overview
Part 2: Security framework
Part 3: Application independent card requirements
Part 4: Application independent card related terminal requirements
Part 5: Payment methods
Part 6: Telecommunication features
Part 7: Security module
NOTES
19
Also published as DIN EN 726.

PRESENT RELEASES
EN 726-1: 1994
EN 726-2: 1995
EN 726-3: 1994
EN 726-4: 1994
EN 726-5: 1999
EN 726-6: 1995
EN 726-7: 1999
20
21

Security Analysis of The European Citizen Card Dimitris Tolis

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Security Analysis of The European Citizen Card Dimitris Tolis

Uploaded by

Copyright:

Available Formats

(...

SECURITY ANALYSIS OF THE

4: ECC & .............................. 60

& LDS ..................................................... 121

ICAO ................................. 181

ICAO ...................................................... 187

BSI .................................................. 199

CEN 15480 ........................................................................................ 220

9: eID .................... 272

ICC ......................................................................... 289

ICC IFD ........................................................................................289

- eID ........................................................................... 315

- eID ............................................................................... 324

11: - .............................................................. 362

39: APDU ........................................................ 289

23: .......................................................................................................... 105

(non-volatile memory NVM),

: Gartner and Eurosmart for Microprocessor Cards

[CEN 15480-3] [CEN 15480-4] .

[CEN 15480-1], ECC :

MRTD IC [ICAO 9303

, [RE03], [HT02], [Y08] ,

4.1.2.1.2 ABS (acryl butadiene styrene)

4.1.2.1.5 PETG (Polyethylene terephthalate glycol)

/finishing PETG PVC

PET (), PETP PETG

, ICAO o [ICAO 9303 P3V1] MRTD 7 ,

Personal data elements

Mandatory and optional

Document data elements

Mandatory and optional

Signature or usual mark

Machine readable zone (MRZ)

I VI (visual inspection zone, VIZ),

9: (security background printing)

13: MLI (Multiple Laser Image)

4.1.1, ISO/IEC 7810

13,56 MHz PCD.

New Technologies Working Group (NTWG) ICAO

split duct printing [PRADO],

[CEN 15480-1] [ICAO 9303 P3V1]

toner 14, [ICAO SUPPL]

- (thermo transfer printing)

E - (thermo sublimation printing)

- (thermo retransfer printing)

STARCOS, STARSIM, STARDC

Giesecke & Devrient

Cyberflex, Multiflex, Payflex

2: Windows for Smart Cards

Philips, Bull, Siemens, Toshiba, Samsung Nec

Giesecke & Devrient

16 Toppan Printing Co, Ltd

Sagem-orga (brand name: Morpho)

Oberthur Card Systems

[ICAO 9303 P3V1]

VIZ: ERIKSSON, ANNA MARIA

(ID-1, ID-2 ) MRZ VIZ

JPEG / ISO/IEC 10918-1:1994.

IC [ICAO 9303 P3V2]

Wavelet Scalar Quantization (WSQ) FBI NIST .

4. EF.SOD (security object)

Abstract Syntax Notation One (ASN.1)

o CBEFF NISTIR 6529.