BS EN 419212-2:2017:2018 Edition

$215.11

Application Interface for Secure Elements for Electronic Identification, Authentication and Trusted Services – Signature and Seal Services

Published By	Publication Date	Number of Pages
BSI	2018	110

Guaranteed Safe Checkout

Categories: 35.240.15 - Identification cards. Chip cards. Biometrics, BSI

If you have any questions, feel free to reach out to our online customer service team by clicking on the bottom right corner. We’re here to assist you 24/7.
Email:[email protected]

Description

This part specifies mechanisms for SEs to be used as qualified signature creation devices covering: • Signature creation and mobile signature creation • User verification • Password based authentication The specified mechanisms are suitable for other purposes like services in the context of EU Regulation 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. The particular case of seal is also covered by the specification. The differences between seal and signature are exposed in Annex B. Annex B also explains how the mechanisms for SEs as qualified signature creation devices can be used for SEs as qualified seal creation devices. Mobile signature is an alternative to the classical signature case which is performed by a secure element. Mobile signature is encouraged by the large widespread of mobile devices and the qualification authorized by the eIDAS Regulation. The particular case of remote signature (or server signing) is covered by this specification in Annex C. In the rest of this document, except Annex B, there will be no particular notion of a seal since it technically compares to the signature.

PDF Catalog

PDF Pages	PDF Title
2	National foreword
4	European foreword European foreword
5	Introduction
9	European foreword
10	Introduction
11	1 Scope 2 Normative references
12	3 Terms and definitions 4 Symbols and abbreviations 5 Signature application 5.1 Application Flow
14	5.2 Trusted environment versus untrusted environment 5.3 Selection of ESIGN application 5.3.1 General
15	5.3.2 Exceptions for Secure Messaging 5.4 Selection of cryptographic information application
16	5.5 Concurrent usage of signature applications 5.5.1 General 5.5.2 Methods of channel selection 5.5.3 Security issues on multiple channels 5.6 Security environment selection
17	5.7 Key selection 5.8 Security Services 6 User verification 6.1 General
18	6.2 Knowledge based user verification 6.2.1 General 6.2.2 Explicit user verification
19	6.2.3 Password-based mechanisms 6.2.4 Presentation formats
20	6.2.5 Retry and Usage counters 6.2.6 Password Change
21	6.2.7 Reset of RC and setting a new password
22	6.3 Biometric user verification 6.3.1 General 6.3.2 Retrieval of the Biometric Information Template
23	6.3.3 Performing the biometric user verification
25	6.3.4 Reset of RC 7 Digital Signature Service 7.1 General 7.2 Signature generation algorithms
26	7.3 Activation of digital signature service 7.4 General aspects
27	7.5 Signature Generation 7.5.1 General 7.5.2 No hashing in Card
28	7.5.3 Partial hashing
29	7.5.4 All hashing in ICC
30	7.6 Selection of different keys, algorithms and input formats 7.6.1 General 7.6.2 Restore an existing SE
31	7.6.3 Setting the Hash Template (HT) of a current Security Environment (SE) 7.6.4 Modify the Digital Signature Template (DST) of a current Security Environment (SE)
32	7.7 Read certificates and certificate related information 7.7.1 General 7.7.2 Read certificate related CIOs
33	7.7.3 Read signer’s certificate from ICC
34	7.7.4 Retrieval of the signer’s certificate from a directory service 8 Password-based authentication protocols 8.1 General
35	8.2 Notation 8.3 Authentication steps 8.3.1 General
37	8.3.2 Step 1 — Reading the protocol relevant public parameters 8.3.3 Step 2 — Set PBM parameters and generate blinding point
38	8.3.4 Step 3 — Get encrypted nonce
39	8.3.5 Step 4.1 — Map nonce and compute generator point for generic mapping
40	8.3.6 Step 4.2 — Map nonce and compute generator point for integrated mapping
41	8.3.7 Step 5 — Generate session keys
42	8.3.8 Step 6 — Explicit key authentication
43	9 Secure Messaging 9.1 General 9.2 CLA byte 9.3 TLV coding of command and response message
44	9.4 Treatment of SM-Errors 9.5 Padding for checksum calculation 9.6 Send sequence counter (SSC) 9.7 Message structure of Secure Messaging APDUs 9.7.1 Cryptograms
46	9.7.2 Cryptographic Checksums
49	9.7.3 Final command APDU construction
50	9.8 Response APDU protection
54	9.9 Use of TDES and AES 9.9.1 TDES/AES encryption/decryption 9.9.2 CBC mode
55	9.9.3 Retail MAC with TDES 9.9.4 EMAC with AES
56	9.9.5 CMAC with AES
57	10 Key Generation 10.1 General 10.2 Signature key and certificate generation
59	11 Key identifiers and parameters 11.1 General 11.2 Key identifiers (KID) 11.2.1 General 11.2.2 Secret and private keys 11.3 Public Key parameters 11.3.1 General
60	11.3.2 RSA public key parameters 11.4 Diffie-Hellman key exchange parameters 11.5 Authentication tokens in the protocols mEACv2 and PCA 11.5.1 General 11.5.2 TDES 11.5.3 AES 11.5.4 Ephemeral Public Key Data Object
61	11.6 The compression function Comp() 11.7 DSA with ELC public key parameters 11.7.1 General
62	11.7.2 The plain format of a digital signature 11.7.3 The uncompressed encoding 11.8 ELC key exchange public parameters
63	12 AlgIDs, Hash- and DSI Formats 12.1 General 12.2 Algorithm Identifiers and OIDs 12.3 Hash Input-Formats 12.3.1 General
64	12.3.2 PSO:HASH without command chaining 12.3.3 PSO:HASH with command Chaining
65	12.4 Formats of the Digital Signature Input (DSI) 12.4.1 General 12.4.2 DSI according to ISO/IEC 14888‑2 (scheme 2)
66	12.4.3 DSI according to PKCS #1 V 1.5
67	12.4.4 Digest Info for SHA-X Hash:Digest Info SHA:Digest Info
68	12.4.5 DSI according to PKCS #1 V 2.x MGF function
70	12.4.6 DSA with DH key parameters 12.4.7 Elliptic Curve Digital Signature Algorithm — ECDSA 13 Files 13.1 General 13.2 File structure
71	13.3 File IDs 13.4 EF.DIR
72	13.5 EF.SN.ICC 13.6 EF.DH
73	13.7 EF.ELC 13.8 EF.C.ICC.AUT
74	13.9 EF.C.CAICC.CS-AUT 13.10 EF.C_X509.CH.DS 13.11 EF.C_X509.CA.CS (DF.ESIGN)
75	13.12 EF.DM 14 Cryptographic Information Application 14.1 General
77	14.2 ESIGN cryptographic information layout example 14.2.1 General
78	14.2.2 EF.CIAInfo
80	14.2.3 EF.AOD
83	14.2.4 EF.PrKD
86	14.2.5 EF.PuKD
88	14.2.6 EF.CD
89	14.2.7 EF.DCOD
94	Annex A (normative) Security environments
101	Annex B (informative) Seals and Signatures
104	Annex C (informative) Remote Signatures
107	Bibliography

Additional information

Status	Under Review
Pages	110
Publication Date	2018-01-11
ISBN	978 0 580 95128 2
Standard Number	BS EN 419212-2:2017
Title	Application Interface for Secure Elements for Electronic Identification, Authentication and Trusted Services – Signature and Seal Services
Identical National Standard Of	EN 419212-2:2017
Replaces	BS EN 419212-2:2014, BS EN 419212-1:2014
Descriptors	Integrated circuit cards, Identification methods, Data security, Computer terminals, Verification, Information exchange, Personal identification numbers, Cryptography, Data processing, Electronic signatures, Interfaces (data processing), Identity cards
Publisher	BSI
Committee	IST/17
ICS Codes	35.240.15 - Identification cards. Chip cards. Biometrics

Preview PDF


PDF Format	Searchable	Printable	Preview Now

BS EN 419212-2:2017:2018 Edition

PDF Catalog

Related products