{"id":350116,"date":"2024-10-20T00:40:29","date_gmt":"2024-10-20T00:40:29","guid":{"rendered":"https:\/\/pdfstandards.shop\/product\/uncategorized\/bs-en-419212-32017\/"},"modified":"2024-10-26T00:25:23","modified_gmt":"2024-10-26T00:25:23","slug":"bs-en-419212-32017","status":"publish","type":"product","link":"https:\/\/pdfstandards.shop\/product\/publishers\/bsi\/bs-en-419212-32017\/","title":{"rendered":"BS EN 419212-3:2017"},"content":{"rendered":"

This part specifies device authentication to be used for QSCDs in various context including Device authentication protocols Establishment of a secure channel Data structures CV-certificates Key management The device authentication protocols shall apply to sole-control signature mandated by the EU-regulation eIDAS.<\/p>\n

PDF Catalog<\/h4>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
PDF Pages<\/th>\nPDF Title<\/th>\n<\/tr>\n
2<\/td>\nNational foreword <\/td>\n<\/tr>\n
9<\/td>\n1 Scope
2 Normative references
3 Device authentication
3.1 General <\/td>\n<\/tr>\n
11<\/td>\n3.2 Asymmetric Authentication introduction
3.3 Certification authorities and certificates
3.3.1 Certificate chains <\/td>\n<\/tr>\n
12<\/td>\n3.3.2 Usage of link certificates
3.4 Authentication environments <\/td>\n<\/tr>\n
13<\/td>\n3.4.1 SCA in trusted environment
3.4.2 SCA in untrusted environment
3.4.3 Specification of the environment
3.4.4 Display message mechanism <\/td>\n<\/tr>\n
14<\/td>\n3.4.5 Additional authentication environments
3.5 Key transport and key agreement mechanisms
3.6 Device authentication with privacy protection
3.6.1 General <\/td>\n<\/tr>\n
15<\/td>\n3.6.2 Authentication steps
3.6.2.1 General <\/td>\n<\/tr>\n
18<\/td>\n3.6.2.2 Step\u00a01 \u2014 Read key exchange parameters <\/td>\n<\/tr>\n
20<\/td>\n3.6.2.3 Step\u00a02 \u2014 IFD selects the public key parameter set and sends KIFD
3.6.2.4 Step\u00a03 \u2014 ICC computes KICC <\/td>\n<\/tr>\n
23<\/td>\n3.6.2.5 Step\u00a04 \u2014 Skip reading chain certificates
3.6.2.6 Step\u00a05 \u2014 Selection of verification key PuK.(R)CAIFD.CS_AUT (conditional) <\/td>\n<\/tr>\n
24<\/td>\n3.6.2.7 Step\u00a06 \u2014 Verify Certificate C_CV.CAIFD.CS_AUT (conditional) <\/td>\n<\/tr>\n
25<\/td>\n3.6.2.8 Step\u00a07 \u2014 Selection of verification key PuK.CAIFD.AUT <\/td>\n<\/tr>\n
26<\/td>\n3.6.2.9 Step\u00a08 \u2014 Verify Certificate C_CV.IFD.AUT <\/td>\n<\/tr>\n
27<\/td>\n3.6.2.10 Step\u00a09 \u2014 Key Selection for external authentication <\/td>\n<\/tr>\n
28<\/td>\n3.6.2.11 Step\u00a010 \u2014 Get Challenge
3.6.2.12 Step\u00a011 \u2014 External authentication <\/td>\n<\/tr>\n
29<\/td>\n3.6.2.13 Step\u00a012 \u2014 Read C.CAICC.AUT (conditional) <\/td>\n<\/tr>\n
30<\/td>\n3.6.2.14 Step\u00a013 \u2014 Read ICC’s certificate C.ICC.AUT <\/td>\n<\/tr>\n
31<\/td>\n3.6.2.15 Step\u00a014 \u2014 Key selection <\/td>\n<\/tr>\n
32<\/td>\n3.6.2.16 Step\u00a015 \u2014 Internal Authentication <\/td>\n<\/tr>\n
33<\/td>\n3.7 Privacy constrained Modular EAC (mEAC) protocol with non-traceability feature
3.7.1 General
3.7.2 Example for traceability case <\/td>\n<\/tr>\n
34<\/td>\n3.7.3 Notation
3.7.4 Authentication steps
3.7.4.1 General <\/td>\n<\/tr>\n
37<\/td>\n3.7.4.2 Step\u00a01 \u2014 Reading of the protocol relevant public parameters
3.7.4.3 Step 2 \u2014 User verification (conditional)
3.7.4.4 Step\u00a03 \u2014 Selection of verification key PuK.(R)CAIFD.CS_AUT (conditional) <\/td>\n<\/tr>\n
38<\/td>\n3.7.4.5 Step\u00a04 \u2014 Verify Certificate C_CV.CAIFD.CS_AUT (conditional) <\/td>\n<\/tr>\n
39<\/td>\n3.7.4.6 Step\u00a05 \u2014 Selection of verification key PuK.CAIFD.AUT
3.7.4.7 Step\u00a06 \u2014 Verify Certificate C_CV.IFD.AUT <\/td>\n<\/tr>\n
40<\/td>\n3.7.4.8 Step\u00a07 \u2014 Key Selection for external authentication <\/td>\n<\/tr>\n
42<\/td>\n3.7.4.9 Step\u00a08 \u2014 Get Challenge
3.7.4.10 Step\u00a09 \u2014 External authentication <\/td>\n<\/tr>\n
44<\/td>\n3.7.4.11 Step\u00a010 \u2014 Reading of the public key PuK.ICC.KA (conditionally)
3.7.4.12 Step 11 \u2014 Selection of Algorithm and keys <\/td>\n<\/tr>\n
46<\/td>\n3.7.4.13 Step 12 \u2014 Key agreement <\/td>\n<\/tr>\n
47<\/td>\n3.7.4.14 Step 13 \u2014 Establishment of new secure channel
3.7.4.15 Step\u00a014 \u2014 Read and verify ICC’s certificate
3.7.5 Unlinkablity Mechanism with individual private keys
3.7.5.1 General <\/td>\n<\/tr>\n
49<\/td>\n3.7.5.2 Key derivation
3.7.5.3 Step X.1 – Request for randomization <\/td>\n<\/tr>\n
50<\/td>\n3.7.5.4 Step\u00a02.2 \u2014 GA: Get nonce <\/td>\n<\/tr>\n
51<\/td>\n3.7.5.5 PCA mechanism <\/td>\n<\/tr>\n
54<\/td>\n3.7.5.6 Step\u00a07.1 \u2014 Key Selection for external authentication <\/td>\n<\/tr>\n
55<\/td>\n3.7.5.7 Step 12.1 DH key agreement <\/td>\n<\/tr>\n
56<\/td>\n3.8 Symmetric authentication scheme
3.8.1 General
3.8.2 Authentication steps
3.8.2.1 General <\/td>\n<\/tr>\n
57<\/td>\n3.8.2.2 Step\u00a0A \u2014 Read SN.ICC <\/td>\n<\/tr>\n
58<\/td>\n3.8.2.3 Step\u00a0B \u2014 Get Challenge <\/td>\n<\/tr>\n
59<\/td>\n3.8.2.4 Step\u00a0C \u2014 Mutual authentication <\/td>\n<\/tr>\n
60<\/td>\n3.8.3 Session Key creation
3.9 Key transport protocol based on RSA
3.9.1 General <\/td>\n<\/tr>\n
62<\/td>\n3.9.2 Authentication Steps
3.9.2.1 Step\u00a0A \u2014 Skip to authentication (conditional)
3.9.2.2 Step\u00a0B \u2014 Selection of verification key PuK.RCA.AUT (conditional) <\/td>\n<\/tr>\n
63<\/td>\n3.9.2.3 Step\u00a0C \u2014 Verify Certificate C_CV.CA.CS_AUT (conditional) <\/td>\n<\/tr>\n
64<\/td>\n3.9.2.4 Step\u00a0D \u2014 Selection of verification key PuK.CAIFDAUT <\/td>\n<\/tr>\n
65<\/td>\n3.9.2.5 Step\u00a0E \u2014 Verify Certificate C_CV.IFD.AUT
3.9.2.6 Step\u00a0F \u2014 Skip reading chain certificates
3.9.2.7 Step\u00a0G \u2014 Read C.CAICC.AUT (conditional) <\/td>\n<\/tr>\n
66<\/td>\n3.9.2.8 Step\u00a0H \u2014 Read ICC’s certificate C.ICC.AUT <\/td>\n<\/tr>\n
67<\/td>\n3.9.2.9 Step\u00a0I \u2014 Key selection
3.9.2.10 Step\u00a0J \u2014 Internal Authentication <\/td>\n<\/tr>\n
68<\/td>\n3.9.2.11 Step\u00a0K \u2014 Get Challenge <\/td>\n<\/tr>\n
69<\/td>\n3.9.2.12 Step\u00a0L \u2014 External authentication <\/td>\n<\/tr>\n
70<\/td>\n3.9.3 Session Key creation
3.10 Compute Session keys from key seed KIFD\/ICC
3.10.1 General <\/td>\n<\/tr>\n
71<\/td>\n3.10.2 Generation of key data
3.10.3 Partitioning of the key data
3.10.4 Algorithm and method specific definition for key derivation
3.10.4.1 TDES <\/td>\n<\/tr>\n
72<\/td>\n3.10.4.2 AES-128 using EMAC (SHA-1 version) <\/td>\n<\/tr>\n
73<\/td>\n3.10.4.3 AES-128 using CMAC (SHA-1 version)
3.10.4.4 AES using EMAC (SHA-256 version)
3.10.4.5 AES using CMAC (SHA\u2013256 version) <\/td>\n<\/tr>\n
74<\/td>\n3.10.5 Key derivation from passwords
3.10.5.1 General
3.10.5.2 3DES Key derivation
3.10.5.3 AES-128 Key derivation
3.10.5.4 AES-192 Key derivation <\/td>\n<\/tr>\n
75<\/td>\n3.10.5.5 AES-256 Key derivation
3.11 Compute send sequence counter SSC
3.12 Post-authentication phase <\/td>\n<\/tr>\n
76<\/td>\n3.13 Ending the secure session
3.13.1 General
3.13.2 Example for ending a secure session
3.13.3 Rules for ending a secure session <\/td>\n<\/tr>\n
77<\/td>\n3.14 Reading the Display Message <\/td>\n<\/tr>\n
79<\/td>\n3.15 Updating the Display Message <\/td>\n<\/tr>\n
80<\/td>\n4 Data structures
4.1 General
4.2 CRTs
4.2.1 General
4.2.2 CRT AT for the selection of internal private authentication keys
4.2.3 CRT AT for selection of internal authentication keys <\/td>\n<\/tr>\n
81<\/td>\n4.2.4 CRT for selection of IFD’s PuK.CAIFD.CS_AUT
4.2.5 CRT for selection of IFD’s PuK.IFD.AUT <\/td>\n<\/tr>\n
82<\/td>\n4.2.6 CRT AT for selection of the public DH \/ ECDH key parameters
4.2.7 GENERAL AUTHENTICATE DH key parameters used by the Privacy Protocol
4.2.8 CRT AT for selection of ICC’s private authentication key <\/td>\n<\/tr>\n
83<\/td>\n4.2.9 CRT for selection of IFD’s PuK.IFD.AUT
4.2.10 CRT for selection of PrK.ICC.KA <\/td>\n<\/tr>\n
84<\/td>\n4.3 Key transport device authentication protocol
4.3.1 EXTERNAL AUTHENTICATE
4.3.2 INTERNAL AUTHENTICATE <\/td>\n<\/tr>\n
85<\/td>\n4.4 Privacy device authentication protocol
4.4.1 EXTERNAL AUTHENTICATE (DH case) <\/td>\n<\/tr>\n
86<\/td>\n4.4.2 EXTERNAL AUTHENTICATE (ECDH case) <\/td>\n<\/tr>\n
87<\/td>\n4.4.3 INTERNAL AUTHENTICATE (DH case)
4.4.4 INTERNAL AUTHENTICATE (ECDH case) <\/td>\n<\/tr>\n
88<\/td>\n5 CV_Certificates and Key Management
5.1 General
5.2 Level of trust in a certificate
5.3 Key Management <\/td>\n<\/tr>\n
89<\/td>\n5.4 Certificate types
5.4.1 Card Verifiable Certificates <\/td>\n<\/tr>\n
90<\/td>\n5.4.2 Signature-Certificates
5.4.3 Authentication Certificates
5.5 Use of the public key extracted from a CV-certificate
5.6 Validity of the key extracted from a CV-certificate <\/td>\n<\/tr>\n
91<\/td>\n5.7 Structure of CVC
5.7.1 General
5.7.2 Non-self-descriptive certificates <\/td>\n<\/tr>\n
92<\/td>\n5.7.3 Self-descriptive certificates
5.8 Certificate Content
5.8.1 General <\/td>\n<\/tr>\n
93<\/td>\nCPI-Certificate Profile Identifier <\/td>\n<\/tr>\n
94<\/td>\n5.8.2 CAR-Certification Authority Reference DO <\/td>\n<\/tr>\n
95<\/td>\n5.8.3 CHR-Certificate Holder Reference DO <\/td>\n<\/tr>\n
96<\/td>\n5.8.4 CHA-Certificate Holder Authorization Data Object (CHA-DO) <\/td>\n<\/tr>\n
97<\/td>\n5.8.5 Role identifier specifications
5.8.5.1 General <\/td>\n<\/tr>\n
98<\/td>\n5.8.5.2 Role ID for PuK of CA <\/td>\n<\/tr>\n
99<\/td>\n5.8.5.3 Role ID for PuK for device authentication
5.8.5.4 Processing the role ID
5.8.6 User and service provider authentication
5.8.6.1 General <\/td>\n<\/tr>\n
100<\/td>\n5.8.6.2 Specific attributes
5.8.7 CHAT-Certificate Holder Authorization Template (CHAT)
5.8.8 OID \u2014 Object identifier
5.8.9 CEDT \u2014 Certificate Effective Date Template
5.8.10 CXDT \u2014 Certificate Expiration date Template <\/td>\n<\/tr>\n
101<\/td>\n5.9 Certificate signature
5.9.1 General
5.9.2 Non self-descriptive certificates <\/td>\n<\/tr>\n
102<\/td>\n5.9.3 Self-descriptive certificates <\/td>\n<\/tr>\n
103<\/td>\n5.10 Coding of the certificate content
5.10.1 Non self-descriptive certificates
5.10.2 Self-descriptive certificates <\/td>\n<\/tr>\n
104<\/td>\n5.10.3 Self-descriptive certificates for elliptic curve cryptography
5.10.3.1 General
5.10.3.2 Structure of a self-descriptive CV certificate
5.10.3.3 Certificate content template
5.10.3.4 Certificate Profile Indicator
5.10.3.5 Certification Authority Reference Template
5.10.3.6 Certificate Holder Reference Template <\/td>\n<\/tr>\n
105<\/td>\n5.10.3.7 Certificate Holder Authorization (CHA-Template\/CHA-DO)
5.10.3.8 Optional certificate extension in self-descriptive certificates <\/td>\n<\/tr>\n
106<\/td>\n5.10.3.9 Public Key
5.10.3.10 OID1
5.10.3.11 Signature <\/td>\n<\/tr>\n
107<\/td>\n5.11 Steps of CVC verification
5.11.1 General <\/td>\n<\/tr>\n
108<\/td>\n5.11.2 First round: CVC verification from a Root PuK <\/td>\n<\/tr>\n
109<\/td>\n5.11.3 Subsequent round(s)
5.12 Commands to handle the CVC
5.13 C_CV.IFD.AUT (non self-descriptive) <\/td>\n<\/tr>\n
110<\/td>\n5.14 C_CV.CA.CS-AUT (non self-descriptive) <\/td>\n<\/tr>\n
111<\/td>\n5.15 C.ICC.AUT <\/td>\n<\/tr>\n
112<\/td>\n5.16 Self-descriptive CV Certificate (Example)
5.16.1 General
5.16.2 Public Key <\/td>\n<\/tr>\n
113<\/td>\n5.16.3 Certificate Holder Authorization Template
5.16.4 Certificate Extension <\/td>\n<\/tr>\n
114<\/td>\n5.16.5 ECDSA Signature <\/td>\n<\/tr>\n
115<\/td>\nAnnex\u00a0A (informative)Device authentication Protocol Properties <\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":"

Application Interface for Secure Elements for Electronic Identification, Authentication and Trusted Services – Device authentication protocols<\/b><\/p>\n\n\n\n\n
Published By<\/td>\nPublication Date<\/td>\nNumber of Pages<\/td>\n<\/tr>\n
BSI<\/b><\/a><\/td>\n2017<\/td>\n120<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"featured_media":350118,"template":"","meta":{"rank_math_lock_modified_date":false,"ep_exclude_from_search":false},"product_cat":[693,2641],"product_tag":[],"class_list":{"0":"post-350116","1":"product","2":"type-product","3":"status-publish","4":"has-post-thumbnail","6":"product_cat-35-240-15","7":"product_cat-bsi","9":"first","10":"instock","11":"sold-individually","12":"shipping-taxable","13":"purchasable","14":"product-type-simple"},"_links":{"self":[{"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/product\/350116","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/product"}],"about":[{"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/types\/product"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/media\/350118"}],"wp:attachment":[{"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/media?parent=350116"}],"wp:term":[{"taxonomy":"product_cat","embeddable":true,"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/product_cat?post=350116"},{"taxonomy":"product_tag","embeddable":true,"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/product_tag?post=350116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}