
27/09/2016 © 2009 PrimeKey Solutions AB 1 EAC ePassport PKI PrimeKey Solutions AB Tomas Gustavsson, Tham Wickenberg




1 EAC ePassport PKI
PrimeKey Solutions AB: Tomas Gustavsson, Tham Wickenberg
http://www.primekey.se, tomas@primekey.se, tham@primekey.se, www.ejbca.org, www.signserver.org

2 Electronic passports: Security features
Passive authentication: verify the signed data read from the chip.
Active authentication: the chip has its own private/public key pair, with the private key securely stored in the chip. The chip proves its authenticity by challenge-response; the inspection system uses the public key from the signed data to verify the chip.
Access control: access to the signed data requires the MRZ to read; access to DG3 and DG4 requires terminal authentication.

3 Electronic passports: Access control
Basic Access Control (BAC): deployed in most countries already. Chip access to the less sensitive data is protected by the MRZ code, which is scanned by OCR.
Extended Access Control (EAC): deployed in the EU before 28th of June (should be). Access to fingerprints (DG3) and iris (DG4) requires terminal authentication, where the passport authenticates the passport reader as authorized to read those fields.
The authentication infrastructure is a PKI with specialized certificates (CVC, Card Verifiable Certificates).

4 Electronic passports (diagram slide)

5 Electronic passports: Standards
ICAO: BAC and passive authentication are standardized by ICAO.
EAC v1.11: BSI technical guideline TR-03110, Advanced Security Mechanisms for Machine Readable Travel Documents – Extended Access Control (EAC). An EU standard, not standardized by ICAO.
EU certificate policy: requirements on PKIs for allowing foreign states to read fingerprints from EU passports.

6 Electronic passports: PKIs
Country Signing PKI (X.509 certificates): one Root CA per country (CSCA); 1..x subscribers per country (Document Signers).
Country Verifying PKI (CV certificates): one Root CA per country (CVCA); 1..x Sub CAs per country (Document Verifiers, DVs); 1..x subscribers per country (Inspection Systems, IS).
(Diagram: CSCA; CVCA with DV below it.)

7 Signing PKI
Used for passive authentication, i.e. signing of data.
CSCA: Country Signing CA. DS: Document Signer.
(Diagram: CSCA.se, SHA256wRSA, keys in an HSM; on enrollment it issues an X.509 certificate to the Document Signer, which signs the data blob and outputs the data blob and signature.)

8 X.509 Certificate - ASN.1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2a:fb:9a:89:c1:8a:b2:35
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=CSCA v1, O=Rikspolisstyrelsen, C=SE
        Validity
            Not Before: Nov 24 12:00:50 2008 GMT
            Not After : Nov 22 12:00:50 2018 GMT
        Subject: CN=AdminCA1, O=EJBCA Sample, C=SE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:81:be:2e:8e:02:1a:e1:57:7e:c2:45:d0:fc:b9:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        29:50:76:fa:8e:22:3a:04:61:94:0e:3e:3f:bf:14:15:1e:ae:
Note that this sample is signed with sha1WithRSAEncryption; the CSCA and CVCA profiles on the later slides use SHA-256.

9 EAC Terminal authentication
Terminal authentication is the critical part of EAC (from a PKI point of view).
The IS sends its certificate chain to the passport.
The passport verifies the certificates against the CVCA trust point stored in the chip.
The passport sends a challenge to the inspection system.
The IS signs the challenge and returns it to the passport.
The passport verifies the signed challenge and grants access.
(Diagram: Passport and Inspection system; 1. Certificate chain, 2. Challenge, 3. Response.)

10 EAC PKI
Used for Terminal Authentication, to protect the biometric data in the passport.
Uses Card Verifiable Certificates (CVC), not "normal" X.509 certificates.
Country Verifying Certificate Authority (CVCA): issues Document Verifier certificates.
Document Verifier (DV): issues Inspection System (IS) certificates. A domestic DV (DV-D) is a DV in the CVCA's own country; a foreign DV (DV-F) is a DV in another country.

11 EAC PKI
(Diagram: CVCA.se, SHA256wRSA, keys in an HSM, holds the CVCA certificate (CVC) with the CVCA public key and CVCA name; the production DV-D.se, SHA256wRSA, keys in an HSM, holds the DV certificate (CVC) and issues the IS certificate (CVC) to the inspection system.)

12 CVC certificate – TLV
7f21 CV_CERTIFICATE
  7f4e CERTIFICATE_BODY
    5f29 PROFILE_IDENTIFIER 0
    42 CA_REFERENCE SE/CVCAPK/00001
    7f49 PUBLIC_KEY
      06 OID 0.4.0.127.0.7.2.2.2.1.2
      81 MODULUS [2048] B76DE3DBDB310FFCA85035EA70873E8...
      82 EXPONENT 010001
    5f20 HOLDER_REFERENCE SE/CVCAPK/00001
    7f4c HOLDER_AUTH_TEMPLATE
      06 OID 0.4.0.127.0.7.3.1.2.1
      53 ROLE_AND_ACCESS_RIGHTS C3: CVCA/DG3+DG4
    5f25 EFFECTIVE_DATE 2008-07-02
    5f24 EXPIRATION_DATE 2011-03-29
  5f37 SIGNATURE 20F242ED292BBD9C1E53F56FB6...
Here CA_REFERENCE equals HOLDER_REFERENCE, so this is a self-signed CVCA certificate. The public-key OID is id-TA-RSA-v1-5-SHA-256 and the holder-authorization OID is the id-IS terminal type from TR-03110; the rights byte C3 sets the role bits (bits 7-6 = 11, CVCA) together with bit 1 (DG4) and bit 0 (DG3). The signature is computed over the whole CERTIFICATE_BODY TLV, tag and length included.
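The TLV layout above, encoded and parsed in Python as an added example (this is not code from the slides or from the EJBCA CVC library). The tag numbers, the date encoding and the rights-byte layout follow TR-03110 v1.11; the key material and the signature are constructed dummy bytes, since the slide truncates both, and the reference strings are written in the concatenated on-the-wire form (SECVCAPK00001) rather than the slide's SE/CVCAPK/00001 display form.

```python
"""Minimal BER-TLV encoder and parser for EAC Card Verifiable Certificates.

Added example, not code from the slides or from EJBCA. Builds a constructed
self-signed CVCA-style certificate with dummy key and signature bytes, then
parses it back and decodes CAR/CHR, OIDs, role/access byte and BCD dates.
"""

# Tags from BSI TR-03110 v1.11, as listed on the slide
TAG_CV_CERTIFICATE, TAG_CERTIFICATE_BODY = 0x7F21, 0x7F4E
TAG_PROFILE_ID, TAG_CA_REFERENCE, TAG_PUBLIC_KEY = 0x5F29, 0x42, 0x7F49
TAG_OID, TAG_MODULUS, TAG_EXPONENT = 0x06, 0x81, 0x82
TAG_HOLDER_REFERENCE, TAG_HOLDER_AUTH_TMPL, TAG_ROLE_AND_ACCESS = 0x5F20, 0x7F4C, 0x53
TAG_EFFECTIVE_DATE, TAG_EXPIRATION_DATE, TAG_SIGNATURE = 0x5F25, 0x5F24, 0x5F37
ROLES = {0xC0: "CVCA", 0x80: "DV-domestic", 0x40: "DV-foreign", 0x00: "IS"}


def tlv(tag, value):
    """Encode one BER-TLV object (one- or two-byte tag, short or long length)."""
    tag_bytes = tag.to_bytes(2 if tag > 0xFF else 1, "big")
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long form: 81 xx or 82 xx xx
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return tag_bytes + length + value


def parse_tlvs(data):
    """Yield (tag, value) from concatenated TLVs; refuses truncated input."""
    i = 0
    while i < len(data):
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:              # two-byte tag such as 7F21 or 5F29
            tag = (tag << 8) | data[i]
            i += 1
        length = data[i]
        i += 1
        if length & 0x80:
            nbytes = length & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        if i + length > len(data):
            raise ValueError("truncated TLV for tag %04x" % tag)
        yield tag, data[i:i + length]
        i += length


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128 with continuation bit
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def decode_oid(raw):
    arcs, value = list(divmod(raw[0], 40)), 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_date(iso):
    """YYYY-MM-DD -> six unpacked-BCD bytes YYMMDD (TR-03110 dates are 20YY)."""
    y, m, d = iso.split("-")
    return bytes(int(c) for c in y[2:] + m + d)


def decode_date(raw):
    digits = "".join(str(b) for b in raw)
    return "20%s-%s-%s" % (digits[:2], digits[2:4], digits[4:])


def decode_access_rights(byte):
    """Bits 7-6: role; bit 1: read DG4 (iris); bit 0: read DG3 (fingerprint)."""
    return {"role": ROLES[byte & 0xC0], "dg3": bool(byte & 0x01), "dg4": bool(byte & 0x02)}


def parse_cvc(blob):
    (tag, cert), = parse_tlvs(blob)
    if tag != TAG_CV_CERTIFICATE:
        raise ValueError("not a CV certificate")
    outer = dict(parse_tlvs(cert))
    body = dict(parse_tlvs(outer[TAG_CERTIFICATE_BODY]))
    key = dict(parse_tlvs(body[TAG_PUBLIC_KEY]))
    chat = dict(parse_tlvs(body[TAG_HOLDER_AUTH_TMPL]))
    return {
        "car": body[TAG_CA_REFERENCE].decode("ascii"),   # country(2) + mnemonic + sequence(5)
        "chr": body[TAG_HOLDER_REFERENCE].decode("ascii"),
        "key_oid": decode_oid(key[TAG_OID]),
        "modulus": int.from_bytes(key[TAG_MODULUS], "big"),
        "exponent": int.from_bytes(key[TAG_EXPONENT], "big"),
        "terminal_oid": decode_oid(chat[TAG_OID]),
        "rights": decode_access_rights(chat[TAG_ROLE_AND_ACCESS][0]),
        "effective": decode_date(body[TAG_EFFECTIVE_DATE]),
        "expiration": decode_date(body[TAG_EXPIRATION_DATE]),
        # the signature covers the whole body TLV, tag and length included
        "signed_bytes": tlv(TAG_CERTIFICATE_BODY, outer[TAG_CERTIFICATE_BODY]),
        "signature": outer[TAG_SIGNATURE],
    }


def is_well_formed(blob):
    try:
        parse_cvc(blob)
        return True
    except (ValueError, KeyError, IndexError):
        return False


def build_sample_cvc():
    """Constructed CVCA certificate mirroring the slide; key and signature are dummies."""
    modulus = (1 << 2047) | 0xB76DE3DB            # dummy 2048-bit value, not the slide's key
    key = (tlv(TAG_OID, encode_oid("0.4.0.127.0.7.2.2.2.1.2"))   # id-TA-RSA-v1-5-SHA-256
           + tlv(TAG_MODULUS, modulus.to_bytes(256, "big"))
           + tlv(TAG_EXPONENT, bytes([0x01, 0x00, 0x01])))
    chat = (tlv(TAG_OID, encode_oid("0.4.0.127.0.7.3.1.2.1"))    # id-IS terminal type
            + tlv(TAG_ROLE_AND_ACCESS, bytes([0xC3])))            # CVCA, DG3 + DG4
    body = (tlv(TAG_PROFILE_ID, b"\x00")
            + tlv(TAG_CA_REFERENCE, b"SECVCAPK00001")             # CAR == CHR: self-signed
            + tlv(TAG_PUBLIC_KEY, key)
            + tlv(TAG_HOLDER_REFERENCE, b"SECVCAPK00001")
            + tlv(TAG_HOLDER_AUTH_TMPL, chat)
            + tlv(TAG_EFFECTIVE_DATE, encode_date("2008-07-02"))
            + tlv(TAG_EXPIRATION_DATE, encode_date("2011-03-29")))
    signature = bytes(256)                        # dummy; a real one is RSA over signed_bytes
    return tlv(TAG_CV_CERTIFICATE, tlv(TAG_CERTIFICATE_BODY, body) + tlv(TAG_SIGNATURE, signature))
```

The parser refuses a TLV whose declared length runs past the end of the input rather than silently returning a short value, which is the check a chip or inspection system needs before handing the body to signature verification; `signed_bytes` is exactly what that verification must hash.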

13 EAC PKI (diagram slide)

14 Technical details
Validity: CVCA 1-3 years, DV 1-3 months, IS 1-30 days, passport 5-10 years.
Link certificates are used to update the root (CVCA) certificate in passports.
IS certificates can use the same public key if they use the same algorithm.
DVs can use the same private key if they use the same algorithm.

15 Technical details
Limitations in the passports: the whole certificate chain must use the same algorithm, i.e. SHA256WithRSA with 2048-bit keys or SHA256WithECDSA on the secp256r1 curve.
EC certificates: only the CVCA certificate contains the domain parameters.
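The terminal authentication exchange of slide 9, together with the chain rules of slides 14 and 15 (short-lived DV and IS certificates, one algorithm for the whole chain), simulated with both sides in one process. This is an added example and not code from the slides or from EJBCA: certificates are plain dictionaries rather than CVC TLVs, the challenge is a bare nonce instead of TR-03110's ID_PICC || r_PICC, and the signatures are toy textbook RSA built from Mersenne primes with no padding so the block runs on the standard library. It shows the protocol and the checks, not a deployable signer.

```python
"""EAC Terminal Authentication, simulated with chip and inspection system in one process.

Added example, not code from the PrimeKey slides or from EJBCA. The chip holds
the CVCA public key as its trust point; the IS presents DV and IS certificates;
the chip checks issuer links (CAR -> CHR), role order, the single-algorithm
rule, signatures and expiry, then challenges the IS. TOY RSA, no padding.
"""
import hashlib
import os
from datetime import date

E = 65537
ALG = "SHA256withRSA"
ISSUER_ROLE = {"CVCA": {"CVCA"}, "DV": {"CVCA"}, "IS": {"DV"}}   # CVCA->CVCA covers link certs


def toy_keypair(p, q):
    """Textbook RSA from two Mersenne primes; assumption: illustration only, never real keys."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}


def toy_sign(priv, data):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, priv["d"], priv["n"])


def toy_verify(pub, data, sig):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(sig, pub["e"], pub["n"]) == h


def tbs(cert):
    """Canonical to-be-signed bytes: every field but the signature, in key order."""
    return repr([(k, cert[k]) for k in sorted(cert) if k != "sig"]).encode()


def issue(issuer_priv, car, chr_, role, pub, rights, eff, exp):
    """CAR = issuer's holder reference, CHR = this holder's reference (TR-03110 naming)."""
    cert = {"car": car, "chr": chr_, "role": role, "alg": ALG, "pub": pub,
            "rights": tuple(sorted(rights)), "eff": eff.isoformat(), "exp": exp.isoformat()}
    cert["sig"] = toy_sign(issuer_priv, tbs(cert))
    return cert


class Chip:
    """Passport side: trust point, chain validation, challenge."""

    def __init__(self, cvca_cert, today):
        self.trusted = {cvca_cert["chr"]: cvca_cert}
        self.today = today.isoformat()   # a chip has no clock; TR-03110 derives this from effective dates seen
        self.challenge = None

    def verify_chain(self, chain):
        """Step 1: DV then IS. Returns the IS cert and the effective access rights."""
        verified = dict(self.trusted)
        rights = set(next(iter(self.trusted.values()))["rights"])
        for cert in chain:
            issuer = verified.get(cert["car"])
            if issuer is None:
                raise ValueError("unknown issuer " + cert["car"])
            if issuer["role"] not in ISSUER_ROLE[cert["role"]]:
                raise ValueError("%s may not issue %s" % (issuer["role"], cert["role"]))
            if cert["alg"] != issuer["alg"]:
                raise ValueError("algorithm changes inside chain")
            if not toy_verify(issuer["pub"], tbs(cert), cert["sig"]):
                raise ValueError("bad signature on " + cert["chr"])
            if cert["exp"] < self.today:
                raise ValueError("expired: " + cert["chr"])
            rights &= set(cert["rights"])        # rights can only shrink down the chain
            verified[cert["chr"]] = cert
        return chain[-1], tuple(sorted(rights))

    def get_challenge(self):
        """Step 2: fresh random nonce (simplified from ID_PICC || r_PICC)."""
        self.challenge = os.urandom(8)
        return self.challenge

    def verify_response(self, is_cert, response):
        """Step 3: the response must be the IS signature over our challenge."""
        ok = self.challenge is not None and toy_verify(is_cert["pub"], self.challenge, response)
        self.challenge = None                    # single use
        return ok


def terminal_authentication(chip, chain, is_priv):
    """Inspection-system side of the exchange; returns (granted, effective rights)."""
    is_cert, rights = chip.verify_chain(chain)
    response = toy_sign(is_priv, chip.get_challenge())
    return chip.verify_response(is_cert, response), rights


def demo(today=date(2009, 6, 1), tamper_rights=False, wrong_is_key=False):
    """Constructed Swedish-style hierarchy with validity periods like slide 14."""
    cvca_pub, cvca_priv = toy_keypair((1 << 521) - 1, (1 << 127) - 1)
    dv_pub, dv_priv = toy_keypair((1 << 607) - 1, (1 << 89) - 1)
    is_pub, is_priv = toy_keypair((1 << 1279) - 1, (1 << 107) - 1)
    cvca = issue(cvca_priv, "SECVCA00001", "SECVCA00001", "CVCA", cvca_pub,
                 {"DG3", "DG4"}, date(2008, 7, 2), date(2011, 3, 29))
    dv = issue(cvca_priv, "SECVCA00001", "SEDVD00001", "DV", dv_pub,
               {"DG3", "DG4"}, date(2009, 5, 15), date(2009, 8, 15))
    is_cert = issue(dv_priv, "SEDVD00001", "SEIS00001", "IS", is_pub,
                    {"DG3"}, date(2009, 5, 30), date(2009, 6, 29))
    if tamper_rights:
        is_cert["rights"] = ("DG3", "DG4")       # edited after signing: signature must fail
    chip = Chip(cvca, today)
    try:
        granted, rights = terminal_authentication(
            chip, [dv, is_cert], cvca_priv if wrong_is_key else is_priv)
        return {"granted": granted, "rights": rights, "error": None}
    except ValueError as err:
        return {"granted": False, "rights": (), "error": str(err)}
```

Running `demo()` grants access with effective rights ("DG3",): the IS certificate asked only for fingerprints, so the chip intersects the rights down the chain even though the CVCA and DV allow DG3 and DG4. `demo(tamper_rights=True)` fails on the IS signature, `demo(today=date(2009, 7, 10))` fails because the 30-day IS certificate has expired, and `demo(wrong_is_key=True)` passes chain validation but the challenge response does not verify, so access is refused without any certificate error.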

16 Validity periods (diagram slide)

17 E-passport PKI example
The infrastructure located in Sweden (except non-Nordic DV-Fs, for simplicity).
(Diagram: CVCA.se, SHA256wRSA, issues DV-D.se (SHA256wRSA) and the foreign DVs DV-F.no (ECC-a?), DV-F.fi (ECC-b?), DV-F.dk (Alg?) and DV-F.is (Alg?). IS certificates: IS Cert.se (SHA256wRSA), IS Cert.no (ECC-a?), IS Cert.fi (ECC-a?), IS Cert.dk (ECC-a?), IS Cert.is (ECC-a?). The IS reads Passport.se, Passport.fi, Passport.no, Passport.dk and Passport.is.)

18 EAC certificate algorithms (diagram slide)

19 EJBCA: CVCA, DV-Domestic, DV-Foreign, IS and algorithms
Epassport production steps:
Passport issuing: CVCA and DV (with a local IS in passport production for quality control).
Reading domestic passports: inspection systems.
Reading foreign passports: foreign DVs signed by the CVCA.
Reading domestic passports by foreign countries: DVs signed by foreign CVCAs. Different CVCAs use different algorithms, which requires DVs using the same algorithms as the signing CVCA.
The different steps can be handled as different projects.

20 Epassport production steps
(Diagram: the PKI issues the CVCA certificate, the IS certificate and the DS certificate; the perso system and the inspection system consume them at Perso and QA.)

21 CVC requests and link certificates
IS requests: self-signed requests (inner signature).
DV requests: self-signed requests authenticated with an outer signature by the CVCA (both inner and outer signature).
CVCA link certificate: a CVCA certificate signed by the previous CVCA (inner signature). Normally the name is the same but the sequence changes; the whole name can change as well, and algorithms can be changed.

22 Passport readers PKI
Key management is a function of the Inspection System, to keep order of all the different keys and certificates.
(Diagram: passport readers served by a local IS and a central IS.)

23 Single Point Of Contact (SPOC)
➢ Between states.
➢ Only communication between states. Inside each country it is country/vendor/product specific.

24 SPOC
This protocol is used to exchange keys and certificates, in order that:
➢ the DV can send a certification request to the foreign CVCA;
➢ the CVCA can send the issued certificate to the requesting DV;
➢ the DV and the CVCA can request a list of valid certificates (certificate chains) needed to read an ePassport from the foreign CVCA.
The specification covers the following channels to exchange data:
➢ manual exchange with the data stored on removable media;
➢ e-mail messages;
➢ web services interface.
This specification does not cover:
➢ exchanges and communication internal to the country (domestic DV to domestic CVCA, IS to DV);
➢ exchanges related to the initial registration process, except the format of the data exchanged (media format, metadata content).

25 SPOC – Webservice calls
SOAP web service using TLS authentication for all participants.
➢ RequestCertificate
➢ SendCertificates
➢ GetCACertificates

26 EJBCA - ePassport
Tomas Gustavsson, Joakim Bågnert
http://www.primekey.se, tomas@primekey.se, joakim@primekey.se, www.ejbca.org, www.signserver.org

27 EJBCA Enterprise PKI
Audit compliance: certified against ETSI QC standards; certified against WebTrust standards; policies, security and demands.
EAC ePassport: conformance with the EU EAC 1.11 specification; supports the EU common certificate policy; together with SignServer, able to issue express passports; supports dual authentication, for example when creating DVs; web service API modelled after the EU policy.

28 EJBCA Enterprise PKI
Multiple CAs, of different types, in a single instance. Each CA uses keys with a specific label in the HSM. Cost effective and easier to manage.
(Diagram: CA node with HSM; the X.509 CSCA uses Key 1, the CVC CVCA uses Key 2 and the CVC DV uses Key 3.)

29 The Central Certificate Authority
EJBCA Certificate Authority
- CVCA and domestic DVs
- End entities can be IS or foreign DV
- Certificate profiles for type and DG3/DG4
Standards
- EAC 1.11 CVC
- All algorithms specified in EAC 1.11: RSA and ECC algorithms
- Web service API modelled after the EU common policy
- Standard SQL database to store certificates
- PKCS#11 HSM interface
Flexible certificate enrolment process
- Web services API for integration
- Java EJB API available; custom API possible
- Web GUI and command line for manual operations
- Automation
- Central administration

30 EJBCA PKI - ePassport
EJBCA and SignServer are open source products that support features no other open source project has. SignServer is a complete MRTD signing solution, while EJBCA provides PKI both for passport signing and EAC fingerprint protection.
(Diagram: EJBCA PKI with HSM issues the DS certificate (X.509) to SignServer MRTD in passport production, which signs the document, and the IS certificate (CVC) to the inspection system.)

31 Integrated PKI
(Diagram: EJBCA PKI issues the DS certificate (X.509) to SignServer MRTD and the IS certificate (CVC) to the inspection system, alongside VPN, SSL, logon and email certificates.)

32 Swedish police solution
The Swedish National Police Board contributed the CVC library to EJBCA.
Integrated passport PKI management in passport management systems.
(Diagram: RPS PKI; RES förvaltning (RES administration); Border Control System; web service interface; passport application/production; EU member states.)

33 EJBCA Technical architectures
Scalable architecture: start with a simple setup for passport production; scale up for large-scale passport inspection; add components for intra-country certification; integrate with national administrative systems.

34 EJBCA Technical architecture
Initial step one: easy and fast setup, to build on for further steps.
(Diagram: CA cluster with HSM; passport production; administration and monitoring; inspection systems.)

35 EJBCA Technical architecture
If there is already an existing RA function (for example a passport department using existing tools).
(Diagram: CA cluster with HSM; passport production; existing RA with RA admin; administration and monitoring; inspection systems; other states via web service.)

36 EJBCA Technical architecture
If there is no existing RA function.
(Diagram: CA cluster with HSM; passport production; EJBCA External RA with RA admin; administration and monitoring; inspection systems; other states.)

37 EJBCA Technical architecture
Flexible architecture: it is possible to combine a CVCA and DVs from different vendors.
(Diagram: RootCA/CVCA with its own HSM; SubCAs/DVs with HSM; front end/KMS/External RA with RA admin; passport production; administration and monitoring; inspection systems; other states.)

38 Architecture - complete (diagram slide)




