Application Interface for smart cards used as Secure Signature Creation Devices - Part 1: Basic services

Part 1 of this series specifies the application interface to Smart Cards during the usage phase, used as Secure Signature Creation Devices (SSCD) according to the Terms of the European Directive on Electronic Signature 1999/93 to enable interoperability and usage as SSCD on a national or European level.
This document describes the mandatory services for the usage of Smart Cards as SSCDs based on CEN CWA 14890. This covers the signing function, storage of certificates, the related user verification, establishment and use of trusted path and channel, requirements for key generation and the allocation and format of resources required for the execution of those functions and related cryptographic token information.
Thereby the functionality of CWA 14890-1 is enhanced in the following areas:
- Device authentication with Elliptic Curves (ELC) for existing asymmetric authentication protocols (RSA Transport, Privacy Protocol),
- Enhancement of existing asymmetric authentication protocols due to privacy and non-traceability constraints,
- Card Verifiable (CV) Certificate Formats (self descriptive) with ELC for all types of authentication and authorization protocols,
- Secure Messaging Tags and use of commands with Odd-INS Code in compliance to the actual ISO/IEC 7816-4,
- Further hash algorithms (SHA2–family) with corresponding Object identifier and Algorithm references,
- Use of AES in authentication protocols,
- Use of AES for secure messaging.
The following items are out of scope:
1)   The physical, electrical and transport protocol characteristics of the card,
2)   The external signature creation process and signature environment,
3)   The elements required to verify an electronic signature produced by a card used as a SCCD,
4)   The error handling process.

Anwendungsschnittstelle für Chipkarten, die zur Erzeugung qualifizierter elektronischer Signaturen verwendet werden — Teil 1: Allgemeine Dienste

Teil 1 dieser Reihe legt die Anwendungsschnittstelle für Chipkarten während ihrer Verwendung zur Erzeugung
gesicherter Signaturen entsprechend den Bedingungen der Europäischen Richtlinie 1999/93 über
elektronische Signaturen zur Ermöglichung der Interoperabilität und Verwendung als sichere
Signaturerstellungseinheiten (Secure Signature Creation Devices, SSCD) auf nationaler oder europäischer
Ebene fest.
Dieses Dokument beschreibt die obligatorischen Dienste für die Verwendung von Chipkarten als SSCD auf
der Grundlage von CEN CWA 14890 (alle Teile). Dazu gehören die Signierfunktion, das Speichern von
Zertifikaten, die entsprechende Benutzerüberprüfung, die Einrichtung und Verwendung vertrauenswürdiger
Pfade und Kanäle, Anforderungen an die Schlüsselerzeugung sowie die Zuteilung und das Format von
Betriebsmitteln, die zur Ausführung dieser Funktionen erforderlich sind sowie entsprechende
kryptographische Tokeninformationen.
Somit wird die Funktionalität von CWA 14890-1 in den folgenden Bereichen verbessert:
- Geräteauthentisierung mit elliptischen Kurven (Elliptic Curves, ELC) für bestehende asymmetrische
Authentisierungsprotokolle (RSA Transport, Privacy Protocol);
- Verbesserung bestehender asymmetrischer Authentisierungsprotokolle aufgrund von Einschränkungen
im Hinblick auf den Schutz personenbezogener Daten (Privacy) und Nichtbeweisbarkeit
(Non-Traceability);
- kartenverifizierbare (Card Verifiable, CV) Zertifikatformate (selbstbeschreibend) mit ELC für alle Arten von
Authentisierungs- und Berechtigungsprotokollen;
- Tags für Secure Messaging (sichere Nachrichtenübermittlung) und Verwendung von Befehlen mit
Odd-INS-Code entsprechend ISO/IEC 7816-4;
- weitere Hash-Algorithmen (SHA2-Familie) mit entsprechendem Objektbezeichner und Algorithmenreferenzen;
- Verwendung von AES in Authentisierungsprotokollen;
- Verwendung von AES für Secure Messaging.

Interface applicative des cartes à puces utilisées comme dispositifs de création de signature numérique sécurisés - Partie 1 : Services de bases

La partie 1 de la présente série de normes spécifie l’interface applicative, pendant la phase d’utilisation, des cartes à puces utilisées comme dispositifs de création de signature sécurisés (SSCD), selon les termes de la Directive européenne 1999/93 relative aux signatures électroniques, cette interface applicative devant permettre l’interopérabilité des cartes et leur utilisation comme SSCD à un échelon national ou européen.
Le présent document décrit les services obligatoires pour l’utilisation de cartes à puce comme SSCD sur la base du CWA CEN 14890. Il couvre la fonction de signature, l’archivage de certificats, la vérification d’utilisateur associée, l’établissement et l’utilisation d’un canal et d’un chemin sécurisés, les exigences relatives à la génération de clés. Il traite également de l’allocation et du format des ressources requises pour l’exécution de ces fonctions, ainsi que des informations sur le dispositif cryptographique associé.
À ce titre, la fonctionnalité du CWA 14890-1 est améliorée dans les domaines suivants :
   l’authentification des dispositifs au moyen de courbes elliptiques (ELC) dans le cadre des protocoles d’authentification asymétrique existants (transport RSA, protocole relatif à la protection de la vie privée) ;
   l’amélioration des protocoles d’authentification asymétrique existants en fonction des contraintes de non-traçabilité et de protection de la vie privée ;
   les formats de certificats (explicites) vérifiables par la carte (CV) au moyen des ELC, pour tous les types de protocoles d’authentification et d’autorisation ;
   les étiquettes de messagerie de sécurité et l’utilisation de commandes avec un code Odd-INS, en conformité avec la norme ISO/IEC 7816-4 effective ;
   les algorithmes de hachage supplémentaires (famille SHA2) avec l’identifiant d’objet et les références d’algorithmes correspondants ;
   l’utilisation d’AES dans les protocoles d’authentification ;
   l’utilisation d’AES pour la messagerie de sécurité.

Uporabniški vmesnik za pametne kartice, ki se uporabljajo kot naprave za izdelovanje varnega podpisa - 1. del: Osnovne storitve

General Information

Status
Withdrawn
Publication Date
02-Dec-2008
Withdrawal Date
13-Apr-2025
ICS
35.240.15 - Identification cards. Chip cards. Biometrics
Technical Committee
CEN/TC 224 - Machine-readable cards, related device interfaces and operations
Drafting Committee
CEN/TC 224/WG 16 - Application Interface for smart cards used as Secure Signature Creation Devices
Current Stage
9960 - Withdrawal effective - Withdrawal
Start Date
10-Dec-2014
Completion Date
14-Apr-2025
Ref Project
SIST EN 14890-1:2009 - Application Interface for smart cards used as Secure Signature Creation Devices - Part 1: Basic services

Relations

Replaced By
EN 419212-1:2014 - Application Interface for smart cards used as Secure Signature Creation Devices - Part 1: Basic services
Effective Date
24-Oct-2011

Frequently Asked Questions

EN 14890-1:2008 is a standard published by the European Committee for Standardization (CEN). Its full title is "Application Interface for smart cards used as Secure Signature Creation Devices - Part 1: Basic services". This standard covers: Part 1 of this series specifies the application interface to Smart Cards during the usage phase, used as Secure Signature Creation Devices (SSCD) according to the Terms of the European Directive on Electronic Signature 1999/93 to enable interoperability and usage as SSCD on a national or European level. This document describes the mandatory services for the usage of Smart Cards as SSCDs based on CEN CWA 14890. This covers the signing function, storage of certificates, the related user verification, establishment and use of trusted path and channel, requirements for key generation and the allocation and format of resources required for the execution of those functions and related cryptographic token information. Thereby the functionality of CWA 14890-1 is enhanced in the following areas: - Device authentication with Elliptic Curves (ELC) for existing asymmetric authentication protocols (RSA Transport, Privacy Protocol), - Enhancement of existing asymmetric authentication protocols due to privacy and non-traceability constraints, - Card Verifiable (CV) Certificate Formats (self descriptive) with ELC for all types of authentication and authorization protocols, - Secure Messaging Tags and use of commands with Odd-INS Code in compliance to the actual ISO/IEC 7816-4, - Further hash algorithms (SHA2–family) with corresponding Object identifier and Algorithm references, - Use of AES in authentication protocols, - Use of AES for secure messaging. The following items are out of scope: 1) The physical, electrical and transport protocol characteristics of the card, 2) The external signature creation process and signature environment, 3) The elements required to verify an electronic signature produced by a card used as a SCCD, 4) The error handling process.

Part 1 of this series specifies the application interface to Smart Cards during the usage phase, used as Secure Signature Creation Devices (SSCD) according to the Terms of the European Directive on Electronic Signature 1999/93 to enable interoperability and usage as SSCD on a national or European level. This document describes the mandatory services for the usage of Smart Cards as SSCDs based on CEN CWA 14890. This covers the signing function, storage of certificates, the related user verification, establishment and use of trusted path and channel, requirements for key generation and the allocation and format of resources required for the execution of those functions and related cryptographic token information. Thereby the functionality of CWA 14890-1 is enhanced in the following areas: - Device authentication with Elliptic Curves (ELC) for existing asymmetric authentication protocols (RSA Transport, Privacy Protocol), - Enhancement of existing asymmetric authentication protocols due to privacy and non-traceability constraints, - Card Verifiable (CV) Certificate Formats (self descriptive) with ELC for all types of authentication and authorization protocols, - Secure Messaging Tags and use of commands with Odd-INS Code in compliance to the actual ISO/IEC 7816-4, - Further hash algorithms (SHA2–family) with corresponding Object identifier and Algorithm references, - Use of AES in authentication protocols, - Use of AES for secure messaging. The following items are out of scope: 1) The physical, electrical and transport protocol characteristics of the card, 2) The external signature creation process and signature environment, 3) The elements required to verify an electronic signature produced by a card used as a SCCD, 4) The error handling process.

EN 14890-1:2008 is classified under the following ICS (International Classification for Standards) categories: 35.240.15 - Identification cards. Chip cards. Biometrics. The ICS classification helps identify the subject area and facilitates finding related standards.

EN 14890-1:2008 has the following relationships with other standards: It is inter standard links to EN 419212-1:2014. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

EN 14890-1:2008 is available in PDF format for immediate download after purchase. The document can be added to your cart and obtained through the secure checkout process. Digital delivery ensures instant access to the complete standard document.

Standards Content (Sample)


2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Uporabniški vmesnik za pametne kartice, ki se uporabljajo kot naprave za izdelovanje varnega podpisa - 1. del: Osnovne storitveAnwendungsschnittstelle für Chipkarten, die zur Erzeugung gesicherter Signaturen verwendet werden — Teil 1: Basis-AnforderungenInterfaces applicatives des cartes à puce utilisées pour le création de signatures électroniques sécurisées - Partie 1: Services de baseApplication Interface for smart cards used as Secure Signature Creation Devices - Part 1: Basic services35.240.15Identifikacijske kartice in sorodne napraveIdentification cards and related devicesICS:Ta slovenski standard je istoveten z:EN 14890-1:2008SIST EN 14890-1:2009en,de01-april-2009SIST EN 14890-1:2009SLOVENSKI
STANDARD
EUROPEAN STANDARDNORME EUROPÉENNEEUROPÄISCHE NORMEN 14890-1December 2008ICS 35.240.15Supersedes CWA 14890-1:2004
English VersionApplication Interface for smart cards used as Secure SignatureCreation Devices - Part 1: Basic servicesInterface applicative des cartes à puces utilisées commedispositifs de création de signature numérique sécurisés -Partie 1 : Services de basesAnwendungsschnittstelle für Chipkarten, die zur Erzeugungqualifizierter elektronischer Signaturen verwendet werden -Teil 1: Allgemeine DiensteThis European Standard was approved by CEN on 27 September 2008.CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this EuropeanStandard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such nationalstandards may be obtained on application to the CEN Management Centre or to any CEN member.This European Standard exists in three official versions (English, French, German). A version in any other language made by translationunder the responsibility of a CEN member into its own language and notified to the CEN Management Centre has the same status as theofficial versions.CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland,France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal,Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom.EUROPEAN COMMITTEE FOR STANDARDIZATIONCOMITÉ EUROPÉEN DE NORMALISATIONEUROPÄISCHES KOMITEE FÜR NORMUNGManagement Centre: rue de Stassart, 36
B-1050 Brussels© 2008 CENAll rights of exploitation in any form and by any means reservedworldwide for CEN national Members.Ref. No. EN 14890-1:2008: ESIST EN 14890-1:2009

Device authentication — Cryptographic view.175 A.1 Algorithms for authentication with key exchange or key negotiation.175 A.2 Device authentication with key transport.175 A.2.1 Conformance to ISO/IEC 11770-3.175 A.2.2 Using min(SIG, N-SIG) for the signature token.177 A.3 Device authentication with key negotiation.178 A.3.1 Diffie-Hellman Key Exchange.179 A.4 Device authentication with privacy protection.181 A.4.1 The authenticity of the public DH parameters.183 A.5 Device authentication with non traceability.185 A.5.1 Diffie-Hellman Key Exchange.185 A.6 The “Grandmaster Chess Attack”.187 Annex B (informative)
Personalization scenarios.189 Annex C (informative)
Build scheme for mEAC Object Identifiers.191 Bibliography.193
3.1 Answer-to-Reset file elementary file which indicates operating characteristics of the card 3.2 command-response pair set of two messages: a command followed by a response 3.3 data element item of information seen at the interface for which are defined a name, a description of logical content, a format and a coding SIST EN 14890-1:2009

NOTE In this specification, data objects are referred to as BER-TLV data objects. 3.5 data unit smallest set of bits which can be unambiguously referenced 3.6 dedicated file file containing file control information and, optionally, memory available for allocation
NOTE It may be the parent of EFs and/or DFs. 3.7 DF name string of bytes which uniquely identifies a dedicated file in the card 3.8 elementary file set of data units or records which share the same file identifier
NOTE It cannot be the parent of another file. 3.9 file control parameters logical, structural and security attributes of a file 3.10 file identifier 2-bytes binary value used to address a file 3.11 master file mandatory unique dedicated file representing the root of the file structure 3.12 message string of bytes transmitted by the interface device to the card or vice-versa, excluding transmission-oriented characters as defined in ISO/IEC 7816-3 3.13 parent file dedicated file immediately preceding a given file within the hierarchy 3.14 password data which may be required by the application to be presented to the card by its user
NOTE A password in the context of this specification is a string of numbers and/or ASCII characters. 3.15 path concatenation of file identifiers without delimitation
NOTE If the path starts with the identifier of the master file, it is an absolute path. SIST EN 14890-1:2009

NOTE If the object (e.g. password entry) was used correctly (correct password entered) then the retry counter is reset to its initial value. A typical value of a retry counter is 3. 3.21 secret key either a symmetrical key or private part of a public key pair 3.22 trusted channel means by which a TSF and a remote trusted IT product can communicate with necessary confidence to support the TSP 3.23 trusted environment operating environment that avoids the fraud with data that is seen at the communication interface by the definition of its physical location, physical security protection or physical access conditions or other measures to protect from tampering or intrusion of data
NOTE
See 8.2.3. 3.24 trusted path means by which a user and a TSF can communicate with necessary confidence to support the TSP 3.25 untrusted environment operating environment that allows tampering and intrusion of data available at the communication interface
NOTE The decision whether an environment is trusted cannot always be made at the system level and therefore might have to be taken by the card holder. 3.26 usage counter counter updated each time a related object is used
NOTE Opposite to retry counters, usage counters are not reset to their initial value after the object was successfully used. SIST EN 14890-1:2009
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...