Already a subscriber? 
MADCAD.com Free Trial
Sign up for a 3 day free trial to explore the MADCAD.com interface, PLUS access the
2009 International Building Code to see how it all works.
If you like to setup a quick demo, let us know at support@madcad.com
or +1 800.798.9296 and we will be happy to schedule a webinar for you.
Security check
Please login to your personal account to use this feature.
Please login to your authorized staff account to use this feature.
Are you sure you want to empty the cart?
BS EN 419212-2:2014 Application Interface for smart cards used as Secure Signature Creation Devices - Additional services, 2014
- Contents
- Foreword
- 1 Scope
- 2 Normative references
- 3 Terms and definitions
- 4 Abbreviations and notation
- 5 Additional Service Selection
- 6 Client/Server Authentication [Go to Page]
- 6.1 Client/Server protocols
- 6.2 Steps preceding the client/server authentication
- 6.3 Padding format [Go to Page]
- 6.3.1 PKCS #1 v 1-5 Padding
- 6.3.2 PKCS #1 V 2.x (PSS) Padding
- 6.3.3 Building the DSI on ECDSA
- 6.4 Client/Server protocol [Go to Page]
- 6.4.1 Step 1 — Read certificate
- 6.4.2 Step 2 — Set signing key for client/server internal authentication
- 6.4.3 Step 3 — Internal authentication
- 6.4.4 Client/Server authentication execution flow
- 6.4.5 Command data field for the client server authentication [Go to Page]
- 6.4.5.1 RSA
- 6.4.5.2 ECDSA
- 6.4.5.3 Other algorithms
- 7 Role Authentication [Go to Page]
- 7.1 Role Authentication of the card
- 7.2 Role Authentication of the server
- 7.3 Symmetrical external authentication [Go to Page]
- 7.3.1 Protocol [Go to Page]
- 7.3.1.1 Keys definition
- 7.3.1.2 Naming rules
- 7.3.1.3 Step 1 — Read key exchange parameters
- 7.3.1.4 Step 2 — Select Key for symmetrical external authentication
- 7.3.1.5 Step 3 — Challenge generation
- 7.3.1.6 Step 4 — External authentication
- 7.3.2 Description of the cryptographic mechanisms
- 7.3.3 Role description
- 7.4 Asymmetric external authentication [Go to Page]
- 7.4.1 Protocol based on RSA [Go to Page]
- 7.4.1.1 Step 1 — Success certificate verification
- 7.4.1.2 Step 2 — Selection of verification key PuK.IFD.RA
- 7.4.1.3 Step 3 — Get Challenge
- 7.4.1.4 Step 4 — External authentication
- 7.4.1.5 Role description
- 7.4.2 Protocol based on modular Enhanced Role Authentication (mERA) [Go to Page]
- 7.4.2.1 Step A — Set the cryptographic context
- 7.4.2.2 Step B – Get challenge
- 7.4.2.3 Step C – GENERAL AUTHENTICATE (C1)
- 7.4.2.4 Stage 3 – Internal authentication of the ICC (C2)
- 7.4.2.5 Step D – Certificate verification
- 7.4.2.6 Step E – Retrieval of public parameters for key agreement
- 7.4.2.7 Step F – Key Agreement
- 7.4.2.8 Cryptographic suites
- 7.4.2.9 Certificate format
- 8 Symmetric key transmission between a remote server and the ICC [Go to Page]
- 8.1 Steps preceding the key transport
- 8.2 Key encryption with RSA [Go to Page]
- 8.2.1 PKCS#1 v1.5 padding
- 8.2.2 OAEP padding
- 8.2.3 Execution flow [Go to Page]
- 8.2.3.1 Step 1 — Set deciphering key
- 8.2.3.2 Step 2 — Decipher key
- 8.3 Diffie-Hellman key exchange for key encipherment [Go to Page]
- 8.3.1 Execution flow [Go to Page]
- 8.3.1.1 Step 1: Select DH encryption key
- 8.3.1.2 Step 2: Derivation of the shared secret.
- 9 Signature verification [Go to Page]
- 9.1 Signature verification execution flow [Go to Page]
- 9.1.1 Step 1: Receive Hash
- 9.1.2 Step 2: Select verification key
- 9.1.3 Step 3: Verify digital signature
- 10 Certificates for additional services [Go to Page]
- 10.1 File structure
- 10.2 EF.C_X509.CH.DS
- 10.3 EF.C.CH.AUT
- 10.4 EF.C.CH.KE
- 10.5 Reading Certificates and the public key of CAs
- 11 Privacy Context functions [Go to Page]
- 11.1 Introduction
- 11.2 Auxiliary Data Comparison [Go to Page]
- 11.2.1 Presentation of the auxiliary data
- 11.2.2 Age Verification
- 11.2.3 Document Validation
- 11.3 Restricted Identification [Go to Page]
- 11.3.1 Command APDU for Step RI:1
- 11.3.2 Command APDU for Step RI:2
- 11.4 eServices with trusted third party protocol [Go to Page]
- 11.4.1 mERA-based eServices with trusted third party protocol [Go to Page]
- 11.4.1.1 Authentication steps
- 11.4.1.2 Step 2: Verify PIN
- 11.4.1.3 Step 3: Get Data / General Authenticate
- 11.4.2 mEAC-based eServices with trusted third party [Go to Page]
- 11.4.2.1 Stage 1: Loading a profile on to the ICC
- 11.4.2.2 Stage 2: The Identity Provider completes the profile
- 11.4.2.3 Stage 3: the SP retrieves the completed profile from the ICC
- 11.5 eServices with two party protocols [Go to Page]
- 11.5.1 mEAC-based eServices with on-line two party protocol
- 11.5.2 mEAC-based eServices with off-line two party protocol
- 12 APDU data structures [Go to Page]
- 12.1 Algorithm Identifiers
- 12.2 CRTs [Go to Page]
- 12.2.1 CRT DST for selection of ICC’s private client/server auth. key
- 12.2.2 CRT AT for selection of ICC’s private client/server auth. key
- 12.2.3 CRT CT for selection of ICC’s private key
- 12.2.4 CRT DST for selection of IFD’s public key (signature verification)
- Annex A (normative)Security Service Descriptor Templates [Go to Page]
- A.1 Security Service Descriptor Concept
- A.2 SSD Data Objects [Go to Page]
- A.2.1 DO Extended Header List, tag ‘4D’
- A.2.2 DO Instruction set mapping (ISM), tag ‘80’
- A.2.3 DO Command to perform (CTP), tag ‘52’ (refer to ISO/IEC 7816-6)
- A.2.4 DO Algorithm object identifier (OID), tag ‘06’ (refer to ISO/IEC 7816-6)
- A.2.5 DO Algorithm reference, tag ‘81’
- A.2.6 DO Key reference, tag ‘82’
- A.2.7 DO FID key file, tag ‘83’
- A.2.8 DO Key group, tag ‘84’
- A.2.9 DO FID base certificate file, tag ‘85’
- A.2.10 DO FID adjoined certificate file, tag ‘86’
- A.2.11 DO Certificate reference, tag ‘87’
- A.2.12 DO Certificate qualifier, tag ‘88’
- A.2.13 DO FID for file with public key of the certification authority PK(CA), tag ‘89’
- A.2.14 DO PIN usage policy, tag ‘5F2F’
- A.2.15 DO PIN reference, tag ‘8A’
- A.2.16 DO Application identifier (AID), tag ‘4F’ (refer to ISO/IEC 7816-6)
- A.2.17 DO CLA coding, tag ‘8B’
- A.2.18 DO Status information (SW1-SW2), tag ‘42’ (refer to ISO/IEC 7816-6)
- A.2.19 DO Discretionary data, tag ‘53’ (refer to ISO/IEC 7816-6)
- A.2.20 DO SE number, tag ‘8C’
- A.2.21 DO SSD profile identifier, tag ‘8D’
- A.2.22 DO FID mapping, tag ‘8E’
- A.3 Location of the SSD templates
- A.4 Examples for SSD templates
- Annex B (informative)Security environments [Go to Page]
- B.1 Definition of CRTs (examples) [Go to Page]
- B.1.1 CRT for Authentication (AT)
- B.1.2 CRT for Cryptographic Checksum (CCT)
- B.1.3 CRT for Digital Signature (DST)
- B.1.4 CRT for confidentiality (CT)
- B.2 Security Environments (example) [Go to Page]
- B.2.1 Security Environment #10
- B.2.2 Security Environment #11
- B.3 Coding of access conditions (example) [Go to Page]
- B.3.1 Access Conditions
- B.3.2 Access rule references
- B.3.3 Access conditions for EF.ARR
- B.3.4 EF.ARR records
- Annex C (normative) Algorithm Identifiers — Coding and specification
- Annex D (informative) Example of DF.CIA
- Annex E (informative)Build scheme for object identifiers defined by EN 14890
- Bibliography [Go to Page]
