1 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 1 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 ActivIdentity Digital Identity Applet Suite v1/v2 on OCS ID-One Cosmo 64 v5 FIPS140-2 Cryptographic Module Security Policy Version 1.9 ActivIdentity Inc 6623 Dumbarton Circle Fremont, CA 94555 (510)-574-0100 2 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 2 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 Table of Contents 1. INTRODUCTION .............................................................................................................................. 4 2. OVERVIEW ...................................................................................................................................... 4 2.1 THE OCS ID-ONE COSMO 64 V5 ..................................................................................................... 4 2.2 ACTIVIDENTITY DIGITAL IDENTITY APPLET SUITE V1/V2 ON OCS ID-ONE COSMO 64 V5 .................... 5 3. SECURITY LEVEL ........................................................................................................................... 6 4. CRYPTOGRAPHIC MODULE SPECIFICATION............................................................................. 6 4.1 MODULE INTERFACES...................................................................................................................... 8 4.1.1 ISO/IEC 7816 Physical Interface (contact mode).................................................................... 8 4.1.2 Transmission Protocol and Speed .......................................................................................... 9 4.2 LOGICAL INTERFACE DESCRIPTION .................................................................................................. 9 4.3 ISO/IEC 14443 RF INTERFACE (CONTACTLESS MODE)................................................................... 10 4.3.1 Interface Physical Specifications .......................................................................................... 10 4.3.2 Interface Electrical Specifications ......................................................................................... 10 4.3.3 Transmission protocol........................................................................................................... 11 5. ROLES & SERVICES..................................................................................................................... 11 5.1 IDENTIFICATION ............................................................................................................................. 11 5.2 ROLES .......................................................................................................................................... 11 5.2.1 User Roles: ........................................................................................................................... 11 5.2.2 Cryptographic Officers roles: ................................................................................................ 11 5.3 ROLE AUTHENTICATION ................................................................................................................. 12 5.3.1 User Role Authentication ...................................................................................................... 12 5.3.2 Cryptographic Officer Role Authentication............................................................................ 12 5.4 SERVICES ..................................................................................................................................... 12 5.4.1 CSC (Card Manager and Security Domain) Role Services................................................... 12 5.4.2 Application Operator Role..................................................................................................... 13 5.4.3 Card Holder Role .................................................................................................................. 14 5.4.4 No Role ................................................................................................................................. 14 5.5 RELATIONSHIP BETWEEN ROLES AND SERVICES ............................................................................ 15 6. MODULE CRYPTOGRAPHIC FUNCTIONS.................................................................................. 16 6.1 CRYPTOGRAPHIC ALGORITHMS, MODE AND KEY LENGTH ................................................................. 16 6.2 RANDOM NUMBER GENERATOR ..................................................................................................... 17 7. SELF TESTS .................................................................................................................................. 17 7.1 POWER-UP SELF TESTS ................................................................................................................ 17 7.2 CONDITIONAL TESTS ..................................................................................................................... 18 7.3 CRITICAL SECURITY PARAMETERS: ................................................................................................ 18 8. ACCESS TO CSPS VS SERVICES ............................................................................................... 19 9. SECURITY RULES ........................................................................................................................ 19 9.1 APPROVED MODE OF OPERATION................................................................................................... 19 9.2 AUTHENTICATION SECURITY RULES ............................................................................................... 20 9.3 APPLET LIFE CYCLE SECURITY RULES ........................................................................................... 20 9.4 ACCESS CONTROL SECURITY RULES ............................................................................................. 20 9.5 KEY MANAGEMENT SECURITY POLICY............................................................................................ 21 9.5.1 Cryptographic Key Generation.............................................................................................. 21 9.5.2 Cryptographic Key Entry ....................................................................................................... 21 3 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 3 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 9.5.3 Cryptographic Key Storage................................................................................................... 21 9.5.4 Cryptographic Key Zerorization ............................................................................................ 21 9.6 MITIGATION OF ATTACKS................................................................................................................ 21 9.6.1 Power Analysis (SPA/DPA) .................................................................................................. 21 9.6.2 Timing Analysis..................................................................................................................... 22 9.6.3 Fault Induction ...................................................................................................................... 22 9.6.4 Flash Gun ............................................................................................................................. 22 10. SECURITY POLICY CHECK LIST TABLES ................................................................................. 23 10.1 ROLES AND REQUIRED AUTHENTICATION.................................................................................... 23 10.2 STRENGTH OF AUTHENTICATION MECHANISMS............................................................................ 23 10.3 SERVICES AUTHORIZED FOR ROLES............................................................................................ 23 10.4 ACCESS RIGHTS WITHIN SERVICES ............................................................................................. 23 10.5 MITIGATION OF OTHER ATTACKS ................................................................................................ 23 11. REFERENCES ............................................................................................................................... 24 12. ACRONYMS................................................................................................................................... 25 4 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 4 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 1. INTRODUCTION This document defines the Security Policy for “ActivIdentity Digital Identity Applet Suite v1/v2 on OCS ID- One Cosmo 64 v5” cryptographic module, submitted for validation, in accordance with FIPS140-2 Level 2 requirements. Included are a description of the security requirements for the module, and a qualitative description of how each security requirement is achieved. In particular, this security policy specifies the security rules under which the cryptographic module must operate. 2. OVERVIEW 2.1 THE OCS ID-ONE COSMO 64 V5 The Oberthur Card Systems ID-One Cosmo 64 v5 Chip Platform is a single chip multiple-application cryptographic JavaCard module with dual interface (contact and contactless) specifically designed for identity and government market needs. The cryptographic module loads and runs applets written in the Java programming language. It includes a native implementation of the latest Java Card TM (version 2.2) and Global platform (version 2.1.1A) specifications, with full support for Delegated Management and DAP/mandated DAP that define a secure infrastructure for post-issuance programmable platforms. Additional features include biometric extensions as defined by the JavaCard Forum and Logical Channels. The Oberthur Card Systems ID-One Cosmo 64 v5 combines the advantages of the JavaTM programming language and cryptographic services with those of a dual interface micro module. The same security level is achieved with both contact and contactless interfaces due to carefully designed hardware and software features. In addition, whether embedded into a plastic card or into an electronic passport, the Oberthur Card Systems ID-One Cosmo 64 v5 cryptographic module hardware provides tamper- resistance and tamper evidence features that meet FIPS 140-2 LEVEL 3 physical requirements. Either contact or contactless interface can be disabled during manufacturing depending on market specific requirements. The photo, Figure 1, shows an example of the target of validation. The photo, Figure # 1, shows an example of the target of evaluation. Figure 1: Example embodiment of the target of validation 5 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 5 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 Figure 2: Example of the micro-controller and the golden wires underneath the epoxy resin The diagram, Figure 2, shows an example the integrated Circuit (micro-controller) and the golden wires underneath the epoxy resin. The red dotted line shows the module cryptographic boundary. The epoxy glue and the support on which the crypto module is glued (contact plate or antenna) are not part of the crypto module boundary. The module contains a microprocessor and EEPROM to provide processing capabilities and data storage and offers Java Card™ Technology and Global platform services to applets on the chip. This document addresses the submission for validation of the module in accordance with FIPS 140-2 Level 2 standard. Included are a description of the basic security requirements for the module and a qualitative description of how each security requirement is achieved. In particular, this security policy specifies the security rules under which the cryptographic module must operate. The Chip platform directly provides all the low-level services such as memory management, I/O control, cryptographic algorithms and physical security. It also contains a native implementation of the Java Card ™ specification (JC) version 2.2 and of the Global platform (GP) version 2.1.1A specification, which define a secure infrastructure for post-issuance programmable platforms. These services can be accessed by the applets instantiated from code loaded onto the chip EEPROM or ROM using the Java Card™ Application Programming Interface (API). The Card Manager provides the Global Platform services that are both internal (accessible by applets) and external services (accessible by either external or non-chip applications). 2.2 ACTIVIDENTITY DIGITAL IDENTITY APPLET SUITE V1/V2 ON OCS ID-ONE COSMO 64 V5 The ActivIdentity Digital Identity Applet Suite v1/v2 on OCS ID-One Cosmo 64 v5: • Allows the configuration of ActivIdentity Digital Identity Applet Suite v1, • Or the configuration of ActivIdentity Digital Identity Applet Suite v2, but not both. • Access to the services in the v1 suite is allowed from both contact and contactless interfaces. • Access to the services in the v2 suite from contactless interface is restricted according to table 2. The v1 applet suite consists of four applets: • ID applet package - This applet offers Card Holder Verification (CHV) services to external application. • PKI applet package - This applet offers PKI cryptographic services to external application. • GC applet package - This applet offers secure storage services to external application. • SKI applet package - The applet offers DES or TDES based one-time password service. The v2 applet suite consists of three applets: • Access Control Applet (ACA) – this applet is responsible for Access Control Rules (ACR) definition, access control rules enforcement and secure-messaging processing for all card IC Epoxy glue Contact Plate or antenna connection Connection Wires 6 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 6 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 services. Three off-card entity authentication methods – GP secure messaging, PIN, and ActivIdentity External Authentication are included by default in the ACA applet. • PKI/Generic Container (PKI/GC) Applet – The PKI/GC/SKI Applet can be used to provide secure storage for both PKI and SKI credentials, and other data that are required for implementation of card services including single sign-on applications, identity, and benefits information. This applet is responsible for RSA-based cryptographic operations using the RSA private key stored in the PKI buffer, Internal Authentication using TDES challenge response, or One-time password generation using the SKI key stored in the SKI object. • ASC Library package – this is the library package that implements functions required by other applets. The library functions are not directly accessible via the cryptographic module command interface. The exact version of each applet packages are described in section 4. Only one version of the applet suite can be instantiated at a time. 3. SECURITY LEVEL The ActivIdentity Digital Identity Applet Suite v1/v2 on OCS ID-One Cosmo 64 v5 is designed and implemented to meet the overall Level 2 requirements of FIPS140-2. This document describes the module FIPS 140-2 Level 2 security policy. The Card Security Controller (CSC) should obtain the hardmask and softmask version via the Answer-To-Reset (ATR) command and, the applet version via the GET PROPERTIES command. The CSC should set the Access Control Rule (ACR) according to table 2 to put the module into the Approved mode of operation. The individual security requirements specified for FIPS 140-2 meet the level specifications indicated in the following table. Security Requirements Section Level Cryptographic module specification 2 Cryptographic module ports and interfaces 2 Roles, services, and authentication 3 Finite state model 2 Physical security 3 Operational environment N/A Cryptographic key management 2 EMI/EMC 3 Self tests 2 Design assurance 2 Mitigation of other attacks 2 4. CRYPTOGRAPHIC MODULE SPECIFICATION The ActivIdentity Digital Identity Applet Suite v1/v2 on OCS ID-One Cosmo 64 v5 supports identity-based authentication of the Card Holder, Application Operators, and Cryptographic Officers, using PIN or TDES keys. All services provided by the cryptographic module are protected by an identity based access control policy following the result of the authentication. This validation effort is aimed at the systems software, virtual machines, Card Manager applications, and ActivIdentity applets. If additional applets are loaded into this cryptographic module, then these additional 7 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 7 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 applets require a separate validation, and they must be FIPS 140-2 validated. The cryptographic module checks all validated applets, and will not load any applets that do not have the correct MAC. The ID-One Cosmo 64 V5 Module submitted for this validation includes the following 6 commercial configurations: 1. ID-One Cosmo 64 v5.1 FIPS o Hardware Platform # “77” with Firmware “E302” and contact only interface. 2. ID-One Cosmo 64 D v5.1 FIPS o Hardware Platform # “77” with Firmware “E302” and dual (or contactless only) interface. 3. ID-One Cosmo 64 v5.2 FIPS with Optional Code R3 Generic o Hardware Platform # “77” with Firmware “E303-063683” and contact only interface. 4. ID-One Cosmo 64 D v5.2 FIPS with Optional Code R3 Generic o Hardware Platform # “77” with Firmware “E303-063683” and dual (or contactless only) interface. 5. ID-One Cosmo 64 v5.2 FIPS with Optional Code R2 Basic o Hardware Platform # “77” with Firmware “E303-063792” and contact only interface. 6. ID-One Cosmo 64 D v5.2 FIPS with Optional Code R2 Basic o Hardware Platform # “77” with Firmware “E303-063792” and dual (or contactless only) interface. The ActivIdentity Digital Identity Applet Suite v1/v2 on OCS ID-One Cosmo 64 v5 is composed of the following elements: V1 suite (v1.1.6) • ID applet package version 1.0.0.23 • PKI applet package version 1.0.0.29 • GC applet package version 1.0.0.27 • SKI applet package version 1.0.0.16 V1 suite (v1.1.6p) • ID applet package version 1.0.0.25 • PKI applet package version 1.0.0.32 • GC applet package version 1.0.0.29 • SKI applet package version 1.0.0.18 V2 suite (v2.6.1) • ACA applet package version 2.6.1 • PKI/GC applet package version 2.6.1 • ASC library package version 2.6.1 V2 suite (v2.6.2) • ACA applet package version 2.6.2 • PKI/GC applet package version 2.6.2 • ASC library package version 2.6.2 The applet and library package byte code is loaded in the cryptographic module memory. Note that the ASC library package consists of static utility classes only accessed by the applet, and the library cannot be accessed directly by off-card entity. The applets offer services to external applications, relying on key management, secure memory management and cryptographic services, provided by the cryptographic module. The services are activated with “APDU commands” sent to the cryptographic module. 8 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 8 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 Applets depend on a unique security domain (SD) for the security configuration. This SD can be either the Card Manager or a separate security domain. The Card Manager is itself a security domain with additional services, and applets. Every security domain holds one or more security domain key sets composed of TDES keys. The ownership of a key set allows for establishing a Secure Channel (SC) between the host and either the security domain or the security domain applets. Generally, the SC is used for administrative operations such as entering the application keys in the applet instances belonging to the security domain, or entering new key sets in the security domain itself. Note that a security domain key set can be used to enter a replacement key set in the same security domain – the replacement involves the deletion of the original key set. This is how a Card Security Controller role (CSC), which solely owns the replacement key set, can take control of the personalization of all applet instances belonging to a security domain. Card OS Java Card Virtual Machine Card Manager Or Security Domain I/O Cryptographic services Memory Mgmt services Reset Power CHIP I/O Services Applet Suite v1 applet Java Card API Open Platform API Applet Suite v2 applet Java Card API Open Platform API Access Control API ASC lib Java Card API Open Platform API Figure 3: Functional block diagram 4.1 MODULE INTERFACES The integrated circuit used in the ID-One Cosmo 64 v5 can support the following interfaces: • ISO/IEC 7816: Identification Cards – Integrated Circuit Cards with Contacts • ISO/IEC 14443: Identification Cards – Contactless Integrated Circuit Cards – Proximity cards The ActivIdentity Digital Identity Applet Suite v1/v2 on OCS ID-One Cosmo 64 v5 is validated both on the ISO/IEC 7816 and ISO/IEC 14443 interfaces. 4.1.1 ISO/IEC 7816 Physical Interface (contact mode) 4.1.1.1 Interface Physical Specifications In this contact mode, communication to and from the cryptographic module is done through a printed circuit (contact plate) that provides the electrical connection required. Five electric wires connect the 9 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 9 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 module to the printed circuit, and from there, to the outside world. The printed circuit itself is outside of the module cryptographic boundaries and is mentioned only for illustration purposes. The ID-One Cosmo 64 v5 operates in both ISO 7816-3 class A and class B. Class A requires a power supply voltage between 4.5 Volt and 5.5 Volt. Class B requires a power supply voltage between 2.7 Volt and 3.3 Volt. This provides the opportunity for a new range of applications using lower voltage portable readers. 4.1.1.2 Interface Electrical Specifications The following picture shows an example of the printed circuit and the location were the five electrical connections from the module are wire bonded to the contact plate. Figure 4: Contact plate used to provide electrical communication with the cryptographic module The five electrical signals transmitted to the module through the contact mode wires coming from the contact plate are as follows: • VCC: Supply Voltage Power supply input. (1.62V to 5.5V) • GND: Ground (reference voltage) • RST: External reset signal from the interface device (card read / write device) • CLK: External clock (1MHz to 10MHz). This clock is just for data transmission as both processor and coprocessors are driven independently by an internal oscillator at a much higher frequency. • I/O: Input or output for serial data to / from the processor These five electronic signals are in full compliance with the ISO/IEC 7816-3 standard. 4.1.2 Transmission Protocol and Speed The transmission protocols with the ID-One Cosmo 64 v5 comply with ISO/IEC 7816-3 (half duplex character oriented transmission protocols ISO T=0 and T=1). Characters can be exchanged in either direct convention (Z level corresponds to a logical 1 and LSB is sent first) or in inverse convention (Z level corresponds to a logical 0 and LSB is sent first). The Oberthur ID-One Cosmo 64 v5 supports the Protocol and Parameter Selection to select a new protocol type or change the transmission baud rate. Up to 256 data bytes can be exchanged within one command. The maximum communication speed in contact mode is 614,400 bauds (with a clock of 4.9Mhz). 4.2 LOGICAL INTERFACE DESCRIPTION Once communication is established between the reader and the platform. The platform functions as a “slave” processor to implement and respond to the reader commands. The platform adheres to a well- defined set of state transitions. Within each state, a specific set of commands is accessible. The I/O VCC RST CLK GND I/O (Bi-directional) 10 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 10 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 ports of the platform (either physical in contact mode or virtual in the case of RF transmission) provide the following logical interfaces: ISO 7816 ISO 14443 Data In: I/O Pin I/O Pins Data Out: I/O Pin I/O Pins Status Out: I/O Pin I/O Pins Control In: I/O, Clk and Reset Pins I/O Pins 4.3 ISO/IEC 14443 RF INTERFACE (CONTACTLESS MODE) 4.3.1 Interface Physical Specifications In the contactless mode, the cryptographic module uses only two electrical connections, LA and LB, to close the loop of an external antenna, as illustrated in the following picture. The two electrical connections LA and LB, used in contactless mode are physically different from the electrical connections used in contact mode. The antenna is not within the cryptographic boundaries of the module. Figure 5: Example of connection of the cryptographic module to the antenna for the contactless mode 4.3.2 Interface Electrical Specifications Power and data are transmitted to the module from the antenna using a modulation signal at 13.56 MHz. The proximity coupling device (reader) produces an energizing RF field that couples to the Proximity Mounted Chip Assembly (ID-One Cosmo 64 v5 module) to transfer power. Data communication is achieved through a modulation of the energizing RF field, using amplitude shift keying (ASK) type of modulation. The module operates independently of the external clock applied on the interfaces. The main processor and all three cryptographic co-processors (TDES, RSA, AES) are driven independently of the external clock by an uninterrupted internal oscillator. During contactless communication, an on-chip capacitor provides all power to the internal oscillator. A low frequency sensor monitors the external frequency applied to the interfaces. If the frequency is out of the specified range, the chip is reset. RF signal and power interface are fully compliant with ISO/IEC 14443 part 2: radio frequency power and signal interface for contactless integrated circuit cards – proximity cards. LB LA 11 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 11 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 Initialization and anti-collision that define start of communication and card select are fully compliant with ISO/IED 14443 part 3. A transmission protocol that defines data exchange between reader and cards are fully compliant with ISO/IEC 14443 part 4. An anti-collision mechanism compliant with ISO/IEC 14443 is provided by the interface to ensure trouble free communication with the cryptographic module, and to protect from interferences due to the presence of multiple modules or readers within the communication range. The contactless communication range of the ID-One Cosmo 64 v5 dual interface module is about 10 cm. More information on this interface can be found in the above-mentioned ISO/IEC standard. 4.3.3 Transmission protocol Communications with the ID-One Cosmo 64 v5 in contactless mode is based on a fully standardized (ISO/IEC 14443), half-duplex transmission protocol, called T=CL. 5. ROLES & SERVICES 5.1 IDENTIFICATION The ActivIdentity Digital Identity Applet Suite v1/v2 on OCS ID-One Cosmo 64 v5 performs identity- based authentication using PIN and cryptographic keys. A unique index value is associated with the PIN or the cryptographic key to uniquely identify the off-card entity performing the authentication. 5.2 ROLES The ActivIdentity Digital Identity Applet Suite v1/v2 on OCS ID-One Cosmo 64 v5 defines three distinct roles that are supported by the on-module cryptographic system; the Card Security Controller (CSC) role, the Application Operator role, and the Card Holder role. 5.2.1 User Roles: • Card Holder Role (CH) - The Card Holder role is responsible for ensuring the ownership of his cryptographic module, and for not communicating his PIN to other parties. An applet authenticates the Card Holder by verifying his PIN. • Application Operator Role (AO) – The Application Operator role represents an external application requesting the services offered by the applets. An applet authenticates the Application Operator role by verifying possession of the Application External Authenticate (XAUT) TDES key. 5.2.2 Cryptographic Officers roles: • Card Security Controller (CSC) Role: This role is responsible for managing the security configuration of the card manager and security domains. The CSC role authenticates to the cryptographic module by demonstrating to the Card Manager application that he possesses the knowledge of a GP secure channel TDES key set stored within the Card Manager. By successfully executing the OP secure channel mutual authentication protocol, the CSC role establishes a secure channel to the Card Manager and execute services allowed to the CSC role in a secure manner. The CSC role is also responsible for unblocking the PIN using a specific unblock PIN XAUT key with ActivIdentity external authentication protocol. 12 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 12 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 5.3 ROLE AUTHENTICATION The ActivIdentity Digital Identity Applet Suite v1/v2 on OCS ID-One Cosmo 64 v5 cryptographic module supports identity based role authentication using the following scheme. 5.3.1 User Role Authentication • The Card Holder role is authenticated with a PIN o PIN: The Card Holder role must send a Verify CHV APDU to the module to access services protected with PIN access control rules. The APDU corresponding to the applet service protected by the PIN, can access the service before the cryptographic module is removed or a reset command is sent to the cryptographic module. • The Application Operator role is authenticated by the possession of a TDES key. o Application External Authentication (XAUT) key: The Application Operator role must prove the possession of a particular TDES key to access the PKI/GC buffer read, or update service protected with the External Authentication protocol using this particular key. An 8-byte challenge is first obtained from the applet. The application controlled by the operator encrypts the challenge with a 112-bit TDES key, and submits the resulting cryptogram to the module for verification. The APDU corresponding to the particular applet service protected by the XAUT key, can access the service before the cryptographic module is removed or a reset command is sent to the cryptographic module. 5.3.2 Cryptographic Officer Role Authentication • The Cryptographic Officer role is authenticated by a TDES key set in the case of secure channel key set, or a TDES key in the case of XAUT key. o Secure Channel key set: The Cryptographic Officer (CSC) role must prove the possession of a key set composed of three TDES keys. Two keys (KMAC, KENC) are used to generate session keys according to Global Platform specification. The session keys ensure the confidentiality of the command payload, allow the mutual authentication of the parties and protect the APDU command integrity. A third key (KKEK) is used to wrap keys transported within the APDU command. o Unblock PIN XAUT key: The Cryptographic Officer (CSC) role performs the ActivIdentity external authentication protocol using the XAUT TDES key. The PIN is unblocked if the CSC role is successfully authenticated. 5.4 SERVICES This section describes the services each role can perform. When the APDU only applies to v1 or v2 applet suite, it is explicitly stated within the APDU description. Otherwise, the APDU applies to both v1 and v2 applet suite. 5.4.1 CSC (Card Manager and Security Domain) Role Services The following APDUs are sent to card manager: • INSTALL: this APDU is used to instruct either a security domain, or the Card Manager as to which installation/instantiation step it shall perform during an applet installation process. • LOAD: this APDU is used to load the byte-codes of the Load File (package) defined in the previously issued INSTALL command. • DELETE: this APDU is used by the CSC role to delete a Load File (package) or an applet (applet instance). • GET STATUS: this APDU is used to get the life cycle state of the cryptographic module or the life cycle state of an application 13 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 13 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 • SET STATUS: This APDU is sent when the applet instance life cycle needs to be changed. The applet instance life cycle can be: SELECTABLE, BLOCKED, and PERSONALIZED. • INITIALIZE UPDATE: this APDU is used to initiate an GP Secure Channel with the Card Manager or a security domain. Cryptographic module and host session data are exchanged, and the cryptographic module and host upon completion of this APDU generates session keys. However, the Secure Channel is considered open upon completion of a successful EXTERNAL AUTHENTICATE command that must immediately follow the INITIALIZE UPDATE command. • EXTERNAL AUTHENTICATE: this APDU is used by the cryptographic module to authenticate the host, to establish the Secure Channel, and to determine the level of security required for all subsequent commands within the Secure Channel. A previous and successful execution of the INITIALIZE UPDATE command is required prior to processing this command. • STORE DATA: this APDU is used to store or replace one tagged data object provided in the command data field. • PUT 3DES KEY: this APDU is used to add or replace security domain key sets. • PUT PUBLIC KEY: this APDU is used to load RSA public keys such as the Token Verification Key or the DAP Verification Key. These keys are used for Delegated Management and DAP verification as specified by Global Platform. • DELEGATE MANAGEMENT: Delegated Management gives the Card Issuer (CSC) the possibility of empowering partnered Application Provider (Users) the ability to initiate approved and pre-authorized Card Content changes (loading, installation, extradition or deletion). The following APDUs are sent to ActivIdentity applets: • UNBLOCK: This APDU is used by v1 applet suite to allow the CSC role to unblock the cardholder PIN with a new counter value if the CSC role is authenticate successfully. • RESET RETRY COUNTER: This APDU is used by v2 applet suite to unblock the cardholder PIN and restore the VERIFY PIN service with a new counter value if the CSC role is authenticated successfully. • RESET PIN: This APDU is used by v1 applet suite to reset the PIN to the default value when the card is initialized with the default value. • PUT KEY: This APDU is used to enter the XAUT key used to unblock the PIN, and must be used with a secure channel established by CSC role. The APDU format is compliant with GP specifications. • REGISTER APPLET: This APDU is used by applet suite v2 to register applet instances to the ACA instance so that the access control and secure message service can be provided. • REGISTER ACR: This APDU is used by applet suite v2 to manage the mapping between ACRID and actual APDU instruction. • SET APPLICATION UID: This APDU is sent when the UID associated with the applet instance needs to be changed. • READ CERTIFICATE / STATIC BUFFER: This APDU is used to read the data from the selected buffer. • UPDATE CERTIFICATE / STATIC BUFFER: This APDU is used to update the data stored in the selected buffer. • GENERATE KEY PAIR: This APDU is used to generate an RSA Key Pair in the cryptographic module. The Private Key is associated with a PKI Applet instance. The public key is output as the response of this command and not stored on the card. • PRIVATE SIGN / DECRYPT. This APDU uses the RSA private key in the PKI buffer to sign data. • CSSD SIGN: This APDU is used by applet suite v1 to perform a CSSD signature. 5.4.2 Application Operator Role • AC EXTERNAL AUTHENTICATE: This APDU is used in combination with a Get Challenge to authenticate the Application Operator using the AC external authenticate protocol 14 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 14 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 • READ CERTIFICATE / STATIC BUFFER: This APDU is used to read the data from the selected buffer. • READ BINARY: This APDU is used by applet suite v2 to read the data from selected buffer. • UPDATE CERTIFICATE / STATIC BUFFER: This APDU is used to update the data stored in the selected buffer. 5.4.3 Card Holder Role • VERIFY PIN: This APDU checks the PIN presented by the cardholder against the current PIN. • CHANGE PIN: This APDU is used by v1 applet suite to allow the cardholder to change the cardholder PIN if the cardholder is authenticated successfully. • CHANGE REFERENCE DATA: This APDU is used by applet suite 2 to change the cardholder PIN if the Card Holder is correctly authenticated. • GENERATE KEY PAIR: This APDU is used to generate an RSA Key Pair in the cryptographic module. The Private Key is associated with a PKI Applet instance. The public key is output as the response of this command and not stored on the card. • PRIVATE SIGN / DECRYPT. This APDU uses the RSA private key in the PKI buffer to sign data. • CSSD SIGN: This APDU is used by applet suite v1 to perform a CSSD signature. • GET CODE: This command is used by applet suite v1 to generate a cryptogram by encrypting and returning the input string. If no string is input, an internal counter value is substituted. • READ CERTIFICATE / STATIC BUFFER: This APDU is used to read the data from the selected buffer. • READ BINARY: This APDU is used by applet suite v2 to read the data from selected buffer. • UPDATE CERTIFICATE / STATIC BUFFER: This APDU is used to update the data stored in the selected buffer. 5.4.4 No Role • SELECT: this command is used for selecting an application (Card Manager, security domain or Applet). The Card Manager may be selected either for the loading of a Load File or for installing a previously loaded application (or security domain) • GET DATA: this command is used to retrieve a single data object, such as the Card Identification data. • GET RESPONSE: this command is restricted to T=0 ISO protocol for an incoming command which has data to send back. That data is received with the GET RESPONSE command sent immediately after the command to which it is related. • GET PROPERTIES: This APDU is used to obtain information about applet instance configuration. • GET ACR: This APDU is used to retrieve the ACR definition for the services. • READ CERTIFICATE / STATIC BUFFER: This APDU is used to read the data from the selected buffer. • READ BINARY: This APDU is used by applet suite v2 to read binary data stored on the card. • GET CHALLENGE: This APDU is the first step of the SMA protocol and is used to get a card generated random challenge OR is used in combination with AC external authenticate to perform an external authentication of the Application Operator in order to unblock the PIN. • GET CODE: This command generates a cryptogram by encrypting and returning the input string. If no string is input, an internal counter value is substituted. • GET CERTIFICATE: This APDU is used to obtain the certificate corresponding to RSA private key stored in the corresponding object. • LOGOUT: To logout all authenticated roles. 15 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 15 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 5.5 RELATIONSHIP BETWEEN ROLES AND SERVICES For the Card Manager services, the access rules are listed in Table 1. Roles/Services CSC Role (Card Manager) CSC Role (Security Domain) No Role (Unauthenticat ed) INSTALL X LOAD X DELETE X GET DATA X GET STATUS X SET STATUS X X INITIALIZE UPDATE X EXTERNAL AUTHENTICATE X STORE DATA X PUT 3DES KEY X X PUT PUBLIC KEY X SELECT X DELEGATE MANAGEMENT X Table 1: Role and possible ACR configuration for Card Manager For applets suite v1 and v2, the access rules are listed in Table 2. V2.6.1 V2.6.2 Role / Authentication Method Vs. Services No Role / None Cryptographic Officer (CSC) / SECURE CHANNEL Application Operator / XAUT Card Holder / PIN V1.1.6 V1.1.6p ISO 7816 ISO 14443 CSC Roles UNBLOCK PIN X X RESET RETRY COUNTER X X RESET PIN X X CHANGE REFERENCE DATA (Initial PIN) X X PUT KEY X X X REGISTER APPLET X X REGISTER ACR X X SET APPLICATION UID X X X Application Operator 16 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 16 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 AC EXTERNAL AUTHENTICATE X X X Card Holder VERIFY PIN X X X CHANGE PIN X X CHANGE REFERENCE DATA X X No Role SELECT X X X X GET RESPONSE X X X X GET PROPERTIES X X X X GET ACR X X GET CHALLENGE X X X LOGOUT X X UPDATE CHANGE PIN AFTER FIRST USE X X Configurable GENERATE KEY PAIR X X X X PRIVATE SIGN / DECRYPT X X X X X CSSD SIGN X X X UPDATE CERTIFICATE / STATIC BUFFER X X X X X READ CERTIFICATE / STATIC BUFFER X X X X X X X GET CERTIFICATE X X X X X X READ BINARY X X X X X X GET CODE X X X Table 2: Role and possible ACR configuration for Applet 6. MODULE CRYPTOGRAPHIC FUNCTIONS The purpose of the ActivIdentity Digital Identity Applet Suite v1/v2 on OCS ID-One Cosmo 64 v5 is to provide a FIPS approved platform that in turn provides cryptographic services to end-user applications. The keys represent the roles involved in controlling the cryptographic module. A variety of FIPS 140-2 validated algorithms are used in the ActivIdentity Digital Identity Applet Suite v2.6 on OCS ID-One Cosmo 64 v5 to provide cryptographic services. 6.1 CRYPTOGRAPHIC ALGORITHMS, MODE AND KEY LENGTH These include: • TDES, (2 keys TDES CBC/ECB) • TDES MAC • SHA-1 17 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 17 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 • RSA PKCS1 (1024, 2048 bit keys signature generation and decrypt for key establishment) • DES (transitional phase only – valid until May 19, 2007; for legacy systems only, not available for use) • DES MAC (transitional phase only – valid until May 19, 2007; for legacy systems only, not available for use) • RNG • AES (not utilized by module applications, i.e. AES is not used at any time by this module) The TDES (CBC mode) algorithm is used for both authenticating the CSC (EXTERNAL AUTH command) and encrypting data flow from the external application to the cryptographic module environment. The reverse direction is not encrypted (i.e. the status words returned in response to an APDU are not encrypted). 6.2 RANDOM NUMBER GENERATOR The cryptographic module offers the services of a FIPS 140-2 approved DRNG (Deterministic Random Number Generator). The random number generation algorithm is compliant with the FIPS PUB 86-2 standard. More precisely, the method used is “Constructing the function G from the DES”, taken from the FIPS 186-2 appendix 3, section 3.4. The cryptographic module also offers the services of a hardware based NDRNG (Non Deterministic Random Number Generator), which can be used to generate a seed to feed the DRNG and increase its quality. 7. SELF TESTS 7.1 POWER-UP SELF TESTS Each time the ActivIdentity Digital Identity Applet Suite v1/v2 on OCS ID-One Cosmo 64 v5 is powered by a reader (contact or contactless), a “reset” signal is sent from the reader to the module. The module then performs a series of GO/NO-GO tests to validate that the cryptographic module is in good working order before it answers to the reset signal with an Answer To Reset (ATR) packet of information as specified by ISO/IEC 7816 (for contact mode) or with an Answer To Select (ATS) as defined in ISO/IEC 14443 (for contactless mode). The power-up self tests include: • EEPROM integrity check using CRC-16 algorithm for: o System Data o Optional codes (firmware extensions), if any o Uploaded application packages (Executable Load Files), if any • Cryptographic Known Answer Tests for o DES – Encryption and decryption in ECB mode o Triple DES – Encryption and decryption in CBC mode o SHA-1 Hashing o RSA signature generation and signature verification o RSA encryption and decryption o AES – Encryption and decryption in CBC mode o Deterministic Random Number Generator (DRNG) per FIPS 186-2 Appendix 3. • Critical Function Tests: o CRC-16 KAT o RAM functional test o Sensor bit test o Audit log scan 18 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 18 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 o Resident applet life cycle Additional tests to protect against new types of attacks such as SPA, DPA, “flash gun”, etc, are also performed at this stage. Audit data is read using GET DATA command. No data of any type (except error status) is transmitted from the cryptographic module to the reading device while the self-tests are being performed. If any of the above tests fail, the card enters an error state in which further APDU’s are not processed. Depending on the test that fails, the module may return the ATR/ATS with an error status before becoming mute. 7.2 CONDITIONAL TESTS • RSA key generation: After generating an RSA key pair, the module performs a double pair wise consistency check to validate that the generated key pair is correct for both signature/verification and encryption/decryption. • Random Number Generator: Continuous testing is performed on every output of the Random Number Generator. Checks on the non-deterministic (Hardware) component are made on 16 bits and checks on deterministic part (FIPS approved) are ade on 160 bits. • Credentials, keys and PINs: Each time a credential is used, whether a TDES, AES or RSA key or a PIN, a signature of the credential value is computed and compared to the expected signature stored in the EEPROM along with the object itself. If these values are the same, the test is successful and the object can be used safely. If the values are different, the object cannot be used. The problem is recorded into a special “audit file” and a security exception is thrown, causing the execution to abort. • Software (applet) load tests: A TDES CBC MAC on the applet executable load file is verified each time an applet is loaded onto the cryptographic module since applet loading always take place within a Secure Channel. 7.3 CRITICAL SECURITY PARAMETERS: • Initialization key set Kint: used to secure the card during its transportation from the manufacturer site to the issuance site. This key set is generated out side of the cryptographic module and then loaded into the card manager security domain during the card manufacturing and initialization process. This key set is zeroized via the Put 3DES Key command. • CSC Card Manager / Security Domain key set: • Kenc: used to generate session keys for the encrypted mode of the secure channel • Kmac: used to generate session keys for CSC authentication and MAC mode of the secure channel. This key is used to authenticate the CSC to the card • Kkek: used to wrap keys to be loaded onto the cryptographic module This key set is generated out side of the cryptographic module in an HSM, and the loaded protected with a Global Platform secure channel using the key set that already exists in the card manager security domain (for example, Kinit). This key set is zeroized via the Put 3DES Key command. • External Authentication Keys (XAUT): TDES keys that enable the authentication of either Application Operators (PKI/GC read or PKI/GC Update) or Cryptographic Officers (Reset Retry Counter and Unblock PIN). These keys are generated out side of the cryptographic module in an HSM, and then are loaded protected with a Global Platform secure channel using the CSC Card Manager / Security Domain key set. • RSA private keys: managed (generated or unwrapped) from the PKI/GC/SKI applet using the Java Card cryptographic services. These keys are used to generate signatures. They are either generated on the card or outside of the cryptographic module in an HSM, and then loaded 19 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 19 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 protected with a Global Platform secure channel using the CSC Card Manager / Security Domain key set. • Personal Identification Numbers (PIN): PINs and PIN attributes are managed from the ACA Applet, which relies on Java Card PIN management service. The initial PIN is loaded protected with Global Platform secure channel using the CSC Card Manager / Security Domain key set, and can be changed later by the user after a successful user authentication event. • Access Control Rule: These data elements define the Authentication Method that is permanently set for the service. Several services offer a configurable Authentication Method. For such services, the authentication method should be set according to table 2. The Access Control Rule are set by the Card Security Controller via a Global Platform secure channel using the CSC Card Manager / Security Domain key set. • SKI key Kski: This is a DES or TDES key used to perform internal authentication or generate a One-time Password. The DES key is only used for legacy support purposes. This key is generated out side of the cryptographic module, and then loaded protected with Global Platform secure channel using the CSC Card Manager / Security Domain key set. 8. ACCESS TO CSPS VS SERVICES The following matrix identifies how different services access CSPs defined above. CSP Service Role Type of Access INSTALL/INSTANTIATE CSC Write ACR REGISTER ACR CSC Execute RESET RETRY COUNTER CSC Write CHANGE REFERENCE DATA Card Holder Write PIN VERIFY CHV Card Holder Execute PUT KEY CSC Write XAUT Key GET CHALLENGE & AC EXT AUTH AO Execute PUT 3DES KEY CSC Write CSC GP key set INIT UPDATE & EXT AUTH CSC Execute PUT KEY CSC Write GENERATE KEY Card Holder/ CSC Create PRIVATE SIGN/DECRYPT Card Holder Execute RSA private key OPEN SESSION No role Execute PUT KEY CSC Write SKI key Kski GET CODE Card Holder/No role Execute Table 3: Access to CSPs and the Services 9. SECURITY RULES 9.1 APPROVED MODE OF OPERATION To maintain the module in an approved mode of operation, the operator must restrict usage of the module as follows: • The operator of the cryptographic module sends ATR, GET PROPERTIES to the module to validate that the hardware and software version are the same as those listed in table 2. • The operator of the cryptographic module sends GET ACR to the module to validate that module service Access Control Rules are configured per table 2. • The module follows all security rules outlined in section 10 to maintain in FIPS mode. 20 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 20 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 9.2 AUTHENTICATION SECURITY RULES The module implements specific methods for identifying and authenticating the different roles. The implementation consists of binding a role-based ACR to each service. • All CSPs are entered into the cryptographic module encrypted except the card holder PIN. • A PIN ID represents the identity of the Card Holder. • The key ID of the XAUT key represents the identity of the Application Operator. • The key ID of the OP secure channel key represents the identity of the CSC. • The module provides the following distinct operator roles: Card Holder role, Application Operator role, and Card Security Controller role. • The applets provides role-based authentication: o The Card Holder is identified by a PIN ID and authenticated by the knowledge of a PIN o The CSC is identified by a key ID and authenticated via a GP secure channel mutual authentication protocol using the card manager/security domain key set that is composed of three TDES double length keys. Two keys are used to authenticate and MAC the command payload. A third key is used to wrap keys transported within the APDU command (Initialize Update and External Authenticate commands). o The Application Operator role is identified by a key ID and authenticated via AC external authenticate protocol using the application XAUT TDES key. • Cryptographic services are restricted to authenticated roles. • The role authentication methods (ACRs) for each service are set by the CSC during applet instantiation and can only be modified by the CSC. • When authentication of the role cannot be performed because the related key or PIN attributes are missing, the corresponding service must not be available. • The results of authentication must be set in transient memory and therefore cleared when the module is powered down. • Applet instance configuration may require the combined authentication of different roles to access a particular service. For instance the Application Operator, or the Cryptographic Officer, must both authenticate to access the Update Certificate / Static Buffer service. 9.3 APPLET LIFE CYCLE SECURITY RULES The ActivIdentity Digital Identity Applet Suite v1/v2 on OCS ID-One Cosmo 64 v5 only permits loading of FIPS approved applets. Applets can only be loaded through a GP secure channel (i.e. they pass from the external application to the cryptographic module in an encrypted and MACed form). • The Card Holder must take the necessary measures to ensure that the terminal and/or Card Acceptance Device are controlled by a valid role; Card Holder, Application Operator or CSC. • Management of applet life cycles (load, install, delete, personalize keys), follows the Global platform standard. • Applet and key APDU command management (i.e. download, install, delete, put key) are protected by secure channel MAC (TDES-CBC). Their origin is authenticated, and their integrity verified. In particular this protects the applet byte code against tampering when downloaded at post-issuance. • The download of validated applet packages, and the installation of applet instances, may occur either at pre-issuance, issuance or post-issuance. • There may be as many instances of each applet as there are cryptographic module resources available. 9.4 ACCESS CONTROL SECURITY RULES • Keys must be loaded through a GP secure channel. Consequently, keys are always loaded in the encrypted form. 21 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 21 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 • The password or PIN that is used by the applet to authenticate the Card Holder must not be divulged to parties other than the Card Holder. • The ACA applet must be configured by the cryptographic officer so that: o After 1 <= N <= 255 consecutive unsuccessful PIN code validation attempts, the Card Holder services must be disabled. (eg. the PIN is blocked) o The PIN length L verifies the following rules: ƒ 6 <= L <= 255 for PIN composed with random numeric (0-9) and 4<= L <= 255 for PIN composed with alpha-numeric (0-9, a - z, A – Z) characters 9.5 KEY MANAGEMENT SECURITY POLICY 9.5.1 Cryptographic Key Generation • TDES Session key generation using FIPS140-2 approved ANSI X9.31 DRNG for Secure Channel Opening. • RSA key pair generation using FIPS140-2 approved ANSI X9.31 DRNG. 9.5.2 Cryptographic Key Entry Keys shall always be input in wrapped format, using the Put Key command within an GP secure channel. During this process, the keys are double wrapped (using the Session Key and the Kkek Key). 9.5.3 Cryptographic Key Storage The Keys are structured to contain the following parameters: • Key set version • Key index, which is the ID of the key, • Algo ID, which determines which algorithm to be used, • Integrity Mechanisms The cryptographic keys storage integrity mechanism is described in a separate confidential document called Self Test Description. 9.5.4 Cryptographic Key Zerorization The cryptographic module zerorizes cryptographic keys by reloading either a zero-valued key set for a CSC GP secure channel key set, or an Application Operator XAUT key with PUT KEY command, or closing of secure channel for session keys. The Card Holder PIN is zerorized by setting it to zero value via the CHANGE REFERENCE DATA command. The RSA private key is zerorized by reloading a zero- valued key using PUT KEY. Key Management Details can be found in a specific proprietary document. 9.6 MITIGATION OF ATTACKS 9.6.1 Power Analysis (SPA/DPA) Power analysis attacks use information gathered from non-invasive measurements to cryptanalyse and extract keys from tamper resistant devices. Simple Power Analysis (SPA) attacks use direct observation of a device’s power consumption. Because power consumption often varies significantly with computations performed by the crypto module, SPA 22 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 22 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 observations can identify sensitive computational processes, reveal the presence of cryptographic subroutines, and significantly accelerate reverse engineering. Differential Power Analysis (DPA) attacks use statistical analysis and error correction techniques to extract information leaked across multiple operations. This aggregation of data allows extremely small differences in power consumption to be isolated, including effects that are many orders of magnitude smaller than “noise”. The ID-One Cosmo 64 v5 has been designed to mitigate both Simple Power Analysis (SPA) and Differential Power Analysis (DPA). The module includes protections against SPA and DPA attacks for all embedded cryptographic algorithms involving secret elements. The chip protection level was evaluated against state-of-the art attacks (at the time of design). The cryptographic module mitigates Simple Power Analysis (SPA) and Differential Power Analysis (DPA) attacks using a combination of hardware and software design that makes differentiation of key values impractical by equalizing or scrambling current consumption of the card during algorithm cryptographic computation. Based on the algorithm used, the defense mechanisms vary, as the internal hardware implementations of these algorithms do not use the same underlying hardware. 9.6.2 Timing Analysis Timing attacks are non-invasive attacks that relie on the variation in computation time required for the microprocessor to perform its secret calculation. All cryptographic algorithms as well as Java Card API comparison functions offered by the chip are designed to be protected against Timing Analysis. This is done by enforcing the fact that any sensitive operation is achieved in a constant time regardless of the value of keys or data involved. 9.6.3 Fault Induction This type of attack is based on the theoretical possibility of flipping some random bits of the secret key, stored in RAM or EEPROM, before or during the computation done by the module. Another fault induction attack is to induce decoding error during the execution of one instruction. The ID-One Cosmo 64 v5 includes a combination of software and hardware protections in order for the chip not to operate in extreme conditions that may cause processing errors that could lead to revealing the values of cryptographic keys or secret elements. Extreme conditions refer to abnormal temperature, external power supply and external clock supply. In addition, every keys and PINs are protected by a signature that is checked prior to every use of the keys or PINs. 9.6.4 Flash Gun The ID-One Cosmo 64 v5 includes a combination of software and hardware protections in order to detect “Flash Gun” type of attacks and abort any current processing before becoming mute. 23 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 23 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 10. SECURITY POLICY CHECK LIST TABLES 10.1 ROLES AND REQUIRED AUTHENTICATION Role Type of authentication Authentication data Card Security Controller GP secure channel mutual authentication protocol OP secure channel TDES key set of three Application Operator AC External Authenticate protocol Application XAUT TDES key Card Holder Verify CHV service PIN 10.2 STRENGTH OF AUTHENTICATION MECHANISMS Authentication Mechanism Strength of Mechanism TDES authentication > 1:2 112 PIN > 1:1,000,000 for decimal PIN 10.3 SERVICES AUTHORIZED FOR ROLES Role Authorized Services Card Security Controller The Card Security Controller role services are listed in Section 5.2 Application Operator The Application Operator role services are listed in Section 5.2 Card Holder The Card Holder role services are listed in Section 5.2 10.4 ACCESS RIGHTS WITHIN SERVICES Service CSP Types of Access (i.e. Read, Write, Execute) CSC (CSC) Service GP secure channel TDES key set of three or Unblock PIN XAUT TDES key Execute (encrypt, decrypt), write (put key) Application Operator Service Application XAUT TDES key Execute (encrypt, decrypt) Card Holder Service PIN Execute (Verify CHV), write (Change Reference Data) 10.5 MITIGATION OF OTHER ATTACKS Other Attacks Mitigation Mechnism Specific Limitations Simple Power Analysis Counter Measures against SPA N/A Differential Power Analysis Counter Measures against DPA N/A Timing Analysis Counter Measures against TA N/A 24 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 24 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 Fault Induction Counter Measures against FI N/A Flash Gun Counter Measures against FG N/A 11. REFERENCES • Java Card ™ 2.2 Virtual Machine Specification, June 2002, Sun Microsystems • Java Card ™ 2.2 Application Programming Interface, revision 1.1, September 2002, Sun Microsystems • Java Card ™applet developer’s guide • Java Card ™ 2.2 Runtime Environment (JCRE) Specification, June 2002, Sun Microsystems • Global platform Card Specification, v2.1.1, March 2003, Global Platform • Global platform Card Specification, v2.1.1, Amendment A, February 2004, Global Platform • “Integrated circuit(s) cards with contacts – Part 2 Dimension and Location of the contacts.” ISO/IEC 7816-2 (1999) • “Integrated circuit(s) cards with contacts – Part 3 Electronic signal and transmission protocols.” ISO/IEC 7816-3, AMD1 (2002) • “Integrated circuit(s) cards with contacts – Part 4 Inter industry commands for interchange.” ISO/IEC 7816-4, AMD1 (1997) • American Bankers Association, Digital Signatures using Reversible Public Key Cryptography for the Financial Services Industry (rDSA), ANSI X9.31-1998, Washington, D.C., 1998. • “Security Requirements for Cryptographic Modules”, FIPS PUB140-2, May 2001, National Institute of Standards and Technology • “FIPS 140-2 Annex A: Approved Security Functions”, May 2001,National Institute of Standards and Technology • “FIPS 140-2 Annex C: Approved Random Number Generators”, May 2001, National Institute of Standards and Technology • “FIPS 140-2 Annex D: Approved Key Establishment Techniques”, May 2001, National Institute of Standards and Technology • “FIPS PUB 46-3: Data Encryption Standard”, October 25, 1999, National Institute of Standards and Technology • “FIPS PUB 81: DES Modes of Operation”, December 2, 1980, National Institute of Standards and Technology 25 ActivIdentity Digital Identity Applet Suite V1/V2 Security Policy Revision: 1.9 Page : 25 / 25 This document can only be reproduced in its entirety without revision Copyright ActivIdentity Inc. 2006 12. ACRONYMS Acronyms Definitions ACR Access Control Rule AO Application Operator AP Application Provider APDU Application Protocol Data Unit API Application Programming Interface ASC ActivIdentity Smart Card ATR Answer To Reset CBC Cipher Block Chaining CO Cryptographic Officer CH Card Holder CSP Critical Security Parameter CSC Card Security Controller DES Data Encryption Standard ECB Electronic Code Book EEPROM Electrically Erasable and Programmable Read Only Memory GC Generic Container GSC-IS Government Smart Card Interoperability Standard JCRE Java Card ™ Runtime Environment PKI Public Key Infrastructure MAC Message Authentication Code GP Global platform PIN Personal Identification Number RAM Random Access Memory ROM Read only Memory SD Security Domain SC Secure Channel SKI Symmetric Key Infrastructure TDES Triple DES (112-bit length keys) XAUT External Authentication SMA Secure Messaging ActivIdentity Applet / Protocol