Design and Implementation of Public Key Infrastructure on Smart Card Operating System

by Aditi Gupta

A Thesis Submitted in partial fulfilment of the requirements for the Degree of Master of Technology to the Department of Computer Science and Engineering, Indian Institute of Technology Kanpur – 208 016, MAY 2008

Abstract

Smart cards are an ideal medium for use in secure applications. Such applications require mechanisms for cryptographic authentication, password-based authentication, confidential data exchange, detection of data tampering and verification of origin integrity. Cryptographic techniques based on symmetric key algorithms and/or public key cryptography can be used to address these issues. In this thesis, we focus on the development of public key infrastructure on smart cards. Public key cryptography provides easier key management, since keys are assigned on a per-user basis as opposed to a per-communication-pair basis as in the case of symmetric key cryptography. Further, public key cryptography can be used to perform key exchange for a symmetric key, and symmetric key cryptography can then be used to perform further cryptographic operations. Smart cards are secure devices since the keys are kept securely inside them and only the operations using such keys are permitted to be performed.

We propose a comprehensive design for the development of public key infrastructure on smart cards. This design is compliant with the ISO/IEC-7816 international standards for smart cards [2–9] and the SCOSTA-CL specification [1]. We have implemented features such as encryption/decryption schemes and storage and retrieval of cryptographic information on the smart card operating system as per our design specifications.
Acknowledgements

I would like to express my gratitude towards my thesis supervisor, Dr. Rajat Moona, for his invaluable guidance and support in completing this thesis work. His enthusiasm, innovative suggestions and deep insight into technical matter were instrumental in the conceptualization of this work. Working under his supervision was a great learning experience. I would also like to thank him for initiating my interest in the areas of operating system and system security.

I would like to thank all the people who have been a part of SCOSTA lab for their assistance during various phases of the project. I would like to thank my friends Srishti and Pragya for their patience in reviewing my report and providing valuable feedback. I truly enjoyed working with them. I would like to thank all my friends for always being by my side and making my stay here truly enjoyable and memorable. I'll always cherish the moments I spent with them.

I would also like to thank my institute and my department for providing me with the best facilities and a wonderful work environment. I would like to thank all my professors for their words of wisdom and guidance throughout my stay here. Finally, I would like to express my gratitude towards my parents and my brother for their love, support and encouragement in all my endeavours.

Contents

Certificate
Abstract
Acknowledgements
List of Figures
List of Tables
Abbreviations

1 Introduction
  1.1 Motivation
  1.2 Related Work
  1.3 Thesis Objective
  1.4 Thesis Organization

2 Background
  2.1 Smart Card Communication Structure
  2.2 File System
  2.3 Security Architecture
    2.3.1 Security Status
    2.3.2 Security Attributes
    2.3.3 Security Environment
    2.3.4 Security Algorithms
    2.3.5 Security Mechanisms
  2.4 Password and Key Repository
  2.5 Security Mechanisms in SCOSTA-CL
    2.5.1 Encryption and Decryption
    2.5.2 Cryptographic Checksum
    2.5.3 Secure Messaging
    2.5.4 Session Key Derivation
    2.5.5 Authentication
  2.6 Overview of Public Key Cryptography
    2.6.1 RSA Cryptosystem
    2.6.2 Primitive Cryptographic Operations
    2.6.3 Encryption and Decryption Operations
    2.6.4 Digital Signature
    2.6.5 Certificate Verification

3 Design for PKI Support
  3.1 PKI-related Operations
    3.1.1 Authentication
    3.1.2 Session Key Establishment
    3.1.3 Authentication with Session Key Establishment
    3.1.4 Computation of Digital Signature
    3.1.5 Encryption and Decryption
    3.1.6 Certificate Verification
  3.2 PKI-related Data Structure
    3.2.1 Overview
    3.2.2 Directory of Applications (EF.DIR)
    3.2.3 Cryptographic Information Application (DF.CIA)
      3.2.3.1 Overview
      3.2.3.2 CIA Information File (CIAInfo EF)
      3.2.3.3 Object Directory File (EF.OD)
      3.2.3.4 CIO Directory Files
  3.3 Application Identification and Selection
    3.3.1 Application Identification
    3.3.2 Application Selection
    3.3.3 Common Scenarios
  3.4 Key/Password Storage and Retrieval
    3.4.1 Passwords and Symmetric keys
    3.4.2 Private Keys
    3.4.3 Public Keys
      3.4.3.1 Retrieval of Public Key for VERIFY CERTIFICATE command
      3.4.3.2 Retrieval of Public Key for Other Commands
    3.4.4 Common Scenarios
  3.5 Operations Supported in SCOSTA-PKI
    3.5.1 Authentication
      3.5.1.1 External Authentication
      3.5.1.2 Internal Authentication
      3.5.1.3 Mutual Authentication
    3.5.2 Session Key Establishment
    3.5.3 Authentication and Session Key Establishment
  3.6 Cryptographic Algorithms in SCOSTA-PKI
    3.6.1 Algorithms for Confidentiality
    3.6.2 Algorithms for Authentication
    3.6.3 Algorithms for Digital Signature
  3.7 SCOSTA-CL Commands Requiring Modifications in SCOSTA-PKI
    3.7.1 ENVELOPE
    3.7.2 GET CHALLENGE
    3.7.3 EXTERNAL/INTERNAL/MUTUAL AUTHENTICATE
    3.7.4 MSE SET for key derivation
    3.7.5 PSO DECIPHER
    3.7.6 PSO ENCIPHER
    3.7.7 PSO COMPUTE DIGITAL SIGNATURE
    3.7.8 PSO VERIFY CERTIFICATE
  3.8 Additional Support for APDU in SCOSTA-PKI

4 Implementation
  4.1 Support for Generic Data Objects
  4.2 Extended Lc and Le
  4.3 Application Identification and Selection
  4.4 Storage and Retrieval of Cryptographic Information
  4.5 Cryptographic Operations
    4.5.1 Encryption Schemes
      4.5.1.1 RSAES-PKCS1-v1_5 Scheme
      4.5.1.2 RSAES-OAEP Scheme
  4.6 Security Commands Modified
  4.7 Other Implementation Details
    4.7.1 Conversion from 2-byte EEPROM Address to a Generic EEPROM Address
    4.7.2 DES in Hardware

5 Testing

6 Conclusion and Future Work

A ASN.1 module
  A.1 Common Data Types
    A.1.1 Path Data Type
    A.1.2 ObjectValue Data Type
    A.1.3 RSAPublicKey Data Type
    A.1.4 RSAPrivateKey Data Type
    A.1.5 AlgorithmIdentifier Data Type
    A.1.6 Name Data Type
  A.2 The CIO Type
  A.3 Keys
    A.3.1 Private Keys
    A.3.2 Public Keys
    A.3.3 Secret Keys
  A.4 Authentication Objects
  A.5 Certificates

Bibliography

List of Figures

3.1 Chain certificate verification
3.2 BER-TLV encoded structure of a DDO
3.3 Sample file structure
3.4 Protocol for authentication with session key establishment
4.1 Code organization

List of Tables

3.1 Tags in application template
3.2 Elementary files in DF.CIA
3.3 Tags contained in a key template (tag '0xA0')
3.4 Mechanism for retrieval of Symmetric Keys and Passwords
3.5 Mechanism to obtain key reference for a private key
3.6 Mechanism to obtain key reference for a public key
3.7 Algorithm reference for confidentiality algorithms
3.8 Algorithm reference
