How to perform Terminal Authentication on smart card?


I am trying to digitally sign document using the smart card eSign application. It is a national ID card, and I am following ICAO 9303 and TR-03110 specifications. If I am not mistaken, before selecting the eSign application I should perform Terminal Authentication as Signature Terminal beforehand.

In ICAO 9303 it is stated:

The following sequence of commands SHALL be used with secure messaging to implement Terminal Authentication:

  1. MSE:Set DST
  2. PSO:Verify Certificate
  3. MSE:Set AT
  4. Get Challenge
  5. External Authenticate

Steps 1 and 2 are repeated for every CV certificate to be verified (CVCA Link Certificates, DV Certificate, Terminal Certificate).

To perform MSE:Set DST the following APDU should be used:

INS - 0x22
P1/P2 - 0x81B6
Data - 0x83 Reference of a public key, ISO 8859-1 encoded name of the public key to be set

It is the Data part I do not understand. What exactly do I need to provide there? How do I find the public key or its name?


Answer by nvf:

What exactly do I need to provide there? How do I find the public key or its name?

Before starting TA you should be sure that the terminal has its own valid chain of CV certificates plus the proper private key:

  1. DV certificate
  2. IS certificate of the terminal
  3. private key corresponding to the IS certificate

The initial step of TA is certificate chain verification:

  1. Read EF.CVCA and find CHRs of root certificates known to chip
  2. Select one that is a parent of the terminal's DV certificate. CHR from EF.CVCA must be equal to CAR from DV certificate.
  3. Send MSE:Set DST with chosen CHR
  4. Send PSO:Verify Certificate with terminal's DV certificate
  5. Send MSE:Set DST with CHR of terminal's DV certificate (it must be equal to CAR from IS certificate)
  6. Send PSO:Verify Certificate with terminal's IS certificate.

Now the chip knows the terminal's public key and can use it to verify a cryptogram signed by the terminal with its private key.

Certificate holder reference (CHR) and certificate authority reference (CAR) are IDs encoded as string values.

Answer by Nadin Martini:

The JMRTD library can help:

JMRTD: An Open Source Java Implementation of Machine Readable Travel Documents

In simple words, the steps to complete terminal authentication are the following:

  • First the IS (Inspection System) sends the chain of terminal certificates to the IC (chip).
  • The IC verifies the chain of certificates and extracts the public key of the terminal.
  • The IC sends a challenge to the terminal.
  • The IS signs the challenge with its private key.
  • The IC verifies the signature.

In this way the IC authenticates the terminal and grants access to sensitive data groups.