Smartcard HSM built-in root CA?

Smartcard HSM built-in root CA?

Daniel Pocock-2


Hi all,

I was looking at the specs for Smartcard HSM:

http://www.smartcard-hsm.com/features.html#devaut

and it suggests that a "Scheme Root CA maintained by CardContact issues
certificates for Device Issuer CAs, which in turn issue an unique device
certificate for each SmartCard-HSM produced."

Does this mean the card has some dependency on the manufacturer/vendor?
 Is this typical?

Regards,

Daniel

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Smartcard HSM built-in root CA?

Andreas Schwier (ML)
Hi Daniel,

the purpose of the SmartCard-HSM PKI is to allow a relying party to
authenticate public keys for private keys generated on the device. It
does both, proof of possession and proof of correspondence.

It also allows using the public key without a certificate, because the
internally generated certificate signing request is signed by the device
authentication key. In some applications like the n-of-m scheme [1] this
is sufficient, i.e. there is no need for another separate PKI to issue
certificates that bind the public key to an identity (each SmartCard-HSM
has an identity asserted by the device certificate and linked to the
device authentication key).

This means that if someone relies on this PKI, he must rely on the
device issuer and the correct operation of the systems at the two PKI
layers.

This is not limited to ourselves, as we have customers that are
operating their own root and production CA.

Having a full PKI for public key authentication is something that - as
far as I know - only the SmartCard-HSM provides for. Other schemes
provide key attestation, but typically with a key shared amongst all
devices.

Andreas


[1]
http://www.smartcard-hsm.com/docs/SmartCard-HSM_n-of-m_Authentication_V1.0_2015-03-25.pdf

On 01/12/2016 11:08 PM, Daniel Pocock wrote:

>
>
> Hi all,
>
> I was looking at the specs for Smartcard HSM:
>
> http://www.smartcard-hsm.com/features.html#devaut
>
> and it suggests that a "Scheme Root CA maintained by CardContact issues
> certificates for Device Issuer CAs, which in turn issue an unique device
> certificate for each SmartCard-HSM produced."
>
> Does this mean the card has some dependency on the manufacturer/vendor?
>  Is this typical?
>
> Regards,
>
> Daniel
>


--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
                 http://www.smartcard-hsm.com



Re: Smartcard HSM built-in root CA?

Daniel Pocock-2


On 12/01/16 23:38, Andreas Schwier wrote:

> Hi Daniel,
>
> the purpose of the SmartCard-HSM PKI is to allow a relying party to
> authenticate public keys for private keys generated on the device. It
> does both, proof of possession and proof of correspondence.
>
> It also allows using the public key without a certificate, because the
> internally generated certificate signing request is signed by the device
> authentication key. In some applications like the n-of-m scheme [1] this
> is sufficient, i.e. there is no need for another separate PKI to issue
> certificates that bind the public key to an identity (each SmartCard-HSM
> has an identity asserted by the device certificate and linked to the
> device authentication key).
>
> This means that if someone relies on this PKI, he must rely on the
> device issuer and the correct operation of the systems at the two PKI
> layers.
>
> This is not limited to ourselves, as we have customers that are
> operating their own root and production CA.
>
> Having a full PKI for public key authentication is something that - as
> far as I know - only the SmartCard-HSM provides for. Other schemes
> provide key attestation, but typically with a key shared amongst all
> devices.
>

Can you please be more specific about some aspects of this PKI:

a) if CardContact goes out of business for any reason, what is the
impact on people using the cards?  Will people using the intermediate
certificates signed by your root be able to keep using them until they
expire?  How long are they valid?

b) if the CardContact root certificate is compromised (private key
stolen, etc), what is the impact on people using the cards?

c) you say that some customers operate their own root, does that mean
they can completely eliminate or replace the "device authentication key"
you create at the factory?


Re: Smartcard HSM built-in root CA?

Andreas Schwier (ML)
Sure

> Can you please be more specific about some aspects of this PKI:
>
> a) if CardContact goes out of business for any reason, what is the
> impact on people using the cards?  Will people using the intermediate
> certificates signed by your root be able to keep using them until they
> expire?  How long are they valid?
If CardContact goes out of business, then the Scheme Root CA will stop
operating and will not issue new device issuer certificates. Existing
device issuers can of course continue to operate their CA instance and
can produce legitimate SmartCard-HSMs.

A device issuer certificate is valid for 8 years. Device certificates
have a validity date, which does not exceed the expiration date of the
device issuer CA certificate. But remember that these certificates are
card-verifiable-certificates not suitable for X.509 based applications.
We are not operating an X509 PKI.
>
> b) if the CardContact root certificate is compromised (private key
> stolen, etc), what is the impact on people using the cards?
The Scheme Root CA private key is - of course - stored on a
SmartCard-HSM with dual-control for both, operation and recovery. The CA
is an offline CA.

We do our best to protect the Scheme Root CA, but if it were
compromised, a relying party could no longer trust public keys generated
in the device. The impact would need to be evaluated in the actual
application scenario.

Any customer is of course free to become a device issuer himself and
even operate his own scheme root CA. This is common for customers that
have additional security requirements that we can't (or don't want to)
fulfil.
>
> c) you say that some customers operate their own root, does that mean
> they can completely eliminate or replace the "device authentication key"
> you create at the factory?
The device authentication key is generated during SmartCard-HSM
personalization, which can be done by any device issuer.

Our business model with the SmartCard-HSM is to license the applet to
device issuers and to provide the required infrastructure to produce the
devices. At the same time we are a device issuer for the USB and MicroSD
based form factor.



--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
                 http://www.smartcard-hsm.com
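
The relying-party check discussed in this thread, as an added example that is not part of the original posts and is not CardContact's code: a simplified model in which Ed25519 signatures and a small `Cert` record stand in for the real card-verifiable certificates. All names, keys and dates are constructed, and the third-party Python `cryptography` package is assumed.

```python
from dataclasses import dataclass
from datetime import date
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey as Priv, Ed25519PublicKey as Pub)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

def raw(key):  # raw public key bytes belonging to a private key
    return key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

@dataclass
class Cert:  # simplified stand-in for a card-verifiable certificate
    issuer: str
    holder: str
    pub: bytes
    expires: date
    sig: bytes = b""
    def body(self):
        return f"{self.issuer}|{self.holder}|{self.expires}|".encode() + self.pub

def issue(ca_key, issuer, holder, subject_key, expires):
    cert = Cert(issuer, holder, raw(subject_key), expires)
    cert.sig = ca_key.sign(cert.body())
    return cert

def accept_key(root_pub, dica, dev, key_pub, request_sig, today):
    """Relying party: root -> device issuer CA -> device -> key generated on device."""
    try:
        Pub.from_public_bytes(root_pub).verify(dica.sig, dica.body())
        Pub.from_public_bytes(dica.pub).verify(dev.sig, dev.body())
        # The request for the new key is signed by the device authentication key.
        Pub.from_public_bytes(dev.pub).verify(request_sig, key_pub)
    except InvalidSignature:
        return False
    # A device certificate must not outlive its device issuer CA certificate.
    return dev.issuer == dica.holder and today <= dev.expires <= dica.expires

def demo():
    # Constructed keys, names and dates; nothing here comes from a real device.
    root, dica_k, dev_k, user_k, rogue = (Priv.generate() for _ in range(5))
    dica = issue(root, "ROOT", "DICA", dica_k, date(2024, 1, 1))  # 8 years
    dev = issue(dica_k, "DICA", "DEVICE-0001", dev_k, date(2023, 6, 1))
    late = issue(dica_k, "DICA", "DEVICE-0002", dev_k, date(2025, 1, 1))
    today, pub = date(2016, 1, 13), raw(user_k)
    return {
        "genuine": accept_key(raw(root), dica, dev, pub, dev_k.sign(pub), today),
        "key_not_from_device": accept_key(raw(root), dica, dev, pub, rogue.sign(pub), today),
        "other_root": accept_key(raw(rogue), dica, dev, pub, dev_k.sign(pub), today),
        "outlives_issuer": accept_key(raw(root), dica, late, pub, dev_k.sign(pub), today),
    }
```

The `other_root` case shows why the choice of trust anchor matters: a relying party that pins a customer-operated root rejects devices issued under any other scheme root, and the reverse.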

