Course Wireless Identity Module security environment

1.     SCOPE
2.     DOCUMENT STATUS
2.1       COPYRIGHT NOTICE
2.2       ERRATA
2.3       COMMENTS
3.     REFERENCES
3.1       NORMATIVE REFERENCES
3.2       INFORMATIVE REFERENCES
4.     DEFINITIONS AND ABBREVIATIONS
4.1       DEFINITIONS
4.2       ABBREVIATIONS
5.     ARCHITECTURAL OVERVIEW
6.     WAP SECURITY OPERATIONS
6.1       WTLS OPERATIONS
6.2       WAP APPLICATION SECURITY OPERATIONS
6.2.1        Unwrapping a Key
6.2.2        Digital Signature
7.     SERVICE INTERFACE DEFINITION
7.1       NOTATIONS USED
7.1.1        Definition of Service Primitives and Parameters
7.1.2        Primitive Types
7.1.3        Service Parameter Tables
7.2       DESCRIPTION OF PRIMITIVES
7.2.1        Device Control Primitives
7.2.1.1      WIM-OpenService
7.2.1.2      WIM-CloseService
7.2.2        Verification Related Primitives
7.2.2.1      WIM-PerformVerification
7.2.2.2      WIM-DisableVerificationRequirement
7.2.2.3      WIM-EnableVerificationRequirement
7.2.2.4      WIM-ChangeReferenceData
7.2.2.5      WIM-UnblockReferenceData
7.2.3        Data Access Primitives
7.2.3.1      WIM-OpenFile
7.2.3.2      WIM-CloseFile
7.2.3.3      WIM-ReadBinary
7.2.3.4      WIM-UpdateBinary
7.2.4        Cryptography Primitives
7.2.4.1      WIM-ComputeDigitalSignature
7.2.4.2      WIM-VerifySignature
7.2.4.3      WIM-GetRandom
7.2.4.4      WIM-KeyTransport
7.2.4.5      WIM-KeyAgreement
7.2.4.6      WIM-DeriveMasterSecret
7.2.4.7      WIM-PHash
7.2.4.8      WIM-Decipher
7.2.5        Exceptions
7.2.5.1      WIM-Exception
8.     WIM OPERATIONS IN WTLS
8.1       RSA HANDSHAKE
8.2       ECDH_ECDSA HANDSHAKE
8.3       ABBREVIATED HANDSHAKE
8.4       OPTIMISED ECDH_ECDSA HANDSHAKE
9.     INFORMATION FORMAT
9.1       CONTENTS OF THE FILES
9.2       WTLS BITMASK TYP
9.3       ISO OBJECT IDENTIFIERS
9.4       PKCS#15 APPLICATION DIRECTORY CONTENTS
9.4.1        EF(ODF)
9.4.2        Private Key Directory Files (PrKDFs)
9.4.3        Public Key Directory Files (PuKDFs)
9.4.4        Certificate Directory Files (CDFs)
9.4.5        Data Object Directory Files (DODFs)
9.4.6        Authentication Object Directory Files (AODFs)
9.4.7        EF(TokenInfo)
9.4.8        EF(UnusedSpace)
9.4.9        Other elementary files in the PKCS#15 directory
9.4.10      ‘Peers’ Data Object
9.4.11      ‘Sessions’ Data Object
9.5       AN EXAMPLE WIM LAYOUT
10.       SECURITY ENVIRONMENTS
10.1     SECURITY ENVIRONMENT DEFINITION
10.2     WTLS SECURITY ENVIRONMENTS
10.2.1      WTLS_RSA Security Environment
10.2.1.1         DST
10.2.1.2         CT
10.2.1.3         CCT
10.2.2      WTLS_ECDH SECURITY ENVIRONMENT
10.2.2.1         DST
10.2.2.2         CT
10.2.2.3         CCT
10.3     GENERIC SECURITY ENVIRONMENTS
10.3.1      WIM_GENERIC_RSA Security Environment
10.3.1.1         DST
10.3.1.2         CT
10.3.2      WIM_GENERIC_ECC Security Environment
11.       SMART CARD IMPLEMENTATION
11.1     PHYSICAL CHARACTERISTICS
11.2     ELECTRONIC SIGNALS AND TRANSMISSION PROTOCOLS
11.2.1      Answer to Reset
11.2.1.1         Protocol
11.2.1.2         Transfer Rate
11.2.1.3         Supply Voltage
11.2.1.4         Logical Channels
11.2.1.5         Clock Stop Mode
11.2.2      SIM/WIM implementation
11.2.3      WIM Only or WIM with Other Applications
11.3     DESCRIPTION OF CARD COMMANDS
11.3.1      Mapping Service Primitives to Card Commands
11.3.2      Managing Logical Channel
11.3.2.1         MANAGE CHANNEL Open
11.3.2.2         MANAGE CHANNEL Close
11.3.3      Application selection
11.3.3.1         SELECT Application, Direct Method
11.3.3.2         SELECT Application, Indirect Method
11.3.4      Verification Related Operations
11.3.4.1         VERIFY
11.3.4.2         DISABLE VERIFICATION REQUIREMENT
11.3.4.3         ENABLE VERIFICATION REQUIREMENT
11.3.4.4         CHANGE REFERENCE DATA
11.3.4.5         RESET RETRY COUNTER
11.3.5      Operations Related to Data Storage
11.3.5.1         SELECT FILE
11.3.5.2         READ BINARY
11.3.5.3         UPDATE BINARY
11.3.6      Cryptographic Operations
11.3.6.1         MANAGE SECURITY ENVIRONMENT
11.3.6.2         MSE – RESTORE
11.3.6.3         MSE – SET
11.3.6.4         PERFORM SECURITY OPERATION
11.3.6.5         PSO – ENCIPHER, Key Transport
11.3.6.6         PSO – ENCIPHER, Key Agreement
11.3.6.7         PSO – DECIPHER, Application Level
11.3.6.8         PSO – COMPUTE DIGITAL SIGNATURE
11.3.6.9         PSO – VERIFY DIGITAL SIGNATURE
11.3.6.10       PSO – COMPUTE CRYPTOGRAPHIC CHECKSUM
11.3.6.11       MSE – DERIVE KEY
11.3.6.12       ASK RANDOM
11.3.6.13       GENERATE PUBLIC KEY PAIR
11.3.7      Other Commands
11.3.7.1         GET RESPONSE
11.3.8      Status Words
11.4     USAGE OF THE COMMANDS
11.4.1      Open Logical Channel
11.4.2      Select Application
11.4.3      Read Configuration
11.4.4      Perform WTLS RSA handshake
11.4.5      Perform WTLS ECDH_ECDSA Handshake
11.4.6      Perform Application Level Signature
11.4.7      Perform Application Related Deciphering
12.       WIM ELECTRONIC IDENTIFICATION PROFILE OF PKCS#15
12.1     PKCS#15 OBJECTS
12.1.1      Private Keys
12.1.2      Certificates
12.1.3      Data Objects
12.1.4      Authentication Objects
12.1.4.1         Recommended PIN Format
12.2     ACCESS CONTROL RULES
12.3     ATTRIBUTE FORMATS
13.       IMPLEMENTATION NOTES
13.1     IMPLEMENTING WIM IN A GSM SIM CARD
13.2     WIM FOR NETWORKS NOT UTILIZING A SMARTCARD BASED SIM
13.3     USING LOGICAL CHANNELS
13.4     SAVING CERTIFICATES
13.5     USAGE OF PINS
13.6     USING THE WIM FOR NON-WAP APPLICATIONS
13.6.1      Signing
13.6.2      Private Key Decryption
13.6.3      Certificate Storage
14.       WIM STATIC CONFORMANCE REQUIREMENT
14.1     WIM OPTIONS
14.1.1      General WIM Options
14.1.2      WIM ICC Options
14.2     ME OPTIONS
14.2.1      General ME Options
14.2.2 ME Use of WIM ICC

Scope

The Wireless Application Protocol (WAP) is a result of continuous work to define an industry-wide specification for developing applications that operate over wireless communication networks. The scope for the WAP Forum is to define a set of specifications to be used by service applications. The wireless market is growing very quickly, and reaching new customers and services. To enable operators and manufacturers to meet the challenges in advanced services, differentiation and fast/flexible service creation, the WAP Forum defines a set of protocols in transport, security, transaction, session and application layers. For additional information on the WAP architecture, please refer to “Wireless Application Protocol Architecture Specification” [WAPARCH].

Document Status

This document is available online in the following formats:
•PDF format at http://www.wapforum.org/.
Copyright Notice
© Copyright Wireless Application Forum, Ltd, 1999. All rights reserved.
Errata
Known problems associated with this document are published at http://www.wapforum.org/.
Comments
Comments regarding this document can be submitted to WAP Forum in the manner published at http://www.wapforum.org/.

References

Normative References
[WAPARCH] “WAP Architecture Specification”, WAP Forum, 30-April-1998.
URL: http://www.wapforum.org/
[WAPWTLS] “Wireless Transport Layer Security Specification”, WAP Forum, 30-April-1998.
URL: http://www.wapforum.org/
[WAPWCMP] “Wireless Control Message Protocol Specification”, WAP Forum, 30-April-1998.
URL: http://www.wapforum.org/
[ISO 7816-1] Identification Cards – Integrated Circuit(s) Cards with Contacts – Part 1: Physical characteristics.
[ISO 7816-2] Identification Cards – Integrated Circuit(s) Cards with Contacts – Part 2: Dimensions and location of the contacts.
Informative References
[WMLScript] “WMLScript Language Specification”, WAP Forum, 30-April-1998.
URL: http://www.wapforum.org/
[S/MIME] “S/MIME Version 2 Message Specification”, Dusse, S., Hoffman, P., Ramsdell, B., Lundblade, L., Repka, L., March 1998.
URL: ftp://ftp.isi.edu/in-notes/rfc2311.txt
[SSL] “The SSL 3.0 Protocol”, Netscape Communications Corp., November 1996.
[TLS] “The TLS Protocol”, Dierks, T. and Allen, C., January 1999.
URL: ftp://ftp.isi.edu/in-notes/rfc2246.txt

Definitions And Abbreviations

Definitions
For the purposes of this specification the following definitions apply.
Integrated Circuit Card
See Smart card
Smart card
A device with an embedded microprocessor chip. A smart card is used for storing data and performing typically security related (cryptographic) operations. In WAP context, a smart card may be the GSM Subscriber Identity Module (SIM) or a card used in a secondary card reader of a WAP phone.
WAP Identity Module
A tamper-resistant device which is used in performing WTLS and application level security functions, and especially, to store and process information needed for user identification and authentication.

Architectural Overview

A model of layering the protocols in WAP is illustrated in Figure 1: Wireless Application Protocol Reference Model. The layering of WAP protocols and their functions is similar to that of the ISO OSI Reference Model [ISO7498] for upper layers. Layer Management Entities handle protocol initialisation, configuration, and error conditions (such as loss of connectivity due to the mobile terminal roaming out of coverage) that are not handled by the protocol itself.
The WIM is a tamper-resistant device. It is used to enhance security of the implementation of the Security Layer and certain functions of the Application Layer. The WIM-SAP is defined in order to describe the WIM functionality that is common to all kinds of WIM implementations.

WAP Security Operations

This chapter presents how implementation of WAP security functionality may be supported in the WIM. The specific implementation may expect additional functionality and services to be present. Those services are described in relevant standards.
WTLS Operations
For WTLS, the WIM is used for the following purposes:
•performing cryptographic operations during the handshake, especially those that are used for client authentication
•securing long-living WTLS secure sessions
The WIM is used to protect permanent, typically certified, private keys. The WIM stores these keys and performs operations using these keys. The operations are:
•signing operation (e.g., ECDSA or RSA) for client authentication when needed for the selected handshake scheme
•key exchange operation using a fixed client key (e.g., ECDH key, in ECDH_ECDSA handshake)
So, the private keys never leave the WIM.

……
