[F1 [F2ANNEX I B U.K. REQUIREMENTS FOR CONSTRUCTION, TESTING, INSTALLATION AND INSPECTION
Textual Amendments
Appendix 11 COMMON SECURITY MECHANISMS
1. GENERALITIES U.K.
This appendix specifies the security mechanisms ensuring:
the mutual authentication between VUs and tachograph cards, including session key agreement,
the confidentiality, integrity and authentication of data transferred between VUs and tachograph cards,
the integrity and authentication of data downloaded from VUs to external storage media,
the integrity and authentication of data downloaded from tachograph cards to external storage media.
1.1. References U.K.
The following references are used in this Appendix:
National Institute of Standards and Technology (NIST). FIPS Publication 180-1: Secure Hash Standard. April 1995
RSA Laboratories. PKCS # 1: RSA Encryption Standard. Version 2.0. October 1998
National Institute of Standards and Technology (NIST). FIPS Publication 46-3: Data Encryption Standard. Draft 1999
ANSI X9.52, Triple Data Encryption Algorithm Modes of Operation. 1998
Information Technology — Identification cards — Integrated circuit(s) cards with contacts — Part 4: Interindustry commands for interexchange. First edition: 1995 + Amendment 1: 1997
Information Technology — Identification cards — Integrated circuit(s) cards with contacts — Part 6: Interindustry data elements. First edition: 1996 + Cor 1: 1998
Information Technology — Identification cards — Integrated circuit(s) cards with contacts — Part 8: Security related interindustry commands. First edition 1999
Information Technology — Security techniques — Digital signature schemes giving message recovery — Part 2: Mechanisms using a hash function. First edition: 1997
Information Technology — Security techniques — Entity authentication mechanisms — Part 3: Entity authentication using a public key algorithm. Second edition 1998
Road vehicles — Tachograph systems — Part 3: Motion sensor interface.
1.2. Notations and abbreviated terms U.K.
The following notations and abbreviated terms are used in this Appendix:
a key bundle for use by the triple data encryption algorithm
Certification authority
Certification authority reference
Cryptographic checksum
Cryptogram
Command header
Certificate holder authorisation
Certificate holder reference
Decryption with DES
Data element
Data object
RSA private key, private exponent
RSA public key, public exponent
Encryption with DES
Equipment
hash value, an output of hash
hash function
Key identifier
TDES key. Master Key defined in ISO 16844-3
TDES key inserted in vehicle units
TDES key inserted in workshop cards
message representative an integer between 0 and n -1
RSA keys, modulus
Padding bytes
Padding indicator byte (for use in cryptogram for confidentiality DO)
Plain value
signature representative, an integer between 0 and n -1
Send sequence counter
Secure messaging
TDEA cipher block chaining mode of operation
Triple data encryption algorithm
Tag length value
Vehicle unit
the certificate of user X issued by a certification authority
a certification authority of user X
the operation of unwrapping a certificate to extract a public key. It is an infix operator, whose left operand is the public key of a certification authority, and whose right operand is the certificate issued by that certification authority. The outcome is the public key of the user X whose certificate is the right operand,
public key of a user X
RSA encipherment of some information I, using the public key of user X
RSA private key of a user X
RSA encipherment of some information I, using the private key of user X
a Hexadecimal value
concatenation operator.
2. CRYPTOGRAPHIC SYSTEMS AND ALGORITHMS U.K.
2.1. Cryptographic systems U.K.
[CSM_001] Vehicle units and tachograph cards shall use a classical RSA public-key cryptographic system to provide the following security mechanisms:
authentication between vehicle units and cards,
transport of Triple-DES session keys between vehicle units and tachograph cards,
digital signature of data downloaded from vehicle units or tachograph cards to external media.
[CSM_002] Vehicle units and tachograph cards shall use a Triple DES symmetric cryptographic system to provide a mechanism for data integrity during user data exchange between vehicle units and tachograph cards, and to provide, where applicable, confidentiality of data exchange between vehicle units and tachograph cards.
2.2. Cryptographic algorithms U.K.
2.2.1. RSA algorithm U.K.
[CSM_003] The RSA algorithm is fully defined by the following relations:
A more comprehensive description of the RSA function can be found in reference (PKCS1).
[F3Public exponent, e, for RSA calculations is an integer between 3 and n-1 satisfying gcd(e, lcm(p-1, q-1))=1.]
Textual Amendments
2.2.2. Hash algorithm U.K.
[CSM_004] The digital signature mechanisms shall use the SHA-1 hash algorithm as defined in reference (SHA-1).
2.2.3. Data encryption algorithm U.K.
[CSM_005] DES based algorithms shall be used in Cipher Block Chaining mode of operation.
3. KEYS AND CERTIFICATES U.K.
3.1. Keys generation and distribution U.K.
3.1.1. RSA keys generation and distribution U.K.
[CSM_006] RSA keys shall be generated through three functional hierarchical levels:
European level,
Member State level,
Equipment level.
[CSM_007] At European level, a single European key pair (EUR.SK and EUR.PK) shall be generated. The European private key shall be used to certify the Member States public keys. Records of all certified keys shall be kept. These tasks shall be handled by a European certification authority, under the authority and responsibility of the European Commission.
[CSM_008] At Member State level, a Member State key pair (MS.SK and MS.PK) shall be generated. Member States public keys shall be certified by the European Certification Authority. The Member State private key shall be used to certify public keys to be inserted in equipment (vehicle unit or tachograph card). Records of all certified public keys shall be kept with the identification of the equipment to which it is intended. These tasks shall be handled by a Member State certification authority. A Member State may regularly change its key pair.
[CSM_009] At equipment level, one single key pair (EQT.SK and EQT.PK) shall be generated and inserted in each equipment. Equipment public keys shall be certified by a Member State certification authority. These tasks may be handled by equipment manufacturers, equipment personalisers or Member State authorities. This key pair is used for authentication, digital signature and encipherement services
[CSM_010] Private keys confidentiality shall be maintained during generation, transport (if any) and storage.
The following picture summarises the data flow of this process:
3.1.2. RSA test keys U.K.
[CSM_011] For the purpose of equipment testing (including interoperability tests) the European certification authority shall generate a different single European test key pair and at least two Member State test key pairs, the public keys of which shall be certified with the European private test key. Manufacturers shall insert, in equipment undergoing type approval tests, test keys certified by one of these Member State test keys.
3.1.3. Motion sensor keys U.K.
The confidentiality of the three TDES keys described below shall be appropriately maintained during generation, transport (if any) and storage.
In order to support recording equipment compliant with ISO 16844, the European certification authority and the Member State certification authorities shall, in addition, ensure the following:
[CSM_036] The European certification authority shall generate Km VU and Km WC , two independent and unique Triple DES keys, and generate Km as:
The European certification authority shall forward these keys, under appropriately secured procedures, to Member States certification authorities at their request.
[CSM_037] Member States certification authorities shall:
use Km to encrypt motion sensor data requested by motion sensor manufacturers (data to be encrypted with Km is defined in ISO 16844-3),
forward Km VU to vehicle unit manufacturers, under appropriately secured procedures, for insertion in vehicle units,
ensure that Km WC will be inserted in all workshop cards ( SensorInstallationSecData in Sensor_Installation_Data elementary file) during card personalisation.
3.1.4. T-DES session keys generation and distribution U.K.
[CSM_012] Vehicle units and tachograph cards shall, as a part of the mutual authentication process, generate and exchange necessary data to elaborate a common Triple DES session key. This exchange of data shall be protected for confidentiality through an RSA crypt-mechanism.
[CSM_013] This key shall be used for all subsequent cryptographic operations using secure messaging. Its validity shall expire at the end of the session (withdrawal of the card or reset of the card) and/or after 240 use (one use of the key = one command using secure messaging sent to the card and associated response).
3.2. Keys U.K.
[CSM_014] RSA keys shall have (whatever the level) the following lengths: modulus n 1024 bits, public exponent e 64 bits maximum, private exponent d 1024 bits.
[CSM_015] Triple DES keys shall have the form (K a , K b , K a ) where K a and K b are independent 64 bits long keys. No parity error detecting bits shall be set.
3.3. Certificates U.K.
[CSM_016] RSA Public key certificates shall be ‘ non self-descriptive ’‘ Card Verifiable ’ certificates (Ref.: ISO/IEC 7816-8)
3.3.1. Certificates content U.K.
[CSM_017] RSA Public key certificates are built with the following data in the following order:
| Data | Format | Bytes | Obs |
|---|---|---|---|
| CPI | INTEGER | 1 | Certificate profile identifier (′01′ for this version) |
| CAR | OCTET STRING | 8 | Certification authority reference |
| CHA | OCTET STRING | 7 | Certificate holder authorisation |
| EOV | TimeReal | 4 | Certificate end of validity. Optional, ′FF′ padded if not used |
| CHR | OCTET STRING | 8 | Certificate holder reference |
| n | OCTET STRING | 128 | Public key (modulus) |
| e | OCTET STRING | 8 | Public key (public exponent) |
| 164 |
Notes: U.K.
1. The ‘ Certificate Profile Identifier ’ (CPI) delineates the exact structure of an authentication certificate. It can be used as an equipment internal identifier of a relevant headerlist which describes the concatenation of Data Elements within the certificate. U.K.
The headerlist associated with this certificate content is as follows:
2. The ‘ Certification Authority Reference ’ (CAR) has the purpose of identifying the certificate issuing CA, in such a way that the data element can be used at the same time as an authority key identifier to reference the public key of the certification authority (for coding, see Key Identifier below). U.K.
3. The ‘ Certificate Holder Authorisation ’ ((CHA) is used to identify the rights of the certificate holder. It consists of the Tachograph Application ID and of the type of equipment to which the certificate is intended (according to EquipmentType data element, ‘ 00 ’ for a Member State). U.K.
4. ‘ Certificate Holder Reference ’ (CHR) has the purpose of identifying uniquely the certificate holder, in such a way that the Data Element can be used at the same time as a Subject Key Identifier to reference the Public Key of the certificate holder. U.K.
5. Key Identifiers uniquely identify certificate holder or certification authorities. They are coded as follows: U.K.
Equipment (VU or Card):
| Data | Equipment serial number | Date | Type | Manufacturer |
|---|---|---|---|---|
| Length | 4 Bytes | 2 Bytes | 1 Byte | 1 Byte |
| Value | Integer | mm yy BCD coding | Manufacturer specific | Manufacturer code |
In the case of a VU, the manufacturer, when requesting certificates, may or may not know the identification of the equipment in which the keys will be inserted.
In the first case, the manufacturer will send the equipment identification with the public key to its Member State authority for certification. The certificate will then contain the equipment identification, and the manufacturer must ensure that keys and certificate are inserted in the intended equipment. The Key identifier has the form shown above.
In the later case, the manufacturer must uniquely identify each certificate request and send this identification with the public key to its Member State authority for certification. The certificate will contain the request identification. The manufacturer must feed back its Member State authority with the assignment of key to equipment (i.e. certificate request identification, equipment identification) after key installation in the equipment. The key identifier has the following form:
Certification Authority:
| Data | Authority identification | Key serial number | Additional info | Identifier |
|---|---|---|---|---|
| Length | 4 Bytes | 1 Byte | 2 Bytes | 1 Byte |
| Value | 1 Byte nation numerical code | Integer | additional coding (CA specific) | ′01′ |
| 3 Bytes nation alphanumerical code | ′FF FF′ if not used |
The key serial number is used to distinguish the different keys of a Member State, in the case the key is changed.
Editorial Information
6. Certificate verifiers shall implicitly know that the public key certified is an RSA key relevant to authentication, digital signature verification and encipherement for confidentiality services (the certificate contains no Object Identifier to specify it). U.K.
3.3.2. Certificates issued U.K.
[CSM_018] The certificate issued is a digital signature with partial recovery of the certificate content in accordance with ISO/IEC 9796-2 [F4except for its Annex A.4] , with the ‘ Certification Authority Reference ’ appended.
Textual Amendments
With certificate content
Notes: U.K.
1. This certificate is 194 bytes long. U.K.
2. CAR, being hidden by the signature, is also appended to the signature, such that the public key of the certification authority may be selected for the verification of the certificate. U.K.
3. The certificate verifier shall implicitly know the algorithm used by the certification authority to sign the certificate. U.K.
4. The headerlist associated with this issued certificate is as follows: U.K.
3.3.3. Certificate verification and unwrapping U.K.
Certificate verification and unwrapping consists in verifying the signature in accordance with ISO/IEC 9796-2, retrieving the certificate content and the public key contained: X.PK = X.CA.PK o X.C, and verifying the validity of the certificate.
[CSM_019] It involves the following steps:
verify signature and retrieve content:
from X.C retrieve Sign, C n ′ and CAR′:
from CAR′ select appropriate Certification Authority Public Key (if not done before through other means)
open Sign with CA Public Key: Sr′ = X.CA.PK [Sign],
check Sr′ starts with ′6A′ and ends with ′BC′
compute Cr′ and H′ from:
Recover certificate content C′ = C r ′ || C n ′,
check Hash (C′) = H′
If the checks are OK the certificate is a genuine one, its content is C′.
Verify validity. From C′:
if applicable, check End of validity date,
Retrieve and store public key, Key Identifier, Certificate Holder Authorisation and Certificate End of Validity from C′:
X.PK = n || e
X.KID = CHR
X.CHA = CHA
X.EOV = EOV.
4. MUTUAL AUTHENTICATION MECHANISM U.K.
Mutual authentication between cards and VUs is based on the following principle:
Each party shall demonstrate to the other that it owns a valid key pair, the public key of which has been certified by a Member State certification authority, itself being certified by the European certification authority.
Demonstration is made by signing with the private key a random number sent by the other party, who must recover the random number sent when verifying this signature.
The mechanism is triggered at card insertion by the VU. It starts with the exchange of certificates and unwrapping of public keys, and ends with the setting of a session key.
[CSM_020] The following protocol shall be used (arrows indicate commands and data exchanged (see Appendix 2)):
5. VU-CARDS DATA TRANSFER CONFIDENTIALITY, INTEGRITY AND AUTHENTICATION MECHANISMS U.K.
5.1. Secure messaging U.K.
[CSM_021] VU-cards data transfers integrity shall be protected through Secure Messaging in accordance with references (ISO/IEC 7816-4) and (ISO/IEC 7816-8).
[CSM_022] When data need to be protected during transfer, a cryptographic checksum data object shall be appended to the data objects sent within the command or the response. The cryptographic checksum shall be verified by the receiver.
[CSM_023] The cryptographic checksum of data sent within a command shall integrate the command header, and all data objects sent (= > CLA = ′0C′, and all data objects shall be encapsulated with tags in which b1 = 1).
[CSM_024] The response status-information bytes shall be protected by a cryptographic checksum when the response contains no data field.
[CSM_025] Cryptographic checksums shall be four bytes long.
The structure of commands and responses when using secure messaging is therefore the following:
The DOs used are a partial set of the Secure Messaging DOs described in ISO/IEC 7816-4:
Tag Mnemonic Meaning ′81′ T PV Plain Value not BER-TLV coded data (to be protected by CC) ′97′ T LE Value of Le in the unsecured command (to be protected by CC) ′99′ T SW Status-Info (to be protected by CC) ′8E′ T CC Cryptographic Checksum ′87′ T PI CG Padding Indicator Byte || Cryptogram (Plain Value not coded in BER-TLV) Given an unsecured command response pair:
Command header Command body CLA INS P1 P2 (L c -field) (Data field) (L e -field) four bytes L bytes, denoted as B 1 to B L Response body Response trailer (Data field) SW1 SW2 L r data bytes two bytes The corresponding secured command response pair is:
Secured command:
Command header (CH) Command body CLA INS P1 P2 (New L c field) (New Data field) (New L e field) ′OC′ Length of new data field T PV L PV PV T LE L LE L e T CC L CC CC ′00′ ′81′ L c Data field ′97′ ′01′ L e ′8E′ ′04′ CC Data to be integrated in checksum = CH || PB || T PV || L PV || PV || T LE || L LE L e || PB
[X1PB = padding bytes (80.. 00) in accordance with ISO-IEC 7816-4 and ISO 9797 method 2]
DOs PV and LE are present only when there is some corresponding data in the unsecured command.
Secured response:
1.Case where response data field is not empty and needs not to be protected for confidentiality:
Response body Response trailer (New data field) new SW1 SW2 T PV L PV PV T CC L CC CC ′81′ L r Data field ′8E′ ′04′ CC Data to be integrated in checksum = T PV || L PV || PV || PB
2.Case where response data field is not empty and needs to be protected for confidentiality:
Response body Response trailer (New data field) new SW1 SW2 T PI CG L PI CG PI CG T CC L CC CC ′87′ PI || CG ′8E′ ′04′ CC Data to be carried by CG: non BER-TLV coded data and padding bytes.
Data to be integrated in checksum = T PI CG || L PI CG || PI CG PB
3.Case where response data field is empty:
Response body Response trailer (New data field) new SW1 SW2 T SW L SW SW T CC L CC CC ′99′ ′02′ New SW1 SW2 ′8E′ ′04′ CC Data to be integrated in checksum = T SW || L SW || SW || PB
5.2. Treatment of secure messaging errors U.K.
[CSM_026] When the tachograph card recognises an SM error while interpreting a command, then the status bytes must be returned without SM. In accordance with ISO/IEC 7816-4, the following status bytes are defined to indicate SM errors:
:
verification of cryptographic checksum failed,
:
expected SM data objects missing,
:
SM data objects incorrect.
[CSM_027] When the tachograph card returns status bytes without SM DOs or with an erroneous SM DO, the session must be aborted by the VU.
5.3. Algorithm to compute cryptographic checksums U.K.
[CSM_028] Cryptographic checksums are built using a retail MACs in accordance with ANSI X9.19 with DES:
initial stage: the initial check block y0 is E(Ka, SSC).
sequential stage: the check blocks y1, …, yn are calculated using Ka.
final stage: the cryptographic checksum is calculated from the last check block yn as follows: E(Ka, D(Kb, yn)).
where E() means encryption with DES, and D() means decryption with DES.
The four most significant bytes of the cryptographic checksum are transferred
[CSM_029] The send sequence counter (SSC) shall be initiated during key agreement procedure to:
Initial SSC: Rnd3 (4 least significant bytes) || Rnd1 (4 least significant bytes).
[CSM_030] The send sequence counter shall be increased by 1 each time before a MAC is calculated (i.e. the SSC for the first command is Initial SSC + 1, the SSC for the first response is Initial SSC + 2).
The following figure shows the calculation of the retail MAC:
5.4. Algorithm to compute cryptograms for confidentiality DOs U.K.
[CSM_031] Cryptograms are computed using TDEA in TCBC mode of operation in accordance with references (TDES) and (TDES-OP) and with the Null vector as Initial Value block.
The following figure shows the application of keys in TDES:
6. DATA DOWNLOAD DIGITAL SIGNATURE MECHANISMS U.K.
[CSM_032] The intelligent dedicated equipment (IDE) stores data received from an equipment (VU or card) during one download session within one physical data file. This file must contain the certificates MS i .C and EQT.C. The file contains digital signatures of data blocks as specified in Appendix 7 Data Downloading Protocols.
[CSM_033] Digital signatures of downloaded data shall use a digital signature scheme with appendix such, that downloaded data may be read without any decipherment if desired.
6.1. Signature generation U.K.
[CSM_034] Data signature generation by the equipment shall follow the signature scheme with appendix defined in reference (PKCS1) with the SHA-1 hash function:
Signature = EQT.SK[′00′ || ′01′ || PS || ′00′ || DER(SHA-1(Data))]
=
Padding string of octets with value ′FF′ such that length is 128.
DER(SHA-1( M )) is the encoding of the algorithm ID for the hash function and the hash value into an ASN.1 value of type DigestInfo (distinguished encoding rules):
′30′||′21′||′30′||′09′||′06′||′05′||′2B′||′0E′||′03′||′02′||′1A′||′05′||′00′||′04′||′14′|| Hash Value.
6.2. Signature verification U.K.
[CSM_035] Data signature verification on downloaded data shall follow the signature scheme with appendix defined in reference (PKCS1) with the SHA-1 hash function.
The European public key EUR.PK needs to be known independently (and trusted) by the verifier.
The following table illustrates the protocol an IDE carrying a Control card can follow to verify the integrity of data downloaded and stored on the ESM (external storage media). The control card is used to perform the decipherement of digital signatures. This function may in this case not be implemented in the IDE.
The equipment that has downloaded and signed the data to be analysed is denoted EQT.
