IAS-ECC

The French trade association for electronic components, systems, and smart card industries, GIXEL, created a common smart card specification, IAS-ECC (Identification Authentication Signature – European Citizen Card), that will be used to develop the next French National Identity Card.

IAS-ECC cards comply with the Advanced Electronic Signature EU Directive 1999/93/EC and the European Citizen Card specification created by CEN in June 2007 to ensure interoperability of e-Services cards throughout Europe. Interoperability here means that every card is compatible with all IAS-ECC middleware, including the middleware developed for the French government.

The IAS-ECC technical specification is based on several parts of the ISO 7816 series, including ISO 7816-15. The specification anticipates the coexistence of multiple cryptographic card (PKCS#15) applications on one card (see Note 01).

Support of IAS-ECC cards in OpenSC includes:

IAS/ECC card manufacturer independence

compatibility with existing IAS/ECC card middleware

independence from personalization profile in card usage and easy configuration for the particular personalization profile in card administration

Secure Messaging for the administration of "protected" applications, "Qualified Signature," and PIN operations

PIN-pad support

support for External Authentication

Currently, cards from the following manufacturers are supported:

Gemalto MultiApp ID IAS ECC

Oberthur ID-ONE IAS-ECC

Sagem "ypsID S3"

Oberthur "COSMO v7" with PKI applet "AuthentIC v3"

IAS/ECC cards with three Adele profiles (from Gemalto)

The IAS/ECC card from Gemalto thoroughly implements specification IAS/ECC v1.0.1. The card is formatted with a generic PKI application and an SM-protected eID application.

The IAS/ECC card from Oberthur has some minor deviations from IAS/ECC v1.0.1. The card is formatted with one generic PKI application.

The "ypsID S3" card from Sagem is not the final version of Sagem's IAS/ECC card. It is formatted with one Adele Generic profile, as suggested by the token's label, but there are some differences from the "generic" profile defined in the Adele personalization profiles.

Oberthur's Java Card "COSMO v7" with the PKI applet "AuthentIC v3" is not an IAS/ECC card, but the native format of this card, based on the PKCS#15 specification, is close to IAS/ECC. Global Platform Secure Messaging can be used to protect access to the on-card objects. One motivation for supporting this card here is to generalize the implementation of SM and External Authentication, both of which differ from the definitions in the IAS/ECC specification.

IAS/ECC cards with "Adele" profiles are not general-purpose cards. They were produced for the interoperability tests of IAS/ECC cards and middleware from the different producers.

Test Procedure

During active development of this branch, the test procedures consist of tests with the OpenSC tools (pkcs15-crypto, pkcs15-init, pkcs11-tool, and opensc-explorer) and tests of the OpenSC PKCS#11 module with the OpenSC tools, Firefox 3.6.3, and Thunderbird 2.0.0.24. The test platforms are openSUSE 10.3 and WinXP SP3. Visual Studio 9.0 is used to compile the OpenSC middleware on the WinXP platform.

Tested compatibility with the other middleware (for Windows 32):

IAS Middleware v2.0 Beta 6 from ANTS

AWP 4.4 from Oberthur

Smart Security Interface 4.8.1 from Charismathics

experimental middleware from Sagem

To get the latest source code:

svn co https://www.opensc-project.org/svn/opensc/branches/vtarasov/opensc-sm.trunk

Advancement

2010.05.15:
Primary support has been implemented and tested with the Gemalto card ''MultiApp ID IAS-ECC'' formatted with the 'IAM' personalization profile.
This profile contains ''generic PKI'' and ''eID'' applications. Administration of the ''eID'' application is protected by ''Secure Messaging''.

Multiple on-card applications are currently supported for the usage and administration of the ''generic PKI'' application.
For the moment, there is no support for the ''Secure Messaging'' that is necessary for administration of ''eID''.
2010.05.22:
Added support for Oberthur's ID-ONE IAS/ECC cards.
Tested compatibility with Oberthur's native middleware (AWP v.4.4 beta) on WinXP SP3: crypto objects created with OpenSC can be used with Oberthur's middleware and vice versa.

2010.06.30:
Added support for Oberthur's "COSMO v7" Java Card with the PKI applet "AuthentIC v3". For now, support does not include "External Authentication" and SM.
For now, CSP data are not created by the OpenSC module.
Tested compatibility with middleware AWP v4.4 on WinXP SP3.
Test procedures consist of card enrollment with Firefox (with the PKCS#11 modules from OpenSC and AWP)
and card usage with Firefox and Thunderbird (with the PKCS#11 modules from AWP and OpenSC).

2010.07.26:
Implemented a "local" secure messaging module that has access to the SM keysets.
Implemented ''Secure Messaging'' for the IAS/ECC cards. Tested SM-protected file operations (create/update/read/delete),
key operations (generate/update/QSign), and PIN operations (verify/unlock).
Implemented "Global Platform SCP01" for the "AuthentIC v3". Tested SM-protected file operations.

2010.07.27:
PIN-pad support: 'Verify' and 'Set' PIN tested with Gemalto's "PC Pinpad Reader".

2010.07.29:
Tested Sagem's "ypsID S3" card. A card enrolled with OpenSC is compatible with the middleware (for Windows 32) from ANTS ("IAS Middleware version 2.0 Beta 6") and from Charismathics ("Smart Security Interface 4.8.1").

References

Notes

Note 01

For the interoperability tests, the three IAS/ECC card producers have used the Adele personalization profiles, where three profiles are defined. In the first profile, Generic, the administration and usage of the cryptographic objects is protected by the User PIN. In the other two profiles, Administration-2 and Administration-1, all operations that change the card content are protected by Secure Messaging. The Administration-1 application holds the non-repudiation signing key, for which the 'COMPUTE SIGNATURE' operation is protected by both the Sign PIN and Secure Messaging.