TLS Working Group                                              P. Urien
Internet Draft                                            Telecom Paris
Intended status: Experimental
                                                        January 16 2021
Expires: June 2021

                  Identity Module for TLS Version 1.3
                       draft-urien-tls-im-04.txt

Abstract

   TLS 1.3 will be deployed in the Internet of Things ecosystem. In
   many IoT frameworks, TLS or DTLS protocols, based on pre-shared key
   (PSK), are used for device authentication. PSK tamper resistance is
   therefore a critical market request, in order to prevent hijacking
   issues. If a DH exchange is used with a certificate bound to the DH
   ephemeral public key, there is also a benefit in protecting its
   signature procedure. The TLS identity module (im) MAY be based on a
   secure element; it realizes some HKDF operations bound to the PSK,
   and cryptographic signature if certificates are used. The secure
   element form factor could be
   a standalone chip, or embedded in a SoC like an eSIM.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire in June 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Identity Module for TLS Version 1.3                        January 2021

Table of Contents

   Abstract
   Requirements Language
   Status of this Memo
   Copyright Notice
   1 Overview
   2 Protecting the Key Schedule for PSK
     2.1 Context
     2.2 Identity Module Procedures
     2.3 KSGS: Keys Secure Generation and Storage
     2.4 Identity Module Key Procedures (IMKP)
       2.4.1 CETS: Client Early Traffic Secret
       2.4.2 EEMS: Early Exporter Master Secret
       2.4.3 HEDSK: HKDF-Extract from Derived Secret Key
       2.4.4 HBSK: HMAC from Binder Key Secret
   3. Asymmetric Signature
     3.1 GENKEY
     3.2 GETPUB
     3.3 SIGN
   4 Optional Procedures
     4.1 GENDHE
     4.2 GETEPK
     4.3 RAND
   5 Identity Module Procedures Summary
   6. Secure Element as Identity Module
     6.1 Administrator mode
     6.2 User Mode
     6.3 KSGS: Keys Secure Generation and Storage
       6.3.1 Example
     6.4 CETS: Client Early Traffic Secret
       6.4.1 Example
     6.5 EEMS: Early Exporter Master Secret
       6.5.1 Example
     6.6 HEDSK: HKDF-Extract from Derived Secret Key
       6.6.1 Example
     6.7 HBSK: HMAC from Binder Key Secret
       6.7.1 Example
     6.8 Signature Procedures
       6.8.1 Keys Generation
       6.8.2 Keys Setting
       6.8.3 Signature
     6.9 GENDHE
       6.9.1 Example
     6.10 GETEPK
       6.10.1 Example
     6.11 RAND
       6.11.1 Example
   7. A simple Identity Module code for Javacard 3.04
   8 IANA Considerations
   9 Security Considerations
   10 References
     10.1 Normative References
     10.2 Informative References
   11 Authors' Addresses

1 Overview

   TLS 1.3 [RFC8446] will be deployed in the Internet of Things
   ecosystem. In many IoT frameworks, TLS or DTLS protocols, based on
   pre-shared key (PSK), are used for device authentication.
   PSK tamper resistance is therefore a critical market request, in
   order to prevent hijacking issues. If a DH exchange is used with a
   certificate bound to the DH ephemeral public key, there is also a
   benefit in protecting its signature procedure. The TLS identity
   module (im) MAY be based on a secure element [ISO7816]; it realizes
   some HKDF [RFC5869] operations bound to the PSK, and cryptographic
   signature if certificates are used. The secure element form factor
   could be a standalone chip or embedded in a SoC like an eSIM.

         +-----------+          +----------+
         | Processor |          | Identity |
         |  TLS 1.3  +----------+  Module  |
         |           |          |    im    |
         +-----------+          +----------+

           Figure 1. TLS 1.3 Identity Module (im)

   The ISO7816 standards specify the binary encoding for ISO7816-4
   commands and responses, referred to as Application Protocol Data
   Units (APDU). APDUs can be exchanged with secure elements according
   to various transport protocols [GP-SPI-I2C] such as ISO7816-3 T=0,
   ISO7816-3 T=1, Inter Integrated Circuit (I2C) or Serial Peripheral
   Interface (SPI).

2 Protecting the Key Schedule for PSK

2.1 Context

   According to [RFC8446], external PSKs MAY be provisioned outside of
   TLS.

   The Early Secret (ESK) is computed according to the relation:
      ESK = HKDF-Extract(salt=0s, PSK) = HMAC(salt=0s, PSK)

   The Binder Key (BSK) for outside provisioning is computed according
   to the relation:
      BSK = Derive-Secret(ESK, "ext binder", "")

   The Derived Secret (DSK) is computed according to the relation:
      DSK = Derive-Secret(ESK, "derived", "")

   The Finished External Key (FEK) is computed according to the
   relation:
      FEK = HKDF-Expand-Label(BSK, "finished", "", Hash.length)

   For Derive-Secret procedures, "" is equivalent to the value
   hash(empty), whose size is hash-length.
2.2 Identity Module Procedures

   The identity module MUST provide a "Keys Secure Generation and
   Storage" (KSGS) procedure, which computes and securely stores the
   ESK, BSK and FEK keys.

   The KSGS procedure MUST require administrative rights.

   A set of four "Identity Module Key Procedures" (IMKP) is required,
   in order to protect ESK, BSK, and FEK from public exposure:

   - CETS: Client Early Traffic Secret
   - EEMS: Early Exporter Master Secret
   - HEDSK: HKDF-Extract from Derived Secret Key
   - HBSK: HMAC from Binder Key Secret

   These procedures MAY require user rights.

2.3 KSGS: Keys Secure Generation and Storage

   The identity module MUST provide a KSGS procedure, requiring
   administrative rights, which computes and securely stores ESK, BSK,
   DSK, and FEK. The KSGS procedure uses a hash function (for example
   SHA256) identified by an AlgoId attribute.

   Input: AlgoId, salt, PSK
   Output: Success or Failure

   ESK, DSK, and BSK secret values are stored in the identity module.

   HL16 : hash length, 16 bits
   HL8  : hash length, 8 bits
   H0   : hash(empty)

   ESK = HMAC(salt=0s, PSK)
   DSK = HMAC(ESK, HL16 || 0d746c7331332064657269766564 || HL8 || H0 || 01)
   BSK = HMAC(ESK, HL16 || 10746c733133206578742062696e646572 || HL8 || H0 || 01)
   FEK = HMAC(BSK, HL16 || 0E746C7331332066696E6973686564 || 00 || 01)

2.4 Identity Module Key Procedures (IMKP)

2.4.1 CETS: Client Early Traffic Secret

   Input: Length, Message
   Output: Client Early Traffic Secret or Failure

   CETS(ClientHello) = Derive-Secret(ESK, "c e traffic", Message)
      = HMAC(ESK, Length || 11746c733133206320652074726166666963 ||
             Message || 01)

   Message is a hash value.
2.4.2 EEMS: Early Exporter Master Secret

   Input: Length, Message
   Output: Early Exporter Master Secret or Failure

   EEMS(ClientHello) = Derive-Secret(ESK, "e exp master", Message)
      = HMAC(ESK, Length || 12746c733133206520657870206d6173746572 ||
             Message || 01)

   Message is a hash value.

2.4.3 HEDSK: HKDF-Extract from Derived Secret Key

   Input: DHE value
   Output: Handshake Secret or Failure

   HEDSK(DHE) = HKDF-Extract(salt=DSK, DHE) = HMAC(salt=DSK, DHE)

2.4.4 HBSK: HMAC from Binder Key Secret

   Input: data
   Output: HMAC(FEK, data) or Failure

   HBSK(data) = HMAC(FEK, data)

   Data is a hash value.

3. Asymmetric Signature

   The identity module MUST provide a "Generate Key" (GENKEY)
   procedure, in order to store or generate a private asymmetric key
   and the associated public key. This procedure MUST require
   administrative rights.

   The "Get Public Key" (GETPUB) procedure is required in order to
   read the public key value. This procedure MAY require user rights.

   The "Signature" (SIGN) procedure is required in order to perform a
   raw signature of a digest value computed from the certificate. This
   procedure MAY require user rights.

   The signature algorithm is identified by the AlgoId attribute. The
   key is identified by the KeyId attribute.

3.1 GENKEY

   Input: AlgoId, KeyId
   Output: Success or Failure

   A private key is generated and stored in the identity module. A
   public key is computed from the private key.

3.2 GETPUB

   Input: KeyId
   Output: Public Key Value or Failure

3.3 SIGN

   Input: KeyId, DigestValue
   Output: Signature Value or Failure

4 Optional Procedures

   In the IoT context, the computing resources needed to support
   cryptographic procedures such as elliptic curves or true random
   number generators can be an issue. Optional procedures facilitate
   TLS 1.3 support in such devices.
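The key schedule of Sections 2.3 and 2.4, as an added Python example that is not part of the draft or of the [IM-JC] applet: it builds the HMAC inputs byte for byte as listed in Section 2.3 (HL16, label, context, trailing 01 counter byte) and keeps ESK, DSK, BSK and FEK inside an IdentityModule object so that only the four IMKP results are returned; the class and function names are this example's own.

```python
"""Key schedule of Sections 2.3 and 2.4 in Python (added example, not the draft's code)."""
import hashlib
import hmac

HASH = hashlib.sha256
HLEN = HASH().digest_size          # hash length, 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) is an HMAC keyed with the salt.

    HMAC zero-pads keys shorter than its block size, so the one-byte salt 00
    sent in the Section 6.3.1 APDU and the 32 zero bytes of Section 2.1
    ("salt=0s") produce the same ESK.
    """
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_label(label: str, context: bytes, length: int) -> bytes:
    """HkdfLabel of RFC 8446: HL16 || len8 || "tls13 "+label || len8 || context.

    For label "derived" and context H0 this is exactly the byte string
    0020 0d746c7331332064657269766564 20 H0 written out in Section 2.3.
    """
    full = b"tls13 " + label.encode("ascii")
    return (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label for length <= HLEN: a single HMAC over HkdfLabel || 01."""
    if length > HLEN:
        raise ValueError("the identity module computes a single HKDF block")
    info = hkdf_label(label, context, length) + b"\x01"
    return hmac.new(secret, info, HASH).digest()[:length]


class IdentityModule:
    """ESK, DSK, BSK and FEK stay inside; only the IMKP results are returned."""

    def __init__(self) -> None:
        self._esk = self._dsk = self._bsk = self._fek = None

    # KSGS (Section 2.3): administrative rights.
    def ksgs(self, salt: bytes, psk: bytes) -> bool:
        h0 = HASH(b"").digest()                        # H0 = hash(empty)
        self._esk = hkdf_extract(salt, psk)            # ESK = HMAC(salt=0s, PSK)
        self._dsk = hkdf_expand_label(self._esk, "derived", h0, HLEN)
        self._bsk = hkdf_expand_label(self._esk, "ext binder", h0, HLEN)
        self._fek = hkdf_expand_label(self._bsk, "finished", b"", HLEN)
        return True                                    # Success

    def _require_keys(self) -> None:
        if self._esk is None:
            raise RuntimeError("Failure: KSGS has not been performed")

    # IMKP (Section 2.4): user rights. Message and Data are hash values.
    def cets(self, message: bytes) -> bytes:
        self._require_keys()
        return hkdf_expand_label(self._esk, "c e traffic", message, HLEN)

    def eems(self, message: bytes) -> bytes:
        self._require_keys()
        return hkdf_expand_label(self._esk, "e exp master", message, HLEN)

    def hedsk(self, dhe: bytes) -> bytes:
        self._require_keys()
        return hkdf_extract(self._dsk, dhe)            # Handshake Secret

    def hbsk(self, data: bytes) -> bytes:
        self._require_keys()
        return hmac.new(self._fek, data, HASH).digest()  # PSK binder value


if __name__ == "__main__":
    im = IdentityModule()
    im.ksgs(b"\x00", bytes(range(1, 33)))   # PSK and salt of the Section 6.3.1 example
    print("CETS(empty transcript) =", im.cets(b"").hex())
```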
4.1 GENDHE

   Input: AlgoId, PublicKey, KeyId
   Output: The DHE value

   A DHE value is computed from an input public key and an algorithm
   identifier. An ephemeral public key (EPK) is generated, which is
   identified by the KeyId attribute and can be retrieved by the
   GETEPK procedure.

4.2 GETEPK

   Input: KeyId
   Output: Error or ephemeral public key

   This procedure returns the ephemeral public key (EPK), identified
   by the KeyId attribute, previously computed by GENDHE.

4.3 RAND

   Input: Number of random bytes, Nr
   Output: Nr bytes

   This procedure generates Nr random bytes.

5 Identity Module Procedures Summary

   First column: the procedure name
   Second column: the procedure status, Mandatory (M) or Optional (O),
   for PSK or PKI (e.g. signature generation)
   Third column: a comment
   Fourth column: input parameters
   Fifth column: output value
   Sixth column: the mode, ADMinistrator or USER

   +--------+-------+-----------------+---------+---------------+----+
   | Name   |Status | Comment         | Input   | Output        |Mode|
   +--------+-------+-----------------+---------+---------------+----+
   | KSGS   | M PSK | Compute Secrets | AlgoId  | none          | ADM|
   |        |       | from PSK        | Salt    |               |    |
   |        |       |                 | PSK     |               |    |
   +--------+-------+-----------------+---------+---------------+----+
   | GENKEY | M PKI | Generate Private| AlgoId  | none          | ADM|
   |        |       | and Public Key  | KeyId   |               |    |
   +--------+-------+-----------------+---------+---------------+----+
   | CETS   | M PSK | Compute Early   | Length  | Client Early  |USER|
   |        |       | Traffic Secret  | Message |Traffic Secret |    |
   +--------+-------+-----------------+---------+---------------+----+
   | EEMS   | M PSK | Compute         | Length  | Early Exporter|USER|
   |        |       | Early Exporter  | Message | Master Secret |    |
   |        |       | Master Secret   |         |               |    |
   +--------+-------+-----------------+---------+---------------+----+
   | HEDSK  | M PSK | Compute         | DHE     | Handshake     |USER|
   |        |       | Handshake Secret|         | Secret        |    |
   +--------+-------+-----------------+---------+---------------+----+
   | HBSK   | M PSK | Compute HMAC For| Data    | HMAC For      |USER|
   |        |       | Identity Binder |         |Identity Binder|    |
   +--------+-------+-----------------+---------+---------------+----+
   | GETPUB | M PKI | Read Public Key | KeyId   | Public Key    |USER|
   +--------+-------+-----------------+---------+---------------+----+
   | SIGN   | M PKI | Compute         | KeyId   | Signature     |USER|
   |        |       | Signature       | Data    |               |    |
   +--------+-------+-----------------+---------+---------------+----+
   | GENDHE | O     | Generate Pub.Key| AlgoId  | DH Value      |USER|
   |        |       | Compute DH      | Pub.Key |               |    |
   |        |       |                 | KeyId   |               |    |
   +--------+-------+-----------------+---------+---------------+----+
   | GETEPK | O     | Read Ephemeral  | KeyId   | Public Key    |USER|
   |        |       | Public Key      |         |               |    |
   +--------+-------+-----------------+---------+---------------+----+
   | RAND   | O     | Generate        | Number  | Random Bytes  |USER|
   |        |       | Random Bytes    |of Bytes |               |    |
   +--------+-------+-----------------+---------+---------------+----+

6. Secure Element as Identity Module

   Secure elements are defined according to the [ISO7816] standards.
   They support hash functions (sha256, sha384, sha512) and the
   associated HMAC procedures. They also provide DH procedures in
   Z/pZ* groups, and elliptic curves. Open software can be released
   thanks to the Javacard standards, such as JC3.04, JC3.05, JC3.1.

   This section is an illustration of the binary encoding rules for a
   secure element according to the T=1 ISO7816 protocol.
   An ISO7816 command (TAPDU) is a set of bytes comprising a five-byte
   header and an optional payload (up to 255 bytes).

   The header comprises the following five bytes:
   - CLA, Class
   - INS, Instruction code
   - P1, P1 byte
   - P2, P2 byte
   - P3, length of the payload, or number of expected bytes

   The response comprises a payload (up to 255 bytes) and a two-byte
   status word SW=(SW1, SW2), 9000 meaning successful operation.

6.1 Administrator mode

   The [ISO7816] command VERIFY (INS=0x20) SHOULD be used to enter the
   administrative mode.

   Tx: CLA=00 INS=20 P1=00 P2=Adm P3=PIN-Length [PIN-Value]
   Rx: 9000

6.2 User Mode

   The [ISO7816] command VERIFY SHOULD be used to enter the user mode.

   Tx: CLA=00 INS=20 P1=00 P2=User P3=PIN-Length [PIN-Value]
   Rx: 9000

6.3 KSGS: Keys Secure Generation and Storage

   Length = 2 + Salt-Length + PSK-Length

   Tx: CLA=00 INS=TLS13 P1=AlgoId P2=KSGS P3=Length Salt-Length
       [Salt-Value] PSK-Length [PSK-Value]
   Rx: 9000

   This procedure computes and stores ESK, BSK, DSK and FEK.
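The TAPDU framing just described, applied to the identity-module commands of Sections 6.1 to 6.7 and to the length-prefixed key responses of Sections 6.8.1 and 6.10, as an added Python example that is not part of the draft or of the [IM-JC] applet: the INS and P1/P2 values are those of the Section 6 examples (INS=85 with P1/P2 selecting the procedure), the function names are this example's own, and no card transport is assumed; the functions only build the bytes a host would send and parse what it receives.

```python
"""ISO7816 short-APDU framing for the identity-module commands of Section 6.

Added example, not the draft's or the [IM-JC] applet's code. INS=85 is the
TLS13 instruction of the Section 6 examples; P1/P2 select the procedure.
"""
from typing import Tuple

INS_SELECT, INS_VERIFY, INS_TLS13 = 0xA4, 0x20, 0x85
P2_KSGS, P2_EXPAND_EARLY, P2_HBSK, P2_HEDSK = 0x0A, 0x0B, 0x0C, 0x0E
P1_CETS, P1_EEMS = 0x00, 0x01
SW_SUCCESS = 0x9000


def tapdu(cla: int, ins: int, p1: int, p2: int, payload: bytes = b"") -> bytes:
    """Five-byte header CLA INS P1 P2 P3 followed by the payload; P3 is its length."""
    if len(payload) > 255:                      # a short APDU carries at most 255 bytes
        raise ValueError("payload does not fit in P3")
    return bytes([cla, ins, p1, p2, len(payload)]) + payload


def select_aid(aid: bytes) -> bytes:
    """SELECT by AID, as at the start of Section 6.8.1."""
    return tapdu(0x00, INS_SELECT, 0x04, 0x00, aid)


def verify_pin(pin: bytes, admin: bool) -> bytes:
    """Sections 6.1/6.2: VERIFY with P2=01 (administrator) or P2=00 (user)."""
    return tapdu(0x00, INS_VERIFY, 0x00, 0x01 if admin else 0x00, pin)


def ksgs(algo_id: int, salt: bytes, psk: bytes) -> bytes:
    """Section 6.3: payload Salt-Length [Salt] PSK-Length [PSK]; P1 is AlgoId."""
    payload = bytes([len(salt)]) + salt + bytes([len(psk)]) + psk
    return tapdu(0x00, INS_TLS13, algo_id, P2_KSGS, payload)


def expand_early(p1: int, hash_len: int, messages: bytes) -> bytes:
    """Sections 6.4/6.5: P1 picks CETS or EEMS; payload Hash-Length(2) Messages-Length [Messages]."""
    payload = hash_len.to_bytes(2, "big") + bytes([len(messages)]) + messages
    return tapdu(0x00, INS_TLS13, p1, P2_EXPAND_EARLY, payload)


def keyed_hmac(p2: int, data: bytes) -> bytes:
    """Sections 6.6/6.7: HEDSK (P2=0E) or HBSK (P2=0C) over Data-Length [Data]."""
    return tapdu(0x00, INS_TLS13, 0x00, p2, bytes([len(data)]) + data)


def parse_response(rx: bytes) -> Tuple[bytes, int]:
    """Split a response into (payload, SW); anything but SW=9000 is a Failure."""
    if len(rx) < 2:
        raise ValueError("response shorter than the two-byte status word")
    data, sw = rx[:-2], int.from_bytes(rx[-2:], "big")
    if sw != SW_SUCCESS:
        raise RuntimeError("identity module failure, SW=%04X" % sw)
    return data, sw


def parse_key_param(data: bytes) -> bytes:
    """Key-Length(2) [Key] as returned by Read PublicKey (6.8.1) and GETEPK (6.10)."""
    if len(data) < 2 or int.from_bytes(data[:2], "big") != len(data) - 2:
        raise ValueError("key length field does not match the payload")
    return data[2:]


if __name__ == "__main__":
    # Constructed session: SELECT, administrator VERIFY, then KSGS with the
    # PSK of the Section 6.3.1 example (salt = one byte 00, AlgoId = 00).
    for apdu in (select_aid(bytes.fromhex("010203040500")),
                 verify_pin(b"00000000", admin=True),
                 ksgs(0x00, b"\x00", bytes(range(1, 33)))):
        print(apdu.hex())
```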
6.3.1 Example

   PSK=0102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20

   Tx: CLA=00 INS=85 P1=00 P2=0A P3=23 01 00 20
       0102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20
   Rx: 9000

   Sha256(empty) =
   E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855

   ESK = HMAC-SHA256(0, PSK)
   ESK = 23499E7EDF0FBE6BAA137DF0F23BECAEF722AD19FC262855409DE8CD8B3C897

   DSK = HMAC-SHA256(ESK, 0020 0d746c7331332064657269766564 20
         E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 01)
   DSK = E8E7AC087158FC8440E41A12989F9194783764CD5FC36564028037F2C8206E96

   BSK = HMAC-SHA256(ESK, 0020 10746c733133206578742062696e646572 20
         E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 01)
   BSK = 4351F8A53AA85AC394AB04C516464CAB96E9340C269632D09899537887EE651F

   FEK = HMAC-SHA256(BSK, 0020 0E746C7331332066696E6973686564 00 01)
   FEK = FCA24690D17DDE3F727D29D2186A5F83E1AEBD4889A4841793139168A65BFCB0

6.4 CETS: Client Early Traffic Secret

   Length = 2 + Messages-Length
   Hash-Length: the hash length (2 bytes)

   Tx: CLA INS=TLS13 P1=CETS P2=ESK P3=Length Hash-Length
       Messages-Length [Messages]
   Rx: [Client Early Traffic Secret] SW

6.4.1 Example

   Tx: CLA=00 INS=85 P1=00 P2=0B P3=03 0020 00
   Rx: 0738A2B6F6FAA2AF5CDD9B6F0F2B232F19B3256A5926EAC600B911F91E98D2D4
       9000

   Message = NULL = 0s
   [Client Early Traffic Secret] =
   HMAC-SHA256(ESK, 0020 11746c733133206320652074726166666963 00 01)

6.5 EEMS: Early Exporter Master Secret

   Length = 2 + Messages-Length
   Hash-Length: the hash length (2 bytes)

   Tx: CLA INS=TLS13 P1=EEMS P2=ESK P3=Length Hash-Length
       Messages-Length [Messages]
   Rx: [Early Exporter Master Secret] SW

6.5.1 Example

   Tx: CLA=00 INS=85 P1=01 P2=0B P3=03 0020 00
   Rx: 9B7FC6A8F854C16A301DFC566859931DB5EE9A22793142A0C67159C445E7BEAB
       9000

   Message = NULL = 0s
   [Early Exporter Master Secret] =
   HMAC-SHA256(ESK, 0020 12746c733133206520657870206d6173746572 00 01)

6.6 HEDSK: HKDF-Extract from Derived Secret Key

   Tx: CLA INS=TLS13 P1=0 P2=HEDSK P3=Data-Length [Data]
   Rx: [HMAC(DSK, Data)] SW

6.6.1 Example

   Tx: CLA=00 INS=85 P1=00 P2=0E P3=01 00
   Rx: 7092C2117D67E6AEB5C5FDF5E6D9C70FBDC69B374E914C26AB08A122483D0E73

   DHE = NULL = 0s
   HMAC-SHA256(DSK, DHE) = HMAC-SHA256(DSK, 0s)

6.7 HBSK: HMAC from Binder Key Secret

   Tx: CLA INS=TLS13 P1=0 P2=HBSK P3=Data-Length [Data]
   Rx: [HMAC(FEK, Data)] SW

6.7.1 Example

   Tx: CLA=00 INS=85 P1=00 P2=0C P3=01 00
   Rx: 3E015D850B89C2470D4C49D4BD8E7C76F2B74175DDD85F393569315DA15480A4

   Data = NULL = 0s
   HMAC-SHA256(FEK, Data) = HMAC-SHA256(FEK, 0s)

6.8 Signature Procedures

6.8.1 Keys Generation

   Select Identity Module Application (AID=010203040500)
   Tx: CLA=00 INS=A4 P1=04 P2=00 P3=06 01 02 03 04 05 00
   Rx: 9000

   Verify Administrator PIN (PIN="00000000")
   Tx: CLA=00
       INS=20 P1=00 P2=01 P3=08 30 30 30 30 30 30 30 30
   Rx: 9000

   Clear Key (P2=KeyId=0)
   Tx: CLA=00 INS=81 P1=00 P2=00 P3=00
   Rx: 9000

   Init Curve secp256r1 (P1=idCurve, P2=KeyId)
   Tx: CLA=00 INS=89 P1=00 P2=00 P3=00
   Rx: 9000

   GenKey (P2=KeyId)
   Tx: CLA=00 INS=82 P1=00 P2=00 P3=00
   Rx: 9000

   Read PublicKey (P2=KeyId)
   Tx: CLA=00 INS=84 P1=06 P2=00 P3=00
   Rx: 0041049E92726E24A548BB69ADA51103F265AA9B9F304E25971427D79EFAF471
       889CCC52FD8B05A729A400105C06AF99592535A4EDF338B5A37BB6089D3B11E7
       1B847B 9000

   Read PrivateKey (P2=KeyId)
   Tx: CLA=00 INS=84 P1=07 P2=00 P3=00
   Rx: 00208E8793D5C399659D8A35B585534B5D9D0FAB37AD3FC7E8B43373C4BAD81E
       9000

6.8.2 Keys Setting

   Select Identity Module Application (AID=010203040500)
   Tx: CLA=00 INS=A4 P1=04 P2=00 P3=06 01 02 03 04 05 00
   Rx: 9000

   Verify Administrator PIN (PIN="00000000")
   Tx: CLA=00 INS=20 P1=00 P2=01 P3=08 30 30 30 30 30 30 30 30
   Rx: 9000

   Clear Key (P2=KeyId=0)
   Tx: CLA=00 INS=81 P1=00 P2=00 P3=00
   Rx: 9000

   Init Curve secp256r1 (P1=idCurve, P2=KeyId)
   Tx: CLA=00 INS=89 P1=00 P2=00 P3=00
   Rx: 9000

   Set PrivateKey (P2=KeyId)
   Tx: CLA=00 INS=88 P1=07 P2=00 P3=20
       2e86bdd6d3b241ddbd00999f6a0ac1cb546d2bfb55744dca40f0268ac2bf7338
   Rx: 9000

   Set PublicKey (P2=KeyId)
   Tx: CLA=00 INS=88 P1=06 P2=00 P3=41
       045c8c90d0859dd96c722a589c4b62047ff01323cc74383e0e8eb80bea4ea45e55b8
       5499abd39d719885e874ed3f6327960d519ba25423c3fbdc14e6fd0cd5edee
   Rx: 9000

6.8.3 Signature

   Select Identity Module Application (AID=010203040500)
   Tx: CLA=00 INS=A4 P1=04 P2=00 P3=06 01 02 03 04 05 00
   Rx: 9000

   Verify User PIN (PIN="0000")
   Tx: CLA=00 INS=20 P1=00 P2=00 P3=04 30 30 30 30

   ECDSA secp256r1 Signature (P2=KeyId)
   Tx: CLA=00 INS=80 P1=00 P2=00 P3=20
       0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
   Rx: 0047304502206BB1B02742C90B5FEAD3EF34F87B49D2A87F846F0368D0DBB3A
       0E9D9F3ABC450022100A0178CDE84FB9ACA4662ECC68638437D46EC27B69657
       8F8080E43ACCA4B35586

6.9 GENDHE

   Tx: CLA INS=GENDHE P1=AlgoId P2=KeyId P3=Key-Length [Public Key]
   Rx: [DHE] SW

6.9.1 Example

   Tx: CLA=00 INS=8A P1=00 (secp256r1) P2=FF P3=41
       4104C4B5F7682C374AAD1C9125C2F225D343A8986C8E0A475E4003F6C98DA13F99
       9E80A55E66F0644E84F7F6503615B9EC4CB7C2844AF6BE7F9091BF319B0291A2D8
   Rx: 1BEE561B95F9EC99EE0E49F28E415D4F74580ACB8D9E0019BD3A7974FF3148E5

6.10 GETEPK

   Tx: CLA INS=GETEPK P1=06 P2=KeyId P3=2+Key-Length
   Rx: [Key-Length] [Public Key] SW

6.10.1 Example

   Tx: CLA=00 INS=84 P1=06 P2=FF P3=43
   Rx: 004104CD8EF9695FAC953D89B9C91B994DC77F3140BDEDF54AABF63521548AB9
       8031942C829FC5D958F143AA09E622E6CB190D7A91773E1794F792E1D4D7E1B84603
       FF 9000

6.11 RAND

   Tx: CLA INS=RAND P1=00 P2=00 P3=[Number-Of-Bytes]
   Rx: [Number-Of-Bytes random bytes] SW

6.11.1 Example

   Tx: CLA=00 INS=8B P1=00 P2=00 P3=20
   Rx: 85DEE2DD24BF79D8CCB6D21C1F515CE040A2E13B8C98177822BD3B66876CD9A1
       9000

7. A simple Identity Module code for Javacard 3.04

   An example of TLS-IM code is available at [IM-JC].

   package im;

   import javacard.framework.*;
   import javacard.security.*;
   import javacardx.crypto.*;

   public class im extends Applet
   {
     // Instruction codes (see the Tx examples of Section 6)
     final static byte INS_SIGN          = (byte) 0x80;
     final static byte INS_CLEAR_KEYPAIR = (byte) 0x81;
     final static byte INS_GEN_KEYPAIR   = (byte) 0x82;
     final static byte INS_GET_KEY_PARAM = (byte) 0x84;
     final static byte INS_HMAC          = (byte) 0x85;   // the TLS13 instruction
     final static byte INS_GET_STATUS    = (byte) 0x87;
     final static byte INS_SET_KEY_PARAM = (byte) 0x88;
     final static byte INS_INIT_CURVE    = (byte) 0x89;
     final static byte INS_SELECT        = (byte) 0xA4;
     public final static byte INS_VERIFY     = (byte) 0x20;
     public final static byte INS_CHANGE_PIN = (byte) 0x24;

     public final static short N_KEYS = (short) 16;
     public final static byte[] VERSION = {(byte)1, (byte)0};

     KeyPair[] ECCkp = null;
     Signature ECCsig = null;
     MessageDigest sha256 = null;

     short status = 0;
     byte[] DB = null;
     public final static short DBSIZE = (short) 320;

     // User PIN, default value "0000" padded with 0xFF (Section 6.2)
     private static OwnerPIN UserPin = null;

     private static final byte[] MyPin =
       {(byte)0x30,(byte)0x30,(byte)0x30,(byte)0x30,
        (byte)0xFF,(byte)0xFF,(byte)0xFF,(byte)0xFF};

     // Administrator PIN, default value "00000000" (Section 6.1)
     private static OwnerPIN AdminPin = null;

     private static final byte[] OpPin =
       {(byte)0x30,(byte)0x30,(byte)0x30,(byte)0x30,
        (byte)0x30,(byte)0x30,(byte)0x30,(byte)0x30};

     // Proprietary status words
     private final static short SW_VERIFICATION_FAILED = (short)0x6300;
     private final static short SW_PIN_VERIFICATION_REQUIRED =
       (short)0x6380;
     final static short SW_KPUB_DEFINED    = (short)0x6401;
     final static short SW_KPRIV_DEFINED   = (short)0x6402;
     final static short SW_KPRIV_UNDEFINED = (short)0x6403;
     final static short SW_GENKEY_ERROR    = (short)0x6D10;
     final static short SW_SIGN_ERROR      = (short)0x6D20;
     final static short SW_DUMP_KEYS_PAIR  = (short)0x6D30;
     final static short SW_SET_KEY_PARAM   = (short)0x6D40;

     // secp256r1 domain parameters: a, b, p, G (uncompressed), h, n
     private final static byte[] ParamA1 =
       {(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0x00,(byte)0x00,
        (byte)0x00,(byte)0x01,(byte)0x00,(byte)0x00,(byte)0x00,(byte)0x00,
        (byte)0x00,(byte)0x00,(byte)0x00,(byte)0x00,(byte)0x00,(byte)0x00,
        (byte)0x00,(byte)0x00,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,
        (byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,
        (byte)0xff,(byte)0xfc};

     private final static byte[] ParamB1 =
       {(byte)0x5a,(byte)0xc6,(byte)0x35,(byte)0xd8,(byte)0xaa,(byte)0x3a,
        (byte)0x93,(byte)0xe7,(byte)0xb3,(byte)0xeb,(byte)0xbd,(byte)0x55,
        (byte)0x76,(byte)0x98,(byte)0x86,(byte)0xbc,(byte)0x65,(byte)0x1d,
        (byte)0x06,(byte)0xb0,(byte)0xcc,(byte)0x53,(byte)0xb0,(byte)0xf6,
        (byte)0x3b,(byte)0xce,(byte)0x3c,(byte)0x3e,(byte)0x27,(byte)0xd2,
        (byte)0x60,(byte)0x4b};

     private final static byte[] ParamField1 =
       {(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0x00,(byte)0x00,
        (byte)0x00,(byte)0x01,(byte)0x00,(byte)0x00,(byte)0x00,(byte)0x00,
        (byte)0x00,(byte)0x00,(byte)0x00,(byte)0x00,(byte)0x00,(byte)0x00,
        (byte)0x00,(byte)0x00,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,
        (byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,
        (byte)0xff,(byte)0xff};

     private final static byte[] ParamG1 =
       {(byte)0x04,(byte)0x6b,(byte)0x17,(byte)0xd1,(byte)0xf2,(byte)0xe1,
        (byte)0x2c,(byte)0x42,(byte)0x47,(byte)0xf8,(byte)0xbc,(byte)0xe6,
        (byte)0xe5,(byte)0x63,(byte)0xa4,(byte)0x40,(byte)0xf2,(byte)0x77,
        (byte)0x03,(byte)0x7d,(byte)0x81,(byte)0x2d,(byte)0xeb,(byte)0x33,
        (byte)0xa0,(byte)0xf4,(byte)0xa1,(byte)0x39,(byte)0x45,(byte)0xd8,
        (byte)0x98,(byte)0xc2,(byte)0x96,(byte)0x4f,(byte)0xe3,(byte)0x42,
        (byte)0xe2,(byte)0xfe,(byte)0x1a,(byte)0x7f,(byte)0x9b,(byte)0x8e,
        (byte)0xe7,(byte)0xeb,(byte)0x4a,(byte)0x7c,(byte)0x0f,(byte)0x9e,
        (byte)0x16,(byte)0x2b,(byte)0xce,(byte)0x33,(byte)0x57,(byte)0x6b,
        (byte)0x31,(byte)0x5e,(byte)0xce,(byte)0xcb,(byte)0xb6,(byte)0x40,
        (byte)0x68,(byte)0x37,(byte)0xbf,(byte)0x51,(byte)0xf5};

     private final static short ParamK1 = (short) 0x0001;

     private final static byte[] ParamR1 =
       {(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0x00,(byte)0x00,
        (byte)0x00,(byte)0x00,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,
        (byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xbc,(byte)0xe6,
        (byte)0xfa,(byte)0xad,(byte)0xa7,(byte)0x17,(byte)0x9e,(byte)0x84,
        (byte)0xf3,(byte)0xb9,(byte)0xca,(byte)0xc2,(byte)0xfc,(byte)0x63,
        (byte)0x25,(byte)0x51};

     // Key schedule secrets, never returned by an APDU
     private byte[] ESK   = new byte[32]; // Early Secret Key
     private byte[] HSK   = new byte[32]; // Handshake Secret Key (the DSK of Section 2.3)
     private byte[] eBSK  = new byte[32]; // Binder Secret Key, external PSK
     private byte[] rBSK  = new byte[32]; // Binder Secret Key, resumption PSK
     private byte[] feBSK = new byte[32]; // Finished Binder Secret Key, external (FEK)
     private byte[] frBSK = new byte[32]; // Finished Binder Secret Key, resumption

     // P2 values of the INS_HMAC instruction (Section 6 examples)
     private final static byte EXTRACT_EARLY     = (byte)0x0A; // KSGS
     private final static byte EXPAND_EARLY      = (byte)0x0B; // CETS / EEMS
     private final static byte HMAC_EBSK         = (byte)0x0C; // HBSK
     private final static byte HMAC_RBSK         = (byte)0x0D;
     private final static byte EXTRACT_HANDSHAKE = (byte)0x0E; // HEDSK

     // HkdfLabel blocks of Section 2.3: HL16, label, hash(empty), counter 01
     private byte[] derived =
       {(byte)0x00,(byte)32,(byte)13,(byte)'t',(byte)'l',(byte)'s',
        (byte)'1',(byte)'3',(byte)' ',(byte)'d',(byte)'e',(byte)'r',
        (byte)'i',(byte)'v',(byte)'e',(byte)'d',
        (byte)0x20,(byte)0xE3,(byte)0xB0,(byte)0xC4,(byte)0x42,(byte)0x98,
        (byte)0xFC,(byte)0x1C,(byte)0x14,(byte)0x9A,(byte)0xFB,(byte)0xF4,
        (byte)0xC8,(byte)0x99,(byte)0x6F,(byte)0xB9,(byte)0x24,(byte)0x27,
        (byte)0xAE,(byte)0x41,(byte)0xE4,(byte)0x64,(byte)0x9B,(byte)0x93,
        (byte)0x4C,(byte)0xA4,(byte)0x95,(byte)0x99,(byte)0x1B,(byte)0x78,
        (byte)0x52,(byte)0xB8,(byte)0x55,(byte)1};

     private byte[] ext_binder =
       {(byte)0x00,(byte)32,(byte)16,(byte)'t',(byte)'l',(byte)'s',
        (byte)'1',(byte)'3',(byte)' ',(byte)'e',(byte)'x',(byte)'t',
        (byte)' ',(byte)'b',(byte)'i',(byte)'n',(byte)'d',(byte)'e',
        (byte)'r',(byte)0x20,(byte)0xE3,(byte)0xB0,(byte)0xC4,(byte)0x42,
        (byte)0x98,(byte)0xFC,(byte)0x1C,(byte)0x14,(byte)0x9A,(byte)0xFB,
        (byte)0xF4,(byte)0xC8,(byte)0x99,(byte)0x6F,(byte)0xB9,(byte)0x24,
        (byte)0x27,(byte)0xAE,(byte)0x41,(byte)0xE4,(byte)0x64,(byte)0x9B,
        (byte)0x93,(byte)0x4C,(byte)0xA4,(byte)0x95,(byte)0x99,(byte)0x1B,
        (byte)0x78,(byte)0x52,(byte)0xB8,(byte)0x55,(byte)0x01};

     private byte[] res_binder =
       {(byte)0x00,(byte)32,(byte)16,(byte)'t',(byte)'l',(byte)'s',
        (byte)'1',(byte)'3',(byte)' ',(byte)'r',(byte)'e',(byte)'s',
        (byte)' ',(byte)'b',(byte)'i',(byte)'n',(byte)'d',(byte)'e',
        (byte)'r',(byte)0x00,(byte)0x01};

     private byte[] c_e_traffic =
       {(byte)17,(byte)'t',(byte)'l',(byte)'s',(byte)'1',(byte)'3',
        (byte)' ',(byte)'c',(byte)' ',(byte)'e',(byte)' ',(byte)'t',
        (byte)'r',(byte)'a',(byte)'f',(byte)'f',(byte)'i',(byte)'c'};

     private byte[] c_exp_master =
       {(byte)18,(byte)'t',(byte)'l',(byte)'s',(byte)'1',(byte)'3',
        (byte)' ',(byte)'e',(byte)' ',(byte)'e',(byte)'x',(byte)'p',
        (byte)' ',(byte)'m',(byte)'a',(byte)'s',(byte)'t',(byte)'e',
        (byte)'r'};

     private byte[] finished =
       {(byte)0x00,(byte)32,(byte)14,(byte)'t',(byte)'l',(byte)'s',
        (byte)'1',(byte)'3',(byte)' ',(byte)'f',(byte)'i',(byte)'n',
        (byte)'i',(byte)'s',(byte)'h',(byte)'e',(byte)'d',(byte)0,
        (byte)1};

     public void process(APDU apdu) throws ISOException
     {
       short adr = 0, len = 0, index = 0, readCount = 0;

       byte[] buffer = apdu.getBuffer();

       byte cla = buffer[ISO7816.OFFSET_CLA];
       byte ins = buffer[ISO7816.OFFSET_INS];
       byte P1  = buffer[ISO7816.OFFSET_P1];
       byte P2  = buffer[ISO7816.OFFSET_P2];
       byte P3  = buffer[ISO7816.OFFSET_LC];

       adr = Util.makeShort(P1, P2);
       len = Util.makeShort((byte)0, P3);

       switch (ins)
       {
         case INS_SELECT:
           readCount = apdu.setIncomingAndReceive();
           return;

         case INS_GET_STATUS:
           // Reply VERSION (2 bytes) followed by the 16-bit status
           Util.arrayCopyNonAtomic(VERSION, (short)0, buffer, (short)0,
                                   (short)VERSION.length);
           Util.setShort(buffer, (short)VERSION.length, status);
           apdu.setOutgoingAndSend((short)0, (short)(2 + VERSION.length));
           break;

         case INS_VERIFY:
           readCount = apdu.setIncomingAndReceive();
           if (P2 == (byte)1)
           { // Administrator mode (Section 6.1)
             if (readCount != (short)8)
               ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
             verify(AdminPin, buffer);
             if (AdminPin.isValidated()) UserPin.resetAndUnblock();
           }
           else if (P2 == (byte)0xFF)
           { // Administrator PIN, then the user PIN is reset to its default
             if (readCount != (short)8)
               ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
             verify(AdminPin, buffer);
             if (AdminPin.isValidated())
             { UserPin.resetAndUnblock();
               UserPin.update(MyPin, (short)0, (byte)8);
             }
           }
           else if (P2 == (byte)0)
           { // User mode (Section 6.2)
             if (readCount > (short)8)
               ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
             verify(UserPin, buffer);
           }
           else
             ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
           break;

         case INS_CHANGE_PIN:
           // Payload: current PIN (8 bytes) followed by the new PIN (8 bytes)
           readCount = apdu.setIncomingAndReceive();
           if (readCount != (short)16)
             ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
           buffer[4] = (byte)8;
           if (P2 == (byte)1)
           { verify(AdminPin, buffer);
             AdminPin.update(buffer, (short)13, (byte)8);
           }
           else if (P2 == (byte)0)
           { verify(UserPin, buffer);
             UserPin.update(buffer, (short)13, (byte)8);
           }
           else
             ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
           break;

         case INS_HMAC:
           readCount = apdu.setIncomingAndReceive();
           len = Util.makeShort((byte)0, buffer[(short)4]);

           if (len != readCount)
             ISOException.throwIt(ISO7816.SW_CORRECT_LENGTH_00);
           else if ((!AdminPin.isValidated()) && (!UserPin.isValidated()))
             ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED);

           if (P2 == (byte)2) // Compute HMAC: payload = Key-Length Key Data-Length Data
           { len = Util.makeShort((byte)0, buffer[(short)5]);
             hmac(buffer, (short)6, len, buffer, (short)(7 + len),
                  Util.makeShort((byte)0, buffer[(short)(6 + len)]),
                  sha256, buffer, (short)0, true);
             apdu.setOutgoingAndSend((short)0, (short)sha256.getLength());
           }

           else if (P2 == EXTRACT_EARLY)
           { // KSGS (Section 6.3): payload = Salt-Length Salt PSK-Length PSK
             len = Util.makeShort((byte)0, buffer[(short)5]); // HMAC key length
             // ESK = HMAC(salt, PSK)
             hmac(buffer, (short)6, len, buffer, (short)(7 + len),
                  Util.makeShort((byte)0, buffer[(short)(6 + len)]),
                  sha256, buffer, (short)0, true);
             Util.arrayCopyNonAtomic(buffer, (short)0, ESK, (short)0,
                                     (short)ESK.length);
             Util.arrayCopyNonAtomic(buffer, (short)0, buffer, (short)32,
                                     (short)32);

             // DSK = HMAC(ESK, "tls13 derived" HkdfLabel || 01)
             hmac(ESK, (short)0, (short)ESK.length,
                  derived, (short)0, (short)derived.length,
                  sha256,
                  buffer, (short)0, true);
             Util.arrayCopyNonAtomic(buffer, (short)0, HSK, (short)0,
                                     (short)HSK.length);
             Util.arrayCopyNonAtomic(buffer, (short)0, buffer, (short)64,
                                     (short)32);

             // BSK = HMAC(ESK, "tls13 ext binder" HkdfLabel || 01)
             hmac(ESK, (short)0, (short)ESK.length,
                  ext_binder, (short)0, (short)ext_binder.length,
                  sha256,
                  buffer, (short)0, true);
             Util.arrayCopyNonAtomic(buffer, (short)0, eBSK, (short)0,
                                     (short)eBSK.length);
             Util.arrayCopyNonAtomic(buffer, (short)0, buffer, (short)96,
                                     (short)32);

             // Resumption binder key, same construction with "tls13 res binder"
             hmac(ESK, (short)0, (short)ESK.length,
                  res_binder, (short)0, (short)res_binder.length,
                  sha256,
                  buffer, (short)0, true);
             Util.arrayCopyNonAtomic(buffer, (short)0, rBSK, (short)0,
(short)rBSK.length); 935 Util.arrayCopyNonAtomic(buffer,(short)0,buffer,(short)128, 936 (short)32); 937 Identity Module for TLS Version 1.3 January 2021 939 hmac(eBSK,(short)0,(short)eBSK.length, 940 finished,(short)0,(short)finished.length, 941 sha256, 942 buffer,(short)0,true); 943 Util.arrayCopyNonAtomic(buffer,(short)0,feBSK,(short)0, 944 (short)feBSK.length); 945 Util.arrayCopyNonAtomic(buffer,(short)0,buffer,(short)160, 946 (short)32); 948 hmac(rBSK,(short)0,(short)rBSK.length, 949 finished,(short)0,(short)finished.length, 950 sha256, 951 buffer,(short)0,true); 952 Util.arrayCopyNonAtomic(buffer,(short)0,frBSK,(short)0, 953 (short)frBSK.length); 954 Util.arrayCopyNonAtomic(buffer,(short)0,buffer,(short)192, 955 (short)32); 957 If (P1==(byte)0xFF) 958 apdu.setOutgoingAndSend((short)32,(short)192); 959 return ; 960 } 962 else if (P2 == EXPAND_EARLY) 963 { len = Util.makeShort((byte)0,buffer[(short)7]); // data length 964 if (P1 == (byte)0) 965 { 966 Util.arrayCopyNonAtomic(buffer,(short)5,buffer,(short)0, 967 (short)2); 968 Util.arrayCopyNonAtomic(buffer,(short)7, 969 buffer,(short)(2+ c_e_traffic.length), 970 (short)(readCount-2)); 971 Util.arrayCopyNonAtomic(c_e_traffic,(short)0,buffer,(short)2, 972 (short)c_e_traffic.length); 973 buffer[(short)(readCount + c_e_traffic.length)] = (byte)0x01; 974 hmac(ESK,(short)0,(short)ESK.length, 975 buffer,(short)0,(short)(readCount+c_e_traffic.length+1), 976 sha256, 977 buffer,(short)0,true); 978 apdu.setOutgoingAndSend((short)0,(short)32); 979 return; 980 } 981 else if (P1 == (byte)1) 982 { 983 Util.arrayCopyNonAtomic(buffer,(short)5,buffer,(short)0, 984 (short)2); 985 Util.arrayCopyNonAtomic(buffer,(short)7,buffer, 986 short)(2+ c_exp_master.length), 987 (short)(readCount-2)); 988 Identity Module for TLS Version 1.3 January 2021 990 Util.arrayCopyNonAtomic(c_exp_master,(short)0,buffer,(short)2, 991 (short)c_exp_master.length); 992 buffer[(short)(readCount + c_exp_master.length)] = (byte)0x01; 993 
hmac(ESK,(short)0,(short)ESK.length, 994 buffer,(short)0,(short)(readCount+c_exp_master.length+1), 995 sha256, 996 buffer,(short)0,true); 997 apdu.setOutgoingAndSend((short)0,(short)32); 998 return; 999 } 1000 else 1001 ISOException.throwIt(ISO7816.SW_INCORRECT_P1P2); 1003 else if ( P2 == HMAC_RBSK) 1004 { hmac(frBSK,(short)0,(short)rBSK.length, 1005 buffer,(short)5,readCount, 1006 sha256, 1007 buffer,(short)0,true); 1008 apdu.setOutgoingAndSend((short)0,(short)sha256.getLength()); 1009 } 1011 else if (P2 == HMAC_EBSK) 1012 { hmac(feBSK,(short)0,(short)eBSK.length, 1013 buffer,(short)5,readCount, 1014 sha256, 1015 buffer,(short)0,true); 1016 apdu.setOutgoingAndSend((short)0,(short)sha256.getLength()); 1017 } 1019 else if (P2 == EXTRACT_HANDSHAKE ) 1020 { hmac(HSK,(short)0,(short)HSK.length, 1021 buffer,(short)5,readCount, 1022 sha256, 1023 buffer,(short)0,true); 1024 apdu.setOutgoingAndSend((short)0,(short)32); 1025 } 1027 else 1028 ISOException.throwIt(ISO7816.SW_INCORRECT_P1P2); 1029 break; 1031 case INS_SIGN: 1032 readCount = apdu.setIncomingAndReceive(); 1033 if ( (!AdminPin.isValidated()) && (!UserPin.isValidated()) ) 1034 ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED); 1036 index= Util.makeShort((byte)0,P2); 1037 if ( (index <0) || (index >= N_KEYS)) 1038 ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED); 1039 if (!ECCkp[index].getPublic().isInitialized()) 1040 Identity Module for TLS Version 1.3 January 2021 1042 ISOException.throwIt(SW_KPUB_DEFINED); 1043 if (!ECCkp[index].getPrivate().isInitialized()) 1044 ISOException.throwIt(SW_KPRIV_DEFINED); 1046 switch (P1) 1047 { 1048 case (byte)0: // RAW 256 bits 1049 case (byte)33:// ALG_ECDSA_SHA_256 1050 len= EccSign(ECCkp[index],buffer,P1) ; 1051 apdu.setOutgoingAndSend((short)0,len); 1052 break; 1053 default: 1054 ISOException.throwIt(ISO7816.SW_INCORRECT_P1P2); 1055 break; 1056 } 1057 break; 1059 case INS_CLEAR_KEYPAIR: 1061 if ( !AdminPin.isValidated()) 1062 
ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED); 1063 index= Util.makeShort((byte)0,P2); 1064 if ( (index <0) || (index >= N_KEYS)) 1065 ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED); 1066 if (ECCkp[index].getPublic().isInitialized()) 1067 ECCkp[index].getPublic().clearKey(); 1068 if (ECCkp[index].getPrivate().isInitialized()) 1069 ECCkp[index].getPrivate().clearKey(); 1070 break; 1072 case INS_GEN_KEYPAIR: // Generate KeyPair 1074 if ( !AdminPin.isValidated()) 1075 ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED); 1076 index= Util.makeShort((byte)0,P2); 1077 if ( (index <0) || (index >= N_KEYS)) 1078 ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED); 1079 if (ECCkp[index].getPublic().isInitialized()) 1080 ISOException.throwIt(SW_KPUB_DEFINED); 1081 if (ECCkp[index].getPrivate().isInitialized()) 1082 ISOException.throwIt(SW_KPRIV_DEFINED); 1083 len=this.GenECCkp(ECCkp[index]); 1084 break; 1086 case INS_GET_KEY_PARAM: 1088 if ( (!AdminPin.isValidated()) && (!UserPin.isValidated()) ) 1089 ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED); 1090 index= Util.makeShort((byte)0,P2); 1091 if ( (index <0) || (index >= N_KEYS)) 1092 Identity Module for TLS Version 1.3 January 2021 1094 ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED); 1095 if ( (P1 == (byte)7) && !AdminPin.isValidated()) 1096 ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED); 1097 if ( (P1 == (byte)6) && !ECCkp[index].getPublic().isInitialized()) 1098 ISOException.throwIt(SW_KPUB_DEFINED); 1099 if ( (P1 == (byte)7) && !ECCkp[index].getPrivate().isInitialized()) 1100 ISOException.throwIt(SW_KPRIV_DEFINED) 1101 try 1102 { switch (P1) 1103 { case 0: 1104 len= ((ECPublicKey)ECCkp[index].getPublic()) 1105 .getA(buffer,(short)(2)); 1106 Util.setShort(buffer,(short)0,len); 1107 apdu.setOutgoingAndSend((short)0,(short)(len+2)); 1108 break; 1110 case 1: 1111 len= ((ECPublicKey) ECCkp[index].getPublic()) 1112 .getB(buffer,(short)(2)); 1113 Util.setShort(buffer,(short)0,len); 1114 
apdu.setOutgoingAndSend((short)0,(short)(len+2)); 1115 break; 1117 case 2: 1118 len= ((ECPublicKey) ECCkp[index].getPublic()) 1119 .getField(buffer,(short)(2)); 1120 Util.setShort(buffer,(short)0,len); 1121 apdu.setOutgoingAndSend((short)0,(short)(len+2)); 1122 break; 1124 case 3: 1125 len= ((ECPublicKey)ECCkp[index].getPublic()) 1126 .getG(buffer,(short)(2)); 1127 Util.setShort(buffer,(short)0,len); 1128 apdu.setOutgoingAndSend((short)0,(short)(len+2)); 1129 break; 1131 case 4: 1132 len= ((ECPublicKey) ECCkp[index].getPublic()).getK(); 1133 Util.setShort(buffer,(short)2,len); 1134 Util.setShort(buffer,(short)0,(short)2); 1135 apdu.setOutgoingAndSend((short)0,(short)4); 1136 break; 1138 case 5: 1139 len= ((ECPublicKey) ECCkp[index].getPublic()) 1140 .getR(buffer,(short)(2)); 1141 Util.setShort(buffer,(short)0,len); 1142 apdu.setOutgoingAndSend((short)0,(short)(len+2)); 1143 break; 1144 Identity Module for TLS Version 1.3 January 2021 1146 case (byte)6: 1147 len= ((ECPublicKey) ECCkp[index].getPublic()) 1148 .getW(buffer,(short)(2)); 1149 Util.setShort(buffer,(short)0,len); 1150 apdu.setOutgoingAndSend((short)0,(short)(len+2)); 1151 break; 1153 case (byte)7: 1154 len= ((ECPrivateKey)ECCkp[index].getPrivate()) 1155 .getS(buffer,(short)(2)); 1156 Util.setShort(buffer,(short)0,len); 1157 apdu.setOutgoingAndSend((short)0,(short)(len+2)); 1158 break; 1160 default: 1161 ISOException.throwIt(ISO7816.SW_INCORRECT_P1P2); 1162 break; 1163 } 1164 } 1165 catch (CryptoException e) 1166 {ISOException.throwIt(SW_DUMP_KEYS_PAIR); 1167 break; 1168 } 1170 break; 1172 case INS_SET_KEY_PARAM: 1174 readCount = apdu.setIncomingAndReceive(); 1176 if ( !AdminPin.isValidated()) 1177 ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED); 1178 index= Util.makeShort((byte)0,P2); 1179 if ( (index <0) || (index >= N_KEYS)) 1180 ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED); 1181 if ( (P1 == (byte)6) && ECCkp[index].getPublic().isInitialized()) 1182 ISOException.throwIt(SW_KPUB_DEFINED); 
1183 if ( (P1 == (byte)7) && ECCkp[index].getPrivate().isInitialized()) 1184 ISOException.throwIt(SW_KPRIV_DEFINED); 1186 try 1187 { switch (P1) 1188 { case (byte)0: 1189 ((ECPublicKey)ECCkp[index].getPublic()) 1190 .setA(buffer,(short)5,len); 1191 ((ECPrivateKey)ECCkp[index].getPrivate()) 1192 .setA(buffer,(short)5,len); 1193 break; 1194 Identity Module for TLS Version 1.3 January 2021 1196 case (byte)1: 1197 ((ECPublicKey)ECCkp[index].getPublic()) 1198 .setB(buffer,(short)5,len); 1199 ((ECPrivateKey)ECCkp[index].getPrivate()) 1200 .setB(buffer,(short)5,len); 1201 break; 1203 case (byte)2: 1204 ((ECPublicKey)ECCkp[index].getPublic()) 1205 .setFieldFP(buffer,(short)5,len) ; 1206 ((ECPrivateKey)ECCkp[index].getPrivate()) 1207 .setFieldFP(buffer,(short)5,len); 1208 break; 1210 case (byte)3: 1211 ((ECPublicKey)ECCkp[index].getPublic()) 1212 .setG(buffer,(short)5,len) ; 1213 ((ECPrivateKey)ECCkp[index].getPrivate()) 1214 .setG(buffer,(short)5,len); 1215 break; 1217 case (byte)4: 1218 ((ECPublicKey)ECCkp[index].getPublic()) 1219 .setK(Util.makeShort(buffer[5],buffer[6])) ; 1220 ((ECPrivateKey)ECCkp[index].getPrivate()) 1221 .setK(Util.makeShort(buffer[5],buffer[6])); 1222 break; 1224 case (byte)5: 1225 ((ECPublicKey)ECCkp[index].getPublic()) 1226 .setR(buffer,(short)5,len); 1227 ((ECPrivateKey)ECCkp[index].getPrivate()) 1228 .setR(buffer,(short)5,len); 1229 break; 1231 case (byte)6: 1232 ((ECPublicKey)ECCkp[index].getPublic()) 1233 .setW(buffer,(short)5,len) ; 1234 break; 1236 case (byte)7: 1237 ((ECPrivateKey)ECCkp[index].getPrivate()) 1238 .setS(buffer,(short)5,len); 1239 break; 1241 default: 1242 ISOException.throwIt(ISO7816.SW_INCORRECT_P1P2); 1243 break; 1244 } 1245 } 1246 Identity Module for TLS Version 1.3 January 2021 1248 catch (CryptoException e) 1249 {ISOException.throwIt(SW_SET_KEY_PARAM); 1250 break; 1251 } 1253 break; 1255 case INS_INIT_CURVE: 1257 if ( !AdminPin.isValidated()) 1258 ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED); 1259 index= 
Util.makeShort((byte)0,P2); 1260 if ( (index <0) || (index >= N_KEYS)) 1261 ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED); 1262 if ( (P1 == (byte)6) && ECCkp[index].getPublic().isInitialized() ) 1263 ISOException.throwIt(SW_KPUB_DEFINED); 1264 if ((P1 == (byte)7) && ECCkp[index].getPrivate().isInitialized()) 1265 ISOException.throwIt(SW_KPRIV_DEFINED); 1267 switch((byte)P1) 1268 { case (byte)0: 1269 case (byte)1: 1270 (ECPublicKey)ECCkp[index].getPublic()) 1271 .setA(ParamA1,(short)0,(short)ParamA1.length) ; 1272 ((ECPrivateKey)ECCkp[index].getPrivate()) 1273 .setA(ParamA1,(short)0,(short)ParamA1.length); 1274 ((ECPublicKey)ECCkp[index].getPublic()) 1275 .setB(ParamB1,(short)0,(short)ParamB1.length) ; 1276 ((ECPrivateKey)ECCkp[index].getPrivate()) 1277 .setB(ParamB1,(short)0,(short)ParamB1.length); 1278 ((ECPublicKey)ECCkp[index].getPublic()) 1279 .setFieldFP(ParamField1,(short)0,(short)ParamField1.length); 1280 ((ECPrivateKey)ECCkp[index].getPrivate()) 1281 .setFieldFP(ParamField1,(short)0,(short)ParamField1.length); 1282 ((ECPublicKey)ECCkp[index].getPublic()) 1283 .setG(ParamG1,(short)0,(short)ParamG1.length) ; 1284 ((ECPrivateKey)ECCkp[index].getPrivate()) 1285 .setG(ParamG1,(short)0,(short)ParamG1.length); 1286 ((ECPublicKey)ECCkp[index].getPublic()) 1287 .setK(ParamK1) ; 1288 ((ECPrivateKey)ECCkp[index].getPrivate()) 1289 .setK(ParamK1); 1290 ((ECPublicKey)ECCkp[index].getPublic()) 1291 .setR(ParamR1,(short)0,(short)ParamR1.length) ; 1292 ((ECPrivateKey)ECCkp[index].getPrivate()) 1293 .setR(ParamR1,(short)0,(short)ParamR1.length); 1294 break; 1295 Identity Module for TLS Version 1.3 January 2021 1297 default: 1298 ISOException.throwIt(ISO7816.SW_INCORRECT_P1P2); 1299 break; 1300 } 1301 break; 1303 default: 1304 ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED); 1305 } 1307 } 1309 public short EccSign(KeyPair ECCkeyPair, byte [] buf, byte mode) 1310 { short len,sLen=(short)0; 1311 len= Util.makeShort((byte)0,buf[4]); 1312 
Util.arrayCopy(buf,(short)5,buf,(short)2,len) // Sign 1313 try 1314 { if (mode == (byte)0)// default 1315 { ECCsig.init(ECCkeyPair.getPrivate(),Signature.MODE_SIGN); 1316 sLen = ECCsig.signPreComputedHash(buf,(short)2,len buf, 1317 (short)(2+len)); 1318 } 1319 else 1320 { ECCsig.init(ECCkeyPair.getPrivate(),Signature.MODE_SIGN); 1321 sLen = ECCsig.sign(buf, (short)2, len, buf, (short)(2+len)); 1322 } 1323 } 1324 catch (CryptoException e) 1325 {ISOException.throwIt(SW_SIGN_ERROR); 1326 return (short)0; 1327 } 1329 Util.arrayCopy(buf,(short)(2+len),buf,(short)2,sLen); 1330 Util.setShort(buf,(short)0,sLen); 1331 return(short)(sLen+2); 1332 } 1334 public short GenECCkp(KeyPair ECCkeyPair) 1335 { short len; 1336 try 1337 { ECCkeyPair.genKeyPair(); } 1338 catch (CryptoException e) 1339 { ISOException.throwIt(SW_GENKEY_ERROR); 1340 return (short)0; 1341 } 1342 return 0; 1343 } 1344 Identity Module for TLS Version 1.3 January 2021 1346 public void verify(OwnerPIN pin,byte [] buffer) throws ISOException 1347 {short i,x; 1348 x = Util.makeShort((byte)0,buffer[4]); 1349 for(i=x;i<(short)8;i=(short)(i+1)) 1350 buffer[(short)(5+i)]=(byte)0xFF; 1351 if ( pin.check(buffer, (short)5,(byte)8) == false ) 1352 ISOException.throwIt((short)((short)SW_VERIFICATION_FAILED | 1353 (short)pin.getTriesRemaining())); 1354 } 1356 public static final short DB_off = (short)0 ; 1358 public void hmac 1359 ( byte [] k,short k_off, short lk, // Secret key 1360 byte [] d,short d_off,short ld, // data 1361 MessageDigest md, 1362 byte out[], short out_off, boolean init) 1363 { 1364 short i,DIGESTSIZE, DIGESTSIZE2=(short)64,BLOCKSIZE=(short)128; 1365 DIGESTSIZE=(short)md.getLength(); 1366 if (md.getAlgorithm() == md.ALG_SHA_512) 1367 { DIGESTSIZE2= (short)64; BLOCKSIZE = (short)128; } 1368 else if (md.getAlgorithm() == md.ALG_SHA_256) 1369 { DIGESTSIZE2= (short)32; BLOCKSIZE = (short)64;} 1371 if (init) 1372 { if (lk > (short)BLOCKSIZE ) 1373 { md.reset(); 1374 md.doFinal(k,k_off,lk,k,k_off); 1375 lk = 
DIGESTSIZE ; 1376 } 1377 for (i = 0 ; i < lk ; i=(short)(i+1)) 1378 DB[(short)(i+DB_off+BLOCKSIZE+DIGESTSIZE2)] = 1379 (byte)(k[(short)(i+k_off)] ^ (byte)0x36) ; 1380 Util.arrayFillNonAtomic ( 1381 DB,(short)(BLOCKSIZE+DIGESTSIZE2+lk+DB_off), 1382 (short)(BLOCKSIZE-lk),(byte)0x36); 1383 for (i = 0 ; i < lk ; i=(short)(i+1)) 1384 DB[(short)(i+DB_off)] = (byte)(k[(short)(i+k_off)] ^ (byte)0x5C); 1385 Util.arrayFillNonAtomic(DB,(short)(lk+DB_off), 1386 (short)(BLOCKSIZE-lk),(byte)0x5C); 1387 } 1388 md.reset(); 1389 md.update(DB,(short)(DB_off+BLOCKSIZE+DIGESTSIZE2),BLOCKSIZE); 1390 md.doFinal(d, d_off,ld,DB,(short)(DB_off+BLOCKSIZE)); 1391 md.reset(); 1392 md.doFinal(DB,DB_off,(short)(DIGESTSIZE+BLOCKSIZE),out,out_off); 1393 } 1394 Identity Module for TLS Version 1.3 January 2021 1396 protected im(byte[] bArray,short bOffset,byte bLength) 1397 { init(); 1398 register(); 1399 } 1401 public void init() 1402 { short i=0; 1403 status = (short)0; 1404 ECCkp = new KeyPair[N_KEYS]; 1405 UserPin = new OwnerPIN((byte)3,(byte)8); // 3 tries, 4=Max Size 1406 AdminPin = new OwnerPIN((byte)10,(byte)8); // 10 tries 8=Max Size 1407 UserPin.update(MyPin,(short)0,(byte)8) ; 1408 AdminPin.update(OpPin,(short)0,(byte)8); 1409 for(i=0;i. 1466 [ISO7816] ISO 7816, "Cards Identification - Integrated Circuit Cards 1467 with Contacts", The International Organization for Standardization 1468 (ISO). 1470 [GP-SPI-I2C] GlobalPlatform Technology, APDU Transport over SPI/I2C 1471 Version 0.0.0.39, July 2019 1473 10.2 Informative References 1475 [IM-JC] https://github.com/purien/TLS-SE/blob/master/im/im.java 1477 11 Authors' Addresses 1479 Pascal Urien 1480 Telecom Paris 1481 19 place Marguerite Perey 1482 91120 Palaiseau Phone: NA 1483 France Email: Pascal.Urien@telecom-paris.fr
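The applet's EXTRACT_EARLY, EXPAND_EARLY, HMAC_EBSK/HMAC_RBSK and EXTRACT_HANDSHAKE handlers, and the `derived`, `ext_binder`, `res_binder` and `finished` constants, implement the PSK part of the RFC 8446 key schedule with one HMAC per step. The Python model below is an added editor's example, not part of this draft or of the im.java applet: it rebuilds the same HkdfLabel structures from the RFC definitions, runs the same secrets through a full HKDF-Expand, and shows that for a 32-byte output the applet's single-HMAC shortcut is exactly HKDF-Expand-Label, so a host can use it to check a module's responses. It follows RFC 8446 for both binder keys (context = SHA-256("")). Only the standard library is used; the PSK and the transcript value are constructed sample inputs.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32, the applet's sha256.getLength()


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): a single HMAC keyed with the salt.
    RFC 8446 writes the Early Secret salt as 0, i.e. HASH_LEN zero bytes;
    the applet's EXTRACT_EARLY receives salt and PSK from the host."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(prk, T(i-1) || info || i), concatenated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_label(label: str, context: bytes, length: int = HASH_LEN) -> bytes:
    """RFC 8446 section 7.1 HkdfLabel: uint16 length, opaque label<7..255>
    ("tls13 " + Label), opaque context<0..255>."""
    full_label = b"tls13 " + label.encode("ascii")
    return (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret: bytes, label: str, context: bytes,
                      length: int = HASH_LEN) -> bytes:
    return hkdf_expand(secret, hkdf_label(label, context, length), length)


def derive_secret(secret: bytes, label: str, messages: bytes = b"") -> bytes:
    """Derive-Secret: the context is the transcript hash of `messages`."""
    return hkdf_expand_label(secret, label, HASH(messages).digest())


def applet_expand(secret: bytes, info_with_counter: bytes) -> bytes:
    """The applet's shortcut: one HMAC over a stored HkdfLabel || 0x01.
    For a HASH_LEN-byte output this is the whole HKDF-Expand-Label."""
    return hmac.new(secret, info_with_counter, HASH).digest()


def applet_constants() -> dict:
    """The info||0x01 byte strings the applet stores as derived,
    ext_binder/res_binder and finished, rebuilt from the structure."""
    empty_hash = HASH(b"").digest()
    return {
        "derived": hkdf_label("derived", empty_hash) + b"\x01",
        "ext_binder": hkdf_label("ext binder", empty_hash) + b"\x01",
        "res_binder": hkdf_label("res binder", empty_hash) + b"\x01",
        "finished": hkdf_label("finished", b"") + b"\x01",
    }


def early_key_schedule(psk: bytes, dhe: bytes = b"") -> dict:
    """The secrets the applet keeps in ESK, HSK, eBSK, rBSK, feBSK and
    frBSK, plus the Handshake Secret returned by EXTRACT_HANDSHAKE."""
    early = hkdf_extract(b"", psk)                         # ESK
    ext_binder = derive_secret(early, "ext binder")        # eBSK
    res_binder = derive_secret(early, "res binder")        # rBSK
    derived = derive_secret(early, "derived")              # HSK: salt of the Handshake Secret
    ikm = dhe if dhe else bytes(HASH_LEN)                  # PSK-only: 0-filled (EC)DHE input
    return {
        "early_secret": early,
        "ext_binder_key": ext_binder,
        "res_binder_key": res_binder,
        "ext_finished_key": hkdf_expand_label(ext_binder, "finished", b""),  # feBSK
        "res_finished_key": hkdf_expand_label(res_binder, "finished", b""),  # frBSK
        "derived": derived,
        "handshake_secret": hkdf_extract(derived, ikm),
    }


def psk_binder(finished_key: bytes, partial_client_hello_hash: bytes) -> bytes:
    """PskBinderEntry value, as computed by HMAC_EBSK / HMAC_RBSK."""
    return hmac.new(finished_key, partial_client_hello_hash, HASH).digest()


if __name__ == "__main__":
    # Constructed sample inputs (not from the draft): a 32-byte PSK, no DHE share.
    ks = early_key_schedule(bytes(range(32)))
    consts = applet_constants()
    # The applet's single HMAC with its stored constant equals Derive-Secret.
    assert applet_expand(ks["early_secret"], consts["ext_binder"]) == ks["ext_binder_key"]
    transcript = HASH(b"ClientHello up to the binders (constructed)").digest()
    print("ext binder:", psk_binder(ks["ext_finished_key"], transcript).hex())
```

A host-side checker would feed the same salt, PSK and transcript hash to the module and compare the APDU responses with these values; any difference in one of the stored constants shows up immediately as a binder mismatch.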