IAS-ECC
The French trade association for electronic components, systems, and smart card industries, GIXEL, created a common smart card specification IAS-ECC (Identification Authentication Signature – European Citizen Card) that will be used to develop the next French National Identity Card.
IAS-ECC cards comply with the Advanced Electronic Signature EU Directive 1999/93/EC and the European Citizen Card specification created by CEN in June 2007 to ensure interoperability of e-Services cards throughout Europe. The interoperability of the cards means that every card is compatible with all IAS-ECC middleware, including middleware developed for the French government.
The IAS-ECC technical specification is based on multiple parts of the ISO 7816 series, including ISO 7816-15. The specification anticipates the coexistence of multiple cryptographic card (PKCS#15) applications on one card (see Note 01).
Support of IAS-ECC cards in OpenSC includes:
- IAS/ECC card manufacturer independence
- compatibility with existing IAS/ECC card middleware
- independence from the personalization profile in card usage, and easy configuration for a particular personalization profile in card administration
- Secure Messaging for the administration of "protected" applications, "Qualified Signature," and PIN operations
- PIN-pad support
- support for External Authentication
Currently, cards from the following manufacturers are supported:
- Gemalto MultiApp ID IAS ECC
- Oberthur ID-ONE IAS-ECC
- Sagem "ypsID S3 IAS/ECC"
- Oberthur "COSMO v7" with PKI applet "AuthentIC v3"
- IAS/ECC cards with three Adele profiles (from Gemalto)
The IAS/ECC card from Gemalto fully implements the IAS/ECC v1.0.1 specification. The card is formatted with a generic PKI application and an SM-protected eID application.
(Some notes concerning the usage of this card.)
The IAS/ECC card from Oberthur is formatted with one generic PKI application.
The "ypsID S3 IAS/ECC" is a multi-application card from Sagem and contains two profiles, Generic and protected ECC-eID. The second one contains one slot for the Qualified Signature.
Oberthur's Java Card "COSMO v7" with the PKI applet "AuthentIC v3" is not an IAS/ECC card, but the native format of this card, based on the PKCS#15 specification, is close to IAS/ECC.
Global Platform Secure Messaging can be used to protect access to the on-card objects.
One of the motivations for supporting this card here is an attempt to generalize the implementation of SM and External Authentication; both differ from the definitions in the IAS/ECC specification.
IAS/ECC cards with "Adele" profiles are not general-purpose cards. They were produced for the interoperability tests of IAS/ECC cards and middleware from different producers.
Test Procedure
During active development of this branch, the test procedure consists of tests with the OpenSC tools (pkcs15-crypt, pkcs15-init, pkcs11-tool, and opensc-explorer) and tests of the OpenSC PKCS#11 module with the OpenSC tools, Firefox 3.6.3, and Thunderbird 2.0.0.24. The test platforms are openSUSE 10.3 and WinXP SP3.
Visual Studio 9.0 is used to compile the OpenSC middleware on the WinXP platform.
Tested compatibility with other middleware (for Windows 32):
- IAS Middleware v2.0 Beta 6 from ANTS
- AWP 4.4 from Oberthur
- Smart Security Interface 4.8.1 from Charismathics
- YpsID v4.2.0.rc1 from Sagem
To get the latest source code:
svn co https://www.opensc-project.org/svn/opensc/branches/vtarasov/opensc-sm.trunk
The MSI installation package for Windows 32 can be found here:
OpenSC-SM-r4856.msi
References
- IAS/ECC v1.0.1 specification (French version)
- IAS/ECC v1.0.1 specification (English version)
- Adele personalization profiles
Card Manufacturer Links
Notes
Note 01
For the interoperability tests, the three IAS/ECC card producers used Adele personalization profiles, in which three profiles are defined. In the first, Generic, profile, the administration and usage of the cryptographic objects is protected by the User PIN. In the next two profiles, Administration-2 and Administration-1, all operations that change the card content are protected by Secure Messaging. The Administration-1 application holds the non-repudiation signing key, for which the 'COMPUTE SIGNATURE' operation is protected by both the Sign PIN and Secure Messaging.
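The access conditions in Note 01 can be written down as a small policy table and checked against the authentication state of a session, which is a handy way to confirm what a middleware must have established (PIN verification, an SM channel, or both) before an operation on a given profile can succeed. The following is an added, constructed model of those conditions; it is not OpenSC code and does not talk to a card. The profile names, the operation labels `use`, `change` and `sign`, and the `Session`/`check_access` helpers are assumptions chosen to mirror the note, and any (profile, operation) pair the note does not specify is denied by default rather than guessed.

```python
"""Constructed model of the Adele profile access conditions described in Note 01.

Added illustrative code: not part of OpenSC, and not derived from any card.
Operation labels and helper names are assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Set, Tuple


class Factor(Enum):
    """Authentication facts a session may have established with the card."""
    USER_PIN = "User PIN verified"
    SIGN_PIN = "Sign PIN verified"
    SECURE_MESSAGING = "Secure Messaging channel established"


# Policy table: every factor in the set must hold for the operation to proceed.
#   "use"    - use of a cryptographic object (e.g. a key) in the profile
#   "change" - any operation that modifies card content (create/delete/update)
#   "sign"   - COMPUTE SIGNATURE with the non-repudiation key (Administration-1 only)
# Pairs absent from the table are not covered by Note 01 and are denied.
ACCESS_RULES: Dict[Tuple[str, str], FrozenSet[Factor]] = {
    ("Generic", "use"): frozenset({Factor.USER_PIN}),
    ("Generic", "change"): frozenset({Factor.USER_PIN}),
    ("Administration-2", "change"): frozenset({Factor.SECURE_MESSAGING}),
    ("Administration-1", "change"): frozenset({Factor.SECURE_MESSAGING}),
    ("Administration-1", "sign"): frozenset({Factor.SIGN_PIN, Factor.SECURE_MESSAGING}),
}


@dataclass
class Session:
    """Assumed minimal view of a card session: the selected profile and the
    factors that have been established so far."""
    profile: str
    factors: Set[Factor] = field(default_factory=set)

    def verify_user_pin(self) -> "Session":
        self.factors.add(Factor.USER_PIN)
        return self

    def verify_sign_pin(self) -> "Session":
        self.factors.add(Factor.SIGN_PIN)
        return self

    def open_secure_messaging(self) -> "Session":
        self.factors.add(Factor.SECURE_MESSAGING)
        return self


def check_access(session: Session, operation: str) -> Tuple[bool, str]:
    """Decide whether `operation` is permitted in the session's current state.

    Returns (allowed, reason). Unspecified pairs fail closed.
    """
    rule = ACCESS_RULES.get((session.profile, operation))
    if rule is None:
        return False, (f"no rule for {operation!r} in profile "
                       f"{session.profile!r}; denied by default")
    missing = rule - session.factors
    if missing:
        return False, "missing: " + ", ".join(sorted(f.value for f in missing))
    return True, "all required factors present"


def missing_factors(session: Session, operation: str) -> Set[Factor]:
    """Factors still needed before `operation` would be allowed (empty if allowed
    or if the operation is not covered by the table at all)."""
    rule = ACCESS_RULES.get((session.profile, operation))
    return set(rule - session.factors) if rule else set()


if __name__ == "__main__":
    # Walk through the three profiles with a session that has nothing established.
    for profile, op in [("Generic", "use"), ("Administration-2", "change"),
                        ("Administration-1", "sign"), ("Administration-2", "sign")]:
        allowed, why = check_access(Session(profile), op)
        print(f"{profile:17s} {op:7s} -> {'ALLOW' if allowed else 'DENY '} ({why})")
    # Satisfying the Administration-1 signing rule needs both factors.
    s = Session("Administration-1").verify_sign_pin()
    print("sign after Sign PIN only:", check_access(s, "sign"))
    print("sign after Sign PIN + SM :", check_access(s.open_secure_messaging(), "sign"))
```

The point of the fail-closed default is that the note only describes the protections it lists; anything else a real card might enforce has to be read from the card's own access rules, not assumed.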
