Chip card management in the Electra Client Program

printable version

To our knowledge, chip cards are the most secure digital signature generation devices available to a wide range of users as a consequence of their ease of use, simple structure and comparatively small price. The Electra system is capable of using chip cards and thereby provide the highest possible level of security to both banks and their customers.

By definition, a chip card is a hardware device integrated into a plastic card of the size of traditional bank cards, consisting of integrated circuits with preprogrammed encryption algorithms and complete with certain memory capacity. Some of the bank cards currently in use also contain such chips. Users cannot access the information stored on their chip cards directly; they must use special peripherals (e.g. card readers connected to a computer) for that purpose. Very few computers are equipped with such a peripheral today, therefore, workstations must be prepared for the use of chip cards prior to starting to generate signatures in the Electra Client Program.

The Electra Client Program uses the PKCS #11 standard for the management of chip cards. As the interface provided by this standard allows using other crypto tokens as well, our client program is capable of using a wide range of devices. The eToken, for example, is one of the most popular devices besides chip cards. It has a standard USB connector and so it has the great advantage of not needing any special peripheral (card reader) to connect to a computer.

Chip cards represent the highest level of security at present. We can say that because the data stored in their memory and qualifying as 'confidential' information from an encryption point of view cannot be accessed directly under any circumstances. The private part of the encryption key stored on a chip card cannot be retrieved from the card and is not required for making a digital signature at all. Cards can only be instructed to run some encryption algorithm (e.g. RSA) using the key stored in their memory and to return the final result. The encryption algorithm is, in fact, executed in the chip integrated into the card, so no data or partial result is transferred to the computer controlling the card (and running the Electra Client Program). Security is further enhanced by the fact that 'confidential' data are not transferred to the chip card memory from some external source but are generated by the chip itself. A chip card can be instructed to generate e.g. an RSA key of a specific size in its internal memory. When it receives such a command, the chip card will generate both the private and the public parts of the RSA key but grant access only to the public part. Apart from that, the chip card will accept any execution instruction only from those who know the PIN code of the device. This user PIN code needs to be entered before trying to use any chip card function. The chip card will then verify this code and execute the requested encryption operation only if the code entered matches the one stored in its memory. Obviously, chip cards do not grant access to any stored PIN code data. If a user fails to enter the valid PIN code in three attempts, the chip card will be blocked and cannot be used until the block is lifted. Blocks can be lifted using a special function, which, however, requires an administrator PIN code. If the administrator PIN code also gets locked, the data stored on the chip card will no longer be available as the deletion of the administrator PIN code also results in the deletion of all data stored on the chip card.

If an Electra user wants his chip card to generate a digital signature in the Electra system, he must first be associated with the signature keys stored on the chip card. This can be done in two ways:

  • registration of the PKCS #11 device
  • PKI-based association using a X.509 certificate

PKCS #11 device registration is an embedded administration function in the Electra system, which allows assigning the public part of a specific RSA key stored on a specific chip card to a user. The registration procedure must be completed using the Administrator program on the Electra server or the client-side administration function in the Electra Client Program. The user-chip card assignment is input into the system through a digitally signed command in both cases.

You can replace PKCS #11 device registration by using PKI-based X.509 certificates in the Electra system. The Electra system can read not only RSA keys but also any standard X.509 certificate associated with them. In such cases the connection with the user is defined based on the Electra user ID (userid) entered into the subject field of the certificate. The client program recieves the CA certificates required to verify the certificates through the Electra server and so the connection is established based on the links between the userid, certificate subject, certificate signature and CA certificate. PKI-based PKCS #11 assignment can only be performed if using special certificates which already contain the Electra user ID either directly or through a well-defined mapping function.

The Electra Client Program uses chip cards only for generating digital signatures but does not verify these signatures. Verification is done by the Electra server using the private part of the RSA key previously registered in it using one of the methods mentioned earlier. When using PKI-based association, the Electra server can also use further PKI tools, e.g. it can verify certificate chains and revocation lists.

 Related articles