WIXLIB

ROM (10K bytes)E2pROM (8K bytes)BOOTSTRAP CODE (11()COMMAND INTERPRETER( 11()PRIMITIVE FUNCTIONS{4.SK)RS-232 serial communications connection between thesmartcard and the host computer. RS-232 was chosenbecause a serial port is standard equipment on themajority of computers. Therefore. the reader/writercan be connected. to most computers without the needfor a custom interface or hardware modifications.PUBLIC/PRIVATEKEY STORAGESACS Reader/WriterSECRET KEY STORAGEThe SACS reader/writer is a relatively unsophisticateddevice which simply serves as a direct I/0 interfacebetween the smartcard and a host It cannot performany processing itself since it does not contain amicroprocessor. Its main purpose is to providepower, ground, clock and I/0 signals to a SACS or anASACS smartcard. To interface the smartcard to thehost, the reader/writer performs level coqversionbetween the 12V RS-232 I/0 signals used by the hostand the SV I/0 signals used by the card. See [11] fora more detailed description of the SACS reader/writer.ASACS COMMANDS (2K)SACS COMMANDS(4.51()PUBLIC KEY PRIMmves(41()Figure 3: ASACS smartcard memory layout.Rivest-Shamir-Adleman (RSA) [8] cryptographicalgorithm have been implemented in the ASACSsrnartcard firmware.The SACS reader/writer features an ISO standardsmartcard receptacle, external power and dataindicator lights, and an RS-232 port for connecting toa host. In addition, the SACS reader/writer's cardreceptacle features a locking mechanism which holdsthe card internally after insertion into thereader/writer, and an automatic ejection mechanism toremove the card from the reader/writer.Figure 3 depicts the layout of the ASACS smartcardmemory from a high level perspective. The majorityof the firmware is stored in ROM, including abootstrap routine and code for the commands from theSACS smartcard The Data Encryption Standard(DES) [9] algorithm is also located in ROM. TheEEPROM contains the firmware for the public keyalgorithms, a command interpreter, and a jump tablewhich points to the finnware routines associated witheach command. Since the addresses in the jump tablecan be modified, new firmware routines can be loadedinto EEPROM to replace existing routines and to addnew functions. Specific locations in EEPROM arereserved for the storage of symmetric and asymmetrickey components. In addition, a number of generalpurpose data storage zones are available in EEPROM.An RS-232 cable is required to attach the SACSreader/writer to a host, whereupon it functions as datacommunications equipment (DCE). Signals are sentby the reader/writer to the host which indicate that thereader/writer is powered-up and that a card isinserted. The SACS reader/writer is a rectangular boxapproximately 2 1/2 inches high, 5 inches deep, andS inches wide. An ISO smartcard receptacle andindicator lights are located on the front of thereader/writer, and the power cord and RS-232 jacks inthe rear. The power supply for the SACSreader/writer is internal.See [10] for a more detailed description of theASACS public key smartcard.The SACS reader/writer is designed to accept asmartcard whose physical c teristics, dimensionsand contact locations· adhere,; io ISO InternationalStandard 7816, Parts 1 and 2 [4,12]. The electricalsignals that the SACS reader/writer supplies to thesmartcard also meet most of the requirementsspecified in ISO International Standard 7816. Part 3[13]. with the exception of the initial clock.(CLK}SMARTCARD READER/WRITERThe ASACS public key smartcard can be interfacedto a workstation using either the SACS reader/writeror the new ASACS portable reader/writer. Both theSACS and the ASACS reader/writers provide an128

Toe reader/writer supports a set of commands that areexecuted directly on the reader/writer, as opposed toon the smartcard. These commands use the sameprotocol that is used for smartcard commands.Several of the reader/writer commands allow the hostto load the default parameters into the reader/writer'snon-volatile memory to control such things as baudrate, and the date/time. These same default values canalso be specified manually from the keypad bypressing the Fl key to access the reader/writer's set up menu. Another command can be used by the hostto determine if a smartcard is inserted into thereader/writer. Two commands can be used totemporarily put the reader/writer in manual keypadentry mode. The first of these two commands, asdiscussed above, is used by the host to allow the userto enter their PIN to the smartcard via thereader/writer's keypad. The latter command can becalled to allow the user to perform a manualThechallenge/response with a remote host.remaining reader/writer commands can be used by thehost to utilize the ASACS reader/writer'scommunications buffer for more efficient :.: ESencryption, DES decryption or MAC calculation withthe smartcard.frequency, which is 10MHz as opposed to 3.5795.ASACS Portable Reader/WriterThe ASACS portable reader writer was built toprovide functionality not offered by the earliell' SACSreader/writer. As a portable device, it allows usersthe option to authenticate themselves using hosts notequipped with a smartcard reader/writer. Severalsignificant improvements have been made to thedesign of the reader/writer. The overall size has beenreduced to less than half that of the SACSreader/writer. so that the device can easily be carriedfor use at remote sites. The new reader/writer ispowered by rechargeable batteries, and includes atransformer for use with 110V line power. The frontpanel has a keypad and liquid crystal display whichallow the user to interact directly with the smartcard.This feature is useful in situations where thereader/writer cannot be connected to the user'sworkstation. A protocol has been developed whichallows the user to perform authentications manuallyvia the keypad and display. A remote host computercan then require manual ASACS authentication evenif the user's workstation is a dumb terminal. In thiscase, all interactions with the card are through thekeypad and display. After the user personalidentification number (PIN) has been submitted to thecard, the remote host will generate a randomchallenge and send this to the user's workstation.The user reads this challenge from the screen andtypes it on the reader/writer keypad. 1be smartcardencrypts the challenge and displays the encryptedresult, so that the user can submit it to the remotehost. When a serial connection to the workstation isavailable, the user still has the option of entering thePIN through the keypad on the reader/ writer. Sincetheuser's PIN does not travel through theworkstation, system security is enhanced.SMARTCARD LAYERED INTERFACEThe ASACS host system software is comprised of aset of four interface layers. Each layer corresponds toa specific set of functions needed to integrate theASACS system into a software application on a hostsystem (see Figure 2).Smart.card Applications Program InterfaceThe Smartcard Application Program Interface(SCAPO [15] was developed to provide a consistent,but. robust interface designed to ease the integrationof smartcard technology into applications. TheSCAPI is intended to insulate applications from thedifferences among the various smartcards, as well asdifferences likely to appear as smartcard technologyevolves.The SCAPI is not tied to specificsmartcards 1or to specific capabilities (e.g., memorycapacity) of smartcards. In fact, the SCAPI can be,and has been\. completely implemented in software,thus providing a simple, but useful tool for integratingsmartcard tecbnology into applications.Toefunctional capabilities of a particular smartcardToe AS ACS reader/writer has an 8-bit microprocessorwiih 256 bytes of internal RAM. In addition, thereader/writer has 256 bytes of EEPROM used for dataand setup parameter storage, 32K bytes of RAM usedfor scratch pad and data buffering, and an industrystandard 32K byte EPROM chip which holdsfirmware implementing the internal logic and extemalcommands. The EPROM chip can be easily removedfor custom firmware development. See [14] fordetailed specifications for the ASACS portablereader/writer and firmware.129

Communications Protocol and Hardware 1/0Interfacedetermines how much of the SCAPI functionality isimplemented in software on the host computer andhow much is performed on the smartcard. Thus, astechnology advances, more of the SCAPI functionalitymay be directly implemented on the card or on thereader/writer while leaving applications unaffected.Toe Smartcard Communications Protocol Layertransmits the data assembled by the Command SetInterface Layer to the ASACS portable reader/writerand the public lcey smartcard. The data is transmittedaccording to the communications protocol used byboth the reader/writer and the smartcard. TheCommunications Protocol Layer interacts with theHardware 1/0 Interface in order to send and receiveeach byte of theThe SCAPI currently defines four types of functions: Initialization Functions,Account Functions,Cryptographic Functions, andFile and Directory Functions.dataToe Hardware 1/0 layer consists of a software driverwhich provides low-level input/output routines forcommunicating with the smartcards. Currently, theHardware 1/0 Layer consists of a serial interface,since both the SACS and ASACS reader/writersemploy serial interfaces. This layer can support othertypes of hardware interfaces for reader/writers that donot employ an RS-232 interface.The SCAPI is intended to be consistent with theANSI C standard. The file functions are designed tomap directly upon those defined by Kernighan andRitchie [16]. Since C is known for its ponability, itmakes sense to extend this platform independence tosmartcard systems.Further, this flexibility andconsistent feel for C programmers is likely to promotethe use of the SCAPI. Toe directory functions reflectwidely used operating system calls. Unfortunately,ANSI C does not address the cryptographicfunctionality to which smartcard technology is sowell-suited. Therefore, the SCAPI defines a set ofcryptographic functions which provide an algorithm independent interface for cryptographic operationswhich may be implemented on a smartcardThe Serial 1/0 Interface is written to be as portable aspossible across a broad range of hardware/softwareplatforms, such as SUNOS (Sun's UNIX OperatingSystem) and MSDOS. However. some systems mayrequire that this layer be customfaed. The interfaceto this layer is clearly defined, and can be modifiedwith minimaJ effort.Smartcard and Reader/Writer Command SetInterfacesAPPLICATIONS SOFfWAREThe Command Set Interface Layer consists of Clanguage object module libraries. The libraries eachprovide a set of C function calls, each directlycorresponding to a command from the firmwarecommand sets for the public key smartcard [17] andthe ponable reader/writer [18]. The function whichrepresents a particular command is called with theappropriate input data for that command asarguments. The function returns the output data fromthe command and a status code. Status codes aremapped onto a set of error messages defined in aheader file. This layer is called indirectly through theSCAPI, thus making the choice of reader/writerinvisible to the application.Security Officer ::amtenance ProgramThe Security Officer Maintenance (SOMAINf)Program (19] provides functions which are used by asecurity officer or system manager. These functionsinclude the initialization of cards for new users,synchronization and maintenance of key databasesstored on the cards and host computers, deactivationof cards, and reactivation of cards which have beeninadvertently deactivated or corrupted. The programswhich support the system management functions arerestricted to use by autho1ized security managersthrough the swidard UNIX operating system fileprotections.130

Signature Utility ProgramPrivacy Enhanced MallThe DSS Signature Utility Program [20]wasdeveloped to demonstrate the generation andvmification of digital signatures using the ASACSpublic key smartcard. The program utilizes thealgorithm proposed by the Standard Hash Standard{SHS) (21] to calculate a hash value on a file ofarbitrary size. The hash value is transmitted by thehost computer to the smartcard, which applies theDigital Signature Algorithm (DSA) to this value togenerate a digital signature with the cardholder' sprivate key. The signature can then be verified by thehost computer or the smartcard using the card.holder'spublic key.The Internet Privacy Enhanced Mail (PEM) protocolsare an extension to the existing Internet electronicmail protocol (RFC 822) which provide simple end to-end security services including optional messageconfidentiality, message integrity, and sourceauthentication with non-repudiation. The protocolsare specified in a 4 part series of specifications[23,24,25,26] which are cmrently published asInternet Drafts, and are targeted to be published asInternet Request For Comments (RFCs) withProposed Standard status.The PEM security services are provided through theuse of standard cryptographic techniques, includingmessage encryption using the DES in the CipherBlock Chaining (CBC) mode of operation to protectmessage text and the RSA algorithm to provide fordistribution of DES keys, digital signatures usingRSA algorithm in conjunction with either MessageAuthentication Code (MAC), Message DigestAlgorithm MD2 [27], or the Message DigestAlgorithm :MD5 [28). RSA public keys are managedas public key certificates using a distributedcertification hierarchy based on CCTIT X.509 [29].Login ManagerThe ASACS Login Manager [22] is a collection ofprograms which control login access to hostcomputers. These programs manage the series ofauthentications between the user, the smartcard, anda host computer. When a user requests access to thehost. the login manager establishes communicationswith the user's card through the reader/writer. Thelogin manager prompts the user for the user PIN, andtransmits it to the card in order to authenticate theuser to the card. The card and host will thenauthenticate to each other using a random challenge response protocol based on the Data EncryptionStandard (DES). This protocol provides a means forrapid authentication of two parties with protectionfrom wiretapping and playback attacks. If theauthentications are successful, the user is granted asession on the host.The TIS Privacy Enhanced Mail (TIS/PEM) Systemis a UNIX·based implementation of PEM. At thecore of the TIS/PEM system is the Local KeyManager (LKM), which, as its name implies, isresponsible for all the local key management activitieson a multi-user host system. This includes (1)maintaining a database for local users' private keys,(2) controlling the use of private keys to computedigital signatures and decrypt message tokens(encrypted message encryption keys), (3) maintaininga database for local and remote users' public keycertificates, and (4) pr,viding access to validatedpublic key certificates. In addition, the LKM sharesthe responsibility for the registration of a local user,that is, the generation of a public/private key pair andthe construction and digital signing of a certificateembodying the public key.The login demonstration software also supports loginauthentication to remote host computers. When asystem user wishes to access a remote computer, theuser executes a program which communicates withthe user's card t o obtain a list of host computers withwhich the card shares authentication keys. This listof host computer names is displayed in a menu, sothat the user can select the particular host to access.Toe software establishes a connection with theASACS authentication server process running on theremote host selected by the user. The remote host . then performs the challenge-response authenticationwith the user's card in order to verify the identity ofthe user.The ASACS system was integrated with the TIS/PEMsystem by integrating it with the LKM. In particular,a user's private key is generated by the LKM andthen stored on the smartcard, where it remains in theprotected confines of the smartcard When calledupon to perform the cryptographic operationsinvolving the users private key, the LKM, instead of131

of Commerce, Washington, D.C., September1988.perfonning those operations directly, now invokes thefunctions of the smartcard via the SCAPI. Thesmartcard then perfonns the necessary computation ofa digital signature or decryption of a message token,using the private kt;y stored on the smart.cardThe storage of a user's private key provides addedprotection that cannot be achieved in a shareddatabase. The inherent security features of the smartcard allow for limiting access to the private key to theuser, who must be authenticated to the card before theprivate key can be used.ACKNOWLEDGEMENTSLots of people at NIST, Datakey, and TIS havecontributed to the design and development of ASACS.Some of the developers deserving special thanksinclude Tom Cain, Paul Clarie, Steve Crocker, MlkeIndovina, Gary Ostrem, Miles Smid, and RobertWarnar.6.American National Standard X9.26-1990,Financial Institution Sign-on Authenticationfor Wholesale Financial Systems, AmericanBankers Association, Washington, D.C.,1990.7.Proposed. Digital Signature Standard (DSS),National Institute of Standards andTechnology, U.S. Department ofCommerce,Washington, D.C., August 30, 1991.8.Ronald L. Rivest and Adi Shamir andLeonard M. Adleman, A Method forObtaining Digital Signatures and Public KeyCryptosystems, Communications of theACM, Volume 21, Number 2, February1978, pp. 120-126.9.Federal Information Processing StandardPublication (FIPS PUB) 46-1, DataEncryption Standard, National Institute ofStandards and Technology, U.S. Departmentof Commerce, Washington, D.C., ReaffirmedJanuacy 22, 1988 (Supersedes FIPS PUB 46,Januaey 15, 1977).REFERENCES1.2.Dray, James F., Miles E. Smid and RobertB. J. Warnar, Implementing an AccessControl System with Smart TokenTechnology, National Institute of Standardsand Technology, U.S. Deparnnent ofCommerce, Washington, D.C., April 12,1989.10.ASACS Smartcard Specification, Datakey,Inc., Report #06S-0130-000, April 24, 199211.NIST SACS Smartcard Specification,Datake:;, Inc., Report #065.0097-000, July11, 19Yl.NIST SACS Reader/Writer Specification,Datakey, Inc., Report #065-0098.Q00, July11, 1991.12.International Standard 7816-1, IdentificationCar k - Integrated Circuit(s) Cards withContacts - Part 1: Physical Characteristics,Int e rn a ti o n al Org a n iza ti o n f o rStandardization, 1987.13.International Standard 7816-3, IdentificationCards - Integrated Circuit(s) Cards withContacts - Part 3: Electronic Signals andTransmission Protocols, InternationalOrganization for Standardization, 1989.14.A S A C S P ortable R e ader/Wri t e rSpecification, Datakey, Inc., Report#065-0131-000, April 24, 1992.3.Hitachi HS/310 ·ingle-Chip Microcomputer,Hitachi, Ltd. Tokyo, Japan, 1989.4.International Standard 7816-2, IdentificationCards - Integrated Circuit(s) Cards withContacts - Part 2: Dimensions and Locationof the Contacts, International Organizationfor Standardization, 1988.s.Haykin, Martha E., and Robert B. J. Warnar,Smart Card Technology: New Methods forComputer Access Control, NIST SpecialPublication 500-157, National Institute ofStandards and Technology, U.S. Department132

15.Smartcard Application Program Interface forthe Advanced Smartcard Access ControlSystem (ASACS), Trusted InformationSystems, Inc., Glenwood, :MD, October1992.16.Kernigan, B. and D. Ritchie, The CProgramming Language, 2nd Edition,Prentice Hall, 1988.17.Advanced Smartcard Access Control System(ASACS): Smartcard Comm.and SetInterface, National Institute of Standards andTechnology, U.S. Department of CODlClerce,Washington, D.C., 1992.18.Advanced Smartcard Access Control System(ASACS): Reader/Writer Command SetInterface, National Institute of Standards andTechnology, U.S. Department of Commerce,Washington, D.C., 1992.19.Security Officer Maintenance (SOMAINT)Program User's Manual, National Institute ofStandards and Technology, U.S. Departmentof Commerce, Washington, D.C., 1992.20.Advanced Smartcard Acc

The SACS and ASACS smart cards contain a Hitachi HS/310 integrated circuit, designed specifically for smart card applications [3]. The HS is configured with 256 bytes of RAM, l0K bytes of ROM, and 8K bytes of EEPROM. In order to meet ISO requirements for contact spacing and arrangement, the H8 die bas pads for power ( SV), ground, clock