Monthly Archives: March 2016

Chip Authentication Version 3 (CAv3)

3 Replies

This post describes a new version 3 of well-known protocol Chip Authentication, which is used in context of eID to authenticate the chip and to establish a strong secure channel between chip and terminal.

In context of the European eIDAS regulation, the German BSI and the French ANSSI have specified in TR-03110 a new version 3 of protocol Chip Authentication (CAv3). It bases on ephemeral-static Diffie-Hellman key agreement, that provides both secure communication and also unilateral authentication of the chip. This new protocol is an alternative to Chip Authentication Version 2 and Restricted Identification (RI) providing additional features. CAv3 provides the following benefits (see TR-03110 part 2):

  • message-deniable strong explicit authentication of the eIDAS token and of the provided sector-specific identifiers towards the terminal,
  • pseudonymity of the eIDAS token without the need of using the same keys on several chips,
  • possibility of whitelisting eIDAS token (even in case of a compromised group key),
  • implicit authentication of stored data by performing Secure Messaging using new session keys derived during CAv3.

Before CAv3 is started the well-known protocol Terminal Authentication Version 2 (TAv2) must performed because the terminal’s ephemeral key pair generated during TAv2 is used during CAv3. It is also recommend that Passive Authentication is performed before CAv3 to assure the authenticity of chip’s public key.

Following table describes the command during CAv3 respective PSA (Source ISO/IEC 19286):

Command description of Chip Authentication V3 (CAv3) protocol (Source ISO/IEC 19286)

Command description of CAv3 protocol (Source ISO/IEC 19286)

The protocol CAv3 consists of the following two steps (where terminal and eIDAS token are involved):

  1. Perform Key Agreement (based on Anonymous Diffie Hellman (ADH))
    • Kee Agreement is performed in this step of the protocol:
      • MSE:SET AT with CA-OID and reference to private key
      • GENERAL AUTHENTICATE with dynamic authentication data (ephemeral public key)
  2. Perform Pseudonymous Signature Authentication (PSA)
    • Pseudonymous Signature is computed in this step of the protocol:
      • MSE:SET AT with PSA-OID and reference to private key
      • GENERAL AUTHENTICATE with dynamic authentication data (public key for domain-specific identifier)

Additionally, the received sector-specific identifier can be checked if it is black-listed (or white-listed).

On this way the new protocol CAv3 can be used in addition to sign data under a chip and sector specific pseudonym as an alternative to Restricted Identification.