4 Security Architecture
Well-designed security architectures are crucial to protecting the structure and function of cards within the GlobalPlatform system.
This chapter outlines:
• The security goals behind the architecture;
• The specific responsibilities of the Card Issuer as the owner of the card;
• The Application Providers as the owners of the Applications;
• The Controlling Authority;
• The security requirements for the on-card components;
• The cryptographic support provided by GlobalPlatform.
4.1 Goals
The primary goal of the GlobalPlatform is to ensure the security and integrity of the card's components for the life of the card. These components are:
• The runtime environment;
• The OPEN;
• The Issuer Security Domain;
• Supplementary Security Domains;
• The Applications.
To ensure card security and integrity, the GlobalPlatform is designed to support a range of secure mechanisms for:
• Data integrity;
• Resource availability;
• Confidentiality;
• Authentication.
The choice of security policy and cryptography is assumed to be industry and product specific. Because the cards are only part of a larger card system involving multiple parties and off-card components, the GlobalPlatform also relies upon non-cryptographic, procedural means of protection, such as code testing and verification, physical security, and secure key handling. However, these aspects are out of scope for this card specification.
4.2 Security Responsibilities and Requirements
4.2.1 Card Issuer's Security Responsibilities
The Card Issuer is responsible for:
• Generating and loading the Issuer Security Domain keys;
• Enforcing standards and policies for Application Providers governing all aspects of Applications to be provided to the Card Issuer or operated on the Card Issuer's cards;
• Working with Application Providers to create and initialize Security Domains other than the Issuer Security Domain;
• Determining policy with regards to card and Application Life Cycle management, velocity checking levels, privileges, and other security parameters;
• Managing the application code loading and installing both on a Pre-Issuance and Post-Issuance basis, and
• Cryptographically authorizing load, install, and extradition to be performed by Application Providers.
4.2.3 Controlling Authority's Security Responsibilities
A Controlling Authority is responsible for:
• Generating the keys for its own Security Domain or obtaining Security Domain keys from a trusted third party;
• Working with the Card Issuer to load generated keys into the Controlling Authority's Security Domain;
• Providing load file data block signatures according to its own security policy for integrity and source authenticity.
4.2.4 On-Card Components' Security Requirements
4.2.4.1 Runtime Environment Security Requirements
The runtime environment is responsible for:
• Providing an interface to all Applications that ensures that the runtime environment security mechanisms cannot be bypassed, deactivated, corrupted or otherwise circumvented;
• Performing secure memory management to ensure that:
- Each application's code and data (including transient session data) as well as the runtime environment itself and its data (including transient session data) is protected from unauthorized access from within the card;
- When more than one logical channel is supported, each concurrently selected Application's code and data (including transient session data) as well as the runtime environment itself and its data (including transient session data) is protected from unauthorized access from within the card;
- The previous contents of the memory are not accessible when that memory is reused;
- The memory recovery process is secure and consistent in case of a loss of power or withdrawal of the card from the card reader while an operation is in progress;
• Providing communication services with off-card entities that ensure the proper transmission (according to the specific communication protocol rules) of unaltered command and response messages. (See the appropriate runtime environment documentation for more details).
4.2.4.2 Trusted Framework Requirements
Each Trusted Framework present on the card shall:
• Check the application access rules of the inter-acting Applications according to their respective privileges;
• Enforce the Trusted Framework security rules for inter-application communication, including the rules defined in appendix G;
• Ensure that incoming messages are properly routed unaltered to their intended destinations;
• Ensure that any response messages are properly returned unaltered (except for any cryptographic protection) to the original receiver of the incoming message.
4.2.4.3 OPEN Security Requirements
The OPEN shall:
• Provide an interface to all Applications that ensures that the GlobalPlatform security mechanism cannot be bypassed, deactivated, corrupted or otherwise circumvented;
• Check application access rules according to the Applications' privileges;
• Manage card and Application Life Cycle (see chapter 5 - Life Cycle Models);
• Ensure that the Card Content changes are authorized by the Card Issuer;
• Ensure that application code has been signed by the Controlling Authority represented on the card;
• Ensure that application code has been signed by Application Providers represented on the card, if required.
4.2.4.4 Security Domain Security Requirements
Security Domains enforce the security policies of their off-card Security Domain Provider.
When applicable, a Security Domain shall:
• Communicate with off-card entities in accordance with its Security Domain Provider's security policy in Pre-Issuance and Post-Issuance;
• Manage on-card data securely;
• Provide cryptographic protection services for its own Applications during their personalization and optionally during their subsequent operation;
• Request the OPEN to load, install, extradite, and delete card content;
• Return to the off-card entity any receipt for load, install, extradition, and delete;
• Verify the authorization for Card Content changes initiated by an off-card authority;
• Generate receipts for load, install, extradition, and delete;
• Verify the load file data block signature when requested by the OPEN.
4.2.4.5 Global Services Application Security Requirements
A Global Services Application shall:
• Be able to provide services to other Applications, such as CVM services;
• Hold the Global Services application-related data securely;
• Perform internal security measures as required by the service.
4.2.4.6 Application Security Requirements
Applications should:
• Expose only data and resources that are necessary for proper application functionality; and
• Perform internal security measures required by the Application Provider.
4.2.5 Back-End System Security Requirements
Despite the best efforts of the card and the loading processes to provide a stable and secure environment, these components alone cannot ensure total security. The back-end systems (multiple back-end systems may exist for a single card), which communicate with the cards, perform the verifications, and manage the off-card key databases, also shall be trusted. Responsible personnel, secure operating systems, system security policies, and audit procedures are all essential components that secure the back-end systems. These requirements are beyond the scope of this Specification.
Information on GlobalPlatform's off-card requirements relating to card management can be found in the GlobalPlatform Key Management System Functional Requirements, GlobalPlatform Smart Card Management System Functional Requirements and GlobalPlatform Messaging Specification.
4.3 Cryptographic support
One of the major requirements for a GlobalPlatform card is the ability to provide a minimum level of cryptographic functionality. This cryptography is, for example, used for the generation of signatures, and is available for use by the Applications present on the card.
The Issuer Security Domain shall implement one Secure Channel Protocol. A Security Domain other than the Issuer Security Domain shall implement [at least] one Secure Channel Protocol. A GlobalPlatform card should support symmetric cryptography such as the Data Encryption Standard (DES) algorithm. A GlobalPlatform card may also support asymmetric cryptography such as the Rivest / Shamir / Adleman (RSA) algorithm.
The following cryptographic services are described in this section:
• Integrity and authentication;
• Secure messaging.
When present, services to encrypt and decrypt any pattern of data using these algorithms shall be available to Applications.
It is the responsibility of the Card Issuer or the Controlling Authority to set up the appropriate off-card procedures to comply with the governmental restrictions upon cryptography. Features to disable or restrict cryptography usage by Applications on a card are beyond the scope of this Specification.
4.3.1 Secure Card Content Management
The concepts of integrity and authentication represent an additional value associated with a message or a block of data.
The purpose of this additional value is to provide a method of verifying the source and/or the integrity of a particular block of code or data.
The following describes the different usages of integrity and authentication for Card Content management in this Specification.
4.3.1.1 Load File Data Block Hash
The Load File Data Block Hash is intended to verify the integrity of a complete Load File Data Block when loaded to a GlobalPlatform card.
The Load File Data Block Hash is used in the computation of:
• The Load File Data Block Signature (see section 4.3.1.2 - Load File Data Block Signature); and
• The Load Token (see section 4.3.1.3 - Delegated Management Tokens).
4.3.1.2 Load File Data Block Signature (DAP)
The Load File Data Block Signature is an authentication value generated by an off-card entity (an Application Provider or a Controlling Authority). This is the signature of the Load File Data Block Hash and is included in the DAP Block of the Load File. One or more DAP Blocks may be included in a Load File.
When present during the loading of a Load File to the card, each signature shall be verified by the appropriate Security Domain. The verification operation is referred to as Data Authentication Pattern (DAP) Verification.
4.3.1.3 Delegated Management Tokens
Delegated Management Tokens are signatures of one or more Delegated Management functions (loading, installing, extraditing and deleting) generated by the Card Issuer and used to provide the Card Issuer the control over these Card Content changes. Tokens shall be verified by the appropriate Security Domain.
4.3.1.4 Receipts
The appropriate Security Domain may generate Receipts during Delegated Management. A Receipt is proof that an Application Provider has modified the Card Content.
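The chain described in sections 4.3.1.1 to 4.3.1.4 (hash, DAP signature, Load Token, Receipt), as an added example that is not part of the specification. HMAC-SHA-256 is a stand-in for the hash and signature algorithms, which this chapter does not fix, so the verifier here shares the signer's key; the keys, field layout and all names are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed demo keys (assumptions); real keys are held by the Security Domains.
CA_DAP_KEY = b"constructed-controlling-authority-key"
ISSUER_TOKEN_KEY = b"constructed-card-issuer-key"
RECEIPT_KEY = b"constructed-receipt-key"


def load_file_data_block_hash(blocks):
    """Hash the complete Load File Data Block, whatever chunks it arrives in."""
    h = hashlib.sha256()
    for block in blocks:
        h.update(block)
    return h.digest()


def sign(key, *fields):
    """Stand-in signature: HMAC-SHA-256 over length-prefixed fields (assumed layout)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        mac.update(len(field).to_bytes(2, "big") + field)
    return mac.digest()


def verify_load(blocks, dap, load_token, load_params):
    """On-card checks: recompute the hash, verify the DAP, verify the Load Token."""
    digest = load_file_data_block_hash(blocks)
    if not hmac.compare_digest(dap, sign(CA_DAP_KEY, digest)):
        return None  # DAP Verification failed: integrity or source not established
    if not hmac.compare_digest(load_token, sign(ISSUER_TOKEN_KEY, load_params, digest)):
        return None  # load not authorized by the Card Issuer
    return sign(RECEIPT_KEY, load_params, digest)  # Receipt for the off-card entity


# Off-card side, with constructed sample data.
LOAD_FILE = [b"constructed-code-part-1", b"constructed-code-part-2"]
LOAD_PARAMS = b"constructed-load-file-id|constructed-security-domain-id"
FILE_HASH = load_file_data_block_hash(LOAD_FILE)
DAP = sign(CA_DAP_KEY, FILE_HASH)                           # Controlling Authority
LOAD_TOKEN = sign(ISSUER_TOKEN_KEY, LOAD_PARAMS, FILE_HASH)  # Card Issuer

if __name__ == "__main__":
    receipt = verify_load(LOAD_FILE, DAP, LOAD_TOKEN, LOAD_PARAMS)
    print("receipt:", receipt.hex())
    tampered = [LOAD_FILE[0], b"constructed-code-part-X"]
    print("tampered load accepted:", verify_load(tampered, DAP, LOAD_TOKEN, LOAD_PARAMS) is not None)
```

Because both the DAP and the Load Token are computed over the same Load File Data Block Hash, a single altered byte in any loaded block invalidates both checks.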
4.3.2 Secure Communication
A GlobalPlatform card may provide security services related to information exchanged between the card and an off-card entity. The security level of the communication with an off-card entity does not necessarily apply to each individual message being transmitted but can only apply to the environment and/or context in which messages are transmitted. The concept of the Life Cycle of the card (see section 5.1 - Card Life Cycle) may be used to determine the security level of the communication between the card and an off-card entity.
The choice of cryptographic algorithms for secure communication is assumed to be industry and product specific.
A GlobalPlatform card offers the following security services associated with messages and defined within a Secure Channel Protocol (see chapter 10 - Secure Communication):
• Entity authentication - in which the card or the off-card entity proves its authenticity to the other entity through a cryptographic exchange;
• Integrity and authentication - in which the receiving entity (the card or off-card entity) ensures that the data being received from the sending entity (respectively the off-card entity or card) actually came from an authenticated entity in the correct sequence and has not been altered;
• Confidentiality - in which data being transmitted from the sending entity (the off-card entity or card) to the receiving entity (respectively the card or off-card entity) is not viewable by an unauthenticated entity.
Authentication of the off-card entity combined with the card Life Cycle State allows the card to assume its environment and/or context.