eCard-API-Framework and ISO/IEC 24727-Architecture (slide deck transcript)

© 2011 ecsec GmbH

Posted 05-Jan-2016


Slide 1: eCard-API-Framework (architecture diagram; its labels are listed below layer by layer, top to bottom, with the interface between each pair of layers)

Application-Layer: eHealth-Application, ePA-Application, JobCard, ELSTER, GRTool, Border Control, ...
  eCard-Interface
Identity-Layer: Identity Services (Signature Services, Encryption Services), eID Management, and one convenience service per card or application: ePassportConvenience, ePAConvenience, eHealthConvenience, JobCardConvenience, ELSTERConvenience, ManagementConvenience, ...
  ISO24727-3-Interface, Support-Interface, Mgmt-Interface
Service-Access-Layer: Generic Card Services, configured by CardInfo files (ePassport CardInfo, ePA CardInfo, eGK/HBA CardInfo, ...), Support Services, Management Services
  IFD-Interface
Terminal-Layer: IFD-Handlers: PC/SC 2.0 IFD-Handler (SCARD-Interface), SICCT IFD-Handler (SICCT-Interface), and an IFD-Handler on the CT-API-Interface for MKT, B1 etc.

Slide 2: ISO/IEC 24727-Architecture (figure only; not contained in the transcript)

Slide 3: Example: MSE (MANAGE SECURITY ENVIRONMENT) for Signature Generation (figure only; not contained in the transcript)

Slide 4: CardInfo (figure only; not contained in the transcript)

Slide 5: Signatures with the eCard-API-Framework

Slide 6: Signature (sequence diagram). Participants: App, eSign, SAL, CardInfo, IFD, TV (the viewer component addressed by ShowViewer). The numbered steps of the diagram:

1. App -> eSign: SignRequest(DIDName, Doc)
2. eSign -> SAL: Hash(DIDName, Doc). The SAL reads <HashGenerationInfo> from the CardInfo, possibly issues Transmit(...) to the IFD, and returns the hash value h.
3. eSign -> SAL: ACLList(DIDName). The SAL reads <DIDACL> from the CardInfo and returns <ACL>.
4. eSign: evaluate <ACL>
5. eSign -> TV: ShowViewer(VID, Doc)
6. eSign -> SAL: DIDAuthenticate(PIN). The SAL reads <PinCompareMarker> from the CardInfo and calls VerifyUser(...) on the IFD.
7. eSign -> SAL: Sign(DIDName, h). The SAL reads <CryptoMarker> from the CardInfo and sends a sequence of Transmit(...) calls to the IFD.
8. eSign: possibly create AdES
9. eSign -> App: SignResponse(SigObject)

Slides 7 to 25 show the messages and CardInfo elements for each step of the diagram; only the slide titles survive in the transcript, with the step number each slide refers to.

Slide 7: dss:SignRequest (step 1)

Slide 8: Hash / HashResponse (step 2)

Slide 9: HashGenerationInfo@CardInfo (step 2)

Slide 10: HashGenerationInfo (step 2)

Slide 11: ACLList (step 3)

Slide 12: DIDACL@CardInfo (step 3)

Slide 13: AccessRule (step 3)

Slide 14: Evaluate ACL (step 4)

1. Determine the available DIDs (with CardApplicationPath, CardApplicationConnect, DIDList or direct CardInfo access) and their ACLs (ACLList)
2. Normalise the ACL
3. Perform the appropriate authentication steps
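The three steps on this slide, embedded in the signature flow of the sequence diagram, as an added Python model. It is example code written for this transcript, not ecsec's code and not an implementation of the eCard-API-Framework, whose interfaces are XML/SOAP messages. Everything concrete in it is an assumption constructed for the example: the tuple grammar for access rules (always/never/DIDState/and/or/not, a simplified version of an ISO/IEC 24727-3 SecurityCondition), the DID names PIN.QES and PrK.QES, the CardInfo dictionary, and the card model (three PIN retries, an HMAC standing in for the card's signature). It goes beyond the slide in handling and/or/not combinations in the access rule and a blocked-PIN state, and it shows why the ACL is normalised (step 2): only in disjunctive normal form can the eSign service pick one set of DIDs to authenticate (step 3), and the SAL re-checks the rule against the card's current state before Sign so a blocked PIN cannot be bypassed.

```python
import hashlib
import hmac

# Simplified SecurityCondition grammar (constructed for this example, not the
# TR-03112 schema), as nested tuples:
#   ("always",) | ("never",) | ("DIDState", did) | ("notDIDState", did)
#   | ("and", *conds) | ("or", *conds) | ("not", cond)

def _negate(cond):
    """Push one negation inward (De Morgan) so normalise() only sees literals."""
    tag = cond[0]
    if tag == "always":      return ("never",)
    if tag == "never":       return ("always",)
    if tag == "DIDState":    return ("notDIDState", cond[1])
    if tag == "notDIDState": return ("DIDState", cond[1])
    if tag == "not":         return cond[1]
    if tag in ("and", "or"): return ("or" if tag == "and" else "and", *[_negate(c) for c in cond[1:]])
    raise ValueError(cond)

def normalise(cond):
    """Step 2 of 'Evaluate ACL': disjunctive normal form.  Returns a list of alternatives,
    each a frozenset of (did, must_be_authenticated) literals that must all hold.
    [] = never satisfiable, [frozenset()] = always satisfied."""
    tag = cond[0]
    if tag == "always":      return [frozenset()]
    if tag == "never":       return []
    if tag == "DIDState":    return [frozenset({(cond[1], True)})]
    if tag == "notDIDState": return [frozenset({(cond[1], False)})]
    if tag == "not":         return normalise(_negate(cond[1]))
    if tag == "or":          return [alt for c in cond[1:] for alt in normalise(c)]
    if tag == "and":
        alts = [frozenset()]
        for c in cond[1:]:  # cross product; drop alternatives that need both X and not-X
            alts = [a | b for a in alts for b in normalise(c)
                    if not any((d, not s) in a for d, s in b)]
        return alts
    raise ValueError(cond)

# Constructed CardInfo excerpt: markers, HashGenerationInfo and the DIDACL for Sign.
CARD_INFO = {"DIDs": {
    "PIN.QES": {"Marker": "PinCompareMarker"},
    "PrK.QES": {"Marker": "CryptoMarker", "HashGenerationInfo": "sha256",
                "DIDACL": {"Sign": ("and", ("DIDState", "PIN.QES"),
                                    ("not", ("DIDState", "PIN.QES.blocked")))}},
}}

class Card:
    """Stand-in for the card behind the IFD: a retry counter plus the set of reached
    security states.  An HMAC with a card-internal key stands in for the real signature."""
    def __init__(self, pin, key=b"constructed-card-key"):
        self._pin, self._key, self.retries, self.state = pin, key, 3, set()
    def verify_user(self, did, pin):                     # IFD: VerifyUser(...)
        if self.retries and hmac.compare_digest(pin, self._pin):
            self.retries = 3
            self.state.add(did)
            return True
        self.retries = max(0, self.retries - 1)
        if self.retries == 0:
            self.state.add("PIN.QES.blocked")            # a blocked PIN is a state too
        return False
    def sign(self, h):                                   # IFD: sequence of Transmit(...)
        return hmac.new(self._key, h, "sha256").digest()

class SAL:
    """The SAL calls from the sequence diagram, each driven by the CardInfo."""
    def __init__(self, card, card_info):
        self.card, self.dids = card, card_info["DIDs"]
    def hash(self, did, doc):                            # Hash(DIDName, Doc) -> h
        return hashlib.new(self.dids[did]["HashGenerationInfo"], doc).digest()
    def acl_list(self, did, action):                     # ACLList(DIDName) -> <ACL>
        return self.dids[did]["DIDACL"][action]
    def did_authenticate(self, did, pin):                # DIDAuthenticate(PIN) -> VerifyUser
        if self.dids[did]["Marker"] != "PinCompareMarker":
            raise ValueError("only PinCompare DIDs are modelled here")
        return self.card.verify_user(did, pin)
    def sign(self, did, h):                              # Sign(DIDName, h)
        # Re-check the ACL against the card's current state right before any APDU goes
        # out; the state may have changed (PIN blocked) since eSign evaluated the rule.
        if not any(all((d in self.card.state) == s for d, s in alt)
                   for alt in normalise(self.acl_list(did, "Sign"))):
            raise PermissionError("ACL for Sign on %s not satisfied" % did)
        return self.card.sign(h)

def esign_flow(sal, did_key, doc, pin_provider, show_viewer):
    """Steps 2-9 of the sequence diagram as eSign runs them after SignRequest (step 1)."""
    h = sal.hash(did_key, doc)                           # 2: Hash(DIDName, Doc)
    alts = normalise(sal.acl_list(did_key, "Sign"))      # 3: ACLList, 4: evaluate <ACL>
    for alt in alts:  # first alternative whose negatives hold and whose missing DIDs are PINs
        todo = [d for d, s in alt if s and d not in sal.card.state]
        if (not any(d in sal.card.state for d, s in alt if not s)
                and all(sal.dids.get(d, {}).get("Marker") == "PinCompareMarker" for d in todo)):
            break
    else:
        raise PermissionError("no satisfiable ACL alternative for Sign on " + did_key)
    if not show_viewer(doc):                             # 5: ShowViewer(VID, Doc) before any PIN
        raise PermissionError("user rejected the document in the viewer")
    for d in todo:                                       # 6: DIDAuthenticate(PIN)
        if not sal.did_authenticate(d, pin_provider(d)):
            raise PermissionError("authentication failed for " + d)
    sig = sal.sign(did_key, h)                           # 7: Sign(DIDName, h)
    return {"Hash": h, "SignatureObject": sig}           # 8 (AdES) omitted; 9: SignResponse
```

Two design points are deliberate. The viewer is shown before any PIN is requested, so a user who rejects the document never consumes a retry and the card state stays untouched. And the ACL is evaluated twice: once by eSign to decide which authentications to perform, and again inside SAL.sign against the card's state at that moment, because the set of satisfied security conditions is card state, not something the caller can assert.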

Slide 15: ShowViewer (step 5)

Slide 16: DIDAuthenticate (step 6)

Slide 17: CardInfo excerpt for PinCompareMarker (step 6)

Slide 18: VerifyUser (step 6)

Slide 19: iso:Sign / iso:SignResponse (step 7)

Slide 20: SignatureGenerationInfo@CardInfo (step 7)

Slide 21: SignatureGenerationInfo (step 7)

Slide 22: StateInfo@CardInfo (step 7)

Slide 23: StateInfo (step 7)

Slide 24: State (step 7)

Slide 25: dss:SignResponse (step 9)