23 research outputs found

    Smart Tachograph: Cryptographic keys and digital certificates sample set

    In order to aid manufacturers, component personalisers, certification authorities and other Digital Tachograph stakeholders with the development and testing of equipment and systems complying with the Generation-2 Smart Tachograph specifications, a comprehensive set of Generation-2 sample cryptographic keys and digital certificates has been developed. This document serves to detail the contents of this sample set and the values chosen for individual fields in the certificates. It also explains which kind of tests can be done using the cryptographic material in the set, as well as identifying some tests that cannot be done with this set. JRC.E.3-Cyber and Digital Citizens' Securit

    Smart Tachograph: User manual for the sample cryptographic keys and digital certificates Generation Tool

    In order to aid manufacturers, component personalisers, certification authorities and other Digital Tachograph stakeholders with the development and testing of equipment and systems complying with the Generation-2 Smart Tachograph specifications, a tool has been developed that can be used to generate sample cryptographic keys and digital certificates. Stakeholders may use this tool to generate keys and certificates with specific properties for their testing purposes. JRC.E.3-Cyber and Digital Citizens' Securit

    Doubly-refined enumeration of Alternating Sign Matrices and determinants of 2-staircase Schur functions

    We prove a determinantal identity concerning Schur functions for 2-staircase diagrams lambda=(ln+l',ln,l(n-1)+l',l(n-1),...,l+l',l,l',0). When l=1 and l'=0 these functions are related to the partition function of the 6-vertex model at the combinatorial point and hence to enumerations of Alternating Sign Matrices. A consequence of our result is an identity concerning the doubly-refined enumerations of Alternating Sign Matrices. Comment: 23 pages, 3 figure

    Smart Tachograph - Instructions for using the Test Service for MSCA – ERCA interactions

    In the context of the Smart Tachograph cryptographic infrastructure the ERCA (European Root Certificate Authority) provides a service to test the implementation of MSCA (Member State Certificate Authorities) applications. This document contains instructions for MSCAs wishing to use the Test Service for MSCA – ERCA interactions. The service consists of two separate sub-services, one for testing MSCA – ERCA interactions for the issuance of Production cryptographic keys and certificates and one for testing MSCA – ERCA interactions for the issuance of Interoperability Testing cryptographic keys and certificates. The Test Service allows an MSCA to verify that the format and contents of Certificate Signing Requests (CSR) and Key Distribution Requests (KDR) generated by their MSCA software are correct. Additionally, the MSCA may use the test MSCA certificates and Key Distribution Messages (KDM) returned by the ERCA to verify that their software is capable of importing and processing these messages. JRC.E.3-Cyber and Digital Citizens' Securit

    Smart Tachograph - Certificate signing requests, key distribution requests and key distribution messages sample set

    The second generation Digital Tachograph system, called Smart Tachograph, has been introduced by Regulation (EU) No 165/2014 of the European Parliament and of the Council. Annex 1C of the Commission Implementing Regulation (EU) 2016/799 [2] lays down the technical requirements for the construction, testing, installation, operation and repair of Smart Tachographs and their components. In particular Appendix 11 (Common Security Mechanisms) of Annex 1C specifies the security mechanisms of the Smart Tachograph, which are based on public-key and symmetric key cryptographic systems. A Public Key Infrastructure (PKI) has been designed to support the public-key cryptographic systems, while the symmetric cryptographic systems rely on master keys that have to be delivered to the relevant actors. In particular an infrastructure consisting of three layers has been set up. At the European level, the European Root Certification Authority (ERCA) is responsible for the generation and management of root public-private key pairs, with the respective certificates, and symmetric master keys. The ERCA issues certificates to Member State Certification Authorities (MSCAs) and distributes symmetric master keys to the MSCAs. The format of messages used to request and to distribute certificates and keys between the MSCAs and the ERCA, namely certificate signing requests (CSRs), key distribution requests (KDRs) and key distribution messages (KDMs), is specified in the ERCA Policy. The present document describes a sample set of CSRs, KDRs and KDMs that can be used by the Smart Tachograph stakeholders as reference material for the implementation of their systems. JRC.E.3-Cyber and Digital Citizens' Securit

    Smart Tachograph - European Root Certificate Policy and Symmetric Key Infrastructure Policy

    The second generation Digital Tachograph system, called Smart Tachograph, has been introduced by Regulation (EU) No 165/2014 of the European Parliament and of the Council. Annex 1C of the Commission Implementing Regulation (EU) 2016/799 [2] lays down the technical requirements for the construction, testing, installation, operation and repair of Smart Tachographs and their components. In particular Appendix 11 (Common Security Mechanisms) of Annex 1C specifies the security mechanisms of the Smart Tachograph, which are based on public-key and symmetric key cryptographic systems. A Public Key Infrastructure (PKI) has been designed to support the public-key cryptographic systems, while the symmetric cryptographic systems rely on master keys that have to be delivered to the relevant actors. In particular an infrastructure consisting of three layers has been set up. At the European level, the European Root Certification Authority (ERCA) is responsible for the generation and management of root public-private key pairs, with the respective certificates, and symmetric master keys. The ERCA issues certificates to Member State Certification Authorities (MSCAs) and distributes symmetric master keys to the MSCAs. The MSCAs are responsible for the issuance of Smart Tachograph equipment certificates, as well as for the distribution of symmetric master keys and other data derived from the master keys to be installed in Smart Tachograph equipment. This document forms the Certificate Policy (CP) for the PKI at the ERCA level. It lays down the policy at ERCA level for key generation, key management and certificate signing for the Smart Tachograph system. For the ERCA to issue certificates to an MSCA or to distribute symmetric keys to an MSCA, the MSCA shall comply with requirements also laid down in this document. JRC.E.3-Cyber and Digital Citizens' Securit

    Cybersecurity, our digital anchor: A European perspective

    The Report ‘Cybersecurity – Our Digital Anchor’ brings together research from different disciplinary fields of the Joint Research Centre (JRC), the European Commission's science and knowledge service. It provides multidimensional insights into the growth of cybersecurity over the last 40 years, identifying weaknesses in the current digital evolution and their impacts on European citizens and industry. The report also sets out the elements that potentially could be used to shape a brighter and more secure future for Europe’s digital society, taking into account the new cybersecurity challenges triggered by the COVID-19 crisis. According to some projections, cybercrime will cost the world EUR 5.5 trillion by the end of 2020, up from EUR 2.7 trillion in 2015, due in part to the exploitation of the COVID-19 pandemic by cyber criminals. This figure represents the largest transfer of economic wealth in history, more profitable than the global trade in all major illegal drugs combined, putting at risk incentives for innovation and investment. Furthermore, cyber threats have moved beyond cybercrime and have become a matter of national security. The report addresses relevant issues, including:

    - Critical infrastructures: today, digital technologies are at the heart of all our critical infrastructures. Hence, their cybersecurity is already – and will become increasingly – a matter of critical infrastructure protection (see the cases of Estonia and Ukraine).
    - Magnitude of impact: the number of citizens, organisations and businesses impacted simultaneously by a single attack can be huge.
    - Complexity and duration of attacks: attacks are becoming more and more complex, demonstrating attackers’ enhanced planning capabilities. Moreover, attacks are often only detected post-mortem.
    - Computational power: the spread of malware also able to infect mobile and Internet of Things (IoT) devices (as in the case of Mirai botnet), hugely increases the distributed computational power of the attacks (especially in the case of denial of services (DoS)). The same phenomenon makes the eradication of an attack much more difficult.
    - Societal aspects: cyber threats can have a potentially massive impact on society, up to the point of undermining the trust citizens have in digital services. As such services are intertwined with our daily life, any successful cybersecurity strategy must take into consideration the human and, more generally, societal aspects.

    This report shows how the evolution of cybersecurity has always been determined by a type of cause-and-effect trend: the rise in new digital technologies followed by the discovery of new vulnerabilities, for which new cybersecurity measures must be identified. However, the magnitude and impacts of today's cyber attacks are now so critical that the digital society must prepare itself before attacks happen. Cybersecurity resilience along with measures to deter attacks and new ways to avoid software vulnerabilities should be enhanced, developed and supported. The ‘leitmotiv’ of this report is the need for a paradigm shift in the way cybersecurity is designed and deployed, to make it more proactive and better linked to societal needs. Given that data flows and information are the lifeblood of today’s digital society, cybersecurity is essential for ensuring that digital services work safely and securely while simultaneously guaranteeing citizens’ privacy and data protection. Thus, cybersecurity is evolving from a technological ‘option’ to a societal must.

    From big data to hyperconnectivity, from edge computing to the IoT, to artificial intelligence (AI), quantum computing and blockchain technologies, the ‘nitty-gritty’ details of cybersecurity implementation will always remain field-specific due to specific sectoral constraints. This brings with it inherent risks of a digital society with heterogeneous and inconsistent levels of security. To counteract this, we argue for a coherent, cross-sectoral and cross-societal cybersecurity strategy which can be implemented across all layers of European society. This strategy should cover not only the technological aspects but also the societal dimensions of ‘behaving in a cyber-secure way’. Consequently, the report concludes by presenting a series of possible actions instrumental to building a European digital society secure by design. JRC.E.3-Cyber and Digital Citizens' Securit

    Weakening ePassports through Bad Implementations

    Different countries issue an electronic passport embedding a contactless chip that stores the holder data (ePassport). Due to the sensitive nature of the information present on such a chip, the relevant data must not be accessible without authorization. For this reason, an access control mechanism based on symmetric cryptography called Basic Access Control (BAC) has been introduced to regulate the chip access and encrypt its communication. In this work we present the flaws we have found in some implementations of the software hosted on ePassport chips and how they affect BAC, reducing its key space and opening a door for MITM attacks. The results of this paper could be exploited as a first guide for reviewing and refining existing ePassport implementations. JRC.G.7-Digital Citizen Securit

    “Internet of Smart Cards”: a Pocket Attacks Scenario

    Smart cards are secure devices used to store people's sensitive data and to regulate important operations like identity proofs and payment transactions. For years people have been used to contact smart cards but in the last decade we have seen the massive introduction of contactless smart cards. At the same time we have seen a growing number of mobile phones equipped with an NFC interface in circulation, which are capable of interacting with contactless smart cards. Under different circumstances the user’s contactless cards and mobile phone are kept close together at a distance that should enable them to interact with each other, for instance in pockets and bags. We describe an architecture to attack the contactless cards of a user through his NFC-equipped mobile phone. The user’s mobile phone, here defined as smart-mole, is infected and connected to the NFC-equipped one of the attacker, the proxy. The victim’s phone capabilities are exploited to run local attacks against a contactless card in its range, for instance to recover the card PIN that is then sent back to the attacker. Subsequently the attacker remotely uses the victim’s card through a relay attack putting his phone in front of a reader and providing the PIN of the victim card when needed, basically impersonating the cardholder. By infecting several phones an attacker could have under his control a large set of cards, a sort of “Internet of Smart Cards”. We show that, surveying a decade of research and development in the contactless cards field, such attacks look feasible according to the current social context and the level of technology. We also discuss how they could be methodologically applied by an attacker to defeat the different measures currently adopted to secure contactless cards. JRC.E.3-Cyber and Digital Citizens' Securit