Skip to content

Aventra MyEID PKI card

Hannu Honkanen edited this page Nov 11, 2016 · 9 revisions

Aventra MyEID PKI card

Aventra MyEID PKI Card is a cryptographic smart card conforming to common Public Key Infrastructure standards like ISO7816 and PKCS#15. It can be used for various tasks requiring strong cryptography, e. g. logging securely to Windows, encrypting e-mail, authentication, and electronic signatures. The card is also available as a Dual Interface version, compatible with T=CL protocol and also emulating Mifare™. The card is a JavaCard with Aventra MyEID applet that implements the functionality.

The card material is PVC as standard, making it suitable for visual personalisation using thermal transfer or dye sublimation printers. Customer specific layouts can be delivered in offset and silk screen printing. Optional features include magnetic stripe, signature panel, holograms, security printing etc.

The cards can be personalised both visually and electrically by Aventra according to customer specifications, or the customers can personalise the cards themselves using ActivePerso Manager developed by Aventra, or software from other parties.

MyEID is certified by Microsoft and supports Smart Card Plug and Play.

NEW: MyEID version 4 has been released, adding support for Elliptic Curve Cryptography and many other new features.

Aventra MyEID PKI applet

The MyEID applet implements all the basic functionality of a Public Key Infrastructure (PKI) token specified in the most common international PKI standards, such as PKCS#15. Users optionally have a choice between different authentication methods to the token. Besides the standard PIN number, there are currently two other authentication mechanisms available. The GrIDsure® one time PIN is based on a pop-up challenge grid that is used to form a onetime PIN that cannot be used by outsiders watching the authentication. MyEID tokens are also compatible with PalmSecure™ biometric technology, which is based on the unique blood vein patterns in the palm of the user’s hand replacing the PIN.

Technical details

Platform

  • JavaCard™ from 2.2.1 and above, Global Platform 2.1.1

Supported standards and specifications

  • ISO/IEC 7816-4 to 7816-9
  • ISO/IEC 14443 T=CL and Mifare™
  • PKCS#15
  • FINEID S4-1 and S4-2

Other features

  • 512 bit to 2048 bit RSA cryptographic operations with on card key generation
  • Secure random number generator (FIPS 140-2)
  • DES, 3DES, AES128, AES256 symmetric encryption algorithms
  • 80K EEPROM memory
  • Since MyEID 4: ECDSA and ECDH operations.

Compatible software

  • OpenSC
  • Aventra MyEID Minidriver for Windows
  • Aventra ActiveSecurity™ MyClient
  • Fujitsu mPollux DigiSign™ middleware
  • Large number of third party software products that support CSP for Microsoft™ CryptoAPI or PKCS#11 Token Interface

OpenSC support

OpenSC 0.11.4 was the first version that had support for the MyEID card. At that time the patch required was provided by Aventra when requested. Since the version 0.11.10 support for the MyEID card is included to the official release. OpenSC initialization is supported from version 0.12.

MyEID supports 1024 and 2048 bit RSA keys in OpenSC. In OpenSC only normal PIN codes can be used. GrIDsure® and PalmSecure technologies are not supported. These require Aventra ActiveSecurity MyClient software.

Initialization

Cards can be initialized with OpenSC. The myeid.profile file defines the cards structure and access conditions. After initialization the card should be finalized to activate the card (PINs).

The initialization does not create the User PIN (PIN 1). This is done separately. During initialization OpenSC will ask for the Security Officer PIN and PUK and will also create it (can also be specified as parameters with the options “—so-pin” and “—so-puk”).
TIP: When initializing cards, specify the PIN and PUK (with “—pin” and “—puk” parameters) to prevent OpenSC from unnecessarily asking for it several times. You can use any values, because the PIN is not created here.

pkcs15-init -C --pin 1111 --puk 1111
PINs are created in the following way (add at least PIN nbr 1 (User PIN), the SO-PIN was created in the previous step). OpenSC will ask for PIN and related PUK if not specified as parameters. The card supports up to 14 PINs.
pkcs15-init -P -a 1 -l "Basic PIN"
and
pkcs15-init -P -a 2 -l "Sign PIN"

NOTE: When done creating PIN codes, finalize (activate) the card. After this all access conditions (PINs) are in effect. This is not mandatory, but before this is done card elements can be accessed without satisfying specified access conditions (without entering PIN codes).
pkcs15-init -F

0.13.0 myeid.profile error

If you get the following error when using MyEID cards with OpenSC 0.13.0 you unfortunately need to make a small fix to the file myeid.profile.

Couldn't bind to the card: Syntax error

The file-id for “data” should be changed to something else, e.g. 4601:

...
                EF privdata {
                    file-id   = 4501;
                    structure = transparent;
                    acl       = READ=$PIN, UPDATE=$PIN, DELETE=$PIN;
                }
                EF data {
                    file-id   = 4601;
                    structure = transparent;
                    acl       = READ=NONE, UPDATE=$PIN, DELETE=$PIN;
                }
...

Smart card reader configuration

MyEID card uses T=1 protocol. This basically means that the response data is sent with the answer to the command/request. With T=0 protocol the smart card will first answer to the command and tell how much data it will send. Data is then requested separately.

In some environments there has been issues when reading files that exceed some threshold. If you encounter problems when reading larger files from the card (e.g. certificates) with no apparent reason, try to set the readers max_recv_size (max receive size) to e.g. 192, to be on the safe side. You can then try to iterate to find the maximum for your environment.

The setting in the opensc.conf (usually in /etc or /etc/opensc) config file is the following:

...
	reader_driver pcsc {
		# This sets the maximum send and receive sizes.
		# Some reader drivers have limitations, so you need
		# to set these values. For usb devices check the
		# properties with lsusb -vv for dwMaxIFSD
		#
		# max_send_size = 254;
		# max_recv_size = 254;
		max_recv_size = 192;
...		
	}

	reader_driver openct {
...
		# max_send_size = 252;
		# max_recv_size = 252;
		max_recv_size = 192;
...
	};

Links & other information

Card details: Reference manual

Cards can be bought from Aventra as blank cards or according to customer specifications regarding appearance etc. Small quantities of cards and readers can be easily bought from the web shop. For larger quantities contact Aventra sales for a quote.

Aventra Ltd.
Web shop

About Aventra

Aventra is a high tech company specialising in information security products and services. We are especially focusing on Public Key Infrastructure technologies. Most of our products are developed in house.

Aventra offers a complete portfolio of card products ranging from simple plastic cards to high security smart cards and tokens. Our most recent product line features security solutions for mobile applications. We also provide complete services and systems for issuing and managing cards and secure tokens, including card printers and materials.

Aventra logo

Speed

  • RSA 1024 key generation: 0m8.280s
  • RSA 2048 key generation: 0m41.037s

Notes

  • Card requires a PUK code when creating a PIN code (fails to create a PIN without a PUK)
  • Aventra’s MyEID minidriver has passed Microsoft Windows Hardware Certification and it will soon be available from Windows Update (Smart Card Plug and Play). You can also download it here. (2013-01-11)
  • You can not upload custom Java-Applets like the openpgpcard-applet to the Aventra MyEID-card because the card is locked and Aventra refuses to hand out the required PIN.
Clone this wiki locally
You can’t perform that action at this time.