Update:
ISO/IEC 24727 - Identification Cards - Integrated circuit cards programming interfaces
Teresa Schwarzhoff,
U.S. Department of Commerce
Porvoo-12: Grosseto, Italy
Topics
Background/overview ISO/IEC 24727
Part 1 Part 2 Part 3 Part 4 Part 5
Conclusion
ISO/IEC JTC 1 SC 17/WG 4/TF 9
ISO/IEC Joint Technical Committee 1 Sub Committee 17
ISO/IEC JTC 1 SC 17/WG 4: ISO/IEC 24727 work assigned to WG 4 - Task Force 9 (TF 9)
ISO/IEC 24727 built upon NIST smart card ‘interoperability’ specification
TF 9 chaired by U.S. (NIST) and ANSI secretary
TF 9 scope: Standardization of a set of structured programming interfaces for interactions between integrated circuit cards and external applications to include generic services for multi-sector use
Good technical expert representation in TF 9: includes Australia, France, Germany, Japan, UK, US, and TC 224/WG 15
ISO/IEC 24727 multi-part standard
ISO/IEC 24727 – Identification Cards - Integrated circuit cards programming interfaces
Builds upon ISO/IEC 7816
Focuses on services and interfaces
Card type neutral
Contact and contactless agnostic
eID: identification, authentication, and signature services
Goal: Independent implementations that are interchangeable
Why ISO/IEC 24727?
Existing standards: too many options; focus on physical card; lack of interface standardization
Simplification: simplify developer’s life; improve portability
Interoperability: ubiquitous interoperability is what we are all trying to achieve, but it must be kept simple
Interoperability and security, and conformance testing and privacy: “two” sides of the same coin
ISO/IEC 24727: A Standard in 5* Parts
[Figure: layered architecture diagram. Labels, top to bottom: ClientApp 1-4 and TestClient-App; Card Service APIs (cf. ISO/IEC 24727-3); API Layer Implementation; Generic Card Interface (cf. ISO/IEC 24727-2); GCI Layer Implementation; Interface Device Access Mechanism / Interface Device Configuration Selection; Interface Connectivity; Physical Card Services; multi-application ICCs holding CardApp 1-3 and TestCardApp. Side labels: ISO/IEC 24727-4 Security & API Administration; Testing ISO/IEC 24727-2 and Testing ISO/IEC 24727-3 (cf. ISO/IEC 24727-5). Legend: Part 1 - Architecture; Part 2 - Generic Card Interface; Part 3 - Application Programming Interface; Part 4 - API Administration; Testing; Application.]
* To be discussed in future slide
ISO/IEC 24727-1
ISO/IEC 24727 Identification Cards - Integrated circuit cards programming interfaces – Part 1: Architecture
Overarching framework
Common terminology
Logical architecture for framework
Status: Published, available for purchase via your national body standards group or the ISO on-line store
ISO/IEC 24727-2
ISO/IEC 24727 Identification Cards - Integrated circuit cards programming interfaces – Part 2: Generic card interface
Common card interface
7816 toolkit fine-tuning
Discovery mechanism: Card capability description (CCD); Application capability description (ACD)
ISO/IEC 20060
ISO/IEC 7816-15
Status: FDIS ballot anticipated November 2007; anticipate IS Spring 2008
ISO/IEC 24727-3
ISO/IEC 24727 Identification Cards - Integrated circuit cards programming interfaces – Part 3: Application interface
New territory for smart card standards
Normative API/middleware
Normative authentication protocols
Normative services: Connection; Card application discovery and retrieval; Identity; Cryptographic; Authorization
Status: Learning curve for committee technical experts: not about the ‘card’ but rather card-applications; FCD ballot launched last Friday, 14 September; anticipate FDIS in Spring 2008
Example of actions for a service found in ISO/IEC 24727-3:
Connection service
Initialize
Terminate
CardApplicationPath
CardApplicationConnect
CardApplicationDisconnect
CardApplicationStartSession
CardApplicationEndSession
Authentication protocols
PIN
password
symmetric key
asymmetric key
digital certificate
biometric image or template
pair of symmetric keys; e.g., one for encryption and one for message authentication code (MAC) generation
Name of authentication protocol: General definition of protocol
ASYMMETRIC INTERNAL AUTHENTICATE: Fetch certificate; send challenge to be signed (on-card); validate (off-card) signature based on certificate
ASYMMETRIC EXTERNAL AUTHENTICATE: Fetch challenge; sign (off-card) and validate signature (on-card)
SYMMETRIC INTERNAL AUTHENTICATE: Send challenge to be signed (on-card); validate signature (off-card)
SYMMETRIC EXTERNAL AUTHENTICATE: Fetch challenge; sign challenge (off-card); validate signature (on-card)
COMPARE: Match input parameter with marker
PIN COMPARE: Match input parameter with marker and limiting number of incorrect compares – reset on successful compare
BIOMETRIC COMPARE: Translate input parameter to template form and compare with base template
SYMMETRIC KEY NONCE: Mutual authenticate of card-application and client-application plus generation of session keys
ANYBODY: NULL authentication protocol
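A small model of two rows from the table above, PIN COMPARE and SYMMETRIC EXTERNAL AUTHENTICATE, added here as an illustration; it is not taken from the presentation or from ISO/IEC 24727-3. The class and function names, the retry limit of 3 and the use of HMAC-SHA-256 as the symmetric "signature" are assumptions, since the page does not give the standard's encodings or algorithms.

```python
import hashlib
import hmac
import secrets


class ModelCardApplication:
    """Hypothetical on-card side; models behaviour only, not the 24727-3 wire format."""

    def __init__(self, pin: str, key: bytes, max_tries: int = 3):
        self._pin = pin.encode()
        self._key = key
        self._max_tries = max_tries      # assumed limit; the page gives no number
        self.tries_left = max_tries
        self._challenge = None

    def pin_compare(self, candidate: str) -> bool:
        """PIN COMPARE: limited incorrect compares, counter reset on success."""
        if self.tries_left == 0:
            return False                 # blocked: even the right PIN is refused
        ok = hmac.compare_digest(candidate.encode(), self._pin)
        self.tries_left = self._max_tries if ok else self.tries_left - 1
        return ok

    def get_challenge(self) -> bytes:
        """Step 1 of SYMMETRIC EXTERNAL AUTHENTICATE: client fetches a challenge."""
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def external_authenticate(self, response: bytes) -> bool:
        """Step 3: validate on-card. The challenge is single use, so a replay fails."""
        challenge, self._challenge = self._challenge, None
        if challenge is None:
            return False
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def client_sign(key: bytes, challenge: bytes) -> bytes:
    """Step 2: off-card side computes the response over the fetched challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)             # constructed sample key
    card = ModelCardApplication("1234", shared_key)  # constructed sample PIN
    print("PIN ok:", card.pin_compare("1234"))
    resp = client_sign(shared_key, card.get_challenge())
    print("external auth ok:", card.external_authenticate(resp))
    print("replay accepted:", card.external_authenticate(resp))
```

The model shows the two properties a reviewer would check in an implementation: the retry counter blocks the card application once exhausted, and a response is valid only for the challenge most recently issued.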
ISO/IEC 24727-4
ISO/IEC 24727 Identification Cards - Integrated circuit cards programming interfaces – Part 4: API administration
Implementation details of Part 2 and Part 3 interactions
Normative security architecture and stack configurations
Normative IFD API
TLS protocol
Status: FCD launched October 2007; FDIS anticipated Spring 2008
ISO/IEC 24727-5
ISO/IEC 24727 Identification Cards - Integrated circuit cards programming interfaces – Part 5: Testing
Test requirements as technical text is developed
Testing levels and modular approach
Status: Parts 2, 3, and 4 maturity/stability prerequisite has been met; Part 5 WD under modification to reflect recent decisions on the three parts
TF 9 meeting - November
Goal: CD late Spring 2008
NEW: ISO/IEC 24727-6
ISO/IEC 24727 Identification Cards - Integrated circuit cards programming interfaces – Part 6: Registration authority procedures for the authentication protocols for interoperability
Decision taken at recent WG 4 meeting to establish a RA for future ISO/IEC 24727 authentication protocols
RA streamlines introduction of new normative authentication protocols
Lead: Standards Australia
ISO/IEC 24727 interoperability goals
Re-use of middleware and tokens
Independence of middleware
Independence of tokens
Independence of token administration
Independence of component certification
Challenges
Existing investments, application neutrality
Maintaining progress: ISO process; learning curve – have reached the right side of the bell curve!
Sustain simple, forward-looking, verifiable approach: avoid options; think beyond the ‘plastic’; conformance testing
Global standard synchronization: global eID projects; standard activities in other areas
Who is using the standard?
Australia: Australian access card for social services; Queensland drivers license (trailblazer, beginning in 2005)
Europe: EU Citizen Card; German health card
US: Future migration for federal government credential mandated by FIPS 201 (PIV)
Contact Information:
Teresa Schwarzhoff
U.S. Department of Commerce, NIST
schwarzhoff@nist.gov
301.975.5727
Thank you.
Questions….
The best standard is one in which everyone is equally happy (and unhappy).