Global Standards
Jeff Stapleton
OASIS – February 9, 2012
Agenda
• International and Domestic Organizations
‒ ISO, CEN, ANSI, NIST, PCI, IETF, others…
• Standards Consensus Process
‒ NWIP, CD, WD, Draft Standard, Standard…
• Security and Standards
‒ ISO TC68, CEN, X9
‒ X9F1 Cryptographic Tools
‒ X9F4 Cryptographic Protocols and Application Security
‒ X9F6 Cardholder Authentication
International and Domestic Organizations
ISO: (1946)
• 172 countries
• 248 Technical Committees
• ~3000 standards
TC68: Financial Services (1948)
• 63 countries
• 11 Subgroups
• 50 standards
JTC1: ICT Standards (1987)
• 85 countries
• 19 Subgroups
• 357 standards
ANSI: USA National Body (1918)
• 820 organizations
• 284 accredited groups
X9: Financial Services (1984)
• 150 organizations
• 15 subgroups
• 115 standards
INCITS: IT Standards (1961)
• 1700 organizations
• 40 subgroups
• (?) standards
IETF: Internet (1986)
• Thousands individuals
• 118 subgroups
• 5734 specifications
NIST: Federal (1901)
• ~30 subgroups
• +10,000 documents
• Formerly NBS
PCI SSC (2006)
• 520 members
• 3 standards
• ~24 documents
CEN: European (1991)
• 27 countries of EU + 4
• 390+ Subgroups
• ~1000 standards
Diagram: Self-Recognized and Internationally Recognized Organizations – ISO (with TC68 and JTC1), ANSI (USA Member of ISO), X9 and INCITS (each a US TAG), NIST, IETF, PCI, CEN and OASIS.
Standards Consensus Process
• NWIP – New Work Item Proposal
‒ Five (5) Board Level Sponsors
‒ X9 Ballot Approved – Assigned X9 number and workgroup
• WD – Working Draft
‒ X9F4 vote
‒ Comment Resolution
• CD – Committee Draft
‒ X9F Ballot
‒ Comment Resolution(s)
• DS – Draft Standard
‒ X9 Ballot
‒ Comment Resolution
‒ ANSI Review (ANSI and X9 Procedures)
• ANS – American National Standard
‒ ISO: US submission to ISO TC68
Security and Standards
Security Area | International | Domestic
• Mobile Commerce | TC68/SC7: Core Banking; TC68/SC7/WG10: Mobile (ISO 12812) | X9AB Payments
• Crypto Algorithms | TC68/SC2: Security; TC68/SC2/WG11: Crypto | X9F, X9F1
• PKI | TC68/SC2/WG8: PKI | X9F4
• PIN, Debit, Payment | TC68/SC2/WG13: Retail | X9F6
• Wireless | – | X9F4 (X9.112)
• Biometrics | TC68/SC2/WG10: Biometrics | X9F4 (X9.84)
• Timestamps | JTC1/SC27: Timestamps | X9F4 (X9.95)
• Mutual Authentication | – | X9F4 (X9.117)
• Cloud Security | – | X9F4 (X9.125)
• Securities | TC68/SC4: Securities | X9D
• PPI | CEN/WS XFS | –
• ICT | ISO/IEC JTC1 | INCITS
X9F Data and Information Security Subcommittee
X9F1 Cryptographic Tools
Published Standards
• X9.31 RSA Digital Signatures
• X9.42 DH Key Agreement
• X9.44 RSA Key Transport
• X9.62 ECDSA
• X9.63 ECC Key Agreement
• X9.80 Prime Number Generation
• X9.82 Random Number Generation
• X9.92 ECPVS Signatures
• X9.98 LBP Key Establishment
• X9.102 Key Wrapping
• X9 Registry
Works in Progress
• X9.123 ECC Implicit Certificates
• X9.124 FPE
Topics
• Symmetric Algorithms
• Asymmetric Algorithms
• Digital Signatures
• Hashing Algorithms
• Number Generation
• Key Establishment
‒ Key Transport
‒ Key Agreement
X9F Data and Information Security Subcommittee
X9F4 Cryptographic Protocols and Application Security
Published Standards
• X9.69 Key Management Extensions
• X9.73 CMS – ASN.1 and XML
• X9.79 Public Key Infrastructure
‒ Part 1: Policy and Practices
• X9.84 Biometric Security
• X9.95 Trusted Time Stamp
• X9.112 Wireless Security
‒ Part 1: General Requirements
• X9.111 Penetration Testing
• TR-37 Migration from DES
Works in Progress
• X9.117 Secure Remote Access
• X9.79 Public Key Infrastructure
‒ Part 3: Certificate Management
‒ Part 4: Asymmetric Key Management
• X9.112 Wireless Security
‒ Part 2: ATM and POS
‒ Part 3: Mobile Security
• X9.125 Cloud Security
ISO Standardization
• ISO 15782 Certificates
• ISO 12812 Mobile
• ISO 19092 Biometrics
• ISO 21188 PKI
X9F Data and Information Security Subcommittee
X9F6 Cardholder Authentication and ICC
Published Standards
• X9.8 PIN Security
• X9.24 Key Management
‒ Part 1: Symmetric Keys
‒ Part 2: Asymmetric Keys
• TR-39 (TG-3) PIN Audit
‒ Part 1: Acquirer Assessment
• X9.97 Cryptographic Devices
• TR-31 Key Block
• TR-34 RSA Key Transport
Works in Progress
• TR-39 (TG-3) PIN Audit
‒ Part 2: Issuer Assessment
• X9.119 Sensitive Payment Data
‒ Part 1: Encryption
‒ Part 2: Tokenization
• X9.122 Consumer Authentication
ISO Standardization
• ISO 9564 PIN Security
• ISO 11568 Key Management
• ISO 13491 Cryptographic Devices
Authentication Standards
• PIN Management and Security
‒ ISO 9564 PIN Management and Security
‒ X9.8 (ANSI version of ISO 9564 with 12 USA notes)
• Password Management and Security (no ANSI or ISO standard)
‒ DoD CSC-STD-002-85 Green Book
‒ FIPS 112 (withdrawn 2005)
‒ FIPS 181 Automated Password Generator
‒ NIST Special Pub 800-63 Electronic Authentication
• Payment Cards
‒ ISO/IEC 7812 Identification Cards – Identification of Issuers (Track 1, Track 2)
‒ ISO/IEC 4909 Identification Cards – Magnetic Stripe Data Content for Track 3
‒ ISO/IEC 7816 Identification Cards – Integrated Circuit Cards (ICC)
• Biometric Information Management and Security
‒ ISO 19092 Financial Services – Biometrics – Security Framework
‒ X9.84 Biometric Information Management and Security
ISO and ANSI Standard
Responsible groups (slide margin labels): X9F6, JTC1, X9F4
Cryptography Standards
• Symmetric Algorithms
‒ FIPS 46-3 Data Encryption Standard (DES) (withdrawn 1999)
‒ NIST Special Pub 800-67 Recommendations for TDEA Block Cipher (2004)
‒ FIPS 197 Advanced Encryption Standard (AES)
• Hash Algorithms
‒ FIPS 180-3 Secure Hash Standard (SHA)
‒ FIPS 198-1 Keyed Hash Message Authentication (HMAC)
• Asymmetric Algorithms
‒ FIPS 186-3 Digital Signature Standard (DSA)
‒ X9.31 Digital Signatures Using Reversible Cryptography (rDSA)
‒ X9.62 Elliptic Curve Digital Signature Algorithm (ECDSA)
‒ ISO/IEC 9798 Digital Signature Schemes Giving Message Recovery
‒ ISO/IEC 14888 Digital Signatures With Appendix
• Number Generation Algorithms
‒ X9.80 Prime Number Generation
‒ X9.82 Random Number Generation
Responsible groups (slide margin labels): NIST, NIST, NIST, JTC1, X9F1
Key Management Standards
• Key Establishment Schemes
‒ X9.42 Agreement of Symmetric Keys Using Discrete Logarithm Cryptography (Diffie-Hellman)
‒ X9.44 Key Establishment Using Integer Factorization Cryptography (RSA)
‒ X9.63 Key Agreement and Key Transport Using Elliptic Curve Cryptography
• Key Management Protocols (focused on PIN transactions)
‒ X9.24 Symmetric Key Management – Part 1: Using Symmetric Keys
‒ X9.24 Symmetric Key Management – Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys
‒ TR-31 Interoperable Secure Key Exchange Key Block Specification
‒ TR-34 Interoperable Method for Distribution of Symmetric Keys Using Asymmetric Techniques – Part 1: Using Factoring-Based Public Key Cryptography Unilateral Key Transport
‒ TR-39 (TG-3) PIN Security and Key Management Guideline
‒ TR-37 Migration from DES (generic key management topics)
‒ Key Management Interoperability Protocol (KMIP)
Responsible groups (slide margin labels): X9F1, X9F6, X9F4, OASIS
Application Security Standards
• Public Key Infrastructure (PKI)
‒ ISO 15782 Certificate Management for Financial Services
• Originally X9.57, to be replaced by X9.79 Part 3
‒ ISO 21188 PKI for Financial Services – Practices and Policy Framework
• Originally X9.79 PKI – Part 1, evolved to WebTrust for CA auditing standard
‒ X9.79 PKI for Financial Services – Part 3: Certificate Management (WIP)
‒ X9.79 PKI – Part 4: Asymmetric Key Management (consideration)
• Time Stamp Management and Security
‒ ISO/IEC 18014 Security Techniques – Time Stamping Services
‒ X9.95 Trusted Time Stamp Management and Security
‒ RFC 3161 Internet X.509 Time-Stamp Protocol
• Wireless Management and Security
‒ X9.112 Wireless – Part 1: General Requirements
‒ X9.112 Wireless – Part 2: POS and ATM (work in progress)
‒ X9.112 Wireless – Part 3: Mobile Commerce (work in progress)
• Penetration Testing
‒ X9.111 Penetration Testing for Financial Services
Responsible group (slide margin labels): X9F4
References
• www.iso.org
• www.ansi.org
• www.x9.org
• www.ietf.org
• www.incits.org
• www.pcisecuritystandards.org
• http://csrc.nist.gov/publications/PubsFIPS.html
Questions