Global Standards Jeff Stapleton OASIS February 9, 2012

Global Standards - OASIS · Symmetric Algorithms ... Key Management Standards •Key Establishment Schemes ... ‒TR-31 Interoperable Secure Key Exchange Key Block Specification


Page 1

Global Standards Jeff Stapleton

OASIS – February 9, 2012

Page 2

Agenda

• International and Domestic Organizations

‒ ISO, CEN, ANSI, NIST, PCI, IETF, others…

• Standards Consensus Process

‒ NWIP, CD, WD, Draft Standard, Standard…

• Security and Standards

‒ ISO TC68, CEN, X9

‒ X9F1 Cryptographic Tools

‒ X9F4 Cryptographic Protocols and Application Security

‒ X9F6 Cardholder Authentication

Page 3

International and Domestic Organizations


ISO: (1946)

• 172 countries

• 248 Technical Committees

• ~3000 standards

TC68: Financial Services (1948)

• 63 countries

• 11 Subgroups

• 50 standards

JTC1: ICT Standards (1987)

• 85 countries

• 19 Subgroups

• 357 standards

ANSI: USA National Body (1918)

• 820 organizations

• 284 accredited groups

X9: Financial Services (1984)

• 150 organizations

• 15 subgroups

• 115 standards

INCITS: IT Standards (1961)

• 1700 organizations

• 40 subgroups

• (?) standards

IETF: Internet (1986)

• Thousands of individuals

• 118 subgroups

• 5734 specifications

NIST: Federal (1901)

• ~30 subgroups

• +10,000 documents

• Formerly NBS

PCI SSC (2006)

• 520 members

• 3 standards

• ~24 documents

CEN: European (1991)

• 27 countries of EU + 4

• 390+ Subgroups

• ~1000 standards

Diagram: "Self-Recognized" versus "Internationally Recognized Organizations", placing ISO, TC68, JTC1, ANSI, X9, INCITS, NIST, IETF, PCI, CEN and OASIS; ANSI is labelled as the USA member body, and two US TAG links are shown.

Page 4

Standards Consensus Process

Process flow: NWIP → WD → CD → DS → ANS → ISO

• NWIP – New Work Item Proposal
‒ Five (5) Board Level Sponsors
‒ X9 Ballot Approved – Assigned X9 number and workgroup

• WD – Working Draft
‒ X9F4 vote, Comment Resolution

• CD – Committee Draft
‒ X9F Ballot, Comment Resolution(s)

• DS – Draft Standard
‒ X9 Ballot, Comment Resolution

• ANS – American National Standard
‒ ANSI Review (ANSI and X9 Procedures)

• ISO – US submission to ISO TC68

Page 5

Security and Standards

Security Area          | International                                              | Domestic
Mobile Commerce        | TC68/SC7: Core Banking; TC68/SC7/WG10: Mobile; ISO 12812   | X9AB Payments
Crypto Algorithms      | TC68/SC2: Security; TC68/SC2/WG11: Crypto                  | X9F / X9F1
PKI                    | TC68/SC2/WG8: PKI                                          | X9F / X9F4
PIN, Debit, Payment    | TC68/SC2/WG13: Retail                                      | X9F / X9F6
Wireless               |                                                            | X9F / X9F4: X9.112
Biometrics             | TC68/SC2/WG10: Biometrics                                  | X9F / X9F4: X9.84
Timestamps             | JTC1/SC27: Timestamps                                      | X9F / X9F4: X9.95
Mutual Authentication  |                                                            | X9F / X9F4: X9.117
Cloud Security         |                                                            | X9F / X9F4: X9.125
Securities             | TC68/SC4: Securities                                       | X9D
PPI                    | CEN/WS XFS                                                 |
ICT                    | ISO/IEC JTC1                                               | INCITS

Page 6

X9F Data and Information Security Subcommittee

X9F1 Cryptographic Tools

Published Standards:

• X9.31 RSA Digital Signatures

• X9.42 DH Key Agreement

• X9.44 RSA Key Transport

• X9.62 ECDSA

• X9.63 ECC Key Agreement

• X9.80 Prime Number Generation

• X9.82 Random Number Generation

• X9.92 ECPVS Signatures

• X9.98 LBP Key Establishment

• X9.102 Key Wrapping

Works in Progress:

• X9 Registry

• X9.123 ECC Implicit Certificates

• X9.124 FPE

Topics:

• Symmetric Algorithms

• Asymmetric Algorithms

• Digital Signatures

• Hashing Algorithms

• Number Generation

• Key Establishment

‒ Key Transport

‒ Key Agreement

Page 7

X9F Data and Information Security Subcommittee

X9F4 Cryptographic Protocols and Application Security

Published Standards:

• X9.69 Key Management Extensions

• X9.73 CMS – ASN.1 and XML

• X9.79 Public Key Infrastructure

‒ Part 1: Policy and Practices

• X9.84 Biometric Security

• X9.95 Trusted Time Stamp

• X9.112 Wireless Security

‒ Part 1: General Requirements

• X9.111 Penetration Testing

• TR-37 Migration from DES

Works in Progress:

• X9.117 Secure Remote Access

• X9.79 Public Key Infrastructure

‒ Part 3: Certificate Management

‒ Part 4: Asymmetric Key Management

• X9.112 Wireless Security

‒ Part 2: ATM and POS

‒ Part 3: Mobile Security

• X9.125 Cloud Security

ISO Standardization:

• ISO 15782 Certificates

• ISO 12812 Mobile

• ISO 19092

• ISO 21188 PKI

Page 8

X9F Data and Information Security Subcommittee

X9F6 Cardholder Authentication and ICC

Published Standards:

• X9.8 PIN Security

• X9.24 Key Management

‒ Part 1: Symmetric Keys

‒ Part 2: Asymmetric Keys

• TR-39 (TG-3) PIN Audit

‒ Part 1: Acquirer Assessment

• X9.97 Cryptographic Devices

• TR-31 Key Block

• TR-34 RSA Key Transport

Works in Progress:

• TR-39 (TG-3) PIN Audit

‒ Part 2: Issuer Assessment

• X9.119 Sensitive Payment Data

‒ Part 1: Encryption

‒ Part 2: Tokenization

• X9.122 Consumer Authentication

ISO Standardization:

• ISO 9564 PIN Security

• ISO 11568 Key Management

• ISO 13491 Cryptographic Devices

Page 9

Authentication Standards

• PIN Management and Security

‒ ISO 9564 PIN Management and Security

‒ X9.8 (ANSI version of ISO 9564 with 12 USA notes)

• Password Management and Security (no ANSI or ISO standard)

‒ DoD CSC-STD-002-85 Green Book

‒ FIPS 112 (withdrawn 2005)

‒ FIPS 181 Automated Password Generator

‒ NIST Special Pub 800-63 Electronic Authentication

• Payment Cards

‒ ISO/IEC 7812 Identification Cards – Identification of Issuers (Track 1, Track 2)

‒ ISO/IEC 4909 Identification Cards – Magnetic Stripe Data Content for Track 3

‒ ISO/IEC 7816 Identification Cards – Integrated Circuit Cards (ICC)

• Biometric Information Management and Security

‒ ISO 19092 Financial Services – Biometrics – Security Framework

‒ X9.84 Biometric Information Management and Security

(Slide legend: ISO and ANSI Standard; margin tags: X9F6, JTC1, X9F4)

Page 10

Cryptography Standards

• Symmetric Algorithms

‒ FIPS 46-3 Data Encryption Standard (DES) (withdrawn 1999)

‒ NIST Special Pub 800-67 Recommendations for TDEA Block Cipher (2004)

‒ FIPS 197 Advanced Encryption Standard (AES)

• Hash Algorithms

‒ FIPS 180-3 Secure Hash Standard (SHA)

‒ FIPS 198-1 Keyed Hash Message Authentication (HMAC)

• Asymmetric Algorithms

‒ FIPS 186-3 Digital Signature Standard (DSA)

‒ X9.31 Digital Signatures Using Reversible Cryptography (rDSA)

‒ X9.62 Elliptic Curve Digital Signature Algorithm (ECDSA)

‒ ISO/IEC 9798 Digital Signature Schemes Giving Message Recovery

‒ ISO/IEC 14888 Digital Signatures With Appendix

• Number Generation Algorithms

‒ X9.80 Prime Number Generation

‒ X9.82 Random Number Generation

(Slide legend: ISO and ANSI Standard; margin tags: NIST, NIST, NIST, JTC1, X9F1)

Page 11

Key Management Standards

• Key Establishment Schemes

‒ X9.42 Agreement of Symmetric Keys Using Discrete Logarithm Cryptography (Diffie-Hellman)

‒ X9.44 Key Establishment Using Integer Factorization Cryptography (RSA)

‒ X9.63 Key Agreement and Key Transport Using Elliptic Curve Cryptography

• Key Management Protocols (focused on PIN transactions)

‒ X9.24 Symmetric Key Management – Part 1: Using Symmetric Keys

‒ X9.24 Symmetric Key Management – Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys

‒ TR-31 Interoperable Secure Key Exchange Key Block Specification

‒ TR-34 Interoperable Method for Distribution of Symmetric Keys Using Asymmetric Techniques – Part 1: Using Factoring-Based Public Key Cryptography Unilateral Key Transport

‒ TR-39 (TG-3) PIN Security and Key Management Guideline

‒ TR-37 Migration from DES (generic key management topics)

‒ Key Management Interoperability Protocol (KMIP)

(Slide legend: ISO and ANSI Standard; margin tags: X9F1, X9F6, X9F4, OASIS)

Page 12

Application Security Standards

• Public Key Infrastructure (PKI)

‒ ISO 15782 Certificate Management for Financial Services

  • Originally X9.57, to be replaced by X9.79 Part 3

‒ ISO 21188 PKI for Financial Services – Practices and Policy Framework

  • Originally X9.79 PKI – Part 1, evolved to WebTrust for CA auditing standard

‒ X9.79 PKI for Financial Services – Part 3: Certificate Management (WIP)

‒ X9.79 PKI – Part 4: Asymmetric Key Management (consideration)

• Time Stamp Management and Security

‒ ISO/IEC 18014 Security Techniques – Time Stamping Services

‒ X9.95 Trusted Time Stamp Management and Security

‒ RFC 3161 Internet X.509 Time-Stamp Protocol

• Wireless Management and Security

‒ X9.112 Wireless – Part 1: General Requirements

‒ X9.112 Wireless – Part 2: POS and ATM (work in progress)

‒ X9.112 Wireless – Part 3: Mobile Commerce (work in progress)

• Penetration Testing

‒ X9.111 Penetration Testing for Financial Services

(Slide legend: ISO and ANSI Standard; margin tags: X9F4)

Page 13

References

• www.iso.org

• www.ansi.org

• www.x9.org

• www.ietf.org

• www.incits.org

• www.pcisecuritystandards.org

• http://csrc.nist.gov/publications/PubsFIPS.html


Questions