Perspectives of Interoperable Card Content Management using GlobalPlatform Card Specification V2.2
Klaus P. Gungl, GlobalPlatform Card Committee Chair
Topics
- How did we get to GPCS 2.2?
- Highlights summary
- Privileges
- Over-The-Air Content Management
- Global Service
- PKI based Secure Channel Protocol
Interoperability for an End-To-End Infrastructure
GlobalPlatform delivers the complete set of specifications for an end-to-end smart card infrastructure (cards, systems and devices), backed by a Compliance Program:
- Card Specifications: standardized and secure card and application management
- Systems Specifications: standardized back-end systems (smart card management environment; messaging; key management; issuance and post-issuance)
- Device Specifications: enable the acceptance of cards and services through multiple devices
Collaboration on Card Specification 2.2
- Mobile Telecom Standards: ETSI GSM 03.48, TS 23.048; ETSI & 3G Smart Card Platform (SCP): TS 102.225, TS 102.226. Objective: convergence on Over-The-Air technologies update
- NICSS Collaboration: convergence with the GP Card Specification. Objective: dual compliance for cards. Common press release in November 2005
- eEurope and CEN: contribution of CEN eSign (area K) CWA 14890; integration of CEN TC 224 requirements; convergence with the GP Card Specification
- Department of Defense Collaboration: support of some requirements of the CAC project
A Powerful Platform
From GP 2.1.1 to GP 2.2

| Feature | Spec 2.1.1 | Spec 2.2 | Usage |
|---|---|---|---|
| Secure Channel Protocol (SCP) | Symmetric key based SCP | Symmetric key based SCP; PKI based SCP | Extended business models for service providers |
| SIM / wireless | - | Over-the-Air | Support for OTA based content management |
| Privileges | Fixed features | Extended Privileges | Flexible on-card enforcement mechanisms for new business relationships |
| RTE API | JavaCard API | JavaCard API; C API | JavaCard support, Multos support |
| Dual interface | - | Explicit contactless support | Support for dual interface cards |
| On-card services | Fixed services | Global Service | Client-server on card |
| Key Management | Fixed key usage | Extended key management | Separation of application service keys and administration keys |
Players on a Multi-Application Smart Card
Privileges
Privileges enforce policies:
- You can load your own applications: Delegated Management is assigned to the SD, and Token Verification is assigned to the corresponding ISD.
- The Card Issuer does not need a token: Authorized Management is assigned to the ISD.
- Any application or package may be deleted: Global Delete is assigned to an entity's Security Domain.
- A receipt is needed from Delegated Management: Receipt Calculation is assigned to a Security Domain.
- An on-card application can provide services to other on-card applications: Global Service is assigned to the server application.
- An application needs to trust its Security Domain during OTA personalization: Trusted Path is assigned to the Security Domain.
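To show how these privilege assignments interact on a load request, here is an added simplified model (illustration only, not GlobalPlatform code): the ISD loads with Authorized Management and no token, a provider's Security Domain with Delegated Management must present a token that the ISD checks under Token Verification, and a receipt comes back only from an SD holding Receipt Calculation. HMAC-SHA256 stands in for the specification's own token and receipt schemes, and all keys and command bytes are constructed sample values.

```python
"""Simplified model of the GlobalPlatform 2.2 privilege rules listed above.
Added illustration, not GlobalPlatform code.  HMAC-SHA256 stands in for the
specification's own token and receipt schemes; every key is a constructed
sample value."""
import hashlib
import hmac
from dataclasses import dataclass

# Privileges named on the slide; a Security Domain (SD) holds a set of them.
AUTHORIZED_MGMT = "Authorized Management"
DELEGATED_MGMT = "Delegated Management"
TOKEN_VERIFICATION = "Token Verification"
RECEIPT_CALC = "Receipt Calculation"


@dataclass
class SecurityDomain:
    name: str
    privileges: frozenset
    key: bytes  # constructed: token key on the ISD, receipt key on an SD


def issue_token(issuer_key: bytes, command: bytes) -> bytes:
    """Off-card: the Card Issuer pre-authorises one provider command."""
    return hmac.new(issuer_key, command, hashlib.sha256).digest()


def load_application(isd, requester, command, token=None):
    """Return (accepted, receipt) for a content-management command.
    Authorized Management (the ISD) needs no token; Delegated Management
    needs a token that the ISD checks under Token Verification; a receipt
    is returned only if the requesting SD holds Receipt Calculation."""
    if AUTHORIZED_MGMT in requester.privileges:
        return True, None
    if DELEGATED_MGMT not in requester.privileges:
        return False, None  # no management privilege at all
    if TOKEN_VERIFICATION not in isd.privileges or token is None:
        return False, None  # nobody on the card can vouch for the command
    expected = hmac.new(isd.key, command, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, token):
        return False, None  # token forged, or command altered in transit
    if RECEIPT_CALC not in requester.privileges:
        return True, None
    # The receipt binds the executed command to the token that authorised it.
    return True, hmac.new(requester.key, command + token, hashlib.sha256).digest()


# Constructed sample card: an ISD and one Application Provider SD.
ISD = SecurityDomain("ISD", frozenset({AUTHORIZED_MGMT, TOKEN_VERIFICATION}), b"issuer-token-key")
PROVIDER_SD = SecurityDomain("ProviderSD", frozenset({DELEGATED_MGMT, RECEIPT_CALC}), b"provider-receipt-key")
LOAD_CMD = b"LOAD package=EXAMPLE-PKG"  # constructed command payload
```

Calling `load_application(ISD, PROVIDER_SD, LOAD_CMD, issue_token(ISD.key, LOAD_CMD))` accepts the load and returns a receipt, while the same call with a tampered token or an altered command is refused.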
Application Management for Telco
Global Service
General idea: an application can do something that is useful to the other applications on the card. Share this capability and provide it to the other applications as a Global Service. Example: signing and signature verification can be seen as a Global Service.
Required: Global Service Privilege
Global Service cont.
A Global Services Application:
- Service Family: offer several services to anyone that might want to use one of them.
- Unique Service: offer a specific service present only once on the card.
Consider the additional responsibilities of the Issuer, the Controlling entity, the Server Application provider, and the Client Application provider.
Global Service Privilege
PKI based Secure Channel: SCP10
SCP01 and SCP02:
- SCP initiation using symmetric keys
- Initiated channel uses Secure Messaging with symmetric session keys
- Provider must have a Security Domain on the card
SCP10 business requirement: extend the business model to include participants not present on the card with a Security Domain (card-external infrastructure)
Technical background:
- Initiate the Secure Channel using PKI
- Initiated channel uses Secure Messaging with symmetric session keys
PKI extends the content management capabilities of GlobalPlatform to additional business models, e.g. Service Providers.
On-Demand Model
Visit our website @ www.globalplatform.org
Find information about becoming a member of GlobalPlatform
Download GlobalPlatform Specifications "royalty free"