Perspectives of Interoperable Card Content Management using GlobalPlatform Card Specification V2.2

Klaus P. Gungl, GlobalPlatform Card Committee Chair


Topics

  How did we get to GPCS 2.2?
  Highlights summary
  Privileges
  Over-The-Air Content Management
  Global Service
  PKI based Secure Channel Protocol

Interoperability for an End-To-End Infrastructure

GlobalPlatform delivers the complete set of specifications for an end to end smart card infrastructure

Card Specifications
  Standardized and secure card and application management

Systems Specifications
  Standardized back-end systems: smart card management environment
  Messaging, key management
  Issuance, post issuance

Device Specifications
  Enable the acceptance of cards and services through multiple devices

Compliance Program

[Diagram labels: DEVICES, SYSTEMS, CARDS]

Collaboration on Card Specification 2.2

Mobile Telecom Standards
  ETSI: GSM 03.48, TS 23.048
  ETSI & 3G Smart Card Platform (SCP): TS 102.225, 102.226
  Objective: Convergence on Over The Air technologies update

NICSS Collaboration
  Convergence with GP Card Specification
  Objective: dual compliance for cards
  Common Press Release in November 2005

eEurope and CEN
  Contribution of CEN eSign (area K) CWA 14890
  Integration of CEN TC 224 requirement
  Convergence with GP Card Specification

Department of Defense Collaboration
  Support of some requirements of the CAC project

A Powerful Platform


From GP 2.1.1 to GP 2.2

| Feature | Spec 2.1.1 | Spec 2.2 | Usage |
|---|---|---|---|
| Secure Channel Protocol (SCP) | Symmetric key based SCP | Symmetric key based SCP; PKI based SCP | Extended business models for service providers |
| SIM / wireless | - | Over-the-Air | Support for OTA based content management |
| Privileges | Fixed features | Extended Privileges | Flexible on-card enforcement mechanisms for new business relationships |
| RTE API | JavaCard API | JavaCard API; C API | JavaCard support, Multos support |
| Dual interface | - | Explicit contactless support | Support for dual interface cards |
| On-card services | Fixed services | Global Service | client-server on card |
| Key Management | Fixed key usage | Extended key management | Separation of application service keys and administration keys |

Players on a Multi-Application Smart Card


Privileges...


...Privileges

Privileges enforce policies:

You can load your own applications
  Delegated Management assigned to SD and Token Verification is assigned to the corresponding ISD.

The Card Issuer does not need a token
  Authorized Management assigned to ISD

Any application or package may be deleted
  Global Delete is assigned to an entity's Security Domain

A receipt is needed from Delegated Management
  Receipt Calculation is assigned to a Security Domain

An on-card application can provide services to other on-card applications
  Global Service is assigned to the server application

An application needs to trust its Security Domain during OTA personalization
  Trusted Path is assigned to the Security Domain
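
The pairings on this slide can be checked mechanically against a card's registry. The following is an added example, not part of the original presentation: the bit positions are those of the three-byte privilege field in GlobalPlatform Card Specification 2.2 (not shown on the slides), and the registry names and values are constructed. It checks for any Token Verification holder rather than specifically the ISD.

```python
# Added illustration: bit positions follow the three-byte privilege field of
# GlobalPlatform Card Specification 2.2; REGISTRY below is constructed data.
PRIVILEGES = {
    (0, 0x80): "Security Domain",
    (0, 0x40): "DAP Verification",
    (0, 0x20): "Delegated Management",
    (0, 0x10): "Card Lock",
    (0, 0x08): "Card Terminate",
    (0, 0x04): "Card Reset",
    (0, 0x02): "CVM Management",
    (0, 0x01): "Mandated DAP Verification",
    (1, 0x80): "Trusted Path",
    (1, 0x40): "Authorized Management",
    (1, 0x20): "Token Verification",
    (1, 0x10): "Global Delete",
    (1, 0x08): "Global Lock",
    (1, 0x04): "Global Registry",
    (1, 0x02): "Final Application",
    (1, 0x01): "Global Service",
    (2, 0x80): "Receipt Generation",  # "Receipt Calculation" on the slide
    (2, 0x40): "Ciphered Load File Data Block",
    (2, 0x20): "Contactless Activation",
    (2, 0x10): "Contactless Self-Activation",
}

def decode(priv_hex):
    """Return the privilege names set in a one- or three-byte hex field."""
    raw = bytes.fromhex(priv_hex).ljust(3, b"\x00")
    return {name for (i, mask), name in PRIVILEGES.items() if raw[i] & mask}

def holders(registry, privilege):
    """List registry entries holding a privilege, e.g. Global Delete."""
    return sorted(a for a, p in registry.items() if privilege in decode(p))

def audit(registry):
    """Check a {name: privilege hex} registry against the slide's pairings."""
    findings = []
    for app in holders(registry, "Delegated Management"):
        if "Security Domain" not in decode(registry[app]):
            findings.append(f"{app}: Delegated Management without Security Domain")
        if not holders(registry, "Token Verification"):
            findings.append(f"{app}: no Token Verification holder on card")
    return findings

# Constructed registry: issuer SD, a service provider SD, a signing service,
# and a malformed entry.
REGISTRY = {"ISD": "9EFE80", "SP_SD": "A08000", "SignApp": "000100", "BadApp": "200000"}

if __name__ == "__main__":
    print(audit(REGISTRY), holders(REGISTRY, "Global Service"))
```
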


Application Management for Telco


Global Service

General idea:
  An application can do something that is useful to the other applications on the card.
  Share this capability and
  Provide this to the other application as a Global Service
  Example: signing and signature verification can be seen as a Global Service

Required: Global Service Privilege

Global Service cont.

A Global Services Application:
  Service Family:
    Offer several services to anyone that might want to use one of them.
  Unique Service:
    Offer a specific service present only once on the card.

Consider the additional responsibilities of Issuer, Controlling entity, Server Application provider, and Client Application provider.

Global Service Privilege


PKI based Secure Channel: SCP10

SCP 01 and SCP 02:
  SCP Initiation using symmetric keys
  Initiated Channel uses Secure Messaging with symmetric session keys
  Provider must have Security Domain on the card

SCP10 Business Requirement
  Extend business model to include participants not present on card with Security Domain
  Card external infrastructure

Technical background
  Initiate Secure Channel using PKI
  Initiated Channel uses Secure Messaging with symmetric session keys

PKI extends the content management capabilities of GlobalPlatform to additional business models
  E.g. Service Providers

On-Demand Model


Visit our website @ www.globalplatform.org

Find information about becoming a member of GlobalPlatform

Download GlobalPlatform Specifications ‘royalty free’