Neumann 24727 B10.12 Update 20091029 AM R3
  • Speaker note: HSPD-12 said, “it is the policy of the United States…establish a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (and their employees)”. NIST is directed to issue “a Federal standard for secure and reliable forms of identification not later than 6 months after the date of this directive”.
  • Transcript

    • 1. ISO/IEC 24727 and INCITS #2094: Bringing it Together
      Mike Neumann, President, Agile Set, LLC
    • 2. ISO/IEC 24727
      A Framework for Interoperable IAS Systems
      Something Old, Some things New, and not a moment too soon.
    • 3. Interoperability, Yes
      Six Part Standard Covering
      - End-to-end security
      - Application Interface
      - Testing
      - Authentication Protocols
      - Command and Procedural Translation
      Not covering
      - On-card command sets
    • 4. Haven’t we been here before?
      Not exactly. Previous standards/specifications were developed either “client-down” or “card-up”.
      “client-down”, e.g.
      - PKCS #11 – general, but uncoordinated across API
      - CSP – single function of a single application view
      “card-up”, e.g.
      - All of ISO/IEC 7816 series
      - (Nearly?) all middleware based on ISO/IEC 7816
      ISO/IEC 24727 is the first series of standards to be designed with both in mind.
    • 5. Organization
      [diagram; no text captured]
    • 6. [no title captured]
      - Card-Application
      - Service
      - Action
      - Target
      - Access Control List (client-application centric)
      - Access Control Rule (card-application centric)
      Model of Computation Semantics
      A well defined language syntax
    • 7. ISO/IEC 24727-3 Basic Entity Relationships
      [diagram; no text captured]
    • 8. Generic IAS Card-Application
      [diagram; no text captured]
    • 9. Common Infrastructure Semantics
      - Card-application uniquely identifiable across a network environment
      - Client-application to card-application “path” uniquely identifiable
      - Mapping between client-application & card-application name spaces
      - Security state establishment through differential-identity
      - Information storage / retrieval through named data service
      - Information and process protection via access control lists
    • 10. Authentication Protocols
      - Existing ISO standards are very general re: APs (ISO/IEC 9798, and some in the 7816 series)
      - Existing industry specifications are very explicit re: APs (EMV, GlobalPlatform, etc.)
      - Prior to the publication of ISO/IEC 24727-3, there was no generic methodology for describing a smartcard (or any other) AP
      - MOST interoperability problems related to smartcards are due to subtle discrepancies between APs
      - Most people think that APs and cryptographic algorithms/ciphers are the same thing – they are not
    • 11. Authentication Protocol Example
      MarkerAP007 ::= SEQUENCE {
          encryptionAlgorithm   AlgorithmIDParameters,
          hashAlgorithm         AlgorithmIDParameters,
          keySize               INTEGER,
          secretKey             OCTET STRING,
          nonceSize             INTEGER
      }
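The marker above is ASN.1; as an added example (not from the slides or from Agile Set), the Python below DER-encodes such a MarkerAP007 and parses one back while checking that the field layout matches the slide's SEQUENCE and that no length runs past the input. It assumes AlgorithmIDParameters is a SEQUENCE holding one OBJECT IDENTIFIER, which the slides leave undefined; the OIDs and key bytes are constructed sample values.

```python
# Added example, not from the slides: DER-encode and decode the MarkerAP007 SEQUENCE
# from the Authentication Protocol Example slide. Assumption: the slides do not define
# AlgorithmIDParameters, so it is modelled here as SEQUENCE { OBJECT IDENTIFIER }.

def _tlv(tag: int, body: bytes) -> bytes:  # tag + DER length + content octets
    n = len(body)
    if n < 0x80:  # short-form length
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # minimal long form
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def der_integer(v: int) -> bytes:  # minimal two's-complement content octets
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))
def der_oid(dotted: str) -> bytes:  # first two arcs packed into one byte, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))
def encode_marker(enc_oid: str, hash_oid: str, key_size: int,
                  secret_key: bytes, nonce_size: int) -> bytes:
    alg = lambda oid: _tlv(0x30, der_oid(oid))  # assumed AlgorithmIDParameters shape
    return _tlv(0x30, alg(enc_oid) + alg(hash_oid) + der_integer(key_size)
                + _tlv(0x04, secret_key) + der_integer(nonce_size))
def parse_tlvs(data: bytes) -> list:  # (tag, content) pairs; raises on truncated input
    items, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated header")
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:  # long-form length: low 7 bits give the count of length bytes
            n = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + ln > len(data):
            raise ValueError("truncated content")
        items.append((tag, data[i:i + ln]))
        i += ln
    return items
def decode_marker(blob: bytes) -> dict:  # check the layout against the slide's SEQUENCE
    (tag, body), = parse_tlvs(blob)  # exactly one top-level element expected
    f = parse_tlvs(body)
    if tag != 0x30 or [t for t, _ in f] != [0x30, 0x30, 0x02, 0x04, 0x02]:
        raise ValueError("not a MarkerAP007 layout")
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    return {"encryptionAlgorithm": f[0][1], "hashAlgorithm": f[1][1], "keySize": as_int(f[2][1]),
            "secretKey": f[3][1], "nonceSize": as_int(f[4][1])}
# Constructed sample: AES-128-CBC and SHA-256 OIDs, a dummy 16-byte key, 8-byte nonce.
SAMPLE = encode_marker("2.16.840.1.101.3.4.1.2", "2.16.840.1.101.3.4.2.1", 16, b"\x11" * 16, 8)
```

Rejecting a marker whose tag sequence or lengths deviate from the declared SEQUENCE is the kind of strict check the slide's point about subtle AP discrepancies calls for.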
    • 12. ISO/IEC 24727-4: Path Environment
      [Diagram “ISO/IEC 24727 Stack Configurations”. Client-application address forms shown: Interface Device / Card-Application; SCAI Address / Interface Device / Card-Application; NCI Address / Card-Application. Components shown: DNS, Smart Card Access Interface, PC/SC Resource Manager, Network Connection Interface, Interface Device Driver, Network Card, Contact Card, Contactless Card.]
    • 13. Proxy and Agent Architecture
      [Diagram; labels shown: Application, API, API Service Layer, Marshall, API Proxy, API Agent, Unmarshall.]
    • 14. Summary
      - An International Standard to connect IAS systems to secure tokens
      - Speaks semantics of IAS Client-Applications, with
        - Means to map to constrained devices
      - Flexible, standardized mechanism to specify and identify new Authentication Protocols
      - Testing; methodology and practice
      - Multiple stack configurations to support legacy (APDU-constrained) devices and modern “connected” secure devices
    • 15. Publication Status
      - Part 1: Architecture [January 2007]
      - Part 2: Generic card interface [September 2008]
      - Part 3: Application interface [November 2008]
      - Part 4: API administration [October 2008]
      - Part 5: Testing [FCD ballot to close in March]
      - Part 6: Authentication Protocol Registration Authority [FDIS to close in December]
      - COR 1: primarily ASN.1 [ballot closes 19-Dec]
      - COR 1: ASN.1 [ballot closes Jan]
    • 16. Work Ahead
      - Amendments to support XML marshalling
        - allows more direct support for “Web Service”-based applications
      - Specifically, update
        - Part 1 to reflect 2008 publications and 2011 (est.) amendments
        - Part 2 to enhance discovery mechanism
        - Part 3 to include XML bindings for API and 7816-15 mapping guidance
        - Part 4 to update stack configurations to support “web services” and related security
      - Scope statements drafted at October 2009 WG4 meeting
    • 17. GICS
      Generic Identity Command Set
      We have PIV, why do we need GICS?
    • 18. PIV “Answered the Mail”: “We’ll do exactly that, Mr. President”
      Identity Verification on a Smart Card
      - An Application – runtime, not personalization
      - With Data – minimum required for FIPS 201
      Not
      - A Framework – remember GSC-IS?
      - A Flexible Data model
    • 19. GICS: Government and Industry in INCITS B10.12
      Industry wants to be able to re-use PIV products and services for
      - Corporate ID
      - Local govt.
      - Other IAS applications
      Cannot simply “just use PIV”
      Based on PIV and existing ISO/IEC standards for
      - Data personalization
      - Application management
    • 20. GICS: INCITS Project #2094
      Multi-part U.S. National Standard
      - Part 1: Card Application Command Set
      - Part 2: Card Administrative Command Set
      - Part 3: Testing
      - Part 4: Card Application Profile Template
      Contributions (Pts 1 and 2) produced in June, comments resolved in July B10.12
      Formal Drafts (Pts 1, 2 and 4) produced end of July, comments resolved in August B10.12
      2nd Drafts produced in September, ballot closed 10-Oct, B10.12 meeting 9-10 November.
    • 21. GICS and ISO/IEC 24727: they work together, for growth
      ISO/IEC 24727 defines a new framework for providing card-application service access to client-applications
      GICS provides for PIV Interoperable and PIV Compatible card-applications to be built from a single product
      - Including flexible data models
      - Application data personalization
      - Application management
      ISO/IEC 24727 defines the system interfaces
      GICS defines the card commands
    • 22. Thank you. Questions?
      Mike Neumann, Agile Set, LLC
      mike.neumann at agileset dot net
      twitter.com/agileset
      slideshare.net/agileset
