Speaker note: HSPD-12 said, “it is the policy of the United States … establish a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (and their employees)”. NIST is directed to issue “a Federal standard for secure and reliable forms of identification not later than 6 months after the date of this directive”.
ISO/IEC 24727 and INCITS #2094: Bringing it Together
Mike Neumann, President, Agile Set, LLC

ISO/IEC 24727
A Framework for Interoperable IAS Systems
Something Old, Some things New, and not a moment too soon.

Interoperability, Yes
Six Part Standard Covering:
- End-to-end security
- Application Interface
- Testing
- Authentication Protocols
- Command and Procedural Translation
Not covering:
- On-card command sets

Haven’t we been here before?
Not exactly. Previous standards/specifications were developed either “client-down” or “card-up”.
“client-down”, e.g.:
- PKCS #11: general, but uncoordinated across API
- CSP: single function of a single application view
“card-up”, e.g.:
- All of ISO/IEC 7816 series
- (Nearly?) all middleware based on ISO/IEC 7816
ISO/IEC 24727 is the first series of standards to be designed with both in mind.
Organization
- Card-Application
- Service
- Action
- Target
- Access Control List (client-application centric)
- Access Control Rule (card-application centric)
Model of Computation Semantics: a well-defined language syntax
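The entities on the Organization slide (card-application, service, action, target, access-control list) become concrete when you see a request evaluated against them. The following toy model is an added illustration, not code from the presentation or from ISO/IEC 24727-3: a client-application calls an action (here named after the 24727-3 API functions DIDAuthenticate, DSIRead, DSIWrite) on a target of a service; each access-control rule names the differential identities (DIDs) that must already be in the path's security state; a DID enters that state only after its authentication succeeds, and closing the path clears it. The rule syntax, the DID names, the target names and the reference secrets are all constructed for the example, and the DID authentication is reduced to a secret comparison so the access-control logic is the point.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    """One ACL entry (assumed syntax): doing `action` on `target` of `service`
    requires every DID in `required_dids` to be in the security state."""
    service: str
    action: str
    target: str
    required_dids: frozenset


class CardApplication:
    """Simplified card-application: named data sets protected by an ACL whose
    rules are satisfied by DIDs authenticated on the current path."""

    def __init__(self, name, rules, did_secrets):
        self.name = name
        self.rules = {(r.service, r.action, r.target): r for r in rules}
        self.did_secrets = did_secrets      # DID name -> reference secret (toy stand-in)
        self.datasets = {}
        self.security_state = set()         # DIDs authenticated on this path

    def did_authenticate(self, did_name, presented):
        """DIDAuthenticate, reduced to a constant-time secret comparison.
        Success adds the DID to the security state; anything else leaves it unchanged."""
        expected = self.did_secrets.get(did_name)
        if expected is not None and hmac.compare_digest(expected, presented):
            self.security_state.add(did_name)
            return True
        return False

    def is_authorized(self, service, action, target):
        rule = self.rules.get((service, action, target))
        if rule is None:
            return False                    # default deny: no rule, no access
        return rule.required_dids.issubset(self.security_state)

    def dsi_read(self, target):
        if not self.is_authorized("NamedDataService", "DSIRead", target):
            raise PermissionError(f"{self.name}: DSIRead {target} denied, state={sorted(self.security_state)}")
        return self.datasets[target]

    def dsi_write(self, target, value):
        if not self.is_authorized("NamedDataService", "DSIWrite", target):
            raise PermissionError(f"{self.name}: DSIWrite {target} denied, state={sorted(self.security_state)}")
        self.datasets[target] = value

    def path_close(self):
        """Security state is a property of the path, so closing it drops every DID."""
        self.security_state.clear()


def build_demo_card():
    # Constructed ACL: capabilities are world-readable, private data needs the
    # PIN DID to read and both PIN and AdminKey DIDs to write.
    rules = [
        AccessRule("NamedDataService", "DSIRead", "CardCapabilities", frozenset()),
        AccessRule("NamedDataService", "DSIRead", "PrivateData", frozenset({"PIN"})),
        AccessRule("NamedDataService", "DSIWrite", "PrivateData", frozenset({"PIN", "AdminKey"})),
    ]
    secrets = {"PIN": b"1234", "AdminKey": b"constructed-admin-secret"}
    card = CardApplication("GenericIAS", rules, secrets)
    card.datasets.update({"CardCapabilities": b"caps-v1", "PrivateData": b"initial"})
    return card


def _attempt(fn, *args):
    try:
        fn(*args)
        return "allowed"
    except PermissionError:
        return "denied"


def run_walkthrough():
    """Drive one client-to-card-application path and record each decision."""
    card = build_demo_card()
    out = {}
    out["read_caps_unauth"] = _attempt(card.dsi_read, "CardCapabilities")
    out["read_private_unauth"] = _attempt(card.dsi_read, "PrivateData")
    out["pin_wrong"] = card.did_authenticate("PIN", b"0000")
    out["pin_ok"] = card.did_authenticate("PIN", b"1234")
    out["read_private_pin"] = _attempt(card.dsi_read, "PrivateData")
    out["write_private_pin_only"] = _attempt(card.dsi_write, "PrivateData", b"new")
    out["admin_ok"] = card.did_authenticate("AdminKey", b"constructed-admin-secret")
    out["write_private_pin_admin"] = _attempt(card.dsi_write, "PrivateData", b"new")
    card.path_close()
    out["read_private_after_close"] = _attempt(card.dsi_read, "PrivateData")
    return out


if __name__ == "__main__":
    for step, result in run_walkthrough().items():
        print(f"{step:28s} {result}")
```

Two design points carry over to real deployments: the check is default-deny (a target with no rule is unreachable rather than open), and the security state lives on the path, so a client cannot inherit DIDs authenticated by another connection to the same card-application.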
ISO/IEC 24727-3 Basic Entity Relationships
(diagram slide)

Generic IAS Card-Application
(diagram slide)

Common Infrastructure Semantics
- Card-application uniquely identifiable across a network environment
- Client-application to card-application “path” uniquely identifiable
- Mapping between client-application & card-application name spaces
- Security state establishment through differential-identity
- Information storage / retrieval through named data service
- Information and process protection via access control lists

Authentication Protocols
- Existing ISO standards are very general regarding APs (ISO/IEC 9798, and some in the 7816 series)
- Existing industry specifications are very explicit regarding APs (EMV, GlobalPlatform, etc.)
- Prior to the publication of ISO/IEC 24727-3, there was no generic methodology for describing a smartcard (or any other) AP
- MOST interoperability problems related to smartcards are due to subtle discrepancies between APs
- Most people think that APs and cryptographic algorithms/ciphers are the same thing; they are not

Authentication Protocol Example

    MarkerAP007 ::= SEQUENCE {
        encryptionAlgorithm   AlgorithmIDParameters,
        hashAlgorithm         AlgorithmIDParameters,
        keySize               INTEGER,
        secretKey             OCTET STRING,
        nonceSize             INTEGER
    }
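The slide's point that interoperability failures come from subtle AP discrepancies, and that an AP is more than its cipher, is easiest to see once a marker is serialised and two markers are diffed field by field. The code below is an added example and is not from the presentation or the standard: it DER-encodes and decodes the MarkerAP007 SEQUENCE shown above with only the standard library, then reports which fields differ between two markers. AlgorithmIDParameters is reduced to a bare OBJECT IDENTIFIER here (the real type in ISO/IEC 24727-3 is richer; this is an assumption for brevity), the sample OIDs are the well-known AES-128-CBC, SHA-256 and SHA-1 identifiers, and the key bytes are constructed.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class MarkerAP007:
    encryption_algorithm: str   # dotted OID, standing in for AlgorithmIDParameters (assumption)
    hash_algorithm: str         # dotted OID, same simplification
    key_size: int
    secret_key: bytes
    nonce_size: int


# ---- minimal DER primitives (only what the SEQUENCE above needs) ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    # Non-negative INTEGER, minimal two's-complement encoding.
    if v < 0:
        raise ValueError("negative sizes are not meaningful here")
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                     # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))


def _read_tlv(buf, pos):
    """Strict TLV reader: every length is checked against the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


# ---- MarkerAP007 <-> DER ----
def encode_marker(m):
    return _tlv(0x30, _der_oid(m.encryption_algorithm) + _der_oid(m.hash_algorithm)
                + _der_int(m.key_size) + _tlv(0x04, m.secret_key) + _der_int(m.nonce_size))


def decode_marker(der):
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    fields, pos = [], 0
    for expected in (0x06, 0x06, 0x02, 0x04, 0x02):   # the five fields, in order
        tag, fbody, pos = _read_tlv(body, pos)
        if tag != expected:
            raise ValueError(f"expected tag {expected:#x}, got {tag:#x}")
        fields.append(fbody)
    if pos != len(body):
        raise ValueError("trailing bytes inside SEQUENCE")
    enc, hsh, ks, sk, ns = fields
    return MarkerAP007(_decode_oid(enc), _decode_oid(hsh), int.from_bytes(ks, "big"),
                       bytes(sk), int.from_bytes(ns, "big"))


def compare_markers(a, b):
    """Names of fields that differ; the secret is compared in constant time and never echoed."""
    diffs = [f for f in ("encryption_algorithm", "hash_algorithm", "key_size", "nonce_size")
             if getattr(a, f) != getattr(b, f)]
    if not hmac.compare_digest(a.secret_key, b.secret_key):
        diffs.append("secret_key")
    return diffs


# Constructed sample markers: same cipher and key, different hash algorithm.
CARD_SIDE = MarkerAP007("2.16.840.1.101.3.4.1.2", "2.16.840.1.101.3.4.2.1", 128, b"\x11" * 16, 8)
CLIENT_SIDE = MarkerAP007("2.16.840.1.101.3.4.1.2", "1.3.14.3.2.26", 128, b"\x11" * 16, 8)

if __name__ == "__main__":
    der = encode_marker(CARD_SIDE)
    print(der.hex())
    print("round trip ok:", decode_marker(der) == CARD_SIDE)
    print("discrepancies:", compare_markers(CARD_SIDE, CLIENT_SIDE))
```

Run as written, the two markers agree on the cipher yet differ in the hash algorithm, which is exactly the kind of mismatch the slide warns is invisible when people equate an AP with its cipher. The decoder is strict about lengths and trailing bytes on purpose: a marker parser that silently accepts malformed encodings is itself a source of inconsistent behaviour between implementations.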
ISO/IEC 24727-4: Path Environment
(diagram slide: ISO/IEC 24727 stack configurations. A Client-Application addresses a card-application as Interface Device / Card-Application, as SCAI Address / Interface Device / Card-Application, or as NCI Address / Card-Application. Components shown: DNS, Smart Card Access Interface, PC/SC Resource Manager, Network Connection Interface, Interface Device Driver, Network Card, Contact Card, Contactless Card.)

Proxy and Agent Architecture
(diagram slide: an Application calls an API; an API Proxy marshalls the call into the API Service Layer, and on the far side an API Agent unmarshalls it and invokes the API for the peer Application.)
Summary
- An International Standard to connect IAS systems to secure tokens
- Speaks semantics of IAS Client-Applications, with means to map to constrained devices
- Flexible, standardized mechanism to specify and identify new Authentication Protocols
- Testing: methodology and practice
- Multiple stack configurations to support legacy (APDU-constrained) devices and modern “connected” secure devices
Publication Status
- Part 1: Architecture [January 2007]
- Part 2: Generic card interface [September 2008]
- Part 3: Application interface [November 2008]
- Part 4: API administration [October 2008]
- Part 5: Testing [FCD ballot to close in March]
- Part 6: Authentication Protocol Registration Authority [FDIS to close in December]
  - COR 1: primarily ASN.1 [ballot closes 19-Dec]
  - COR 1: ASN.1 [ballot closes Jan]

Work Ahead
- Amendments to support XML marshalling: allows more direct support for “Web Service”-based applications.
- Specifically, update:
  - Part 1 to reflect 2008 publications and 2011 (est.) amendments
  - Part 2 to enhance discovery mechanism
  - Part 3 to include XML bindings for API and 7816-15 mapping guidance
  - Part 4 to update stack configurations to support “web services” and related security
- Scope statements drafted at October 2009 WG4 meeting.

GICS
Generic Identity Command Set
We have PIV, why do we need GICS?
PIV “Answered the Mail”: “We’ll do exactly that, Mr. President”
- Identity Verification on a Smart Card
- An Application: runtime, not personalization
- With Data: minimum required for FIPS 201
Not:
- A Framework (remember GSC-IS?)
- A Flexible Data model

GICS: Government and Industry in INCITS B10.12
- Industry wants to be able to re-use PIV products and services for:
  - Corporate ID
  - Local govt.
  - Other IAS applications
- Cannot simply “just use PIV”
- Based on PIV and existing ISO/IEC standards for:
  - Data personalization
  - Application management

GICS: INCITS Project #2094
Multi-part U.S. National Standard
- Part 1: Card Application Command Set
- Part 2: Card Administrative Command Set
- Part 3: Testing
- Part 4: Card Application Profile Template
Schedule:
- Contributions (Pts 1 and 2) produced in June, comments resolved in July B10.12
- Formal Drafts (Pts 1, 2 and 4) produced end of July, comments resolved in August B10.12
- 2nd Drafts produced in September, ballot closed 10-Oct, B10.12 meeting 9-10 November.

GICS and ISO/IEC 24727: they work together, for growth
- ISO/IEC 24727 defines a new framework for providing card-application service access to client-applications
- GICS provides for PIV Interoperable and PIV Compatible card-applications to be built from a single product, including:
  - flexible data models
  - application data personalization
  - application management
- ISO/IEC 24727 defines the system interfaces; GICS defines the card commands

Thank you. Questions?
Mike Neumann, Agile Set, LLC
mike.neumann at agileset dot net
twitter.com/agileset
slideshare.net/agileset