Neumann 24727 B10.12 Update 20091029 AM R3


Published in: Technology

  1. ISO/IEC 24727 and INCITS #2094: Bringing it Together
     Mike Neumann
     President
     Agile Set, LLC

  2. ISO/IEC 24727
     A Framework for Interoperable IAS Systems
     Something Old, Some things New, and not a moment too soon.

  3. Interoperability, Yes
     • Six Part Standard Covering
       • End-to-end security
       • Application Interface
       • Testing
       • Authentication Protocols
       • Command and Procedural Translation
     • Not covering
       • On-card command sets

  4. Haven’t we been here before?
     • Not exactly. Previous standards/specifications were developed either “client-down” or “card-up”
     • “client-down”, e.g.
       • PKCS #11 – general, but uncoordinated across API
       • CSP – Single function of a single application view
     • “card-up”, e.g.
       • All of ISO/IEC 7816 series
       • (Nearly?) all middleware based on ISO/IEC 7816.
     • ISO/IEC 24727 is the first series of standards to be designed with both in mind.

  5. Organization

  6. Model of Computation Semantics
     A well defined language syntax
     • Card-Application
     • Service
     • Action
     • Target
     • Access Control List (client-application centric)
     • Access Control Rule (card-application centric)

  7. ISO/IEC 24727-3 Basic Entity Relationships

  8. Generic IAS Card-Application

  9. Common Infrastructure Semantics
     • Card-application uniquely identifiable across a network environment
     • Client-application to card-application “path” uniquely identifiable
     • Mapping between client-application & card-application name spaces
     • Security state establishment through differential-identity
     • Information storage / retrieval through named data service
     • Information and process protection via access control lists

  10. Authentication Protocols
     • Existing ISO standards are very general re APs (ISO/IEC 9798, and some in the 7816 series)
     • Existing Industry specifications are very explicit re: APs (EMV, GlobalPlatform, etc.)
     • Previous to the publication of ISO/IEC 24727-3, there was no generic methodology for describing a smartcard (or any other) AP
     • MOST interoperability problems related to smartcards are due to subtle discrepancies between APs
     • Most people think that APs and cryptographic algorithms/ciphers are the same thing – they are not

  11. Authentication Protocol Example

         MarkerAP007 ::= SEQUENCE {
             encryptionAlgorithm  AlgorithmIDParameters,
             hashAlgorithm        AlgorithmIDParameters,
             keySize              INTEGER,
             secretKey            OCTET STRING,
             nonceSize            INTEGER
         }

  12. ISO/IEC 24727-4: Path Environment
     ISO/IEC 24727 Stack Configurations
     • Address: Interface Device / Card-Application
     • Client-Application
     • Address: SCAI Address / Interface Device / Card-Application
     • Address: NCI Address / Card-Application
     • DNS
     • Smart Card Access Interface
     • PC/SC Resource Manager
     • Network Connection Interface
     • Interface Device Driver
     • Interface Device Driver
     • Network Card
     • Contact Card
     • Contactless Card

  13. Proxy and Agent Architecture
     • Application
     • Application
     • API
     • API
     • Marshall
     • API Proxy
     • API Service Layer
     • API Service Layer
     • Unmarshall
     • API
     • API Agent

  14. Summary
     • An International Standard to connect IAS systems to secure tokens
     • Speaks semantics of IAS Client-Applications, with
       • Means to map to constrained devices
     • Flexible, standardized, mechanism to specify and identify new Authentication Protocols
     • Testing; methodology and practice
     • Multiple stack configurations to support legacy (APDU-constrained) devices and modern “connected” secure devices

  15. Publication Status
     • Part 1: Architecture [January 2007]
     • Part 2: Generic card interface [September 2008]
     • Part 3: Application interface [November 2008]
     • Part 4: API administration [October 2008]
     • Part 5: Testing [FCD ballot to close in March]
     • Part 6: Authentication Protocol Registration Authority [FDIS to close in December]
     • COR 1: primarily ASN.1 [ballot closes 19-Dec]
     • COR 1: ASN.1 [ballot closes Jan]

  16. Work Ahead
     • Amendments to support XML marshalling
       • allows more direct support for “Web Service”-based applications.
     • Specifically, update
       • Part 1 to reflect 2008 publications and 2011 (est.) amendments
       • Part 2 to enhance discovery mechanism
       • Part 3 to include XML bindings for API and 7816-15 mapping guidance
       • Part 4 to update stack configurations to support “web services” and related security
     • Scope statements drafted at October 2009 WG4 mtg.

  17. GICS
     Generic Identity Command Set
     We have PIV, why do we need GICS?

  18. PIV “Answered the Mail”
     “We’ll do exactly that, Mr. President”
     • Identity Verification on a Smart Card
       • An Application – runtime, not personalization
       • With Data – minimum required for FIPS 201
     • Not
       • A Framework – remember GSC-IS ?
       • A Flexible Data model

  19. GICS
     Government and Industry in INCITS B10.12
     • Industry wants to be able to re-use PIV products and services for
       • Corporate ID
       • Local govt.
       • Other IAS applications
     • Cannot simply “just use PIV”
     • Based on PIV and existing ISO/IEC standards for
       • Data personalization
       • Application management

  20. GICS
     INCITS Project #2094
     • Multi-part U.S. National Standard
       • Part 1: Card Application Command Set
       • Part 2: Card Administrative Command Set
       • Part 3: Testing
       • Part 4: Card Application Profile Template
     • Contributions (Pts 1 and 2) produced in June, comments resolved in July B10.12
     • Formal Drafts (Pts 1, 2 and 4) produced end of July, comments resolved in August B10.12
     • 2nd Drafts produced in September, ballot closed 10-Oct, B10.12 meeting 9-10 November.

  21. GICS and ISO/IEC 24727
     they work together, for growth
     • ISO/IEC 24727 defines a new framework for providing card-application service access to client-applications
     • GICS provides for PIV Interoperable and PIV Compatible card-applications to be built from a single product
       • Including flexible data models
       • Application data personalization
       • Application management
     • ISO/IEC 24727 defines the system interfaces
     • GICS defines the card commands

  22. Thank you. Questions?
     Mike Neumann
     Agile Set, LLC
     mike.neumann at agileset dot net