1 1

Update:

ISO/IEC 24727- Identification Cards - Integrated circuit cards programming interfaces

Teresa Schwarzhoff,

U.S. Department of Commerce

Porvoo-12: Grossetto ITALY

2 2

Topics

Background/overview ISO/IEC 24727

Part 1 Part 2 Part 3 Part 4 Part 5

Conclusion

3 3

Topics

Background/overview ISO/IEC 24727

Part 1 Part 2 Part 3 Part 4 Part 5

Conclusion

4 4

ISO/IEC JTC 1 SC 17/WG 4/TF 9 ISO/IEC Joint Technical Committee 1 Sub Committee 17

ISO/IEC JTC1 SC 17/ WG 4 ISO/IEC 24727 work assigned to WG4 - Task Force 9 (TF9)

ISO/IEC 24727 built upon NIST smart card ‘interoperability’ specification

TF9 chaired by U.S. (NIST) and ANSI secretary

TF9 scope Standardization of a set of structured programming interfaces for

interactions between integrated circuit cards and external applications to include generic services for multi-sector use

Good technical expert representation in TF 9 -- includes Australia, France, Germany, Japan, UK, US, and TC 224/WG15

5 5

ISO/IEC 24727 multi-part standard

ISO/IEC 24727 – Identification Cards - Integrated circuit cards programming interfaces

Builds upon ISO/IEC 7816

Focuses on services and interfaces

Card type neutral

Contact and contactless agnostic

eID: identification, authentication, and signature services

Goal: Independent implementations that are interchangeable

6 6

Why ISO/IEC 24727? Existing standards

Too many options Focus on physical card Lack of interface standardization

Simplification Simplify developer’s life Improve portability

Interoperability Ubiquitous interoperability: what we are all trying to achieve but must be kept simple

Interoperability and security

and

Conformance testing and privacy:

“two” sides of the same coin

7 7

ISO/IEC 24727: A Standard in 5* Parts

TestClient-

App

API Layer Implementation

GCI Layer Implementation

Card Service APIs cf ISO/IEC 24727-3

Generic Card Interface cf ISO/IEC 24727-2

Interface Device Access MechanismInterface Device Configuration Selection

ISO

/IE

C 2

4727

-4S

ecu

rity

& A

PI

Ad

min

istr

atio

n

Generic Card Interface cf ISO/IEC 24727-2

Physical Card Services

ClientApp

1

ClientApp

2

ClientApp

3

ClientApp

4

TestCardApp

CardApp

3

CardApp

2

CardApp

1

Multi-application ICCs

Interface Connectivity

Interface Connectivity

Interface Connectivity

Card Service APIs cf ISO/IEC 24727-3

Testing IS O/IEC24727-2

cf ISO/IE C 24727-5

Testing IS O/IEC24727-3

cf ISO/IE C 24727-5

ISO /IEC 24727-1Architecture

Part 1 - Architecture

T esting

Part 4 - APIAdm instration

Part 3 - ApplicationProgram m ing Interface

Part 2 - G eneric CardInterface

Application

* To be discussed in future slide

8 8

Topics

Background/overview ISO/IEC 24727

Part 1 Part 2 Part 3 Part 4 Part 5

Conclusion

9 9

ISO/IEC 24727-1

ISO/IEC 24727 Identification Cards - Integrated circuit cards programming interfaces – Part 1: Architecture Overarching framework Common terminology Logical architecture for framework

Status Published, available for purchase via your national

body standards group or the ISO on-line store

10 10

ISO/IEC 24727-2 ISO/IEC 24727 Identification Cards - Integrated circuit

cards programming interfaces – Part 2: Generic card interface

Common card interface 7816 toolkit fine-tuning Discovery mechanism

Card capability description (CCD) Application capability description (ACD)

ISO/IEC 20060 ISO/IEC 7816-15

Status FDIS ballot anticipated November 2007 Anticipate IS Spring 2008

11 11

ISO/IEC 24727-3 ISO/IEC 24727 Identification Cards - Integrated circuit cards programming

interfaces – Part 3: Application interface New territory for smart card standards Normative API/middleware Normative authentication protocols

Normative Services Connection Card application discovery and retrieval Identity Cryptographic Authorization

Status Learning curve for committee technical experts: not about the ‘card’ but rather

card-applications FCD ballot launched last Friday, 14 September Anticipate FDIS in Spring 2008

12 12

Example of actions for a service found in ISO/IEC 24727-3:

Connection service

Initialize

Terminate

CardApplicationPath

CardApplicationConnect

CardApplicationDisconnect

CardApplicationStartSession

CardApplicationEndSession Authentication protocols

PIN

password

symmetric key

asymmetric key

digital certificate

biometric image or template

pair of symmetric keys; e.g., one for encryption and one for message authentication code (MAC) generation

13 13

Name of authentication protocol General definition of protocol

ASYMMETRIC INTERNAL AUTHENTICATE Fetch certificateSend challenge to be signed (on-card)

Validate (off-card) signature based on certificate

ASYMMETRIC EXTERNAL AUTHENTICATE Fetch challengeSign (off-card) and validate signature (on-card)

SYMMETRIC INTERNAL AUTHENTICATE Send challenge to be signed (on-card)Validate signature (off-card)

SYMMETRIC EXTERNAL AUTHENTICATE Fetch challengeSign challenge (off-card)

Validate signature (on-card)

COMPARE Match input parameter with marker

PIN COMPARE Match input parameter with marker and limiting number of incorrect compares – reset on successful compare

BIOMETRIC COMPARE Translate input parameter to template form and compare with base template

SYMMETRIC KEY NONCE Mutual authenticate of card-application and client-application plus generation of session keys

ANYBODY NULL authentication protocol

14 14

ISO/IEC 24727-4

ISO/IEC 24727 Identification Cards - Integrated circuit cards programming interfaces – Part 4: API administration

Implementation details of Part 2 and Part 3 interactions Normative security architecture and stack configurations Normative IFD API TLS protocol

Status FCD launched October 2007 FDIS anticipated Spring 2008

15 15

ISO/IEC 24727-5

ISO/IEC 24727 Identification Cards - Integrated circuit cards programming interfaces – Part 5: Testing

Test requirements as technical text is developed Testing levels and modular approach Status

Parts 2, 3, and 4 maturity/stability prerequisite has been met Part 5 WD under modification to reflect recent decisions on

the three parts TF 9 meeting - November Goal: CD late Spring 2008

16 16

NEW: ISO/IEC 24727-6

ISO/IEC 24727 Identification Cards - Integrated circuit cards programming interfaces – Part 6: Registration authority procedures for the authentication protocols for interoperability

Decision taken at recent WG 4 meeting to establish a RA for future ISO/IEC 24727 authentication protocols

RA streamlines introduction of new normative authentication protocols

Lead: Standards Australia

17 17

Topics

Background/overview ISO/IEC 24727

Part 1 Part 2 Part 3 Part 4 Part 5

Conclusion

18 18

ISO/IEC 24727 interoperability goals

Re-use of middleware and tokens Independence of middleware Independence of tokens Independence of token administration Independence of component certification

19

Challenges Existing investments, application neutrality

Maintaining progress ISO process Learning curve – have reached the right side of the bell curve!

Sustain simple forward looking, verifiable approach Avoid options; think beyond the ‘plastic’ Conformance testing

Global standard synchronization Global eID projects Standard activities in other areas

20 20

Who is using the standard?

Australia Australian access card for social services Queensland drivers license (trailblazer, beginning in

2005) Europe

EU Citizen Card German health card

US Future migration for federal government credential

mandated by FIPS 201 (PIV)

21 21

Contact Information:

Teresa Schwarzhoff

U.S. Department of Commerce, NIST

schwarzhoff@nist.gov

301.975.5727

Thank you.

Questions….

The best standard is one in which everyone is

equally happy

(and unhappy).