1
Perspectives of Interoperable Card Content Management using GlobalPlatform Card Specification V2.2
Klaus P. Gungl, GlobalPlatform Card Committee Chair
2
Topics
How did we get to GPCS 2.2?
Highlights summary
Privileges
Over-The-Air Content Management
Global Service
PKI based Secure Channel Protocol
3
Interoperability for an End-To-End Infrastructure
GlobalPlatform delivers the complete set of specifications for an end-to-end smart card infrastructure, covering cards, systems and devices, backed by a Compliance Program.
Card Specifications: standardized and secure card and application management.
Systems Specifications: standardized back-end systems, i.e. the smart card management environment: messaging, key management, issuance and post-issuance.
Device Specifications: enable the acceptance of cards and services through multiple devices.
4
Collaboration on Card Specification 2.2
Mobile Telecom Standards
ETSI: GSM 03.48, TS 23.048
ETSI & 3G Smart Card Platform (SCP): TS 102.225, 102.226
Objective: convergence on the Over-The-Air technologies update
NICSS Collaboration
Convergence with the GP Card Specification
Objective: dual compliance for cards
Common press release in November 2005
eEurope and CEN
Contribution of CEN eSign (area K) CWA 14890
Integration of CEN TC 224 requirements
Convergence with the GP Card Specification
Department of Defense Collaboration
Support of some requirements of the CAC project
5
A Powerful Platform
6
From GP 2.1.1 to GP 2.2

| Feature | Spec 2.1.1 | Spec 2.2 | Usage |
|---|---|---|---|
| Secure Channel Protocol (SCP) | Symmetric key based SCP | Symmetric key based SCP; PKI based SCP | Extended business models for service providers |
| SIM / wireless | - | Over-the-Air | Support for OTA based content management |
| Privileges | Fixed features | Extended Privileges | Flexible on-card enforcement mechanisms for new business relationships |
| RTE API | JavaCard API | JavaCard API; C API | JavaCard support, Multos support |
| Dual interface | - | Explicit contactless support | Support for dual interface cards |
| On-card services | Fixed services | Global Service | Client-server on card |
| Key Management | Fixed key usage | Extended key management | Separation of application service keys and administration keys |
7
Players on a Multi-Application Smart Card
8
Privileges...
9
...Privileges
Privileges enforce policies:
You can load your own applications: Delegated Management is assigned to the Security Domain, and Token Verification is assigned to the corresponding ISD.
The Card Issuer does not need a token: Authorized Management is assigned to the ISD.
Any application or package may be deleted: Global Delete is assigned to an entity's Security Domain.
A receipt is needed from Delegated Management: Receipt Calculation (named Receipt Generation in the published 2.2 specification) is assigned to a Security Domain.
An on-card application can provide services to other on-card applications: Global Service is assigned to the server application.
An application needs to trust its Security Domain during OTA personalization: Trusted Path is assigned to the Security Domain.
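As an added example (not from the slides and not GlobalPlatform's own code), the following Python decodes and encodes the GP 2.2 privileges field and checks a privilege set against the assignment rules the slide lists. The bit layout is taken from GP Card Specification 2.2, Table 6-2, not from this deck; treating the slide's SD-assigned privileges as SD-only and the mutual exclusion of Authorized Management and Delegated Management are this example's assumed reading of the specification; the three sample roles are constructed.

```python
from __future__ import annotations

# GlobalPlatform 2.2 privileges field: a 3-byte bit mask (GP 2.1.1 used only the
# first byte) carried in INSTALL [for install] and reported by GET STATUS.
# Bit layout per GP Card Specification 2.2, Table 6-2 (from the published
# specification, not from the slide deck above).
PRIVILEGE_BITS = {
    # byte 1: identical to the single privilege byte of GP 2.1.1
    (0, 0x80): "Security Domain",
    (0, 0x40): "DAP Verification",
    (0, 0x20): "Delegated Management",
    (0, 0x10): "Card Lock",
    (0, 0x08): "Card Terminate",
    (0, 0x04): "Card Reset",
    (0, 0x02): "CVM Management",
    (0, 0x01): "Mandated DAP Verification",
    # byte 2: new in GP 2.2
    (1, 0x80): "Trusted Path",
    (1, 0x40): "Authorized Management",
    (1, 0x20): "Token Verification",
    (1, 0x10): "Global Delete",
    (1, 0x08): "Global Lock",
    (1, 0x04): "Global Registry",
    (1, 0x02): "Final Application",
    (1, 0x01): "Global Service",
    # byte 3: new in GP 2.2; the low nibble is RFU
    (2, 0x80): "Receipt Generation",
    (2, 0x40): "Ciphered Load File Data Block",
    (2, 0x20): "Contactless Activation",
    (2, 0x10): "Contactless Self-Activation",
}
NAME_TO_BIT = {name: bit for bit, name in PRIVILEGE_BITS.items()}

# Privileges the slide assigns to a Security Domain (ISD or supplementary SD).
# Treating them as SD-only is the policy this example enforces (assumption).
SD_ONLY = {
    "Delegated Management", "Token Verification", "Authorized Management",
    "Global Delete", "Receipt Generation", "Trusted Path",
}


def decode_privileges(raw: bytes) -> set[str]:
    """Map a 1-byte (GP 2.1.1) or 3-byte (GP 2.2) privileges field to names."""
    if len(raw) not in (1, 3):
        raise ValueError(f"privileges field must be 1 or 3 bytes, got {len(raw)}")
    if len(raw) == 3 and raw[2] & 0x0F:
        raise ValueError("RFU bits set in privileges byte 3")
    return {
        name for (idx, mask), name in PRIVILEGE_BITS.items()
        if idx < len(raw) and raw[idx] & mask
    }


def encode_privileges(names: set[str]) -> bytes:
    """Build the 3-byte GP 2.2 privileges field from privilege names."""
    out = bytearray(3)
    for name in names:
        idx, mask = NAME_TO_BIT[name]  # KeyError on an unknown privilege name
        out[idx] |= mask
    return bytes(out)


def policy_violations(names: set[str]) -> list[str]:
    """Check a privilege set against the assignment rules the slide describes."""
    problems = []
    if "Security Domain" not in names:
        for p in sorted(names & SD_ONLY):
            problems.append(f"{p} requires the Security Domain privilege")
    if {"Authorized Management", "Delegated Management"} <= names:
        # an entity either manages content on its own authority (issuer) or
        # under issuer-signed tokens (Delegated Management), not both (assumed rule)
        problems.append("Authorized Management and Delegated Management are mutually exclusive")
    return problems


# Constructed sample roles reflecting the slide's policies
ISSUER_SD = {"Security Domain", "Authorized Management", "Token Verification",
             "Receipt Generation", "Global Delete", "Global Lock",
             "Global Registry", "Trusted Path"}
PROVIDER_SD = {"Security Domain", "Delegated Management", "DAP Verification"}
SIGNING_APP = {"Global Service"}

if __name__ == "__main__":
    for label, privs in (("ISD", ISSUER_SD), ("SP SD", PROVIDER_SD),
                         ("signing app", SIGNING_APP)):
        field = encode_privileges(privs)
        assert decode_privileges(field) == privs
        print(f"{label:12s} {field.hex()}  violations: {policy_violations(privs)}")
    # An ordinary application carrying the Delegated Management bit without SD
    print("bad:", policy_violations(decode_privileges(bytes.fromhex("200000"))))
```

The check is the kind of sanity test a card-management back end can run on an INSTALL command before sending it: the card will enforce the privileges it is given, so a wrong bit mask becomes an on-card policy the issuer did not intend.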
10
Application Management for Telco
11
Global Service
General idea: an application can do something that is useful to the other applications on the card. Share this capability and provide it to the other applications as a Global Service.
Example: signing and signature verification can be seen as a Global Service.
Required: Global Service Privilege
12
Global Service cont.
A Global Services Application:
Service Family: offer several services to anyone that might want to use one of them.
Unique Service: offer a specific service present only once on the card.
Consider the additional responsibilities of the Issuer, the Controlling entity, the Server Application provider, and the Client Application provider.
13
Global Service Privilege
14
PKI based Secure Channel: SCP10
SCP01 and SCP02:
SCP initiation using symmetric keys
Initiated channel uses Secure Messaging with symmetric session keys
Provider must have a Security Domain on the card
SCP10 business requirement:
Extend the business model to include participants not present on the card with a Security Domain (card-external infrastructure)
Technical background:
Initiate the Secure Channel using PKI
Initiated channel uses Secure Messaging with symmetric session keys
PKI extends the content management capabilities of GlobalPlatform to additional business models, e.g. Service Providers
15
On-Demand Model
16
Visit our website @ www.globalplatform.org
Find information about becoming a member of GlobalPlatform
Download GlobalPlatform Specifications ‘royalty free’