Smartcard ID Summit - March 2006 (4/27/2006)
GlobalPlatform: A Standard serving the Government ID market
Thierry Deffontaines – Gemplus
Agenda
What is GlobalPlatform?
  Organization overview
  An introduction to GlobalPlatform standards
  Overview of GlobalPlatform implementation in ID
GlobalPlatform: a system infrastructure
GlobalPlatform and standards
  Update on the GlobalPlatform work with ISO and ETSI in developing suitable working standards
Card Specification highlights
  Effective collaboration results: the GlobalPlatform Card Specification 2.2
  Overview of new features
New opportunities for the standardization of ID cards
Introduction to the Organization
What is GlobalPlatform?
An organization that:
  Creates a foundation for future growth
  Defines requirements and technology standards for smart cards, devices and systems
  Promotes smart card usage and adoption
Mission Statement
“Establish, maintain and drive adoption of standards to enable an open and interoperable infrastructure for smart cards, devices and systems that simplifies and accelerates development, deployment and management of applications across industries”
Membership Driven Organization
Approximately 50 members worldwide; members include Matsushita Electric Industrial Co Ltd and DAI NIPPON PRINTING CO., LTD
Practical Applications of Technology
Vision and standards are in practice: Financial, Mobile Telecom, Government, Security/ID/Authentication, Healthcare
Over 75 million cards deployed worldwide
An additional 650+ million GSM cards globally use GlobalPlatform technology for over-the-air (OTA) application download
[Chart: GlobalPlatform cards deployed per year. 2002: 20 million; 2003: 55 million; 2004: 65 million; 2005: 75 million; 2006+: 160 million]
ID implementation
Implementations
US Department of Defense (Government)
  Common Access Card: ID card for active military, selected reserves, DoD civilians, and contractors
  Contains physical and logical access controls
  Utilizes biometric technology and PIN
  Over 10 million cards issued
Macau SAR Project (Government, ID)
  Multifunctional identification card solution enabling e-government
  Distribution to Macau’s 460,000 citizens
  Solution providers include Bell ID, G&D, and NEC
Sultanate of Oman National ID Card (Government, ID)
  National ID program for Oman’s 2.7 million citizens
  1st smart card deployed in the Middle East
  Utilizes GlobalPlatform Card and Systems technology
  Solution providers include Gemplus, Datacard Group, and Sagem
Implementations (cont.)
Singapore e-passport (Government ID program)
  Highly secure passport: facial & fingerprint biometry, data page with electronic inlay laminated inside
  Actual deployment of electronic passports (approx. 250k passports per year)
  Utilizes GlobalPlatform Card & Systems technology
  3 leading companies: SNP, NEC and Gemplus
Moscow Social Card (Government, Transit, ID)
  Dual interface (contact/contactless) chip
  Includes transit application, social benefits and discounts, medical benefits, government ID data
  Visa Electron payment application, benefits and transit applications for qualified individuals through Bank of Moscow
GlobalPlatform Technology Overview
End-To-End Infrastructure
GlobalPlatform delivers the complete set of specifications for an end-to-end smart card infrastructure, covered by one Compliance Program:
  Card Specifications (CARDS): standardized and secure card and application management
  Systems Specifications (SYSTEMS): standardized back-end systems, i.e. the smart card management environment: messaging, key management, issuance, post-issuance
  Device Specifications (DEVICES): enable the acceptance of cards and services through multiple devices
Device Specifications
GlobalPlatform Device Overview
GlobalPlatform Device Mission
Enable a multi-application environment on devices
Enable coordinated development of card and device portions of smart card based applications
Enable development of portable device applications based on standard architecture:
  STIP Common Core and APIs
  STIP Profiles
  GlobalPlatform Abstraction APIs
GlobalPlatform Device Framework Architecture
GlobalPlatform Device Specification use cases
Multi-Agency Government case
  Makes possible the sharing of terminal applications
  Provides Agency-A to Agency-B mutually agreed interoperability beyond the scope of a global interoperability standard
Cross-border interoperability
  Framework to exchange device applications between countries
  Eases cross-border ID card recognition
System Infrastructure Specifications
GlobalPlatform System Infrastructure
Four technologies:
  Messaging
  Profile and Scripting
  CPS: Common Perso Specification, standard interoperable personalization
  Key Management System (KMS), Smart Card Management System concept (SCMS)
One compliance program
System Infrastructure: Messaging
GlobalPlatform Messaging specification defines:
  The roles that will exist
  The responsibilities of each role
  A common language (XML)
Roles (with abbreviations): Application Owner (AO), Application Developer (AD), Card Enabler (CE), IC Manufacturer (IM), Application Provider (AP), Card Issuer (IC), Card Manufacturer (CM), Platform Developer (PD), Collator/Decollator (CD), Loader (LO), Card Holder (CH), Platform Specification Owner (PS)
System Infrastructure Messaging: Roles and Responsibilities
For the roles of Card Issuer and Application Provider, the GlobalPlatform Messaging Specification will tell me what my responsibilities are
Framework that helps to define deployment of new applications
System Infrastructure: Profiles & Scripting
GP Systems support GP Profiles and GP Scripting:
  Card Profiles are generated by the smart card manufacturer
  Key Profiles are generated by the application developer and/or under the control of the issuer
  Application Profiles are generated by the application developer
  Issuer’s data stream (card-per-card data)
Result: a standardized process and personalization environment interoperability
Links with other standardization bodies
Collaborative Partners
AICF, APSCA, ETSI, Eurosmart, FINREAD, Global Collaboration Forum, INCITS, JCF, NICSS, NIST, OMTP, SCA
ISO 7816-13
Application to ISO for official ‘Liaison Member’: Liaison Member to SC17/WG4, approved by ISO (March ’05)
7816-13 - new smart card standard. Scope: commands for application management in a multi-application environment
  3 commands: Application management request, Load, Delete
  A subset of GP Card Spec v2.1.1 proposed via “Fast track”
Second draft (CD): Approved January 20
Pre-standard (FDIS) if approved at WG4 March meeting
Global Collaboration Forum
Today three regional frameworks exist:
  European: CWA 15264 eAuthentication and CEN 224_15 ECC
  Japanese: NICSS-Framework V1.0 - Next e-Japan Strategies have been approved by the Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Network Society in the Prime Minister's Office on 18 January 2006.
  North American: GSC-Framework V2.1 and PIV/FIPS 201
Global Collaboration Forum is working on creating a convergence road map
Technical advisors: GlobalPlatform & EuroSmart
ETSI (link with the Telecom industry)
ETSI's Smart Card Platform (SCP) Committee and GlobalPlatform collaborated and aligned their specifications:
  ETSI's UMTS Integrated Circuit Card (UICC) Specifications (TS 102 225 & 226) and the GlobalPlatform Card (2.1.1) Specification
New Work Item for ETSI Release 7: USSM (UICC Security Service Module), like a Key Management System in a card. Specification in ETSI ongoing, based on the GlobalPlatform 2.2 Card Specification
Card Specifications
Focus on:
  Overview of smart card architecture
  Security Domains
  GP Card 2.2 overview
Card Architecture
Card Manager Responsibilities
Managing application loading, installing and deleting
Application life cycle management, independent of the card life cycle
Security Services
Issuer Security Domain: represents the authority of the Card Issuer
Security Domain
Provides secure in-card support for different business relationships between Issuer and Application Provider
4 business models are available today:
  Issuer Centric Model
  DAP Verification Model
  Application Empowerment Model
  Controlling Authority Model
Apply to issuance and post-issuance
Controlling Authority Model
Multiple Security Domains: use cases & combinations
“RSA mandated DAP” verification (available since GP 2.1): usable for a certification control scheme
Security Domain crypto services to applet: a basic SD attached to the applet provides the GP standard Secure Channel to the application (perso., post-issuance, …). Allows application personalization compatible with the GP system framework.
Multiple Security Domains can be combined:
  Represent the respective different roles or authorities.
  Multiple mandated DAP Security Domains possible: applet integrity checking, registration checking, Certification Authority control
  Can be combined with Security Domains associated to applets for personalization.
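Added example, not from the presentation and not GlobalPlatform's own code: a Go model of the "RSA mandated DAP" check described above, in which every mandated DAP Security Domain must verify a signature over the load file before the Card Manager accepts the load, and several such domains (a certification authority, the issuer's integrity check) can be combined. Everything concrete is an assumption of this example: the SD labels, SHA-256 with PKCS#1 v1.5 signatures, the map-of-DAPs request shape and the hypothetical SecurityDomain/CardManager types. The Card Specification defines its own DAP block encoding, which is not reproduced here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Illustrative model of "mandated DAP" verification written for this page; not
// GlobalPlatform code: the DAP encoding, hash choice and SD labels are constructed.

// SecurityDomain holds one authority's public key. A Mandated domain must verify
// a DAP over every load file before the Card Manager accepts the load.
type SecurityDomain struct {
	AID      string
	Mandated bool
	PubKey   *rsa.PublicKey
}

// LoadRequest is what the off-card entity presents: the load file plus one DAP
// (RSA signature over the load file hash) per Security Domain label.
type LoadRequest struct {
	LoadFile []byte
	DAPs     map[string][]byte
}

// CardManager applies the mandated-DAP policy across all Security Domains.
type CardManager struct {
	Domains []SecurityDomain
}

func loadFileHash(lf []byte) []byte {
	h := sha256.Sum256(lf)
	return h[:]
}

// NewAuthority creates a Security Domain for an authority and returns the private
// key that authority keeps off-card (key generation failure is unrecoverable here).
func NewAuthority(aid string, mandated bool) (SecurityDomain, *rsa.PrivateKey) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return SecurityDomain{AID: aid, Mandated: mandated, PubKey: &priv.PublicKey}, priv
}

// SignDAP is the off-card step: the authority signs the load file hash.
func SignDAP(priv *rsa.PrivateKey, lf []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, loadFileHash(lf))
}

// Load is the on-card decision: every mandated SD must find a DAP addressed to it,
// and it must verify under that SD's key. One failure refuses the whole load;
// non-mandated domains take no part in the decision.
func (cm *CardManager) Load(req LoadRequest) error {
	digest := loadFileHash(req.LoadFile)
	for _, sd := range cm.Domains {
		if !sd.Mandated {
			continue
		}
		sig, ok := req.DAPs[sd.AID]
		if !ok {
			return fmt.Errorf("load refused: no DAP for mandated SD %s", sd.AID)
		}
		if err := rsa.VerifyPKCS1v15(sd.PubKey, crypto.SHA256, digest, sig); err != nil {
			return fmt.Errorf("load refused: DAP for SD %s does not verify", sd.AID)
		}
	}
	return nil
}

// DAPScenario sets up two mandated DAP domains (a certification authority and the
// issuer's integrity check) plus a plain applet SD, then attempts three loads:
// fully signed, signed by the CA only, and modified after signing (nil = accepted).
func DAPScenario() (signedOK, missingDAP, tampered error) {
	caSD, caKey := NewAuthority("SD-CA", true) // constructed labels, not real AIDs
	issSD, issKey := NewAuthority("SD-ISSUER", true)
	appSD, _ := NewAuthority("SD-APPLET", false)
	cm := &CardManager{Domains: []SecurityDomain{caSD, issSD, appSD}}
	loadFile := []byte("constructed applet load file bytes")
	caDAP, _ := SignDAP(caKey, loadFile)
	issDAP, _ := SignDAP(issKey, loadFile)

	signedOK = cm.Load(LoadRequest{loadFile, map[string][]byte{"SD-CA": caDAP, "SD-ISSUER": issDAP}})
	missingDAP = cm.Load(LoadRequest{loadFile, map[string][]byte{"SD-CA": caDAP}})
	modified := append([]byte{}, loadFile...)
	modified[0] ^= 0x01 // one-bit change after signing
	tampered = cm.Load(LoadRequest{modified, map[string][]byte{"SD-CA": caDAP, "SD-ISSUER": issDAP}})
	return
}

func main() {
	ok, missing, tampered := DAPScenario()
	fmt.Println("signed:", ok, "| missing DAP:", missing, "| tampered:", tampered)
}
```

Running it shows the three outcomes the slide's use cases imply: the load signed by both authorities is accepted, the one lacking the issuer's DAP is refused before anything is installed, and a single flipped bit after signing is refused by the first mandated domain checked. The point of the design is that the Card Manager never installs on a partial result; an attacker who controls one authority's signature still cannot satisfy the other mandated domain.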
Security Domains
The key to understanding security domains is understanding the concept of TRUST VS. CONTROL
[Diagram: Controlling Authority, Issuer Centric, DAP Verification, Application Provider Empowerment]
Latest Card Specifications
GP 2.2 now published
Collaboration on Card Specification 2.2
Mobile Telecom Standards
  ETSI: GSM 03.48, TS 23.048
  ETSI & 3G Smart Card Platform (SCP): TS 102.225, 102.226
  Objective: convergence on Over The Air technologies update
NICSS Collaboration
  Convergence with GP Card Specification
  Objective: dual compliance for cards
  Common Press Release in November 2005
eEurope and CEN
  Contribution of CEN eSign (area K) CWA 14890
  Integration of CEN TC 224 requirements
  Convergence with GP Card Specification
Department of Defense Collaboration
  Support of some requirements of the CAC project
Card Specification 2.2 overview
Re-engineering of the GlobalPlatform Card Framework
  Architectural extensions with Privileges and Security Domain hierarchies to support additional business models
  New Global Services, i.e. on-card client-server support
  Enhancement for contactless interfaces
  Improved logical channel support
Over-The-Air card content management
Support for the Multos™ run-time environment
Secure Channel protocol based on Public Key Infrastructure
Backward compatibility
Card 2.2 overview: PK SCP
PK card management: integrability in a certificate-based system
  Secret key management and “on-line” card management with the Card Issuer are no longer necessary
  Will permit fully controlled card management operations on the initiative of the card holder
  Already planned for Japanese ID deployment
PK secure channel protocol principle
  Initialization of the secure channel protocol with PK certificates
  Secure messaging with DES session keys
  2 models for DES session keys: real-time / push
  Unique card interface: standardized APDUs
Certificate contents & format: minimum contents requirements
PK services: on-card API for applications
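Added example, not the presentation's or GlobalPlatform's code: a Go sketch of the secure-messaging step of the PK SCP principle above, i.e. command APDUs protected by a DES session key once the certificate-based initialization has completed. The key establishment itself is not modeled. The 24-byte 3DES session key, the 0x80-then-zeros padding, CLA bit 0x04 as the secure-messaging flag, the counter-based replay protection and the APDU/Session types are all assumptions of this example, not the specification's byte-exact protocol. DES session keys reflect the 2006 specification and are kept for fidelity to the slide; later GlobalPlatform Secure Channel Protocols are AES-based.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Illustrative secure-messaging layer written for this page; it is not GlobalPlatform
// code and not the byte-exact SCP. The 3DES session key is assumed to have been
// established by the PK initialization (certificate exchange) on both sides.
// cbcMAC is a 3DES CBC-MAC (zero IV, last ciphertext block) over the sequence
// counter followed by data, so a replayed APDU no longer matches.
func cbcMAC(key []byte, seq uint16, data []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key) // key must be 24 bytes
	if err != nil {
		return nil, err
	}
	msg := append([]byte{byte(seq >> 8), byte(seq)}, data...)
	msg = append(msg, 0x80) // padding: 0x80 then zeros up to the 8-byte block boundary
	for len(msg)%8 != 0 {
		msg = append(msg, 0)
	}
	ct := make([]byte, len(msg))
	cipher.NewCBCEncrypter(block, make([]byte, 8)).CryptBlocks(ct, msg)
	return ct[len(ct)-8:], nil
}

// APDU is a command APDU header plus data field.
type APDU struct {
	CLA, INS, P1, P2 byte
	Data             []byte
}

func (a APDU) header() []byte { return []byte{a.CLA, a.INS, a.P1, a.P2} }

// Wrap is the off-card side: flag secure messaging in CLA (bit 0x04 used here) and
// append an 8-byte MAC over header and data. Output: CLA INS P1 P2 Lc Data MAC.
func Wrap(key []byte, seq uint16, a APDU) ([]byte, error) {
	a.CLA |= 0x04
	mac, err := cbcMAC(key, seq, append(a.header(), a.Data...))
	if err != nil {
		return nil, err
	}
	out := append(a.header(), byte(len(a.Data)+8))
	return append(append(out, a.Data...), mac...), nil
}

// Session is the card side: the session key and the next expected counter.
type Session struct {
	Key []byte
	Seq uint16
}

// Unwrap checks framing, the secure-messaging bit and the MAC under the expected
// counter; the counter advances only when a command is accepted.
func (s *Session) Unwrap(raw []byte) (APDU, error) {
	if len(raw) < 5 || len(raw) != 5+int(raw[4]) || raw[4] < 8 || raw[0]&0x04 == 0 {
		return APDU{}, errors.New("rejected: bad framing or secure-messaging bit not set")
	}
	data, mac := raw[5:len(raw)-8], raw[len(raw)-8:]
	expected, err := cbcMAC(s.Key, s.Seq, append(append([]byte{}, raw[:4]...), data...))
	if err != nil {
		return APDU{}, err
	}
	if subtle.ConstantTimeCompare(mac, expected) != 1 {
		return APDU{}, errors.New("rejected: MAC verification failed")
	}
	s.Seq++
	return APDU{raw[0], raw[1], raw[2], raw[3], append([]byte{}, data...)}, nil
}

// SCPScenario sends one valid command, one tampered in transit, and a replay of the
// first; it returns the accepted data and the two rejection errors.
func SCPScenario() (accepted string, tamperedErr, replayErr error) {
	key := []byte("constructed-3DES-key-24b") // constructed 24-byte session key
	card := &Session{Key: key, Seq: 1}
	cmd := APDU{CLA: 0x80, INS: 0x01, Data: []byte("constructed perso data")}
	first, _ := Wrap(key, 1, cmd)
	plain, err := card.Unwrap(first)
	if err != nil {
		return "", err, err
	}
	accepted = string(plain.Data)
	second, _ := Wrap(key, 2, cmd)
	second[5] ^= 0xFF // flip one data byte in transit
	_, tamperedErr = card.Unwrap(second)
	_, replayErr = card.Unwrap(first) // card now expects counter 2, so the old MAC fails
	return
}

func main() {
	acc, tampered, replay := SCPScenario()
	fmt.Println("accepted:", acc, "| tampered:", tampered, "| replay:", replay)
}
```

Two details carry the security argument: the MAC is compared in constant time, and the card's counter moves only after a successful verification, so a rejected or replayed command cannot desynchronise the session or be accepted twice. In a real card the same checks would run inside the Security Domain that provides the Secure Channel to the applet, which is the "crypto services to applet" arrangement the earlier slide describes.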
Focus on eID: New opportunities for the standardization of ID cards
Road to Success
Governments are eager to secure a unified infrastructure for an interoperable ID program, encouraging public acceptance and usage of eID programs
By offering additional services outside the conventional ID application, governments intend to demonstrate the advantages a smart card program offers:
  e-government applications
  non-government applications, such as transit cards and ATM cash withdrawal
In order to leverage investment in such schemes, multi-application programs require a platform that is flexible and offers post-issuance capabilities
GlobalPlatform Value Proposal in ID
GlobalPlatform infrastructure proposes a set of ready-to-use solutions for managing an ID application:
On-card application management: see previous slides
Systems specifications provide accurate tools for issuance, post-issuance and key management
  The Common Perso approach can provide a standard personalization extension to the Logical Data Structure concept
  The Messaging Specification can provide a standard data exchange with the new actors or systems in the issuance (and post-issuance) flow
Device management: device application management framework for cross-border or cross-domain (Government and private) application deployment
Based on this multi-application infrastructure, only the business part of the application/scheme has to be standardized by an ad hoc committee
Benefits of GlobalPlatform Standards
Greatly simplified smart card management environment
  Need for specialized knowledge and training reduced
  Migration to post-issuance personalization greatly simplified
  Same technology for e-Passport and e-Government programs
Lower costs to implement single and multi-application smart card programs
  Achieved through standardization
  Economies of scale
Standards promote accelerated growth of applications
  “Time to market” is reduced
  Cardholder value proposition increases
Visit our website @ www.globalplatform.org
  Find information about becoming a member of GlobalPlatform
  Download GlobalPlatform Specifications ‘royalty free’
GlobalPlatform Day at CardTech 2006
May 2, 2006, FT03
San Francisco, CA