1 / 21

U.S. Government Smart Card Program: Interoperability Features of the GSC-IS

U.S. Government Smart Card Program: Interoperability Features of the GSC-IS . John Wack NIST Smart Card Interoperability Workshop, CTST 2003 2 PM, May 12, 2003. Overview. Some basic terminology GSC-IS interoperability GSC-IS architecture The Basic Services Interface

marrim
Download Presentation

U.S. Government Smart Card Program: Interoperability Features of the GSC-IS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. U.S. Government Smart Card Program: Interoperability Features of the GSC-IS John Wack NIST Smart Card Interoperability Workshop, CTST 2003 2 PM, May 12, 2003

  2. Overview • Some basic terminology • GSC-IS interoperability • GSC-IS architecture • The Basic Services Interface • The Card Edge for File System Cards • The Card Edge for VM Cards

  3. GSC-IS Terminology • SPS – Service Provider Software • Talks to client apps and to smart card reader • Includes smart card reader driver (e.g., PC/SC) • BSI – Basic Services Interface • Client application API • XSI – Extended Services Interface • Vendor-specific • For card reader connects, non-interoperable functions • CEI – Card Edge Interface • For File System and Virtual Machine cards • CCC – Card Capability Container

  4. What Is Interoperable Here? • File reads and updates with access control • Internal Authentication • External Authentication • PIN verification • Signature generation • And, an APDU pass-thru capability for sending raw, card-specific APDUs

  5. Client Application Client Application Basic Services Interface (BSI) Extended Service Interface(s) ( Basic Services Interface (BSI) Extended Service Interface (XSI) Host Host PC PC Service Service Virtual Card Edge Interface (VCEI) Virtual Card Edge Interface (VCEI) Provider Provider Software Software Card Reader Driver Card Reader Driver (SPS) (SPS) Smart Card Smart Card Card Reader Card Reader Reader Reader GSC GSC - - IS Compliant Smart Card IS Compliant Smart Card Card Capabilities Container Card Capabilities Container (CCC) (CCC) Smart Card Smart Card Data Model Object (DM Data Model Object (DMO) Data Model Object (DMO) GSC-IS Architecture

  6. Basic Services Interface • A simple API, 21 functions • Interface used by client applications to communicate with the card • 3 categories • Utility – card connect, status, properties, pass-thru • Container – read, update, delete, properties • Access Control/Crypto – authentication, signature • Only what is necessary, simple • C and Java bindings available

  7. BSI Utility Functions • gscBsiUtilAcquireContext() • gscBsiUtilConnect() • gscBsiUtilDisconnect() • gscBsiUtilGetVersion() • gscBsiUtilGetCardProperties() • gscBsiUtilGetCardStatus() • gscBsiUtilGetExtendedErrorText() • gscBsiUtilGetReaderList() • gscBsiUtilPassthru() • gscBsiUtilReleaseContext()

  8. BSI Container Functions • gscBsiGcDataCreate() • gscBsiGcDataDelete() • gscBsiGetContainerProperties() • gscBsiGcReadTagList() • gscBsiGcReadValue() • gscBsiGcUpdateValue()

  9. BSI Authentication/Crypto Functions • gscBsiGetChallenge() • gscBsiSkiInternalAuthenticate() • gscBsiPkiCompute() • gscBsiPkiGetCertificate() • gscBsiGetCryptoProperties()

  10. Extended Services Interface • For functions outside the scope of GSC-IS interoperability • For vendor-specific functions • Examples include • Card reader power-up • Card initialization • Secure messaging

  11. What Happens Next? • The BSI functions “talk” to the Card Edge Interface, which talks to the card reader driver • BSI-packaged data must be repackaged into APDU commands and vice versa • As necessary, default APDUs must be mapped to card-specific APDUs

  12. The Card Edge Interface • The CEI is where card interoperability occurs • 2 CEIs: • File system cards – 13 default ISO 7816-compliant APDUs • Virtual machine, Java cards – 12 APDUs • CEI passes APDUs to card reader driver and card, and vice versa • CEI must format the APDUs correctly according to which card is in use

  13. Data Models • 2 defined data models, GSC and CAC • Others can be defined • Models are composed of containers (files) with associated access-control conditions • Containers are in SIMPLE TLV format • Containers are accessed by client applications via AIDs • AIDs are composed of RID + FID

  14. Card Capabilities Container • Only required container for a conformant card • Contains various version information • Contains encoded description of how card APDUs differ in syntax and operation from defaults for file system cards • Includes access control requirements for containers • Includes credential mappings

  15. APDU Mapping – File System Cards • There are 12 ISO 7816 default APDUs • Card vendor encodes differences between default and card’s native APDUs in the CCC • APDUs can differ in syntax as well as operation • Encoding uses the CCC Grammar rules • Grammar contains mechanisms for dealing with operational differences

  16. CCC Grammar Features • Native APDUs are encoded as 2-byte Tuples, as many as necessary for each APDU • Only differences between native and default need to be encoded • Pre- and post-command APDUs can be encoded, e.g., For Internal Authentication, Verify must precede and Get Challenge must follow • Operational differences are encoded for APDU parameters and data fields

  17. Descriptor Codes • Encoded in Tuples to describe differences in APDU operation and execution • Used to map differences in APDU parameter values and meanings • Used to map differences in APDU input and output data fields • Requires use of pre-defined table of descriptor codes with well-defined meanings

  18. VM Card Edge • VM cards can use either CEI, VM or FS • APDU encoding is not applicable for VM • VM-specific APDUs • TLV containers on VM cards are split: • A TL buffer containing only the tags and lengths • A V buffer containing only the values • Corresponding APDUs for reading and updating each buffer

  19. CEI Initialization • Occurs when a GSC-IS-conformant SPM loads • SPM locates the CCC and reads it according to following: • Detect whether VM or file system card; • If file system card edge being used, • If APDU encoding present, • Begin APDU mapping;

  20. 3 5 7 1 Smart Card 4 6 2 CCC How Does It Work? APDU Translation & Construction GSC APDU CCC BSI CEI Reader Driver Reader

  21. Contact Information John Wack U.S. Government Smart Card Program, NIST Voice: 301.975.3411 email: john.wack@nist.gov Website: http://smartcard.nist.gov (NISTIR 6887)

More Related