
Business Seminar - Technical Overview & Roadmap

Business Seminar - Technical Overview & Roadmap. August 21, 2002 – Toronto Marc Kekicheff GlobalPlatform Technical Director. GlobalPlatform Device Committee. GlobalPlatform Card Committee. GlobalPlatform Security Architecture & Business Relationship Models. GlobalPlatform Systems Committee.


Presentation Transcript


  1. Business Seminar - Technical Overview & Roadmap August 21, 2002 – Toronto Marc Kekicheff GlobalPlatform Technical Director

  2. Agenda
     • GlobalPlatform Device Committee
     • GlobalPlatform Card Committee
     • GlobalPlatform Security Architecture & Business Relationship Models
     • GlobalPlatform Systems Committee
     • GlobalPlatform Technical Road-Map

  3. Device Committee: GlobalPlatform Device Framework Specification 2.0
     • Release of version 2.0 of GlobalPlatform Device Framework Specification
     • MOU with STIP Consortium announced at Cartes 2001
     • Objective is to offer a complete solution with the GPDF framework
     • STIP endorses GlobalPlatform application management definition
     • Dynamic device application management will be integrated in next release of GPDF specification

  4. GP Device Framework
     [Layer diagram. Layers shown: Business Logic Layer; Core Logic Layer; API for Environment & Platform Independent Services; Environment Services Layer; API for Environment & Platform Dependent Services; Platform Layer. Other labels: Select SID Service, CLC Services, Device Application …, CardDirectory Services, CLC Module 1, CLC Module n, Utilities, Card Slot, Mag. Stripe, PIN Processing, Printer, Communications, User Interface, Cryptography, Storage.]

  5. Card Committee
     • GP Compliance
     • GlobalPlatform Card Specification 2.1
     • GP Security Requirements Specification

  6. Any Application, Any Time, Any Where
     • Multiple Applications on a single card:
     • Market Segment of One
     • Cross-industry and card schemes interoperability
     • Any type of Application
     • Multiple Application Providers on a single card:
     • Multiple business partnerships
     • Any type of business models
     • Dynamic pre-issuance or post-issuance load / removal of Applications:
     • Anytime, Anywhere Access
     • Freedom and choice for cardholders

  7. Multi-Application Card Management
     • Portability of Applications across chip-cards:
     • “Write Once, Run Anywhere”™
     • Lower costs and faster time to market
     • Issuer has ultimate liability and responsibility towards cardholder:
     • Minimum on-card Issuer Control
     • Standardization of Smart Card Management Systems (application load, personalization, issuance, etc.)
     • Any type of Operating System/Platform
     • Lower costs and faster time to market
     • Backward compatibility with existing terminals & back-end systems
     • Interoperability

  8. Flexibility & Choice
     • Choice of Applications
     • Choice of Runtime Environment
     • Choice of Chip Platform
     • Choice of Operating System
     [Diagram labels: Standardized Back-Office Procedures; e-Purse, Credit, e-Com, Authent., Access, Loyalty; GlobalPlatform API; GlobalPlatform Card Manager; Java Card VM & API; WfSC VM & API; Proprietary; Card Vendor; OS; Integrated Circuit Chips.]

  9. Application Management Framework
     • Portability across OS/Platforms
     • Standardized processes and commands for load, install, removal
     • Files and data structures are application dependent, independent of OS/Platforms
     • Application lifecycle independent of card lifecycle
     • Load, install, removal at any time
     • Application lifecycle independent of each other
     • Separate lifecycle status
     • Separate application files and data store
     • One Loader/Personalizer per application (or set of applications)
     • Manages the coexistence of multiple applications on the same card

  10. Card Management Framework
     • Generic process for pre and post-issuance with:
     • Different level of security requirements
     • Different delivery channels
     • Allow Issuance and Personalization process
     • In Centralized Personalization Bureau
     • In walk-in situations (“instant issuance”)
     • Over open networks (at home over the Net, over the air, etc.)
     • By multiple entities and multiple Application Providers
     • Define a range of card and application management models:
     • From: Issuer Centric Model
     • To: Application Provider Empowered Model (“Delegated Management”)
     • Incl.: Controlling Authority Model

  11. Secure Management Framework
     • Augment the Platform Runtime Environment security features:
     • Secure communication to the card = Secure Channel Protocol
     • Can’t load/remove an application without proper authority
     • Authenticity and integrity of application code verified during loading
     • Treat on-card applications as untrusted
     • Applications deploy their own security features
     • Establish clearly roles and responsibilities on-card and off-card:
     • Card Issuer
     • Application Providers
     • etc.

  12. GlobalPlatform Security Architecture
     Roles and Responsibilities for:
     • Card Issuer
     • Application Provider
     • Runtime Environment
     • Card Manager
     • Security Domain
     • Applications
     • Back-Office Systems
     • GP Security Requirements

  13. Issuer Centric Model: Card Manager = On-card representative of the primary Issuer. Card Manager manages secure applet load, install, deletion.

  14. Delegated Management Model: Application Provider Security Domain performs secure load, install, deletion of pre-approved applets.

  15. Controlling Authority Model: Controlling Authority Security Domain verifies all loads of all applets.

  16. Business Relationship Models
     • Allow a multiplicity of trust models:
     • Controlling Authority Model
     • Issuer Centric Model
     • Application Provider Empowered Model
     • Optional on-card “global” Cardholder Verification Method(s)
     • Allow a multiplicity of privacy models:
     • Centralized back-office systems (SCMS, transactions, data capture, etc)
     • Distributed back-office systems (SCMS, transactions, data capture, etc)
     • Separation of applications by default (lifecycle, transactions, etc)
     • Limited secured on-card registry
     • Open to a multiplicity of business relationships
     • Card Issuer <-> Application Providers
     • Card Issuer / Application Providers <-> Cardholders

  17. System Committee: SCMS System v. 3.4 Document

  18. Card & App. Management System Flow

  19. Profile Specification Overview
     [Diagram labels: Card Manufacturer; Application Developer; SCMS; Card Profile (GP 2.1, Memory Space, Chip Req.); Application Profiles; Card Configuration; Applications Code; Cards; Compatible ??]

  20. Scripting Specification Overview
     [Diagram labels: Card Issuer; Application Providers; SCMS; Issuer Load Script; App. Perso. Script; Issuer KMS; App. KMS; App. Database; Applications Code; Applications Data; Cards; Personalization Processing; Issuer & App. Scripts Interpret & Execute]

  21. Card Issuance and Post-Issuance Process
     [Flow diagram labels: Application Development; Card Manufacturer; SCMS; Personalization Data Preparation; Card Creation; Personalization; Data Verification; Personalization Validation; Card Customization; Post Issuance Personalization; GP Application Profile + GP Load File Profile; GP Card Profile; Card Configuration; GP Script Interpreter; External XML Parser; Perso. Data File (i.e., P3 file); Application Specific Scripts; Messaging; Personalized Smart Cards]

  22. Typical Card Issuance and Post-Issuance
     [Diagram labels: Card Manufacturer; Chip. Mfg.; Production; Enablement; Application Loading (Mask); Personalization; Issuer; Card Manager Master Keys; Application Provider; Post Issue load]
     • Post issuance load can be done by the Issuer using the Card Manager keys or can be delegated to an Application Provider using Security Domains.
     • Card is then personalized by service provider or by card manufacturer.
     • There is no license fee to add or delete applications from the Issuer’s Card.
     • Card is enabled by loading appropriate Issuer keys. The Issuer can also opt for Delegated Management of certain applications. Integrity of the application that gets loaded is ensured by the delegated management features of GlobalPlatform Specification.
     • Orders cards, selects applications and has the option to partner with other Service / Application Providers.
     • Depending on volume and application stability, the Issuer has option to have applications masked into ROM.

  23. Agenda
     • GlobalPlatform Device Committee
     • GlobalPlatform Card Committee
     • GlobalPlatform Security Architecture & Business Relationship Models
     • GlobalPlatform Systems Committee
     • GlobalPlatform Technical Road-Map

  24. Compliance Requirements Specifications Activities Inventory

  25. Activities Road-Map (1)

  26. Activities Road-Map (2)

  27. Activities Road-Map (3)

  28. Activities Road-Map (4)

  29. Activities Road-Map (5)

  30. THANK YOU kekichef@globalplatform.org
