|
|
|
|
|
|
| Loading and managing card applications represent crucial security points during the lifecycle of the card. During these processes, the system could be compromised, which could affect the entire population of issued cards – in essence, rendering the entire system suspect and unusable. It is extremely important that the security of the protocols and systems that manage the on-card applications be sound and well evaluated. Many multi-application smart cards are only as secure as the card application that is running on them. If that card application were replaced, intentionally or inadvertently, an opportunity might occur for an on-card Trojan horse. There would be the potential for attackers to locate secret backdoors into which they could gain unauthorized access to card content once the cards were fielded. In the past, card manufacturers relied on highly secretive and proprietary methods for managing card applications. More recently, standards have focused on card application management – for example, GlobalPlatform (previously, Open Platform). GlobalPlatform provides a standard mechanism for loading and managing card applications and the associated security policies. These standards also provide a mechanism to securely authenticate and exchange encrypted messages with the card so that remote management might be possible. Even more recently, many of the methods defined in GlobalPlatform have become the basis for a new International Organization for Standardization (ISO) specification : ISO/IEC 7816-13 Identification cards – Integrated circuit cards – Part 13: Commands for application management in multi-application environment. The new ISO/IEC 7816 part 13 standard was developed in response to a request from Japan, which was approved in March 2004. The scope of this new standard is dedicated to multi-application cards and application management. It is intended to standardize the card interface for multi-application card management and will apply to the entire application life cycle, both before and after card issuance. GlobalPlatform (GP) is an international, non-profit association, with a goal to create and promote global smart card technology specifications, including specifications for smart cards, smart card devices, and smart card systems. Throughout the world, approximately 20 million individuals currently use smart cards that are implemented using Global Platform specifications. The strategy of GlobalPlatform is to create systems that are interoperable, backwards compatible, and standards-based, while serving the retail, health care, government, transit, financial, and mobile telecom industries. GlobalPlatform first became actively involved in the development of the new ISO standard in November 2004, when the organization made a significant technical contribution to the ISO 7816-13 standard, based on the GlobalPlatform Card Specification v2.1.1. The contribution was supported by the US InterNational Committee for Information Technology Standards (INCITS), the American National Standards Institute (ANSI) committee responsible for smart card technology, while experts from other countries such as Japan, Germany and France also provided valuable input during development in ISO/IEC Joint Technical Committee 1 Sub Committee 17, Working Group 4. The Final Committee Draft was posted for ISO ballot on 16 October 2006, and approved without negative votes 14 February 2007. ISO/IEC 7816-13:2007 Identification cards – Integrated circuit cards – Part 13: Commands for application management in multi-application environment was published 1 March 2007.
|
|
|
International Card Manufacturers Association © 2007 This site is Designed and Maintained By Creative Marketing Alliance |