Global Standards Jeff Stapleton. OASIS February 9, 2012

Transcription

1 Global Standards Jeff Stapleton OASIS February 9, 2012

2 Agenda International and Domestic Organizations ISO, CEN, ANSI, NIST, PCI, IETF, others Standards Consensus Process NWIP, CD, WD, Draft Standard, Standard Security and Standards ISO TC68, CEN, X9 X9F1 Cryptographic Tools Cryptographic Protocols and Application Security X9F6 Cardholder Authentication

3 International and Domestic Organizations Internationally Recognized Organizations Self-Recognized ISO USA Member ANSI IETF PCI CEN TC68 US TAG X9 NIST JTC1 US TAG INCITS OASIS ISO: (1946) 172 countries 248 Technical Committees ~3000 standards TC68: Financial Services (1948) 63 countries 11 Subgroups 50 standards JTC1: ICT Standards (1987) 85 countries 19 Subgroups 357standards CEN: European (1991) 27 countries of EU Subgroups ~1000 standards ANSI: USA National Body (1918) 820 organizations 284 accredited groups X9: Financial Services (1984) 150 organizations 15 subgroups 115 standards INCITS: IT Standards (1961) 1700 organizations 40 subgroups (?) standards IETF: Internet (1986) Thousands individuals 118 subgroups 5734 specifications PCI SSC (2006) 520 members 3 standards ~24 documents NIST: Federal (1901) ~30 subgroups +10,000 documents Formerly NBS 3

4 Standards Consensus Process NWIP New Work Item Proposal Five (5) Board Level Sponsors X9 Ballot Approved Assigned X9 number and workgroup vote WD Working Draft Comment Resolution ANSI and X9 Procedures ISO X9F Ballot X9 Ballot US submission to ISO TC68 CD ANSI Review Committee Draft Comment Resolution(s) DS Draft Standard Comment Resolution ANS American National Standard 4

5 Security and Standards Security Area International Domestic Mobile Commerce TC68/SC7: Core Banking X9AB Payments ISO TC68/SC7/WG10: Mobile Crypto Algorithms Biometrics PKI TC68/SC2: Security TC/68/SC2/WG11: Crypto TC/68/SC2/WG10: Biometrics TC68/SC2/WG8: PKI X9.84 X9F X9F1 Timestamps JTC1/SC27: Timestamps X9.95 Wireless X9.112 Mutual Authentication X9.117 Cloud Security X9.125 PIN, Debit, Payment TC68/SC2/WG13: Retail X9F6 Securities TC68/SC4: Securities X9D ICT ISO/IEC JTC1 INCITS PPI CEN/WS XFS 5

6 X9F Data and Information Security Subcommittee X9F1 Cryptographic Tools Published Standards X9.31 RSA Digital Signatures X9.42 DH Key Agreement X9.44 RSA Key Transport X9.62 ECDSA X9.63 ECC Key Agreement X9.80 Prime Number Generation X9.82 Random Number Generation X9.92 ECPVS Signatures X9.98 LBP Key Establishment X9.102 Key Wrapping X9 Registry X9.123 ECC Implicit Certificates X9.124 FPE Works in Progress Topics Symmetric Algorithms Asymmetric Algorithms Digital Signatures Hashing Algorithms Number Generation Key Establishment Key Transport Key Agreement 6

7 X9F Data and Information Security Subcommittee Cryptographic Protocols and Application Security Published Standards X9.69 Key Management Extensions X9.73 CMS ASN.1 and XML X9.79 Public Key Infrastructure Part 1: Policy and Practices X9.84 Biometric Security X9.95 Trusted Time Stamp X9.112 Wireless Security Part 1: General Requirements X9.111 Penetration Testing TR-37 Migration from DES Works in Progress X9.117 Secure Remote Access X9.79 Public Key Infrastructure Part 3: Certificate Management Part 4: Asymmetric Key Management X9.112 Wireless Security Part 2: ATM and POS Part 3: Mobile Security X9.125 Cloud Security ISO Standardization ISO Certificates ISO Mobile ISO ISO PKI 7

8 X9F Data and Information Security Subcommittee X9F6 Cardholder Authentication and ICC Published Standards X9.8 PIN Security X9.24 Key Management Part 1: Symmetric Keys Part 2: Asymmetric Keys TR-39 (TG-3) PIN Audit Part 1: Acquirer Assessment X9.97 Cryptographic Devices Works in Progress TR-31 Key Block TR-34 RSA Key Transport TR-39 (TG-3) PIN Audit Part 2: Issuer Assessment X9.119 Sensitive Payment Data Part 1: Encryption Part 2: Tokenization X9.122 Consumer Authentication ISO Standardization ISO 9564 PIN Security ISO Key Management ISO Cryptographic Devices 8

9 Authentication Standards PIN Management and Security ISO 9564 PIN Management and Security X9.8 (ANSI version of ISO 9564 with 12 USA notes) Password Management and Security DoD CSC-STD Green Book FIPS 112 (withdrawn 2005) FIPS 181 Automated Password Generator NIST Special Pub Electronic Authentication Payment Cards JTC1 no ANSI or ISO standard ISO/IEC 7812 Identification cards -- Identification of Issuers (Track 1, Track 2) ISO/IEC 4909 Identification cards Magnetic Stripe Data Content for Track 3 ISO/IEC 7816 Identification Cards -- Integrated Circuit Cards (ICC) Biometric Information Management and Security ISO Financial Services Biometrics Security Framework X9.84 Biometric Information Management and Security X9F6 9 ISO and ANSI Standard

10 Cryptography Standards Symmetric Algorithms FIPS 46-3 Data Encryption NIST Standard (DES) (withdrawn 1999) NIST Special Pub Recommendations for TDEA Block Cipher (2004) FIPS 197 Advanced Encryption Standard (AES) Hash Algorithms FIPS Secure NIST Hash Standard (SHA) FIPS Keyed Hash Message Authentication (HMAC) Asymmetric Algorithms FIPS Digital Signature NIST Standard JTC1 (DSA) X9.31 Digital Signatures Using Reversible Cryptography (rdsa) X9.62 Elliptic Curve Digital Signature Algorithm (ECDSA) ISO/IEC 9798 Digital Signature Schemes Giving Message Recovery ISO/IEC Digital Signatures With Appendix Number Generation Algorithms X9.80 Prime Number Generation X9.82 Random Number Generation X9F1 10 ISO and ANSI Standard

11 Key Management Standards Key Establishment Schemes X9.42 Agreement of Symmetric Keys Using Discrete Logarithm Cryptography (Diffie-Hellman) X9.44 Key Establishment Using Integer Factorization Cryptography (RSA) X9.63 Key Agreement and Key Transport Using Elliptic Curve Cryptography Key Management Protocols (focused on PIN transactions) X9.24 Symmetric Key Management Part 1: Using Symmetric Keys X9.24 Symmetric Key Management Part 2: Using Asymmetric Techniques fro the Distribution of Symmetric Keys TR-31 Interoperable Secure Key Exchange Key Block Specification TR-34 Interoperable Method for Distribution of Symmetric Keys Using Asymmetric Techniques Part 1: Using Factoring-Based Public Key Cryptography Unilateral Key Transport TR-39 (TG-3) PIN Security and Key Management Guideline TR-37 Migration from DES (generic key management topics) X9F1 Key Management Interoperability Protocol (KMIP) OASIS X9F6 11 ISO and ANSI Standard

12 Application Security Standards Public Key Infrastructure (PKI) ISO Certificate Management for Financial Services Originally X9.57, to be replaced by X9.79 Part 3 ISO PKI for Financial Services Practices and Policy Framework Originally X9.79 PKI Part 1, evolved to Webtrust for CA auditing standard X9.79 PKI for Financial Services Part 3: Certificate Management (WIP) X9.79 PKI Part 4: Asymmetric Key Management (consideration) Time Stamp Management and Security ISO/IEC Security Techniques Time Stamping Services X9.95 Trusted Time Stamp Management and Security RFC 3161 Internet X.509 Time-Stamp Protocol Wireless Management and Security X9.112 Wireless Part 1: General Requirements X9.112 Wireless Part 2: POS and ATM (work in progress) X9.112 Wireless Part 3: Mobile Commerce (work in progress) Penetration Testing X9.111 Penetration Testing for Financial Services 12 ISO and ANSI Standard

13 References Questions 13