Global Standards
Jeff Stapleton

OASIS – February 9, 2012

Agenda

• International and Domestic Organizations
‒ ISO, CEN, ANSI, NIST, PCI, IETF, others…
• Standards Consensus Process
‒ NWIP, CD, WD, Draft Standard, Standard…
• Security and Standards
‒ ISO TC68, CEN, X9
‒ X9F1 Cryptographic Tools
‒ X9F4 Cryptographic Protocols and Application Security
‒ X9F6 Cardholder Authentication

International and Domestic Organizations

Internationally Recognized Organizations
• IETF
• ISO – ANSI is the USA Member
‒ TC68 – X9 is the US TAG
‒ JTC1 – INCITS is the US TAG
• CEN

Self-Recognized
• PCI
• NIST
• OASIS

ISO (1946)
‒ 172 countries
‒ 248 Technical Committees
CEN: European (1991)
‒ 27 countries of EU + 4
‒ 390+ Subgroups
ANSI: USA National Body (1918)
‒ 820 organizations
‒ 284 accredited groups
IETF: Internet (1986)
‒ Thousands individuals
‒ 118 subgroups
‒ 5734 specifications
Standards counts shown for ISO, CEN and ANSI: ~3000 standards, ~1000 standards

X9: Financial Services (1984)
‒ 150 organizations
‒ 15 subgroups
‒ 115 standards
TC68: Financial Services (1948)
‒ 63 countries
‒ 11 Subgroups
‒ 50 standards
PCI SSC (2006)
‒ 520 members
‒ 3 standards
‒ ~24 documents

INCITS: IT Standards (1961)
‒ 1700 organizations
NIST: Federal (1901)
‒ Formerly NBS
JTC1: ICT Standards (1987)
‒ 85 countries
‒ 19 Subgroups
Other figures shown for INCITS, NIST and JTC1: ~30 subgroups, 40 subgroups, +10,000 documents, (?) standards, 357 standards

Standards Consensus Process

• New Work Item Proposal – NWIP
‒ Five (5) Board Level Sponsors
‒ X9 Ballot Approved – Assigned X9 number and workgroup
• WD – Working Draft
‒ X9F4 vote → Comment Resolution
• CD – Committee Draft
‒ X9F Ballot → Comment Resolution(s) (ANSI and X9 Procedures)
‒ X9 Ballot
• DS – Draft Standard
‒ ANSI Review → Comment Resolution
• ANS – American National Standard
‒ US submission of the ANS to ISO TC68

Security and Standards

Security Area | International | Domestic
Mobile Commerce | TC68/SC7: Core Banking; ISO 12812; TC68/SC7/WG10: Mobile | X9AB Payments
Security | TC68/SC2: Security | X9F
Crypto Algorithms | TC68/SC2/WG11: Crypto | X9F1
Biometrics | TC68/SC2/WG10: Biometrics | X9.84
PKI | TC68/SC2/WG8: PKI | X9F4
Timestamps | JTC1/SC27: Timestamps | X9.95
Wireless | – | X9.112
Mutual Authentication | – | X9.117
Cloud Security | – | X9.125
PIN, Debit, Payment | TC68/SC2/WG13: Retail | X9F6
Securities | TC68/SC4: Securities | X9D
ICT | ISO/IEC JTC1 | INCITS
PPI | CEN/WS XFS | –

X9F Data and Information Security Subcommittee – X9F1 Cryptographic Tools

Published Standards
• X9.31 RSA Digital Signatures
• X9.42 DH Key Agreement
• X9.44 RSA Key Transport
• X9.62 ECDSA
• X9.63 ECC Key Agreement
• X9.80 Prime Number Generation
• X9.82 Random Number Generation
• X9.92 ECPVS Signatures
• X9.98 LBP Key Establishment
• X9.102 Key Wrapping
• X9 Registry

Works in Progress
• X9.123 ECC Implicit Certificates
• X9.124 FPE

Topics
• Symmetric Algorithms
• Asymmetric Algorithms
• Digital Signatures
• Hashing Algorithms
• Number Generation
• Key Establishment
‒ Key Transport
‒ Key Agreement

X9F Data and Information Security Subcommittee – X9F4 Cryptographic Protocols and Application Security

Published Standards
• X9.69 Key Management Extensions
• X9.73 CMS – ASN.1 and XML
• X9.79 Public Key Infrastructure
‒ Part 1: Policy and Practices
• X9.84 Biometric Security
• X9.95 Trusted Time Stamp
• X9.112 Wireless Security
‒ Part 1: General Requirements
• X9.111 Penetration Testing
• TR-37 Migration from DES

Works in Progress
• X9.117 Secure Remote Access
• X9.79 Public Key Infrastructure
‒ Part 3: Certificate Management
‒ Part 4: Asymmetric Key Management
• X9.112 Wireless Security
‒ Part 2: ATM and POS
‒ Part 3: Mobile Security
• X9.125 Cloud Security

ISO Standardization
• ISO 15782 Certificates
• ISO 12812 Mobile
• ISO 19092 Biometrics
• ISO 21188 PKI

X9F Data and Information Security Subcommittee – X9F6 Cardholder Authentication and ICC

Published Standards
• X9.8 PIN Security
• X9.24 Key Management
‒ Part 1: Symmetric Keys
‒ Part 2: Asymmetric Keys
• TR-39 (TG-3) PIN Audit
‒ Part 1: Acquirer Assessment
• X9.97 Cryptographic Devices

Works in Progress
• TR-31 Key Block
• TR-34 RSA Key Transport
• TR-39 (TG-3) PIN Audit
‒ Part 2: Issuer Assessment
• X9.119 Sensitive Payment Data
‒ Part 1
‒ Part 2: Tokenization
• X9.122 Consumer Authentication

ISO Standardization
• ISO 9564 PIN Security
• ISO 11568 Key Management
• ISO 13491 Cryptographic Devices

Authentication Standards

• PIN Management and Security – X9F6
‒ ISO 9564 PIN Management and Security
‒ X9.8 (ANSI version of ISO 9564 with 12 USA notes)
• Password Management and Security – no ANSI or ISO standard
‒ DoD CSC-STD-002-85 Green Book
‒ FIPS 112 (withdrawn 2005)
‒ FIPS 181 Automated Password Generator
‒ NIST Special Pub 800-63 Electronic Authentication
• Payment Cards – JTC1
‒ ISO/IEC 7812 Identification cards – Identification of Issuers (Track 1, Track 2)
‒ ISO/IEC 4909 Identification cards – Magnetic Stripe Data Content for Track 3
‒ ISO/IEC 7816 Identification Cards – Integrated Circuit Cards (ICC)
• Biometric Information Management and Security – X9F4
‒ ISO 19092 Financial Services – Biometrics – Security Framework
‒ X9.84 Biometric Information Management and Security

ISO and ANSI Standard: Cryptography Standards

• Symmetric Algorithms – NIST
‒ FIPS 46-3 Data Encryption Standard (DES) (withdrawn 1999)
‒ NIST Special Pub 800-67 Recommendations for TDEA Block Cipher (2004)
‒ FIPS 197 Advanced Encryption Standard (AES)
• Hash Algorithms – NIST
‒ FIPS 180-3 Secure Hash Standard (SHA)
‒ FIPS 198-1 Keyed Hash Message Authentication (HMAC)
• Asymmetric Algorithms – NIST, JTC1
‒ FIPS 186-3 Digital Signature Standard (DSA)
‒ X9.31 Digital Signatures Using Reversible Cryptography (rDSA)
‒ X9.62 Elliptic Curve Digital Signature Algorithm (ECDSA)
‒ ISO/IEC 9798 Digital Signature Schemes Giving Message Recovery
‒ ISO/IEC 14888 Digital Signatures With Appendix
• Number Generation Algorithms – X9F1
‒ X9.80 Prime Number Generation
‒ X9.82 Random Number Generation

ISO and ANSI Standard: Key Management Standards

• Key Establishment Schemes – X9F1
‒ X9.42 Agreement of Symmetric Keys Using Discrete Logarithm Cryptography (Diffie-Hellman)
‒ X9.44 Key Establishment Using Integer Factorization Cryptography (RSA)
‒ X9.63 Key Agreement and Key Transport Using Elliptic Curve Cryptography
• Key Management Protocols (focused on PIN transactions) – X9F6
‒ X9.24 Symmetric Key Management – Part 1: Using Symmetric Keys
‒ X9.24 Symmetric Key Management – Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys
‒ TR-31 Interoperable Secure Key Exchange Key Block Specification
‒ TR-34 Interoperable Method for Distribution of Symmetric Keys Using Asymmetric Techniques – Part 1: Using Factoring-Based Public Key Cryptography Unilateral Key Transport
‒ TR-39 (TG-3) PIN Security and Key Management Guideline
‒ TR-37 Migration from DES (generic key management topics) – X9F4
‒ Key Management Interoperability Protocol (KMIP) – OASIS

ISO and ANSI Standard: Application Security Standards

• Public Key Infrastructure (PKI) – X9F4
‒ ISO 15782 Certificate Management for Financial Services
  • Originally X9.57, to be replaced by X9.79 Part 3
‒ ISO 21188 PKI for Financial Services – Practices and Policy Framework
  • Originally X9.79 PKI – Part 1, evolved into the WebTrust for CA auditing standard
‒ X9.79 PKI for Financial Services – Part 3: Certificate Management (WIP)
‒ X9.79 PKI – Part 4: Asymmetric Key Management (under consideration)
• Time Stamp Management and Security – X9F4
‒ ISO/IEC 18014 Security Techniques – Time Stamping Services
‒ X9.95 Trusted Time Stamp Management and Security
‒ RFC 3161 Internet X.509 Time-Stamp Protocol
• Wireless Management and Security – X9F4
‒ X9.112 Wireless – Part 1: General Requirements
‒ X9.112 Wireless – Part 2: POS and ATM (work in progress)
‒ X9.112 Wireless – Part 3: Mobile Commerce (work in progress)
• Penetration Testing – X9F4
‒ X9.111 Penetration Testing for Financial Services

ISO and ANSI Standard: References

• www.iso.org
• www.ansi.org
• www.x9.org
• www.ietf.org
• www.incits.org
• www.pcisecuritystandards.org
• http://csrc.nist.gov/publications/PubsFIPS.html

Questions
