Sydney, Australia, November 2010:
Smart Cards are increasing in use worldwide. They play a growing role in the effective delivery of critical services such as healthcare, banking and transport and in the protection of most nations’ core IT and access control systems securing card holders identity.
The ISO/IEC 24727 Standard provides a unified global approach to the widely recognised need for consistency in the way Smart Card technology – specifically, their crucial authentication protocols – are standardized. The new Registration component is contained in Part 6 of the Standard. It offers a world first: a central repository where any authentication protocol can be publicly registered under a single ISO/IEC Registration Authority. From that point on, the specific authentication protocol can be explicitly referenced by its unique ISO/IEC compliant Object Identifier (OID).
Prior to the advent of ISO/IEC 24727, and the new registration authority, most Smart Card authentication protocols were either proprietary, not publicly documented, or there was no definitive publicly available reference document for them. Minor protocol differences are causing major interoperability issues.
This new approach has been long awaited and is welcomed by both developers and adopters of Smart Card technology. It has been designed to provide greater extensibility, efficiency and interoperability for Smart Card schemes – with associated benefits to the entire international community. This is especially the case for governments and other major organizations, which are looking for ways to interoperate between local, national and international Smart Card schemes in an increasingly global world. Because new authentication protocols can be registered in real-time the registration authority also opens the door for the latest and most innovative technology to come to market sooner.
"There are perhaps thousands of variants on hundreds of Smart Card authentication protocols in use globally. For the first time, ISO/IEC 24727 provides a standardized but flexible language for explicitly describing these authentication protocols. The new registration authority further improves interoperability by providing a methodology for rapidly communicating the details of both existing and new authentication protocols via the web site. End users can even register their use of particular protocols so that other parties can determine which protocols they must support in order to authenticate with them. The methodology provides certainty about interoperability and integrity that is very much needed in our global society," said Graeme Freedman, a leading international expert in Smart Card and related technology and the ISO editor for the Standard.
"In the last few years’ reliance on the obscurity of many protocols, lack of standardization, and even uncertainty about how proprietary protocols actually work, has led to an increase in the likelihood of successful systematic attacks. Having to evaluate and accredit the myriad of proprietary protocols has been a significant waste of money and resources, and may be beyond the capability of many projects or even certification laboratories. Weak authentication protocols leave potential for major disruptions to essential services across the globe, and a quick search of the internet shows a number have recently been breached. The methodology of documenting authentication protocols via a public registration authority means they can be openly evaluated by the best minds on the planet, and if weak, those weaknesses can be publicised in an open fashion on the internet. End-users can therefore evaluate the risks and countermeasures with full knowledge."
This does not mean there is no place for proprietary protocols; the registration authority also provides the commercial, licensing and patent contact details for each authentication protocol so potential end-users can contact the owner to arrange a licence. Authentication protocols which attract no licensing costs, such as those developed for ISO/IEC Standards, and ones contributed by supporting companies and industry organizations are also available on the Registry.
"For developers, there has been a lack of clarity around intellectual property issues when it comes to using or trying to develop better protocols, because no one knows which protocols are already are in use, are owned by companies or are in the public domain," said Graeme Freedman.
The Register component of the Standard addresses these critical issues.
"The ability to publicly register Smart Card authentication protocols enables open review and selection, protects the intellectual property of developers and provides them with an established, credible forum to showcase their protocols to potential licensees," explained Denis Dawkins, from SAI Global, the authorized Registration Authority called for in Part 6 of the Standard ISO/IEC 24727.
"At the same time, it assures technology adopters that the protocols registered within it have been tested for compliance to ISO/IEC 24727 and are available to be openly evaluated. They can see how popular a protocol is and where and how else it is used – a very strong indicator of its value."
"Up until now, with so many organizations developing their own protocols in their own way and without any common way to describe them, there’s been a real problem establishing interoperability," said Denis Dawkins.
Using the Register gives adopters of Smart Card technology certainty about whether, for example, a driver’s licence from one state is interoperable with the traffic authority or law enforcement protocols used in another; or an ID Smart Card used in one country can be read by other country’s immigration and security authorities.
Only protocols that have first been evaluated against and met the requirements of the ISO/IEC 24727 Standard via a self-check process described in Part 5 of the Standard can be registered.
To find out more about the Standard and how the Registration component works, including answers to Frequently Asked Questions, visit www.saiglobal.com/ISO24727-6. Once a protocol meets the requirements of the Standard, registration is a simple process that can be carried out online at the Authentication Protocol Registration Authority Website www.saiglobal.com/ISO24727-6.
ISO/IEC 24727-6 can be purchased online.
