KISA - PowerPoint PPT Presentation

1 / 36
About This Presentation
Title:

KISA

Description:

A piece of IC chip and a plastic body. ? Exceptions : Plug-In ... Crypto. Engine. I/O. BUS. 9. Solutions for Real World. I. Health. Access. Electronic. Commerce ... – PowerPoint PPT presentation

Number of Views:57
Avg rating:3.0/5.0
Slides: 37
Provided by: hall5
Category:
Tags: kisa | crypto

less

Transcript and Presenter's Notes

Title: KISA


1
?????? ???
Pilyong Kang, Ph.D. (kangpy_at_kisa.or.kr)
2
Contents
Introduction
Security
Evaluation Certification
Conclusion Remarks
3
What is a Smart Card ?
A piece of IC chip and a plastic body
? Exceptions Plug-In Type SIM, etc.
4
What is it for ?
The Smart Card stores data and programs
- Protection by advanced security features -
Memory Micro Processor
Application Field
- Any field where secured data storage is
necessary
5
Types
6
Contact Smart Card
Source Gemplus
Communication through electrical contacts
7
Contactless Smart Card
Source Gemplus
Communication over the air
8
Internal Structure
ROM (160KB)
CPU 32bit,4MHz
EEPROM (64KB)
RAM (6.5KB)
BUS
I/O
Crypto Engine
9
Solutions for Real World
Transportation Card
SIM / USIM / R-UIM
Membership Card
Smart Card
Subscriber Authentication
ID Card
Health Care Card
Set-Top Box
10
Software Characteristics
Past
Single Application Controlled by Card
Manufacturer Inflexible
Applications
Card OS
Now
IC Chip
Virtual Machine Multi-Application Possible Very
Flexible
11
Native Platform
A single application specification
But several application developments
12
Open Platform
A single application specification
A single application development
13
Existing Open Platforms
14
Security in Smart Cards
Why can we trust a Smart Card ?
- What are the needs ? - How is it implemented ?
15
Authentication
Authentication - What for ?
- To verify a card or terminal is genuine
Transaction
Transaction
IS it a real transaction ?
Is it a real card ?
Is it a real terminal ?
16
Identification
Identification - What for ?
- To verify the identity of the card ? serial
number, cardholders identity, etc.
Transaction
It is my card, make the transaction.
Am I talking with the real cardholder ?
17
Integrity
Integrity - What for ?
- To ensure the message has not been modified
How much do you have ?
20
20
100
Was the message modified ?
18
Non-Repudiation
Non-Repudiation - What for ?
- To prevent the denial of a transaction
Transaction
Transaction
What was the exact content of the transaction ?
I never made this transaction !
19
Confidentiality / Privacy
Confidentiality - What for ?
- To keep information secret from all but those
authorized
_at_A/
?
Message
Message
20
How are those needs implemented in the card ?
Different level of security
- Physical protection of the chip - Security
during the manufacturing process - Security
during transaction
21
The Players
Electronic Circuit
Initialization Personalization
Card Distribution (Personalization)
22
Initialization / Personalization
Initialization
- Card associated with issuer - Security features
loaded
Personalization
- Application profile loaded - Cardholder profile
loaded
23
Card Personalization
Electrical Personalization
Downloading of data (application cardholder)
Graphical Personalization
Printing text or artwork on the card body
Making each Card Unique !
24
Data Loading (Ex SIM Card)
  • OS coded in ROM
  • Chip Number
  • Card serial number
  • Filters/Patches
  • Root directory
  • GSM files
  • Specific files
  • Operator data
  • Subscriber data
  • phone numbers, etc.
  • Post Perso OTA

Chip Data
Card Data
Network Data
Subscriber Data
25
Security Threats
Timing Attacks
Power Analysis
Simple Power Analysis Differential Power Analysis
Invasive Attacks
Probe Stations Focused Ion Beam
26
Security Evaluation Certification
Objective
- To provide assurance based on an evaluation of
TOE ? TOE Target of Evaluation (Ex IT
Product or System)
Evaluation Criteria
- EMV 1996, EVM 2000 - ITSEC(IT Security
Criteria) - CC(Common Criteria)
27
EMV (EUROPAY MasterCard VISA)
What is purpose of EMV ?
- Specifies the requirements for
interoperability - EMV 1996 V3.1.1, EMV 2000 V4.0
Test Approvals
- Level 1 Approved Interface Module - Level 2
Approved Application Kernels
28
ITSEC / CC (1/2)
Orange Book (TCSEC) 1985
Canadian Criteria (CTCPEC) 1993
Federal Criteria Draft 1993
CC v1.0 1996 v2.0 1998 v2.1 1999 v2.2 2004
UK Confidence Levels 1989
ITSEC 1991
German Criteria
Common Criteria (ISO 15408)
IT Security Criteria
French Criteria
29
ITSEC / CC (2/2)
EAL1
Functional Tested
E1
EAL2
Structural Tested
E2
EAL3
Methodically Tested Proofed
E3
EAL4
Methodically Developed, Tested Proofed
E4
EAL5
Semiformal Developed Tested
E5
EAL6
Semiformal Verification of the Design
E6
EAL7
Formal Verification of the Design
30
CC based Evaluation Certification Processes
- PP Protection Profile - ST Security Target
Security Objectives (PP/ST)
Evaluation Scheme
Security Requirements (PP/ST)
Evaluation Methodology
Evaluate IT Security of TOE
Certify Evaluation Results
Evaluation Results
Security Specification (ST)
Preliminary Evaluation Results
TOE Implementation
Evaluation Criteria (CC)
TOE Target of Evaluation
31
CCRA (Common Criteria Recognition Arrangement)
International Recognition of Test Results
Interim Arrangement (October 1997, March 1998)

Full Arrangement (October 1998)

Harmonized Arrangement (May 2000, Currently 812)
- CAP (Certificate Authorising Participant) 7
Countries (1) - CCP (Certificate Consuming
Participant) 7 Countries (5)
32
Security Evaluation Certification in Korea
Launched Evaluation Certification Program
(August 2002)
Adopted CC August 2002
Applied for Joining CCRA (September 2004)
Smart Card PP Published (December 2004)
Target of Evaluation Open Platform (COS
API) Evaluation Assurance Level EAL4
33
Conclusion Remarks (1/2)

2005/3/17 ?????? ???
34
Conclusion Remarks (2/2)
2005/3/17 ?????? ???
35
Question Answer
36
Thank You !!!
Write a Comment
User Comments (0)
About PowerShow.com