The appointment of a worldwide registration authority for smart card authentication protocols conforming to the ISO/IEC 24727 standard will ensure greater interoperability and security in this technology, which plays a vital role in establishing identity so that services such as healthcare, banking and transport go to the right person. Smart cards are also used by governments and by public and private sector organizations for identification in critical areas such as security access and border controls.
From now on, there is a central repository where any authentication protocol can be publicly registered. From this point on, the specific authentication protocol can be explicitly referenced by its unique ISO/IEC compliant object identifier (OID).
Prior to the advent of ISO/IEC 24727 and the new registration authority, most smart card authentication protocols were proprietary, not publicly documented, or lacked a definitive publicly available reference document. Minor protocol differences can cause major interoperability issues.
This new approach has been long awaited and is welcomed by both developers and adopters of smart card technology. It has been designed to provide greater extensibility, efficiency and interoperability for smart card schemes – with associated benefits to the entire international community.
This is especially the case for governments and other major organizations that are looking for ways to inter-operate between local, national and international smart card schemes in an increasingly globalized world.
Because new authentication protocols can be registered in real time, the registration authority also opens the door for the latest and most innovative technology to come to market sooner.
“There are perhaps thousands of variants on hundreds of smart card authentication protocols in use globally,” comments Graeme Freedman, a leading international expert in smart card and related technology and the ISO editor of the standard.
“For the first time, ISO/IEC 24727 provides a standardized, but flexible language for explicitly describing these authentication protocols. The new registration authority further improves interoperability by providing a methodology for rapidly communicating the details of both existing and new authentication protocols via its Website.
“End users can even register their use of particular protocols so that other parties can determine which protocols they must support in order to authenticate with them. The methodology provides certainty about interoperability and integrity that is very much needed in our global society.
“In the last few years, lack of standardization, and even uncertainty about how proprietary protocols actually work, has led to an increase in the likelihood of successful systematic attacks. Having to evaluate and accredit the myriad of proprietary protocols has been a significant waste of money and resources and may be beyond the capability of many projects, or even certification organizations. Weak authentication protocols leave potential for major disruptions to essential services across the globe and a quick search of the Internet shows a number have recently been breached.
“The methodology of documenting authentication protocols via a public registration authority means they can be openly evaluated by the top specialists in this area and, if weak, those weaknesses can be publicised in an open fashion on the Internet. End-users can therefore evaluate the risks and countermeasures in possession of all the information they need.”
This does not mean there is no place for proprietary protocols. The registration authority also provides the commercial, licensing and patent contact details for each authentication protocol so that potential end-users can contact the owner to arrange a licence. Authentication protocols which attract no licensing costs, such as those developed for ISO/IEC standards, and ones contributed by supporting companies and industry organizations, are also available from the registration authority.
“For developers, there has been a lack of clarity around intellectual property issues when it comes to using or trying to develop better protocols, because no one knows which protocols are already in use, are owned by companies, or are in the public domain,” says Graeme Freedman. “The register component of the standard has been developed to address these critical issues.”
ISO/IEC 24727-6:2010, Identification cards - Integrated circuit card programming interfaces - Part 6: Registration authority procedures for the authentication protocols for interoperability, was developed by subcommittee SC 17, Cards and personal information, of the joint technical committee ISO/IEC JTC 1, Information technology, and is available from ISO national member institutes. It may also be obtained directly from the ISO Central Secretariat, price 106 Swiss francs, through the ISO Store or by contacting the Marketing, Communication & Information department.
- Cards and security devices for personal identification
- ISO/IEC 24727-1:2007 [Withdrawn] Identification cards - Integrated circuit card programming interfaces - Part 1: Architecture
- Identification cards - Integrated circuit card programming interfaces - Part 2: Generic card interface
- Identification cards - Integrated circuit card programming interfaces - Part 3: Application interface
- Identification cards - Integrated circuit card programming interfaces - Part 4: Application programming interface (API) administration
- Identification cards - Integrated circuit card programming interfaces - Part 5: Testing procedures
- Identification cards - Integrated circuit card programming interfaces - Part 6: Registration authority procedures for the authentication protocols for interoperability