Enhancing Trust for Governments using the Latest GlobalPlatform Standards
Dongyan Wang
GlobalPlatform Technical Program Manager
Thursday 20 March
GP Confidential©2013
@GlobalPlatform_ www.linkedin.com/company/globalplatform
GlobalPlatform Positioning
Across several market sectors and in converging sectors
GlobalPlatform is the standard for managing applications on secure chip technology:
• Trusted Execution Environment
• Secure Element
• Premium Content
Our Collaborative Industry Partners
Some Regulations
Legal Act: Scope
Regulation (EC) 45/2001: On the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data
Commission Decision 2001/497/EC: On standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC
Directive 2002/58/EC: Concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
Commission Decision 2002/16/EC: On standard contractual clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC
Commission Decision 2004/915/EC: Amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries
Directive 2006/24/EC: On the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC
COM(2007) 228 final: On Promoting Data Protection by Privacy Enhancing Technologies (PETs)
COM(2007) 87 final: On the follow-up of the Work Program for better implementation of the Data Protection Directive
COM(2012) 10 final, 2012/0010 (COD): On the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data
Other Initiatives
• PIA working in practice globally
– China's legislature passed an amendment to the country's Consumer Rights Protection Law (the 'Amendment'), which introduces new data privacy protections in the amended Consumer Protection Law, effective March 15, 2014
– ICO (Information Commissioner's Office) published Conducting privacy impact assessments code of practice - Data Protection Act v1.0 (effective February 25, 2014)
– French Data Protection Authority ('CNIL') adopted several amendments to its Single Authorization AU-004 regarding the processing of personal data in the context of whistleblowing schemes (the 'Single Authorization'), as published on February 11, 2014
– ANR (Agence Nationale de la Recherche) Workshop on Privacy by Design in April 2012
– The Treasury Board of Canada Secretariat's (TBS) Directive on Privacy Impact Assessment (effective April 1, 2010)
– US Department of Commerce PIA requirement based on Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors (August 27, 2004)
– South Korea's new Personal Information Protection Act came into force on September 30, 2011
– …
• Privacy Control Catalog (Appendix J of Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53, Revision 4)
• ENISA position paper, Privacy Features of European eID Card Specifications, Jan 27, 2009, Version 1.0.1, European Network and Information Security Agency
• More…
GlobalPlatform and Privacy
• A multi-application platform introduces additional privacy challenges
• Different applications may have different privacy policies and levels, some of which may require remote management
• There must be no leakage of data across applications, and no single application may publish sensitive data on its own
• In a multi-application-provider context, the privacy paradigm is contingent on all providers adhering to a common framework
So…
• There is a need for a platform approach to this privacy framework
Anonymity Properties (1 of 2)
Un-traceability – Ability to prevent user identification even if the secure platform issuer and the identity provider (IdP) or the service provider collude
Un-linkability – Ability to prevent the establishment of a link between different attributes presented by the same user: two credentials cannot be linked to the same user, even if issued by the same issuer (or IdP), at the same time and for the same purposes
Selective disclosure – Ability to disclose only the minimal amount of user identification data necessary for a selected action, e.g. user consent required for each criterion
Usage confidentiality – The communicated data does not reveal the nature and details of the transaction, such as identification data, application identifier, or execution success or failure
Pseudonym – Ability to generate a unique pseudonym which identifies the user uniquely without disclosing his/her data
Forward secrecy – Limited risk in case of attack: ability to protect the secure channel exchange even if the service provider key is compromised at a later date
Anonymity Properties (2 of 2)
Limited use – Ability to limit the use of credentials to a determined period of time or to a determined number of presentations
Predicate computation (proving computation on attributes) – Ability to prove computations on the attributes rather than disclosing the attributes themselves: the actual value of a user identification attribute is not disclosed, but the user can prove some computation on it
Trusted third party disclosure – Ability to protect an attribute by allowing its disclosure only by a trusted third party (e.g. by encoding the attribute in the credential); the credential can contain verifiable encrypted attributes that can be checked by the service provider
Revocation – Ability to revoke a credential. This procedure MAY resort to authorized exchange of information leading to user identification in some cases
Secure messaging – Ability to provide secure messaging to protect the command exchange
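The forward secrecy property listed above is easiest to appreciate with the attack it defends against: an adversary records a secure-channel setup today and obtains the service provider's long-term key later. The following Python is an added example written for this page; it is not code from the presentation and not GlobalPlatform's SCP protocols. It assumes finite-field Diffie-Hellman over the RFC 3526 group 14 modulus and HMAC-SHA256 as stand-ins for the real primitives (so only the standard library is needed), and an HMAC under a long-term key standing in for the service provider's signature on its ephemeral value. Both the key-agreement flows and the adversary's recovery attempts are constructed for illustration.

```python
"""Forward secrecy in a card-to-service-provider secure channel (constructed
example, not GlobalPlatform's own protocol).

Two ways to agree a session key, and an adversary who captured the exchange
and later learns every long-term secret of the service provider (SP).
"""
import hashlib
import hmac
import secrets

# Assumption: 2048-bit MODP modulus from RFC 3526 (group 14), generator 2.
# The demonstration only relies on g^(ab) == (g^a)^b, which holds regardless.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
ELEM_LEN = 256  # bytes needed to encode one group element


def keypair():
    """Fresh DH private/public pair (used for long-term and ephemeral keys)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def new_auth_key() -> bytes:
    """Long-term SP authentication key (stands in for the SP's signing key)."""
    return secrets.token_bytes(32)


def kdf(shared: int, transcript: bytes) -> bytes:
    """Session key = HMAC(shared secret, everything that crossed the wire)."""
    return hmac.new(shared.to_bytes(ELEM_LEN, "big"), transcript, hashlib.sha256).digest()


def static_dh_channel(sp_priv: int, sp_pub: int):
    """NO forward secrecy: the SP contributes only its long-term DH key.
    Returns the session key and the record a network adversary can capture."""
    c_priv, c_pub = keypair()                        # card's ephemeral value
    transcript = b"static|" + c_pub.to_bytes(ELEM_LEN, "big")
    card_key = kdf(pow(sp_pub, c_priv, P), transcript)
    sp_key = kdf(pow(c_pub, sp_priv, P), transcript)
    assert card_key == sp_key
    del c_priv                                       # card wipes it after use
    return sp_key, {"c_pub": c_pub, "transcript": transcript}


def recover_static_session(record: dict, leaked_sp_priv: int) -> bytes:
    """Adversary: captured record + SP key leaked later => old session key."""
    return kdf(pow(record["c_pub"], leaked_sp_priv, P), record["transcript"])


def ephemeral_dh_channel(sp_auth_key: bytes):
    """Forward secret: both sides use ephemeral DH. The SP's long-term key only
    AUTHENTICATES its ephemeral value and never enters the key computation."""
    e_priv, e_pub = keypair()                        # SP's ephemeral value
    e_pub_bytes = e_pub.to_bytes(ELEM_LEN, "big")
    tag = hmac.new(sp_auth_key, e_pub_bytes, hashlib.sha256).digest()
    # Card side: refuse an unauthenticated ephemeral value (MITM defence).
    expected = hmac.new(sp_auth_key, e_pub_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("SP ephemeral key failed authentication")
    c_priv, c_pub = keypair()
    transcript = b"ephemeral|" + e_pub_bytes + tag + c_pub.to_bytes(ELEM_LEN, "big")
    card_key = kdf(pow(e_pub, c_priv, P), transcript)
    sp_key = kdf(pow(c_pub, e_priv, P), transcript)
    assert card_key == sp_key
    del e_priv, c_priv                               # both ephemerals wiped
    return sp_key, {"e_pub": e_pub, "tag": tag, "c_pub": c_pub,
                    "transcript": transcript}


def recover_ephemeral_session(record: dict, leaked_sp_auth_key: bytes,
                              leaked_sp_priv: int) -> list:
    """Same adversary holding every long-term SP secret. Everything it can
    derive from the record is listed; none equals the session key, because
    that needed e_priv or c_priv and neither was ever stored."""
    t = record["transcript"]
    return [
        kdf(pow(record["c_pub"], leaked_sp_priv, P), t),
        kdf(pow(record["e_pub"], leaked_sp_priv, P), t),
        kdf(int.from_bytes(leaked_sp_auth_key, "big"), t),
    ]


def demo():
    """Returns (static_channel_broken, ephemeral_channel_broken)."""
    sp_priv, sp_pub = keypair()
    sp_auth_key = new_auth_key()
    k1, rec1 = static_dh_channel(sp_priv, sp_pub)
    k2, rec2 = ephemeral_dh_channel(sp_auth_key)
    # ... time passes, then the SP's long-term secrets leak ...
    return (recover_static_session(rec1, sp_priv) == k1,
            k2 in recover_ephemeral_session(rec2, sp_auth_key, sp_priv))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point the two flows make is that a later compromise of the service provider's long-term key exposes every recorded static-DH session, whereas the ephemeral flow only lets the adversary forge future authentications; the recorded sessions stay closed because the ephemeral private values were discarded on both sides.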
Summary of Main Requirements
• GlobalPlatform's Government Task Force has developed a set of requirements including:
– Support of a list of anonymity properties
– Protection against card / user tracking
– Protection against application identifier-based profiling
– Registration with declared privacy level(s)
– Protection against unauthorized inter-application data exchange
– Privacy level implemented by GPP (Platform Global Privacy Protocol) and SPP (Application Specific Privacy Protocol)
Privacy Framework Requirements Released
• For the use by anyone developing to GlobalPlatform Specifications
• Useful for defining additional features to enable privacy sensitive applications on GlobalPlatform cards
• Government agencies benefit by knowing what can be expected from GlobalPlatform cards in the future in respect to privacy
https://www.globalplatform.org/documents/GP_PrivacyFrameworkRequirements_v1.0.pdf
GlobalPlatform Privacy by Design Architecture
The value proposition aims to define a migration path where the card platform provides:
• Support of current GlobalPlatform functions and secure channel protocols
• Card content management
• Incremental improvements
– Reusing existing blocks
– Not building a platform from scratch
• Privacy enforcement
– Privacy enhanced services offered to all applications within a security domain
– Choice of standalone privacy-enhanced protocols (host, card, and / or user authentication)
– An on-board privacy manager confirming that the platform meets the privacy rules established for it
• Lightweight solution
– Easy migration for existing applications
– Preventing environment complexity
• User consent scheme
– User consent MAY be requested before or after authentication
• Privacy ecosystem
– A platform that addresses privacy requirements and a deployment infrastructure
Market Impact
• Assessment of the impact on privacy is needed at all steps
– When creating, loading, installing, using and deleting applications
• To allow further role separation of application providers, issuers and system providers by extending the separation to the privacy area, that is, avoiding the sharing of privacy-relevant data between these roles
• To guarantee that a given platform meets the necessary privacy requirements and thus establish a reference in terms of privacy levels
• The GlobalPlatform Card Framework will facilitate implementation of applications with privacy requirements on a GlobalPlatform card, e.g.
– Government applications
– Machine readable travel documents
– Driving licenses
– National ID cards, etc.