BS ISO IEC 18013-3-2017 Information technology Personal identification ISO-compliant driving licence Access control authentication and integrity validation《信息技术 个人身份 ISO标准的驾驶执照 访问控.pdf

1、Information technology Personal identification ISO-compliant driving licencePart 3: Access control, authentication and integrity validationBS ISO/IEC 180133:2017BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06Information technology Personal identification ISO-complia

2、nt driving licence Part 3:Access control, authentication and integrity validationTechnologies de linformation Identification des personnes Permis de conduire conforme lISO Partie 3: Contrle daccs, authentification et validation dintgritINTERNATIONALSTANDARDISO/IEC18013-3Reference numberISO/IEC 18013

3、-3:2017(E)Second edition2017-04 ISO/IEC 2017National forewordThis British Standard is the UK implementation of ISO/IEC 18013-3:2017. It supersedes BS ISO/IEC 18013-3:2009+A2:2014, which is withdrawn.The UK participation in its preparation was entrusted to Technical Committee IST/17, Cards and person

4、al identification.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2017 Publi

5、shed by BSI Standards Limited 2017ISBN 978 0 580 96008 6ICS 35.240.15Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 July 2017.Amendments/corrigenda issued s

6、ince publicationDate Text affectedBRITISH STANDARDBS ISO/IEC 180133:2017Information technology Personal identification ISO-compliant driving licence Part 3: Access control, authentication and integrity validationTechnologies de linformation Identification des personnes Permis de conduire conforme lI

7、SO Partie 3: Contrle daccs, authentification et validation dintgritINTERNATIONAL STANDARDISO/IEC18013-3Reference numberISO/IEC 18013-3:2017(E)Second edition2017-04 ISO/IEC 2017BS ISO/IEC 180133:2017ii ISO/IEC 2017 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published in Switzerland

8、All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested

9、 from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCh. de Blandonnet 8 CP 401CH-1214 Vernier, Geneva, SwitzerlandTel. +41 22 749 01 11Fax +41 22 749 09 47copyrightiso.orgwww.iso.orgISO/IEC 18013-3:2017(E)BS ISO/IEC 180133:2017ii ISO/IEC 2017

10、 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published in SwitzerlandAll rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the

11、 internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCh. de Blandonnet 8 CP 401CH-1214 Vernier, Geneva, SwitzerlandTel. +41 22 749 01 11Fax +41 22 749 09 47

12、copyrightiso.orgwww.iso.orgISO/IEC 18013-3:2017(E)ISO/IEC 18013-3:2017(E)Foreword vIntroduction vi1 Scope . 12 Normative references 13 Terms and definitions . 34 Abbreviated terms 65 Conformance . 86 Functional requirements . 86.1 Access control 86.2 Document authentication 86.3 Data integrity valid

13、ation . 87 Mapping of mechanisms to requirements and technologies .118 Mechanisms 128.1 Passive authentication . 128.1.1 Purpose . 128.1.2 Applicability 128.1.3 Description .128.1.4 Hash function .138.1.5 Signing method 148.2 Active authentication 178.2.1 Purpose . 178.2.2 Applicability 178.2.3 Desc

14、ription .178.2.4 Mechanism .178.3 Scanning area identifier . 198.3.1 Applicability 198.3.2 Description .198.4 Non-match alert 308.4.1 Purpose . 308.4.2 Applicability 308.4.3 Description .308.4.4 Mechanism .318.5 Basic access protection . 328.5.1 Purpose . 328.5.2 Applicability 328.5.3 Description .3

15、28.5.4 Mechanism .338.6 Extended Access Control v1 . 348.6.1 Purpose . 348.6.2 Applicability 348.6.3 Description and mechanism . 348.7 PACE 358.7.1 Purpose . 358.7.2 Applicability 358.7.3 Description and mechanism . 358.7.4 PACE relative to BAP 359 Security mechanism indicator 3610 SIC LDS 3710.1 Ge

16、neral 3710.2 EF.SOD Document security object (short EF identifier = 1D, Tag = 77) .39 ISO/IEC 2017 All rights reserved iiiContents PageBS ISO/IEC 180133:2017ISO/IEC 18013-3:2017(E)10.3 EF.DG12 Non-match alert (short EF identifier= 0C, Tag = 71) .3910.4 EF.DG13 Active authentication (short EF identif

17、ier = 0D, Tag = 6F) .3910.5 EF.DG14 EACv1 (short EF identifier = 0E, Tag = 6E) .4010.6 EF.CardAccess if PACE is supported (short EF identifier = 1C) .40Annex A (informative) Public key infrastructure (PKI) .41Annex B (normative) Basic access protection 51Annex C (normative) PACE .67Annex D (normativ

18、e) Extended Access Control v1 72Annex E (normative) SIC command set .76Annex F (normative) List of tags used 78Bibliography .80iv ISO/IEC 2017 All rights reservedBS ISO/IEC 180133:2017ISO/IEC 18013-3:2017(E)10.3 EF.DG12 Non-match alert (short EF identifier= 0C, Tag = 71) .3910.4 EF.DG13 Active authe

19、ntication (short EF identifier = 0D, Tag = 6F) .3910.5 EF.DG14 EACv1 (short EF identifier = 0E, Tag = 6E) .4010.6 EF.CardAccess if PACE is supported (short EF identifier = 1C) .40Annex A (informative) Public key infrastructure (PKI) .41Annex B (normative) Basic access protection 51Annex C (normative

20、) PACE .67Annex D (normative) Extended Access Control v1 72Annex E (normative) SIC command set .76Annex F (normative) List of tags used 78Bibliography .80iv ISO/IEC 2017 All rights reserved ISO/IEC 18013-3:2017(E)ForewordISO (the International Organization for Standardization) and IEC (the Internati

21、onal Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields

22、 of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joi

23、nt technical committee, ISO/IEC JTC 1.The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document w

24、as drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or a

25、ll such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents).Any trade name used in this document is information given for the convenience of users

26、 and does not constitute an endorsement.For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following UR

27、L: www .iso .org/ iso/ foreword .html.The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 17, Cards and personal identification.This second edition cancels and replaces the first edition (ISO/IEC 18013-3:2009), which has been technically revised. It also incorpor

28、ates the Amendments ISO/IEC 18013-3:2009/Amd 1:2012 and ISO/IEC 18013-3:2009/Amd 2:2014, and the Technical Corrigenda ISO/IEC 18013-3:2009/Cor 1:2011 and ISO/IEC 18013-3:2009/Cor 2:2013.The most significant changes are the following: In the interest of interoperability of cards used for personal ide

29、ntification, the authentication protocols for the IDL are simplified. Active Authentication is harmonised with other ISO standards and thus BAP configurations 2, 3 and 4, as well as EAP are no longer supported by this document. Replacing EAP, the optional EACv1 protocol is defined for the IDL, enabl

30、ing access control to sensitive biometric data stored on an integrated circuit. EACv1 may be used in conjunction with either BAP configuration 1 or PACE. The optional PACE protocol enables access control to the data stored on an integrated circuit. The PACE protocol is a password authenticated Diffi

31、e Hellman key agreement protocol based on a (short) input string that provides secure communication between a secure integrated circuit on an IDL and a terminal and allows various implementation options (mappings, input strings, algorithms). The PACE protocol implementation for the IDL is restricted

32、 to Elliptic Curve Diffie Hellman (ECDH) generic mapping and can be used as a stand-alone protocol or in combination with the EACv1 protocol.A list of all the parts in the ISO/IEC 18013 series can be found on the ISO website. ISO/IEC 2017 All rights reserved vBS ISO/IEC 180133:2017ISO/IEC 18013-3:20

33、17(E)IntroductionThis document prescribes requirements for the implementation of mechanisms to control access to data recorded in the machine-readable technology on an ISO-compliant driving licence (IDL), verifying the origin of an IDL, and confirming data integrity.One of the functions of an IDL is

34、 to facilitate international interchange. While storing data in machine-readable form on the IDL supports this function by speeding up data input and eliminating transcription errors, certain machine-readable technologies are vulnerable to being read without the knowledge of the card holder and to o

35、ther means of unauthorized access by unintended persons that is other than driving licence or law enforcement authorities. Controlling access to IDL data stored in machine-readable form protects the data on the card from being read remotely by electronic means without the knowledge of the card holde

36、r.Identifying falsified driving licences or an alteration to the human-readable data on authentic driving licences present a major problem for driving licence and law enforcement authorities, both domestically and in the context of international interchange. Verifying the authenticity of an IDL and

37、confirming the integrity of the data recorded on an IDL provide driving licence and law enforcement authorities with a means to identify an authentic IDL from a falsified or altered one in the interests of traffic law enforcement and other traffic safety processes.vi ISO/IEC 2017 All rights reserved

38、BS ISO/IEC 180133:2017ISO/IEC 18013-3:2017(E)IntroductionThis document prescribes requirements for the implementation of mechanisms to control access to data recorded in the machine-readable technology on an ISO-compliant driving licence (IDL), verifying the origin of an IDL, and confirming data int

39、egrity.One of the functions of an IDL is to facilitate international interchange. While storing data in machine-readable form on the IDL supports this function by speeding up data input and eliminating transcription errors, certain machine-readable technologies are vulnerable to being read without t

40、he knowledge of the card holder and to other means of unauthorized access by unintended persons that is other than driving licence or law enforcement authorities. Controlling access to IDL data stored in machine-readable form protects the data on the card from being read remotely by electronic means

41、 without the knowledge of the card holder.Identifying falsified driving licences or an alteration to the human-readable data on authentic driving licences present a major problem for driving licence and law enforcement authorities, both domestically and in the context of international interchange. V

42、erifying the authenticity of an IDL and confirming the integrity of the data recorded on an IDL provide driving licence and law enforcement authorities with a means to identify an authentic IDL from a falsified or altered one in the interests of traffic law enforcement and other traffic safety proce

43、sses.vi ISO/IEC 2017 All rights reserved Information technology Personal identification ISO-compliant driving licence Part 3: Access control, authentication and integrity validation1 ScopeISO/IEC 18013 establishes guidelines for the design format and data content of an ISO-compliant driving licence

44、(IDL) with regard to human-readable features (ISO/IEC 18013-1), machine-readable technologies (ISO/IEC 18013-2), and access control, authentication and integrity validation (ISO/IEC 18013-3). It creates a common basis for international use and mutual recognition of the IDL without impeding individua

45、l countries/states to apply their privacy rules and national/community/regional motor vehicle authorities in taking care of their specific needs.This document is based on the machine-readable data content specified in ISO/IEC 18013-2; specifies mechanisms and rules available to issuing authorities (

46、IAs) for: access control (i.e. limiting access to the machine-readable data recorded on the IDL), document authentication (i.e. confirming that the document was issued by the claimed IA), and data integrity validation (i.e. confirming that the data has not been changed since issuing).This document d

47、oes not address issues related to the subsequent use of data obtained from the IDL, e.g. privacy issues.2 Normative referencesThe following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the

48、edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.ISO 1831:1980, Printing specifications for optical character recognitionISO/IEC 7816-4:2013, Identification cards Integrated circuit cards Part 4: Organization, security an

49、d commands for interchangeISO/IEC 8859-1:1998, Information technology 8-bit single-byte coded graphic character sets Part 1: Latin alphabet No. 1ISO 9796-2, Information technology Security techniques Digital signature schemes giving message recovery Part 2: Integer factorization based mechanismsISO/IEC 9797-1:19991), Information technology Security techniques Message Authentication Codes (MACs) Part 1: Mechanisms using a block ciph