Standardisation

Global Platform: Global Platform (GP) is an important standard coping with the way applications are securely managed on the security element. Together with Java Card, it offers a good basis for industrial development and remote issuance of secure applications in the smartphone context, and consequently these environments will be the target of LYRICS.

GP is broadly used for SIMs which are typical multi-applicative secure elements (SE). Aspects dealt with by GP are secure download, activation, disable and removal of applications with their code, data and their secret material (keys, parameters, etc…) while preserving the right policy for doing these operations which can involve various entities: mobile network operators, the security element issuer, the application provider, and some trusted third party. There are clearly some concerns with privacy in tasks like secure code and keys downloading, since it could result for example in some problems of traceability.  These aspects will be addressed in LYRICS in order to provide an analysis of mechanisms provided by GP2.2 and the work being done on “remote application management” topic to verify adequacy with the goals of LYRICS regarding privacy, describe relevant measures concerning remote management & privacy, and eventually define and propose some technical adaptations of GP protocols, and if necessary contribute to the GP standardization body.

ISO/IEC: Several standardization bodies have been involved over the last ten years in attempts to develop an information privacy protection standard. ISO/IEC JTC1/SC27 has vested interests in standardizing “information technology-security techniques”. This includes standards for privacy-enhancing technologies and especially for credential-based solutions. The subject of anonymous authentication mechanisms intersects with standardization works in two SC27 working groups, WG2 and WG5. WG2 develops standards based on algorithms such as group signatures and WG5 elaborates on requirements and guidelines. An initiative is currently being undertaken by SC27 WG5:

-       The project ISO/IEC 29191 provides a model for partially anonymous unlinkable authentication mechanisms where a designated agent can revoke anonymity, and defines requirements thereof.

The WG5 is responsible for other privacy standards. The most advanced are ISO/IEC 29100 Privacy Framework and ISO/IEC 29101 Privacy Reference Architecture:

-       The Privacy Framework serves as a basis for a technical reference architecture, for the implementation and use of specific privacy technologies and overall privacy management, for privacy controls for outsourced data processes, for privacy risk assessment or for specific engineering specifications.

-       The Privacy Reference Architecture guides the implementation of controls associated with a privacy framework to ensure the proper handling of personally identifiable information within an information and communication technology environment.

NEC and France Telecom are actively involved in these two working groups WG2 and WG5. More precisely, NEC is the editor in charge of the ISO/IEC 29191 project. NEC, France Telecom as well as Microsoft also hold several patents on Privacy-Enhancing Cryptographic (PEC) mechanisms such as blind signatures, DAA and k-TAA and on applications making use of these anonymous signatures schemes such as e-cash, e-voting and e-auctions.