Information technology — Automatic identification and data capture techniques — Data structures — Digital signature meta structure

ISO/IEC 20248:2018 is an ISO/IEC 9594‑8 (Public Key Infrastructure: digital signatures and certificates) application specification for automated identification services. It specifies a method whereby data stored within a barcode and/or RFID tag are structured, encoded and digitally signed. ISO/IEC 9594‑8 is used to provide a standard method for key and data description management and distribution. It is worth noting that the data capacity and/or data transfer capacity of Automated Identification Data Carriers are restricted. This restricts the normal use of a Digital Signature as specified in ISO/IEC 9594‑8 within automated identification services.

The purpose of this document is to provide an open and interoperable method, between automated identification services and data carriers, to read data, verify data originality and data integrity in an offline use case.

ISO/IEC 20248:2018 specifies
— the meta data structure, the DigSig, which contains the Digital Signature and encoded structured data,
— the public key certificate parameter and extension use, the DigSig Certificate, which contains the certified associated public key, the structured data description, the read methods and private containers,
— the method to specify, read, describe, sign, verify, encode and decode the structured data, the DigSig Data Description,
— the DigSig EncoderGenerator which generates the relevant asymmetric key pairs, keeps the Private Key secret and generates the DigSigs, and
— the DigSig DecoderVerifier which, by using the DigSig Certificate, reads the DigSig from the set of Data Carriers, verifies the DigSig and extracts the structured data from the DigSig.

A successful verification of the DigSig signifies the following:
— the data was not tampered with;
— the source of the data is as indicated on the DigSig Certificate used to verify the DigSig with;
— if a secured identifier of the data carrier is included in the DigSig it contains, then the data stored on the data carrier can be considered as the original issued copy of the data; the secure identifier will be able to guarantee that the data carrier is authentic.

ISO/IEC 20248:2018 does not specify
— cryptographic methods, nor
— key management methods.

ISO/IEC 20248:2018 is used in conjunction with standard risk assessments of the use environment.

Technologies de l'information — Techniques d'identification automatique et de capture de données — Structures de données — Méta-structure de signature numérique

General Information

Status: Withdrawn
Publication Date: 03-Apr-2018
Current Stage: 9599 - Withdrawal of International Standard
Completion Date: 10-Jun-2022

Standard
ISO/IEC 20248:2018 - Information technology -- Automatic identification and data capture techniques -- Data structures -- Digital signature meta structure
English language
81 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 20248
First edition 2018-03
Information technology — Automatic identification and data capture techniques — Data structures — Digital signature meta structure
Technologies de l'information — Techniques d'identification automatique et de capture de données — Structures de données — Méta-structure de signature numérique
Reference number ISO/IEC 20248:2018(E)
© ISO/IEC 2018


COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Field and data definitions, abbreviations and symbols
4.1 Field and data definitions
4.2 Abbreviations
4.3 Symbols
5 Conformance
5.1 Specification version
5.2 Claiming conformance
5.3 Test authority
5.4 Test specification
6 DigSig use architecture
6.1 General
6.2 DigSig Certificate process
6.3 DigSig generation process
6.4 DigSig verification process
6.5 Error codes
7 DigSig Certificate
7.1 General
7.2 ISO/IEC 20248 Object Identifier
7.3 DigSig Certificate parameter use
7.4 DigSig cryptography
7.4.1 General
7.4.2 Digital Signatures
7.4.3 Private containers
7.5 DigSig Domain Authority identifier
7.6 DigSig Certificate identifier (CID)
7.7 DigSig validity
7.8 DigSig Certificate management
7.9 DigSig revocation
7.10 Online verification
8 DigSig Data Description (DDD)
8.1 General
8.2 DDD derived data structures
8.2.1 General
8.2.2 DDDdata
8.2.3 SigData
8.2.4 DDDdataTagged
8.2.5 DDDdataDisplay
8.3 DigSig format
8.3.1 General
8.3.2 Snips
8.3.3 Envelope format
8.3.4 AIDC specific construction of a DigSig
8.4 The DigSig physical data path
8.5 DDD syntax
8.6 DigSig information fields
8.7 Data fields
8.7.1 Compulsory data fields
8.7.2 Application data fields
8.8 Data field object syntax
8.9 DDD field types and associate settings
8.9.1 General
8.9.2 Special field values
8.9.3 Field types
8.9.4 Special types
9 Pragmas
9.1 General
9.2 entertext
9.3 structjoin
9.4 readmethod
9.5 privatecontainer
9.6 startonword
9.7 cidsniptext
Annex A (normative) Test methods
Annex B (informative) Example DigSigs
Annex C (informative) DigSig use in IoT
Annex D (informative) Typical DigSig EncoderGenerator device architecture
Annex E (informative) Typical DigSig DecoderVerifier device architecture
Annex F (normative) DigSig error codes
Annex G (informative) Digital Signature use considerations
Annex H (informative) Example of a DigSig Certificate
Annex I (informative) Example DDD for a physical certificate
Annex J (normative) DigSig revocation specifications
Annex K (normative) 2D bar code symbologies — Encoding and decoding the DigSig
Annex L (normative) ISO/IEC 18000‑3 Mode 1 RFID protocol and DigSigs
Annex M (normative) ISO/IEC 18000‑63 RFID protocol and DigSigs
Bibliography


Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 31, Automatic identification and data capture techniques.

Introduction
This document specifies a “language” with which to specify data constructs, how the data
constructs can be read from one or more AIDC, and how to decode and verify such data.
This document is an ISO/IEC 9594-8 (Public Key Infrastructure: digital signatures and certificates)
application specification for automated identification services. Data capacity and/or data transfer
capacity of Automated Identification Data Carriers are limited. This restricts the normal use of a digital
signature as specified in ISO/IEC 9594-8 within automated identification services.
This document specifies an effective and interoperable method to specify, read, decode and verify data
stored in automated identification data carriers, independent from real-time remote control. Meta
parameters included in a digital certificate are used to achieve
— offline integrity verification of the data source and data originality,
— a verifiable data structure description to enable interoperability of deployment, domain authority
and automated identification data carriers,
— a verifiable data encoding method to achieve compact data to be stored in data constrained
automated identification data carriers (the JSON data format is used for both input and output of
the encoder and decoder),
— a verifiable automated identification data carrier read method description allowing for the data of a
read event to be distributed over more than one carrier of the same and of different technologies, and
— a verifiable method to support key management of cryptographically enabled automated
identification data carriers.
The user of this document may use any suitable hashing and asymmetric cryptography method. The
choice of cryptography method should be considered carefully and it is advised that only internationally
recognized or standardized methods, for example FIPS PUB 186-4 and IEEE P1363, be used.
This document should be used in conjunction with standard risk assessments of the use case and
environment.
NOTE Many transport applications rely on a secure non-transferable unique identifier to ensure that
the data are bound to the tag and/or the vehicle. For such functionality, please refer to ISO/IEC 29167. This
specification provides a mechanism to ensure the integrity and authenticity of the data themselves in order to
protect against alterations or insertion of false data into the system. It does not provide any means to defend
against replay attacks. Including the secure non-transferable unique identifier of a tag, as signed data, allows for
the unrefutable link between the tag and the data and provides a means to determine if the data were read from
the tag. The reader can place the read DigSig in another DigSig, effectively signing the read transaction. A third
party can then verify that the read transaction happened at a given place and time, as well as the data read.
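The binding described in the NOTE above, as an added Go example that is not part of ISO/IEC 20248: a record signed together with the carrier's identifier verifies only when read from that carrier, while a repeated read of the same carrier still verifies. Ed25519, the JSON layout, the field names and the identifier values are assumptions chosen for illustration; the DigSig envelope and DDD encoding are not reproduced here.

```go
// Added illustration; not the ISO/IEC 20248 DigSig encoding or DDD syntax.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Payload is a hypothetical signed record; its field names are assumptions.
type Payload struct {
	TagUID string `json:"tag_uid"` // carrier identifier, covered by the signature
	Data   string `json:"data"`
}

// Issue signs the JSON form of p (the EncoderGenerator role).
func Issue(priv ed25519.PrivateKey, p Payload) (msg, sig []byte) {
	msg, _ = json.Marshal(p) // Marshal cannot fail for two string fields
	return msg, ed25519.Sign(priv, msg)
}

// Verify is the offline DecoderVerifier role. readUID is the identifier the
// reader obtained from the carrier itself, assumed authenticated elsewhere.
func Verify(pub ed25519.PublicKey, msg, sig []byte, readUID string) string {
	if !ed25519.Verify(pub, msg, sig) {
		return "rejected: signature invalid"
	}
	var p Payload
	if err := json.Unmarshal(msg, &p); err != nil {
		return "rejected: malformed payload"
	}
	if p.TagUID != readUID {
		return "rejected: data not read from the issued carrier"
	}
	return "verified"
}

// Demo runs four reads against one issued record (all values constructed).
func Demo() [4]string {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const uid = "E2801160600002AA" // constructed tag identifier
	msg, sig := Issue(priv, Payload{TagUID: uid, Data: "licence=ABC123"})
	altered, _ := json.Marshal(Payload{TagUID: uid, Data: "licence=XYZ999"})
	return [4]string{
		Verify(pub, msg, sig, uid),                // read from the issued tag
		Verify(pub, altered, sig, uid),            // data changed after signing
		Verify(pub, msg, sig, "E2801160600002BB"), // same bytes copied to another tag
		Verify(pub, msg, sig, uid),                // later re-read: no freshness check exists
	}
}

func main() {
	for i, r := range Demo() {
		fmt.Printf("read %d: %s\n", i+1, r)
	}
}
```

The fourth read returns the same result as the first because nothing in the signed record is bound to a time or a challenge, which is why detecting repeated reads has to be handled outside the signature check.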
1 Scope
This document is an ISO/IEC 9594-8 (Public Key Infrastructure: digital signatures and certificates)
application specification for automated identification services. It specifies a method whereby data
stored within a barcode and/or RFID tag are structured, encoded and digitally signed. ISO/IEC 9594-8
is used to provide a standard method for key and data description management and distribution. It
is worth noting that the data capacity and/or data transfer capacity of Automated Identification Data
Carriers are restricted. This restricts the normal use of a Digital Signature as specified in ISO/IEC 9594-8
within automated identification services.
The purpose of this document is to provide an open and interoperable method, between automated
identification services and data carriers, to read data, verify data originality and data integrity in an
offline use case.
This document specifies
— the meta data structure, the DigSig, which contains the Digital Signature and encoded structured
data,
— the public key certificate parameter and extension use, the DigSig Certificate, which contains the
certified associated public key, the structured data description, the read methods and private
containers,
— the method to specify, read, describe, sign, verify, encode and decode the structured data, the DigSig
Data Description,
— the DigSig EncoderGenerator which generates the relevant asymmetric key pairs, keeps the Private
Key secret and generates the DigSigs, and
— the DigSig DecoderVerifier which, by using the DigSig Certificate, reads the DigSig from the set of
Data Carriers, verifies the DigSig and extracts the structured data from the DigSig.
A successful verification of the DigSig signifies the following:
— the data was not tampered with;
— the source of the data is as indicated on the DigSig Certificate used to verify the DigSig with;
— if a secured identifier of the data carrier is included in the DigSig it contains, then the data stored on
the data carrier can be considered as the original issued copy of the data; the secure identifier will
be able to guarantee that the data carrier is authentic.
This document does not specify
— cryptographic methods, nor
— key management methods.
This document is used in conjunction with standard risk assessments of the use environment.

2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 8824-1 (see footnote 1), Information technology — Abstract Syntax Notation One (ASN.1): Specification of basic notation — Part 1
ISO/IEC 9594-1 (see footnote 2), Information technology — Open Systems Interconnection — The Directory — Part 1: Overview of concepts, models and services
ISO/IEC 9594-8 (see footnote 3), Information technology — Open Systems Interconnection — The Directory — Part 8: Public-key and attribute certificate frameworks
ISO/IEC 9899, Information technology — Programming languages — C
ISO/IEC 18004, Information technology — Automatic identification and data capture techniques — QR Code bar code symbology specification
ISO/IEC IEEE 9945, Information technology — Portable Operating System Interface (POSIX®) Base Specifications, Issue 7
IETF 3986, Uniform Resource Identifier (URI): Generic Syntax
IETF RFC 5646 (see footnote 4), Tags for Identifying Languages
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
3.1
authenticity
quality or condition of being authentic, trustworthy, or genuine
3.2
Base64url
Base64 encoding with the URL and Filename Safe Alphabet
Note 1 to entry: See IETF RFC 4648.
3.3
CIDSnip
singular continuous bit or text stream portion of a Data Carrier transmission which contains the CID as
the first part
1) ITU-T X.680 is equivalent to ISO/IEC 8824-1.
2) ITU X.500 is equivalent to ISO/IEC 9594-1, and is the commonly used reference for standard and terminology.
3) ITU X.509 is equivalent to ISO/IEC 9594-8, and is the commonly used reference for standard and terminology.
4) IETF RFC 5646 is the reference specification of the IETF BCP 47.

3.4
Data Carrier
device used to store data as a relay mechanism in an AIDC system
EXAMPLE Barcodes, RFID tags and even human memory.
3.5
Data Carrier construct rule
process to prepare the DigSig Envelope for encoding in a particular Data Carrier
3.6
DataSnip
singular continuous bit or text stream portion of a Data Carrier transmission containing data for
DDD fields
3.7
Digital Certificate
certificate
data construct that contains the Public Key, integrity parameters and use parameters of the DigSig
Note 1 to entry: The data construct shall be as specified in ISO/IEC 9594-8.
3.8
Digital Signature
signature
result of an asymmetric encryption method on a data construct
Note 1 to entry: The asymmetric encryption method and data construct shall be as specified in ISO/IEC 9594-8.
Note 2 to entry: In typical legal terminology, this term is the equivalent of an advanced electronic signature.
3.9
DigSig
data construct assembled according to this document which contains verifiable information obtained
from one or more AIDC
3.10
DigSig Envelope
envelope
data construct assembled according to this document by the EncoderGenerator
3.11
Domain Authority
entity, operating as a trusted third party, responsible for the Digital Signature integrity of a jurisdiction
3.12
integrity
reliability of data that are as they were created according to the required verification parameters
3.13
jurisdiction
independent domain of control in terms of the business or legal (or both) scope of the parties concerned
EXAMPLE Independent countries, separate ministries or departments of a government, or independent
companies each with their own legal or business (or both) framework.
3.14
nibble
four-bit aggregation

3.15
Private Key
key that is kept in secret and is used to generate a Digital Signature by encrypting data that will be
verified by its associated Public Key
3.16
protocol
communication specification
3.17
Public Key
key that is publicly available and is used to verify data that were encrypted by its associated Private Key
3.18
Snip
singular continuous bit or text stream portion of a Data Carrier transmission
3.19
Time Zone
time zone code
Note 1 to entry: See ISO 8601.
3.20
UTF-64
64 bit variable-width encoding
Note 1 to entry: See ISO 10646.
3.21
WORD
media physical memory grouping of bits
4 Field and data definitions, abbreviations and symbols
4.1 Field and data definitions
Field and data objects are defined in Clause 8.
4.2 Abbreviations
AFI Application Family Identifier
AIDC Automatic Identification
...
