Information technology -- Automatic identification and data capture techniques -- Data structures -- Digital signature meta structure

ISO/IEC 20248:2018 is an ISO/IEC 9594‑8 (Public Key Infrastructure: digital signatures and certificates) application specification for automated identification services. It specifies a method whereby data stored within a barcode and/or RFID tag are structured, encoded and digitally signed. ISO/IEC 9594‑8 is used to provide a standard method for key and data description management and distribution. It is worth noting that the data capacity and/or data transfer capacity of Automated Identification Data Carriers are restricted. This restricts the normal use of a Digital Signature as specified in ISO/IEC 9594‑8 within automated identification services. The purpose of this document is to provide an open and interoperable method, between automated identification services and data carriers, to read data, verify data originality and data integrity in an offline use case. ISO/IEC 20248:2018 specifies - the meta data structure, the DigSig, which contains the Digital Signature and encoded structured data, - the public key certificate parameter and extension use, the DigSig Certificate, which contains the certified associated public key, the structured data description, the read methods and private containers, - the method to specify, read, describe, sign, verify, encode and decode the structured data, the DigSig Data Description, - the DigSig EncoderGenerator which generates the relevant asymmetric key pairs, keeps the Private Key secret and generates the DigSigs, and - the DigSig DecoderVerifier which, by using to the DigSig Certificate, reads the DigSig from the set of Data Carriers, verifies the DigSig and extracts the structured data from the DigSig. A successful verification of the DigSig signifies the following: - the data was not tampered with; - the source of the data is as indicated on the DigSig Certificate used to verify the DigSig with; - if a secured identifier of the data carrier is included in the DigSig it contains, then the data stored on the data carrier can be considered as the original issued copy of the data; the secure identifier will be able to guarantee that the data carrier is authentic. ISO/IEC 20248:2018 does not specify - cryptographic methods, nor - key management methods. ISO/IEC 20248:2018 is used in conjunction with standard risk assessments of the use environment.

Technologies de l'information -- Techniques d'identification automatique et de capture de données -- Structures de données -- Méta-structure de signature numérique

General Information

Status
Published
Publication Date
03-Apr-2018
Current Stage
9092 - International Standard to be revised
Start Date
15-Jun-2020
Ref Project

Buy Standard

Standard
ISO/IEC 20248:2018 - Information technology -- Automatic identification and data capture techniques -- Data structures -- Digital signature meta structure
English language
81 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO/IEC
STANDARD 20248
First edition
2018-03
Information technology — Automatic
identification and data capture
techniques — Data structures —
Digital signature meta structure
Technologies de l'information — Techniques d'identification
automatique et de capture de données — Structures de données —
Méta-structure de signature numérique
Reference number
ISO/IEC 20248:2018(E)
ISO/IEC 2018
---------------------- Page: 1 ----------------------
ISO/IEC 20248:2018(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2018

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2018 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 20248:2018(E)
Contents Page

Foreword ..........................................................................................................................................................................................................................................v

Introduction ................................................................................................................................................................................................................................vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 2

3 Terms and definitions ..................................................................................................................................................................................... 2

4 Field and data definitions, abbreviations and symbols ............................................................................................... 4

4.1 Field and data definitions .............................................................................................................................................................. 4

4.2 Abbreviations ........................................................................................................................................................................................... 4

4.3 Symbols ......................................................................................................................................................................................................... 5

5 Conformance ............................................................................................................................................................................................................. 5

5.1 Specification version .......................................................................................................................................................................... 5

5.2 Claiming conformance ...................................................................................................................................................................... 5

5.3 Test authority ........................................................................................................................................................................................... 6

5.4 Test specification ................................................................................................................................................................................... 6

6 DigSig use architecture .................................................................................................................................................................................. 6

6.1 General ........................................................................................................................................................................................................... 6

6.2 DigSig Certificate process .............................................................................................................................................................. 7

6.3 DigSig generation process ............................................................................................................................................................. 8

6.4 DigSig verification process ........................................................................................................................................................... 9

6.5 Error codes ................................................................................................................................................................................................. 9

7 DigSig Certificate .................................................................................................................................................................................................. 9

7.1 General ........................................................................................................................................................................................................... 9

7.2 ISO/IEC 20248 Object Identifier .............................................................................................................................................. 9

7.3 DigSig Certificate parameter use ............................................................................................................................................. 9

7.4 DigSig cryptography ........................................................................................................................................................................10

7.4.1 General...................................................................................................................................................................................10

7.4.2 Digital Signatures .........................................................................................................................................................10

7.4.3 Private containers ........................................................................................................................................................10

7.5 DigSig Domain Authority identifier ...................................................................................................................................10

7.6 DigSig Certificate identifier (CID) ........................................................................................................................................12

7.7 DigSig validity .......................................................................................................................................................................................12

7.8 DigSig Certificate management..............................................................................................................................................12

7.9 DigSig revocation ...............................................................................................................................................................................12

7.10 Online verification .............................................................................................................................................................................13

8 DigSig Data Description (DDD) ...........................................................................................................................................................13

8.1 General ........................................................................................................................................................................................................13

8.2 DDD derived data structures ...................................................................................................................................................14

8.2.1 General...................................................................................................................................................................................14

8.2.2 DDDdata ...............................................................................................................................................................................14

8.2.3 SigData ...................................................................................................................................................................................15

8.2.4 DDDdataTagged .............................................................................................................................................................15

8.2.5 DDDdataDisplay ............................................................................................................................................................15

8.3 DigSig format .........................................................................................................................................................................................16

8.3.1 General...................................................................................................................................................................................16

8.3.2 Snips ........................................................................................................................................................................................16

8.3.3 Envelope format ............................................................................................................................................................17

8.3.4 AIDC specific construction of a DigSig .......................................................................................................17

8.4 The DigSig physical data path .................................................................................................................................................18

8.5 DDD syntax ..............................................................................................................................................................................................20

8.6 DigSig information fields .............................................................................................................................................................20

8.7 Data fields .................................................................................................................................................................................................21

© ISO/IEC 2018 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 20248:2018(E)

8.7.1 Compulsory data fields ............................................................................................................................................21

8.7.2 Application data fields .............................................................................................................................................21

8.8 Data field object syntax ................................................................................................................................................................22

8.9 DDD field types and associate settings ...........................................................................................................................23

8.9.1 General...................................................................................................................................................................................23

8.9.2 Special field values ......................................................................................................................................................23

8.9.3 Field types ..........................................................................................................................................................................24

8.9.4 Special types .....................................................................................................................................................................29

9 Pragmas ......................................................................................................................................................................................................................29

9.1 General ........................................................................................................................................................................................................29

9.2 entertext ....................................................................................................................................................................................................29

9.3 structjoin ...................................................................................................................................................................................................30

9.4 readmethod ......... ....................................................................................................................................................................................31

9.5 privatecontainer .................................................................................................................................................................................32

9.6 startonword ............................................................................................................................................................................................33

9.7 cidsniptext................................................................................................................................................................................................33

Annex A (normative) Test methods ....................................................................................................................................................................34

Annex B (informative) Example DigSigs .........................................................................................................................................................37

Annex C (informative) DigSig use in IoT ........................................................................................................................................................43

Annex D (informative) Typical DigSig EncoderGenerator device architecture .....................................................46

Annex E (informative) Typical DigSig DecoderVerifier device architecture ............................................................48

Annex F (normative) DigSig error codes .......................................................................................................................................................50

Annex G (informative) Digital Signature use considerations ...................................................................................................52

Annex H (informative) Example of a DigSig Certificate ..................................................................................................................53

Annex I (informative) Example DDD for a physical certificate ...............................................................................................54

Annex J (normative) DigSig revocation specifications ....................................................................................................................60

Annex K (normative) 2D bar code symbologies — Encoding and decoding the DigSig ................................62

Annex L (normative) ISO/IEC 18000‑3 Mode 1 RFID protocol and DigSigs ..............................................................70

Annex M (normative) ISO/IEC 18000‑63 RFID protocol and DigSigs ..............................................................................75

Bibliography .............................................................................................................................................................................................................................80

iv © ISO/IEC 2018 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 20248:2018(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are

members of ISO or IEC participate in the development of International Standards through technical

committees established by the respective organization to deal with particular fields of technical

activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

work. In the field of information technology, ISO and IEC have established a joint technical committee,

ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for

the different types of document should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following

URL: www .iso .org/ iso/ foreword .html.

This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 31, Automatic identification and data capture techniques.
© ISO/IEC 2018 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/IEC 20248:2018(E)
Introduction

This document specifies a “language” which is used to specify data constructs with; how the data

constructs can be read from one or more AIDC; and how to decode and verify such data.

This document is an ISO/IEC 9594-8 (Public Key Infrastructure: digital signatures and certificates)

application specification for automated identification services. Data capacity and/or data transfer

capacity of Automated Identification Data Carriers are limited. This restricts the normal use of a digital

signature as specified in ISO/IEC 9594-8 within automated identification services.

This document specifies an effective and interoperable method to specify, read, decode and verify data

stored in automated identification data carriers, independent from real-time remote control. Meta

parameters included in a digital certificate are used to achieve
— offline integrity verification of the data source and data originality,

— a verifiable data structure description to enable interoperability of deployment, domain authority

and automated identification data carriers,

— a verifiable data encoding method to achieve compact data to be stored in data constrained

automated identification data carriers (the JSON data format is used for both input and output of

the encoder and decoder),

— a verifiable automated identification data carrier read method description allowing for the data of a

read event to be distributed over more than one carrier of the same and of different technologies, and

— a verifiable method to support key management of cryptographically enabled automated

identification data carriers.

The user of this document may use any suitable hashing and asymmetric cryptography method. The

choice of cryptography method should be considered carefully and it is advised that only internationally

recognized or standardized methods, for example FIPS PUB 186-4 and IEEE P1363, be used.

This document should be used in conjunction with standard risk assessments of the use case and

environment.

NOTE Many transport applications rely on a secure non-transferable unique identifier to ensure that

the data are bound to the tag and/or the vehicle. For such functionality, please refer to ISO/IEC 29167. This

specification provides a mechanism to ensure the integrity and authenticity of the data themselves in order to

protect against alterations or insertion of false data into the system. It does not provide any means to defend

against replay attacks. Including the secure non-transferable unique identifier of a tag, as signed data, allows for

the unrefutable link between the tag and the data and provides a means to determine if the data were read from

the tag. The reader can place the read DigSig in another DigSig, effectively signing the read transaction. A third

party can then verify that the read transaction happened at a given place and time, as well as the data read.

vi © ISO/IEC 2018 – All rights reserved
---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO/IEC 20248:2018(E)
Information technology — Automatic identification and
data capture techniques — Data structures — Digital
signature meta structure
1 Scope

This document is an ISO/IEC 9594-8 (Public Key Infrastructure: digital signatures and certificates)

application specification for automated identification services. It specifies a method whereby data

stored within a barcode and/or RFID tag are structured, encoded and digitally signed. ISO/IEC 9594-

8 is used to provide a standard method for key and data description management and distribution. It

is worth noting that the data capacity and/or data transfer capacity of Automated Identification Data

Carriers are restricted. This restricts the normal use of a Digital Signature as specified in ISO/IEC 9594-

8 within automated identification services.

The purpose of this document is to provide an open and interoperable method, between automated

identification services and data carriers, to read data, verify data originality and data integrity in an

offline use case.
This document specifies

— the meta data structure, the DigSig, which contains the Digital Signature and encoded structured

data,

— the public key certificate parameter and extension use, the DigSig Certificate, which contains the

certified associated public key, the structured data description, the read methods and private

containers,

— the method to specify, read, describe, sign, verify, encode and decode the structured data, the DigSig

Data Description,

— the DigSig EncoderGenerator which generates the relevant asymmetric key pairs, keeps the Private

Key secret and generates the DigSigs, and

— the DigSig DecoderVerifier which, by using to the DigSig Certificate, reads the DigSig from the set of

Data Carriers, verifies the DigSig and extracts the structured data from the DigSig.

A successful verification of the DigSig signifies the following:
— the data was not tampered with;

— the source of the data is as indicated on the DigSig Certificate used to verify the DigSig with;

— if a secured identifier of the data carrier is included in the DigSig it contains, then the data stored on

the data carrier can be considered as the original issued copy of the data; the secure identifier will

be able to guarantee that the data carrier is authentic.
This document does not specify
— cryptographic methods, nor
— key management methods.

This document is used in conjunction with standard risk assessments of the use environment.

© ISO/IEC 2018 – All rights reserved 1
---------------------- Page: 7 ----------------------
ISO/IEC 20248:2018(E)
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 8824-1 , Information technology — Abstract Syntax Notation One (ASN.1): Specification of basic

notation — Part 1

ISO/IEC 9594-1 , Information technology — Open Systems Interconnection — The Directory — Part 1:

Overview of concepts, models and services

ISO/IEC 9594-8 , Information technology — Open Systems Interconnection — The Directory — Part 8:

Public-key and attribute certificate frameworks
ISO/IEC 9899, Information technology — Programming languages — C

ISO/IEC 18004, Information technology — Automatic identification and data capture techniques — QR

Code bar code symbology specification

ISO/IEC IEEE 9945, Information technology — Portable Operating System Interface (POSIX®) Base

Specifications, Issue 7
IETF 3986, Uniform Resource Identifier (URI): Generic Syntax
IETF RFC 5646 , Tags for Identifying Languages
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
3.1
authenticity
quality or condition of being authentic, trustworthy, or genuine
3.2
Base64url
Base64 encoding with the URL and Filename Safe Alphabet
Note 1 to entry: See IETF RFC 4648.
3.3
CIDSnip

singular continuous bit or text stream portion of a Data Carrier transmission which contains the CID as

the first part
1) ITU-T X.680 is equivalent to ISO/IEC 8824-1.

2) ITU X.500 is equivalent to ISO/IEC 9594-1, and is the commonly used reference for standard and terminology.

3) ITU X.509 is equivalent to ISO/IEC 9594-8, and is the commonly used reference for standard and terminology.

4) IEFT RFC 5646 is the reference specification of the IETF BCP 47.
2 © ISO/IEC 2018 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC 20248:2018(E)
3.4
Data Carrier
device used to store data as a relay mechanism in an AIDC system
EXAMPLE Barcodes, RFID tags and even human memory.
3.5
Data Carrier construct rule
process to prepare the DigSig Envelope for encoding in a particular Data Carrier
3.6
DataSnip

singular continuous bit or text stream portion of a Data Carrier transmission containing data for

DDD fields
3.7
Digital Certificate
certificate

data construct that contains the Public Key, integrity parameters and use parameters of the DigSig

Note 1 to entry: The data construct shall be as specified in ISO/IEC 9594-8.
3.8
Digital Signature
signature
result of an asymmetric encryption method on a data construct

Note 1 to entry: The asymmetric encryption method and data construct shall be as specified in ISO/IEC 9594-8.

Note 2 to entry: In typical legal terminology, this term is the equivalent of an advanced electronic signature.

3.9
DigSig

data construct assembled according to this document which contains verifiable information obtained

from one or more AIDC
3.10
DigSig Envelope
envelope
data construct assembled according to this document by the EncoderGenerator
3.11
Domain Authority

entity, operating as a trusted third party, responsible for the Digital Signature integrity of a jurisdiction

3.12
integrity

reliability of data that are as they were created according to the required verification parameters

3.13
jurisdiction

independent domain of control in terms of the business or legal (or both) scope of the parties concerned

EXAMPLE Independent countries, separate ministries or departments of a government, or independent

companies each with their own legal or business (or both) framework.
3.14
nibble
four-bit aggregation
© ISO/IEC 2018 – All rights reserved 3
---------------------- Page: 9 ----------------------
ISO/IEC 20248:2018(E)
3.15
Private Key

key that is kept in secret and is used to generate a Digital Signature by encrypting data that will be

verified by its associated Public Key
3.16
protocol
communication specification
3.17
Public Key

key that is publicly available and is used to verify data that were encrypted by its associated Private Key

3.18
Snip
singular continuous bit or text stream portion of a Data Carrier transmission
3.19
Time Zone
time zone code
Note 1 to entry: See ISO 8601.
3.20
UTF-64
64 bit variable-width encoding
Note 1 to entry: See ISO 10646.
3.21
WORD
media physical memory grouping of bits
4 Field and data definitions, abbreviations and symbols
4.1 Field and data definitions
Field and data objects are defined in Clause 8.
4.2 Abbreviations
AFI Application Family Identifier
AIDC Automatic Identification
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.