Generic Identity Device Specification (GIDS) for smart card authentication
GIDS sets out the functionality of a physical identity device that can be used for authentication, such as a smart card or USB token.
GIDS is a standard for smart cards that enables them to be used for authentication. Smart cards and other devices that include a smart card chip, such as USB Security Keys, can support GIDS as long as they are fully ISO-7816 compliant.
While it is not the only standard for smart card authentication, GIDS is a serious alternative to others like PIV, a US federal government mandated standard.
GIDS support is built in to Windows 7 SP1 onwards, with no extra software installation required.
GIDS Smart Card Functionality
GIDS smart cards can be integrated into an organisation's Public Key Infrastructure (PKI) and can perform a common set of cryptographic operations.
GIDS smart cards can generate and store key-pairs of the common asymmetric algorithms RSA and ECC. They can also store symmetric keys for AES and 3DES.
Cards can use these keys for crypto operations such as signing and encryption/decryption following successful user PIN entry.
They can also store X509 certs and other supplemental data. Such objects are created on the card during a provisioning operation.
A key feature of GIDS is that a provisioning operation can be performed with the user PIN, rather than in a special administrator environment/state. This enables self-service functions to be provided in applications which can help reduce the burden on IT support.
Some examples of what can be enabled using a GIDS smart card include:
- Smart card login to Windows
- TLS client authentication
- VPN authentication
Note that while we mention Windows several times here, GIDS is not Windows-specific. It is notable (and convenient) that Windows has built in support for GIDS out of the box. Support on other operating systems is available via OpenSC.
GIDS uses the APDU command-response structure of ISO-7816 to define a set of commands that enables software to use the card for identity applications in a consistent manner. The command set is referred to as the "card edge" in the specification.
GIDS also specifies the on-card data model to be used. The data model and the command set are tightly linked and together they form the GIDS profile.
Note that GIDS does not mandate which particular card technology is used. Any ISO-7816 compliant smart card can be a GIDS card whether the card platform is native, JavaCard, Multos or .NET for example.
Benefits of GIDS
GIDS expects to further develop the market for identity smart cards for several reasons:
- A common, well-defined command set will encourage both card manufacturers and application developers to support GIDS.
- Better interoperability between applications due to standardization and increased support, thus reducing costs.
- Further potential for cost reduction and performance improvement by hardcoding the stable command set in ROM.
- Improved card eco-system (personalization tools, card management systems etc) due to third-party adoption and interoperability.
- More sources from which customers can purchase cards with the assurance of compatibility.
GIDS Smart Cards from Microcosm
Please contact us to discuss your GIDS smart card requirements in more detail.