8/9/2019 Javacard as Govtid 100206130505 Phpapp01
1/25
Govt. Citizen ID with Java Card™ Platform
Emphasis on the role and relevance of Java Card and Sun Identity Management Technologies
Ramesh Nagappan
Security Technologist, ISV-E
http://www.coresecuritypatterns.com/blogs
Sun Microsystems 2009, Slide 2
Undisputed Market Leader in Multi-Application Smart Cards
Market segments: Finance, Government/Healthcare, Telecom, Corporate Loyalty
[Image: sample U.S. Department of Defense identification card (Armed Forces of the United States, U.S. Navy, DoD Civilian) showing chip, photograph, organization seal, last name, first name and initial, issue date and expiration date]
Introduction to Java Card Technology
A Programmable Runtime engine for Smart cards
> Open & Standards-based
> Built for multi-application
> Proven security (enabling on-card PKI/Biometric credentials based Physical/Logical Access Control)
A future-proof platform for Smart card based services
> Dynamic application loading
> Test-suite enforced interoperability
> Cryptography and Biometrics support
A reference technology for Smart card issuers
> Market leader in Security for Government and Citizen ID
> Market leader in reliability for wireless, banking, ID
> Choice of multi-sourcing: obtain cards from multiple vendors
Security and Portability with Reliability as Core Value Proposition
Java Card Adoption
6 Billion Java Card Units deployed
> Variety of form factors: Passports, Contactless, USB Tokens, Smart Cards, SIM Cards, Secure Flash Memory
Leader in market segments
> Telecom (de facto for SIM card!)
> Banking (Payment card)
> ID (Citizen/Govt/Defence/Intelligence)
> PayTV (Cable/Dish Subscriber card)
> Transport, Healthcare...
Java Card vs MULTOS
Java Card as Cryptographic Token
Using Smart card based PKI as an Authentication Credential
PKI enabled Smart cards
A credit card sized computing device acts as a Cryptographic token.
> Contact / Contactless cards
Allows performing core PKI functions
> Key generation
> Public/Private key operations
> PIN/Biometric authentication
> Challenge/response authentication
Supports the use of Public-key infrastructure to verify the Identity claim.
> PKI credential issuance
> Credential validation/verification via OCSP, CRLs
Defends against tampering and hacking.
> PKI/Private key protection
Standards: ISO-7816; Java Card, Multos; Global Platform; PC/SC; FIPS-201/PIV, CAC; PKCS#11, PKCS#15; GSM/PCS; EMV (Europay/Mastercard/Visa)
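As an added example (not code from this deck or from Sun), a minimal Java Card applet that behaves as the cryptographic token described above: PIN verification, on-card RSA key generation, and challenge/response signing with a private key that never leaves the chip. The applet name, the INS_SIGN instruction code and the install-parameter layout are assumptions; the host side (reading the card's certificate, checking it against OCSP/CRLs and verifying the signature over the challenge) is not shown.

```java
package govtid;
import javacard.framework.*;
import javacard.security.*;
// Hypothetical applet (not from the deck): the RSA private key is generated on-card
// and never exported; after PIN verification the card signs a host-supplied challenge.
public class ChallengeResponseApplet extends Applet {
    static final byte INS_VERIFY_PIN = (byte) 0x20;  // ISO 7816-4 VERIFY
    static final byte INS_SIGN       = (byte) 0x42;  // applet-specific INS (assumed)
    private OwnerPIN pin;
    private KeyPair keyPair;
    private Signature sig;
    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new ChallengeResponseApplet(bArray, bOffset);
    }
    private ChallengeResponseApplet(byte[] bArray, short bOffset) {
        // Install parameters (assumed layout): [AID len][AID][info len][info][PIN len][initial PIN]
        bOffset = (short) (bOffset + bArray[bOffset] + 1);   // skip AID
        bOffset = (short) (bOffset + bArray[bOffset] + 1);   // skip control info
        pin = new OwnerPIN((byte) 3, (byte) 8);              // 3 tries, max 8 digits
        pin.update(bArray, (short) (bOffset + 1), bArray[bOffset]);
        keyPair = new KeyPair(KeyPair.ALG_RSA, KeyBuilder.LENGTH_RSA_1024);
        keyPair.genKeyPair();                                // on-card key generation
        sig = Signature.getInstance(Signature.ALG_RSA_SHA_PKCS1, false);
        sig.init(keyPair.getPrivate(), Signature.MODE_SIGN);
        register();
    }
    public boolean select() { pin.reset(); return true; }   // PIN state lasts one session
    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        short len;
        switch (buf[ISO7816.OFFSET_INS]) {
        case INS_VERIFY_PIN:
            len = apdu.setIncomingAndReceive();
            if (!pin.check(buf, ISO7816.OFFSET_CDATA, (byte) len))   // SW 63Cx: x tries left
                ISOException.throwIt((short) (0x63C0 | pin.getTriesRemaining()));
            return;
        case INS_SIGN:   // refuse to sign until the PIN has been verified this session
            if (!pin.isValidated()) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
            len = apdu.setIncomingAndReceive();                  // challenge from the host
            len = sig.sign(buf, ISO7816.OFFSET_CDATA, len, buf, (short) 0);
            apdu.setOutgoingAndSend((short) 0, len);             // 128-byte PKCS#1 signature
            return;
        default:
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
}
```

The host should send a fresh random challenge on every authentication so a captured signature cannot be replayed, and should treat the 63Cx status word as the retry counter to surface to the user.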
Java Card as Biometric Token
Using Smart card based Biometrics as an Authentication Credential
Java Card based Biometric Identity
Matching to Physiological or Behavioral characteristics to identify a person.
> High degree of assurance with proof of presence + proof of possession
> Fingerprints, Facial image/geometry, Iris images can be stored on card.
> Match on-card samples to live human samples.
Biometric templates can be stored on Smart card for personal identification.
> Fingerprint template is ~200 bytes
> Iris template is 500 bytes
Biometric credential must be exchanged in a secure network channel (Trusted path)
Standards: INCITS 378 / CBEFF (Fingerprints); INCITS 379 (Iris); OASIS BIAS; BioAPI; JavaCard BioAPI; FIPS-201 / PIV
Managing Govt ID Issuance Life-cycle
Identity Management life-cycle events:
> Identity Registration
> Identity Enrollment & Adjudication
> Card/Credential Issuance
> Physical & Logical Access Control
> Credential Maintenance
> Identity Termination
Managing Govt ID Issuance Lifecycle
Smartcard issuance life-cycle using Sun Identity Management Suite
[Diagram: Sun IDMS takes Demographic Data, Biometrics and PKI as inputs; Identity Proofing produces Verified Credentials (Smartcard / Biometrics), which feed Logical Access Control and Physical Access Control]
Sun IDM Authorization Workflow
[Diagram: Applicant Registration (Biometrics, Breeder Documents) -> Enrollment -> Identity Proofing & Adjudication -> Card Issuance & Activation -> Physical & Logical Access Provisioning -> Credential Maintenance -> Retirement / Termination; each step carries an Approval/Denial decision by the Hiring Manager, Enrollment Officer, HR Officer or HR Manager]
Sun IDM manages the authorization workflow and authority approvals and denials.
Sun IDM facilitates digitally signed approvals using Smart card based credentials verified against a PKI provider.
Sun Confidential: Sun Employees and Immersion Week 2008 Partner Attendees Only. Slide 11
Smart card based Credentials - Logical Access Control
Sun Rays In a Govt eID Environment
Sun Ray supports the use of most eID and CAC/PIV Cards
Key attributes: Security, Manageability, Reliability, Mobility, Value
Logical Deployment of Sun Rays
Smartcard based authentication: Virtual/Remote Desktop/Application environment
[Diagram components: Sun Rays, Firewall, Sun Access Tier (Identity/Auth.), Firewall, Data Center (ESX Virtualization, Applications)]
> PC & Thin Client users can securely access their remote desktops & applications from any location using PIV Cards.
> Once PIV authenticated, the access tier establishes a display connection to the user device and a protocol connection to the back-end desktop OS and applications.
> Native protocols are used to access apps. No modification of the OS or apps required.
> Each user desktop environment runs on a virtual machine located in the corporate data center. All desktop and application communication remains in the data center.
> The access tier supports standard Authentication mechanisms: LDAPv3, Active Directory, NIS, MS Windows Domain.
> Access layer controls the user access and application profiles. It maintains audit logs of user and app usage. It provides the display engine to the user desktop.
Summary: PIV Credential Authentication; Secure remote access from any location; Combine existing authentication and authorization mechanisms using Sun IDMS; Windows XP / 2003 Desktop Virtualization using Sun Rays and Sun VDI
Sun CMT Servers: Wire-speed Security
UltraSPARC T2 offers On-chip Cryptographic Acceleration for PKI Applications
Sun UltraSPARC T2 offers industry-leading cryptography performance for PIV environments.
> On-chip Crypto threads virtually eliminate large workloads with PKI & Cryptography.
> Out-performs competition on SSL and Public-key crypto operations
> Over 30x greater RSA1024 performance than 2-socket IBM p510
Supports commonly used ciphers for Public-key encryption and secure hashing functions
> Public-key cryptography (RSA, DSA, Diffie-Hellman, ECC)
> Bulk encryption (RC4, DES, 3DES, AES)
> Secure hash (MD5, SHA-1, SHA-256)
Mandatory Access Control and Security Labels (Solaris TX)
U.S. Department of Defense Military ID and Geneva Convention Card
> Common credentials for verified identity
> DoD-wide health benefits ID card
> Physical access and manifesting
> Logical access with PKI/digital signature
Well established security certification platform with numerous cards with FIPS-140 ratings
> High degree of Security and Assurance
Supports additional military branch-specific applications at issuance and post-issuance
Flexible to support original CAC format, CAC transitional format and PIV format (evolution of requirements)
Deployment: +3M active duty units. Over 12M units to date. Issuing +30K units a day at peak war periods
[Image: sample U.S. Department of Defense identification card (Armed Forces of the United States, U.S. Navy, DoD Civilian) showing chip, photograph, organization seal, last name, first name and initial, issue date and expiration date]
US Federal Employee PIV Card
Presidential Directive 12 (HSPD-12) mandated a Federal Government-wide smart card ID program.
> Use of combined PKI and Biometric credentials
Dual interfaces for both Physical and Logical access
> Secure Contact/Contactless access to target resources
To date, all deployed PIV cards are Java Card
> Conformance to Java Card 2.2.1
By 2013 over 12 million PIV cards will have been issued
The PIV model is being replicated in the US Federal Govt in programs such as Travel Worker Identity Program (TWIC), First Responder ID, Immigration Cards and potentially Drivers Licenses
Taiwan Healthcare ID
National health insurance ID card
Multi-application smart card
> Identification, medical profile and benefits
> E-Purse capable
> Restricted use by other governmental agencies to protect privacy
Supports open standards and post-issuance of new applications
40M Java Cards deployed
Belgium National ID
First country in EU to deploy citizen ID card to entire population
Multi-application Java Card
> Identification, e-Government Services, e-Voting, etc.
> Filing Tax Returns, Birth Certs, Civil Records
> Digital Certificates: Authentication, Digital Signature (PKCS15 Conformance)
> Commercial Applications: e-Banking, e-Ticketing
Common Criteria EAL 5+ Certified
Deployment: 40+ Million Java Cards
Thailand National ID Card
National Citizen ID card to entire population
> Multi-application Java Card-based Smart Card
> Personal ID, fingerprints, tax, social welfare and social security numbers, agricultural data and healthcare data.
> Citizens will be able to access eGovernment services at e-government kiosks nationwide and by smart card readers integrated into desktop computers.
60M+ Java Cards deployed
Oman National ID Card
First country in Middle East to start deploying large-scale citizen ID Card to entire population
> Multi-application Java Card-based smart card
> Provides positive identification with digital photograph, digital certificates and biometrics authentication
> Plans to add drivers license, emergency medical data and border control applications
Deployment: 3M+ Java Cards
United Arab Emirates National ID
National Citizen ID Card to Entire Population
> Multi-application Java Card-based Smart Card
> Positive Identification with Digital Photograph, Digital Certificates and Fingerprint Biometrics Authentication
> Enabled e-Government Services
> Plans to add Drivers License, Emergency Medical Data and Border Control Applications
Deployment: +4.5 Million Java Cards
Macau Government ID Card
Multi-application Java Card-based Smart Card
> Identification, Border Control, E-Government, E-Commerce and Public Services Access
> Driver's License and E-Purse Envisioned in Future
Secure Laser Engraved Java Cards
> Facial Image, Signature, and Fingerprint Biometrics
> PKI/Certificates
GlobalPlatform-compatible Card Mgt. System
More... Java Card's Govt ID Successes
> UK NHS and MoD
> Canadian ePassports
> Portugal National ID
> Qatar National ID
> Azerbaijan National ID
> Morocco National ID
> Finland National ID
> Italy National ID
> Queensland Australia Drivers License
And approximately 20 other countries exploring Java Card
Thank You !
Ramesh Nagappan
http://www.coresecuritypatterns.com/blogs
Brian Kowal, Head, Java Card Marketing & Sales