CMU - Workshop on ID Cards November 28th, 2001
www.gemplus.com, Gemplus © 2001
Your Passport to the Digital Age™
27/11/2001
Workshop on ID Cards
Carnegie Mellon University
November 28th, 2001
Gilles Lisimaque

The Goals and the Challenges
• Individual Identification
  - Required to prevent somebody from impersonating someone else
  - Required to get information allowing recourse in case of bad behavior
• Transfer of trust
  - We have multiple roles in our lives (citizen, taxpayer, employee, driver, church member, etc.), reporting to multiple authorities
• Privacy
  - Is a right which needs to be protected, but the solution varies greatly depending on the culture
  - Europe: personal information belongs by law to the private person
  - US: personal private information belongs in fact to whoever collects it
• Security
  - Consists of three elements: Prevention, Detection, Reaction
  - Risk management is required to balance costs and convenience

The Weakest Link
Security of a system is as high as its least secure link
The American people should not be fooled: a "traveler's ID" is not an effective way of protecting against terrorism. Someone planning a terrorist attack would get one if, like Timothy McVeigh or most of the September 11 hijackers, there are no red flags in their record. Even when there are, the cards are still only as good as the documents and procedures used to decide who should get one. It remains extremely easy in this country to steal another person's identity.
Statement of Barry Steinhardt, Associate Director, American Civil Liberties Union - Thursday, November 8, 2001

Biometric is not Mind reading
"There is no sign that biometrics will be a be-all end-all. Fingerprints will play a role in identifying someone and enrolling them in the system. To my knowledge, none of the Sept. 11 terrorists were in the FBI's database."
Michael Kirkpatrick, assistant director in charge of the FBI's Criminal Justice Information Service Division.

Checking an ID or a behavior?
“… Two of the hijackers managed to board planes on Sept. 11 despite having been on a government watch list. The two hijackers whose addresses aroused Visa's suspicion had to pay cash for their plane tickets after their credit cards were rejected.”
New York Times, 11/20/01 “For Air Safety, an E-ZPass Using Retinas”
By JOHN TIERNEY

Technology requirements for IDs
Three technologies are of help regarding IDs:
• PKI: transfer of trust (or proof)
  - Refers to the authority which verified the identity claim of a given individual in a given role (citizen, driver, gun owner, resident alien, taxpayer, etc.)
• Biometrics: who we are
  - Unique individual reference
  - Used to verify that another identity has not already been claimed by the same individual
  - Used to verify that the physical person now claiming a given role (or identity) is the same person initially checked by the trusted authority
• Tokens (or Cards): the tamper-resistant proof of the “role” we claim to be in, at a given time, anywhere, to nearly anybody
  - Allows us to show the proof of the “role” we play when we need to interact with an unknown person or entity, on a network or in real life

An ID is as good as what it proves
• Applying for an ID in a given “role” by the person
• Verification done by an authority
  - For the person’s true identity (e.g. not already enrolled)
  - If the “role” the person is applying for is legitimate
• Certification by the Authority
  - Delivery of the proof of role/ID signed by the authority
• Storage of the “proof” by the user
  - On paper, plastic or, better, on a digital medium

Registration & Issuance: 4 Models
Model | Registration | Card Issuance | Steps | Examples
Credit Card | Remote | Remote | Phone, mail or log in, register; receive card in mail | Bank Cards, Health Care Cards
Will Call | Remote | On Site | Phone, mail or log in, register; walk in, bring credentials, pick up card | Not used for IDs
Driver’s License | On Site | On Site | Walk in, register; receive card, leave | Driver’s Licenses, Military IDs, Student IDs
Passport | On Site | Remote | Walk in, register; receive card in mail | Passports

The Card Technology Challenges
Type | Memory Size | Security | Privacy | Upgradable | Card Cost | Reader Cost
Plastic | Quite low | Low | None | No, card replace | Very low | None
Mag-stripe | Low for bank cards | Low to Medium | In terminal | No, card replace | Low | Low if no PKI
Bar Code | Low to Medium | Low to Medium | In terminal | No, card replace | Low | Low if no PKI
Optical | Very high (Mbytes) | Medium | In terminal | Data added | High | Very high
Smart Card | 32K to 64K bytes today | High, in card | Yes, by card | Yes, update | Medium to High | Low to Medium

Three Technologies Working Together
• Secure Storage
• Portable
• Personalized
• Privacy
• Processing
  - Crypto
  - Matching
• Low-cost infrastructure
• Transactions
world

• Personal: you
• Present
• Difficult to forge
• Convenience
• Solves multi-pins problem
• Hard to steal

• Public Notary
• Digital information
• Usable on networks

Two Are not Enough
• Requires Central Data base
• Requires Trusted Terminals
• Weak User-to-Card Authentication
• PIN and multi-PINs issues
• Lack of Key Management
• Weak User-To-Remote Site Authentication
It may only take 2 to tango, but 3 legs are required to create a stable platform

Convergence Challenges
• Policy Challenges
  - Security
  - Privacy
  - Liability
  - Ownership: Card, Keys, Credentials
• Acceptance Challenges
  - Trust
  - Affordability
  - Convenience
  - Management: Card, Keys, Credentials
• Technology Challenges
  - Architecture
  - COTS Solutions
  - Standards
  - Accommodating the Physical World
  - Interoperability
  - Planning for change

Baby Steps toward a Solution
• The Driving License standard being developed by NCITS B10.8 gives an idea of the data to manage
  - Example: Name, Address, Driving license #, expiration date, delivering authority, color picture, weight, height, sex, date of birth, etc.
• An ID system starts by storing a piece of digital information signed by the delivering authority
  - Magnetic stripe
  - Optical track
  - Multi-dimensional bar code
  - Smart card
• Personal Information: Name, DoB, Address, etc.
• Personal identification: Picture, weight, Fingerprint, etc.
• Authority’s signature: Digital certificate

Going Step by Step is easier
• Smart Card technology makes it possible to deploy electronic readers able to work with all types of smart cards
• Germany decided in 1994 to deploy 80 million Health Insurance cards.
  - They started with simple integrated circuit memory cards (one simple data file per smart card with a user PIN)
  - They deployed smart card readers able to read all other smart cards (same hardware), with simple software to start with
  - The same readers can now accommodate sophisticated multi-application smart cards able to process Public Keys

Smart Card levels of sophistication
Start simple, but keep the ultimate goal in mind!
[Figure: four options, security levels 0 to 3 (less to more). For each architectural element (Data File - Personal Identification; Multi-application, Privacy protection; Biometric Matching on card), the function is done by the network or the card.]

Card levels of sophistication, Level Zero: No Card
• Identification on paper (or plastic IDs)
• Centralized DB
• Need for attended terminals
• Issue of counterfeit documents
• Documents hard to modify (e.g. address)
• Very hard to use digital certificates on the ID
• Document cannot be used by user on Internet
• Privacy concerns
  - The user has no control over who is accessing his information and what is stored in the back end

Card levels of sophistication, Level One: On Card Digital Storage
• Personal Information is digitally signed
  - Protected from unauthorized modifications
  - Allows update of the information with the proper credentials
• Enhanced individual privacy
  - Card holds all required identity information
  - No need for central Data Base
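
Added example (not part of the original slides): how an offline terminal can check a Level One card, using the kind of signed record described on the "Baby Steps toward a Solution" slide. The record layout, the function names and the use of Ed25519 in place of the X.509/PKI signatures the deck refers to are assumptions of this sketch.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// IDRecord carries fields of the kind the slides list; names are assumptions.
type IDRecord struct {
	Name, Address, LicenseNo, Authority string
	Expires                             string // YYYY-MM-DD
}

// SignedID is what the card stores: the record plus the authority's signature.
type SignedID struct {
	Record    IDRecord
	Signature []byte
}

// encode yields the exact bytes that get signed (a struct of strings always marshals).
func encode(r IDRecord) []byte {
	b, _ := json.Marshal(r)
	return b
}

// Issue is run once by the delivering authority, which alone holds the private key.
func Issue(priv ed25519.PrivateKey, r IDRecord) SignedID {
	return SignedID{Record: r, Signature: ed25519.Sign(priv, encode(r))}
}

// Verify is the offline terminal's check: it needs the authority's public key only.
func Verify(pub ed25519.PublicKey, id SignedID, today time.Time) error {
	if !ed25519.Verify(pub, encode(id.Record), id.Signature) {
		return errors.New("signature invalid: record modified or wrong authority")
	}
	exp, err := time.Parse("2006-01-02", id.Record.Expires)
	if err != nil || today.After(exp) {
		return errors.New("record expired or expiry date unreadable")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stand-in for the authority's key pair
	id := Issue(priv, IDRecord{Name: "A. Sample", Address: "1 Constructed St",
		LicenseNo: "X000", Authority: "Example DMV", Expires: "2005-11-28"})
	today := time.Date(2001, 11, 28, 0, 0, 0, 0, time.UTC)
	fmt.Println("genuine: ", Verify(pub, id, today))
	id.Record.Address = "2 Forged Ave" // holder edits the stored address
	fmt.Println("tampered:", Verify(pub, id, today))
}
```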

Card levels of sophistication, Level 2: Multi-Application Card
• Personal Information (PI) is digitally stored, signed and ciphered with application session keys (allows the card to be used over open networks)
• Protected from:
  - unauthorized modifications
  - unauthorized access
• Allows update of the information in the card (including security keys) with the proper credentials for each application domain
• Enhanced individual privacy
  - Card holds all required Personal Information for all applications in separate domains
  - No need for access to a central Data Base for PI
• Card authenticates its user (PIN or Password)
• Example of implementation today: Department of Defense - Common Access Card

Card levels of sophistication, Level 3: Multi-Application & Biometry
• Same advantages as Level 2, plus:
• Card authenticates its true user (biometrics)
• Personal Information is digitally stored, signed and ciphered with application session keys (allows use over open networks)
• Protected from:
  - unauthorized modifications
  - unauthorized access
• Allows update of the information & keys with the proper credentials for each application domain
• Enhanced individual privacy
  - Card holds all required Personal Information for all applications in separate domains
  - No need for access to a central Data Base
  - Biometric information never leaves the card
• Terminals are simpler and less “security involved”

101 on Biometric Verification
[Figure: data flow between a Biometric Terminal and a Biometric Smart Card. Blocks: X.509 BIO certificate Storage; X.509 Parsing & Verification; Processing Parameters; Matching Parameters; Biometric Capture (image); Biometric Processing; “Livescan” Biometric Template; “Stored” Biometric Template; Biometric Matching; Matching Score.]

Biometric Verification Architecture
Start simple, but keep the ultimate goal in mind!
[Figure: four options, security levels 0 to 3 (less to more). For each architectural element (Biometric Storage, Biometric Matching, Biometric Capture), the function is done by the terminal or the card.]

Level Zero: No Smart Card
• Biometric templates stored in database
  - Centralized DB
  - Replicated Local DBs
• Subject to attacks
• Privacy concerns
• Infrastructure issues

Level One: On Card Storage
• Biometric template stored on smart card
• Protected from:
  - Modification
  - Unauthorized read
  - Replay attacks
  - Repeated attempts
• Enhanced individual privacy
  - Card holds all required identity information
  - No need for Data Base
  - No private information needs to be given to third parties

Level 2: On Card Matching
• Biometric template matching performed by smart card
• All benefits of on card storage, plus:
• Further enhances security and individual privacy
  - Card directly authenticates cardholder
  - Stored biometric data never leaves card
  - Eliminates need for secure session with biometric matching device (reducing cost)
• Previous implementations:
  - 1987: Dynamic hand signature, France
  - 1995: Hand geometry for access control, USA
  - 1996: Voice recognition, Europe
  - 2000: Fingerprint matching, USA/France
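
Added example (not from the original slides): a model of on-card matching with the retry limit that the "Level One" slide lists as protection against repeated attempts. The bit-string template, the Hamming-distance score and the threshold values are constructed assumptions; real biometric matchers work differently.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

var ErrBlocked = errors.New("card blocked: too many failed attempts")

// Card models match-on-card: the enrolled template is unexported and no
// method returns it, so the terminal only ever learns accept or reject.
type Card struct {
	template            []byte // constructed bit-string template (assumption)
	maxDistance         int    // acceptance threshold: trades FAR against FRR
	maxTries, triesLeft int
}

func NewCard(template []byte, maxDistance, maxTries int) *Card {
	return &Card{append([]byte(nil), template...), maxDistance, maxTries, maxTries}
}

// Verify matches a livescan template against the stored one inside the card.
func (c *Card) Verify(livescan []byte) (bool, error) {
	if c.triesLeft == 0 {
		return false, ErrBlocked
	}
	c.triesLeft-- // spend the attempt first; it is restored only on success
	if len(livescan) != len(c.template) {
		return false, nil
	}
	distance := 0 // Hamming distance stands in for a real matching score
	for i := range c.template {
		distance += bits.OnesCount8(c.template[i] ^ livescan[i])
	}
	if distance > c.maxDistance {
		return false, nil
	}
	c.triesLeft = c.maxTries
	return true, nil
}

func main() {
	enrolled := []byte{0xA5, 0xC3, 0xF0, 0x0F, 0x3C, 0x5A, 0x99, 0x66} // constructed
	noisy := append([]byte(nil), enrolled...)
	noisy[0] ^= 0x07 // same finger, 3 bits of sensor noise
	card := NewCard(enrolled, 6, 3)
	ok, _ := card.Verify(noisy)
	fmt.Println("holder accepted:", ok)
	for i := 1; i <= 4; i++ { // three wrong guesses block the card
		ok, err := card.Verify(make([]byte, 8))
		fmt.Println("guess", i, ok, err)
	}
}
```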

Option 3: On Card Capture
• Biometric capture performed by smart card
• All benefits of on card storage & matching, plus:
• Ultimate architecture
  - Biometric presented directly to card
  - Card directly authenticates cardholder
  - Biometric never leaves card
• Grade A+

Architecture Choice for Private Keys
[Figure: four options, security levels 0 to 3 (less to more). For each architectural element (Key Storage, Algorithm Calculation, Key Generation), the function is done by the terminal or the card.]
A smart card architecture makes it possible to start simple (rely on the terminal) and increase the level of security when the infrastructure is in place

Accommodating the Physical World
Each Technology has Limitations
• FAR > 0
• FRR > 0

• Tamper resistant, not tamper proof
• Lost or stolen
• Mechanical failures

• Requires significant computational power
• Component failures

As good as the Issuance system

The Convergence Challenge
• Architecture
• Accommodating the Physical World
• Affordability
• Trust
• Liability
• Privacy
• Standards
• Interoperability
The acceptable solution(s) will be a compromise of competing priorities

Smart Card Taxonomy
[Figure: taxonomy tree. Card: Plastic Card or Chip Card. Chip Card: Memory or Microprocessor. Interfaces: Contact, Contactless, Twin, Combi. Microprocessor: Secret Key or Public Key. Secret Key: Proprietary (MPEMV) or Open (JavaCard, Multos). Public Key: Proprietary (GPK, GemSAFE) or Open (JavaCard PK, Multos).]
Smart Card may mean either
1. Integrated Circuit Card, or
2. Microprocessor Card
Decision Points
• Chip?
• Processor?
• Interface(s):
• Cryptography:
• Platform:
• Memory: 8K, 16K, 32K, 64K, …

Trends in Smart Cards
• Move to open platforms supporting PKI
  - Government
  - Banking
  - Healthcare
  - Mobile Phones (GSM)
• Intent to deploy multiple applications
• Demand for more memory (EEPROM or Flash)
  - 16K, 32K, 64K bytes …
• Plans for post issuance (i.e. to deploy or upgrade applets in the field)

Card | Size | PK | COS
JavaCard
GemXpresso Lite | ~14K | | Java
GemXpresso211 | ~23K | | Java
GemXpresso211pk | ~19K | | Java
GemExpressoPro | ~64K | | Java
Legacy Cards
MPEMV 8K | 8K | | Prop.
MPEMV16K | 16K | | Prop.
GPK8000 | 8K | | Prop.
GPK16000 | 16K | | Prop.

Smart Card Readers
Contact Readers
• GemPC 400 - PCMCIA Reader
• GemPC 410 - Serial Port Reader
• GemPC 410-SL - Serial Reader (Slim Line)
• GemPC 430 - USB Port Reader
• GemPC-Touch 430 - USB Fingerprint Reader
• GemPC-Touch 440 - Fingerprint Reader
Contactless Readers
• GemEasyAccess608 - ISO 14443 Card Reader

Smart Cards are used as IDs …
• Military or Student Multi-Application ID Cards
  - United States
  - Peru
  - Europe
  - Asia
• Immigration Clearance and Residency Cards
  - Asia
  - Colombia
  - Mexico
• Driver’s Licenses
  - Argentina
  - El Salvador

Baby Steps for cards
• Single data file in a card, digitally signed by an authority (one role per card)
• Multiple data sets in a single card signed by multiple authorities (multiple roles per card)
• Smart Card with Public Key microprocessor able to:
  - Check the credential of the requestor (protects privacy)
  - Update application security keys without re-issuing new cards
• Smart Card with biometric matching on board (maximum security and privacy)

Baby Steps for Biometry
• Digital picture stored in the card, signed by an authority
• Biometric template stored in the card (e.g. fingerprint or hand geometry) and digitally signed
• Biometric template matched in the card (protects against bogus terminals)
• Biometry captured and matched by the card

Baby Steps on Public Key Infrastructure
• Passive signature (CVV on bank cards) on all information stored on an ID card (prevents data tampering)
• Multiple PK authorities and certificates for interchange
• Change of security keys every so often with smart cards
• Risk management and verification levels based on requestor’s credential
• Personal Private Information protected by the user’s card with a trusted Public Key for data escrowing

Shooting for the Stars?
[Figure labels: Goal; Identification; Certification; Smart Card; Public Key Infrastructure; Biometry.]
The foundation of a Secure ID is the Issuance System

Security and Risk Management
• Using an active intelligent device makes it possible to manage some of the risk depending on the context
• Examples of risk management rules for travel:
  - If the ID card has not been checked for the last month, the card will ask the terminal to go online for tighter controls
  - If the picture stored in the card is too old, ask for another means of identification (in case visual display is used)
  - If the ticket is one way and the home address in the card is not in line with the ticket destination, ask more questions
  - Etc.

Security is an attitude, not a status
• Whatever is secure today might not be tomorrow
• 100% security cannot be achieved
• High Security is not a friend of convenience
• When a security level is breached it is important to:
  - Have detection mechanisms
  - Have a reaction plan
  - Upgrade the system
• A Smart Card is the only active security ID card able to adapt to the future