
OPACITY – secure and private contactless identity for the cloud

Philip Hoyer – Senior Architect CTO Office

24th September 2010


Table of Contents

• Privacy and the cloud, strongly proving identity with privacy
  – Business problem
  – Privacy problem
  – The cloud identity assurance trust chain

• Provide a high-level introduction into OPACITY
  – What is OPACITY
  – Use cases, what can we do with OPACITY
  – OPACITY modes of operation
  – Status and where can you find OPACITY

• Conclusion


Business Problem

• User convenience is driving the increase in contactless applications
  – Tap and authenticate, tap & sign, leverage existing issued credentials from new service access terminals (e.g. iPad, mobile phones, etc.)


Business Problem

• For cloud services to encompass high security OMB-04-04 LoA 4 services we need to be able to leverage strong credentials via the contactless interface
  – Potential to leverage the existing estate of strong credentials such as PIV / CAC cards to access cloud services

• Convergence of all access (Cloud, Logical, Physical) from one credential set

• The market currently lacks protocols (either commercial or via existing standards) which provide for cryptographically stronger, faster and more private contactless communication


Privacy Problem

• Current contactless protocols leak Personally Identifiable Information (PII)

• Current contactless protocols do NOT authenticate that the reader is a genuine party

• Current contactless protocols are not cryptographically strong enough to last the next 20-30 years


The cloud identity assurance trust chain

• Strong identity assurance is based on a strong security anchor (LoA 4)
  – Proof of identity happens based on at least 2 factors:
    – Something you have (keys held in a secure key store – FIPS certified)
    – Something you know (PIN to access the keys)

• Identity transfer into the cloud via federation standards
  – SAML requiring a holder-of-key assertion (need to access the keys – see above)

• Cloud service requires non-repudiation proof of identity – going back to the security anchor
  – Signature of transaction approval or data using the keys

• All via an unknown number of intermediaries and contact and potentially contactless interfaces


The cloud identity assurance trust chain – weakest link

Security is only as strong as the weakest link:

Currently the contactless interface!


What is OPACITY?

Open Protocol for Access Control Identification and Ticketing with privacY

An initiative to allow secure transactions over the air. OPACITY is designed to allow the removal of usage restrictions on contactless transactions. With OPACITY's high-performance security and privacy enhancements, sensitive or privileged information can now be exchanged over the air with assurance.

A protocol suite of standard, open and generic protocols
  – NIST 800-56A compliant (FIPS 140-2 enabled) and NSA Suite B based (ECC, AES, etc.)
  – Constitutes a stable target (20/30 years) in terms of security
  – Covered by an Apache 2.0 license. Provided royalty free


OPACITY protocol technological breakthroughs

2 modes of operation: Forward Secrecy (FS) & Zero Key Management (ZKM)
  – FS: Full privacy; the response emitted by the OPACITY recipient appears as ever-changing, anonymous and random information over the air. The identity of the cardholder is never compromised, with end-to-end protection even after the transaction or the session is completed
  – ZKM: Does not require storage of secret keys in terminals

The protocol includes technological breakthroughs allowing:
  – Full privacy (no open usage of unique identifiers) and no identity leaks
  – Speed and optimizations (persistent binding)
  – Security (Forward Secrecy)
  – Full mutual authentication between credential carrier and terminal
  – Simplicity of integration (one command/one response)
  – Simplicity of the Key Life Cycle management (on-chip key generation, no secret key distribution, fully PKI based)
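An added illustration, not code from the presentation or the OPACITY project, of the over-the-air property the FS mode claims: both sides use fresh ephemeral P-256 keys, so the card's reply is a new random-looking point on every transaction and carries no static identifier, while the 800-56A-style shared secret Z is turned into a session key that both sides agree on. The message layout, the KDF label and the HMAC key confirmation are assumptions of this sketch, not OPACITY's wire format; the static credential and the mutual authentication it supports would travel inside the channel keyed by the derived key.

```python
import hashlib, hmac, secrets

# NIST P-256 domain parameters (FIPS 186-4); curve is y^2 = x^3 - 3x + b mod P
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):
    # Affine point addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    # Double-and-add scalar multiplication (not constant-time; demo only)
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def ephemeral_keypair():
    d = secrets.randbelow(N - 1) + 1          # fresh private scalar per transaction
    return d, _mul(d, G)

def encode(pt):                               # uncompressed SEC1 point: 04 || X || Y
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def session_key(my_priv, peer_pub):
    z = _mul(my_priv, peer_pub)[0].to_bytes(32, "big")   # shared secret Z = x-coordinate
    return hashlib.sha256(b"demo-kdf" + z).digest()      # single-step hash KDF; label assumed

def transaction():
    # One over-the-air exchange; returns (terminal_msg, card_msg, k_terminal, k_card)
    t_priv, t_pub = ephemeral_keypair()
    c_priv, c_pub = ephemeral_keypair()
    terminal_msg = encode(t_pub)                         # terminal -> card
    k_card = session_key(c_priv, t_pub)
    tag = hmac.new(k_card, terminal_msg + encode(c_pub), hashlib.sha256).digest()
    card_msg = encode(c_pub) + tag                       # card -> terminal: no static identifier
    k_terminal = session_key(t_priv, c_pub)
    return terminal_msg, card_msg, k_terminal, k_card
```

Run transaction() twice and compare the two card_msg values: they share no bytes that an eavesdropper could link, yet within each run k_terminal equals k_card.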


Use Cases – what can we do with OPACITY

• Strong authentication to cloud services via trusted terminals (desktops, laptops, tablets, phones and kiosks)
  – Use of secure messaging to provide an end-to-end protected path for identity proofing and cloud service transaction signing

• Strong authentication to desktops, laptops and kiosks for logical access
  – Use of secure messaging to provide an end-to-end protected path for document or transaction decryption and signature using a secure element or a smart card

• Strong authentication to the door or door controller for physical access
  – Return encrypted code in one fast contactless transaction
  – Use of end-to-end secure messaging to transport PIN or biometrics or PACS credential via a contactless communication

• Strong authentication and ticketing for transit applications


Status and where can you find OPACITY

• Standardization:
  – Reviewed by NIST cryptography technology group
    – 800-56A compliance
  – Contributed to ANSI GICS (INCITS B10.12)
  – ISO 24727-6 registered

• Published to SCA http://www.smartcardalliance.org/pages/smart-cards-contributions-opacity

• Reference Implementation and specification (http://Sourceforge.net/projects/opacity):
  – Includes applet code and a SAM integrated within the terminal/client
  – All cryptography is implemented in the FIPS boundary of the SAM reference (as per NIST guidelines), facilitating and accelerating integration


Conclusion

• OPACITY allows for the first time a complete strong end-to-end (credential to cloud) trust chain over contact and contactless interfaces

• OPACITY allows secure contactless transactions without leaking personally identifiable information

• OPACITY is built from PKI cryptography approved for the next 20-30 years

• OPACITY is contributed by ActivIdentity but is open source and free to use. For more information please contact [email protected].

• Enjoy OPACITY to finally secure your sensitive transactions over the air!
