Government Citizen ID using Java Card Platform

Govt. Citizen ID with Java Card(TM) Platform: Emphasis on the role and relevance of Java Card and Sun Identity Management Technologies
Ramesh Nagappan, Security Technologist, ISV-E
[email protected]
http://www.coresecuritypatterns.com/blogs

Upload: ramesh-nagappan
Posted on 18-Nov-2014

TRANSCRIPT

Page 1: Government Citizen ID using Java Card Platform

Govt. Citizen ID with Java Card(TM) Platform
Emphasis on the role and relevance of Java Card and Sun Identity Management Technologies

Ramesh Nagappan
Security Technologist, ISV-E
[email protected]
http://www.coresecuritypatterns.com/blogs

Page 2: Government Citizen ID using Java Card Platform

© Sun Microsystems 2009, Slide 2

Undisputed Market Leader in Multi-Application Smart Cards

• Finance
• Government/Healthcare
• Telecom
• Corporate Loyalty

[Figure: sample U.S. DoD Common Access Card ("Armed Forces of the United States", U.S. Navy / DoD Civilian) showing last name, first name and initial, issue date, expiration date, organization seal, photograph and chip; sample holder "Parker IV, Christopher J.", issued September 30 2001, expires October 1 2001]

Page 3: Government Citizen ID using Java Card Platform

Introduction to Java Card Technology

• A programmable runtime engine for smart cards
  > Open & standards-based
  > Built for multi-application
  > Proven security (enabling on-card PKI/biometrics credentials based physical/logical access control)
• A future-proof platform for smart card based services
  > Dynamic application loading
  > Test-suite enforced interoperability
  > Cryptography and biometrics support
• A reference technology for smart card issuers
  > Market leader in security for Government and Citizen ID
  > Market leader in reliability for wireless, banking, ID
  > Choice of multi-sourcing: obtain cards from multiple vendors

Security and Portability with Reliability as Core Value Proposition

Page 4: Government Citizen ID using Java Card Platform

Java Card Adoption

• 6 Billion Java Card units deployed
  > Variety of form factors: Passports, Contactless, USB Tokens, Smart Cards, SIM Cards, Secure Flash Memory
• Leader in market segments
  > Telecom (de facto for SIM card!)
  > Banking (Payment card)
  > ID (Citizen/Govt/Defence/Intelligence)
  > PayTV (Cable/Dish subscriber card)
  > Transport, Healthcare...

Page 5: Government Citizen ID using Java Card Platform


Java Card vs MULTOS

Page 6: Government Citizen ID using Java Card Platform

Java Card as Cryptographic Token

PKI enabled Smart cards
• A credit card sized computing device acts as a cryptographic token.
  > Contact / Contactless cards
• Allows performing core PKI functions
  > Key generation
  > Public/Private key operations
  > PIN/Biometric authentication
  > Challenge/response authentication
• Supports the use of Public-key infrastructure to verify the identity claim.
  > PKI credential issuance.
  > Credential validation/verification via OCSP, CRLs
• Defends against tampering and hacking.
  > PKI/Private key protection

Standards
• ISO-7816
• Java Card, Multos
• Global Platform
• PC/SC
• FIPS-201/PIV, CAC
• PKCS#11, PKCS#15
• GSM/PCS
• EMV (Europay/Mastercard/Visa)

Using Smart card based PKI as an Authentication Credential
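The slide lists the card-side PKI functions (on-card key generation, PIN verification, private-key operations, challenge/response) without showing what an applet implementing them looks like. The following Java Card 2.2.x applet is an added illustration written for this transcript; it is not code from the slides, from Sun, or from any deployed PIV or citizen-ID applet. The package name, CLA/INS values, default PIN, challenge length and the choice of RSA-1024 are placeholders chosen for the example.

```java
// Added example, not from the slides: a minimal Java Card 2.2.x applet acting as a
// PKI token. Package name, CLA/INS codes, default PIN and key size are placeholders.
package com.example.citizenid;

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.OwnerPIN;
import javacard.security.KeyBuilder;
import javacard.security.KeyPair;
import javacard.security.RSAPublicKey;
import javacard.security.Signature;

public class ChallengeResponseApplet extends Applet {
    private static final byte CLA_DEMO           = (byte) 0x80; // proprietary class byte (placeholder)
    private static final byte INS_VERIFY_PIN     = (byte) 0x20;
    private static final byte INS_GET_MODULUS    = (byte) 0x40;
    private static final byte INS_SIGN_CHALLENGE = (byte) 0x50;

    private static final byte  PIN_TRY_LIMIT = 3;    // card blocks after three wrong PINs
    private static final byte  PIN_MAX_LEN   = 8;
    private static final short CHALLENGE_LEN = 32;   // terminal sends a 32-byte random nonce
    private static final short SIG_LEN       = 128;  // RSA-1024 signature size in bytes

    private final OwnerPIN  pin;
    private final KeyPair   keyPair;   // generated on-card; the private key never leaves the chip
    private final Signature signer;
    private final byte[]    scratch;   // RAM buffer, wiped when the applet is deselected

    private ChallengeResponseApplet() {
        pin = new OwnerPIN(PIN_TRY_LIMIT, PIN_MAX_LEN);
        byte[] initialPin = {'1', '2', '3', '4'};        // placeholder; replaced at personalization
        pin.update(initialPin, (short) 0, (byte) initialPin.length);

        keyPair = new KeyPair(KeyPair.ALG_RSA, KeyBuilder.LENGTH_RSA_1024);
        keyPair.genKeyPair();                             // on-card key generation

        signer  = Signature.getInstance(Signature.ALG_RSA_SHA_PKCS1, false);
        scratch = JCSystem.makeTransientByteArray(SIG_LEN, JCSystem.CLEAR_ON_DESELECT);
        register();
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new ChallengeResponseApplet();
    }

    // PIN state is per session: a new selection always starts unauthenticated.
    public boolean select() { pin.reset(); return true; }
    public void deselect()  { pin.reset(); }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_CLA] != CLA_DEMO) ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
        switch (buf[ISO7816.OFFSET_INS]) {
            case INS_VERIFY_PIN:     verifyPin(apdu);     break;
            case INS_GET_MODULUS:    getModulus(apdu);    break;
            case INS_SIGN_CHALLENGE: signChallenge(apdu); break;
            default: ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }

    // VERIFY: PIN arrives in the command data; OwnerPIN enforces the retry counter.
    private void verifyPin(APDU apdu) {
        byte[] buf = apdu.getBuffer();
        short len = apdu.setIncomingAndReceive();
        if (len < 4 || len > PIN_MAX_LEN) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        if (!pin.check(buf, ISO7816.OFFSET_CDATA, (byte) len)) {
            // ISO 7816-4 status 63Cx: x = tries remaining
            ISOException.throwIt((short) (0x63C0 | pin.getTriesRemaining()));
        }
    }

    // Public modulus so a terminal can verify signatures. In a PIV deployment the
    // terminal reads an X.509 certificate from the card instead and validates it
    // against the issuing PKI (OCSP/CRL), which this example omits.
    private void getModulus(APDU apdu) {
        short n = ((RSAPublicKey) keyPair.getPublic()).getModulus(scratch, (short) 0);
        apdu.setOutgoing();
        apdu.setOutgoingLength(n);
        apdu.sendBytesLong(scratch, (short) 0, n);
    }

    // Sign the terminal's nonce; refused unless the PIN was verified in this session.
    private void signChallenge(APDU apdu) {
        if (!pin.isValidated()) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        byte[] buf = apdu.getBuffer();
        short len = apdu.setIncomingAndReceive();
        if (len != CHALLENGE_LEN) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        signer.init(keyPair.getPrivate(), Signature.MODE_SIGN);
        short sigLen = signer.sign(buf, ISO7816.OFFSET_CDATA, len, scratch, (short) 0);
        apdu.setOutgoing();
        apdu.setOutgoingLength(sigLen);
        apdu.sendBytesLong(scratch, (short) 0, sigLen);
    }
}
```

Two design points matter for a token like this. The signing command only accepts a fixed-length nonce and only after `OwnerPIN.isValidated()` is true, so the authentication key cannot be turned into a general-purpose signing oracle and cannot be used without proof of possession plus the PIN. RSA-1024 is used here only because the slide deck benchmarks RSA1024; a current deployment would generate a longer RSA key or an ECC key, which is a one-line change to the `KeyPair` constructor.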

Page 7: Government Citizen ID using Java Card Platform

Java Card as Biometric Token

Using Smart card based Biometrics as an Authentication Credential

Java Card based Biometric Identity
• Matching to physiological or behavioral characteristics to identify a person.
  > High degree of assurance with proof of presence + proof of possession
  > Fingerprints, facial image/geometry, iris images can be stored on card.
  > Match on-card samples to live human samples.
• Biometric templates can be stored on smart card for personal identification.
  > Fingerprint template is ~200 bytes
  > Iris template is 500 bytes
• Biometric credential must be exchanged in a secure network channel (trusted path)

Standards
• INCITS 378 / CBEFF (Fingerprints)
• INCITS 379 (Iris)
• OASIS BIAS
• BioAPI
• JavaCard BioAPI
• FIPS-201 / PIV

Page 8: Government Citizen ID using Java Card Platform

Managing Govt ID Issuance Life-cycle

Identity Management life-cycle events (diagram):
• Identity Registration
• Identity Enrollment & Adjudication
• Physical & Logical Access Control
• Card/Credential Issuance
• Identity Termination
• Credential Maintenance

Page 9: Government Citizen ID using Java Card Platform

Managing Govt ID Issuance Lifecycle

Smartcard issuance life-cycle using Sun Identity Management Suite

[Diagram elements: Sun IDMS; Demographic Data; Biometrics; PKI; Identity Proofing; Verified Credentials (Smartcard/Biometrics); Logical Access Control; Physical Access Control]

Page 10: Government Citizen ID using Java Card Platform

Sun IDM Authorization Workflow

Workflow stages (diagram):
• Applicant Registration (Biometrics, Breeder Documents)
• Enrollment
• Identity Proofing & Adjudication
• Card Issuance & Activation
• Retirement / Termination
• Physical & Logical Access Provisioning
• Credential Maintenance

Approval/Denial decisions in the diagram are assigned to: Hiring Manager, Enrollment Officer, HR Officer, HR Manager, Enrollment Officer, Hiring Manager.

• Sun IDM manages the authorization workflow and authority approvals and denials.
• Sun IDM facilitates digitally signed approvals using Smart card based credentials verified against a PKI provider.

Page 11: Government Citizen ID using Java Card Platform

Sun Confidential: Sun Employees and Immersion Week 2008 Partner Attendees Only.

Smart card based Credentials - Logical Access Control

Page 12: Government Citizen ID using Java Card Platform

Sun Rays in a Govt eID Environment

Security, Manageability, Reliability, Mobility, Value

Sun Ray supports the use of most eID and CAC/PIV Cards

Page 13: Government Citizen ID using Java Card Platform

Logical Deployment of Sun Rays

Smartcard based authentication: virtual/remote desktop/application environment

[Diagram elements: Firewall; Data Center; Sun Rays; Firewall; tiers: Sun Access Tier, Identity/Auth., ESX Virtualization, Applications]

• Native protocols are used to access apps. No modification of the OS or apps required.
• Each user desktop environment runs on a virtual machine located in the corporate data center. All desktop and application communication remains in the data center.
• The access tier supports standard authentication mechanisms: LDAPv3, Active Directory, NIS, MS Windows Domain.
• The access layer controls the user access and application profiles. It maintains audit logs of user and app usage. It provides the display engine to the user desktop.
• PC & thin client users can securely access their remote desktops & applications from any location using PIV cards.
• Once PIV authenticated, the access tier establishes a display connection to the user device and a protocol connection to the back-end desktop OS and applications.

Callouts: PIV Credential Authentication; Secure remote access from any location; Combine existing authentication and authorization mechanisms using Sun IDMS; Windows XP / 2003 desktop virtualization using Sun Rays and Sun VDI.

Page 14: Government Citizen ID using Java Card Platform

Sun CMT Servers: Wire-speed Security

UltraSPARC T2 offers on-chip cryptographic acceleration for PKI applications

• Sun UltraSPARC T2 offers industry-leading cryptography performance for PIV environments.
  > On-chip crypto threads virtually eliminate large workloads with PKI & cryptography.
  > Out-performs competition on SSL and public-key crypto operations
  > Over 30x greater RSA1024 performance than 2-socket IBM p510
• Supports commonly used ciphers for public-key encryption and secure hashing functions
  > Public-key cryptography (RSA, DSA, Diffie-Hellman, ECC)
  > Bulk encryption (RC4, DES, 3DES, AES)
  > Secure hash (MD5, SHA-1, SHA-256)

Page 15: Government Citizen ID using Java Card Platform


Mandatory Access Control and Security Labels (Solaris TX)

Page 16: Government Citizen ID using Java Card Platform

U.S. Department of Defense

• Military ID and Geneva Convention Card
  > Common credentials for verified identity
  > DoD-wide health benefits ID card
  > Physical access and manifesting
  > Logical access with PKI/digital signature
• Well established security certification platform with numerous cards with FIPS-140 ratings
  > High degree of security and assurance
• Supports additional military branch-specific applications at issuance and post-issuance
• Flexible to support original CAC format, CAC transitional format and PIV format (evolution of requirements)
• Deployment: 3M+ active duty units. Over 12M units to date. Issuing 30K+ units a day at peak war periods

[Figure: sample DoD Common Access Card ("Armed Forces of the United States", U.S. Navy / DoD Civilian) with last name, first name and initial, issue date, expiration date, organization seal, photograph and chip; sample holder "Parker IV, Christopher J.", issued September 30 2001, expires October 1 2001]

Page 17: Government Citizen ID using Java Card Platform

US Federal Employee PIV Card

• Presidential Directive 12 (HSPD-12) mandated a Federal Government-wide smart card ID program.
  > Use of combined PKI and biometric credentials
• Dual interfaces for both physical and logical access
  > Secure contact/contactless access to target resources
• To date, all deployed PIV cards are Java Card
  > Conformance to Java Card 2.2.1
• By 2013 over 12 million PIV cards will have been issued
• The PIV model is being replicated in the US Federal Govt in programs such as Travel Worker Identity Program (TWIC), First Responder ID, Immigration Cards and potentially Driver's Licenses

Page 18: Government Citizen ID using Java Card Platform

Taiwan Healthcare ID

• National health insurance ID card
• Multi-application smart card
  > Identification, medical profile and benefits
  > E-Purse capable
  > Restricted use by other governmental agencies to protect privacy
• Supports open standards and post-issuance of new applications
• 40M Java Cards deployed

Page 19: Government Citizen ID using Java Card Platform

Belgium National ID

• First country in EU to deploy citizen ID card to entire population
• Multi-application Java Card
  > Identification, e-Government services, e-Voting, etc.
  > Filing tax returns, birth certs, civil records
  > Digital certificates: authentication, digital signature (PKCS15 conformance)
  > Commercial applications: e-Banking, e-Ticketing
• Common Criteria EAL 5+ certified
• Deployment: 40+ million Java Cards

Page 20: Government Citizen ID using Java Card Platform

Thailand National ID Card

• National citizen ID card to entire population
  > Multi-application Java Card-based smart card
  > Personal ID, fingerprints, tax, social welfare and social security numbers, agricultural data and healthcare data.
  > Citizens will be able to access eGovernment services at e-government kiosks nationwide and by smart card readers integrated into desktop computers.
• 60M+ Java Cards deployed

Page 21: Government Citizen ID using Java Card Platform

Oman National ID Card

• First country in the Middle East to start deploying a large-scale citizen ID card to the entire population
  > Multi-application Java Card-based smart card
  > Provides positive identification with digital photograph, digital certificates and biometric authentication
  > Plans to add driver's license, emergency medical data and border control applications
• Deployment: 3M+ Java Cards

Page 22: Government Citizen ID using Java Card Platform

United Arab Emirates National ID

• National citizen ID card to entire population
  > Multi-application Java Card-based smart card
  > Positive identification with digital photograph, digital certificates and fingerprint biometric authentication
  > Enabled e-Government services
  > Plans to add driver's license, emergency medical data and border control applications
• Deployment: 4.5+ million Java Cards

Page 23: Government Citizen ID using Java Card Platform

Macau Government ID Card

• Multi-application Java Card-based smart card
  > Identification, border control, e-Government, e-Commerce and public services access
  > Driver's license and e-Purse envisioned in future
• Secure laser engraved Java Cards
  > Facial image, signature, and fingerprint biometrics
  > PKI/Certificates
• GlobalPlatform-compatible card management system

Page 24: Government Citizen ID using Java Card Platform

More... Java Card's Govt ID Successes

• UK NHS and MoD
• Canadian ePassports
• Portugal National ID
• Qatar National ID
• Azerbaijan National ID
• Morocco National ID
• Finland National ID
• Italy National ID
• Queensland Australia Driver's License
• And approximately 20 other countries exploring Java Card

Page 25: Government Citizen ID using Java Card Platform

Thank You!

Ramesh Nagappan
[email protected]
http://www.coresecuritypatterns.com/blogs

Brian Kowal
Head, Java Card Marketing & [email protected]