04/19/01 20:07 John Moore - GSA Page 1
Smart Cards: Technology, Applications and Security Workshop by CACR
Update on Government Smart Cards
7th Information Security Workshop
Smart Cards: Technology, Applications and Security
Centre for Applied Cryptographic Research
Sheraton Reston - Reston VA - April 25, 2001
Presentation by John G Moore
GSA Office of Electronic Government
18th & F St NW
Washington DC
[email protected]
Trends Driving Government Transformation
Government
Internet
Increased outsourcing and privatization
Globalization
Increased public expectations
Performance measurement and accountability
IT skill shortage and aging of workforce
Smart eGov Technologies
The Tech Side of Entrepreneurial Government
“In the Age of Global Positioning (GPS) Without a Map!”
In this age, the role of Government is to identify where progress might be made through Government involvement, and then take the steps necessary for the progress to occur. With regard to Smart Cards, that means Interoperability.
GSA Office of Electronic Government
• The mission of GSA Office of Electronic Government is strategic leadership in identification and deployment of eGov Technologies
• www.ec.fed.gov
Driving Towards eGov
Convergence: Hi Tech Call Centers
eMarketplaces: Buying, selling, auctioning
Smart Cards: ID, Security, Convenience
XML: Content management architecture
Mobile Computing: Wireless e-Business
Policy Setting: Standards and Guidelines
Partnering - Agency/Industry: Agency Pilots, Task Forces and User Groups
Authentication, CA Cross Certification, Digital Signatures
Secure Web, GPEA, E-Sign, A-130, Sect 508, PDD-63
FirstGov, FederalBizOpps, FederalCommons, FedSales
ARNet: Acquisition Reform Network
Intergov Councils, IT Leaders Forums
White Papers / Talks
Business Case Analyses, Best Practices
Bill Holcombe GSA
The Big “Chunks” of Smart eGov Technologies
• The Technology Side of eGov Technologies
– Smart Card, eCert
– Interactive eForms / eTransactions
– Wireless / Mobile
– Seat Management
– Voice and Speech Technologies, Video, Increased Bandwidth
– Increasing re-systematization toward web-based and miniaturized Technology Platforms
• The People Side of eGov Technologies
– Knowledge Management - Distance Learning - Telework / Future - Customer Relationship Management (CRM)
– Distance Learning / Increased Leverage <Implosion Effect - Traffic - Stress>
– Remote Help Desk
– Workforce / Increasing Population / More Diverse / Increasingly Mobile / Larger Remote Technology Training Burden / Talent Bank Shortage Crisis
Smart eGov Technologies
• * Smart Cards
• * ACES – Automated Certificates for Electronic Services
• E-Certs / Digital Signature
• E-Forms
• E-Marketplaces
• GPEA
• PKI
• XML
• Internet
• Enhanced Search Engines
• Format Compatibilizers
• Video Cams
• Parametric Graphic User Interfaces
• Emerging Technologies
• Wireless / Mobile
• Bandwidth and Storage Capacity
• Combined Phone and PDAs
• TV - Video Sequences
• Voice and Speech Technology
• Portable Handheld Scanners
• Channel Convergence
• Data Warehousing
• Business Intelligence
• Aggregation
• Globalization
One reason these technologies are difficult is the degree they penetrate the general population
What Need Does Gov’t Smart Card Fill? What do “Smart” eGov Technologies Do?
• Convenience
– Mobility / Ease of use
– Makes your life simpler
• Functionality
– Actually does something
– Solves a real problem
• Protection of privacy and security
– Protection from hackers and cyber-terrorists
• “Data Cleanliness”
– Keeps your “clean” from questionable data
What is a Smart Card for Gov’t?
A Multi-Application, Multi-Tech Proximity Smart Card
A Hybrid / Composite Card
Authentication Architecture: Digital Photo, Biometrics, Finger Print, Voice Print, Hand Geometry, Iris Scan, Keyboard Dynamics, Digitized Signature, Signature Dynamics, Personal ID, Electronic Signature
Encryption, Compression: Public/Private Key, Digital Signature (DSS), RSA for Off-line, Wireless, Telephony
Hardware/Software Based, Crypto Co-Processor
Uses: Pre-paid Money, Credit, Debit, Authorizations, ID, Certificate
Secure eMail, eForms, Digital signature
Card elements: Mag Stripe on back, Smart Card Chip *, Digital Photo, Barcode
* Proximity / Combi Chip are imminent - combining smart card and radio frequency into one chip
* RF indicates Radio Frequency Chip
Smart Card Applications
• Account Information
• eForms - Contact Information
• Rostering / Email / Internet / eSign
• Physical Access / Authentication / ID
• Logical Access / Crypto / PKI
• Proximity / Transit
• Financial / Payment / Travel / Phone
Card Functionality in GSA
Common Access ID Procurement
• Rostering
• Identification
• Physical Access
• Computer Access
• Digital Signature
• Electronic Purse
• Medical Information
• Biometrics Capability
• Property Management
• Training/Certifications
• Electronic Forms Generation
• Potential Commercial Applets
Government Smart Card Fills Out eForm Does Rostering
• Government Smart Card Architecture contains:
• J8 (Personal Contact Data) – Social Security Number, etc.
• G8 (Veterans Medical Data Elements) – VA G8 Health & Government Service Delivery
• http://www.open.gov.uk/govoline/golintro.htm
• Services interactive eForms Fillforms.gov
• Transactions
• Screen-Scrapers / XML
Interactive eForms
Smart Card Fills Out eForms (cont’d)
• Web-based Form Inventory
– www.fillforms.gov
• Smart Card automatically fills in your personal J8 data into the eForm, can eSign it and submit it electronically
– Name / Address / Organization
– SSN / Acct #s and other Contact Information
• PKI eCert
– Your eligibility for various service and encryption for secure eMail and non-repudiation
Legislative Mandates and Contracts
Related Legislation and GSA Contracts
• Web-based Smart PKI – Card Interoperability
– Public Key Infrastructure Criteria for Limited Competition on Smart Cards between 5 prime vendors and 42 sub-contractors for 2 year window.
• ACES – eCert / Digital Signature
• Government Paperwork Elimination Act GPEA
• E-Signature / Interactive eForms
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• GSA Smart Card Policy Guidelines
• Business Case for PKI on Smart Card
Government Paperwork Elimination Act
What is it?
New legislation passed that requires agencies to provide:
• eForms alternative to paper
• eSignatures to authenticate sender
• eReceipts for acknowledgment
For more information: www.ec.fed.gov/gpea
Purpose of GPEA
GPEA seeks to "preclude agencies or courts from systematically
treating electronic documents and signatures less favorably
than their paper counterparts", so that citizens can interact with the
Federal government electronically. It requires Federal agencies, by
October 21, 2003, to provide individuals or entities that deal
with agencies the option to submit information or transact with
the agency electronically, and to maintain records electronically, when
practicable. GPEA states that electronic records and their related electronic
signatures are not to be denied legal effect, validity, or enforceability merely
because they are in electronic form. It also encourages Federal government
use of a range of electronic signature alternatives.
Government Paperwork Elimination Act (GPEA)
GSA Government Smart Card Contract
Common Access ID Smart Card
• Valued at $1.5 billion
• Is being used by:
– DOD for DOD Common Access ID Smart Card
• Army / Navy / Marine Corps / Air Force / Military Academies
– Veterans Affairs
– Department of State
– FDIC
• Interoperability
– Contract features Smart Card Interoperability - First nation to require vendor smart cards to interoperate
Smart Card Interoperability
• Interoperability definition - Any card / any reader / common application interface to basic card services
• Architecture - Card / Reader / Host / Software
• Physical Access, Authorization, ID Issuance
• Logical Access, Crypto / Public Key Infrastructure (PKI), Basic Services Interface
• Biometric Templates for multiple biometrics
• NIST-supported Conformance Test Suite
Smart Card Interoperability
Fitting the Pieces of SC Interoperability
• Interoperability Components
– PHYS Physical/authentication/ID
– LOGI Logical/Crypto/PKI
– BIOM Biometric Templates
– ARCH Architecture Basic Service Interface & Application Profile Interface
– TEST Conformance Testing
[Diagram: pieces labelled PHYS, LOGI, BIOM, ARCH (API, BSI) and TEST; Agency 1, Agency 2, Agency 3, Agency 4]
Getting agencies to read and process cards from different vendors
Card makes major impact toward E-Gov and E-Commerce with access to buildings, internet, transport, purchases, authorizations, email and e-documents.
Government Smart Card Implementation Initiatives
• Many Agencies
– DOD Common Access Smart Card / Navy ATM @ Sea, Army, Air Force
– Veterans Affairs
– State Department
– Federal Depositors Insurance Corporation (FDIC)
– DC Metro Transit Proximity Card
– Treasury Smart Card Managers Group
• Many Applications / Multi-Application Card
– Common Access ID Smart Card
– DOD Troop Readiness
– Financial “Pay” Card
– Medical
– Transit
– Electronic Benefit Transfer / Public Assistance
WHO GETS A DOD SMART CARD?
• Active duty military
• Selected Reserve/National Guard
• DoD civilian employees
• DoD contractors inside the firewall
(Approximately 4 million people)
Mary Dixon DOD
CHARACTERISTICS OF DOD SMART CARD
• Crypto co-processor (for PKI)
• 16K to 32K (availability/cost)
• ~ $6 per card
• Interoperability Goal: any operating system, any card, any reader
• Compliant with and documented in Joint Technical Architecture (JTA)
Mary Dixon DOD
Willow Wood All-in-one Card
[Figure: Before and After panels; card labels: Government ID, Travel Card, American Airlines Ticketing, Phone Card, Purchase Card]
Bill Holcombe GSA
Willow Wood All-in-one Card
APPLICATIONS
• Travel
• Building access
• Smart purchase
• Personal property
• Phone card
• Boarding pass
• Digital signature
MAJOR PLAYERS
• GSA
• Citibank
• IBM
• Visa
• 3GI
• GTE
• Sandia Labs
Bill Holcombe GSA
Phase 2 for GSA FTS is now underway, other GSA efforts being explored
Where are we now re: “Smart” Technologies in the US?
• Smart Cards / 16K / 32K
• Smart Card Readers
• Certificates / PKI / ACES on or off card
• Software / Infrastructure
• Combi Chips / Proximity nearly ready
• Enhanced capacity and security
• Risk Management
• GSA Contract
• DOD Issuance 2002 ** Starting Now **
US Chip Card Use
• 3 million -- Total North American Chip Cards - 1995
• 100 million -- Total North American Chip Cards - 2000
• Chip Cards In Use - U.S. vs Other Nations
– 65% -- Western Europe
– 17% -- Latin America
– 4% -- U.S.
– 4% -- Asian Rim
– 4% -- Eastern Europe
– 6% -- Rest of World
Federal Smart Card Market Maturity
Many indicators show market readiness
• Number of Chip Cards Increased
• Smart Card Membership Increased
• Price per Card Decreased
• Response Time Reduced
• Memory Capacity from 1 to 32 K
• Legislation encourages interoperability for EBT
– S-1733 and HR 2709
Many of the barriers for US implementation have been removed
Potential Smart Card Market Penetration
All too often when we judge technology introduction, we do not properly take into account the size and complexity.
The full market for smart cards should be taken into account. It must penetrate further than TV
– Several in the pockets of each person
– (97% of the people) times several cards
– The access token of choice
– The digital signature of choice
eGov Project Life Cycle
1. Conceptualize/formulate
2. Identify partners
3. Educate and train
4. Develop plan/strategy
5. Establish governmentwide group
6. Set up portal, develop tools
7. Foster pilots
8. Issue policy
9. Transfer implementation to agencies
10. Monitor implementation of policy
[Figure: PHASES and PROJECTS, on a scale from Less Mature to More Mature. Project labels: eBusiness Arch, GPEA, Privacy Policy, Grants, PKI-Bridge, FedBizOpps, Smart Cards, Portals, Trng&Ed, PKI-ACES eCerts]
Bill Holcombe - GSA
eGov Life Cycle
Time to Market and Expected Impact Targets
[Figure: axis: EGov Life Cycle Dimension - Time to reach the market; plotted labels: Smart Cards, eCerts, EGov Technologies, Mobile]
Impact on US in:
• Number of people influenced
• Number of business & orgn’s
• Number of transactions
• Productivity
• Dollars saved
• Effect on National Economy
How Smart Cards Will Emerge & Some Barriers to Overcome
• Smart Cards and eCert / Digital Signature / PKI will begin to appear as part of large enterprise or Agency applications, such as Departments of Defense, State, Treasury, and Veterans Affairs, but also at the State Government level for Health and Welfare, and be led by Transit and University applications.
• As applications such as standard Extensible Markup Language (XML) eForms become available, Smart Card implementation will accelerate.
• Federal Agency Smart Cards need to contain a Basic Services Interface (BSI) in accordance with the Government Smart Card specification
– This helps put to rest their concern about expensive retrofits, and accelerates deployment.
– Agencies need to get the word to avoid expensive retrofits so that Smart Card applications can flourish.
• Partnership is needed between Government and Business to agree on a practical Smart Card implementation convention and practice to arrive at a meeting place between GOTS and COTS (off-the-shelf software for Government and Commercial).
• Backward and forward compatibility between card, reader and card operating systems is a vital issue.
Websites for Smart E-Gov Technologies
Access America for Seniors http://www.ssa.gov
Access America Online Magazine http://www.accessamerica.gov
CardTech / SecurTech http://www.ctst.com
CHCS II DOD Comb’d Health Care Service http://www.cba.ha.osd.mil/index.htm
Electronic Benefits Transfer http://ec.fed.gov/ebt.htm
Electronic Funds Transfer Association http://www.efta.org
Electronic Privacy Information Center http://www.epic.org
Federal Security Infrastructure PMO http://www.gsa.gov/fsi
Financial Services Technology Consortium http://www.fstc.org
*** FirstGov.gov http://www.FirstGov.gov
Global Chip Card Alliance http://www.chipcard.org
*** GSA Egov / eCom Site http://ec.fed.gov
GSA Office of Governmentwide Policy http://policyworks.gov
GSA Office of Intergovt’l Affairs http://policyworks.gov/org/main/mg/intergov/
*** GSA Smart Card Policy http://www.smart.gov
*** GSA Center-Smart Card Solutions http://smartcard.gsa.gov
*** GSA Access Certificates http://gsa.gov/aces/
International Card Manufacturers Assn http://www.icma.com
International Standards Organization http://www.iso.ch
Java Card Forum http://www.javacardforum.org
NACHA EBT Natl Clearing Houses http://www.nacha.org/ebt
Natl Assn Campus Card Users http://www.naccu.org
Nat'l Auto'd Clearing House Association http://www.nacha.org/ebt
*** Navy Smart Base Project http://www.n4.hq.navy.mil/smartbase/default2.htm
PC/SC Workgroup http://www.smartcardsys.com
Smart Card Forum http://www.smartcrd.com
Smart Card Industry Association http://www.scia.org
'Smart Card' Technology International' http://www.globalsmart.com
US Budget FY 2001 http://w3.access.gpo.gov/usbudget/fy2001/pdf/budget.pdf
*** VA Card Site http://www.va.gov/card
*** VA G8 Health & Govt Service Delivery http://www.open.gov.uk/govoline/golintro.htm
*** VA PKI site http://www.va.gov/vapki.htm
*** VHA Health eVet - Home Page http://www.health-evet.va.gov/
WGA Annual Meeting http://www.westgov.org/wga/annual_meeting.htm
WGA Annual Meeting Agenda http://www.westgov.org/wga/am_hi_agenda.htm
WGA Health Passport http://www.westgov.org/wga/initiatives/hpp/default.htm
WGA Western Governors Association http://www.westgov.org
Contact Information
The 7th CACR Information Security Workshop
“Smart Cards: Technology, Applications and Security”
Wednesday, April 25, 2001
Sheraton Reston Virginia
Hosted by Certicom Corporation, and
Centre for Applied Cryptographic Research
www.cacr.math.uwaterloo.ca
Update on Government Smart Cards
Presentation by John G Moore
GSA Office of Electronic Government
18th & F St NW
Washington DC
[email protected]