Workshop on ID Cards - Carnegie Mellon University
yuan.ecom.cmu.edu/trust/cd/presentations/gemplus id...


CMU - Workshop on ID Cards November 28th, 2001

www.gemplus.com Gemplus © 2001

Your Passport to the Digital Age

27/11/2001 www.gemplus.com

Workshop on ID Cards

Carnegie Mellon University

November 28th, 2001

Gilles Lisimaque

CMU - Workshop on ID Cards 2

The Goals and the Challenges

• Individual Identification
  - Required to prevent somebody from impersonating someone else
  - Required to get information allowing recourse in case of bad behavior
• Transfer of trust
  - We have multiple roles in our lives (citizen, tax payer, employee, driver, church member, etc.) reporting to multiple authorities
• Privacy
  - Is a right which needs to be protected, but the solution varies widely depending on the culture
  - Europe: personal information belongs by law to the private person
  - US: personal private information belongs by fact to whoever collects it
• Security
  - Consists of three elements: Prevention, Detection, Reaction
  - Risk management is required to balance costs and convenience


CMU - Workshop on ID Cards 3

The Weakest Link

Security of a system is as high as its least secure link

The American people should not be fooled: a "traveler's ID" is not an effective way of protecting against terrorism. Someone planning a terrorist attack would get one if, like Timothy McVeigh or most of the September 11 hijackers, there are no red flags in their record. Even when there are, the cards are still only as good as the documents and procedures used to decide who should get one. It remains extremely easy in this country to steal another person's identity.

Statement of Barry Steinhardt, Associate Director, American Civil Liberties Union - Thursday, November 8, 2001

CMU - Workshop on ID Cards 4

Biometric is not Mind reading

"There is no sign that biometrics will be a be-all end-all, Fingerprints will play a role in identifying someone and enrolling them in the system. To my knowledge, none of the Sept. 11 terrorists were in the FBI's database."

Michael Kirkpatrick, assistant director in charge of the FBI's Criminal Justice Information Service Division.


CMU - Workshop on ID Cards 5

Checking an ID or a behavior ?

“… Two of the hijackers managed to board planes on Sept. 11 despite having been on a government watch list. The two hijackers whose addresses aroused Visa's suspicion had to pay cash for their plane tickets after their credit cards were rejected.”

New York Times, 11/20/01 “For Air Safety, an E-ZPass Using Retinas”

By JOHN TIERNEY

CMU - Workshop on ID Cards 6

Technology requirements for ID’s

Three technologies are of help regarding ID’s

• PKI: transfer of trust (or proof)
  - Refers to the authority which verified the identity claim of a given individual in a given role (citizen, driver, gun owner, resident alien, tax payer, etc.)
• Biometrics: who we are
  - Unique individual reference
  - Used to verify that another identity has not already been claimed by the same individual
  - Used to verify that the physical person now claiming a given role (or identity) is the same person initially checked by the trusted authority
• Tokens (or Cards): the tamper-resistant proof of the “role” we claim to be in, at a given time, anywhere, to nearly anybody
  - Allows us to show the proof of the “role” we play when we need to interact with an unknown person or entity, on a network, or in real life


CMU - Workshop on ID Cards 7

An ID is as good as what it proves

• Applying for an ID in a given “role” by the person
• Verification done by an authority
  - For the person’s true identity (e.g. not already enrolled)
  - If the “role” the person is applying for is legitimate
• Certification by the Authority
  - Delivery of the proof of role/ID signed by the authority
• Storage of the “proof” by the user
  - On paper, plastic or better, on a digital media

CMU - Workshop on ID Cards 8

Registration & Issuance: 4 Models

• Credit Card model: remote registration, remote card issuance
  - Phone, mail or log in, register
  - Receive card in mail
  - Bank Cards, Health Care Cards
• Will Call model: remote registration, on-site card issuance
  - Phone, mail or log in, register
  - Walk in, bring credentials, pick up card
  - Not used for ID’s
• Driver’s License model: on-site registration, on-site card issuance
  - Walk in, register
  - Receive card, leave
  - Driver’s Licenses, Military IDs, Student IDs
• Passport model: on-site registration, remote card issuance
  - Walk in, register
  - Receive card in mail
  - Passports


CMU - Workshop on ID Cards 9

The Card Technology Challenges

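• Smart Card
  - Memory size: 32K to 64K bytes today
  - Security: High, in card
  - Privacy: Yes, by card
  - Upgradable: Yes, update
  - Card cost: Medium to High
  - Reader cost: Low to Medium
• Optical
  - Memory size: Very high (Mbytes)
  - Security: Medium
  - Privacy: In terminal
  - Upgradable: Data added
  - Card cost: High
  - Reader cost: Very high
• Bar Code
  - Memory size: Low to Medium
  - Security: Low to Medium
  - Privacy: In terminal
  - Upgradable: No, card replace
  - Card cost: Low
  - Reader cost: Low if no PKI
• Mag-stripe
  - Memory size: Low for bank cards
  - Security: Low to Medium
  - Privacy: In terminal
  - Upgradable: No, card replace
  - Card cost: Low
  - Reader cost: Low if no PKI
• Plastic
  - Memory size: Quite low
  - Security: Low
  - Privacy: None
  - Upgradable: No, card replace
  - Card cost: Very Low
  - Reader cost: None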

CMU - Workshop on ID Cards 10

Three Technologies Working Together

• Secure Storage
• Portable
• Personalized
• Privacy
• Processing
  - Crypto
  - Matching
• Low-cost infrastructure
• Transactions world

• Personal: you
• Present
• Difficult to forge
• Convenience
• Solves multi-pins problem
• Hard to steal

• Public Notary
• Digital information
• Usable on networks


CMU - Workshop on ID Cards 11

Two Are not Enough

Requires Central Data base

Requires Trusted Terminals

Weak User-to-Card Authentication

PIN and multi-PINs issues

Lack of Key Management

Weak User-To-Remote Site Authentication

It may only take 2 to tango, but 3 legs are required to create a stable platform

CMU - Workshop on ID Cards 12

Convergence Challenges

• Policy Challenges
  - Security
  - Privacy
  - Liability
  - Ownership
    - Card, Keys, Credentials
• Acceptance Challenges
  - Trust
  - Affordability
  - Convenience
  - Management
    - Card, Keys, Credentials
• Technology Challenges
  - Architecture
    - COTS Solutions
  - Standards
  - Accommodating the Physical World
  - Interoperability
  - Planning for change


CMU - Workshop on ID Cards 13

Baby Steps toward a Solution

• The Driving License standard being developed by NCITS B10.8 gives an idea of the data to manage
  - Example: Name, Address, Driving license #, expiration date, delivering authority, color picture, weight, height, sex, date of birth, etc.
• An ID system starts by storing a piece of digital information signed by the delivering authority
  - Magnetic stripe
  - Optical track
  - Multi-dimensional bar code
  - Smart card

• Personal Information: Name, DoB, Address, etc.
• Personal identification: Picture, weight, Fingerprint, etc.
• Authority’s signature: Digital certificate
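An added example (not from the original slides) of the signed data file described above: the authority authenticates the record at issuance and a terminal rejects any modified field before trusting the expiry date. It uses HMAC-SHA256 from the Python standard library as a stand-in for the authority's public-key signature, so here the terminal shares the key; the key, field names and sample record are constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key standing in for the delivering authority's signing key.
AUTHORITY_KEY = b"constructed-demo-key"

# Constructed sample record using the kinds of fields listed on the slide.
SAMPLE_RECORD = {
    "name": "Alex Example",
    "address": "1 Sample Street, Springfield",
    "license_no": "D0000000",
    "expires": "2005-11-28",
    "authority": "Example DMV",
    "date_of_birth": "1970-01-01",
}


def canonical(record: dict) -> bytes:
    """Serialize deterministically so issuer and terminal authenticate the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue(record: dict, key: bytes = AUTHORITY_KEY) -> dict:
    """Authority side: build the data file that is written to the card."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": dict(record), "tag": tag}


def verify(card_file: dict, today: date, key: bytes = AUTHORITY_KEY) -> str:
    """Terminal side: return 'ok', 'tampered' or 'expired'."""
    expected = hmac.new(key, canonical(card_file["record"]), hashlib.sha256).hexdigest()
    # Integrity first: no field, including the expiry date, is trusted before this passes.
    if not hmac.compare_digest(expected, str(card_file.get("tag", ""))):
        return "tampered"
    if date.fromisoformat(card_file["record"]["expires"]) < today:
        return "expired"
    return "ok"
```

With a public-key signature in place of the HMAC, terminals would hold only the authority's certificate and could verify cards without being able to issue them.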

CMU - Workshop on ID Cards 14

Going Step by Step is easier

• Smart Card technology makes it possible to deploy electronic readers able to work with all types of smart cards
• Germany decided in 1994 to deploy 80 million Health Insurance cards.
  - They started with simple integrated circuit memory cards (one simple data file per smart card with a user PIN)
  - They deployed smart card readers able to read all other smart cards (same hardware), with simple software to start with
  - The same readers can now accommodate sophisticated multi-application smart cards able to process Public Keys


CMU - Workshop on ID Cards 15

Smart Card levels of sophistication

Start simple, but keep the ultimate goal in mind!

[Figure: four options, security levels 0 to 3 (less to more). Architectural elements: Data File - Personal Identification; Multi-application Privacy protection; Biometric Matching on card. Each is done by the network or the card.]

CMU - Workshop on ID Cards 16

Card levels of sophistication
Level Zero: No Card

• Identification on paper (or plastic IDs)
• Centralized DB
• Need for attended terminals
• Issue of counterfeited documents
• Documents hard to modify (e.g. address)
• Very hard to use digital certificates on the ID
• Document cannot be used by user on Internet
• Privacy concerns
  - The user has no control on who is accessing his information and what is stored in the back end


CMU - Workshop on ID Cards 17

Card levels of sophistication
Level One: On Card Digital Storage

• Personal Information is digitally signed
  - Protected from unauthorized modifications
  - Allows update of the information with the proper credentials
• Enhanced individual privacy
  - Card holds all required identity information
  - No need for central Data Base


CMU - Workshop on ID Cards 18

Card levels of sophistication
Level 2: Multi-Application Card

• Personal Information (PI) is digitally stored, signed and ciphered with application session keys (allows the card to be used over open networks)
• Protected from:
  - unauthorized modifications
  - unauthorized access
• Allows update of the information in the card (including security keys) with the proper credentials for each application domain
• Enhanced individual privacy
  - Card holds all required Personal information for all applications in separate domains
  - No need for access to a central Data Base for PI
  - Card authenticates its user (PIN or Password)
• Example of implementation today: Department of Defense - Common Access Card


CMU - Workshop on ID Cards 19

Card levels of sophistication
Level 3: Multi-Application & Biometry

• Same advantages as Level 2, plus:
  - Card authenticates its true user (biometrics)
• Personal Information is digitally stored, signed and ciphered with application session keys (allows use over open networks)
• Protected from:
  - unauthorized modifications
  - unauthorized access
• Allows update of the information & keys with the proper credentials for each application domain
• Enhanced individual privacy
  - Card holds all required Personal Information for all applications in separate domains
  - No need for access to a central Data Base
  - Biometric information never leaves the card
• Terminals are simpler and less “security involved”


CMU - Workshop on ID Cards 20

101 on Biometric Verification

[Diagram of a Biometric Terminal and a Biometric Smart Card. Labels: Biometric Capture, image, Biometric Processing, Processing Parameters, “Livescan” Biometric Template, X.509 BIO certificate Storage, X.509 Parsing & Verification, “Stored” Biometric Template, Matching Parameters, Biometric Matching, Matching Score.]


CMU - Workshop on ID Cards 21

Biometric Verification Architecture

Start simple, but keep the ultimate goal in mind!

[Figure: four options, security levels 0 to 3 (less to more). Architectural elements: Biometric Storage, Biometric Matching, Biometric Capture. Each is done by the terminal or the card.]

CMU - Workshop on ID Cards 22

Level Zero : No Smart Card


• Biometric templates stored in database
  - Centralized DB
  - Replicated Local DBs
• Subject to attacks
• Privacy concerns
• Infrastructure issues


CMU - Workshop on ID Cards 23

Level One: On Card Storage


• Biometric template stored on smart card
• Protected from:
  - Modification
  - Unauthorized read
  - Replay attacks
  - Repeated attempts
• Enhanced individual privacy
  - Card holds all required identity information
  - No need for Data Base
  - No private information needs to be given to third parties

CMU - Workshop on ID Cards 24

Level 2 : On Card Matching


• Biometric template matching performed by smart card
• All benefits of on card storage, plus:
• Further enhances security and individual privacy
  - Card directly authenticates cardholder
  - Stored biometric data never leaves card
  - Eliminates need for secure session with biometric matching device (reducing cost)
• Previous Implementations:
  - 1987: Dynamic hand signature, France
  - 1995: Hand geometry for access control, USA
  - 1996: Voice recognition, Europe
  - 2000: Fingerprint matching, USA/France
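An added example (not part of the original slides) simulating on card matching: the card offers no command to read the stored template, only an accept/reject decision leaves it, and a retry counter limits repeated attempts. The Hamming-distance matcher, the threshold, the retry limit and the sample template are assumptions chosen for illustration, not a real biometric algorithm.

```python
class CardBlocked(Exception):
    """Raised once the retry counter is exhausted; the issuer must unblock the card."""


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bits(data: bytes, positions) -> bytes:
    """Build a constructed livescan sample by flipping the given bit positions."""
    out = bytearray(data)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)


# Constructed 256-bit reference template (placeholder data, not a real biometric).
ENROLLED = bytes(range(32))


class MatchOnCard:
    """Simulated card: holds the reference template and exposes only verify()."""

    def __init__(self, template: bytes, max_distance: int = 8, max_tries: int = 3):
        self.__template = bytes(template)  # name-mangled; no read accessor is offered
        self.__max_distance = max_distance
        self.__max_tries = max_tries
        self.__tries_left = max_tries

    @property
    def tries_left(self) -> int:
        return self.__tries_left

    def verify(self, livescan: bytes) -> bool:
        """Return only accept/reject; the matching score stays inside the card."""
        if self.__tries_left == 0:
            raise CardBlocked("retry counter exhausted")
        # Spend the attempt before comparing, so an interrupted comparison still costs a try.
        self.__tries_left -= 1
        if len(livescan) != len(self.__template):
            return False
        accepted = hamming(livescan, self.__template) <= self.__max_distance
        if accepted:
            self.__tries_left = self.__max_tries  # a successful match resets the counter
        return accepted
```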


CMU - Workshop on ID Cards 25

Option 3: On Card Capture

• Biometric capture performed by smart card
• All benefits of on card storage & matching, plus:
• Ultimate architecture
  - Biometric presented directly to card
  - Card directly authenticates cardholder
  - Biometric never leaves card


Grade A+

CMU - Workshop on ID Cards 26

Architecture Choice for Private Keys

[Figure: four options, security levels 0 to 3 (less to more). Architectural elements: Key Storage, Algorithm Calculation, Key Generation. Each is done by the terminal or the card.]

A smart card architecture makes it possible to start simple (rely on the terminal) and increase the level of security when the infrastructure is in place


CMU - Workshop on ID Cards 27

Accommodating the Physical World

• FAR > 0
• FRR > 0

• Tamper resistant, not tamper proof
• Lost or stolen
• Mechanical failures

• Requires significant computational power
• Component failures

Each Technology has Limitations

As good as the Issuance system

CMU - Workshop on ID Cards 28

The Convergence Challenge

• Architecture
• Accommodating the Physical World
• Affordability
• Trust
• Liability
• Privacy
• Standards
• Interoperability

The acceptable solution(s) will be a compromise of competing priorities


CMU - Workshop on ID Cards 29

Smart Card Taxonomy

[Tree diagram. Card: Plastic Card or Chip Card. Chip Card: Memory or Microprocessor. Interface labels: Contactless; Contact, Twin, Combi. Secret Key platforms: Proprietary (MPEMV), Open (JavaCard, Multos). Public Key platforms: Proprietary (GPK, GemSAFE), Open (JavaCard PK, Multos).]

Smart Card may mean either
1. Integrated Circuit Card, or
2. Microprocessor Card

Decision Points
• Chip?
• Processor?
• Interface(s):
• Cryptography:
• Platform:
• Memory: 8K, 16K, 32K, 64K, …

CMU - Workshop on ID Cards 30

Trends in Smart Cards

• Move to open platforms supporting PKI
  - Government
  - Banking
  - Healthcare
  - Mobile Phones (GSM)
• Intent to deploy multiple applications
• Demand for more memory (EEPROM or Flash)
  - 16 K, 32 K, 64K bytes …
• Plans for post issuance (i.e. to deploy or upgrade applets in the field.)

Card               Size    PK   COS
JavaCard
GemXpresso Lite    ~14K         Java
GemXpresso211      ~23K         Java
GemXpresso211pk    ~19K         Java
GemExpressoPro     ~64K         Java
Legacy Cards
MPEMV 8K           8K           Prop.
MPEMV16K           16K          Prop.
GPK8000            8K           Prop.
GPK16000           16K          Prop.


CMU - Workshop on ID Cards 31

Smart Card Readers

• Contact Readers
  - GemPC 400 - PCMCIA Reader
  - GemPC 410 - Serial Port Reader
  - GemPC 410-SL - Serial Reader (Slim Line)
  - GemPC 430 - USB Port Reader
  - GemPC-Touch 430 - USB Fingerprint Reader
  - GemPC-Touch 440 - Fingerprint Reader
• Contactless Readers
  - GemEasyAccess608 - ISO 14443 Card Reader

[Pictures: GemPC 410, GemPC 430, GemPC 400, GemPC-Touch, GemPC 410-SL]

CMU - Workshop on ID Cards 32

Smart Cards are used as IDs ….

• Military or Student Multi-Application ID Cards
  - United States
  - Peru
  - Europe
  - Asia
• Immigration Clearance and Residency Cards
  - Asia
  - Colombia
  - Mexico
• Driver’s Licenses
  - Argentina
  - El Salvador


CMU - Workshop on ID Cards 33

Baby Steps for cards

• Single data file in a card, digitally signed by an authority (one role per card)
• Multiple data sets in a single card signed by multiple authorities (multiple roles per card)
• Smart Card with Public Key microprocessor able to:
  - Check the credential of the requestor (protects privacy)
  - Update application security keys without re-issuing new cards
• Smart Card with biometric matching on board (maximum security and privacy)

CMU - Workshop on ID Cards 34

Baby Steps for Biometry

Digital picture stored in the card, signed by an authority

Biometric template stored in the card (e.g. fingerprint or hand geometry) and digitally signed

Biometric template matched in the card (protect against bogus terminals)

Biometry captured and matched by the card


CMU - Workshop on ID Cards 35

Baby Steps on Public Key Infrastructure

Passive signature (CVV on bank cards) on all information stored on an ID card (prevents data tampering)

Multiple PK authorities and certificates for interchange

Change of security keys every so often with smart cards

Risk management and verification levels based on requestor’s credential

Personal Private Information protected by the user’s card with a trusted Public Key for data escrowing

CMU - Workshop on ID Cards 36

Shooting for the Stars ?

[Figure labels: Card, Public Key Infrastructure, Biometry, Identification, Certification, Goal, Smart Card]

The foundation of a Secure ID is the Issuance System


CMU - Workshop on ID Cards 37

Security and Risk Management

Using an active intelligent device makes it possible to manage some of the risk depending on the context

Examples of Risk management rules for travel:
• If the ID card has not been checked for the last month, the card will ask the terminal to go online for tighter controls
• If the picture stored in the card is too old, ask for another means of identification (in case visual display is used)
• If the ticket is one way and the home address in the card is not in line with the ticket destination, ask more questions
• Etc.

CMU - Workshop on ID Cards 38

Security is an attitude, not a status

Whatever is secure today might not be tomorrow

100% security cannot be achieved

High Security is not a friend of convenience

When a security level is breached it is important to:
  - Have detection mechanisms
  - Have a reaction plan
  - Upgrade the system

A Smart Card is the only active security ID card able to adapt to the future