Smart Card Forum, May 21st, 2009
New trends in smart-cards technology
Reference, date
Agenda
Biometrics on Computers
Gemalto introduction
Smart Card, Biometrics and Convenience
Computer Authentication Solutions
Making people’s everyday interactions with the digital world secure and easy
Gemalto provides end-to-end solutions for digital security, from the development of software applications, through the design and production of secure personal devices such as smart cards, e-passports and secure tokens, to the deployment of managed services for our customers.
Introducing Gemalto
Key figures:
€ 1.7 billion revenue 2008
Innovation investment: 10 R&D sites worldwide, 1,300 engineers
Global footprint: 19 production sites, 31 personalization centers, 85 sales & marketing offices
Experienced team: 10,000 employees, 90 nationalities, 40 countries
World Leader:
• World’s #1 for SIM (2)
• World’s #1 for chip payment cards (3)
• World’s #1 reference for e-passports (4)
• World’s #1 install-base of over-the-air (OTA) platforms for GSM networks (5)
• Pioneer and patent holder of high-speed SIM for mobile Internet, multimedia and mobile contactless applications
• Pioneer of the .NET card, the first Microsoft Vista compatible smart card solution
Source: (1) Gartner 2006; (2) Frost & Sullivan 2006; (3) The Nilson Report 2007; (4) Keesing Journal of Identity 2007; (5) Gemalto 2007
Gemalto's worldwide presence
Computer Authentication Solutions
There are many ways to authenticate to a computer:
Username/Password
Tokens storing credentials
Tokens storing digital certificates
Biometrics unlocking credentials or digital certificates stored on PC
Dynamic passwords (OTP), challenge & response
... to name a few
Multifactor is recognised as necessary
Something you know, something you are, something you own
Simplicity is key
Complex solutions lead users to look for shortcuts!
Strong link to users is necessary
Avoid credential passing/borrowing
Enables non-repudiation
The need for strong authentication
High profile cases
UK aide to Gordon Brown gets BlackBerry stolen
– http://www.timesonline.co.uk/tol/news/politics/article4364353.ece
– “Downing Street BlackBerrys are password-protected but security officials said most are not encrypted”
FBI loses 3-4 laptops a month (2007)
– AP, http://www.msnbc.msn.com/id/17115660/
– “Perhaps most troubling, the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information”
Regulatory compliance
Non repudiation
Strong Authentication is an enabler
High mobility
Home office
Trust management
Real Strong authentication is mutual!
Not only user to computer/network, but also the other way around
Strong Authentication on computers
What is “Strong Authentication”?
Multifactor
Mutual
Secure
Digital certificates on smart cards/tokens enable all three
Only solution today
Remaining issues
Strong but not absolute binding with user (lending of smart card)
Potential day to day issues
– Lost cards
– Blocked cards
Enter biometrics
Enables 3rd factor if needed
Makes it more convenient!
Boosts user adoption
Biometrics and Identity
“Any distinguishing element of a physical person/entity that can be considered as unique”
Remains constant over time – mostly
Public – most of the time
Difficult to revoke
Sensitive – cultural bias
→ Needs to be considered carefully before using!
Principle of Psychological Acceptability: a security mechanism should not make accessing a resource, or taking some action, more difficult than it would be if the security mechanism were not present.
What type of biometrics?
Linked to
User acceptance
Technology maturity
Performance
Fingerprint recognition is the only prevalent type of biometrics
on regular computers
Does not mean other types won't catch up quickly!
Swipe readers are now common
Source: JF Mainguet
Fingerprint authentication
Good maturity – standards and evaluation campaigns
Large-scale deployments – National ID schemes
Good user acceptance
Can be achieved in “Match On Card” mode
Performance is a tradeoff between:
Quality (FAR, false acceptance rate) – Typical figures are well below 0.001%
Convenience (FRR, false rejection rate) – Typical figures are below 2%
Accessibility (FTE, failure to enroll) – Below 1%
Biometrics on computers
Almost all corporate notebook brands embed a fingerprint
reader either as option or standard
Mostly swipe readers, varying quality
Surface readers emerging
Government standards (FIPS201) as driver
61 Million fingerprint readers to be shipped in 2009
Cumulative 300 Million to date
(F&S WW Silicon Chip fingerprint market, 2007)
Biometrics and regulations
The use of biometrics needs to take local regulations into account
CNIL in France
European data privacy directives (data protection working party Art 29)
UK Data Protection Act
Regulations mostly require
Justification of means
Appropriate protection of biometric data
Biometric Technologies: Reliability vs Convenience
Chart (image not recovered): biometric technologies positioned by reliability against user friendliness, grouped into behavioral and physiological types. Technologies plotted: face, signature, gait, keystroke, fingerprint, hand, iris/retina, voice.
Fingerprint Recognition
Strengths
Long experience
Good user acceptance
Good reliability
Easy to use
Weaknesses
Criminality-related image
Leaves traces (latent prints)
Merging Biometrics & Smart Card
Mutual & Strong authentication
Using X509 certificates
Portable device
Personal, linked to user, “regulator friendly”
Biometrics establish a strong link to user
Multifactor security
Convenience
User adoption
Evolutivity
Can adapt to rapidly evolving technology
Existing implementations
Standalone Match On Card not linked to certificates
– Used with ad hoc software
– Standalone 3rd authentication factor
– Can be used for identification purposes
Standalone Match On Card protecting PIN code and credential storage
– Enables biometric-protected credential storage
– Enables biometric-protected PKI certificate usage by PIN replay
Match Off Card with fingerprints stored on card
– Compatible with every existing PKI smart card
– “Regulator-friendly”
– Enables both credential storage & PKI cert usage by PIN replay
PKI Smart card accepting PIN and/or Match On Card
– Most secure implementation
– Enables card-enforced authentication policy (2 to 3 factor)
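An added illustration of the last implementation, written for this page and not taken from Gemalto or any real card: a Python model of a PKI card that holds the fingerprint template, keeps its own retry counters for PIN and biometric, and releases its private key only when the policy it was personalised with (PIN or biometric = 2 factors, PIN and biometric = 3 factors) is satisfied. The minutiae sets, the match threshold and the retry limit of 3 are constructed; the contrast with the PIN-replay pattern is noted in the comments.

```python
import hmac
from dataclasses import dataclass, field

# Constructed minutiae sets, (x, y, angle) triples. Real ISO 19794-2 records
# carry far more, but this is enough to show the on-card matching decision.
ENROLLED = frozenset({(10, 20, 90), (35, 40, 45), (52, 18, 135), (70, 66, 0),
                      (22, 75, 180), (88, 30, 270), (60, 90, 315), (15, 55, 225)})
GENUINE = (ENROLLED - {(88, 30, 270)}) | {(89, 31, 270)}   # one minutia displaced
IMPOSTOR = frozenset({(5, 5, 0), (35, 40, 45), (99, 99, 90), (50, 50, 180),
                      (70, 66, 0), (1, 80, 270), (40, 10, 315), (60, 60, 45)})

@dataclass
class PkiCard:
    """Card-enforced policy: the card, not host middleware, decides when the
    private key is usable. With PIN replay the host would match and then send a
    stored PIN; here the template and the decision never leave the card."""
    pin: str
    policy: str = "pin_and_bio"   # or "pin_or_bio"
    template: frozenset = ENROLLED
    match_threshold: int = 6      # coinciding minutiae needed for a match (constructed)
    pin_tries_left: int = 3       # retry counters: the countermeasure that makes
    bio_tries_left: int = 3       # exhaustive PIN guessing impractical on a card
    verified: set = field(default_factory=set)

    def verify_pin(self, candidate: str) -> bool:
        if self.pin_tries_left == 0:
            return False          # blocked card; only an unblock (PUK) flow helps
        if hmac.compare_digest(candidate, self.pin):
            self.pin_tries_left = 3
            self.verified.add("pin")
            return True
        self.pin_tries_left -= 1
        return False

    def match_on_card(self, sample: frozenset) -> bool:
        if self.bio_tries_left == 0:
            return False
        if len(sample & self.template) >= self.match_threshold:
            self.bio_tries_left = 3
            self.verified.add("bio")
            return True
        self.bio_tries_left -= 1
        return False

    def may_sign(self) -> bool:
        """The check the card makes before using the PKI private key."""
        if self.policy == "pin_and_bio":
            return {"pin", "bio"} <= self.verified
        return bool(self.verified)    # pin_or_bio: either verification suffices
```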
Current limitations and way forward
OS architecture can lead to limitations
MS Crypto API was not written for anything other than PIN codes
Even though there are openings in future Windows versions
Practical workarounds are available
PKCS#11 API has better native support for biometrics
Wrappers for ill-behaving applications are possible
Most important limitation
A lot of software assumes the use of a PIN code for smart cards
Practical approach
Test and validation!
Screenshots (images not recovered): authentication dialogs for PIN Authentication, Biometric Authentication and PIN or Fingerprint Authentication (“Please swipe your finger OR enter your PIN”), with finger selection and OK/Cancel buttons.
Why Smart Card with Biometrics?
Provides «Something you have» to the authentication scheme, & smart card PIN code provides «something you know»
Provides privacy
No centralized database
You carry your own biometric template
Provides trust between Authority & End User
Mutual authentication
Provides simplification of operations
One to one matching
Process : Template Extraction & Storage
Process : Matching
Pin vs Bio
PinCode                                           Biometrics
Secret                                            Public
Modifiable                                        Fixed (Template)
Delegation                                        No delegation
Exhaustive attacks                                Not possible
Perso (personalization) very easy                 Very difficult
Match very simple                                 Match not trivial
Very efficient counter measures                   Not yet
(for example against physical & logical attacks)
Conclusion: Smart Cards / Biometrics?
Smart-Card + PIN & Biometrics have to be considered as complementary technologies.
Smart cards & pin-code need Biometrics
Card holder authentication
Non repudiable transaction
Biometrics need Smart cards & pin-code
Privacy
Large volume opportunity
Simplification: One to One matching
The ultimate solution:
Smart card & Pin-code + Biometrics + PKI
THANK YOU