Identity and Security: Perspectives and Applications
Crypto’puces - Porquerolles, 18 April 2007
Olivier [email protected]
CryptoPuces 2007 2
Smartcard Markets (Eurosmart)
At the crossroads of various markets:
Mobile telephony
Payments
Identity and Access Management
Boundaries are fluctuating
New form factors
New services
Pervasiveness of the technology
Ever-increasing fraud on traditional ID documents… combined with new (or old) security threats… are threatening our identity(ies)
Equipment now available for producing fake ID papers
A large number of non-secure ID documents
Fake passports: a serious threat
With an increase in numbers of ID documents, it’s harder to pick out the fakes
On the Internet, nobody knows you’re a dog… (New Yorker, July 1993)
Fourteen years later, the problem still exists
In fact it has become even more complex with:
– Password snooping
– Man-in-the-middle
– Keyboard loggers
– Spoofing
– Phishing attacks
– Pharming
– Trojans
A common problem to solve
Providing an individual with a recognized credential that is:
– The result of a trusted process to confirm identity
– Effective and efficient at proving identity in person or over a network
Identification: 1 to many
Authentication: 1 to 1
Multiple methods and form factors
Physical devices
– Paper and plastic with photo ID
– Paper and plastic with bar-code, mag-stripe, optical-stripe
– Paper and plastic with chip: contact, contactless
– Paper and plastic with biometrics
– USB keys, unconnected and connected
– Any combination of those
Software
– Password
– Dynamic password
– Symmetric encryption
– PKI
– Biometrics
And combination of all these
1, 2 or 3 factors
Authentication methods: Cost/Risk/Benefit Analysis
[Figure: increased cost (€) plotted against increased need for authentication assurance]
Assurance levels shown: Very High, High, Medium, Moderate, Low
Examples shown: Employee screening for a high-risk job; Getting an official ID; Applying for a loan online; Access to protected website; Surfing the Internet
Advantages of smartcard technologies
Very high security
– Card body security features
– Hardware & software protection
Interactive & cost-effective
– Store, update, delete, add and compute data
– Enables on-line identification and digital signature
– Enables off-line authentication and operations
– Best quality/reliability to cost ratio
Bridges physical and digital world
– “Traditional” visual and secret security printed features
– “New” on-line digital ID and eServices
Durable and flexible
– Multi-applications and post-issuance capabilities
– High durability material and technologies
Protects citizens’ privacy
– Users have full control of their data
– Access to certain data for certain authenticated applications
Convenient and easy to use
– Well-known and broadly accepted format
– Mixing of contact and contactless usages
ID & Security Segmentation/Applications
Internal ID & Security
Employee ID
Enterprise Security
– Physical access control
– Logical access control
– Combined (physical & logical)
– Combined + corporate services
Government ID
BtoB ID & Security
Enterprise ID
Gov to Citizens ID & Security
Citizen ID
Identrus; Government on-line secured services (e.g. TeleTVA); General BtoB
National ID; HealthCare; Passport & Visa; Driver’s licence; Car registration; Weapon permits; e-Government secured services (Authentication & Digital Signatures)
Internet Services Security
BtoC ID & Security
Consumer ID
Secure access to portals; On-line secure banking; ISPs access; E-commerce
Governments are issuing secured documents with smartcard-based technologies
Travel Documents: Passport, Visa
– Secure border control and traveling
– Control immigration
ID: National ID, Driving License, Registration Certificate
– Reduce ID theft & fraud
– Enable eGovernment services
– Improve road safety and fine collection
Healthcare: Health Insurance Card, Health Professional Card
– Secure and efficient distribution of health welfare
– Prescriptions, emergency medical data, shared medical file…
Deployments are well underway
ePassport: 30+ countries in 2007
– ICAO standard finalized since 2004
– 26 VWP and more to adopt ePassports
– EU to adopt EAC-secured biometry in 09
ID pushed by legislation & standards
– Over 15 countries have adopted a Nat eID (WW: Ecuador, Sweden, S. Arabia, China…)
– Standard initiatives on National eID (Europe (ECC), Gulf Cooperation Council…)
– Legislation (EU, US, Japan…) and standards (ISO) on eDL
eHealthcare: proven business model
– France, Germany, China, Slovenia…
– New projects: Algeria, Mexico…
Cryptography & Privacy : ePassport example
Cryptography & smartcard technology enable state issuers to protect the privacy of the ePassport holder
Basic Access Authentication
– A specific secret code can provide access to data
– This code is revealed ONLY under user consent/approval
Granularity and different access control rules can be offered
– Based on role and specific situations
Necessary
• Logical Data Structure: basic data (name,…)
• Facial image
• Contactless 32KB min, ISO 14443
Optional
• Fingerprint: full picture
• Iris
3 possible security schemes
• Passive Authentication (Mandatory)
• Basic Access
• Active Authentication
Enterprise: one device for multiple usages
[Figure: a single card combining the following]
– Biometric credentials
– Barcode & magnetic swipe encoding
– PKI certificates
– Static passwords & dynamic passwords (sample logins shown for NT Login, SAP, C. Schwab, Finance)
– Photos
– Physical access controls
– Data management applications
Examples
Authentication to PC and networks
– Windows smartcard logon
E-mail security
– Integration of PKI & smartcard into Outlook
Secure web access
– Integration with SSL & TLS
Secure VPN
– EAP-TLS
On-line consumer authentication
Consolidating multiple identities into a single trusted device
[Figure: end user, any end-user PC, Internet, shopping and other services]
Strong authentication for consumers accessing web based services
Portals, On-line banking, Stock broker, ….
Protect against:
– Password snooping
– Man-in-the-middle
– Keyboard loggers
– Spoofing
– Phishing attacks
– Pharming
– Trojans
Portable and secure, easy-to-install, low cost integration, multi-platforms
One device = multiple identities
Main technology trends: power, convenience and pervasiveness
Move to open platforms supporting PKI
– Government ID, Banking, Healthcare
– Mobile phones (GSM)
Dual interface with contactless support
– ICAO, high speed
Demand for more memory (EEPROM or Flash)
– 64K, 128 KBytes, 512 KBytes up to 1 GB…
More computation power
– Digital signature, PKI, Biometrics (MOC)…
New protocols
– TCP/IP, UFD, USB, MMC
Security certification
– FIPS, CC EAL 4+
Support for multiple applications and plans for post-issuance (i.e. to deploy or upgrade applications in the field)
– SIM OTP
Security printing, packaging and technology integration
Multiple form factors: USB tokens, Passport, Visa, TPMs, …
What needs to be improved…
Continue to work on standardization and interoperability
– Government ID
– Network and enterprise security
Increase work on convenience and ease of use
– Protocols
– Hands-free tokens
Strengthen contactless security
Combination of security & storage
Develop innovative business models
– Security and ROI
– Leverage installed base of tokens
– Post-activation, life cycle management
Thank you.