Identity and Security: Perspectives and Applications
Crypto’puces - Porquerolles, 18 April 2007
Olivier Chavrier


Smartcard Markets (Eurosmart)

At the crossroads of various markets:
– Mobile telephony
– Payments
– Identity and Access Management

Boundaries are fluctuating

New form factors

New services

Pervasiveness of the technology


Ever-increasing fraud on traditional ID documents, combined with new (or old) security threats, are threatening our identity(ies)

Equipment now available for producing fake ID papers

A large number of non-secure ID documents

Fake passports: a serious threat

With an increase in numbers of ID documents, it’s harder to pick out the fakes

On the Internet, nobody knows you’re a dog… (New Yorker, July 1993)

Fourteen years later, the problem still exists. In fact it has become even more complex with:
– Password snooping
– Man-in-the-middle
– Keyboard loggers
– Spoofing
– Phishing attacks
– Pharming
– Trojans


A common problem to solve

Providing an individual with a recognized credential that is:
– The result of a trusted process to confirm identity
– Effective and efficient at proving identity in person or over a network

Identification: 1 to many
Authentication: 1 to 1


Multiple methods and form factors

Physical devices
– Paper and plastic with photo ID
– Paper and plastic with bar-code, mag-stripe, optical-stripe
– Paper and plastic with chip (contact, contactless)
– Paper and plastic with biometrics
– USB keys, unconnected and connected
– Any combination of those

Software
– Password
– Dynamic password
– Symmetric encryption
– PKI
– Biometrics

And combination of all these

1, 2 or 3 factors


Authentication methods: Cost/Risk/Benefit Analysis

[Figure. Axes: increased € cost; increased need for authentication assurance. Assurance levels shown: Very High, High, Medium, Moderate, Low. Examples shown: employee screening for a high risk job; getting an official ID; applying for a loan online; access to protected website; surfing the Internet.]


Advantages of smartcard technologies

Very high security
– Card body security features
– Hardware & software protection

Interactive & cost-effective
– Store, update, delete, add and compute data
– Enables on-line identification and digital signature
– Enables off-line authentication and operations
– Best quality/reliability to cost ratio

Bridges physical and digital world
– “Traditional” visual and secret security printed features
– “New” on-line digital ID and eServices

Durable and flexible
– Multi-applications and post-issuance capabilities
– High durability material and technologies

Protects citizens’ privacy
– Users have full control of their data
– Access to certain data for certain authenticated applications

Convenient and easy to use
– Well-known and broadly accepted format
– Mixing of contact and contactless usages


ID & Security Segmentation/Applications

Domains: Enterprise Security, Government ID, Internet Services Security

Internal ID & Security (Employee ID)
– Physical access control
– Logical access control
– Combined (physical & logical)
– Combined + corporate services

BtoB ID & Security (Enterprise ID)
– Identrus
– Government on-line secured services (eg: TeleTVA)
– General BtoB

Gov to Citizens ID & Security (Citizen ID)
– National ID
– HealthCare
– Passport & Visa
– Driver’s licence
– Car registration
– Weapon permits
– e-Government secured services (Authentication & Digital Signatures)

BtoC ID & Security (Consumer ID)
– Secure access to portals
– On-line secure banking
– ISPs access
– E-commerce


Governments are issuing secured documents with smartcard-based technologies

Travel documents
– Passport
– Visa
Purpose: secure border control and traveling; control immigration

ID
– National ID
– Driving License
– Registration Certificate
Purpose: reduce ID theft & fraud; enable eGovernment services; improve road safety and fine collection

Healthcare
– Health Insurance Card
– Health Professional Card
Purpose: secure and efficient distribution of health welfare; prescriptions, emergency medical data, shared medical file…


Deployments are well underway

ePassport: 30+ countries in 2007
– ICAO standard finalized since 2004
– 26 VWP and more to adopt ePassports
– EU to adopt EAC-secured biometry in 09

ID pushed by legislation & standards
– Over 15 countries have adopted a Nat eID
  – WW: Ecuador, Sweden, S. Arabia, China…
– Standard initiatives on National eID
  – Europe (ECC), Gulf Cooperation Council…
– Legislation (EU, US, Japan…) and standards (ISO) on eDL

eHealthcare: proven business model
– France, Germany, China, Slovenia…
– New projects: Algeria, Mexico…


Cryptography & Privacy : ePassport example

Cryptography & smartcard technology enable state issuers to protect the privacy of the ePassport holder

Basic Access Authentication
– A specific secret code can provide access to data
– This code is revealed ONLY under user consent/approval

Granularity and different access control rules can be offered
– Based on role and specific situations

Necessary
• Logical Data structure: basic data (name,…)
• Facial image
• Contactless 32KB min, ISO 14443

Optional
• Fingerprint: full picture
• Iris

3 possible security schemes
• Passive Authentication (Mandatory)
• Basic Access
• Active Authentication


Enterprise: one device for multiple usages

[Figure: a single card carrying
– Biometric credentials
– Barcode & magnetic swipe encoding
– PKI certificates
– Static passwords & dynamic passwords
– Photos
– Physical access controls
– Data management applications
with a sample table of stored user names and passwords for NT Login, SAP, C. Schwab and Finance.]


Examples

Authentication to PC and networks
– Windows Smartcard logon

E-Mail Security
– Integration of PKI & Smartcard into Outlook

Secure web access
– Integration with SSL & TLS

Secure VPN
– EAP-TLS


On-Line consumer authentication: consolidating multiple identities into a single trusted device

[Diagram: end user, shopping, any end-user PC, Internet]

Strong authentication for consumers accessing web-based services
– Portals, on-line banking, stock broker, …

Protect against:
o Password snooping
o Man-in-the-middle
o Keyboard loggers
o Spoofing
o Phishing attacks
o Pharming
o Trojans

Portable and secure, easy-to-install, low cost integration, multi-platforms

One device = multiple identities


Main technology trends: power, convenience and pervasiveness

Move to open platforms supporting PKI
– Government ID, Banking, Healthcare
– Mobile Phones (GSM)

Dual interface with contactless support
– ICAO, high speed

Demand for more memory (EEPROM or Flash)
– 64K, 128 KBytes, 512 KBytes up to 1 GB …

More computation power
– Digital signature, PKI, Biometrics (MOC)…

New protocols
– TCP/IP, UFD, USB, MMC

Security certification
– FIPS, CC EAL 4+

Support for multiple applications and plans for post-issuance (i.e. to deploy or upgrade applications in the field)
– SIM OTP

Security printing, packaging and technology integration

Multiple form factors: USB tokens, Passport, Visa, TPMs, …


What needs to be improved…

Continue to work on standardization and interoperability
– Government ID
– Network and Enterprise Security

Increase work on convenience and ease of use
– Protocols
– Hands-free tokens

Strengthen contactless security

Combination of security & storage

Develop innovative business models
– Security and ROI
– Leverage installed base of tokens
– Post-activation, life cycle management


Thank you.