26 July 2006 - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Automatic Identification Data Capture Technical Institute
  • 26 July 2006
  • Ross College of Engineering and Technology
  • Center for Automatic Identification
  • Ohio University
  • Athens, Ohio

2
Smart Cards In A World of Privacy, Security, and Information Sharing
  • Mark G. McGovern
  • Chief Technologist
  • Smart Cards, Cryptography, Steganography,
    Biometrics, PKI
  • Lockheed Martin TSS
  • Chief Technologist Defensive Information
    Operations
  • Horizontal Integration Team
  • Lockheed Martin

3
What Are We Really Talking About?
  • There will be two primary subjects in our
    discussion today
    • The use of Smart Cards and how they are evolving
      to meet today's demanding and exacting
      requirements.
    • Physical and Logical Control
  • The emerging areas of
    • Identity Management Protection
    • Information Sharing
  • The Smart Card is specifically poised and ready
    to assume a critical role and help advance these
    emerging requirements.

4
What Do We Mean By Smart Card?
  • The real core of our discussion is the use of
    Integrated Circuit Chips (ICs) that perform
    programmed responses and instructions as directed
    by coded applications.
  • Since the physical form factors vary depending on
    the needs and requirements, the global term is
    changing to Smart Object.
  • The word Smart describes the capabilities of
    the Integrated Circuit Chip.
  • The word Card describes the use of a card. It
    is most commonly used since it has space on the
    card for a great deal of information and other
    information sharing technologies, for instance, a
    magnetic stripe, bar codes, etc.

5
An Abbreviated Look at History
  • Plastic cards were introduced in the US in the
    early 1950s with the Diners Club card
  • Chip cards using an internal file system were
    created and became quite popular in the early
    1970s in Europe primarily
  • 1974 - as a SIM (Subscriber Identity Module) for
    use with the telephone system
  • 1984 - a financial mediator and bank card armed
    with an EMV (Europay, MasterCard, and Visa)
    application to be used between countries.
  • European companies grew quite large, popular, and
    profitable.

6
Coming To America
  • In the late 1990s the smart card manufacturers
    came to the US in search of new markets and
    opportunities.
  • The US essentially said that there was no market
    for their existing wares, but since the IC had by
    now evolved intelligent capabilities, there was a
    possibility for use in the field of security.
  • The requirements were to find a common operating
    system that allowed:
    • A common platform for interoperability
    • The capability to be entrepreneurs.

7
Smart Card Market Size
  • Market growth by year

Source: Frost & Sullivan 2005
8
Percentages by Market Segment
  • Market growth by segment

Source: Frost & Sullivan 2005
9
What Do We Do Now?
  • The size, complexities, and capabilities of the
    Smart Card industry are increasing at a very fast
    pace.
  • Simultaneously, the size, complexities, and
    requirements for security and privacy are ever
    evolving and morphing into entirely new designs
    and shapes.
  • Demands and expectations for solutions are
    appearing that are making the security industry
    count more and more on this technology.
  • By far, the largest and most complicated demands
    for smart object technology are in the world of
    access control and identity. These are not
    trivial events.

10
What Makes The ICC Smart?
11
Smartcard Interfaces
12
Smart Card Types
[Diagram of smart card types: Contactless Card (Close Coupling ISO 10536, Proximity Coupling ISO 14443), Processor Card, Memory Card]
Used with permission, Giesecke & Devrient
13
Dual Interface Card
Used with permission, Giesecke & Devrient
14
Physical and Logical Access Control
15
Physical Access Control
16
Physical Access Control Technologies
  • Guards
  • Fences
  • Flood Lights
  • Man Traps
  • Keys to the door
  • Spin Dial
  • Touch Pad
  • Magnetic Stripe Cards
  • Smart Cards
  • 125 KHz RFID most popular
  • Contactless with ICC starting to appear

17
3 Primary Contactless Technologies
  • Proximity Card
    • Operates at 125 KHz
    • Read range 3-4 inches
  • Smart Cards
    • ISO/IEC 14443 and 15693
    • Intelligent read/write devices
    • Capabilities
      • Authenticate a person's identity
      • Determine appropriate level of access
      • Can include multiple authentication factors
    • Operates at 13.56 MHz
    • ISO/IEC 14443: read range 3-4 inches
    • ISO/IEC 15693: read range 1 meter

18
Physical Access Control
[Diagram: card presented to a Reader]
19
Physical Access Control
[Diagram: Chain of Trust from card to Reader]
20
Logical Access Control
21
User Authentication: an evolution

Attack                          Response
Pretender                       Passwords
22
Passwords
  • Initial response by security and programming
    experts to deny unauthorized persons access to
    the PC and/or network
  • Most fundamental and commonly used access control
    and authentication technique
  • General evolution of events
    • User turns on PC or touches keyboard to wake up
      the system
    • User enters User Name and Password into the
      dialogue box and hits Enter
    • Information is sent to an identification flat
      file, which compares the user name and password
    • Acceptance or denial is returned to the PC
  • Advantages
    • Relatively simple to implement
    • Logical and efficient for the user
  • Disadvantages
    • To maintain security, passwords must be
      • Memorized
      • Complicated, to deter guessing
      • Changed periodically
    • Requirements are part of the Security Policy

23
Clear Text Passwords
  • Password authentication was designed to include
    two separate and distinct parts
    • USER ID: specific identification of the user
      attempting access
    • Password: something only the user should know

24
User Authentication

Attack                          Response
Pretender                       Passwords
Password Theft                  Hash, MAC, Cryptography
25
Password Conversions
  • In order to mitigate the security implications of
    the transmission and storage of clear text
    passwords, three simple and effective approaches
    have been implemented:
    • Hashing
    • Message Authentication Codes
    • Cryptography

26
Password Hashing
  • Sometimes referred to as a Message Digest, a hash
    is a one-way mathematical algorithm which
    produces a fixed length result from a document of
    almost any size
  • Its fundamental purpose is to produce a digital
    fingerprint to verify the integrity of
    information.

27
Passwords in MAC Format
  • The Message Authentication Code, or MAC, takes
    the password, hashes it, and then encrypts it

NOTE The above example is not a real MAC of
the Password. It is a copy of the Hash example.
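An added example in Python, not from the presentation, that carries the flat-file check of slide 22 through the first two conversions of slides 26 and 27: a salted one-way hash of the password, and a keyed MAC (HMAC-SHA256 is used here as one standard MAC construction). The server-side key, the record format, and the sample passwords are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor for the password hash


def fingerprint(data: bytes) -> str:
    """Slide 26: a one-way digest is a fixed-length 'digital fingerprint' of
    input of almost any size; any change to the input changes the digest."""
    return hashlib.sha256(data).hexdigest()


def hash_record(password: str) -> str:
    """The 'Hashing' conversion: store a salted, iterated one-way hash in the
    identification file instead of the clear-text password. The random salt
    is stored beside the digest, so equal passwords give different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_hash(record: str, candidate: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Assumed verifier-side key for the MAC variant. It must live outside the
# password file (key store or HSM) so that stealing the file alone is useless.
SERVER_KEY = b"assumed-verifier-key-not-stored-with-the-records"


def mac_record(password: str, key: bytes = SERVER_KEY) -> str:
    """The 'MAC' conversion (slide 27) using HMAC-SHA256: the stored tag
    depends on the secret key as well as on the salt and the password."""
    salt = os.urandom(16)
    tag = hmac.new(key, salt + password.encode(), hashlib.sha256).digest()
    return salt.hex() + "$" + tag.hex()


def verify_mac(record: str, candidate: str, key: bytes = SERVER_KEY) -> bool:
    """Without the same key, even the correct password does not verify, which
    is what defeats offline guessing against a stolen record file."""
    salt_hex, tag_hex = record.split("$")
    tag = hmac.new(key, bytes.fromhex(salt_hex) + candidate.encode(),
                   hashlib.sha256).digest()
    return hmac.compare_digest(tag, bytes.fromhex(tag_hex))
```

A hashed record can still be attacked offline by guessing against the stored digest; the MAC record cannot be checked at all without the verifier's key, which is the extra property the slide's "Password Theft" row relies on.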
28
User Authentication

Attack                          Response
Pretender                       Passwords
Password Theft                  Hash, MAC, Cryptography
Keyboard Sniffing               OTP
Sophisticated Network Attacks   Smart Cards, Biometrics, PKI/PKE
29
Smart Cards
  • The card format offers visible information for
    flash badge capabilities in addition to the
    embedded IC chip
  • Offers significant information security and
    processing power for authentication
  • Is a portable token which allows for
    sophisticated access control, or part of a
    multi-factor access capability.
  • Perfectly adaptable to both logical and physical
    access control standards and requirements
  • Contact card usually preferred for direct
    interaction with the reader/network.
  • Contactless capabilities also offer some
    advantages
    • Logical Access
      • No requirement to physically put the card in a reader
      • PC opens up when the card is in the vicinity and
        closes down when it leaves
    • Physical Access
      • Card can be presented in the vicinity of the reader
      • No wear on the card; excellent for outdoor
        environments
  • Poised to become a significant player in the
    Information Warfare environment.

30
Biometrics
  • A quickly maturing technology that is invaluable
    in identifying the unique characteristics of an
    individual
  • Biometric technologies include
    • Fingerprint
    • Vein
    • Facial Recognition
    • Iris
    • Palm
    • Signature
    • Voice
    • Gait
  • Effectively used as a primary or secondary
    control for access
  • Fingerprint biometrics are particularly powerful
    when used with a smart card through match-on-card,
    which verifies that the card and the person
    are presenting at the same time

31
Public Key Cryptography / Public Key Infrastructure (PKI) / Public Key Enablement (PKE)
  • Public Key Cryptography answers the key quandary
    of symmetric key distribution with the creation
    of 2 keys (one public and one private) which are
    related through one-way mathematical functions.
  • Public Key Infrastructure (PKI) is a combination
    of standards, protocols, hardware and software
    designed and architected to maximize the security
    and power of Public Key Cryptography. It provides
    certificates and cryptographic services such as
    encryption for data and email, digital signatures,
    and access control using extraordinarily
    complicated keys.
  • Public Key Enablement (PKE) is the enabling of
    applications to use Public Key Cryptography tools
    over the Public Key Infrastructure for security.
  • The Smart Card is uniquely capable of using this
    power in a portable and secure format on demand.

32
Physical & Logical Access Control
  • Separate functions but intrinsically related
  • The edge of the chain of trust
  • Smart Cards are the most secure and flexible
    credential for both
  • Not easy to socially combine since physical and
    logical security have traditionally been separate
    and different
  • Data into information and information into
    action

33
Identity and Access Control
34
Understanding Authentication and Authorization
  • There is a common misconception that these two
    words are intrinsically related
  • Authentication is who you are (identity)
  • Authorization is what you are allowed to do (your
    roles or privileges).
  • Looking at this from an intellectual view
  • Identity is a global event.
  • Roles are a local event.
  • They are separate and distinct and only joined by
    a process and policy that creates a strong level
    of trust.

35
The Issue of Trust
Trust (trust), n. firm belief in reliability,
honesty, veracity, justice, good faith, in the
intent of another party to conduct a deal,
transaction, pledge, contract, etc. in accordance
with agreed principles, rules, laws,
expectations, undertakings, etc.

It is useful to remember some things that trust is
not. Trust is NOT:
  • Transitive (cannot be passed from person to person)
  • Distributive (cannot be shared)
  • Associative (cannot be linked to another trust or
    added together)
  • Symmetric ("I trust you" does not equal "you trust me")
  • Self-declared ("trust me": why?)
36
AUTHENTICATION
Authentication is the certification, to whatever
degree of certainty you have investigated, of a
person's identity and nothing more.
37
Authorization Techniques
  • Models for Controlling Access through
    Authorization
    • Mandatory Access Control
    • Discretionary Access Control
    • Non-Discretionary Access Control
  • Most popular model is Role Based Access Control
    or RBAC
  • Privacy and data integrity requirements have
    created a requirement to have a capability that
    is much more granular than RBAC
    • Privilege, or Permissions, Management
    • Content Management
  • The Smart Card is a very powerful and logical
    tool to help support this requirement.

38
Identity Management Protection
Identity Management Protection is the
juxtaposition of authentication and authorization
into a cohesive and appropriate integrated system
of business processes, policies and technologies
that enable organizations to facilitate and
control their users' access to critical online
applications and resources while protecting
confidential personal and business information
from unauthorized users. It represents a category
of interrelated solutions that are employed to
administer user authentication, access rights,
access restrictions, account profiles, and other
attributes supportive of users' roles/profiles on
one or more applications or systems.
39
The Evolution of Information Sharing
  • The creation, sharing, and protection of
    secrets has been going on throughout history
  • It has changed with the evolution of societies
    and technologies
  • Cryptography and steganography
    • Cryptography
      • Manual (substitution and transposition)
      • Digitized communications (manipulation of binary
        code)
    • Steganography (based on available requirements)
  • Communications Security (COMSEC)
  • Information Security (INFOSEC)
  • NetCentric Information Sharing
    • IC GIG has declared the internet a hostile
      network

40
Federal Government Initiatives
  • The Patriot Act
  • The Aviation Transportation Security Act
  • The Maritime Transportation Security Act
  • Personal Identity Verification (HSPD-12 / FIPS
    201)
  • Transportation Worker Identification Credential
    (TWIC)
  • Trusted Traveler / Registered Traveler
  • PASS Card
  • RealID

41
Federated Identity
  • One of the newest additions to the arsenal of
    shared security is the introduction of
    federated identity.
  • It has been around in government agencies for
    many years but only recently have these needs
    been able to be addressed.
  • The smart card is a significant part of the
    thought process for these requirements.

42
Conclusion
  • Smart Objects, primarily in the form factor of
    cards, are becoming more and more an essential
    part of our business and financial fabric.
  • Portable security-based identity tokens allow for
    dramatic efficiencies, cost reduction, less
    paperwork, and individual security.
  • Their evolution is persistent, intellectual,
    consistent, and flexible for most challenges.

43
Thank You!