Govt. Citizen ID with Java Card(TM) Platform
Emphasis on the role and relevance of Java Card and Sun Identity Management Technologies
Ramesh Nagappan, Security Technologist, ISV-E
[email protected]
http://www.coresecuritypatterns.com/blogs
© Sun Microsystems 2009Slide 2
Undisputed Market Leader in Multi-Application Smart Cards
• Finance
• Government/Healthcare
• Telecom
• Corporate Loyalty
[Figure: sample U.S. DoD identification card (Armed Forces of the United States; U.S. Navy, DoD Civilian) with labelled fields: last name, first name and initial ("Parker IV, Christopher J."), issue date and expiration date (September 30 2001, October 1 2001), identification card, organization seal, photograph, chip]
Introduction to Java Card Technology
• A programmable runtime engine for smart cards
  > Open and standards-based
  > Built for multi-application
  > Proven security (enables on-card PKI/biometric credentials for physical/logical access control)
• A future-proof platform for smart card based services
  > Dynamic application loading
  > Test-suite enforced interoperability
  > Cryptography and biometrics support
• A reference technology for smart card issuers
  > Market leader in security for Government and Citizen ID
  > Market leader in reliability for wireless, banking, ID
  > Choice of multi-sourcing: obtain cards from multiple vendors
Security and portability, with reliability, as the core value proposition
Java Card Adoption
• 6 Billion Java Card units deployed
  > Variety of form factors: smart cards, contactless cards, SIM cards, USB tokens, passports, secure flash memory
• Leader in market segments
  > Telecom (de facto standard for SIM cards)
  > Banking (payment cards)
  > ID (Citizen/Govt/Defence/Intelligence)
  > PayTV (cable/dish subscriber cards)
  > Transport, Healthcare, ...
Java Card vs MULTOS
Java Card as Cryptographic Token
PKI enabled smart cards
• A credit card sized computing device acts as a cryptographic token
  > Contact / contactless cards
• Allows performing core PKI functions
  > Key generation
  > Public/private key operations
  > PIN/biometric authentication
  > Challenge/response authentication
• Supports the use of a public-key infrastructure to verify the identity claim
  > PKI credential issuance
  > Credential validation/verification via OCSP, CRLs
• Defends against tampering and hacking
  > PKI/private key protection
Standards
• ISO-7816
• Java Card, Multos
• Global Platform
• PC/SC
• FIPS-201/PIV, CAC
• PKCS#11, PKCS#15
• GSM/PCS
• EMV (Europay/Mastercard/Visa)
Using smart card based PKI as an authentication credential
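As an added illustration of the card side of "key generation", "PIN authentication" and "challenge/response authentication" above (example code written for this page, not from the slides or from Sun's products), here is a minimal Java Card applet in the Java Card 2.2.1 API. The key pair is generated on-card and the private key is never exported; the card signs a host-supplied nonce only after the holder's PIN has been verified in the same session. The INS codes 0x20 (VERIFY) and 0x88 (INTERNAL AUTHENTICATE) and the 63Cx status word are the ISO 7816-4 ones; the package name, default PIN, key length and nonce-length limits are assumptions, and certificate issuance for the public key happens at personalisation, outside this applet.

```java
package eid.demo;   // hypothetical package name, not from the slides

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.OwnerPIN;
import javacard.framework.Util;
import javacard.security.KeyBuilder;
import javacard.security.KeyPair;
import javacard.security.Signature;

/**
 * Minimal PKI-token applet. The RSA key pair is generated on-card and the
 * private key is never exported; the host authenticates the card holder by
 * sending a fresh random challenge, which the card signs only after the
 * holder's PIN has been verified in the same card session.
 */
public class ChallengeSignApplet extends Applet {

    // ISO 7816-4 instruction codes: VERIFY (PIN) and INTERNAL AUTHENTICATE.
    private static final byte INS_VERIFY = (byte) 0x20;
    private static final byte INS_INTERNAL_AUTHENTICATE = (byte) 0x88;

    // ISO 7816-4 warning status 63Cx: the low nibble carries the PIN tries remaining.
    private static final short SW_PIN_TRIES_REMAINING = (short) 0x63C0;

    private static final byte PIN_TRY_LIMIT = (byte) 3;     // PIN blocks after 3 wrong tries
    private static final byte PIN_MAX_LENGTH = (byte) 8;
    private static final short MIN_CHALLENGE = (short) 16;  // refuse short nonces
    private static final short MAX_CHALLENGE = (short) 32;
    private static final short SIG_LENGTH = (short) 128;    // RSA-1024 signature size in bytes

    // Constructed default PIN "1234"; a real card is personalised at issuance.
    private static final byte[] DEFAULT_PIN = { 0x31, 0x32, 0x33, 0x34 };

    private OwnerPIN pin;
    private KeyPair keyPair;
    private Signature signer;
    private byte[] scratch;   // RAM buffer, cleared by the JCRE on deselect

    private ChallengeSignApplet() {
        pin = new OwnerPIN(PIN_TRY_LIMIT, PIN_MAX_LENGTH);
        pin.update(DEFAULT_PIN, (short) 0, (byte) DEFAULT_PIN.length);
        keyPair = new KeyPair(KeyPair.ALG_RSA, KeyBuilder.LENGTH_RSA_1024);
        keyPair.genKeyPair();                   // key material stays inside the card
        signer = Signature.getInstance(Signature.ALG_RSA_SHA_PKCS1, false);
        signer.init(keyPair.getPrivate(), Signature.MODE_SIGN);
        scratch = JCSystem.makeTransientByteArray(SIG_LENGTH, JCSystem.CLEAR_ON_DESELECT);
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new ChallengeSignApplet().register();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) {
            return;                             // SELECT is answered by the JCRE
        }
        byte[] buf = apdu.getBuffer();
        switch (buf[ISO7816.OFFSET_INS]) {
            case INS_VERIFY:
                verifyPin(apdu, buf);
                break;
            case INS_INTERNAL_AUTHENTICATE:
                signChallenge(apdu, buf);
                break;
            default:
                ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }

    private void verifyPin(APDU apdu, byte[] buf) {
        short lc = apdu.setIncomingAndReceive();
        if (lc < (short) 1 || lc > PIN_MAX_LENGTH) {
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        }
        // OwnerPIN.check decrements the try counter itself and keeps failing once blocked.
        if (!pin.check(buf, ISO7816.OFFSET_CDATA, (byte) lc)) {
            ISOException.throwIt((short) (SW_PIN_TRIES_REMAINING + pin.getTriesRemaining()));
        }
    }

    private void signChallenge(APDU apdu, byte[] buf) {
        if (!pin.isValidated()) {
            ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        }
        short lc = apdu.setIncomingAndReceive();
        if (lc < MIN_CHALLENGE || lc > MAX_CHALLENGE) {
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        }
        // Sign (SHA-1, PKCS#1) over the host's nonce; the host verifies with the
        // certificate it holds for this card.
        short sigLen = signer.sign(buf, ISO7816.OFFSET_CDATA, lc, scratch, (short) 0);
        Util.arrayCopyNonAtomic(scratch, (short) 0, buf, (short) 0, sigLen);
        apdu.setOutgoingAndSend((short) 0, sigLen);
    }

    public void deselect() {
        pin.reset();                            // drop PIN validation when the session ends
    }
}
```

The two properties the applet enforces are the ones the slide lists under "private key protection": the key never crosses the card boundary, and a signature is only produced for a holder who has proved knowledge of the PIN in the current session (deselect() clears that state). The freshness of the challenge is the host's responsibility, which is why the applet refuses very short nonces but cannot itself detect a replayed one.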
Java Card as Biometric Token
Using smart card based biometrics as an authentication credential
Java Card based Biometric Identity
• Matching to physiological or behavioral characteristics to identify a person
  > High degree of assurance with proof of presence + proof of possession
  > Fingerprints, facial image/geometry, iris images can be stored on card
  > Match on-card samples to live human samples
• Biometric templates can be stored on the smart card for personal identification
  > Fingerprint template is ~200 bytes
  > Iris template is 500 bytes
• Biometric credential must be exchanged in a secure network channel (trusted path)
Standards
• INCITS 378 / CBEFF (Fingerprints)
• INCITS 379 (Iris)
• OASIS BIAS
• BioAPI
• Java Card BioAPI
• FIPS-201 / PIV
Managing Govt ID Issuance Life-cycle
Identity Management life-cycle events [cycle diagram]:
• Identity Registration
• Identity Enrollment & Adjudication
• Physical & Logical Access Control
• Card/Credential Issuance
• Identity Termination
• Credential Maintenance
Managing Govt ID Issuance Lifecycle
Smartcard issuance life-cycle using Sun Identity Management Suite
[Diagram: Sun IDMS with labelled elements Demographic Data, Biometrics, PKI, Identity Proofing, Verified Credentials (Smartcard/Biometrics), Logical Access Control, Physical Access Control]
Sun IDM Authorization Workflow
[Diagram: workflow stages Applicant Registration; Enrollment (Biometrics, Breeder Documents); Identity Proofing & Adjudication; Card Issuance & Activation; Physical & Logical Access Provisioning; Credential Maintenance; Retirement/Termination. Approval/Denial decision points are assigned to the Hiring Manager, Enrollment Officer, HR Officer, HR Manager, Enrollment Officer and Hiring Manager]
• Sun IDM manages the authorization workflow and the authority's approvals and denials.
• Sun IDM facilitates digitally signed approvals using smart card based credentials verified against a PKI provider.
Smart card based Credentials - Logical Access Control
Sun Rays in a Govt eID Environment
[Figure: Sun Ray value propositions: Security, Manageability, Reliability, Mobility, Value]
Sun Ray supports the use of most eID and CAC/PIV cards.
Logical Deployment of Sun Rays
Smartcard based authentication in a virtual/remote desktop/application environment
[Diagram: Sun Rays, two firewalls and the data center; data-center tiers labelled Sun Access Tier, Identity/Auth., ESX Virtualization, Applications]
• PIV credential authentication: PC and thin client users can securely access their remote desktops and applications from any location using PIV cards.
• Once PIV authenticated, the access tier establishes a display connection to the user device and a protocol connection to the back-end desktop OS and applications.
• The access tier supports standard authentication mechanisms: LDAPv3, Active Directory, NIS, MS Windows Domain.
• The access layer controls the user access and application profiles, maintains audit logs of user and app usage, and provides the display engine to the user desktop.
• Each user desktop environment runs on a virtual machine located in the corporate data center; all desktop and application communication remains in the data center.
• Native protocols are used to access apps; no modification of the OS or apps is required.
• Secure remote access from any location.
• Combine existing authentication and authorization mechanisms using Sun IDMS.
• Windows XP / 2003 desktop virtualization using Sun Rays and Sun VDI.
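The access tier's "PIV authenticated" decision above is a host-side check that the slide does not spell out. As an added example (written for this page, not Sun Ray or Sun VDI code), here is the verifier side of a PIV-style challenge/response logon in plain Java SE: it issues a random nonce, verifies the card's signature with the public key from the card's certificate, checks the certificate's validity period and a revocation list, and refuses a replayed nonce. The card is simulated by cardSign(); SHA256withRSA, the 2048-bit key, the serial numbers and the revocation set are constructed assumptions, and certificate-chain validation to the issuing CA is left out.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

/**
 * Access-tier side of a PIV-style challenge/response logon. The card side is
 * simulated in cardSign(); in a real deployment that signing happens inside the
 * Java Card and the private key never leaves it.
 */
public final class AccessTierAuthenticator {

    /** Facts the access tier learns from the card's certificate and its revocation feed. */
    static final class Credential {
        final String serial;            // certificate serial, used for the revocation lookup
        final PublicKey publicKey;
        final Instant notBefore;
        final Instant notAfter;

        Credential(String serial, PublicKey publicKey, Instant notBefore, Instant notAfter) {
            this.serial = serial;
            this.publicKey = publicKey;
            this.notBefore = notBefore;
            this.notAfter = notAfter;
        }
    }

    private final Set<String> revokedSerials;                   // stand-in for CRL / OCSP results
    private final Set<String> consumedNonces = new HashSet<>(); // each challenge is accepted once
    private final SecureRandom rng = new SecureRandom();

    AccessTierAuthenticator(Set<String> revokedSerials) {
        this.revokedSerials = revokedSerials;
    }

    /** 256-bit random challenge; its unpredictability is what makes an old signature useless. */
    byte[] newChallenge() {
        byte[] nonce = new byte[32];
        rng.nextBytes(nonce);
        return nonce;
    }

    /** All four checks must pass before a display/protocol session is opened for the user. */
    boolean authenticate(Credential cred, byte[] challenge, byte[] signature, Instant now)
            throws GeneralSecurityException {
        String nonceKey = Base64.getEncoder().encodeToString(challenge);
        if (!consumedNonces.add(nonceKey)) {
            return false;                                        // replayed challenge
        }
        if (now.isBefore(cred.notBefore) || now.isAfter(cred.notAfter)) {
            return false;                                        // credential outside its validity period
        }
        if (revokedSerials.contains(cred.serial)) {
            return false;                                        // revoked per CRL / OCSP
        }
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cred.publicKey);
        verifier.update(challenge);
        return verifier.verify(signature);                       // proof of possession of the card's key
    }

    /** Simulated card: in production this runs on the Java Card, not on the host. */
    static byte[] cardSign(PrivateKey cardKey, byte[] challenge) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(cardKey);
        signer.update(challenge);
        return signer.sign();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair cardKeys = gen.generateKeyPair();               // constructed stand-in for an issued card
        Instant now = Instant.now();
        Instant expiry = now.plusSeconds(3L * 365 * 24 * 3600);
        Credential valid = new Credential("CONSTRUCTED-SERIAL-1", cardKeys.getPublic(), now.minusSeconds(3600), expiry);
        Credential revoked = new Credential("CONSTRUCTED-SERIAL-2", cardKeys.getPublic(), now.minusSeconds(3600), expiry);
        AccessTierAuthenticator tier = new AccessTierAuthenticator(Set.of("CONSTRUCTED-SERIAL-2"));

        byte[] challenge = tier.newChallenge();
        byte[] signature = cardSign(cardKeys.getPrivate(), challenge);
        System.out.println("fresh challenge, valid card:  " + tier.authenticate(valid, challenge, signature, now));
        System.out.println("same challenge replayed:      " + tier.authenticate(valid, challenge, signature, now));
        byte[] other = tier.newChallenge();
        System.out.println("signature over another nonce: " + tier.authenticate(valid, other, signature, now));
        byte[] third = tier.newChallenge();
        System.out.println("revoked credential:           "
                + tier.authenticate(revoked, third, cardSign(cardKeys.getPrivate(), third), now));
    }
}
```

The order of the checks matters for auditability: the nonce is consumed before anything else so that a failed attempt cannot be retried with the same challenge, and the validity and revocation checks run before the comparatively expensive signature verification. The signature algorithm here must match what the card actually produces; the on-card slide earlier uses SHA-1/PKCS#1 in the Java Card 2.2.1 API, and a deployment picks one and verifies with the same.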
Sun CMT Servers: Wire-speed Security
UltraSPARC T2 offers on-chip cryptographic acceleration for PKI applications
• Sun UltraSPARC T2 offers industry-leading cryptography performance for PIV environments.
  > On-chip crypto threads virtually eliminate the large workloads of PKI and cryptography
  > Out-performs the competition on SSL and public-key crypto operations
  > Over 30x greater RSA1024 performance than a 2-socket IBM p510
• Supports commonly used ciphers for public-key encryption and secure hashing functions
  > Public-key cryptography (RSA, DSA, Diffie-Hellman, ECC)
  > Bulk encryption (RC4, DES, 3DES, AES)
  > Secure hash (MD5, SHA-1, SHA-256)
Mandatory Access Control and Security Labels (Solaris TX)
U.S. Department of Defense
• Military ID and Geneva Convention Card
  > Common credentials for verified identity
  > DoD-wide health benefits ID card
  > Physical access and manifesting
  > Logical access with PKI/digital signature
• Well established security certification platform with numerous cards holding FIPS-140 ratings
  > High degree of security and assurance
• Supports additional military branch-specific applications at issuance and post-issuance
• Flexible to support the original CAC format, the CAC transitional format and the PIV format (evolution of requirements)
• Deployment: 3M+ active duty units. Over 12M units to date. Issuing 30K+ units a day at peak war periods
[Figure: sample U.S. DoD identification card (Armed Forces of the United States; U.S. Navy, DoD Civilian) with labelled fields: last name, first name and initial ("Parker IV, Christopher J."), issue date and expiration date (September 30 2001, October 1 2001), identification card, organization seal, photograph, chip]
US Federal Employee PIV Card
• Homeland Security Presidential Directive 12 (HSPD-12) mandated a Federal Government-wide smart card ID program
  > Use of combined PKI and biometric credentials
• Dual interfaces for both physical and logical access
  > Secure contact/contactless access to target resources
• To date, all deployed PIV cards are Java Card
  > Conformance to Java Card 2.2.1
• By 2013 over 12 million PIV cards will have been issued
• The PIV model is being replicated in the US Federal Govt in programs such as the Travel Worker Identity Program (TWIC), First Responder ID, Immigration Cards and potentially Driver's Licenses
Taiwan Healthcare ID
• National health insurance ID card
• Multi-application smart card
  > Identification, medical profile and benefits
  > E-Purse capable
  > Restricted use by other governmental agencies to protect privacy
• Supports open standards and post-issuance of new applications
• 40M Java Cards deployed
Belgium National ID
• First country in the EU to deploy a citizen ID card to the entire population
• Multi-application Java Card
  > Identification, e-Government services, e-Voting, etc.
  > Filing tax returns, birth certificates, civil records
  > Digital certificates: authentication, digital signature (PKCS15 conformance)
  > Commercial applications: e-Banking, e-Ticketing
• Common Criteria EAL 5+ certified
• Deployment: 40+ million Java Cards
Thailand National ID Card
• National citizen ID card for the entire population
  > Multi-application Java Card-based smart card
  > Personal ID, fingerprints, tax, social welfare and social security numbers, agricultural data and healthcare data
  > Citizens will be able to access eGovernment services at e-government kiosks nationwide and via smart card readers integrated into desktop computers
• 60M+ Java Cards deployed
Oman National ID Card
• First country in the Middle East to start deploying a large-scale citizen ID card to the entire population
  > Multi-application Java Card-based smart card
  > Provides positive identification with digital photograph, digital certificates and biometric authentication
  > Plans to add driver's license, emergency medical data and border control applications
• Deployment: 3M+ Java Cards
United Arab Emirates National ID
• National citizen ID card for the entire population
  > Multi-application Java Card-based smart card
  > Positive identification with digital photograph, digital certificates and fingerprint biometric authentication
  > Enabled e-Government services
  > Plans to add driver's license, emergency medical data and border control applications
• Deployment: 4.5+ million Java Cards
Macau Government ID Card
• Multi-application Java Card-based smart card
  > Identification, border control, e-Government, e-Commerce and public services access
  > Driver's license and e-Purse envisioned in future
• Secure laser-engraved Java Cards
  > Facial image, signature, and fingerprint biometrics
  > PKI/certificates
• GlobalPlatform-compatible card management system
More... Java Card's Govt ID Successes
• UK NHS and MoD
• Canadian ePassports
• Portugal National ID
• Qatar National ID
• Azerbaijan National ID
• Morocco National ID
• Finland National ID
• Italy National ID
• Queensland Australia Driver's License
• And approximately 20 other countries exploring Java Card
Thank You!
Ramesh Nagappan, [email protected], http://www.coresecuritypatterns.com/blogs
Brian Kowal, Head, Java Card Marketing & [email protected]