1. Govt. Citizen ID with Java Card™ Platform
Emphasis on the role and relevance of Java Card and
Sun Identity Management Technologies
Ramesh Nagappan
Security Technologist, ISV-E
ramesh.nagappan@sun.com
http://www.coresecuritypatterns.com/blogs
2. Undisputed Market Leader in Multi-Application Smart Cards
Market segments: Loyalty, Corporate, Finance, Telecom, Government/Healthcare
[Figure: sample U.S. Department of Defense identification card (Armed Forces of the United States; photograph, organization seal, name, issue and expiration dates, chip)]
Slide 2 © Sun Microsystems 2009
3. Introduction to Java Card Technology
Security and Portability with Reliability as Core Value Proposition
• A Programmable Runtime engine for Smart cards
> Open & Standards-based
> Built for multi-application
> Proven security (on-card PKI and biometric credentials for physical and logical access control)
• A future-proof platform for Smart card based services
> Dynamic application loading
> Test-suite enforced interoperability
> Cryptography and Biometrics support
• A reference technology for Smart card issuers
> Market leader in Security for Government and Citizen ID
> Market leader in reliability for wireless, banking, ID
> Choice of multi-sourcing – Obtain cards from multiple vendors
4. Java Card Adoption
• 6 Billion Java Card units deployed
> Variety of form factors: SIM cards, secure flash memory, passports, USB tokens, contact and contactless smart cards
• Leader in market segments
> Telecom (de facto for SIM cards!)
> Banking (payment cards)
> ID (Citizen/Govt/Defence/Intelligence)
> PayTV (cable/dish subscriber cards)
> Transport, Healthcare...
6. Java Card as Cryptographic Token
PKI-enabled Smart cards
• A credit card sized computing device acts as a cryptographic token.
> Contact / Contactless cards
• Allows performing core PKI functions
> Key generation
> Public/Private key operations
> PIN/Biometric authentication
> Challenge/response authentication
• Supports the use of a Public-key infrastructure to verify the identity claim.
> PKI credential issuance.
> Credential validation/verification via OCSP, CRLs
• Resists tampering and key extraction.
> PKI/Private key protection: the private key is generated and used on-card and is never exported
Standards: ISO 7816; Java Card, Multos; GlobalPlatform; PC/SC; FIPS 201/PIV, CAC; PKCS#11, PKCS#15; GSM/PCS; EMV (Europay/Mastercard/Visa)
Using Smart card based PKI as an Authentication Credential
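The PIN-gated challenge/response flow this slide describes, as a worked example added here (illustrative code, not an applet from the slides, from Sun, or from any PIV/CAC product): a minimal Java Card applet that holds an RSA key pair generated on-card, refuses to sign until a VERIFY has succeeded in the current session, and answers INTERNAL AUTHENTICATE by signing the host's nonce. The class name, the install-parameter layout used to set the initial PIN, the 16-byte minimum nonce length and the RSA-1024/SHA-1 algorithm constants (the Java Card 2.2.1 era the PIV slide refers to; current deployments use RSA-2048 or ECC with SHA-256) are assumptions of this example.

```java
package govid.example;

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.OwnerPIN;
import javacard.security.KeyBuilder;
import javacard.security.KeyPair;
import javacard.security.Signature;

/**
 * Illustrative PIN-gated challenge/response applet (hypothetical class, not a PIV implementation).
 *
 * Host flow:  VERIFY                 00 20 00 80 Lc <PIN>        -> 90 00 | 63 Cx (x tries left) | 69 83 (blocked)
 *             INTERNAL AUTHENTICATE  00 88 00 00 Lc <nonce> 00   -> <RSA PKCS#1 signature over nonce> 90 00
 * The host checks the signature with the public key in the card's certificate and the
 * certificate's status via OCSP/CRL. The private key never appears in any APDU.
 */
public class ChallengeResponseApplet extends Applet {

    private static final byte INS_VERIFY        = (byte) 0x20;
    private static final byte INS_INTERNAL_AUTH = (byte) 0x88;

    private static final byte  PIN_TRY_LIMIT  = (byte) 3;
    private static final byte  PIN_MAX_SIZE   = (byte) 8;
    private static final short MIN_NONCE_LEN  = (short) 16;     // assumption: reject short, replayable nonces
    private static final short SW_PIN_BLOCKED = (short) 0x6983;
    private static final short SW_PIN_FAILED  = (short) 0x63C0; // low nibble carries tries remaining

    private final OwnerPIN  pin;
    private final KeyPair   keyPair; // generated on-card; the private half is never exported
    private final Signature signer;

    private ChallengeResponseApplet(byte[] bArray, short bOffset, byte bLength) {
        pin = new OwnerPIN(PIN_TRY_LIMIT, PIN_MAX_SIZE);
        // JCRE install parameters: [AID len][AID][control len][control][applet data len][applet data].
        // Assumption for this example: the applet data is the initial PIN set at personalization,
        // so no PIN value is hard-coded in the applet.
        short aidLen  = bArray[bOffset];
        short ctrlOff = (short) (bOffset + 1 + aidLen);
        short ctrlLen = bArray[ctrlOff];
        short dataOff = (short) (ctrlOff + 1 + ctrlLen);
        byte  pinLen  = bArray[dataOff];
        pin.update(bArray, (short) (dataOff + 1), pinLen);

        keyPair = new KeyPair(KeyPair.ALG_RSA, KeyBuilder.LENGTH_RSA_1024);
        keyPair.genKeyPair();
        signer = Signature.getInstance(Signature.ALG_RSA_SHA_PKCS1, false);
        signer.init(keyPair.getPrivate(), Signature.MODE_SIGN);
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new ChallengeResponseApplet(bArray, bOffset, bLength).register();
    }

    public boolean select() {
        // Refuse selection once the PIN is blocked; the card must be unblocked by the issuer.
        return pin.getTriesRemaining() != 0;
    }

    public void deselect() {
        pin.reset(); // clear the validated flag so the next session must VERIFY again
    }

    public void process(APDU apdu) {
        if (selectingApplet()) {
            return;
        }
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_CLA] != ISO7816.CLA_ISO7816) {
            ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
        }
        switch (buf[ISO7816.OFFSET_INS]) {
            case INS_VERIFY:        verify(apdu, buf);               break;
            case INS_INTERNAL_AUTH: internalAuthenticate(apdu, buf); break;
            default:                ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }

    private void verify(APDU apdu, byte[] buf) {
        byte lc = (byte) apdu.setIncomingAndReceive();
        if (pin.getTriesRemaining() == 0) {
            ISOException.throwIt(SW_PIN_BLOCKED);
        }
        // OwnerPIN.check decrements the try counter before comparing, so tearing the card
        // out during the comparison does not give the attacker a free guess.
        if (!pin.check(buf, ISO7816.OFFSET_CDATA, lc)) {
            byte left = pin.getTriesRemaining();
            ISOException.throwIt(left == 0 ? SW_PIN_BLOCKED : (short) (SW_PIN_FAILED | left));
        }
        // success: 90 00 is returned implicitly
    }

    private void internalAuthenticate(APDU apdu, byte[] buf) {
        if (!pin.isValidated()) {
            ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED); // 69 82: VERIFY first
        }
        short lc = apdu.setIncomingAndReceive();
        if (lc < MIN_NONCE_LEN) {
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        }
        // Sign the host's nonce in place: the 128-byte RSA-1024 signature is written from
        // offset 0 of the APDU buffer (Signature.sign allows overlapping input and output).
        short sigLen = signer.sign(buf, ISO7816.OFFSET_CDATA, lc, buf, (short) 0);
        apdu.setOutgoingAndSend((short) 0, sigLen);
    }
}
```

On the host side the reader sends VERIFY with the PIN (the applet ignores P1/P2; 00 80 is shown because PIV uses it for the card application PIN), then INTERNAL AUTHENTICATE with a freshly generated nonce, and verifies the returned PKCS#1 signature over that nonce with the public key from the card's certificate before checking the certificate against OCSP or a CRL as the slide lists. A replayed signature fails because the nonce differs each time, and a stolen card without the PIN cannot produce one at all, which together give the "proof of possession" the later biometrics slide builds on.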
7. Java Card as Biometric Token
Java Card based Biometric Identity
• Matching of physiological or behavioral characteristics to identify a person.
> High degree of assurance: proof of presence + proof of possession
> Fingerprints, facial image/geometry and iris images can be stored on card.
> Match on-card: the live sample is compared against the stored reference template inside the card, so the template never leaves it.
• Biometric templates can be stored on the smart card for personal identification.
> Fingerprint template is ~200 bytes
> Iris template is ~500 bytes
• Biometric credential must be exchanged over a secure channel (trusted path) between sensor and card.
Standards: INCITS 378 / CBEFF (fingerprints); INCITS 379 (iris); OASIS BIAS; BioAPI; Java Card BioAPI; FIPS 201 / PIV
Using Smart card based Biometrics as an Authentication Credential
8. Managing Govt ID Issuance Life-cycle
Identity Management life-cycle events (a cycle):
Identity Registration → Identity Enrollment & Adjudication → Card/Credential Issuance → Physical & Logical Access Control → Credential Maintenance → Identity Termination
9. Managing Govt ID Issuance Lifecycle
Smartcard issuance life-cycle using Sun Identity Management Suite
[Diagram: Sun IDMS at the centre. Inputs: Demographic Data, Biometrics, PKI. Outputs: Identity Proofing, Verified Credentials (Smartcard / Biometrics), Physical Access Control, Logical Access Control]
10. Sun IDM Authorization Workflow
[Diagram: two-row workflow; each step is gated by an Approval/Denial from a Hiring Manager, Enrollment Officer or HR Officer/Manager]
Row 1: Applicant → Registration (Breeder Documents) → Enrollment (Biometrics) → Identity Proofing & Adjudication → Card Issuance & Activation
Row 2: Provisioning (Physical & Logical Access) → Credential Maintenance → Retirement / Termination
• Sun IDM manages the authorization workflow and the approvals and denials by each authority.
• Sun IDM facilitates digitally signed approvals using Smart card based credentials verified against a PKI provider.
11. Smart card based Credentials - Logical Access Control
Sun Confidential: Sun Employees and Immersion Week 2008 Partner Attendees Only.
12. Sun Rays In a Govt eID Environment
Security
Manageability
Reliability
Mobility
Value
Sun Ray supports the use of most eID and
CAC/PIV Cards
13. Logical Deployment of Sun Rays
Smartcard based authentication – Virtual/Remote Desktop/Application environment
• PC & Thin Client users can securely access their remote desktops & applications from any location using PIV Cards. Once PIV authenticated, the access tier establishes a display connection to the user device and a protocol connection to the back-end desktop OS and applications.
• Access layer: the access tier controls user access and application profiles, maintains audit logs of user and application usage, and provides the display engine to the user desktop.
• The access tier supports standard authentication mechanisms: LDAPv3, Active Directory, NIS, MS Windows Domain.
• Each user desktop environment (Windows XP / 2003) runs on a virtual machine located in the corporate data center.
• Native protocols are used to access apps. No modification of the OS or apps is required. All desktop and application communication remains in the data center.
[Diagram: PIV Credential → Sun Rays → Firewall → Sun Access Tier (Authentication, Identity/Auth.) → Firewall → Desktop Virtualization (ESX) → Applications, all in the Data Center]
• Secure remote desktop access from any location using Sun Rays
• Combine existing authentication and authorization mechanisms using Sun IDMS and Sun VDI
14. Sun CMT Servers: Wire-speed Security
UltraSPARC T2 offers On-chip Cryptographic Acceleration for PKI Applications
• Sun UltraSPARC T2 offers industry-leading cryptography performance for PIV environments.
> On-chip crypto units offload the heavy PKI and cryptographic workloads from the general-purpose cores.
> Out-performs competition on SSL and public-key crypto operations
> Over 30x greater RSA-1024 performance than a 2-socket IBM p510
• Supports commonly used algorithms for public-key cryptography, bulk encryption and secure hashing
> Public-key cryptography (RSA, DSA, Diffie-Hellman, ECC)
> Bulk encryption (RC4, DES, 3DES, AES)
> Secure hash (MD5, SHA-1, SHA-256)
> RC4, DES, MD5 and SHA-1 are supported for legacy interoperability; they are deprecated for new use, so a PIV deployment should pick AES, SHA-256 and RSA/ECC from this set.
16. U.S. Department of Defense
[Figure: sample DoD identification card (Armed Forces of the United States; photograph, organization seal, name, issue and expiration dates, chip), as on slide 2]
• Military ID and Geneva Convention Card
> Common credentials for verified identity
> DoD-wide health benefits ID card
> Physical access and manifesting
> Logical access with PKI/digital signature
• Well established security certification platform with numerous cards carrying FIPS 140 ratings
> High degree of security and assurance
• Supports additional military branch-specific applications at issuance and post-issuance
• Flexible to support original CAC format, CAC transitional format and PIV format (evolution of requirements)
• Deployment: 3M+ active duty units. Over 12M units to date. Issuing 30K+ units a day at peak war periods
17. US Federal Employee PIV Card
• Homeland Security Presidential Directive 12 (HSPD-12) mandated a Federal Government-wide smart card ID program.
> Use of combined PKI and Biometric credentials
• Dual interfaces for both Physical and Logical access
> Secure Contact/Contactless access to target resources
• To date, all deployed PIV cards are Java Card
> Conformance to Java Card 2.2.1
• By 2013 over 12 million PIV cards will have been issued
• The PIV model is being replicated in the US Federal Govt in programs such as the Transportation Worker Identification Credential (TWIC), First Responder ID, Immigration Cards and potentially Driver's Licenses
18. Taiwan Healthcare ID
• National health insurance ID card
• Multi-application smart card
> Identification, medical profile
and benefits
> E-Purse capable
> Restricted use by other governmental
agencies to protect privacy
• Supports open standards and
post-issuance of new applications
• 40M Java Cards deployed
19. Belgium National ID
• First country in the EU to deploy a citizen ID card to the entire population
• Multi-application Java Card
> Identification, e-Government Services,
e-Voting, etc.
> Filing Tax Returns, Birth Certs, Civil Records
> Digital Certificates: Authentication, Digital
Signature
– PKCS15 Conformance
> Commercial Applications: e-Banking, e-Ticketing
• Common Criteria EAL 5+ Certified
• Deployment: 40+ Million Java Cards
20. Thailand National ID Card
• National Citizen ID card to entire population
> Multi-application Java Card-based Smart Card
> Personal ID, fingerprints, tax, social welfare and social
security numbers, agricultural data and healthcare data.
> Citizens will be able to access eGovernment services at
e-government kiosks nationwide and by smart card
readers integrated into desktop computers.
• 60M+ Java Cards deployed
21. Oman National ID Card
• First country in the Middle East to start deploying a large-scale citizen ID card to the entire population
> Multi-application Java Card-based smart card
> Provides positive identification with digital photograph, digital
certificates and biometrics authentication
> Have plans to add driver’s license, emergency medical data
and border control applications
• Deployment: 3M+ Java Cards
22. United Arab Emirates National ID
• National Citizen ID Card to Entire Population
> Multi-application Java Card-based Smart Card
> Positive Identification with Digital Photograph, Digital
Certificates and Fingerprint Biometrics Authentication
> Enabled e-Government Services
> Plans to add Driver’s License, Emergency Medical Data and
Border Control Applications
• Deployment: +4.5 Million Java Cards
23. Macau Government ID Card
• Multi-application Java Card-based Smart Card
> Identification, Border Control, E-Government, E-Commerce and Public Services Access
> Driver's License and E-Purse Envisioned in Future
• Secure Laser Engraved Java Cards
> Facial Image,Signature, and Fingerprint Biometrics
> PKI/Certificates
• GlobalPlatform-compatible Card Mgt. System
24. More...Java Card's Govt ID Successes
•UK NHS and MoD
•Canadian ePassports
•Portugal National ID
•Qatar National ID
•Azerbaijan National ID
•Morocco National ID
•Finland National ID
•Italy National ID
•Queensland Australia Drivers License
•And approximately 20 other countries exploring Java Card
25. Thank You !
Ramesh Nagappan
ramesh.nagappan@sun.com
http://www.coresecuritypatterns.com/blogs
Brian Kowal
Head, Java Card Marketing & Sales
Brian.Kowal@sun.com