SmartCard Forum 2008 - Securing digital identity
Transcript

  • 1. Securing Digital Identity
    An overview of available technologies and solutions to secure digital identity
    Jérôme Lena, IPL Advanced Product Manager, j.lena@oberthurcs.com
    Securing Digital Identity - © 2008 Oberthur Technologies
  • 2. Agenda
    Identity and identities
    Digital identity at risk
    Securing digital identity
    Smart card based solutions from Oberthur
  • 3. Identity and identities
  • 4. What is an Identity? Internal definition
    “Identity” … -noun, plural –ties
    From Latin “identidem”, contraction of “idem et idem”, literally “the same and the same”.
    “The state or fact of remaining the same one or ones, as under varying aspects or conditions.”
    “The condition of being oneself or itself and not another.”
    “The sense of self, providing sameness and continuity in personality over time and sometimes disturbed in mental illness, as schizophrenia.”
    … requires a proof of identity
    Random House Unabridged Dictionary, © Random House Inc. 2006
  • 5. What is an Identity? External definition
    Identity defined by an authority…
      Beginning of modern era: identity proof required only from mobile people (pilgrims, beggars, messengers…)
      Early days of democracy: France, August 4, 1794, first law in the West fixing identity to the birth certificate
      Nowadays: sovereignty and citizenship are the basis of every nation-state.
    … requires a seal of authority
  • 6. Identity in a digital world
    Digital identities are used every day, sometimes all day long…
    Digital identities at work
      Log on to your PC
      Log on to a Wifi hotspot
      Send and receive emails
      Log on to a Virtual Private Network (VPN)
      Log on to legacy corporate applications
    Digital identities at home
      Log on to your PC
      Log on to a Wifi hotspot
      Send and receive emails with an e-mail client
      Send and receive web-based emails
      Chat with instant messaging (Windows Live Messenger, Skype, etc.)
  • 7. Identity in a digital world
    Every new internet service requires a new identity…
    Digital identities for e-commerce
      Online banking, e-wallets
      Online shopping (Amazon™, Pixmania™, …)
      Online selling/auctions (eBay™, …)
    Digital identities for online communities
      Social networks (Facebook, Myspace, Meetic…)
      Online gaming (Role Playing Games, poker)
    Online publishing and sharing
      Photo hosting, video sharing, blogs
  • 8. Identity in a digital world
    … while an “e-citizen” needs a single identity for several internet services.
    Digital identity for e-government services
      Income and other taxes declaration
      Value Added Tax declaration and payment
      Car registration (online declaration for automobile license)
      Personal document request and delivery (birth, marriage, …)
      Social services (unemployment benefits, job search, student grants, …)
      Declaration to the police (theft, accident, …)
  • 9. Digital identity at risk
  • 10. Digital identity at risk: The overexposure threat
    Have you been Googleized lately?
      Specialized search engines are now cropping up (e.g. Spock)
    From social networks to social engineering
      The Facebook “superhero name” information leak*
    Should one be afraid of digital identity theft?
      “post-industrial society, technotronic or informational… will be overwhelming for the ones mastering it badly…”
      “Stolen memories” (Lorenzi & Le Boucher, 1979)
    *Article of Paul Johns, Complinet Chief Marketing Officer (2007)
  • 11. Digital identity at risk: Figures on identity fraud in the UK*
    [Bar chart: cases of identity and impersonation fraud reported, per year from 1999 to 2006; bar values as extracted from the chart: 80 000, 66 000, 56 000, 46 000, 34 000, 24 000, 16 000, 9 000]
    *CIFAS – UK’s Fraud Prevention Service 2007
  • 12. Digital identity at risk: Figures on identity fraud in the US*
    In 2006:
      8.9 million Americans were victimized by identity fraud.
      Total cost of identity fraud was $56.6 billion.
      Average fraud amount per victim: $6,383.
      Average fraud cost per victim: $422.
    *Javelin Strategy/Better Business Bureau 2006 Identity Fraud Survey Report.
  • 13. Digital identity at risk: How does identity theft happen?*
    Listed from the real world, where the individual has some control, to the digital world, where he has no control:
      Lost or stolen wallet, checkbook or credit card
      Mail theft from an unlocked mailbox
      Private documents retrieved from a trash can (“dumpster diving”)
      Information stolen at home (relatives, friends, employees)
      E-mails, calls or text messages pretending to be from a trusted source
      Eavesdropping by a criminal while conducting a public transaction (“shoulder surfing”)
      Criminal changing the address of an account
      Corrupt business employee who has access to private data
      Hacking, viruses, spyware
      Data breach at an organization that maintains access to private information (retailer, school, bank, hospital)
    *Ibid.
  • 14. Digital identity at risk: Threats to digital identity (some control)
    E-mail security issues
      Anybody can create a fake email address
      E-mail communication provides no confidentiality
    Wifi security issues
      WEP encryption was cracked in January 2001 by the University of Berkeley
      Any communication going through a “free” hot-spot can be intercepted
    E-banking security issues
      Increasing attacks to steal user name & password (phishing, pharming, drive-by-pharming)
    Insufficient countermeasures
      User name & password still widely used
      Web image authentication does not offer real protection for online banking (May 2007 Harvard-MIT report)
  • 15. Digital identity at risk: Threats to digital identity (no control)
    Generic IT security issue: digital attacks (a.k.a. “hacking”)
    For data theft
      Industrial spying (pricelists, source code, contracts, blueprints, etc.)
      Customer identity theft (credit card data, personal data, login, etc.)
    For other cyber criminal activities
      To be able to impersonate an identity and carry on anonymously on the internet
      To use e-mail clients or servers to send spam (spam-farm)
      To store and share illegal or stolen files
      To synchronize thousands of computers to disable a web site (DDoS)
      To use computing power to break encryption
      To spread viruses, trojans, spyware, etc.
      To sell complete access to a large company network
    More on these topics: “Dirty Money on the Wires, The Business Models of Cyber Criminals” (Virus Bulletin Conference 2006)
  • 16. Securing digital identity
  • 17. Securing digital identity: Identification
    Unsecure identification
      Username & password over a clear connection
      Internet is an open (distributed) environment: any data can be intercepted
    [Diagram: End-user --(static)--> Service provider]
  • 18. Securing digital identity: Identification, confidentiality
    Identification with confidentiality
      Username & password over an encrypted connection (SSL/TLS: https:// + Internet Explorer’s or Firefox’s …)
      Internet is not a controlled environment
      User’s identity is not authenticated
      Visited web site is not (satisfactorily) authenticated
    Identification with confidentiality and web site authentication
      Username & password over an Extended Validation SSL connection
      Internet is still not a controlled environment
      User’s identity is still not authenticated
  • 19. Securing digital identity: From static to dynamic identification
    Identification cannot be done with constant data
      Any constant data can be intercepted or stolen
      It can then be replayed…
    An end-user can only provide constant data
      Something he knows (passwords, PIN)
      Something he is (biometrics)
    There is a need for a device between the end-user and the service provider
      The end-user inputs a static identification (password, PIN, biometrics) to identify himself to the device
      And the device performs a dynamic authentication with the service provider
    [Diagram: End-user --(static)--> Device --(dynamic)--> Service provider]
  • 20. Securing digital identity: Identification, confidentiality, authentication
    Identification with confidentiality and user authentication
      Username & password over an encrypted connection, with verification of a shared secret
        Paper-based challenge-response
        One time password provided by a time-based dongle
        Smart card-based EMV authentication
    Shared secrets must be… shared
      Distribution of shared secrets is complex and risky
      Mostly suited for one-to-many digital transactions
      Not suited for document signing (non-repudiation)
  • 21. Securing digital identity: Digital identity document
    A digital certificate is an electronic document
      Linking an entity (person, company) with a public key
      Carrying a digital signature linked with a public key from a trusted third party
      Compliant to an international standard (ITU X.509 v203)
    [Diagram: User’s Digital Certificate (user’s public key, user’s name, email, expiration date, etc.) carrying the Issuer’s Digital Signature; issued to the User by the Trusted Third party]
  • 22. Securing digital identity: Identification, confidentiality, authentication, signature
    Public Key Infrastructure (PKI)
      Worldwide accepted model for securing communications on intranet, extranet, internet
      Protocols, services and standards to manage public keys, to distribute and verify digital certificates
      To verify and authenticate the validity of each party involved in a transaction
    [Diagram: User and two Trusted certificate issuers]
  • 23. Securing digital identity: Securing private keys
    PKI security relies on private key security
      Private keys are stored on the user’s hard disk
      A desktop PC is protected only by user/password (in the best case)
      On a PC, private keys can be easily stolen or misused
      On a PC, cryptographic calculation can be monitored or tampered with
    There is a need for a secure device
      To store private keys
      To perform cryptographic calculations
    [Diagram: End-user --(static)--> Secure device --(dynamic)--> Service provider]
  • 24. Securing digital identity: Smart cards to secure PKI
    For secure data storage
      Secure storage of private keys, passphrase, PIN or biometric data
      Secure storage of several digital certificates in X.509 format
      Secure storage of standardized data for digital identification: XMLDSIG (XML Digital Signature), SAML (Security Assertion Markup Language)
      Secure storage of national/specific data structures (e.g. PIV, IAS)
    For complex calculations
      True random generator
      Cryptographic engine (DES, 3DES, RSA, AES, ECC)
  • 25. Securing digital identity: Levels of confidence for digital identity
    Rows: Digital Certificate delivery mode. Columns: Signature tools. Cells: level of confidence (1 = lowest, 9 = highest).
                                        Software only   Smart device + software   Smart device + terminal + software
      Face to face delivery                   3                     6                            9
      Document-based delivery                 2                     5                            8
      Self-registered or self-signed          1                     4                            7
    [Diagram: End-user --(static)--> Secure data entry device --(secure)--> Secure device --(dynamic)--> Service provider]
  • 26. Smart card based solutions from Oberthur
  • 27. Smart card based solutions from Oberthur
    Smart cards, devices and software to upgrade PKI to smart card security
    Smart cards
      Private key generation & secure storage of credentials
      Based on market standards
    Smart card readers & USB Tokens
      Hardware interface between smart cards and the PC environment
      Based on market standards (PC/SC to serial, USB, PCMCIA)
    Client software
      Software interface between smart cards and Windows Operating Systems
      Based on market standards
  • 28. Smart card based solutions from Oberthur: Classic Smart Card
    Features
      Contactless Mifare™ and T=CL interface
      Contact ISO 7816 interface
      Support for X.509 digital certificates
      Support for multiple applications
    Form factors
      ID-1 smart card
      SIM-Plug size
      USB Token
    Standards supported
      Javacard 2.2 with Global Platform 2.1.1
      Common Criteria EAL 4+ PP SSCD* (ISO 15408)
      United States NIST FIPS 140-2 Level 3
    * Compliant with Qualified Electronic Signature as defined by Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures
  • 29. Smart card based solutions from Oberthur: Transparent readers
    Desktop contact readers
    Desktop contactless readers
    Laptop readers
    Enhanced security readers (Common Criteria certified, CC EAL 3+)
      Pinpad & LCD
      Fingerprint biometrics reader
  • 30. Smart card based solutions from Oberthur: Client software (middleware)
    ID-One Classic Mini-driver
      For 32-bit and 64-bit versions of Microsoft Vista™
      Compliant with Microsoft’s new specifications for smart cards (Crypto API Next Generation)
      Tested and validated by Microsoft Smart Card Certification Center in Dublin
      Referenced and available on-line for instant download on Microsoft Update Catalog
  • 31. Smart card based solutions from Oberthur: Client software (middleware)
    ID-One Classic Middleware (AuthentIC Web Pack)
      Support for deployed Oberthur smart cards
      Support for PKCS#11 under Windows Vista™
      Operating Systems: Windows 9x, Windows Me, Windows 2000, Windows 2003, Windows XP, Windows Vista™ 32-bit, Linux
  • 32. Smart card based solutions from Oberthur: Complete solutions bringing smart card security to customer PKI-based digital ID systems
    Secure chips
      ID-One Classic card: contact chip for Digital ID, contactless chip for Access Control
      ID-One Token (USB Token)
      Common Criteria EAL 4+ PP SSCD
      United States NIST FIPS 140-2 Level 3
    Smart card readers
      Desktop readers
      Laptop readers
      Secure Pinpad readers
      Common Criteria EAL 3+
    Interface to link smart card with applications on PC
      ID-One Classic minidriver
      AuthentIC Web Pack middleware for Windows 9x, 2K, 2K3, XP, Vista
    Identity applications
      Secure login
      Electronic signature
      E-mail encryption
    Advanced physical security / Security features
      Secure background
      Invisible ink
      Hologram
    Personalization
      Personalization services
      Embedding
      Fulfillment
  • 33. Thank you
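Slides 19 and 20 argue that any constant credential can be intercepted and replayed, whereas a device holding a shared secret can answer a fresh challenge that is useless a second time. The Python below is an added illustration of that argument, not code from the presentation or from Oberthur; the ServiceProvider and Device classes, the demo secret, the password and the PIN are all constructed for the demonstration.

```python
import hashlib, hmac, secrets

# Constructed demo secret: in the slides' model it sits inside the device and at the provider.
SHARED_SECRET = b"constructed-demo-secret-not-a-real-key"

class ServiceProvider:
    """Accepts a static password (slide 17) or a challenge-response (slides 19-20)."""
    def __init__(self, password: str, secret: bytes):
        self._password = password.encode()
        self._secret = secret
        self._outstanding = set()  # challenges issued but not yet consumed

    def check_password(self, candidate: str) -> bool:
        return hmac.compare_digest(candidate.encode(), self._password)

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh random value per attempt
        self._outstanding.add(challenge)
        return challenge

    def check_response(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown or already-used challenge
        self._outstanding.discard(challenge)  # single use is what defeats replay
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class Device:
    """Stand-in for the smart card: a static PIN unlocks it, it answers challenges."""
    def __init__(self, pin: str, secret: bytes):
        self._pin = pin.encode()
        self._secret = secret

    def respond(self, pin: str, challenge: bytes) -> bytes:
        if not hmac.compare_digest(pin.encode(), self._pin):
            raise PermissionError("wrong PIN")  # the secret never leaves the device
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

def replay_outcomes() -> tuple:
    """Returns (password replay, transcript replay, old response vs new challenge)."""
    sp = ServiceProvider("hunter2", SHARED_SECRET)
    dev = Device("1234", SHARED_SECRET)
    static_ok = sp.check_password("hunter2")  # constructed: password sniffed in clear
    chal = sp.issue_challenge()
    resp = dev.respond("1234", chal)  # an eavesdropper records (chal, resp)
    assert sp.check_response(chal, resp)  # genuine first use is accepted
    replayed = sp.check_response(chal, resp)  # same transcript presented again
    reused = sp.check_response(sp.issue_challenge(), resp)  # old answer, new question
    return static_ok, replayed, reused
```

The sniffed password is accepted every time, while the recorded challenge-response transcript fails both on replay and against a new challenge, which is the whole point of putting a device between the user and the service provider.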