SmartCard Forum 2009 - New trends in smart-cards technology

Published in: Technology

  1. Smart Card Forum, May 21st, 2009. New trends in smart-cards technology
  2. Agenda
     • Gemalto introduction
     • Computer Authentication Solutions
     • Biometrics on Computers
     • Smart Card, Biometrics and Convenience
  3. Making people’s everyday interactions with the digital world secure and easy
     Gemalto provides end-to-end solutions for digital security, from the development of software applications, through the design and production of secure personal devices such as smart cards, e-passports and secure tokens, to the deployment of managed services for our customers
  4. Introducing Gemalto
     World Leader:
     • World’s #1 for SIM (2)
     • World’s #1 for chip payment cards (3)
     • World’s #1 reference for e-passports (4)
     • World’s #1 install-base of over-the-air (OTA) platforms for GSM networks (5)
     • Pioneer and patent holder of high-speed SIM for mobile Internet, multimedia and mobile contactless applications
     • Pioneer of the .NET card, the first Microsoft Vista compatible smart card solution
     Key figures:
     • € 1.7 billion revenue 2008
     • Innovation investment:
        – 10 R&D sites worldwide
        – 1,300 engineers
     • Global footprint:
        – 19 production sites
        – 31 personalization centers
        – 85 sales & marketing offices
     • Experienced team:
        – 10,000 employees
        – 90 nationalities
        – 40 countries
     Source: (1) Gartner 2006; (2) Frost & Sullivan 2006; (3) The Nilson Report 2007; (4) Keesing Journal of Identity 2007; (5) Gemalto 2007
  5. Gemalto's worldwide presence
  6. Agenda
     • Gemalto introduction
     • Computer Authentication Solutions
     • Biometrics on Computers
     • Smart Card, Biometrics and Convenience
  7. Computer Authentication Solutions
     • There are many ways to authenticate to a computer:
        – Username/Password
        – Tokens storing credentials
        – Tokens storing digital certificates
        – Biometrics unlocking credentials or digital certificates stored on PC
        – Dynamic passwords (OTP), challenge & response
        – ... to name a few
     • Multifactor is recognised as necessary
        – Something you know, something you are, something you own
     • Simplicity is key
        – Complex solutions lead users to look for shortcuts!
     • Strong link to users is necessary
        – Avoid credential passing/borrowing
        – Enables non-repudiation
  8. The need for strong authentication
     • High profile cases
        – UK aide to Gordon Brown gets BlackBerry stolen
           – http://www.timesonline.co.uk/tol/news/politics/article4364353.ece
           – “Downing Street BlackBerrys are password-protected but security officials said most are not encrypted”
        – FBI loses 3-4 laptops a month (2007)
           – AP, http://www.msnbc.msn.com/id/17115660/
           – “Perhaps most troubling, the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information”
     • Regulatory compliance
     • Non repudiation
     • Strong Authentication is an enabler
        – High mobility
        – Home office
        – Trust management
     • Real Strong authentication is mutual!
        – Not only user to computer/network, but also the other way around
  9. Strong Authentication on computers
     • What is “Strong Authentication”?
        – Multifactor
        – Mutual
        – Secure
     • Digital certificates on smart cards/tokens enable all three
        – Only solution today
     • Remaining issues
        – Strong but not absolute binding with user (lending of smart card)
        – Potential day to day issues
           – Lost cards
           – Blocked cards
     • Enter biometrics
        – Enables 3rd factor if needed
        – Makes it more convenient!
        – Boosts user adoption
  10. Agenda
     • Gemalto introduction
     • Computer Authentication Solutions
     • Biometrics on Computers
     • Smart Card, Biometrics and Convenience
  11. Biometrics and Identity
     • “Any distinguishing element of a physical person/entity that can be considered as unique”
     • Remains constant over time – mostly
     • Public – most of the time
     • Difficult to revoke
     • Sensitive – cultural bias
     • → Needs to be considered carefully before using!
     • Principle of Psychological Acceptability: A security mechanism should not make accessing a resource, or taking some action more difficult than it would be if security mechanism were not present.
  12. What type of biometrics?
     • Linked to
        – User acceptance
        – Technology maturity
        – Performance
     • Fingerprint recognition is the only prevalent type of biometrics on regular computers
        – Does not mean other types won't catch up quickly!
        – Swipe readers are now common
     Source: JF Mainguet
  13. Fingerprint authentication
     • Good maturity – standards and evaluation campaigns
     • Large-scale deployments – National ID schemes
     • Good user acceptance
     • Can be achieved in “Match On Card” mode
     • Performance is a tradeoff between:
        – Quality (FAR)
           – Typical figures are well below 0.001%
        – Convenience (FRR)
           – Typical figures are below 2%
        – Accessibility (FTE)
           – Below 1%
  14. Biometrics on computers
     • Almost all corporate notebook brands embed a fingerprint reader either as option or standard
     • Mostly swipe readers, varying quality
     • Surface readers emerging
        – Government standards (FIPS201) as driver
     • 61 Million fingerprint readers to be shipped in 2009
        – Cumulative 300 Million to date
        – (F&S WW Silicon Chip fingerprint market, 2007)
  15. Biometrics and regulations
     • The use of biometrics needs to take local regulations into account
        – CNIL in France
        – European data privacy directives (data protection working party Art 29)
        – UK Data Protection Act
     • Regulations mostly require
        – Justification of means
        – Appropriate protection of biometric data
  16. Biometric Technologies: Reliability vs Convenience
     [Figure: Iris/Retina, Fingerprint, Hand, Face, Signature, Voice, Gait and Keystroke plotted against a +/- reliability axis and a -/+ user friendliness axis, grouped as Behavioral or Physiological]
  17. Fingerprint Recognition
     • Strengths
        – Long experience
        – Good user acceptance
        – Good reliability
        – Easy to use
     • Weaknesses
        – Criminality-related image
        – Leaves traces (latent prints)
  18. Agenda
     • Gemalto introduction
     • Computer Authentication Solutions
     • Biometrics on Computers
     • Smart Card, Biometrics and Convenience
  19. Merging Biometrics & Smart Card
     • Mutual & Strong authentication
        – Using X509 certificates
     • Portable device
        – Personal, linked to user, “regulator friendly”
     • Biometrics establish a strong link to user
        – Multifactor security
     • Convenience
        – User adoption
     • Evolutivity
        – Can adapt to rapidly evolving technology
  20. Existing implementations
     • Standalone Match On Card not linked to certificates
        – Used with ad hoc software
        – Standalone 3rd authentication factor
        – Can be used for identification purposes
     • Standalone Match On Card protecting PIN code and credential storage
        – Enables biometric-protected credential storage
        – Enables biometric-protected PKI certificate usage by PIN replay
     • Match Off Card with fingerprints stored on card
        – Compatible with every existing PKI smart card
        – “Regulator-friendly”
        – Enables both credential storage & PKI cert usage by PIN replay
     • PKI Smart card accepting PIN and/or Match On Card
        – Most secure implementation
        – Enables card-enforced authentication policy (2 to 3 factor)
  21. Current limitations and way forward
     • OS Architecture can lead to limitations
        – MS Crypto API was not written for anything else than PIN code
        – Even though there are openings in future Windows versions
     • Practical Workarounds are available
        – PKCS#11 API has better support for biometrics natively
        – Wrappers for ill-behaving applications are possible
     • Most important limitation
        – A lot of software assumes the use of PIN code for smart cards
     • Practical approach
        – Test and validation!
     [Screenshot: “PIN or Fingerprint Authentication” dialog, prompting “Please swipe your finger OR enter your PIN”, with Biometric Authentication (swipe finger) and PIN Authentication (PIN) areas, a Select Finger control, a “Click here for more information” link, and OK / Cancel buttons]
  22. Why Smart Card with Biometrics?
     • Provides «Something you have» to the authentication scheme
        – & smart card PIN code provides «something you know»
     • Provides privacy
        – No centralized database
        – You carry your own biometric template
     • Provides trust between Authority & End User
        – Mutual authentication
     • Provides simplification of operations
        – One to one matching
  23. Process: Template Extraction & Storage
  24. Process: Matching
  25. Pin vs Bio
     PinCode                                    | Biometrics
     Secret                                     | Public
     Modifiable                                 | Fixed (Template)
     Delegation                                 | No delegation
     Exhaustive attacks                         | Not possible
     Perso very easy                            | Very difficult
     Match very simple                          | Match not trivial
     Very efficient counter measures (for       | Not Yet
     example against physical & logical attacks)|
  26. Conclusion: Smart Cards / Biometrics?
     • Smart-Card + PIN & Biometrics have to be considered as complementary technologies.
     • Smart cards & pin-code need Biometrics
        – Card holder authentication
        – Non repudiable transaction
     • Biometrics need Smart cards & pin-code
        – Privacy
        – Large volume opportunity
        – Simplification: One to One matching
     • The ultimate solution: Smart card & Pin-code + Biometrics + PKI
  27. THANK YOU
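
The FAR/FRR tradeoff from the "Fingerprint authentication" slide, as an added example that is not part of the original deck: it sweeps a match threshold over constructed scores and shows how a card-side retry limit shifts both rates. The score values, function names and the assumption that attempts are independent are illustrative, not taken from the presentation or from any real matcher.

```python
# Constructed similarity scores (0-100), not measurements from a real matcher.
GENUINE = [91, 88, 95, 79, 84, 62, 90, 97, 73, 86]   # enrolled finger vs. its own template
IMPOSTOR = [12, 30, 45, 22, 58, 9, 41, 66, 27, 35]   # other fingers vs. that template


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) as fractions for the rule 'accept if score >= threshold'."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def lowest_threshold_meeting_far(max_far, thresholds=range(0, 101)):
    """Most convenient (lowest) threshold whose FAR stays within max_far.

    Returns (threshold, far, frr), or None if no threshold qualifies.
    """
    for t in thresholds:
        far, frr = rates(t)
        if far <= max_far:
            return t, far, frr
    return None


def with_retries(far, frr, attempts):
    """Effective (FAR, FRR) when the card allows `attempts` tries before blocking.

    Assumes independent attempts (a simplification): an impostor gets in if any
    try succeeds; a genuine user is locked out only if every try fails.
    """
    return 1 - (1 - far) ** attempts, frr ** attempts


if __name__ == "__main__":
    for t in (50, 60, 67, 70, 80):
        far, frr = rates(t)
        print(f"threshold={t:3d}  FAR={far:.2f}  FRR={frr:.2f}")
    print("strictest FAR target:", lowest_threshold_meeting_far(0.0))
    print("3 tries at FAR=FRR=0.1:", with_retries(0.1, 0.1, 3))
```

Raising the threshold trades convenience (FRR) for quality (FAR), while a generous retry counter does the opposite, which is why the retry limit belongs in the card-enforced policy alongside the threshold.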
