Smart cards, ePassports, …    and Open Source    Martijn Oostdijk, Novay  Wojciech Mostowski, UTwente
whois• Martijn Oostdijk, advisor @ Novay• Wojciech Mostowski, researcher @ Utwente• We share a history of applying formal ...
Smart Cards• Chances are you have at least 3 smart cards on  you right now…  – Banking (EMV debit/credit card)  – Telecom ...
Smart Cards•   Simple computer, designed for security•   Simple I/O (ISO 7816 comparable to RS 232)•   With crypto process...
Java Card                applet                            applet                                     applet              ...
Java Card• Higher level of abstraction than native  assembly programming (but only slightly)• Published standard: JLS, JCV...
ePassports
Why? Document authenticityLook-a-likefraud cheaperthan documentfalsificationCheaper to altergenuine than tofabricate one S...
Why? Extra info on user• Face ~ 449x599 .jpg ~ 20KB  – Machine can do (reasonable) match  – Human inspector gets better qu...
Why? ABC                                   [Link]• ePasport == Privium for mere mortals                     12
DEMO
OSS coding “in the boss’s time”•   @RU 2006: BZK funded security test ePassport•   @RU 2009: BZK funded security test EAC•...
Conclusions• Smartcard == “secure core” computer• ePassport primarily for doc authenticity, we will  have to see about bio...
More Info•   http://jmrtd.org•   http://isodl.sf.net•   http://javacardsign.sf.net•   http://gpj.sf.net•   http://martijno...
Smart Cards, ePassports, and open source
Smart Cards, ePassports, and open source
Smart Cards, ePassports, and open source
Upcoming SlideShare
Loading in …5
×

Smart Cards, ePassports, and open source

1,597 views

Published on

Presentation on http://jmrtd.org at TkkrLab Enschede on the occasion of Hardware Freedom Day.

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,597
On SlideShare
0
From Embeds
0
Number of Embeds
8
Actions
Shares
0
Downloads
24
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Smart Cards, ePassports, and open source

  1. 1. Smart cards, ePassports, … and Open Source Martijn Oostdijk, Novay Wojciech Mostowski, UTwente
  2. 2. whois• Martijn Oostdijk, advisor @ Novay• Wojciech Mostowski, researcher @ Utwente• We share a history of applying formal methods to smart cards (in Nijmegen)• And as a result started some open source projects: – JMRTD.org (ePassport API & applet) – GPJ (Global Platform), ISO 18013 (eDL), PKI applet
  3. 3. Smart Cards• Chances are you have at least 3 smart cards on you right now… – Banking (EMV debit/credit card) – Telecom (SIM card) – Government (passport / identity card) – Public transport (“OV chipkaart”) – Access control (access key card for building) – Conditional access (card for TV decoder)• They’re EVERYWHERE!
  4. 4. Smart Cards• Simple computer, designed for security• Simple I/O (ISO 7816 comparable to RS 232)• With crypto processor• And security counter measures – Noise generator – Dual rail logic – Active grid• Ranging from “filesystem with access control” to “fully programmable microcontroller”
  5. 5. Java Card applet applet applet Java Card Java Card platform API Java Card Virtual MachineCommand APDUResponse APDU smart card hardware
  6. 6. Java Card• Higher level of abstraction than native assembly programming (but only slightly)• Published standard: JLS, JCVM• Multiple applets on one card• Use standard Java toolset to develop for JC• Simpler VM: 16 bit arithmetic, simpler API, no floats• More complex: transactions, applet firewall• Crypto API (for access to crypto processor)
  7. 7. ePassports
  8. 8. Why? Document authenticityLook-a-likefraud cheaperthan documentfalsificationCheaper to altergenuine than tofabricate one Special paper, some stamps typewriter Watermark Polycarbonate Document with holder page public key crypto signature 10
  9. 9. Why? Extra info on user• Face ~ 449x599 .jpg ~ 20KB – Machine can do (reasonable) match – Human inspector gets better quality• Fingerprints ~ 35KB – Machine can do match• Signature ~ 2KB – Machine can check authenticity, based on country root certificateCompare QR code: 7KB max11
  10. 10. Why? ABC [Link]• ePasport == Privium for mere mortals 12
  11. 11. DEMO
  12. 12. OSS coding “in the boss’s time”• @RU 2006: BZK funded security test ePassport• @RU 2009: BZK funded security test EAC• @RU/Novay: RDW funded pilot• @Novay: NLnet funded project• @Novay: project for ScanTech-IT (Denmark)
  13. 13. Conclusions• Smartcard == “secure core” computer• ePassport primarily for doc authenticity, we will have to see about biometric, ABC, etc.• Academic project == good starting point OSS• Smart cards, Java Card, ePassport … small incrowd of developers & users. It’s not Linux / OpenOffice• Still, some adoption, and developers, perhaps NFC in more handsets will help
  14. 14. More Info• http://jmrtd.org• http://isodl.sf.net• http://javacardsign.sf.net• http://gpj.sf.net• http://martijno.blogspot.com• http://wwwhome.ewi.utwente.nl/~mostowski wi/

×