Government Citizen ID using Java Card Platform



  1. Govt. Citizen ID with Java Card™ Platform
     Emphasis on the role and relevance of Java Card and Sun Identity Management technologies.
     Ramesh Nagappan, Security Technologist, ISV-E
     ramesh.nagappan@sun.com
     http://www.coresecuritypatterns.com/blogs
  2. Undisputed Market Leader in Multi-Application Smart Cards
     Market segments: Loyalty, Corporate, Finance, Telecom, Government/Healthcare
     [Figure: sample U.S. DoD identification card (Armed Forces of the United States) showing photograph, organization seal, chip, name, issue date and expiration date]
     Slide 2 © Sun Microsystems 2009
  3. Introduction to Java Card Technology
     Security and portability with reliability as the core value proposition
     • A programmable runtime engine for smart cards
       > Open and standards-based
       > Built for multi-application
       > Proven security (enabling on-card PKI/biometric credentials for physical/logical access control)
     • A future-proof platform for smart card based services
       > Dynamic application loading
       > Test-suite enforced interoperability
       > Cryptography and biometrics support
     • A reference technology for smart card issuers
       > Market leader in security for Government and Citizen ID
       > Market leader in reliability for wireless, banking, ID
       > Choice of multi-sourcing: obtain cards from multiple vendors
  4. Java Card Adoption
     • 6 billion Java Card units deployed
       > Variety of form factors: SIM cards, secure flash memory, passports, USB tokens, smart cards, contactless cards
     • Leader in market segments
       > Telecom (de facto standard for SIM cards!)
       > Banking (payment card)
       > ID (Citizen/Govt/Defence/Intelligence)
       > PayTV (cable/dish subscriber card)
       > Transport, Healthcare...
  5. Java Card vs MULTOS
     [Figure: comparison chart, not recoverable from the text]
  6. Java Card as Cryptographic Token
     PKI enabled smart cards
     • A credit card sized computing device acts as a cryptographic token.
       > Contact / contactless cards
     • Allows performing core PKI functions
       > Key generation
       > Public/private key operations
       > PIN/biometric authentication
       > Challenge/response authentication
     • Supports the use of public-key infrastructure to verify the identity claim.
       > PKI credential issuance
       > Credential validation/verification via OCSP, CRLs
     • Defends against tampering and hacking.
       > PKI/private key protection
     Standards: ISO 7816; Java Card, MULTOS; GlobalPlatform; PC/SC; FIPS-201/PIV, CAC; PKCS#11, PKCS#15; GSM/PCS; EMV (Europay/Mastercard/Visa)
     Using smart card based PKI as an authentication credential
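     As an added illustration of the PIN and challenge/response points on this slide (example code, not from the deck or from Sun), a hypothetical Java Card applet: the host must pass VERIFY before the card will sign a challenge, and the RSA private key is generated on-card and never exported. The instruction codes and the initial PIN are assumptions.

```java
import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.OwnerPIN;
import javacard.security.KeyBuilder;
import javacard.security.KeyPair;
import javacard.security.Signature;

// Hypothetical minimal ID-token applet: a PIN gate in front of an on-card RSA
// private key that signs host challenges and never leaves the card.
public class IdTokenApplet extends Applet {
    private static final byte INS_VERIFY_PIN = (byte) 0x20;     // ISO 7816-4 VERIFY
    private static final byte INS_SIGN_CHALLENGE = (byte) 0x2A; // assumed INS for signing
    // Constructed initial PIN; real issuance sets it during card personalisation.
    private static final byte[] INITIAL_PIN = {'1', '2', '3', '4'};
    private final OwnerPIN pin;       // 3 tries, up to 8 digits
    private final KeyPair keyPair;
    private final Signature signer;

    private IdTokenApplet() {
        pin = new OwnerPIN((byte) 3, (byte) 8);
        pin.update(INITIAL_PIN, (short) 0, (byte) INITIAL_PIN.length);
        keyPair = new KeyPair(KeyPair.ALG_RSA, KeyBuilder.LENGTH_RSA_1024);
        keyPair.genKeyPair();                       // key pair generated on-card
        signer = Signature.getInstance(Signature.ALG_RSA_SHA_PKCS1, false);
        signer.init(keyPair.getPrivate(), Signature.MODE_SIGN);
        register();
    }
    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new IdTokenApplet();
    }
    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        short lc = apdu.setIncomingAndReceive();
        switch (buf[ISO7816.OFFSET_INS]) {
        case INS_VERIFY_PIN:   // a wrong PIN decrements the retry counter; 0x63Cx reports tries left
            if (!pin.check(buf, ISO7816.OFFSET_CDATA, (byte) lc))
                ISOException.throwIt((short) (0x63C0 | pin.getTriesRemaining()));
            break;
        case INS_SIGN_CHALLENGE:   // refuse to sign until the PIN has been validated this session
            if (!pin.isValidated()) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
            apdu.setOutgoingAndSend((short) 0, signer.sign(buf, ISO7816.OFFSET_CDATA, lc, buf, (short) 0));
            break;
        default:
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
}
```

     The host side verifies the returned signature against the public key in the card's certificate and checks that certificate via OCSP or a CRL, which is the validation step the slide lists.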
  7. Java Card as Biometric Token
     Java Card based biometric identity
     • Matching physiological or behavioral characteristics to identify a person.
       > High degree of assurance with proof of presence + proof of possession
       > Fingerprints, facial image/geometry, iris images can be stored on card.
       > Match on-card samples to live human samples.
     • Biometric templates can be stored on the smart card for personal identification.
       > Fingerprint template is ~200 bytes
       > Iris template is 500 bytes
     • Biometric credential must be exchanged over a secure network channel (trusted path)
     Standards: INCITS 378 / CBEFF (fingerprints); INCITS 379 (iris); OASIS BIAS; BioAPI; Java Card BioAPI; FIPS-201 / PIV
     Using smart card based biometrics as an authentication credential
  8. Managing Govt ID Issuance Life-cycle
     Identity management life-cycle events: Identity Registration; Identity Enrollment & Adjudication; Credential Issuance; Card/Credential Maintenance; Physical & Logical Access Control; Identity Termination
  9. Managing Govt ID Issuance Lifecycle
     Smartcard issuance life-cycle using Sun Identity Management Suite
     [Figure: Sun IDMS takes demographic data, biometrics and PKI as inputs; after identity proofing it issues verified credentials (smartcard / biometrics) that drive physical access control and logical access control]
  10. Sun IDM Authorization Workflow
     [Figure: Applicant & breeder documents → Identity Proofing & Registration → Biometrics Enrollment → Adjudication → Card Issuance & Activation → Credential Maintenance, Physical & Logical Access Provisioning, Retirement/Termination; each stage gated by an approval/denial from the HR Manager, Enrollment Officer or Hiring Manager]
     • Sun IDM manages the authorization workflow and authority approvals and denials.
     • Sun IDM facilitates digitally signed approvals using smart card based credentials verified against a PKI provider.
  11. Smart card based Credentials - Logical Access Control
     Sun Confidential: Sun Employees and Immersion Week 2008 Partner Attendees Only.
  12. Sun Rays in a Govt eID Environment
     Security, Manageability, Reliability, Mobility, Value
     Sun Ray supports the use of most eID and CAC/PIV cards
  13. Logical Deployment of Sun Rays
     Smartcard based authentication in a virtual/remote desktop/application environment
     • PC and thin client users can securely access their remote desktops and applications from any location using PIV cards. Once PIV authenticated, the access tier establishes a display connection to the user device and a protocol connection to the back-end user desktop.
     • Access layer: the access tier controls the user access and application profiles. It maintains audit logs of user and application usage. It provides the display engine to the desktop OS and applications.
     • The access tier supports standard authentication mechanisms: LDAPv3, Active Directory, NIS, MS Windows Domain. Combine existing authentication and authorization mechanisms using Sun IDMS and Sun VDI.
     • Each user desktop environment runs on a virtual machine located in the corporate data center. No modification of the OS or applications is required. All desktop and application communication remains in the data center.
     • Native protocols are used to access applications.
     [Figure: Sun Rays → firewall → PIV credential authentication at the Sun Access Tier (Identity/Auth.) → firewall → data center with Windows XP / 2003 virtualization (ESX) and applications; secure remote desktop access from any location using Sun Rays]
  14. Sun CMT Servers: Wire-speed Security
     UltraSPARC T2 offers on-chip cryptographic acceleration for PKI applications
     • Sun UltraSPARC T2 offers industry-leading cryptography performance for PIV environments.
       > On-chip crypto threads virtually eliminate the large workloads of PKI and cryptography.
       > Out-performs the competition on SSL and public-key crypto operations
       > Over 30x greater RSA-1024 performance than a 2-socket IBM p510
     • Supports commonly used ciphers for public-key encryption and secure hashing functions
       > Public-key cryptography (RSA, DSA, Diffie-Hellman, ECC)
       > Bulk encryption (RC4, DES, 3DES, AES)
       > Secure hash (MD5, SHA-1, SHA-256)
  15. Mandatory Access Control and Security Labels (Solaris TX)
  16. U.S. Department of Defense
     [Figure: DoD identification card (Armed Forces of the United States) showing photograph, organization seal, chip, name, issue date and expiration date]
     • Military ID and Geneva Convention Card
       > Common credentials for verified identity
       > DoD-wide health benefits ID card
       > Physical access and manifesting
       > Logical access with PKI/digital signature
     • Well established security certification platform with numerous cards with FIPS 140 ratings
       > High degree of security and assurance
     • Supports additional military branch-specific applications at issuance and post-issuance
     • Flexible to support original CAC format, CAC transitional format and PIV format (evolution of requirements)
     • Deployment: 3M+ active duty units. Over 12M units to date. Issuing 30K+ units a day at peak war periods
  17. US Federal Employee PIV Card
     • Homeland Security Presidential Directive 12 (HSPD-12) mandated a Federal Government-wide smart card ID program.
       > Use of combined PKI and biometric credentials
     • Dual interfaces for both physical and logical access
       > Secure contact/contactless access to target resources
     • To date, all deployed PIV cards are Java Card
       > Conformance to Java Card 2.2.1
     • By 2013 over 12 million PIV cards will have been issued
     • The PIV model is being replicated in the US Federal Govt in programs such as the Transportation Worker Identification Credential (TWIC), First Responder ID, immigration cards and potentially driver's licenses
  18. Taiwan Healthcare ID
     • National health insurance ID card
     • Multi-application smart card
       > Identification, medical profile and benefits
       > E-purse capable
       > Restricted use by other governmental agencies to protect privacy
     • Supports open standards and post-issuance of new applications
     • 40M Java Cards deployed
  19. Belgium National ID
     • First country in the EU to deploy a citizen ID card to the entire population
     • Multi-application Java Card
       > Identification, e-Government services, e-Voting, etc.
       > Filing tax returns, birth certificates, civil records
       > Digital certificates: authentication, digital signature (PKCS#15 conformance)
       > Commercial applications: e-Banking, e-Ticketing
     • Common Criteria EAL 5+ certified
     • Deployment: 40+ million Java Cards
  20. Thailand National ID Card
     • National citizen ID card for the entire population
       > Multi-application Java Card-based smart card
       > Personal ID, fingerprints, tax, social welfare and social security numbers, agricultural data and healthcare data
       > Citizens will be able to access e-Government services at e-Government kiosks nationwide and via smart card readers integrated into desktop computers
     • 60M+ Java Cards deployed
  21. Oman National ID Card
     • First country in the Middle East to start deploying a large-scale citizen ID card to the entire population
       > Multi-application Java Card-based smart card
       > Provides positive identification with digital photograph, digital certificates and biometric authentication
       > Plans to add driver's license, emergency medical data and border control applications
     • Deployment: 3M+ Java Cards
  22. United Arab Emirates National ID
     • National citizen ID card for the entire population
       > Multi-application Java Card-based smart card
       > Positive identification with digital photograph, digital certificates and fingerprint biometric authentication
       > Enabled e-Government services
       > Plans to add driver's license, emergency medical data and border control applications
     • Deployment: 4.5+ million Java Cards
  23. Macau Government ID Card
     • Multi-application Java Card-based smart card
       > Identification, border control, e-Government, e-Commerce and public services access
       > Driver's license and e-purse envisioned in future
     • Secure laser-engraved Java Cards
       > Facial image, signature, and fingerprint biometrics
       > PKI/certificates
     • GlobalPlatform-compatible card management system
  24. More... Java Card's Govt ID Successes
     • UK NHS and MoD
     • Canadian ePassports
     • Portugal National ID
     • Qatar National ID
     • Azerbaijan National ID
     • Morocco National ID
     • Finland National ID
     • Italy National ID
     • Queensland, Australia Driver's License
     • And approximately 20 other countries exploring Java Card
  25. Thank You!
     Ramesh Nagappan, ramesh.nagappan@sun.com, http://www.coresecuritypatterns.com/blogs
     Brian Kowal, Head, Java Card Marketing & Sales, Brian.Kowal@sun.com
