Journal of Computer Science 3 (5): 361-367, 2007ISSN 1549-3636© 2007 Science Publications                      Digital Ide...
J. Computer Sci., 3 (5): 361-367, 2007from being non-transferable among individuals,biometrics do not provide data about t...
J. Computer Sci., 3 (5): 361-367, 2007and processing data that may come with optional                      cash, airline a...
J. Computer Sci., 3 (5): 361-367, 2007Public Key Infrastructure (PKI): is a framework for                                 ...
J. Computer Sci., 3 (5): 361-367, 2007                                                                   [17][18][19]elect...
J. Computer Sci., 3 (5): 361-367, 2007PKI in enabling secure electronic transactions, PKI can                   which, the...
J. Computer Sci., 3 (5): 361-367, 2007verification of both physical and virtual identities. On                  Entitlemen...
Upcoming SlideShare
Loading in …5

Digital Identities and the Promise of the Technology Trio: PKI, Smart Cards, and Biometrics


Published on

This article looks at one of the evolving crimes of the digital age; identity theft. It argues and explains that if three key technologies were implemented together namely biometrics, smart cards, and PKI, then they can deliver a robust and trusted identification and authentication infrastructure. The article concludes that such infrastructure may provide the foundation for e-government and e-commerce initiatives as it addresses the need for strong user authentication of virtual identities.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Digital Identities and the Promise of the Technology Trio: PKI, Smart Cards, and Biometrics

  1. 1. Journal of Computer Science 3 (5): 361-367, 2007ISSN 1549-3636© 2007 Science Publications Digital Identities and the Promise of the Technology Trio: PKI, Smart Cards, and Biometrics A.M. Al-Khouri and J. Bal Warwick University, United Kingdom Abstract: This article looks at one of the evolving crimes of the digital age; identity theft. It argues and explains that if three key technologies were implemented together namely biometrics, smart cards, and PKI, then they can deliver a robust and trusted identification and authentication infrastructure. The article concludes that such infrastructure may provide the foundation for e-government and e- commerce initiatives as it addresses the need for strong user authentication of virtual identities. Key words: identity theft, e-government, G2C, online authentication, biometrics, smart cards, public key infrastructure INTRODUCTION example: Federal Trade Commission report released in 2004; UK Cabinet Office report released in 2002). Identity theft has become the fastest growing crime According to Gartner’s recent study, about 15in the world [1][2]. Undoubtedly, the expansion and million Americans were victims of fraud that stemmedincreasing sophistication of identity theft threatens the from identity theft in the period from mid-2005 andadoption of many strategic information technology (IT) mid-2006[6]. This represented an increase of more thaninitiatives such as e-government and e-business [3][4][5]. 50 percent from the reported 9.9 million in 2003 by theIdentity theft is an activity that takes place when an Federal Trade Commission. Current research andindividuals personal details are taken over or stolen by studies refer to the advances and spread of computersomeone else in attempt to impersonate him/her and technology as the main factor behind this dramatichave access to particular information or service, increase in identity theft [7].perform financial transactions, or even commit crimes. The literature shows that identity theft and fraudIdentity theft has many and increasing links to levels are increasing throughout the world (e.g.,organised crime. Canada, Australia, Britain, and Japan) with gigantic As recently as 10 years ago, people would research costs to victims and business[8]. Some countries haveto find someone who had died before they ever had a introduced identity theft legislation that recognises suchjob. They would then apply for a copy of birth crimes and puts penalties and additional imprisonmentcertificates in the names of those dead people, and use sentences[8]. However, countries around the world areit to obtain other ID documents. However, with the realising that the legislation in itself cannot prevent oradvances in the field of information technology, combat identity theft unless they adopt more effectiveidentity theft has become much easier. For instance, and advanced solutions. One of the approaches pursuedmore than 30 internet websites offer fake IDs for sales by many organisations both in government and privatefrom as little as $40 for a social security card, $79 for a sectors is the employment of advanced technologiesbirth certificate and $90 for a driving license from any such as smart cards biometrics, and PKI. It is widelyUS state. Websites such as and argued that if properly implemented, such offer driving licenses with similar can provide secure and accurate identity verification,security features issued by the US government from all enhance the security of the system and protect thethe 50 US states for $100 each, as well as Canadian integrity and confidentiality of information. The nextID’s. Several hundred dollars buys one a complete ID few sections will look at these three technologies andset, including a military ID and a college diploma. explore them in further detail. Use of false identification is considered to be asignificant threat to homeland security as well as Biometrics: Biometrics is defined as the sciencepersonal and financial security of citizens. It is not easy of using individuals unique physical, behavioural andto gauge the amount of identity fraud at this moment of biological qualities for identification purposes e.g.,time, however, the minimum cost to the economy in fingerprint, hand print, facial recognition, iris, voicesome countries is in excess of $40bn per annum pattern, etc. The first modern biometric device wasaccording to some official studies carried out (see for introduced commercially over 20 years ago. ApartCorresponding Author: A.M. Al-Khouri, Warwick University, UK. 361
  2. 2. J. Computer Sci., 3 (5): 361-367, 2007from being non-transferable among individuals,biometrics do not provide data about the person; butrather, information of the person. The biometric industry found a global marketthrough smart card technology. Biometric identitycards are being adopted in many countries around theworld. Analysts predict biometrics to boom in the nextfew years, referring to the recently released report fromthe International Biometric Group (IBG), whichindicated that the global market sales of biometrictechnologies will grow from less than $1bn in 2003 tomore than $4.6bn in 2008, with fingerprint scanningbecoming the most dominant technology, as illustrated Fig. 2: National physical lab results: FAR vs. FRR [12]in Fig. 1 below. Governments and businesses areincreasingly adopting biometric technologies in the In another evaluation, the UK National Physicalbelief that they will make identity theft and multiple Laboratory prepared a comprehensive feasibility studyidentities impossible. into using biometrics as a means of establishing unique identity, to support the proposed entitlement scheme under development by the UK Passport Service and Driver and Vehicle Licensing Agency [12]. The purpose of the study was to assess the feasibility of three main biometrics namely fingerprint, iris, and face recognition technologies as a medium of identification in a national identity scheme and assessing the associated risks, and forwarding recommendations. The feasibility study concluded once again that biometric methods do not offer 100% certainty of authentication of individuals and that the success of any deployed system using biometric methods depends on many factors such as the degree of the uniqueness of biometric measure, technical and social factors, user interface, etc. However, and in principle, fingerprint and iris recognition were found to provide the identification performance required for unique identification over the entire UK adult population. In the case of fingerprint recognition, the system required the enrolment of at least four fingers, whereas for iris recognition both iris were required to be registered. However, the practicalities of deploying either iris or fingerprint recognition in such a scheme were found to be far from Fig. 1: Biometrics growth [9] straightforward in terms of the complexity of implementation, user training, etc. The National Physical Laboratory conducted a Other studies show that it is the device and theperformance evaluation test of several biometric algorithm used that actually determine the effectivenesstechnologies for a scenario of positive identification of the biometric in use. A recent study by the Nationalinvolving the following biometrics: face, fingerprint, Institute of Standards and Technology (NIST) revealedhand geometry, iris, vein and voice recognition. Iris that fingerprint identification systems have approached 99 percent accuracy with some enhanced devices and,recognition had the best accuracy, with 1.8 percent false perhaps more importantly, a slim 0.01 false positiverejections and no false matches in over two million rate i.e., only about one in 10,000 scans resulting in acomparisons as illustrated in Fig. 2 [10]. Of the other misidentification [13]. The study tested 34 fingerprint IDsystems, fingerprint performed best for low false systems from 18 companies with about 50,000 sets ofacceptance rates (FAR), while hand geometry achieved fingerprints from 25,000 people. The best systemslow (below 1 percent) false rejection rates (FRR). The reached 98.6 percent accuracy for a single-print match,study demonstrated that there is no one universal ‘best’ whereas two-finger matches were accurate 99.6 percent of the time.biometric system yet for both identification orauthentication, rather a combination of two or more SMART CARDS: The smart card is a plastic cardbiometrics may enhance the FAR and FRR factors [11]. with an IC (integrated circuit) chip capable of storing 362
  3. 3. J. Computer Sci., 3 (5): 361-367, 2007and processing data that may come with optional cash, airline and theatre tickets, credit and debit cards,magnetic strips, bar codes, optical strips, holograms, toll tokens, medical records, and keys. Fig. 4 providesetc, on a variety of card bodies. further information about the emerging card Developed in 1973 by the Frenchman Roland technologies and their uses.Marino, the smart card was not introducedcommercially until 1981, when the French statetelephone system adopted it as an integral part of itsphone card network. This led to widespread use inFrance and then Germany, where patients have hadhealth records stored on the cards. Table 1 provides ahighlight on the developments of the smart card fromthe 1970s to-date. Due to their capabilities, they are increasinglypopular in many industries around the world mostparticularly in telecommunications, but also banking,transportation (e.g., vehicle registration and drivinglicences) healthcare, insurance, and e- governance.With the increasing need for security, smart cards arebeing viewed as the ideal medium for implementing asecure identification and authentication infrastructure[14][15] . Fig.3: Types of Smart CardTable 1: Smart card developments Contact Cards The most widely used one. They have to 1970s Smart Card Technology invented by one of be moved past a reader i.e., require the Schlumberger companies (i.e., Axalto) to insertion into a smart card reader with a curb fraud direct connection to a conductive micro- module on the surface of the card 1980s First commercial applications as a pre-paid Contactless Cards Require only close proximity (a few memory card in the public telephony sector, inches) of a reader. followed by the banking industry which incorporated microprocessor capabilities Combi Cards Could be used in both situations. Their main attraction is that one card could fill 1990s telecommunication industry adopted smart many purposes, such as credit card, bank cards as SIM cards card, membership card, ID-card, etc, all in the same card Mid 1990s advent of Open Platform cards e.g., Java cards (invented in 1996) which boosted multi-application cards, Smart cards are widely being adopted in many e- government and e-business initiatives as a vital element Usage of complex cryptography and become a medium to store, carry and transact with of a secure identification infrastructure and as a digital signatures. platform to hold both biometrics and PKI [16]. The next Introduction of contact-less technology and section will explain the PKI and its role in providing a the invention of combi cards (contact + higher trusted standard of authentication. contactless) in 1996-97 Late 1990s Applications based on contact-less technology and the invention of combi cards (contact + contactless) in 1996-97 2002 Invention of .NET technology in 2002 which led to the increase of smart card memory capacity to 512 K byte Smart Card chips normally look like in the diagrambelow (Fig. 3), with an integrated circuit built into it.This integrated circuit may consist only of EEPROM inthe case of a memory card, but may also contain ROM,RAM and a CPU. As memory capacity, computing power, and dataencryption capabilities of the microprocessor increase,many research studies indicate that smart cards areenvisioned as replacing commonplace items such as Fig.4: Emerging Card Technologies 363
  4. 4. J. Computer Sci., 3 (5): 361-367, 2007Public Key Infrastructure (PKI): is a framework for PKI encompasses a set of complex technologies ascreating a secure method for exchanging information illustrated in Table 2 which shows the main PKIbased on public key cryptography. It is widely components. In a PKI environment, one would requireconsidered to be one of the prime components along a digital certificate, which usually contains thewith smart card and biometric technologies to enhance individuals public key, information about the certificatethe overall security of systems. PKI is known to authority, and additional information about theprovide two main features: certificate holder. The certificate is created and signed(a) security, and (b) encryption, to fulfil four vital (digital signature) by a trusted third party; certificaterequirements and establish what is called a trust authority (CA). The individuals identity is bound toenvironment (see also fig. 5): the public key, where the CA takes liability for the authenticity of that public key, to allow a secure1. authentication communication environment.2. confidentiality3. integrity, and Table 2: PKI Architecture4. non-repudiation • Defines requirements and standards for issuance and management of keys and Security Policy certificates and the obligations of all PKI entities, and used to determine level of trust the certificate affords Authentication • Authenticate subscribers, issue & manage Assurance of the persons identity or the data originator Certification certificates, schedules expiry date for through the use of Digital Authority (CA) certificates and revokes them when the Certificates10. Data Privacy/ Confidentiality validity period expires. Maintaining data consistency &integrity Registration • provides the interface between the user and through Data Hashing 11 Authority - CA. It verifies the identity of the user and (RA) passes the valid requests to the CA. Authorisation/ Integrity • is usually through a directory service. A Certificate Maintaining data consistency directory server may already exist within an and integrity through Data Hashing12 Distribution organisation or may be supplied as part of Non-repudiation System Communication originator can’t deny it the PKI solution. later i.e., guarantees the ownership of the electronic document through the use • is a cryptographic toolkit employed to PKI- of the use of Digital Signatures 13 PKI Enabled enable applications e.g., communications applications between web servers and browsers, email, Fig. 5: PKI Trust framework electronic data interchange (EDI), virtual private networks (VPNs), etc. n a PKI environment, a pair of two different Source: Certicom - www.certicom.comcryptographic keys is used for encryption and The registration authority (RA) is where thedecryption purposes, referred to as public and private individual or the organization requesting the certificatekeys. The private key is kept secret by the user or in is checked to ensure that they are who they claim theythe system, and the public key is made public. The are. Another fundamental component of PKI is thekeys are mathematically related and could not be certificate distribution system which publishes thededucted from one another. Data encrypted with one certificates in the form of an electronic directory,key can be decrypted only wit the other complementary database, or through an email to allow users find them.key and vice versa (see also Fig. 6). PKI enabled applications usually refer to applications that have had particular CA software suppliers toolkit added to them so that they are able to use the suppliers CA and certificates to implement PKI functions such as in emails and networks for encrypting messages. The certificate policy, also referred to as certificate management system, is where the certificate procedures are defined including the legal liabilities and responsibilities of the involved parties. Digital Signature: Based on a range of encryption techniques, digital signature; one of the essential Fig. 6: PKI Trust framework services of PKI allow people and organizations to 364
  5. 5. J. Computer Sci., 3 (5): 361-367, 2007 [17][18][19]electronically certify such features as their identity, . Nonetheless, studies also show that PKI on itstheir ability to pay, or the authenticity of an electronic own will not provide maximum security fordocument. The digital signature also referred to as authentication unless it is incorporated with otherencrypted hashed text is a digital fingerprint; a value security technologies such as smart cards, biometrics,which is calculated from the information in a message virtual private networks, etc. [20][21][22]through the use of a cryptographic hash function. Anychange to the message, even of a single bit typically The Application of the Technology Trio: Asresults in a dramatically different message digest. explained earlier, statistical data in the literatureFigure 8 shows an example of a system generating a provides horrifying data about identity theft and howhash value from the message and encrypting it with the much it is costing both public and private organizations.originators private key. The message which could also In order to combat identity theft, organizations need thebe encrypted is sent along with the digital signature to means by which they can accurately recognize peoplesthe recipient who will then decrypt the digital signature identities in two main forms as illustrated in Fig. 8:with the senders public key to change it back into amessage digest. If the decryption was successful then it (a) identification (1:N) andproves that the sender has signed the message, because (b) verification - also referred to asonly him/her has the private key. The recipient then authentication - (1:1).calculates the hash value out of the received message,and compares it with the message digest. If the messagedigest is the same as the message digest created whenthe signature was decrypted, then the receiver can beassured that the signed message/data has not beenchanged or tampered with. Fig. 8: Accurate identification/verification requirements Fig. 7: PKI Trust framework The technology trio of PKI, smart cards and In their study to understand the PKI infrastructure biometrics is being widely considered to address theand how it may support electronic authentication and e- need for precise identification and authentication ofgovernments, [17] adopted an organisational framework individuals. They offer a solid business model that not to facilitate the understanding and classification of only addresses high-level security requirements andelectronic services according to their security strong authentication but also protects individualrequirements (e.g. issuing birth certificates, submitting privacy and preserves resources. The adoption of thesetax forms, conducting electronic payments, etc.). The three technologies will create the two fundamentalfindings of the study demonstrated that the security elements:services offered by the public key infrastructure can be 1. a trustful mechanism to identify and authenticateemployed for fulfilling most of the identified security individuals, andrequirements for an integrated e-authentication platform 2. a secure communication and transactionaland a one-stop e-government portal as illustrated in environment.Table 3. However, other requirements like availability, Smart cards, for instance, can serve as the issuer’sperformance, un-coercibiliy, un-traceability, and agent of trust and deliver unique capabilities to securelyanonymity could not be fulfilled, and additional and accurately verify the identity of the cardholder,security measures were found necessary. authenticate the ID credential, and serve the credential In addition, several studies have proved that PKI is to the ID system [23]. PKI, on the other hand, hasthe state-of-art technology in the field of digital emerged as the most reliable framework for ensuringauthentication and overall security infrastructure security and trust [24][25]. Apart from the main benefit of 365
  6. 6. J. Computer Sci., 3 (5): 361-367, 2007PKI in enabling secure electronic transactions, PKI can which, their efforts is likely to standstill. In otheralso be used to encrypt the data stored in the chip (e.g., words, governments need varying levels ofpersonal information, digital photo, biometrics, etc.), in authentication strength based on the value or sensitivityaddition to the data stored in the database, to limit of their online information or services, balanced againstaccess to only authorised persons and entities. other considerations like usability, deployment, and Biometrics allows the padlocking of the person to budget.the card. In doing so, the card cannot easily be It is important to heed that the essence of G2C e-transferred to another individual. In particular, given government is that transactions occur between peoplethe current focus on the use of biometrics in ID card that are represented by machines. The anonymity ofsystems, its sets out architecture for strongly- these transactions makes it more difficult to identify theauthenticated identity cards that deliver (perhaps parties involved and to ensure a trusted businesscounter-intuitively) both enhanced security and relationship. Since all successful business relationshipsenhanced privacy. are based on trust, establishing online trust should be Through the incorporation of these three one of the primary goals of any e-governmenttechnologies in an identity management system, initiative[23]. The focus must be building a trustindividuals are not locked into one form of environment that provides a high level of data privacy,authentication, but rather three different forms of data integrity, and user authorisation. Nonetheless, andauthentication (see also Fig. 9): as mentioned earlier that the real cornerstone of G2C e-1. knowledge factor: a password to ascertain what one business trust is authentication: that is, knowing with knows whom the government is doing business with. PKI,2. possession factor: a token (smartcard) to ascertain smart cards, and biometrics are the technologies that are what one has, and believed to be the key components of the trust model to3. biometric factor: biometric recognition (for address both electronic transactions security and online example fingerprint or thumbprint) to ascertain identity authentication. Using the power of the who one biologically is. presented technologies in this article, government organisations and businesses alike can use varying something you have? levels of authentication depending on the level of security required for a particular transaction as depicted smart card in Fig. 10. Complexity Biometrics with PKI something you something you PKI/Digital know? password biometric are? Signature Pin/ Password None Class I Class II Class III Class IV Fig. 9: Three factor authentication Regulatory Account Regulatory Wire Risks Guidelines Summary Filing Transfer As such, if one factor has been compromised, Authentication: None Weak Strong Extremely strongfraudsters need to pass through another two levels of Authorisation: Confidentiality: None None Weak Data in Transit Strong Data at rest Strong Data element levelauthentication. By requiring three forms ofidentification to access credentials, organisations will no risk and low Low risk & require require stronger most stringentbe able to bind card holders (digital) identities on the in complexity one factor authentication e.g., user id & password authentication and authorisation as well as requirements for identity verification security,card to their physical identities. confidentiality of data in databases compliance, and intelligence From an e-government perspective, the key to G2Ce-government is authentication i.e., the ability to Fig. 10: An example of types of authenticationpositively identifying and proving the authenticity of for G2C e-gov servicesthose with whom the government conduct businesswith. Without authentication, other security measures CONCLUSIONput in place for many G2C transactions can beineffective. The argument here is that for G2C e- Organisations will be better able to protect theirgovernment to progress, governments need a strong systems and assets with the application of biometrics,online trusted authentication infrastructure, without smart cards, and PKI, that provides them with a better 366
  7. 7. J. Computer Sci., 3 (5): 361-367, 2007verification of both physical and virtual identities. On Entitlement Scheme for UKPS, DVLA and thethe plus side, the principal advantage to be gained is Home Office, National Physical Laboratory, UK:more reliable authentication of identities. Without a http://uk.sitestat.c- om/homeoffice/homeoffice/s?docs2.feasibility_studoubt, strong user authentication must be viewed as the dy031111_v2&ns_type=pdffoundation for any e-government and e-commerce 13. McCeary, L., 2004. The Fact of Fingerprints, Theinitiatives [17]. In fact, apart from improving traditional Resource for Security Executives,approaches to identification and authentication, these are seen as the key to e-government, and a 14. George, T.C., 2003. The inside of a smart story:secure digital infrastructure. This utilisation of the smart cards are increasingly becoming relevant inthree named technologies in this paper should have a our everyday life, Businessline, Chenai, October 22, p. 1.profound positive impact not only in terms of the 15. MacGowan, J., 2003. Smart Cards: Enabling e-reduction of identity theft and fraud activities, but Government, Bloor Research,having such an infrastructure should enable the of current government services and 151paving the way for more investment in electronic 16. Gardner, S., 2004. Europe Get Smart, euro-services. In short, the promise of the technology trio is, Hopefully, future applications and 17. Lambrinoudakis, C., Gritzalis, S., Dridi, F., &developments, implemented in well managed products Pernul, G., 2003. Security requirements for e-will prove this right. government services: a methodological approach for developing a common PKI-based security REFERENCES policy, Computer Communications, vol. 26, pp.1873-1883.1. Briefel, A., 2006. The Deceivers: Art Forgery and 18. Conry-Murray, A., 2002. PKI: Coming to an Identity in the Nineteenth Century. Cornell enterprise near you?, Network Magazine, vol. 17, University Press. no. 8, pp. 34-37. 19. Critchlow, D. & Zhang, N., 2004. Security2. Shute, J., 2006. User I.D.: A Novel of Identity enhanced accountable anonymous PKI certificates Theft. Mariner Books. for mobile e-commerce, Computer Networks, vol.3. Adams, J., 2003. E-Fraud Fight Prompts Credit 45, no. 4. Agencies Cooperation, Bank Technology News, 20. Ellison, C. & Schneier, B., 2000. Ten Risks of PKI: vol. 16. no. 6., p. 14. What Youre not Being Told about Public Key4. Marcus, R. Hastings, G., 2006. Identity Theft, Inc. Infrastructure, Computer Security Journal, vol. xvi, Disinformation Company. no. 1, pp.1-8.5. Middlemiss, J., 2004. Gone Phishing, Wall Street 21. Doan, 2003. Biometrics and PKI based Digital & Technology, August, pp. 38-39. Signatures, White Paper, Daon , McCarthy, C., 2007. Study: Identity theft keeps 22. Kolodzinski, O., 2002. PKI: Commentary and observations, The CPA Journal, vol. 72, no. 11, p. climbing, CNET 10 23. SCA, 2004. Secure Identification Systems:7. Zalud, B., 2003. Real or fake?, Security, vol. 40, Building a Chain of Trust, Smart Card Alliance, no. 3, pp. 12-18. Anonymous, 2003. ID theft tops fraud list again, 24. Hutchison, R., 2000. E-Government: Walk before ABA Bank Compliance, vol. 2, p. 5-6. you run, Canadian Business, Toronto, vol. 73, no.9. International Biometric Group, 16, p. 36 25. Russell, S., Dawson, Ed., Okamoto, E., & Lopez,10. Mansfield, T., Kelly, G., Chandler, D. and Kane, J., J., 2003. Virtual certificates and synthetic 2001. Biometric Product Testing – Final Report, certificates: new paradigms for improving public key validation, Computer Communications, vol. National Physical Laboratory, UK, 26, pp. 1826-1838. 26. BiometricTestReportpt1.pdf 27. Al-Khouri, A.M. & Bal. J., 2007. Electronic11. Mansfield, T., 2001. Biometric Authentication in Government in the GCC countries, International the real world, National Physical Laboratory, UK, Journal Of Social Sciences, vol. 1, no. 2, pp.83-98. ns/biometrics/psrevho.pdf12. Mansfield, T. & Rejman-Greene, M., 2003. Feasibility Study on the Use of Biometrics in an 367