
Social, political and technological considerations for national identity management


Government agencies face the intricate challenge of effectively and securely controlling population flows, identifying individuals, and managing their access to services, while aligning their strategies with citizens' expectations of convenience, security and privacy. Identity Management initiatives, especially after the increased frequency of terrorist attacks around the world, have become a political imperative of unprecedented urgency for an increasing number of governments. India's answer to this challenge is expressed through the proposed UID Scheme.
This paper details all the architecture considerations and its realizations ...

Published in: Technology


A whitepaper by Accenture®
Identity Management (IDM) Architecture Considerations
Social, political and technological considerations for national identity management (e.g. UID initiative in India)

Statement of Confidentiality
This document contains highly sensitive, confidential and proprietary information from Accenture and should not be duplicated, used, or disclosed, except as solely necessary to continue discussions with Accenture regarding the subject. Copyright © 2008-2009 Accenture. All rights reserved. No part of this document may be photocopied, reproduced, or translated to another language without Accenture's prior written consent. Accenture, its logo, and Accenture High Performance Delivered are trademarks of Accenture.
IDM Architecture Considerations

Contents
1 Identity Management
1.1 National Identity Management
1.2 Identity
1.3 Drivers for National Identity Management
1.4 Components of National Identity Management
1.5 Typical Objectives of National Identity Management
1.6 National Identity Management Schemes Globally
1.7 Some Implications for National Identity Management
1.8 Typical Conceptual Components of the Identity Management System
2 Technologies
2.1 Overview
2.2 Biometric Technologies
2.3 Technologies for ID Tokens
2.4 Security and Cryptography
3 The Key Issues and Implications
3.1 Overview
3.2 Technological Implications
3.3 Processes Implications
3.4 Governmental Implications
3.5 Citizen and Society Implications
3.6 Conclusion
4 References
EXECUTIVE SUMMARY

Government agencies face the intricate challenge of effectively and securely controlling population flows, identifying individuals, and managing their access to services, while aligning their strategies with citizens' expectations of convenience, security and privacy. Identity Management initiatives, especially after the increased frequency of terrorist attacks around the world, have become a political imperative of unprecedented urgency for an increasing number of governments. India's answer to this challenge is expressed through the proposed UID Scheme.

Enrollment/Registration will be the process that determines the overall success of the scheme. It is vital that government agencies, in collaboration with subcontracted private sector organisations, build a reliable infrastructure able to accommodate the diverse needs of India's population. The challenges they will face include the enormous volume of applicants, the coverage of all exceptional cases (in terms of biometrics) and the building of trust and familiarization.

Identity Authentication will be the most important operational process of an IDM, since it will be the means of providing assurance of the claimed identity of an individual. However, extensive use of Identity Authentication may raise concerns about citizen expectations, and thus authentication processes should be limited to the minimum level (only where absolutely necessary). In most transactions the service provider need not know the identity of the individual, but only needs to verify that the returning individual is the same individual as in the previous transaction. In addition, it is particularly crucial to regulate the uses of data and the purposes of collection, to avoid the catastrophic effects of function and identification creep.
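The point just made, that a service can recognise a returning individual without learning who they are, together with the pseudo-identifier and Trusted Third Party ideas later in this summary, illustrated with an added example that is not part of the whitepaper. The authority, the HMAC-based derivation of per-service pseudonyms and the sample UIDs are assumptions of the example, not a design the paper specifies.

```python
"""Added example (not from the whitepaper): a service recognises a returning
person without learning who they are, using per-service pseudonyms.

Assumed design: a Trusted Third Party (the paper mentions one as a way to
reduce central-repository risk) holds a secret key and derives, for each
(service, UID) pair, a pseudonym with HMAC-SHA256. Service providers store
only that pseudonym, never the UID. How the citizen proves possession of
the UID to the authority (card, PIN, biometric) is out of scope here.
"""
import hashlib
import hmac
import secrets


class PseudonymAuthority:
    """Trusted Third Party front-ending the national identity repository (assumed)."""

    def __init__(self, authorised_services):
        self._key = secrets.token_bytes(32)      # never leaves the authority
        self._authorised = frozenset(authorised_services)

    def pseudonym(self, uid: str, service_id: str) -> str:
        # Purpose limitation: a service that is not registered for this use
        # gets nothing, which is the technical counterpart of the paper's
        # "regulate the uses of data and purposes of collection".
        if service_id not in self._authorised:
            raise PermissionError(f"service {service_id!r} is not authorised")
        # Domain-separated keyed hash: without the key nobody can go from the
        # pseudonym back to the UID, and the same UID yields unrelated
        # pseudonyms at different services, so their records cannot be joined.
        message = f"{service_id}\x00{uid}".encode()
        return hmac.new(self._key, message, hashlib.sha256).hexdigest()


class ServiceProvider:
    """A relying party that keeps service-local records keyed by pseudonym only."""

    def __init__(self, service_id: str):
        self.service_id = service_id
        self.records: dict[str, list[str]] = {}

    def transact(self, pseudonym: str, note: str) -> bool:
        """Record a transaction; return True if this pseudonym was seen before."""
        returning = pseudonym in self.records
        self.records.setdefault(pseudonym, []).append(note)
        return returning


class Citizen:
    """The UID stays with the citizen and the authority; services never see it."""

    def __init__(self, uid: str, authority: PseudonymAuthority):
        self._uid = uid
        self._authority = authority

    def present_to(self, service: ServiceProvider, note: str) -> tuple[str, bool]:
        p = self._authority.pseudonym(self._uid, service.service_id)
        return p, service.transact(p, note)


def demo() -> dict:
    """Run the scenario with constructed sample UIDs and return what each party sees."""
    authority = PseudonymAuthority({"health", "tax"})
    health, tax = ServiceProvider("health"), ServiceProvider("tax")
    marketing = ServiceProvider("marketing")          # not registered with the authority

    alice = Citizen("UID-000000000001", authority)    # constructed sample values
    bob = Citizen("UID-000000000002", authority)

    p_h1, first = alice.present_to(health, "prescription")
    p_h2, second = alice.present_to(health, "follow-up")
    p_t, _ = alice.present_to(tax, "return filed")
    p_bob, _ = bob.present_to(health, "vaccination")

    try:
        alice.present_to(marketing, "offer")
        creep_blocked = False
    except PermissionError:
        creep_blocked = True

    return {
        "same_service_recognised": (p_h1 == p_h2) and (not first) and second,
        "cross_service_unlinkable": p_h1 != p_t,
        "distinct_citizens_distinct": p_h1 != p_bob,
        "function_creep_blocked": creep_blocked,
        "health_records": health.records,
        "uid_in_health_store": any("UID-" in k for k in health.records),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The health service's store contains two pseudonyms and no UID, and the tax service holds a different pseudonym for the same person, so the two record sets cannot be joined without the authority's key.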
The selection of technologies should be considered in parallel with the processes implemented around them, to ensure operational efficiency and the protection of individuals' civil liberties.

- Biometrics
Biometric technologies provide uniqueness and enable higher levels of security through the application of encryption/decryption operations. Biometrics have accuracy, reliability and performance weaknesses, which can be overcome to a great extent by the development and establishment of multimodal systems. Multimodal systems minimize the effects of noise and intra-class variability, thus reducing false acceptance and false rejection rates. However, serious implementation risks emerge in a large-scale project of this kind, in terms of security, bottlenecks, false alarms and people's resistance. Effective training of the human operators is required in order to handle cases of false rejection and false acceptance.

- National Identity Repository
There are several ways to implement the IDM scheme. The centralization of core personal information enables the efficient verification of personal details (such as identity and address). However, the possibility of data misuse increases in parallel with the risk of mass data theft. The establishment of an independent Trusted Third Party may decrease some of these risks. Alternative models for the organisation of the scheme include the Federated solution, which creates circles of trust where identity need not be authenticated against centralised data records.

- ID card technologies
Smartcard technologies appear to offer significant advantages compared to magnetic stripe technologies: they are more difficult to clone, they have much larger memory capacity and it may be possible to update the chip's content. RFID chips set new challenges for national IDM systems, due to their appropriateness for large-scale projects and their reprogrammable and undetectable nature. However, the cost of active RFID tags, which are the most secure and reliable ones, sets constraints, at least in the current situation. Optical Memory Cards are another prospective technology; they provide a comparatively large storage capacity (5-6 Mbytes of digital data), appropriate for storing multiple biometric records and transaction details. In addition, they can carry a laser image of the photograph, enabling higher security and making them one of the most counterfeit-resistant machine-readable technologies available.

- Security/Cryptography
Ensuring the security of the smart ID card-enabled IDM system will be crucial for the success of the scheme. It seems important that multiple layers of security (embedded in technologies, processes and policies) are considered in the architectural design of the system. Security issues arise from the smart chip that will be used (tampering, unauthorized access), from the communication channels (between card, reader and NIR), and from the establishment of a central database (NIR). Unauthorized access to the NIR must be prevented at any cost, as compromised personal data can be used to commit mass ID fraud at a much larger scale than today.

- Other Architectural Issues
It is likely that future research in the field will proceed in the direction of Privacy Enhancing IDM Systems.
The aim of PE IDM systems is the creation of a secure infrastructure with the ability to support pseudonymity (here pseudonymity comprises all degrees of authenticity and linkability to an individual, including anonymity and full identification) while also supporting the required degrees of confidentiality, integrity, authenticity and non-repudiation. PE IDM systems are based on the principle of 'notice and choice', where the flow of information is transparent and individuals have control over data linkage.

A multiplicity of strategic partnerships between government agencies and private sector organisations forms the basis of the implementation of the multifaceted IDM Scheme. Control over these partnerships, transparency of the processes and competent project management are key factors that will influence the procurement process.

- The complexity, diverse dimensions and lack of previous experience make cost estimation a controversial issue. Infrastructure issues (hardware and software), technological decisions (e.g. smartcard, RFID), process decisions (e.g. enrollment process design), training needs, and operational and risk management costs are some aspects that must be assessed. The need for recurrent biometric registration, in case biometrics are incorporated in the system, is an additional source of cost. The cost of legal liability should be added to the long cost list, as individuals may sue the government for inconvenience and turmoil in case of denial of access to services they are entitled to.

- The private sector (and especially high-tech service providers) will play a central role in the successful implementation and operation of the scheme. PPPs (Public Private Partnerships) will form the basis for several components of the IDM scheme, ranging from the installation of the technological infrastructure to the training of the system operators and the system's maintenance. Success in delivering the scheme may also enable trusting relationships with the government, with long-term benefits.

- A clearly stated legislative framework within which the national IDM system will be developed and grow is a prerequisite. Clear Data and Privacy Guidelines should be articulated, with safeguard mechanisms established for their enforcement. The citizen should always be considered the core element of an IDM scheme; citizens' rights, expectations, needs and interests should be incorporated in the system and protected by multiple established mechanisms and policies.

- The development of a citizen-centered system is important to enable the smooth diffusion and long-term success of the smart ID card. Citizens will benefit from the IDM scheme through convenient and efficient access to services. However, one should consider the cost barriers; individuals may not be willing to pay an excessive amount to acquire the smart ID card.

- The rights of anonymity and confidentiality are core elements in the design of a national IDM system. Failure to appreciate the importance of protecting citizens' interests and rights, and to adapt the proposals to them, may lead to an increased sense of distrust and unrest, and thus to the rejection of the scheme. Privacy is affected by the technological choices and design decisions incorporated in the IDM system; systems can be more or less privacy invasive (biometric centralized vs. biometric decentralized).
Embodying citizens' consent in the design of the IDM system may lead to privacy enhancement; Federated IDM architectures incorporating the concept of a "Circle of Trust" may give individuals increased control over data sharing, by supporting the use of pseudo-identifiers and limiting identity verification to the absolutely necessary.

- The need for cultivating trust and instilling confidence among the population, that the system is secure and personal data protected, seems indispensable. In addition, the government will have to improve its image with respect to its ability to deliver a successful and secure IDM system, and thus achieve public support.

- Different social groups may face difficulties and obstacles in their interaction with the system and their access to services. People with physical disabilities, marginalized social groups, and travelers/tourists and business people who enter the country without being enrolled in the system are some examples of cases that need to be identified, explored and handled efficiently. Efforts in this direction should be integrated in wider packages of measures, and be consistent with other governmental initiatives.

About the Presenter
Ravinder Pal Singh is a Lead Enterprise Architect in Accenture Technology Consulting, with over 14 years of global technology consulting experience across India, North America, Europe, South America and Asia.
1 IDENTITY MANAGEMENT

1.1 National Identity Management
The concept of Identity Management is not new at all. It is something the state has always had to deal with, in order to connect the citizen and the society of which he/she is part, and thus establish the rights and obligations that grow out of this relation. Today, social services, law enforcement and national security all depend on the ability of the state to connect people to records reliably. In what many have called the Information Age, issues regarding identity management mount while society has seen transformations at various levels. Individuals are more mobile, use multiple communication channels and require reliable, efficient and personalized services. As a result, government institutions around the world face the imperative of improving service quality by seamlessly integrating citizens' personal information, while reducing the costs associated with public service provision.

In essence, a simple identity management system reliably associates a unique identifier with every individual inside the system's boundaries. The rationale is that governmental institutions can improve their governance ability by securely identifying and managing (interactions with) their citizens. Identity management covers a broad administrative area responsible for identifying individuals in a system (such as a country, a network, or an enterprise) and controlling their access to resources within that system by associating user rights and restrictions with the established identity. In effect, identity management can be said to be the set of technologies and processes that contribute to (a) identifying resources, (b) authenticating resources and (c) authorizing access to other resources.
However, it is insufficient to conceptualise identity management solely as a system; it is also an infrastructure that pervades its social context, supporting both centralized and decentralized administration. Governments want to meet citizens' expectations regarding public service delivery, and to do so the best-practice approach would be a secure nation-wide identity management system. Government identity service delivery should incorporate a citizen-centered perspective (tailoring interactions to the needs of the individual), well-coordinated and cohesive multi-channel services, fluid cross-governmental services (providing integrated services to the citizen) and proactive outreach/communication. Governmental institutions need to consider a wider service delivery agenda and undertake larger change initiatives (that incorporate or facilitate eGovernment) in order to increase the government's capability to deliver better services more efficiently and at less cost, and eventually redefine the citizen-society relationship.

Finally, identity management is a dynamic concept. As such, its strategic objectives vary according to the technological, business and governmental environment in which identity management takes place over time. Identity management in a nation-wide context can be seen as a convergence of technologies and governmental operations, materializing in processes facilitated by the existence and use of a unique national identification (UID) standard. Governmental institutions must respond to citizens' needs by mobilizing the necessary resources and applying the appropriate processes and tactics, to eventually promote an optimal service delivery strategy, manage access to services and to the country, and counter crime and terrorism.

1.2 Identity
Before proceeding to examine the factors that drive the need for identity management, it is appropriate to refer briefly to the notion of identity and the basic components of which it is constituted.
Identity refers to the set of information about a person that can be used to tell who that person is. This personal information is what makes something or someone the same today as he/she/it was yesterday, with respect to his/her/its social context. A person may have multiple identities, and an identity may also belong to a non-human entity (e.g. a computer). In this paper, when we refer to identity, we refer to the three basic elements of human identity. Firstly, biometric identity can be described as 'the things that one is', or the attributes unique to an individual (DNA, iris, fingerprints, hand shape etc). Biometric information, which forms the biometric identity of an individual, is the most promising area of national identification schemes because of the 1-to-1 relationship (inherent in the nature of biometrics) between the composite values of biometric information and individuals. The next element is attributed identity, which refers to things that are given to an individual at birth (i.e. full name, date and place of birth, parents). Finally, biographical identity covers things which happen to one during his/her life (life events, education details, issue of marriage certificate, insurance policies, etc). Each of the aforementioned types of identity encompasses a set of related challenges regarding national identity management that will be further examined in this paper.

1.3 Drivers for National Identity Management
In a social environment of ever-increasing complexity, identity has become a pivotal issue for both public and private sector organisations. In the past years, investment decisions in public services have seen a continuous increase in their level of importance to both the government and citizens; consequently, understanding citizens' preferences and practices is becoming a central government objective. This section investigates the main driving forces that make identity management a necessary component of any governmental institution that wants to provide high-level service quality and security to its citizens.

Mobility
The rising mobility of a globalised world has introduced new factors and dimensions with respect to how individuals today interact with private and public sector agencies. People and goods move continuously within and between countries, a fact that requires increased control. It is not only refugees and immigrants, but tourists, students, business people and so on, who cross borders at an ever-increasing pace. Obviously, as the globe becomes increasingly interconnected, borders become more permeable and vulnerable. The need for identification keeps up with the increasing mobility, in order to ensure which visitors are eligible to enter, work, ask for medical insurance and remain in the country for appropriate time periods, etc.

Migration Stream and Illegal Working
Governments have a legitimate interest in managing and controlling their borders. In other words, governments face various challenges in managing the flow of citizens/individuals entering/leaving the country.
By simplifying the process of immigration controls, the state may minimize the effects of illegal immigration and illegal working (exploitation, tax losses, unfair competition etc).

Identity Fraud
Identity fraud refers to an action whereby a person adopts a completely false identity, falsifies part of his own identity (i.e. age) or adopts the identity of another person. The continuously increasing reporting of identity theft calls for a direct response addressing identity fraud at the following operational levels: the reliability of identification; the ID system enrollment process; and access management for public and private (sector) services.

Need for Increased Efficiency and Effectiveness in the Public Sector
Simplifying the identity management processes required for every transaction and relation created between the citizen and governmental bodies, and reducing the possibilities for error, are major driving forces that demand the development and establishment of an identity management scheme. In contexts where identity management is poor, public and private services identify individuals through distinct (non-cross-referencing) methods. It is considered crucial, with respect to the future of government service delivery, to reduce the complexity of integrating and operating public sector information systems and processes. Other elements of this driving force are to avoid duplication of data and effort (from both the service providers and the individuals [i.e. by giving out their information in several different forms]), as well as to reduce extensive bureaucratic procedures and create a more citizen-friendly system. Strict control, so that services are provided only to entitled people, is necessary. Overall, moving towards a consistent set of identity (management) standards will enable a higher level of public service delivery.
eGovernment
The citizen-centered perspective of governmental services, the integration of the services provided and the establishment of multi-channel services make obvious the need for an efficient and effective identity management system. Thus eGovernment, in order to interact with citizens and offer all the expected benefits, must be able to identify them; in light of future developments in eGovernment, the need for a digital identity management system is inevitable. Speed, usability and security are key issues. The aim of effective eGovernment has become a major driver for identity management and secure authentication of citizens.
The key to integration is to tie together the different accounts and numbers of people from different systems, in a secure centralized data management architecture.

Terrorism, Organized Crime and National Security
The use of multiple identities by terrorists and other types of criminals renders the identity management scheme imperative (more than 1/3 of known suspects have used more than one identity). Drug crimes, people trafficking, prostitution and human exploitation are phenomena that take place to a great extent, undermining the social order and security that democratic societies deserve to live in. A more effective national identity management scheme would also allow national security services to access, as part of their investigations, centrally stored biometric information. The need for rehabilitating the social perception of security and order and empowering national security pushes in the same direction.

Convenience: the New Lifestyle
Citizens nowadays interface with more service providers in the ordinary course of their lives than ever before. These services have to accommodate a large number of individuals; as a result the citizen interfaces with complex institutions, creating the need (for all parties) for an efficient identity management solution. The notion of convenience has become very intense nowadays; people seek maximum benefits at the least possible cost. Time is considered a great source of cost, and thus individuals, when they interact with public and private service providers, look for convenience and speed. For example, most citizens prefer to use credit or loyalty cards for their everyday transactions. An ID card may be used as a convenient travel document, as well as an integrated services card. Technological developments provide the foundations for this new lifestyle and can serve the need for convenience and speed at the point of service.
The trends and streams of modern societies, as described above, represent substantial forces driving the development of national identity management systems, which essentially aim at establishing and maintaining reliable individual identification. Apart from these more or less obvious driving forces, it is necessary to highlight the significance of the 'event', which can become a milestone in the world's social structure. An event can have a decisive impact on the flow of human lives; it actually plays the role of a "transformational device between the past and the future" and is an indispensable prism through which social structure and processes may be seen. Undoubtedly, the IRA bombing attacks in the UK in the mid-1990s, the terrorist attack in Spain, September 11 in New York, the London tragedy of July 7th, and the most recent Mumbai terrorist attack of 26/11 are events that have contributed to the transformation of world processes, subsequently altering the discourse/conceptualisation of.

1.4 Components of National Identity Management
As mentioned, identity management is a dynamic concept. Nonetheless, it can be argued that there is an underlying fundamental purpose in any identity management system, irrespective of the processes and technologies used to implement it. This section presents and distinguishes five essential, mutually complementary building blocks of any identity management system, as in the table below.

Fundamental Components of Identity Management
i. Identification: Who are you?
ii. Authentication: How do we know?
iii. Authorization: What services and transactions are available to you?
iv. Access to Data:
  - Who (service provider) has authority to access what data, and under what terms?
  - How can you access the data collected about yourself?
v. Security: Is the information about you secure and not misused?
i. Identification tries to answer the question 'who are you' and refers to one or more elements of someone's identity that uniquely identify that user in the context of use. It may be an identifier already associated with the individual, such as his/her SSN; in the case of the UK ID cards scheme it is the NIRN, and in the Indian context it may (will) be the UID.

ii. Authentication can be defined as the provision of assurance of the claimed identity of an entity. In other words, by authentication we refer to the process used to verify an individual's, or 'subject's', association with an identifier. There are three authentication methods: 1. based on tokens (something one has, such as a smartcard, key, passport, etc), 2. based on knowledge (something one knows, such as a PIN or password) and 3. based on biometrics (something that one is, such as one's face, fingerprint, iris, voice, etc), which appears to be the most promising form of authentication today.

iii. Authorisation is defined as the process whereby the requester is allowed to access a given service. More formally, authorisation refers to the way of determining whether the policy at the point of service allows/permits an intended action to proceed. In some systems, such as most governmental services, the authorisation service either grants or denies access to the individual, whereas in other systems (e.g. the private sector), users are linked with access rights and thus access is protected through role- or group-based management. The efficacy of the process is limited by the availability of subjects' attributes and by how faithfully policy is incorporated in the infrastructure or application.

iv. Access to Data has a dual meaning. First, it refers to the definition of the service providers that are authorized to access the data collected. According to the needs, the nature of the transaction and the given circumstances, each service provider has different authority to access data.
Secondly, the individual has the legitimate right to access the data referring to him/her and to control the nature, quality and accuracy of the information.

v. The fifth component of IDM is claimed to be security, with respect to the personal information of individuals and the identity management system as a whole. When identity management takes place in any form, personal information of individuals is exposed to entities outside the control of the individual. Authorised and unauthorized misuse of the personal information should be prevented, as much as possible of course, since there are no absolutely secure systems. It follows that the level of security is compromised in complex identity management systems, and both technological and process safeguards must be established to shield the system.

1.5 Typical Objectives of National Identity Management
The clear and precise recognition and statement of the objectives of an identity management system is more than important, since objectives are the main driving factor behind the decisions and policies of the system. The absence of accurate limits and a well-defined framework within which the identity management scheme will be developed would generate serious issues in terms of privacy, functionality and security. This section presents a summary of the main aims and objectives of typical identity management. It is necessary to explore the objectives from the viewpoint of the three major stakeholders: citizens, governmental bodies and the private sector. These objectives should be the drivers of every choice and decision; the selection of the technologies incorporated in the system and the design of the processes should be in accordance with the following objectives. However, it needs to be recognized that it is not possible to create one single system serving all the following aims in full.
Our intention is to provide an overview of what each stakeholder wants to achieve, and then to introduce the problematisation that these objectives should be prioritized and evaluated in parallel with the potential options/solutions.

Identity Management Objectives

A. Governmental Bodies want to:
A1 Identify individuals for effective provision of services (speed, accuracy, minimum errors, no duplications)
A2 Integrate identity records across governmental services (more personalized, pro-active and targeted communications and services)
A3 Preserve privacy and ensure data security
A4 Provide equal and universal identification (avoid current exclusions, when driving license, passport etc are not available)
A5 Increase border and immigration flow control
A6 Enhance and facilitate the evolution of e-government
A7 Create the perception of safety for the public, reduce the fear of crime and cultivate trust in the system
A8 Facilitate law enforcement
A9 Establish and maintain a cost-benefit balance in the short and long run
A10 Avoid misuse of services, such as free riding
A11 Reduce organized crime, identity fraud, terrorism and illegal working

B. Citizens want to:
B1 Access services with convenience and speed (avoiding bureaucratic processes) at a reasonable cost
B2 Keep anonymity where and when possible
B3 Be dealt with equally, without discrimination (no groundless exclusion or inclusion)
B4 Secure their right to privacy and ensure data security
B5 Ensure transparency of the system (open up black-boxed processes) to prevent illegitimate data collection and usage

C. Private Sector wants to:
C1 Identify individuals for effective provision of services (speed, accuracy, minimum errors, no duplications)
C2 Increase the strength and reliability of the customer base to deliver better services
C3 Enhance and facilitate the provision of e-services
C4 Reduce ID fraud, organized crime and illegal working

1.6 National Identity Management Schemes Globally
It is interesting to take a short glance at the national identity management schemes applied in different countries, in order to get a view of what is happening globally. Indicatively, the cases of three different countries, France, Singapore and Spain, are presented in this section.

France
France has introduced a national IDM system, but without enabling the linkage of all public service providers.
The French national ID number, which is a 15-digit number (the first digit reflects the sex, the next two refer to the year of birth, the next two to the month of birth, the next two relate to the administrative district, the next three show the municipality of birth, the next three are random and the final two are check digits), is not an identifier used widely for every service provision. Its main area of use is the field of social security, and thus only the social security organisations have access to the data. Other service providers, such as tax departments, require legal permission and prior authorisation by the President of the Republic in order to obtain access. The private sector is also excluded from the scheme, with the exception of services related to health and social welfare (doctors, private health insurance etc.).

Singapore

Singapore has the SingPass ID card, which enables citizens to interact across all governmental services. SingPass is a single-factor authentication system which demands only one single password. Citizens are able to apply for their ID card on-line and receive their SingPass by post. In Singapore, there is no core central legal framework on data privacy, but only separate laws dealing with personal information.

Spain

In Spain, there is a single ID card, which holds a single identification number (algorithm based): an eight-digit number (randomly created) plus one letter. This number is used in every interaction with the public sector; even the passport holds the same number. However, despite the universality of the ID number, some service providers (such as Social Security, the Public Health Service, etc.) keep additional identification numbers. Parents may ask for an ID number when their child is born, but it becomes compulsory when the child reaches the 14th year of its life. Foreigners living in Spain obtain a Foreigner Identification Number.
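The French and Spanish numbers above differ in what a holder can read off them: the French number encodes sex, birth month and year and place of birth and ends in two check digits, while the Spanish number is random digits plus a check letter. As an added example, not part of this whitepaper, the following Python parses the French layout described above and verifies both check values; it assumes the French key is 97 minus the first thirteen digits modulo 97 (numeric departments only), that the sex digit is 1 for male and 2 for female, and that the Spanish letter is indexed by the number modulo 23. Every identifier used is constructed.

```python
"""Added example: parsing and checking the two national ID number layouts
described in the text.  Every identifier here is constructed for the
example; none refers to a real person."""
import re

# Layout given in the text: sex(1) year(2) month(2) district(2)
# municipality(3) order(3) key(2).  Restricting the district to digits is an
# assumption (alphanumeric Corsican codes would need a special case).
FRENCH_NIR_RE = re.compile(
    r"^(?P<sex>[12])(?P<yy>\d{2})(?P<mm>\d{2})(?P<dept>\d{2})"
    r"(?P<commune>\d{3})(?P<order>\d{3})(?P<key>\d{2})$"
)

# Assumed check-letter table for the Spanish number (index = number mod 23).
DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"


def french_check_key(first13: str) -> int:
    """Assumed check rule: 97 minus the 13 leading digits modulo 97."""
    return 97 - (int(first13) % 97)


def parse_french_nir(nir: str) -> dict:
    """Split a 15-digit French number into its fields and verify its key.

    Raises ValueError if the string does not have the 15-digit shape.
    The returned fields show how much personal data the number itself
    discloses to anyone who sees it (sex, birth year/month, birthplace).
    """
    digits = nir.replace(" ", "")
    m = FRENCH_NIR_RE.match(digits)
    if not m:
        raise ValueError("not a 15-digit French national ID number")
    f = m.groupdict()
    return {
        "sex": "male" if f["sex"] == "1" else "female",   # assumed mapping
        "birth_year_2digit": f["yy"],
        "birth_month": f["mm"],
        "department": f["dept"],
        "commune": f["commune"],
        "order": f["order"],
        "check_key": int(f["key"]),
        "check_ok": int(f["key"]) == french_check_key(digits[:13]),
    }


def spanish_dni_letter(number: int) -> str:
    """Check letter for an eight-digit Spanish number (assumed rule)."""
    return DNI_LETTERS[number % 23]


def validate_spanish_dni(dni: str) -> bool:
    """True when the string is eight digits plus the matching check letter.

    Unlike the French number, a valid Spanish number reveals nothing about
    the holder: the digits are random and the letter only detects typos.
    """
    m = re.fullmatch(r"(\d{8})([A-Z])", dni.strip().upper())
    return bool(m) and spanish_dni_letter(int(m.group(1))) == m.group(2)


if __name__ == "__main__":
    # Constructed numbers, not real identifiers.
    print(parse_french_nir("1 55 05 15 023 456 52"))
    print(validate_spanish_dni("12345678Z"))
```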
1.7 Some Implications for National Identity Management

“‘System’ may be the most important (and heretofore least discussed) aspect of the term ‘nationwide identity management system’, because it implies the linking together of many social, legal and technological components in complex and interdependent ways. The control of these interdependencies, and the mitigation of security vulnerabilities and their unintended consequences, would determine the effectiveness of the system.”

At this point, it would be interesting to introduce some implications generated when a national identity management scheme is proposed for implementation. First, being implemented over very large populations, it is assumed that it will take considerable time to coordinate the activities required for full population enrolment/registration (critical mass). A universal national identity management system will probably be targeted by organized criminals, increasing the risk of cyber-terrorism. Experience of identity management systems implemented in the past decades in both the private and public sectors suggests that identity is best proven if agencies do not rely on one single proof of identity (a token such as a document, card, etc.) to establish a person’s identity. In addition, a number of organisations (public, private) tolerate an amount of fraud, since the financial benefits of stopping fraudulent behaviour may be less than the cost of checking. These implications concern the success of the system. However, identity management exists within the technological, political and social context in which it is implemented. Nowadays, the use of Information and Communication Technologies (ICT) is affecting both the private and the public sectors through the ‘imposition’ of more efficient techniques for gathering and managing information, reaching and interacting with customers, in addition to managing processes (to name but a few).
The current technological environment provides a variety of possibilities and alternatives for the implementation of identity management systems, such as RFID (Radio Frequency Identification) and other types of chip-enabled cards (e.g. Oyster cards). In brief, the technological implications include protecting the confidentiality, integrity and availability of the data and information systems, as expressed in the following positions:
(1) The larger and more complex the network, the more complex the security infrastructure needed.
(2) The more information in a token (the ID card), the greater its importance for service transactions.
(3) The strength of the authentication is directly related to the value of the resources protected.
(4) The consideration of card technologies in respect of cryptography and security.

At a political and societal level, implications stem from concerns about data centralisation, the protection of civil liberties and individuals’ privacy expectations, as well as the involvement of independent private sector organisations. Identity management technologies lead to the transformation of the national landscape in which they are applied, the result being the internalisation of social norms (that may soon not be regarded as repressive). Valid fears are generated that more intense discrimination issues will be provoked, acknowledging the discrimination against certain minority population groups and non-population groups (such as travellers, business people, etc.) that already takes place in the name of national security. Nevertheless, it is crucial to identify and map out the ways in which all this accumulated data is going to be organised in terms of managing individuals and populations. The main argument used, that citizens have to accept a trade-off between their civil liberties and national security, should be assessed thoroughly, in order to secure the social gains at the least personal cost.
The amount and the type of information revealed in different circumstances and the risk of profiling are also crucial issues. In terms of adoption, failure to explain the benefits of an identity management scheme and how security and privacy can be maintained may heighten resistance to the scheme. The compatibility of the scheme with Data Protection, Human Rights and Freedom of Movement legislation generates important implications that need to be assessed.

Finally, at the organisational level, identity management must take into account the processes (i.e. human activity models) that surround the established information policies. Identity management provides a framework to manage citizens’ access to services as well as to redefine the communication and interaction between the individuals and the state. It follows that the way identity management processes are designed and implemented is central to defining the scope and boundaries of governmental ‘reach’. The main processes that should be considered include the registration and renewal of ID cards, the retention and use of information by service providers, service access management (authentication) and citizen relationship management (the processes of interacting, communicating, etc.).
1.8 Typical Conceptual Components of the Identity Management System

Under this section the aim is to describe the identity management scheme at a conceptual level. In the following figure the typical components, processes and a high-level view of the structure of the ID card scheme are provided.

Figure: A conceptual model of the identity management system

The model depicts four coloured sections, each representing a different aspect of the identity management (IdM / IDM) system. First (in the green area, left) the individual, biometric information, the smart ID card and any combination of these represent the proof of identity needed for IDM. This block shows the main actor of the system, the citizen, and the (a) ID card and (b) biometric information related to him. In the yellow-shaded area the main processes of interaction between the cardholder and the IDM scheme are presented. Registration, Identification, Authentication and Authorisation is the order of the processes that deal with the proof of identity. In the middle-right sector, the model presents the ICT network that operates as the infrastructure for the processes to take place. This includes all technologies and, internal to the service provider, the processes for using the individual’s proof of identity at the point of service. Finally, at the right-hand side of the model, the central datastore of personal information is portrayed; it is accessed by a trusted third party (TTP) for authentication and data exchange purposes and by certified database management applications (for adding, deleting, updating).

The National Identity Repository (NIR) will hold core personal information about individuals who have registered and been issued with an ID card. Essentially it will be a new data warehouse or database that may be created as people apply for ID cards.
The amount of personal information considered as ‘core’ must be sufficient for the individual to allow for the issuing of an ID card. The National Identity Repository will provide a record of registrable facts about individuals in the country and about other individuals who have entered or have applied to enter the country. The NIR will be accessible from public service applications (for the cross-referencing of information), with the potential of integrating access from interested private sectors (banking institutions, insurance companies, etc.).
The Identity Number (IN) is a unique identification number provided to every successful applicant to the scheme. This number is actually the key for the citizen to access the services that he/she is entitled to, and for the governmental bodies and private sector to access the information in the NIR. This unique identifier is the basis for many national IDM schemes; however, recent developments in IDM (e.g. as in France) have been seeking more privacy-protective ways of integrating the unique identification number into the overall scheme.

The ID card will provide all legal residents of the country with an easy and secure way of demonstrating their identity and accessing the services they are entitled to, by establishing a single universal identifier. The ID cards will contain part of the information stored in the NIR and will be issued by a governmental agency that will work in collaboration with immigration and passport agencies. Depending on the technology used within the card, there will be different processes and mechanisms for authorising access to individuals (card readers, RFID readers, humans).

A Biometric is a unique physical characteristic such as facial dimensions, iris patterns and fingerprints. Biometrics used in an IDM scheme tie a verified identity to an individual. Moreover, biometrics can be used to associate an individual with an ID card, supplementing traditional methods (e.g. signature, photograph). To enable these two mechanisms and exploit the potential of biometrics, biometric information will be held both centrally and inside the card. Hence, an IDM system exploits the advantages of biometric information to ensure that a person has not established more than one identity in the scheme and, at the same time, that the entitlement card, passport or driving licence is being used by the correct person.
Service Providers are those agencies and/or organisations from the public or private sectors that require the verification of identity to allow a transaction to proceed. While identity fraud has been an enormous problem for public sector agencies, it is also a predicament for the delivery of effective services by independent service providers. Service providers require the reliable authentication of the cardholders, in order to increase their capability to manage access to their services. When private sector service providers connect to centralised, state-owned information, the establishment of information gateways that operate in synergy with authentication agencies is essential.

The Authentication Service is also a key component of the proposed IDM scheme. Its purpose is to enable the service provider or biometric reader to authenticate the identity of an individual in order to authorise access to certain services. The Authorisation Service, operating independently, is responsible for connecting to the NIR and verifying that the details provided (by the Service Provider) match no more than one record in the register. Then, depending on the context of the application, it may return personal information to be combined with what is locally available, or simply communicate the result of the matching process (match, no-match).

Another component that we consider to be central is Legislation. Understanding the privacy concerns, it is important to impose exhaustive legislation regarding all aspects of the Identity Lifecycle. IDM may pose threats to the human rights and/or civil liberties of certain societal groups or individuals, and therefore legislation should go beyond existing privacy laws and the data protection / IT laws. In addition, new crimes and penalties need to be established in order to ensure the compliance of people with the new requirements.
Finally, IDM systems do not consist only of the set of technologies (network communications, cards, databases, etc.) but also of detailed policies and procedures, to account for the numerous security and privacy considerations. Procedures need to be established to register individuals, manipulate (manage) information about them, issue credentials and verify access to services (to name but a few). At this point it is important to mention the elements of the identity lifecycle, which are: account set-up, maintenance and teardown. Account set-up refers to providing users with the appropriate level of access to the resources they need. Account maintenance refers to continuously keeping the users’ records updated and adjusting the levels of access to the resources needed. Account teardown is the deactivation of accounts that are no longer necessary. IDM schemes attempt and aim at managing these three stages as effectively and efficiently as possible.
2 TECHNOLOGIES

2.1 Overview

As is the case with all large-scale organisational projects, a national IDM scheme comprises a complex network of technologies and processes. In this part, the aim is to identify and present briefly a variety of technologies that play a crucial role in the success of the project. First, in this paper we will try to shed some light on the strengths, weaknesses and risks of alternative biometric technologies. Second, we will examine card technologies and in particular focus on RFID technology as one of the most prominent technologies for use in ID cards. Apart from RFID-enabled cards, a short evaluation of other types of smart cards is also provided. We will argue that the debate about RFID technology is not quite the same as the similar debate about barcodes that took place some years ago. We will examine the advantages and disadvantages of RFID through an assessment of available card technologies, in order to provide the basis for determining the viability of an RFID approach in a national IDM scheme. Finally, we will frame security as a problem that can be approached through a combination of security and cryptography technologies.

2.2 Biometric Technologies

Introduction

Biometric technologies have received great interest as a powerful weapon against terrorism and crime and as an effective proof of identity. The term biometric is derived from the Greek words bio (life) and metric (to measure), and it stands for the measurement, digitisation and statistical analysis of biological data. Biometric technologies are mechanisms that automatically recognise individuals based on unique human physiological and behavioural characteristics, which cannot be easily duplicated or forged. The most important and widely used biometric technologies are fingerprint biometrics, eye biometrics (iris, retinal), face biometrics, hand geometry biometrics, signature biometrics and voice biometrics.
There are also some more biometrics found in the literature, such as DNA, gait biometrics, body odour measurements, vein recognition (hand), movement pattern recognition and ear shape. The elements of universality, uniqueness, stability, forge resistance and collectability are some of the main reasons that render biometrics the most effective and important source of proof of identity. The objectives of generic biometric applications are better security, higher efficiency and user convenience. There is a distinction between static (or physiological) biometrics, which are based on features that are always present, and dynamic (or behavioural) biometrics, which are based on certain behavioural patterns. For example, fingerprint, iris scan and retinal scan are static biometrics, while signature and gait biometrics belong to the dynamic methods. Each method offers a different degree of exactness and accuracy, depending on the context and the purpose of the biometric application.

Biometric systems have three main uses: to check that applicants are not erroneously issued documents based upon two different identities; to help confirm that the correct person is associated with a certain document’s or service’s credentials; and to check identity against a ‘watch-list’. In other words, a biometric system could be used for identification, for authentication or for screening. The first type recognises a person (who does not make any claim of identity) by comparing the captured images to an entire template database. Thus this is a one-to-many match and aims at establishing an individual’s identity without the person having to declare his/her identity. The second type authenticates an individual who claims an identity by comparing the captured biometric elements with the biometric template of that person that is already stored in the system or in distributed storage, such as a smart card. This is a one-to-one match, in order to make sure that the person is the one he/she claims to be.
The screening process is actually the comparison of the captured biometrics against a watch-list, which may contain only biometrics or other information as well.
A biometric system’s architecture is the combination of the major processes of a biometric system, namely Data Collection, Signal Processing, Matching, Decision, Storage and Transmission. These processes, together with a set of technological components, form a generic biometric system architecture, as presented in the following schematic.

Figure: Biometric System Architecture

Data Collection
This sub-system handles the acquisition of the biometric data of the applicants and requires a biometric device or sensor (such as a finger scanner or digital camera) in order to retrieve the biometric sample.

Transmission Channel
The transmission channel sub-system is concerned with passing the data in a distributed environment. Data compression techniques can be applied to the biometric data to economise system resources and handle the large volumes of data that need to be transmitted.

Signal Processing
The signal processing sub-system comprises two main activities. (1) The biometric sample is processed and segmented from the environment/noise in order to extract the feature information and create the biometric template, which is a mathematical representation, in a more compact form than the original image, that captures just those features of the image that contribute to the distinctiveness of each person’s fingerprint, iris, face etc. At the end of this process a score is presented evaluating the quality of the extracted image (if everything went well). (2) The new template is compared with one or more reference templates using a matching algorithm, and a match score that illustrates the similarity between the templates is created.

Data Storage
All created templates are compared with the already stored templates before being stored. Biometric templates can be stored in a centralised biometric database, in a distributed system or on ID tokens and smart cards (which remain in the user’s possession).
Matching
A new biometric sample is required and follows the first three stages; when it has obtained the appropriate template format it is submitted to the biometric verification engine. According to the type of process required (either identification [one-to-many] or authentication [one-to-one]), the system compares the new template to all stored biometric samples, generating zero to many possible matches, or compares the new template to the suspected identity, generating a yes/no score.

Decision
The match score is translated into a decision by using a threshold score, which would have been initially defined. The user is authenticated if the match score is above the threshold; otherwise the user is rejected. In general, people will never present themselves in exactly the same way every single time, thus biometric systems should allow some latitude in this matching process. The described matching/decision processes introduce risks and fears, because this latitude may lead people to match templates other than their own. Biometric systems in practice can generate four possible outcomes:
correct person accepted or rejected, impostor rejected or accepted. Thus there are two possible situations in which the system may produce an error. A false reject (measured by the False Reject Rate, FRR) occurs when ‘correct’ individuals are rejected. A false accept (measured by the False Accept Rate, FAR) occurs when an impostor is accepted by the biometric matching algorithm. False reject and false accept are included as part of a generic biometric system process.

Figure: Generic Biometric System Process Model

FAR and FRR cases increase when the threshold value used in the matching algorithm is ‘looser’, as in the application of biometric systems in airports. A single-modality biometric system can increase its performance by processing a biometric through more than one matching algorithm. A logic algorithm can then be applied in order to ‘fuse’ the results and arrive at a more accurate decision, as in the following schematic.

Figure: Fusion Unimodal Biometric System

Alternative Biometrics

When reviewing different physiological or behavioural elements (of humans), there are numerous requirements against which each biometric can be assessed. These include the biometric’s universality, distinctiveness, permanence (over a time period) and collectability (quantifiable characteristic). Moreover, the performance issues (accuracy, speed, immunity from external factors), the level of acceptability that people show and circumvention (the possibility of cheating the system by fraudulent methods) should also be evaluated and assessed. A brief description of the four most widely used biometric technologies (fingerprint, hand shape, iris and face recognition) and a comparative table of them is provided below.

Fingerprint Recognition

The fingerprint has been one of the most widespread biometrics for the purpose of identification for a long time.
Apart from the association of fingerprints with crime detection, many fingerprint systems have already been established which contribute to the establishment of a unique identity for the individual.
There are two methods of fingerprint recognition that could be applied: minutiae-based recognition and fingerprint pattern recognition. The minutiae-based method operates using the coordinates of points on the fingerprint where ridges end or split, while the second method uses the whole fingerprint pattern, which is more costly and more appropriate for one-to-one matching processes. The minutiae-based method is more appropriate for large-scale systems and one-to-many matching. It is suggested that at least 4 fingerprints should be captured for each applicant, in order to help verify any potential false matches and hence reduce false match rates. The main benefits of this technology are its high accuracy, usability (ease of use), the ability to exploit already existing databases and its distinctiveness (8/20), while the major drawbacks are that it demands the involvement of the individual, an estimated 10% of the population cannot enrol, there are environmental factors that affect the result (humidity, temperature), ways have been invented to spoof the system quite easily, and the perception of this technology is strongly linked with a criminal context.

Iris Recognition

A camera of very high resolution and a source of light are necessary for iris capture. The absolute uniqueness of each iris (even the two irises of the same person are completely different) and the inability to create a fake duplicate of an iris, because of its numerous characteristics and properties, contribute to characterising iris recognition as the most promising biometric technology. Under normal conditions (avoiding injuries, illnesses etc.) the iris remains the same throughout one’s life. Iris recognition is a very attractive method, as it is estimated that an iris image is as efficient in identification matching as two or more fingerprints, and it is very fast.
It demands the involvement of the subject, both in registering the image of the iris (and creating the template) and in successfully providing the captured image of the iris. However, it is a rather new technology that has not been tested in large-scale applications.

Face Recognition

Lately, interest in facial recognition systems has been triggered because they are relatively inexpensive and do not require the active involvement of the individuals (subjects); thus it is a silent technology that acts in the background. The face is considered the most commonly used biometric element so far; people purposefully provide photos as a means of identification in numerous transactions involving tokens such as their passport, driving licence, library card etc. The level of acceptability of revealing one’s face is high, as people are used to it. But apart from the moments when people consciously submit their face image, there are many other points where one’s face is captured without his/her awareness and consent. During the enrolment process a series of digital photos is taken, which allows capturing the face at different angles and with different expressions, in order to extract the distinctive features that will create the template. There are two main approaches: 2D, which consists of four main methods (eigenface, feature analysis, neural network and automatic face processing), and 3D capture and modelling. Face recognition technologies do not require great involvement of the individual and they may also operate covertly. The other significant advantage is that everyone can enrol. However, the performance of face recognition is rather low in comparison with the two previous technologies, even in small populations. A single fingerprint provides higher accuracy than face recognition, and fingerprint identification can be improved by using multiple fingers, while for the face this is not feasible.
In addition, in the case of identical twins this method is not reliable enough to provide accurate identification, and this case is not rare at all (1:200 are identical twins). Furthermore, some factors have been identified that diminish its reliability, such as poor illumination, shadows, glasses and facial expression. The screening applications that are used in order to capture the images mainly on the move, like CCTV in airports and shopping malls, diminish the quality of the image, and the task of matching faces against a certain database becomes really difficult and time consuming. The size of the database is another significant factor that should be mentioned; the bigger the database, the more false recognitions occur. Overall, face recognition technologies are most suitable in the checking process for one-to-one authentication or for small watch-list applications.

Hand Shape Recognition

Hand recognition is a quite old technology that uses different geometric measurements. There are many geometric features that can distinguish one hand from another, such as width and length of fingers, hand size and height, distance between knuckles etc. It is considered an easier technology to enrol in compared to iris and fingerprint recognition, which create anxiety in the subject. In addition, it shows high accuracy and it is hard to spoof.
However, the capture of the hand features with most of the existing technologies has constraints, because the individual has to place his/her hand on the platform between fixation pegs (see figure). Moreover, these techniques do not record the shape of the fingers but just measure features on the fingers. This may be beneficial for storage space, though it may omit significant geometric elements that could empower the recognition process. Thus, other methods have started being proposed that can overcome these constraints and limitations. B-spline curves are an alternative method that can record the shape of the fingers and removes the difficulty of the fixed pegs, thus increasing the accuracy and the convenience of the method.

Evaluation of different biometrics

The following table portrays a comparison among the main biometric technologies. The criteria upon which it is established are: cost, security, acceptability to the public, ease of use, transparency of the capture process, stability of the biometric information, the proposed applications for each one and their suitability for one-to-one and one-to-many authentication.
Table: Comparing different biometrics

Biometric | Cost | Security | Acceptability | Ease of Use | Transparency | Stability | Suitable applications | Suitable for 1:1 | Suitable for 1:N
Face | Medium | Medium – Low | Medium – High | Medium – High | Covert | Medium – Low | Watch-list scanning, verification | Yes | Potentially
Fingerprint | Medium – Low | Medium – High | Medium | High | Overt | High | Verification, medium- to large-scale identification | Yes | Yes
Iris | High | High | Medium | Medium – Low | Overt | High | High security access, large-scale identification | Yes | Yes
Voice | Low | Medium – Low | High | High | Covert | Medium – Low | Telephone authentication, low security verification | Yes | No
Signature | Medium | Medium – Low | High | High | Overt | Medium – Low | Applications with traditional signature | Yes | No
Hand | Medium | Medium – High | Medium – High | Medium – High | Overt | Medium – High | Verification for access control | Yes | No

Combining Biometrics in a Multimodal Biometric System

Biometrics seem to offer a solution for stronger and more solid identification, and current circumstances (increase of digitalisation, increase of mobility, social and national demand for more accurate and effective identification etc.) render their use pivotal for the success of proposed IDM schemes. Despite the potential and beneficial effects that biometrics seem to have, some concerns are raised; the incorporation of biometrics in a national IDM scheme is an extremely large-scale and untested undertaking. Up to now, biometrics have usually been used in small-scale projects, mainly in the private sector. Nevertheless, airports, given the involvement of a larger number of people, have implemented some pilots that have only recently started gaining bigger dimensions. Unimodal biometric systems are currently deployed in a variety of application contexts (including airport, passport, logical and physical access control). In general they are subject to a variety of errors, including noise associated with the acquired biometric data and intra-class variability.
Noise is linked to the reader’s performance when reading/scanning biometrics, poor ambient conditions and by user behaviour (i.e. misplaced finger). Intra-class variability is defined as the variation between biometric data acquisitions for the same person. Combining technologies with mixed intra-class variability could result in systems which exhibit overall better performance characteristics. Fig. : Fixation Pegs on Hand Shape Recognition
In order to reduce the inadequacies and errors of unimodal biometric systems, multimodal systems combine more than one biometric modality, resulting in enhanced performance and reliability and even increased user acceptance. In other words, the aim of multimodal systems is to minimize the effects of noise and intra-class variability, thus reducing false acceptance and false rejection rates. There are two alternative ways of using multimodal systems: (1) In sequence: multiple biometric readers are used one after the other, strengthening the performance and security of the biometric system. (2) In parallel: multiple biometric scanners/readers are used in parallel, providing alternative modes for the identification/authentication process, thus strengthening the overall flexibility of the system. Biometric systems, their implications and their significance in national IDM schemes will be discussed later in this paper.

Two Alternative Applications of Multimodal Systems

I. In Sequence
In this scenario, multiple biometric readers are used one after the other; the user must 'pass' a series of biometric scans. In-sequence multimodal biometric systems allow for multiple biometric checks; as a result, this type of biometric multimodality strengthens the performance and security of the biometric system. Combining biometric technologies in sequence is likely to counter attacks, since much more effort would be required to spoof the combined system.

II. In Parallel
In this scenario, multiple biometric scanners/readers are used in parallel. The cardholder (user of the system) chooses which type of biometric he or she prefers to have taken. By providing alternative modes for the identification/authentication process, a service equipped with a parallel multimodal system strengthens the overall flexibility of the system.
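The two arrangements pull the two error rates in opposite directions, which the text above does not spell out. The following Go program is an added illustration (not code from the whitepaper or from Accenture) that combines per-modality rates under the "all must match" rule of the in-sequence arrangement and the "any may match" rule of the in-parallel arrangement with fallback. It assumes the modalities' errors are independent, and the fingerprint and iris figures are constructed sample values, not measurements.

```go
package main

import "fmt"

// ErrorRates holds the false-acceptance and false-rejection rates of one modality.
type ErrorRates struct {
	Name string
	FAR  float64 // probability that an impostor is accepted
	FRR  float64 // probability that a genuine user is rejected
}

// inSequence models the "in sequence" arrangement: the user must pass every
// reader, so the system accepts only if all modalities accept. Assuming
// independent modalities, an impostor must fool all of them (FAR multiplies)
// while a genuine user is rejected as soon as any one reader rejects.
func inSequence(mods []ErrorRates) ErrorRates {
	far, genuinePassesAll := 1.0, 1.0
	for _, m := range mods {
		far *= m.FAR
		genuinePassesAll *= 1 - m.FRR
	}
	return ErrorRates{Name: "sequence (all must match)", FAR: far, FRR: 1 - genuinePassesAll}
}

// inParallel models the "in parallel" arrangement with fallback: the
// cardholder may present any offered modality and the system accepts as soon
// as one of them accepts. False rejections and exception cases drop (FRR
// multiplies), but an impostor only needs to defeat one modality, so the
// combined FAR is never below the largest single FAR.
func inParallel(mods []ErrorRates) ErrorRates {
	impostorRejectedByAll, frr := 1.0, 1.0
	for _, m := range mods {
		impostorRejectedByAll *= 1 - m.FAR
		frr *= m.FRR
	}
	return ErrorRates{Name: "parallel (any may match)", FAR: 1 - impostorRejectedByAll, FRR: frr}
}

// sampleModalities are constructed illustrative figures for a
// fingerprint + iris deployment; they are not measurements from the paper.
var sampleModalities = []ErrorRates{
	{Name: "fingerprint", FAR: 0.01, FRR: 0.02},
	{Name: "iris", FAR: 0.001, FRR: 0.05},
}

func main() {
	for _, r := range []ErrorRates{inSequence(sampleModalities), inParallel(sampleModalities)} {
		fmt.Printf("%-26s FAR=%.5f FRR=%.5f\n", r.Name, r.FAR, r.FRR)
	}
}
```

With the sample figures, the sequence lowers the FAR to the product of the individual rates but raises the FRR, while the parallel arrangement does the reverse: the exception and false-rejection burden falls, but the combined FAR is bounded below by the weakest modality offered, so the decision logic should account for which modality was actually used rather than treating every path as equally strong.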
This type of multimodal system could prove useful to citizens who have temporarily lost the ability to provide one of their biometric traits (e.g. a temporary eye problem that rules out an iris scan) or in cases where people refuse to use a specific modality (for religious or health reasons, for instance). In the following diagram, the generic processes of an in-parallel multimodal biometric system are presented. It is clear that with a reasonably good decision logic, the proposed system reduces the probability of false acceptance (FAR) and false rejection (FRR) and improves overall performance towards lawful citizens.

Figure: The operation of an 'in parallel' multimodal biometric system

At this point it is necessary to underline the need to combine biometrics, instead of relying on one of them, in order to increase performance and accuracy and at the same time reduce the exception cases (a few people have no usable irises or fingers). Although biometrics are considered universal, a certain portion of the population may have biometric identifiers that cannot be captured or quantified, or may not have them at all (for example amputees or blind people). Moreover, the security of a multiple-biometrics system increases, since it is much more difficult to fake all the biometrics of a person and cheat the system. In addition, the possibility of interoperability and future upgrades increases. This also increases the cost and the amount of data collected, which may raise issues about the right to privacy and other implications that will be examined in more detail later in this paper.

2.3 Technologies for ID Tokens

Citizen identification goes back to 3000 BC and the ancient Babylonian culture, where slaves were identified either by their tattoos or by brands on their face or the back of their hands. Today, after years of social and
political 'framing', national identity tokens take the form of plastic cards for two main reasons. First, cards can contain both human-readable (text, images, visual security features) and computer-readable information, thus assisting both human and technology-assisted methods of identification, authentication and authorisation. Second, plastic cards can be stored in wallets and can conveniently be sent by any postal service (as convenience is defined in our society).

Smart cards are plastic cards embedded with computer chips that can hold a wide variety of data types, including identification strings, biometric templates, security access information, applications, and records. Smartcards can be distinguished into four categories according to their communication with readers (contact or contactless) and their functionality (memory or microprocessor). The following table gives a brief categorization of smartcards along these two dimensions.

Smartcard categorization

1. Contact: Smartcards in this category have gold plates and contact pads on one corner of the card. These are used to supply the necessary energy and to communicate with the reader via direct electrical contact.
2. Contactless: The connection between reader and card is made via radio frequency (i.e. as in RFID). These cards also have a wire loop which feeds energy to the chip when the card enters the RF field of the reader.
3. Memory: Usually contain EEPROM (Electrically Erasable Programmable Read-Only Memory) non-volatile memory. Data is managed via a microcontroller responsible for accessing the data and handling the communication. This type of smartcard does not support cryptography.
4. Microprocessor: Contain EEPROM (file system), ROM (operating system) and RAM (working memory for functions), together with a microprocessor.
With the addition of a crypto module, the smartcard can perform the complex mathematical computations required by a Public Key Infrastructure (PKI).

Current ID cards can contain technology ranging from simple barcodes and magnetic stripes to integrated circuits and RFID tags. Magnetic stripe technology has reached a saturation point in terms of its capability to process and store data. Smartcards offer several key advantages over traditional magnetic stripe cards: they are more difficult to clone, the information they hold can be considerably more complex, and they can be updated. Nowadays, governments around the world are considering the issuance of smart ID cards for numerous expressed and unexpressed reasons.

Reasons for national smart ID cards

Expressed:
- Efficient and faster service delivery leading to citizen satisfaction
- Clearly show where taxpayers' money goes
- Track and reduce identity theft/forgery, fraud and abuse
- Customized and always available public services
- Promote wide usage of information systems
- Increase the security of identification mechanisms

Unexpressed:
- Government process automation
- Long-term cost reductions
- Data sharing between governmental agencies and between the public and private sector
- Active archives
- Infrastructure for monitoring unusual behaviour
- Collect taxes more efficiently

In general, the move towards smart multi-application cards is happening, and as a result citizens expect real service delivery improvements. Overall, national smart ID card projects are complex and involve important considerations for privacy and security, as explored later in the paper.
2.3.1 RFID Technology

Introduction
RFID, or Radio Frequency Identification, is a set of technologies that use radio waves to automatically detect individual entities. From an academic viewpoint, RFID falls under the umbrella of Ubiquitous Computing, a broad research area that has received increased interest over the past decade. Ubiquitous Computing refers to the application of computation technologies that disappear into, or are embedded in, the environment, so that space itself becomes intelligent. The significance of RFID technology lies in the fact that it changes the global e-network of computers into a global e-network of computers and objects, and, as a result, of the humans who carry or use the RFID-enabled objects. Essentially, RFID-enabled cards are a special type of smartcard that uses radio waves, so that no contact with a reader device is necessary (compared to other smartcards that require contact with the reader in order to operate). RFID technology is designed to enable the remote capture of data from physical objects. Data collected through RFID systems can be stored on a small token (the tag) embedded in the object. In the case of nationwide IDM systems, the object is the ID card used by individuals/citizens in their routine interactions with private and public services. Today, data can be read from these tags by RFID readers, which are usually connected to computer networks, databases and database management systems. As a result, RFID facilitates the transfer of information to remote datastores and allows for the tracking of the tags through space.
Current successful applications of RFID include animal tracking, electronic roadway toll collection and, most importantly, the revolutionizing of supply chain management. If we follow the chronological evolution of RFID technology, we can argue that the market is moving towards truly global unified standards for UHF RFID technology, thus encouraging the global interoperability of private and national (public) IDM systems. Interest in RFID technology by organisations has increased dramatically in recent years, mainly because (after years of technology refinement) RFID tags have become very small and inexpensive.

Before proceeding to an operational description of RFID systems, it is useful to set out the components of a basic RFID system. All RFID systems have three major components: the RFID tag, the RFID reader and a database system, as shown in the following figure.

Figure: The components of an RFID system

The RFID tag is a microchip attached to an antenna, able to transmit identification information by sending data to and/or receiving data from the RFID reader. RFID tags have embedded memory that can be read-only, read-write, or write-once read-many. Readers use their own antenna to communicate with the tag and can process multiple tags simultaneously, allowing more tags to be read in a given time. In practice, the reader sends energy to the tag to provide it with sufficient power to operate and send data back to the reader (if the tag has an embedded battery, this step is not needed). Depending on the type of RFID system, the reader can receive the data held by the tag (read process) or write or update data on the tag (write process). In other words, the reader performs a series of read/write operations while the tag has
data storing and sending abilities. The tag is able to store data that the reader writes onto it or data that was originally stored on it by the issuing authority. These operations constitute the core of any RFID system and allow the reader to track the object carrying the tag in its vicinity. Another aspect of RFID readers is the anti-collision techniques implemented to prevent the 'collision' of data when the reader reads from more than one tag at the same time. Anti-collision algorithms include spatial, frequency and time domain techniques that essentially aim at regulating the replies so that a reader can detect exactly all the tags in its vicinity.

Types of RFID Technology

It is also useful to draw a distinction between different RFID tag categories. In this section we discuss the three identified categories: passive, semi-passive and active RFID tags; their typical characteristics are presented in the following table.

Table: Typical Characteristics of RFID Technology (Source: National Institute of Standards and Technology and Robert W. Baird & Co., Inc., "RFID Explained: A Basic Overview", February 2004)

Passive
Passive tags represent the simplest form of RFID tag technology: they do not contain their own power source (i.e. battery), nor can they initiate communication with a reader. As described in the previous section, passive tags derive their power from energy waves and respond to radio frequency emissions from the reader. The minimum storage requirement of a passive tag is the unique identification number of the object in which it is embedded; as storage capacity increases, so do costs. In addition, typical passive tags allow only read-only operations on their data, and their memory is around 64 bits of permanently programmed data (i.e. it cannot be altered or updated). Costs vary depending on the communication frequency used, the design of the antenna and the packaging around the transponder.
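To make the time-domain anti-collision idea concrete, the following Go simulation is an added example (not code from the whitepaper or from Accenture) of binary tree walking, one of the classic singulation protocols: the reader broadcasts an ID prefix, every tag whose ID starts with that prefix answers with its next ID bit, and a collision (answers that disagree) splits the search into the '0' and '1' branches until each tag has been isolated. The 4-bit tag IDs are constructed for the example. The query counter also makes visible a privacy property the paper takes up later: the reader ends up learning the full ID of every tag in its field, whether or not that tag is the one it wanted.

```go
package main

import (
	"fmt"
	"strings"
)

// Tag is a simulated passive tag with a fixed-length binary ID.
// The IDs used below are constructed for this example, not real tag numbers.
type Tag struct{ ID string }

// nextBit is a tag's answer to a broadcast prefix: tags whose ID does not
// start with the prefix stay silent (""), matching tags send the bit that
// follows the prefix. A tag whose whole ID equals the prefix has nothing left to send.
func (t Tag) nextBit(prefix string) string {
	if !strings.HasPrefix(t.ID, prefix) || len(prefix) >= len(t.ID) {
		return ""
	}
	return string(t.ID[len(prefix)])
}

// Reader counts broadcast queries so the cost of singulating a population is visible.
type Reader struct {
	Queries int
}

// treeWalk singulates every tag in the field by binary tree walking and
// returns the IDs found, in the order they were isolated.
func (r *Reader) treeWalk(tags []Tag, prefix string) []string {
	r.Queries++
	bits := map[string]bool{}
	for _, t := range tags {
		if b := t.nextBit(prefix); b != "" {
			bits[b] = true
		}
	}
	if len(bits) == 0 {
		// Nobody answered: either no tag matches, or exactly one tag's full
		// ID equals the prefix and it has been singulated.
		for _, t := range tags {
			if t.ID == prefix {
				return []string{prefix}
			}
		}
		return nil
	}
	if len(bits) == 1 {
		// All responders agree on the next bit: no collision, extend the prefix.
		for b := range bits {
			return r.treeWalk(tags, prefix+b)
		}
	}
	// Collision: responders disagree, so split the population on the next bit.
	found := r.treeWalk(tags, prefix+"0")
	return append(found, r.treeWalk(tags, prefix+"1")...)
}

// sampleTags is a constructed population of four tags in the reader's field.
var sampleTags = []Tag{{"1010"}, {"0111"}, {"1100"}, {"0110"}}

func main() {
	r := &Reader{}
	ids := r.treeWalk(sampleTags, "")
	fmt.Printf("singulated %v in %d queries\n", ids, r.Queries)
}
```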
The read range of passive RFID tags varies according to four key factors: the design/length of the tag antenna, the radio wave frequency used, the power of the reader and the material between tag and reader.

Table: Common RFID operating frequencies for passive RFID tags (Source: National Institute of Standards and Technology and Bear Stearns, "Supply Chain Technology", January 2004)

The development of inexpensive passive tags has made it possible to consider the adoption of RFID technology in wide-scale implementations, in an effort to optimize government and industry processes.

Semi-passive
Compared to passive tags, semi-passive tags have an embedded power source used for specific purposes. These include monitoring environmental conditions and powering the tag's internal micro-electronics. The main use of the power source of semi-passive tags is in enabling efficient data storage. On the other hand, semi-passive tags do not initiate communications with (do not actively transmit information to) readers. Most tags in this category remain dormant (thus conserving battery life) until they receive a signal from a reader. Finally, it is worth mentioning that semi-passive tags have the shortest lifetime of all types of RFID technology, a fact that poses serious considerations regarding IDM.

Active
Active tags represent the most powerful RFID technology, mainly because they contain a power source and a transmitter. These tags have read/write capabilities and can communicate over distances of up to hundreds of feet (depending on battery power). In addition to storing data, active tags allow the data in the tag's memory to be updated when necessary; this means that the tag has a larger memory capacity than the other types of RFID tag, as well as higher costs. It is important to consider that the read/write capability of active tags represents both a revolutionizing advantage and a huge risk, depending on the context of use of the RFID system.

Benefits of using RFID Technologies
It can be argued that RFID is a new and enhanced barcode. However, compared to barcodes, RFID offers three significant advantages: it provides sufficient storage capacity for larger-scale implementations, it is reprogrammable, and it can be undetectable to the human eye due to its miniature size. The most important advantage of an RFID system is that it expands the range and function of databases.
In the private sector, RFID technology has revolutionised the management of the supply chain (and other business processes that involve utilization management and/or tracking) by enabling identification, tracking and data processing for each individual item (compared to previous solutions that identified items per product category). Accenture highlights that RFID has already been used in public service provision, such as public transport services around the world. The benefits in the public transport domain extend to all parties involved (passenger, driver and the transport company), since the RFID system (1) improves security by eliminating the exchange of money, (2) causes less distraction to the driver, (3) is convenient for passengers, who do not need a ticket or to know the precise fare before they board the bus, and (4) reduces maintenance costs for ticket dispensers and optimizes the fare collection process. Similar advantages are expected in public service providers' transactions with citizens in a range of contexts. The individual's and society's privacy issues arising from the use of RFID technology will be discussed in detail later in the paper.

2.3.2 Other Card Technologies
Apart from RFID tags, other types of silicon chip can be used in plastic ID cards. Depending on the sophistication of the silicon chip, smart cards (carrying chips other than RFID tags) have the ability both to store data in their memory (RAM) that is processed by the smartcard reader, and to store procedures (ROM) to manipulate data through an embedded microprocessor. The movement towards smart cards and away from magnetic-stripe cards has been driven by the need to update data on the card, as well as by the limited infrastructure for ensuring an acceptable level of security with magnetic stripe cards.
And while ISO 3 allowed for update operations on the magnetic stripe, it failed to be widely adopted because of non-existent offline security and the high cost of installing and maintaining reliable readers/writers. Smartcards, unlike magnetic stripe cards, can carry all necessary functions and information on the card. Therefore, they do not require access to remote databases at the time of the transaction and, depending on their memory capacity, can have embedded security (cryptography) modules.

Smartcard Lifecycle
The smartcard lifecycle typically consists of five distinct stages. First there is the fabrication phase, where the manufacturer assigns a fabrication key to protect the chip from unauthorized tampering. Then the chip is mounted on the actual card and the fabrication key is replaced by a personalization key. During the third phase, the manufacturer equips the card with the functions it will need during its lifetime: the application and data are written to the card, including the unique identifier, the name of the cardholder and a utilization lock indicating that the card is in use. In the fourth (utilization) phase, access to the card is limited by the user's PIN or another authentication key that
indicates how many of the functions of the card the cardholder can access. Last, in the end-of-life phase, the card is discarded and must be disabled (also in cases where the card is lost or malfunctioning).

Structure of integrated circuit (IC) microprocessor cards
The integrated circuit (IC) microprocessor card has the file structure presented in the following schematic.

Figure: The internal structure of an integrated circuit processor card

The Master File (MF) is a list of the headers of all the dedicated and elementary files that have the MF in their parental hierarchy, acting as an indexing service. A dedicated file (DF) includes its own data and the headers of its immediate children, whereas an elementary file (EF) contains its own header and data. The microprocessor reads the access information first and, if the entity 'calling' for the information does not have the access rights to the file, it locks access to the elementary file.

Optical Memory Cards
Optical memory cards are another type of smart card technology that has many advantages in terms of storage capacity, durability, the ability to create a laser image of the photograph, and others. Different vendors provide different types of smartcard technology; the latest technological development in smart cards is the optical memory card. Optical memory cards have two advantages over other technologies, including RFID tags. First, they have a comparatively large storage capacity, reaching 5 to 6 Mbytes (a typical card has 2.8 Mbytes) of digital data. This is particularly helpful in governmental IDM and immigration systems, as it allows for the storage of facial images, fingerprint images and iris patterns (and probably a chronological series of each biometric). Furthermore, an identification scheme can take advantage of the large storage capacity of the cards by recording transaction details (thousands of transaction records can be stored).
Finally, it has been widely suggested by forensic document specialists that optical memory is the most counterfeit-resistant machine-readable technology available. An additional characteristic of optical memory cards is that the card writers can create an indestructible laser image of the photograph at resolutions up to 12,000 dots per inch and etch it into the card. This is a unique feature for machine-readable cards and enables higher ID security by allowing the comparison of the photograph on the card with the laser image and with the person. It is worth mentioning that the optical media is laminated between multiple layers of polycarbonate, which ensures the high durability of the card. However, the price of readers/writers for optical memory cards is high compared to RFID readers/writers, a factor that may seriously impede their adoption in governmental implementations.

Card Technologies Comparison
As described above, smart cards can be read either by direct contact (i.e. inserted into a reader) or by being placed in close proximity to the reader (i.e. contactless technologies such as RFID). Contact cards may contain embedded microprocessors and offer better security, whereas contactless cards contain
antennae and offer the advantage of convenience and may speed up transaction times. Smartcards can also be online, offline or hybrid. Briefly, online smartcards allow access to external databases rather than holding information in their own memory, whereas offline cards hold data physically with no computer backup. Most smartcards are a combination of the two types, allowing both online and offline verification of identity depending on the level of security required at the point of service. In the following table, a variety of alternative smartcards are compared according to their cost, processing power and maximum data capacity.

Table: Comparison of card technologies

2.4 Security and Cryptography

A major driving force for IDM schemes around the world is to increase national and social security; in order to achieve this, a reasonable degree of information protection is required. The concept of security in a national IDM system is similar to that in other information systems: it refers to mechanisms and procedures designed to ensure that information is not stolen, misused, damaged or modified without authorization, and that access to it is not groundlessly denied. After the events of 9/11, the photo ID has come to be regarded as a useless security measure; and, as we have argued, governments around the world are adopting alternative biometric technologies. The NIR (UID repository) will be accessed by a variety of public and private service providers, other governmental agencies (police, national security office and others) and citizens, through the use of biometric smart ID cards and/or a national Identification Number (IN). Moreover, as mentioned, one of the objectives of the scheme should be to enable more efficient eGovernment, including eVoting and access to existing governmental eServices.
In order to do so, but also to enable secure communication between card readers and the NIR, the scheme presupposes the existence of (a) cryptographic technologies and (b) a national PKI that will issue digital certificates to each enrolled citizen (stored inside the ID card) and use them to enable secure and efficient citizen authentication and eService access control. A microprocessor with an on-board cryptographic engine provides the appropriate security in terms of identification and authentication based on symmetric and asymmetric cryptography. This is handled through a PKI responsible for enabling citizen authentication and access to both data and services. Furthermore, by incorporating digital signatures inside the smart ID card, the proposed scheme achieves non-repudiation. Security in a national IDM scheme should address, at a minimum:
a. the visual security of the plastic card itself (against card forgery),
b. the security of the card data against being accessed/read/altered by an unauthorized entity,
c. the security of the communication channels in the resulting network (network security),
d. authentication and access management at the level of the NIR (against unauthorized access),
e. the preservation of the security and reliability of the privacy-sensitive data held in the NIR.

Traditional ways for ensuring the visual security of the ID card
In secure IDM systems, ID cards usually have visual security features that make the card more difficult to manufacture, copy and/or imitate. Visual security features today consist of a combination of the following: ultraviolet printing, optically variable ink, rainbow printing and guilloches, multiple laser images, softened personalized area, anti-copy patterns, microtext, hidden text and holograms. It is worth noting that a combination of these, as defined by card specialists, would be an ideal measure to prevent card replication at a first level.

Cryptography and Security Mechanisms in IDM
Cryptography offers the following possible functionalities (see table below), with differing degrees of interest depending on the IDM subsystem.

Table: Generic Objectives of Cryptography
Data confidentiality: the message must be decrypted for the information to be understood.
Data integrity: assurance that an intruder is not able to alter (in any way) the message's content in transit.
Authentication: the message recipient should be able to confirm that the message originates from the claimed sender.
Electronic certification and digital signatures: protection against unauthorized changes to electronic documents.
Non-repudiation: assurance that the sender will not be able to later deny sending the message (if he has sent it).

In practice, security in IDM comprises three basic building blocks:
- Encryption is used to provide confidentiality, and can provide authentication and integrity protection.
- Digital signatures are used to provide authentication, integrity protection and non-repudiation.
- Checksums/hash algorithms are used to provide integrity protection and can provide authentication.

Securing the database
Needless to say, the NIR database must be secured and shall include a mapping mechanism between readers' serial numbers, readers' locations on the network, and readers' access permissions.
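As an added Go example (not code from the whitepaper or from Accenture), the following exercises the three building blocks on a constructed NIR-style record and checks what each one detects when a single bit of the record or of the ciphertext is changed: AES-GCM for confidentiality (with a built-in integrity check), a bare SHA-256 digest for integrity only, an HMAC for integrity plus authentication under a key shared by two parties such as a reader and the NIR, and an Ed25519 signature for authentication, integrity and non-repudiation. Keys are generated per run; the record's field names and values are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// sampleRecord is a constructed NIR-style record used as the message throughout.
var sampleRecord = []byte(`{"uid":"EXAMPLE-0001","holder":"A. Citizen","template":"<biometric template>"}`)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encryption (confidentiality): AES-GCM hides the record and binds an
// authentication tag to it, so a modified ciphertext fails to open.
func seal(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

func open(key, nonce, ciphertext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// Hash (integrity only): anyone can recompute SHA-256, so a bare digest
// detects change but proves nothing about who produced the record.
func digest(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return sum[:]
}

// Keyed checksum (integrity + authentication): only holders of the shared
// key can produce a valid HMAC. Because both sides hold the same key, it
// cannot provide non-repudiation; that needs a signature.
func mac(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// Outcome records what each building block did with the record and with a
// one-bit modification of it.
type Outcome struct {
	GCMRoundTrip, GCMDetects, HashDetects, MACDetects, SigValid, SigDetects bool
}

// cryptoDemo applies every block to sampleRecord, then flips one bit and
// reports which mechanism notices.
func cryptoDemo() (Outcome, error) {
	var o Outcome
	key := make([]byte, 32) // AES-256 / HMAC key, generated for this run
	if _, err := rand.Read(key); err != nil {
		return o, err
	}
	tampered := append([]byte{}, sampleRecord...)
	tampered[len(tampered)-3] ^= 0x01 // constructed tampering: one bit of the record

	nonce, ct, err := seal(key, sampleRecord)
	if err != nil {
		return o, err
	}
	pt, err := open(key, nonce, ct)
	o.GCMRoundTrip = err == nil && bytes.Equal(pt, sampleRecord)
	ct[0] ^= 0x01 // one bit of the ciphertext
	_, err = open(key, nonce, ct)
	o.GCMDetects = err != nil

	o.HashDetects = !bytes.Equal(digest(sampleRecord), digest(tampered))
	o.MACDetects = !hmac.Equal(mac(key, sampleRecord), mac(key, tampered))

	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the card's signing key pair
	if err != nil {
		return o, err
	}
	sig := ed25519.Sign(priv, sampleRecord)
	o.SigValid = ed25519.Verify(pub, sampleRecord, sig)
	o.SigDetects = !ed25519.Verify(pub, tampered, sig)
	return o, nil
}
```

All four mechanisms catch the modification; the difference between them is who could have produced a valid value in the first place, which is exactly the confidentiality / integrity / authentication / non-repudiation split in the table above.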
The database should be maintained by a governmental agency. It is important that, through the design of the database, access is controlled for different service providers/agencies under the relevant information policies and legislation.

Securing the communication channel
The following diagram illustrates a possible way of ensuring that communication between a card reader and a database (i.e. the NIR) occurs over a secure communication channel, in order to minimize the risks arising from eavesdropping.
Figure: Secure communication channel

After the process shown in the above schematic has completed successfully, the citizen's public key can be used to decrypt the information on the card, and the cardholder/citizen can be verified.

National Public Key Infrastructures and Digital Certificates
Regarding IDM schemes, the most prominent cryptography and security developments revolve around the development of a national Public Key Infrastructure (PKI) and its operation through digital certificates or digital signatures stored in the ID card. PKIs are a basic requirement for national IDM schemes where the ID card is designed to fulfil a dual purpose:
- Act as a physical identity mechanism, to physically identify a citizen
- Act as an electronic authentication mechanism, to secure electronic identification, authentication and access to specific network resources (e.g. web-based government services)

With the roll-out of smart ID cards, the establishment of a PKI for efficient web service provision may be a se seductive opportunity for future uses of the IDM system. RSA Security defines a PKI as consisting of 'protocols, services, and standards supporting applications of public-key cryptography'. PKI sometimes refers simply to a trust hierarchy based on public-key certificates, and in other contexts embraces encryption and digital signature services provided to end-user applications. Although PKIs can take several different forms, they essentially involve the existence of a Certification Authority (CA), a Registration Authority (RA), a user (citizen), a repository and a relying party. In a highly secure PKI, the main requirement is to have more than one PKI authority (i.e. CA). The PKI authorities involved must interoperate so as to establish trust relationships between governmental agencies, and in order to do so the PKI architecture can take one of the two forms presented in the following table.

Two Alternative PKI Architectures

A. Hierarchical PKI: The common trust point is provided by a root CA, trusted by all subordinate CAs (subordinate CAs are cross-certified by the root CA). This means that subordinate CAs can interoperate, as each has a verifiable path to the root CA. However, as with single-CA models, the hierarchical PKI has a single point of failure. Its realization may fail on both practical and political grounds.

B. Mesh PKI: CAs are connected in a set of peer-to-peer bilateral relationships (by one- or two-way cross-certification). This results in no single trust point; trust is established through the bilateral relationships in the form of a 'trust network', enabling adaptability and scalability but introducing performance drawbacks in large networks.
In the registration stage for the national ID card, the only difference is that the local authority (where the registration takes place) will have to forward a request to the CA for the issuance of a digital certificate. Once the registration is validated and the digital certificate is issued, the smart ID card can be issued to the citizen. Experience from electronic ID projects around the world has shown that each national ID card should contain at least two discrete PKI-based digital certificates: one used for authentication and the other for digital signing. These certificates will have two associated private keys that will be stored on the card and protected by a unique user PIN code. One of the most important issues in national PKIs is how the certificates are issued and managed. One possible scenario is that the CA and RA lie within the boundaries of governmental control. In this case, it is necessary to establish a governmental agency to control the registration and certification process. In an alternative scenario, where the government cannot provide assurance or does not possess the resources to run and maintain this service, a Trusted Third Party (TTP) can be subcontracted under a strict service level agreement. The TTP will be responsible for decrypting the message sent by citizen A to service provider B (which can be an eGovernment service) with a secret key it shares with A, and then re-encrypting the message with a secret key shared with B. The message recipient B (service provider or web-based government service) will then decrypt the message from A with the secret key shared between the TTP and B. Finally, in order for any PKI to be successful, a properly functioning revocation system must be put in place to provide individuals, and agencies dealing with individuals, with a way to identify bad certificates.
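The following Go example is added here and is not code from the whitepaper or from Accenture; the CA names are assumptions. It builds the hierarchical architecture from the table above (a self-signed national root CA certifying a regional subordinate CA, which issues a card's authentication certificate), shows a relying party that trusts only the root verifying the chain and rejecting the same certificate under an unrelated root, and then has the regional CA publish a CRL that the relying party checks, which is the revocation requirement just described.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Hierarchical PKI model: national root CA -> regional CA -> card certificate.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// template builds either a CA (able to sign certificates and CRLs) or a
// card authentication certificate template, valid for one day.
func template(serial int64, name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		t.ExtKeyUsage = nil
	}
	return t
}

// issue signs tmpl for key with the parent's key; a nil parent makes a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey, key *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// verifyChain is the relying party's check: it trusts only root and must find
// a path leaf -> intermediate -> root with an acceptable key usage.
func verifyChain(leaf, intermediate, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// issueCRL has a CA publish a signed revocation list containing one serial.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial *big.Int) *x509.RevocationList {
	now := time.Now()
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}},
	}, ca, caKey)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	return crl
}

// isRevoked checks the CRL's signature against its issuer before trusting it.
func isRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate) bool {
	must(crl.CheckSignatureFrom(issuer))
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

// pkiDemo: does the card chain to the root? to an unrelated root? is it revoked after the CRL?
func pkiDemo() (chainOK, foreignRootOK, revoked bool) {
	rootKey, regionKey, cardKey := newKey(), newKey(), newKey()
	root := issue(template(1, "Example National Root CA", true), nil, nil, rootKey)
	region := issue(template(2, "Example Regional CA", true), root, rootKey, regionKey)
	card := issue(template(3, "citizen authentication", false), region, regionKey, cardKey)
	chainOK = verifyChain(card, region, root)
	foreignRoot := issue(template(9, "Unrelated Root CA", true), nil, nil, newKey())
	foreignRootOK = verifyChain(card, region, foreignRoot)
	revoked = isRevoked(issueCRL(region, regionKey, card.SerialNumber), region, card)
	return
}
```

Two points the code makes explicit: the relying party never needs the regional CA's key, only a verifiable path to the root it already trusts, and a CRL is itself a signed object whose signature must be checked against its issuer before its contents are acted on.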
Certificates can become invalid for many reasons, including the loss or theft of the corresponding private key or termination of the certificate. Thus, if we consider the existence of a national smart ID card (with incorporated biometric data), the ID card would contain a microprocessor, a crypto-engine and the issued digital certificates in its memory. The master file (refer to: Other Card Technologies) will therefore include two dedicated files (DFs) for the storage of:
DF1: the digital certificate(s) (usually X.509 certificates)
DF2: information about the installed services and the public keys of the institutions providing the service
In order to ensure that the digital certificates and public-key information are protected against unauthorized alteration or deletion, the access mode to the DFs can be restricted to read-only. Other uses of the crypto-engine include strong network authentication, the signature operations of the card, and the authentication and secure messaging process during the installation phase of the qualified national services. The crypto-engine is used to generate the two keys used for the strong network authentication of the card, based on asymmetric cryptography (block ciphers). The private key length defines the strength of the encryption/decryption processes (a key length of 1024 bits or more may be justified for the purposes of national IDM), and the algorithm used for service installation can be any 'secure' block cipher such as 3-DES or AES (Advanced Encryption Standard). Iterative block ciphers are block ciphers that apply multiple encryption rounds: a set of sub-keys is derived from the original secret key and applied at each iteration of the algorithm to transform the data. There is therefore a trade-off between security (added by each round of transformation) and speed (the more rounds, the slower the computation).
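The round and sub-key structure of an iterative block cipher, and the security-versus-speed trade-off just described, can be seen directly in a small Feistel network. The following is an added teaching example, not code from the whitepaper and not an implementation of 3-DES or AES: the key schedule and round function are built from SHA-256 purely so that the structure is visible, the 128-bit block size is chosen to match AES, and the key and plaintext values are constructed. It measures how far a one-bit plaintext change spreads through the ciphertext after a given number of rounds.

```python
"""Toy iterative (Feistel) block cipher: sub-key schedule, rounds and diffusion.
Constructed teaching example; not a standard cipher and not for real use."""
import hashlib

HALF = 8  # 64-bit halves -> 128-bit block, the same block size as AES


def key_schedule(master_key: bytes, rounds: int) -> list:
    """Derive one sub-key per round from the original secret key."""
    return [hashlib.sha256(master_key + bytes([r])).digest()[:HALF] for r in range(rounds)]


def round_function(half: bytes, subkey: bytes) -> bytes:
    """Non-linear mixing of one half of the block under the round's sub-key."""
    return hashlib.sha256(subkey + half).digest()[:HALF]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(block: bytes, subkeys: list) -> bytes:
    """One Feistel round per sub-key: more rounds give more mixing and cost more work."""
    assert len(block) == 2 * HALF, "exactly one block expected"
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        left, right = right, xor(left, round_function(right, k))
    # Undo the final swap so that decryption is the same network with the
    # sub-keys applied in reverse order.
    return right + left


def decrypt_block(block: bytes, subkeys: list) -> bytes:
    return encrypt_block(block, list(reversed(subkeys)))


def bits_changed(a: bytes, b: bytes) -> int:
    """Hamming distance between two blocks: how far a change has spread."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def diffusion_after(rounds: int, key: bytes = b"constructed-master-key") -> int:
    """Flip one bit in the plaintext's left half and count changed ciphertext bits.
    After a single round the flipped bit is simply carried through, so only
    one ciphertext bit differs; further rounds spread it across the block."""
    subkeys = key_schedule(key, rounds)
    p1 = bytes(range(2 * HALF))                 # constructed plaintext block
    p2 = bytes([p1[0] ^ 0x01]) + p1[1:]          # same block with one bit flipped
    return bits_changed(encrypt_block(p1, subkeys), encrypt_block(p2, subkeys))


if __name__ == "__main__":
    subkeys = key_schedule(b"constructed-master-key", 16)
    pt = b"0123456789abcdef"
    ct = encrypt_block(pt, subkeys)
    assert decrypt_block(ct, subkeys) == pt
    for r in (1, 2, 4, 8, 16):
        print(f"{r:2d} round(s): {diffusion_after(r):3d} of 128 ciphertext bits changed")
```

The one-round result shows why a single transformation adds almost no security: the changed bit is still visible in the output. Each extra round costs another pass over the block, which is the speed side of the trade-off, and real ciphers fix the round count (16 for DES, 10 to 14 for AES) where the mixing is judged sufficient against known attacks.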
An alternative way to implement a digital-certificate-based PKI is through a TTP-enabled pseudonymity scheme that fulfills two tasks:
Creating personal pseudonyms (offline)
Certifying pseudonyms (online)
The registration is offline because the service must be convinced of the correctness of the individual's identity data outside the identity management system. After registration of the user's data, the user gets a
