Page 1: Integrated Solutions for Secure Identity

Cryptographic Techniques for the Protection of Biometric Data in the E-Passport / E-DNI

f-ID Security Technologies GmbH, Dr. Yuri Grigorenko, Biometria 2007, Buenos Aires, 30.11.07

Page 2: In a Nutshell

f-ID Security Technologies:

• is a security consultancy company and OEM solution provider specializing in the field of identity management
• is based on a managing team of IT veterans with a combined experience of over 30 years in the smart card business and information security sector
• provides a wide portfolio of consulting services and integrated solutions in the field of identity security for governments worldwide

Page 3: Services

• We focus on the combination of Identity Management with IT Security Technologies
  • Smart Cards
  • Public Key Infrastructure
  • Hardware Security Modules

• Our services include:
  • Threat analysis
  • Technological gaps identification
  • Available products survey and QA
  • Provision of tailored technological solutions
  • Second-tier technical support
  • Training programs

Page 4: Encryption Basics

• Encrypting a message is like locking your house
• An encryption algorithm ~ Lock mechanism
• An encryption key ~ Lock key / combination

[Image: lock]

Page 5: Symmetric vs. Asymmetric

• A riddle: How do two people lock a room without sharing the secret code?
• A hint: skcol owt esU !
• Symmetric - same key
• Asymmetric - public and private keys

[Image: locks]

Page 6: Hash Functions

A function that digests the message and provides a unique (and short) representation

• Irreversible
• Public algorithms

[Diagram: Yuri's message ("To: Marcel, CC: Yuri, From: Yuri, This is the original message") goes through Hash and is sent with the hash value (ADS#$#$%3ffr4) appended. Marcel runs Hash on the received message and compares (?).]

Page 7: Encryption Process

• Symmetric / Asymmetric
• Confidentiality

[Diagram: Yuri's message ("To: Marcel, CC: Yuri, From: Yuri, This is a secret message") goes through Encryption and travels as ciphertext (SDF#$%8SDFD21#$ADF#@$4D); Marcel recovers it through Decryption. Asymmetric case: Encryption uses Marcel's public key, Decryption uses Marcel's private key. Symmetric case: both sides use the same mutual key.]

Page 8: Signing Process

• Asymmetric
• Authenticity

[Diagram: Yuri's message ("To: Marcel, CC: Yuri, From: Yuri, This is an authenticated message") goes through Encryption with Yuri's private key and travels as ciphertext (SDF#$%8SDFD21#$ADF#@$4D); Marcel recovers it through Decryption with Yuri's public key.]

Page 9: Digital Signature

[Diagram: Yuri computes the Hash of the message "To: Marcel, CC: Yuri, From: Yuri, This is a signed message" (AD4543$%DF), applies Encryption with Yuri's private key, and sends the message with the result (SDF#$%8SDFD) appended. Marcel applies Decryption with Yuri's public key to the appended value (AD4543$%DF), computes the Hash of the message himself (AD4543$%DF) and compares the two (?).]

Page 10: Trust Models

• Q: How does Marcel know that Yuri's (Kpu, Kpr) wasn't forged?
• A: It has to be digitally signed by someone Marcel trusts (TTP)!

[Diagram: Yuri's public key (Kpu = 0xff132483ab98) is sent with a signature (FFK$#%5534FSAB) next to the signed message ("This is a signed message", SDF#$%8SDFD). The signature on the key is labelled "Encrypt with trusted party Kpr"; Marcel's side is labelled "Decrypt with trusted party Kpu", followed by Hash (GR%3HJT$6) and a comparison (?).]

Page 11: Certificates

• X.509 Certificate Standard
• Card Verifiable Certificates

[Diagram: a certificate containing Yuri's public key (Kpu = 0xff132483ab98), additional information (Issuer, Validity, privileges…) and the value FFK$#%5534FSAB, labelled "Hash signed by a trusted party".]

Page 12: General

What should we protect?

• Authenticity of personal data
• Privacy of personal and biometric data
• Passport uniqueness
• An ICAO TAG/MRTD recommendation

[Diagram labels: Passive Authentication, Basic Access Control, Extended Access Control, Active Authentication]

Page 13: Logical Data Structure

Logical Data Structure:
• Mandatory - personal details, face picture, digital signature.
• Optional - Fingerprint, iris, signature picture…

LDS:
• Data group 1 (MRZ)
• Data group 2 (Encoded Face)
• Data group 3 (Encoded Finger)
• Data group 4 (Encoded IRIS)
• Data group 5 (Displayed Face)
• Data group 6 (Future Use)
• Data group 7-15
• Data group 16 (Persons to notify)

Page 14: Passive Authentication

LDS:
• Data group 1 (MRZ)
• Data group 2 (Encoded Face)
• Data group 3 (Encoded Finger)
• Data group 4 (Encoded IRIS)
• Data group 5 (Displayed Face)
• Data group 6 (Future Use)
• Data group 7-15
• Data group 16 (Persons to notify)

SOD:
• Hash DG_1
• Hash DG_2
• Hash DG_5
• Digital Signature

• Protects against data alteration:
  • Personal data
  • Hash values

Only issuer could have signed this passport!

Page 15: PA Trust Levels

2 level PKI

[Diagram: CSCA Environment with HSM, Backup HSM and CA management software; DSCA Environments with HSM, Backup HSM and Document Signer Software. Also shown: Personalization equipment, DB, ePassport Management System.]

Page 16: Basic Access Control

Who can read my personal and biometric data?

• Skimming - secretly reading the data from a small distance
• Eavesdropping - passive observation of “legal” communication

Solution: If I can see your passport - I am allowed to read it!

• Establishment of a symmetric encryption key based on the optically readable MRZ, thus encrypting the connection between the passport and the reader

[Diagram: the printed MRZ

P<D<< GRIGORENKO<YURI<<<<
123456D<<123M01011975<<<<<0

goes through Hash (symmetric key establishment), and the resulting key drives ENCRYPTION of the link.]
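The key establishment on this slide, written out as an added example (not part of the original deck): it follows the Basic Access Control key derivation published in ICAO Doc 9303, where the reader builds the key seed from three MRZ fields and their check digits. The field values in the usage section are constructed sample data, and the function names are this example's own.

```python
import hashlib

def check_digit(field):
    # ICAO 9303 check digit: weights 7,3,1 repeating; 0-9 as-is, A-Z = 10..35, '<' = 0.
    def value(ch):
        if ch.isdigit():
            return int(ch)
        return 0 if ch == "<" else ord(ch) - ord("A") + 10
    return str(sum(value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10)

def mrz_information(doc_number, birth, expiry):
    # Document number (padded to 9), birth date and expiry date (YYMMDD),
    # each followed by its check digit, exactly as printed in the MRZ.
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    return "".join(f + check_digit(f) for f in fields).encode("ascii")

def odd_parity(key):
    # DES convention: the low bit of each byte is set so the byte has odd parity.
    return bytes((b & 0xFE) | (bin(b >> 1).count("1") % 2 == 0) for b in key)

def derive_key(k_seed, counter):
    # counter 1 -> encryption key, counter 2 -> MAC key (two-key 3DES, 16 bytes).
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return odd_parity(digest[:16])

def bac_keys(doc_number, birth, expiry):
    # Key seed = first 16 bytes of SHA-1 over the MRZ information.
    k_seed = hashlib.sha1(mrz_information(doc_number, birth, expiry)).digest()[:16]
    return derive_key(k_seed, 1), derive_key(k_seed, 2)

if __name__ == "__main__":
    # Constructed sample fields, as a reader would take them from the printed MRZ.
    sample = ("L898902C<", "690806", "940623")
    k_enc, k_mac = bac_keys(*sample)
    print("MRZ information:", mrz_information(*sample).decode())
    print("K_enc:", k_enc.hex(), "K_mac:", k_mac.hex())
```

Both sides compute the same keys without any secret being stored in the reader: whoever can optically read the data page can derive them, which is the "if I can see your passport" rule of the slide.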

Page 17: Extended Access Control

• Only a face picture is mandatory biometric data!

• Additional biometric data must be protected from unauthorized access

• A number of possible cryptographic solutions:
  • Data encryption using dedicated Master Key(s), as well as additional information (such as MRZ details)
  • Inspection system authorization, introducing an additional PKI scheme (CVCA, DVCA, IS). A reader must be digitally verified in order to read sensitive data from the passport

• Issuing country is always in control: sharing of secret keys, signing certificates…

Page 18: Active Authentication

LDS:
• Data group 1 (MRZ)
• Data group 2 (Encoded Face)
• Data group 3 (Encoded Finger)
• Data group 4 (Encoded IRIS)
• Data group 5 (Displayed Face)
• Data group 6 (Future Use)
• Data group 7-14
• Data group 15 (AA Public Key)
• Data group 16 (Persons to notify)

SOD:
• Hash DG_1
• Hash DG_2
• Hash DG_5
• Hash DG_15
• Digital Signature

On chip: AA Private Key

• Protects against data copying:
  • AA private key is secretly stored on chip and is unreadable
  • A challenge-response protocol
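How Passive Authentication (Page 14) and Active Authentication (this page) fit together, as an added example that is not part of the original deck. It assumes SHA-256 data group hashes, a JSON-encoded SOD, and a toy textbook RSA built from fixed Mersenne primes standing in for the real signature scheme and encoding; all names and sample values are constructed for the illustration.

```python
import hashlib, json, secrets

# Toy textbook RSA (fixed Mersenne primes, no padding): illustration only, not secure.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_h(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _h(data, pub["n"])

def _sod_blob(hashes):
    return json.dumps(hashes, sort_keys=True).encode()

def issue_sod(dgs, signer_key):
    # Issuer: hash every data group, then sign the list of hashes.
    hashes = {name: hashlib.sha256(body).hexdigest() for name, body in dgs.items()}
    return {"hashes": hashes, "signature": sign(signer_key, _sod_blob(hashes))}

def passive_authentication(dgs, sod, signer_pub):
    # Reader: the signature covers the hashes, the hashes cover the data groups.
    if not verify(signer_pub, _sod_blob(sod["hashes"]), sod["signature"]):
        return False
    return all(name in dgs and hashlib.sha256(dgs[name]).hexdigest() == h
               for name, h in sod["hashes"].items())

def active_authentication(dgs, chip_sign):
    # Reader: fresh challenge to the chip, checked against the public key in DG15.
    challenge = secrets.token_bytes(8)
    return verify(json.loads(dgs["DG15"]), challenge, chip_sign(challenge))

# Constructed sample passport; every value below is invented for this example.
SIGNER = make_key(2**127 - 1, 2**521 - 1)    # issuer's document signer key
AA_KEY = make_key(2**89 - 1, 2**107 - 1)     # AA key pair; private part stays on chip
CLONE_KEY = make_key(2**61 - 1, 2**607 - 1)  # whatever key a copied chip holds
DGS = {"DG1": b"P<UTOSAMPLE<<ANNA", "DG2": b"<face image bytes>",
       "DG15": json.dumps(public(AA_KEY)).encode()}
SOD = issue_sod(DGS, SIGNER)

def demo():
    altered = dict(DGS, DG1=b"P<UTOSAMPLE<<EVE")
    pa = lambda dgs: passive_authentication(dgs, SOD, public(SIGNER))
    return {"genuine": (pa(DGS), active_authentication(DGS, lambda c: sign(AA_KEY, c))),
            "altered_dg1": pa(altered),
            "copied_data": (pa(DGS), active_authentication(DGS, lambda c: sign(CLONE_KEY, c)))}
```

Calling `demo()` shows the division of labour: altered data fails Passive Authentication, while a bit-for-bit copy passes it and is only caught by the challenge-response, because the copy cannot contain the AA private key.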

Page 19: Best Practices

• Modern cryptographic techniques, e.g. PKI, provide a suitable framework for the protection of sensitive biometric data

• Deployment of a Public Key Infrastructure, being a highly complicated issue combining delicate technological aspects, requires unique specialization

• Since the Public Key Infrastructure is the heart of your e-passport security, it is highly recommended to treat it separately from the deployment of the passport production system

• We offer our clients integrated PKI solutions to fit their passport production process

Page 20: Questions

Page 21: Contact Us

• Visit Us: Rosa Hoffman Strasse 33, A-5020 Salzburg, Austria, www.f-id.at

• Call Us: +43 662 906002054, +43 662 903333054

• E-Mail Us: [email protected]