Integrated Solutions for Secure Identity Técnicas ctiptográficas para la Protección de Datos...
-
Upload
erik-palmer -
Category
Documents
-
view
215 -
download
2
Transcript of Integrated Solutions for Secure Identity Técnicas ctiptográficas para la Protección de Datos...
Integrated Solutions for Secure Identity
Técnicas ctiptográficas para la Protección de Datos Biométricos en el E-Passport / E-DNI
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Dr. Yuri Grigorenko
Nov 07’
Services
About USAbout US Basic CryptographyBasic Cryptography PKI & ePassportsPKI & ePassports Best PracticesBest Practices
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
In an Nutshell
• is a security consultancy company and OEM solution provider specializing in the field of identity management• is based on a managing team of IT veterans with a combined experience of over 30 years in the smart card business and information security sector• provides a wide portfolio of consulting services and integrated solutions in the field of identity security for governments worldwide
Integrated Solutions for Secure Identity
Contact USContact US
In an Nutshell
About USAbout US Basic CryptographyBasic Cryptography PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
• We focus on the combination of Identity Management with IT Security TechnologiesSmart CardsPublic Key InfrastructureHardware Security Modules
• Our services include:Threat analysisTechnological gaps identificationAvailable products survey and QAProvision of tailored technological solutionsSecond-tier technical supportTraining program
s
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
Services
CertificatesTrust ModelsDigital SignatureSigning ProcessEncryption ProcessHash FunctionsSymmetric vs. AsymmetricEncryption Basics
Basic CryptographyBasic CryptographyAbout UsAbout Us PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
• Encrypting a message is like locking your house• An encryption algorithm ~ Lock mechanism• An encryption key ~ Lock key / combination
Lock
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
Lock
About USAbout US Basic CryptographyBasic Cryptography PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
• A riddle:How do two people lock a room without sharing the secret code?
•A hint: skcol owt esU !•Symmetric - same key•Asymmetric - public and private keys
Lock
CertificatesTrust ModelsDigital SignatureSigning ProcessEncryption ProcessHash FunctionsEncryption BasicsSymmetric vs. Asymmetric
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
About USAbout US Basic CryptographyBasic Cryptography PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
A function that digests the message and provides a unique (and short) representation
•Irreversible•Public algorithms
Yuri
Marcel
To: MarcelCC: YuriFrom: YuriThis is the original message
Hash
To: MarcelCC: YuriFrom: YuriThis is the original message----------------------ADS#$#$%3ffr4
Hash
?
CertificatesTrust ModelsDigital SignatureSigning ProcessEncryption ProcessEncryption BasicsSymmetric vs. AsymmetricHash Functions
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
About USAbout US Basic CryptographyBasic Cryptography PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
• Symmetric / Asymmetric• Confidentiality
Yuri
To: MarcelCC: YuriFrom: YuriThis is a secretmessage
Encryption
To: MarcelCC: YuriFrom: YuriSDF#$%8SDFD21#$ADF#@$4D
Decryption
Marcel’s public key
Marcel’s private key
CertificatesTrust ModelsDigital SignatureSigning ProcessEncryption BasicsSymmetric vs. AsymmetricHash FunctionsEncryption Process
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
Marcel
Same mutual key
Same mutual key
About USAbout US Basic CryptographyBasic Cryptography PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
•Asymmetric•Authenticity
Yuri
To: MarcelCC: YuriFrom: YuriThis is an authenticatedmessage
Encryption
To: MarcelCC: YuriFrom: YuriSDF#$%8SDFD21#$ADF#@$4D
Decryption
Yuri’s private key
Yuri’s public key
CertificatesTrust ModelsDigital SignatureEncryption BasicsSymmetric vs. AsymmetricHash FunctionsEncryption ProcessSigning Process
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
Marcel
About USAbout US Basic CryptographyBasic Cryptography PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Yuri Marcel
To: MarcelCC: YuriFrom: YuriThis is a signed message
Encryption
To: MarcelCC: YuriFrom: YuriThis is a signed message-----------------------SDF#$%8SDFD
Decryption
Yuri’s private key
Yuri’s public key
Hash
AD4543$%DF
Hash
AD4543$%DF
AD4543$%DF
?
CertificatesTrust ModelsEncryption BasicsSymmetric vs. AsymmetricHash FunctionsEncryption ProcessSigning ProcessDigital Signature
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
About USAbout US Basic CryptographyBasic Cryptography PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Yuri
Marcel
Yuri’s public keyKpu = 0xff132483ab98------------------------------FFK$#%5534FSAB
To: MarcelCC: YuriFrom: YuriThis is a signed message-----------------------SDF#$%8SDFD
CertificatesEncryption BasicsSymmetric vs. AsymmetricHash FunctionsEncryption ProcessSigning ProcessDigital SignatureTrust Models
•Q: How does Marcel know that Yuri’s (Kpu,Kpr) wasn’t forged ?
•A: It has to be digitally signed by someone Marcel trusts (TTP)!
Encrypt with trusted party
Kpr
Decrypt with trusted party Kpu
Hash
?
HashGR%3HJT$6
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
About USAbout US Basic CryptographyBasic Cryptography PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Yuri’s public key Kpu = 0xff132483ab98
additional information Issuer, Validity, privileges… ------------------------------ FFK$#%5534FSAB
Encryption BasicsSymmetric vs. AsymmetricHash FunctionsEncryption ProcessSigning ProcessDigital SignatureTrust ModelsCertificates
•X.509 Certificate Standard
•Card Verifiable Certificates Hash signed by a
trusted party
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
Active AuthenticationExtended Access ControlBasic Access Control PA Trust LevelsPassive AuthenticationLogical Data Structure
Basic CryptographyBasic CryptographyAbout UsAbout Us PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
What should we protect?
• Authenticity of personal data
• Privacy of personal and biometric data
• Passport uniqueness
• An ICAO TAG/MRTD recomendation
General
Passive Authentication
Basic Access Control
Extended Access Control
Active Authentication
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
Active Authentication
Basic CryptographyBasic CryptographyAbout UsAbout Us PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Logical Data Structure:• Mandatory - personal details, face picture, digital signature.• Optional - Fingerprint, iris, signature picture…
Data group 1 (MRZ)
Data group 2 (Encoded Face)
Data group 3 (Encoded Finger)
Data group 4 (Encoded IRIS)
Data group 5 (Displayed Face)
Data group 6 (Future Use)
Data group 7-15
Data group 16 (Persons to notify)
LDS
Extended Access ControlBasic Access Control PA Trust LevelsPassive AuthenticationGeneralLogical Data Structure
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
Active AuthenticationGeneral
Basic CryptographyBasic CryptographyAbout UsAbout Us PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Data group 1 (MRZ)
Data group 2 (Encoded Face)
Data group 3 (Encoded Finger)
Data group 4 (Encoded IRIS)
Data group 5 (Displayed Face)
Data group 6 (Future Use)
Data group 7-15
Data group 16 (Persons to notify)
LDS SOD
Hash DG_1
Hash DG_2
Hash DG_5
Digital Signature
• Protects against data alternation:
• Personal data
• Hash values
Extended Access ControlBasic Access Control PA Trust LevelsLogical Data StructurePassive Authentication
Only issuer could have signed this passport!
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
Active AuthenticationGeneral
Basic CryptographyBasic CryptographyAbout UsAbout Us PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
DSCA EnvironmentsCSCA Environment
HSM
Backup HSM
CA managem
ent software
HSM
Backup HSM
Document SignerSoftwar
e
Personalization
equipment
DBePassport Management
System
Extended Access ControlBasic Access ControlPassive AuthenticationLogical Data Structure PA Trust Levels
2 level PKI
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
Active Authentication
Basic CryptographyBasic CryptographyAbout UsAbout Us PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Extended Access ControlGeneralLogical Data StructurePassive Authentication PA Trust LevelsBasic Access Control
Who can read my personal and biometric data?
• Skimming - secretly reading the data from small distance
• Eavesdropping - passive observation of “legal” communication
Solution: If I can see your passport - I am allowed to read it!
• Establishment of a symmetric encryption key based on the optically readable MRZ, thus encrypting the connection between the passport and the reader
P<D<< GRIGORENKO<YURI<<<<
123456D<<123M01011975<<<<<0
Symmetric key establishment
HashENCRYPTION
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
Active Authentication
Basic CryptographyBasic CryptographyAbout UsAbout Us PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
GeneralLogical Data StructurePassive Authentication PA Trust LevelsBasic Access ControlExtended Access Control
• Only a face picture is a mandatory biometric data!
• Additional biometric data must be protected from unauthorized access
• Number of possible cryptographic solutions:
• Data encryption using dedicated Master Key(s), as well as additional information (such as MRZ details)
• Inspection system authorization, introducing additional PKI scheme (CVCA, DVCA, IS). A reader must be digitally verified in order to read sensitive data from the passport
• Issuing country is always in control: sharing of secret keys, signing certificates…
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
General
Basic CryptographyBasic CryptographyAbout UsAbout Us PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Data group 1 (MRZ)
Data group 2 (Encoded Face)
Data group 3 (Encoded Finger)
Data group 4 (Encoded IRIS)
Data group 5 (Displayed Face)
Data group 6 (Future Use)
Data group 7-14
Data group 15 (AA Public Key)
LDS SOD
Hash DG_1
Hash DG_2
Hash DG_5
Digital Signature
• Protects against data coping:
•AA private key is secretly stored on chip and is unreadable
•A challenge-response protocolData group 16 (Persons to notify)
Hash DG_15
AA Private Key
Logical Data StructurePassive Authentication PA Trust LevelsBasic Access ControlExtended Access ControlActive Authentication
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
Questions
Basic CryptographyBasic CryptographyAbout UsAbout Us PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
•Modern cryptographic techniques, e.g. PKI provide the suitable framework for protection of sensitive biometrical data
•Deployment of a Public Key Infrastructure, being a highly complicated issue combining delicate technological aspects, requires unique specialization
•Being the heart part of your e-passport security, it is highly recommended to treat the Public Key Infrastructure separately from the deployment of the passport production system
•We offer our clients an integrated PKI solutions to fit their passport production process
Best Practices
Basic CryptographyBasic CryptographyAbout UsAbout Us PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US
Best PracticesQuestions
Basic CryptographyBasic CryptographyAbout UsAbout Us PKI & ePassportsPKI & ePassports
f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Visit Us:Rosa Hoffman Strasse 33A-5020 Salzburg, Austriawww.f-id.at
Call Us:+43 662 906002054+43 662 903333054
• E-Mail Us:[email protected]
Integrated Solutions for Secure Identity
Best PracticesBest Practices Contact USContact US