Javacard as Govtid 100206130505 Phpapp01



Transcript of Javacard as Govtid 100206130505 Phpapp01

  • 8/9/2019 Javacard as Govtid 100206130505 Phpapp01

    Slide 1

    Govt. Citizen ID with Java Card™ Platform

    Emphasis on the role and relevance of Java Card and Sun Identity Management Technologies

    Ramesh Nagappan

    Security Technologist, ISV-E

    [email protected]

    http://www.coresecuritypatterns.com/blogs

    Sun Microsystems 2009, Slide 2

    Undisputed Market Leader in Multi-Application Smart Cards

    Market segments shown: Finance, Government/Healthcare, Telecom, Corporate Loyalty

    [Figure: sample U.S. DoD Common Access Card (Armed Forces of the United States, U.S. Navy / DoD Civilian) with the printed fields Last name; First name, Initial; Issue Date; Expiration Date; Identification Card; Organization Seal; Photograph; Chip. Sample holder "Parker IV, Christopher J.", dates printed September 30 2001 and October 1 2001]

    Slide 3

    Introduction to Java Card Technology

    A programmable runtime engine for smart cards
    > Open and standards-based
    > Built for multi-application
    > Proven security (enabling on-card PKI/biometric credentials for physical/logical access control)

    A future-proof platform for smart card based services
    > Dynamic application loading
    > Test-suite enforced interoperability
    > Cryptography and biometrics support

    A reference technology for smart card issuers
    > Market leader in security for Government and Citizen ID
    > Market leader in reliability for wireless, banking, ID
    > Choice of multi-sourcing: obtain cards from multiple vendors

    Security and Portability with Reliability as Core Value Proposition

    Slide 4

    Java Card Adoption

    6 Billion Java Card units deployed
    > Variety of form factors: passports, contactless cards, USB tokens, smart cards, SIM cards, secure flash memory

    Leader in market segments
    > Telecom (de facto for SIM cards!)
    > Banking (payment cards)
    > ID (Citizen/Govt/Defence/Intelligence)
    > PayTV (cable/dish subscriber cards)
    > Transport, Healthcare...

    Slide 5

    Java Card vs MULTOS

    Slide 6

    Java Card as Cryptographic Token

    Using Smart card based PKI as an Authentication Credential

    PKI enabled smart cards

    A credit card sized computing device acts as a cryptographic token.
    > Contact / contactless cards

    Allows performing core PKI functions
    > Key generation
    > Public/private key operations
    > PIN/biometric authentication
    > Challenge/response authentication

    Supports the use of a Public-Key Infrastructure to verify the identity claim.
    > PKI credential issuance
    > Credential validation/verification via OCSP, CRLs

    Defends against tampering and hacking.
    > PKI/private key protection

    Standards
    ISO 7816
    Java Card, MULTOS
    GlobalPlatform
    PC/SC
    FIPS 201/PIV, CAC
    PKCS#11, PKCS#15
    GSM/PCS
    EMV (Europay/Mastercard/Visa)
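    The slide lists what a PKI-enabled card does; the applet below is an added illustration written for this page (it is not code from the presentation, from Sun, or from any PIV card) of how those functions sit behind the ISO 7816 command interface on Java Card: the key pair is generated on the card, signing is gated on a PIN with a retry counter, and no command returns the private key. The class name, the CLA/INS assignments other than VERIFY (0x20, the ISO 7816-4 value), the public-key response format and the use of install parameters to carry the initial PIN are all assumptions of this example, not a standard. ALG_RSA_SHA_256_PKCS1 requires Java Card 2.2.2 or later; on a 2.2.1 card (the level a later slide cites for PIV) only ALG_RSA_SHA_PKCS1 with SHA-1 is available.

```java
import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.OwnerPIN;
import javacard.framework.Util;
import javacard.security.KeyBuilder;
import javacard.security.KeyPair;
import javacard.security.RSAPublicKey;
import javacard.security.Signature;

// Illustrative PKI-token applet (not PIV): on-card key generation, PIN-gated challenge/response signing.
public class PkiTokenApplet extends Applet {
    // CLA 0x80 is the proprietary class; apart from VERIFY (ISO 7816-4) the INS codes are chosen for this example.
    private static final byte CLA_TOKEN = (byte) 0x80;
    private static final byte INS_VERIFY = (byte) 0x20;
    private static final byte INS_GEN_KEY = (byte) 0x46;
    private static final byte INS_GET_PUB = (byte) 0x47;   // P1=0 modulus, P1=1 exponent
    private static final byte INS_SIGN = (byte) 0x88;
    private static final byte PIN_TRIES = 3, PIN_MAX = 8;
    private static final short NONCE_LEN = 32;
    private static final short SW_PIN_TRIES_LEFT = (short) 0x63C0; // 63 CX: X tries remain
    private static final short SW_PIN_BLOCKED = (short) 0x6983;

    private final OwnerPIN pin;
    private final KeyPair keyPair;
    private final Signature signer;
    private final byte[] nonce;   // RAM copy of the host challenge, cleared on deselect
    private boolean keyReady;

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        // Install parameters: [len][AID][len][control][len][applet data]; applet data = initial PIN (assumed layout use).
        short aidLen = (short) (bArray[bOffset] & 0xFF);
        short ctlOff = (short) (bOffset + 1 + aidLen);
        short ctlLen = (short) (bArray[ctlOff] & 0xFF);
        short pinOff = (short) (ctlOff + 1 + ctlLen);
        new PkiTokenApplet(bArray, (short) (pinOff + 1), bArray[pinOff]);
    }

    private PkiTokenApplet(byte[] pinSrc, short pinOff, byte pinLen) {
        pin = new OwnerPIN(PIN_TRIES, PIN_MAX);
        pin.update(pinSrc, pinOff, pinLen);   // issuers personalise this over a GlobalPlatform secure channel
        keyPair = new KeyPair(KeyPair.ALG_RSA, KeyBuilder.LENGTH_RSA_2048);
        signer = Signature.getInstance(Signature.ALG_RSA_SHA_256_PKCS1, false);
        nonce = JCSystem.makeTransientByteArray(NONCE_LEN, JCSystem.CLEAR_ON_DESELECT);
        register();
    }

    public void deselect() { pin.reset(); }   // a verified PIN never outlives the session

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_CLA] != CLA_TOKEN) ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
        switch (buf[ISO7816.OFFSET_INS]) {
            case INS_VERIFY:  verifyPin(apdu, buf); break;
            case INS_GEN_KEY: generateKey(); break;
            case INS_GET_PUB: sendPublicKey(apdu, buf); break;
            case INS_SIGN:    signNonce(apdu, buf); break;
            default: ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }

    private void verifyPin(APDU apdu, byte[] buf) {
        short len = apdu.setIncomingAndReceive();
        if (pin.getTriesRemaining() == 0) ISOException.throwIt(SW_PIN_BLOCKED);
        if (len < 4 || len > PIN_MAX) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        // OwnerPIN.check owns the retry counter: a mismatch decrements it (blocking at zero), a match resets it.
        if (!pin.check(buf, ISO7816.OFFSET_CDATA, (byte) len))
            ISOException.throwIt((short) (SW_PIN_TRIES_LEFT | pin.getTriesRemaining()));
    }

    private void generateKey() {
        if (!pin.isValidated()) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        keyPair.genKeyPair();   // private key lives in card EEPROM; no command returns it
        keyReady = true;
    }

    private void sendPublicKey(APDU apdu, byte[] buf) {
        if (!keyReady) ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        RSAPublicKey pub = (RSAPublicKey) keyPair.getPublic();
        // A 2048-bit modulus is 256 bytes, the most one short-APDU response carries, so modulus and exponent are separate commands.
        short len = (buf[ISO7816.OFFSET_P1] == 0) ? pub.getModulus(buf, (short) 0)
                                                  : pub.getExponent(buf, (short) 0);
        apdu.setOutgoingAndSend((short) 0, len);
    }

    private void signNonce(APDU apdu, byte[] buf) {
        if (!pin.isValidated()) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        if (!keyReady) ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        short len = apdu.setIncomingAndReceive();
        // Only a fixed-size host nonce is signed, so an unlocked card is not a general signing oracle.
        if (len != NONCE_LEN) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopyNonAtomic(buf, ISO7816.OFFSET_CDATA, nonce, (short) 0, NONCE_LEN);
        signer.init(keyPair.getPrivate(), Signature.MODE_SIGN);
        short sigLen = signer.sign(nonce, (short) 0, NONCE_LEN, buf, (short) 0);
        apdu.setOutgoingAndSend((short) 0, sigLen);   // host verifies against the card's certificate
    }
}
```

    A host drives it over PC/SC: SELECT by AID, VERIFY with the PIN, generate the key, read modulus and exponent (in a real issuance the CA signs them into a certificate that is then stored on the card), then send a fresh random 32-byte nonce and verify the returned signature with the certificate's public key. The nonce must be fresh per authentication, otherwise a recorded response replays; the 63 CX status word tells the host how many attempts remain before 69 83 (blocked). PIV keeps the authentication key separate from the digital-signature key for the same reason this applet refuses to sign anything but a nonce.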

    Slide 7

    Java Card as Biometric Token

    Using Smart card based Biometrics as an Authentication Credential

    Java Card based biometric identity

    Matching of physiological or behavioral characteristics to identify a person.
    > High degree of assurance with proof of presence + proof of possession
    > Fingerprints, facial image/geometry, iris images can be stored on the card.
    > Match on-card samples to live human samples.

    Biometric templates can be stored on the smart card for personal identification.
    > Fingerprint template is ~200 bytes
    > Iris template is 500 bytes

    Biometric credentials must be exchanged over a secure network channel (trusted path).

    Standards
    INCITS 378 / CBEFF (fingerprints), INCITS 379 (iris)
    OASIS BIAS
    BioAPI
    Java Card BioAPI
    FIPS 201 / PIV

    Slide 8

    Managing Govt ID Issuance Life-cycle

    Identity Management life-cycle events (shown as a cycle):
    > Identity Registration
    > Identity Enrollment & Adjudication
    > Card/Credential Issuance
    > Physical & Logical Access Control
    > Credential Maintenance
    > Identity Termination

    Slide 9

    Managing Govt ID Issuance Lifecycle

    Smartcard issuance life-cycle using Sun Identity Management Suite

    [Figure: Sun IDMS takes demographic data, biometrics and PKI as inputs to identity proofing, producing verified credentials (smartcard / biometrics) that feed logical access control and physical access control]

    Slide 10

    Sun IDM Authorization Workflow

    [Figure: workflow stages Applicant Registration (biometrics, breeder documents) -> Enrollment -> Identity Proofing & Adjudication -> Card Issuance & Activation -> Physical & Logical Access Provisioning -> Credential Maintenance -> Retirement / Termination, each step gated by an Approval/Denial from the Hiring Manager, Enrollment Officer, HR Officer or HR Manager]

    Sun IDM manages the authorization workflow and authority approvals and denials.

    Sun IDM facilitates digitally signed approvals using smart card based credentials verified against a PKI provider.

    Slide 11 (Sun Confidential: Sun Employees and Immersion Week 2008 Partner Attendees Only)

    Smart card based Credentials - Logical Access Control

    Slide 12

    Sun Rays In a Govt eID Environment

    Security, Manageability, Reliability, Mobility, Value

    Sun Ray supports the use of most eID and CAC/PIV cards.

    Slide 13

    Logical Deployment of Sun Rays

    Smartcard based authentication for a virtual/remote desktop/application environment

    [Figure: Sun Rays, behind a firewall, reach a data center (behind a second firewall) made up of the Sun Access Tier, Identity/Auth., ESX Virtualization and Applications layers]

    > PIV credential authentication
    > Secure remote access from any location
    > Combine existing authentication and authorization mechanisms using Sun IDMS
    > Windows XP / 2003 desktop virtualization using Sun Rays and Sun VDI

    PC and thin client users can securely access their remote desktops and applications from any location using PIV cards. Once PIV authenticated, the access tier establishes a display connection to the user device and a protocol connection to the back-end desktop OS and applications.

    Each user desktop environment runs on a virtual machine located in the corporate data center. All desktop and application communication remains in the data center. Native protocols are used to access apps; no modification of the OS or apps is required.

    The access tier supports standard authentication mechanisms: LDAPv3, Active Directory, NIS, MS Windows Domain. The access layer controls user access and application profiles, maintains audit logs of user and app usage, and provides the display engine to the user desktop.

    Slide 14

    Sun CMT Servers: Wire-speed Security

    UltraSPARC T2 offers on-chip cryptographic acceleration for PKI applications

    Sun UltraSPARC T2 offers industry-leading cryptography performance for PIV environments.
    > On-chip crypto threads virtually eliminate the cost of large PKI and cryptography workloads
    > Out-performs the competition on SSL and public-key crypto operations
    > Over 30x greater RSA-1024 performance than a 2-socket IBM p510

    Supports commonly used ciphers for public-key encryption and secure hashing functions
    > Public-key cryptography (RSA, DSA, Diffie-Hellman, ECC)
    > Bulk encryption (RC4, DES, 3DES, AES)
    > Secure hash (MD5, SHA-1, SHA-256)
    (RC4, DES and MD5 are listed here as accelerated primitives; none of them is an acceptable choice for new PIV deployments.)

    Slide 15

    Mandatory Access Control and Security Labels (Solaris TX)

    Slide 16

    U.S. Department of Defense Military ID and Geneva Convention Card

    > Common credentials for verified identity
    > DoD-wide health benefits ID card
    > Physical access and manifesting
    > Logical access with PKI/digital signature

    Well established security certification platform, with numerous cards holding FIPS 140 ratings
    > High degree of security and assurance

    Supports additional military branch-specific applications at issuance and post-issuance

    Flexible to support the original CAC format, the CAC transitional format and the PIV format (evolution of requirements)

    Deployment: 3M+ active duty units; over 12M units to date; issuing 30K+ units a day at peak war periods

    [Figure: sample DoD Common Access Card (Armed Forces of the United States, U.S. Navy / DoD Civilian) with the printed fields Last name; First name, Initial; Issue Date; Expiration Date; Identification Card; Organization Seal; Photograph; Chip. Sample holder "Parker IV, Christopher J.", dates printed September 30 2001 and October 1 2001]

    Slide 17

    US Federal Employee PIV Card

    Homeland Security Presidential Directive 12 (HSPD-12) mandated a Federal Government-wide smart card ID program.
    > Use of combined PKI and biometric credentials

    Dual interfaces for both physical and logical access
    > Secure contact/contactless access to target resources

    To date, all deployed PIV cards are Java Card
    > Conformance to Java Card 2.2.1

    By 2013 over 12 million PIV cards will have been issued

    The PIV model is being replicated in the US Federal Govt in programs such as the Transportation Worker Identification Credential (TWIC), First Responder ID, immigration cards and potentially driver's licenses

    Slide 18

    Taiwan Healthcare ID

    National health insurance ID card

    Multi-application smart card
    > Identification, medical profile and benefits
    > E-Purse capable
    > Restricted use by other governmental agencies to protect privacy

    Supports open standards and post-issuance of new applications

    40M Java Cards deployed

    Slide 19

    Belgium National ID

    First country in the EU to deploy a citizen ID card to the entire population

    Multi-application Java Card
    > Identification, e-Government services, e-Voting, etc.
    > Filing tax returns, birth certificates, civil records
    > Digital certificates: authentication, digital signature (PKCS#15 conformance)
    > Commercial applications: e-Banking, e-Ticketing

    Common Criteria EAL 5+ certified

    Deployment: 40+ Million Java Cards

    Slide 20

    Thailand National ID Card

    National citizen ID card to the entire population
    > Multi-application Java Card-based smart card
    > Personal ID, fingerprints, tax, social welfare and social security numbers, agricultural data and healthcare data
    > Citizens will be able to access eGovernment services at e-government kiosks nationwide and by smart card readers integrated into desktop computers

    60M+ Java Cards deployed

    Slide 21

    Oman National ID Card

    First country in the Middle East to start deploying a large-scale citizen ID card to the entire population
    > Multi-application Java Card-based smart card
    > Provides positive identification with digital photograph, digital certificates and biometric authentication
    > Plans to add driver's license, emergency medical data and border control applications

    Deployment: 3M+ Java Cards

    Slide 22

    United Arab Emirates National ID

    National citizen ID card to the entire population
    > Multi-application Java Card-based smart card
    > Positive identification with digital photograph, digital certificates and fingerprint biometric authentication
    > Enabled e-Government services
    > Plans to add driver's license, emergency medical data and border control applications

    Deployment: 4.5+ Million Java Cards

    Slide 23

    Macau Government ID Card

    Multi-application Java Card-based smart card
    > Identification, border control, e-Government, e-Commerce and public services access
    > Driver's license and e-Purse envisioned in future

    Secure laser engraved Java Cards
    > Facial image, signature, and fingerprint biometrics
    > PKI/certificates

    GlobalPlatform-compatible card management system

    Slide 24

    More... Java Card's Govt ID Successes

    UK NHS and MoD
    Canadian ePassports
    Portugal National ID
    Qatar National ID
    Azerbaijan National ID
    Morocco National ID
    Finland National ID
    Italy National ID
    Queensland Australia Driver's License

    And approximately 20 other countries exploring Java Card

    Slide 25

    Thank You !

    Ramesh Nagappan, [email protected]

    http://www.coresecuritypatterns.com/blogs

    Brian Kowal, Head, Java Card Marketing & Sales

    [email protected]
