App Container - GlobalPlatform

AATD
GlobalPlatform Business Seminar
Toronto, August 21, 2002
DoD Common Access Card
From Smart Card to Identity Management
Dr. Robert van Spyk, Senior DMDC Consortium Research Fellow
Bill Boggess, Chief, Access & Authentication Technology Division, DMDC
Topics
1. Context: Challenges Met
2. Learnings: Challenges Ahead
3. Paradigm Shift: from Smart Card to Identity Management
Context: Challenges Met

The Decision: Common Access Card
November 10, 1999, memo from Dr. John Hamre (Deputy Secretary of Defense): Create a Common Access Card
• I.D. card for:
  – Active military
  – Selected Reserves
  – DoD civilians
  – “Inside the wall” contractors
• Physical and logical access
  – Authentication keys
• Military ID card infrastructure
Card Architecture Goals
Goals:
• Security
• Multi-application
• Multiple vendors
• Interoperability
• Post issuance
• Best commercial practices
• COTS
• Cost effective
These goals resulted in the following requirements:
• Java 2.1
• Global Platform
• Interoperability Specification (BSI)
• 32K EEPROM
• FIPS 140-1 Level 2 Certification
The Business Problem
What are DEERS and RAPIDS? Independent but closely coupled established systems which provide eligibility information for DoD benefits.
DEERS
• Defense Enrollment Eligibility Reporting System
• Database with 23 million records providing:
  – Accurate and timely information on all eligible uniformed service members (active, reserve, retired), their families and DoD civilians
• Detailed information on DoD benefit program eligibility
RAPIDS
• Real-time Automated Personnel Identification System
• Application that produces the ID card
  – Automated ID card system for military, retirees and their families
  – Joint, total force, multinational and worldwide
DEERS Population (DMDC Person Repository)
Sponsors (Active, Reserves, Retired, Civil Servants): 8,467,411
Previous Sponsors (Separatees with MGIB): 4,000,000
Family Members: 10,695,181
Total: 23,162,592
Where Are We Today
• 883 Workstations in 466 Locations
• 787,456 Cards issued as of 30 June (current trend issuing around 7,000 cards per day)
Toward the Million Mark
[Pie chart: 787,456 CACs issued as of 30 June, broken down by U.S. Navy, U.S. Army, U.S. Marine Corps, U.S. Air Force, U.S. Coast Guard, DoD Agencies and Other. Segment values printed on the chart: 303,017; 217,493; 137,899; 90,993; 23,037; 9,373; 5,644 (the pairing of segments to services is not recoverable from the extracted text).]
Infrastructure
DEERS/RAPIDS is a Person Based DoD Benefit Delivery System
• DEERS - over 25,000 users throughout DoD
• RAPIDS - 1318 workstations at 878 sites in 13 countries
OVER 1.5 MILLION TRANSACTIONS A DAY
ARMY, NAVY, AIR FORCE, MARINE CORPS, COAST GUARD, NOAA, PUBLIC HEALTH
Learnings: Challenges Ahead
Technology Adoption
[Chart: Percentage of Ownership (0 to 100) versus Years after Invention (0 to 120) for Electricity (1873), Telephone (1876), Automobile (1886), Radio (1905), PC (1975), Internet (1975), Smartcard (1980) and Cell Phone (1983).]
Learnings
1. The card is the tip of the application and IT infrastructure iceberg
2. Standards Mandatory for Interoperability
3. Introduction is not the same as Adoption
4. The card is about Identity

1. Network Infrastructure
• CA access is critical for CRL and issuance
• Network performance impacted by several layers of security
• Workstations converted to Win2K and Active Directory for integrated management: legacy systems problematic (e.g. Y2K conversion)
• TNG and other tools for monitoring

PKI Enabling Non-Trivial
• Legacy applications and OS versions
• Some work: Outlook 2000, Netscape, IE, but only in latest versions
• Requires extensive user training
• Requires local CA for single login application
• Multiple dependencies across network with server security and S/MIME, SSL, SSH, Kerberos, etc.
2. Standards
Made great progress with standards:
• GP version 2.01 and Compliance Testing
• GSC-IS version 2.0 published July 2002 includes
  – Card Edge Interface (CEI)
  – Basic Services Interface (BSI)
  – Extended Services Interface (XSI)
• Java 2.1 version but with proprietary implementations

Interoperability Elusive
• No middleware agreement, hence continued dependence on vendor-specific software for accessing containers
• Standards options lead to incompatible implementations
• FIPS and other certifications costly
Interoperability Solutions
The DoD Strategy
• Embrace standards where they exist and stretch requirements so that standards work for the application - examples: PKCS11, PCSC
• Adopt industry best practices as de facto standards - examples: Global Platform, Javacard
• Publish specifications and distribute freely - example: the card edge specifications for our applets were published
• Develop interfaces that are provided to anyone interested in developing or adapting applications to work with our card system - example: Basic Services Interface (BSI)
3. Adoption
• Security alone not compelling to most
• Requires customer awareness and marketing - DOD has younger demographic
• Quality of Life enhancement
• Multi-purpose
Paradigm Shift: from Smart Card to Identity Management

4. Paradigm Shift: Identity Management
To know, unequivocally, the identity and privileges of an object (person or device) in real time.
Case for a New Paradigm
Credit card industry has long recognized the issue:
• 1960’s - The card looks good - use the embosser
• 1970’s - I need to get authorization for this purchase - central system verification
• Present - all transactions authenticated; network based, always-on connection to central system
Physical Access is at the 1960’s stage - it looks like a good card
Case for a New Paradigm
Today -
Lots of Cards …….
• Lots of credit/debit cards …
  – Different pins - different procedures
  – Different acceptance and capabilities
• Lots of ID cards ….
  – Different trust and authentication levels
  – Visual evidence of your authorizations, memberships, affiliation
The Vision
One Card
[Image: sample Geneva Conventions Identification Card, Armed Forces of the United States, Marine Corps, Active Duty, showing name (Parker IV, Christopher J.), rank (LTCOL), pay grade (O5), issue date (1999SEP03) and expiration date (2003SEP01).]
or a few cards
• Integrated identity solution
• Based on strong authentication
• Incorporating biometrics
• Able to perform multiple functions
Components for Success
What are the components of a strong system?
• Chain of trust in the identity end to end - key role for biometrics
• Independent verification wherever and whenever possible - authoritative confirming records
• Single identity repository that reconciles alternative views of the identity - person id services
• Multi-factor authentication at boundaries - the more the better
• Secure solutions for both the token/card and the central system - especially the biostore
Components for Success
[Diagram:]
1. Enrollment Process - RAPIDS: face to face and biometric identification for ENROLLMENT
2. Unique & Persistent Identity - DEERS: maintain DoD-wide IDENTITY info
3. Third-Party Trust - CERTIFICATE AUTHORITY: store digital certificates for AUTHENTICATION
Components for Success
Chain of Trust
Where we are going in DoD … role of biometrics
• Initial capture at application for military service - digital prints to FBI and to DMDC biostore - records check, face to face authentication, National Agency Check
• Entry onto military service - stored biometric checked against live scan before initial ID card issued
• Periodically - Member biometrically authenticated on ID card
• Reissue - every three years
• Physical access systems - multi-factor authentication including a biometric in high security areas or under high threat conditions
Biometrics Issues
Future Directions for CAC
• Biometrics Match on Card used instead of PIN
• Biometrics used as an Access Control Process for using applets on the card. This will be for both on and off card matching scenarios and will be vendor neutral
More work has to be done to protect biometric stores.
Summary
Path Forward
• Increased emphasis on standards as prerequisite to interoperability and hence market share
• DOD focus on Identity
• IT infrastructure transformation exceeds Y2K effort
• It is not the technology: it is the customer’s quality of life
Contact
Dr. Robert van Spyk
vanspyrp@osd.pentagon.mil
831-583-2500 ex 5576
Bill Boggess
boggesbf@osd.pentagon.mil
831-583-4170
Additional Slides

Native Smartcard (hierarchical file system, interoperable directory structure) - layer stack:
Application
Middleware (card issuer specific) - BSI/XSI API
Card Edge API - ISO 7816-4 APDUs
File system 7816-5 API, vendor extensions, crypto
File System - DATA (PKCS#15)
Card OS (Proprietary)
Smart Chip Hardware

Java Card / Global Platform card - layer stack:
Application
Generic Middleware - BSI/XSI API
Card Edge API - APDUs
Global Platform 2.01 Card Manager Applic (Loader & Manager)
Java Card JCRE 2.1.1 Virtual Machine API
Download

Directory structure points at credentials and other objects; each container can store several objects:
CCC / Card Info Container
  App Directory Container
    App Container - Authent Object
    App Container - Data Object
    App Container (Applet) - Key Object, DATA
    App Container (Applet) - Cert Object, DATA
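In both stacks above the Card Edge API is where middleware calls become ISO 7816-4 APDUs. The Python below is an added illustration of that layer (not DoD, DMDC, GSC-IS or GlobalPlatform code): it encodes short-form command APDUs such as SELECT by AID and READ BINARY and decodes the two-byte status word the card returns; any AID used with it is a constructed placeholder, not a real CAC applet identifier.

```python
"""ISO 7816-4 APDU helpers for the Card Edge/APDU layer above (added example,
not DoD/DMDC, GSC-IS or GlobalPlatform code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""          # command data field (Lc bytes), may be empty
    le: Optional[int] = None   # expected response length; None = no Le field

    def encode(self) -> bytes:
        """CLA INS P1 P2 [Lc Data] [Le], short-length form (cases 1 to 4)."""
        if len(self.data) > 255 or (self.le is not None and not 0 <= self.le <= 256):
            raise ValueError("short APDU: data <= 255 bytes, Le in 0..256")
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data
        if self.le is not None:
            out += bytes([self.le % 256])  # Le = 256 is encoded as 0x00
        return out

def select_by_aid(aid: bytes) -> CommandAPDU:
    """SELECT (INS A4) by DF name (P1=04), first occurrence, FCI requested."""
    return CommandAPDU(0x00, 0xA4, 0x04, 0x00, aid, le=256)

def read_binary(offset: int, length: int) -> CommandAPDU:
    """READ BINARY (INS B0) of a transparent EF; 15-bit offset split over P1/P2."""
    if not 0 <= offset < 0x8000: raise ValueError("offset must fit in 15 bits")
    return CommandAPDU(0x00, 0xB0, offset >> 8, offset & 0xFF, le=length)

def decode_response(raw: bytes) -> Tuple[bytes, int]:
    """Split a raw response into (data, SW1SW2); the last two bytes are the status."""
    if len(raw) < 2: raise ValueError("response must end with a two-byte status word")
    return raw[:-2], (raw[-2] << 8) | raw[-1]

def describe_sw(sw: int) -> str:
    """Meaning of common ISO 7816-4 status words (0x9000 is success)."""
    if sw == 0x9000:
        return "success"
    if sw >> 8 == 0x61:
        return f"success, {sw & 0xFF} more bytes available via GET RESPONSE"
    if sw & 0xFFF0 == 0x63C0:
        return f"warning, counter = {sw & 0x0F} (typically PIN tries remaining)"
    return {0x6982: "security status not satisfied (e.g. PIN not verified)",
            0x6983: "authentication method blocked",
            0x6A82: "file or application not found"}.get(sw, f"unhandled SW {sw:04X}")
```

The 0x63Cx and 0x6983 cases are the ones a PIN-protected container returns as retries run out, which is why middleware must surface them rather than retrying blindly.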