An Infineon Technologies Publication 02/2002 · An Infineon Technologies Publication 02/2002 The...

02/2002An Inf ineon Technologies Publ icat ion

www.s i l i con- t rus t . com T h e S i l i c o n T r u s t R e p o r t

Trusted ComputingIntel’s Security ArchitectDavid Grawrock talks toSecure about the TCPA

Biometric StandardizationAre we nearly there yet,or have we just begun?

Contactless TechnologyConvenient and easy-to-usePublic Transport

In thisIssue

Editorial

Superheroes are everywhere right now:Spiderman is a box office success andDaredevil is to be released worldwidenext year. There are rumors that therewill be a new Superman production,too. The public continues to be fasci-nated by the bigger power that willprotect them from harm. Does this trendstretch to the IT world? It would seemso.At least the key players got together to

create a spec that wouldprotect computing: theTCPA. And with thefounding of this Alliancea new term was created:

Trusted Computing.In this issue ofSecure we inter-

view Intel’sSecurity Architect

- David Grawrock, who maintains thatconsumers who are looking to purchasea particular electronic product in the

future (be they phones, PC’s or PDA’s),may use the security of the particularplatform as a key differentiating factorin their purchasing decision – obviouslythis is of great relevance to the TCPA.Read the article on page 30 to find outmore.

There is an emerging market where theintroduction of new security technologyvery much depends on end consumeracceptance: transport and electronicticketing. Security is only one require-ment for success here, equally importantis convenience. The technology answeris Contactless Smart Card Technology:the security level of a Smart Card pay-ment system combined with the hassle-free contactless interface that no longerrequires the card to be inserted into areader. Additionally, such a transport /leisure card could contain other appli-cations, such as an e-purse or loyalty

program – just imagine: you will beable to take the train to the concert,automatically gaining bonus points,walk right into the venue withoutqueuing, buy a hot dog and take yourdate out for drinks afterwards – all withone card.

Other topics covered in this issue are thelatest updates on what is happening in theworld of Biometrics: business cases, pro-duct updates as well as a comprehensiveaccount by Brigitte Wirtz of where westand with Standardization.

If you have any questions or simplywant to voice your opinion on SmartCards, Biometrics and other silicon-based security related topics, go tothe Silicon Trust Discussion Area atwww.silicon-trust.com.

Veronica von Preysing

Impressum

SECURE - The Silicon Trust Reportis a Silicon Trust program publication,sponsored by Infineon Technologies AG.

SECURE - The Silicon Trust Reportis an Infineon Technologies publication

The Silicon Trust ProgramDirectorVeronica PreysingEmail: [email protected]

Infineon Editorial TeamVeronica Preysing(Infineon Technologies)Iris Parsiegla(Infineon Technologies)

Magazine Project DevelopmentKrowne Communications GmbHMunich, Germany

Creative Director/LayoutStefan GassnerEmail – [email protected] Stefan Gassner

Advertising & DistributionKaren BrindleyEmail – [email protected]

PrintingADM BozenSiebeneich-Terlan, Italy

This issue of SECURE - The SiliconTrust Report is Copyright 2002 byInfineon Technologies AG.

Subscriptions ofSECURE – The Silicon Trust Reportcan be obtained at:www.silicon-trust.com

No portion of this publication may bereproduced in part or in whole withoutthe express permission, in writing, fromthe publisher. All product copyrightsand trademarks are the property of theirrespective owners. All product names,specifications, prices and other infor-mation are correct at the time of goingto press but are subject to change with-out notice. The publisher takes noresponsibility for false or misleadinginformation or omissions.Any commentsmay be addressed to the Silicon TrustProgram Director – Veronica Preysing([email protected])

22 Application FocusIdentification/HealthThe Parkinson PassA Pioneering Project

26 Trusted ComputingConvenient Security

The real ‘Key’ to BiometricSecurity Solutions

30 Trusted ComputingProtecting Your Platform

36 ContactlessConvenient and easy-to-usepublic transport

6 ContributorsWho’s whoin this Issue

8 HighlightsWhat’s new atInfineon Technologies

10 Introducing theSilicon Trust

11 Welcometo the Trust

12 Info-BoxSmart Card and BiometricIndustry News Exclusivelyfrom Ctt and Btt

14 Industry InitiativesSleek, Slim, Smalland Secure Memory forMobile Applications

The MultiMediaCard Association(MMCA) was founded in 1998, with14 companies as original members,to promote the worldwide adoptionof MultiMediaCards, the sleek, slim,small and secure memory devicesdesigned for a wide range of mobileapplications.

16 The Associationfor Biometrics (AfB)

The AfB is a UK based organizationwith a mission “To provide a forumfor the European and InternationalBiometrics Community.”

This is achieved by promoting thedevelopment and implementation ofBiometric technologies, standards andapplications through education andawareness programs and the gatheringand dissemination of best practices.

18 ApplicationFocusIdentification/Health

Biometric Data on ID Cards:No Longer a Thing of theFuture

In recent months, the issue of secureidentification documents has arousedpublic debate. Often, however, it isonly the documents themselves thatare discussed, while the overall systemrequired to guarantee that an IDfunctions securely has been largelyignored.

22 The Parkinson PassA Pioneering Project

During the last few years much workhas been done on the developmentof a Smart Card for Parkinson patientsthat will be suitable for biometricidentification.

The ultimate aim of the project wouldbe to develop a special Smart Cardfor all categories of people with achronic illness and it is hoped thatthis project could one day become anation-wide scheme.

26 Trusted ComputingConvenient Security

The real ‘Key’ to BiometricSecurity Solutions

Biometric recognition systems aredestined to replace PIN codes in manyapplications (Smart credit cards andmobile phones immediately cometo mind). The advantages of bio-metrics are compelling – enhancedsecurity, easy and convenient hand-ling, and unambiguous verificationof identity.

30 Protecting Your Platform

On a very hot day in June, SECUREcaught up with David Grawrock,Security Architect with Intel, at theInfineon Technologies headquartersin Munich, to talk about the TCPA,Intel’s role, the TPM modules andwhat it’s going to take to make thebenefits of a secure platform obviousto the average guy-in-the-street.

36 ContactlessConvenient and easy-to-usepublic transport

Contactless Chip Cardtechnology as the basis foruniversal electronic ticketsin Germany

Every day around 25 million passen-gers use public transport inGermany; this is more than ninebillion a year – but the figure couldbe higher still. The attraction of aservice that would otherwise beeasy and convenient to use is oftenimpaired by everyday problems –either you don’t have enough smallchange, the ticket machine is out oforder, or the price system is toocomplicated. A convenient solutionwould be for a ticket to be valid inother transport networks in differ-ent regions.Thus, in cooperation withthe Association of German TransportCompanies (VDV), Infineon andother industrial firms are workingon a technical standard whichwould allow a universal electronicticket to be introduced throughoutthe whole of Germany.

Content

4

40 Smart CardsElectromagnetic Espionagefrom Smart Cards – Attacksand Countermeasures

46 RFIDChip Sharing

The potential for all-inclusiveuse of RFID-Technology

50 BiometricsBiometric StandardizationAre we Nearly There Yet,Or Have We Just Begun?

58 Embedded SecurityInfineon’s TrustedPlatform Module

40 TechnologyUpdateSmart CardsElectromagnetic Espionagefrom Smart Cards – Attacksand Countermeasures

A quick look back into the historyof espionage shows that the analysisof electromagnetic emanations forespionage purposes is a process thathas been in use for a number ofyears. The codeword TEMPESTcovers a methodology known since1950, of receiving, amplifying andevaluating high-frequency side-channel radiation - including theappropriate countermeasures. Apractical example of a very simpleattack, known as HF flooding, wasdiscovered in 1952 at the Americanembassy in Moscow. Behind a bigstate seal, a strange mechanicaldevice was hidden and was beingirradiated from outside with strongelectromagnetic fields. The deviceitself included a resonant circuit,which was sensitive to voices in thatparticular room. The modulated sig-nal from this mechanical device wasthen analyzed from a distance ofseveral hundred meters, compromis-ing all spoken words inside theroom. HF Flooding attacks still arecommon today – albeit in a slightlymodified form.

44 DonglesAladdin moves intothe Fast Lane

Aladdin’s eToken protects sensitiveFormula Three race car data with USB-based two-factor authentication.

46 RFIDChip Sharing

The potential for all-inclusiveuse of RFID-Technology

“Radio Frequency Identification”, orRFID for short, is one of the mostinnovative and forward-lookingtechnologies in the object and per-son oriented recognition systemssector. The chip systems, which arealso known as transponders, havebeen in use for several years already.For example, practically every carowner is also a user of RFID tech-nology if the chip contained in thekey communicates with the engineelectronics via an antenna located inthe dashboard and enables the ignitionto be activated following authenti-cation (the immobilizer).

50 BiometricsBiometric StandardizationAre we Nearly There Yet,Or Have We Just Begun?

The usage of biometric solutions overthe last few years has clearly shiftedto a solution and application-orientedapproach. The unfortunate events ofSeptember 11th have resulted in aworld wide change of biometricfocus to large scale government, IDand travel applications.The apparenturge to also secure national securityby biometric methods has imposeda pressure on standardization, with achange from a strong focus onInternet security to also incorporatethe requests of secure travel, ID docu-ments and government applications.

58 Embedded SecurityInfineon’s TrustedPlatform Module

Global Networking is causing the globeto shrink and network boundariesto disappear. Closed corporate net-works are opening up as demand forinformation is increasing from trav-eling employees, customers and part-ners. With this development thevulnerability of information is rising;as is the need for security.

60 Within the TrustAchieving More with Less –reducing the Template Data Size

BeyondLSI rises to the Challengewith 64-Byte Secure FingerprintTemplate

62 Look, but don’t touch!

Providing Contactless SmartCard Reader Modules since 1996

Baltech supported the new SmartLabel technology from the be-ginning and was the first companylinking the two worlds of secureSmart Cards and low-cost SmartLabels on the Reader side, to enableusers to use both technologies withthe same infrastructure.

63 Secure business solutions

Guardeonic Solutions AG suppliescomplete solutions for securitytechnologies.

64 IKENDI® Smart Match

Fingerprint Match-on-Card forInfineon Smart Card andSecurity ICs.

65 Let’s play it safe!

The FingerTip® SensorCardfrom Novacard.

66 Running Commentaryby Mark Lockie

5

Content

Contributors

Dr. Frank Gillert

Frank Gillert studiedmechanical engineer-ing at the Universityof Dortmund. Hejoined the Institutefor Supply ChainManagement (IDH)at the University of

Dortmund, where he worked on intell-igent packaging projects on the basisof EAS and RFID technologies. In1998 he joined Checkpoint / Meto. Hewas in charge of several internationalmanagement functions related to EASand RFID. In February 2001 he joinedInfineon Technologies and is responsiblefor marketing contactless solutions.

Dorothee Göbel

Dorothee graduatedin 1995 with a degreein electrical engi-neering with the focuson Information Tech-nology.She joined SiemensSemiconductors the

same year and worked in the product-analysis and optimization departmentfor memory products (DRAM, SDRAMetc.). In January 2000 she started in theChip Card Marketing Department atInfineon, where she held the positionof a marketing manager for 8/16 bitSecurity Controller (particular respon-sibility contactless controllers). Since2001 she has been working as Directorof Business Development of Contact-less Systems within the Chip Card andSecurity Unit.

David Grawrock

David Grawrock is aSecurity Architectfor the DesktopArchitecture Lab ofIntel. He designsand evaluates secu-rity protocols andsystems for Intel

products. David has been involved withTCPA since 1999. David has worked inthe computer industry for 25 years,holding positions with Central Point,Symantec and Lotus.

Peter Hofreiter

After studying Elec-trical Engineeringand data systems tech-nology in Munich,Peter developed apc-based automatedtest system for ChipCard ICs within the

scope of his diploma thesis. Subsequently,he joined Siemens AG, working in theProduct Analysis and Optimizationdepartment within the Security andChip Card ICs division, being responsiblefor production optimization of solid-state Chip Cards. In December 1997,he became a founder member of thenew Analysis Group in the area of

Security and Chip Card ICs. Todaywithin Infineon Technologies, he isresponsible for the development ofmeasuring equipment for safety evaluationwithin the Product Security depart-ment. Being a valued expert in the areaof attack procedures and counteractivemeasures, Peter is also operating as aconsultant in the advancement and newdevelopment of security features for securecontroller and security memories.

Florian Höfle

After completing hisdegree, Florian Höfleworked in the fieldof IT-Networkingand database pro-gramming. In early1994 he started hissecurity career by

developing cashless payment systemswith Smart and RFID Cards. Whileworking on security systems, Florianbecame a consultant for security appli-cations within large companies (above50,000 employees) and other large scaleapplications, combining digital signa-ture on multifunctional cards. Withinhis work he designed personalization andlogistic processes and technical conceptsto realize complex Smart Card Systems.Being involved in security made ita natural process to take on newchallenges such as biometrics and withthis Florian Höfle became CEO ofIKENDI Software AG in 2001.

6

Who’s Whoin this issue?

1999 also carried out consultancy workwith television companies such asARD, ZDF, SAT1, Pro7.After studying data protection/securityissues and applications for contactlessChip Cards in the area of “car sharing”,in 1997 Peter took part in the projectcalled “Die Karte” at the KuratoriumDeutsche Kartenwirtschaft – going onto complete his PhD at the ChristianAlbrechts Universität in Kiel.He currently manages the Product andSystem Security department (Securityand Chip Card ICs) at InfineonTechnologies AG in Munich Germany.

Mark Lockie

Mark Lockie has aMasters Degree inEngineering and isa seasoned journalistcovering the bio-metric industry andother identificationtechnologies. He is

the editor of the leading industry news-letter Biometric Technology Today andthe annual digest Biometric TechnologyInternational. He is also the author ofnumerous industry reports and hisrecent educational book – Science at theEdge: Biometric Technology – is helpingto bring awareness of biometrics to theyounger generations. More recentlyMark set up Ideal Media Consulting, acompany that offers editorial, marketresearch and publishing expertise inhigh-tech identification markets. Awayfrom the office, Mark is a keen sport-sman with a passion for the game ofrugby and can often be found on thegolf course attempting to improve hishandicap.

7

Contributors

Wim Kuling

After finishing hisdegree, Wim Kulingjoined Zorg enZekerheid in 1969in an administrativecapacity. He thenspent 21 months inthe Army before

returning to the company as aController, later becoming Head of theControl department. Wim studied“informatics” and went on to beresponsible for the “informatics” of thelargest division in the company. Duringthis time he conducted studies on thepossibilities of using Smart Cards inHealthcare and in 1997 Zorg enZekerheid introduced the first healthcard in the Netherlands. Now he isinvolved in many different projects inthe Netherlands using health cards,especially where biometrics areinvolved. He is the project leader of theParkinson project: a Smart Card withonboard biometrics.

Dr.PeterLaackmann

Peter has been devel-oping hardware andsoftware componentsfor synchronous andasynchronous ChipCard terminals since1991.He has written both

technical articles and columns fornumerous publications covering ChipCard technology, applications and secu-rity concerns, and between 1993 and

Dr. Brigitte Wirtz

Brigitte has spentmany years working inthe Siemens Research& Technology Center,specializing in patternrecognition and com-puter vision, humanmachine interaction

as well as biometrics. Currently she iswith Infineon Technologies, serving asthe head of biometric development.She is also chair of the interfaces groupof the German BioTrsutT project, whichis investigating the feasibility of biometricsas a measure to secure e-commerce ande-business.

Dr. ChristophWoenckhaus

Christoph has beenworking for G&Dsince 1995 in theID Systems Division.After heading theresearch and develop-ment section there,he took over the task

of Government Key Account Executiveat the beginning of this year.He graduated from university as amechanical engineer and earned hisPh.D. at Munich’s Institut für Werk-zeugmaschinen und Betriebswissen-schaften before joining Giesecke &Devrient at the end of 1995.

Highlights

This April, the 3rd Security Solutions Forumtook place, hosted by the Silicon Trust and wasconsidered by all, to be the most successfulpartner event so far. More than 100 attendeesturned out to hear Silicon Trust members, aswell as selected guests, speak on the possibilitiesof silicon-based solutions.Two key security appli-cations were addressed in parallel tracks:Identification and e-Business.

InternalSecurity

Identification TrackParallel to a top level Podium Discussion on the SecurityRequirements for e-Business, the Identification Track focusedon two main themes: National ID Card projects and high volumeTicketing projects.This training track approach to the SecuritySolutions Forum allowed all attendees to meet top levelExperts from the Security Industry, representing companiessuch as Giesecke & Devrient and Siemens Business Services,and listen to actual business cases from Silicon Trust Partners(Novacard, ISL and SC2).

A small exhibition also allowed visitors to view products andtechnology from the Silicon Trust partners, as well as talk torepresentatives of the companies present.

e-Business Track The Podium Discussion brought together leading figuresfrom the main e-Business companies (Deutsche Bank, Oracle,Mastercard, Palm, Microsoft and Infineon), to discuss the issue:

“Hardware Security in an e-Business Environment. A necessaryfeature or an unnecessary expense?” During what was an enter-taining and interesting 90 minutes, it emerged that although allspeakers recognized the need for more hardware security in ane-Business environment, it is still difficult to understand whowould actually pay for this security. Palm even went further bysaying that they considered the real breakthrough for standardizedsecurity in an e-Business environment would only happen onceone of the market players was to initialize the market throughthe incorporation of security hardware in their end application.

All of the speakers agreed that Biometric security techniqueswere a potential growth area in the security industry, butneeded more exposure for consumer acceptance.

8

Security Solutions ForumSpring 2002

SiliconTrustprovides

expert platformto shape the

Future ofSilicon Based

Security

9

Highlights

Mastercard caused a stir in the audience when they announcedthat although credit card fraud was considered a problem,they viewed identity theft an even greater risk and would belooking for security solutions that could combat this.

Biometric security techniques –needs more exposure forconsumer acceptance...

Overall though, it was agreed that Hardware Security wasindeed a necessity and that all of the players needed toaddress trust in systems, as well as trust in individual hardwareand software. The trust in systems discussion also includedthe TCPA and the specifications for platform security. Thepanelists (and audience) also recognized the TCPA specifi-cations as a major milestone that will allow trusted systemsto move from being an interesting peripheral feature to anecessity for tomorrow’s e-business platforms.

In the afternoon Attendees listened to presentations fromPartners (Aladdin, Sospita and Datacard),as well as guestSpeakers from the MMCA and realtime, covering the differ-ent technologies available today.

Overwhelminglypositive feedback forSecurity Forum

This Security Solutions Forum attracted 123 people over atwo-day period. Of those attendees, 94% ranked the forum(through the feedback forms) as “very good”. The audienceagreed that the podium discussion was indeed the richest partof the Forum, with 100% of attendees saying they wouldattend another such Forum again and would recommend theSecurity Solutions Forum to their colleagues.

“It’s great to actually see andhear about practical examplesfor the security industry. Byhosting such an event, Infineon,through the Silicon Trust,allows everyone to learn fromeach other and that’s whatit is going to take for thismarket to grow to its truepotential”. Comment from Feedback Form

The Silicon Trust

The Silicon Trust– what is it andhow do you join?

Partner Mission

The Silicon Trust is a platform createdfor those businesses utilizing Infineon’sSecurity products and solutions in theirend applications. Its primary goal is todevelop and enhance market awarenessas well as customer acceptance for indi-vidual products and solutions devel-oped by the Silicon Trust partners.

The Silicon TrustVision

The Silicon Trust is an industry plat-form for silicon-based security techno-logy embracing a unified approach tothe marketplace. It intends to becomethe number-one reference for compa-nies searching for the highest-quality,certified security solutions availableacross the entire spectrum of productsand solutions.

Our Silicon Trust Partners provide thecritical link between Infineon and cus-tomers with complex projects or signif-icant time constraints. Because oursecurity products serve such a widevariety of applications, opportunitiesexist for consultants and system inte-grators with specific vertical marketexpertise. Silicon Trust Partners addvalue by writing custom software appli-cations, designing custom hardware, andproviding turnkey solutions.

Qualifying for theSilicon TrustInfineon Technologies aims to workwith companies, which provide com-plementary products or services. Youmay be eligible to join the Silicon Trustif your company is engaged in:

1. Hardware or softwareconsulting

2. Systems integration

3. Third-party productsand systems

Infineon Technologies seeks partnerswho use Infineon’s security productsand who want to build a business rela-tionship with Infineon Technologiesand other Silicon Trust partners.

The Silicon Trust provides tangiblebenefits for active members. Whenevaluating applicants, Infineon Techno-logies looks for:

� Competency in the area ofsecurity products or similar areas.

� A clear business strategy andexplanation of how Infineon’ssecurity products are a partof your particular solution.

� References from customerswho are satisfied with yourtechnical abilities and businesspractices.

� Sponsorship by the InfineonTechnologies representativein your area.

10

Introducing theSiliconTrustWith the New Economy growing at an exponential rate, the need for solutions enabling secure E-Commerce, M-Commerce, and banking as well as data and content protection is becoming morecritical. Silicon based security is paving the way to make tomorrow’s lifestyles secure.

For information visit:www.silicon-trust.com

Members of theSiliconTrust

• ACG

• Aladdin

• Association forBiometrics

• Baltech

• BeyondLSI

• Bioscrypt

• Datacard

• Faktum

• G&D

• Guardeonic Solutions

• Ikendi

• ISL

• Loqware

• MMCA

• Novacard

• Omnikey

• Pollex

• Precise

• PSE

• SC2

• Secartis

• Siemens

• Sospita

• Teletrust

• Towitoko

11

The Silicon Trust

BALTECHBALTECH is specialized in the design and production of contactless Smart Cardand RFID Read/Write modules and devices.The underlying product philosophy isto provide contactless technology sub-solutions to enable customers to handle thevariety and complexity of contactless technologies on the market without the needto dive into details. The products address a wide range of applications like accesscontrol, time & attendance, e-purse, loyalty, ticketing, logistics, EAS etc. Besidesstandard products for integration or direct use, Baltech offers customized adoptionsbased on its existing core technologies. www.baltech.de

BEYONDLSIBeyondLSI Inc. offers a compact fingerprint authentication systems solution basedon its distinctive fingerprint identification core technology (patent pending world-wide). Technological features such as small fingerprint template data size (50 to 64bytes), small program and data sizes, fast processing time, encrypted networking, areintegrated into a subcard-sized module, providing an ideal authentication platformfor all systems including small hand-held devices, computer terminals, e-commerce,access control, door locks, and social security. www.beyondLSI.com

IKENDIThe core of IKENDI's marketing strategy is the licensing of technology and soft-ware.The target customers develop and market final products and applications withthe help of the IKENDI development kits, IKENDI know-how and support. Thusthe customer is in a position to integrate fingerprint recognition technology in hissystem with low costs and short time to market. IKENDI has 15-year-old roots inthe research of digital image processing (mainly for medical applications) and artifi-cial intelligence. In 1996 the focus was turned on fingerprint recognition, whereIKENDI today has a leading position for embedded and PC BIOS solutions for fin-gerprint recognition. www.ikendi.com

MMCA (MultiMediaCard Association)The MultiMediaCard Association (MMCA) was founded in 1998, with 14 compa-nies as original members, to promote the worldwide adoption of a compact, remov-able standard for storing and retrieving digital information in small, low powerdevices. In fact, MultiMediaCards are the world’s smallest removable solid-statememory solutions for mobile applications. The organization has grown rapidly andnow has over 100 member companies worldwide, representing all branches ofmobile electronic applications. The MMCA developed and regulates open industrystandards that define all types of MultiMediaCards, and drives worldwide accept-ance of MultiMediaCards as an industry standard across multiple host platforms andmarkets. www.mmca.org

NOVACARDNovacard is an innovative card manufacturing company specialized in the produc-tion of Smart Cards, contactless cards, dual interface cards and high quality plasticcards. Since 1999 Novacard has dealt with the development of Chip Cards withintegrated finger tip sensor, pioneered work and is at present the only card manu-facturer with current projects / cards in the field. For its biometric Smart Card,Novacard has gained three awards: The Sesames Award 1999 in the categoryHealthcare, the ICMA Elan Award 2000 for Technical Achievement as well as theNational Dutch Chip Card Award. www.novacard.de

We would like to welcome the following members to the Silicon Trust. For further information onthese companies, please check out their websites.

Welcome to theTrust

InfoboxSmart Card and Biometric Industry News Exclusively from Ctt and Btt

A date foryour Diary!6, 7, 8, November 2002Biometrics 2002This major biometrics show in Londonhas a three-day conference and two-dayexhibition. Over 1,300 attendees madeit to last year’s event and this year thefloor space has been extended to accom-modate even more exhibitors. New thisyear is a continual conference streamcovering industry case studies, a scientificpapers area and competition, as well asrecruitment advice and a cyber café.

Biometrics getinternet standardBtt April 2002The use of biometrics in internet-basedapplications has been given a boost asOASIS, the well-known e-businessstandards interoperability consortium,announced it will work on a standardXML (Extensible Markup Language)schema for biometrics.This is important for the biometricsindustry as XML is seen as an essentiallanguage for the development of next-generation Web services. XML is alsopopular among current application devel-opers, as they (rather than machines) areable to read and correct any faulty code.

Smart Cardsfor US airportworkersCtt May 2002Smart Card technology will underpinthe common ID document that is to beissued to 15 million US workers atsome 1,000 airports, seaports and otherkey transportation sites. The Trans-portation Workers Identification Cre-dential card (TWIC) is currently thesubject of a major project within theDepartment of Transportation (DOT).There will be one standard federal creden-tial and one integrated network of data-bases; this network will link the recordsof enrolled personnel in the aviation,maritime, road and rail industries.The architecture of the TWIC card willbe based on the General ServiceAdministration Smart Card standards –

already in use for the Department ofDefense Common Access Card. TheTWIC card will initially be a 32 KBEEPROM Smart Card, running underJava, with contact chips; the later additionof contactless technology forms part ofthe plan.A pilot of the TWIC card is to be runthis summer.

Biometricdrivers’ licenseson the cardsBtt May 2002A new bill introduced to the US Houseof Representatives on 1 May 2002 pro-poses the standardization of drivers'licenses in the USA. Importantly forthe biometric industry, the legislationrequires the inclusion of a biometricidentifier on a Smart Card and anotherin a centralized Department of MotorVehicles (DMV) database.The Driver's License ModernizationAct is sponsored by Democratic Rep.Jim Moran and Republican Rep. TomDavis. Under the proposed guidelines,the US states and the District ofColumbia would have five years toconform to a new nationwide standardfor licenses.The bill joins several other efforts alreadyunderway to enhance the security ofdriver's licenses, an issue that hasbecome an increasingly hot topic sinceit was discovered that at least eight ofthe 19 hijackers on 11 September hadused fake state-issued licenses.

Germany tolaunch nationwidee-ticketsCtt May 2002Germany's association of transportoperators (VDV) is planning to launcha standard electronic ticket for nation-wide use. Cooperating in the jointproject are Card etc, Cubic, DeutscheBank, ERG, Guardeonic Solutions,Infineon, Siemens, T-Systems and theFraunhofer Institute for Transport andInfrastructure Systems.The aim is to produce a standard solu-tion for the purchase and use of elec-

tronic tickets in public transport bymid-2003. The first large-scale pilotprojects are to be launched in theBerlin and Dresden metropolitan areas.The basic technology will be contact-less data transfer; but the tickets can beprovided to passengers in a variety offorms – as Smart Cards or built into awrist-watch or key fob.

Europeanbiometric roadmapannouncedBtt May 2002A new consortium – BIOVISION – hassigned a 400,000 Euro contract with theEuropean Commission to develop a road-map for future biometrics development.The seven to ten-year plan will focuson issues such as security, the concernsof end users and the legal issues sur-rounding the use of biometrics. One ofthe consortium’s early conclusions isthe lack of a Europe-wide forum forexchange of ideas and opportunitiesand it aims to act as a catalyst for theformation of such a forum.

Nine percentgrowth expectedCtt June 2002The Smart Card industry is set to growat about 9% during 2002, according tothe latest forecasts from Eurosmart, theindustry's leading trade association.Thisis in line with the rate of growth in2001, but a long way below the 23%increase shown in 1999.The slowdown of expansion in mobilephone market continues to have its effect.Shipments in 2001, at 390 millionunits, accounted for 65% of the micro-processor (high value) card market. In2002, there will be a 6% increase inshipments to the mobile phone industry,at 415 million units, but this will repre-sent just 60% of the microprocessorcard market.However, microprocessor cards are setto show an overall increase of 15% dur-ing 2002, due to the roll-out of EMVbank cards and the first major deploy-ments of Smart Cards in the ID andtransport sectors.

12

13

InfoboxSmart Card and Biometric Industry News Exclusively from Ctt and Btt

Australia looksat facial biometricsfor passportsBtt June 2002Biometric facial identifiers could be intro-duced into the Australian passport ifnewly-funded research into the tech-nology proves successful. The intro-duction of facial recognition technologyis designed to cut down on passportfraud and help reduce the risk of poten-tial terrorist attacks.

Australian Treasurer Peter Costello hasearmarked approximately A$3.0 millionin 2002-2003 for the research anddevelopment which will be conductedby the Department of Foreign Affairsand Trade (DFAT).

The development of a biometric identi-fier would be in line with action takenby other countries. For example, the UKand the Netherlands are known to beactively looking at the different optionsfor integrating biometrics with theirpassports, and new legislation announcedby the USA last month outlined itsintention to put biometric identifiersinto passports by October 2004.

Southamptongoes live withsmart city servicesCtt June 2002Six thousand tenants of publicly-ownedhousing in Southampton, UK, will beable to go online (using either PCs orpublic kiosks located in a few areas),under the city's SmartPath scheme, tomonitor the progress of applications forrepairs to their homes. Once this phaseis successfully up and running, the cityaims to include a wide range of servicesfor its entire citizen body of 250,000,and to provide access points at kiosksacross the city.

The SmartPath project is one of theUK Government's 25 Pathfinder pro-jects – initiated by the Department forTransport, Local Government andRegions (DTLR) – to deliver govern-ment services online.SmartPath builds on Southampton'sSmartCities multi-application SmartCard initiative. The SmartCities card,which was launched in Spring 2000,provides access to bus transport andother services.With the addition of digitalcertificates (supplied by Entrust), Smart-Cities cards are now becoming availablefor accessing the Web.

Forget privacy,give us biometrics!Btt July/August 2002Two polls looking at public opinion onprivacy issues and biometrics shouldleave extreme privacy advocates feelingabashed that their high-profile attacksseem to have fallen on deaf ears. Bothpolls indicate that the majority of UScitizens are happy to use biometrics intheir daily life, with more than 70% infavour of carrying identification cardswith fingerprints.The latest statistics may come as a sur-prise to many, as the torrent of negativenews stories in the national media, andfrom privacy groups, would have sug-gested a strong revulsion to the idea of anational ID card in the US – particularlyone using biometrics.The two nationwide polls were frombiometric supplier Saflink and TheGallup Organization. The Saflink pollrevealed that only 11% of those inter-viewed perceived biometric identifi-cation to be an invasion of privacy withover 70% saying they would be morewilling to purchase products online ifthe transactions required biometricauthentication. Some 65% meanwhile

said they would prefer that hospitalsand doctors used biometrics in place ofpasswords to protect patient records.

Hong KongSMARTICS projectunder wayCtt July/August 2002The Government of the Hong KongSpecial Administration Region (SAR)has begun to place orders for SmartCards for use in its Smart Identity CardSystem (SMARTICS) project.For the first phase of this projectInfineon is to supply its 66Plus micro-controller chips for embedding in 1.2million Smart Cards supplied byKeycorp, a member of the consortiumthat won the project.Identity cards have been in use inHong Kong since 1949.The new SmartCard will replace the current laminatedplastic photo ID card and will contain afingerprint identifier (believed to beboth thumbprints). It will be held byadults and may eventually carry basicmedical data or driver license details.

Identix mergerapproved Btt July/August 2002Two of the biometric market's leadingplayers – Identix and Visionics Corpo-ration – have been given approval fortheir merger worth an estimatedUS$600 million. The deal has createdthe largest multi-biometric company inthe industry's history.In a surprise strategic move, Identix hasretreated from the low end optical finger-print sensor market, where it was one ofthe market leaders. Instead it will adaptits fingerprint software to work withthe many cheap and increasingly robustsilicon sensors on the market today.

The above news stories are brief excerpts from articles published in Card Technology Today(Ctt) and Biometric Technology Today (Btt).

Visit www.smartcards-today.com or www.biometrics-today.com for more information.

Industry InitiativesMMCA

The MultiMediaCard Association (MMCA) was founded in 1998, with 14 companies as original

members,to promote the worldwide adoption of MultiMediaCards, the sleek, slim, small and secure

memory devices designed for a wide range of mobile applications.

MultiMediaCards:

Sleek,Slim,Smalland Secure Memoryfor Mobile Applications

14

15

Industry InitiativesMMCA

The cards work on both the Palm andPocketPC standards and are used ingovernment, health care, publishing anda wide variety of other industry sectors,as well as in such consumer products asMP-3 music players, portable videogames, personal digital assistants(PDAs), mobile telephones, video cam-corders and digital cameras.Weighing less than two grams andapproximately the size of a postage stamp,these convenient, reliable, rugged andlightweight standardized data carriersstore up to 128 Mbytes, sufficient forover two hours of CD quality MP-3digital music, or approximately 80,000book pages. Storage capacities of 256Mbytes are expected to be available incalendar year 2003.The MultiMediaCard standard has beenadopted by over 100 of the world’sleading electronics firms, includingCanon, Casio, Eastman Kodak, Ericsson,Hewlett Packard, Hitachi, JVC, Motorola,Nokia, Palm, Panasonic, Samsung,Sanyo, SCM, Siemens and many others,with hundreds of products now avail-able in the marketplace. In addition,most slots today accommodate bothMultiMediaCards as well as SD cards.MultiMediaCards use Flash technologyfor many-times reusable recording appli-cations, and ROM technology for read-only applications. They are fast forexcellent system performance; energyefficient for prolonged battery life inportable products; and cost-effective foruse in systems sold at consumer pricepoints. The molded package has a simpleseven-pad (pin) serial interface thatoffers easy integration to the manyhardware platforms used in today’sportable devices.

Secure MultiMediaCards (Secure-MMC™) address the numerous require-ments of future consumer, business andindustrial applications (such as mobilee-commerce, banking, copyright pro-tection and content security), particu-larly in portable devices. To meet theserequirements, SecureMMCs containspecial tamper-resistant modules incor-porating the same security technologyfound in Smart Card bank and creditcards.To ensure backward compatibility,

all SecureMMCs have the full function-ality of standard MultiMediaCards.The first applied version of the Secure-MMC meets the requirements of thesecure copyright protection markets(e.g. SDMI PD Specification Version 1.0),offering unique copyright protectionand content protection for all kinds ofdigital data. Copyright holders of digitalrecordings can define the maximumnumber of copies that can be made ofthe protected content.They can also blockillegal downloads to other memorycards of lower security level. For thisreason, the MultiMediaCard standardwas chosen by the Keitaide-MusicConsortium in Japan to provide contentprotection for secure delivery of musicto mobile phones using the Keitaide-Music Technical Specification.Moreover, SecureMMCs will soon pro-vide a platform to provide content en-cryption on special cards for securedcommercial and even mobile e-commercetransactions. New security technologieswill be considered as they emerge.Going forward, SecureMMCs willensure secure storage and retrieval ofdigital information for mobile e-trans-actions, independent of the device,server or network. The standard willalso provide content protection for dig-ital content distribution of music,video, books and a host of other appli-cations. In addition, low-voltage cardsas well as half-size cards are expected tobe on the market soon.

The MultiMediaCard Associationdeveloped and regulates open industrystandards that define all types ofMultiMediaCards, and drives world-wide acceptance of MultiMediaCards asan industry standard across multiplehost platforms and markets. The organ-ization works aggressively toward fullinterchangeability and compatibility(including backward compatibility)among the cards produced by allMMCA members. The MMCA alsopromotes alternate sourcing, and hasestablished a compliance program.MultiMediaCards offer an unmatchedarray of features and benefits, and arebecoming the industry standard forcompact removable storage media.

The MultiMediaCardstandard offers a uniqueblend of benefits to avariety of users:

• For consumers, they aresmall, low cost, robust andable to store photos, music,games, reference, catalogsand other media-richcontent used in many ofthe coolest, leading-edgeelectronic products onthe market today.

• Benefits to host manu-facturers include the cards’simple interface and thefact that they representa widely adopted industrystandard offering themost compact productpackaging possible.

• Benefits to contentdistributors are the cards’ability to plug and playand the fact they areshipping today. Most ofthe content delivered onMultiMediaCards useslow-cost ROM for suchapplications as referencematerial, mapping software,travel guides, games anda host of other uses.

For more information on theMultiMediaCard Association,contact: Andy Prophet, ExecutiveDirector at [email protected]

Public Relations Contact for theMMCA:Tom [email protected]+1 (925) 937-4921

For information visit:www.mmca.org

All trade names are either registered trademarks or trademarks of their respective holders.

Industry InitiativesAfB

The AfB is a UK based organization with a mission“To provide a forum for the European and International Biometrics Community.”

The Associationfor Biometrics (AfB)

This is achieved by promoting thedevelopment and implementation ofBiometric technologies, standards andapplications through education andawareness programs and the gatheringand dissemination of best practices.

The Association for Biometrics is oneof the longest-standing organizationsdevoted exclusively to the developmentand promotion of the technology. Tenyears ago, initial meetings under thesponsorship of the UK’s Departmentfor Trade and Industry brought togetheracademics, suppliers and potential endusers to share their experience andideas. Numerous seminars and work-shops have continued to further thatvision.

The past twelve months has seen amarked increase in the press coverageof biometric systems and technologiesin addition to market response. Thechanges occurring in the biometricsindustry demanded that the AfB wasbetter positioned to meet these newchallenges. Responding to these changesthe AfB has successfully completed asignificant restructuring during 2001.The AFB is now registered as a limitedcompany with a Board of Directors anda professional secretariat to enable thedevelopment of appropriate strategiesand the implementation of a range ofprograms for the European/Inter-national biometrics industry.

In order to meet the focus in all areasof biometrics, the AfB Board hasformed sub committees that will con-centrate on three key areas, namely:• Education and Awareness • Technology and Applications • Marketing, Membership and Services

16

17

Industry InitiativesAfB

The current Board has attracted newmembers and now represents the fullbreadth of the biometrics communityfrom academic and research activitiesthrough to suppliers, integrators andend users.

Our goal remains to promote all aspectsof biometrics in a professional, inde-pendent and responsible manner. TheAfB intends to be at the heart ofInternational Biometrics and to thisend has already created strategic linkswith many European and Internationalorganizations, and will proactively con-tinue this process. Over the comingyear we will endeavor to provide thebest possible services to our members,including an active membership pro-gram, numerous conferences and work-shops whilst providing up to date infor-

Advertising

mation services (including listservs).Our website is now a living area, withmajor enhancements including a mem-bers only section, a membership direc-tory and continuously updated infor-mation, news and events.To fully achieve our objectives and rep-resent the International BiometricsIndustry, we will continue to recruitnew members from across Europe andother International territories, whilstcontinuing to build strong relationshipswith related organizations throughoutEurope and further a field.

The most ambitious program to date inthis arena is that of BioVision, an EUProject within the IST projects onTrust and Confidence area. It has atimeline of roughly one year and willaim to develop:

• a roadmap for the European biomet-rics industry over the period 2003-2010, and

• a blueprint for a Europe-wide forumfor biometrics.

One deliverable within the BioVisionprogram is a European BiometricsForum, which the AfB has promotedfor the past two years. Indeed, AfB sup-port was instrumental in BioVisionachieving success during the bid peri-od. The AfB is, and will continue toplay a major role in the Biometricindustry both in the UK and Europe.

For information visit:www.afb.org.uk

• Fingerprint• Iris Scan• Retina Patterns• Voice Recognition

• Signature Verification• Facial Recognition• Hand Goemetry• Keystroke

The leading source of biometric identification information

Includes a complete listing of 425 biometric compa-nies, suppliers and integrators, photos of biometricdevices, an overview of biometrics, users of biometrictechnology, trade associations, biometric publications,tradeshows, publicly held companies, e-mail and webaddresses and more.Over 360 pages.CD $250 plus shipping & handling.Paper bound--$325 plus shipping & handling

Biometric Digest newsletter plus weeklye-mail reports on the latest biometricnews of the past week.Register at http://www.biodigest.com

Support Processes Corp.Division of Biometric Digest News4048 ManisonDr. NWWashington, DC 20007Tel: 202-337-0023Fax: 202-337-0024E-mail: [email protected]://www.biodigest.com

Immediate

Shipment

Biometric Information Directory

Now Avaiable on CD Or Paper

ApplicationFocusIdentification/Health

The purpose of an identification docu-ment is to enable positive determina-tion of a person’s identity. Based on apositive comparison between the docu-ment holder and the ID, the individualcan be authorized to request or receivea service or gain access to a specifiedarea, for example at a border crossing.For an identity document to fulfill thispurpose, a number of points must begiven equal consideration:• The document itself should be

counterfeit-proof, meaning it shouldbe impossible to replicate it ormanipulate it after issue.

• The identity document shouldestablish a positive match betweenthe person offering it as proof ofidentity and the document itself.

• The verification processshould be simple and accurate andtherefore quick to perform.

• The document must be durableand should not “lose” theinformation contained on it.

Biometricsas verificationtechnology

The secure identity documentID cards themselves are protected by anumber of security features that, ideally,cannot be reproduced or altered, atleast not without an unjustifiable amount

of effort. Generally, a combination ofvarious security features is used. Figure 1shows a sample card-based identitydocument with a selection of securityfeatures.The document pictured here does notyet contain any personal data. The datamust be applied during the personali-zation process in such a way that itcannot be removed or altered later.

Regardless of any other possible datastorage devices they may contain, suchas a microprocessor chip, identity docu-ments will always need to carry imageand text data since visual ID checkswill remain the most widely used appli-cation.

Laser engraving has proved to be one ofthe most secure methods of personalizinga card with text and image data. Thedata is essentially burned into the card(Figure 2), with several layers of thecard being blackened. The technologyused to do this allows precise control ofthe laser beam’s energy down to a singlepixel, so that the data is not onlyengraved in black and white, but also inas many as 256 shades of gray. Any laterattempt to alter the information wouldautomatically lead to the destruction ofthe entire ID card.

A life expectancy of 10 years and morefor PC (polycarbonate) cards of thiskind is nothing unusual.

18

MicroprintingOptical Variable Color Effect

Photo Area With Softframe IntegratedMicroprocessor

Multiple LaserImage Film

Kinegram™/Hologram

Fluorescent Ink

Surface Relief

By Dr. Christoph WoenckhausGovernment Key Account Executive, Giesecke & Devrient

BiometricData on

ID Cards:No Longer a Thing

of the Future

In recent months, the issue of secure identification documents has aroused public debate. Often,however, it is only the documents themselves that are discussed, while the overall system requiredto guarantee that an ID functions securely has been largely ignored.

Figure 1: Chip Card security features

19


Reliably matchingdocument andholder usingbiometrics traits

Almost every identity document in usenowadays relies on a photograph toprovide an association between theindividual being identified and the ID.Such comparisons cannot be carriedout with a high degree of reliability,since a person’s appearance could haveeither changed over the years or beenchanged on purpose.Establishing a link between the card andthe cardholder can be made more reliablethrough the use of biometric technology.This technology takes advantage of thefact that every human being possessescharacteristics unique to him or her.During a process known as enrollment,these traits are captured once for thepurpose of generating an identity doc-ument. The feature, such as a finger-print, recorded as an image using asensor or scanned into a computer, isconverted to a set of parameters withthe aid of special image processing pro-grams. The parameters are then storedexclusively on the document, eliminatingany need to store them centrally.When a person crosses the border intoanother country, for example, the bio-metric features would be captured onceagain locally in a procedure similar tothat used during enrollment. Theparameters recorded live would then be

compared on the spot with those foundon the ID (Figure 3). In essence, thismethod of comparison does not rely onthe exact biometric trait that has beenselected, because it is only the parame-ters that are compared each time.A large variety of biometric character-istics can be used for verificationprocesses, such as fingerprinting, facialrecognition, hand geometry measure-ments, iris or retina scans, voice recog-nition, and lip movement recognition.Each of these methods has certainadvantages and disadvantages that mustbe considered for the intended applica-tion. In addition to being perfectlysecure, the technology must meet crite-ria of acceptance and practicality.The one biometric trait that has beenmost used so far is the fingerprint(Figure 4). When using this feature, thecoordinates of the skin’s distinctivecross points and bifurcations, known asminutiae, are used as biometric data.The image processing program deter-mines the coordinates and direction ofthese selected points. Anywhere from20 to 60 of these sets of data are suffi-cient for a description.The data, knownas a template, is then stored on theidentity document.

changed over its lifetime. For example,a digital signature can be stored ona card. This application assures therecipient of a message, on the onehand, that the sender is indeed who heor she claims to be and, on the other,that the document was not alteredduring transmission.

information onto the card. Besidesmerely storing data, cards of this kind arealso capable of performing complicatedcalculations, much like a computer.With the aid of a process known as on-card matching, there is no longer anyneed for the biometric data to be readoff the document for it to be processed.Instead, the sensitive information neverleaves the card. Returning to the bor-der crossing example described above,the scanned data would be sent to thecard’s microprocessor, which wouldthen perform the comparison itself andcommunicate only the results; eitheracceptance or rejection.

Multiple usesfor intelligentID systems

The use of Smart Cards in connectionwith modern open card operating sys-tems, Java for example, allows differentapplications to be stored and operatedon a card and be deleted again. Whatmakes this special, is that the applica-tions can be uploaded even after thecard has already been personalized. Inthis way, a card’s functions can be

Transparent Film 1

Transparent Film 2

Image Processing

Storage Template Matching

Acceptance/Rejection

Enrollment Verification

Image Processing

Substrate

Figure 3: Comparison of locally scanneddata and template on the card

Figure 2: Laserengraving is a securemethod of inscription

Storing biometricdata on anidentity document

Today, a Chip Card with a correspondingsecurity system offers the highest possiblesecurity against unauthorized individualsreading information from, or writing


This function is an important compo-nent of all e-government systems.Citizens can thereby save themselvestroublesome and time-consuming tripsto conduct business with local authori-ties. Activities such as reporting achange of address, registering a vehicle,or even voting in an election can all becarried out over the Internet with theaid of this secure means of authentica-tion. Other individual applications,such as a payment function, public

transportation, or gaining access tocertain buildings are conceivable (seeFigure 5).

Case in point:Macao

All these applications and functions areno longer limited to science fiction. InFinland, for example, a solution with thedescribed elements has been in place forseveral years now. Macao launched a sys-tem of this kind at the start of this year.In addition to serving as identity docu-ments, the multiapplication cards beingissued there will contain a digital signa-ture. A payment function and driver’slicense are also in the works.The ID willbe personalized using laser engraving,and two different fingerprints will serveas the biometric characteristics.A consortium of various companies,including Giesecke & Devrient, is sup-plying all the necessary componentsfrom the cards and their operating sys-

tems to the data capturing units tosolutions for personalizing the cards.The project’s scope also covers installa-tion of the entire infrastructure, at bor-der crossings for example.

Summaryand outlook

The events of last year have shown thatpublic security cannot be taken forgranted. Instead, it must be activelypursued and continually improved.With the technologies at our disposaltoday, it is quite possible to increasesecurity in various areas of public life,while at the same time making theiruse quicker and more convenient.The challenge in doing so is not somuch to use one single technology,such as secure inscription, to the extentof its possibilities as it is to achieve atotal solution through a well thought-out combination of different elementsof security and different functions.

20

Figure 5: Simplified model of a complete system solution

Figure 4: Minutiae– biometric detailsof a fingerprint

For information visit:www.gieseckedevrient.com

By Wim A. Kuling Project Leader OWM Zorgverzekeraar ZORG en ZEKERHEID

During the last few years

much work has been done on

the development of a Smart

Card for Parkinson patients

that will be suitable for

biometric identification.

The ultimate aim of the

project would be to develop a

special Smart Card for all

categories of people with

a chronic illness and it is

hoped that this project

could one day become a

nation-wide scheme.

23


The background of the scheme is basedupon the fact that people with a chronicillness - probably accounting for bet-ween 10 and 15% of the population -consume around 80% of the budget andfacilities available for health care. Patientsin this category are also often receivingtreatment from more than one physicianor therapist, and these specialists alsoneed to know about their colleague'stherapies and treatment methods. TheParkinson-Pass creates a basis for theElectronic Patient Dossier (EPD) andprovides a practical, quick and easy touse key for that Dossier. Use of the keyis exclusive to the patient and their careprovider. Without one of the two keysthere can be no access to the data storedon the Pass.

The Parkinson-Pass is not a top-downexercise, as many other ICT projects inthe health care sector are or have been.The idea has been developed from realneeds and in close collaboration withpatient organizations such as the DutchParkinson Association, a dozen or soDutch and German ICT companies, theCare Card Group*, hospitals, a regionalhealth insurer, and an enthusiastic neuro-logist based in Leiden. Expertise was alsoforthcoming from the National SmartCard Platform of the Netherlands(which is now no longer in operation).From the very beginning, we ensured thatthe Registration Board (the national watch-dog on issues of privacy and security) hasbeen involved in the project.

The Parkinson Pass was awarded theNational Smart Card Prize in TheHague at the end of 1999. Shortly after-wards, the Pass was judged the mostsuccessful card project in the health caresection of the Sesames Awards during theprestigious Cartes 99 in Paris. Recently,IPZorg** chairman, Elco Brinkman, advo-cated expansion of the existing Care Cardtests with experiments for people withchronic illnesses, especially those whoneed to visit more than one physicianor therapist. However, despite suchinterest, the Parkinson Pass has not hadfinancial support from any officialsource in the past. In the beginning itwas very difficult to convince interested

parties of the usefulness of theParkinson Pass, and in fact there wasvery little support for the project initially.

Patients retainaccess key

The present version of the Parkinson-Pass contains both a built-in memorychip and a processor chip, the formerlinked to a sensor for biometric identi-fication. Various characteristics of theowner's fingerprint are stored in digitalform in the memory chip. In the presentversion of the Pass the memory chip isstill being used as the storage and trans-port medium for biometric informa-tion. In future versions, the sensor, thefingerprint data and the recognitionalgorithm will all be stored in theprocessor.Information from the medical dossierwhich is stored on the card is onlymade available if the fingerprint corre-sponds to the one registered on thecard. In addition, Smart Cards are alsoissued to all care providers. Only ifboth cards are used simultaneously candata from the card be made accessible.The patient will always have the finalword in deciding who can access hismedical data.

The Pass serves mainly as a medicationalarm for Parkinson Patients. Informa-tion stored on the card includes themedication used and the progress of thedisorder. Neurologists can add new pre-scriptions to the card along with atimetable for taking the medication.

Pharmacists are also able to read outthe prescriptions and then input detailsof what medication has been handed tothe patient. If necessary, the pharmacistcan also adjust the timetable for takingmedication, providing approval has firstbeen obtained from the prescribingspecialist.One of the aims of the Parkinson SmartCard has been to provide help to thisgroup of patients in taking their medi-cation. One way to do so is to facilitatean exchange of information and data.Parkinson patients are wholesale medi-cation users and they often take a widerange of medicines. In the course oftime it is often necessary to adjust thetimetable for taking this medication. Inorder to improve patient compliance,each Parkinson patient who takes partin the test is given a special little gadgetcalled “Ex Libris” - specially designedfor the purpose of this scheme - toenable them to read out the medicationand other details from the chip on theSmart Card. An acoustic, light orvibrating signal from the Ex Libris tellsthe patient that it is time to take theirmedication. At the same time, an LCDdisplay shows which specific medicinehas to be taken. In the initial phases,special software was installed in about50 pharmacies so that the Smart Cardscould be read and adjusted. Two phar-macy wholesalers adapted their ownsoftware in the second quarter of 2001,so that it would be compatible with theParkinson Pharmacy Application. Thishas allowed about 95% of the pharmaciesin the Leiden area to take part in the


trial. Consultations are presently beingheld with a third supplier of pharmacycomputer software. Two hospitals in theLeiden area have agreed to take part inthe trial and eventually it is hoped thatapproximately 500 patients living inand around Leiden will be testing theParkinson Pass in practice.

ComplexTechnology

This project demonstrates just howcomplex such an issue is: in both thetechnical and the organizational aspects,and how plans have to be constantlyadjusted to allow for new technologicaldevelopments. The second generationof Ex Libris is much thinner, lighterand easier to use than the originalversion. The first prototype of the

Parkinson Pass contained two chips, buttechnology has now progressed to astage where a single chip is possible.

So the Parkinson-Pass offers uniquepatient identification and better patientverification without the need for anation-wide system of unique patientnumbers. The ultra modern and ultrathin (only 2 mm) biometric sensor hasbeen developed by Infineon Tech-nologies and the thickness of the Passnow complies with the ISO standard7816 and the card is physically suitablefor use in most card readers. Five

German companies are collaborating inthis project, including both Novacardand Infineon. Integration is in thecapable hands of HSB in Woerden (NL)and Zorg & Zekerheid (Z&Z), a healthinsurer based in Leiden, has also madesubstantial investments in this project.

A modern, Windows-based, programhas been written by HSB especially forthe neurologists involved in this proj-ect, i.e. the SPES: Short ParkinsonEvaluation Scale. The mouse-drivenSPES program allows the neurologist tomake notes on the status or conditionof each Parkinson patient very quicklyand easily. This is particularly usefulwhen we consider the pressure of workin neurology departments. New tech-nology must not be allowed to interferewith the normal work rhythm. Using

SPES the neurologist can makes noteson the card about the progress of thepatient's disorder, medication and time-table. SPES also includes an electronicformulary on the basis of the Z-Index***of medicines.

As most neurologists do not even havecomputer systems, these specialists arebeing provided with modern PCs thathave SPES pre-installed. If anotherphysician or a family doctor prescribesmedicines, the pharmacist can add thedetails from such hand-written pre-scriptions to the Pass.

Pioneering work

It is inevitable that a cutting edge proj-ect of this kind should encounterobstacles. Originally it was hoped toprovide volunteer Parkinson patientswith a Smart Card at the beginning of1999, then the starting date had to bepushed back to February 2000. Itproved impossible to meet this dead-line, and so in early 2001, the rolloutfinally started with 80 to 100 Parkinsonpatients registered at the LeidenUniversity Medical Centre (LUMC)and the Diaconessen Hospital inLeiden, hopefully increasing by an extra100-150 this year, by including all thepharmacists in Leiden. The originalinvestment budget of several hundredthousand guilders - made available byhealth insurer Zorg & Zekerheid - hasnow been exceeded. One reason forthis, is that it proved necessary to devel-op all hardware, software and many newstandards from scratch. “Dutch develop-ers have invested far too little in bio-metrics in the past”, says Johan Beun,co-manager of the project and ICTambassador for the Association for theChronically Ill and the Dutch PatientConsumers Federation (NPCF). “Weneed to stimulate the acquisition of thissort of expertise throughout the coun-try and make it available for other proj-ects.Then others will not need to sufferthe delays and setbacks we have. ”

Many of the products and standardsthat have been developed as part of theParkinson-project can be used in futureICT projects for the chronically ill.TheEx-Libris was developed specially forthe Parkinson-Pass project. The latestfingertip sensors are proving to beabout four times as fast as the chips inmost card readers. “With the ParkinsonPass we are actually shooting at a mov-ing target”, says Wim Kuling, projectmanger for Z&Z. “It is barely possibleto keep pace with the technologicaldevelopments. It has always been agreat temptation to draw the latesttechnology into the project, but to doso would be to introduce new problemsas well.That was why we have chosen ascenario which may make concessions

24

The Ex-Libris medication aid was modified several timesusing feedback from the users.

25


to overall functionality, but it will pro-vide the best overall practical results.”

The Parkinson Smart Card is not atechnological island: many existing andreputable standards have been integrat-ed (Vektis/API, AGB, APHNOR, ISO,medication codes, and Edifact standardssuch as MEDREC and MEDEUR).Nonetheless, there has been a needfor standardization and normalization,especially for purposes of security andbiometric identification. The projecthad to make its own choices in thatrespect. The Parkinson Pass also had tobe 100% compatible with the specifica-tions of the Care Card Group, which iscurrently running a national trial for ahealth care card in the Amersfoort area.In addition, it was the intention tomake the Parkinson Smart Card fullyreadable in the card readers used byhealth insurer Z&Z.“In the end we hadto drop that criterion because, for thetime being at least, we are having todeal with readers with two heads”,explains Kuling. In and around Leidenabout 450,000 people are using a mem-ory card as a proof of registration. Cardreaders have been installed in ten healthcare consumer centers (Zorgwinkels)operated by Z&Z in the Leiden area.

“Historically, the Parkinson Pass isdoing pioneering work for HollandLimited”, says Beun. “We now have a

multi-functional card in a multi-disci-plinary and hybrid environment. That'sno sinecure.” The Card ManagementSystem had to be adapted, links to phar-macy systems had to be developed andimplemented, and new procedures forrepeat prescriptions and home deliveryof medication had to be created.Pioneering technical work has also beendone to create a back-up and recoverysystem in the event of loss or damage ofcards. Just imagine how much coordina-tion has gone into creating a system towrite the medication history onto thecard, to allow simultaneous use of careprovider's and patient's cards, the linkbetween the Parkinson PharmacyApplication and the normal systems inuse at pharmacies, and the principle thatthis complex little card would have tobe compatible with just about everytype of card reader in common use.HSB and its partners in TheNetherlands and Germany have reallydone innovative work.

That is also the reason why theNational Smart Card Platform (NCP –no longer operational since early 2001)was interested in keeping abreast of theParkinson Pass project. Former NCPsecretary Jan van Arkel (now co-chairof E-Europe) points out that a cardwith a built-in biometric verificationcertainly fulfils a certain social need.“Something like this is also of signifi-

* The Care Card Group - ZorgPasGroep - was a Dutch initiative todevelop a nation-wide Smart Card forpatient identification. This initiativewas fully supported by the Dutchgovernment, health insurers and allcare providers, but ceased operationsearlier this year.

** IPZorg (now called NICTIZ –Nationaal ICT instituut de zorg) – agovernment initiated organisationwhose task it is to stimulate the appli-cation of ICT technology in thehealth care sector.

*** The Z-Index is a database of allpharmaceutical and medical productsavailable in The Netherlands.

cance outside the health care sector.Just think of E-government electronicvoting for instance, via the Internet, orE-commerce where reliable verificationfunctions are indispensable for card-holder and supplier alike.”

“The Parkinson Pass is a unique investi-gation into the usefulness and effective-ness of a health care Smart Card forhundreds of thousands of specificpatients, like those people with achronic illness”, says Johan Beun. “Thisis a crucial step in the direction of EPDfor the most expensive health carepatient.” He feels it is quite possiblethat in the longer term patient infor-mation will be available via a network,without being stored on a card. “At themoment it is a big advantage that thebiometric data is stored in the carditself.” But in the longer term Beun isconvinced that affordable and water-tight forms of biometric identificationwill be available without card technolo-gy. Just as banking organizations arealready using “smart tokens” for elec-tronic payments traffic, biometric tech-nology is increasingly being integratedinto GSM phones, palmtop computersand even keyrings. It will be yearsbefore every patient with a chronic ill-ness uses this type of technology, butuntil then, card technology can be anexcellent aid for specific groups ofpatients.

Table showing figures relating to the project

Parkinson patients in the Netherlands...............................................45,000Members Parkinson Patients Org. .......................................................6,000Parinson patients in our province (z.H.) ...............................................6,000Zorg en Zekerheid clients with Parkinson............................................1,000Excepted number of participants..................................................500 – 800

Impression of other chronic illnesses in NL (source: WOCZ)

• diabetes mellitus .......................................................................300,000• bronchitis and asthma...............................................................750,000• heart disease ............................................................................480,000• migraine.................................................................................1,500,000• rheumatoid arthritis...................................................................470,000• liver, intestine and kidney disease .............................................160,000

For information visit:www.zorgenzekerheid.nl

27

ApplicationFocusTrusted Computing

To protect mobile telephones, PC’s andcredit cards from unauthorized use,people have relied for many years on anumber generally composed of fourdigits; the PIN code.This system has itsdrawbacks. With just 10,000 possiblecombinations, it offers relatively lowsecurity. Beyond that, the user is oftencompelled to memorize a multitude ofdifferent numeric codes for differentdevices and/or electronic cash andcredit cards. For these reasons, engi-neers have been looking for alternativesystems offering failsafe protectionagainst unauthorized access, unambigu-ous identity verification, and greaterconvenience. Biometric technology canstore and retrieve the distinguishingtraits of physiological features thatenable unambiguous identification.

Ease of useis decisive

However, for biometric technology tomake inroads, it must satisfy other cri-teria; for example, the need for lowcost, ease of use, and microelectronicspace constraints. And of course themethod of identification must winwidespread acceptance among con-sumers. There is much to be said forfingerprint recognition – next to itspopular appeal, it is easy to use. Thefinger is simply moved over or placedon a sensor, and a scanner records thepapillary lines in a fraction of a second.Several manufacturers offer sensors thatuse different methods to transform the

values for papillary lines detected onthe skin by the sensor’s surface, intogray shade images. Fingerprint sensorsgenerally have a surface area of bet-ween 150 and 250 mm2. Line scanners(thermal scanners, for example) have amuch smaller area (approximately 30mm2). All scanning processes are able toachieve resolutions up to 500 dpi.Complex mathematical formulae extractthe distinguishing features from theimage recorded by the sensor.

However, one of the growing markets isthe securing of PC’s. It is here thatIKENDI has taken a different path tomany other biometric security imple-menters. This solution is based uponstopping the intruder gaining access tothe data in the PC right from boot-up;not after the BIOS environment hasalready started. In effect, to use an anal-ogy, the system blocks the intruder atthe office front entrance, not at recep-tion (after they have got through thefront door).

The FingerprintBIOS-Solution

With the Fingerprint BIOS-Solution®IKENDI has implemented a full Finger-print recognition (with encoding andmatching) in the System-BIOS environ-ment. The whole program, includingthe fingerprint database, is managed inthe System-BIOS. In the pre-boot phase,the system can be locked securely andis accessible with a pre-registered finger

placed on the integrated Fingerprintsensor. The implementation is deliveredas two option ROM modules for anyPC-BIOS and is adaptable to differentFingerprint sensor types and hardwareconnections. All security options can beconfigured with the BIOS-Setup mask,while the access to the BIOS-Setup isalso secured by a Fingerprint. For thedifferent functions, supervisor and userfingers can be captured on the database.Inside the System-BIOS flash the data-base is stored and mirrored for faulttolerance reasons. The solution workswithout any other storage device (harddisk) or operating system function(OS-independent) and is already imple-mented in current notebook types.

Functionality

From the BIOS-Setup the separatesupervisor and user menus are accessible.The supervisor can also enter the sys-tem BIOS, while a user can only startthe PC. In the supervisor menu it’s alsopossible to delete the whole databaseand to enroll a complete set of newfingers. In this way, the best workingfingers can be selected with a separateprocedure.

In the test-menu the user can checkhis finger templates to see if they aresuitable for a secure fingerprint recog-nition. Not all fingers can be used, andit is dependent on the characteristics ofthe finger. The user can also view theimage in order to adjust the handling

Biometric recognition systems are destined to replace PIN codes in many applications(Smart credit cards and mobile phones immediately come to mind). The advantages ofbiometrics are compelling – enhanced security, easy and convenient handling, and unambiguousverification of identity.

ConvenientSecurityThe real ‘Key’ to

Biometric SecuritySolutions

By Florian Höfle, CEO, Ikendi


of the system and get a good imagequality.Each supervisor or user finger has to becaptured 4 times during the enrollmentprocedure. Each finger must be of a goodquality, with enough characteristics fora secure recognition. After all fingersare captured, the system merges the fin-gers into an enhanced template.The tem-plate is stored in the mirrored BIOSflash database.When the PC starts-up, the user identi-fication by fingerprint is automaticallystarted. The system always shows thefinger quality by value on the left side.The displayed line indicates the qualityby its length and changes from red to

Separate Supervisor Menu availablefrom the BIOS-Setup.

green when the quality of the finger isgood enough. Only if the user (orsupervisor) is identified, will the systemproceed with booting.

Implementation

The first PC manufacturer to haveimplemented this system into their lat-est model of laptop PC is Fujitsu-Siemens. The IKENDI FingerprintBIOS-Solution can now be found onthe Fujitsu-Siemens CELSIUS®Mobile H. Fujitsu-Siemens must beimpressed with the IKENDI solution,as they are currently calling their newCELSIUS Mobile ‘the most secure

28

User fingers must be captured fourtimes during the enrollment procedure.

The Test Menu allows the user to checkthe finger templates for suitability.

User identification by fingerprintautomatically begins at PC-Startup

For information visit:www.ikendi.com

Fujitsu-SiemensCELSIUS® Mobile H.

mobile family in the world’. Of course,the laptop also contains an integratedcard reader and data encryption on theHDD, but the IKENDI solution goesan awfully long way to enable Fujitsu-Siemens to back up their claim!

On a very hot day in June, SECURE caught up with David Grawrock, SecurityArchitect with Intel, at the Infineon Technologies headquarters in Munich, to talkabout the TCPA, Intel’s role, the TPM modules and what it’s going to take tomake the benefits of a secure platform obvious to the average guy-in-the-street.

An interview with David Grawrock, Security Architect, Intel Corporation

ProtectingYour Platform


SECURE - David, what would you say are the benefits ofthe TCPA* and TPM** products?

First, it increases your level of trust in your platform. Thisstarts with a measuring process, so you now know what’s hap-pening on your machine. The next step is that it then givesyou a way of taking those measurements and reliably report-ing them. After that, you can validate those measurements,and finally there is a way to monitor data (and other things)that are stored on that particular platform, that is tied tothose specific measurements. So you can say, “I only get thisvalue back when everything is in the same configuration.”For a manufacturer, these are the now the basic buildingblocks that allow you (as a manufacturer) to build applica-tions that use those facilities.

SECURE - That’s great for the chip manufacturers,but what about the man in the street? How will endconsumers react when they are told that the machinethey are about to purchase has security products onboard that were defined by the TCPA?

Personally, I hope that they don’t know about TCPA at all! Inthe sense that I would like them to believe that the systemsthemselves are simply more secure than they used to be;primarily because security is hard for end consumers to see.

They get [their machine] and go, “Why is this one moresecure and this one less secure?” So what you would really liketo do is build up the brands [of the machines], so that the PCmanufacturers (or whoever), can say this one is more securethan the last one we produced. And consumers get to the pointwhere they believe that their information is going to be prop-erly protected because this particular platform is more securethan the previous platform. That’s the end user benefit – anincrease of faith in their machine to protect their data.Today’s machines are pretty good, however threats are increas-ing. Consumers need to have confidence that the platform willprotect their data and work properly. And so the idea here is tostart giving system manufacturers the ability to make betterbuilding blocks and produce better systems, so that the endconsumer can say, “Oh, I trust that this machine will workproperly.”

SECURE - Does that mean then that the people who willget the real benefit from the work of the TCPA is not theInfineon’s and the Intel’s of this world, but the IBM’s andthe DELL’s. In fact any platform maker, because the endconsumer only looks at the platform as a whole and notat the fact that it has a TPM chip on board?

D.G. – The customers will get the real benefit. I think youwill see the benefit first with the IBM’s and DELL’s. I guess

* TCPA:Trusted ComputingPlatform Alliance

** TPM:Trusted Platform ModuleSee page 58 formore backgroundinformation.

31

“At the startthe (TCPA)logo will bea little morevisible, to

differentiatethis plat-

form (secure)from the

otherplatform

(unsecured).”


that there will probably be a TCPA logo on the machinesomewhere. It’s interesting when you look at how informa-tion is distributed about the machine through logos andstickers. If you look at a machine today, there are loads ofstickers giving information about the machine but many ofthem are now on the bottom of the machine. Those on thetop are the ones that are used to differentiate one platformfrom another in today’s market environment.I think this is how it will start with TCPA. At the start, the logowill be a little more visible, to differentiate this platform fromthe other platforms, so the end consumer will be able to say,“Oh this is one of the machines that was built with one of thesesecurity things on board.This is a secure platform, so I can trustthis platform more.” So what we see is that there is a step up. Itmoves everything forward.

SECURE - Why did Intel want to be a part of the TCPA?Is it simply because it’s the next big marketing thing?

D.G. - Oh, I don’t think it’s the next big marketing thing. I’ma security person from way back and I believe that securityshould have been looked at a long time ago. It’s a realizationthat we need to make things better for the consumer. Andbetter in this case means more trustworthy. Not that thingsare not sellable and usable right now (from a security point ofview) - they are. But end consumers would like to see anincreased level of trust. And I think that is what we are tryingto provide. Our mission statement is about providing buildingblocks for the Internet. Some of the building blocks we needto provide are provided by the TCPA – it’s providing morebuilding blocks.

Security is a difficult thing to differentiate on, sometimes it’svery hard to say, “I’m more secure than you are.” But I thinkthat’s what is important to say to the consumers (be they ITor someone at home), that these are more trustable platforms.That’s important, that’s what drives us.You can have a greaterdegree of trust now and in the future.

SECURE - Can you give me an overview of the TCPAguidelines for different applications? Are we talking aboutone platform or many?

D.G. - One of the guiding principles of TCPA was that wedidn’t want to be tied to one specific platform – we didn’twant to say that this was a PC effort. (Laughs). Granted, thatwhen you see who the original promoters were, it drives thepoint home that PC’s were what we thought about first andthis is where we went. But the main specification that wewrote is platform agnostic.We don’t talk about things that areon a specific platform, because we think that this concept ofproviding a level of trust through measurements and report-ing and so on, is valid on whatever platform you are dealingwith; whether it’s a PC or a PDA or a cell phone or a routeror any of those types of computing platforms. They all havethe same requirements. What am I dealing with? What is itscurrent configuration? How do I store things securely on thatplatform? So we went and made sure that the specificationsaid that these functional requirements were on all platformsand so let’s make sure they are available; let’s make sure this isdone. And then on top of that, we said “Fine. Let’s look athow you would take this generic definition and make sure itwas implemented properly on a specific platform.” And thefirst one we did was the PC. But the idea is that these specifi-cations are very generic and usable building blocks on allsorts of different types of platforms.By giving building blocks and saying this is the base level ofthings that you are going to do, that gives us the guidelinesfor application building.When you are using standard genericinformation, it doesn’t matter what application or platformyou are on. I can send this, the same command on any type ofplatform or machine and get the same answer back. I canevaluate my answer and decide on my level of trust to thatsystem based on that. So the guidelines we are giving forapplications are not in the sense of “Here’s how you buildyour application.” What we are doing is that we are sayinghere is this great bottom level building block and it gives youthis piece of information and it will tell you reliably what’sgoing on. Now you as an application, make your decision;make up your mind.

32

“...the main specificationsthat (the TCPA) wroteare platform agnostic.”

33


Once you get that information, there are a whole bunch ofthings you can do. And so the guidelines for an applicationare going to be “use the facilities, the building blocks as they aredesigned and it will give you a whole new world of things to do.”

SECURE - Are TPMs available today?

D.G. - Yes, they are shipping.You can look at the membershiplist and find out who is doing that. But there are platformsthat are shipping today that have TPMs on them.

SECURE - Any immediate feedback from the marketabout the TCPA and the TPM products or is it still a littletoo early?

D.G. - Honestly, it’s a little too early for that right now.

SECURE - What are the problems in taking a subject likethis from theory to practice and on to implementation?

D.G. - Huh! Do I start at the beginning or at the end?(Laughs).

Going from a spec to something that actually happens is along process and what you have to make sure happens first, is

that what you provided really is something of value. And thenyou have to be able to find either your own internal compa-ny’s or an external company’s part of the organization that iswilling to do the work necessary. People have to take a risk. Ifits not been done before, you are out there all of a suddenimplementing something that you don’t know if it’s beendone properly, you don’t know if it’s complete and you don’tknow if there are any other problems on it. So you really haveto find people who are willing to take a risk and develop itand suddenly find a problem and still be willing to go backand make some changes. So it’s a process that requires a lot ofgive and take by everybody. You have to be willing to sitthere and say, “This is what I have designed, and this is what Ihave produced for everybody.” And if there is also a mistake,you also have to be willing to say, “Oh sorry, I made a mistake– I’ll make that change.” You have to be very flexible on thatprocess.

SECURE - What does it take to make security an every-day item?

D.G. - We have to continue to tell people that this is some-thing they need - whether they realize it or not. And we haveto continue to tell them. But part of the problem is that man-ufacturers in the past have made security too visible. We havemade security something that you see, as opposed to some-thing that works in the background for you. It should besomething that is easy to use. Human error is normally whatbreaches security protocols or causes crashes. What’s happen-ing now is that we are trying to make everyone a securityexpert (even if all they want to do is buy something withtheir credit card over the web!), whether they want to be ornot. Now we have unknowing, untrained, unknowledgeable,and uncaring people who are supposed to be securityexperts. It’s not going to work.

So our job really, is to make sure these people do not have tobecome security experts. We have to take it out of theirhands, because they are not going to do it right. And if wedepend upon them to do it right, we are going to be in trou-ble. So we have to make sure that the security we providepeople is so simple to use, that they do not understand theyare becoming security experts and that the technology worksall the time, every time - without their knowledge and fortheir benefit.

SECURE - Could something like the TCPA have happen-ed without the credibility and presence of the likes ofMicrosoft, IBM and Intel and other industry movers?

D.G. - No, I think that if you had tried to do this as an indi-vidual company, even if you were Microsoft, IBM or Intel,you would not have had the power or the ability to movethings like a large organization does (in this case the TCPA)where people work together. If you get a collection of pas-sionate people out there pushing the same idea and they are

“That's the end userbenefit – an increase of

faith in their machines toprotect their data.”


in different companies and they can get together and getthings done, then the whole thing grows and multiplies andpretty soon you have that critical mass. I don’t know what thenumber is for that critical mass, but it is very hard to startsomething like this in one company and get it out there.There have been lots and lots of products from single compa-nies in the past that haven’t made it. They have done a goodjob, have worked well, but they withered on the vine.

SECURE - So what is it that makes all these months of workwithin the TCPA a success; that TPM products are a success?What’s the one little item that makes it all worthwhile?D.G. - (Laughs, as do other Infineon people in the room).It’s on every single machine out there! (Pauses).Although it’s a nice idea – that’s not really likely. (Pauses again).Probably the success criterion is that it’s in use and that theTPM or its successor is still in use five, ten years from now. Ifthat’s the case then we are a success.

SECURE - Final question. How do you see the TCPAevolving over time?D.G. - (Laughs). That’s an open question right now, becausefrom one side I think that security is not the point.You don’tstick a stake in the ground and say, “Hey, I’m secure. I’mdone.” Security is a process; it’s always about give and take. Iset a barrier, the attackers go over it. I set a new barrier; theygo over that one too. However, hopefully, as we set new bar-riers, we take out a whole section of attackers – they are nolonger able to play, and you move forward.

However, crypto algorithms change, procedures change, allthese things are events that occur and I think that if you aregoing to try and provide long term trust in a platform, thenyou are going to be saying: “what am I going to look at andhow can I evaluate how this platform is viewed right now?What do I do to make it more trustable in the future?”

So that says you are moving forward. Now what does it saytowards the organization? I’m not sure.That’s a business issue,not a mechanical issue of how we manage that. But what it isnot saying is that we are going to do this once and thenthrow it over the wall and forget it. I don’t think that’s goingto happen.We have to go forward and look at features and seewhat we need to change. So I think we are going to have tobaby-sit this thing and watch it for a while. How long thatwhile is – I don’t know.

34

Biography

David Grawrock is a Security Architect for the DesktopArchitecture Lab of Intel. He designs and evaluates securi-ty protocols and systems for Intel products. David hasbeen involved with TCPA since 1999. David has workedin the computer industry for 25 years, holding positionswith Central Point, Symantec and Lotus.

Munich, Germany – June 2002

For information visit:www.trustedcomputing.org

By Dorothee Göbel, Director Business DevelopmentContactless Systems, Infineon Technologies AG

37

ApplicationFocusContactless

As part of a project supported by theGerman Federal Ministry for Educationand Research (BMBF), the Associationof German Transport Companies (VDV) –the umbrella organization of all Germanpublic transport operators, is workingon a future technical standard for uni-fied pricing and sales systems in publictransport networks. As a supraordinatebody, the VDV represents more than400 public transport operators servingaround 9 billion passengers a year. Theobjective of the scheme is to increasethe user-friendliness of the system forexisting passengers, while gaining newcustomers who are discouraged frommaking more frequent use of bus andrail networks by complicated salesmethods. The development programaims to create a uniform data standardwhich makes it possible to link a vari-ety of electronic tariff managementapplications and formats. This coreapplication will offer the followingcentral features:

• Cashless payment,• Electronic tickets,• Automatic ticket pricing.

The approach is comprehensive, yetflexible enough to allow the creation ofcompatible technology-independentsolutions. It includes both systems thatinitially only implement electronic tickets,as well as systems with automatic ticketpricing and expanded shopping features.With an open chip platform as its basis,the system can be used in a variety offorms with different features, but issimple to upgrade and expand. Thus,with e-ticketing it is possible to have

Every day around 25 million passengers use public transport in Germany; this is more than ninebillion a year – but the figure could be higher still.The attraction of a service that would otherwisebe easy and convenient to use is often impaired by everyday problems – either you don’t haveenough small change, the ticket machine is out of order, or the price system is too complicated. Aconvenient solution would be for a ticket to be valid in other transport networks in differentregions. Thus, in cooperation with the Association of German Transport Companies (VDV),Infineon and other industrial firms are working on a technical standard which would allow a uni-versal electronic ticket to be introduced throughout the whole of Germany.The cooperation part-ners will present their universal solution for the purchase and use of electronic tickets on publictransport networks by the middle of 2003.

systems where customers can log on andoff (so-called “CiCo” systems: check-in/check-out), as well as ones whichregister whether the customer is pres-ent or not (“BiBo” systems: be in/be out).Even the systems’ payment features candiffer. One further core feature is thepossibility of automatic ticket pricing –whenever customers use their electronicticket, they are only charged for thedistance they actually travel.

The interoperability and compatibilityof the system ensures that customersonly need one device to use the entirerange of features, and provides a uni-form tariff management system. Forthis purpose a standardized customerinterface has to be created with the fol-lowing objectives:

• The methods used must be inde-pendent of the tariff system and beable to adapt to any conceivable tariffsystem.

• The various forms of electronic tariffmanagement must be compatible so thatdifferent versions of the system canbe used in parallel over a long period.

• It must be possible to introduce thetechnology in stages, and the invest-ment involved – particularly for theintroduction of electronic tickets –must be safeguarded.

• Compatibility between public trans-port networks and rail networks mustbe ensured.

Flexible, high-performance hardwareand software guarantees that the systemcan be integrated in stages. The choiceof the most economical form of elec-

Contactless e-ticketing– convenient when timeis short

tronic tariff management systems willdepend on local conditions. Thus, tobundle the development potential andto protect the investments of theinvolved parties, it is economicallyparamount to create a standard andinvolve a range of industrial companiesin the scheme.

The core application is being developedby industrial partners such as T-Sys-tems, Siemens, ERG, Card.etc, Cubic,Infineon Technologies, the Institute forTransport and Infrastructure Systemsof the Fraunhofer Gesellschaft, andDeutsche Bank.

The VDV’s initiative for the develop-ment of a compatible electronic tariff


management system on the basis of acore application provides the basis forthe standardization of a wide range ofsystems – first in Germany and later inEurope.The decision as to exactly whichapplication – be it electronic payments,e-tickets, or automatic pricing – iseventually put into practice has to betaken at a local level by the individualtransport company or within regionaltransport organizations. The flexibletechnology at the heart of the scheme(semiconductors and software) allowsdynamic applications to be implementeddepending on the needs of the trans-port operators and customers, as well ason budgetary requirements.The optimalsystem for customers and companieswill vary according to local conditions– the size of the transport region, trafficinfrastructure, market shares, customerbases, economic feasibility studies, etc.Clearly, many transport companies willintroduce cashless e-tickets as a firststep. Subsequently there is the optionof extending the service by adding auto-matic ticket pricing or further cashlessshopping features. E-tickets can thus alsobe used as entrance tickets for enter-tainment events, or as a cash or identitycard, for instance.Whatever the decision,the system remains transparent for cus-tomers and gives them full control overpayment.

Ambitious ChipCard project forpublic transport

For many Germans the scenario is alltoo familiar.You arrive on a local trainat the central station in Munich just intime for you to get your long-distanceconnection to Frankfurt. When youarrive there, you’ll have to hurry tocatch another local train, after whichyou’ll need to catch a local bus. Therewill hardly be any time to buy the ticket,and as you’ll be in a hurry, there’sbound to be a particularly long queueat the counter. To be on the safe sideperhaps you should get some changefor the ticket machine in the dining caron the train. Experiences like these willsoon be a thing of the past. Passengerswill be able to use their electronic ticketseverywhere in Germany, and pay forthem without needing cash. In addition,passengers will be able to buy and usee-tickets on any of the around 530 trans-port companies throughout Germany inexactly the same way – whether they arein Munich, Berlin or Dresden. Yet theonly way to bridge the present gapbetween the differing tariff systemsused by the various independent transportcompanies is a universally recognizedtechnical standard. The first conceptswere devised in the 90s, based on contact-

based Chip Cards, where a fixed sumwas charged for each journey. Yet thisprocedure turned out to be too incon-venient and inflexible. This is whythe VDV has decided to implementa contactless ticket system with thenecessary core features and standardizedprotocols.These are:

• A standard protocol for the mainfunctions of the system (air interfacein accordance with ISO 14443/ISO15693 and a contact-based inter-face in accordance with ISO 7816)

• Standardized application software anddata records in order to ensure a com-patible system with flexible pricestructures

• A multi-application framework andan open platform to secure compati-bility with other e-applications (cashcards, identity cards, etc.)

In this project, Infineon is providingthe expertise for the chip technologyrequired for the envisaged chip-basedcontactless solution. In contactless datatransfer a reading device emits an electro-magnetic field that activates a chip inthe electronic ticket as it passes withinrange.The chips ensure reliable and rapiddata transfer, even if several tickets haveto be validated simultaneously, as atpeak times, for instance.The decision asto what the electronic ticket actuallylooks like is left up to the individualtransport company. With this highlyintegrated space-saving chip technology,e-tickets can take the form of a ChipCard, or can be integrated into a wrist-watch or key ring.

Technologicalrequirements

What are the technological requirementsfor the implementation of a convenientand universal electronic ticketing system?No matter what form the system ulti-mately takes, the core components areprovided by semiconductor technology.Infineon has provided my-d and my-Cproduct families to ensure that thecontactless identification technology is

38

Underground train(never miss your trainwith your easy electronicticket to ride)

Pay as you pass –the contactless e-ticketmakes it possible

39


implemented practically and effectively.This contactless Chip Card technologyfulfils all necessary requirements, suchas chip sharing for dynamic applica-tions, simple access and use, systemimplementation completely based onstandardized system components, andexpanded security functions. Chip sharinginvolves making secure storage sectorswith variable data access on the ICavailable to several users or applications(more precisely, to their read/writedevices), provided the users/applicationshave the corresponding access rights. Inthis way manufacturers, service pro-viders or resellers can use the chips notonly for various data storage purposes,but also in changing dynamic applications.

Electronic tickets for secure, convenientand quick payment on public transportrequire contactless technology. Only inthis way are secure and rapid pay-as-you-pass systems possible. With e-tick-ets all passengers benefit from an addedconvenience that was previously onlyknown to pass holders.

The technology of the new storage ICs

The my-d chips are components with astandardized frequency of 13.56 MHz,

and are equipped with both EEPROMstorage capacity and a contactless inter-face (ISO/IEC 14443 or 15693). Allthis technology is contained in just afew square millimeters. The memorychip (128 to 2040 bytes) can be dividedinto several sectors for different usersand protected if required. The technol-ogy of the chips corresponds to theinternational RFID standard for vicini-ty cards and smart labels, which definesthe protocols and interfaces for datatransfer between the IC and the readingdevice. At present two my-d variantsare available, both meeting the specificmarket requirements, with one versionoffering additional cryptographic secu-rity of up to 14 keys. The componentscan be read or written to with readersconforming to the new ISO standard;the energy transfer to the chip is car-ried out by the read/write device forthe duration of the read/write proce-dure.

Whereas contactless technology hasmany advantages for the envisagedelectronic ticket system, the existinginfrastructure is still contact-based. Thismeans that a suitable solution must beable to support both technologies andalso guarantee interoperability betweenthe systems.The answer to this are my-dSmart Cards with dual interfaces forboth contactless and contact-based

communication. In order to use existinginfrastructures, Chip Card controllersare required that can support bothcontactless ISO14443 and contact-based Chip Cards in accordance withISO7816. In addition they must alsosupport both operating modes (types Aand B) in accordance with ISO 14443.Furthermore, hardware-based crypto-graphic algorithms also ensure securityfor personalized use in public transportsystems.

Concluding remarks

With this ambitious VDV project, cus-tomers can use public transport serviceseasily and conveniently in a definedarea. The scheme is initially conceivedfor Germany, but discussions are under-way with the EU regarding extendingit to Europe as a whole.

In addition, the core systems based oncontactless Chip Card technology pro-vided by Infineon offer an interestingadded benefit. As a system of this kindalso allows the detailed monitoringof customer flows, the public trans-port operators can control these moreefficiently and thus also adapt the pricesystem better to actual use.

Infineon´s ContactlessSystems SolutionOffering

The Principal behind Contactless Chip Card Technology

my-CSecure Controllers• Bare die• Modules You-R components

System SW and personalizationSW application notes

Reader board

my-dSecure Memoriesfor cards and labels• Inlay• Module• Bare die

• Antenna• Easy to

customizeantennabased onapplicationnotes

Technology UpdateSmart Cards

Some years later, a major flaw was dis-covered concerning certain crypto-graphic devices, which were found tobe susceptible to electromagneticattacks. Crypted Teletype units showedoccurrences of small traces of side chan-nel information beneath the normalCrypted output. This side channelinformation contained clear text signals,traveling through the whole devicefrom the keyboard to the output anten-na. Using sophisticated equipment, theclear text could be separated from thedominating cipher text, and later ampli-fied and displayed. A practical approachconcerning a Teletype crypto devicewas performed in 1960, and is docu-mented in detail in the autobiographyof the former MI5 Scientist - PeterWright [3]. At the same time, as aware-ness for such an attack was slowlyincreasing, the race began to find andintegrate the first technical counter-measures against electromagnetic analysis.Expendable and costly methods weretested for effective shielding of the

complete units. One concept recentlybeing “reinvented” is the completedecoupling of the power supply - amethod with only limited effectiveness(as will be discussed later). Also the firststandards were defined for supplying com-parable protection against TEMPESTattacks in different applications andenvironmental conditions.In the age of electronic data processing,TEMPEST attacks are gaining evengreater notoriety. Considering the factthat modern enciphering methods are,due to their enormous key lengths,nearly “unbreakable” [4] (using suchmethods as Brute-Force Attacks), theattackers have to find other ways togain possession of the secret clear textor keys. The proposed method is togain the clear texts or keys before theencryption itself happens. Side-channelanalysis helps in these cases, snoopingfor trace amounts of compromisingelectromagnetic emanations from thesesystems. The systematical approach toAnti-TEMPEST standards, test manuals

40

By Peter Hofreiter, Dr. Peter LaackmannInfineon Technologies AG

ElectromagneticEspionage from Smart Cards –

Attacks andCountermeasures

A quick look back into thehistory of espionage shows thatthe analysis of electromagneticemanations for espionage pur-poses is a process that hasbeen in use for a number ofyears. The codeword TEM-PEST covers a methodologyknown since 1950, of receiv-ing, amplifying and evaluatinghigh-frequency side-channelradiation - including theappropriate countermeasures.

A practical example of a verysimple attack, known as HFf l ood i ng , was discovered in1952 at the American embassyin Moscow (see Figure 1).

Behind a big state seal, a strangemechanical device was hiddenand was being irradiated fromoutside with strong electro-magnetic fields [1, 2].

The device itself included aresonant circuit, which wassensitive to voices in that par-ticular room. The modulatedsignal from this mechanicaldevice was then analyzedfrom a distance of severalhundred meters, compromis-ing all spoken words insidethe room.

HF Flooding attacks still arecommon today – albeit in aslightly modified form.

Figure1: 1952 – The American ambassador HenryCabot Lodge Jr. demonstrates the function of theelectromagnetic “Big Seal Bug”

41


and recommendations began in 1980.Today, TEMPEST-proof devices forelectronic data processing (PCs, Key-boards, Monitors, etc) are commonlyavailable and widely used.

SPA and DPA

SPA [5, 6] and DPA [7, 8] (Simpleand Differential Power Analysis) arewell known in the Smart Card industryas standard attacks against Smart Cardcontrollers. Both methods are based ondirect measurement of the device’spower consumption during the pro-cessing of a security relevant operation.Not only have a variety of mathematicaland analytical methods for attacks beendeveloped, but also multifaceted trialsto prevent SPA and DPA.Today, some of these attack technolo-gies are becoming diversified fromSPA/DPA attacks and are focusing onother side channel information includ-ing the electromagnetic emanations ofsemiconductor devices. The correspon-ding attacks in this special case arecalled EMA (Electromagnetic Analysis),not TEMPEST.Due to its electromagnetic effect, theswitching processes in a microchip canbe detected in the vicinity of thedevice without probing the directpower consumption. As today's micro-controllers are operated in theMegahertz frequency range, the high-frequency signals that are produced areemitted into the air directly from thechip surface. The subsequent conclu-sion that Smart Card microcontrollerswhich are not efficiently protected, mayalso permit electromagnetic side chan-nel analysis, has been voiced some timeago [9]. As the research activities con-cerning these attacks normally coversecurity relevancy, results of theseattacks and countermeasures were forthe most part, not published in the past.Kuhn released the first publicly avail-able material in 1999, documentingexperiments to evaluate the high-fre-quency emanations of a standard micro-controller [10]. From this moment on,the discussion concerning electromag-netic analysis of Smart Card controllersbecame public in a broader sense.

SEMA and DEMA

The electromagnetic attacks corres-ponding to the conventional “SimplePower Analysis” (SPA) are called SEMA(Simple ElectroMagnetic Analysis). Forthe transfer of the classical methodology“Differential Power Analysis” (DPA) toelectromagnetic emanations, Quisquater andSamyde came up with the abbreviationDEMA (Differential ElectroMagneticAnalysis) [11].In order to conduct successful attacksagainst Smart Card controllers that do notcontain dedicated and highly efficientcountermeasures against EMA/DEMA,and for testing and verifying own counter-measures, it is very important to find asuitable experimental arrangement. Thesetup has to be developed with the con-dition that the electromagnetic signals thatradiate from the chip can be detectedwith high bandwidth, high amplificationfactor and also very low noise levels.The signals that emanate from a SmartCard controller in normal cases are firstamplified, then recorded using a mod-ern digital oscilloscope and sent via fastdata links to a personal computer forfurther evaluation. Using digital signalanalysis methods, the PC processes thesingle signal traces, finally yieldingsecret data.

Electromagnetic radiation itself consistsof two components, the electrical andmagnetic field vectors. In theory, bothcomponents can be measured individu-ally or in their interaction. Capacitivesensors mainly capture the electrical fieldcomponents, while antennas and coilsare able to acquire both electrical andmagnetic components, and hall sensorsand so-called “SQUIDS” (supercon-ducting quantum interference devices)mainly detect the pure magnetic fieldcomponents (see Figure 2).The simplest method for monitoringthe high-frequency emanations of amicrocontroller is the direct attachmentof the measurement device on any pinof the microcontroller. Using thisapproach, Kuhn showed, in 1999, thatthe emanations of a commonly usedunsecured microcontroller could bedetected with regard to an attack [10].Later, an IBM working group described[12] the usage of an antenna for con-tactless measurements, placing theantenna just above the surface of themicrocontroller being analyzed. Althoughit was clear that this assembly woulddetect the complete entity of emana-tions from the chip surface without localdefinition, the attacks carried out werefound to be more efficient in comparisonto conventional SPA/DPA analysis.

Figure 2: Microscopic SQUID for magnetic field determination


The option to identify and measurelocal sources of high frequency emis-sion on a chip surface was first reportedin public at the conference “CHES2001 - Cryptographic Hardware andEmbedded Systems” by Gandalfi,Mourtier and Olivier. A simple, but alsovery effective, sensor developed fromusing a cylindrical coil with a length of3mm and a diameter of 0.5mm andmade from ordinary copper wire, hadbeen used (see Figure 3). Through thissimple setup on conventional, non-secured Smart Card chips, successfulattacks could be carried out easilyenough [13]. The results clearly showthat different areas of the chip undertest will also provide different signalstrengths and data dependencies. Com-pared to the conventional methodologyof SPA and DPA, it is possible to analyzein detail the behavior of small chipareas, to measure the electromagneticemanations directly and to localize theplace of their origin.

SQUIDS (Superconducting QuantumInterference Devices) are in theory, alsosuitable for local measurements. As thesuperconducting ring structure of asquid is usually cooled with liquid helium,several severe problems may occur inthe realization of an experimental setupfor analyzing a Smart Card chip. Butusing a special thermal isolation, thesedifficulties can be solved, as demon-strated in commercially available SQUIDmicroscopes like the Neocera C-10.These devices are able to determine acurrent of only 10 nanoamperes from adistance of 0.1mm, and are already usedtoday in the failure analysis of modernsemiconductors.

Infineon Technologies, after extensivetests applying different receiver systems,uses proprietary sensors showingextremely low sensitivity to externalelectromagnetic noise (“electromagnet-ic smog”) and high sensitivity to localelectromagnetic emanations from thechip surface. Analyzing Smart Cardchips, Infineon looks at different areasof interest with excellent spatial resolu-tion, and performs tailor-madeSEMA/DEMA attacks. Testing somecommercially available Smart Cardcontrollers, it was noted that for theefficient analysis of an unknown chiplayout, a “scanning process” can be veryhelpful, moving the sensor over thechip surface in defined steps to yield an“emanation map” of the chip - and tofind the source of the highest strengthof interesting signals.Whereas the acquisition of the measure-ments may be performed in differentways, it soon became clear that theconventional methods of signal analysisand mathematics associated with SPA andDPA could be adapted. The low signalintensity demands sophisticated amplifi-cation techniques, without acquiringtoo much noise from background andartifact effects - but these requirementscould be fully met by modifying con-ventional SPA/DPA measurement equip-ment.

HardwareCountermeasures

When defending against SPA and DPA,the different and (more or less) effec-tive countermeasures can be found by

utilizing literature, patents and practicalexamples. In contrast to this large selec-tion of material, only a few publiclyavailable articles describe countermea-sures against an EMA analysis of SmartCard microchips. A complete shieldingof Smart Card controllers, known fromdevices used in electronic data process-ing, is possible, but an attacker couldsimply remove the shield prior toanalysis, making this countermeasureworthless.With these presumptions in mind,SEMA/DEMA countermeasures haveto reach much further than the com-monly known SPA/DPA defense sys-tems, due to the fact that EMA/DEMAattacks provide information about smallchip areas, whereas the SPA/DPAmeasurement only yields data concern-ing the supply current of the completechip.

42

Figure 3: Coil forthe measurement ofelectromagneticemanations (lengthapprox. 3 mm)

Evaluation of a DEMAmeasurement performedat Infineon using a testobject without counter-measures. The big peakat the lower left sideshows the right keyhypothesis.

Sensor Technology Component detected Advantages Disadvantages

SQUID Magnetic Also suitable Cooling necessary.for static Magneticmagnetic fields. shieldingGood resolution necessary

Inductive Sensor Electrical & Magnetic Good resolution Limitation at high frequencies

Antenna Electrical & Magnetic Suitable for Sparse resolutionvery highfrequencies

Capacitive Coupling Electrical Suitable for very Sensitive tohigh frequencies external influences

Overview of different SEMA/DEMA sensor technologies

As electromagnetic analysis has been asignificant part of the development andsecurity evaluation of the InfineonSmart Card controllers, effective coun-termeasures could be developed, notonly covering the new SEMA/DEMAattacks, but also the conventional SPAand DPA methods.These countermeasures are integratedin the new Smart Card controller prod-ucts, which are constantly being testedusing modern, sophisticated equipment(also developed by InfineonTechnologies). The main bases are inte-gral security strategies in core designsthat cannot be fulfilled by using stan-dard CPU cores. These countermea-sures are not only used in the CPU of aSmart Card chip, but also in cryptocoprocessors. The efficiency of thesecountermeasures is strictly monitored

during the internal evaluation andexternal certification of the products.As an example, measurements using avery sensitive DEMA setup showed atdirect localization above the DEScoprocessor of an Infineon chip, thatvery efficient protection against EMA/DEMA could be achieved.

Software Countermeasures

Using software countermeasures, adeveloper may strengthen the resistanceagainst direct power analysis and elec-tromagnetic attacks. One target is to

43


increase the share of randomly generat-ed information by “randomization”;pushing useful information for theattacker into the background. Anotherfocus of software countermeasures isthe protection against data dependen-cies. These dependencies could indicatedifferences in the processing of selecteddata blocks, if combined attack meth-ods including timing analysis andpower analysis are utilized.The use of software countermeasureson their own may not serve as a suffi-cient protection from SPA/DPA andSEMA/DEMA, as long as they are notrun on a secured hardware platform.But in close cooperation with appro-priate hardware countermeasures, thecombined strength of both defensewalls can be effectively used. Therefore,special design guidelines and a propri-etary architecture deploying integralsecurity, are the fundamentals of bothtoday’s and tomorrow’s secure systems.

Evaluation andDevelopment of theSEMA/DEMAMethodologyat InfineonTechnologies

By both driving and monitoring theevolution of SPA and DPA as a standardanalysis process, it became clear severalyears ago, that the conventional poweranalysis attacks could soon be shiftedinto the sector of electromagnetic ema-nation analysis - as soon as the mainattack scenarios using SPA/DPA couldbe commonly blocked by countermea-sures. The development of new prod-ucts is targeted not only at today’srequirements from customers, evalua-tion and certification bodies, but also attomorrow’s requirements, derived fromnew attack technologies. Infineon'sown internal evaluation facilities andtest platforms are constantly beingimproved, helping to identify newattack scenarios. Infineon utilizes thenewest insights and devices of digitalsignal processing, and any correspon-ding software is constructed by cryptol-ogists, mathematicians and test engi-neers working in close cooperation.

Literature[1] K. D. Murray, “The great seal bugstory”, Murray Associates, Oldwick, USA2002.

[2] NSA, “Replica of the great seal bug”,National Cryptographic Museum,Baltimore.

[3] P.Wright, “Spycatcher - The CandidAutobiography of a Senior IntelligenceOfficer”,William Heinemann, Autralia1987.

[4] S. Budiansky, “Losing the Code War”,The Atlantic Monthly 1, 2002, 33-35.

[5] P. Kocher, J. Jaffe, B. Jun,“Introduction to Differential Power Analysisand Related Attacks”, CryptographicResearch, Inc., San Francisco 1998.

[6] R. Mayer-Sommer, “SmartlyAnalyzing the Simplicity and the Powerof Simple Power Analysis on Smartcards”,in C. K. Koc,“Proceedings CHES 2000,Workshop on Cryptographic Hardware andEmbedded Systems, 17.08.-18.08.2000”,Worchester, USA 2000.

[7] P. Kocher, J. Jaffe, B. Jun,“Differential Power Analysis”, “ProceedingsAdvances in Cryptology - CRYPTO99”,Springer Verlag 1999, 388-297.

[8] J.-S. Coron, P. Kocher, D. Naccache,“Statistics and Secret Leakage”, EcoleNormale Superieure, Paris; CryptographyResearch Inc., San Francisco; Gemplus CardInternational, Issy-les-Moulineaux, 2000.

[9] J. Svigals, “Smartcards - A SecurityAssessment ”, Computer and Security,Elsevier Science 13, 1994, 107-114; s.a. H.J. Highland, “Electromagnetic RadiationRevisited”, Computers and Security 5,1986, 85-93.

[10] Markus G. Kuhn, in Anto Veldre,“Markus Kuhn Annab Teada”, Newsgroup“ee.arvutid.turvalisus”, 23.11.1999.

[11] J.-J. Quisquater, D. Samyde,“A new tool for non-intrusive analysisof Smart Cards based on electro-magneticemissions, the SEMA and DEMA methods”,Presentation Eurocrypt 2000.

[12] J. R. Rao, P. Rohatgi, “EM-PoweringSide Channel Attacks”, 11.05.2001.

[13] K. Gandalfi, C. Mourtel, F. Olivier,“Electromagnetic Analysis: ConcreteResults”, in C. K. Koc, D. Naccache, C. Paar(Eds.) “Proceedings CHES 2001,Workshopon Cryptographic Hardware and EmbeddedSystems, 14.06.-16.06.2001”, Paris 2000.

Further ReadingP. Laackmann, “Mit Sicherheit guteKarten - Transparente Kryptographie:Neue Herausforderungen für Chipkarten-Entwickler”, Elektronik 23, 2000, 78-80.

M. Janke, P. Laackmann,“Power und Timing Analysis Angriffegegen Chipkarten-Mikrocontroller”,Card-Forum 7/8, 2001, 32-36.

P. Laackmann, M. Janke, “Power andTiming Analysis Attacks against SecurityControllers”, Secure 5, 2002, 40-44.

M. Janke, P. Laackmann,“Angriffe auf geheime Kartendaten”,Sicherheitsmarkt 1, 2002, 13.

DEMA measurement ofan Infineon Smart Cardcontroller with hardwarecountermeasures.The right key could notbe identified.

Technology UpdateDongles

The CarlinMotorsportChallenge“Before implementing eToken, weclearly lacked security for our vital racecar data. Not wanting to provide allsystem users with the ability to down-load or manipulate cornering forcesdata or suspension movement on par-ticular cars, we have some eTokens thatallow only viewing, while others allowfull administrator rights. It’s simple. Toaccess that information, you must havethe proper credentials.”Dave BettanyNetwork Administrator and Design EngineerCarlin Motorsport (UK)

With several competing teams workingin close quarters around British Formula3racetracks, Carlin Motorsport decidedthey needed to keep their racing statis-tics and performance data completelyinaccessible to anyone except author-ized team members. Since it is oftenonly milliseconds that make the differ-ence between 1st and 2nd place in aFormula 3 race, vital vehicle data used

to measure strengths and weaknesses arekept close at hand in the preparationarea.These computers contain the entire“fingerprint” of a driver, revealing hisdriving style and even his slightestinconsistencies. Put in the wrong hands,this information can give a competitorthe edge he needs. But because driversand their teams are not IT experts, theauthentication process had to be simpleand easy to use, as well as inexpensiveand durable enough to handle the strainsof a racetrack environment.

Aladdin’s SolutioneToken provides Carlin Motorsport withcomplete MS GINA replacement. (GINAis the graphical user interface presentedby Windows when a person starts or lockstheir workstation.) Instead of asking fora simple password, Aladdin’s eToken andeToken PIN are required to accessany information on the computer. Themoment an eToken is removed from thecomputer’s USB port, users must loginagain, creating two-factor authentication– even for the demanding pit areas of aracetrack. Race team members provide

something they have (their eToken) as wellas something they know (their eTokenPIN). Carlin teammates continuallylogon and off using their eTokens,providing each with their own set ofcapabilities. Some team members candownload data, while others are givendifferent colored eTokens that only allowdata to be viewed, further enhancingsecurity. Any prying eyes now face anextremely high security barrier protect-ing the vital storage and use of driverdata. Global Secure Systems (GSS) – aUK distributor for Aladdin KnowledgeSystems – supplied, installed and main-tains eToken for Carlin Motorsport.

eToken Benefits Using USB-Based Authentication hasprovided the following benefits for CarlinMotorsport :• Portability – Drivers and other

team members can easily carry theeTokens from track to track

• Simplicity – Numerous passwordsare a thing of the past; one eTokenand one password secure the data

• Flexibility – Multiple teammatesuse separate eTokens with differentlevels of access to protected data

• Affordability – As a small team,Carlin can implementtwo-factor authentication fora low, per-token charge

• Security – Competitors have noway of accessing the data on thecomputers without an eToken

• Peace of Mind – Carlin’s networkadministrator can devote more timeto driving performance, not security

44

Aladdinmoves into

theFastLane

Aladdin’s eToken protectssensitive Formula Threerace car data with USB-basedtwo-factor authentication

About eTokeneToken, a USB device about the sizeof a normal house key, is the ultimatedevice for securing networks ande-Business platforms. It offers a fullyportable and cost-effective means toauthenticate users and to digitallysign sensitive business transactions.Utilizing state of the art technology,eToken offers advanced Smart Cardfunctionality with a robust onboardcryptographic processor such as1024-bit RSA, 3xDES and SHA1algorithms.

For information visit:www.ealaddin.com

By Dr. Frank Gillert, Director Business DevelopmentInfineon Technologies AG

47

Technology UpdateRFID

The development of powerful one-wayantennas and inexpensive chips withouttheir own power supply, (supplied withpower via the read antenna passive sys-tems), led in the mid-nineties, to thetechnology making inroads into otherapplication areas in which an intelligentadhesive tag (smart label) can take overthe tasks of the barcode or OCR(Optical Character Recognition) scriptand delivers additional benefits into thebargain (see Figure 1).

Essentially, the advantages of RFIDtechnology lie in the invisible individu-alization of objects of every kind, andeven of people. Ski pass solutions are afamiliar example of the latter type ofapplication.

Unlike the barcode, where only oneobject at a time can be scanned, smartlabels featuring RFID technologyenable multiple objects or goods to beidentified simultaneously. It does noteven matter where the smart label isattached to the object. An alignment orseparation operation, as is necessarywith barcodes, is not required.

ApplicationExamplesIntelligent Library

A key requirement in public and scien-tific libraries is the management of thebook stocks and the identification ofmedia and their assignment to a lender.In order to ensure customer servicelevels, the libraries are naturally anxiousto minimize the costs incurred inmeeting these key requirements. Whyshould the users not be able to borrowthe media they select independently?

The first German libraries wereequipped with RFID technology (based

“Radio Frequency Identification”, or RFID for short, is one of the most innovative and forward-looking technologies in the object and person oriented recognition systems sector.The chip sys-tems, which are also known as transponders, have been in use for several years already. For exam-ple, practically every car owner is also a user of RFID technology if the chip contained in the keycommunicates with the engine electronics via an antenna located in the dashboard and enablesthe ignition to be activated following authentication (the immobilizer).

on the Infineon concept) in the fall of2001.The system was developed in colla-boration with ekz.bibliotheksserviceGmbH in Reutlingen, the leadinglibrary service provider in Germany,Austria and Switzerland. Taking themunicipal library of Siegburg as anexample, all media is fitted with anRFID tag. All the relevant data for pro-cessing the library functions is storedon a chip integrated in the book. Oncea visitor to the library has made hischoice of books, CDs or videos, he canchoose from 2 options. Either to pro-ceed to the staffed check-out desk,where a librarian will pass the stackedmedia over a hidden read antennalocated on the underside of the desk andbook them to thevisitor’s account infractions of a sec-ond. Or he canperform the sameoperation himself.Two self-servicecheckout stationsare installed in thelibrary area for thispurpose.After iden-tifying himself atone of these withhis user pass, theborrower can quick-ly and easily checkout the stackedmedia. Delays at theissuing counter area distant memory.Assuming the checkout operation hasbeen properly completed, this status isactivated in the book’s chip. If thecheckout operation has not been carriedout correctly, whether knowingly orunknowingly, an alarm is triggered inthe exit gate (two large-surface antennas,similar to those from retail stores usedfor theft prevention).

This system configuration is made pos-sible by the dynamic usability of thechip. In contrast to current barcode sys-tems, where the originally stored infor-mation cannot be changed, the chipcan be updated any number of timeswith the current status information,e.g. “on loan”/ “not on loan”, by anauthorized station.

IntelligentDocumentManagement

In the same way, law firms are beingequipped with a similar RFID conceptto allow quick and easy location of casefiles. Each file is tagged with a smart

label. Readers installed at the doors toeach office scan the files as they arebrought into the room. Room and fileare automatically linked in a database,enabling the file to be located viasearch routines. Time-consumingsearches for files in very large legalpractices in particular, are a thing of thepast. The information on which mem-

Figure 1: Infineon’s my-d transponder inlay


ber of staff is currently processingwhich file is available at all times.In the previously illustrated applica-tions, the processes run in a closed loopand the label is reused. The benefit istransparent to the user and can be cal-culated by the frequency of use.The RFID tag in an open loop remainsattached to the object. At the end ofthe product lifecycle the RFID tag isalso discharged of its duties. In the pastthis fact was an obstacle to the wide-spread use of RFID technology in pro-duction and logistics applications foreconomic reasons - lack of benefittransparency of the individual stake-holders in a supply chain!

Chip sharingapproach optimizescost-effectiveness

Consequently, a longstanding requirementfor optimizing the cost-effectiveness ofRFID in the supply chain is the possi-bility of providing each stakeholderwith his individual (even if it is virtual)RFID tag.

While the development of the paper-thin passive transponder represented a

milestone in the introduction of RFIDin closed-loop systems, the developmentof the Infineon my-d product familymarks a breakthrough for open-loopsystems also. Based on a 2kbit or 10kbitmemory (a 10kbit memory stores thecontents of approx. one formatted DINA 4 page), individual segments can bedefined, similar to a logical drive on thehard disk or different file structures ina network. Introducing defined access

rights can generate a clear assignmentof the benefits for each individual user.Whether product manufacturer, logisticsservice provider or retailer, each stake-holder can use his part independentlyand without risk of access by others.

Chip sharing in thecontainer pool

At this year’s Interpack in Düsseldorf,NEFAB Deutschland GmbH, a packag-ing company based in Hückelhoven,and the Logistics Faculty of theUniversity of Dortmund presented thechip-sharing concept for a containerpool for the first time. As a manufactur-er of reusable shipping containers and apool operator, NEFAB defined the nec-essary data structures as part of theconcept engineering process.In addition to the general data, whichis stored in a “public all” segment andincludes, for example the physical con-tainer data, data areas covering theneeds of the individual stakeholders arereserved for the provider (e.g. NEFAB),the customer (e.g. supplier of automo-bile accessories or spare parts) and theuser (e.g. automobile manufacturer).The provider is therefore able to handlehis pool management (see Figure 2).The lifecycle of the individual containercan be documented by updating data

48

Figure 2: Data structures for chipsharing in the container pool

The chip-sharing approach enables the following:

“The cost-effective use of innovative RFID products calls for an in-depth understandingof the relevant processes. As long as the logistic processes and systems have to be adaptedto the technical capabilities of RFID, success will elude us. The only way is an openapproach that permits existing processes to be mirrored. The logistics within the supplychain requires the interaction of different business processes of individual companies.

The sharing and economic use of information taking into account the individuality of thedifferent partners creates the economic basis for a long-term business process. Theseapproaches follow the already successfully applied information management premise ”asmuch information as possible, as little as necessary“. The chip segmentation route (chipsharing approach) must therefore be regarded as the key concept in the AutoID(Automatic Identification) technologies sector in order to integrate compatible low-costderivatives or existing AutoID solutions (barcode).”

Prof. Dr.-Ing. Rolf Jansen, Dean of the Logistics Faculty, University of DortmundDirector of the Institute for Distribution and Retail Logistics (IDH), Dortmund

Today, RFID already offers rationalization and process improvement benefits in many applications, e.g. fast and accuratedata capture for multiple objects simultaneously without line-of-sight contact. Moreover, the technical preconditions forthe chip-sharing approach are already established. The chip-sharing security functions take account of the increasedsecurity requirements of our modern world, and secure partitioning of the data memory can lead to further economicoptimization potential being opened up through transparent benefits, as well as transparent costs (cost per bit!).

Summary

49


e.g. wash cycles and maintenance data.Bilateral areas (e.g. provider-customer)are also provided to ensure data ex-change at the specific logistical inter-faces (see Figure 3).

Technical require-ments for the chip-sharing approach

Based on the RFID technology stan-dardized in ISO 15693, security func-tions have now been added. A standard-ized read-write station must therefore beupgraded with these security functions.

State-of-the-art cryptography and secu-rity technology is used to protectmemory areas on the RFID chip by meansof hardware security features. Infineonoffers suitable crypto RFID chips.Knowledge of secret keys is necessaryin order to gain access to a protectedpartition. The corresponding area canbe “unlocked” using such a key. Theprocess could be compared with asecure login to a computer.Once opened, the memory area con-cerned can be processed. In addition,the transactions performed after thearea has been opened are still protectedcryptographically, in order to ensurethat the same user is still working withthe data after the partition has beenopened.The secret keys are now combinedwith access rights so that different usergroups can be set up. Two secret keysare provided per partition.This conceptpermits a so-called “key hierarchy”with higher- and lower-value keys.

In practice, the producer of an item ofmerchandise, for example, has read andwrite access to the data area assigned to

him, and he can allow the logisticscompany read-only access to certaindata in his area. The hardware of themy-d chip then ensures that the logis-tics company cannot change any data inthe producer’s area. The producer hasthe higher-value key that permits read-ing and writing, while the logisticscompany has the other key that onlypermits reading.In general, this key hierarchy allowseach chip-sharing stakeholder to set up

private data partitions, to which onlyhis read-write devices have access, butshared data areas can also be created toguarantee secure data exchangebetween the chip-sharing stakeholders.

Keys are similar to passwords. Bothmust be kept secret, because they allowaccess to the data.The difference is thata password is entered directly. Anyone

looking on or tapping a line could login. When the memory areas of the my-d chip are opened, a dynamic authenti-cation feature ensures that the datatransferred via the air interface is notidentical when the same keys are used.The read-write station can also verifythe authenticity of the transponder.This is an add-on function that pro-vides security mainly for brandedgoods, customs documents or tokens. Ifa transponder chip is sewn into a

branded article of clothing, for exam-ple, the latter can be positively verifiedas genuine by checking the chip.

The keys must also be securely protect-ed in the read-write devices. Ideallythey are stored in SAMs (SecureApplication Modules).These are securi-ty controllers that protect electronickeys against attacks, as if in a safe.

Figure 3: The technical requirements for secure chipsharing are in place

A survey by Dr. Brigitte Wirtz, Senior Director Development Security ICs,Infineon Technologies AG

51

Technology UpdateBiometrics

Introducing standards to a developing in-dustry can bring widespread benefits.As well as highlighting an increasingindustry maturity, standards can alsoencourage the widespread use of a tech-nology by facilitating integration, re-ducing time-to-market and reducing risk.

For a long time, the development of aunified Biometric Application Pro-gramming Interface and the respectivebiometric template formats has beenacknowledged as a major prerequisitefor the widespread adoption of biometrictechnology. So, 2 years after the firstrelease of BioAPI and CBEFF, aren’t wethere yet? What is being done throughthose ongoing standardization effortsaround biometrics, which seem to beeven more numerous than 2 years ago?Do we really need even more standards?Reviewing the status of the major currentstandardization efforts reveals that it is notabout new standards, but that a naturalshift has taken place from standarddevelopment to their acceleration intoproducts and solutions, as well as theirinter-operability between application do-mains. The work on biometric standardsis not yet complete. But it has changedfrom a technology-oriented to an appli-cation and security integrated approach.

This survey gives a (non-complete!)overview on major biometric standard-ization initiatives with an interoperability,focusing on the recent advances andachievements in those initiatives. For amore detailed technical overview ofsome of them, also refer to the surveyon biometric standardization in the Btt7/00 by the same author.

The usage of biometric solutions over the last few years hasclearly shifted to a solution and application-oriented approach.The unfortunate events of September 11th have resulted in aworld wide change of biometric focus to large scale govern-ment, ID and travel applications. The apparent urge to alsosecure national security by biometric methods has imposed apressure on standardization, with a change from a strong focuson Internet security to also incorporate the requests of securetravel, ID documents and government applications.

Biometric ApplicationProgrammingInterfaces(Biometric APIs)

Generally speaking, a Biometric APIseparates individual biometric techno-logies from applications, allowing therespective technologies to be used acrossmultiple applications, as well as thesimple integration of that technologyinto existing applications.

Together with standardized biometricdata formats (see next paragraphs) thebiometric API is the basis for ‘plug &play’ integration of biometrics into appli-cations and security concepts, especiallyin the Internet world. Plug and play isessential for widespread adoption byintegrators, as they should not needspecialist knowledge in order to inte-grate biometrics into their applica-tions. Integrators should also be able toeasily replace different sensors or soft-ware versions (from varying suppliers),or combine a number of biometrics ina standardized form.

BioAPI

From a number of competing biomet-ric API proposals including SVAPI(Speaker Verification API), BAPI (I/OSoftware Biometric API), CAPI (IBMAdvanced Identification API), BAAPI(a commercial biometric API) and HA-API (User Authentication API), theplatform-neutral BioAPI evolved as theunified biometric API standard for theintroduction of biometrics into stand-

alone or client-server applications. TheBioAPI interface addresses both theneeds for either very high-levelabstract, or for very sophisticated inter-acting integration of biometrics intothe end-user application.

BioAPI provides a high-level genericbiometric authentication model, suitedfor any form of biometric technology.It covers the basic functions of enroll-ment, verification and identificationand includes a database interface toallow a biometric service provider(BSP) to efficiently manage popu-lations of identities.With these conven-ience functions, application program-mers get an interface that allows themto concentrate on their application,instead of the internals of biometrics.On the other hand BioAPI also pro-vides primitive functions which allowfor more flexible system arrangements– for example, by enabling the captureof samples on a client, while enroll-ment, verification and identificationtake place on a server.

In the history of biometric standardi-zation, the BioAPI has been an unpar-alleled industry effort for the open andinter-operable standardization of thebiometric API, targeting inter-operabilityto all relevant standardization initiativeslike CBEFF, ANSI X9 and ISO SmartCard standardization. The BioAPI con-sortium (Btt June ’00, p1) released theupdated BioAPI V1.1 including itsWindows platform reference imple-mentation at the end of March 2001.The specification was released as ANSI/NCITS standard in February 2002. Inkeeping with platform independence,the consortium is currently working onUnix and Linux reference implementa-tions. For a brief overview on the his-tory and status of BioAPI see Table 1.

The support for the standard is unparal-leled, with more than 90 member com-panies and organizations being involved.The American DoD requires BioAPIcompliance as a pre-requisite for theconsideration of biometric solutions,and thus gives a strong push for inter-operability and the use of BioAPI.


Java CardBiometric APIHistorically the BioAPI as well as theCBEFF (see next chapter) originatedfrom a strong focus of integratingbiometrics into client-server scenarios;to introduce biometric identificationinto Internet applications. It is morerecently, that the view is shifting to asolution and application oriented view,where biometrics is just a small portionof the overall solution, and more diversesystem configurations are considered.Thus security, and especially data pro-tection demands, gain more awareness.Those requirements almost lead naturallyto applications, where the biometric datais at least stored, and even dealt with, inthe secure environment of a SmartCard or a token and integrated into anoverall client-server scenario, and areconsequently one reason for the ongo-ing request for further standardizationin the field – as well as in the field ofdata interoperability (see next chapter)and in the field of the API as well.

Whereas the ISO/IEC SC17 has chosento use and adapt existing card com-mands for the biometric case (see nextchapter), the Java Card Forum’sBiometric Taskforce has decided todefine a more generic Biometric API inorder to enable the open platform and

interoperable integration of biometricsinto Smart Cards, in close co-operationwith the respective Biometric Consor-tium Working Groups. The primarygoal of the working group is todescribe the rationale and architectureof a Java Card biometric API to prima-rily facilitate on-card applets to makeuse of the card-resident Match onCard. The API builds on existing JavaCard API designs for security and max-imal functionality.

While the original members are theclassical Smart Card manufacturers(Schlumberger, Oberthur, Hitachi andGemPlus), its target is to define a bio-metric card API, that uses Java Card andits security mechanisms for storage ofall sensitive information on the card,enables efficient matching on card, allowsfor multiple templates and biometrics,and enables different applet implemen-tation scenarios from standalone toserver&client applets. The promotionand integration into the existing bio-metric standards CBEFF and BioAPI,ensure the transparent integration of thecard or token platform into a networkedworld, and thus enables seamless imple-mentation of biometric solutions over aset of distinctive computing platforms.A common White Paper on the Java-Card Biometric API jointly written by

the Biometric Consortium Interopera-bility, Assurance, and PerformanceWorking Group and the Java CardForum’s Biometric Taskforce is currentlyunder review and supposed to be sub-mitted as an official working groupdocument thereafter in September 2002timeframe.

TemplateStandardization –The Interoperabilityof Biometric DataThe interoperability of biometric datais probably the most important issue thatbiometric standardization faces. Datacollection is an expensive task, and thesame enrollment data could be used bydifferent biometric identification pro-ducts.Thus a possible restricted reuse ofexisting data is desirable (given theappropriate data and privacy protectionmeasures, see later in this survey).Biometric data sharing between differ-ent system components in a compoundsystem with biometrics – for examplethe seamless integration of biometricsinto Smart Card integrated applications– at first requires interoperability of data.

Interoperability can be achieved in 2ways; one being the dedicated standard-ization of the biometric template data,and the other being the standardizationof the representation form of the dataonly. While the first alternative is anapproach which has been undertakenfor some dedicated applications, likethe use of minutiae-based fingerprintdata for AFIS identification or driver’slicenses, the second approach is tech-nology neutral, and thus does not restrictitself to specific representatives of somebiometric technologies. See Table 2 foran overview on some of the data stand-ards with relevance to biometrics. In thissurvey the focus is on the technology neu-tral biometric template standardization.

There is not yet a single industry-widebiometric data standard, and some ofthe recently ongoing standardization workhere again stems from the desire tointegrate biometric person identificationinto broader system scenarios, such asmaking the Smart Card available as asecure biometric data storage and com-

52

Table 1: Brief History and Status of the BioAPI

April 1998: Founded by Compaq, original promoters Compaq, IBM,Identicator, Microsoft, Miros, Novell

December 1998: Merger of BAPI and Bio-API

March 1999: Merger of HA-API and Bio-API Membership continues to grow (currently over 90)

30 March 2000: Ver 1.0 of specification released

September 2000: Reference implementation completed

March 2001: Specification and Reference implementationVer 1.1 released

February 2002: Accepted as ANSI/INCITS 358-2002

INCITS M1 committee letter ballot resolution to send BioAPIthrough ISO fast track process once ANSI publishes

Products being announced

Ongoing projects: Conformance Test Suite, Platform portations

53


puting device, as well as using biometricsin the context of traditional Internetcommunication schemes.Three major efforts targeting the bina-ry description of biometric data mostlyfor traditional computing platforms,which do achieve interoperabilitybetween the respective biometric datadescriptions - the Common BiometricExchange File Format (CBEFF); theBioAPI biometric data format (BIR);and the ANSI X9.84 BiometricsManagement and Security For TheFinancial Services Industry data format- are already available.

The BioAPI BIRThe BioAPI biometric data format isdesigned as a fixed format biometricidentification record and is known as theBIR (Biometric Identification Record).It consists of a header, the opaque bio-metric data and an optional signature.The 16 byte header holds informationsuch as the length of the completeBIR; the header version number; thetype of data; the format ID of the

opaque data format (which can eitherbe proprietary or in an open format);the quality and purpose of the data; thebiometric factors (finger, face, voice,etc.); and the specifications of anoptional signature.

CBEFFThe Common Biometric ExchangeFile Format was predominantly definedby a subgroup of BioAPI consortiummembers (originally Identicator, InfineonTechnologies, NIST/ITL, NSA, Saflinkand Veridicom). Recently the CBEFFspecification has been undertaken as ajoint effort by the industry, user organi-zations and the Biometric Consortium,in co-ordination with the BioAPI con-sortium, ANSI X9F4 Financial servicesWorking group, the IBIA and the inter-faces group of the German TeleTrusT.Chaired by NIST/ITL the subgroupgenerated a ‘technology-blind’ standardfile format to facilitate the exchangeand interoperability of biometric data.Because it is a data description format,it does not standardize the underlying

biometric data sets – therefore it is nota barrier to competition between theproviders.The data structure within the CBEFFspecification was designed to handle awide variety of application systems, fromsophisticated systems with complex bio-metric procedures (that might require acomplex structure, as well as compli-ance with an internationally accepteddata encoding scheme), to systems thathave limited storage media and requirea data structure with minimum over-head. Template description formats inCBEFF, so-called Patron formats, alwaysdescribe the specific encoding of thedata elements, additional (non-common)data elements, as well as possiblyoptional fields.This concept is more general than theoriginal BioAPI BIR definition, and infact the CBEFF serves as the biometrictemplate definition for BioAPI. In asimilar manner to BioAPI’s BIR, theCBEFF data format comprises a headerfollowed by an opaque data format.Currently two biometric formats are

Organization Standard Status

ANSI/NIST Data Format for the Interchange of Fingerprint Information ANSI/NIST-CSL 1-1993

FBI WSQ Standard for fingerprint image compression/decompression CJIS/FBI IAFIS-IC-0110

FBI Electronic Fingerprint Transmission Specification http://www.biometrics.org/REPORTS/FBIfp.html

FBI “Appendix F & G CJIS-RS-0010Fingerprint image quality specification (IQS) Written for scanning of inked prints on paper”

ISO Information Technology - Digital compression and coding of ISO 10918-1:1994continuous tone still images: Requirements and Guidelines

ANSI/NIST “Data Format for the Exchange of Fingerprint, Facial, and SMT Information ANSI/NIST-CSL-1a-1997 AmendmentSMT = Scars, Marks, and Tattoos”

ANSI Mugshot standards ANSI B10.8 Digital ImagingDocument 98008

AAMVA “AAMVA National Standard for the Drivers License/Identification Card AAMVA DL/ID –2000Annex C – Finger Imaging, Includes Minutiae Record FormatAnnex F – Image Compression, Facial photo, Signature”

ANSI B10.8 “Drivers License/Identification Cards “Draft standard (dpANS NCITS 327-1999)Includes annexes for Finger Imaging, image compression, – Generally consistent withPhoto/Signature, File exchange formats, Capture conditions” AAMVA specs”

INCITS B10 INCITS 327 Draft based on AAMVA DL/ID 2000

NIST Data format for finger/facial/SMT ANSI/NIST-ITL-1-2000

Table 2: A Selection of Data Standards with Relevance to Biometrics


defined as so-called Patron formats inthe CBEFF. One of these is a ‘simple’BioAPI like format, which uses fixedlength fields, one or two bytes in length(all BioAPI compliant products). Theother is the ASN.1 (Abstract SyntaxNotation One) Patron, which is thedefinition of a biometric data set in thestandardized description language,which is also used by the X9.84.Both equivalent encodings are given inthe CBEFF document, which wasreleased as a NIST/ITL standard inNovember 1999.

The recent urge for application inte-gration with respect to biometric datainteroperability has driven the currentdefinition of two new Patron specifi-cations: a Smart Card format using theTLV encoding present in the SmartCard world, as well as a XCBF patron,describing a non-binary patron formatto be used in the XML context.

XCBF – XMLPatron to theCBEFFSince Spring 2002, OASIS, ISO/IECand the Biometric Consortium havebeen cooperating to define XCBF, thebiometric XML schema for exchange ofbiometric data in Electronic Business.The XCBF is targeting an XML repre-sentation for biometric data as the stand-ard interface to biometric data andfunctions in XML systems and applica-tions (the standard language of theInternet), to overcome the shortfalls ofthe existing binary CBEFF specificationsin those applications. Interoperability toexisting data formats and securitystandards, is a strong focus and guaran-teed by the implementation of XCBFas a CBEFF Patron, the adherence tothe X9.84 system security require-ments, and the co-ordination with theINCITS M1 Biometrics TC.

The current schedule for the XCBFdefinition is to have a draft version of aworking module by November 2002;the draft version of example binaryencodings of XML values by March2003; the draft final versions of allremaining deliverables by May 2003; thefinal versions of any new CBEFF for-

mats by July 2003, and the final versionsof all deliverables by November 2003.

X9.84The X9.84 (Biometric Information Mana-gement in Financial Services) definitionfor biometric data uses ASN.1 encodingrules. These rules are popular in theSmart Card sector and in securityinformation processing standards suchas X.509, SET and Microsoft ActiveDirectory. The advantage of ASN.1encoding of data formats, lies in itsplatform independence and flexibilitywith respect to the size of individualdata fields. It is also flexible whenintroducing new data fields.Being one available CBEFF patron, theX9.84 biometric data format is naturallyCBEFF and BioAPI compliant. Further-more, biometric data is stored in thesame format as X.509 version 3 certi-ficate extensions, and as such, compliantto the Internet Engineering TaskForce’s (IETF) PKIX-standards (PublicKey Infrastructure for X.509) for theintegration of biometric and crypto-graphic keys in certificates.

ISO/IEC 7816-11 In the international IT standardizationof ISO and IEC, new areas have usuallybeen established without major contro-versial discussions. For biometrics thishas been surprisingly different. Sub-committee 17 (SC17) of ISO/IECJoint Committee 1 (JTC1), which isresponsible for the international stan-dardization of personal identificationand cards issues, have been developingstandards with biometric related partsfor three years. Subcommittee 27 (SC27)also feels responsible for a major part ofbiometrics standardization, in particularthose related to security techniquesissues. The USA felt in October 2001(quite soon after the tragic events ofthe 11th September) that the biometricstandardization for identification docu-ments and cards should be given itsown Working Group (WG) withinSC17, concentrating on the biometricissues within SC17. The USA appliedfor such a WG at SC17's Plenary inOctober 2001 and SC17 unanimouslyagreed to the USA's proposal and

established the Working Group WG11.

By the end of 2001 the USA changedtheir position, dropped their initiativefor WG11 and established a new Sub-committee within JTC1. Its ballotbecame successful in early June 2002,with 11 approvals and 9 disapprovals.The inaugural meeting of SC37 willprobably be held in December 2002and its tasks are planned not to be inconflict with standardization issues ofother subcommittees, in particular thoseof SC17 and SC27. Where identifi-cation documents and cards are notinvolved, nor security techniques, SC37will concentrate on issues related toapplication program interfaces, fileformats, biometric template standardi-zation and application/implementationprofiles. The new biometrics WorkingGroup WG11 of SC17 (Secretariat andConvener provided by Germany) juststarted their activities at the end ofJune 2002. Its first standards develop-ments are concentrated on logical datastructures with relevance to biometricsfeatures for identification documents.This task is well observed and supportedby several governments and by ICAO.Significant progress has been achievedsince the last survey on the Work Item“Personal verification through biomet-ric methods”. The Final CommitteeDraft of ISO/IEC 7816-11 is currentlyunder vote, and defines commands(thus the “biometric card API”) anddata elements for biometric user verifi-cation on a Smart Card.The rationale isto use the existing Smart Card struc-tures and upgrade the given SmartCard commands for the introduction ofbiometrics as a personal identificationmethod. The biometric data structuresare currently being aligned with theCBEFF and X9.84, targeting a CBEFFpatron in the future. However, theinteroperability or compliance to theICAO logical data format would be atopic that still has to be included in thisfield, and will certainly be targeted bythe WG11. A further New Work ItemProposal has just been balloted fromthe German DIN to ISO, which isrelated to the matching of biometricdata on Chip Cards.

54

55


Biometric standardization will conse-quently be undertaken in various sub-committees with different focuses ontheir topics. A close cooperation seemsto be the best recipe for constructiveand fast moving biometric related stan-dards, which should attract sufficientattention by the industries involved andhopefully generate a mass market.

Operating System,Security and Appli-cation IntegrationThe integration of a biometric APIinto the target platform’s operating sys-tem is a necessary and inevitable stepfor the security integration and ubiquityof biometric systems. The security ofthe biometric data, if stored on the plat-form’s file system, as well as the securitymechanisms between the different bio-metric functions and modules cannotbe viewed independently from thesecurity policies and facilities of thehost operating system. Biometrics mustbe integrated into the complete soft-ware stack of the respective platformAPI to achieve integrated security. Abiometric API only offers a uniqueinterface to the application. The bio-metric system integration – from BIOSintegration up to data protection andintegrity checking within the operatingsystem constraints, is crucial for theoverall security concepts, and shouldneither be left to the application nor toa proprietary implementation withinthe Biometric Service Provider (BSP).Furthermore, there do exist severalapproved security tools on the market –security should not be implementedwithin each biometric API for example,but rather the biometric API shouldinterface securely with accredited secu-rity mechanisms. It would for examplemake sense, that a BSP can interface toexisting cryptography tool-sets like CAPI,PKCS, GSSAPI, rather than each im-plementing cryptography on its own.BioAPI was designed to interface withexisting security protocols, rather thanto implement the security inside the BSP.The X9.84 standard is an excellentexample for giving a normative recom-mendation for the secure integration ofbiometrics into end-user applications.

CDSA – IntegratingBiometricsinto a SecurityArchitectureThe Open Group CDSA (CommonData Security Architecture) is a standardthat implements user authenticationwithin a security framework via alayered approach that bridges fromspecial so-called Security Add-In Mo-dules via a Common Security ServicesManager to the System SecurityServices, that is finally linked to theapplications. In CDSA, user authen-tication is handled via the UAS (UserAuthentication Services). Thus biomet-rics can be integrated into an overallsecurity architecture in a consistent andsecure manner - a BSP just plugs intothe UAS the same way that classicaluser authentication mechanisms do.

Operating SystemIntegration of theBiometric APIThe BioAPI specification has purposelybeen developed as platform independent,although the first reference implementationwas targeted at Windows platforms. Andso, the BioAPI consortium is currentlyworking on reference implementations inUnix and Linux to make the BioAPIavailable on those platforms as well.Whereasthe reference implementations enable theusability of the BioAPI on the respectiveplatforms, the subsequent important stepis the integration of the operating systeminto the operating system’s securityarchitecture.The announcement by Microsoft in May2000 to foster the widespread growth ofbiometrics through the integration of bio-metric technology in future versions ofthe Microsoft Windows operating systemin general, was definitely a promising signfor the push of biometric technology.Microsoft is currently integrating bio-metrics into their operating system, basedon licensing the commercial and notBioAPI compliant BAPI.Microsoft’s choice of API is not necessarilyas big a rift in the world of standardiza-tion as it may at first seem, especially con-sidering that the interoperability of datamight be even more important than theAPI, which could at least be solved by an

appropriate translation layer betweenBioAPI and the Microsoft BAPI.At the PC/SC Coremember Meeting atthe CTST2002, the integration of bio-metric interfaces into the next ServicePack or LongHorn were discussed.The MSarchitecture would then extend the speci-fication of a top level biometric API by alower level specification for fingerprintdevices (image, self-encoding and self-matching), a ResourceManager for themaintenance of biometric devices, a deviceclass Biometrics, as well as probably aWHQL specification for such devices.Biometric service providers could thus beloaded above the ResourceManager.Given a fast interoperability to the existingstandards BioAPI and CBEFF, this archi-tectural integration into the pre-dominantMS platform could be a further signifi-cant step towards the ubiquitous introduc-tion of biometrics as a means of personidentification on computer platforms.

X9.84(Biometric InformationManagement inFinancial Services)The scope of the X9.84 is the usage ofbiometric technology for identificationand authentication of banking customersand employees. Besides a CBEFF/BioAPIcompliant definition of the biometrictemplate data (see paragraph on templatestandardization above) the ANSI standardserves as a security integration profile forthe biometric application integration.As such, it deals with the security andmanagement of biometric data and phys-ical hardware, the application of biomet-ric technology for logical and physicalaccess, the encapsulation of biometricdata, as well as with techniques forsecure transmission and storage of bio-metric data.The target was to establish minimumsecurity requirements for the effectivemanagement of biometric data; such asto maintain the data integrity of bio-metric data and verification resultsbetween any two components, toauthenticate the source of the biometricdata and verification results betweenthe sender and receiver component, aswell as to ensure the confidentiality of


the biometric data during transmission.The X9.84 could probably be calledthe first available biometric securityand application integration profile –which with respect to interoperabilityrequires BioAPI as the normative API.

AcceleratingAdoption AndClosing MissingLinksDespite excellent progress made in thelast 2 years – this report mentions just

Biometric standardization - are wenearly there yet, or have we just begun?The ongoing considerable amount ofstandardization work around biometricsmight create the impression that wehave only just started – if viewedsuperficially. However, in reality stand-ardization must and is changing itsfocus from pure technology to applica-tion and solution interfacing, and thusfocusing even more on interoperabilitythan has previously been the case inthis still young industry. The need forinteroperability has always beendeemed high in this industry, andworking groups like the M1 or

Copyright the Biometric Consortium Interoperability, Assurance, and Performance Working Group and the Java Card Forum’s Biometric Taskforce

Summarizing the Roadmap of Biometric StandardizationConvergence or Just a Whole Lot More Standardization Activities?

SC17/WG11 are actually consolidatingthe interoperability of the standardsthat have been worked upon in the past– the interoperability of travel docu-ments and Smart Cards is one suchexample - given the application shiftwe are currently seeing in the biomet-ric field. Discussions on an API levelintegration of BioAPI and X9.84 aswell as the template interoperabilitylevel have also just started.Biometrics is now leaving the technol-ogy phase, and entering a solution inte-gration phase in applications with anobvious benefit for the end-user. Openplatform design and standardized inter-

faces, operating system and securityintegration, as well as the convergenceof technologies such as PKI, SmartCards and biometrics will certainlypave the way for the ubiquitous use ofbiometrics. On the other hand, theywill also partially evolve quite naturallyfrom the experience gained in real lifesolution integration.

As such, the recent efforts and workinggroups are not a sign of divergence, butrather of striving for interoperabilityand a focus shift to integrated solutions.Major standardization efforts arealigned with each other with respect to

some of the results anticipated 2 yearsago - standardization activities are stillin flux.Partially this is due to a natural transi-tion from mere technology standardi-zation to an application and solutionoriented approach.The achieved standardsmust interface with the existing inter-faces in the end-user application world.This is why, for example, the INCITSTechnical Committee Biometrics M1,that has recently been established as thegeneric biometric working group with-

in ANSI, is not only striving for fastadoption of the existing standards likeBioAPI and CBEFF through ISO fasttrack procedures, but also targetingapplication profiles and implementationagreements.Furthermore, a biometric API – no matteron which computing platform – or somededicated data or template standard, doesnot address all the standardization require-ments to have a working end-userapplication with integrated biometrics.Besides the general application shift that

56

Figure 1: The ‘Big Picture’

57


has partially occurred in the biometricindustry, there are further issues, such asbiometric evaluation, certification,assurance and privacy, and data protec-tion that need serious consideration andwould actually demand standardizationas well, before the picture is complete.

Besides standards compliance, the actualbiometric performance and security isone major criteria for the applicationintegrator’s choice of a biometric solu-tion. Despite a considerable amount of

work done by well-known institutionsin the past (institutions like the Bio-metric Interoperability, Performance,and Assurance Working Group of theBiometric Consortium, the BiometricWorking Group of the CESG, theBioTrusT evaluation project of theGerman TeleTrusT, the German BSI,the Interna-tional Biometric Group(IBG) commercial test center, the USArmy Biometric Test Center at San JoseState University, the National PhysicsLaboratory (NPL), UK ), still an inter-

nationally agreed and standardized testprocedure for testing biometric systemsdoes not exist. The formulation of Bio-metric Protection Profiles according toCommon Criteria is under way – andhopefully the 3 available versions thatare currently under review, theCanadian, British and US biometricprotection profiles will finally converge.In the end, standardized test proceduresthat deal with all the statistical peculi-arities of biometric systems, will bemandatory.

templates, API and security architec-tures. Different biometric standards, likethe BioAPI, ISO/IEC 7816-11, PC/SCand the JavaCard Biometric API forexample, fit into the same consistent“big” picture of a distributed securesystems application with biometrics(see Figure 1).

The transition of industry consortiastandards to internationally accreditedstandards has started and is continuing.Biometric standardization – just as the

technology – must enter a phase ofusage and evaluation now. Any stan-dardization will never “be there yet”since technology is always underlyingin a natural improvement cycle. Butbiometric standardization has defini-tively entered this phase of consolidatedinteroperability and iterated improve-ment! The biometric standardizationpuzzle (see Figure 2) will naturallyevolve when the industry implementsend-user solutions with a strong focuson interoperability.

Useful website addresses• www.bioapi.com• www.nist.gov/cbeff• www.biometrics.org• www.ibia.org• www.nist.gov• www.nist.gov/bcwg• www.teletrust.de• www.oasis-open.com• www.ncits.org/press/2001/

biometrictcpr.htm• www.cesg.gov.uk/technology/

biometrics/index.htm• www.javacardforum.org• www-engr.sjsv.edu/~graduate/

biometrics• www.afb.org.uk/

Interoperabledata & template

standardsimplementedin operating

systems

Figure 2: The biometric Standardization Puzzle

Biometric APISfor respectiveplatforms

TechnologyIntegration• Platform

security stack • PKI and

Smart Card • Certificationand assurance

Integrationinto applicationstandards /applicationprofiles

Technology UpdateEmbedded Security

Realizing that this security need wouldbe a major hindrance in the develop-ment of electronic communication andtransactions, the electronics industryitself needed to react and develop anappropriate answer. Founded in 1999by Compaq, Hewlett Packard, IBM,Intel, and Microsoft the TrustedComputing Platform Alliance (TCPA)defined and developed the concept ofTrusted Computing as a security standard.In the meantime more than 160 com-panies all along the value chain have joinedthis impressive industry approach.Being recognized as the world marketleader in secure controllers, InfineonTechnologies has contributed to all speci-fications of the TCPA organization.The basis for the concept that willchange PCs, notebooks, PDAs, mobilephones, etc. into Trusted Clients is theso-called TPM (Trusted PlatformModule). Being a secure controller theTPM provides functionality for strongauthentication, secure storage as well asfor the protection of the PC’s integrity.Infineon Technologies is one of the firstcompanies to provide a product buildto the specification of the TCPA.

Global Networking is causingthe globe to shrink and net-work boundaries to disappear.Closed corporate networks areopening up as demand forinformation is increasing fromtraveling employees, customersand partners.With this develop-ment the vulnerability of in-formation is rising; as is theneed for security.

Infineon’sTrusted

PlatformModule

The TCPA conceptBasically the TPM has the following tasks:• Monitoring the trustworthiness

of the platform it is bound to.• Providing strong authentication

mechanisms for identifyingthe platform.

• Providing secure storagefor the user’s keys and secrets.

• Providing additional cryptographicservices to applications.

Besides functionality, the TCPA under-stood that the TPM must be cost effec-tive, would not influence in any meansthe exportability of the platform it isintegrated in, and most importantlywould not infringe the privacy of theplatform owner.

Trustworthy statusTo perform this task the TPM monitorsthe booting process of, for example, aPC. During this process so-called hashvalues (basically a checksum) for therelevant components are created: BIOS,device drivers, loaders of the operatingsystem.These values are stored in the TPM

and can be compared to the referencevalues that define the trustworthy statusof a platform. Reporting the result toeither the owner or a communicationpartner, the TPM provides crucial infor-mation to base a security policy upon.A system that reports a non-trustworthystate can be disconnected by the systemadministrator from the network or at leastbe checked for the reason of this status.

StrongauthenticationUp to now it has been difficult for systemadministrators to determine whetherthe system that is connected to theirnetwork is a company system or not.For example it might be necessary tolimit the download of critical docu-ments only to corporate computers (asyou don’t want to have them on thehard drive of the PC in an airportlounge, thanks to your traveling busi-nessman). As the TPM provides thecapabilities of a built-in Smart Card,strong authentication can be providedto give a higher level of assurance tosecure networks.

58

By Infineon Technologies AG

59

Technology UpdateEmbedded Security

Secure storageThe main CPU of a PC or notebook isbuild to execute the loaded applicationquickly and correctly. It is not built todistinguish between “good” and “evil”software. Viruses and Trojan horses areable to steal information that is avail-able on, or on its way to, the mainCPU. To protect the most importantdata (such as digital signature key) it isnecessary to store it in well protected,separate, hardware that is also able toprovide the necessary performance forthe utilization of this data e.g. for digi-tally signing a document. The TPMprovides this functionality with a securenon-volatile memory and efficient crypto-graphic coprocessors.

AdditionalcryptographicservicesServing standard cryptographic serviceproviders (CSP) like Microsoft® CAPIand RSA’s PKCS#11, the TPM per-forms additional cryptographic requests.Secure creation of keys, calculation of ahash value and a lot of other functionsare provided as services to the request-ing applications.As the applications alreadyuse software cryptography, the additio-nal increase in the level of security throughthe TPM hardware is tremendous.

FrameworkAs mentioned earlier, there was a certainframework for the TPM concept. Firstthe concept had to reflect that the TPMcould be cost effective by not addingtoo much to the overall costs of theplatform. Secondly, care had to be takenthat no export restrictions were addedto the platform. Consequently, the TPMdoes not offer freely available encrypt-ion services to applications.

One of the most important require-ments was to maintain the privacy ofthe user.This was realized by giving fullcontrol over the functionality to theowner of the TPM (the TPM can evenbe disabled). Even if it is enabled it isjust responding to so-called challengesof third parties if allowed to, by theowner. Allowing the creation of so-called identities that might be differentfor each service, provides additionalprotection of the user’s privacy.

The TPM marketThe first definition provided by theTCPA is reflected in the integration ofTPMs in PCs and notebooks. Given themarket power of the promoter andmember companies and the possibilitiesprovided by the TPM functionality, theTCPA concept has the potential to berealized on every PC and notebookplatform. This would mean a market ofabout 200 Million pieces by 2005.

For the future, it is very likely that theTPMs will move into PDAs, mobilephones and other devices, as they facethe same security requirements as clientsof a worldwide network.

The InfineonTPM product(SLD 9630 TT 1.1)

HardwareThe basis for the Infineon TPM is themature technology of the 66P securecontrollers. In addition to the well-proven, true random number generatorand the asymmetric RSA coprocessor(which was upgraded up to 2048 bitkey length) Infineon has realized thehash coprocessor (SHA-1 and MD5)and the LPC interface. Security measures

such as active shielding, as well as fre-quency and temperature sensors, arepart of the product just as they are inall the other 66P based products.

This gives the Infineon TPM the highestlevel of security protection that is avail-able in the world.

FirmwareandSoftwareMaking the integrationinto customers’ platforms

as secure and convenient as possible,Infineon provides firmware (runningon the secure controller), the TCPASoftware Stack (TSS) and support forthe integration into customers’ BIOS.

By providing the firmware in addition,to the secure controller, Infineon takesownership of the security critical partsof the system based on more than 10years of security expertise.

ServicesIn addition to the product, Infineonprovides two services to the customers thatare required by the TCPA specification.

• The TPM, including the firmware,will be certified according to theCommon Criteria protection profileof the TCPA. This evaluation will bethe basis for the customer’s certificatefor the Trusted Client.

• Infineon is ensuring the securitycritical personalization of the TPMs.During this process a unique pub-lic/private key pair that is certifiedby Infineon will be created for eachTPM and stored inside.

Security is recognized as the next differentiation feature for PCs and notebooks. The TCPA provides a standard withspecifications that leave room for differentiation, but ensure interoperability and compliance. With the introduction ofthe TPM into these systems, a higher level of security and trustworthiness can be achieved.Infineon Technologies is very much involved in the standardization work and is accepted as a leader in security compo-nents.With the SLD 9630 TT 1.1 Infineon has introduced their first TPM into the market.The further development of a roadmap that covers secure devices for PCs and notebooks, as well as for other networkappliances will keep Infineon in the lead in this exciting and growing market.

Summary

Within the Trust

64 bytesFingerprintTemplateHave you ever had an experiencewhere your fingerprint authenticationapplication has been stymied by thedemands of the small memory size forstoring fingerprint templates?Fingerprint template is the data extractedoffline from collected fingerprint image(s)and is used for reference during thesubsequent online use. Depending onyour application, this data must be storedin some medium (Flash ROM, Smart-Card, magnetic card, etc). If 64-bytefingerprint template is small enough foryour currently-abandoned applications,you are a potential customer ofBeyondLSI’s fingerprint technology. Inaddition to expanding fingerprintapplication domain, BeyondLSI believesthat this small fingerprint template datawill completely change the status offingerprint authentication technologyin the market. BeyondLSI has just startedto deliver this superior feature to theworld market, integrated in compacthardware modules and software pack-ages, after a long period of tests with avery large number of real test cases (seeFigure 1).

StandaloneSecurity PlatformAmong various kinds of fingerprintauthentication algorithms, BeyondLSIdeveloped its original algorithm in

AchievingMorewithLess

– reducingthe Template

Data SizeBeyondLSI rises to the

Challenge with 64-Byte SecureFingerprint Template

1999, introducing new techniques inimage processing, fingerprint featuredata encoding and fingerprint matching.The algorithm has been carefully designedto address a spectrum of system opti-mization issues: minimizing fingerprinttemplate data size, maximizing accuracymeasured by FAR (False AcceptanceRate) and FRR (False RejectionRate), reducing computational com-plexity (instruction steps, program/datamemory size) and processing time, andmaximizing scalability / interoperability.

Standalone Security Platform is an em-bedded hardware system solution basedon this algorithm together with its cut-ting-edge and market-tested securitytechnologies. The platform provides all

required functions for various kinds ofsecurity-related applications. The mainfeatures of this Standalone SecurityPlatform are:

• 64-byte fingerprint template data

• 360° rotation free

• FAR : 0.001%

• FRR : 0.1%

• 0.25 sec for feature extractionand less than 0.1 sec formatching

• Low power consumption of lessthan 600 mW at operation mode

• Built-in secure networkingfunctions

Among them, template data size of64 bytes is 1/4 to 1/10 smaller thanother algorithms, without sacrificingthe identification performance such asFAR and FRR.The compactness of thedata size opens up a new vista for fin-gerprint applications, by allowing finger-print templates to be stored in tinymemory or other media. 64 bytes isoften the size of ID data of numerousidentification systems, and therefore thefingerprint template data can be treatedmerely as additional ID data, enabling

the use of current identification systemsinfrastructure. This is a strong contrastof having to treat larger (conventional)fingerprint template data with dedicateddata handler functions, requiring the

60

Figure 1: BeyondLSI’s Fingerprint Module

61

Within the Trust

introduction of new infrastructurewhich has been one of the major obsta-cles in the spread of fingerprint authen-tication technology (see Figure 2).Standalone Security Platform is equippedwith the following dedicated securityfunctions:

• Internal / external personalauthentication

• PIN management andverification

• Encryption/Decryption/Digital Signature

• Random number generation

These functions provide solutions forvarious security applications such asidentification, driver’s license, socialsecurity, passports, tolls and access con-trol.The Platform is also equipped withdedicated communication interfaces:

• RS232C/RS422 serial interface

• USB interface

• Ethernet interface

• Smart Card interface

• Keyboard interface

• LCD interface

These interfaces provide solutions forPC security, PDA security, mobilephone, online security, and Smart Cardapplications.

The above functions are also providedthrough software packages with a finger-print capture box based on Infineon’sFingerTIP™ sensor (see Figure 3).BeyondLSI’s algorithm can easily beported to any type of CPU or DSP plat-forms, enabling third parties to developlow power, low cost, and high perform-ance applications.

BeyondLSI’sSystemOptimizationMethodologyBeyondLSI’s R&D is driven by a uniquemethodology towards system optimi-zation. The methodology has beendeveloped during long experience inthe field of multimedia LSI designs.Theunderlining philosophy is that in orderto truly optimize any system, one hasto start the design at the very begin-ning, namely at the algorithm level,while at the same time, clearly defininga target system platform or a group ofplatforms. By truly understanding thenature of the application and its operatingenvironment, reexamining the existingalgorithms, and being conscious of thesystem specifications, such a designprocess can produce a number of inno-

Figure 3: BeyondLSI’s Fingerprint Authentication Unit withInifineon FingerTIP™ sensor (Fingerprint Module inside)

Figure 2:Template data size

BeyondLSI

ID datainformation

ID datainformation

Finger-Printdata

FP data

Conventional

For information visit:www.beyondLSI.com

vative ideas that affect the system quality(performance, functionality, cost, speed,usability, power consumption) as well asthe productivity (development cost,portability, time-to-market). BeyondLSIis a group of professionals who all exceedexpectations in design experience, forall aspects of system designs (algorithm,application software, firmware, hard-ware, system integration).

BeyondLSI is a venture company, intro-ducing innovative technologies fromKunieda laboratory in Tokyo Instituteof Technology, Japan, to world industry.5 Professors associated with Kuniedalaboratory joined the company toachieve its mission; not just limited toR&D of its own products, but also toinclude consulting, collaboration, andassistance in developing applicationproducts for other organizations.

Shenyang BeyondLSI, China, is a sistercompany, whose office is located inShenyang 21th Century High-TechGarden. It is mainly developing finger-print security solutions in various kindsof application fields.These two BeyondLSIs continue thechallenge to bring new fingerprinttechnology to the world market withthis 64 byte secure fingerprint template.BeyondLSI also welcomes partnerswilling to collaborate in developingnew applications with this 64-byte finger-print template.

Within the Trust

By listening to our customers and tryingto anticipate future requirements, wecontinuously extend the product func-tionality to serve the needs of our cus-tomers arising with the increasing num-ber of Contactless Card Systems.This functionality is incorporated in ourstandard products, which are available indifferent versions and offer mechanical,electrical and a high level of functionalcompatibility through Baltech’s uniqueUnified Reader Interface. Based on thistechnology, integrators can significantlyreduce their project specific efforts dueto greatly reduced adaptation costswhen different projects require differentcard technologies.All major 13,56 MHz proprietary sys-tems as well as ISO14443/15693 com-pliant cards and labels are supported.Read ranges from proximity via midrange up to ISO15693 long range read-ers for 1m and above can be offered.Throughout the whole process – fromhard and software development, to pro-

Look,butdon’t touch!

Providing Contactless SmartCard Reader Modules since 1996Baltech supported the new Smart Label technology from the be-ginning and was the first company linking the two worlds of secureSmart Cards and low-cost Smart Labels on the Reader side, toenable users to use both technologies with the same infrastructure.

duction and sale, Baltech can offer cus-tomized products tailored to the specificapplication needs, to meet even the mostchallenging requirements in functionalityand cost.

Who can benefitfrom our productsand services?Potential customers for Baltech’s prod-ucts are all users of contactless SmartCard and Smart Label technology.Users who want to start with the con-tactless technology in their applications,can rely on the high level of functionalitywhich makes integration convenient andstraightforward. For the initial steps,Baltech can advise and assist in choosinga card system, defining the card structureand providing the initial set-up of a readerconfiguration.Along with tools offered tominimize the complexity of project hand-ling, the integration of contactless tech-nology is reduced to sending a couple ofcommands via a serial interface.Users looking for the highest perform-ance of the contactless interface with thecapability to control the communicationon a low-level basis, can also be served.All Baltech readers offer low-level func-tionality for execution of sophisticatedcard processing algorithms through thehost system.Together with the integrator,Baltech can integrate customer specificfunctionality into the reader, in order toimprove the overall system performanceand, in some cases, to improve systemsecurity.Due to the different possibilities of proj-ect structures, the requirements on thereader side are different. The following

examples should highlight the benefitsof Baltech’s products and services fromthe contactless reader point of view.

Application Example:E-ticketing inPublic TransportTicketing projects require large infra-structure investments. The most impor-tant features of a reader are perform-ance (transaction speed), a high level offlexibility and conformity to ISOStandards. Because of this, the systemowner benefits from future develop-ments in the functionality and cost ofcontactless card technology.Based on Baltech’s standard producttechnologies, ISO-compliant contact-less readers with a high level of per-formance are offered.Together with thesystem integrator, the optimal readerconception to fit into the overall tick-eting system structure of hard and soft-ware can be analyzed, designed anddelivered in the form of standard orcustomized products. Especially if itcomes to interaction of encryption andtransaction speed, readers with a higherlevel of functionality improve the over-all system performance.

Application Example:Card HolderAuthenticationApplications like logical and physicalaccess control, time and attendance, etc.are widely spread on the basis of compa-ny cards. Companies providing solutionsfor these applications have to supportdifferent card technologies and cardstructures for each project. In contrast tothe situation with e-ticketing, the con-tactless card technology used within an“authentication” project remains thesame for the lifetime of the system. Themost important issue for a systemprovider is the support of a broad rangeof technologies and the handling cost ofthe project specific card structures andtechnologies. With Baltech’s UnifiedReader Interface and the Configurationcapabilities of the readers, the adaptationrequirements are reduced to the readerconfiguration without involvement ofthe system provider’s hard and software.

62 For information please e-Mail:[email protected]

A Baltech Smart CardReader Module

63

Within the Trust

Guardeonic –Security From OneSourceWith a staff of about 200 employees,Guardeonic offers worldwide customer-tailored, interoperative IT securitysolutions for integrated, efficient andsecure business procedures. In doingthis, the company is able to make use ofa fully comprehensive, home-grownproduct portfolio such as secure e-mailapplications, secure entry access andencoding systems for PCs as well as acomplete Public Key Infrastructure(PKI) solution with a “CertificationAuthority” as the core element of aTrust Center (issuing certificates forsecure data transfer). This Public KeyInfrastructure is the basis on whiche-business applications or secure e-docu-ment workflows are built.

ConfidentialBusiness RelationsGuardeonic was one of the key con-tributors to the development ofSiemens AG’s Trust Center – with apotential of 400.000 employees operat-ing all over the world, this is one of thelargest PKI projects in Europe. Furthercustomers come from the fields ofgovernment, communication, mobilecommerce and automotive. “In thefuture every company should be able todevelop business relations securely andconfidentially with any other companyof their choice anywhere in the world– that is our objective”, explainsMoritz. However, there is still a longway to go, and there are many political

Securebusinesssolutions

Guardeonic Solutions – a wholly owned subsi-diary of Infineon Technologies – was foundedin March 2001.The company provides IT secur-ity solutions with a wide expertise in the areasof security technology and cryptology. Wolf-Rudiger Moritz, chairman of Guardeonicexplains, “Guardeonic offers complete softwaresolutions for guaranteeing secure e-businessand m-business transactions. Our claim is tomeasurably increase the business success of ourclients. We also of course offer products andservices to protect IT infrastructures.”

Guardeonic Solutions AGsupplies complete

solutions for securitytechnologies

and cultural obstacles to overcome.That is why Guardeonic Solutions is amember of “Initiative D21”, launchedby the German Ministry for InternalAffairs, which aims to accelerate theprocess by awareness-raising campaignsand providing descriptions of modelpractices. Guardeonic offers its customersprofessional consulting and advice pro-vided by a number of experts who haveextensive IT know-how and experi-ence, as well as in-depth understandingof the security involved in crypto-exercise (encoding). The new USencoding standard AES was developedby an employee of the subsidiary firmCryptomathic.

Products andServicesGuardeonic supplies and develops solu-tions for the industry, banking andhealth care sectors, as well as for publicauthorities. The basis for this is a largenumber of blocks in the product port-folio, such as Secure Access, SecureEmail, Secure Desktop, Secure WebForms, Public Key Infrastructure (PKI)and Smart Card Security. Furthermore,the supply of solutions and products issupplemented by the service areasSecurity Consultancy, ProfessionalServices and Customer Development.Guardeonic products and services helpcustomers to develop an extensiveguidance in forming a security policyas well as a status analysis. It is on thisbasis that the conception, implementa-tion and training of internal securityexperts succeeds.

For information visit:www.guardeonic.com

A monitoring concept for regularlychecking the IT infrastructure is subse-quently created.

IT Security Market“At present, there is no structure in themarket for security solutions.”, explainsWolf-Rüdiger Moritz. “What is more,to date there have hardly been any uni-form security standards and, as we allknow, in times of economic difficultycompanies cut their security budgets,which of course is precisely the wrongthing to do in this situation.You couldsum it up by saying that everybodywants more security, but no one wantsto pay for it. We are trying to satisfythis basic desire by orientating our cor-porate strategy accordingly. We are notselling security, we are selling businesssolutions that are secure. In this way weprovide the customer with a cost andcompetitive advantage which leads to aReturn on Investment (ROI)”.

Wolf-Rüdiger MoritzCEO,Guardeonic Solutions

Within the Trust

For example, the customer can imple-ment a function to identify the userand open the Smart Card, not only byPIN code, but also by Fingerprint aloneor in combination with a PIN code.The operation during a secure match isfully stateless between the card and theencoding device. The encoding devicecan be a Smart Card reader with finger-print-sensor.The template to be matchedagainst stored templates in the card canbe sent in one standard APDU commandto the card, compliant to the ISO7816with a single answer or action insidethe card. Following these restrictions,the SmartMatch can be implementedvery easily in all kinds of secure functions.All the application specific operations aremanaged and programmed by the cus-tomer.The IKENDI SmartMatch enableseverybody who develops software, oper-ating systems or applications on SmartCards and other security controllers touse a fingerprint matching function. Inthe present version, the IKENDITemplate format is supported and theSmartMatch can be combined with all

With the SmartMatch, IKENDI has ported the full IKENDI Fingerprint-Matching algorithmfor very small computing environments. The software is designed as a generic object moduleto be implemented in the customer application or operating system by the customer himself.Inside the module the customer’s specific application or operating system communicates via normalfunction calls and for the final product, it can be compiled in the operating system ROMmask. The object modules deliver the function to match a received Fingerprint Templateagainst stored templates in the internal file system or memory. Where the templates are storedand how the communication via ISO7816 (for example) is designed, is dependent on the imple-mentation of the customer.

IKENDI®SmartMatch

FingerprintMatch-on-Card

for InfineonSmart Card and

Security ICs

IKENDI Fingerprint Encoder Modulesand development environments.

As soon as the upcoming internationalISO/ANSI and DIN (V66400) standardsfor minutia based template formats aresubmitted, IKENDI will deliver astandard compliant SmartMatch im-plementation. This guarantees a fullyinteroperable fingerprint solution forSmart Cards.

FunctionalDescriptionThe customer application calls the Smart-Match module via only one function.During the execution of this function,the SmartMatch is calling externallysupplied helper functions. These helperfunctions have a defined API and mustbe written by the Smart Card integrator.Within these functions the two templatesfor the matching fingerprints areaccessed and the configuration parame-ters for SmartMatch are read in. Thisflexible design gives the Smart Cardintegrator full freedom to store the

templates and the parameter blockwherever he wants.The result of the matching function isa score value (verification). For anidentification, the function can becalled repeatedly over a database storedin the card.A first implementation of the IKENDISmartMatch will be available on theApollo Operating System from SC2 Ltd(www.scsquare.com).

SystemRequirements(Smart Card)• 1780 Byte Workspace (RAM)• ~350 Byte Stack (RAM)

depending on controller• 246 Byte for actual template

(RAM/Flash)• Codesize <32Kb (8-bit),

17Kb (32 Bit) (Depending oncontroller, ROM/Flash/E2)

• ≤ 384 Bytes per storedtemplate (E2 or Flash)(Database in chip,captured during enrollment)

64 For information visit:www.ikendi.com

65

Within the Trust

The central storage of user data in mostbiometric applications faces seriousopposition concerning data protection,because this kind of storage could leadto an eventual uncontrollable propaga-tion, in respect of the potential misuseof data. Novacard´s FingerTip® SensorCard has found the solution that com-bines the advantages of biometric iden-tification with ultimate data protection:Your template “in your pocket”.Fingerprint authentication belongs tothe method with the highest useracceptance and it has been recognizedfor approximately 100 years as legal evi-dence. Fingerprint technology is provid-ed by the Infineon FingerTIP® Sensorwhich is integrated into a standardSmart Card. A crypto-processor SmartCard module allows communicationwith the reading device connected tothe external system and also stores thefingerprint data. For an added securitymeasure, the Smart Card module hasbeen evaluated to an E4-level (ITSEC)and therefore the template is stored inan extremely secure environment.

The FingerTip®

SensorCard

Let’splay itsafe!

A template on cardThe fingerprint storage occurs solely onthe card’s processor chip. Therefore it ispossible to provide any user with a per-sonal card.The problem of central storageof sensitive data is thus solved, as the user’sfingerprint is stored on the card and can-not be manipulated.The capacitive sensorrecognizes the fingerprint with a highresolution. Characteristic features (minutiae)are extracted from this picture of thefingerprint and are then securely stored inthe card’s processor chip. During usagethese features are compared to the currentminutiae of the user. Only in the case of apositive identification will the chip andthe associated data be unlocked, comparablewith entering the right PIN.

Convenient security “Darling”, “Honey” - nicknames anddates of birth are very popular if userscan choose their own Passwords andPINs. Hence knowing the dates of birthof a company’s employees will morethan likely allow access with nearlyninety percent of the Smart Cards,if a conventional Smart Card based sys-tem is installed. With the FingerTIP®SensorCard, Passwords and PIN numbersof any kind cease to exist and in case thecard is lost, it cannot be used by a thirdperson. Propagation to a non authorizedperson can be excluded, too. While theprobability of determining a four-digitPIN number is 1: 10000, the probabilityof an identical fingerprint is incomparablyhigher.Therefore the FingerTip® SensorCard represents an absolute improve-ment in security.

New Smart CardopportunitiesThe FingerTip® SensorCard featuresenable the safeguarding of airports, mili-tary security areas, public utilities andinternational conglomerates.

For information visit:www.novacard.de

A demand for reliable access control onorder to protect highly sensitive objectsor IT-networks, leads to the increasedapplication of biometric identificationsystems.Applicants from the most diversesectors are showing interest inNovacard’s biometric Smart Card tech-nology. For example, the airport securityof an international European airport isunder discussion, as well as securing aninternational chemistry concern, regard-ing access control of the whole plant andprotection of the internal network con-taining research and development results.The card will also be utilized for thenetwork security of a German bank’sBrazilian subsidiary. The companyexpects an increased security level inaddition to a saving of expenses of 50%in the area of software and hardware,which will result in a payback period ofless than one year.

Making visionsattainable Novacard is an innovative card manufac-turing company specialized in the pro-duction of Smart Cards, contactless cards,dual interface cards and high quality plas-tic cards. Since 1999, Novacard has dealtwith the development of Chip Cards withintegrated finger tip sensors, pioneeredwork and is at present the only card man-ufacturer with current projects and cardsin the field. Even during the developmentperiod, the product was validated by gainingseveral international awards: The SesamesAward 1999 in the category Healthcare,the ICMA Elan Award 2000 for TechnicalAchievement as well as the NationalDutch Chip Card Award. It has beenemployed successfully since 2000 withina project of a Dutch health insurancecompany.

In the age of digital data transmissionand because of increasing security require-ments, Novacard InformationssystemeGmbH attaches great importance on thecontinuous growth of its know-how inthe area of high security technologies.Novacard is the only Chip Card manu-facturer who is able to provide its cus-tomers with the FingerTIP® SensorCard, reaching this maximum level ofsecurity.

Of course you appreciate thebenefits of biometric identifi-cation systems – but do youwant your biometric tem-plate; your personal finger-print to travel through thevirtual data world? Certainlynot. However, for most bio-metric systems available onthe market today, there is noguarantee that your templatewill always stay your ownsecret property.

The FingerTip® SensorCard

Instructive? Yes, the world of sport hasmany parallels with another topic thatoccupies much of my time - security,and biometric security, in particular.

A surprising number of similarities canbe drawn between sports, such as foot-ball or rugby, and the world of IT security,and I am sure you will be able to thinkof more than I can mention in thisshort article. So, if you will excuse mysporting indulgences for the next fewparagraphs, let's get down to the mainissues of the day - or the latest team news.

The biometric industry has been rockedin recent months with revelations thatmost of the different types of technologyavailable, such as iris, fingerprint andface recognition, can be 'spoofed' withsimple, but ingenious tricks.

Videos of people's faces, irises printedon card (with little holes cut out forthe perpetrator to position their pupils),and breathing on fingerprint sensors,were all found to be successful ways tobypass some of the best-known equip-ment in the industry.

To be absolutely honest on this point,this has been a PR disaster for the bio-metric industry. (Even though it was doneafter many attempts in a laboratory,without any additional security defens-es in place.) It is like a football managerfinding out that his new and expensivesigning has a phobia defending against

66

Running Commentary

Give security systemsa sporting chance

My wife tells me I watch too much sport. She's probablyright. But then she isn't addicted to the passion and excite-ment generated when teams of players bust a gut to achieveglory in front of their adoring fans. For me, however, it isn'tjust the adrenaline of the game that holds my attention forhours on end. It is also the mechanics and tactics of thegame that I find fascinating - and instructive.

have layers of defenders to impede theattacking sides' approach to the goal-mouth. Overall, a biometric-based systemthat is designed thoughtfully with otherlines of defense in place, such as tokens,passwords or PKI, will be a strongersystem, where the chances of an impostorgetting through are still there, butseverely diminished.

Despite the negative PR, these spoofingattacks will ultimately strengthen thebiometrics industry. You can be surethat biometric suppliers are franticallyredesigning their systems to patch upthese latest vulnerabilities. In effect, theendless ping-pong match betweenattacker and system developer has justbegun in the biometrics industry. Theindustry shouldn't be scared of this,just alert and proactive. So, the mainmessage from this article is that despitethis 'spoofing' set back, biometricsshould still be given a chance to provetheir undeniable worth. Properly im-plemented, they will set the securitybar a couple of notches higher forattackers to jump and, for many, thatmay prove to be one hurdle too many.

The second message is to remind youthat the next time your partner tells youthat you watch far too much sport, youcan plead innocence. Far from neglectingyour household chores, you are in factdeveloping important skills vital foryour career. At least that's my excuseanyway!

players with unusual hairstyles - analarmingly common phenomenon thesedays.This new player may be the hottestnew defender on the block, but if thisflaw is discovered before it can be putright, then attacking teams will have adistinct advantage on the playing field.

Game, set and match for biometricindustry nay Sayers then? I hope, andsuspect, not.

Biometrics may have been billed asnew star defenders in the IT securityworld, but it should be rememberedthat no security system is infallible. Andin the case of biometrics, there hashardly been any proper testing of theireffectiveness in the real world (indeedthe standard tests needed to determinewhether a biometric system's security isup to scratch are only just reachingcompletion - see Brigitte Wirtz's stan-dardization article on p57).

This doesn't mean that IT managersshould hold back from purchasing untilthe perfect biometric system comesalong. After all, PINs and passwords arefar from perfect. As long as the system'svulnerabilities are understood then theycan either be rectified, designed aroundor accounted for in whatever riskassessment model is being used.

Any good security system designerknows that biometrics shouldn't beused in isolation - good football teams

Mark Lockie is the editor of the

newsletter Biometric Technology

Today, author of the Biometric

Industry Report and proprietor of

Ideal Media Consulting. He can be

contacted via email:

[email protected]

An Infineon Technologies Publication 02/2002 · An Infineon Technologies Publication 02/2002 The...

Documents

Transcript of An Infineon Technologies Publication 02/2002 · An Infineon Technologies Publication 02/2002 The...