SmartCard Forum 2009 - New trends in smart-cards technology

Smart Card Forum, May 21st, 2009

Page 2

Agenda

Biometrics on Computers

Gemalto introduction

Smart Card, Biometrics and Convenience

Computer Authentication Solutions

Page 3

Making people’s everyday interactions with the digital world secure and easy

Gemalto provides end-to-end solutions for digital security, from the development of software applications, through the design and production of secure personal devices such as smart cards, e-passports and secure tokens, to the deployment of managed services for our customers

Page 4

Introducing Gemalto

Key figures:

€ 1.7 billion revenue 2008

Innovation investment:
• 10 R&D sites worldwide
• 1,300 engineers

Global footprint:
• 19 production sites
• 31 personalization centers
• 85 sales & marketing offices

Experienced team:
• 10,000 employees
• 90 nationalities
• 40 countries

World Leader:
• World’s #1 for SIM (2)
• World’s #1 for chip payment cards (3)
• World’s #1 reference for e-passports (4)
• World’s #1 install-base of over-the-air (OTA) platforms for GSM networks (5)
• Pioneer and patent holder of high-speed SIM for mobile Internet, multimedia and mobile contactless applications
• Pioneer of the .NET card, the first Microsoft Vista compatible smart card solution

Source: (1) Gartner 2006; (2) Frost & Sullivan 2006; (3) The Nilson Report 2007; (4) Keesing Journal of Identity 2007; (5) Gemalto 2007

Page 5

Gemalto's worldwide presence


Page 7

Computer Authentication Solutions

There are many ways to authenticate to a computer:

Username/Password

Tokens storing credentials

Tokens storing digital certificates

Biometrics unlocking credentials or digital certificates stored on PC

Dynamic passwords (OTP), challenge & response

... to name a few

Multifactor is recognised as necessary

Something you know, something you are, something you own

Simplicity is key

Complex solutions lead users to look for shortcuts!

Strong link to users is necessary

Avoid credential passing/borrowing

Enables non-repudiation

Page 8

The need for strong authentication

High profile cases

UK aide to Gordon Brown gets BlackBerry stolen

– http://www.timesonline.co.uk/tol/news/politics/article4364353.ece

– “Downing Street BlackBerrys are password-protected but security officials said most are not encrypted”

FBI loses 3-4 laptops a month (2007)

– AP, http://www.msnbc.msn.com/id/17115660/

– “Perhaps most troubling, the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information”

Regulatory compliance

Non repudiation

Strong Authentication is an enabler

High mobility

Home office

Trust management

Real Strong authentication is mutual!

Not only user to computer/network, but also the other way around

Page 9

Strong Authentication on computers

What is “Strong Authentication” ?

Multifactor

Mutual

Secure

Digital certificates on smart cards/tokens enable all three

Only solution today

Remaining issues

Strong but not absolute binding with user (lending of smart card)

Potential day to day issues

– Lost cards

– Blocked cards

Enter biometrics

Enables 3rd factor if needed

Makes it more convenient!

Boosts user adoption


Page 11

Biometrics and Identity

Remains constant over time – mostly

Public – most of the time

Difficult to revoke

Sensitive – cultural bias

→ Needs to be considered carefully before using!

“Any distinguishing element of a physical person/entity that can be considered as unique”

Principle of Psychological Acceptability:

A security mechanism should not make accessing a resource, or taking some action, more difficult than it would be if the security mechanism were not present.

Page 12

What type of biometrics ?

Linked to

User acceptance

Technology maturity

Performance

Fingerprint recognition is the only prevalent type of biometrics on regular computers

Does not mean other types won't catch up quickly!

Swipe readers are now common

Source: JF Mainguet

Page 13

Fingerprint authentication

Good maturity – standards and evaluation campaigns

Large-scale deployments – National ID schemes

Good user acceptance

Can be achieved in “Match On Card” mode

Performance is a tradeoff between:

Quality (FAR) – Typical figures are well below 0.001%

Convenience (FRR) – Typical figures are below 2%

Accessibility (FTE) – Below 1%
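
The FAR/FRR trade-off above, worked through as an added example (not part of the original slides): the genuine and impostor scores are constructed, and the matcher's 0 to 100 score scale and all function names are assumptions. Measuring rates as low as the slide's figures needs far larger samples than these.

```python
# Constructed similarity scores (0..100) from a hypothetical matcher; not measured data.
GENUINE = [91, 88, 84, 79, 77, 73, 70, 66, 58, 41]   # same finger as the enrolled one
IMPOSTOR = [12, 18, 22, 25, 29, 33, 37, 44, 52, 61]  # a different finger


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when any score >= threshold is accepted."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(thresholds):
    """FAR and FRR at each candidate threshold, to show the trade-off."""
    return [(t, *rates(t)) for t in thresholds]


def lowest_threshold_for_far(max_far, thresholds=range(0, 101)):
    """Most convenient (lowest) threshold whose FAR does not exceed max_far."""
    for t in thresholds:
        far, frr = rates(t)
        if far <= max_far:
            return t, far, frr
    return None


def fte(enrol_results):
    """FTE: share of enrolment attempts that produced no usable template."""
    return sum(1 for ok in enrol_results if not ok) / len(enrol_results)


if __name__ == "__main__":
    # Raising the threshold drives FAR down and FRR up.
    for t, far, frr in sweep([30, 45, 55, 62, 75]):
        print(f"threshold={t:3d}  FAR={far:.0%}  FRR={frr:.0%}")
    print("zero-FAR operating point:", lowest_threshold_for_far(0.0))
```
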

Page 14

Biometrics on computers

Almost all corporate notebook brands embed a fingerprint reader, either as an option or as standard

Mostly swipe readers, varying quality

Surface readers emerging

Government standards (FIPS201) as driver

61 Million fingerprint readers to be shipped in 2009

Cumulative 300 Million to date

(F&S WW Silicon Chip fingerprint market, 2007)

Page 15

Biometrics and regulations

The use of biometrics needs to take local regulations into account

CNIL in France

European data privacy directives (data protection working party Art 29)

UK Data Protection Act

Regulations mostly require

Justification of means

Appropriate protection of biometric data

Page 16

Biometric Technologies: Reliability vs Convenience

[Chart: face, signature, gait, keystroke, fingerprint, hand, iris/retina and voice biometrics, grouped as behavioral or physiological and rated for reliability and user friendliness]

Page 17

Fingerprint Recognition

Strengths

Long experience

Good user acceptance

Good reliability

Easy to use

Weaknesses

Criminality-related image

Leaves traces (latent prints)


Page 19

Merging Biometrics & Smart Card

Mutual & Strong authentication

Using X509 certificates

Portable device

Personal, linked to user, “regulator friendly”

Biometrics establish a strong link to user

Multifactor security

Convenience

User adoption

Evolutivity

Can adapt to rapidly evolving technology

Page 20

Existing implementations

Standalone Match On Card not linked to certificates

Used with ad hoc software

Standalone 3rd authentication factor

Can be used for identification purposes

Standalone Match On Card protecting PIN code and credential storage

Enables biometric-protected credential storage

Enables biometric-protected PKI certificate usage by PIN replay

Match Off Card with fingerprints stored on card

Compatible with every existing PKI smart card

“Regulator-friendly”

Enables both credential storage & PKI cert usage by PIN replay

PKI Smart card accepting PIN and/or Match On Card

Most secure implementation

Enables card-enforced authentication policy (2 to 3 factor)
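
A simplified model of the last variant above, added here as an illustration and not taken from the slides or from any Gemalto product: the card itself checks PIN and fingerprint, keeps the retry counters, and releases the signing operation only when its policy is met. `ModelCard`, the policy names, the toy minutiae matcher and the HMAC stand-in for the private-key operation are all assumptions.

```python
import hashlib
import hmac

class BlockedError(Exception):
    """Raised when a factor's retry counter has reached zero."""

class ModelCard:
    """Simplified model of a PKI card that verifies PIN and fingerprint itself."""

    def __init__(self, pin, template, policy="PIN_OR_BIO", tries=3, min_score=0.75):
        self._pin, self._template = pin, frozenset(template)
        self._key = b"constructed-card-key"  # stand-in for the on-card private key
        self.policy, self.min_score, self._max = policy, min_score, tries
        self._left = {"pin": tries, "bio": tries}
        self._ok = {"pin": False, "bio": False}

    def _check(self, factor, passed):
        if self._left[factor] == 0:
            raise BlockedError(factor)
        # The counter lives on the card, so host software cannot reset it.
        self._left[factor] = self._max if passed else self._left[factor] - 1
        self._ok[factor] = passed
        return passed

    def verify_pin(self, pin):
        return self._check("pin", hmac.compare_digest(pin, self._pin))

    def verify_finger(self, candidate):
        # Toy matcher (assumption): share of enrolled minutiae seen in the candidate.
        score = len(self._template & frozenset(candidate)) / len(self._template)
        return self._check("bio", score >= self.min_score)

    def sign(self, data):
        need_both = self.policy == "PIN_AND_BIO"
        ok = all(self._ok.values()) if need_both else any(self._ok.values())
        if not ok:
            raise PermissionError("authentication policy not satisfied")
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

# Constructed minutiae sets (x, y); FRESH shares 3 of 4 points with ENROLLED.
ENROLLED = {(10, 12), (40, 7), (22, 31), (5, 18)}
FRESH = {(10, 12), (40, 7), (22, 31), (60, 60)}
OTHER = {(1, 1), (2, 2), (3, 3), (4, 4)}

if __name__ == "__main__":
    card = ModelCard("4821", ENROLLED, policy="PIN_AND_BIO")
    print(card.verify_finger(FRESH), card.verify_pin("4821"), card.sign(b"logon")[:16])
```

Under `PIN_OR_BIO` a blocked PIN leaves the fingerprint path usable; under `PIN_AND_BIO` neither factor alone unlocks the key, whatever the host software asks for.
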

Page 21

Current limitations and way forward

OS Architecture can lead to limitations

MS Crypto API was not written for anything other than PIN code

Even though there are openings in future Windows versions

Practical Workarounds are available

PKCS#11 API has better support for biometrics natively

Wrappers for ill-behaving applications are possible

Most important limitation

A lot of software assumes the use of PIN code for smart cards

Practical approach

Test and validation !

[Screenshots: authentication dialogs for PIN Authentication, Biometric Authentication, and PIN or Fingerprint Authentication, the last prompting “Please swipe your finger OR enter your PIN”]

Page 22

Why Smart Card with Biometrics?

Provides «Something you have» to the authentication scheme & smart card PIN code provides «something you know»

Provides privacy

No centralized database

You carry your own biometric template

Provides trust between Authority & End User

Mutual authentication

Provides simplification of operations

One to one matching

Page 23

Process : Template Extraction & Storage

Page 24

Process : Matching

Page 25

Pin vs Bio

Biometrics | PinCode
Public | Secret
Fixed (Template) | Modifiable
No delegation | Delegation
Not possible | Exhaustive attacks
Very difficult | Perso very easy
Match not trivial | Match very simple
Not Yet | Very efficient counter measures (for example against physical & logical attacks)

Page 26

Conclusion : Smart Cards / Biometrics ?

Smart-Card + PIN & Biometrics have to be considered as complementary technologies.

Smart cards & pin-code need Biometrics

Card holder authentication

Non repudiable transaction

Biometrics need Smart cards & pin-code

Privacy

Large volume opportunity

Simplification : One to One matching

The ultimate solution :

Smart card & Pin-code + Biometrics + PKI

Page 27

THANK YOU