Biometrics go hand in hand with Smart Cards

Neville Pattinson

Director of Business Development & Technology

Smart Cardsneville.pattinson@slb.com

Content

• What is a Smart Card?• Factors of Authentication• Biometrics for Identity

Authentication/Verification• Convergence of Smart Cards with Biometrics• Smart ID Cards• Biometric adoption• Summary

What is a smart card?

• One or more Electronic chips embedded into a plastic card

• Contact or contactless

• Memory• Protected Memory• Micro-controller based

Exploded view of a smart card

PVC Overlay (thermal printable)

Polycarbonate (PC)

Filling layerInletInlet (etched antenna)

CARD BODY LAMINATION

CAVITY MILLING MODULE INSERTION

DIE PROBING SAWING AND CUTTING

PVC Overlay (thermal printable)Polycarbonate

(PC)

DIE BONDINGMicro Module8 or 6 Contacts

Chip with antenna

HologramBrand StampMagnetic Stripe

SGS Thomson, Infineon,

Philips, Atmel, Hitachi,

OKI, Samsung, NEC

SchlumbergerGemplusOberthurG&DOrgaMotorola

Card/Micro-Module Assembly(Cross section) Surface

Connections

PCB

Epoxy pot

Smart Card Chip

Gold wire Interconnections

Smart Card Body

Clock

Reset

Input / Outpu

t

CPU

RAM :Scratch

Pad

ROM,Operating

system

EEPROM,Application

Memory

EEPROM :Application

Memory

ROM :Operating

System

the smart card is the ultimate secure portable computer !!

Smart Card Chip

Smart Card Chip Components

• CPU : 6805/8051/H8/RISC• 8 bits/16 bits/32 bits - up to 3 / 5

MIPS• Clock Frequency: 3.57 / 5Mhz• Supply voltage: 5 / 3 / 1.8 Volts• Specialized circuitry (e.g.

Cryptography)

• CPU : 6805/8051/H8/RISC• 8 bits/16 bits/32 bits - up to 3 / 5

MIPS• Clock Frequency: 3.57 / 5Mhz• Supply voltage: 5 / 3 / 1.8 Volts• Specialized circuitry (e.g.

Cryptography)

• RAM = Random Access Memory• Up to 4k bytes• Scratch pad• Checked and blanked out after reset

• RAM = Random Access Memory• Up to 4k bytes• Scratch pad• Checked and blanked out after reset

ROM,Operating

system

EEPROM,Application Memory

• ROM (Read Only Memory)

• Card Operating System• Up to 128k

• ROM (Read Only Memory)

• Card Operating System• Up to 128k

• EEPROM (Electrically Erasable and Programmable Read Only Memory

• Applications and data• Up to 64k (512k soon)

• EEPROM (Electrically Erasable and Programmable Read Only Memory

• Applications and data• Up to 64k (512k soon)

Smart Card Security

• Don’t trust anything until proven...• Physical security (at silicon design)• Hardware security mechanisms (tamper detectors, bus

scrambling, )• Card packaging security mechanisms• Operating System security mechanisms (software

hardness & tamper detection)• Logical Security mechanisms (encryption etc)• Application Security integration• >20 years of innovation and knowledge

Factors of Authentication

• Something you have

• Something you know

• Something you are

• Somewhere you are

Enhanced Security in Identification

• Graph

PIN, PasswordSomething You Know

Solutions

RelativeSecurity

Level

Something You Have + Something You Know + Something You Are

++

Something You Have + Something You Know

++

Something You Have + Something You Are

++ Biometric

ID Card

++

Something You Have

Key or

Card

Two Technologies Are not Enough

• Requires Central Data base

• Requires Trusted Terminals

• Weak User-to-Card Authentication

• Password & multi-Password issues

• Lacks of Key Management

• Weak User-To-Remote Site Authentication

Three Technologies Working Together

• Secure Storage• Portable• Personalized• Privacy • Processing• - Crypto • -Matching• Low-cost

infrastructure• Transactions

world

• Personal : you• Present • Difficult to forge• Convenience• Solves multi-pins

problem• Hard to steal

• Public Notary• Digital information• Usable on networks

Biometrics for Identity Authentication and

Verification

Biometric Identification

• Used to establish the claimed identity of an individual

• Identity is used for background checks• Identity is compared to known identities (1 to

many)• Ensures not previously enrolled under different

Identity

Biometric Identity Verification

• Used to establish card holder is same person who initially enrolled

• Can be – On line to central Database for match

• Card as ID number

– Off line – match locally• Card serves biometric or template

– Off line – match-on-card• Card compares received biometric or template

Umbrella Biometric Verification

• Issuer enrolls everybody into system wide implementation specification– Selects Biometric Identification

technology– Selects Biometric Identity verification

technology– Issuer establishes Reference Biometric

scheme– Match-on-card

Delegated Biometric Verification

• Initially card holder verifies using system wide Umbrella biometric verification credential

• Once verified card holder is optionally allowed to enroll into local biometric system which is added to the card (e.g. template for off-card local match)

Smart Card’s Biometric role

• Using on board computer allows the card to – Authenticate external equipment– Serve raw biometric– Serve template biometric– Compute on-card-template-match

The case against raw biometrics

• Smart Cards can support Reference Template Biometrics as server or matching device.

• Issuer does not need to maintain accessibility to Reference Biometrics other than for enrollment – Privacy, Security, System/User efficiencies– Template cannot be reverse engineered

• Card does not carry raw reference Biometrics– Uses live biometrics for on card match or off card

template Verification – Privacy, Security, convenience– Reduces Identity Theft

Convergence of Smart Cards and Biometrics

+

Smart card capabilities have evolved

Efficient Biometric algorithms have arrived

Biometric Terminal

BiometricSmart Card

Match on card Biometric Verification

X.509 Parsing& Verification

ProcessingParameters

MatchingParameters

BiometricProcessing

“Livescan”BiometricTemplate

BiometricMatching

“Stored”BiometricTemplate

BiometricCapture

imageMatching

Score

X.509 BIOcertificateStorage

Smart ID Card markets

• Corporate Badges– Schlumberger, Shell, Sun, Nissan, Merck…

• Government employee– DoD CAC (>2M of 4.3M)– TSA TWIC – Treasury, GSA, DoI, NASA, GSA…

• Government Issued to citizen– Passport– Drivers License– Permanent Resident / Boarder Crossing– Healthcare Entitlements

Smart ID Card

Austin

Neville PattinsonSmart CardsBusiness Development

Sub-surface hidden RF chip with hidden antennain body of card forPhysical (building) Access

Smart Card Secure Micro computer:User Authentication andLogical Access

Contactless chip: used forUnified physical access for

buildings and facilities,Local cafetaria payment

e-purseTime attendance

Contact chip: used forDigital Credentials

processing,On-card-match verification of Biometric information,

Computer logon,multiple password server

e-pursesecure email

Secure web access

Plastic Body

Photo (Visual Biometric)

Security device & Security printing Security features:

Holograms; Optical device;Security Printing

used forCard Authenticity

Main componentsUsage

• A Smart Card is a secure portable computer.–The “stored” biometric template is protected.

• Smart Cards can verify biometric identities.–The biometric matching can be done in the smart card–Biometric Templates can be served off-card once external device is authenticated

• Smart Cards can update the biometric reference.–The program inside the card can track “trends”.

Smart Card Benefits

Smart ID Card Benefits

• Smart Cards are excellent support for privacy.– No need for a central on-line data base of templates– On card Firewall for data protection– Only authenticated subjects obtain access to allowed

objects – External trust must be proven

• A Smart Card is a faithful digital signing companion. – After the card has authenticated its owner, applications in

the card act on behalf of the cardholder (e.g. digital signatures)

Biometric interoperability

• Proprietary implementations• Inhibiting adoption• Need for multiple sources• Need for interoperability• How to solve?

– Standards– Specifications– …

• Consider what effect the Java Card introduction did to the smart card market

Summary

• Smart ID Cards can improve Privacy

• Smart ID Cards incorporating match-on-card biometric card holder verification are the most cost effective, secure identity verification technology

• Biometrics go hand in hand with Smart Cards.

Thank You