Match On Card Technology and its use for PKI
Mgr. Miroslav Valeš, Sales Manager Eastern Europe
May 9, 2001
CATE 2001 - Security and Protection of Information
Slide 2: Presentation Outline
• The problem of adding biometrics to smartcards
• How Match On Card (MOC) solves it
  • The potential impact of MOC
  • MOC specifications
  • MOC in PKI applications
• Alternatives to MOC
• Summary and conclusions
Slide 3: The Problem of Adding Biometrics to Smartcards
• Biometric data cannot be kept private: the enrolled template has to be read out of the card to the PC for every comparison
• The PC is not secure, yet it is the PC that performs the match
• A PIN is still necessary to unlock the card
• There is no way to add stronger security than the PIN
[Diagram: conventional system. Smart card (Operating System, Private ROM Data, Readable Public Data holding the Enrolled Biometric Data) connected through a SC Reader to the Host PC running FP Processing SW; the enrolled FP template is read out to the PC and the Match Y/N decision is made there.]
Slide 4: Fingerprint Background
• Scan the raw image
• Locate the minutiae
• Store a template describing the geometric relationship between the minutia points
• Minutiae data are unique to the finger and are the standard for fingerprint processing
Slide 5: Recognition Technology: Minutiae Detection
Minutia types: bifurcation, ridge ending
• Two different fingers share no more than 7 matching minutiae
• A usual fingerprint has around 30-40 minutiae
• Comparison is based on the relative position of the minutiae
• The comparison tolerates rotation and translation of the print
• A 2.5 KB template is created (50 bytes per minutia)
Slide 6: MOC System Using a PC
• The template generated on the PC is matched on the card
• The enrolled fingerprint template never leaves the smart card; only the live template goes in and only the match decision comes out
• The card is not unlocked unless the finger matches
• Can be a PIN supplement or replacement
• Still need to trust the reader or PC (a compromised PC could send in a template it did not derive from the live finger)
[Diagram: Host PC with FP Processing SW connected through a SC Reader to the Smart Card (MOC Operating System, Private ROM Data, Private FLASH Data holding the Enrolled Biometric Data); the FP template flows from the PC into the card, where the match is performed.]
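The relative-position minutiae comparison from slide 5 and the PC/card split on this slide, as an added Python illustration. This is not the vendor's 8-bit C implementation or its template format: the pairing tolerances, the accept threshold and the synthetic fingerprints are constructed for the example, and a live scan is simulated as the enrolled print rotated, shifted, noised and with some minutiae missed.

```python
"""Match On Card, host/card split: the PC extracts minutiae, the card matches.

Added example, not the vendor's 8-bit C implementation. Thresholds, tolerances
and the synthetic fingerprints below are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass

DIST_TOL = 8.0                    # px; hypothetical pairing tolerance
ANGLE_TOL = math.radians(15)      # hypothetical ridge-direction tolerance
MATCH_THRESHOLD = 12              # accept at >= 12 pairs: comfortably above the 7
                                  # that two different fingers can share (slide 5)

@dataclass(frozen=True)
class Minutia:
    x: float
    y: float
    theta: float   # ridge direction, radians
    kind: int      # 0 = ridge ending, 1 = bifurcation

def transform(m, dx, dy, rot):
    """Rotate m by rot about the origin, then translate by (dx, dy)."""
    c, s = math.cos(rot), math.sin(rot)
    return Minutia(c * m.x - s * m.y + dx, s * m.x + c * m.y + dy,
                   (m.theta + rot) % (2 * math.pi), m.kind)

def angle_diff(a, b):
    d = abs(a - b) % (2 * math.pi)
    return min(d, 2 * math.pi - d)

def count_pairs(ref, cand, dx, dy, rot):
    """One-to-one pairs of (reference, aligned candidate) minutiae within tolerance."""
    used, n = set(), 0
    for m in cand:
        t = transform(m, dx, dy, rot)
        for i, r in enumerate(ref):
            if i in used or r.kind != t.kind:
                continue
            if (math.hypot(r.x - t.x, r.y - t.y) <= DIST_TOL
                    and angle_diff(r.theta, t.theta) <= ANGLE_TOL):
                used.add(i)
                n += 1
                break
    return n

def match_score(ref, cand):
    """Relative-position matching tolerant of rotation and translation: every
    (ref, cand) minutia pair of the same kind hypothesises an alignment that maps
    cand onto ref; the best pair count over all hypotheses is the score."""
    best = 0
    for r in ref:
        for c in cand:
            if r.kind != c.kind:
                continue
            rot = r.theta - c.theta
            cr = transform(c, 0.0, 0.0, rot)
            best = max(best, count_pairs(ref, cand, r.x - cr.x, r.y - cr.y, rot))
    return best

class MocCard:
    """Card side. The enrolled template lives in private FLASH with no read
    command; the only thing that leaves the card is the match decision."""
    def __init__(self, enrolled):
        self._enrolled = list(enrolled)
        self.unlocked = False

    def verify(self, live_template):
        self.unlocked = match_score(self._enrolled, live_template) >= MATCH_THRESHOLD
        return self.unlocked

# --- constructed data for a stand-alone run --------------------------------
def synthetic_finger(seed, n=35):
    """Constructed 'finger': random minutiae in a 256x256 image (slide 5: 30-40 per print)."""
    rng = random.Random(seed)
    return [Minutia(rng.uniform(0, 256), rng.uniform(0, 256),
                    rng.uniform(0, 2 * math.pi), rng.randint(0, 1)) for _ in range(n)]

def live_scan(template, seed=1):
    """Same finger presented again: rotated 20 deg, shifted, slightly noisy, some minutiae missed."""
    rng = random.Random(seed)
    rot, dx, dy = math.radians(20), 12.0, -7.0
    out = []
    for m in template:
        if rng.random() < 0.15:          # minutia not found in this scan
            continue
        t = transform(m, dx, dy, rot)
        out.append(Minutia(t.x + rng.uniform(-1.5, 1.5), t.y + rng.uniform(-1.5, 1.5),
                           t.theta + rng.uniform(-0.02, 0.02), t.kind))
    return out

if __name__ == "__main__":
    enrolled = synthetic_finger(42)                  # written to the card at enrolment
    card = MocCard(enrolled)
    print("owner:", card.verify(live_scan(enrolled)))                  # True
    print("impostor:", MocCard(enrolled).verify(synthetic_finger(7)))  # False
```

The alignment search is what makes the comparison rotation- and translation-invariant: nothing in the template is absolute, only the relative geometry of the minutiae. Note that `MocCard` exposes `verify` and `unlocked` and nothing else; a PC that asks for the enrolled template gets no answer, which is the privacy property the slide claims.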
Slide 7: The Potential Impact of MOC
• Smart cards become easier to use (PIN replacement)
• Finally a way to securely tie the card to its owner
• User privacy is protected: the enrolled biometric data never leaves the card
Slide 8: MOC Specifications
• Software program running on the smartcard, designed for 8-bit low-cost smart cards
  • 120 lines of C code
  • Object code < 2 KB
  • RAM < 64 bytes
• Verification time
  • 0.5 s per successful match
  • 2 s per unsuccessful match
• Templates use about 2.5 KB per finger
• Uses non-proprietary input features (minutiae)
Slide 9: Standalone MOC System
• Fingerprint processing moves out of the PC: the FP sensor and the FP processing firmware sit in a combined "smart" SC & FP reader, so the host PC no longer handles fingerprint data
• The reader delivers a signed FP template to the card after a challenge/response exchange; the match itself still runs on the card
[Diagram: Host PC, "Smart" SC & FP Reader (FP Processing Firmware) and Smart Card (MOC Operating System, Private ROM Data, Private FLASH Data holding the Enrolled Biometric Data); the reader and the card exchange a Challenge/Response and the reader sends a Signed FP template into the card.]
Slide 10: MOC in PKI Applications: PKI + Smartcards + Biometrics
• The fingerprint is used to authorize operations with the user's private key
• The smartcard securely stores:
  • the user's digital certificates
  • the associated private keys
• The biometric match establishes who is using the smartcard
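The standalone reader from slide 9 (challenge/response, signed template) together with the private-key gating on this slide, as an added Python illustration; this is not the vendor's protocol. Assumed for the example: the reader authenticates each template with an HMAC-SHA256 key shared with the card (the slides only say the template is signed), a toy 7-byte minutia record instead of the 50-byte one, a textbook-size RSA key pair on the card, and constructed minutiae for the owner and an impostor; the reader is assumed to deliver minutiae already aligned to the enrolled frame, so the card only counts close pairs.

```python
"""Standalone MOC reader with challenge/response, gating a PKI private-key operation.

Added example; not the vendor's protocol. Assumed: reader and card share a
symmetric key used to HMAC the template (the slide only says "signed"), and the
card holds a toy RSA key pair whose private exponent never leaves it.
"""
import hashlib
import hmac
import os
import struct

READER_KEY = b"\x2a" * 16        # constructed reader key; provisioned per reader in practice
MINUTIA_FMT = "<HHHB"            # x, y, angle in degrees, kind: toy 7-byte record (slide: 50 bytes)
MATCH_THRESHOLD = 12             # hypothetical accept threshold, above the 7 two fingers can share
POS_TOL, ANGLE_TOL = 6, 15
TOY_RSA = (3233, 2753, 17)       # (n, d, e): textbook p=61, q=53 key, for illustration only

def pack_template(minutiae):
    return b"".join(struct.pack(MINUTIA_FMT, *m) for m in minutiae)

def unpack_template(blob):
    size = struct.calcsize(MINUTIA_FMT)
    return [struct.unpack(MINUTIA_FMT, blob[i:i + size]) for i in range(0, len(blob), size)]

def count_matches(enrolled, live):
    """Minutiae already aligned by the reader firmware; count one-to-one close pairs."""
    used, n = set(), 0
    for x, y, a, k in live:
        for i, (ex, ey, ea, ek) in enumerate(enrolled):
            da = abs(a - ea) % 360
            if (i not in used and k == ek and abs(x - ex) <= POS_TOL
                    and abs(y - ey) <= POS_TOL and min(da, 360 - da) <= ANGLE_TOL):
                used.add(i)
                n += 1
                break
    return n

def _digest_int(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def rsa_verify(message, sig, n, e):
    """Public-key check of a signature produced by MocCard.sign."""
    return pow(sig, e, n) == _digest_int(message, n)

class MocCard:
    def __init__(self, enrolled_minutiae, rsa_key=TOY_RSA):
        self._enrolled = list(enrolled_minutiae)   # private FLASH: no read command
        self.n, self._d, self.e = rsa_key            # d never leaves the card
        self._nonce = None
        self.unlocked = False

    def challenge(self):
        """Fresh single-use nonce, so a captured signed template cannot be replayed."""
        self._nonce = os.urandom(8)
        return self._nonce

    def verify(self, nonce, template_blob, mac):
        if self._nonce is None or not hmac.compare_digest(nonce, self._nonce):
            return False                             # stale or unsolicited response
        self._nonce = None                           # consumed whether or not the rest succeeds
        expected = hmac.new(READER_KEY, nonce + template_blob, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False                             # not from an authentic reader
        live = unpack_template(template_blob)
        self.unlocked = count_matches(self._enrolled, live) >= MATCH_THRESHOLD
        return self.unlocked

    def sign(self, message):
        """Private-key operation authorised by the fingerprint match, not by a PIN."""
        if not self.unlocked:
            raise PermissionError("card locked: no fingerprint match on this card")
        return pow(_digest_int(message, self.n), self._d, self.n)

class Reader:
    """'Smart' SC & FP reader: the sensor and extraction firmware live here."""
    def __init__(self, key=READER_KEY):
        self._key = key

    def present(self, card, live_minutiae):
        nonce = card.challenge()
        blob = pack_template(live_minutiae)
        mac = hmac.new(self._key, nonce + blob, hashlib.sha256).digest()
        return card.verify(nonce, blob, mac), (nonce, blob, mac)   # response kept for the replay demo

# constructed minutiae: enrolled print, a genuine re-presentation, a different finger
ENROLLED = [(40 + 7 * i, 30 + 11 * (i % 9), (23 * i) % 360, i % 2) for i in range(20)]
GENUINE = [(x + 2, y - 1, (a + 3) % 360, k) for x, y, a, k in ENROLLED]
IMPOSTOR = [(x + 31, y + 17, (a + 90) % 360, 1 - k) for x, y, a, k in ENROLLED]

if __name__ == "__main__":
    card, reader = MocCard(ENROLLED), Reader()
    ok, captured = reader.present(card, GENUINE)
    sig = card.sign(b"document to sign")
    print("genuine:", ok, "signature valid:", rsa_verify(b"document to sign", sig, card.n, card.e))
    replay = MocCard(ENROLLED)
    replay.challenge()
    print("replayed response:", replay.verify(*captured))   # False: nonce differs
    print("impostor:", Reader().present(MocCard(ENROLLED), IMPOSTOR)[0])
```

Two details carry the security argument. The nonce is cleared before the MAC is checked, so an attacker who captured an earlier reader response cannot replay it against the same card; and the MAC covers the nonce together with the template, so a fresh nonce cannot be combined with an old signed template either. The private exponent is reachable only through `sign`, which refuses until `verify` has succeeded, which is the "fingerprint authorizes operations with the private key" flow of this slide.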
Slide 11: Alternatives to MOC
• PIN only (current systems)
  • Benefit: the status quo costs nothing to implement
  • Drawbacks: cannot tie the user to the card; does not provide strong security
• Process-On-Card (PROC)
• Everything-On-Card (EVOC)
Slide 12: Alternative to MOC: PROC
• Process-On-Card: all fingerprint software, including image processing, runs on the card
• Signed FP images are sent into the card from the reader
• Higher cost (likely needs a 16- or 32-bit card to work reliably)
• Not much more secure than MOC: the card still has to accept signed biometric data from the reader
Slide 13: Alternative to MOC: EVOC
• Everything-On-Card: the sensor and all FP software are on the card
• Very secure but very expensive
• All sorts of production issues
  • Smartcard durability, flexibility, etc.
Slide 14: Summary and Conclusions
• MOC is the first secure way of adding fingerprint security to smart cards
• MOC can replace or supplement the PIN
• MOC puts the card's encryption capabilities and PKI behind the biometric check
• Thanks to that encryption support, biometrics can now be integrated into complex security applications: file encryption, digital signatures, remote authentication, VPNs, ...