Comapny presentation
Download
Report
Transcript Comapny presentation
Integrated Solutions for Secure Identity
Técnicas ctiptográficas para la Protección de
Datos Biométricos en el E-Passport / E-DNI
Dr. Yuri Grigorenko
Nov 07’
f-ID Security Technologies GmbH
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About US
Basic Cryptography
PKI & ePassports Best Practices
Contact US
In an Nutshell
Services
•
is a security consultancy company and OEM solution
provider specializing in the field of identity management
•
is based on a managing team of IT veterans with a
combined experience of over 30 years in the smart card business
and information security sector
•
provides a wide portfolio of consulting services and
integrated solutions in the field of identity security for governments
worldwide
f-ID Security Technologies GmbH
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About US
Basic Cryptography
PKI & ePassports Best Practices
Contact US
In an Nutshell
Services
• We focus on the combination of Identity Management with IT Security Technologies
Smart Cards
Public Key Infrastructure
Hardware Security Modules
• Our services include:
Threat analysis
Technological gaps identification
Available products survey and QA
Provision of tailored technological solutions
Second-tier technical support
Training program
f-ID Security Technologies GmbH
s
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About Us
Basic Cryptography
PKI & ePassports Best Practices
Contact US
Encryption
Symmetric
Basics
vs. Asymmetric
Hash
Encryption
Functions
Signing
Process
Digital
Process
Signature
Trust Models
Certificates
• Encrypting a message is like
locking your house
• An encryption algorithm ~ Lock
mechanism
• An encryption key ~ Lock key /
combination
f-ID Security Technologies GmbH
Lock
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About US
Basic Cryptography
PKI & ePassports Best Practices
Contact US
Encryption
Symmetric
Basics
vs. Asymmetric
Hash
Encryption
Functions
Signing
Process
Digital
Process
Signature
Trust Models
Certificates
• A riddle:
How do two people lock a
room without sharing the
secret code?
•A hint: skcol owt esU !
•Symmetric - same key
•Asymmetric - public and private
keys
f-ID Security Technologies GmbH
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About US
Basic Cryptography
PKI & ePassports Best Practices
Contact US
Encryption
Symmetric
Basics
vs. Asymmetric
HashEncryption
Functions
Signing
Process
Digital
Process
Signature
Trust Models
Certificates
A function that digests the message and
provides a unique (and short)
representation
•Irreversible
•Public algorithms
Yuri
To: Marcel
CC: Yuri
From: Yuri
This is the
original message
f-ID Security Technologies GmbH
Hash
Marcel
To: Marcel
CC: Yuri
From: Yuri
This is the
original message
---------------------ADS#$#$%3ffr4
Hash
?
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About US
Basic Cryptography
PKI & ePassports Best Practices
Contact US
Encryption
Symmetric
Basics
vs. Asymmetric
Hash
Encryption
Functions
Signing
Process
Digital
Process
Signature
Trust Models
Certificates
• Symmetric / Asymmetric
• Confidentiality
Yuri
To: Marcel
CC: Yuri
From: Yuri
This is a secret
message
f-ID Security Technologies GmbH
Marcel
Marcel’s public
key
Encryption
Same mutual
key
To: Marcel
CC: Yuri
From: Yuri
SDF#$%8SDFD
21#$ADF#@$4D
Marcel’s
private key
Decryption
Same mutual
key
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About US
Basic Cryptography
PKI & ePassports Best Practices
Contact US
Encryption
Symmetric
Basics
vs. Asymmetric
Hash
Encryption
Functions
Signing
Process
Digital
Process
Signature
Trust Models
Certificates
•Asymmetric
•Authenticity
Yuri
To: Marcel
CC: Yuri
From: Yuri
This is an
authenticated
message
f-ID Security Technologies GmbH
Marcel
Yuri’s private key
Encryption
To: Marcel
CC: Yuri
From: Yuri
SDF#$%8SDFD
21#$ADF#@$4D
Decryption
Yuri’s public
key
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About US
Basic Cryptography
PKI & ePassports Best Practices
Contact US
Encryption
Symmetric
Basics
vs. Asymmetric
Hash
Encryption
Functions
Signing
Process
Digital
Process
Signature
Trust Models
Certificates
Yuri
To: Marcel
CC: Yuri
From: Yuri
This is a
signed message
Hash
AD4543$%DF
Encryption
Yuri’s private key
f-ID Security Technologies GmbH
To: Marcel
CC: Yuri
From: Yuri
This is a
signed message
----------------------SDF#$%8SDFD
Marcel
Hash
AD4543$%DF
Decryption
?
AD4543$%DF
Yuri’s public
key
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About US
Basic Cryptography
PKI & ePassports Best Practices
Contact US
Encryption
Symmetric
Basics
vs. Asymmetric
Hash
Encryption
Functions
Signing
Process
Digital
Process
Signature
Trust Models
Certificates
•Q: How does Marcel know that Yuri’s (Kpu,Kpr)
wasn’t forged ?
To: Marcel
CC: Yuri
From: Yuri
This is a
signed message
----------------------SDF#$%8SDFD
•A: It has to be digitally signed by someone Marcel
trusts (TTP)!
Hash
GR%3HJT$6
Yuri
Encrypt with
trusted party
Kpr
f-ID Security Technologies GmbH
Yuri’s public key
Kpu = 0xff132483ab98
-----------------------------FFK$#%5534FSAB
Hash
?
Marcel
Decrypt with
trusted party Kpu
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About US
Basic Cryptography
PKI & ePassports Best Practices
Contact US
Encryption
Symmetric
Basics
vs. Asymmetric
Hash
Encryption
Functions
Signing
Process
Digital
Process
Signature
Trust Models
Certificates
Yuri’s public key
Kpu = 0xff132483ab98
additional information
Issuer, Validity, privileges…
-----------------------------Hash signed by a
FFK$#%5534FSAB
trusted party
f-ID Security Technologies GmbH
•X.509 Certificate
Standard
•Card Verifiable
Certificates
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About Us
Basic Cryptography
PKI & ePassports Best Practices
Contact US
General
Logical Data
Passive
Structure
Authentication
PABasic
TrustAccess
Levels
Extended
Control
Access
Active Authentication
Control
What should we protect?
• Authenticity of personal data
• Privacy of personal and biometric data
• Passport uniqueness
• An ICAO TAG/MRTD recomendation
f-ID Security Technologies GmbH
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About Us
Basic Cryptography
PKI & ePassports Best Practices
Contact US
General
LogicalPassive
Data Structure
Authentication
PABasic
Trust
Extended
Access
Levels Control
Access
Active Authentication
Control
LDS
Logical Data Structure:
• Mandatory - personal
details, face picture, digital
signature.
• Optional - Fingerprint, iris,
signature picture…
Data group 1 (MRZ)
Data group 2 (Encoded Face)
Data group 3 (Encoded Finger)
Data group 4 (Encoded IRIS)
Data group 5 (Displayed Face)
Data group 6 (Future Use)
Data group 7-15
Data group 16 (Persons to notify)
f-ID Security Technologies GmbH
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About Us
Basic Cryptography
PKI & ePassports Best Practices
Contact US
General
LogicalPassive
Data Structure
Authentication
PA
Basic
Trust
Extended
Access
LevelsControl
Access
Active Authentication
Control
LDS
SOD
Data group 1 (MRZ)
Hash DG_1
Data group 2 (Encoded Face)
Hash DG_2
Data group 3 (Encoded Finger)
Hash DG_5
Data group 4 (Encoded IRIS)
Digital Signature
Only issuer
could have
signed this
passport!
Data group 5 (Displayed Face)
Data group 6 (Future Use)
• Protects against data alternation:
Data group 7-15
• Personal data
Data group 16 (Persons to notify)
• Hash values
f-ID Security Technologies GmbH
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About Us
Basic Cryptography
PKI & ePassports Best Practices
Contact US
General
PassiveLogical
Authentication
Data
PA Structure
Trust
BasicLevels
Extended
Access Control
Access
Active Authentication
Control
DSCA Environments
CSCA Environment
CA
managemen
t software
HSM
2 level PKI
Backup
HSM
Personalization
equipment
f-ID Security Technologies GmbH
Document
Signer
Software
ePassport
Management
System
HSM
Backup
HSM
DB
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About Us
Basic Cryptography
PKI & ePassports Best Practices
Contact US
General
LogicalPassive
Data Structure
PA
Authentication
TrustBasic
Levels
Extended
Access Control
Access
Active Authentication
Control
Who can read my personal and biometric data?
• Skimming - secretly reading the data from small distance
• Eavesdropping - passive observation of “legal” communication
Solution: If I can see your passport - I am allowed to read it!
• Establishment of a symmetric encryption key based on the optically
readable MRZ, thus encrypting the connection between the passport
and the reader
P<D<< GRIGORENKO<YURI<<<<
123456D<<123M01011975<<<<<0
f-ID Security Technologies GmbH
Hash
Symmetric key
establishment
ENCRYPTION
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About Us
Basic Cryptography
PKI & ePassports Best Practices
Contact US
General
Logical Passive
Data Structure
Authentication
PA TrustBasic
Levels
Extended
Access Control
Access
Active Authentication
Control
• Only a face picture is a mandatory biometric data!
• Additional biometric data must be protected from unauthorized access
• Number of possible cryptographic solutions:
• Data encryption using dedicated Master Key(s), as well as additional
information (such as MRZ details)
• Inspection system authorization, introducing additional PKI scheme (CVCA,
DVCA, IS). A reader must be digitally verified in order to read sensitive data from
the passport
• Issuing country is always in control: sharing of secret keys, signing certificates…
f-ID Security Technologies GmbH
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About Us
Basic Cryptography
PKI & ePassports Best Practices
Contact US
General
LogicalPassive
Data Structure
PA
Authentication
TrustBasic
Levels
Access
Extended
Control
Active
Access
Authentication
Control
LDS
SOD
Data group 1 (MRZ)
Hash DG_1
Data group 2 (Encoded Face)
Hash DG_2
Data group 3 (Encoded Finger)
Hash DG_5
Data group 4 (Encoded IRIS)
Hash DG_15
Data group 5 (Displayed Face)
Digital Signature
Data group 6 (Future Use)
Data group 7-14
AA Private Key
• Protects against data coping:
Data group 15 (AA Public Key)
•AA private key is secretly stored on
chip and is unreadable
Data group 16 (Persons to notify)
•A challenge-response protocol
f-ID Security Technologies GmbH
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About Us
Basic Cryptography
PKI & ePassports Best Practices
Contact US
Best Practices
Questions
•Modern cryptographic techniques, e.g. PKI provide the suitable
framework for protection of sensitive biometrical data
•Deployment of a Public Key Infrastructure, being a highly complicated
issue combining delicate technological aspects, requires unique
specialization
•Being the heart part of your e-passport security, it is highly recommended
to treat the Public Key Infrastructure separately from the deployment of
the passport production system
•We offer our clients an integrated PKI solutions to fit their passport
production process
f-ID Security Technologies GmbH
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About Us
Basic Cryptography
PKI & ePassports Best Practices
Contact US
Best Practices
Questions
f-ID Security Technologies GmbH
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07
Integrated Solutions for Secure Identity
About Us
Basic Cryptography
PKI & ePassports Best Practices
Contact US
Visit Us:
Rosa Hoffman Strasse 33
A-5020 Salzburg, Austria
www.f-id.at
Call Us:
+43 662 906002054
+43 662 903333054
• E-Mail Us:
[email protected]
f-ID Security Technologies GmbH
Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, 30.11.07