This brief for the Brits
AATD
GlobalPlatform Business Seminar, Toronto, August 21, 2002
DoD Common Access Card
From Smart Card to Identity Management
Dr. Robert van Spyk, Senior DMDC Consortium Research Fellow
Bill Boggess, Chief, Access & Authentication Technology Division, DMDC
Topics
1. Context: Challenges Met
2. Learnings: Challenges Ahead
3. Paradigm Shift: from Smart Card to Identity Management
Context: Challenges Met
Common Access Card
November 10, 1999 MEMO FROM: Dr. John Hamre (Deputy Secretary of Defense)
Create a Common Access Card
The Decision
• I.D. card for:
  – Active military
  – Selected Reserves
  – DoD civilians
  – “Inside the wall” contractors
• Physical and logical access
  – Authentication keys
• Military ID card infrastructure
Card Architecture Goals
Goals
• Security
• Multi-application
• Multiple vendors
• Interoperability
• Post issuance
• Best commercial practices
• COTS
• Cost effective
Requirements
• Java 2.1
• GlobalPlatform
RESULTED IN
• Interoperability Specification (BSI)
• 32K EEPROM
• FIPS 140-1 Level 2 Certification
The Business Problem
What are DEERS and RAPIDS?
Independent but closely coupled established systems which provide eligibility information for DoD benefits
DEERS
• Defense Enrollment Eligibility Reporting System
• Database with 23 million records providing:
  – Accurate and timely information on all eligible uniformed service members (active, reserve, retired), their families and DoD civilians
  – Detailed information on DoD benefit program eligibility
RAPIDS
• Real-time Automated Personnel Identification System
• Application that produces the ID card
  – Automated ID card system for military, retirees and their families
  – Joint, total force, multi-national and worldwide
DEERS Population
DMDC Person Repository: DEERS size
Sponsors (Active, Reserves, Retired, Civil Servants):   8,467,411
Previous Sponsors (Separatees with MGIB):               4,000,000
Family Members:                                        10,695,181
Total:                                                 23,162,592
Where Are We Today
• 883 Workstations in 466 Locations
• 787,456 Cards issued as of 30 June (current trend issuing around 7,000 cards per day)
Toward the Million Mark
[Chart: CACs issued as of 30 June, 787,456 total, broken down by U.S. Navy, U.S. Army, U.S. Marine Corps, U.S. Air Force, U.S. Coast Guard, DoD Agencies and Other; slice values shown on the chart: 303,017; 217,493; 137,899; 90,993; 23,037; 9,373; 5,644]
Infrastructure
DEERS/RAPIDS is a Person Based DoD Benefit Delivery System
• DEERS: over 25,000 users throughout DoD
• RAPIDS: 1,318 workstations at 878 sites in 13 countries
OVER 1.5 MILLION TRANSACTIONS A DAY
ARMY, NAVY, AIR FORCE, MARINE CORPS, COAST GUARD, NOAA, PUBLIC HEALTH
Learnings: Challenges Ahead
Technology Adoption
[Chart: percentage adoption versus years after invention (0 to 120 years) for Electricity (1873), Telephone (1876), Automobile (1886), Radio (1905), PC (1975), Internet (1975), Smartcard (1980) and Cell Phone (1983)]
Learnings
1. The card is the tip of the application and IT infrastructure iceberg
2. Standards mandatory for interoperability
3. Introduction is not the same as adoption
4. The card is about identity
1. Network Infrastructure
• CA access is critical for CRL and issuance
• Network performance impacted by several layers of security
• Workstations converted to Win2K and Active Directory for integrated management: legacy systems problematic (e.g. Y2K conversion)
• TNG and other tools for monitoring
PKI Enabling Non-Trivial
• Legacy applications and OS versions
• Some work: Outlook 2000, Netscape, IE, but only in latest versions
• Requires extensive user training
• Requires local CA for single login application
• Multiple dependencies across network with server security and S/MIME, SSL, SSH, Kerberos, etc.
2. Standards
Made great progress with standards:
• GP version 2.01 and Compliance Testing
• GSC-IS version 2.0 published July 2002 includes
  – Card Edge Interface (CEI)
  – Basic Services Interface (BSI)
  – Extended Services Interface (XSI)
• Java 2.1 version but with proprietary implementations
Interoperability Elusive
• No middleware agreement, hence continued dependence on vendor specific software for accessing containers
• Standards options lead to incompatible implementations
• FIPS and other certifications costly
Interoperability Solutions
The DoD Strategy
• Embrace standards where they exist and stretch requirements so that standards work for the application. Examples: PKCS#11, PC/SC
• Adopt industry best practices as de facto standards. Examples: GlobalPlatform, Java Card
• Publish specifications and distribute freely. Example: the card edge specifications for our applets were published
• Develop interfaces that are provided to anyone interested in developing or adapting applications to work with our card system. Example: Basic Services Interface (BSI)
3. Adoption
• Security alone not compelling to most
• Requires customer awareness and marketing; DoD has a younger demographic
• Quality of life enhancement
• Multi-purpose
Paradigm Shift: from Smart Card to Identity Management
4. Paradigm Shift: Identity Management
To know, unequivocally, the identity and privileges of an object (person or device) in real time.
Case for a New Paradigm
Credit card industry has long recognized the issue:
• 1960’s - The card looks good - use the embosser
• 1970’s - I need to get authorization for this purchase - central system verification
• Present - all transactions authenticated, network based, always-on connection to central system
Physical access today is still at the 1960’s stage: it looks like a good card.
Case for a New Paradigm
Lots of Cards …
Lots of credit/debit cards …
• Different PINs, different procedures
• Different acceptance and capabilities
Lots of ID cards …
• Different trust and authentication levels
• Visual evidence of your authorizations, memberships, affiliation
The Vision
One Card, or a few cards
[Sample card image: Armed Forces of the United States, Geneva Conventions Identification Card; Parker IV, Christopher J.; Rank LTCOL, Marine Corps, Active Duty; Pay Grade O5; Issue Date 1999SEP03; Expiration Date 2003SEP01]
• Integrated identity solution
• Based on strong authentication
• Incorporating biometrics
• Able to perform multiple functions
Components for Success
What are the components of a strong system?
• Chain of trust in the identity end to end - key role for biometrics
• Independent verification wherever and whenever possible - authoritative confirming records
• Single identity repository that reconciles alternative views of the identity - person id services
• Multi-factor authentication at boundaries - the more the better
• Secure solutions for both the token/card and the central system - especially the biostore
Components for Success
1. Enrollment Process: RAPIDS - face to face and biometric identification for ENROLLMENT
2. Unique & Persistent Identity Info: DEERS - maintain DoD-wide IDENTITY
3. Third-Party Trust: CERTIFICATE AUTHORITY - store digital certificates for AUTHENTICATION
Components for Success
Chain of Trust
Where we are going in DoD … role of biometrics
• Initial capture at application for military service - digital prints to FBI and to DMDC biostore - records check, face to face authentication, National Agency Check
• Entry onto military service - stored biometric checked against live scan before initial ID card issued
• Periodically - member biometrically authenticated on ID card
• Reissue - every three years
• Physical access systems - multi-factor authentication including a biometric in high security areas or under high threat conditions
Biometrics Issues
Future Directions for CAC
• Biometric match on card used instead of PIN
• Biometrics used as an access control process for using applets on the card. This will be for both on-card and off-card matching scenarios and will be vendor neutral
More work has to be done to protect biometric stores.
Summary
Path Forward
• Increased emphasis on standards as prerequisite to interoperability and hence market share
• DoD focus on Identity
• IT infrastructure transformation exceeds Y2K effort
• It is not the technology: it is the customer’s quality of life
Contact
Dr. Robert van Spyk, [email protected], 831-583-2500 ext. 5576
Bill Boggess, [email protected], 831-583-4170
Additional Slides
Middleware stacks (two columns on the slide, listed top-down)

Native smart card stack:
Application
Card Issuer Specific Middleware (APDU; ISO 7816-4; file system ISO 7816-5 API; vendor extensions: crypto, file system)
APDU
DATA (PKCS#15)
Native Smartcard: hierarchical file system, Card OS (proprietary), smart chip hardware

Interoperable (GlobalPlatform / Java Card) stack:
Application
Generic Middleware (BSI/XSI API; Card Edge API)
APDU
GlobalPlatform 2.01 Card Manager, Application Loader & Manager
API
Java Card JCRE 2.1.1 Virtual Machine API
Interoperable Directory Structure
Directory structure points at credentials and other objects; each container can store several objects.
CCC (Card Info Container)
  App Directory Container
    App Container -> Authentication Object
    App Container -> Data Object
    App Container -> Key Object
    App Container -> Cert Object
Applet -> DATA
Applet -> DATA