By John Latta, WAVE
Las Vegas, NV
April 12 - 15, 2005
SourceMedia is the producer of CardTechSecurTech and it
is at the center of a rapidly expanding market. These are exciting times
as smart card technology play an increasing role in securing the United
States. The conference fills a valuable role and had many quality presentations
in addition to one of the best exhibits of the technology of smart cards
in the U.S.
Industry statistics presented before the keynote provided
a useful perspective into the industry:
1 billion smart cards were sold in 2004 and 1.4 billion
are expected in 2005.
There was $6b in revenue in 2004 which is up over 20%.
The major application of smart cards is the SIM card
in cellular phones in the GSM network.
2 major ID projects are the U.S. Government ID card
and the China national ID card with a contactless chip.
Terrorism, Security and Identity
Richard Clarke, the former Counterterrorism Czar, tied
together the current security situation in the U.S. and closed with what
the secure card industry can do to help. It was one of the most balanced
arguments on these issues we have heard.
Al-Qaeda as a terrorist network has largely been dismantled.
But we should not be lulled into a false sense of confidence because
14 related organizations with membership of 400 pose a serious threat
to the United States.
As we saw in the Madrid bombing, Al-Qaeda is increasingly
relying on connections with criminals to fund their operations.
Identity theft, fraudulent ID and fraud, in general,
are frequently used by terrorists. Thus, it is important that we do
what is possible to limit this opportunity. (Richard encouraged the
audience to read the 9/11 Commission Report.)
One of the problems is that government-issued ID’s
are easily faked. I got a fake drivers license for $40 and the Social
Security Cards have no security. Thus, it is phony to think that we
have secure IDs.
By improving our identity security, we can do much to
secure the U.S. But in the U.S. we have a problem and it goes to our
roots. We fear big government. Individuals do not like the impacts
of 9/11 and they fear their loss of privacy.
Europe and U.S. have different views of privacy. In
Europe there is an opt-in model where a company cannot collect information
on you unless one permits it. While in the U.S. there is not even an
opt-out option from personal data collection. Many of these recent
issues have been highlighted in the recent thefts of personal information,
such as credit histories.
There is a key point that is not getting across to the
public. By improving identity security this will do much to enhance
personal security and privacy. It will be much harder to commit ID
theft. The bottom line is that greater personal identity security is
not about the invasion of privacy but the how to better protect it.
There needs to be a clear massage: we can enable better
privacy protection. For example, Bill 1386 in California requires that
the loss of identity information be notified promptly to those affected.
This should be support and it should be a federal law. The FTC needs
to play a stronger role against ID theft.
There should be standards on the protection of personal
data, and the implementation of these should be independently audited.
Privacy and security are not opposing forces but these
can work together.
The secure card industry is in a strong position to
implement technology which will better protect privacy.
Homeland Security Presidential Directive (HSPD) 12
A whole track was devoted to this. We summarize key points
which came from many speakers.
In August 2004, the President signed a directive that
there be a common ID throughout the government.
In February 2005, FIPS 201 was released which describes
both how common ID will be accomplished and how the identity will be
managed to allow the card holders to have interoperable physical and
logical access. These are central elements to a Personal Identity Verification
The timeline is aggressive:
Agencies will have plans to implement by 6/05
Implementation will start with the vetting process
Biometrics are a part of the card. One of the outstanding
issues is the storage of the fingerprint data on the card. An image
is currently the only feasible option but this consumes processing
power and memory space and makes the card harder to implement. Minutea
is a better alternative but the specification for this and its testing
will not be complete until 2006. This puts the schedule at risk. Thus,
and executive decision is required to implement the current cards either
with the timeline or with a delay.
The implementation of FIPS 201 is a major challenge
to the integrator. One of the reasons is that the system must cross
many systems in operation today – legacy support is important.
One speaker referred to the integrator task in terms of sheer complexity.
One of the data locations on the card, CHUID, has the
prospect of embedding an IPv6 address. Thus, every card could have
its own unique IP address, and thus, accessible over the net.
The card and biometrics provide at least 2 factor authentication.
In this era of ID Theft and other frauds, it was counseled that the
principle should be “Defense in Depth.” That is, no one
tool provides adequate defense.
The intent of FIPS 201 is to combine both physical and
logical security. But when the WAVE asked how will the logical security
be implemented to minimize unauthorized system use, the answer was
foggy. For example, when one uses a FIPS 201 ID for computer access,
the card is entered into a reader. The user enters a PIN to gain access
to the system. The card has PKI encryption on it. For the present no
fingerprint reading is planned.
Given that it will be possible to access government
computers in areas which have no physical access security, how is logical
security assured? Basically they have yet to work out the scenarios
which will support FIPS 201. The WAVE stated: If one has the card and
PIN, anyone can log onto the computer. When asked about biometrics,
the response was – there is not the infrastructure on computers
to support fingerprint reading. Using biometrics would allow for 3
Passwords are not considered a safe means to protect
The WAVE also asked – If the RealID Act is implemented,
will FIPS 201 and the experience gained from this likely be a prototype
for a much larger public implementation? No doubt was left on this.
In fact, the IAB, Government Smart Card Interagency Advisory Board,
is now taking on members from outside the federal government. State
governments are also joining.
Biometrics is Growing – What does this mean?
Raj Nanavati, Partner, the International Biometric Group,
gave a keynote in the Biometrics for Access Security session. He made
a number of interesting points.
The revenue in the Biometric Industry is estimated to
$1.2B – 2004
$1.85B – 2005
$2.64B – 2006
$3.68B – 2007
$4.64B - $2008
Retail, ATM and POS use of Biometrics
2005 - $67.6
2006 - $121.7m
2007 - $194.8
2008 - $243.5m
Financial Sector use of Biometrics
2005 - $159.5m
2006 - $236.4m
2007 - $324.7m
2008 - $405.5m
This does not include revenue for integrators.
The vast majority of the revenue is for AFIS and
$1.14B – 2005
$2.59B - 2008
Important new roll outs of biometrics are happening
in the private sector. The supermarket chain Piggly Wiggly will deploy
a new program in 114 stores for check processing. Lowes Foods has a
similar program with 108 stores.
In the private sector, important challenges lie ahead.
One of the foremost is making a business case for the use of biometrics.
A significant issue, which could impact biometrics on
the regulation front, are the recent problems with data aggregators.
ChoicePoint had problems when it sold personal information to individual’s
intent on committing fraud. This has raised the awareness on personal
data collection and what is done with this information. The recent
Lexis/Nexis stolen information on 310,000 individual’s shows
another example of how the loss of personal data may be much more common.
From these compromises there are indications that Congress
may be willing to legislate greater privacy protections but it is too
early to tell.
The EPIC, Electronic Privacy Information Center, has
sent a letter to the TSA stating that privacy principles should be
incorporated into its biometric standards.
There have been some absurd proposals at the state level
to regulate biometrics.
HIPAA compliance represents an area when biometrics
can be applied. Estimates for the size of the HIPAA compliance market,
beyond just biometrics are very large. These ranged from $42.9B to
One of the continuing problems in biometrics, especially
in fingerprinting, is that there are significant claims that border
on absurd. One vendor claims a FAR of 1 in a million and another states
it has 0% FAR.
White House Speaks on Biometrics
Kevin Hurst, Senior Policy Analyst, White House Office
of Science and Technology, provided an assessment of advances in Biometrics.
There is been a very rapid growth in applications of
biometrics in the government. These include, in addition to many obvious
ones on the list:
Duplicate enrollment recognition
Logical and physical access control
Identified as biometric performance gaps were:
Excessive error rates
Poor ability to find database match
High sensitivity to varying conditions
Each of the biometrics was summarized well:
Facial – 90% accuracy with 1% FAR
Fingerprint – 99% accuracy with .1% FAR
Iris – 97% accuracy with .01% FAR
There are important motivations for biometrics fusion.
These include the potential for reduced error rates, reduced effect
of noise, ability to enroll anyone and raise the barrier for spoofing.
Much remains to be done.
Advances in Facial Recognition
Joseph Atick, President and CEO of identix, gave an overview
of the large biometric programs. In it he described the Department of
State program which identix is implementing with SAIC and IBG. The specification
for the system is that it will have a 41m records which can grow by 8m/year.
Searches must be able to be done at 500/hour and going to 2000/hour.
The system is a build off of blade servers and uses Oracle 9i RAC. One
of the cautions around such a system deployment is the high level of
skills required and the management talents. This also relates back to
the role of the system integrator.
Claims are made on the facial accuracy, which includes
dermal texture, at 90% - 95% with a FAR of 1%. It was noted that not
all of the images in the DoS image data base would be of adequate quality
to support dermal texture. It was also stressed since dermal texture
requires higher resolution on the texture of the skin that the image
quality requirements are very important. When asked by the WAVE what
the spatial frequency requirements were for the imaging, Joseph did not
With all the emphasis on physical and logical security
using biometrics, nothing has been said about the next level – persistence.
That is, the continual monitoring of the individual to assure that once
taken, the relationship between the individual and the biometrics has
not changed. This is of particular importance on access to networks where
an individual can access an open computer. A persistence requirement
would allow for the monitoring of a changed biometric. What facial texture
would provide would be the ease of continual monitoring of the individual
using a means much less intrusive than fingerprints.
Just slapping a fingerprint reader on an enterprise network
does little for the enterprise. There are early signs of sophisticated
software to manage identity.
Enterprise Security System – Software Innovations
Integrates with Radius, LDAP and Active Directory
Digital Network Authorization for Role assignment to any Identity
Life Cycle management
Encryption of pathways for Identity
HiPath Slcurity – Siemens
Authentication using Secure Token, Smart Card and/or
Administration with Metadirectory, provisioning and Web Resource Management
Authorization with Policy enforcement, Secure sessions, and audits
Identity Management is handled with metadirectories and DirX software product
Both packages indicate the level of complexity which is
emerging in the identity management space.
Sharp – Smart Cards to enable embedded Biometrics
The WAVE spoke with Robert Stuart, Product Manager, Optoelectronics
and Smart Card, Sharp Microelectronics of America. Sharp was highlighting
its smart card which is at the top end of capabilities and performance.
This card includes:
Embedded IBM JCOP31 with GP 2.1.1 compliance
Java Card 2.1.1 compliance
Support for multiple cryptographic algorithms
Multiple application support
1MB of Flash memory
Dual Interface – contact and contactless
Contactless transfer to 424kb/s
Contact transfer to 76.8kb/s
16bit embedded microprocessor
As biometrics becomes a part of the smart card, as with
HSPD 12, there are increased demands for memory and processing power.
One is for an embedded biometric, be it a template or image, and the
other for cryptographic support. Because of the superior capabilities
of the Sharp card, they won the epassport contract for Australia. It
is expected that as FIPS 201 matures, cards such as Sharp’s offering
will become mainstream. One of the major advantages of this approach
is that applications can be added and changed on the card. DoD has seen
this in the CAC deployment because of the high mobility of troops between
assignments. Thus, as an individual is TDY, the card can be updated based
on the new responsibilities and access required for the location.
TechCU Application of Biometrics
Certainly the financial sector has much to gain from better
authentication of identity. Yet, this has been slow to roll out, in part,
due to the enormity of the infrastructure that has to be changed. There
are organizations which are driving better authentication and the TechCU
is one experimenting with the technology. This credit union has implemented
a program called MemberID. There is a scanner unit at the branches which
has mag stripe reader, keypad and fingerprint chip. This allows a member
to enter personal data, scan their card or to just use a finger print.
This was begun in 2003 and, with no advertising, it has attracted 8,200
users, nearly 11% of the members. 82% of the target demographics of the
users range from 30 – 59 and 74% are male. Biometrics is felt to
be the security program of the future.
As TechCU looks to the future, they are considering alliances
with merchants to use biometrics and to allow access from home. However,
there are important interoperability issues to be addressed. But more
important, any home solution cannot compromise the security of the system.
It is felt that biometric readers need to be in the $25 range. TechCU
has considered providing the readers to the members if the price is in
this range. One unit considered is the Sony Puppy but the price is too
high at $150.
Keystroke Dynamics as a Biometric
An interesting potential biometric surfaced which uses
typing patterns as a means to uniquely identify an individual. This has
significant implication in a persistent biometric that could verify an
individual’s presence while on a PC. The company involved is BioNet.
Quote of the Day
“In spite of the words about biometrics for logical
access security, every application I have seen is driven by convenience.” Biometrics
supplier on the floor.
There is pressure building to strengthen identity security.
Areas of concern include ID theft, terrorism, privacy, accountability
and fraud. Biometrics as a stand alone technology will not assure identity
security. Biometrics, however, is the only way to link an individual
with a token of that individual. However, the quality of the biometric
to identify an individual varies greatly by the biometric used. The key
measures of False Acceptance Rate and False Reject Rate are unreliable
by any measure used in the computer industry. Thus, biometrics are combined
with other factors to lessen security risk.
It became obvious at CardTechSecurTech that Smart Cards
are a primary means to enable portable personal attributes. The strength
of a Smart Card is its biometric ability to directly enable 1:1 matching.
Each individual has a complex series of unique biometric markers that,
in their totality, cannot be “spoofed” or “phished”.
Combined with the essential physical possession of a Smart Card, absolute
identity is assured. Thus, with standardization, the emergence of a national
ID card becomes increasingly real.
Governments, world wide, remain the leaders in biometric
projects. To date most deployments have been successful and are likely
to set the stage for broad deployments of biometrics, including enterprise.
If the equivalent of a national ID card is created, such
as from the RealID legislation, this will likely influence the use of
biometrics in many other sectors including the enterprise. It is important
to note that many other countries are well along in such cards and their
In the U.S., fear of Government intrusion and loss of privacy
are the strongest obstacles to the deployment of a national ID card.
The key here is education. Biometric data are inherent to individuals
and are key to their absolute identities. Personal history is acquired
and not a key to identity. The issue of individual privacy vs. biometric
identity should not be a deterrent to progress in protecting the unique
and verifiable identity of every individual.