WAVE Report

CardTechSecurTech 2005
By John Latta, WAVE 0519 5/13/05

Las Vegas, NV
April 12 - 15, 2005

SourceMedia is the producer of CardTechSecurTech, and the event sits at the center of a rapidly expanding market. These are exciting times as smart card technology plays an increasing role in securing the United States. The conference fills a valuable role and had many quality presentations in addition to one of the best exhibits of smart card technology in the U.S.

Industry statistics presented before the keynote provided a useful perspective into the industry:

1 billion smart cards were sold in 2004 and 1.4 billion are expected in 2005.

There was $6b in revenue in 2004 which is up over 20%.

The major application of smart cards is the SIM card in cellular phones in the GSM network.

2 major ID projects are the U.S. Government ID card and the China national ID card with a contactless chip.

Terrorism, Security and Identity

Richard Clarke, the former Counterterrorism Czar, tied together the current security situation in the U.S. and closed with what the secure card industry can do to help. It was one of the most balanced arguments on these issues we have heard.

Al-Qaeda as a terrorist network has largely been dismantled. But we should not be lulled into a false sense of confidence because 14 related organizations with membership of 400 pose a serious threat to the United States.

As we saw in the Madrid bombing, Al-Qaeda is increasingly relying on connections with criminals to fund their operations.

Identity theft, fraudulent ID and fraud, in general, are frequently used by terrorists. Thus, it is important that we do what is possible to limit this opportunity. (Richard encouraged the audience to read the 9/11 Commission Report.)

One of the problems is that government-issued IDs are easily faked. I got a fake driver's license for $40, and Social Security cards have no security. Thus, it is phony to think that we have secure IDs.

By improving our identity security, we can do much to secure the U.S. But in the U.S. we have a problem and it goes to our roots. We fear big government. Individuals do not like the impacts of 9/11 and they fear their loss of privacy.

Europe and the U.S. have different views of privacy. In Europe there is an opt-in model: a company cannot collect information on you unless you permit it. In the U.S. there is not even an opt-out option for personal data collection. These issues have been highlighted by the recent thefts of personal information, such as credit histories.

There is a key point that is not getting across to the public. Improving identity security will do much to enhance personal security and privacy: it will be much harder to commit ID theft. The bottom line is that greater personal identity security is not about the invasion of privacy but about how to better protect it.

There needs to be a clear message: we can enable better privacy protection. For example, California's SB 1386 requires that those affected by a loss of identity information be notified promptly. This should be supported, and it should become federal law. The FTC needs to play a stronger role against ID theft.

There should be standards on the protection of personal data, and the implementation of these should be independently audited.

Privacy and security are not opposing forces but these can work together.

The secure card industry is in a strong position to implement technology which will better protect privacy.

Homeland Security Presidential Directive (HSPD) 12

A whole track was devoted to this. We summarize key points which came from many speakers.

In August 2004, the President signed a directive that there be a common ID throughout the government.

In February 2005, FIPS 201 was released which describes both how common ID will be accomplished and how the identity will be managed to allow the card holders to have interoperable physical and logical access. These are central elements to a Personal Identity Verification (PIV) system.

The timeline is aggressive:

Agencies will have plans to implement by 6/05

Implementation will start with the vetting process by 10/05

Biometrics are a part of the card. One of the outstanding issues is the storage of the fingerprint data on the card. An image is currently the only feasible option, but it consumes processing power and memory space and makes the card harder to implement. Minutiae are a better alternative, but the specification for this and its testing will not be complete until 2006. This puts the schedule at risk, so an executive decision is required: implement the current cards on the timeline, or delay.

The implementation of FIPS 201 is a major challenge to the integrator. One of the reasons is that the system must cross many systems in operation today – legacy support is important. One speaker referred to the integrator task in terms of sheer complexity.

One of the data objects on the card, the CHUID, has the prospect of embedding an IPv6 address, so every card could carry its own globally unique address and, in principle, be addressable over the net. Note that the CHUID is readable from the card without a PIN, so anything placed in it should be treated as public.

The card and biometrics provide at least 2-factor authentication. In this era of ID theft and other frauds, it was counseled that the principle should be "Defense in Depth": no one tool provides adequate defense.

The intent of FIPS 201 is to combine both physical and logical security. But when the WAVE asked how the logical security will be implemented to minimize unauthorized system use, the answer was foggy. For example, when one uses a FIPS 201 ID for computer access, the card is inserted into a reader and the user enters a PIN to gain access to the system. The card carries a PKI key pair and certificate. For the present no fingerprint reading is planned.

Given that it will be possible to access government computers in areas which have no physical access security, how is logical security assured? Basically, they have yet to work out the scenarios which will support FIPS 201. The WAVE stated: if one has the card and the PIN, anyone can log onto the computer. When asked about biometrics, the response was that computers do not yet have the infrastructure to support fingerprint reading. Using biometrics would allow for 3-factor verification.

Passwords are not considered a safe means to protect logical access.
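To make concrete what card-plus-PIN logical access buys and what it does not, here is an added Python model; it is not FIPS 201 reference code or any vendor's implementation. It assumes a simulated card with a PIN retry counter and a textbook-RSA signing key (a stand-in for the card's real signature algorithm and padding), and a host that challenges the card with a fresh nonce and holds the enrolled public key directly rather than validating a certificate chain. The names SimulatedPIVCard, host_login and the PIN values are the example's own.

```python
"""Toy model of PIV-style logical access (added example, not FIPS 201 or
vendor code). Textbook RSA with 256-bit primes stands in for the card's real
signature algorithm and padding; the host holds the enrolled public key."""
import hashlib
import secrets

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test; sufficient for generating a toy key pair."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=256):
    """Return (n, e, d); on a real card the key is generated on-chip."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

class SimulatedPIVCard:
    """Card side: the private key never leaves the card, signing is gated
    on a verified PIN, and a retry counter locks the card on guessing."""
    MAX_PIN_TRIES = 3

    def __init__(self, pin):
        self._pin = pin.encode()
        self._n, self._e, self._d = generate_keypair()
        self._tries_left = self.MAX_PIN_TRIES
        self._pin_ok = False

    def public_key(self):
        return self._n, self._e

    def locked(self):
        return self._tries_left == 0

    def verify_pin(self, pin):
        if self.locked():
            return False
        self._pin_ok = secrets.compare_digest(pin.encode(), self._pin)
        self._tries_left = self.MAX_PIN_TRIES if self._pin_ok else self._tries_left - 1
        return self._pin_ok

    def sign(self, challenge):
        """Sign a host challenge; refused until the PIN has been verified."""
        if not self._pin_ok:
            raise PermissionError("PIN not verified")
        return pow(_digest_int(challenge), self._d, self._n)

def verify_signature(pubkey, challenge, signature):
    # Host-side check of the card's response against the enrolled key.
    n, e = pubkey
    return pow(signature, e, n) == _digest_int(challenge) % n

def host_login(card, pin, enrolled_pubkey):
    # Host side: present the PIN, challenge with a fresh nonce, verify.
    if not card.verify_pin(pin):
        return False
    nonce = secrets.token_bytes(32)
    return verify_signature(enrolled_pubkey, nonce, card.sign(nonce))

def demo():
    card = SimulatedPIVCard("123456")  # constructed: the enrolled card
    enrolled = card.public_key()       # the host's copy from enrollment
    results = {"holder": host_login(card, "123456", enrolled)}
    # Possession of card and PIN is all the host checks: the WAVE's point.
    results["card_plus_pin_thief"] = host_login(card, "123456", enrolled)
    # A signature captured earlier fails against a new nonce (no replay).
    old_sig = card.sign(b"challenge from an earlier session")
    results["replay"] = verify_signature(enrolled, secrets.token_bytes(32), old_sig)
    # Guessing the PIN locks the card after MAX_PIN_TRIES failures.
    for guess in ("000000", "111111", "222222"):
        host_login(card, guess, enrolled)
    results["locked"] = card.locked()
    results["after_lock"] = host_login(card, "123456", enrolled)
    return results
```

Calling demo() shows the four outcomes the discussion above turns on: the rightful holder logs in, so does anyone else holding the card and the PIN, a signature captured earlier does not satisfy a new nonce, and three wrong PINs lock the card. A real PIV deployment adds what this toy omits: a certificate chain to a trusted issuer, revocation checking, and proper signature padding, none of which changes the card-plus-PIN conclusion.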

The WAVE also asked – If the RealID Act is implemented, will FIPS 201 and the experience gained from this likely be a prototype for a much larger public implementation? No doubt was left on this. In fact, the IAB, Government Smart Card Interagency Advisory Board, is now taking on members from outside the federal government. State governments are also joining.

Biometrics is Growing – What does this mean?

Raj Nanavati, Partner, the International Biometric Group, gave a keynote in the Biometrics for Access Security session. He made a number of interesting points.

The revenue in the Biometric Industry is estimated to be:

$1.2B – 2004
$1.85B – 2005
$2.64B – 2006
$3.68B – 2007
$4.64B – 2008

Retail, ATM and POS use of Biometrics

2005 - $67.6m
2006 - $121.7m
2007 - $194.8m
2008 - $243.5m

Financial Sector use of Biometrics

2005 - $159.5m
2006 - $236.4m
2007 - $324.7m
2008 - $405.5m

This does not include revenue for integrators.

The vast majority of the revenue is for AFIS and

$1.14B – 2005
$2.59B - 2008

Important new roll outs of biometrics are happening in the private sector. The supermarket chain Piggly Wiggly will deploy a new program in 114 stores for check processing. Lowes Foods has a similar program with 108 stores.

In the private sector, important challenges lie ahead. One of the foremost is making a business case for the use of biometrics.

A significant issue which could impact biometrics on the regulation front is the recent problems with data aggregators. ChoicePoint had problems when it sold personal information to individuals intent on committing fraud. This has raised awareness of personal data collection and what is done with that information. The recent theft of Lexis/Nexis information on 310,000 individuals is another example showing that the loss of personal data may be much more common.

From these compromises there are indications that Congress may be willing to legislate greater privacy protections but it is too early to tell.

EPIC, the Electronic Privacy Information Center, has sent a letter to the TSA stating that privacy principles should be incorporated into its biometric standards.

There have been some absurd proposals at the state level to regulate biometrics.

HIPAA compliance represents an area where biometrics can be applied. Estimates for the size of the HIPAA compliance market, beyond just biometrics, are very large, ranging from $17.6B to $42.9B.

One of the continuing problems in biometrics, especially in fingerprinting, is that vendors make performance claims that border on the absurd. One vendor claims a FAR of 1 in a million and another states it has 0% FAR. Neither figure means anything without the false reject rate at the same threshold and the number of impostor attempts behind the measurement.

White House Speaks on Biometrics

Kevin Hurst, Senior Policy Analyst, White House Office of Science and Technology Policy, provided an assessment of advances in biometrics.

There has been very rapid growth in applications of biometrics in the government. Beyond the obvious ones, these include:

Duplicate enrollment recognition
Logical and physical access control

Identified as biometric performance gaps were:

Excessive error rates
Poor ability to find database match
High sensitivity to varying conditions

Each of the biometrics was summarized well:

Facial – 90% accuracy with 1% FAR
Fingerprint – 99% accuracy with .1% FAR
Iris – 97% accuracy with .01% FAR

There are important motivations for biometric fusion. These include the potential for reduced error rates, reduced effect of noise, the ability to enroll anyone, and a higher barrier to spoofing. Much remains to be done.
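The error-rate figures above, the vendor claims of "1 in a million" or "0%" FAR, and the case for fusion are easier to judge with a small worked computation. The following Python is an added example, not from any speaker or vendor. Its GENUINE and IMPOSTOR match scores are constructed (eight trials per modality on a 0 to 1 scale, higher meaning a better match), the function names are the example's own, and the "rule of three" it applies is the standard approximate 95% upper confidence limit on a rate when zero events were seen in n trials.

```python
"""FAR/FRR at a threshold, the FAR/FRR trade-off, what a "0% FAR" claim
can support, and score-level fusion of two modalities.
Added example with constructed scores; not data from the conference."""

# Constructed match scores, one (face, fingerprint) pair per trial.
# Genuine: the claimed identity is the real one. Impostor: it is not.
GENUINE = [(0.90, 0.95), (0.85, 0.80), (0.80, 0.90), (0.70, 0.85),
           (0.60, 0.75), (0.55, 0.90), (0.40, 0.80), (0.95, 0.35)]
IMPOSTOR = [(0.10, 0.05), (0.20, 0.15), (0.30, 0.25), (0.35, 0.10),
            (0.45, 0.20), (0.50, 0.30), (0.65, 0.15), (0.15, 0.55)]
FACE, FINGER = 0, 1


def modality(trials, index):
    """Pull one modality's scores out of the paired trials."""
    return [t[index] for t in trials]


def error_rates(genuine, impostor, threshold):
    """(FAR, FRR) when a match is accepted iff score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def tradeoff(genuine, impostor):
    """FAR/FRR at every threshold that changes a decision: raising the
    threshold drives FAR to zero at the price of FRR, so a bare "0% FAR"
    is always achievable and says nothing on its own."""
    return [(t, *error_rates(genuine, impostor, t))
            for t in sorted(set(genuine) | set(impostor))]


def zero_accept_far_bound(n_impostor_trials):
    """Rule of three: if 0 of n impostor attempts were accepted, the true
    FAR is below 3/n with roughly 95% confidence."""
    return 3 / n_impostor_trials


def impostor_trials_to_support(one_in):
    """Impostor attempts needed to substantiate a FAR of 1 in `one_in`
    at roughly 95% confidence with zero observed false accepts."""
    return 3 * one_in


def fuse_mean(trials):
    """Score-level fusion: mean of the per-modality scores of a trial."""
    return [sum(t) / len(t) for t in trials]


def summary(threshold=0.5):
    """Error rates per modality and fused at one threshold, plus what the
    sample size allows one to claim about FAR."""
    return {
        "face": error_rates(modality(GENUINE, FACE),
                            modality(IMPOSTOR, FACE), threshold),
        "finger": error_rates(modality(GENUINE, FINGER),
                              modality(IMPOSTOR, FINGER), threshold),
        "fused": error_rates(fuse_mean(GENUINE), fuse_mean(IMPOSTOR), threshold),
        "far_bound_on_this_sample": zero_accept_far_bound(len(IMPOSTOR)),
        "trials_for_one_in_a_million": impostor_trials_to_support(1_000_000),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(key, value)
    for t, far, frr in tradeoff(modality(GENUINE, FACE), modality(IMPOSTOR, FACE)):
        print(f"threshold {t:.2f}: FAR {far:.3f} FRR {frr:.3f}")
```

On these constructed scores, face alone at a 0.5 threshold gives FAR 0.25 and FRR 0.125, fingerprint alone 0.125 and 0.125, and the mean-fused score 0 and 0, which is the error-reduction argument for fusion in miniature. Raising the face threshold to 0.7 yields a "0% FAR" at an FRR of 0.375. And with only eight impostor trials, an observed 0% FAR only bounds the true FAR below 0.375; supporting a 1-in-a-million claim the same way takes about three million impostor attempts.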

Advances in Facial Recognition

Joseph Atick, President and CEO of Identix, gave an overview of the large biometric programs. In it he described the Department of State program which Identix is implementing with SAIC and IBG. The specification for the system is that it will hold 41m records and can grow by 8m/year. Searches must be able to be done at 500/hour, going to 2000/hour. The system is built on blade servers and uses Oracle 9i RAC. One of the cautions around such a system deployment is the high level of skills and management talent required. This also relates back to the role of the system integrator.

Claimed facial accuracy, with dermal (skin) texture included, is 90% - 95% with a FAR of 1%. It was noted that not all of the images in the DoS image database would be of adequate quality to support dermal texture. It was also stressed that, since dermal texture requires higher resolution on the texture of the skin, the image quality requirements are very important. When asked by the WAVE what the spatial frequency requirements were for the imaging, Joseph did not respond.

WAVE Comment

With all the emphasis on physical and logical security using biometrics, nothing has been said about the next level: persistence. That is, continual monitoring of the individual to assure that, once authenticated, the relationship between the individual and the biometric has not changed. This is of particular importance for access to networks, where an individual can walk up to an open computer. A persistence requirement would allow a changed biometric to be detected. Facial texture would allow continual monitoring of the individual by a means much less intrusive than fingerprints.

Identity Management

Just slapping a fingerprint reader on an enterprise network does little for the enterprise. There are early signs of sophisticated software to manage identity.

Enterprise Security System – Software Innovations

Integrates with Radius, LDAP and Active Directory
Platform independent
Digital Network Authorization for Role assignment to any Identity
Life Cycle management
Encryption of pathways for Identity

HiPath SIcurity – Siemens

Authentication using Secure Token, Smart Card and/or Biometrics
Administration with Metadirectory, provisioning and Web Resource Management
Authorization with Policy enforcement, Secure sessions, and audits
Identity Management is handled with metadirectories and DirX software product family

Both packages indicate the level of complexity which is emerging in the identity management space.

Sharp – Smart Cards to enable embedded Biometrics

The WAVE spoke with Robert Stuart, Product Manager, Optoelectronics and Smart Card, Sharp Microelectronics of America. Sharp was highlighting its smart card which is at the top end of capabilities and performance. This card includes:

Embedded IBM JCOP31 with GP 2.1.1 compliance
Java Card 2.1.1 compliance
Support for multiple cryptographic algorithms
Multiple application support
1MB of Flash memory
EAL4+ certification
Dual Interface – contact and contactless
Contactless transfer up to 424 kbit/s
Contact transfer up to 76.8 kbit/s
16bit embedded microprocessor

As biometrics become a part of the smart card, as with HSPD 12, there are increased demands for memory and processing power: one for the embedded biometric, be it a template or image, and the other for cryptographic support. On the strength of these capabilities, Sharp won the e-passport contract for Australia. It is expected that as FIPS 201 matures, cards such as Sharp's offering will become mainstream. One of the major advantages of this approach is that applications can be added to and changed on the card after issuance. DoD has seen the value of this in the CAC deployment because of the high mobility of troops between assignments. Thus, when an individual is on TDY, the card can be updated with the responsibilities and access required at the new location.

TechCU Application of Biometrics

Certainly the financial sector has much to gain from better authentication of identity. Yet this has been slow to roll out, in part due to the enormity of the infrastructure that has to be changed. There are organizations which are driving better authentication, and TechCU is one experimenting with the technology. This credit union has implemented a program called MemberID. There is a scanner unit at the branches which has a mag stripe reader, keypad and fingerprint sensor. This allows a member to enter personal data, scan their card, or just use a fingerprint. This was begun in 2003 and, with no advertising, it has attracted 8,200 users, nearly 11% of the members. 82% of the users are between 30 and 59, and 74% are male. Biometrics is felt to be the security program of the future.

As TechCU looks to the future, it is considering alliances with merchants to use biometrics and allowing access from home. However, there are important interoperability issues to be addressed. More important, any home solution cannot compromise the security of the system. It is felt that biometric readers need to be in the $25 range. TechCU has considered providing the readers to members if the price is in this range. One unit considered is the Sony Puppy, but its price is too high at $150.

Keystroke Dynamics as a Biometric

An interesting potential biometric surfaced which uses typing patterns as a means to identify an individual. This has significant implications for a persistent biometric that could verify an individual's presence while at a PC. The company involved is BioNet.

Quote of the Day

“In spite of the words about biometrics for logical access security, every application I have seen is driven by convenience.” Biometrics supplier on the floor.

WAVE Comments

There is pressure building to strengthen identity security. Areas of concern include ID theft, terrorism, privacy, accountability and fraud. Biometrics as a stand-alone technology will not assure identity security. Biometrics, however, is the only way to link an individual with a token of that individual. The quality of a biometric for identifying an individual varies greatly by the biometric used, and the key measures, False Acceptance Rate and False Reject Rate, are unreliable by any measure used in the computer industry. Thus, biometrics are combined with other factors to lessen security risk.

It became obvious at CardTechSecurTech that smart cards are a primary means to carry portable personal attributes. The strength of a smart card is that it can hold the biometric template and enable 1:1 matching directly. Each individual has a complex set of biometric markers that, taken together, are far harder to spoof or phish than a password, although any single biometric, a fingerprint included, can be copied. Combined with physical possession of the smart card, this gives a strong binding between holder and token. Thus, with standardization, the emergence of a national ID card becomes increasingly real.

Governments, world wide, remain the leaders in biometric projects. To date most deployments have been successful and are likely to set the stage for broad deployments of biometrics, including enterprise.

If the equivalent of a national ID card is created, such as from the RealID legislation, this will likely influence the use of biometrics in many other sectors including the enterprise. It is important to note that many other countries are well along in such cards and their deployment.

In the U.S., fear of government intrusion and loss of privacy are the strongest obstacles to the deployment of a national ID card. The key here is education. Biometric data are inherent to individuals and are the strongest available key to their identities; personal history is acquired and is not a key to identity. The issue of individual privacy vs. biometric identity should not be a deterrent to progress in protecting the unique and verifiable identity of every individual.