"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."           Thomas Mann, 1896

---

NATIONAL SECURITY CONCERNS

Author:  Jim Prohaska, Vice President, Government Systems
Contributed by:  SSP Litronic, Inc.

Introduction

Achieving robust and useable security requires careful selection of not only the right technology and products, but also the right processes and policies to ensure the integrity and privacy of enterprise-based assets and the ability to effectively operate in the current electronic world.  September 11th, 2001 redefined the national view on security. Up to that date, major portions of the government and most corporations have allowed a security facade to protect critical national or corporate information.

No longer is it acceptable to "pretend" to protect valuable enterprise-based assets by using easy to compromise passwords, software-based electronic credentials and security processes that are dependent upon widely acclaimed unsecured personal computers (PCs).  Today there is heightened need and demand for robust and validated protection of digital assets that are regularly transported via the Internet. Concurrently there is the demand for quick implementation - easy to use and manage security components and systems that actually enable the proper and full utilization of the Internet, e-commerce and e-government.

"Do I need security?" is no longer the question. Instead, government and business are asking how people and enterprise processes can exist and flourish in highly protected and validated environments - without sacrificing service, convenience and usability. A technology answer does exist - public key infrastructure (PKI), biometrics and smart cards effectively transform general business into a secure e-business environment that takes full advantage of the Internet as an effective yet protected multiplier of corporate assets.

What a Difference a Day Makes

In both government and business, the technology trio of PKI, biometrics and smart cards is being recognized as usable, deployable and powerful technology that equally guards the interests of buyer and seller, sender and receiver, user and administrator - and uniquely delivers the same strong authentication and verification to both physical and virtual environments.

"Right now there is much emphasis on physical security as seen at airports and other facilities - however, there is an increasing need to merge physical and data security. Within this merged environment authentication and authorization are critical, and their success and level of protection depends largely on implementation and technology management," said Charles Kolodgy, research manager, Internet Security, IDC.

"The policy for determining who individuals are (i.e., authentication or identity) and what they can do (i.e., authorization) will become paramount. To accomplish this and to do it in both physical and electronic ways will require technologies incorporating multiple authentication methods such as smart cards, as well as streamlined and automated security policies and procedures."

PKI provides the infrastructure for strong authentication and secure communication without the Achilles’ heel of shared encryption/decryption keys. Biometrics add the integrity of non-transferable personal confirmation (the equivalent of a super PIN that can never be shared and can never be copied); and smart cards deliver the hardened portable container for transporting and processing crypto and authentication functions. The combination unequivocally establishes identity, presence and votive action of electronically signing and sending a message or financial transaction - delivering the never-in-the-clear and never compromised environment for PKI operations.

More on PKI and Protection of Digital Identities

PKI, smart cards and biometric authenticating technology bolster electronic signatures, providing the powerful security processes necessary for real confidence in digital transactions and communications. This distinct combination of technologies proves that information was sent or received by a specific person and that person was also present at the time of the transaction, offering strong authentication on both sides of a transaction or communication.

Unlike passwords, PKI is a technology used to authenticate the origin or owner or instigator of a document or transaction, and optionally can allow only the intended recipient to access, process or open it. It is based on keys - actually asymmetric number sequences - that are related and only work together. These keys work in pairs (public and private keys) in order to validate and identify specific individuals in a digital environment, delivering asymmetric compatibility that eliminates the shared secret of a password. Digitally signing a message or transaction with using PKI assures strong authentication of both the message and the signature.

Biometrics Bring "Physical" Security to Virtual Environments

Biometrics enable strong authentication for physical access and verification of identity. Certain biometrics work best for certain applications and for certain people. Usually there is a 90/10 rule for each system chosen - it will be comfortable for 90 percent of the population and the remaining 10 percent would prefer another option. Because of these kinds of issues, it’s likely that more than one biometric would be necessary to fulfill the needs of a single company - particularly true in an enterprise implementation.

Some biometrics focus on a physical characteristic such as a fingerprint, while others recognize mannerisms such as voice or signature. It’s important to note that it’s the biometric of the mannerism that is recognized, rather than the mannerism itself. The authentication process will evaluate the speed of the handwriting, the pressure of the pen or the tension in the voice rather than seeking an exact match. In fact, an exact match is so unlikely that if it were presented, it would be rejected on the basis that it’s not possible and therefore fraudulent. Even fingerprints aren’t matched "print for print" - rather a filtered extraction is used for matching so original fingerprints can never be reconstructed.

Each biometric has its most appropriate application depending on the needs of the business and requirements of the user base. For example, the simple process of placing a finger on a touchpad may not be "active" enough to prove a transaction decision was made. Imagine authorizing a $10 million contract with a touch of your finger - it’s very likely that the more positive action of saying a confirmatory sentence or writing a signature may be perceived as more satisfying and clear-cut to the user.

The Universal Secure Access (USA) Forte card includes a fast 32-bit processor, a cryptographic co-processor, a random number generator, a real time clock, a 64 Kbyte EEPROM, a standard ISO-7816 interface and a high speed USB I/0 port. - Source Biometric Industry Report

Characteristic and mannerism biometrics have widely varying applications, based on factors such as intrusiveness, accuracy, cost and degree of difficulty in implementation.

Identification Versus Authentication

Biometrics can be used to identify or authenticate identity - and there is a distinct difference between the two applications.  Identification systems do not ask the individual to declare an identity prior to offering up biometric data.

For example, an iris scan might be used to grant physical access by simply comparing the scan against an employee database. The system itself tries to answer the question of identity rather than requiring the user to claim their identity and then authenticate with a PIN or username. This works well for smaller databases, such as employee files or criminal databases where biometric data on selected individuals may be stored. These systems are for identification purposes only - a good example is surveillance video where random individuals, with no stated identities, may be taped and then compared against a list of known criminals or persons wanted by the authorities.

In verification systems, participants state an identity and then present biometric data such as fingerprint, iris scan, voice or signature, for verification. The biometric data is matched against data on file, and assuming a match, identity is authentication and the transaction is complete. The biometric systems used in most smart card and PKI applications are the authentication kind where the user is the guardian of his biometric.

The Smart Place to Store Your Keys

The secure electronic communication and financial transaction climate created by the integration of PKI and digital signatures can be further secured when the private key, biometric template or digital certificate - or confirmed representation of a person’s or company’s identity - are stored off the computer on a smart card.

Basically what digital signatures and smart cards provide together is two-factor authentication - combining something a person has (the smart card), with something they know (the PIN). The smart card not only stores the digital certificate securely, it provides the arena for the signing and privacy processes to take place. Since signing and encryption is actually performed on the card, the digital identity is never in the open and there is no risk of it being spoofed or stolen.

Adding biometrics actually enables three-factor authentication - something you have (the smart card), something you know (the PIN) and something you are (your biometric). Industry focus, however, is now moving toward a "better" two factors. Smart cards and biometrics (have and am) are viewed as a significant improvement for the enterprise. Various pilot programs, in both government and industry, have shown that the cost of issuing and administering passwords (or PINs) is prohibitively high.

Power in an On-Card Identity

Biometrics systems integrate the smart card with a personal physical characteristic, such as iris pattern, voice, fingerprint or handwritten signature, before the digital signing can commence. The template of a person’s biometric replaces the PIN and is actually held on the smart card along with the digital certificate. Only when both are verified will the smart card have access to use the private key necessary for the signing ceremony to take place.

The end result: the transaction can’t be completed without the card and card can’t be used without the cardholder - delivering a "cardholder present" situation for the strongest physical authentication and the highest confidence in Internet communications and transactions.

However, a smart card that requires any part of the signing, encryption or verification processes to be performed "off card" substantially contributes to a facade of security. The smart card needs to have power, memory and performance so that it does not serve as just a secure storage media while requiring that critical security processes are compromised by performing them in unsecured areas or hostile electronic territory.

Speed of handling on-card signing, encryption and biometric verification is also essential to real world protection of electronic communications and financial transactions. Speed combines with ease of installation of "plug and play" devices to encourage critical user acceptance. If the smart card’s capabilities cause delays in the normal work processes, users and managers will be hesitant to accept the need for real-world security.

"Human recognition technology has already seen significant advances that extend with confidence the effectiveness of the business enterprise. New silicon sensors - more intelligent and less expensive than their earlier counterparts - are very much the shape of things to come. These can harmonize better with new business processes such as the on-card management of digital credentials by offering a biometric solution equally well tailored to the card platform, using compact algorithms that deliver the best systems security to date," said Calum Bunney, Director, International Biometric & Authentication Consulting Ltd, UK

"Implemented properly, biometrics promise to eliminate the security weaknesses inherent in ‘traditional’ business processes moving to the Internet, and will work particularly well to leverage securely the investment by government in digital trust approaches such as PKI. Implementation is critical, however, as improperly handled biometrics will not add security - only a false sense of increased protection."

System on a Chip

Protected electronic communications and financial transactions require a smart card that effectively functions as a "system on a chip," such as SSP’s USA (Universal Secure Access™) Forté card. The required smart card is a key component, with a full-featured operating system that ensures that all sensitive information and data requiring protection and authentication can be quickly processed directly on the card without exposing any cryptographic tasks to the user’s PC.

This requirement for on-card signing and bulk encryption capabilities mandates a smart card that has the fast 32 bit processor, cryptographic co-processor and the high speed USB I/O port that is capable of streaming encryption bandwidths of at least 1.5Mbytes per second (Figure 2). Fast and highly secure on card key generation is also required to ensure integrity of the public/private key pair and the security of the private key - and eliminates security compromises such as spoofing, Trojan horses or sniffers which have surfaced in recent attacks.

USA Forté possesses high assurance on-card key generation and supports both government and commercial encryption and signing algorithms. It allows for the biometric template to be securely stored under credentials that can be totally separate from the required credentials for all other personal or security related data. Multiple templates for different biometric types can be separately stored and controlled, utilizing on-card policy enforcement. This will allow users to maintain one biometric process for work, one for banking, one for the government records, etc. - all under separate control of different domains.  The fingerprint software reads specific characteristics of the fingerprint pattern to create a user reference template for subsequent matching.

Protected PIN Path

Even with proper implementation of PKI and use of high performance, secure smart cards, it is imperative that any selected biometrics be properly implemented so that sampling or template data cannot be fraudulently captured and used in a future attack on the enterprise’s electronic communications and financial management systems.

Properly handled technology is also key to gaining public confidence in the use of biometrics. All sensitive data, particularly PINs and biometric information, must be protected always, even when actually being accessed for matching and authentication. This is more critical than it may seem - simply because mishandled biometrics will not add security and will only provide a false sense of well-being and confidence.

When accessed for authentication, data becomes vulnerable if passed through to the PC or other computing device for processing. SSP’s patented technology, known as Protected PIN Path (PPP), answers this concern by restricting transmission of PINs and biometric data to the secure smart card reader only. This isolates PINs and biometric identification such as fingerprint, facial or subcutaneous palm recognition data, from networks, servers, PCs or other computing environments when being accessed to authenticate identity.

All matching of PINs and biometric data takes place directly on the card and never enters hostile public territory where it is in danger of being sniffed, stolen or falsified. 

Security, Privacy and Control For the Enterprise

Achieving robust and useable security requires careful selection of not only the right technology and products, but also the right processes and policies to ensure the integrity and privacy of enterprise-based assets and the ability to effectively operate in our current electronic world.

Coupled with related physical security requirements, data security has challenged top engineering minds - however, recent innovations reflect the industry’s push for mass acceptance and deployment. New features ensure protection and portability of sensitive data and biometric templates, enable highly secure on-card generation of public and private keys, and answer hotly debated privacy concerns. Authentication technology is delivering significant potential for growth and acceptance in a burgeoning security market - and maturing at exactly the time that events have mandated its use.