
Govt. Citizen ID with Java Card(TM) Platform
Emphasis on the role and relevance of Java Card and Sun Identity Management Technologies

Ramesh Nagappan
Security Technologist, ISV-E
ramesh.nagappan@sun.com
http://www.coresecuritypatterns.com/blogs
Undisputed Market Leader in Multi-Application Smart Cards

[Figure: market segments served by Java Card (Loyalty, Corporate, Finance, Telecom, Government/Healthcare) and an Armed Forces of the United States Identification Card showing photograph, organization seal, chip, name, issue date and expiration date]
Slide 2 © Sun Microsystems 2009


Introduction to Java Card Technology
Security and Portability with Reliability as Core Value Proposition
• A programmable runtime engine for smart cards
> Open and standards-based
> Built for multi-application
> Proven security (enables on-card PKI/biometric credentials for physical/logical access control)
• A future-proof platform for smart card based services
> Dynamic application loading
> Test-suite enforced interoperability
> Cryptography and biometrics support
• A reference technology for smart card issuers
> Market leader in security for government and citizen ID
> Market leader in reliability for wireless, banking, ID
> Choice of multi-sourcing: obtain cards from multiple vendors
Slide 3 © Sun Microsystems 2007
Java Card Adoption
• 6 billion Java Card units deployed
> Variety of form factors
• Leader in market segments
> Telecom (de facto for SIM cards)
> Banking (payment cards)
> ID (citizen/government/defence/intelligence)
> PayTV (cable/dish subscriber cards)
> Transport, healthcare...

[Figure: Java Card form factors: SIM cards, secure flash memory, passports, USB tokens, contact and contactless smart cards]

Slide 4 © Sun Microsystems 2007


Java Card vs MULTOS

Slide 5 © Sun Microsystems 2009


Java Card as Cryptographic Token
PKI enabled Smart cards
• A credit card sized computing device acts as a cryptographic token.
> Contact / contactless cards
• Allows performing core PKI functions
> Key generation
> Public/private key operations
> PIN/biometric authentication
> Challenge/response authentication
• Supports the use of public-key infrastructure to verify the identity claim.
> PKI credential issuance.
> Credential validation/verification via OCSP, CRLs
• Defends against tampering and hacking.
> PKI/private key protection

Standards
• ISO-7816
• Java Card, MULTOS
• Global Platform
• PC/SC
• FIPS-201/PIV, CAC
• PKCS#11, PKCS#15
• GSM/PCS
• EMV (Europay/Mastercard/Visa)

Using Smart card based PKI as an Authentication Credential
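The slide lists the core PKI functions a card performs (on-card key generation, PIN authentication, challenge/response, private key protection) without showing how they fit together in an applet. The following Java Card applet is an added illustration written for this page; it is not code from the slides, from Sun, or from any PIV/CAC applet. It assumes a hypothetical package name, that the GlobalPlatform install parameter's application-data field carries the initial PIN, the standard ISO 7816-4 instruction bytes for VERIFY (0x20) and INTERNAL AUTHENTICATE (0x88), and a made-up GET DATA response layout for the public key. The RSA key pair is generated on the card, the private key is only ever used by the on-card Signature object, and signing a terminal challenge is refused until the PIN has been verified in the current session.

```java
package citizenid; // hypothetical package name (assumption, not from the page)

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.OwnerPIN;
import javacard.framework.Util;
import javacard.security.KeyBuilder;
import javacard.security.KeyPair;
import javacard.security.RSAPublicKey;
import javacard.security.Signature;

/** Minimal PKI-token applet: PIN-gated challenge/response with an on-card RSA key. */
public class PkiTokenApplet extends Applet {
    // ISO 7816-4 instruction bytes used by this hypothetical applet
    private static final byte INS_VERIFY   = (byte) 0x20; // VERIFY (PIN)
    private static final byte INS_INT_AUTH = (byte) 0x88; // INTERNAL AUTHENTICATE
    private static final byte INS_GET_DATA = (byte) 0xCA; // GET DATA: export the public key only

    private static final byte  PIN_TRY_LIMIT = 3;
    private static final byte  PIN_MAX_LEN   = 8;
    private static final short CHALLENGE_LEN = 16;  // refuse challenges of any other length

    private final OwnerPIN  pin;
    private final KeyPair   keyPair;   // generated on card; the private half is never exported
    private final Signature signer;
    private final byte[]    scratch;   // transient, cleared when the applet is deselected

    private PkiTokenApplet(byte[] bArray, short bOffset) {
        pin = new OwnerPIN(PIN_TRY_LIMIT, PIN_MAX_LEN);
        // GlobalPlatform install parameters: [Lc AID][AID][Lc privileges][privileges][Lc data][data];
        // this example assumes the application data field carries the initial PIN
        short off = bOffset;
        off += (short) (bArray[off] + 1);
        off += (short) (bArray[off] + 1);
        byte pinLen = bArray[off];
        pin.update(bArray, (short) (off + 1), pinLen);

        keyPair = new KeyPair(KeyPair.ALG_RSA_CRT, KeyBuilder.LENGTH_RSA_1024);
        keyPair.genKeyPair();                        // key generation happens on the card
        signer = Signature.getInstance(Signature.ALG_RSA_SHA_PKCS1, false);
        signer.init(keyPair.getPrivate(), Signature.MODE_SIGN);
        scratch = JCSystem.makeTransientByteArray((short) 256, JCSystem.CLEAR_ON_DESELECT);
        register();
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new PkiTokenApplet(bArray, bOffset);
    }

    public boolean select() {
        return pin.getTriesRemaining() > 0;          // a blocked card cannot be used at all
    }

    public void deselect() {
        pin.reset();                                 // PIN state does not survive deselection
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        switch (buf[ISO7816.OFFSET_INS]) {
            case INS_VERIFY:   verifyPin(apdu, buf);            break;
            case INS_INT_AUTH: internalAuthenticate(apdu, buf); break;
            case INS_GET_DATA: getPublicKey(apdu);              break;
            default:           ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }

    private void verifyPin(APDU apdu, byte[] buf) {
        short lc = apdu.setIncomingAndReceive();
        if (lc < 4 || lc > PIN_MAX_LEN) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        if (!pin.check(buf, ISO7816.OFFSET_CDATA, (byte) lc)) {
            // 63 Cx: wrong PIN, x attempts remaining; the retry counter is decremented on-card
            ISOException.throwIt((short) (0x63C0 | pin.getTriesRemaining()));
        }
    }

    private void internalAuthenticate(APDU apdu, byte[] buf) {
        if (!pin.isValidated()) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        short lc = apdu.setIncomingAndReceive();
        if (lc != CHALLENGE_LEN) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        // Sign the terminal's challenge; only the signature leaves the card
        short sigLen = signer.sign(buf, ISO7816.OFFSET_CDATA, lc, scratch, (short) 0);
        apdu.setOutgoing();
        apdu.setOutgoingLength(sigLen);
        apdu.sendBytesLong(scratch, (short) 0, sigLen);
    }

    private void getPublicKey(APDU apdu) {
        // Response layout (assumed): [2-byte len][modulus][2-byte len][public exponent]
        RSAPublicKey pub = (RSAPublicKey) keyPair.getPublic();
        short off = 0;
        short n = pub.getModulus(scratch, (short) (off + 2));
        Util.setShort(scratch, off, n);
        off += (short) (n + 2);
        short e = pub.getExponent(scratch, (short) (off + 2));
        Util.setShort(scratch, off, e);
        off += (short) (e + 2);
        apdu.setOutgoing();
        apdu.setOutgoingLength(off);
        apdu.sendBytesLong(scratch, (short) 0, off);
    }
}
```

The terminal-side flow this applet supports is the one the slide describes: SELECT the applet, VERIFY the PIN, send 16 random bytes with INTERNAL AUTHENTICATE, and verify the returned PKCS#1 signature against the public key fetched with GET DATA, which in a real deployment would be bound to the cardholder's certificate and validated through OCSP or a CRL before the identity claim is accepted.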


Slide 6 © Sun Microsystems 2007
Java Card as Biometric Token
Java Card based Biometric Identity
• Matching to physiological or behavioral characteristics to identify a person.
> High degree of assurance with proof of presence + proof of possession
> Fingerprints, facial image/geometry, iris images can be stored on card.
> Match on-card samples to live human samples.
• Biometric templates can be stored on smart card for personal identification.
> Fingerprint template is ~200 bytes
> Iris template is 500 bytes
• Biometric credential must be exchanged in a secure network channel (trusted path)

Standards
• INCITS 378 / CBEFF (Fingerprints)
• INCITS 379 (Iris)
• OASIS BIAS
• BioAPI
• JavaCard BioAPI
• FIPS-201 / PIV

Using Smart card based Biometrics as an Authentication Credential


Slide 7 © Sun Microsystems 2007
Managing Govt ID Issuance Life-cycle
Identity Management life-cycle events

[Figure: life-cycle stages: Identity Registration -> Identity Enrollment & Adjudication -> Card/Credential Issuance -> Physical & Logical Access Control -> Credential Maintenance -> Identity Termination]

Slide 8 © Sun Microsystems 2009


Managing Govt ID Issuance Lifecycle
Smartcard issuance life-cycle using Sun Identity Management Suite

[Figure: Sun IDMS at the centre, linked to demographic data, biometrics, PKI, identity proofing, verified credentials (smartcard / biometrics), logical access control and physical access control]

Slide 9 © Sun Microsystems 2009


Sun IDM Authorization Workflow

[Figure: workflow stages and approvers. Stages: Applicant Registration (breeder documents) -> Enrollment (biometrics) -> Identity Proofing & Adjudication -> Card Issuance & Activation -> Physical & Logical Access Provisioning -> Credential Maintenance -> Retirement / Termination. Each stage carries an Approval/Denial decision by the Hiring Manager, Enrollment Officer and HR Officer/Manager.]

• Sun IDM manages the authorization workflow and authority approvals and denials.
• Sun IDM facilitates digitally signed approvals using smart card based credentials verified against a PKI provider.
Slide 10 © Sun Microsystems 2009
Smart card based Credentials - Logical Access Control

Slide 11 Sun Confidential: Sun Employees and Immersion Week 2008 Partner Attendees Only.
Sun Rays In a Govt eID Environment

[Figure: Sun Ray value areas: Security, Manageability, Reliability, Mobility, Value]

Sun Ray supports the use of most eID and CAC/PIV cards
Slide 12 © Sun Microsystems 2009
Logical Deployment of Sun Rays
Smartcard based authentication – Virtual/Remote Desktop/Application environment

PIV credential / Sun Rays: PC and thin client users can securely access their remote desktops and applications from any location using PIV cards. Once PIV authenticated, the access tier establishes a display connection to the user device and a protocol connection to the back-end desktop OS and applications.

Authentication / Sun Access Tier: the access layer controls the user access and application profiles. It maintains audit logs of user and app usage. It provides the display engine to the user desktop.

Identity/Auth.: the access tier supports standard authentication mechanisms: LDAPv3, Active Directory, NIS, MS Windows Domain.

ESX Virtualization: each user desktop environment runs on a virtual machine located in the corporate data center.

Applications: native protocols are used to access apps. No modification of the OS or apps is required. All desktop and application communication remains in the data center.

[Figure: PIV Credential -> Sun Rays -> Firewall -> Sun Access Tier (Authentication) -> Identity/Auth. -> Firewall -> ESX Virtualization -> Applications (Data Center). Captions: secure remote access from any location using Sun Rays; combine existing authentication and authorization mechanisms using Sun IDMS and Sun VDI; Windows XP / 2003 desktop virtualization.]


Slide 13 © Sun Microsystems 2009
Sun CMT Servers: Wire-speed Security
UltraSPARC T2 offers On-chip Cryptographic Acceleration for PKI Applications
• Sun UltraSPARC T2 offers industry-leading cryptography performance for PIV environments.
> On-chip crypto threads virtually eliminate the cost of large PKI and cryptography workloads.
> Out-performs competition on SSL and public-key crypto operations
> Over 30x greater RSA1024 performance than a 2-socket IBM p510
• Supports commonly used ciphers for public-key encryption and secure hashing functions
> Public-key cryptography (RSA, DSA, Diffie-Hellman, ECC)
> Bulk encryption (RC4, DES, 3DES, AES)
> Secure hash (MD5, SHA-1, SHA-256)

Slide 14 © Sun Microsystems 2009


Mandatory Access Control and Security Labels (Solaris TX)

Slide 15 © Sun Microsystems 2009


U.S. Department of Defense

[Figure: Armed Forces of the United States Identification Card showing photograph, organization seal, chip, name, issue date and expiration date]

• Military ID and Geneva Convention Card
> Common credentials for verified identity
> DoD-wide health benefits ID card
> Physical access and manifesting
> Logical access with PKI/digital signature
• Well established security certification platform with numerous cards with FIPS-140 ratings
> High degree of security and assurance
• Supports additional military branch-specific applications at issuance and post-issuance
• Flexible to support original CAC format, CAC transitional format and PIV format (evolution of requirements)
• Deployment: 3M+ active duty units. Over 12M units to date. Issuing 30K+ units a day at peak war periods
Slide 16 © Sun Microsystems 2009
US Federal Employee PIV Card
• Presidential Directive 12 (HSPD-12) mandated a Federal Government-wide smart card ID program.
> Use of combined PKI and biometric credentials
• Dual interfaces for both physical and logical access
> Secure contact/contactless access to target resources
• To date, all deployed PIV cards are Java Card
> Conformance to Java Card 2.2.1
• By 2013 over 12 million PIV cards will have been issued
• The PIV model is being replicated in the US Federal Govt in programs such as Travel Worker Identity Program (TWIC), First Responder ID, Immigration Cards and potentially Drivers Licenses
Slide 17 © Sun Microsystems 2009
Taiwan Healthcare ID
• National health insurance ID card
• Multi-application smart card
> Identification, medical profile and benefits
> E-Purse capable
> Restricted use by other governmental agencies to protect privacy
• Supports open standards and post-issuance of new applications
• 40M Java Cards deployed

Slide 18 © Sun Microsystems 2009


Belgium National ID
• First country in EU to deploy citizen ID card to entire population
• Multi-application Java Card
> Identification, e-Government services, e-Voting, etc.
> Filing tax returns, birth certificates, civil records
> Digital certificates: authentication, digital signature
– PKCS15 conformance
> Commercial applications: e-Banking, e-Ticketing
• Common Criteria EAL 5+ Certified
• Deployment: 40+ million Java Cards

Slide 19 © Sun Microsystems 2009
Thailand National ID Card
• National citizen ID card to entire population
> Multi-application Java Card-based smart card
> Personal ID, fingerprints, tax, social welfare and social security numbers, agricultural data and healthcare data.
> Citizens will be able to access eGovernment services at e-government kiosks nationwide and by smart card readers integrated into desktop computers.
• 60M+ Java Cards deployed

Slide 20 © Sun Microsystems 2009


Oman National ID Card
• First country in Middle East to start deploying large-scale citizen ID card to entire population
> Multi-application Java Card-based smart card
> Provides positive identification with digital photograph, digital certificates and biometrics authentication
> Plans to add driver's license, emergency medical data and border control applications
• Deployment: 3M+ Java Cards

Slide 21 © Sun Microsystems 2009


United Arab Emirates National ID
• National citizen ID card to entire population
> Multi-application Java Card-based smart card
> Positive identification with digital photograph, digital certificates and fingerprint biometrics authentication
> Enabled e-Government services
> Plans to add driver's license, emergency medical data and border control applications
• Deployment: 4.5+ million Java Cards

Slide 22 © Sun Microsystems 2009


Macau Government ID Card
• Multi-application Java Card-based smart card
> Identification, border control, e-Government, e-Commerce and public services access
> Driver's license and e-Purse envisioned in future
• Secure laser engraved Java Cards
> Facial image, signature, and fingerprint biometrics
> PKI/certificates
• GlobalPlatform-compatible card management system

Slide 23 © Sun Microsystems 2009


More... Java Card's Govt ID Successes
• UK NHS and MoD
• Canadian ePassports
• Portugal National ID
• Qatar National ID
• Azerbaijan National ID
• Morocco National ID
• Finland National ID
• Italy National ID
• Queensland Australia Drivers License
• And approximately 20 other countries exploring Java Card
Slide 24 © Sun Microsystems 2009
Thank You !

Ramesh Nagappan
ramesh.nagappan@sun.com
http://www.coresecuritypatterns.com/blogs

Brian Kowal
Head, Java Card Marketing & Sales
Brian.Kowal@sun.com
