A recent announcement researchers made about the uniqueness nano-structure of every document got me thinking about another technology from Mag-tek, MagnePrint.

Both technologies provide a way of uniquely identifying the fundamental makeup of individual credentials, paper and magstripes. With each of these, the actual structure of the document operates as a seed string for a hash, creating a unique “fingerprint” for that document.

The ultimate goal of secure documents is information integrity. As technology advocates we often get enamored with the high tech solutions. Maybe these two technologeis are enough to ensure the integrity of the document. Although simple, forgery becomes a practical impossibility. Even better, the costs are borne almost entirely on the issuance and reader infrastructure. Nothing beats paper and magstripe when it comes to ease and cost of issuance.

There are still good reasons to have some sort of smarts in documents like passports. However, the RFID component that so many privacy advocates rail against may not be the most secure solution. How about a contact smart card embedded in the document?

As technologists we like the most cutting edge solutions. If the real goal is maximizing security, are we obligated to advocate the solution that gives us the best bang for our security dollar? Lower credential costs means more dollars to spend on cameras or guards, two proven security technologies. Something to think about.

Wired News: Fraud Roshambo: Paper Beats RFID

Comments (0)

Across the board, the idenity space is hot. Last week French smart card manufacturer spread its wings a little bit with the acquisition of Finnish secure document company, Setec.

Apparently their cooperation on the Singapore electronic passport last year impressed some folks. The deal makes lots of sense. As our paper documents become smarter, the vertical integration of the component manufacturers provides a logical competitive advantage. Pennies matter on this scale, so making production as efficient as possible means a more competitive Gemplus.

While it won’t immediately translate into benefits for the rest of Gemplus’ customer base, maybe it will down the road. Like most smart card companies, Gemplus gets most of their revenues from the telco industry. Although Gemplus has been supplying the ID market for some time, it always held more promise than profits. They made a big play into solutions just before the dot com bust. The Setec acquisition puts Gemplus in a stronger competitive place to pursue secure ID efforts like they won in Singapore.

Smart cards are already showing up in lots of other form factors than cards, so why not throw paper into the mix?

Gemplus Press Release

Gemplus snaps up e-document firm | The Register

In a bill with a good intent and poor execution, the California legislature is considering banning RFID in government documents. This could have a dramatic impact on building security, transit and campus ID programs. While many outlets, like Wired and RFIDNews have been watching this for a while, the bill’s recent passage out of committee deserves notice. It effectively dumbs down government building security and transit while not really protecting much information. A bill titled “Identity Information Protection Act” is sure to be a hit with consumers’ groups without a clear understanding of the impact.

The bill acknowledges beneficial uses for RFID by allowing exceptions such as toll road collection, ID bracelets for children under four, inmates, and mental health patients. Transit applications and building security are not included in the exceptions. Government facilities with existing RFID deployments not covered by exceptions would have until 2011 to phase those out.

Beth Givens, founder and executive director of the Privacy Rights Clearinghouse, quoted in RFIDNEWS, said “Senator Simitian’s bill provides vital protection for all Californians. Individuals who are required to carry government issued IDs should not be put in a situation where that document enables them to be monitored and tracked.” That’s an appropriate sentiment, but it misses the mark because security requires that tracking in some settings and transaction convenience mandates it in others, such as subways and campus dining.

Spurred by a combination of privacy concerns, federal initiatives and public outcry over a poorly considered RFID plan at an elementary school in Northern California, the bill seems to throw the baby out with the bathwater.

Much of the concern about government RFID documents is that your information would be freely available to anyone walking by. If the legislation read “only unique, alphanumeric identifiers can be unencrypted” much of the exsiting technology could be accomodated while still protecting privacy concerns. The ICAO recommended a system of storing a pin in a 2D barcode for government officials to “decrypt” more information. This provides for active presentation of the document before more sensitive information is passed along.

As for concerns about surreptitious tracking of individuals, it’s not really worth the effort. Legislation could forbid government tracking with a court order or public notice. Bad guys simply would not carry their documents and police would implement other, less expensive passive surveillance like video facial recognition.

For building access badges, the only alternative technologies are magstripes and bar codes, which are much easier to compromise. Some have suggested the use of contact smart cards for access control but those have proven problematic in the past.

In the US, almost all transit applications are run by the government and they are increasingly moving to contactless technologies as the only method for speeding throughput, increasing transaction security and allowing for the complex fare calculations many transit implementations demand.

Since much of the nation looks at California as a bellwether, expect other states to consider follow up legislation if the California bill passes later this spring. I’m all for privacy, but the implications of an ill-considered bill need to be heard.

Wired News: State Bill to Limit RFID

EPIC.org bill listing

Around the Capitol

http://www.rfidnews.org/weblog/2005/03/03/new-bill-will-protect-californians-privacy-rights-rfids-misnomer/

It’s just a college paper, but this article shows how wide the knowledge gap is about RFID and card technologies. The duo prox is nothing like an ICAO passport and has only a fraction of the security risks. Prox cards operate on a different frequency than the proprosed passport chips and only pass 26 bits of information to the reader, barely enough for an unique identifier.

Comparing a true contactless smart card to a prox card is like comparing a computer to a calculator. Whole different scale.

Why care about a Dartmouth student article? In any deployed identity system, user education is critical. I am not suggesting that Dartmouth educate their population on the nuances of wiegand vs. 13.56, but the population should know the relative risks of using a system with only an abstract idenitifier and one with a large amount of freely readable identity information. Something to consider. Done right, Dartmouth continues to deploy their identity solutions without having to engage in big debate about what the State Department wants to do.

The Dartmouth Online

Here’s an extension of the last post on security convergence. It’s really just a concrete illustration of the fact that the technologies for physical and logical security credentials can live side by side, but they still require different chips.

A few years ago, HID launched a contactless smart card line, iClass. While a lot of the smart card crowd looked down their nose at iClass, HID strategy squarely focused on the card and reader sets as an easy migration for their existing channel. HID’s channel of physical security integrators and installers were less concerned about the greatest smart card technology than with the ability to plug it into their existing systems. To many of the systems it hangs on, the iClass card and reader combo looks just like a dumb old prox card and that suits the customers just fine.

Recently, HID has worked effectively to expand the ecosystem around their cards and this press release shows that off. As I wrote a short while back, they are also bringing some of that ecosystem expertise in house with the acquisition of Synecard.

I’ll lay off HID for a while but they do show how users are not waiting for the “ideal” all-in-one technology, but putting together off the shelf components for an effective convergence solution.

Raak Technologies Joins HID%u2019s Development Partner Program to Supply Strong Authentication Products and Services to HID%u2019s Reseller Channel

In another security forum a security professional asked about using smart cards for a physical/logical security convergence project.

IT security folks often assume this should happen but it’s slow to get moving on the ground. The recent FIPS 201
standard is really bringing these discussions out in the open. Here’s my response to his questions. I hope you find it as helpful as he did.

The token (smart card) is an obvious place to handle security convergence and actually can be deployed fairly cost effectively. However, there is a substantial amount of confusion about what “smart card” convergence actually is. FIPS 201 addresses some of this but there is much to learn from previous, broader roll outs in business and higher education.

Issues to be aware of:

1. The PC/SC standard for smart card computer interfaces addresses a contact chip. This provides a higher level of security by requiring active presentation of the credential.

2. Physical security applications work best with RF technologies. It really boils down to wear and tear on readers and throughput at ingress points. This means a “converged” card will be effectively looking at two technologies, contact and contactless in the same form factor. You may even need to have multiple flavors of contactless, for instance 125 khz prox and 13.56 contactless smart card. Card manufacturers can accomodate this.

3. Physical access control systems rarely take advantage of the “smarts” in a card, most often using RF capabilities to broadcast a unique system identifier, rather than any challenge/response authentication. Don’t let the logical security guys make this assumption. Also, switching physical security tokens can represent substantial costs switching the readers at every door. Don’t cram a card down physical securitys throat or you may be stuck with the bill.

4. Address physical and logical security concerns seperately when looking at card technologies and the ROI. The only thing combined cards save on is plastic. In most instances you’re still paying for the seperate costs of physical and logical security chips. Your savings will come from reduced administrative overhead. Security is raised by reducing the number of provisioning and revocation points for an identity. This really needs to be a policy and operations identity initiative, not a card project.

5. You will have to maintain seperate provisioning systems for physical and logical security. I have yet to see a security vendor from one side that meaningfully crosses the gap to the other, so mature single system solutions are still pending. As a practical matter this can be addressed with the appropriate processes and data flows between systems. Not easy, but absolutely practical. The important thing to remember is that you have a single physical point of registration and issuance from an operational and policy standpoint.

6. Consider logical security applications for your smart card other than PKI. The card based private key is the holy grail of security, but deployments often falter under the cost of deploying and managing certificates for everyone. In most organizations, the vast majority if users could be adequately served with something along the lines of RSA’s SecurID, while deploying PKI to a subset of users. As the system matures, PKI can be expanded to include more users. If you play your cards right, literally, you can deploy PKI to users without having to exchange their cards down the road.

7. Make the card a payment vehicle. Someone will surrender their password for a candy bar, but you’ll have to pry their cards from their dead hands if that is the key to Mountain Dew. If the card means “lunch” it doesn’t get left in the desk. Don’t reinvent the wheel for this. A magstripe adds about 3 cents to the cost of the card and all the payment infrastructure is already in place.

8. Work to have both physical and logical security events reported in the same interface. Let both physical and logical security groups use this. Nothing paints the broader security picture like having it on the same screen. Both your physical and logical access control systems should have the ability to import/export events. If they don’t, upgrade. Do not make this a battle for control.

9. Get HR & public relations invovled. Internal branding is important, too. The “one card” can be a point of access for a variety of service points, not just security. It seems silly, but they can be an unexpected help at getting uninterested C level folks on board. Let the magstripe be an employee health insurance card, or the key to a sweepstakes. Giving away a free iPod to the xxxxth user in foodservice gets people a lot more excited, cheaply, than your latest security effort.

10. Be open minded about the card, but guard the security like a hawk. For instance, smart card based print & copy control can save real $$$, but their “required” card technology may not be adequate for security purposes.

Finally, don’t be fooled by the costs of cards and readers as the ROI. You’re already paying for a physical access card. You’re paying through the nose for lost passwords and bad identity management. USB smart card readers can be had as cheaply as $10 US in bulk. Build a comprehensive ROI for the project. Cards and readers should be a modest portion of that. This is where the “intangibles” from public relations, HR, food service, can providing a tipping momentum.

Personal Identity Verification (PIV) Project