8/9/2005

The Secure Documents We Didn’t Know We Had

Filed under: - btobey @ 10:42 am

A recent announcement by researchers about the unique nano-structure of every document got me thinking about another technology, MagnePrint from Mag-tek.

Both technologies provide a way of uniquely identifying the fundamental makeup of individual credentials, paper and magstripes. With each of these, the actual structure of the document operates as a seed string for a hash, creating a unique “fingerprint” for that document.

The ultimate goal of secure documents is information integrity. As technology advocates we often get enamored with the high tech solutions. Maybe these two technologies are enough to ensure the integrity of the document. Although the approach is simple, forgery becomes a practical impossibility. Even better, the costs are borne almost entirely by the issuance and reader infrastructure. Nothing beats paper and magstripe when it comes to ease and cost of issuance.

There are still good reasons to have some sort of smarts in documents like passports. However, the RFID component that so many privacy advocates rail against may not be the most secure solution. How about a contact smart card embedded in the document?

As technologists we like the most cutting edge solutions. If the real goal is maximizing security, are we obligated to advocate the solution that gives us the best bang for our security dollar? Lower credential costs mean more dollars to spend on cameras or guards, two proven security technologies. Something to think about.

Wired News: Fraud Roshambo: Paper Beats RFID


5/2/2005

Smart Cards to Smart Paper: Gemplus Acquires Secure Printing Firm

Filed under: - btobey @ 10:56 pm

Across the board, the identity space is hot. Last week French smart card manufacturer Gemplus spread its wings a little bit with the acquisition of Finnish secure document company Setec.

Apparently their cooperation on the Singapore electronic passport last year impressed some folks. The deal makes lots of sense. As our paper documents become smarter, the vertical integration of the component manufacturers provides a logical competitive advantage. Pennies matter on this scale, so making production as efficient as possible means a more competitive Gemplus.

While it won’t immediately translate into benefits for the rest of Gemplus’ customer base, maybe it will down the road. Like most smart card companies, Gemplus gets most of their revenues from the telco industry. Although Gemplus has been supplying the ID market for some time, it always held more promise than profits. They made a big play into solutions just before the dot com bust. The Setec acquisition puts Gemplus in a stronger competitive place to pursue secure ID efforts like they won in Singapore.

Smart cards are already showing up in lots of other form factors than cards, so why not throw paper into the mix?

Gemplus Press Release

Gemplus snaps up e-document firm | The Register


4/27/2005

Security Convergence means one credential, two technologies: Raak Technologies Joins HID’s Development Partner Program to Supply Strong Authentication Products and Services to HID’s Reseller Channel

Filed under: - btobey @ 3:24 pm

Here’s an extension of the last post on security convergence. It’s really just a concrete illustration of the fact that the technologies for physical and logical security credentials can live side by side, but they still require different chips.

A few years ago, HID launched a contactless smart card line, iClass. While a lot of the smart card crowd looked down their nose at iClass, HID’s strategy focused squarely on the card and reader sets as an easy migration for their existing channel. HID’s channel of physical security integrators and installers was less concerned with having the greatest smart card technology than with the ability to plug it into their existing systems. To many of the systems it hangs on, the iClass card and reader combo looks just like a dumb old prox card and that suits the customers just fine.

Recently, HID has worked effectively to expand the ecosystem around their cards and this press release shows that off. As I wrote a short while back, they are also bringing some of that ecosystem expertise in house with the acquisition of Synecard.

I’ll lay off HID for a while but they do show how users are not waiting for the “ideal” all-in-one technology, but putting together off the shelf components for an effective convergence solution.

Raak Technologies Joins HID’s Development Partner Program to Supply Strong Authentication Products and Services to HID’s Reseller Channel


4/25/2005

Security Convergence - It’s Not About The Cards, It’s About Operations

In another security forum a security professional asked about using smart cards for a physical/logical security convergence project.

IT security folks often assume this should happen but it’s slow to get moving on the ground. The recent FIPS 201 standard is really bringing these discussions out in the open. Here’s my response to his questions. I hope you find it as helpful as he did.

The token (smart card) is an obvious place to handle security convergence and actually can be deployed fairly cost effectively. However, there is a substantial amount of confusion about what “smart card” convergence actually is. FIPS 201 addresses some of this but there is much to learn from previous, broader roll outs in business and higher education.

Issues to be aware of:

1. The PC/SC standard for smart card computer interfaces addresses a contact chip. This provides a higher level of security by requiring active presentation of the credential.

2. Physical security applications work best with RF technologies. It really boils down to wear and tear on readers and throughput at ingress points. This means a “converged” card will effectively be looking at two technologies, contact and contactless, in the same form factor. You may even need to have multiple flavors of contactless, for instance 125 kHz prox and 13.56 MHz contactless smart card. Card manufacturers can accommodate this.

3. Physical access control systems rarely take advantage of the “smarts” in a card, most often using RF capabilities to broadcast a unique system identifier, rather than any challenge/response authentication. Don’t let the logical security guys make this assumption. Also, switching physical security tokens can represent substantial costs in switching the readers at every door. Don’t cram a card down physical security’s throat or you may be stuck with the bill.

4. Address physical and logical security concerns separately when looking at card technologies and the ROI. The only thing combined cards save on is plastic. In most instances you’re still paying for the separate costs of physical and logical security chips. Your savings will come from reduced administrative overhead. Security is raised by reducing the number of provisioning and revocation points for an identity. This really needs to be a policy and operations identity initiative, not a card project.

5. You will have to maintain separate provisioning systems for physical and logical security. I have yet to see a security vendor from one side that meaningfully crosses the gap to the other, so mature single system solutions are still pending. As a practical matter this can be addressed with the appropriate processes and data flows between systems. Not easy, but absolutely practical. The important thing to remember is that you have a single physical point of registration and issuance from an operational and policy standpoint.

6. Consider logical security applications for your smart card other than PKI. The card based private key is the holy grail of security, but deployments often falter under the cost of deploying and managing certificates for everyone. In most organizations, the vast majority of users could be adequately served with something along the lines of RSA’s SecurID, while deploying PKI to a subset of users. As the system matures, PKI can be expanded to include more users. If you play your cards right, literally, you can deploy PKI to users without having to exchange their cards down the road.

7. Make the card a payment vehicle. Someone will surrender their password for a candy bar, but you’ll have to pry their cards from their dead hands if that is the key to Mountain Dew. If the card means “lunch” it doesn’t get left in the desk. Don’t reinvent the wheel for this. A magstripe adds about 3 cents to the cost of the card and all the payment infrastructure is already in place.

8. Work to have both physical and logical security events reported in the same interface. Let both physical and logical security groups use this. Nothing paints the broader security picture like having it on the same screen. Both your physical and logical access control systems should have the ability to import/export events. If they don’t, upgrade. Do not make this a battle for control.

9. Get HR & public relations involved. Internal branding is important, too. The “one card” can be a point of access for a variety of service points, not just security. It seems silly, but they can be an unexpected help at getting uninterested C level folks on board. Let the magstripe be an employee health insurance card, or the key to a sweepstakes. Giving away a free iPod to the xxxxth user in foodservice gets people a lot more excited, cheaply, than your latest security effort.

10. Be open minded about the card, but guard the security like a hawk. For instance, smart card based print & copy control can save real $$$, but their “required” card technology may not be adequate for security purposes.
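Item 3 is the one the logical security side most often gets wrong, so here is an added illustration (not code from any vendor or from the original post) of why a broadcast identifier and a challenge/response exchange give different assurances. The class names and the HMAC-SHA256 scheme are assumptions chosen for clarity; real contactless cards use their own authentication protocols.

```python
import hashlib
import hmac
import secrets

class Card:
    """Constructed sample credential: a fixed ID plus a secret key on the chip."""
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id, self.key = card_id, key
    def static_broadcast(self) -> bytes:
        return self.card_id                      # same bytes at every door, every time
    def respond(self, challenge: bytes):
        mac = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return self.card_id, mac                 # depends on the reader's nonce

class StaticIdReader:
    """Prox-style reader: admits any transmission matching an enrolled ID."""
    def __init__(self, enrolled_ids):
        self.enrolled = set(enrolled_ids)
    def admit(self, transmission: bytes) -> bool:
        return transmission in self.enrolled

class ChallengeResponseReader:
    """Reader that issues a fresh nonce per presentation and checks the MAC."""
    def __init__(self, keys: dict):
        self.keys, self.pending = dict(keys), None
    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending
    def admit(self, card_id: bytes, response: bytes) -> bool:
        nonce, self.pending = self.pending, None  # each nonce is single use
        key = self.keys.get(card_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def compare_readers():
    card = Card(b"\x00\x2a\x13\x37", secrets.token_bytes(32))  # constructed values
    static_reader = StaticIdReader([card.card_id])
    cr_reader = ChallengeResponseReader({card.card_id: card.key})

    seen_static = card.static_broadcast()        # what the door saw once
    first_static = static_reader.admit(seen_static)
    repeat_static = static_reader.admit(seen_static)   # identical bytes, still valid

    seen_cr = card.respond(cr_reader.challenge())
    first_cr = cr_reader.admit(*seen_cr)
    cr_reader.challenge()                        # next presentation, new nonce
    repeat_cr = cr_reader.admit(*seen_cr)        # old response no longer matches
    return first_static, repeat_static, first_cr, repeat_cr
```

When scoping a converged card, ask which of these two models each door reader actually implements before assigning it the assurance level of the logical side.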

Finally, don’t be fooled by the costs of cards and readers as the ROI. You’re already paying for a physical access card. You’re paying through the nose for lost passwords and bad identity management. USB smart card readers can be had as cheaply as $10 US in bulk. Build a comprehensive ROI for the project. Cards and readers should be a modest portion of that. This is where the “intangibles” from public relations, HR, and food service can provide tipping momentum.

Personal Identity Verification (PIV) Project


3/29/2005

Identity Management vs. Identity & Transaction Management

Filed under: - btobey @ 10:26 pm

After a whole series of conversations following the Slashdot post, I need to clarify the relative roles of identity management from a digital perspective and the broader perspective of identity & transaction management.

Most of the conversations these days on the topic of identity management center around digital identities. Without a doubt, that’s the hot area and it’s huge. As an information security professional it’s near and dear to my heart.

However hot digital identity may be, organizations taking a broader perspective can leverage identity for even greater value. That’s the premise behind the Identity Initiative, to encourage organizations to develop a synergy between the identity for their network and what they can do across the enterprise. The concept of Identity & Transaction Management encompasses the realms of digital identity management and all the transaction infrastructure where identity can be physically used across the enterprise. Think university ID cards meets digital certificates.


3/23/2005

What Are Your Don’t Miss Identity & Transaction Events?

Last week was the National Association of Campus Card Users (NACCU) annual conference. Other obligations kept me from attending for the first time since 1997. That and the beginning of the events log got me thinking about what the “Don’t Miss Events” are as they relate to Identity & Transaction Management.

For those looking to draw additional value from your identity management initiatives, college campuses are a great place to look. Unlike most corporate organizations, higher education often leverages their identity for value added services while neglecting security. Add that solution set to a corporate or government security stance and you have a recipe for a broad identity.

NACCU just passed and Card Tech/Secure Tech is just around the corner. IDWorld is emerging as a strong fall conference for identity. ISCWest is the premier spring physical security event. ASIS takes the physical security lead for the fall. I’ve always enjoyed the RSA conference, especially with my PKI experience. Moving to the straight transaction side, NAMA (vending) and FSTech (food service), NACUFS (more food), and IPI (parking) are all good shows. NACAS, NACUBO and ACUHO all offer opportunities to learn about how higher ed draws additional value from what they traditionally call “card programs.” Educause in the fall offers another really good chance to look at higher ed identity, this time from the IT perspective.

Wow, I know that seems like a lot, but I barely touched on the information security opportunities and left out the government conferences entirely. Please drop us a comment or email, to let us know which events you get the most out of. Check our events calendar and feel free to submit any we missed.

CTST, ISCWest and NAMA almost overlap in the coming weeks in Vegas. I, however, will be attending an Infosec conference in Orlando and then heading down to Ft. Lauderdale for the International Parking Institute conference. Don’t laugh, there’s a lot of money in parking and we always want security around our cars.


Copyright © 2005 by Identity Initiative, Bret Tobey