8/9/2005

The Secure Documents We Didn’t Know We Had

Filed under: - btobey @ 10:42 am

A recent announcement by researchers about the unique nano-structure of every document got me thinking about another technology from Mag-tek, MagnePrint.

Both technologies provide a way of uniquely identifying the fundamental makeup of individual credentials, paper and magstripes. With each of these, the actual structure of the document operates as a seed string for a hash, creating a unique “fingerprint” for that document.

The ultimate goal of secure documents is information integrity. As technology advocates we often get enamored with the high tech solutions. Maybe these two technologies are enough to ensure the integrity of the document. Although they are simple, forgery becomes a practical impossibility. Even better, the costs are borne almost entirely by the issuance and reader infrastructure. Nothing beats paper and magstripe when it comes to ease and cost of issuance.

There are still good reasons to have some sort of smarts in documents like passports. However, the RFID component that so many privacy advocates rail against may not be the most secure solution. How about a contact smart card embedded in the document?

As technologists we like the most cutting edge solutions. If the real goal is maximizing security, are we obligated to advocate the solution that gives us the best bang for our security dollar? Lower credential costs means more dollars to spend on cameras or guards, two proven security technologies. Something to think about.

Wired News: Fraud Roshambo: Paper Beats RFID

Comments (0)

5/23/2005

More Talk on Security Convergence

Filed under: - btobey @ 3:02 pm

Forrester issued a report earlier this year on the convergence of Physical and Logical Security. The author, Steve Hunt, felt strongly enough about the subject to leave and form 4AInternational, a consulting firm focused on security convergence.

Security Focus published a nice summary of the report which I’ve been meaning to discuss for some time. Anyone following the security convergence discussions would not be surprised by Forrester’s conclusions. However, it puts numbers on the size of the security convergence market and adds the weight of third party validation to media and conference discussions about security convergence.

What does this mean for convergence? There are a few key areas that offer immediate opportunities for convergence with a moderate effort. First and foremost, card integration. Other areas are policy development, reporting structures, monitoring software, combined incident response, and regulatory compliance. This is where we should see growth over the next 12 months. Now is the time to lay the groundwork for larger efforts in 2006.

Now, to 4AInternational. During engagements with my clients, “security convergence” has achieved buzzword penetration. Convergence issues are being taken seriously in the context of other efforts. What we are not seeing is security convergence as a stand-alone project. Major vendors offer lip service but few effectively offer products and solutions.

Talking about the benefits of security convergence at the C-level is fairly easy. Getting to those benefits is a little more difficult. Traditionally the physical and logical security efforts in an enterprise have different organizational structures and career paths. Both can have great systems, but there are very few individuals with the experience to talk to both groups. What most people do not realize is that physical and logical security systems integration can start small and may not be as far off as they think. If 4AInternational can put together a team that outlines the convergence business case for both sides of security and shows the client the low hanging fruit, they could find themselves with a nice slice of that security convergence growth.

4AInternational

Security-Flaws » Blog Archive » Wedded to physical and IT security?


4/29/2005

California Bill Would Limit RFID, Dumb Down Building Security & Transit

Filed under: - btobey @ 1:46 pm

In a bill with a good intent and poor execution, the California legislature is considering banning RFID in government documents. This could have a dramatic impact on building security, transit and campus ID programs. While many outlets, like Wired and RFIDNews, have been watching this for a while, the bill’s recent passage out of committee deserves notice. It effectively dumbs down government building security and transit while not really protecting much information. A bill titled “Identity Information Protection Act” is sure to be a hit with consumer groups that lack a clear understanding of the impact.

The bill acknowledges beneficial uses for RFID by allowing exceptions such as toll road collection, ID bracelets for children under four, inmates, and mental health patients. Transit applications and building security are not included in the exceptions. Government facilities with existing RFID deployments not covered by exceptions would have until 2011 to phase those out.

Beth Givens, founder and executive director of the Privacy Rights Clearinghouse, quoted in RFIDNEWS, said “Senator Simitian’s bill provides vital protection for all Californians. Individuals who are required to carry government issued IDs should not be put in a situation where that document enables them to be monitored and tracked.” That’s an appropriate sentiment, but it misses the mark because security requires that tracking in some settings and transaction convenience mandates it in others, such as subways and campus dining.

Spurred by a combination of privacy concerns, federal initiatives and public outcry over a poorly considered RFID plan at an elementary school in Northern California, the bill seems to throw the baby out with the bathwater.

Much of the concern about government RFID documents is that your information would be freely available to anyone walking by. If the legislation read “only unique, alphanumeric identifiers can be unencrypted” much of the existing technology could be accommodated while still protecting privacy concerns. The ICAO recommended a system of storing a PIN in a 2D barcode for government officials to “decrypt” more information. This provides for active presentation of the document before more sensitive information is passed along.
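To make the “opaque identifier in the clear, everything else behind a PIN” design concrete, here is an added illustration that is not part of the original post. The only cleartext field on the chip is a unique alphanumeric document identifier; the remaining fields are encrypted and authenticated under a key derived from a PIN that would be printed on the document, so a passive reader learns nothing beyond the identifier and an official must see the document to read the rest. It uses only the Python standard library, and the cipher (HMAC-SHA256 in counter mode plus a separate HMAC tag) is a constructed stand-in for the real ICAO mechanism, not a reproduction of it. The document identifier, PIN and personal fields are all constructed sample values.

```python
"""Opaque identifier in the clear, sensitive fields sealed behind a printed PIN.

Constructed stand-in for the ICAO design discussed above: the cipher here is
HMAC-SHA256 in counter mode with a separate HMAC tag, not the real mechanism.
"""
import hashlib
import hmac
import json
import os
from typing import Callable, Dict, Optional

PBKDF2_ITERATIONS = 100_000  # assumption: tune to the reader hardware


def derive_key(pin: str, doc_id: str, salt: bytes) -> bytes:
    """Stretch the short PIN into a 256-bit key. Binding doc_id into the
    material stops a key recovered for one document being reused on another."""
    material = f"{doc_id}:{pin}".encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Produce `length` bytes of keystream from HMAC-SHA256 over nonce || counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_record(pin: str, doc_id: str, fields: Dict[str, str],
                rng: Callable[[int], bytes] = os.urandom) -> Dict[str, str]:
    """Build the chip record: doc_id in the clear, fields encrypted and authenticated."""
    salt, nonce = rng(16), rng(16)
    key = derive_key(pin, doc_id, salt)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    plaintext = json.dumps(fields, sort_keys=True).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC. The tag also covers doc_id, so the clear identifier
    # cannot be swapped onto a different record without detection.
    tag = hmac.new(mac_key, doc_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
    return {"doc_id": doc_id, "salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_record(pin: str, record: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the decrypted fields, or None if the PIN is wrong or the record was altered."""
    doc_id = record["doc_id"]
    salt, nonce = bytes.fromhex(record["salt"]), bytes.fromhex(record["nonce"])
    ciphertext, tag = bytes.fromhex(record["ciphertext"]), bytes.fromhex(record["tag"])
    key = derive_key(pin, doc_id, salt)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, doc_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # verify before decrypting, constant-time
        return None
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode())


# Constructed sample values: a passive reader sees only the identifier; an
# official holding the document (and its printed PIN) recovers the rest.
SAMPLE_FIELDS = {"name": "Jane Q. Sample", "dob": "1970-01-01", "nationality": "UTO"}
SAMPLE_PIN = "482193"
SAMPLE_DOC_ID = "X12345678"


def demo() -> Dict[str, Optional[Dict[str, str]]]:
    record = seal_record(SAMPLE_PIN, SAMPLE_DOC_ID, SAMPLE_FIELDS)
    return {"passive_reader_sees": {"doc_id": record["doc_id"]},
            "official_with_pin": open_record(SAMPLE_PIN, record),
            "wrong_pin": open_record("000000", record)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the layout is that the record can sit on an openly readable chip: the identifier alone is as meaningful as a serial number, and a wrong PIN or a tampered record fails the tag check before any plaintext is produced.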

As for concerns about surreptitious tracking of individuals, it’s not really worth the effort. Legislation could forbid government tracking with a court order or public notice. Bad guys simply would not carry their documents and police would implement other, less expensive passive surveillance like video facial recognition.

For building access badges, the only alternative technologies are magstripes and bar codes, which are much easier to compromise. Some have suggested the use of contact smart cards for access control but those have proven problematic in the past.

In the US, almost all transit applications are run by the government and they are increasingly moving to contactless technologies as the only method for speeding throughput, increasing transaction security and allowing for the complex fare calculations many transit implementations demand.

Since much of the nation looks at California as a bellwether, expect other states to consider follow up legislation if the California bill passes later this spring. I’m all for privacy, but the implications of an ill-considered bill need to be heard.

Wired News: State Bill to Limit RFID

EPIC.org bill listing

Around the Capitol

http://www.rfidnews.org/weblog/2005/03/03/new-bill-will-protect-californians-privacy-rights-rfids-misnomer/


4/28/2005

The Dartmouth Online Views on ID technologies

Filed under: - btobey @ 3:43 pm

It’s just a college paper, but this article shows how wide the knowledge gap is about RFID and card technologies. The duo prox is nothing like an ICAO passport and has only a fraction of the security risks. Prox cards operate on a different frequency than the proposed passport chips and only pass 26 bits of information to the reader, barely enough for a unique identifier.

Comparing a true contactless smart card to a prox card is like comparing a computer to a calculator. Whole different scale.

Why care about a Dartmouth student article? In any deployed identity system, user education is critical. I am not suggesting that Dartmouth educate their population on the nuances of Wiegand vs. 13.56 MHz, but the population should know the relative risks of using a system with only an abstract identifier and one with a large amount of freely readable identity information. Something to consider. Done right, Dartmouth continues to deploy their identity solutions without having to engage in a big debate about what the State Department wants to do.
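For readers who have never seen what those 26 bits actually contain, here is an added example (not from the original post) that encodes and decodes the common 26-bit Wiegand frame a prox card hands to a door reader: one leading parity bit, an 8-bit facility code, a 16-bit card number and one trailing parity bit. It shows concretely why the post calls this “only an abstract identifier”: there is no cryptography at all, just a 24-bit number with parity, and a reader can do no more than look that number up in its enrolment table. The facility code, card numbers and enrolment table below are constructed for illustration.

```python
"""Encode, decode and check a 26-bit Wiegand frame (the data a typical
125 kHz prox card passes to an access-control reader).

Added example; the frame values and enrolment table are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Wiegand26:
    facility_code: int  # 8 bits: which site or issuer
    card_number: int    # 16 bits: which badge at that site


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build the 26-bit frame as a string of '0'/'1', most significant bit first."""
    if not 0 <= facility_code < 2**8:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number < 2**16:
        raise ValueError("card number must fit in 16 bits")
    payload = f"{facility_code:08b}{card_number:016b}"
    even = str(payload[:12].count("1") % 2)     # leading bit: even parity over the first 12 payload bits
    odd = str(1 - payload[12:].count("1") % 2)  # trailing bit: odd parity over the last 12 payload bits
    return even + payload + odd


def decode_wiegand26(bits: str) -> Wiegand26:
    """Parse a frame, rejecting anything that is not 26 bits with correct parity."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("frame must be exactly 26 binary digits")
    payload = bits[1:25]
    if int(bits[0]) != payload[:12].count("1") % 2:
        raise ValueError("even parity mismatch")
    if int(bits[25]) != 1 - payload[12:].count("1") % 2:
        raise ValueError("odd parity mismatch")
    return Wiegand26(int(payload[:8], 2), int(payload[8:], 2))


def is_valid_frame(bits: str) -> bool:
    try:
        decode_wiegand26(bits)
        return True
    except ValueError:
        return False


# Constructed enrolment table: (facility code, card number) -> badge holder.
# The reader matches on the 24-bit identifier alone; nothing in the frame
# proves the card presenting it is genuine.
ENROLLED: Dict[Tuple[int, int], str] = {
    (123, 45678): "J. Doe",
    (123, 45679): "A. Roe",
}


def reader_decision(bits: str,
                    enrolled: Dict[Tuple[int, int], str] = ENROLLED) -> Tuple[str, str]:
    """Return (decision, detail) the way an access-control panel would log it."""
    try:
        card = decode_wiegand26(bits)
    except ValueError as exc:
        return ("reject", f"malformed frame: {exc}")
    holder = enrolled.get((card.facility_code, card.card_number))
    if holder is None:
        return ("deny", f"unknown card FC={card.facility_code} CN={card.card_number}")
    return ("grant", f"{holder} FC={card.facility_code} CN={card.card_number}")


if __name__ == "__main__":
    frame = encode_wiegand26(123, 45678)
    print(frame, decode_wiegand26(frame), reader_decision(frame))
```

Parity catches a single corrupted bit on the wire, which is the only integrity check the format offers; the contrast with a contactless smart card that can hold keys and run a challenge-response is exactly the computer-versus-calculator gap the post describes.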

The Dartmouth Online


3/29/2005

Identity Management vs. Identity & Transaction Management

Filed under: - btobey @ 10:26 pm

After a whole series of conversations following the Slashdot post, I need to clarify the relative roles of identity management from a digital perspective and the broader perspective of identity & transaction management.

Most of the conversations these days on the topic of identity management center around digital identities. Without a doubt, that’s the hot area and it’s huge. As an information security professional it’s near and dear to my heart.

However hot digital identity may be, organizations taking a broader perspective can leverage identity for even greater value. That’s the premise behind the Identity Initiative: to encourage organizations to develop a synergy between the identity for their network and what they can do across the enterprise. The concept of Identity & Transaction Management encompasses the realms of digital identity management and all the transaction infrastructure where identity can be physically used across the enterprise. Think university ID cards meets digital certificates.




Copyright © 2005 by Identity Initiative, Bret Tobey | Design by 7dana.com