Operating Software in Secure Electronic Documents

White Paper October 2008


About Gemalto

Gemalto is the leader in digital security, with annual revenue of over €1.6 billion registered in 2007, more than 85 offices located in 40 countries and a workforce 10,000 strong that includes 1,300 R&D engineers.

Gemalto secure electronic documents are deployed in more than 50 government programs worldwide. Our firm is an acknowledged market leader in the field of smart card identity document technology. Gemalto is an active member of all standardization organizations relevant to smart card implementation.


Authors

Charles Mevaa

Kimmo Karppinen

Thierry Pepy

Patrice Plessis

Emmanuel Ventadour

Petri Viljanen

October 2008


Executive summary

Secure documents such as passports, identity cards, driver licenses and healthcare cards can be migrated to electronic form by embedding a secure electronic component in them. This electronic component comprises a microprocessor running specially developed operating software.

Successful implementation of a secure electronic document is achieved when best-in-class operating software is deployed together onto appropriate and qualified microprocessor platforms. When these criteria are met:

• Security reaches its apex, as software countermeasures represent the ultimate, most effective barrier of protection appropriate to each microprocessor’s design.

• Functionality offered by the single or multi-application operating software covers current and future government application needs and supports third-party applications.

• Performance (in particular personalization and reading time) is optimized through operating software that best leverages all of the microprocessor’s processing and communication characteristics.

• Interoperability at national and international levels is the result of the optimum processing and formatting of data by the operating software.

Hence, choosing the right operating software is the first and most important step when building a secure electronic document project. Other considerations, including the selection of the microprocessor platform, should come as a second step.

Any choice of operating software and supplier must meet both immediate needs and long-term viability. Governments should therefore look to operating software partners with extensive, field-tested expertise:

• A broad portfolio that allows easy upgrade migration paths as government requirements evolve

• Continual innovation in terms of security, applications and trends in secure electronic documents

• Expertise and experience to ensure the success of the identity project deployment

• Critical mass of business as proof of manufacturing capabilities and ability to offer microprocessor platform multi-sourcing

• A solid partner-based relationship, thanks to proven financial standing and a strong business track record

In summary, an electronic passport, identity card, driver license or health card should embed carefully selected operating software. The choice of the operating software will greatly influence the short-term success and long-term viability of any secure electronic document program.


Table of contents

About Gemalto (page 2)
Executive summary (page 4)
Table of contents (page 5)
Introduction (page 6)
Understanding secure electronic documents (page 7)
    Applicative environment (page 7)
    Electronic component (page 8)
    eBorder, eGovernment and eHealth applications (page 9)
Security to outpace the spread of fraud (page 11)
    Cryptography (page 12)
    Attacks and countermeasures (page 12)
    Security certification (page 14)
    A secure electronic component (page 14)
Expanded functionality (page 15)
    Increasingly versatile applications (page 15)
    Range of operating software choices (page 15)
    Secure electronic documents in practice (page 16)
    Electronic document programs to date (page 17)
    Examples of programs (page 17)
Performance pivotal to efficiency (page 19)
    Performance optimizes costs (page 19)
    Performance: hardware and software (page 19)
    Fast and slow software (page 20)
    Real example of software performance (page 22)
Interoperability for international reach (page 24)
    Travel documents and interoperability (page 24)
    Standards convergence (page 26)
Consistent microprocessor sourcing (page 28)
    Microprocessor platform selection (page 28)
    Microprocessor quality monitoring (page 30)
    Liaising with the microprocessor supplier (page 31)
Long-term viability (page 32)
    Upgradeable portfolio offerings (page 32)
    Significance of innovation (page 33)
    Expertise and experience (page 34)
    Critical mass of business (page 34)
    Reliable and steadfast partner (page 35)
Conclusion (page 36)
Glossary of acronyms (page 37)


Introduction

Electronic versions of secure documents have evolved gradually over time to supplant their conventional counterparts. Be they passports, national ID cards, driver licenses or healthcare cards, these documents are now equipped with an electronic component embedded within the card or—as in the case of passports—within the cover or plastic data page. Today, over 50 countries issue electronic passports for a total of over 50 million per year. Worldwide, over 21 countries issue an eID card to their citizens—the first to do so being Finland in 1998.

This trend in secure electronic documents, driven by national and international policy and legislation, stems from a relentless pursuit of security, to stay one step ahead of fraud and forgery. Embedded electronic technology enables a leap in security well beyond the visual security features of conventional, non-electronic documents. For instance, the civil data stored electronically is digitally signed by the issuer, so any alteration is detected when the document is verified. Likewise, biometric data can be kept confidential and released only to authorized parties.

The migration of secure documents to electronic format also enables a connection to be established with the networked applicative environment that has reshaped our society (Internet, eGovernment services, intranets, peer-to-peer communication, etc.). Secure electronic documents simplify everyday living for citizens while dramatically reducing operations costs and deterring fraud. Border control authorities, immigration authorities and health organizations all stand to benefit from secure electronic documents.

Secure access to e-Banking services with the national e-ID card in Finland.

To be classified as electronic, a secure document must include an ‘electronic component’. What exactly is this embedded electronic component? How does it work? How can it deliver the appropriate degree of security, functionality, performance and interoperability? What is vital to ensure the issuing organization chooses a reliable, future-proof and viable electronic component?

This white paper aims to explain the parts of an electronic component—combining a microprocessor and operating software—and explores how security, functionality, performance, efficiency and viability are all determined by the microprocessor and operating software.


Understanding secure electronic documents

Applicative environment

The purpose of a secure electronic document is by nature similar to that of a conventional (non-electronic) secure document:

• It must serve as valid proof of identity for the citizen

• It should be trusted by third parties

• It should enable the citizen to access government services, even remotely

To meet this challenge, electronic documents are designed to include a specific set of applications, particularly:

• Cardholder data digitally signed by the government as proof of authenticity

• Biometric data stored on the document to prove that stored data matches that of the bearer

• Digital signature enabling the citizen and government to securely establish contracts online

To operate, a secure electronic document uses an IT infrastructure deployed wherever the citizen may require proof of identity and access to government services. This infrastructure consists of four main links:

• Application system processing data

• Digital network connected to government institutions and third-party organizations

• Document reader connected to the document

• Electronic component of the document securely managing the electronic credentials

The electronic component includes the silicon microprocessor platform and the operating software.

[Figure: government and application servers (eHealth, eGovernment, PKI, eBorder) connected through the IT infrastructure and the document reader to the secure document's electronic component (operating software, microprocessor and application) over an end-to-end secure connection.]

Leveraging IT infrastructures, the electronic document offers advanced proof of identity enabling citizens to access remote services.


Electronic component

Microprocessor platform: the secure electronic document ‘hardware’

A secure electronic document embeds a small Integrated Circuit (IC) commonly referred to as a ‘chip’. Two main categories of chips are used in the smart card industry:

• Chips featuring memory-only storage components, usually holding a slightly greater amount of data than a magnetic stripe. Such technology is seldom used in secure documents.

• Chips integrating a microprocessor component in addition to memory storage. Far more complex than the ‘memory-only’ chips, they have the ability to process data and perform complex cryptographic operations. Most secure electronic documents are microprocessor-based.

Microprocessor platforms can be compared with the hardware of a ‘mini computer’, with a Central Processing Unit (CPU) and memory.

In order to function and serve an application, the microprocessor requires software, called operating software, installed in the microprocessor platform’s memory. This operating software is designed specifically to drive the CPU and to process the personal data and credentials stored in the microprocessor’s memory.

Operating software combines the core operating system and software applications (sometimes called applets) running on top of the operating system.

In microprocessors, operations are controlled by the operating software and executed by the CPU.

Operating software: the secure electronic document ‘software’

The purpose of the operating software stored in the microprocessor memory is to manage microprocessor resources and interface with the exterior environment. The operating software is therefore designed to perform the following actions:

• Communicate with the exterior environment through defined protocols

• Store, retrieve and manage data from the microprocessor memory

• Process data

• Ensure data protection (cryptographic operations)

• Support card life management (initialization, personalization and deactivation)

Two distinct types of operating software exist:

• Dedicated operating software, commonly referred to as ‘native’, which is designed to run a specific application. In such cases the operating software usually includes the application itself.

• General-purpose operating software, commonly referred to as ‘multi-application’, which is designed to run several dedicated standalone applications, or ‘applets’. This approach continues to gain momentum.

The operating software is the concertmaster of the activities taking place in the microprocessor. It may manage one or many applications at the same time, as is increasingly commonplace with multi-application secure documents.


Contact and contactless interfaces

Contact interface cards feature a metallic contact pad embedded in the surface of the document. The secure document must be inserted into a card reader to enable data transfer between the electronic component and the exterior environment.

Contactless interface cards enable communication with readers through radio-frequency induction technology and do not show any obvious exterior sign of the electronic component. An antenna embedded in the secure document’s body relies on the principle of electromagnetic induction to send and receive data via radio waves.

The Swedish national eID card is both contact and contactless. Shown here is the module for the contact interface; the antenna embedded for the contactless interface is not visible.

Contact and contactless secure documents rely on the operating software to exchange protected data over the interface, feeding and managing the communication channel at high speed. The operating software is designed to meet the interface specifications, enabling secure and efficient communications.

Convenient and efficient, the interface delivers true ease of use. Its underlying security and performance are intrinsically tied to the operating software.

eBorder, eGovernment and eHealth applications

Secure electronic documents make use of IT infrastructure to connect to government or third-party services. Once connected to the card reader, the operating software processes data and completes advanced security checks and operations. For instance, the operating software can execute a Match on Card (MoC) application to securely compare the bearer’s fingerprints with a certified template in order to prove his or her identity. Alternatively, it could simply prompt the bearer to authenticate by entering a Personal Identification Number (PIN).

When all security checks are positively completed, the operating software can proceed to establish a secure connection with a government or third-party service. This enables data exchange to take place between the operating software and the application servers. Many kinds of applications are possible, including:

• Identity applications involving a national civil registry, which are used mainly for identity control purposes, possibly involving biometrics (comparing the card holder’s fingerprint with data stored in the government-certified secure document).

• Travel applications, with personal data formatted to International Civil Aviation Organization (ICAO) standards and, in some cases (Singapore’s BioPass, introduced in 2006; European passports as of 2009), biometrics. The Extended Access Control (EAC) application restricts access to fingerprint biometrics to border control inspection systems authorized by the issuing state.


• Authentication for government or third-party eServices that allow citizens to access personal data online for administrative purposes (online tax filing, etc.).

• Digital signature is an important application recognized by the legislation of most countries. The operating software signs electronic documents with a private key that never leaves the microprocessor; the corresponding digital certificate, also stored in the microprocessor’s memory, lets the relying party verify the signature (non-repudiation of contracts, etc.).

The operating software enables the connection to the IT application and manages the interaction with government or third-party services.

The second generation of ePassports is a major step in biometrics. It creates a very strong link between the document and its owner, as fingerprints offer a sure means of personal identification. Operating software must integrate security mechanisms such as EAC (Extended Access Control).


Security to outpace the spread of fraud

As with any other digital environment, a secure electronic document is only as strong as its weakest component. Because absolute security does not exist, high-level security is best described as a balance between the cost and complexity of the countermeasures implemented and the value of what they protect.

When migrated to an electronic format, secure documents must offer the extremely high level of security that government authorities have come to expect. They must provide the basic security properties of confidentiality, integrity and availability, and in particular the four properties on which secure transactions and exchanges rest:

• Authentication of parties involved

• Confidentiality to prevent information disclosure

• Integrity to ensure that data are not altered

• Non-repudiation to enable digital signature mechanisms

Hackers of secure electronic documents are motivated by crime, terrorism and, in some cases, the lure of fame. Although less rewarding to hack than databases–which contain millions of data records–secure electronic documents are still potential targets due to their widespread deployment and value.

As of June 2009, EU countries will be required to incorporate biometric data (digital fingerprints) into ePassports


Cryptography

Cryptographic functions perform the calculations necessary for authentication, confidentiality, integrity and non-repudiation. These software operations depend on microprocessor capabilities, two of which are particularly important for cryptographic functions:

• A random number generator that delivers unpredictable numbers on demand (for keys, challenges and the randomization used by countermeasures)

• A cryptographic co-processor that accelerates calculations in dedicated, silicon-hardwired circuits

The operating software must therefore be designed in a way that optimizes data processing required for cryptography–not only through the best logical path, but also by best exploiting the capabilities, strengths and weaknesses of the microprocessor platform.

Managing cryptographic functions becomes ever more complex as new algorithms, such as elliptic curve cryptography (ECC), are introduced, or as key lengths grow to keep brute-force attacks well beyond the reach of available computing power.

Operating software of secure electronic documents is designed to handle an array of cryptographies:

• Asymmetric cryptography used in Public Key Infrastructure (PKI), such as RSA-based cryptography and, increasingly, elliptic curve algorithms

• Symmetric cryptography used for secure messaging channels, such as the 3DES (Triple DES) and AES algorithms
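The symmetric case above, as an added example in Go (not code from this paper or from Gemalto): the 3DES secure messaging that ICAO Doc 9303 specifies between an ePassport chip and a reader once a shared seed has been established by access control. Session key derivation (SHA-1 over seed and counter, parity adjusted), ISO 9797-1 padding method 2, 3DES-CBC with a zero IV and the ISO 9797-1 MAC algorithm 3 ("retail MAC") over a send sequence counter and the ciphertext follow that specification; the seed is a constructed value, the function names are assumptions, and the APDU framing of a real command is reduced to a plain byte string. The AES variant of Doc 9303 (AES-CBC with a counter-derived IV and AES-CMAC) is not shown.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"math/bits"
)

// SessionKeys holds the two 3DES keys derived from a shared seed.
type SessionKeys struct{ Enc, Mac [16]byte }

// deriveKey is the Doc 9303 3DES key derivation: SHA-1(seed || counter), first
// 16 bytes, odd DES parity on every byte. Counter 1 is Kenc, counter 2 is Kmac.
func deriveKey(seed []byte, counter uint32) (k [16]byte) {
	h := sha1.New()
	h.Write(seed)
	h.Write([]byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)})
	copy(k[:], h.Sum(nil))
	for i, b := range k {
		k[i] = b&0xFE | byte(1-bits.OnesCount8(b&0xFE)%2)
	}
	return k
}

func DeriveSessionKeys(seed []byte) SessionKeys {
	return SessionKeys{Enc: deriveKey(seed, 1), Mac: deriveKey(seed, 2)}
}

// pad and unpad implement ISO 9797-1 padding method 2: 0x80, then zeros to the block boundary.
func pad(b []byte) []byte {
	out := append(append([]byte{}, b...), 0x80)
	for len(out)%8 != 0 {
		out = append(out, 0)
	}
	return out
}

func unpad(b []byte) ([]byte, error) {
	i := bytes.LastIndexByte(b, 0x80)
	if i < 0 || bytes.Count(b[i+1:], []byte{0}) != len(b)-i-1 {
		return nil, errors.New("bad padding")
	}
	return b[:i], nil
}

// retailMAC is ISO 9797-1 MAC algorithm 3 with DES (the Doc 9303 "retail MAC"):
// single-DES CBC-MAC under Ka over the send sequence counter and the padded
// data, then a DES decryption under Kb and a DES encryption under Ka.
func retailMAC(key [16]byte, ssc uint64, data []byte) []byte {
	ka, _ := des.NewCipher(key[:8])
	kb, _ := des.NewCipher(key[8:])
	var st [8]byte
	binary.BigEndian.PutUint64(st[:], ssc) // the counter is the first block
	ka.Encrypt(st[:], st[:])
	for p := pad(data); len(p) > 0; p = p[8:] {
		for j := range st {
			st[j] ^= p[j]
		}
		ka.Encrypt(st[:], st[:])
	}
	kb.Decrypt(st[:], st[:])
	ka.Encrypt(st[:], st[:])
	return st[:]
}

// tdes is two-key 3DES (Ka, Kb, Ka); Doc 9303 uses it in CBC mode with a zero IV.
func tdes(key [16]byte) cipher.Block {
	blk, _ := des.NewTripleDESCipher(append(append([]byte{}, key[:]...), key[:8]...))
	return blk
}

// Wrap encrypts the padded plaintext, then MACs counter and ciphertext, so a
// replayed, reordered or altered message fails verification.
func Wrap(keys SessionKeys, ssc uint64, plaintext []byte) []byte {
	p := pad(plaintext)
	ct := make([]byte, len(p))
	cipher.NewCBCEncrypter(tdes(keys.Enc), make([]byte, 8)).CryptBlocks(ct, p)
	return append(ct, retailMAC(keys.Mac, ssc, ct)...)
}

// Unwrap checks the MAC in constant time before decrypting anything.
func Unwrap(keys SessionKeys, ssc uint64, msg []byte) ([]byte, error) {
	if len(msg) < 16 || len(msg)%8 != 0 {
		return nil, errors.New("malformed message")
	}
	ct, mac := msg[:len(msg)-8], msg[len(msg)-8:]
	if subtle.ConstantTimeCompare(mac, retailMAC(keys.Mac, ssc, ct)) != 1 {
		return nil, errors.New("MAC check failed")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(tdes(keys.Enc), make([]byte, 8)).CryptBlocks(pt, ct)
	return unpad(pt)
}
```

Two details matter on a card: the MAC is verified before any decryption or padding check, so a tampered message yields a single error with no padding oracle, and both sides increment the send sequence counter per message, so an old message replayed into a later position fails the MAC even though the keys are unchanged. A zero IV is acceptable here only because the counter is part of every MAC and the keys live for one session.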

Attacks and countermeasures

Because well-chosen cryptographic algorithms cannot practically be broken by computation alone, attackers have shifted their focus from the algorithms to their implementation, attacking the electronic component directly.

Physical attacks

Physical attacks are a category of attack that usually alters the physical properties of the microprocessor irreversibly. Many rely on reverse engineering techniques using optical or scanning electron microscopes. The aim is to capture data stored in memory areas, as well as data flows. Such techniques are also used to disconnect circuits, override sensors or regenerate blown fuses.

Due to their minute size and increasingly dense number of transistors, microprocessors are considered highly resistant to visual reverse engineering. Additional features further enhance security:

• Single-component design (without reusing standard silicon blocks) and glue logic design (mixing functional blocks) render the structure more complicated to analyze.

• Scrambling of buses and memory protects data.

• Multiple-layer design enables sensitive components to be concealed between less sensitive ones.

• Protective layers offer physical protection that impairs microprocessor operation if removed.

• Sensors detect abnormal environmental conditions (temperature, light, etc.).

Sophisticated equipment and considerable technical expertise–coupled with the inherently minute scale of microprocessors–all contribute to a significant reduction in the actual threat of physical attacks on microprocessor platforms.

Operating software must fully exploit microprocessor capabilities such as data scrambling and environmental sensors.


Logical attacks

Logical attacks are the most widespread threats. They aim to recover confidential data from secure devices without actually damaging the device. By monitoring execution time, power consumption or electromagnetic radiation from a microprocessor, it is possible to make inferences about processed data. Typical attacks include:

• Simple Power Analysis (SPA), which uses variations in overall power consumption

• Differential Power Analysis (DPA), which is based on statistical analysis of power consumption curves applied to several executions of a single algorithm

• Electromagnetic analysis, which is similar in principle to SPA and DPA, except that it is applied to radio frequency emissions

• Timing attacks, which are based on an analysis of the timing required to execute operations, reflecting specific data

• Fault attacks, which deliberately induce abnormal environmental conditions (voltage or clock glitches, light, temperature) that cause the microprocessor to produce computational errors that can leak protected information or skip a security check

• Software attacks, which focus on software weakness by using the microprocessor’s normal interface-based communication channel

Countermeasures against logical attacks are outlined in the table that follows.

Attack: SPA, DPA, electromagnetic analysis
Microprocessor countermeasures:
• Reduce power and electromagnetic emission signals
• Add noise
• Introduce random factors, including clock speed and processor interruptions
Operating software countermeasures:
• Random delays
• Time-constant programming
• Dedicated measures addressing the mathematical characteristics of algorithms
• Ratification counters
• Restricted use of cryptographic functions

Attack: Timing attacks
Countermeasure:
• Time-constant design

Attack: Fault attacks
Microprocessor countermeasures:
• Sensors (voltage, frequency, light, temperature)
Operating software countermeasures:
• Usage of sensors
• Random delays added to critical parts of code
• Redundant computation and checks
• Additional measures based on data sensitivity

Attack: Software attacks
Operating software countermeasures:
• Bug-free programming
• Rigorous development method
• Intensive validation tests
• Formal methods development for critical functions

Efficient protection against attacks

Logical attacks are the most common attacks. Their countermeasures are essentially software-based.

Only expert security specialists with extensive experience and technical knowledge of cryptography, microprocessor architecture and distributed-system security can design and implement such countermeasures in operating software.
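Three of the operating software countermeasures in the table above (ratification counters, time-constant programming and redundant computation with checks) can be shown together on the most common critical routine of a card operating system, PIN verification. The following is an added example in Go, not code from this paper or from Gemalto; a real card operating system is written in C or assembly for the target microprocessor, where the developer also has to make sure the compiler preserves these properties and typically uses encoded values rather than plain booleans for the redundant result. The Card type, its method names and the sample PIN are assumptions for illustration.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

const maxTries = 3

var (
	ErrBlocked = errors.New("PIN blocked")
	ErrWrong   = errors.New("wrong PIN")
	ErrFault   = errors.New("inconsistent result: possible fault attack, card blocked")
)

// Card models the state the operating software keeps in non-volatile memory
// for PIN verification. The reference PIN is a constructed sample.
type Card struct {
	ref     []byte
	tries   uint8 // ratification counter: attempts remaining
	blocked bool
}

func NewCard(pin []byte) *Card { return &Card{ref: pin, tries: maxTries} }
func (c *Card) Tries() uint8   { return c.tries }

// naiveCompare returns at the first mismatching byte. The number of bytes it
// examines, and therefore its execution time and power trace, depends on how
// many leading digits of the guess are right, so the PIN can be recovered one
// digit at a time. It is shown only to contrast with VerifyPIN.
func naiveCompare(ref, guess []byte) (equal bool, steps int) {
	if len(ref) != len(guess) {
		return false, 0
	}
	for i := range ref {
		steps++
		if ref[i] != guess[i] {
			return false, steps
		}
	}
	return true, steps
}

// VerifyPIN applies three countermeasures from the table above:
//  1. the ratification counter is decremented and committed before the
//     comparison, so cutting power right after a failed comparison does not
//     give the attacker a free attempt;
//  2. the comparison runs in constant time, independent of the guess;
//  3. the comparison is computed twice (redundant computation) and any
//     disagreement between the two results is treated as an induced fault:
//     the card blocks instead of taking the more favourable branch.
func (c *Card) VerifyPIN(guess []byte) error {
	if c.blocked || c.tries == 0 {
		c.blocked = true
		return ErrBlocked
	}
	c.tries-- // written to non-volatile memory here, before the PIN is compared
	r1 := subtle.ConstantTimeCompare(c.ref, guess)
	r2 := subtle.ConstantTimeCompare(guess, c.ref)
	if r1 != r2 {
		c.blocked = true
		return ErrFault
	}
	if r1 != 1 {
		if c.tries == 0 {
			c.blocked = true
		}
		return ErrWrong
	}
	c.tries = maxTries // correct PIN: reset the counter
	return nil
}

func main() {
	c := NewCard([]byte("1234"))
	fmt.Println(c.VerifyPIN([]byte("1111")), c.Tries()) // wrong PIN 2
	fmt.Println(c.VerifyPIN([]byte("1234")), c.Tries()) // <nil> 3
	_, s := naiveCompare([]byte("1234"), []byte("1200"))
	fmt.Println("naive compare examined", s, "bytes") // 3
}
```

The order of the counter update is the point of the ratification counter: if the counter were decremented after a failed comparison, an attacker who monitors power consumption can cut power the moment the comparison finishes, before the decrement is written, and try every PIN without ever exhausting the counter.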


Security certification

Testing by third-party laboratories enables the effectiveness of security measures to be evaluated independently and objectively. As a result, government authorities gain access to an independent security review recognized industry-wide.

Although important, certification is not enough to differentiate microprocessors and operating software. Indeed, certification is merely a threshold–two products awarded the same certification can have two very different levels of security.

The best-known evaluation scheme for smart cards in general, and particularly for secure electronic documents, is the Common Criteria (CC). CC resulted from the improvement and harmonization of the American (TCSEC), Canadian (CTCPEC) and European (ITSEC) IT security criteria. FIPS 140 validation (Federal Information Processing Standards) also certifies cryptographic modules, but is less commonly used in identity programs.

In CC evaluations, EAL4+ is the highest level at which the added assurance comes mainly from deeper testing and vulnerability analysis of the product itself; EAL5 and beyond mostly add formal and semi-formal methods in the development process. For example, EAL5+ requires a semi-formal design and the corresponding documentation, but by itself EAL5+ does not entail any additional technological security, in contrast to EAL4+. In practice the augmentation behind the ‘+’ matters more than the base level: smart card evaluations are typically augmented with the vulnerability analysis component for attackers with high attack potential (AVA_VAN.5 under CC version 3.1), and it is this component, not the EAL number alone, that expresses resistance to the physical and logical attacks described above.

The date on which certification is awarded is also important, as is the Protection Profile (PP) against which the evaluation was performed. An operating software product certified EAL4+ in 2004, for instance, was evaluated against the attack techniques known at that time and offers less assurance than one certified EAL4+ in 2008 against the attacks discovered since.

In the electronic components of secure documents, it is best, although not sufficient, to rely on certified products with:

• The recommended microprocessor chip certification of EAL5+

• The recommended operating software certification of EAL4+

A secure electronic component

Operating software is the layer running on top of the microprocessor hardware. It utilizes the tools and capabilities offered by the microprocessor, but must also compensate for its weaknesses. It is therefore easier to develop secure operating software on a secure, usually certified, microprocessor, which also provides better protection against physical attacks.

Operating software provides the layer that, in the context of an identity application, handles, processes and communicates data. The level of security of an electronic component therefore corresponds to the level of security of its operating software.

Operating software must necessarily be highly secure:

• Preferably certified, EAL4+ being the appropriate level of certification, with certification awarded relatively recently

• Provided by a supplier with a proven track record of security, with a dedicated security department and undisputable expertise in cryptography, microprocessor architectures and distributed-systems security


Expanded functionality

Increasingly versatile applications

Secure electronic documents provide governments with the possibility of introducing a wide range of electronic applications, the most obvious being electronic identity providing proof positive of the bearer’s identity. This application can be introduced by storing printed data or electronic keys on the microprocessor for proof of identification.

In the interest of convenience for both government and citizens, secure electronic documents additionally enable introduction of new online government services such as tax filing and electronic voting. They maximize government resources through automated processes while increasing quality of service for citizens. They also enable private services such as eBanking, or any electronic service requiring authentication, security or signature.

National eID cards offer flexibility, as they are dynamic and can support new applications once issued to citizens, through multi-application and post-issuance capabilities. Emerging uses for secure electronic documents—such as for eGovernment services—extend beyond the original scope of the ID documents (visual identification). New applications can be added over time, making the card an integral part of each holder’s day-to-day routine. As demonstrated, electronic documents are extremely secure devices to store the citizen’s electronic identity.

To capitalize on the secure electronic capabilities, additional applications are needed. The electronic component of the secure document—specifically, the operating software—is the key enabler for application introduction.

Electronic components include keys that enable identification, authentication and digital signature. In some instances, authentication occurs online, with the application and data stored on centralized databases. In other instances, applications run in offline mode with data stored, processed or maintained inside the electronic component.

Range of operating software choices

Several levels of platforms exist to enable applications to perform actions ranging from simple storage of basic data (such as personal data of a cardholder or serial number) to multi-application functionality to provide a true multi-applicative environment.

• One example of cost-effective yet powerful operating software for basic applications is the Multi-application Payment Chip Operating System (MPCOS) for secure data storage and basic identification applications. It typifies the native technology approach that offers a low entry barrier for single or multi-application needs where basic data is encrypted and stored inside the microprocessor.

• The greatest number of sophisticated applications on a secure electronic document can be achieved today using Java Card and Multos technologies. Based on the Java Card Platform specifications developed by Sun Microsystems, Java Cards run Java-based applets securely on the electronic component. The card and security architecture are outlined by Global Platform, whose specifications cover the secure loading of applets onto the card and their subsequent management. Multos is an integrated, highly secure framework allowing easy card management. Multos specifications are managed by the independent Multos Consortium.

• In the case of targeted applications, such as the ICAO travel application, dedicated operating software is designed to meet specific security and performance requirements. Implementations of such operating software by various technology providers can produce widely ranging results, however.

Open platforms such as Java Card and Multos have become the most widely implemented to date. Widespread native applications have in turn evolved to become part of the Java Card and Multos environments, present as applets in these multi-application operating software platforms. MPCOS technology evolved in this way, and now counts over 100 million cards delivered worldwide for multiple purposes. By using the MPCOS functionality as an applet together with other applications, it is possible to maintain legacy functionality while entering the world of open platforms.

Secure electronic documents in practice

Border security

Thanks to ICAO standards and the recent introduction of electronic passports, border security is currently one of the driving applications of secure electronic documents. The ICAO sets the standards for electronic travel applications, which have already been incorporated into both electronic passports and electronic identity cards. For operating software development, these standards translate into demanding functional and security requirements.

Harmonization of identity documents is currently underway, for instance, in the Schengen zone where national eID cards now serve as travel documents. Sweden has already set the tone in Europe by combining contactless ICAO-compliant travel applications with contact-based functionality in a national eID card:

• The contact interface offers access to governmental and private electronic services

• The contactless interface houses the ICAO-standardized electronic travel application

As a result, contact and contactless national eID cards are being deployed widely in Europe, whether hybrid (two microprocessors, each with its own interface) or dual-interface (one microprocessor with two interfaces). In either case, it is the operating software that manages the data processing, transfers and communication. Such dual-interface operating software must be designed using state-of-the-art technology and secured in order to meet the complex requirements of multi-application use.

Biometrics

The ICAO standardizes machine-readable passports worldwide and, in this capacity, sets the standard for biometric passports, which carry biometric data to authenticate the identity of travelers. Biometrics have also been incorporated into a number of national eID cards, notably through Match-on-Card (MoC) functionality. The impact of biometrics is wide-reaching, both securing authentication and enabling greater citizen convenience.

In electronic passports, the operating software restricts access to the fingerprint data to authorized inspection systems only, through the Extended Access Control (EAC) privacy mechanism. EAC builds on Basic Access Control (BAC), the anti-skimming mechanism that requires the reader to derive access keys from the optically read machine-readable zone (MRZ) before any data can be read from the chip.

In the MoC mechanisms incorporated into national eID cards, the operating software receives a fingerprint captured by the reader and compares it with the reference data stored securely inside the secure electronic document. The stored fingerprint data is never communicated outside the chip, protecting the individual's privacy. Secure storage of the fingerprint and optimized matching mechanisms are both handled by the operating software.

European Citizen Card

Global interoperability is a major objective of the specifications developed by the ICAO for electronic passports. A similar need for common security mechanisms exists for eID, where there are no international standards. European governments and secure electronic document specialists have therefore collaborated to establish a common framework for eID applications. The European Citizen Card (ECC) conforms to the Identification, Authentication, Signature (IAS) framework, achieving eID application interoperability and an increased level of security, both of which are required of operating software providers. IAS relies on existing smart card standards. Work currently performed in the area of ECC is supported by standardization committees led by the European Committee for Standardization (CEN).


Electronic document programs to date

The table below illustrates the scope of major ePassport, eID and eDriver license & vehicle registration and eHealth programs (projects being deployed) around the world as of August 2008 (non-comprehensive list).

Columns: ePassport, National eID, eDL (eDriver license and vehicle registration), eHealth.

Asia
  ePassport: Australia, Brunei, Hong Kong, Japan, Malaysia, New Zealand, Philippines, Singapore, South Korea, Taiwan, Thailand
  National eID: Brunei, China, Hong Kong, Macau, Malaysia, Thailand
  eDL: India, Japan
  eHealth: China

Middle East
  ePassport: Qatar, Pakistan
  National eID: Bahrain, Kuwait, Oman, Qatar, UAE, Saudi Arabia

Africa
  ePassport: Côte d’Ivoire, Nigeria
  National eID: Morocco
  eHealth: Algeria

CIS
  Azerbaijan (single entry; the column is not preserved in the extracted table)

Europe
  ePassport: Austria, Belgium, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Macedonia, Netherlands, Norway, Poland, Portugal, Slovenia, Slovakia, Spain, Sweden, Switzerland, United Kingdom
  National eID: Belgium, Estonia, Finland, Portugal, Italy, Spain, Sweden
  eDL: Tachograph: 27 EU countries
  eHealth: Austria, Belgium, France, Germany, Italy, Spain

Americas
  ePassport: USA, Venezuela
  National eID: Mexico, El Salvador
  eDL or eHealth (column not preserved in the extracted table): Mexico, Puerto Rico

Examples of programs

The electronic identity programs presented below, for instance, provide access to a large number of different public and private applications.

Omani eID Card

In 2002, the Sultanate of Oman and the Royal Oman Police decided to deploy a nationwide electronic identity card for its citizens. The main objectives entailed modernizing the Oman National Registry System; simplifying and expediting administrative processes; improving public services for Omani citizens and residents; promoting the use of IT solutions; improving homeland security and paving the way for eGovernment services. The identity card itself provides secure access to three main applications: proof of identity, driver license and border control. The eID smart card is used to store the bearer’s personal credentials including name, address, digital photo and fingerprints. The Omani eID Card showcases a true multi-application environment for citizens enabled by open smart card operating software.


Belgian eID

In July 2001, the Belgian Council of Ministers made the decision to introduce an electronic national ID card for all citizens as the cornerstone of a broader eGovernment project to simplify administrative processes and modernize public services. The goal was to provide Belgian citizens not only with a new, highly secure identity document but also with a brand-new tool for electronic signature and authentication to access eGovernment applications, social welfare services or even private online services.

Today with more than 7 million cards in circulation, Belgium is highly successful in effective utilization of secure electronic documents. In Belgium, a wide range of applications has been deployed, all using secure authentication with the national eID card: tax filing, theft reports and secure authentication to a government portal, to name a few.

Operating software is key to enabling applications. Here, the Belgian eHealth card (SIS Card) will evolve and its functionality will be integrated into the national eID card.

Singaporean BioPass

A participating country in the United States Visa Waiver Program enabling tourism or business travel for up to 90 days without a visa, Singapore migrated to the electronic passport in 2006.

Foreseeing the need to introduce a second generation of electronic passport, fingerprint biometrics capabilities were incorporated inside the passport from the outset. These capabilities facilitate secure authentication at airports using efficient fingerprint recognition-enabled automated control systems. To ensure that biometrics do not undermine privacy, the operating software features highly secure EAC technology restricting access to fingerprint data only to Singapore-authorized authorities. The operating software also enables fully ICAO-compliant interoperability and outstanding data reading performance.

Singapore is the first country ever to implement an EAC-based passport.


Performance pivotal to efficiency

Performance optimizes costs

The origin of computers and software can be traced as far back as research conducted by Alan Turing in the 1930s. From the outset, the chief objective was to build a machine that could perform logical operations faster and more reliably than a human being. Computer security was introduced almost immediately thereafter and has been a key requirement ever since.

Today’s microprocessors and operating software perform complex tasks in nanoseconds, enabling applications never deemed possible before:

• Editing home video is possible today, whereas only a few years ago, simply adjusting the contrast of one individual frame would have taken several minutes.

• Fingerprint matching can be performed today on a smart card, whereas 20 years ago, this was not yet possible when smart cards were first introduced to the market.

Performance impacts costs directly. The faster a task is completed, the more swiftly the entire process can be handled. This holds especially true for both the issuance and actual usage of secure electronic documents once in the field:

• Rapid personalization of the electronic component is crucial to cut costs and optimize the issuance process. This becomes even more important when vast quantities of data, as with biometry, are involved.

• Swift reading of the electronic component streamlines usage. The performance of border control systems capable of reading electronic passports can be optimized through faster biometric passport reading time.

In addition to cost savings, speed directly improves end-user acceptance.

Performance: hardware and software

In the early days of computing, hardware and software were supplied by the same firm. In the 1980s, however, companies began specializing in dedicated areas of expertise. It is extremely rare today for a firm to manufacture both computer hardware and software, with the exception of prototypes or simple products.

As mentioned earlier, it is the operating software that provides the functionality and determines the user experience. Operating software providers recognize and meet detailed user needs. Hardware providers develop and supply a hardware platform that provides low-level functionality to support the software operations.

This is easily distinguishable in the personal computer environment, with software providers such as Microsoft and Apple, and hardware providers such as Intel and AMD.

The same applies to secure electronic documents: specialist firms have expertise in operating software in order to develop secure and efficient software meeting specific user needs. The most experienced companies are those with a long track record of handling limited microprocessor platform resources and developing efficient software methods.


Fast and slow software

As seen with personal computers, different software applications usually offer varying user experiences and performance. In particular, some software applications are fundamentally faster in performing specific tasks and slower in performing others.

Performance is easier to achieve when the functional scope is narrow. It is far more challenging to achieve high performance across a broad scope of functionality that also has to meet security requirements.

Performance challenges

With secure electronic documents, the performance challenge is even greater because of the restrictions of the microprocessor hardware platform. The operating software has only limited resources to work with, and these can be reduced further by fluctuating environmental conditions that cut the available power. A contactless ePassport chip, for example, draws its power inductively from the reader's RF field rather than from a wired supply.

Performance challenges for operating software in secure electronic documents span:

• Parallel use of microprocessors, co-processors, memory and communication channel

• Processor clock speed adjustments

• Efficient software methods for high security level algorithms despite limited hardware support

• Efficient security methods against logical attacks

• Software logic for communication

ePassport high-speed communication

Because large quantities of data are read from the ePassport, communication performance depends heavily on whether ‘extended length’ is used. The basic commands standardized in ISO/IEC 7816-4 return at most 256 bytes per command, so hundreds of commands may be needed to read the full content, each adding its own overhead. To improve the reading of large data sets, the standard was extended with an ‘extended length’ specification that allows up to 65536 bytes per command.

Using such ‘extended lengths’ introduces new challenges for the operating software:

• All data sent must be encrypted and authenticated under secure messaging (a MAC is computed over each response).

• Microprocessor platforms usually have only 4096 to 8192 bytes of RAM memory–far less than the data being prepared.

• Part of the limited RAM is already used by other operations running simultaneously.

This explains why most firms developing ePassport operating software settle for less than the 65536 bytes allowed by the standard. For those firms, the size of data that can be sent is limited to the amount of RAM available to prepare it, meaning 512 or 1024 bytes.

Few companies have developed efficient software logic to surmount the hardware limitations.

At the interoperability tests in Prague in September 2008, only one supplier presented ePassport operating software that can send the maximum amount of data in a single command allowed by the ‘extended length’ ISO standard, deriving maximum performance benefit from the standardized commands.
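To make the overhead argument concrete, here is an added Python example (not from the white paper) that builds ISO/IEC 7816-4 READ BINARY commands under short and extended length and counts how many are needed to read one elementary file. The 20,000-byte file size is a constructed assumption standing in for a DG2 facial image; the encoding rules (one-byte Le, three-byte extended Le, 15-bit offset in P1-P2) are those of the standard.

```python
"""READ BINARY command construction under short and extended length
(ISO/IEC 7816-4), showing why the command count drops with extended Le.

Added example; the 20,000-byte file size is a constructed assumption.
"""
MAX_SHORT_LE = 256        # one-byte Le; '00' encodes 256
MAX_EXTENDED_LE = 65536   # three-byte Le; '00 00 00' encodes 65536
MAX_OFFSET = 0x7FFF       # P1-P2 carry a 15-bit offset (bit 8 of P1 must be 0)


def read_binary_apdu(offset: int, length: int, extended: bool) -> bytes:
    """Build 00 B0 P1 P2 Le. Short Le is one byte; extended Le (no Lc field
    present) is a leading 00 followed by two bytes, 00 00 meaning 65536."""
    if not 0 <= offset <= MAX_OFFSET:
        raise ValueError("offset exceeds the 15-bit P1-P2 range of plain READ BINARY")
    header = bytes([0x00, 0xB0, offset >> 8, offset & 0xFF])
    if extended:
        if not 1 <= length <= MAX_EXTENDED_LE:
            raise ValueError("extended Le must be 1..65536")
        return header + b"\x00" + (length % MAX_EXTENDED_LE).to_bytes(2, "big")
    if not 1 <= length <= MAX_SHORT_LE:
        raise ValueError("short Le must be 1..256")
    return header + bytes([length % MAX_SHORT_LE])


def read_plan(file_size: int, bytes_per_command: int) -> list:
    """Sequence of READ BINARY commands needed to read an elementary file when
    the chip returns at most bytes_per_command bytes per response."""
    extended = bytes_per_command > MAX_SHORT_LE
    apdus = []
    offset = 0
    while offset < file_size:
        chunk = min(bytes_per_command, file_size - offset)
        apdus.append(read_binary_apdu(offset, chunk, extended))
        offset += chunk
    return apdus


if __name__ == "__main__":
    DG2_SIZE = 20_000  # constructed: a facial image of plausible size
    for per_cmd in (256, 512, 1024, 65536):
        plan = read_plan(DG2_SIZE, per_cmd)
        print(f"{per_cmd:>6} bytes/command -> {len(plan):>3} commands, "
              f"first APDU {plan[0].hex().upper()}")
```

Two practical caveats: the per-command secure-messaging wrapping (encryption plus MAC of every response) is not modelled here, and it multiplies the cost of each extra command; and plain READ BINARY can only address offsets below 32 KB, so larger files need the odd-instruction variant (INS B1 with an offset data object), which is another place where operating software implementations differ.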


Development methodologies

To address the challenges of operating software development, firms have opted for an array of methodologies:

• Legacy purpose-designed software upgraded with basic additions of new functionality. Software of this type tends to execute more slowly. The more additions are incorporated over the years, the less optimal the software performance becomes. This holds especially true in instances where the software was not originally meant for multiple uses, or if the new functionality presents a requirement not foreseen during the previous development cycles.

• Multipurpose software. It is difficult to optimize operating software to address multiple uses. Designing multipurpose operating software is a complex matter (multilayered architecture), where both current and potential future requirements must be met. Only experienced operating software suppliers succeed in meeting this challenge. However, inherently and by design, multipurpose software will address a specific functionality (such as ICAO and EAC specifications) more slowly than software designed for that functionality.

• New software developed from the start with a single purpose in mind, without the restrictions of legacy code. Such software usually delivers faster, purpose-designed functionality (such as ICAO and EAC specifications). Performance is even better when development is carried out against strict performance requirements. Only operating software suppliers with sufficient R&D capabilities can consistently use this method.

Whichever methodology is adopted, results are largely dictated by the quantity and quality of R&D resources involved. Firms with sufficient resources assign development of operating software to dedicated expert teams:

• Communication team

• Power management team

• Cryptography team

• Other dedicated expert teams

Dedicated expert teams usually provide more efficient software components than general-knowledge teams.

Efficiency of security features

As mentioned previously, security attacks are mostly countered by software. Many attacks center on an attempt to analyze what is taking place inside the microprocessor or to disturb the microprocessor operations.

One simple but highly performance-impacting security method is to execute every critical operation of the microprocessor redundantly:

• Fraudulent microprocessor analysis is made more difficult when certain operations are performed multiple times randomly.

• Disturbing microprocessor operation becomes more challenging when internal verifications are performed by repeatedly executing the same operation–up to 16 times–and cross-referencing the results.

Alternatively, intelligent processing enables an identical or higher security level, with negligible performance impact: genuine understanding of attacks and cryptography enables development of security methods more efficient than simple processing repetition.
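The trade-off described above can be shown in code. The following Python is an added illustration, not taken from the white paper or from any card operating system: a security-critical comparison is executed a random number of times, interleaved with random dummy work, and the results are cross-checked, next to an unprotected version that a single fault can flip. The fault is simulated through a test hook; on real silicon it would come from a voltage or clock glitch.

```python
"""Redundant execution with cross-checking as a fault-attack countermeasure.

Added illustration; the glitch is simulated through a test hook and the code
is not taken from any card operating system.
"""
import secrets


class FaultDetected(Exception):
    """Redundant executions disagreed; a real card would typically mute itself."""


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Compare without a data-dependent early exit (timing side channel)."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def unprotected_verify(stored: bytes, candidate: bytes, glitch: bool = False) -> bool:
    """Single comparison. glitch=True simulates a fault that flips the
    result: a wrong candidate is then accepted and nothing notices."""
    result = constant_time_equal(stored, candidate)
    return (not result) if glitch else result


def redundant_verify(stored: bytes, candidate: bytes, repetitions: int = None,
                     fault_at: int = None) -> bool:
    """Execute the comparison `repetitions` times (random 2..16 if not given),
    interleaved with a random amount of dummy work so an attacker cannot
    predict when the real comparison runs, then cross-check every result.
    fault_at simulates one glitch flipping the result of that execution."""
    if repetitions is None:
        repetitions = 2 + secrets.randbelow(15)          # 2..16
    results = []
    for i in range(repetitions):
        for _ in range(secrets.randbelow(8)):             # dummy operations
            constant_time_equal(secrets.token_bytes(len(stored)), stored)
        result = constant_time_equal(stored, candidate)
        if i == fault_at:
            result = not result                           # simulated glitch
        results.append(result)
    if any(r != results[0] for r in results):
        raise FaultDetected("redundant executions disagree")
    return results[0]


if __name__ == "__main__":
    print("unprotected, glitched:", unprotected_verify(b"1234", b"0000", glitch=True))
    try:
        redundant_verify(b"1234", b"0000", repetitions=16, fault_at=5)
    except FaultDetected as exc:
        print("redundant, glitched:", exc)
```

The cost is linear in the number of repetitions, which is exactly the performance penalty the text describes for brute repetition; a more targeted design (for example, verifying a signature once after computing it, or checking a result against a value the attacker cannot predict) is the kind of "intelligent processing" that reaches the same assurance with far fewer cycles.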

Combining performance and security is a challenge that only experienced suppliers can meet.


Real example of software performance

ePassport secure electronic documents have garnered much attention in recent years and offer good conditions to compare performance:

• Multiple ePassport operating software exist on the market, available on a limited number of different microprocessor platforms.

• ePassport operating software must comply with ICAO-standardized functionality.

• ICAO and EU arranged several testing sessions between 2004 and 2008, with the participation of most ePassport operating software suppliers.

Various operating software running on a same microprocessor platform

The chart below is from the 7th ePassports EAC Conformity & Interoperability Tests held in Prague in September 2008. It compares the performance of nine different operating software, mainly mature products already released on the market, all running on the same hardware platform.

Different ePassport operating software running on the same microprocessor platform (Prague, September 2008, ePassports with EAC and ECDSA 224-256). Baud rate in kbps, values read from the chart in chart order:

OS 1: 57.5
OS 2: 50.5
OS 3: 50.3
OS 4: 49.2
OS 5: 48.8
OS 6: 42.8
OS 7: 30.4
OS 8: 27.6
OS 9: 19.9

Although all of the operating software ran on the same microprocessor platform, the fastest operating software can send about three times more data per second than the slowest one.

In essence, there is a 3:1 performance ratio between the fastest and slowest operating software.


Same operating software running on multiple microprocessor platforms

The following table–also from the September 2008 ePassports EAC Conformity & Interoperability Tests–offers another look at performance, this time comparing the same operating software running on different microprocessor platforms.

In this example, there are four ePassport operating software, each available on two different microprocessor platforms from two different hardware suppliers. In fact, the same microprocessor platform pairs are used for all four operating software.

Same ePassport operating software, each running on two different microprocessor platforms (Prague, September 2008, ePassports with EAC). Baud rate in kbps, two bars per operating software (one per platform), values read from the chart in chart order:

First platform, OS 1 (RSA 2048) to OS 4 (EC 224): 91.1, 57.3, 30.4, 48.8
Second platform, OS 1 (RSA 2048) to OS 4 (EC 224): 95.3, 94.4, 69.9, 55.0

On average, the faster platform outperforms the slower one by a factor of 1.5 for the same operating software.

The 1:1.5 ratio of same operating software running on different microprocessors is not as high as the 1:3 ratio of different operating software running on a same microprocessor. This underscores an important point: if microprocessor platform choice does impact performance, operating software choice impacts performance even more.

When the results are examined more closely, they illustrate how some companies are capable of utilizing different microprocessor platforms effectively, while many others offer capabilities limited to a single microprocessor platform:

• OS 1 shows high performance despite using a high-security algorithm (RSA 2048), and that performance is achieved consistently on both microprocessor platforms, with a difference of less than 4%.

• OS 2 and OS 3 are unable to consistently achieve high performance on both microprocessor platforms.

• OS 4 offers homogeneous yet poor performance on both platforms.

Conclusion

Operating software is critical to the performance of secure electronic documents.

The choice of microprocessor platform has far less impact on performance, particularly when combined with operating software from experienced suppliers.


Interoperability for international reach

Hitherto guided mainly by national requirements, the evolution of secure documents began in the 1970s with the boom in international travel. This spectacular growth spawned a need to enhance and better standardize secure documents with the objective of facilitating global interoperability and border security.

With respect to secure electronic documents, the term ‘interoperability’ encompasses two complementary ideas:

• A first level of interoperability requires travel documents from different issuing authorities to be read electronically across all control points equipped to do so. This requires adherence to published standards for both the Electronic Machine Readable Travel Document (eMRTD) and related document readers, coupled with properly tested strategies developed to verify such compliance.

• Broader interoperability, which embraces both operational processes and environmental design, ensuring that, especially in the context of automated systems, the user experience is equivalent among locations.

Automation of security controls of citizen identity—as well as an accelerated introduction of biometrics in the post-9/11 world—has irreversibly launched the need for end-to-end, world-level interoperability in both secure documents and inspection system networks. This has in turn led to the globally interoperable biometric data outlined in the new edition of ICAO 9303 specifications, comprising mandatory facial image and optional fingerprint image. The specifications increase the data storage capacity and global interoperability of an eMRTD through incorporation of a contactless electronic component into the travel document.

Travel documents and interoperability

The ICAO has decided that travel documents should both conform to existing ISO standards and incorporate state-of-the-art technologies in the fields of biometrics, radio frequency, security algorithms and operating software.

Biometrics

Biometrics have been confirmed as a strong mechanism for authenticating identity. The ISO/IEC biometrics subcommittee SC 37 has launched several working groups to address this challenge and to develop standards covering:

• Harmonized biometrics definitions

• Biometric profiles for interoperability and common data interchange file format for facial, fingerprint and iris recognition, etc.

• Processes for enrolment, acquisition, storage and matching

• Test methods

Facial recognition forms the primary biometric datum. To prevent national or vendor bias by favoring one capture system or algorithm of extraction due to lock-in effect, the method retained stores the unprocessed facial image in the form of a high-resolution digitized image.

Radio frequency

With respect to physical specifications, the mature ISO/IEC 14443 Radio Frequency (RF) interface was selected as the contactless interface embedded directly in the passport cover; a contact interface is not practical for the passport cover form factor. ISO/IEC 14443 specifies two alternative microprocessor platform types, A and B, and allows either to be used. The control point reader must therefore be designed to handle both types.

Logical data structure

To achieve global interoperability, it is crucial that data be stored in a standardized fashion in the contactless electronic component. The ICAO has outlined specifications for the Logical Data Structure (LDS). The LDS currently comprises 16 data groups. The data groups are in turn divided into data elements. Some data groups are mandatory while others are optional.
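As an added example that is not part of the white paper, the Python below parses EF.COM, the LDS common data file that announces which data groups a chip holds, using the tag-to-data-group mapping defined in ICAO Doc 9303, and checks that the mandatory DG1 (MRZ data) and DG2 (facial image) are listed. The EF.COM bytes are constructed for the example; DG3 is the fingerprint group that EAC protects and DG14 carries the EAC security information.

```python
"""EF.COM parser for the ICAO Logical Data Structure (Doc 9303).

Added example. The EF.COM bytes below are constructed for illustration; the
tag-to-data-group mapping is the one defined by the LDS.
"""

# LDS data group tags as they appear in the EF.COM tag list (Doc 9303).
DG_TAGS = {
    0x61: "DG1", 0x75: "DG2", 0x63: "DG3", 0x76: "DG4", 0x65: "DG5",
    0x66: "DG6", 0x67: "DG7", 0x68: "DG8", 0x69: "DG9", 0x6A: "DG10",
    0x6B: "DG11", 0x6C: "DG12", 0x6D: "DG13", 0x6E: "DG14", 0x6F: "DG15",
    0x70: "DG16",
}
MANDATORY = ("DG1", "DG2")   # MRZ data and facial image

# Constructed sample: LDS version 0107, Unicode version 040000, DG1/2/3/14 present.
SAMPLE_EF_COM = bytes.fromhex(
    "60 16 "
    "5F01 04 30313037 "         # LDS version "0107"
    "5F36 06 303430303030 "     # Unicode version "040000"
    "5C 04 61 75 63 6E "        # tag list: DG1, DG2, DG3, DG14
)


def parse_tlv(data: bytes, pos: int = 0):
    """Decode one BER-TLV element at pos; returns (tag, value, next_pos).
    Handles one- and two-byte tags and definite-form lengths."""
    tag = data[pos]
    pos += 1
    if tag & 0x1F == 0x1F:                 # a second tag byte follows
        tag = (tag << 8) | data[pos]
        pos += 1
    length = data[pos]
    pos += 1
    if length & 0x80:                      # long form: 0x8n then n length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, pos + length


def parse_ef_com(ef_com: bytes) -> dict:
    """Return LDS version, Unicode version, listed data groups and whether
    the mandatory groups are announced."""
    tag, body, end = parse_tlv(ef_com)
    if tag != 0x60 or end != len(ef_com):
        raise ValueError("not an EF.COM template (tag 60)")
    info = {"lds_version": None, "unicode_version": None, "data_groups": []}
    pos = 0
    while pos < len(body):
        t, v, pos = parse_tlv(body, pos)
        if t == 0x5F01:
            info["lds_version"] = v.decode("ascii")
        elif t == 0x5F36:
            info["unicode_version"] = v.decode("ascii")
        elif t == 0x5C:
            info["data_groups"] = [DG_TAGS.get(b, f"unknown tag {b:02X}") for b in v]
    info["mandatory_present"] = all(dg in info["data_groups"] for dg in MANDATORY)
    return info


if __name__ == "__main__":
    print(parse_ef_com(SAMPLE_EF_COM))
```

EF.COM is only an index: its tag list is not signed on its own, so an inspection system should reconcile it with the data group hashes in the Document Security Object (EF.SOD) during passive authentication rather than trust the announced list alone.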

Privacy mechanisms

The ICAO has identified fingerprint and iris recognition as the most suitable secondary biometrics in a travel document program. It is acknowledged that secondary biometrics represent more sensitive personal data than facial recognition. Access to these data groups should, therefore, be more restricted.

One solution to this challenge is Extended Access Control (EAC). A specific EAC implementation is not an ICAO standard as such. The European Union has, however, defined an EAC program to be implemented in member state eMRTDs before June 28, 2009. In the European program, inspection systems are authorized by the eMRTD issuers: a reader gains access to the sensitive data groups only after presenting a certificate chain that leads back to the issuing state and proving possession of the corresponding private key. These certificates are distributed through a Public Key Infrastructure (PKI). The European PKI program requires a complete infrastructure and certificate distribution program. Although rather complex, it provides a high level of protection for sensitive biometric data and protects the privacy of the eMRTD bearer.

Interoperability tests

All of the aforementioned interoperability requirements—particularly the secure privacy protocols—are handled by the operating software. Tests are carried out by organizations such as the ICAO or Brussels Interoperability Group (BIG) to evaluate conformity of the operating software and validate interoperability with reading platforms.

The importance of operating software is highlighted by the wide-ranging results of various operating software applications on similar microprocessor platforms.

Also, vendors proposing compliant, interoperable operating software can do so on different microprocessor platforms.

During such tests, leading secure operating software vendors reach 100% interoperability. One such example is the BIG interoperability test conducted in Paris, France in April 2008.

Chart: Conformity (0 to 100%) plotted against EAC Interoperability (0 to 100%), with the Target point at 100%/100% (BIG interoperability test, Paris, April 2008).


Standards convergence

Following the first step of ICAO-led interoperability specifications for electronic passports, secure electronic documents have entered the second phase: citizen and government benefits-based electronic identity.

Secure mechanisms ensure the real identity of a person through authentication during an electronic transaction over a public network. Such mechanisms reduce costs and enhance service quality. Sensitive data are indeed accessed or exchanged in eGovernment services or during an electronic transaction.

Consistent standards for increased efficiency

To address these new services, which include travel-related services, some governments have opted to capitalize on passport standards in the multi-application card programs combining electronic identity, driver license and healthcare.

Operating software providers—especially leading firms—have used their position as active standards-organization members to propose the following:

• For the driver license, they have endorsed a data structure similar to the ICAO specifications, as well as a secure exchange protocol similar to the European EAC mechanism, called EAP (Extended Access Protection, ISO/IEC 18013-3).

• For the European Resident Permit, ECC eTravel profile and national eID applications, a similar approach was taken.

Beyond Europe, many countries—including Korea and Japan—are contemplating endorsement of the EAC model. ICAO is therefore reviewing application of this model on a worldwide basis.

For citizen eServices interoperability, governments have issued IAS multi-application eID programs. The European Union is working on the possibility of finding global interoperability-based IAS ECC standards, but national interests could drive some countries to endorse other specifications. To help governments in this task, operating software leaders are promoting the adoption of Multos, Java Card and Global Platform specifications. Widely endorsed by technology providers, these specifications will facilitate the necessary convergence enabling citizens to use their services in the mobility context or when traveling.

Middleware: a key link to interoperability

At regional level (North America, Asia, Gulf Region, etc.), interoperability issues can arise from divergence in existing programs or local specifications. A new ISO program has addressed global interoperability at infrastructure software level. ISO/IEC 24727 standards constitute a set of programming interfaces for interaction between secure electronic documents and external applications to include generic services for multi-sector use. To conform to Application Programming Interface (API) standards, operating software providers are supporting proposals to make ECC standards compliant and find migration tracks for existing programs. Aimed at improving healthcare administration at European level, the NETC@RDS initiative illustrates the global interoperability enabled by this type of architecture.

Diagram: document types (ePassport, eResidentPermit, eID, Driver License, eHealth) and the standards they rely on: ICAO 9303 Part 1 & Part 2, ICAO Part 3 and EAC, ISO 18013, ECC Part 1 & Part 2, ECC part 3, ECC part 4 eSIGN, with ISO 24727 middleware as the common layer.


Importance of operating software

Clearly, operating software is key to the interoperability of ePassports, eID, driver licenses and healthcare cards. Its role in establishing secure connections to readers and in communicating and processing data is central to interoperability.

Operating software providers are the proactive drivers of progress in the area of standards, working hand-in-hand with governments to set interoperability standards and develop solutions.

Operating software is key to interoperability. Here, the United States electronic passport must be readable by all electronic border control systems.


Consistent microprocessor sourcing

As explained in the previous sections, security considerations, performance optimization, functionality capability and interoperability are all determined by appropriate design of the operating software.

The choice of microprocessor platforms must, however, be made bearing in mind compliance objectives and broader application requirements. The microprocessor platform forms a solid basis for operating software performance and, more specifically, the electronic component to be used inside the secure document.

Diagram: the microprocessor supplier delivers the microprocessor; the electronic component supplier combines it with the operating software to form the electronic component; the government receives the secure document in which that component is embedded.

In most cases, the electronic component supplier is the provider of the operating software and takes the liability on a performing, durable and innovative electronic component embedded within the secure document.

Microprocessor platform selection

The microprocessor must be chosen from among a narrowed field of choices. Several steps are followed to ensure secure, efficient microprocessor selection and introduction. These include technology analysis/benchmarking, road map alignment with microprocessor suppliers, technical audits and product qualification.

Technology benchmarking

Technology benchmarking of the products and technologies available in the field is the process used to qualify features and identify trends in performance, security level, size, silicon technology, etc. Microprocessor supplier capabilities and manufacturing processes are also assessed. This process is widely used in the semiconductor industry to help build road maps.

Road map alignment with microprocessor suppliers

Microprocessor supplier road maps are greatly influenced by operating software providers, especially those with a global market position and a complete range of electronic components for integration into the secure document.

Microprocessor suppliers are driven to design platforms that meet:

• Specific technical requirements, such as new Non-volatile Memory (NVM) cells, new Microprocessor Control Units (MCUs) and new security concepts

• Operating software constraints and applicative needs


Requirements are continually exchanged between global operating software providers and silicon suppliers to ensure that microprocessor platform road maps are aligned and consistent with operating software road maps. Alignment of road maps is essential to enable multi-sourcing.

Technical audits

Technical audits of wafer manufacturing processes must be performed each time a new manufacturing plant is contracted, each time a new process is developed, or each time a microprocessor supplier introduces new technology. The objective of these audits is to ensure that:

• The process to manufacture the microprocessor platform is well under control to avoid quality and delivery issues. Process characterization and qualification results are reviewed; yield data and road maps are analyzed; process flows are reviewed; process control parameters and Process Control Monitoring (PCM) data are reviewed as well for the same purpose.

• Manufacturing capabilities are sufficient. The manufacturing plant is visited, and an inventory and throughput of equipment are analyzed.

Significance of multi-sourcing

The microprocessor platform selection process is a formal, structured and strictly managed process. For many projects and product types, at least two sources from two different suppliers are identified, which allows rapid porting of operating software from one source to another.

Microprocessor multi-sourcing is a key parameter during microprocessor platform selection in order to secure delivery, prevent shortage and foster innovation while maintaining a competitive environment.

For this multi-sourcing to be possible, all platforms selected must meet several technical requirements spanning microprocessor operating range, MCU core, power supply, operating power consumption, maximum internal and external frequency, Random Access Memory (RAM), Read-only Memory (ROM), Enhanced Performance Profiles (EEP), memory performance (access time) and reliability (endurance and data retention), interface types and security features and level.

The microprocessor and supplier selection also reflects other criteria linked to the overall supplier capabilities. These include the ability to deliver on time, the ability to deliver large volumes sourced from different wafer manufacturing facilities, and the ability to deliver high-quality, high-reliability microprocessor chips.

Microprocessor qualification

Semiconductor experts must ensure that all microprocessor platforms are qualified by suppliers prior to use in the manufacture of secure document electronic components. Tests performed by suppliers are crosschecked. Microprocessor platform characterization and qualification results are reviewed with microprocessor suppliers to verify that results are in line with specifications and that designs are robust enough for process variations.

Additionally, the supplier of the electronic component must perform systematic qualification of all products (modules, cards, inlays or passports). These tests are electrical parametric and functional tests, mechanical and environmental tests, performed on a statistically significant number of parts from different wafer lots, including corner lots.


Tests performed include:

• High temperature operating life

• Temperature and humidity bias

• Die breakage

• Electro-static discharge

• Latch-up

• Electro-magnetic charge

• Vcc ripple

• Endurance

• Data retention

• Non-volatile memory disturbance

• Functional voltage/frequency

• Current measurement

• VIH/VIL range

• Full duty cycle range

Microprocessor quality monitoring

To ensure a high and continuous quality level for microprocessors received by the electronic component supplier (as well as high delivery performance), silicon supplier performance must be monitored using an array of different tools. A continuous improvement plan is shared with each supplier.

Key parameters measured include:

• Incoming wafer yield

• Lot reject rate

• Cost Of Non-quality (CONQ)

• Lead time of deliveries

• On-time delivery ratio

• First-pass product qualification rate

The performance and ranking of a microprocessor supplier are shared with management. Performance and ranking are based on quality, technology/engineering, delivery and service-related criteria.

Supplier Quality Management can be summarized by the following diagram:


Liaising with the microprocessor supplier

Dealing with microprocessor suppliers involves both procurement and component technology expertise. Component technologists drive microprocessor supplier product road maps and provide insight to suppliers for their technology road map and microprocessor architecture specifications. Such liaising facilitates the porting of identity operating software from one microprocessor platform to another and from one supplier to another, thereby ensuring multi-sourcing.

Expertise in semiconductor processes and technology is required to efficiently select suppliers and microprocessor platforms and qualify their products, so as to:

• Guarantee electronic component performance

• Ensure high quality and reliability levels

• Offer a high level of security

• Ensure microprocessor multi-sourcing

The process of introducing new products, handled by the electronic component provider (often the operating software provider), is designed to facilitate deployment as much as possible for the government body.


Long-term viability

Because identity projects are high-profile and politically sensitive, governments should make decisions that are viable in terms of risk, technology and business efficiency. In particular, when qualifying operating software suppliers for the deployment of secure electronic documents, governments should focus their attention on partner expertise, the product and services portfolio, innovation, business capabilities and financial standing.

[Diagram: viability of the operating software provider, resting on five factors: portfolio and easy upgrade, innovation, expertise and experience, critical mass of business, and a solid partner.]

The five key success factors for a viable OS provider

Upgradeable portfolio offerings

As a central component of the secure electronic document, operating software is a critical product to select. That is why the choice made by government authorities should not be restricted to a limited product offer. Instead, providers should act as technological partners. A broad portfolio of products allows selection from among different levels of security, performance and functionalities, especially:

• Native to multi-applicative operating software

• Multiple interfaces: contact, contactless or contact/contactless

• Complete range of applications based on international standards such as ICAO, EAC, ECC, MoC, etc.

• Multiple cryptographic algorithms—including RSA and elliptic curve—and secure messaging protocols with a broad range of supported key lengths

• Security certifications—especially Common Criteria—as an additional guarantee of security

Governments should also bear in mind the prospect of upgrading the operating software within the lifecycle of a secure document. It is incumbent on the operating software provider to offer upgradeable products that prevent costly and lengthy system reengineering while enabling seamless evolution with an easy migration path. Examples include:

• European migration from BAC to EAC requiring electronic passport operating software to be upgraded to integrate enhanced PKI and biometrics

• Natural evolutions of eID programs to encompass additional functionality and applications, possibly evolving from native to multi-applicative technology

Government representatives should select partners offering a wide range of operating software and applets ensuring security, performance, functionalities and easy upgrade.


Significance of innovation

Security

Security is a never-ending combat between fraudsters and security providers. Powerful, state-of-the-art computer hardware is becoming increasingly affordable and accessible, making it easier for ill-intentioned individuals or groups to perpetrate fraud on secure electronic documents. Governments must therefore ascertain that their technological partners possess the capabilities to anticipate and counter such fraud:

• Innovative software countermeasures must be developed continuously to protect against new attack methods developed by hackers.

• The latest cryptographic algorithms—as well as secure messaging and hashing protocols—must be implemented using the appropriate key lengths with room for key length upgrade while delivering satisfactory performance. In particular, high-end operating software with most stringent security requirements should support key lengths of up to 2048 bytes for RSA or at least 224 bytes for ECC.

Credible security expertise is based on a dedicated security laboratory, internationally renowned experts, ownership of relevant patents, a proven track record and a broad portfolio of Common Criteria and Federal Information Processing Standards (FIPS) security-certified products.

Applications

As secure electronic documents become increasingly commonplace, their usage by citizens will become widespread. Likewise, expectations will increase:

• Travel applications will evolve to include multimodal biometrics, travel data and, ultimately, visa information.

• More and more, identity applications will connect to eGovernment services as well as to third-party eServices offered by non-profit or commercial organizations. Biometrics will be used on a greater scale without compromising citizen privacy, especially through MoC.

• Healthcare applications will open access to medical files and support the healthcare insurance administration and payment process.

A clear trend in favor of multi-application secure electronic documents is emerging. Operating software will have to support this applicative progress both by offering high-performance, upgradeable technology and by supporting the addition of new applets, whether before or after document issuance.

Governments must be sure that their partners offer the technology, know-how and available R&D resources to facilitate migration along the application path.

Other technological trends

Now that secure documents have entered the electronic world, they will evolve at a significantly faster pace than seen previously. Beyond the security and applicative evolutions highlighted here, a handful of major trends are certain to impact secure electronic documents:

• Processing power and memory capacity will expand to process and store additional personal data (travel, biometrics, identity and healthcare).

• Whether for contact or contactless formats, electronic component communication speeds will increase to shorten transaction time. Communication protocols will evolve and integrate fully into the citizen’s surrounding environment. Near Field Communication (NFC) and the Internet Protocol Suite (TCP/IP), for instance, will facilitate diversified use of secure documents.

• Long-term, secure electronic documents will tend to become increasingly autonomous—with incorporated biometric sensors and active displays—while solving the problem of power consumption.


Only partners with a proven track record in digital security can support governments throughout these evolutions.

Expertise and experience

A secure electronic document project is not simply a matter of developing an electronic component (i.e. the combination of operating software with a microprocessor):

• The security of a system is as weak as its weakest link.

• The overall efficiency (costs, benefits and sustainability) of a system can be achieved if all parts of the system have been carefully designed to fit together.

Suppliers and partners should be in a position to guide governments as they outline specifications for the secure electronic document and related infrastructure. The choice of operating software will be central at this stage. The partner should therefore be capable of informing and supporting the government’s choice thanks to extensive experience in the field. When required, operating software providers should also be able to successfully customize solutions delivered to governments.

In fact, the ability of operating software providers to meet those requirements is often reflected in concrete proof in the field. It is important to refer to real projects where secure electronic documents have been deployed to citizens, actually used by them and subjected to the test of time:

• Previous electronic passport deployments of the operating software not only demonstrate software performance, but also ensure a clear way forward for future evolutions. In such an instance, the supplier can draw on a broader base of customer needs and feedback and better prepare for interoperability.

• Previous eID and electronic healthcare card implementations by the operating software provider clearly demonstrate the successful capability of that provider to support governments in the complex process of identity program deployment.

Governments are usually pleased to share insight and experience with other countries following successful deployment of their identity projects.

Critical mass of business

Delivery capabilities

Ensuring security, offering adequate functionality, delivering best performance and guaranteeing interoperability today and into the future can appear to be a challenging goal. Delivering electronic components on identity projects involves significant ramp-ups that must be absorbed smoothly within the supplier’s operations.

Achieving these goals is directly tied to critical mass of the technology provider and in fact to the number of successful references implemented by the provider.

• Many players in the identity field have limited experience or no reference at all. Some boast references that are never actually deployed. Such players do not have the critical mass to adhere to standards, nor can they keep up with fast-moving technological change. It is also exceedingly difficult for such players to ramp up on new projects.

• The operating software providers who have that critical mass have a much greater chance of serving governments successfully, both for their current and future needs. They offer solid operating software portfolios, set industry standards and chart innovative yet credible road maps. They are capable of smoothly ramping up production and delivery of new electronic component projects at their manufacturing sites.


Multi-sourcing

Critical mass enables the operating software provider to engage in microprocessor platform multi-sourcing. In that case, governments benefit from the fact that their operating software runs on multiple microprocessors:

• Governments can therefore use electronic components containing one microprocessor or another at will.

• There is no impact on either issuance or usage of the secure document.

• Using one microprocessor or another is fully seamless and transparent.

Multi-sourcing offers an essential degree of freedom, from which both small and large secure electronic document programs can benefit:

• It enables technological innovation by constantly relying on the market’s most efficient microprocessor platforms.

• It fosters competition and improves business conditions.

• It copes with the business cycles of microprocessor suppliers and with any major, unforeseeable circumstances that could arise (from planning or quality issues to manufacturing site shut-down due to fire, earthquakes or other natural disasters).

• It secures deliveries no matter what trends affect the silicon market.

Multi-sourcing is possible only when operating software providers have sufficient delivery volumes on operating software to justify such investments (selecting the microprocessor and porting the operating software).

Reliable and steadfast partner

Identity projects are high-profile, long-term projects for which policymakers are held accountable. Not only must the project be a success in technological terms—with no possible security breach that could destroy confidence—it should also be deployed smoothly with a long-term commitment on the part of suppliers and partners.

Such long-term commitment can be made by established technological leaders offering:

• Solid financial standing, justified by indicators such as strong revenue, sustainable profitability and a sound balance sheet

• Proven ability to weather economic storms, whether global or specific to the electronics industry

• Sound business practices that ensure company-wide profitability and not merely limited specific contracts, whose loss could endanger the overall viability of the company

• A proven track record of successful references in the field of secure electronic documents

• Long-term presence on the market and dedication to the secure electronic documents business

When selecting a supplier and partner for secure electronic documents—and particularly the operating software—governments should turn to established firms in a position to supply the right solution through a long-term commitment.


Conclusion

Government authorities, when contemplating embedding electronic components within their secure documents, should consider the long-term perspective in addition to any short-term needs. Issued documents remain in the field for periods that can exceed 10 years, and the success of politically sensitive identity programs is based on the smooth continuity and security of the secure document’s issuance and usage.

The operating software is an essential component of a secure electronic document.

Choosing the right operating software is the first and most important step when building a secure electronic document project. Other considerations, including the selection of the microprocessor platform, should come as a second step.

Any choice of operating software and supplier must therefore meet both immediate needs and long-term viability. Governments should look to operating software partners with extensive, field-tested expertise. They should also favor operating software partners who can offer multi-sourcing.

Any potential supplier should be viewed as a long-term partner offering:

• A broad portfolio that allows easy upgrade migration paths as government requirements evolve

• Continual innovation in terms of security, applications and trends in secure electronic documents

• Expertise and experience to ensure the success of the identity project deployment

• Critical mass of business as proof of manufacturing capabilities and ability to offer microprocessor platform multi-sourcing

• A solid partner-based relationship, thanks to proven financial standing and a strong business track record

In summary, an electronic passport, identity card, driver license or health card should embed carefully selected operating software. The choice of the operating software will greatly influence the short-term success and long-term viability of any secure electronic document program.


Glossary of acronyms

Application Programming Interface (API) - a set of declarations of the functions an operating system, library or service provides to support requests made by computer programs

Basic Access Control (BAC) - mechanism specified to ensure only authorized parties can read personal information from passports wirelessly using a contactless microprocessor

Brussels Interoperability Group (BIG) - technical work group that studies issues stemming from implementation of electronic machine-readable travel documents by EU member states

Central Processing Unit (CPU) - a class of logic machines that can execute computer programs

Common Criteria (CC) - an international standard for computer security

Cost Of Non-quality (CONQ) - measure of costs specifically associated with the achievement or non-achievement of product or service quality

Differential Power Analysis (DPA) - statistical analysis of power consumption curves applied to several executions of a same algorithm

Electronic Machine Readable Travel Document (eMRTD) - an electronic international travel document containing visual and machine-readable data

Elliptic curve cryptography (ECC) - a cryptography technique based on the algebraic structure of elliptic curves over finite fields

Enhanced Performance Profiles (EEP) - memory technology designed to make over-clocking easier

European Citizen Card (ECC) - European specifications for EAC-enabled eID with facial recognition and fingerprint biometrics capabilities

Extended Access Control (EAC) - a mechanism specified to allow only authorized inspection systems to read sensitive biometric data

Federal Information Processing Standards (FIPS) - standards developed by the United States Federal government for use by all non-military government agencies and government contractors

Federal Information Processing Standard Publication 140-2 (FIPS 140-2) - a United States Federal government security standard used to accredit cryptographic modules

Identification Authentication Signature (IAS) - global interoperability framework outlining criteria for authentication

Integrated Circuit (IC) - another name for a silicon chip, an IC is a small electronic device made out of a semiconductor material

International Civil Aviation Organization (ICAO) - UN agency promoting understanding and security through cooperative aviation regulation

Internet Protocol Suite (commonly TCP/IP) - the set of communications protocols used for the Internet and other similar networks

Logical Data Structure (LDS) - a data modeling technique used to examine the structure of the data required for a system


Match on Card (MoC) - biometric authentication using a microprocessor smartcard endowed with an operating system running a suitable match application

Microprocessor Control Unit (MCU) - reads opcode and instruction bits from machine code instruction and creates a series of control codes to activate and operate various components to perform a desired task

Multi-application Payment Chip Operating System (MPCOS) - operating system adapted to multi-purpose and payment applications

Near Field Communication (NFC) - short-range high frequency wireless communication technology enabling the exchange of data between devices approximately 10 centimeters apart

Non-volatile Memory (NVM) - computer memory that can retain the stored information even when not powered

Personal Identification Number (PIN) - secret numeric password used to authenticate a user to gain system access

Process Control Monitoring (PCM) - procedure followed to obtain detailed information about the process used in the application of integrated circuits

Protection Profile (PP) - a document used as part of the certification process according to the Common Criteria (CC)

Public Key Infrastructure (PKI) - an arrangement that binds public keys with respective user identities by means of a certificate authority

Radio Frequency (RF) - rate of oscillation in electrical circuits or electromagnetic radiation

Random Access Memory (RAM) - a type of computer data storage comprising integrated circuits that allow stored data to be accessed in any order

Read-only Memory (ROM) - a class of storage media used in computers and other electronic devices

RSA - an algorithm described publicly in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT

Simple Power Analysis (SPA) - a logical attack using variations in global power consumption