Integrated Solutions for Secure Identity Técnicas ctiptográficas para la Protección de Datos Biométricos en el E-Passport / E-DNI f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, Dr. Yuri Grigorenko Nov 07’

Services About US Basic Cryptography PKI & ePassports Best Practices f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, In an Nutshell is a security consultancy company and OEM solution provider specializing in the field of identity management is based on a managing team of IT veterans with a combined experience of over 30 years in the smart card business and information security sector provides a wide portfolio of consulting services and integrated solutions in the field of identity security for governments worldwide Integrated Solutions for Secure Identity Contact US

In an Nutshell About US Basic Cryptography PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, We focus on the combination of Identity Management with IT Security Technologies  Smart Cards  Public Key Infrastructure  Hardware Security Modules Our services include:  Threat analysis  Technological gaps identification  Available products survey and QA  Provision of tailored technological solutions  Second-tier technical support  Training program s Integrated Solutions for Secure Identity Best Practices Contact US Services

CertificatesTrust ModelsDigital SignatureSigning ProcessEncryption ProcessHash FunctionsSymmetric vs. AsymmetricEncryption Basics Basic Cryptography About Us PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, Encrypting a message is like locking your house An encryption algorithm ~ Lock mechanism An encryption key ~ Lock key / combination Lock Integrated Solutions for Secure Identity Best Practices Contact US

Lock About US Basic Cryptography PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, A riddle: How do two people lock a room without sharing the secret code? A hint: skcol owt esU ! Symmetric - same key Asymmetric - public and private keys Lock CertificatesTrust ModelsDigital SignatureSigning ProcessEncryption ProcessHash FunctionsEncryption BasicsSymmetric vs. Asymmetric Integrated Solutions for Secure Identity Best Practices Contact US

About US Basic Cryptography PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, A function that digests the message and provides a unique (and short) representation Irreversible Public algorithms Yuri Marcel To: Marcel CC: Yuri From: Yuri This is the original message Hash To: Marcel CC: Yuri From: Yuri This is the original message ADS#$#$%3ffr4 Hash ? CertificatesTrust ModelsDigital SignatureSigning ProcessEncryption ProcessEncryption BasicsSymmetric vs. AsymmetricHash Functions Integrated Solutions for Secure Identity Best Practices Contact US

About US Basic Cryptography PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, Symmetric / Asymmetric Confidentiality Yuri To: Marcel CC: Yuri From: Yuri This is a secret message Encryption To: Marcel CC: Yuri From: Yuri SDF#$%8SDFD Decryption Marcel’s public key Marcel’s private key CertificatesTrust ModelsDigital SignatureSigning ProcessEncryption BasicsSymmetric vs. AsymmetricHash FunctionsEncryption Process Integrated Solutions for Secure Identity Best Practices Contact US Marcel Same mutual key

About US Basic Cryptography PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, Asymmetric Authenticity Yuri To: Marcel CC: Yuri From: Yuri This is an authenticated message Encryption To: Marcel CC: Yuri From: Yuri SDF#$%8SDFD Decryption Yuri’s private key Yuri’s public key CertificatesTrust ModelsDigital SignatureEncryption BasicsSymmetric vs. AsymmetricHash FunctionsEncryption ProcessSigning Process Integrated Solutions for Secure Identity Best Practices Contact US Marcel

About US Basic Cryptography PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, Yuri Marcel To: Marcel CC: Yuri From: Yuri This is a signed message Encryption To: Marcel CC: Yuri From: Yuri This is a signed message SDF#$%8SDFD Decryption Yuri’s private key Yuri’s public key Hash AD4543$%DF Hash AD4543$%DF ? CertificatesTrust ModelsEncryption BasicsSymmetric vs. AsymmetricHash FunctionsEncryption ProcessSigning ProcessDigital Signature Integrated Solutions for Secure Identity Best Practices Contact US

About US Basic Cryptography PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, Yuri Marcel Yuri’s public key K pu = 0xff132483ab FFK$#%5534FSAB To: Marcel CC: Yuri From: Yuri This is a signed message SDF#$%8SDFD CertificatesEncryption BasicsSymmetric vs. AsymmetricHash FunctionsEncryption ProcessSigning ProcessDigital SignatureTrust Models Q: How does Marcel know that Yuri’s (K pu,K pr ) wasn’t forged ? A: It has to be digitally signed by someone Marcel trusts (TTP)! Encrypt with trusted party K pr Decrypt with trusted party K pu Hash ? GR%3HJT$6 Integrated Solutions for Secure Identity Best Practices Contact US

About US Basic Cryptography PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, Yuri’s public key K pu = 0xff132483ab98 additional information Issuer, Validity, privileges… FFK$#%5534FSAB Encryption BasicsSymmetric vs. AsymmetricHash FunctionsEncryption ProcessSigning ProcessDigital SignatureTrust ModelsCertificates X.509 Certificate Standard Card Verifiable Certificates Hash signed by a trusted party Integrated Solutions for Secure Identity Best Practices Contact US

Active AuthenticationExtended Access ControlBasic Access Control PA Trust LevelsPassive AuthenticationLogical Data Structure Basic Cryptography About Us PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, What should we protect? Authenticity of personal data Privacy of personal and biometric data Passport uniqueness An ICAO TAG/MRTD recomendation General Passive Authentication Basic Access Control Extended Access Control Active Authentication Integrated Solutions for Secure Identity Best Practices Contact US

Active Authentication Basic Cryptography About Us PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, Logical Data Structure: Mandatory - personal details, face picture, digital signature. Optional - Fingerprint, iris, signature picture… Data group 1 (MRZ) Data group 2 (Encoded Face) Data group 3 (Encoded Finger) Data group 4 (Encoded IRIS) Data group 5 (Displayed Face) Data group 6 (Future Use) Data group 7-15 Data group 16 (Persons to notify) LDS Extended Access ControlBasic Access Control PA Trust LevelsPassive AuthenticationGeneralLogical Data Structure Integrated Solutions for Secure Identity Best Practices Contact US

Active AuthenticationGeneral Basic Cryptography About Us PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, Data group 1 (MRZ) Data group 2 (Encoded Face) Data group 3 (Encoded Finger) Data group 4 (Encoded IRIS) Data group 5 (Displayed Face) Data group 6 (Future Use) Data group 7-15 Data group 16 (Persons to notify) LDSSO D Hash DG_1 Hash DG_2 Hash DG_5 Digital Signature Protects against data alternation: Personal data Hash values Extended Access ControlBasic Access Control PA Trust LevelsLogical Data StructurePassive Authentication Only issuer could have signed this passport! Integrated Solutions for Secure Identity Best Practices Contact US

Active AuthenticationGeneral Basic Cryptography About Us PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, DSCA Environments CSCA Environment HSM Backup HSM CA managemen t software HSM Backup HSM Document Signer Software Personalization equipment DB ePassport Management System Extended Access ControlBasic Access ControlPassive AuthenticationLogical Data Structure PA Trust Levels 2 level PKI Integrated Solutions for Secure Identity Best Practices Contact US

Active Authentication Basic Cryptography About Us PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, Extended Access ControlGeneralLogical Data StructurePassive Authentication PA Trust LevelsBasic Access Control Who can read my personal and biometric data? Skimming - secretly reading the data from small distance Eavesdropping - passive observation of “legal” communication Solution: If I can see your passport - I am allowed to read it! Establishment of a symmetric encryption key based on the optically readable MRZ, thus encrypting the connection between the passport and the reader P<D<< GRIGORENKO<YURI<<<< D<<123M <<<<<0 Symmetric key establishment Hash ENCRYPTION Integrated Solutions for Secure Identity Best Practices Contact US

Active Authentication Basic Cryptography About Us PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, GeneralLogical Data StructurePassive Authentication PA Trust LevelsBasic Access ControlExtended Access Control Only a face picture is a mandatory biometric data! Additional biometric data must be protected from unauthorized access Number of possible cryptographic solutions: Data encryption using dedicated Master Key(s), as well as additional information (such as MRZ details) Inspection system authorization, introducing additional PKI scheme (CVCA, DVCA, IS). A reader must be digitally verified in order to read sensitive data from the passport Issuing country is always in control: sharing of secret keys, signing certificates… Integrated Solutions for Secure Identity Best Practices Contact US

General Basic Cryptography About Us PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, Data group 1 (MRZ) Data group 2 (Encoded Face) Data group 3 (Encoded Finger) Data group 4 (Encoded IRIS) Data group 5 (Displayed Face) Data group 6 (Future Use) Data group 7-14 Data group 15 (AA Public Key) LDSSO D Hash DG_1 Hash DG_2 Hash DG_5 Digital Signature Protects against data coping: AA private key is secretly stored on chip and is unreadable A challenge-response protocol Data group 16 (Persons to notify) Hash DG_15 AA Private Key Logical Data StructurePassive Authentication PA Trust LevelsBasic Access ControlExtended Access ControlActive Authentication Integrated Solutions for Secure Identity Best Practices Contact US

Questions Basic Cryptography About Us PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, Integrated Solutions for Secure Identity Best Practices Contact US Modern cryptographic techniques, e.g. PKI provide the suitable framework for protection of sensitive biometrical data Deployment of a Public Key Infrastructure, being a highly complicated issue combining delicate technological aspects, requires unique specialization Being the heart part of your e-passport security, it is highly recommended to treat the Public Key Infrastructure separately from the deployment of the passport production system We offer our clients an integrated PKI solutions to fit their passport production process Best Practices

Basic Cryptography About Us PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, Integrated Solutions for Secure Identity Best Practices Contact US Best PracticesQuestions

Basic Cryptography About Us PKI & ePassports f-ID Security Technologies GmbH Dr. Yuri Grigorenko, Biometria 2007, Buenos-Aires, Visit Us: Rosa Hoffman Strasse 33 A-5020 Salzburg, Austria Call Us: Us: Integrated Solutions for Secure Identity Best Practices Contact US