Tag: Biometrics

Looks like convergence projects are in the limelight… lately I noticed a lot of interest in enabling the use of common credentials for securely accessing physical and logical resources. Although we find most convergence projects are targeted at the enterprise level, there are serious minds working on using smartcard-based PKI credentials to support citizen-scale projects (I regret that I cannot discuss the specifics)! Of course the use of on-card PKI credentials and their on-demand verification with the PKI service provider has been in practice for a while now at security-sensitive organizations. The DoD CAC, PIV and most smartcard-based National ID/eIDs contain PKI certificate credentials, and a few of them include biometric samples of the card holder as well. Using those on-card identity credentials for accessing physical and logical resources becomes critical and also makes sense to fulfil the ultimate purpose of issuing smartcard-based credentials… it cannot be overstated.


A couple of weeks ago, I had a chance to present and demonstrate PIV card credential based logical access control using Sun IDM, OpenSSO Enterprise and WinXP running in a Sun Ray environment. The demo was hosted at one of the Big 5 SIs. If you are curious to see my preso detailing the pieces of the puzzle… here you go:


Java Card technology has been a passion of mine for so long, and I have always tried my best to keep updated on smart card technologies… not just because of my role at Sun; I did get several opportunities to work closely with citizen-scale Java Card deployments with multiple National ID, eID/ICAO, US DoD/CAC, PIV/FIPS-201 cards and related identity management projects. It has always been quite an adventure every time to experience a card issuance architecture and deployment scenario – right from applicant enrollment, demographic data provisioning, biometrics/PKI credentialing, adjudication/background checks, post-issuance maintenance including card authentication/verification/usage and final retirement/termination. In the early 2000s, I even had an opportunity to write a couple of Java Card applets for a Big 5 financial organization using Java Card 2.x, and they still exist in production (no kidding! one of them may be in your wallet). With all those experiences, I did have my own stumbling issues with programming smartcards, where I pulled my hair out understanding those evil “Application Protocol Data Unit” (APDU) based commands and responses. In my opinion, APDUs are quite complex to understand when you jump in unless you read the docs in and out beforehand, and then test-driving APDUs is even harder unless you have the luxury of a debugging environment – seriously, you may not want to experience those pains. Having said that, now we can breathe a sigh of relief – I am a bit late to experience the newer features of Java Card 3.0 – it has introduced “network-centric” and “Java/J2EE developer” friendly features that radically change the way we originally designed, developed, deployed, and integrated smartcard applications. Interestingly, there are very compelling aspects of Java Card 3.0 technology – as I dug in with my little experience… here are my observations.


Understanding Java Card 3.0  

  1. A Smartcard can act as a “Personal Web Application Server” or a user-centric miniature Java EE application server on a network. Java Card 3.0 has introduced a Servlet container environment referred to as the “Connected Edition”, which allows smartcard applications to be built as Java servlets (Web applications) using the Servlet 2.4 APIs and deployed as a “WAR” file to the Web container running on a Java Card 3.0 compliant smart card. This servlet-based deployment is an addition to the existing Java Card applet deployment model, referred to as the Classic Edition (the model that exists in Java Card 2.2.x). Java Card clients access the applications using a Web browser (ex. http://localhost:8019/myJavaCardServlet).
    Java Card Platform - Architecture

  2. Java Card 3.0 supports 32-bit processor based smartcards and handles more memory – up to 128K.
  3. Enough with the pain of understanding/testing APDUs: now you can readily develop Servlet 2.4 API compliant Web applications and deploy them to a smart card.
  4. With Java Card 3.0, we can interact with the card using standards-based communication over HTTP/HTTPS, and also the XML-based protocols it supports such as SOAP, REST, etc.
  5. Support for the Java crypto APIs, and additionally you can enable access control on the card similar to container-managed authentication in Java EE – using SSL/TLS mechanisms.

    Java Card 3.0 - Communication Protocols



  6. Java Card 3.0 based Web applications can be developed, debugged and deployed using Netbeans 6.7.1 and up.
  7. Smart card issuance (to card holders) and post-issuance updates using the GCF (Generic Connection Framework) can be done through a Web-based deployment model (via HTTP, TCP) – over both contact and contactless communication interfaces.
  8. Other features include full Java language support (Java 1.6 features) including all data types (except float and double), multi-threading, garbage collection, XML parsing/generation capabilities, etc.
  9. Allows Java developers to explore the Java Card platform easily, with strong potential for deploying security applications intended for National ID card schemes and passports, and for simplifying deployment of “Match-to-card Biometrics”, “On-card” credential persistence and secure transaction based applications.


Try it yourself

If you are curious to test drive the Java Card 3.0 reference implementation, especially using its “Connected Edition” to deploy a Java Servlet based application to a smart card, before you begin make sure you obtain the following prerequisites:

  1. Java Card Connected Development Kit 3.0.1
  2. Netbeans 6.7.1

and then proceed with the following steps for deploying a “Hello World” Web application – creating Java Card applications can’t get easier than this:

  1. Install the Java Card 3.0 plugins for Netbeans 6.7.1 – Go to Tools, Plugins and search for “card” to select the plugins for “Java Card Projects” and “Java Card Console”.
    Installing Java Card plugins for Netbeans


  2. In the Netbeans IDE, choose Project – “Java Card” and select the project type “Web Project”.
    Creating a Java Card "Web Project"

  3.  Assign Project name/location/folder and then select “Manage Platforms” to assign the Java Card 3.0 runtime environment.   



    Assigning "Java Card" runtime environment



  4.  To assign the Java Card runtime info, select “Manage Platforms” and choose “Platform type” to Java Card Platform.  
    Choosing "Java Card" runtime environment

  5. Select the location of your “Java Card 3.0 Connected Edition Dev Kit” installation.



    Select "Java Card 3.0 Connected Edition Dev Kit" folder


  6. Define the default device (i.e. your smartcard) attributes and press “Finish”:
    Select your "Java Card"


  7. As a result, you should see the Netbeans console showing your “Java Card Platform” environment for test-driving your applications.
  8. With the above steps complete, you are now ready to develop/debug/deploy your Java Card Web applications… here is my first “Hello World” Java Card Web application exercise.
  9. Compile the application – In the Projects window, right-click the project node and choose Build to build the project.
  10. To deploy and run the Web application on your target smartcard device (in my case the Java Card RI), in the Projects window right-click the project node and choose Load/Create Instance, or just Run to run the application. Netbeans will launch the browser, displaying the Hello World application prompting for your name… push the button and see what happens!
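For readers who want to see what the Hello World servlet from step 8 can look like, here is an added example (my own illustration, not the post’s code or the Java Card RI sample). It assumes the Servlet 2.4 subset of the Connected Edition, a web.xml mapping to /hello, and the RI’s default port 8019 from item 1 above; the one thing it adds to a bare greeting is HTML-escaping the echoed name, since the card is now a web server facing an ordinary browser.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical Hello World servlet for the Java Card 3.0 Connected Edition,
// assumed to be mapped to /hello in the WAR's web.xml and opened in the
// browser as http://localhost:8019/<context-root>/hello (assumed port).
public class HelloCardServlet extends HttpServlet {

    // GET: render the form that prompts for the card holder's name.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><h1>Hello from your Java Card</h1>");
        out.println("<form method=\"post\">Name: <input name=\"name\" maxlength=\"32\"/>");
        out.println("<input type=\"submit\" value=\"Greet me\"/></form></body></html>");
    }

    // POST: greet the user. The card is a tiny web server, so browser input
    // is untrusted exactly as it would be on a full-size container. TLS and
    // container-managed auth (item 5 above) are declared in web.xml, e.g.
    //   <security-constraint> ... <user-data-constraint>
    //     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    //   </user-data-constraint></security-constraint>
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name");
        if (name == null || name.trim().length() == 0) {
            name = "stranger";
        } else if (name.length() > 32) {
            name = name.substring(0, 32);   // maxlength is client-side only
        }
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><p>Hello, " + escapeHtml(name) + "!</p></body></html>");
    }

    // HTML-escape untrusted text before echoing it; otherwise a crafted name
    // would run as script in a page served by the card itself (reflected XSS).
    static String escapeHtml(String s) {
        StringBuffer sb = new StringBuffer(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```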

Netbeans does all the magic for you – if something is not working, no worries! Like implementing any other Web application in the IDE, it is now easy to painlessly debug and redeploy the application – I am sure you’ll find that deploying applications on Java Card is no longer a mystery.


With billions of Java Cards already in use and so much demand for smartcard technology, Java Card 3.0 promises to go beyond citizen IDs and can potentially act as the “Personal Web application server” in your wallet.


Thanks to Anki Nelaturu and Saqib Ahmad, who introduced me to Java Card 3 with their JavaOne ’09 sessions. After playing with my first exercise on the Java Card 3.0 RI, now I am chasing my friendly smartcard vendors to loan me a couple of Java Card 3.0 cards :-)


Just read this interesting research paper published by Prof. Bobby Tait and Prof. Basie von Solms of the University of Johannesburg (South Africa), which explains how a person’s biometric fingerprints/iris scans can be used as a protocol to perform private key based encryption and digital signatures. The paper describes a biometric middleware infrastructure (BioVault) which requires users to perform biometric authentication for generating or retrieving a random key from the user’s keystore. The selected key is used to perform the required encryption or signature operation. If Alice and Bob exchange messages using their secret key, they are required to authenticate with biometrics. The only advantage of this process is that the user doesn’t need to remember a password or carry a smartcard/PIN to access their keystore – as it uses fingerprint or iris pattern based authentication prior to initiating the operations.

I am not sure how accurate the solution will be given the “False Acceptance Rate (FAR)” of biometrics, especially fingerprints. Even at the highest accuracy, as I noted… iris recognition’s FAR is 1 in 1.2 million, and with fingerprints a false acceptance may occur 1 in 100,000. And there is no guidance on… how reliable is the solution in case of a MITM attack that compromises the user’s biometric sample…? Still, it is an interesting work – but in my opinion a conventional PKI based solution has its own security advantages over the several inherent reliability issues of biometric authentication.


Lately I’ve been frantically busy with a couple of my ISVs and an SI, helping them out on a citizen-scale National Healthcare Identity Infrastructure solution pilot for one of the populous countries in the Atlantic region – sorry, I cannot disclose the country’s name, to abide by their privacy laws and to protect my job :-) . The solution aims to deliver a Unified Desktop/Voice Infrastructure via a Sun Ray environment, fortified by biometrics and smartcard PKI based authentication to access the exposed services. Using smartcard/PKI and biometrics for Sun Rays has been deployed in production (at a few customers) and in practice for a while now… but in my current project the interesting thing is that the complete Sun Ray solution will be hosted as a SaaS environment (~Private Cloud), and other complexities are related to legal/privacy issues with performing citizens’ biometric enrollment and storing the biometric information with a private organization (especially when the country’s privacy laws forbid storing citizens’ biometric samples). Keeping those nail-biting legal issues aside, the Govt folks are still very enthusiastic and excited about adopting biometric authentication for Sun Ray based desktops to access their SaaS hosted Web-based healthcare applications.


Biometric Authentication on a Sun Ray environment


Looks cool, isn’t it? If you are curious to know the secret sauce of the Sun Ray biometric authentication solution, here is the bill of materials to put together:

  1. Sun Ray Session Server 4.x or above
  2. Solaris 10 X64 or SPARC
  3. Sun OpenSSO (Biometric SSO for Web applications)
  4. Sun Identity Manager (Provisioning Biometric Samples during enrollment)
  5. Sun Directory Server
  6. Sun Secure Global Desktop (Support accessing Windows, Mac, Linux, Solaris Desktops)
  7. Oracle 11g or MySQL 5.x database
  8. BiObex Authentication Middleware (Advanced Biometric Controls)
  9. Hamster Plus – USB Biometric Scanner (SecuGen) – For supporting Desktop/Web authentication
  10. CrossMatch Verifier E – Biometric Scanner for supporting Biometric enrollment

Shortly, I will update this blog entry with a detailed architecture and deployment cheatsheet… as soon as I wrap up my current project deliverables. If you are a Sun Ray enthusiast, I know you will have some burning questions! Feel free to send them, and I will try to answer them quickly… otherwise please stay tuned for my unofficial deployment guide.


This stateless infrastructure could be your next generation client for securely accessing your virtual desktops hosted on the cloud :-)


Lately, biometric identification and authentication technologies have been gaining unprecedented importance in government organizations across the globe, as evidenced in the US by the introduction of HSPD-12 and HSPD-24, and in other countries complying with ICAO requirements for biometric-enhanced machine-readable travel documents (MRTDs) / ePassports, providing support for facial/fingerprint identification of travelers passing through airports and security-sensitive locations and ensuring protection against identity theft.

I just came across this interesting prediction and analysis by Matia Grossi, Frost & Sullivan’s industry analyst – highlights:

  • Biometric technology adoption will triple by 2012 from its 2008 value.
  • Biometric technologies are getting increased attention in commercial markets particularly the financial, healthcare, retail and educational sectors.
  • Technologies currently gaining momentum include face recognition 2D/3D, Iris scans, Hand geometry, Vascular scans (palm vein scans), and Retina scans. Upcoming physiological technologies will be skinprints, earlobe scans, brain fingerprints, and DNA recognition.
  • By 2020, multimodal biometrics using a combination of fingerprint, face, and iris will emerge as the standard biometric identification solution for government, border control and airport security applications.

I didn’t have a chance to read the complete report… all I read was the highlights of the report by Matia Grossi, Frost & Sullivan’s industry analyst… right here. If you are curious about using biometric technologies for enabling physical and logical access control… read my earlier posts on Biometric SSO Authentication and Provisioning/De-provisioning Biometrics for Physical and Logical Access Control.


Last night, I had the opportunity to present at an OWASP event @Hartford, CT. James McGovern, a long-time buddy of mine, organized this event at one of the Hartford skyscrapers – what a great view! I had contributed code artifacts to OWASP projects before, but it was the first time I had a chance to attend an OWASP event. Amazing to see… it was an enthusiastic crowd with a lot of focus on the emerging trends in IT security. I took a small piece of the IT puzzle… to present a topic on “Multi-factor Authentication” and then a demo showing OpenSSO with PKI/biometric authentication. It was a well-organized event and I saw a lot of interest around OpenSSO.

As promised, here are my slides for your reading pleasure. Enjoy.


A month ago, I had a chance to meet with John Beveridge (Deputy State Auditor at the Office of the State Auditor of Massachusetts) at an ISACA event in Boston. During a casual chat, he briefly mentioned the upcoming regulation “Mass 201 CMR 17.00 – Massachusetts Standards for Data Protection of Personal Information” and its compelling security requirements! With all curiosity… I had my first dig at Mass 201 CMR 17.00 last week… it is the toughest data protection law so far (as a Govt initiative for preventing identity theft)… I am quite amazed by the stringent rules imposed by this regulation for protecting the personal identity information of Massachusetts residents. I am not a lawyer or an auditor by profession… so here is my layman’s interpretation of the regulation and its dictated requirements for securing personal identity information.

  • Comprehensive Information Security Program: mandates that ALL businesses that deal with personal identity information of Massachusetts residents (in paper and electronic forms) provide comprehensive documentation of all practiced security measures taken for preventing unauthorized access and ensuring confidentiality and integrity of the personal identity information.
    • Access control policies and rules for all employees who have access to identity information and enforce disciplinary action on those who violated the rules.
    • Upon employee termination, all physical and logical access privileges must be instantly revoked.
    • Third-party service providers need to comply with the Information security program and it requires a contractual binding before providing them access to personal information.
    • Identification of media including Laptops and PDA devices that store identity information and written procedures detailing how the physical access to those media is restricted.
    • Monitoring to verify the information security is operational preventing unauthorized access and support putting safeguards for minimizing both internal and external risks.
    • Require at least an annual review, and also a review whenever a material change has occurred in business practices relating to the security and integrity of the information.
    • Documentation of incidents, response actions and post-incident review of events and actions.
  • Secure User Authentication
    • Control of user identifiers and secure methods for selecting and assigning passwords.
    • Use of authentication technologies such as Token devices and Biometrics.
    • Restricting access to active users only.
    • Blocking access after multiple unauthorized access attempts.
  • Data Encryption for all personal information in transit and storage.
    • Encryption of all records/files in storage (Laptops/other media) and transmitted over the wired/wireless networks.
  • Firewall protection and Operating System security patches must be kept up to date to maintain the integrity of personal identity information.
  • Malware and Virus protections ensuring all patches and definitions are updated on regular basis.
  • Education and employee awareness training on the Information security program and practices.

The Mass 201 CMR 17 data protection requirements align well with the Federal Trade Commission’s Red Flag rules on Identity Theft Prevention. Some of these security practices have already been in use at many big companies addressing PCI-DSS, GLBA and HIPAA requirements. At the outset, this is a big business boost to security architects and consulting companies that deal with providing information security and identity management infrastructure and solutions. This regulation was supposed to be effective on Jan 1, 2009, and now for some reason the deadline is extended till May 1, 2009 – not sure it helps everyone – but the deadline for compliance is approaching and not too far!


Important Disclaimer: The information presented in this weblog is provided “AS IS” with no warranties, and confers no rights. It solely represents our opinions. This weblog does not represent the thoughts, intentions, plans or strategies of our employers.