The GlobalPlatform Value Proposition
for Identity Management
White Paper
November 2007
secretariat@globalplatform.org
www.globalplatform.org
© 2007 GlobalPlatform Inc.
Contents
About GlobalPlatform (page ii)
Publication Acknowledgements (page ii)
Executive Summary (page iii)
Section 1: The Concept of Identity Management (page 1)
  Introducing Smart Cards to Identity Management (page 2)
Section 2: Case Study - U.S. Department of Defense (DoD) Common Access Card (page 4)
  The U.S. DoD Identity Management Concept (page 4)
  The Common Access Card (CAC) (page 4)
  Evolving DoD Systems to Support CAC (page 5)
Section 3: What GlobalPlatform Offers the ID Card (page 8)
  Personalizing Chips and Managing Applications – Vendor (In)Dependence (page 8)
  A Card With More Than One Application (page 9)
  ID Card Security Considerations (page 11)
  The Smart ID Card Life Cycle (page 11)
  Card Issuance Processes (page 13)
Section 4: The GlobalPlatform Proposition (page 14)
  Identity Management Roles (page 15)
  Smart Card Management Roles (page 16)
Section 5: GlobalPlatform Specifications - Future-Proofing Government Identity Programs (page 18)
Appendices (page 20)
  Appendix I - Acronyms (page 20)
  Appendix II – List of GlobalPlatform Specifications (page 21)
About GlobalPlatform
GlobalPlatform is a member-driven organization with worldwide cross-industry representation.
GlobalPlatform is the leading international association focused on establishing and maintaining
interoperable specifications for single and multiple application smart cards, acceptance devices and
systems infrastructure that deliver benefits to issuers, service providers and technology suppliers. These
specifications are known as the standard for smart card infrastructure, thanks to their balance of technical
superiority and business justification.
GlobalPlatform Specifications are freely available and have been adopted in Europe, the Americas, Asia
and Australia by many public and private bodies.
For further information, visit www.globalplatform.org
Publication Acknowledgements
GlobalPlatform wishes to offer special thanks to the members of the Government White Paper Task Force,
and their respective organizations, for their contributions and involvement in developing this White
Paper.
Participants included:
Rien de Grijp - ACI Worldwide Inc.
Pieter Hoogendoorn - ACI Worldwide Inc.
Eric Le Saint - ActivIdentity
Gil Bernabeu - Gemalto
David Asay - IBM Global Business Services
Ian Hermon – Thales e-Security
Lynne Prince - U.S. Department of Defense / Defense Manpower Data Center
With special thanks to the GlobalPlatform Marketing Secretariat for managing the development of this
White Paper.
Phil Davidson - GlobalPlatform
Kevin Gillick - GlobalPlatform
Ayse Korgav - GlobalPlatform
© 2007 GlobalPlatform Inc. All Rights Reserved. Reproduction or distribution of this publication in any form is
forbidden without prior permission from GlobalPlatform Inc.
Executive Summary
The need has never been greater for governments worldwide to implement secure and robust identity (ID)
management programs in order to control access to their physical and logical property and ultimately ensure the
safety of staff and their own establishment. With countless solutions deployed in today’s marketplace and new
products introduced every year, however, the challenge is not finding a technology to help manage identities and
secure data, but how to select a solution that is flexible, secure, cost-effective, scalable and standardized, yet which
offers a minimum level of risk.
This White Paper aims to explain the value of implementing a government ID smart card program which is based
on the GlobalPlatform Specifications. Many governments worldwide have already realized the benefits of deploying
GlobalPlatform technology in their ID programs. Current known implementations, at the time of this White Paper’s
publication, include: Austrian Citizen Card, BioPass (Singapore Biometric Passport), CNS Italy, Daejeon Project
(South Korea), Hong Kong National ID Card, Kingdom of Belgium ICAO e-Passport, Macau Special Administrative
Region Project, Moroccan National ID Card, Polish Transport Authority Project, Qatari National ID Card, Saudi
Arabia’s King Fahd University ID Card, Sultanate of Oman National ID Card, Taiwan National Health Insurance Card
and US Government Agency initiatives from the Department of Defense, the General Service Administration and
the Transportation Security Administration.
For ease of reference, this document focuses solely on one widely recognized use-case of GlobalPlatform technology
– the United States Department of Defense (DoD) Common Access Card (CAC) - and also uses the widely recognized
Personal Identification Verification (PIV) standard as an example ID management framework. The case study
illustrates how the GlobalPlatform Specifications can be applied across the entire smart card infrastructure to
benefit the issuance and management of smart ID cards and applications in a government program. It is intended
that other use-cases, originating from Europe and Asia-Pacific, will be developed and explored in future editions of
this White Paper series.
This document provides a detailed overview of how and where GlobalPlatform technology is applied across an ID
management program and to what effect. GlobalPlatform’s impact relative to the ID card itself and different roles
within a card management system are explored, and the role that GlobalPlatform plays in facilitating interfaces and
data exchange between different actors in an ID management program is also outlined.
For the purpose of clarity from the outset, it is important to note that GlobalPlatform technology offers an approach
to deploying smart cards and card management. It does not address the entire ID management program
framework.
This White Paper is intended to be informational rather than technical in nature. This allows it to be accessible to
government officials, project managers and consultants advising on the implementation of smart card based ID
programs in government, in addition to more technical audiences.
Section 1: The Concept of Identity Management
There was a time when to secure a loan or join a club, a person required a sponsor. It was a banker, attorney,
preacher, or someone of similar reputable standing who vouched for the person by confirming their identity (ID).
Even without using smart cards, ID management systems essentially provide the same services - they establish
trusted identities and securely link credentials to people using tokens.
The ID management model no longer requires a one-on-one introduction from a trusted person to enter a physical
space or access a web site. Rather, the trusted ID carried on securely issued tokens empowers the credential holder.
This person can use their credential to move across networks, use web applications and enter doors, gates and
buildings. Simultaneously, organizations protect themselves from unauthorized access.
Figure 1 introduces a reference model of ID management, which will be used throughout this White Paper to describe
the impact of smart card technology in general and to explain how the GlobalPlatform Specifications ensure an open
and future-proof approach. Figure 1 depicts the situation before the introduction of smart cards:
[Figure 1 is not reproduced here; its labels are summarized. The diagram has three areas. Access Control (out of scope): the Person / Cardholder presents the Token to an Access Control Terminal (reader, middleware) backed by an Access Control Service. Identity Management: Registration Station, ID Vetting, Issuance Station and the IDMS. Token Production: Personalization System and Token Manufacturer (Token Manufacture).]
Figure 1 – Identity management overview
The secure and accurate control of access privileges (Access Control, the green area on the left of Figure 1)
is the primary objective of ID management. People may be granted access to facilities or infrastructures/services
when their credentials have been authenticated and they have proven to be the rightful carrier of the token, for
instance by entering a PIN. The Access Control System may subsequently contact the Identity Management System
(IDMS) to ensure that the presented credentials have not been revoked. As this White Paper does not discuss card
reading equipment in any detail, however, the area depicted in Figure 1 as ‘Access Control’ is outside
the scope of this document.
The middle (blue) area of the diagram, which represents ID Management, comprises all of the facilities required to
actually issue and manage identities and credentials. During the first stage of enrolment on an ID scheme a person
must present documents to establish his/her proper ID. Those documents must be presented to a registration
station and ID vetting may occur either before or during the enrolment process. Here ID information is validated
and the right of the person to obtain ID credentials is established. It is imperative that registration and ID vetting
processes are performed by different people or organizations. At the issuance station, tokens will be issued in a
secure way in order to make sure the ID credential can be accepted as a representation of an ID later on.
The IDMS is a core component of any ID infrastructure. The IDMS usually conjoins multiple databases that contain
various ID elements. It controls the enrolment/registration process — including credential vetting — and initiates
document production. It may schedule personal appointments for enrolment and issuance stations. After issuance,
the IDMS plays a role in the online authentication of credentials, e.g. for building access, border control or e-
government services. During its life cycle, the token may require updating, revocation or replacement, so the IDMS
must also be capable of addressing these requirements as necessary.
Finally, the right (orange) area of the diagram, which represents Token Production, is concerned with the actual
token production and personalization processes. These tasks can be done in central secure facilities, from where
personalized tokens are shipped to issuance stations for collection, or in a distributed fashion close to the issuance
stations. In all cases, production and personalization must be highly secure and stocks of blank cards must be
protected from misuse.
Introducing Smart Cards to Identity Management
The key aim of this White Paper is to educate on the capabilities and benefits offered by smart cards and smart
card management systems when deployed in government ID management programs. While much of this document
focuses on ID management concepts and issues, this information is provided as a context for explaining the value
that a smart card based solution – specifically a smart card solution based on GlobalPlatform’s open technology
– can bring to issuers of government ID management programs. To be clear, GlobalPlatform offers an approach
to deploying cards and card management, not ID management.
Just like many smart ID cards today, including driving licenses and health cards, a smart government ID card
body often has additional features such as text, Machine Readable Zone (MRZ) lines, a bar code and a photo. In
the case of a government credential, however, standard graphical personalization is combined with highly secured
printing such as Changeable/Multiple Laser Image (CLI/MLI), micro perforation for text and images, a hologram
and UV color personalization, designed in a way to offer an overt and covert means of determining authenticity of
the credential. The embedded chip, however, constitutes a new element which may contain a wealth of applications
and data, optionally originating from different authorities. This is the value that multi-application smart cards bring
to a government ID program. The information on the chip is securely stored and not retrievable without the express
permission of the cardholder. Additionally, the smart card can authenticate users with a high degree of fidelity,
allowing them to digitally sign documents, ensuring non-repudiation. The use of a chip, however, does necessitate
vital changes to an ID management program. Token production is a key illustration of this.
Token production was traditionally seen as the subject of printing technology and key concerns were for security
paper, holograms, and lamination. In the case of smart cards, however, more sophisticated programming and
cryptographic processes are required to personalize the chip. It is a mistake to view chip personalization as
simply an extension of the printing process. Doing so leads to a mistaken focus on the brief period during which the
token is produced and ignores the need to manage the chip and its data during the entire life cycle of the token.
Additionally, enhancing the IDMS to perform these new processes can result in a highly complex project, as more
and more features may impact the upgrade.
So, what starts out as a simple extension to personalize chips can quickly expand to encompass all other aspects
of the life cycle of the chip and its data. To avoid this situation, the following approach is recommended:
[Figure 2 is not reproduced here; its labels are summarized. Access Control (out of scope): the Person / Cardholder presents the ID Card to an Access Control Terminal (reader, middleware) backed by an Access Control Service. Identity Management: Registration Station, ID Vetting, Issuance Station, IDMS and the Smart Card Lifecycle Management System (SCMS). Smart Card Production: Smart Card Personalization System, Certification Authority, Digital Signatory Service and Smart Card Manufacturer.]
Figure 2 – Smart card enhancements (orange) to identity management
To implement the new smart card technology with minimal impact to the existing environment, a Smart Card
Management System (SCMS) is necessary. The SCMS encapsulates important aspects of the life cycle of a smart
card, such as data encryption, key generation and key management and allows most of the smart card specific
processes to be isolated from existing systems. For instance, the IDMS is responsible for the life cycle events of the
cardholder, and may continue to send token renewal/replacement requests to the SCMS as if little has changed.
Triggered by the IDMS requests, the SCMS will interface with the certificate authorities, personalization bureaus and
other external institutions to drive smart card issuance and post-issuance updating. When properly implemented,
the personalization of a smart card can be securely outsourced to either a central facility or local (distributed)
issuance bureaus or stations.
Besides the addition of an SCMS, other areas in Figure 2 may need to be upgraded to ensure that they do not
become a weak link in the security chain. For instance, biometrics data may be captured at the registration desk
for later inclusion on the smart card and two factor authentication may be used to ensure the person collecting the
card at the issuance station is the same person who enrolled at the registration desk. Two factor authentication is
a means of identification based on more than one criterion, e.g. something you have (card) and something you know
(PIN). Though these critical ID management elements are imperative for a secure ID program, they are outside the
scope of GlobalPlatform systems. Both ID management and GlobalPlatform systems are required to build a strong
government smart card based ID scheme.
The model of ID management outlined in this section is more clearly illustrated in Section 2 by one concrete
example of GlobalPlatform technology deployed in a government ID program: the U.S. Department of Defense’s
(DoD) Common Access Card (CAC). In addition to providing some background information on the CAC, this section
will also examine the impact of smart card technology on different functions of the CAC ID management program
and explain how GlobalPlatform technology facilitates and benefits the CAC implementation.
Section 2: Case Study - U.S. Department of Defense (DoD) Common Access Card
At this juncture, it is considered beneficial to showcase a successful ID management solution which uses smart
cards. The U.S. Department of Defense’s (DoD) Common Access Card (CAC) is the flagship model of a government
smart card solution for ID management and in this section all the processes from pre-issuance to post-issuance of
the ID token will be explored.
Upon reading this case study, readers may note the complexity of electronic ID schemes and how a smart card
facilitates rapid authentication for both logical and physical access.
The U.S. DoD Identity Management Concept
The U.S. DoD has always had an obligation to provide an ID token to its Uniformed Service personnel and their
family members. As such, the DoD ID Management Program was initiated in the early 1900s when the basic ID
card was the primary form used for ID management. In the mid 1980s, the initial and current DoD ID repository,
The Defense Enrolment Eligibility Reporting System (DEERS), was established and used to consolidate identities
and ID cards into one database.
The DoD ID card, as it was then, served as a token of affiliation to the DoD. Additionally, for those military members
serving overseas, the U.S. DoD ID card was also accepted as a Geneva Convention Card. For family members,
the U.S. DoD ID card identified privileges such as commissary, medical care, recreational facilities or exchange
access.
In 1999, however, the Deputy Secretary of Defense mandated a new technology for DoD ID cards. The new
technology was a smart card called the Common Access Card (CAC). The smart card was considered to provide
greater security against fraud, tampering and counterfeiting, and better privacy protection for the cardholder.
The first CAC was issued in 2001, resulting in the DoD becoming the first U.S. Government Agency to develop an
ID smart card.
The Common Access Card (CAC)
Today, the CAC is a smart card that serves as the DoD standard identification and logical access credential. It may
also be used for physical access to DoD facilities. In addition to retaining the key functions of the traditional ID
card it replaces - serving as an ID and privileges card and a Geneva Convention Card - the CAC is additionally used
for secure authentication and network access, enabling users to securely log on to their computer, decrypt email
and digitally sign documents. The CAC increases security for unclassified networks and allows the undertaking of
secure transactions over the internet.
The CAC conforms to the following standards:
• Federal Information Processing Standards (FIPS) 201 – a U.S. Government standard related to the Personal Identity Verification of Federal Employees and Contractors.
• FIPS 140-2 – a U.S. Government computer security standard which specifies requirements for cryptographic modules.
• ISO 7816 – an international standard related to electronic identification cards.
All members of the Uniformed Services (Active Duty, Reserves and National Guard) receive a CAC, as do DoD
civilians, eligible contractors and DoD affiliated organizational members. The look of a DoD ID card is unified by
external features including a digital photograph, bar codes, a magnetic strip and a contactless interface. While
these features facilitate proper recognition of military, civilian and appropriate DoD contractors worldwide, the real
value proposition is in the chip. The secure data on the chip enables the rapid electronic authentication which both
the DoD, and the Homeland Security Presidential Directive (HSPD)-12, mandate. The CAC chip contains:
• DoD PKI certificates
• Two digital fingerprints
• Digital photo
• Personal Identity Verification (PIV) Authentication Certificate - U.S. Federal Government
• DoD organizational affiliation
• DoD agency code
• DoD department code
• CAC expiration date
• Cardholder unique identifier - available through both a contact and contactless interface
[Figure 3 is not reproduced here; it shows the front of the CAC and the back of the CAC.]
Figure 3 – Layout of the Common Access Card (CAC)
Highlighting the complexity of CAC issuance, there are 2000+ issuance stations worldwide and a central issuance
facility which issues cards to all military recruits. Post-issuance facilities, for updating CACs, are made available at
users’ desktops and facility kiosks.
In the second quarter of 2007, 11 million CACs had been issued since the start of the program, and 3.3 million
active cards were in circulation. The DoD’s daily CAC issuance rate was 10,000 cards per day, with an annual
sustainment rate of 2.2 million cards.
Testifying to the success of the CAC program, the January 25, 2007, issue of Federal Computer Weekly, referred to
the CAC as ‘the gold standard for rapid electronic identity authentication, online security and physical access’. The
article continued by highlighting that the CAC is now actively being used by over 91% of DoD users who require
logical access, as only people authenticated via their CAC are authorized logical access to DoD networks and web
services. The result is that successful intrusions of DoD networks declined by over 46% between 2006 and 2007.
Evolving DoD Systems to Support CAC
This section follows the ID management life cycle of a DoD person applying for a CAC and the life cycle of the CAC
itself, from registration to termination.
The ID management life cycle of a DoD person begins when they register with a DoD Human Resources (HR)
System. The ID of all DoD military personnel or civilians is logged within DEERS, the central IDMS repository,
together with details of their personal CAC and Public Key Infrastructure (PKI) certificates. When that person leaves
or resigns from the DoD, their personal ID remains in DEERS but is marked as inactive. The CAC is terminated and
their PKI certificates are revoked.
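The life cycle just described (register, vet, issue, grant or deny access, terminate) can be made concrete in a few dozen lines. The model below is an added illustration and is not code from GlobalPlatform, the DoD or any SCMS product: it enforces the separation the paper calls imperative (registration, ID vetting and issuance by three different agents), performs the Access Control check in the order Figure 1 implies (authenticate the credential, confirm the holder via PIN, then ask the IDMS about revocation), and marks the record inactive with its token revoked when the person leaves. The person and agent names, the in-memory IDMS and the HMAC that stands in for a PKI certificate are all constructed for the example.

```python
"""Constructed model of the ID management life cycle described above. Not
GlobalPlatform or DoD code: the IDMS is an in-memory dict, agents are plain
strings, and an HMAC over the credential fields stands in for the PKI
certificate a real token would carry."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Status(Enum):
    REGISTERED = "registered"  # documents presented at the registration station
    VETTED = "vetted"          # ID vetting done; right to a credential established
    ACTIVE = "active"          # token issued and accepted for access
    INACTIVE = "inactive"      # person left; token terminated, credential revoked


class PolicyViolation(Exception):
    """A life-cycle step that breaks ordering or separation of duties."""


@dataclass
class Record:
    person_id: str
    registrar: str
    vetter: Optional[str] = None
    issuer: Optional[str] = None
    status: Status = Status.REGISTERED
    token_id: Optional[str] = None  # the one currently valid token, if any


class IDMS:
    """Holds people and their tokens; enforces ordering and role separation."""

    def __init__(self):
        self.records = {}
        # Hypothetical issuer key binding a token to a person; in a real program
        # the CA's signing key plays this role and lives outside the IDMS.
        self._token_key = secrets.token_bytes(32)

    def register(self, person_id, registrar):
        if person_id in self.records:
            raise PolicyViolation("person already registered")
        self.records[person_id] = Record(person_id=person_id, registrar=registrar)

    def vet(self, person_id, vetter):
        rec = self.records[person_id]
        if rec.status is not Status.REGISTERED:
            raise PolicyViolation("vetting needs a registered, not yet vetted record")
        if vetter == rec.registrar:  # registration and vetting by different people
            raise PolicyViolation("registrar may not vet the record they created")
        rec.vetter, rec.status = vetter, Status.VETTED

    def issue(self, person_id, issuer):
        rec = self.records[person_id]
        if rec.status is not Status.VETTED:
            raise PolicyViolation("issuance needs a vetted record")
        if issuer in (rec.registrar, rec.vetter):  # issuance is a third, separate role
            raise PolicyViolation("issuer may not be the registrar or the vetter")
        token_id = secrets.token_hex(8)
        rec.issuer, rec.token_id, rec.status = issuer, token_id, Status.ACTIVE
        return {"person_id": person_id, "token_id": token_id,
                "mac": self._bind(person_id, token_id)}

    def terminate(self, person_id):
        """Person leaves: the record stays but goes inactive and the token is revoked."""
        rec = self.records[person_id]
        rec.token_id, rec.status = None, Status.INACTIVE

    def is_revoked(self, person_id, token_id):
        rec = self.records.get(person_id)
        return rec is None or rec.status is not Status.ACTIVE or token_id != rec.token_id

    def _bind(self, person_id, token_id):
        return hmac.new(self._token_key, f"{person_id}:{token_id}".encode(),
                        hashlib.sha256).hexdigest()

    def verify_binding(self, token):
        expected = self._bind(token["person_id"], token["token_id"])
        return hmac.compare_digest(expected, token["mac"])


def access_check(idms, token, pin_ok):
    """Access Control decision: authenticate the credential, confirm the holder
    proved possession (PIN), then ask the IDMS whether it has been revoked."""
    if not idms.verify_binding(token):
        return "deny: credential not authentic"
    if not pin_ok:
        return "deny: holder not verified"
    if idms.is_revoked(token["person_id"], token["token_id"]):
        return "deny: credential revoked"
    return "grant"


def demo():
    """Walk one constructed person through the life cycle; returns the access decisions."""
    idms = IDMS()
    idms.register("P-001", registrar="reg-alice")
    idms.vet("P-001", vetter="vet-bob")               # a different agent than the registrar
    token = idms.issue("P-001", issuer="iss-carol")  # and a third one for issuance
    results = [access_check(idms, token, pin_ok=True),
               access_check(idms, token, pin_ok=False),
               access_check(idms, dict(token, mac="0" * 64), pin_ok=True)]
    idms.terminate("P-001")                          # person leaves the organization
    results.append(access_check(idms, token, pin_ok=True))
    return results
```

Running `demo()` yields one grant followed by three denials, each for a different reason: a missing PIN, a credential whose binding does not verify, and a credential that the IDMS reports as revoked after termination. The point of the ordering in `access_check` is that the revocation query only happens for a credential that is already authentic and in the hands of its holder, which keeps the IDMS from being asked about forged or stolen tokens.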
Figure 4, below, illustrates the central role of DEERS in the issuance, authentication and access processes relative
to CAC:
[Figure 4 is not reproduced here; its labels are summarized. Access Control (out of scope): the Cardholder presents the CAC to an Access Control Terminal (reader, middleware) backed by an Access Control Service. Identity Management: DoD HRM departments and DoD HR Systems capture a fingerprint, a photograph and 2 ID docs at enrolment; Security Clearance & Suitability checking; DEERS as the central repository of token IDs and certificates; Issuance Stations (2000 issuance stations) and Post Issuance kiosks, where the cardholder again presents 2 ID docs. Smart Card Production: CAC Management System, CAC Personalization System, Certification Authority (generates 3 certificates), Digital Signatory and Smart Card Manufacturer.]
Figure 4 - A conceptual overview of the Common Access Card (CAC) system concept
As already outlined, the CAC, using the PKI keys generated by the chip, allows DoD cardholders secure logical
access to DoD networks and protects DoD facilities from unauthorized physical access. The U.S. DoD CAC program
therefore relies heavily on the fundamentals of a secure and robust ID management program.
So how is security maintained throughout the CAC ID management and smart card production stages (middle and
right (blue and orange) sections in Figure 4) and how does the program benefit from smart card technology and
GlobalPlatform’s Specifications?
Stage 1) Cardholder Registration
People working for the DoD are registered to a DoD Human Resource system. At the time of enrolment,
a person’s fingerprints are captured and matched to the FBI master fingerprint database. Additionally, a
photograph is taken and a personal background investigation or security check is initiated. To validate
the ID of the person, the prospective DoD employee must provide two forms of acceptable ID documents.
At least one of these documents must be a federally issued credential and contain a photograph. The
documents are scanned into DEERS and in some instances, validated for authenticity.
Since the DoD is a large organization consisting of many components (Army, Navy, Marine Corps, Air Force
and DoD Agencies, plus the National Atmospheric and Oceanic Agency, Public Health Service and the Coast
Guard), it is imperative that each DoD Human Resource system feeds this information, taken at the time of
enrolment, back to DEERS.
Stage 2) CAC Issuance
Once enrolment and the security check are completed, the person is eligible for an ID token. If the person
requires logical and/or physical access to DoD networks and facilities, then they are eligible for a CAC. If
no logical access is required but the person is entitled to DoD privileges, then an alternate plastic ID token
is issued. The CAC issuance system is separate and distinct from the registration system. Having different
agents perform these tasks acts as a check and balance against fraudulent enrolment or issuance of a DoD
credential.
For the CAC issuance, a choice of centralized or decentralized model is available (see section 3 – Card Issuance
Processes). At the local issuance station, the person once again provides two forms of ID documents. These
documents may be the same documents presented at enrolment, in which case they can be validated against