Issue 1/2003 - WordPress.comAll product names, specifications, prices and other infor-mation are...

Issue 1/2003


Editorial

The mobile world is finally upon us. With a saturation of mobile phone users worldwide there is a renewed emphasis upon phone manufacturers, operators and service providers to enhance and upgrade their range of services and applications. In other words, we are on the edge of the changeover from voice to data oriented services that are accessible from your mobile phone.

This in itself brings a whole new set of challenges for the market in terms of security and co-operation for a suitable, safe, trusted environment for these services to work and be widely accepted. The Radicchio Association has made some progress in this arena, with their trusted transaction roaming (t2r) proposal that appears to be making headway with a number of global players within the mobile industry. You can read more about this on page 12.

Once again, proposals of a widely incorporated biometrics identification project have appeared on the scene. The difference between these projects and others that have appeared in the past is the new interest of governmental agencies. In this issue of SECURE, we are talking about the use of biometric identification technology being incorporated into passports. After all, a passport is the closest thing that anyone has to an officially recognized form of identification. If biometric identification technology is to achieve a mass acceptance status – then this could be the application that enables it on a global scale. Setec's article on page 21, explains more about this particular subject, as well as SC2’s article on the triumphs and tribulations of issuing an identification card in Israel on page 26.

As usual, this issue of SECURE is packed with all the latest news from the Silicon Trust partners, as well as the latest information on a whole range of security technologies from WLANs to smart cards.

Who knows - a few years from now, you may be reading SECURE via your phone!

Dr. Jürgen Kuttruff
Head of Security Group
Infineon Technologies

Impressum

SECURE - The Silicon Trust Report is a Silicon Trust program publication, sponsored by Infineon Technologies AG.

This issue of SECURE - The Silicon Trust Report is Copyright 2003 by Infineon Technologies AG.

Infineon Editorial Team
Veronica Preysing (Infineon Technologies)

Magazine Project Development
Krowne Communications GmbH
Munich, Germany

Creative Director/Layout
Stefan Gassner
Email – [email protected] Stefan Gassner

Advertising & Distribution
Karen Brindley
Email – [email protected]

Subscriptions of SECURE – The Silicon Trust Report can be obtained at: www.silicon-trust.com

No portion of this publication may be reproduced in part or in whole without the express permission, in writing, from the publisher. All product copyrights and trademarks are the property of their respective owners. All product names, specifications, prices and other information are correct at the time of going to press but are subject to change without notice. The publisher takes no responsibility for false or misleading information or omissions.

Any comments may be addressed to [email protected]


Content

Highlights

6 What’s new at Infineon Technologies

The Silicon Trust

8 Introducing the Silicon Trust
9 Welcome to the Trust

Industry Initiatives

10 The Smart Card Centre at Royal Holloway University of London
11 The Institution of Electrical Engineers

Application Focus – Secure Mobility

12 Trusted Transaction Roaming, by Stefan Engel-Flechsig, Radicchio Ltd.
18 Who’s Listening on your WLAN? By Dr. Peter Laackmann, Infineon Technologies AG

Application Focus – Identification

21 At the Border for Biometric Passports, by Pekka Kariola, Setec Oy
24 Smart ID for the man on the street, by Olivier Chavrier, Gemplus
26 Smart Proof of Citizenship, by SC2
28 The Card that Cares, by Michael Nitz, Giesecke & Devrient

Technology Update – Smart Cards

32 Integral Security from FLASH to ROM, by Dr. Peter Laackmann, Marcus Janke, Infineon Technologies AG
36 Single Event Effects – Security Controllers under Attack, by Dr. Peter Laackmann, Marcus Janke, Infineon Technologies AG

Within the Trust

40 BIOPASSPORT® Enterprise Server, by IdentAlink
42 Multos Products for Migration and Security, by Keycorp
43 Explaining the SyntiQ Solution, by SyntiQ
44 realtime Security in Brevard County, by realtime
46 Wave Systems’ EMBASSY® Trust Suite Portfolio Enables Secure Business Computing, by Wave

48 Running Commentary, by Mark Lockie

50 SECURE Subscription Form


How to Contact this Issue’s Authors

Industry Initiatives

Page 10: Dr. Keith Mayes, Director of the Smart Card Centre, Tel: + 44 1784 [email protected] www.isg.rhul.ac.uk

Page 11: Paul Mathews, Professional Network Manager, The IEE, Tel: + 44 1438 [email protected]

Application Focus – Secure Mobility

Page 12: Stefan Engel-Flechsig, Radicchio Ltd., Tel: +49 172 944 70 [email protected]

Page 18: Peter Laackmann, Infineon Technologies [email protected]/security

Application Focus – Identification

Page 21: Setec Oy, Tel: +358 9 89 [email protected]

Page 24: Carl Norell, Gemplus, Tel: +1 215 390 [email protected]

Page 26: Jacob Mendel, SC2 Ltd, Tel: +972 3 765 7 369 [email protected]

Page 28: Michael Nitz, Giesecke & Devrient GmbH, Tel: +49 89 4119 2640 [email protected]

Technology Updates – Smart Cards

Page 32 + 36: Peter Laackmann, Marcus Janke, Infineon Technologies [email protected]@infineon.com www.infineon.com/security

Within the Trust

Page 40: Elmar Hilgers, IdentAlink, Tel: +49 30 [email protected]

Page 42: Graeme Bradford, Keycorp Limited, Tel: +61 2 9414 [email protected]

Page 43: Jolanda Zuijdendorp, SyntiQ International BV, Tel: +31 [email protected]

Page 44: Thomas Neudenberger, realtime North America Inc., Tel: +1 813 283 0070 ext. [email protected]

Page 46: Brian Berger, Wave Systems, Tel: +1 949 716 [email protected]

Running Commentary

Page 48: Mark Lockie, Ideal Media [email protected]


Highlights

5th Security Solutions Forum sold out

At the beginning of June, the 5th Security Solutions Forum took place at the Marriott Hotel, Munich. The bi-annual Solutions Forum consists of two parts: Day 1 is dedicated to the Silicon Trust Partners, whereas Day 2 takes the form of a Security Conference and is by invitation only.

Day 1 began with a strategic overview of the Secure Mobile Solutions Group, stressing the inevitability of the need for security in a more and more mobile world. The Silicon Trust Partners present had the chance to discuss with Infineon Management, amongst other topics, the changes that are taking place in the security value chain.

For the remainder of the day, Partners were able to catch up with Infineon Technologies SMS Product Roadmaps and Strategy Updates, as well as mingle in the Mini-Exhibition that was set up in a nearby room.

Day 2 was a huge success: nearly 100 participants accepted the Silicon Trust invitation to listen to the tightly packed presentation schedule. The agenda was split into 3 sessions:

• Secure Identification
• Wireless Security
• Secure Computing

Each Session consisted of three Business Case Presentations, with Speakers from Silicon Trust Partners, Infineon and guest companies. The most enthusiastic attendee feedback was received for the Infineon presentation on the necessity of WLAN Security, where the presenters, using simple equipment and software downloaded off the internet, showed everyone in the room just how easy it is to locate and interpret data from a WLAN Access Point.

www.securitysolutionsforum.com

Infineon Helps Bring New Level of Security to Computer Networks

Infineon Provides Embedded Security Chip Solution for New HP Compaq Business Desktop PC

Infineon Technologies has announced that it now provides the standards-based Embedded Security solution for HP’s d530 series business desktop PC. The new HP ProtectTools Embedded Security chip enhances the security features of the desktop’s native operating system and third-party security applications, bringing a new level of data protection and access control to networked computers.

Infineon worked closely with HP to integrate a Trusted Platform Module (TPM) compliant with specifications published by the Trusted Computing Group (www.trustedcomputinggroup.org). Infineon also collaborated with HP to develop the system’s user-friendly Security Management Software application and the HP Personal Secured Drive, which simplifies data protection through file and folder encryption protected with hardware-based key generation and storage.

“We are very proud to extend our long-term relationship as a key supplier of components for HP Compaq systems and help the company be one of the first providers of this important new security technology,” said Ulrich Hamann, former Chief Executive Officer, Secure Mobile Solutions Business Group, Infineon Technologies. “This program also represents one of the first publicly announced examples of Infineon’s success in delivering a complete solution in collaboration with a systems customer, marking an important milestone in the company’s Agenda 5 to 1 strategy.”

“The Embedded Security option for the d530 series helps HP give businesses the tools to protect valuable data, without sacrificing the performance, reliability and excellent lifecycle ownership costs that are the hallmark of HP systems,” said Brian Schmitz, Worldwide Senior Product Marketing Manager, HP Business Desktops. “Infineon provided outstanding support to our product teams in turning this important and complex technology into a world-class, seamlessly integrated solution.”

Infineon was one of the first semiconductor companies to release a complete Trusted Platform Module compliant with the Trusted Computing Group (TCG) Main Specification 1.1b. TCG specifications define hardware/software solutions to support a hardware-based public key infrastructure (PKI) implemented in any computing device that interacts with other systems and networks. Ultimately, this will enable more secure data storage, online business practices, and online commerce transactions, while protecting privacy and individual rights.

Complete hardware/software system for computer network security

Infineon (the worldwide market share leader in security chip technologies, including non-volatile memory, microcontrollers and cryptographic controllers) provides the secure hardware and complete suite of embedded system and application software TPM systems require. This includes host software to integrate the TPM into the PC software environment and a TPM management application. The TPM, which can be controlled only by its primary user and system administrator, automatically checks system integrity, can authenticate the platform to third parties if authorized by the primary user, and provides protected storage for secrets, such as keys and passwords. With a true random number generator (RNG), hardware accelerated RSA and Hash Algorithms, and Active Shield technology, Infineon provides the highest available performance levels for TPM systems.

More information about Infineon’s TPM product is available at: www.infineon.com/tpm

Dr. Erk Thorsten Heyen

New Head of SMS Group

From September 1st, 2003, Dr. Erk Thorsten Heyen took over worldwide responsibility for Infineon's Secure Mobile Solutions (SMS) group. The physics graduate began his career in 1992 at McKinsey&Company as a member of the Telecommunication Practice. Between 1996 and 2001 he performed various management functions in different business areas at Bertelsmann AG, primarily in the sector of electronic media. His last post there was Chief Financial Officer of the E-Commerce Division. From 2001 to 2003 Heyen was CEO at Unit.Net AG.

Infineon Technologies and the German Federal Ministry of the Interior Form Security Co-operation

On the 30th June, 2003, the German Federal Ministry of the Interior (Bundesministerium des Inneren, BMI) and Infineon Technologies announced that in the future, they will be closely co-operating in the field of IT Security. BMI Minister Otto Schily and Dr. Ulrich Schumacher, President and CEO of Infineon Technologies AG, have signed a “Memorandum of Understanding” to initiate this security co-operation.

The far-ranging security co-operation between BMI and Infineon, aims to establish a sound technology basis for an enhanced security level in Information Technology (IT) systems that are used in the Civil Service, private companies and households. The contracting parties have agreed upon a close information exchange in three subjects: the security aspect in the field of smart card technology; security of future mobile applications; and the security components needed to elevate the trustworthiness of personal computers and computer networks. Furthermore, BMI and Infineon intend to drive selected projects, as a way of promoting the use of secure information technologies in Germany. An example of such a project would be the German citizen card incorporating a digital signature or “BundOnline 2005”; a government initiative to make all designated Civil Service information services available online to German citizens by the year 2005.

The discussions covering smart card security center on the technological considerations that form the basis of new electronic identification cards and an omnibus concept for a qualified signature card. This signature card planned for every German citizen, would incorporate biometric functionality and be utilized for a wide range of applications, such as Civil Service, job and health related functions.

The topic of security for personal computers and PC networks includes the security standards set out by the “Trusted Computing Group” (TCG). The TCG is an industry initiative that aims to standardize the requirements for a trustworthy PC and to secure it against virus attacks and unauthorized manipulation.

When reviewing the topic of secure mobile solutions, the BMI and Infineon expressed their aim to jointly develop both application scenarios and a trustworthy mobile platform. The results of the co-operation would enable cellular phones and other mobile devices to encrypt data and authorize payments.

“Our information society gets more and more mobile and is in need of new security mechanisms. Reliable communication and information technologies are necessary to secure our computer systems and networks against unauthorized use and manipulation.” said Minister Otto Schily. “The intensive co-operation with Infineon will enable the speedy availability of security for our citizens. It will also help to modernize Civil Services and to offer new services that are more citizen-friendly.”

“Advanced silicon-based technologies enable a broad spectrum of flexible security solutions for future ID documents, mobile communication devices, PCs and networks,” said Dr. Ulrich Schumacher, President and CEO of Infineon Technologies AG. “Security co-operation between government and the private sector – such as the one between the German Federal Ministry of the Interior and Infineon – and the subsequent use of silicon-based solutions, have the potential to make Germany the pacesetter for such security solutions in Europe.”

Dr. Ulrich Schumacher, President and CEO of Infineon Technologies AG and BMI Minister Otto Schily.


The Silicon Trust

Introducing the Silicon Trust

With the New Economy growing at an exponential rate, the need for solutions enabling secure E-Commerce, M-Commerce, and banking as well as data and content protection is becoming more critical. Silicon based security is paving the way to make tomorrow’s lifestyles secure.

What is the Silicon Trust?

The Silicon Trust Program has, over the last few years, become a well-respected and established Partnership Program within the Security Industry, and has certainly achieved its initial goal of raising awareness for Silicon-Based Security.

As one of the first such Partner Programs in the market, Infineon has demonstrated that bringing together a network of Security Partners can improve the relationship with the end customer, by offering a complete solution across the Value Chain. Building on its past success, Infineon now believes that the Partnership should be widened to include more products and solutions - to provide the Customer with more choice.

And Infineon means to do this by focusing internal resource on continuing to build up solid relationships with companies working with Infineon products, as well as fostering new relationships with companies who are attempting to bring about changes for the future of the security industry – working together to increase marketing and promotional offerings in the marketplace.

What are the benefits of being a Partner?

Working together with Infineon and other companies in the same Market, will lead to a better understanding of applications and future market trends and ensure more influence on Infineon’s direction when developing tenders or discussing future product specs.

Companies can work together to research and formulate Business Cases within an environment of trust and develop integrated solutions for a combined customer base. And promoting the Program as a whole, individual companies can benefit from the resources applied by Infineon.

What are some of the planned activities?

Silicon Trust activities will be a mix between Marketing and Promotional, and the more time and resources invested by the Partner to participate, the better the result. Below are just some of the activities currently being planned for the Silicon Trust:

Activities for the Partners

• Access to a database of Partner contacts
• Behind the Scenes tours of Fab facilities
• Business Case Research & Development
• Participation with Infineon at Exhibitions & Shows
• Web Portal: www.silicon-trust.com
• Secure Application Reviews; in-depth whitepapers about specific market segments
• Secure Magazine
• Security Solutions Forums
• Annual Security Solutions Buyer´s Guide

For more information visit: www.silicon-trust.com

Members of the Silicon Trust

• ACG
• Aladdin
• Association for Biometrics
• Aspects Software
• Austria Card
• Baltech
• beyondLSI
• Card etc.
• Cherry
• Gemplus
• G&D
• Guardeonic Solutions
• IdentAlink
• IEE
• Ikendi
• ISL
• Keycorp
• MMCA
• Novacard
• Omnikey
• Precise Biometrics
• PSE
• realtime
• SC2
• SCM
• Secartis
• Setec
• Siemens ICM
• Smart Card Centre
• SyntiQ
• Teletrust
• Tresor
• United Access
• Utimaco Safeware
• Wave Systems


Welcome to the Trust

We would like to welcome the following members to the Silicon Trust. For further information on these companies, please check out their websites.

Aspects Software
Aspects Software is a leading independent provider of operating systems, test and development tools for smart cards. www.aspectssoftware.com

Austria Card
As a subsidiary of the Central Bank of Austria (OeNB), Austria Card is the competence center for the development and production of smart cards in Austria. www.austriacard.at

card.etc
card.etc AG is a full service provider for integrated smart card solutions and issues multifunctional smart cards for public transport. www.cardetc.de

Cherry
Cherry's products include security keyboards with integrated card readers, keyboards with integrated fingerprint sensors, and smart card readers for many different security applications. www.cherry.de

Gemplus
Gemplus helps its clients offer portable, personalized solutions in areas including mobile data services, banking, identity, WLAN, m-commerce and many others. www.gemplus.com

IdentAlink
IdentAlink’s security software cuts network administration costs by replacing passwords with biometrics and technologies like smart card, PINs, or passwords. www.identalink.com

IEE
The IEE is the largest Europe-based body for professional engineers, with members ranging from students to leading figures in industry, R&D, consultancy, and education. www.iee.org.uk

Keycorp
Keycorp is a global provider of secure electronic transaction solutions, from cards and terminals to network carriage and payment engines. www.keycorp.net

realtime
realtime offers bioLock, the first SAP-certified fingerprint access and function control for SAP. www.realtimenorthamerica.com

Setec
Setec develops and manufactures high-security smart cards and visual ID products for reliable identification of people over networks and in face-to-face environments. www.setec.com

Smart Card Centre
The ISG Smart Card Centre researches, develops and provides training on smart cards and related technologies. www.scc.rhul.ac.uk

SyntiQ
SyntiQ creates solutions to reduce cost-of-ownership and accelerate time-to-market of new functionality for remotely controlled devices for payment terminals and ATMs. www.syntiq.com

Tresor
Tresor focuses on mobile security and has developed a mobile phone that utilizes military-level encryption for voice and data transactions. www.tresor.co.uk

United Access
United Access is a security provider who makes solutions work as support partner for the Infineon smart card OS SICRYPT. www.united-access.com

Utimaco
Utimaco Safeware AG provides professional software solutions for device and transaction security, e-mail security, digital signatures and PKIs. www.utimaco.com

Wave Systems
Wave Systems Corp. is an industry leader in developing trusted computing platforms and services to enable secure platform services, infrastructure and e-commerce services. www.wave.com


Industry Initiatives – SCC

The Smart Card Centre at Royal Holloway University of London

By Dr. Keith Mayes, Dr. Kostas Markantonakis, Smart Card Centre

The Smart Card Centre at the Royal Holloway University of London was created to provide a worldwide centre of excellence for training and research in the field of smart cards, tokens, applications and related technologies and is situated within the prestigious Founders building.

The Centre, which is part of the world renowned Information Security Group (ISG) was founded in October 2002 by the Royal Holloway University of London, with support and funding from Vodafone and Giesecke & Devrient.

The Information Security Group (ISG) has a well-established MSc program that is training new experts for the information security industry. Each year around 200 students complete their MSc in either Information security or Secure E-Commerce.

With the MSc program generating growing interest in both the practical aspects and implementation of security solutions, the Smart Card Centre was an ideal complement to the existing work of the ISG.

In the first few months of the Centre’s existence, more than 15 MSc students signed up to smart card related projects and a PhD program has recently started. Work is also at an advanced stage to introduce a smart card course-module as part of the MSc syllabus, so that students may qualify with a specialty in cards/tokens. There are also discussions to establish intensive courses for SMEs (Small/Medium Enterprises), which would have a stronger business and practical focus to help identify and grasp new opportunities in the smart card area.

It is a goal of the Centre to expand its research activities by encouraging further industry participation. There is a funding aspect to this, but equally, a wish to benefit from the expertise of the partners and ensure that results from the Centre are seen as balanced, cross-company views. The Smart Card Centre’s industrial partners will not only benefit from public recognition of their contributions to research, early access to new developments and the chance to find new expert employees, but also from a range of networking and marketing opportunities.

Work is on-going to allow additional companies to become formal members of the Centre, but in the meantime there is great support from the Founders as well as a number of other valued supporters. For example:

• Giesecke & Devrient has supplied a range of advanced SIM card development tools, supporting SIM Toolkit, Java and browser approaches
• Infineon is supporting an MSc project by making available some low-level development tools
• Mondex (Mastercard) has donated a range of computer equipment, tools and cards for general project work
• Gemplus is installing some sophisticated equipment for side channel attacks
• ORGA has delivered SIM Toolkit development tools
• Barnes International has provided an EMV profile test tool

Supporters have also been providing lectures to support our expert seminar program. The list already includes Vodafone, G&D, Gemplus, Swisscom/SICAP and Mondex.

Not surprisingly, the Centre is attracting a growing number of visitors and a common question is - “What is new in the world of cards, tokens, biometrics etc?” In response, it is planned that the Founders lab will gradually become a “show-case” area for professional demonstrations – with student work moving into a larger space. This has increased the current interest in acquiring a range of demonstration and evaluation kits, including contactless card, biometric plus card, application management and access control systems. This represents a low cost/effort opportunity for industrial supporters to have their products seen by a wide range of visitors.

The Smart Card Centre is privileged to be associated with the Silicon Trust and there is close synergy with partners that are implementing practical but Hi-Tech security products.

The next 12 months will be an exciting time for the Smart Card Centre and also an opportunity to further strengthen links and co-operation with the Silicon Trust.

For more information visit: www.isg.rhul.ac.uk


Industry Initiatives – IEE

The IEE

The IEE (Institution of Electrical Engineers) is the largest Europe-based body for professional engineers – almost 130,000 of them. They range from students at the start of their careers to leading figures in industry, research and development, consultancy and education, all of whom are working in power engineering, communications, electronics, computing, software, control, informatics and manufacturing. Around 30,000 of these engineers are based outside of the UK.

The IEE, as a professional body, accredits degree courses and post-graduate industrial training schemes, as well as organizing a range of best-practice events - from lectures to major conferences. The body also publishes technical magazines, including on-line titles, as well as specialist books. In addition to these events and its publishing activities, the IEE also operates the world’s leading electronics and physics database - INSPEC (as well as other information services).

What’s more, the IEE also promotes Professional Development including the running of a providers database and has close links with industry through its notable Business Partners scheme.

The IEE’s 36 Professional Networks are world-wide groups of people with common technical or professional needs and interests. Each network provides a home, or focal point, for a community of engineers, and enables them to network, share knowledge and keep up to date with developments in their particular industry or profession. These professional networks are supported by an interactive community-relevant website.

Embracing Change

The IEE has a distinguished history of embracing change – it was started in 1871 by a group of telegraph engineers (sometimes referred to as the Victorian Internet) – and went on to include electrical engineering, electronics and manufacturing. This ability to reflect the changing face of technology is clearly demonstrated by the range of Professional Networks:

• Aerospace
• Antennas and Propagation
• Automotive and Road Transport Systems
• Buildings Electrical Technology
• Communication Networks and Services
• Concepts for Automation and Control
• Consultants
• Control and Automation Systems Technologies
• e-Infrastructure: Networked Software and Systems
• Electromagnetics
• Electromagnetic Compatibility (EMC)
• Embedded and Real-Time Systems
• Engineering for a Sustainable Future
• Functional Safety
• Healthcare Technologies
• History of Technology
• Human Factors Engineering
• Management
• Manufacturing Enterprise
• Materials and Devices
• Measurement, Sensors, Instrumentation and NDT
• Mechatronics and Robotics
• Microsystems and Nanotechnology
• Multimedia
• Communications
• Photonics
• Power Conversion and Applications
• Power System Equipment
• Power Trading and Control
• Radar, Sonar and Navigation
• Railway
• RF and Microwave Engineering
• Satellite Systems & Applications
• Signal Processing
• System on Chip
• Systems Engineering
• Visual Information Engineering

As a technical authority, the IEE is responsible for the Wiring Regulations (the British Standard to which the industry works), as well as playing a major part in many other areas of national and international standards through such bodies as CENELEC and IEC. It acts as the voice of the profession and sets standards of conduct for that profession.

A major role that the IEE undertakes is in promoting public awareness of how important engineering is in today’s society. A vital contribution is its educational activities service aimed at supporting teachers of science and technology. It has created a portfolio of support including the Faraday Lecture which attracts an audience of some three million people.

The IEE has a network of local Branches including special Younger Members’ sections operating throughout the UK, as well as members from China and Hong Kong, Australasia, Southern Africa, Europe and North America. The body also has outstanding conference centers in London, Birmingham and Glasgow.

The work of the IEE at a glance:

• Represents the profession of electrical, electronic, manufacturing and systems engineering and related sciences.
• Acts as the voice of the profession in matters of public concern and assists Government to make the public aware of technological issues.
• Sets standards of qualifications for professional electrical, electronics, software, systems and manufacturing engineers.
• Accredits degree courses in subjects relevant to electrical, electronic, manufacturing and information engineering at universities and colleges around the world.
• Accredits professional development schemes for engineering graduates.
• Awards scholarships, grants and prizes.

For more information visit: www.iee.org.uk

Soon, there will be one billion cellular phone users worldwide. Half of these will be using their mobile terminals to access the wireless Internet daily. Mobile communications devices, in whatever form, offer ideal characteristics for undertaking electronic transactions, regardless of location. Since personal communications devices contain the capability for transactions based on tamper-resistant hardware, they will enable a huge (and growing) percentage of the world’s population to participate in secure e-commerce. The combination of e-commerce services with the inherent advantages of the mobile device will benefit businesses and consumers alike. Major market players are already in the process of establishing trusted infrastructures that will make secure, high-value transactions from mobile devices across wireless networks a part of everyday life.

Trusted Transaction Roaming

By Stefan Engel-Flechsig, Radicchio Ltd.

Application Focus: Secure Mobility

Challenges faced by Mobile Network Operators

Mobile Network Operators (MNOs) used to offer their subscribers just one type of service: voice. Slowly, data services made their way into the portfolio, as can be seen in the case of the Short Message Service (SMS), which became a pioneer in its field and a huge success worldwide. Nevertheless, the emerging data features also had a downside: enabling subscribers to access the Internet suddenly meant that other businesses could easily reach the MNO’s subscribers through their websites. As was the case with ISPs, MNOs feared being relegated to the role of “pipes” between their subscribers and new service providers. These concerns caused them to take protective action. Many MNOs blocked their subscribers from accessing sites that did not offer the MNO direct business value in terms of revenues. However, several countries’ Telecom Regulator Authorities took action and urged operators not to implement such protective measures, in order to let end users benefit from a wider variety of services and a healthier price structure.

The actions of the regulators put Mobile Network Operators back in the awkward situation of not knowing exactly how to leverage their subscriber relationships. Merely offering voice and limited data services (SMS) was no longer a distinguishing factor, since these had become commodity services and were subject to fierce price competition. New competencies and skills were required to offer attractive content and applications to consumers. The MNOs could be considered as still in their learning phase and trying to find new business models based on unmet needs in a changing wireless eco-system.

At the same time, new alternative technologies have emerged on the market to enable wireless connectivity and Internet access: Wireless Local Area Networks (WLANs) connect various handheld devices to a local base station, which in turn is connected to the Internet through a regular landline. The most popular method is the “802.11b” standard, which has already been widely adopted in the United States. Using a compatible handheld device and the 802.11b local area network, the user can, for instance, surf the Net at rapid speeds (up to 11Mb/s) and access a variety of services without any need for a Mobile Network Operator’s conventional network (GSM/TDMA or CDMA).

In parallel with these developments, Mobile Network Operators have invested heavily in the next generation of wireless networks (3G), which provide higher bandwidth (up to 2Mb/s) and will supposedly enable more compelling content and applications. These wireless networks are designed to be able to deliver mobile multimedia, music and video downloads to handheld devices. However, some analysts question the value of this higher bandwidth on the move, especially when Local Area Networks (LANs), such as 802.11b, offer much higher data throughput speeds.

MNOs have found themselves in a position where they have to justify why it is worth accessing the Internet through their networks and not by other means (such as 802.11b LANs). The smart cards that already exist in their infrastructure can help them do this. Figure 1 illustrates the different options that consumers have for accessing data content.

Security in today’s 802.11b networks could also be considered poor. The standard does not include a real security mechanism, which makes it relatively easy for a third party to eavesdrop on the traffic in the networks. Therefore, it can be argued, using an 802.11b network for accessing the Internet and conducting e-commerce is a scenario that may not currently offer sufficient security or trust.

Figure 1: Options for accessing data services

In contrast to 802.11b, a stable security mechanism was built into the GSM standard from day one, in order to enable secure network access. This was achieved by relying on SIMs (Subscriber Identity Modules), which are a type of smart card.

Challenges faced by Service Providers

Service providers, both wired and wireless, are looking for better relationships with their customers. When a bank sets up its Internet site using the HTML protocol, it has to go through its Internet Access Provider at some point. However, after that, the bank pretty much has a free hand when it comes to selecting the technology that it wants to use to enable secure transactions. It could, for example, choose to implement a maximum-security system for its customers by using smart cards integrated in its online service through PCs. Nevertheless, this would be a proprietary solution for a limited market and would require new hardware and software for it to take off.

When a Service Provider chooses to make its online services available wirelessly, it faces many questions:

• Which device will be most convenient for the end user?

• What security level do we want to offer our customers?

• Which network and coding protocol do we intend to implement? (GSM/CDMA/802.11b? or HTML/WAP/I-Mode?)

In terms of security, GSM definitely has the advantage, since its architecture offers secure, “tamper-proof” storage. This feature is due to the removable SIM smart card embedded in the GSM device that enables the subscriber to access the network securely. The same smart card could also be used for a variety of other purposes, such as secure mobile banking, identification, and privacy management. Nevertheless, in today’s world, the SIM is the property of the MNO. This means that nothing can be done with it without first consulting the MNO.

In order to utilize the smart cards’ capabilities in the GSM devices, many banks have teamed up with Mobile Network Operators to offer secure wireless financial services based on the SIM. Other banks have relied on a lower level of security and have simply set up their own WAP or I-mode site for financial transactions without using the SIM or the experience and help of the Mobile Network Operators.

Those who have relied on the SIM and its capabilities have a very secure solution in place, but have also experienced issues relating to the MNO’s ownership of the SIM. Having cryptographic keys that enable secure access and identification for a bank’s Internet site stored in the MNO’s SIM is a sensitive issue.

To counter the ownership issues, some banks and MNOs have made trials using two SIMs (multi-slot) in the handheld device, one belonging to the MNO and one belonging to the Service Provider. This has meant modifications both for the hardware and software in the handheld device and is clearly not the best option for a future in which a large amount of different services will have to be offered quickly and securely to the end users.

The issues that have been discussed here become even more evident when designing services that extend over national borders. However, voice services are already offered across national borders, and the same could (and should) happen for data services as well.

Challenges facing the industry as a whole

Rampant credit card fraud continues to weaken consumer confidence in online commerce and drive up the price of transactions. To combat this, many companies are now seeking to enhance security and add trust.

This raises several important issues:

• The need for consumer and retail industry awareness and adoption of the solutions available to address mobile security issues.

• Little or no standardization governing the security practices for establishing, registering, and validating the identity of transacting parties, especially when these parties are mobile and roam internationally.

• A plethora of “island solutions” in security emerging in the wired and wireless world, which is resulting in fragmentation and confusion among consumers, operators, service providers, and content providers.

• Lack of a uniform framework or common foundation for mobile business applications raises the cost of implementation.

• Legal issues surrounding liability (risk management), privacy rights, and the recognition of digital signatures in many countries are too complex for any one company or market sector to solve, especially when the market is global.

• Market development has been hindered by “gridlock” as mobile operators and banks jockey for position in the new economy.

Many of the challenges presented by roaming with voice services have already been met. Nevertheless, roaming with data services and transactions brings up another set of challenges, as mobile subscribers roam with wireless data services between different networks, countries, and services providers.

For mobile e-commerce services to reach their true potential, it must be possible to exploit the main advantage of wireless devices – that of mobility. In many markets, these services will soon be in place. But the question that needs to be asked is: Will subscribers be able to roam with their data services as they already can with voice services?

Trusted Transaction Roaming (t2r)

There is clearly a need for a trusted network platform that would overcome the inherent weaknesses of the Internet itself when accessing it over a wireless device. The Transaction Roaming Platform (suggested by Radicchio in early 2002) would form the base for a global neutral network that builds consumer confidence, offers positive user experience, and ensures a wide array of attractive services across national boundaries.

Such a wireless trusted network would be responsible for establishing business architectures, clarifying liability issues, specifying technical standards, facing regulatory challenges, and building bridges to other trust networks. Many companies have been working with Public Key Infrastructures (PKIs) to generate trust by providing non-repudiable authentication. Since the required technologies already exist, Radicchio’s t2r efforts have been directed towards defining the business environment for the use of a reliable, interoperable trust framework on a global scale.

Objectives

The t2r Platform must meet the following objectives:

• Global interoperability – The need for interoperability between secure networks that extends across national boundaries to other secure networks. For example, a subscriber who is roaming in a foreign MNO’s network has to be able to access familiar services as securely as in their home network.

• Secure network access – This is a prerequisite for any service in any network. However, many networks (for example: 802.11b) are not considered secure enough today. In these networks, a third party could eavesdrop on the communication or data flow. Networks that rely on smart cards for network access (as is the case with GSM) are considered more secure, because the SIMs offer advanced cryptographic capabilities and tamper resistance.

• Secure content access – Once a consumer has been able to securely access their preferred network, different Service Providers want to make sure that only their appropriate customers can securely access the content/service on offer.

• Reliable identification – Just as in the real world, some businesses want to identify you before they serve you. Reliable identification systems are especially important when conducting mobile commerce or dealing with financial or private information.

• Privacy management – Relationships between consumers and businesses are sensitive and frequently involve the exchange of private information. Consequently, both parties have responsibilities with regard to handling this information. Here, we need a technology to secure the information exchange and to protect and enable management of the private information, wherever it is stored.

• Convenience & benefits – End-users will be offered a vast amount of services on a global basis. In some cases, data may have to be added, deleted, edited, or updated. This could cause inconvenience. For instance, when a subscriber changes his/her handset to a newer one, all the settings, names, addresses and bookmarks could become lost. The trusted network platform has to take this into account and be constructed in a way that eases the end user experience.

Figure 2: The current m-commerce environment

• Service providers will be able to conveniently reach a global subscriber base of 600 million GSM users in a trusted environment without having to negotiate separately with each MNO. MNOs will earn revenues in proportion to how their network resources and subscribers have been used. Importantly, the proposed model tackles the business cases for both the MNOs and Service Providers through a revenue sharing model.

• Legal enforcement – The relationship between the business and the consumer should take place in a fair way. However, clear dispute resolution authority is required in disputes of any kind. This authority could differ depending on the nature of the service (for example, financial service versus health services). Furthermore, the trusted entity that will operate the proposed platform must obey strict laws and guidelines.

Today, each service provider has to go through each Mobile Network Operator (MNO) to reach the wireless subscribers. The SIM card can be used to enhance the security of these service offerings, but each solution is proprietary and involves a complex implementation process between the MNO and Service Provider (see Figure 2 on page 15).

The t2r innovation

The key innovation lies in a new architecture that adds a neutral entity to operate a global platform that will use the property of all the MNOs in an equal way. It will use their network infrastructure and their SIM – USIM cards globally, to create one secure network that can be linked to other secure networks. The architecture will unleash the capabilities of SIM – USIM cards for everyone’s benefit and serve as a common platform enabling content and service providers to reach mobile subscribers in a trusted environment (see Figure 3).

Figure 3: The t2r innovation – a trusted global network platform

The first steps have been taken towards t2r

Following a feasibility study on the main concept of trusted transaction roaming, which was done by Secartis AG and Ernst&Young, the t2r project was presented to the leading mobile operators at the Carrier Summit held in March 2002 in Bandol, France. Operators present included Hutchison 3G, mmO2, MTN, Orange, Sonera, T-Mobile, and Vodafone. The aim of this summit was to reach a consensus on the best way to develop a global framework for trusted mobile and wireless transactions. The feedback was encouraging, and Radicchio believes that this summit has signaled the start of global roaming for secure wireless transactions.

To ensure that the framework becomes truly global, Radicchio invited the GSM Association and the Liberty Alliance to present at the Operator Summit. Follow-on efforts and cooperation were established with other leading industry bodies, such as the European Telecommunication Standardization Institute (ETSI) and the ICT Standards Board.

Radicchio helped to set up and now participates in a European Community (EC) part-funded research project that is further developing the t2r concept. This project started on 1st September 2002 and was due to be completed by 31st August 2003. The project comprised: Gemplus (project manager), Orange, Radicchio, SmartTrust, Ubizen, Vodafone. The project has reviewed and leveraged other work, such as ETSI STF on mobile signatures, and developed the business framework and ecosystem for mobile authentication and consent. t2r will allow different technologies and provide flexibility in identity service provision; further work will address risk and liability within the t2r architecture and the different roles.

The t2r platform could solve existing business issues in the wireless data services market. It changes the way that Mobile Network Operators and Service Providers interact with each other as they offer data services to wireless subscribers. The business case is founded on a revenue sharing model that could be of mutual benefit to both Service Providers and Mobile Network Operators.

In today’s business environment, the MNO has to negotiate separately with each Service Provider to bring a new secure wireless service offering into place. This includes business model issues, technical solutions, and policies (such as whether or not adult content is allowed). In the proposed trusted network platform, the entity could take over this costly negotiation operation and offer a stable revenue sharing model to both parties. The MNO would receive revenues in proportion to how its network resources have been used to distribute the services to the subscribers. This should result in a gradual increase of the ARPUs (Average Revenue Per User) for Mobile Network Operators.

It is currently somewhat difficult for Service Providers to offer services to wireless customers by relying on the security provided by smart cards in the mobile networks (GSM). The Service Provider has to enter into specific agreements with the MNO for each network that should carry its service. This is an extremely complicated and slow process, and frequently requires proprietary security solutions. If a Service Provider wants to reach wireless subscribers on a global basis, the process becomes even more complex and costly. Radicchio’s t2r proposal would enable any Service Provider to benefit from the underlying security infrastructure and access wireless subscribers on a global basis. This would simplify the complex process of providing secure, high-quality services to wireless customers, which is an important prerequisite for a better customer relationship. This revenue sharing model could offer the Service Providers the opportunity to reach the global mass of wireless subscribers and also reduce the set-up and implementation cost of its offering.

Various parties stand to save time and money by using independent entities to operate the proposed platform in a trusted global network. Furthermore, unleashing the security and privacy potential of smart cards will benefit all parties involved. Smart cards are widely recognized secure tokens and are already implemented within the European telecommunication and financial industries.

Since the operator of such an extensive platform will deal with so many different parties’ confidential information, it must be a neutral entity that is truly trusted and recognized by all the players in the data services market – such as financial institutions, MNOs, and companies that provide services, content, or technology. This neutral entity could operate the Global Identity Management on behalf of all GSM Mobile Network Operators.

Conclusions

Establishing a large trusted marketplace for mobile e-commerce is too complex, too expensive, and too risky for a single company to accomplish on its own. The roaming framework for trusted mobile services must be:

• Open: by building a common, neutral platform for global transaction roaming and 3rd party applications.

• Trusted: to build consumer confidence.

• Managed: to allow content and service providers to reach a large base of mobile subscribers with compelling content without losing control of the networks.

Clearly, such a challenge requires a great deal of coordination between the major players involved, especially the Mobile Network Operators (they have the subscribers and networks) and Service Providers, such as banks (they have the expertise for handling financial transactions). If the industry agrees to build an infrastructure based on the Radicchio t2r proposal, they could begin the task of instilling confidence in the system. Mobile commerce will only become a normal part of everyday life if people know that they can rely on their business partners and are protected against fraud.

Radicchio

Launched in 1999, Radicchio seeks to unleash the tremendous potential of the market for wireless data services, such as mobile e-commerce and mobile e-government. Guided by a cross industry board of directors including EDS, Ericsson, Gemplus, Giesecke & Devrient, MTN, SmartTrust and Vodafone, Radicchio is the authority and industry voice for trusted networks in the mobile world.

Radicchio’s focus is “Trusted Transaction Roaming - t2r”. t2r defines an identity framework, which enables mobile operators, financial institutions, governments and other service providers to strongly identify the end-user via the user's mobile device, and thereby lower the risk and cost of e-commerce services. It comprises transactions in a broad/general sense, for example, strong end-user identity could reduce the risk of charge back for merchants and could enable authenticated access to services such as corporate and government portals. The identification framework works across both national and network borders, even while outside the home operator’s network.

For more information visit: www.radicchio.org

Who’s Listening on your WLAN?

By Dr. Peter Laackmann, Infineon Technologies AG

Today, wireless LAN solutions offer a broad spectrum of products for easy network installation and operation, making intra-building communication free and simple. But up until now, this freedom has taken its toll. The open WLAN systems that are ubiquitous now open the door for attackers who are carrying out their espionage and manipulations with very simple equipment. The most spectacular example is the so-called “WarDriving”, which involves the attackers moving through a city in order to grab and map all open WLAN systems.

Equipment

Most WLAN standards are derivatives of the IEEE 802.11, operating at 5 Gigahertz (IEEE 802.11a) or 2.4 Gigahertz (IEEE 802.11b). As the 5 Gigahertz band has formerly been used in Europe for other services, the IEEE 802.11b is much more established in European countries. In setting up a WLAN network, two main components are required.

First, an Access Point has to be installed. The Access Point acts like a hub in a commonly used wired network; normally it is equipped with a non-directional antenna so that clients from all directions may log in. On the client side, a WLAN interface is required. These interfaces are available in the form of PCMCIA cards, e.g. for temporary integration in notebooks, but also as PCI cards for permanent assembly in desktop computers. Some newer devices contain a USB or TCP/IP port, making them comparable to external modems.

Every WLAN interface has its own address just like a conventional LAN card, so that clients only get the data that is intended for them. In the hands of an attacker, some cards can be set to the so-called “promiscuous” mode, where every data packet, even with other destinations, can be read by the interface. Most WLAN interfaces contain their own internal antenna, but additionally an external antenna can be connected, allowing a higher data transmission range. These antennas are also recommended if there is a high amount of absorbing material such as metal or bricks between sender and receiver. Attackers use external antennas too, mostly to increase the range of radio interception, but sometimes also for locating a specific WLAN access point, if several points are detected simultaneously.

One particular example, which drew some media attention, was the use of the “Pringles” potato chip can as a directional antenna. The inside surface of this pipe-shaped can is covered with a metallic lining, which acts like a wave guide for the WLAN radio signals. Parabolic antennas have even been successfully tested for interception of WLAN signals over a range of 40 kilometers, so the argument that WLAN systems should normally only bridge 100 meters does not apply for attacks (see Figure 1).

WarDriving

It is said the term “WarDriving” is derived from the term “WarDialing”, which means that a large number of telephone lines are automatically scanned (dialed) and tested for service modem connections. “WarDriving” stands for a very fast and efficient way of scanning a territory, like a city or a large building, for open and unsecured WLAN access points. WarDriving equipment usually consists of a portable notebook PC, a PCMCIA WLAN interface card, and a GPS (global positioning system) receiver. On the notebook PC, a scan program such as “NetStumbler” is run, which automatically searches for WLAN access points in the surrounding area.

If an access point is found, the software automatically retrieves the navigation coordinates from the GPS receiver, and logs all data including type of network, position and signal strength in a log file (see Figure 2).

Later on, the attacker can evaluate the captured data using mapping software like “StumbVerter”. These tools convert the log files from a WarDriving event into a street map. On this map, the access points are graphically marked, including information about the signal strength and characteristics of the observed networks (see Figure 3 on page 20).

Even a new form of urban art has been observed, the so-called “WarChalking”. The WarChalking signs on building walls contain information about the networks used therein.

WarChalking is reportedly used to inform other WarDrivers about already characterized networks. Figure 4 (on page 20) explains the different symbols used.

Countermeasures

The standard IEEE 802.11b already includes basic security functionality. An active authentication (Shared Key Authentication) and data encryption (Wireless Equivalence Privacy - WEP) were designed to protect the connection from manipulation and espionage. If WEP is to be used, both access points and clients have to be provided with the encryption keys, a procedure which may turn out to be a “key management nightmare”.

Using WEP, the message to be sent over the WLAN first has an integrity check vector (ICV) appended to it. The receiver uses this value to check whether the message has been illegally altered during the transmission.

Both message and ICV are then encrypted using the algorithm RC4. Every cryptographic operation, RC4 included, needs a key, which in this case is derived from a 40-bit long seed and an initialization vector (IV). Both values are fed as a starting value into a pseudo random number generator. This generator supplies the WLAN interface with as many key bits as there are message bits. The encrypted message is then sent over the air to the receiver, where it is decrypted using the same, mirrored process.

The authentication of a transmitter against the receiver is carried out utilizing a challenge and response protocol. The access point can send an encrypted random value to the client, which is subsequently tested using the same key in the receiver, and vice versa. If the value is identified to be the right one, both stations have the same, secret key.

Figure 1: WLAN espionage over a 40 kilometers distance using a parabolic antenna

Figure 2: “NetStumbler” logging position, name and signal strength of Access Points

Still Insecure?

Despite using encryption and authentication, a WLAN network may still be insecure. The generation of the initial vectors, which are crucial for efficient encryption, is not specified in IEEE 802.11.

If the encryption is to be protected against attacks, the transmitter must make sure that a different initial vector is used for every message. As some systems just contain a limited, ascending counter for this purpose, an attacker can wait for two messages being encrypted with the same vector. In a typical network with a lot of traffic, all vectors of a typical 24-bit counter are used up after only five hours, which is then identical to the timescale for a successful attack.
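The WEP encapsulation and the repeated-vector problem described above, as an added example that is not part of the original article: a simplified Python model in which the 3-byte IV is prepended to the frame, the key-ID byte and 802.11 headers are omitted, and the ICV is the CRC-32 that WEP uses. The 40-bit key, the messages and the helper names are constructed for illustration; `repeated_ivs` is the check a monitoring tool could run over captured frames.

```python
"""Simplified WEP model: ICV + RC4(IV || key), and why a repeated IV is fatal."""
import struct
import zlib
from collections import Counter

IV_LEN = 3  # WEP initialization vector: 24 bits


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key`."""
    state = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(state[(state[i] + state[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(message: bytes) -> bytes:
    """Integrity check value: CRC-32 of the message, little-endian."""
    return struct.pack("<I", zlib.crc32(message) & 0xFFFFFFFF)


def wep_encrypt(secret: bytes, iv: bytes, message: bytes) -> bytes:
    """Return IV || ((message || ICV) XOR RC4(IV || secret))."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 24 bits")
    plaintext = message + icv(message)
    keystream = rc4_keystream(iv + secret, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """Mirror of wep_encrypt; raises ValueError if the ICV does not match."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    plaintext = xor_bytes(body, rc4_keystream(iv + secret, len(body)))
    message, received_icv = plaintext[:-4], plaintext[-4:]
    if icv(message) != received_icv:
        raise ValueError("ICV mismatch: frame altered or wrong key")
    return message


def repeated_ivs(frames) -> list:
    """Defender's check: IVs that occur in more than one captured frame."""
    counts = Counter(frame[:IV_LEN] for frame in frames)
    return sorted(iv for iv, seen in counts.items() if seen > 1)


def hours_until_iv_wrap(frames_per_second: float) -> float:
    """Time for an ascending counter to use up every 24-bit IV."""
    return (2 ** (8 * IV_LEN)) / frames_per_second / 3600.0


# Constructed sample data (not taken from any real network).
SECRET = bytes.fromhex("0102030405")  # 40-bit key
MSG_A = b"transfer 100 EUR"
MSG_B = b"balance request "


def leaked_by_iv_reuse() -> bytes:
    """XOR of two ciphertexts sent under the same IV: the keystream cancels."""
    iv = b"\x00\x00\x01"
    frame_a = wep_encrypt(SECRET, iv, MSG_A)
    frame_b = wep_encrypt(SECRET, iv, MSG_B)
    return xor_bytes(frame_a[IV_LEN:], frame_b[IV_LEN:])


if __name__ == "__main__":
    same = leaked_by_iv_reuse()[:len(MSG_A)] == xor_bytes(MSG_A, MSG_B)
    print("ciphertext XOR equals plaintext XOR under a shared IV:", same)
    print("hours to exhaust the IV space at 932 frames/s:",
          round(hours_until_iv_wrap(932), 2))
```

At roughly 932 frames per second the 24-bit counter wraps in about five hours, which matches the timescale quoted above.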

Some systems allow the use of conventional passwords instead of typing in the 40 bits in binary form. The password is then transformed into the 40-bit encryption key, which would be a nice solution if some systems did not cut the effective key length down to only 21 bits during this conversion. But even if all 40 bits are used, there is still the possibility of an attack via the so-called “brute force” method. The search for a 40-bit RC4 key only takes some weeks on modern desktop computers.

As a countermeasure, WEP has been augmented to 128-bit key length. In this scenario, 104 bits are used as the encryption key, and 24 bits are utilized for the initial vector. With this key length, a brute force attack should be nearly impossible for the next few years. But not all deficiencies have been corrected.

New Problems

In 2001, Shamir, Mantin and Fluhrer published a paper describing attacks on WLAN encryption using a completely different methodology. It is well known that for the encryption method RC4, there are many so-called “weak keys”: specific combinations of bits that allow attackers to extract secret information. If such a “weak key” is used, an attacker gets hold of parts of the clear text, non-encrypted message. The first attack software based on this effect is “WEPCrack”, which searches a network transmission for weak keys.

“AirSnort”, a professional piece of software, does the complete attack automatically, including the sniffing of 100 megabytes to one gigabyte of data, searching for weak keys, and finally extracting the clear text messages. On a frequently used WLAN system, “AirSnort” just has to be used for three to four hours.

The Future

The new standard IEEE 802.11i will be equipped with a new protocol, increasing the security of WLAN systems by far. A temporary key is generated for a limited number of data transmission packets, so that an attacker cannot search a vast amount of data for weak keys, and also cannot use a compromised key for the eavesdropping of the complete network traffic.

The aged RC4 encryption method can be replaced by the new standard AES (Advanced Encryption Standard), which has recently been introduced as a new, worldwide, symmetrical encryption algorithm with a very high security level.


Literature References

[1] Matthew Joyce, RAL CCLRC, Wireless LANs and Bluetooth Technology and Security, 2002.

[2] Peter Shipley, dis.org, Open WLANs - The Early Results of WarDriving, 2001.

[3] Andrew Etter, A Guide to WarDriving and Detecting Wardrivers, SANS Info Sec, 03.09.2002.

Figure 3: Screenshot “StumbVerter” Mapping Program

Figure 4: WarChalking Symbols


Application Focus: Identification

At the Border for Biometric Passports
By Pekka Kariola, Setec Oy

Governments and passport manufacturers are facing unique challenges in trying to meet new requirements for preventing illegal immigration, international crime and terrorism, as well as supporting efficient border crossing of authorized passengers, especially frequent flyers. After September 11th 2001 there has also been pressure to develop security systems for border crossing authorities and the airline industry.

The means for security improvements have been looked for in many different systems, like online register controls and advance passenger information (API) systems at borders, and in technologies such as biometrics supporting new security requirements, which partly are also set by legislation and international agreements.

One of the key facilitators for security improvement will be travel documents in the form of passports, travel cards or visas. Biometrics has been widely recognized in this area as a technology for solving the problem of unreliable identification of persons accessing an authorized area (i.e. entering a country).

A standard solution for international interoperability

Technology enhancements in travel documents will only be seen as partial solutions if they are not adapted on a global scale. Together with the need to support traditional approaches, standardization for new technologies is necessary, otherwise there may well be delays in their deployment.

The leading authority for international interoperability of travel documents is ICAO, which in the late 80’s developed the standard for Machine Readable Travel Documents (MRTD), deploying OCR-B character recognition technology. Governments have adopted this technology slowly but widely, so that today the majority of countries are issuing MRTDs and deploying OCR-B in border control systems.

Even before the terrorist attacks, ICAO recognized that to ensure efficient and secure border crossing, there should be an added means to MRTDs for machine assisted person identification (i.e. biometrics for machine assisted document authentication).

This has necessitated the specification of co-existing technologies to MRTDs, in order to allow for additional storage capacity as well as more efficient access to data. As the standard storage technologies have been ID1-type card oriented, the only feasible technologies for passport booklets and visas (sticker) are limited to 2D-barcode and the contactless chip.

Another big problem that ICAO has been facing is the immaturity of biometric technologies and markets. The market is currently fragmented and there are many different technologies competing for the dominant position. After a detailed evaluation process, ICAO is now on the way to specifying face recognition as an obligatory element of the travel document standards, together with optional fingerprint and iris recognition.

As the standardization of biometrics is in its early phase and the technical solutions are mainly proprietary, the result is the deployment of inefficient and generic biometric data formats in travel document standards. Together with other necessary data, the biometric data in practice needs so much space that it can’t be stored in 2D barcodes. So the only possible technology for biometric passports is a contactless chip with relatively large memory - at least 16kB.


Many innovative technologies, based for example on magnetic or optic recognition with different wavelengths of security elements and/or personalized data etc., have been developed for machine assisted document authentication and integrity verification. The problems with these technologies are again the proprietary solutions and the lack of mainstream solutions.

These issues and the lack of feasible market entry mechanisms are prohibiting the global deployment of such solutions.

Luckily, implementation of a contactless chip as a passport storage media can allow secure deployment of Public Key Infrastructure (PKI) for document authentication and integrity verification. This offers the possibility of solving the crucial problem of document authentication, which together with biometric identification is needed for a secure, fully automatic, border clearing process.

Security of documents and processes

The physical security of travel documents requires continuous improvement and there are different bodies defining the security requirements for documents, as well as for the issuing processes and systems. In addition to ICAO, the EU Commission by Minimum Travel Document Security Directive, for example, is taking care of security issues.

When making decisions about document security requirements, the above-mentioned organizations utilize traditional security material, printing technology possibilities, obligatory optically variable devices (OVD) and image reproduction requirements. The focus is moving from the security of documents to the security of the issuance processes, i.e. to the reliable initial identification of the person and to the security and data integrity throughout the identification process until delivery of the document to the correct holder. This also sets new security and reliability demands for systems deployed in the issuance process.

The security requirements are also putting pressure on centralizing the issuance and personalization processes.

Technology challenges

All the developing technology and security demands, as well as infrastructure challenges, mean a quantum leap for passport issuers and manufacturers, especially for those deploying traditional technologies such as laminated data pages with distributed mainstream printing technologies. This is especially true for vendors of governments willing to meet the standard set by the US Government for the Visa Waiver Program, requiring passports to adhere to the new ICAO biometrics standards as per October 26th 2004.

The current situation requires new technologies to be implemented with very little proven experience. These models include the implementation of secure and durable contactless chips in passport booklets, the selection of the most feasible biometrics or a combination of multimode technologies. Other models include the implementation of enrollment, issuance, personalization and verification processes of biometric data and the implementation of border control processes and systems deploying biometric data, etc.

Contactless chips in biometric passports

The implementation of a chip in the passport book is one of the most critical challenges for the passport manufacturer. The chip with antenna can be placed on the data page, cover, or sandwiched between the center leafs. The key issue in implementation is the size of the chip. Because of the large memory requirements, the modules of the chips are large and thick, which causes problems when modules are attached to the data page with all the security elements. The thickness of the page, as well as the durability of the integration under physical stress, can become critical.

The security risks arise from the possibility of separating a valid chip from one passport and attaching it to another document. The protection against tampering is very difficult in a construction where the chip is inside the cover or between the center pages. In these cases, recognizing a possible counterfeit is also extremely difficult. The data page is preferred because the chip can be most reliably integrated directly to the important personalized data, thereby maximizing the security. So far the most promising solutions include a chip integrated into plastic-based data pages made, for example, from polycarbonate with laser engraved visual personalization.

Until now, there have been no measures set by standards or best practices to validate the durability of the booklet with a chip and antenna. This together with chip durability limitations and the ageing problem of biometrics, especially of face recognition technology, seem to decrease the validity of the documents down from the usual 10 years.

The selection of the chip type and memory size today is partly limited by the availability of feasible components. In principle, ordinary memory chips supporting ISO 14443 with enough storage could be a possibility, but in practice the security and direct access to large data areas require support of an ISO 7816 type Operating System. However, in the near future the market might supply up to 64kB chips with multi-application support in feasible modules.

Usage of advanced components allows the issuer to develop new business cases by marketing solutions based on the usage of PKI co-processor chips to airline companies and travel agents, for example, for e-commerce and e-ticketing. Without developing new business cases, the cost structure for the issuers might, in many cases, form a real obstacle for migration to biometric passports.

Figure 1: Different types of 'lenses' (CLI = Changeable Laser Image, or MLI = Multiple Laser Image™) are one of the most powerful security features. In the laser engraved passports, personalized information such as date of birth, and nationality, as well as holder's picture can be used in the lenses.

Selection of the most feasible biometrics or combination of multimode technologies

When implementing biometric passports, a lot of attention has to be focused on the selection of biometrics. In addition to the obligatory interoperable face presentation, the issuer has to decide whether to add one or more proprietary face templates, as well as interoperable fingerprint and/or iris presentations together with one or more templates. This decision also has to be coordinated with the national border control policy.

Until now, the support from biometrics research has been very limited when it comes to making decisions based on costs, reliability and convenience. In practice, the early implementation experience will show if the quality of the selection is adequate or if an adaptive approach is required.

Implementing enrollment, issuance, personalization and verification processes of biometric data

One of the greatest challenges for the issuer is the development of a nationwide system for the enrollment of biometrics. The solution should be a convenient, non-intrusive, efficient and economical addition to the enrollment of application procedures. Centralization of the personalization process forms the most secure architecture for biometric passports and the verification of the reliability of biometric data and identification has to be ensured at some practical level.

Implementation of border control processes and systems deploying biometric data

The implementation of biometric passports cannot be effective if deployment is not planned at the same time. The interdependence of issuance, biometric passports and border control is very strong. With the expected global commitment to ISO 14443 type biometric passports, there remains the need to invest only in contactless readers connected directly or through self-service kiosks. Making decisions about identification and authentication software is somewhat complicated and it has to be adopted according to the risk levels and the market development of selected biometrics in passports.

Summary

The biometric passport market is starting to open up as a consequence of the up-coming standards. This also creates opportunities for all issuers to benefit from each other’s investments by creating more secure passports and the related infrastructures.

The new basic technologies for passports already exist, but there is still a lot of development and research work to be done before being able to supply the issuers and users with qualified solutions that solve their unique needs and problems of identifying people with biometric passports at passport control.

This is a revised version of the original article that appeared in Card Forum International May/June 2003, Vol.7, No.3 ([email protected]).

For more information visit: www.setec.com

About Setec

Setec develops and manufactures high-security cards and identity documents, such as passports and visas, including smart card, security technologies and visual ID technologies. These products, also combined with biometrics, secure reliable identification of people over networks and in face-to-face environments.

Setec’s major customers include public authorities, banks and telecom operators and its main market areas are the Nordic countries and the rest of Europe and Asia. The company has operations in Finland, Sweden, Denmark, Poland, Singapore and Thailand.

Figure 2: Security printing technologies e.g. UV printing, provide an obvious indication of a genuine 'holder page'. Setec's holder page structure enables industrial binding processes typically used in traditional passport bookbinding.


Smart ID for the man on the street
By Olivier Chavrier, Gemplus

Secure identification of individuals is a fundamental and critical function in any country. Events since 9/11 have increased national interests in implementing more secure personal ID systems, to improve confidence in verifying the identities of individuals seeking access to physical or virtual locations. This applies whether identification is needed at an immigration counter checkpoint, or at a government hosted web site offering citizen services.

This article was first published online at: http://www.infosecnews.com/opinion/2002/12/04_02.htm and has also appeared in Asian Business Times end of 2002.

Widespread use of information systems and Internet technology is revolutionizing the way governments and businesses communicate with and deliver services to citizens, providing cost, time and resource savings. However, this convergence towards an on-line adapted world has created new types of risks and challenges that traditional ID cards issued by governments and enterprises are unable to solve due to their limited functionality capabilities.

Debates are taking place in many countries around the world, arguing the possibilities to issue a new type of ID in the form of a smart card, with or without some form of biometrics functionality, such as fingerprint recognition. The most commonly used argument against deployment of national ID cards is the fear of compromising privacy and thus freedom of individuals. Civil liberty unions and privacy lobbyists claim that a national ID program would create a unique way for governments to track citizens, resulting in profiling and discrimination.

Smart cards provide a solution that brings a positive and innovative response to this current privacy debate, offering a number of advantages compared to any other form of ID document. Above all, the technology constitutes a strong and convincing case for reducing the continuing privacy concerns, by enabling the end-user to gain a high level of control of private identification data.

Mobility and Off-line Capabilities

Off-line verification is one of the strongest advantages that smart cards possess in comparison to other technologies. Through this feature, smart card-based identity verification can be cost-effectively deployed at the various physical security checkpoints that require validation of identity – for example, at different locations in an airport, a road control, or other security facilities.

Security officers can verify an individual’s identity by prompting an ID cardholder to enter his or her PIN (Personal Identification Number) code, or by comparing a scanned biometric, such as a fingerprint, with a biometric stored on the card. This unique technology eliminates the need for on-line access to a central database by restricting the data shared to an individual entity, thus controlling citizen privacy. Furthermore, with its capacity to store, read, write and update information in a very secure environment, a smart card can easily be interconnected with multiple existing databases. This eliminates the need to link all these independent legacy systems, hence reducing the possibility of privacy infringement imposed by a unique government controlled citizen database.

Information Segregation

Along with the strong information protection and security that is inherent to smart card technology, a smart ID card is able to share ONLY the information required for a specific situation or location.

Firstly, the card content is protected against unauthorized access by a unique PIN code, and/or by the owner’s fingerprint, and always stays in full possession of its owner. Furthermore, the card’s unique ability to verify the authority of the information requestor allows it to be the perfect guardian of a citizen’s personal information. All of the cardholder’s personal information does not need to be revealed every time in order to validate someone’s identity. The information shared can vary depending on the specific “role” of the individual at a given point in time, i.e. only the data required for a defined identification purpose would be presented to the government authority in question.

For example, to a police officer in a road control, a smart card will present information related to the motor vehicle authority (and this information may vary depending on the country or state issuing the license).

To a retail shop owner selling alcohol or tobacco, a smart card will only present information strictly related to the age of the ID cardholder, with no reference to the name and the address of the individual.

Consequently, by allowing authorized and authenticated access only to the information required during a governmental identification operation, a smart card-based ID card can effectively protect the citizen’s privacy, while at the same time ensuring that the individual is properly identified.
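The added example below (not Gemplus code) models the behaviour described in this section: the card authenticates the requester's role, checks the holder's PIN, and releases only the fields that role is entitled to, answering the retailer with a derived yes/no instead of the date of birth. The HMAC challenge-response with per-role keys, the field names, the age limit of 18 and the PIN retry limit are assumptions made for illustration; real cards use their own authentication protocols.

```python
# Added example, not from the article: role-based selective disclosure on an ID card.
import hashlib
import hmac
import os
from datetime import date


class AccessDenied(Exception):
    """Raised when the requester or the cardholder is not authenticated."""


def role_key(master_key: bytes, role: str) -> bytes:
    """Assumed scheme: the issuer derives one terminal key per requester role."""
    return hmac.new(master_key, role.encode(), hashlib.sha256).digest()


def terminal_response(key: bytes, challenge: bytes) -> bytes:
    """What an authorized terminal returns for the card's challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class SmartIDCard:
    # Fields each requester role may read (hypothetical names).
    POLICY = {
        "police_road_control": ("licence_class", "licence_valid_until",
                                "vehicle_registration"),
        "age_restricted_retail": ("over_18",),
    }

    def __init__(self, master_key, pin, records, max_pin_tries=3):
        self._role_keys = {r: role_key(master_key, r) for r in self.POLICY}
        self._pin = pin.encode()
        self._records = dict(records)
        self._max_tries = self._tries_left = max_pin_tries
        self._challenge = None

    def new_challenge(self) -> bytes:
        self._challenge = os.urandom(16)
        return self._challenge

    def _value(self, field, today):
        if field == "over_18":
            # Derived attribute: the date of birth itself never leaves the card.
            dob = self._records["date_of_birth"]
            age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
            return age >= 18
        return self._records[field]

    def read(self, role, response, pin, today):
        challenge, self._challenge = self._challenge, None   # challenges are single use
        key = self._role_keys.get(role)
        if key is None or challenge is None:
            raise AccessDenied("unknown role or no challenge outstanding")
        if not hmac.compare_digest(terminal_response(key, challenge), response):
            raise AccessDenied("requester not authorized for this role")
        if self._tries_left == 0:
            raise AccessDenied("PIN blocked")
        if not hmac.compare_digest(self._pin, pin.encode()):
            self._tries_left -= 1
            raise AccessDenied("wrong PIN")
        self._tries_left = self._max_tries
        return {field: self._value(field, today) for field in self.POLICY[role]}


def request(card, role, key, pin, today):
    """One terminal session: fetch a challenge, answer it, read the permitted fields."""
    challenge = card.new_challenge()
    return card.read(role, terminal_response(key, challenge), pin, today)


if __name__ == "__main__":
    master = b"constructed-issuer-master-key"          # constructed sample values
    card = SmartIDCard(master, "2468", {
        "name": "Example Holder", "address": "1 Sample Street",
        "date_of_birth": date(1980, 5, 17), "licence_class": "B",
        "licence_valid_until": date(2008, 1, 31),
        "vehicle_registration": "CONSTRUCTED-123",
    })
    today = date(2003, 6, 1)
    for role in SmartIDCard.POLICY:
        print(role, request(card, role, role_key(master, role), "2468", today))
```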

Smart Driver’s License & Vehicle Registration Program

Since 1998, Gemplus has delivered smart card technology to the El Salvador government’s smart card program for driver’s license and vehicle registration. Through the use of smart cards, the system efficiently manages real-time vehicle and driver-related infraction and payments for the citizens of El Salvador. Over 2 million cards have already been issued to registered drivers of El Salvador, and 60,000 new cards are being issued every month (see Figure 1).

Smart Immigration Clearance Program

For nearly a decade, Gemplus has supported the Singapore government’s smart card-based Immigration Automated Clearance System. Smart cards are used to store the cardholder’s fingerprint for secure identification and automated immigration clearance of trans-border workers and frequent travellers at Singapore's major points of entry. The smart card program has resulted in increased airport security as well as reduced immigration clearance time.

Smart Identification of Citizens

In 2002, Gemplus was selected to provide over 1.2 million smart cards to the Sultanate of Oman in order to streamline and increase quality of public services through an automated citizen ID system. Through the use of smart cards, Omani citizens and residents will be able to identify themselves at local authorities all over the country. The Oman national smart ID card program is the first ever smart card-based citizen identity solution to be deployed in the Middle East.

Smart Healthcare Insurance Cards

Since 1995 Gemplus has been providing smart cards and readers to the Slovenian government’s Healthcare Card program. All Slovenians are automatically issued a Health Insurance Card, which stores the cardholder’s medical data, such as organ donor status, prescriptions supplied and emergency medical data. Thus, during a patient visit, a physician can easily view the patient’s eligibility status and coverage status, as well as the primary physician designation.

For more information visit: www.gemplus.com

Figure 1: Using a smart card to identify a driver


Smart Proof of Citizenship
By SC2

A National ID Card is a project that any company should enter into with a certain amount of caution. These projects tend to be fairly complicated, with many aspects that must be studied and carefully considered, in order to ensure unexpected problems are kept to a minimum and financial rewards are maximized.

The first issue that SC2 had to deal with was who, by definition, was the client? A client receives a company’s solutions and products and hence can measure their success. The National ID Card is a project where there are two major clients for one single project, both of which are extremely demanding. The first client is the Israeli government, who initiated the project and selected the solution providers. This client is very security and technology aware, which impacts their demands. The second "client" is the civilian population. It can be argued that they were not SC2’s direct clients, but the fact remains that the civilians are the ones who will make daily use of the end product. This means that even though SC2 would not be expected to interact directly with the second client, their characteristics and opinions are nevertheless important.

In order to fully understand the scope of this project, we should take a moment to review the background issues faced by the main client. Over time, methods have been developed to forge Israeli National IDs. This results in high costs caused by various forgery scams from different business layers and markets. The situation has prompted the Israeli government to embark on a project which will bring such problems to an end. It is important to mention that this was not done over-night; prior to starting this project, a detailed process of legislation and preparation took place, in terms of digital signature laws, and governmental smart card and information security standards.

The “outputs” of this project can be divided into three stages: the physical part, the electrical part, and deployment. The physical stage includes the smart card material and manufacturing, visual anti-fraud solutions, and the visual personalization of the cards. The electrical stage includes the preparation of information for personalization and the actual electrical personalization. The deployment stage includes the distribution methods of the card from the factory, through the personalization process and into the hands of the users.

Physical Process

For this project, SC2 were asked to provide a smart card that will last with daily use, for a minimum of 5 years. The only plastic material capable of that today is polycarbonate. However, satisfying the durability demands was only half the solution. Having experienced many fraud and forgery issues, the Israeli government demanded the best, most advanced, anti-forgery solution currently available. To fulfil such a requirement, the SC2 solution includes various security elements. With such a combination, SC2 have been able to present an impossible-to-forge ID card.

Electrical Process

This stage includes the implementation of interfaces between data sources, the SC2 personalization systems and the actual writing of data onto the smart card. The SC2 personalization system is capable of connecting to various data sources through standard protocols such as SQL, ODBC, LDAP, etc. Using these connections, data (information about civilians, weapon licenses, driving licenses, topographic information etc.) is retrieved from governmental databases. The collected data is processed by the SC2 personalization system and then prepared for the actual personalization. (There is another connection to Certificate Authorities, but this one is usually only used during the actual personalization process, which will be described later on in this article.)


The actual personalization is in some ways the climax of the process. This is the stage where everything that has been previously prepared is implemented. The personalization system commands a smart card printer to pull a card from its input tray and begin the electrical personalization. This operation includes building a unique file structure, writing personal and governmental data, and the installation of digital certificates. A quality assurance procedure is performed immediately after the electrical personalization process, to verify the written data and once finished, the card is transferred to the printing position. Visual data is then printed onto the surface of the card. Printing is done in two ways; one is common thermal printing, and the other is laser-engraving printing. Both methods are used to eliminate the possibility of ID card forgery.

Before moving on to the distribution of the cards, we should look at two important subjects in a little more depth: the connection to Certificate Authorities and the smart card’s operating system itself.

Certificate Authority

The specification for this project required the ability to connect to external Certificate Authorities (CAs). The CAs are responsible for both issuing and signing the digital certificates stored on the ID card. The process of issuing digital certificates can be performed in two ways, and SC2 were required to support both.

The first, and more secure way, is when a dual RSA key pair is generated inside the smart card, and the request for the digital certificate is sent to the CA using the Public Key from this specific key pair. Using this method, the Private Key is secured inside the smart card, and does not exist outside of the token.

The second way is for the CA to generate the key pair, and send the digital certificate to the smart card along with the Private Key. Even though the CA is highly secure (as is the connection), it is still far more secure to generate the key pair actually inside the card itself.

Operating Systems

This leads us to consider the smart card operating system. The selected operating system for this project is the Apollo OS developed by SC2. The client took several important factors into consideration, in order to come to this specific OS selection. The Apollo OS has several unique features, which are extremely important for large-scale smart card projects:

• The ability to support both methods of the digital certificate issuance.

• An automated memory management module (part of the operating system) which provides a transparent memory management and defragmentation solution, releasing the client from the need to manually perform this task.

• Perhaps the most important feature is the access security capabilities of the Apollo OS. Implementing a unique access protection mechanism, the Apollo OS provides the best security along with flexibility. Using the Apollo OS, we can define not only access conditions for certain identities, but also access rules that correlate between several of the authenticated identities.

• The capability to execute client proprietary applications on the card.

• And if this is not enough, the OS even supports the execution of both application and operating system patches and fixes.

Distribution

After reviewing both the personalization and operating system, the only remaining part of the process is the distribution of the cards to their end users - the civilians. The Israeli government only described their preferred distribution method in general terms, and left it to the provider to specify their detailed approach. The agreed distribution method has been decided as follows: Prior to the actual distribution, and parallel to the cards’ personalization, a transport user PIN is printed and sealed in an envelope when a card is personalized. At the end of the personalization process, two items are available: the ID card and the sealed PIN envelope. Each item is then sent separately (to ensure strict security) to the central branch of the Ministry of Internal Affairs (MoIF). The MoIF is then responsible for distributing the envelopes and the cards to its branches across the country. At those branches, when the card and the envelope are physically delivered into the hands of the civilians, the clerk sets the ID card status to “Active” in the management system, and a corresponding message is then sent to the CA to confirm the validity of the digital certificate when asked to.

Summary

SC2 is very familiar with demands for smart card solutions such as those described in this article. Our vast experience with these projects is one of the main forces that drove us to develop the Apollo OS into what it is today.

The only possible solution for projects such as National ID cards, Employee cards, Banking and Credit cards (and similar fields) are smart cards, which combine the most generic and flexible technology without compromising security in any way. The Apollo OS Smart Cards deliver such a complete solution and can be referred to more as a platform and an infrastructure, rather than another standard smart card operating system. It is important to remember that the Apollo OS smart card is only a part of the solution SC2 offers, including a key management server called “KMS2”, and our personalization system. Like many other clients, the Israeli government has understood that for its new National ID cards it has to work with the best technology and the most suitable company, which will be able to not only deliver the smart cards, but also develop and tailor specific solutions for an individual client’s needs.

For more information visit: www.scsquare.com


The Card that Cares
By Michael Nitz, Giesecke & Devrient

Good health is everyone’s most precious asset. That’s why most of the countries in the world are concerned with their citizens’ well being. However, many of the world’s health care systems face a crisis. An electronic health card for patients is one proposed solution that would offer higher quality of care, increased efficiency, reduced costs and greater transparency.

This article was first published in its original version in “Report – The Giesecke & Devrient Magazine”, Issue 01/03


Application Focus: Identification

The Future of Health Care

Glistening snow under blue skies and lots of sunshine — conditions that draw crowds of delighted skiers and snowboarders to the slopes. But all isn’t fun and games up on those mountains. Accidents are commonplace, and even experienced skiers sometimes take a tumble and find themselves rushed by helicopter to a hospital. In such emergencies the following scenario might soon be put into practice: Taking a patient health card (PHC) from the pocket of an unconscious accident victim, an emergency medical technician (EMT) inserts the card into a card reader containing the EMT’s health professional card (HPC), which is similar to a subscriber identity module (SIM) card. The paramedic then simply enters a PIN to access the emergency care information the health cardholder has preauthorized for release in such circumstances. Later in a nearby hospital, the recovering patient runs his or her card through a reading device and enters a PIN to bring up information such as the insurance number, name, address and medical data for the hospital staff. Physicians can also use their HPC and PIN to record treatment details on the patient health card.

The card also makes it easier to get prescriptions issued. Like the paramedic on the ski slope, pharmacists can use their HPCs and PINs to authenticate themselves to the PHC. They can then read out any non-issued prescriptions and delete them once the medications have been dispensed.

When a customer’s medication record is listed on his or her card, the pharmacist can examine it either immediately or after the customer has authorized it via a PIN, a feature that makes it possible to check for contradictions. This card technology replaces the traditional paper prescription with an e-prescription, which the prescribing doctor enters and signs electronically on the patient’s health card. In addition, the system uses the doctor’s e-signature to verify the authorization. At the next visit to the family doctor or specialist, the patient once again enters his health card and PIN and, depending on the card type and system version, the physician can view the hospital’s findings, X-rays and the patient’s prescription history. All of these advances are technically feasible. What is needed is the political will to implement the system.

Taiwan – Putting theory into practice

While experts in Germany are currently discussing various health insurance card models, Taiwan has already set up a modern and effective health card system that has replaced paper-based health services vouchers with multi-functional microprocessor cards. Giesecke & Devrient developed the Taiwan system, which is the world’s largest health card project based on an open platform, using Java technology. G&D, which is based in Munich, Germany, worked closely on the project with its Taiwanese partner Teco Electric & Machinery Co., Ltd. The project comprises more than 22 million health insurance cards, 345,000 health professional cards with a signature function for doctors, pharmacists and hospitals, as well as terminals equipped with security modules. Here, too, system users identify themselves with a PIN, and the system can be programmed for additional security mechanisms and functions. Gregor Boeckeler, G&D project manager for Taiwan, expects that more benefits are still to come. “Operators are not yet making full use of the system’s potential,” explains Boeckeler, “and it will remain migration-capable in the future.”

“By introducing multifunctional microprocessor cards and health system reform, we expect to save approximately € 195 million.” Lee Ming Liang, Taiwan Health Department Minister

Distribution of the new national health insurance cards began in summer 2002. The program’s rollout was organized on a regional basis and will be completed just a year after initiation. Personal information, insurance data and medication histories are saved on the cards, with additional access to treatment records and costs (see Figure 1). “By introducing multifunctional microprocessor cards and health system reform, we expect to save approximately € 195 million,” says Taiwan Health Department Minister Lee Ming Liang. Taiwan’s chip-based health card replaces the previous system of health services vouchers and enables patients to control the release of their medical records by requiring doctors to have their permission before accessing a medical file. Physicians can also store diagnoses, treatment data and prescriptions directly on the chip card, providing increased transparency for patients. This intelligent health insurance card could well become a model for other countries, and the chip card technology offers indisputable advantages including improved care, increased efficiency, reduced costs and enhanced understandability.

Figure 1: An example of the Taiwanese Health Card

TAIWAN

Population: 24 million

Health cardholders: 22.3 million

Citizen information: Ambitious campaign launched with timely, up-to-date information including personal testimonials, comprehensive newspaper articles and magazine reports, plus radio and television time. Additional media will include advertisements, brochures, information and discussion events, as well as hotlines.

Source: Bureau of National Health Insurance, Taipei

Project duration: 18 months (from call for tenders to completed card distribution)

Health Care Plans in Europe

In 2002, German Health Minister Ulla Schmidt joined the representatives of doctors, pharmacists and health insurance companies in agreeing that patients in Germany should be able to store additional data on their health insurance cards. The agreement will allow permanent information to be stored on the cards, such as crucial emergency medical data including blood groups. The first step will be to run some model tests. For electronic prescriptions, for example, doctors would be able to use computers to archive prescriptions on a server. Patients could then receive printouts, and pharmacists could use individual encryption to call up the information from their servers.

In pilot tests, conventional health insurance cards (like those carried by about 72 million Germans) were upgraded to include server access authorization. In an initial test jointly conducted by the German Health Ministry and the Association of Statutory Health Insurance Physicians in North Rhine-Westphalia, Germany, the microprocessor card passed with flying colors.

The testing covered features such as e-prescription, e-referral, e-hospitalization and the recall of emergency data. “The health card allows for secure electronic exchange of data throughout the health care system,” explains Dr. Leonhard Hansen, deputy president of the National Association of Statutory Health Insurance Physicians.

“The health card is an important step toward increasing the quality of the health care system.” Ulla Schmidt, German Health Minister

Health Minister Schmidt also emphasized the card’s benefits, calling it “An important step toward ensuring quality in the health care system.” The card technology can deliver on its quality-control claim because it reduces parallel treatment and increases transparency of medical care.

Switzerland also plans to introduce a mandatory, standardized insurance card. The plan’s first stage will involve streamlining administrative processes for policy-holders, insurers and health care providers in preparation for widespread use of the cards by 2005 or 2006.

In the second stage, the health card system will be implemented, becoming an electronic access key to an individual’s detailed health and medical treatment data. High on the list of Swiss expectations for the new program will be higher-quality treatment and lower costs, while at the same time stressing the need to safeguard each cardholder’s sensitive personal data.

Anne Eckart of the consulting firm Basler and Hofmann AG based in Zurich, Switzerland, fears that the general population will not readily accept the health insurance card solution. She reached the conclusion following a technology impact assessment study conducted by the Swiss Science and Technology Council, based in Bern. Eckart recommends a centralized institute for Switzerland that could serve as an information and co-ordination hub for initiatives studying computer-based patient records.

In Germany, Health Minister Schmidt doesn’t share concerns that card technology will endanger privacy: “The electronic health care card allows us to strengthen the rights of patients. They can decide whether additional information may be stored on their new chip card, and they can also view information that previously was difficult or impossible to access.” Schmidt considers a so-called “blind box” or “strong box” to be absolutely essential for data protection.

The feature would allow patients to store information they would prefer not to share with certain doctors, information on medications such as Viagra, methadone or HIV medication, for example. Schmidt also feels that introducing the electronic health card would demand a uniform IT architecture. And while the technical standards exist, the obligatory content has not yet been defined for Germany.


SECURITY SYSTEMS FACTS

Emergency: Doctors use their HPCs to verify their identities to the PHCs by entering a PIN. This is done via symmetrical or asymmetrical cryptography in the Challenge Response process.

Hospital: Patients allow doctors access to their PHC by entering a PIN. After verifying their HPC to the patient’s PHC with a PIN, doctors can write treatment data on the patient’s card.

Pharmacy: Pharmacists verify their HPCs to the PHCs using PINs and then read the prescriptions, while the background system uses a digital signature to check the doctor’s authorization.

Family doctor/specialist: Doctor verifies HPC to the PHC with a PIN while the background system reads the medical data.
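The Emergency, Hospital and Pharmacy flows listed above can be simulated as a PIN-gated challenge-response between the two cards. This is an added example, not code from G&D or the Taiwan system; the symmetric HMAC-SHA256 construction, the per-role keys, the policy table and all names, PINs and records are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# (role, operation, record) -> is the patient's own PIN also required?
POLICY = {
    ("emt", "read", "emergency"): False,           # patient may be unconscious
    ("pharmacist", "read", "prescriptions"): False,
    ("doctor", "write", "treatment"): True,        # patient grants access by PIN
}


def mac(key, role, challenge):
    """Response = HMAC-SHA256 over role and challenge (assumed construction)."""
    return hmac.new(key, role.encode() + challenge, hashlib.sha256).digest()


class HealthProfessionalCard:
    """HPC: answers a challenge only after its holder's PIN was verified."""

    def __init__(self, role, pin, key, max_tries=3):
        self.role, self.pin, self.key = role, pin, key
        self.max_tries = self.tries_left = max_tries
        self.unlocked = False

    def verify_pin(self, pin):
        if self.tries_left == 0:
            return False                           # blocked after repeated misses
        self.unlocked = hmac.compare_digest(pin.encode(), self.pin.encode())
        self.tries_left = self.max_tries if self.unlocked else self.tries_left - 1
        return self.unlocked

    def respond(self, challenge):
        if not self.unlocked:
            raise PermissionError("HPC PIN not verified")
        return mac(self.key, self.role, challenge)


class PatientHealthCard:
    """PHC: issues single-use challenges and enforces POLICY per session."""

    def __init__(self, patient_pin, role_keys, records):
        self.patient_pin, self.role_keys, self.records = patient_pin, role_keys, records
        self.challenge = self.role = None
        self.patient_ok = False

    def get_challenge(self):
        self.role, self.patient_ok = None, False   # a new session starts clean
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def authenticate(self, role, response):
        # Consume the challenge first so a recorded response cannot be replayed.
        challenge, self.challenge, self.role = self.challenge, None, None
        key = self.role_keys.get(role)
        if challenge is None or key is None:
            return False                           # no fresh challenge or unknown role
        if hmac.compare_digest(mac(key, role, challenge), response):
            self.role = role
        return self.role == role

    def verify_patient_pin(self, pin):
        # A retry counter like the HPC's is omitted here to keep the example short.
        self.patient_ok = hmac.compare_digest(pin.encode(), self.patient_pin.encode())
        return self.patient_ok

    def check(self, op, record):
        needs_pin = POLICY.get((self.role, op, record))
        if needs_pin is None or (needs_pin and not self.patient_ok):
            raise PermissionError(f"{self.role} may not {op} {record}")

    def read(self, record):
        self.check("read", record)
        return self.records[record]

    def write(self, record, entry):
        self.check("write", record)
        self.records[record].append(entry)


def make_cards():
    """Constructed sample cards, PINs and records for the demonstration."""
    keys = {r: secrets.token_bytes(32) for r in ("emt", "pharmacist", "doctor")}
    phc = PatientHealthCard("2468", keys, {
        "emergency": {"blood_group": "A+"},
        "prescriptions": ["constructed-rx-1"],
        "treatment": [],
    })
    pins = {"emt": "4711", "pharmacist": "1357", "doctor": "9021"}
    hpcs = {r: HealthProfessionalCard(r, pins[r], keys[r]) for r in keys}
    return phc, hpcs
```

Because the PHC discards each challenge on first use, a response captured in one session fails in the next, and the policy table keeps an authenticated pharmacist from reading emergency data or a doctor from writing without the patient's PIN.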

For more information visit: www.gi-de.com


Every smart card equipped with a microcontroller contains hardware-implemented software (e.g. the card operating system) as well as applications. The introduction of more powerful technologies and smaller chip structures allows the storage of this software not only in fixed ROM masks (Read Only Memory), but also in re-writable Flash memories. The public discussion about the advantages and disadvantages of these two alternatives today is very controversial; however, an exact security-based examination delivers amazing results.

Integral Security from FLASH to ROM

By Dr. Peter Laackmann, Marcus Janke, Infineon Technologies AG


Technology Update: Smart Cards

ROM-Memory

Most smart card controllers today are equipped with ROM (Read Only Memory). On a “Metal-ROM”, the information or program code is stored as a sequence of thin metal contacts. Another possibility is the so-called “Implantation-ROM”. In this instance, the information is coded into the substrate of the memory cells by a powerful ion beam.

ROM-Memory does not allow for deletion, nor can it be overwritten by the user via program commands. Therefore, all programs and data supposed to be in the ROM have to be installed through the production process. This is done using a “ROM-Mask” which contains all data and is used during the processing of the silicon chip. At first sight, the limitation of the irreversible writing process seems to be a disadvantage. But it also discourages potential attackers from modifying the program code on less-secure chip cards.

First, grinding the surface of the memory with diamond dust and subsequently using an imaging method can easily help visualization of the memory content of Implantation-ROM, as well as of Metal-ROM. On a Metal-ROM the connections can be identified directly by optical inspection, but for the Implantation-ROM a short-term etching process using special chemicals has to be used first. After this procedure, the ROM content can easily be read under a microscope with the naked eye or, for larger data, with an automatic optical processing method (see Figure 1).

Figure 1: Visualization of both the Implantation ROM (left) and Metal ROM (right) is fairly easy

Another alternative would be to contact the wires connecting the memory with the heart of the chip card, the CPU. These wires carry the content of the memory that is currently processed by the CPU. Contacts to these wires can be established using “probing” methodology [2].

The choice of memory type does not in itself act as protection, since attacks aimed at reading different kinds of memories are available today. This will be shown later using the example of Flash and EEPROM memories.

As with all other kinds of memory, the ROM content has to be protected not only on the chip itself, but also during the transfer of the program code from the customer to the chip manufacturer during the manufacturing of the masks, as well as in the production process itself. Infineon utilizes a highly efficient and secure method in which the mask information is always encrypted, even on the chip itself. This ensures the security of the information even if an attacker visualizes the whole ROM structure on the chip, as they would only obtain encrypted data which is useless to them.

Furthermore, Infineon offers a very convenient process for customers, both when transferring ROM information encrypted and protected to Infineon production sites and when verifying the encrypted data. Infineon has developed a process called SecureX and uses state-of-the-art cryptography. Encrypted in this way, even the most sensitive data can be put confidentially onto the ROM-Mask. The first time the chip is allowed to transform the encrypted data to clear text is during operation. But even then, the clear text data is processed only in the very heart of the microprocessor (the CPU core), which is protected against multiple attacks. Even the information that is transferred over the various bus-systems is encrypted.

Flash Memory

Flash memory can be compared to the commonly used EEPROM-Memory (Electrically Erasable Programmable Read Only Memory), which can be found in almost all current chip card controllers. The information is coded into each memory cell by imprinting electrons that subsequently are “caught” in that place, enabling them to store the information for years. Flash memories allow deletion or reprogramming of any stored information. Higher voltages than the usual operating voltage of the smart card are needed to program EEPROM or Flash-ROM, which are not normally delivered by the smart card terminal. Therefore, these voltages have to be generated within the chip itself.

Today, Flash smart cards play an important role in the illegal sector, as attackers are using the feature of reprogramming the flash memory content. For example, one smart card equipped with a Flash controller that is freely available over the internet can be used to simulate original Pay-TV cards: Instead of the original Pay-TV card, the so-called “Funcard” is put into the Pay-TV decoder (see Figure 2).

On the other hand, only a few original cards with Flash memory can be found in this sector. The reprogramming option of the flash memory for currently available (and insufficiently protected) concepts allows attackers to change or delete security checks, protection mechanisms and operating time limitations just as they wish. Therefore, this particular sector prefers today’s ROM-based cards.

This example clearly shows that if Flash memories are used as carriers for operating systems, highly effective security concepts have to be used to make sure that such a product cannot be modified or rewritten by attackers.

As is the case for ROM memories, the content of unsecured Flash memories may also be easily read. Signal lines can be contacted to scan the data traffic. If the memory is not protected by strong encryption, the attacker can get access to secret data stored therein. Today, different methods are known that can be used to directly read the content of Flash and EEPROM memory cells [3]. Even methods from other branches of chip analysis such as LIVA (Light Induced Voltage Alteration) can be used [4]. Another very effective possibility has emerged from the new attack method “Optical Induced Fault Attack” [5]. Additionally, a problem may arise after deleting Flash as well as EEPROM memory cells – maybe due to an alert – because there may still be “residues” of the previously stored information [6] and in some special cases, this residual information may be retrieved. So it can be assumed that attackers with appropriate methodologies are able to read ROM as well as Flash memory contents.

However, in some aspects, flash memory appears to be more sensitive against manipulation of content than ROM. The reason for this is simply that the information is not stored in hard-wired metal lines, but as an amount of normally freely movable electrons. Unwanted changes in the memory content can take place if the Flash memory is exposed to high temperature or high radiation. Attackers can use these effects if no appropriate protection measures are implemented. Figure 3 summarizes the different attacks carried out against both technologies and provides some of the countermeasures available.

The Solution: High Security Flash Controller

Chip card controllers that are insufficiently protected – no matter if Flash or ROM is used – may be attacked via their memory. With the introduction of Flash products in the market, the attacks that were already successful in previous experiments are now moving to these products. Therefore, the authors, as a result of security examinations, would conclude that Flash cards have their place in storing memory for sensitive applications but only if they use integral security. Chip cards utilizing Flash memory have to be protected against attacks at least as well as those equipped with ROM. Both of these requirements are met through the use of Infineon’s integral security concept. The first barrier against an attacker is the active shield, covering the whole chip. This ‘intelligent fence’ consists of an extremely narrow parallel structure of small metal wires with a distance of approximately one micron. Its wires are permanently driven with different random numbers. If these numbers do not reach the end of the active shield untouched, the chip recognizes that an intruder has tried to modify the chip hardware. If this happens, the chip triggers an alarm and the running program is instantly deactivated.

The active shield is a very effective protection against many kinds of physical attacks, but for increased protection of the memory, a number of further barriers are implemented. One of the most important protection measures is the strong memory encryption through an MED (Memory Encryption Decryption Unit). It makes sure that an attacker (even if he can directly read the Flash memory) can only get unusable encrypted values. So the attacker cannot understand the program and secret data contained within, nor can they manipulate this data because the attacker does not know how a specific command is to be encrypted. Even if they try to delete the whole Flash memory, the attacker will still not get any usable data, as a special system protects against reprogramming. Authorized changes of the Flash memory in the field through legal users, however, are still possible.

Figure 2: Chip cards that have Flash characteristics may be used (by their owners) in a non-legal capacity, for this very reason (e.g. “Funcard 4”).

Using strong memory encryption, as well as numerous other components of the integral security concept, all types of memory technologies implemented on a chip can be efficiently protected. The features of the memory itself are of lesser importance.

Infineon’s first pure Flash-Security-Controller is the SLE88CFX4000P. Engineering Samples of this highly interesting device are planned to be available by end of 2003. The positive feedback from Infineon’s customers regarding this concept shows that Flash-Security-Controllers equipped with adequate integral security will have a very strong impact on the smart card market. Even the fear that Flash-Security-Controllers may not be suitable for high-volume applications because of higher costs can be countered: the SLE88CFX4000P has been specially designed to meet the requirements of mass markets and will therefore allow a cost-efficient implementation in all market segments.

Therefore it is possible to create not only pilot lots – for customer internal tests or field trials – at the push of a button, but also to start high volume production immediately after the evaluation phase using the same device. Likewise, logistics will be simplified as the same smart card controller is configurable for several applications. Altogether, the concept of a secure Flash smart card controller offers the option to apply security applications on Flash controllers for the first time.

The challenge to compete against an upcoming attack technology, and to successfully defend against intrusions, is the central motivation for the development of new security controllers. Until today, numerous countermeasures have been developed and tested with simulated and real attacks. By nature, the research does not stagnate in this particular section. The development of new technologies for attacks spurs on the conception and realization of new counter-measures and the evaluation of methods for the testing of security functions. Proactive thinking allows us to recognize attacks of the future and to integrate security features against future threats today.

Figure 3: Attacks and Countermeasures for Flash and ROM memories

| Attack | Against ROM | Against Flash | Countermeasures (examples) |
|---|---|---|---|
| Probing (Needle attacks, FIB) | Relatively easy | Relatively easy | Memory encryption, Active shield, Bus encryption |
| Forcing (Needle attacks, FIB) | Relatively easy | Relatively easy | Memory encryption, Active shield, Bus encryption |
| Visualization | Relatively easy | Relatively difficult | Memory encryption |
| Erasing | Relatively difficult | Relatively easy | Memory encryption, Error correction |
| Optical Induced Fault Attacks | Relatively easy | Relatively easy | Memory encryption, Error correction, Light sensors |
| Power Analysis | Relatively easy | Relatively easy | Memory encryption, Error correction, Bus encryption |
| Attacks using radiation | Relatively difficult | Relatively easy | Memory encryption, Error correction |
| Differential Fault Analysis (DFA) | Relatively easy | Relatively easy | Memory encryption, Error correction, Bus encryption |

Literature References

[1] O. Kömmerling, M. G. Kuhn, “Design Principles for Tamper Resistant Smartcard Processors”, Proceedings USENIX Workshop on Smartcard Technology, Chicago 10.05.1999.

[2] M. Janke, P. Laackmann, “Renaissance der Physikalischen Angriffe”, Card-Forum 10, 2002, 22-25.

[3] B. Dipart, “Cunning Circuit Confound Crooks”, EDN Electronic Design News 10, 2000, 103-108.

[4] J. Ewald, “FPGA Design Security: Avoiding the Weakest Link”, COTS Journal 7, 2002, 20-24.

[5] S. Skorobogatov, R. Anderson, “Optical Fault Induction Attacks”, Proceedings CHES 2002, San Francisco 13.08.2002.

[6] P. Gutmann, “Data Remanence in Semiconductor Devices”, Proceedings 10th USENIX Security Symposium, Washington 13.08.2001.

For more information visit: www.infineon.com/security


Single Event Effects – Security Controllers under Attack

By Marcus Janke, Dr. Peter Laackmann

Nuclear radiation is known not only to be harmful to human beings, but also to pose a significant threat to the functionality and security of microcontrollers. In the area of aerospace electronics, the effects of radiation on electronic systems are well documented and have been investigated for many years [1,2]. The reason for these intense efforts is the fact that under space conditions, nuclear radiation is much higher than on the earth’s surface and one single failure in a spacecraft’s electronics could mean the loss of millions of dollars.


A very common phenomenon in this area is the so-called “Single Event Effect” (SEE). If a semiconductor device is hit by an atomic particle with a very high energy, a conductive channel is created in the device for a particularly short time period.

This conductive channel can be compared to a short-circuit, but as it is located only in a very small sub-micron area, it will not in most cases damage the chip permanently, nor even cause a complete dysfunction. But it can – and sometimes will – cause faults in the operation of the device [3] that can be harmful to security (see Figure 1).

A particularly efficient way of generating Single Event Effects is to use ions with a very high energy, such as alpha particles, that consist of a helium atom without its electrons. For the occurrence of Single Event Effects, it is very important that the particles lose a high amount of their energy in a very small area inside the device. All this energy is thereby transferred to the surrounding silicon, so that the conductive channel can be set up properly.

A well-known source for alpha particles with high energy is the metal Radium, which has in the past been used for luminous clock dials. In this example, its emitted alpha particles are shot onto a substance that is stimulated to emit the typical green glow-in-the-dark effect. For technical applications that demand alpha radiation, today the cheaper transuranium metal “Americium” is used, which can easily be produced from plutonium.

What is not so well known is that several minerals also constantly emit alpha particles, including different ores and building materials. In the electronics industry, lead is not only known for posing an environmental risk, but also as an alpha particle emitter (just like boron). So for radiation-sensitive electronic devices, there are several “low-alpha-compounds” available today that are reduced in composition in terms of these critical components [4].

Attacks against Security Controllers

Similar to attacks using visible light [5], an attacker could use Single Event Effects based calculation faults in a security controller for different purposes. One target is to alter the normal program code sequence that the controller is working on at the moment. With such an attack, security tests like a PIN-comparison or the integrity test of (error-) counters could be manipulated. But more significantly, the correct reading of account values, debit counters or key information can be compromised.

If errors induced by alpha radiation are used in the DFA (Differential Fault Analysis) methodology, information about the secret keys may also be retrieved. In the worst case, using just one faulty computation, the complete secret key may be discovered by the attacker – and this faulty computation can be induced by just one single alpha particle hitting the security controller.

The observed effects are very similar to those being introduced by optical radiation: the functions normally taking place in the irradiated parts of the microcontroller are thereby manipulated.

But alpha radiation is not so easily controlled, unlike light. Due to their nature, the atoms (which a radioactive material such as radium consists of) emit alpha particles in a random fashion. Only the average rate of alpha particles per second is known (measured in the unit “Becquerel”). But neither the time point nor the impact area of every alpha particle can be predicted.

This restriction makes an attack with exact timing and synchronization to the program flow of the microcontroller extremely difficult. Furthermore, radioactive materials cannot be simply switched on or off; the alpha particles can just be blocked using mechanical shutters. Also, magnetic fields can influence the direction of alpha particles, but for a practical attack, both methods are not very convenient.

Another problem the attacker faces is that continued irradiation with high doses of alpha particles will cause permanent damage after some time, completely destroying the security controller, so that it is of no more value for the attacker. The cause of this damage is the very high-energy rates of the alpha particles that modify the crystal structure of the silicon itself.

Figure 1: Single Event Effect in a Semiconductor Device

But there are also some advantages to using irradiation as an attack method: through perforating a simple aluminum foil, a very efficient mask can be produced for local irradiation of small areas on the security controller, such as memory or crypto modules.

Another advantage is the low detectability of single alpha particles. Whereas irradiation with light can be detected relatively easily by means of optical sensors, the detection of alpha particles is much more complicated. Sensors on the chip itself are able to detect alpha particles under certain circumstances, but not every incoming alpha particle would cause an alarm. Also, a protective coating on the chip itself is not efficient, as very thin metallic structures can be penetrated by alpha particles relatively easily.

Using radiation as a hypothetical medium for cryptographic attacks has already been proposed by Quisquater [6], but no practical experiments or concrete results are publicly known. The first practical tests were performed some time ago at Infineon Technologies. In order to show if a malfunction in a security controller could be induced using alpha particles, and to see if the attack could be detected, a radioactive source containing a small amount of Radium-226 was used.

Infineon tested unsecured microcontrollers, as well as their security controllers. These products were irradiated directly, without the plastic chip cover that is normally part of a smart card. As the range of alpha particles in air is only one to two centimeters, the radioactive source was placed directly over the chip surface (see Figure 2). Under these conditions, the alpha particles could penetrate the silicon down to the active regions of the semiconductor material, transferring their complete energy to the surrounding silicon.

The complete area of the chip was irradiated in order to observe and understand as many of the effects as possible. On average, all areas of the chips were subject to the same dose rate of radiation.

What Infineon expected was that using a radioactive source of appropriate strength, a significant amount of radiation-induced effects could be observed.

Whereas the standard microcontrollers were defenseless against the attack, the countermeasures utilized in the Infineon security controllers showed their effectiveness in detecting the attacks. This was not only due to the utilization of the internal sensors of the highly developed security controllers, but also the hardware-based surveillance measures of the CPU and memory modules in the chip itself. As well as the 16-Bit SLE66P, the new 32-Bit Security Controllers were also subjected to the tests.

The concept of integral security used in the Infineon Security Controllers was shown to be very efficient against the new attacks through the use of alpha particle radiation. This is not very surprising however, as the principle of such attacks had been considered during the development of DFA (Differential Fault Attack) countermeasures from the very beginning. Today, highly efficient barriers against these attacks are available through the use of Infineon products. Such an integral security concept supplies protecting functionalities today, against the attacks of tomorrow. Once again, the advantages of a proprietary CPU core, whose development has included security and performance from the very start, can clearly be demonstrated.

Figure 2: Security controller SLE66CX322P in an open test package

Figure 3: Radium-226 Clock Dials

Hi-Tech or Low-Tech Attack?

At first glance, attacks using particle radiation seem to be a high tech approach that can only be carried out in a special laboratory. But alpha emitters of appropriate strength can be found in several devices around today. Attackers can also utilize sources like old radium dials, which contain the radioactive material Radium-226 in significant amounts [7], for inducing errors in unsecured microcontrollers (see Figure 3).

Other sources of alpha radiation are mantles for gas lanterns containing Thorium-232, or smoke detectors containing Americium-241. Even if these sources (if properly used) are not a threat to health, they could pose a security threat if used by an attacker to manipulate a microcontroller (see Figure 4).

Also, it should be noted that not only alpha particles might cause faults in security relevant devices, but also X-rays, electrons (beta radiation) or neutrons. Nevertheless, single event attacks are best performed using alpha particles due to their high energy and very high energy transfer rates in the silicon.

Perspective

The challenge of counteracting a rapidly growing wave of widely differing attack scenarios is a central point in the development of security controllers at Infineon Technologies.

Infineon has considered the methodology of DFA (Differential Fault Analysis), including the attacks using radioactive sources detailed above, for many years. Up until now, a huge variety of countermeasures has been developed, carried out and verified in the most demanding tests. But the research cannot stop, as new attack methods are also developed every day [8], which implies that the search for new security concepts must also continue.

Forward thinking and implementation allows the company to identify the attack scenarios that may come tomorrow and to implement the necessary countermeasures today.

Literature References

[1] G. C. Messenger, M. S. Ash, The Effects of Radiation on Electronic Systems, Van Nostrand Reinhold, New York 1986.

[2] M. Dentan, Digest of the Irradiation Effects on Electronics, CERN, Proceedings Atlas Electronic Meeting, 08.06.1999.

[3] M. V. O'Bryan, K. A. LaBel, R. A. Reed, J. W. Howard, J. L. Barth, C. M. Seidleck, P. W. Marshall, H. S. Kim, D. K. Hawkins, M. A. Carts, K. E. Forslund, Recent Radiation Damage and Single Event Effects Results for Microelectronics, 1999.

[4] H. Rauhut, Low-Alpha Epoxy Molding Compounds, Dexter Electronic Materials 1999.

[5] P. Laackmann, M. Janke, Lichtangriffe, Card-Forum 07/08, 2002, 56-59.

[6] J. J. Quisquater, Your electronic wallet in the Van Allen radiation belt, or Electronic commerce at RISK in space?, 30.11.1996.

[7] R. Mullner, Deadly Glow - The Radium Dial Worker Tragedy, American Public Health Association, Washington 1999.

[8] M. Janke, P. Laackmann, Renaissance der Physikalischen Angriffe, Card-Forum 10, 2002, 22-25.

Figure 4: Commercial Radioactive Sources


Within the Trust


BIOPASSPORT® Enterprise Server
The Biometric Solution for Comprehensive Network Security

There are two main objectives for deploying biometrics in an enterprise: massive cost savings and a dramatic increase in IT-security. The administration of classic passwords is generally recognized to cost an organization at least € 350 per member of staff per year (Source: Gartner Group Study), while at the same time IT-security has also become a major concern. Official crime statistics throughout the world show significant increases of identity theft and computer espionage.

Only biometrics ensures that a person is really the person he or she purports to be. IdentAlink’s BioPassport Enterprise Server Family of products incorporates multi-layered biometrics, including IdentAlink’s proprietary finger recognition algorithms and high level encryption, that are combined with PKI to provide a convenient single sign-on structure for small to large scale organizations.

What is more, customers do not need any additional hardware to run the application. This is due to the fact that the application is built to be platform independent, which means that there will be no need to modify any existing infrastructure. For Windows® 2000/2003 networks it is essentially an Active Directory Plug-In. The Java 2 Enterprise Edition will be deployed to support non-Windows or multiple networks, as well as for the provision of PKI.

IdentAlink’s BioPassport Enterprise Server includes multilayered biometrics (face and finger as standard – others on demand). In the case of finger recognition, there are various different sensors compliant with the software. The number of users, as well as domains, is not limited at all. PKI, including Digital Signature, is also integrated into the package.

It features True Single Sign On, central control of all infrastructures and complies with the European Data Protection Act. The IdentAlink solution supports all currently available sensors.

The BioPassport Enterprise Server

The BioPassport Enterprise Server contains the following modules:

• BioPassport® BioLogon: This enables a user to log in from a Windows® 2000 or XP workstation into any Windows, Linux or Solaris network with chosen biometrics instead of a password.

• BioPassport® Secure Application: This module allows all password-based applications (locally, on a network or even web based) to be secured with any chosen biometrics. This solution is available as a ready-to-use module that works with almost any ERP, QRM and Database Solutions on the market or as an SDK to be integrated into a proprietary application.

• BioPassport® Secure Communication: This enables a user to send and receive digitally signed and encrypted e-mails including attachments, only when the user has been biometrically verified. It is provided as a Plug-In for MS Outlook® or as an SDK to be integrated in any other mail application. It also uses PKI with minimum 512 bit RSA and includes Digital Signature.

• BioPassport® Time & Attendance (SDK): Interfacing to all current Time & Attendance software.

• BioPassport® Physical Access Control (SDK): Interfaces embedded units into BioPassport Enterprise Server.

• BioPassport® Content Provider (SDK): This enables any web-based content (Online Shopping, Online Banking) that is currently secured with a password to be protected with biometrics.

IdentAlink has also recently released standalone versions of its BioPassport Enterprise Server Family of products for small businesses and standalone computers.

For more information visit: www.identalink.com


Multos Products for Migration and Security

Keycorp Limited is a global leader in secure transaction products including: smart card operating systems; payment terminals for fixed, mobile and Internet applications; and e-commerce gateways.

Keycorp’s MULTOS, a secure, multi-application smart card operating system, is the pre-eminent smart card platform for EMV migration, secure identity and data security applications.

Two key market drivers have emerged for multi-application smart cards, that are proving to be consistent on a global scale; namely EMV migration and security.

EMV migration is the upgrading of existing magnetic-strip-based financial credit and debit cards to chip-based cards, in order to reduce fraud and increase the number of functions the card is capable of performing. This initiative has been led by the major card brands.

Market drivers for security are based around the need to ensure the integrity of personal and business data, to enable such activities as access control or identification, data exchange, and data security. This market includes such applications as national ID cards, contactless transport systems, PKI (Public Key Infrastructure) systems for e-business exchanges, and access control to physical or logical facilities. Governments have been leading some of the larger projects including the Hong Kong SMARTICS (smart card Identification System) card and the US Department of Defense Common Access Card (CAC). These projects are utilizing the security and ease-of-use offered by smart cards to manage cardholder identity efficiently and with high integrity.

But what are the key requirements that a smart card must meet for successful implementation in any of these markets? In the majority of cases these include:

• Security of data: such as applications, cryptographic keys and manufacturing process

• Assurance of system components: only achievable through a truly open platform

• Cost effective, easy to use and easy to implement

• Ability to add/modify functionality in the future without compromising the solution

• Reduced risk by using proven technology that fits its purpose.

With these requirements in mind, the MULTOS smart card platform has become the predominant card operating system deployed today. MULTOS is an open-platform operating system that provides high security, high assurance and multiple applications for smart cards. MULTOS is unique in that it defines the complete smart card lifecycle including: the operating system and APIs (Application Programming Interface), mechanisms for securely loading and deleting applications, security requirements for hardware and software, key management principles, and card personalization. The MULTOS business model is issuer-centric and as such, it is the issuer that controls which applications are loaded, which vendors to use and how much of the smart card project it wants to control.

Questions and Answers

What about security?
The Keycorp MULTOS product has been certified to ITSEC E6 – the highest level of security available for any multi-application smart card operating system. The platform includes a cryptographic chip providing the high security exchanges necessary for payments and PKI.

Is it a proven product?
MULTOS has proven field performance from financial applications to national ID projects, with over 20 million products deployed to date.

Who’s in control?
MULTOS is a fully open, issuer-centric scheme, allowing for complete choice of vendors in each stage of the process, right up to how much of the process the issuer wants to control. Applications can even be loaded or deleted after the cards have been issued.

What is the added value?
The flexibility of a multi-application platform means that several different value-added services can be offered to each customer. The Keycorp MULTOS module comes with the industry’s most widely used applications pre-loaded – EMV payment application, e-purse, PKI and biometrics (from Precise Biometrics). This leaves memory for customer specific applications.

What about support?
Keycorp and the MULTOS community have been developing and implementing successful smart card projects for many years. There are dozens of vendors in card manufacturing, personalization bureaus, application developers and off-the-shelf applications including EMV payments, e-purse, loyalty, ID, health, biometrics, PKI, contactless transport ticketing and others.

Keycorp offers MULTOS products on Infineon SLE66CX series silicon with 16K, 32K and 64K memory.


For more information visit: www.keycorp.net


Explaining the SyntiQ Solution

SyntiQ International focuses on solutions for remotely controlled payment terminals and ATMs, that benefit retailers, terminal managers and software houses. SyntiQ began as a project within Interpay (the payment processor for the Netherlands), formally becoming an independent entity on July 1st, 2001.

The motivation to develop what is known as the SyntiQ Solution arose from the need to:

• reduce the cost-of-ownership of the electronic (payments) infrastructure

• improve the quality of the electronic payment infrastructure

• speed up the time-to-market for developments in this area.

The SyntiQ-Pay chip

The SyntiQ Solution is an integrated suite of both hardware and software. The core of the solution is the SyntiQ-Pay chip: a very small computer implemented on a single platform, the size of a SIM-card (as used in mobile phones and payment terminals). In essence, the SyntiQ Solution is the card device. It contains the full banking environment and uses the peripherals of its host, such as a printer, display and keyboard.

Almost all terminals installed and sold worldwide over the last few years contain an ISO (ID-000) slot, where the SyntiQ-Pay chip can be inserted. Although initially designed for payment terminals, the SyntiQ-Pay chip can also be used for ATMs, Mobile Phones, Personal Digital Assistants, Personal Computers and Set-top boxes.

Key Characteristics of the SyntiQ-Pay Solution

The SyntiQ Solution allows the user to develop one application for a new product or a product change, independent of the different card devices, device configurations and ATMs. The new applications can be downloaded remotely into card devices. The SyntiQ-Pay chip contains a Multos-based security microcontroller, which prevents the necessity of using SAMs (Secure Access Module) and enables the remote change of security functions and security keys in both devices.

The SyntiQ Solution includes a management system that can diagnose problems and receive management information remotely, irrespective of the specific card device. In this way, if problems do occur they can be corrected remotely – consequently, the number of site visits for problem handling and maintenance can be minimized.

Because the SyntiQ Solution allows users to develop one single application for a new product or a product change, the application or application change has to be tested and certified only once.

Using the SyntiQ-Pay chip

The SyntiQ-Pay Chip can be inserted into existing card devices. Alternatively, a card device designed with a SyntiQ-Pay chip at the core can utilize the SyntiQ advantages to an even greater degree.

For more information visit: www.syntiq.com

About SyntiQ International

SyntiQ International is dedicated to creating intelligent business solutions by using the possibilities of integrated information and communication technology. Based in the Netherlands and founded by Dutch banks and Interpay, SyntiQ has broadened its base by establishing strategic alliances worldwide. The company’s SyntiQ-Pay solution contains a complete payment environment that can be remotely controlled in a secure fashion and fits into all kinds of payment terminals.


realtime Security in Brevard County

realtime North America enables SAP users to remove an accepted, but severely flawed, security practice!

The company realtime North America, Inc. is the progressive affiliate of the established European SAP consulting and software firm, realtime AG. realtime AG is an SAP solution house, established in 1986 in Europe and still managed by former senior SAP employees. The company has a client base of over 200 “Fortune Global 500” customers in Europe and North America including Bayer, DaimlerChrysler, Siemens, Toyota, Esso, Procter & Gamble, DuPont, Black & Decker, Nestlé, and others.

The need for improved security

realtime has supported these clients with both services and software solutions. During the course of numerous consulting engagements with many of the world’s largest corporations, realtime AG realized that there was an acceptance and complacency regarding passwords, even though they are becoming extremely insecure due to the propensity of users posting them in the vicinity of workstations. realtime developed software and consulting practices as a solution to these problems. Software from realtime includes bioLock, bioPortal, and APM. realtime North America was founded to serve the North American market as a natural outgrowth of realtime’s success in Europe.

Due to a combination of a rapidly growing need for security on a global basis, and realtime’s substantial experience in SAP security and identification management issues, realtime have proactively developed the first SAP-certified biometric access and function control solution for SAP. The resulting software, bioLock, is the first and only access-control-via-fingerprint (or other biometric) software solution for SAP systems. bioLock can not only protect the logon process, but also individual transactions and fields within the SAP system. The system is installed in only a few hours and does not alter the existing SAP system. Usage does not require training and is intuitive and convenient. No programming skills are necessary to protect the transactions – it can be done in a minute by any SAP supervisor. The system not only uniquely identifies the user, but also logs the complete execution information of the protected transaction, including any attempt of an unauthorized person to execute the protected transaction.

Using fingerprint biometrics with bioLock

SAP recently presented bioLock at their annual Sapphire conference in Orlando, Florida as part of its homeland security effort. Additionally, SAP has installed and is displaying bioLock in their Global Solution Center in Pennsylvania. SAP is also rolling out a promotion of bioLock to the SAP sales team focusing on government sales. Thomas Neudenberger, COO of realtime North America, states that “The function of bioLock is in providing a secure and convenient alternative to the insecure password-method of limiting access to valuable or sensitive data in IT systems”. Additionally according to Neudenberger, bioLock is “basic security” that every company should already have, and will have two years from now.

To utilize fingerprint technology combined with smart cards and RFID, realtime has partnered with the industry leading keyboard manufacturer, Cherry. Cherry provides their well-known keyboards with the award winning capacitive Infineon fingerprint sensor, plus smart card and RFID readers.


bioLock – the choice of local government

A recent installation of bioLock was at Brevard County (Government) in Florida, providing much needed extra security. Brevard County Systems Supervisor, Rick Meshberger says he chose bioLock because the county needed to have secure single sign-on to multiple systems, the provision of extra security for access to sensitive information in the HR systems, to assist in compliance with the federal HIPAA standards and to provide access control to purchasing functions for the Emergency Management Effort. Because of the need to access multiple critical systems, 8-digit passwords with lower case, upper case and numbers were inconvenient, insecure, and time consuming to retrieve from PDAs where they were typically stored and secured with another easier-to-remember single password. Most importantly, Brevard County (which includes the city of Melbourne and the NASA space facilities at Cape Kennedy and Cape Canaveral, and lies in a hurricane-prone area) needed to provide extra-secure access to emergency preparedness supplies that are necessary to protect an area of national importance. The large quantities of emergency supplies necessary for national security of the space launch areas can involve very large expenditures. Brevard operates its emergency preparedness command headquarters from an underground bunker capable of withstanding a nuclear blast, and needed comparable IT security to protect their systems.

Pete Gunn, Director of Safety and Security introduced realtime to the Brevard County leadership for the Florida Space Authority. Pete Gunn had learned of the benefits of bioLock, knew that Brevard County was looking for additional security, and immediately recognized the benefits that bioLock would have for an area so concerned with national security.

Other products from realtime

In addition to bioLock, realtime is a market leader with its Authorization Profile Management Tool for SAP called APM. APM has been installed over 150 times within Europe, and Fortune 500 companies and other clients benefit from its time savings compared to the SAP profile generator, as well as APM’s wide ranging auditing functions.

And, as Klaus-Dieter Janzon, EnBW (one of Europe's largest energy companies) enthuses: "Utilizing the new role-based features of APM has enabled us to save 60% of our initial efforts to set up user profiles in SAP. But the benefits of APM haven't stopped there. Thanks to other APM features (such as trace analysis and derived roles) we are currently experiencing a reduction of an additional 30-40% in our routine user and profile maintenance tasks, that are supporting two systems with thousands of named users."

The newest software solution from realtime, bioPortal, extends the security of bioLock to systems outside of SAP, such as databases like Oracle, DB2 UDB, and SQL Server, operating systems, and other applications. bioPortal combines the simplicity and security of biometric access control with the speed and convenience of “single sign-on” capability. With bioPortal, realtime has extended the concept of eliminating insecure passwords, beyond the realm of any existing IT security.

Summary

SAP consulting services continue to be a strong focus for realtime, and the foundation of their success. The average realtime SAP consultant has over 8 years experience. With headquarters in Tampa, Florida, an active staff, and a growing influence in North America, expect to hear a lot more about realtime North America in the future, as security continues to grow in importance for American corporations and government entities.

Siemens ID mouse: Used with realtime’s software

For more information visit: www.realtimenorthamerica.com

realtime’s expertise

Comprehensive, full-service solutions are realtime's specialty. Products and services from realtime encompass the following:

• Consulting for SAP and E-Business
• Management Consulting
• Software for Industry and Security
• Application Service Providing
• Customer Support Center with Help Desk and Direct Service Line

realtime works with regional and proven cooperation partners in the area of hardware component maintenance and service.


Wave Systems’ EMBASSY® Trust Suite Portfolio Enables Secure Business Computing

PC platform security has evolved into one of the most important issues facing today’s business computing marketplace. This may be due to such reasons as the rapid growth of wireless computing, the accessibility of corporate networks provided to the mobile professional or telecommuter, and the possible security holes that may exist in mainstream operating systems and applications. To address these issues, the industry is rapidly moving toward hardware-based Trusted Computing.

What is Trusted Computing?

An important demonstration of the momentum towards hardware-based Trusted Computing is the recent formation of the Trusted Computing Group (TCG), an industry organization dedicated to embedding trust and security more broadly into computing platforms and devices. The TCG has defined a semiconductor device known as the Trusted Platform Module (TPM) to serve as a “root of trust” for protected activities on enabled platforms. TPMs provide the trusted hardware resources used by Wave Systems’ services to extend trusted functions within a PC. Through acceleration of the design, use, management and adoption of trusted systems for a variety of computing platforms, the TCG is helping the business computer users realize increased security through open standards. Earlier this year, Wave was among the initial industry leaders, along with Infineon Technologies, in instigating the TCG to develop, define, and promote hardware-enabled Trusted Computing and security technologies, including related hardware building blocks and software interfaces, across multiple platforms, peripherals and devices. Wave recently announced that Wave’s EMBASSY Trust Suite portfolio had been enabled on the Infineon Technologies TPM to make a secure computing platform, complete with an out-of-the-box suite of secure and trusted services and available to personal computer manufacturers. Wave applications and services on the Trusted Platforms make a secure, high-value, services-rich computing platform available to businesses and personal computer manufacturers. And these capabilities are of course compliant with the recently announced TCG specifications.

EMBASSY Trust Suite – Wave Systems' Client and Server Solutions

Wave Systems has identified the need for an introductory set of services on the business desktop and mobile platforms, in order to accelerate the user value of the trustworthy computing initiative. The company has developed the EMBASSY Trust Suite as a set of secure services that introduce the user to value-added applications in a manner that is intuitive and simple.

The current portfolio includes:

Document Manager Vault – The vault capabilities include document encryption, decryption and client-side storage for important corporate documents. Documents are securely stored and easily accessible to the authorized user. The vault also allows multi-user functionality for an optional shared vault. The easy-to-use vault, utilizing Microsoft Office® integration, protects against unauthorized access from network snoopers and hackers (see Figure 1).

Private Information Manager (PIM) – The PIM uses the TPM to securely and efficiently store user information, such as user names, passwords and other personal information. The PIM intelligently retrieves login information for simplified Web login and automatic form-fill capabilities. The PIM’s data is securely stored using the TPM security features and can be moved securely from machine to machine (see Figure 2).

Smart Signature – This digital signature and document storage capability includes signing keys generated by the TPM. Smart Signature is an Adobe Acrobat plug-in solution that is ideal for contracts or any other customized document or form that requires a signature. Included is a platform registration capability for storing and recovering Trusted Platform registration information and simplified back up and restore capabilities for the user or IT manager (see Figure 3).

Attestation Credential Manager – The ACM provides capabilities for any application to ensure that it is transacting with a Trusted Platform. It issues TPM identity credentials and certified credentials to provide attestation to a third party that a platform is trusted, and revocation checking ensures that the credentials are valid. This is a critical service for managing Trusted Platforms.

Key Transfer Manager – The Key Transfer Manager is a web-based migration capability for archival of TPM keys and certificates, and utilizes tools to enforce business data management and access control policies. It provides IT administrators with the tools to service users in case of a TPM or platform malfunction, or to update to a new platform, and is considered to be a logical and uncomplicated method for a business to manage its TPM-secured intellectual property assets.

Summary

Wave has leveraged its many years of research and development in security applications and trust infrastructures to develop this growing portfolio of embedded security solutions for the professional user. By adhering to a standards based approach to Trusted Computing, Wave Systems can assist its customers with evolutionary growth relying on broadly supported industry initiatives. Wave Systems has the products and services to enable an ease of use model for deployment, user experience and management of Trusted Computing platforms. This philosophy will allow the business users to leverage their training and knowledge to not only be productive, but also secure, as they embark on the digital commerce revolution which merely awaits the availability of Trusted Computing platforms.

For more information visit: www.wave.com

Figure 1: Document Manager Vault

Figure 2: Private Information Manager (PIM)

Figure 3: Smart Signature

Wave Systems Broad Experience in Embedded Security Solutions

A leader in delivering trusted computing applications, services and infrastructures across multiple trusted platforms, Wave brings years of experience in solving challenges in the trusted computing market. Prior to the formation of the Trusted Computing Group, and the emergence of the original TCPA embedded security specification, Wave developed and deployed its pioneering EMBASSY® Trust System in support of trusted computing. Largely targeted to next-generation smart card reader applications for government, military and financial services markets, the EMBASSY Trust System deploys and manages secure applications and services in a trusted environment. The EMBASSY Trust System provides secure hidden application execution capability, application lifecycle management and secure time based services. Today, with the emergence of the TCG-driven market opportunity, Wave is primarily focused on working with its partners in the PC ecosystem to deliver the EMBASSY® Trust Suite of applications and services. The Trusted Platform Module specified by TCG provides the trusted resources used by the Wave desktop and server services to bring these trusted functions to a PC computing platform. Wave applications and services for TCG-compliant platforms make a secure, high-value, services-rich computing platform available to enterprises and personal computer manufacturers.


A quick straw poll. How many of you know what a WiFi Hot Spot is? Quite a few of you I should imagine. But for those of you that didn’t – it is a public area, such as a hotel lobby or railway station, that is covered by a wireless access point, typically set up so that people can conveniently connect to the internet without cables.

To make you feel better, I should add that those of you who didn’t know are in very good company. A recent poll of around one thousand home PC users found that seven out of ten people had absolutely no idea as to the meaning of the phrase. According to the Mori poll, some believed that it was a type of ‘hot tub’ or a sun bed, while others thought it was a microwave meal. Of the ‘single’ people surveyed, a staggering one in ten believed that it was a nightclub. Most amusing were the people that thought it was an expression to use when they were in trouble with their wife.

This level of ignorance, while understandable, will no doubt change soon. Latest statistics suggest there are well over 4,000 hot spots in Europe, with this number growing fast. Still, one can only imagine what the public’s response might have been if the pollsters had stopped talking about WiFi and started talking instead about public wireless LAN (PWLAN) or 802.11b – which is the standard that most of these hot spots are based around.

I would be first to put my hand up and admit that I have a hazy recollection as to the meaning of the standards surrounding the WLAN market. For those of you unaware, let me tell you there is a whole alphabet of 802.11 standards out there. They start at 802.11a and go all the way up to 802.11k, before skipping to 802.11m – 802.11n is still some years away. The exact meaning of all these standards will have to be saved for another day. Some are mind numbingly tedious, while others are actually well worth a read.

One that I will venture to mention is 802.11i. But first I want to bring to your attention the results of another survey performed in the UK, which suggests that more than half of companies with a turnover of more than £50 million have no plans to implement WLANs.

The survey was conducted by market research group Vanson Bourne on behalf of Cable & Wireless’ network infrastructure services subsidiary Allnet. To date, the survey says, just 7% of businesses in Britain have rolled out WLANs in any meaningful way, while 21% have pilot schemes in place and 16% have plans to implement such technology in the future.

WLANs can give freedom to workers and increase productivity, so why is it that big business seemingly remains to be convinced? According to the survey, 35% had issues with the perception of poor security offered by WLAN technology and 32% said they couldn’t afford it.

This finding comes as little surprise. The excellent article looking into the phenomenon of WarDriving earlier in this magazine explains very well the reasons why network security managers may be less than happy with the security features offered by current WLAN technology. It is still possible for hackers to stroll through a city or roam a building with laptops, a wireless network adapter and sniffing software in order to discover open or unsecured WLAN access points. With a little effort and a reasonable amount of traffic on the network, it is even possible to break the standard Wireless Equivalence Privacy (WEP) protocol within a few hours – and get access to a company’s sensitive data.

The soon to be released 802.11i standard could put an end to all of this and give back the WLAN industry some badly needed credibility in the security stakes. It eliminates some of the well documented security flaws that allow WarDrivers to ply their malicious trade. At that point perhaps those turned off by the problem of security may reconsider and provide fresh impetus in the corporate WLAN market, turning it once more into a hot spot sector, rather than a bit of a ‘damp squib’.

As a side note, is any of this sounding familiar to readers from other industries – say the biometrics sector? Let’s see: users unaware of the technology; security PR problems (note the ‘gummy finger’ debacle); a plethora of confusing standards; and users not being able to afford the technology. For sure, these are all current headaches.

The hottest topic in biometrics at present is the introduction of biometric passports (see page 21). I tried explaining to an elderly relative recently that she may soon have to visit an enrolment center, pay an inflated fee for her passport and have her biometric (what?) taken – face at present. Let’s just say that from the look on her face, I foresee big user acceptance problems ahead. Not insurmountable, but from this narrow viewpoint, it is a shame that the UK government has now said that ‘spin’ will no longer be a part of its politics. Interesting times ahead.

Mark Lockie

Running Commentary

WLAN – hot spot or damp squib?