Overview

Ask the expert

Online transactions require the ability to determine a person’s identity in a secure, convenient and privacy-guaranteeing manner.

—Michael Osborne, IBM scientist

In recent years, there has been a trend among governments and commercial organizations toward using secure personal identification systems as a way of verifying the identity of individuals. Heightened concerns over terrorist threats and immigration control have prompted a number of countries, including members of the European Union, to pilot biometric passports. In addition, a number of governments have plans to implement a national ID card or a “smart” driver’s license (see for example the US’ RealID act).

Secure ID systems can help businesses and agencies restrict access to physical locations and secure networks, as well as provide an identity verification process for receiving government services or conducting online transactions.

Our team integrates various aspects of expertise to provide such systems in a wide range of public and private sector applications. Most notably, these include public key infrastructure (PKI), biometry, workflow, smart chip technology, and in-depth process knowledge gained from cooperation with customers and colleagues from IBM Global Business Services.

Michael Osborne

Michael Osborne

IBM Research scientist

Process expertise

Taking the production of secure ID cards as an example, the following issues have to be considered in a manner that is very efficient, secure, adds no complexity or costs to existing means of ID production, and is in compliance with international standards:

Understanding the security features …

from high-tech polycarbonates and engraving to smart cards in order to find the appropriate solution for a given situation.

Production and personalization of the cards …

securely and efficiently for enrollment kiosks, secure processes to prevent the production of unauthorized cards, processes to control card production and printing of associated documents.

Fast and efficient verification of cards …

for example at border crossings, by police, etc.

Understanding partners …

including their production and technical capabilities for each of the required components.

Future of Secure ID

In addition to government agency applications, Secure ID can also be used to store patient medical records for use by insurance companies and healthcare providers, and could provide an additional layer of security in screening airline passengers. Other possible applications include use by businesses and universities to verify employee and student identity, and to track purchases and meal consumption. IBM Secure ID is an invaluable source of information for any enterprise seeking a portable solution to identity and authentication verification. It helps clients address national and business security issues while safeguarding personal privacy.

Products & authentication solutions

Many governments are starting to issue Machine Readable Travel Documents (MRTDs) in the form of passports and residence permits with an embedded chip capable of storing biographic information, such as the document holder face portrait, and biometric data, such as the document holder fingerprints.

In order to be able to exploit the full potential of these documents, public and private entities need to be able to read and verify the authenticity and integrity of the information retrieved from these documents’ chips.

Furthermore, when biometric information, such as fingerprints, is available, it may be useful to be able to validate whether the fingerprints retrieved from the document match the ones acquired live from the document holder.

Quality assurance reader

A key part of any personalization system for these documents is quality control: checks to ensure that the cards and chips have been personalized correctly. While data printed on the card can be verified by optical or manual inspection, data stored on the chips needs to be read and verified electronically. The IBM Quality Assurance Reader (QA Reader) accesses data on chips according to the most recent international standards, verifying that it has been correctly written and that it matches the printed information.

Quality assurance reader product (607 KB)

Check Point Reader

The IBM Check Point Reader (CP Reader) accesses data on the chips according to the most recent international standards. Once these validations have been completed, it acquires the document holder’s fingerprints and performs a comparison with the templates stored in the chip. The result of this process is conveyed to the inspector through a very simple and intuitive user interface, which allows further examining of both the physical document as well as the information stored in its embedded chip.

Check Point Reader (447 KB)

Secure chip personalization server

The IBM Secure Chip Personalization Server (SCS) personalizes chips with user or application-specific information and performs a wide range of related tasks. SCS can be adapted to support all existing and emerging chip and encryption standards and applications. For example, SCS supports chip personalization on identity cards including support for EAC-protected data, ISO 18013-compliant driver’s licenses, and on cards used for remote authentication supporting protocols such as CAP.

Core technologies

card_3

Public key infrastructure

Public key cryptography has long served as a core technology for many computer security systems. Using public and private key pairs, one can perform cryptographic operation encryption with one key from the pair, while the reverse operation decryption requires the other key. The private key remains concealed by the key owner, whereas the public key is freely disseminated.

Internet PKI provides additional safeguards by ensuring that a public key for an end-user can be certified without requiring the corresponding private key to be transmitted online to the certification authority. In most cases, the key pair is generated at the end-user’s side of the infrastructure, and the private key remains securely stored in the local environment such as in a smart card token.

For many years, our team has been developing the core cryptographic software used in many IBM products, such as Websphere or Host-on-demand.

card_4

Biometrics

Biometric technologies provide an automated means of identifying or authenticating the identity of a living person based on unique physiological or behavioral characteristics.

Digitized representations of fingerprints, facial scans, hand geometry, as well as voice, iris or retina patterns can be captured via sensors, scanners, microphones or cameras.

The unique characteristics are then extracted from the biometric image and used to create the user’s biometric template, which is stored in a database or on a machine-readable ID card.

Alternatively, the complete biometric image can be stored, but — understandably — this option requires substantially more memory and also can present greater privacy issues than a system that stores only biometric templates.

card_3

Workflow

IBM’s Infoprint Workflow (IPW) product is a distributed client–server solution that can be used to automate the smart card print manufacturing process.

The highly customizable system is divided into two major components: the backend server, which implements the processes that make up a workflow, and the Windows-based GUI, which enables the client to configure and manage the workflow.

The IPW solution offers an array of security management options to ensure the integrity of the smart card production process, and provides tracking and reconciliation facilities throughout each process stage.

card_4

Smart chips

Chips such as those used in smart cards are capable of storing large amounts of biometric and other data and of interacting intelligently with external devices.

The use of chips makes these devices more fraud-resistant than relying on the conventional magnetic strip data storage system still used in many identification applications such as company badges or credit cards.

When employed as part of a secure ID solution, sensitive data is typically encrypted, both on the ID card and during communications with the reader system.

In some cases, digital signatures may be added to help ensure data integrity.