Identity – Page 3

Comments on the Recommended Use of Biometrics in the New Digital Identity Guidelines, NIST SP 800-63-3

NIST is working on the third revision of SP 800-63, which used to be called the Electronic Authentication Guideline and has now been renamed the Digital Identity Guidelines. An important change in the current draft of the third revision is a much expanded scope for biometrics. The following are comments by Pomcor on that aspect of the new guidelines, and more specifically on Section 5.2.3 of Part B, which we have sent to NIST in response to a call for public comments.

The draft is right in recommending the use of presentation attack detection (PAD). We think it should go farther and make PAD a mandatory requirement right away, without waiting for a future edition as stated in a note.

But the draft only considers PAD performed at the sensor. Continue reading “Comments on the Recommended Use of Biometrics in the New Digital Identity Guidelines, NIST SP 800-63-3”

Using Near-Field Communication for Remote Identity Proofing

This is the last of a four-part series of posts presenting results of a project sponsored by an SBIR Phase I grant from the US Department of Homeland Security. These posts do not necessarily reflect the position or the policy of the US Government.

We have just published a paper presenting the last three of the five solutions that we have identified in the research project on remote identity proofing that we are now finalizing. Solutions 3–5 use Near-Field Communication (NFC) technology for remote identity proofing. Each of the solutions uses a preexisting NFC-enabled hardware token designed for some other purpose as a credential in remote identity proofing. A native app running on an NFC-enabled mobile device serves as a relay between the NFC token and the remote verifier.

In Solution 3 the token is a contactless EMV payment card. In Solution 4, the token is a medical identification smart card containing a private key and a certificate that binds the associated public key to attributes and a facial image. In Solution 5, the token is an e-Passport with an embedded RFID chip that contains signed data comprising biographic data and a facial image.

In solutions 4 and 5 a native app submits to the verifier an audio-visual stream of the subject reading prompted text. The verifier matches the face in the video to the facial image in the NFC token, uses speech recognition technology to verify that the subject is reading the text that was prompted, and verifies that the audio and video channels of the stream are in synchrony by matching distinguishable visemes in the video channel to phonemes in the audio channel.

See also:

The Remote Identity Proofing page, with links to other materials related to the project.

Remote Identity Proofing Discussed at the Internet Identity Workshop

This is Part 3 of a series of posts presenting results of a project sponsored by an SBIR Phase I grant from the US Department of Homeland Security. These posts do not necessarily reflect the position or the policy of the US Government.

To get community feedback on our remote identity proofing project we made a presentation two days ago at the 23rd Internet Identity Workshop in Mountain View. The slides can be found here. We were gratified that the feedback was positive and there were in-depth discussions with identity experts both during and after the presentation.

We started by explaining the goal of the project. Remote identity proofing has often relied on asking the subject multiple-choice “knowledge questions” (e.g. which of the following zip codes did you live in five years ago?). This method is terrible for privacy, since it relies on the identity proofing service gathering and using troves of personal information about people. Furthermore, due to the proliferation of personal data available online, it has now become ineffective. Continue reading “Remote Identity Proofing Discussed at the Internet Identity Workshop”

Implementing a PKI on a Blockchain

This is Part 2 of a series of posts presenting results of a project sponsored by an SBIR Phase I grant from the US Department of Homeland Security. These posts do not necessarily reflect the position or the policy of the US Government.

In the previous post I described the concept of a rich credential, and how a rich credential issued by an identity source can allow a subject to identify him/herself remotely to a verifier with a key pair, a password, and one or more biometric samples such as facial image, even if there is no prior relationship between the subject and the verifier. That was Solution 1, the first of five solutions that we have identified as possible alternatives to knowledge-based verification in the course of our research project on remote identity proofing.

We have now published a paper on Solution 2. In Solution 1 the identity source was a DMV. In Solution 2 the identity source is a bank.

Rich Credentials for Three-Factor Identity Verification without Prior Relationship

This is Part 1 of a series of posts presenting results of a project sponsored by an SBIR Phase I grant from the US Department of Homeland Security. These posts do not necessarily reflect the position or the policy of the US Government.

We have just published a paper on the first of five remote identity proofing solutions, which we have identified as possible alternatives to knowledge-based verification in the course of the research project mentioned in the previous post. The paper describes in detail a new type of credential, which we call a rich credential, that could be issued by an identity source such as a DMV and would enable multifactor identity verification by a remote verifier. In this post I will try to explain the motivations that led us to come up with the concept of a rich credential as the basis of Solution 1.

In-person identity proofing typically relies on the presentation of a picture ID, such as a driver’s license or a passport, as the primary evidence of identity, supplemented by secondary evidence from different identity sources, such as proof of ownership of utility, financial or mobile accounts and address verification. Remote presentation of the secondary evidence is not much of a problem, so in the project we have focused on replacing the picture ID with other kinds of primary evidence that can be presented remotely.

Pomcor Receives DHS Grant to Look for Alternatives to Knowledge-Based Verification for Remote Identity Proofing

Last December we saw a Small Business Innovation Research (SBIR) Solicitation from the Department of Homeland Security (DHS) where topic H-SB016.1-010 called for identifying five or more alternatives to knowledge-based verification (KBV) for remote identity proofing. The topic was motivated by multiple data breaches, which, as stated in the Solicitation, showed that “KBV is broken and rapidly becoming less effective as a verification tool as a by-product of the availability of personal information on social media as well as the variety of data breaches of credit bureaus and data brokers”.

We found the topic very interesting for several reasons:

In countries like the United States where residents do not have a national identity card, secure identity proofing is difficult but essential for cybersecurity.
Effective methods of remote identity proofing would not only make it easier for residents to seek government services, but would also enable new ways of doing business, such as remotely opening a bank account or applying for a mortgage.
Reducing the reliance on knowledge-based verification would reduce identity theft, mitigate its damage, and increase privacy by shrinking the market for personally identifiable information (PII). And,
Remote identity proofing has been neglected as a research topic.

Revocable Biometrics Discussion at the Internet Identity Workshop

One thing I like about the Internet Identity Workshop (IIW) is its unconference format, which allows for impromptu sessions. A discussion during one session can raise an issue that deserves its own session, and an impromptu session can be called the same day or the following day to discuss it. A good example of this happened at the last IIW (IIW XXII), which was held on April 26-28, 2016 at the Computer History Museum in Mountain View, California.

During the second day of the workshop, a participant in a session drew attention to one of the dangers of using biometrics for authentication, viz. the fact that biometrics are not revocable. This is true in the sense that you cannot change at will the biometric features of the human body, and it is a strong reason for using biometrics sparingly; but I pointed out that there is something called “revocable biometrics”. Continue reading “Revocable Biometrics Discussion at the Internet Identity Workshop”

Faster Modular Exponentiation in JavaScript

Modular exponentiation is the algorithm whose performance determines the performance and practicality of many public key cryptosystems, including RSA, DH and DSA. We have recently achieved a manyfold improvement in the performance of modular exponentiation in JavaScript over the implementation of modular exponentiation in the Stanford JavaScript Crypto Library (SJCL). JavaScript was originally intended for performing simple tasks in web pages, but it has grown into a sophisticated general purpose programming language used for both client and server computing, which is arguably the most important programming language today. Good performance of public key cryptography is difficult to achieve in JavaScript, because JavaScript is an interpreted language inherently slower than a compiled language such as C, and provides floating point arithmetic but no integer arithmetic. But fast JavaScript public key cryptography is worth the effort, because it may radically change the way cryptography is used in web applications. Continue reading “Faster Modular Exponentiation in JavaScript”

Has Bluetooth Become Secure?

Bluetooth has a bad reputation when it comes to security. Many vulnerabilities have been found over the years in the technology, and many successful attacks have been demonstrated against it. But the Bluetooth specification has also changed much over the years, and each revision of the specification has made substantial changes to the Bluetooth security protocols. Whether the latest protocols are secure is a question open to debate. This question is especially important when Bluetooth is used in emerging medical and Internet-of-Things applications where security flaws have safety implications. But it has also come up recently in the context of the Derived Credentials being standardized by NIST for authentication of Federal employees who use mobile devices.

(This is a continuation of the last two posts, which reported on the recent NIST Workshop on PIV-Related Special Publications. It is also the last of a seven-part series of posts discussing the public comments on Draft SP 800-157: Guidelines for Derived Personal Identity Verification (PIV) Credentials, and the final version of the publication. Links to all the posts in the series can be found here.)

Before tackling the question of whether Bluetooth is secure today, Continue reading “Has Bluetooth Become Secure?”

NIST Looks at EMV to Speed up Physical Access with PIV Contactless Cards

It takes US Federal employees four seconds to get a green light to enter a building after presenting a contactless PIV card to a reader, when using asymmetric cryptography for authentication. NIST is trying to speed this up, and is looking at EMV contactless payment cards for inspiration.

(This is a continuation of the previous post, where I reported on the recent NIST Workshop on PIV-Related Special Publications, and Part 6 of the ongoing series discussing the public comments on Draft NIST SP 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials and the final version of the publication. Links to all the posts in the series can be found here.)

Federal employees have been using PIV cards to enter buildings for many years, and it has not been taking them four seconds to get the green light. But agencies are now transitioning from using a symmetric Card Authentication Key (CAK) to using an asymmetric CAK with an associated public key certificate, the asymmetric CAK being the private key component of an RSA or ECDSA key pair. Inclusion of the asymmetric CAK and associated certificate in PIV cards became mandatory in August 2013 with the publication of version 2 of the FIPS 201 standard (FIPS 201-2).

The motivation from transitioning from a symmetric to an asymmetric CAK is not to use fancier cryptography or to improve security, but rather Continue reading “NIST Looks at EMV to Speed up Physical Access with PIV Contactless Cards”