1 / 30

e-Passport -- Security & Privacy Issues

e-Passport -- Security & Privacy Issues. Achmad Rully arully@computer.org. Intro: Privacy Issue What is, What isn't Privacy Goal: Citizen VS Government. Intro: Privacy Issue What is, What isn't. Data. It ’ s all about data and its use Revocable (alterable) data

alder
Télécharger la présentation

e-Passport -- Security & Privacy Issues

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. e-Passport -- Security & Privacy Issues Achmad Rully arully@computer.org

  2. Intro: Privacy IssueWhat is, What isn't • Privacy Goal: Citizen VS Government BCS 2006

  3. Intro: Privacy IssueWhat is, What isn't

  4. Data • It’s all about data and its use • Revocable (alterable) data • Data which can be revoked or changed • Ex: handwriting, address, name, etc • Non-Revocable (permanent) data • Data which is an eternal feature of the object so that one cannot revoke or alter it, or it is proven highly impractical to do that • Ex: some biometric data (fingerprint, eye-retina, hand geometry (palm’s vena pattern), DNA, etc) BCS 2006

  5. Revocable Data • Susi, a woman, has lost her smart card ID: • Name • Photo • Address • Password • Badu, a stalker, use the data to stalk Susi • Solution: • Persecute the person • Change address BCS 2006

  6. Non-Revocable Data • Budi, a businessman, has lost her ID: • Name • Address • Fingerprint • Pak Ogah, a criminal hacker, use the data to access biometric protected resource in Budi’s office • Solution: • Persecute the person • You CAN NOT CHANGE YOUR FINGERPRINT BCS 2006

  7. Non-Revocable Data(authentication, other case) • Budi, a Mercedes new series motorist, was attacked by stolen car’s mafia • His finger was cut so the mafia can steal his Mercedes • Ethical question: Which one you value most: • Your finger • Mercedes BCS 2006

  8. Privacy Goal: Citizen VS Government

  9. Privacy Goal: Citizen VS Government (SP) • Government or Service Provider • Government or SP want to authenticate their citizen before using their services • Ex: authenticate user to get a mobile phone number • Corporation is included in this category • Citizen • Citizen want their data to be used in limited purpose. • Ex: to get a new mobile phone number BCS 2006

  10. Biometric in Privacy Issue (1) • Biometric data, has been very useful in authenticating an individual as a biometric data will closely relate with particular individual that own the data by using distinctive physical features. • Biometric data has been in used as an ID system in government and military facility, and now beginning to be expanded in mass use. • Convenient, accurate, and auditable. BCS 2006

  11. Biometric in Privacy Issue (2) • Some government already introduce ID system (National ID Card KTP in Indonesia, e-Passport, etc) base on biometric data, without any protection to the private data. • Yet even if they somehow provide protection, there weren’t any guarantee whether the system can not be reversed to retrieve the original data. • The possibility to recover protected data would render the system itself not useful. BCS 2006

  12. Biometric in Privacy Issue (3) • Government Regime can change (in Indonesia every 5 years).Private non-revocable data can't • Therefore, balancing between the need to authenticate trustfully, with the need to protect private data must be addressed. • (look at minority report film) BCS 2006

  13. Biometric in Privacy Issue (4) • Developed Country: Priority in convenience • Almost every one care about privacy • Developing Country: Priority in survival • No one care about privacy BCS 2006

  14. Privacy protection: Technology VS Law • Law: to protect human • Developed Country: US, Japan, Europe • Developing Country: Indonesia • Technology: to make life easier • Conventional: password, pass-phrase • Biometric ID: finger, iris, DNA • Mobile ID: RFID, touch card BCS 2006

  15. Comparing Country in Privacy Data Protection BCS 2006

  16. Privacy in Indonesia ? • Poor: • No privacy law • No political will to address privacy issue • Low Corporate awareness • Low Citizen awareness • Good: • Minimal biometric feature implemented in national ID card, Passport and almost other authentication more convenience (?) BCS 2006

  17. e-Passport

  18. e-Passport • Recommended (mandatory?) by ICAO • 2 side of argument: • Government:to make it easier & smoother for traveler • Citizen: proliferation of private non-revocable data • Protection: • Originality Protection: paper feature • Data Protection: biometric feature • Country: US, UK, Dutch, Malaysia, (and almost every country). BCS 2006

  19. United Kingdom’s e-Passport BCS 2006

  20. Japan’s e-Passport BCS 2006

  21. Japan’s e-Passport BCS 2006

  22. Japan’s e-Passport:Originality Protection Laminate & Holograms Watermark (Mt. Fuji) Micro Letters Laser-perforation Micro-lettering Lines BCS 2006

  23. Japan’s e-Passport:Data Protection BCS 2006

  24. Indonesia’s Passport BCS 2006

  25. e-Passport: revocability • Address: easy - medium • Signature: easy • Photo: hard • Fingerprint: irrevocable • Iris: irrevocable BCS 2006

  26. Case example: Indonesia e-Passport • 6 February 2006 • First phase, can be issued in 43 Immigration Office. Old passport still valid until expired date • Feature • Revocable private data:name, address, birthday • Non-revocable private data (biometric):fingerprint, facial feature • BUTIndonesia not yet provide e-Passport widelyPossibly, there is a dispute about procurement??? • e-Passport  machine readable passport BCS 2006

  27. Case example: Indonesia passport • Possible attacks • Tampering • Change passport data after visa approval • Not yet established security procedure • Originality protection: using freezing technique BCS 2006

  28. Question& Discussion

  29. Closing Remark • It is up to people to decide what is the boundary of their privacy • Including, enforcing their privacy protection • People should maintain their own irrevocable private data • Research in data privacy protection is not yet mature • Security is time dependent, so not disclosing your private data is better BCS 2006

  30. Thank You

More Related