Track 1: The Biometric Experience, from niche market to global impact (2 days)
Module designed and coordinated by Max Snijder, President,
Biometric Expertise Group
Biometrics: from niche market to global impact
If you don't come to biometrics, biometrics
will certainly come to you. So be prepared and
learn what you can expect from biometrics
entering your daily life. Learn what you need
to know, from local applications to public
deployments, from algorithms to worldwide systems.
General Perspective
Due to a strong pull by policy makers, biometrics
will evolve from the pilot stage towards general acceptance
within a relatively short period of time. After
the events of 9/11, the political pressure to create
more reliable identification and authentication
procedures has increased significantly. This has
resulted in the programming of large-scale biometric
deployments like the US Visit program, the biometric
passports and many national e-ID programs. Pushed
by the ICAO guidelines, there is a strong need
for expertise on the deployment of biometrics.
The Biometric Module of the Smart University gives
insight into the technical aspects of biometrics,
as well as deployment scenarios and financial
impact.

Program
1) How to get biometrics working, and why
the choice for mainstream technologies fingerprint,
face, and iris
This first session will teach you the basics
of biometrics: what exactly is being compared?
What are the basic differences between several
biometric methodologies and what is the impact
of those differences? Being aware of these principles
is important when designing biometric applications.
The inherent characteristics of the different methodologies
determine how they should be deployed and
how they shouldn't. The three mainstream
technologies are discussed: the ICAO preference
for face, finger and iris. This session takes a
technical approach, with a view to the impact
on the applicability of each technology.
Topics:
- Introduction: basic biometric processes (enrolment,
verification, identification)
- Image capturing, feature extraction, template
building, matching (1:1 & 1:n)
- main methodologies/vendors and their characteristics
- FAR and FRR: factors and impact
- The ICAO choice: face, finger, iris
Lecturers:
Max Snijder, BEG (general introduction on biometrics)
Asker Bazen, University of Twente, BEG (face,
finger, basic processes)
Sijbrand Spannenburg, Joh. Enschedé (iris)
2) New frontiers in application domains, Biometrics
in everyday life
From the technology we move to the pragmatic
world: the everyday use of biometrics. How do
we imagine the daily use of biometrics? Do biometrics
protect our privacy or are they a threat? Why do
we consider biometrics and what exactly do we
expect from them?
A business approach is needed to reach well-founded
decisions on biometric investments. But it is not
easy to create a cost/benefit analysis when there
is little or no experience
with biometric deployments. How can we learn from
our pilots and studies? How can we get to the
right requirements and what is the underlying
business model?
A study on the use of biometrics in the home environment
makes us think of the convenience side of biometrics,
leaving aside the security discussion in which biometrics
are too often positioned. Will convenience create
the final breakthrough of biometrics in our daily
life?
Topics:
- the impact of biometrics on processes and organisations
- cost/benefit: the biometric business case
- the three biometric business drivers: security,
convenience, efficiency
- applications: examples of the present and the
future
- public acceptance
- biometrics in the home environment
- legal aspects: privacy vs security
Lecturers:
Michiel Kraak, BEG (business cases, drivers, decision
frameworks, impact, application examples)
Raymond Veldhuis, University of Twente (home biometrics,
transparent biometrics)
Dr. Ronald Leenes, Tilburg University
Marek Rejman Greene, BT (public acceptance)
3) How policy makers direct the world towards
biometrics standards, guidelines and directives
This third part of the Biometrics Module will
inform you about how several political and governmental
bodies are involved in the creation of high level
policy towards the use of biometrics. On the highest
level there are the ICAO guidelines on the use
of biometrics in the new generation of passports.
This has resulted in standardization activities
on all continents, leaving the big challenge of
creating commonly accepted certification/testing
models.
Topics:
- ICAO guidelines on passports: content and impact
- EU Council Regulation COM(2004)-116 on standards
for security features and biometrics in EU citizens'
passports: content and impact
- ISO SC37:
  - general activities: content and current status
  - scope and technical aspects (fingerprint, face, iris, CBEFF, X9.84)
  - liaisons with NIST and other standardisation bodies
- Standards testing and certification
Speakers:
Björn Brecht, Bundesdruckerei
Christopher Bush, Fraunhofer Institut (SC37 in
general, testing, certification)
Track 2: DRM and Content Protection (2 days)
Module designed and coordinated by Professor Antonio
Maña, University of Malaga
The term Digital Rights Management (DRM) refers to a
complex problem involving different aspects, stakeholders
and requirements. On the technical side it involves different
technologies to support the management of intellectual
property for digital resources, such as expression of
rights and obligations, description, identification, trading,
protection, monitoring and tracking of digital content.
In particular, some of the most arduous problems in DRM
have been proven impossible to solve with software-based
solutions. For these problems, a trusted element must
be introduced in the system in order to achieve a secure
solution.
The goal of this module is to present a complete view
of the different aspects and technologies related to DRM
with a special emphasis on the role that secure hardware
elements such as smart cards can play in this field. The
module aims at providing its attendees with a deep knowledge
of the state of the art and the different problems and
opportunities related to DRM. The module is designed to
provide a complete view of the DRM concept including different
aspects and technologies and focusing on a wide model
of DRM, not only as a technology for digital content commerce,
but as a general tool to protect rights such as privacy
or owner-retained control.
- What is DRM? The big picture
Antonio Maña, University of Malaga
- State of the art in DRM
Habtamu Abie, Norsk Regnesentral
- DRM Cryptography and Content Protection
Sigi Gürgens, Fraunhofer SIT
- Mobile DRM
Nicolas Bacca, Simulity
- Access Control, Authentication, Authorization and
Privacy
Mariemma Yagüe, University of Malaga
- DRM Challenges and Roadmap
Round table
Track 3: New Emerging Standards (2 days)
Module designed and coordinated by Richard
Bricaire, Editorial Consultant, Stratégies
Télécoms & Multimédia
In the changing universe of IT, standardisation
appears more and more as the inescapable relay
between the permanent process of technological
innovation and its dissemination at both vertical
and geographic levels (globalisation, as it is
called today). This is even more true when the
technologies involved are quite recent, as is
the case for Smart Card and electronic ID (because
of the force of the globalisation process, the
aim of interoperability on a truly global scale,
and the fragility of the existing standards).
Discovering, learning and mastering these standards
therefore becomes the preliminary condition for
their implementation through new applications
and new products.
The Smart University "emerging standards"
module will cover 8 important emerging standards
in 2005, in both the e-ID and the Smart Card
domains. Most of them will be presented by those
who are directly leading or participating in their
design, elaboration and progress.
This module is aimed at all engineers and developers
who will have to deal with these issues in the
near future.
3.1 - CWA eAuthentication n° 15264 (workshop)
part 1-3:
Part 1: Marc Lange, Build in Europe
Part 2: Henry Ryan, Lios Geal Consultants
In relation to Part 3: General Presentation on
End-user Requirements with Regard to eID (speaker
to be confirmed)
3.2 - European Citizen Card (CEN 224 WG 15)
Part 1: Physical and electrotechnical aspects:
Lorenzo Gaston (Axalto)
Part 2: Logical data and security issues: Gisela
Meister, Giesecke & Devrient
3.3 - Application Interfaces for Generic Card
Services
(SC 17 WG 4 TG 9 leading to ISO/IEC 24727)
This three-part standard deals with global interoperability
of general functions including electronic ID.
The workshop will go into technical details and
will offer discussions on its content.
Presentation by Mike Neumann, ISO/IEC 24727 Part
3 Project Editor, Axalto
3.4 - The New US PIV Standard (on the basis
of HSPD 12) FIPS 201
SP 800-73 contains the interface specifications;
Special Publication 800-76 will specify the biometric
elements - fingerprints - for the card.
Presentation by Mike Neumann, Axalto
3.5 - The Narita Airport Passport Interoperability
Test (and other Japanese ID specifications)
Presentation by NMDA speaker (to be confirmed)
3.6 - The Trusted Platform Module Specifications
Presentation by Patrick Georges, The Trusted Computing
Group
3.7 - The Near Field Communication Standards
Presentation by Dominique Paret (Philips)
Track 4: Smart Card Standards: GlobalPlatform Education Workshop (1 day)
Module delivered by the GlobalPlatform Committee
Chairs
As the global leader in smart card infrastructure
development, GlobalPlatform has created an educational
module that will provide those operating in the
smart card market with an understanding of why
GlobalPlatform technology is the solution to the
business problems associated with the lack of
a standardized smart card infrastructure.
What you will learn:
By addressing the value of each component within
the smart card infrastructure - card, device
and system - a technical understanding of each
of the GlobalPlatform specifications will be
provided. From a business learning perspective,
the curriculum highlights why standardization
within the industry is important and the role
that each of the Specifications plays in the
smart card environment.
Courses will be delivered by:
- The Value of Standardization, Overview
of Cards, Device, Systems
Kevin Gillick, GlobalPlatform Marketing
Center Chair/ Head of Corporate Marketing Datacard
- Card Specifications
Klaus Gungl, GlobalPlatform Card Committee
Chair/ Senior Smart Card Systems Architecture
IBM
- Device Specifications
Jean-Paul Billion, GlobalPlatform Device
Committee Chair/ Smart Card Architecture Axalto
and Alan Lucas GlobalPlatform Member/ Carlton
Hill
- System Specifications
Gil Bernabeu, GlobalPlatform Systems Committee
Chair/ R&D Senior Manager Gemplus
Track 5: ID Management Issues and Prospects (1 day)
Module designed and coordinated by Dr Sabine Delaitre,
Institute for Prospective Technological Studies
of Seville - European Commission
Identity is a key concept in each individual's life; indeed,
identity allows each citizen to perform different roles
(e.g. employee, voter, customer) in society. The flow
of identity information proliferates through many different
systems; the increasing digitisation of authentication
/identification processes in our private and professional
spheres (access to PCs, on-line banking, e-administration
services, and so on) creates new vulnerabilities.
Identity Management Systems (IMS) are considered to be
the citizen's gateway to the Information Society. Because
of the large number of services, IMS could even be presented
as a critical tool for the citizen. Its utility as an
almost unique access tool to many enhanced facilities
of the Information Society will make it the "electronic"
witness of a great part of the citizen's online life.
However, the acceptance of such systems will be based
not only on their usability or ease of use but also on
their effectiveness in respecting and preserving the privacy
of their users.
Identity protection is an important concern. The disclosure,
misuse or abuse of identity may cause considerable inconvenience
such as financial loss, damage to reputation, etc. and
is often committed to facilitate other crimes (e.g., identification
fraud, credit card fraud, computer fraud, mail theft,
mail fraud, financial fraud and immigration document fraud).
Identity theft is becoming a very serious problem which
compromises the safety of people and the integrity of
the identity of each individual.
The track will deal with the following topics: Identity
Management Systems, e-Identity, identity theft and solutions
that help deter this crime.
- Identity Management Systems
Martin Meints, ICPP
- Authentication solution in the digital world
Lorenz Mueller, Axsionics
- eIDentification
Paul Smith, Hyperion (UK)
- Overview on e-Identity through TFI approach
Andrew Wallwork, London School of Economics
- Innovative Research Aspects of Guide project
Speaker to be confirmed
Track 6: Advanced Java Technologies (2 days)
Module designed and coordinated by Professor Pierre
Paradinas, CNAM
This module provides information from
industry and academia on the technology
involved in the creation of the Java Card platform.
The lessons will cover different aspects of Java
Card technologies; formal methods will be presented
and complemented by a presentation on the evaluation
of cards. The evolution of Java Card technology will
also be taken into account, with a Java Card Forum
update and a presentation of emerging new protocols
and services.
This module is designed to help young engineers
and R&D managers acquire an overview of the different
aspects of Java Card technology applicable to
design and implementation. It also provides a
very deep and up-to-date lesson on the theoretical
techniques required for Java Card implementation
and opens perspectives on the new potential offered
by new protocols.
These lessons will be given by highly technical
actors and practitioners from industry and
academia.
- Common Criteria, Protection Profile, Platforms
Evaluation
Eric Vétillard, Trusted Labs (France)
This session tackles the issue of security evaluation
from a practical point of view, attempting to
answer basic questions: Why do I need to certify
my cards? What is the process? How secure should
the card be?
Can standards help me? The objective is to prepare
the participants for a possible forthcoming certification.
- Formal Methods and Java Card Modelisation
Thomas Jensen, IRISA/CNRS (Rennes, France)
and Erik Poll, University of Nijmegen (The
Netherlands)
This session gives an overview of the ways in
which formal models, and associated tools and
techniques, can be used to improve our trust in
the correctness and security of Java Card smartcard
applications.
Here we will consider the Java Card platform itself,
associated components such as the bytecode and
Java Card applets executing on the platform.
- New Protocols, New Applications Protocols
and Webservices
Mike Montgomery and Ksheerabdhi Krishna (Axalto,
USA)
The next era of smart cards will be cards that
are full network citizens. This requires cards
which adhere to mainstream communication standards,
application standards, and services standards.
The purpose of this talk from industry leaders
is to give an overview of the evolution needed in
different standards organizations (ISO, ETSI,...)
to bring about this goal, the issues of implementing
these standards within smart card resource constraints,
and the huge application potential of smart cards
that are full network citizens.
- Status of Java 3.0
Christian Goire, President, Java Card Forum
The JCF is working on the evolution
of Java Card technologies. In September an official
status provided by the JCF will be presented by
the JCF President.
- Java Card Benchmark
Pierre Paradinas, CNAM-CEDRIC
There are no tools for evaluating
card performance in terms of execution time and
memory consumption. We introduce SCCB, which is
a benchmark for Java Card technology with an
open approach.
The Java Card specification defines an API for
smart cards; card manufacturers develop and test
cards with the specification, reference implementation
and test suite provided by Sun Microsystems.
There are no tools for evaluating
card performance in terms of execution time and
memory consumption. Our project intends to provide
these tools.
Several pieces of software will be introduced during the talk:
(1) In-card tools, which include a large number of applets;
each applet will invoke and activate a specific
function of the card API,
(2) Off-card tools, which include software developed in
the C language that measures the execution
time of each applet, the memory resources used by the
applet,...
(3) Software that compiles the set of applet
results and provides a "number" that
represents the "performance of a card"
compared to the set of cards used as reference...
A demo of the tools will also be given.
Track 7: SC and e-ID Security (2 days)
Module designed and coordinated by Professor Jean-Jacques
Quisquater, UCL, University of Louvain
The field of smart card security is evolving
very fast. This module will cover
the main points of the state of the art in
security: new results in cryptography and
their impact on the field, the software side (Java
Card), the hardware evolution and the new attacks
and countermeasures, and the contactless specifics.
A fresh view of a fast-evolving domain.
Cryptography... last year news... and what
it means for cryptographic protocols and functions
The last years were very important for the security
of the smart card:
- new algorithms: AES, ...
- new cryptographic attacks: against the hash functions
(SHA), ...
- new physical attacks,
- new countermeasures.
The talk will give a complete view of the news
in cryptography and its consequences for
the field of the smart card.
Jean-Jacques Quisquater, UCL, University of
Louvain
- Smart card security software (software inside
the card) Risks, threats and countermeasures for
smart card OS and applications
Java Card Platform Risks, threats and countermeasures
Gemplus, speaker to be confirmed
- Smart card security hardware: State of the
art of hardware attacks (SPA, SPA, SEMA,...) and countermeasures
François-Xavier Standaert, MIT, UCL/University
of Louvain
- Contactless specifics in terms of security
and RFID security
Gildas Avoine (EPFL, Lausanne)