[ieee 2013 international conference on collaboration technologies and systems (cts) - san diego, ca,...


Multi-service Card for Students using JavaCard Global Platform and IAS specifications

The access control use case

Marc Pasquet and Ndiaga Faye

GREYC Laboratory, UMR 6072, ENSICAEN - CNRS - Caen-Basse-Normandie University, 14032 Caen, France

marc.pasquet@ensicaen.fr, ndiaga.faye@ensicaen.fre

Sylvie Gerbaix

Montpellier Research Management, Montpellier University

macsy2@wanadoo.fr

Abstract— The Greyc Laboratory has designed an innovative, interoperable and evolutionary e-student smartcard environment fully compliant with the Java Card Global Platform and IAS/ECC (European Citizen Card) specification, including a smartcard management system, multiple application provider host, multiple acceptance devices and different form factor token. The IAS ECC standard allows interoperability of the e-services cards in Europe. We present in this paper the card, the IT infrastructure and the access control use case. A complete prototype has been developed and we are expecting a deployment in 2013.

Keywords- JavaCard, Global Platform, IAS / ECC, multi-service card, access control

I. INTRODUCTION

The main technical objectives of this project are to design an innovative, interoperable and up-gradable e-student smartcard environment fully compliant with the Java Card Global Platform specification including a smartcard management system, multiple application provider host, multiple acceptance devices and different form factor devices used as tokens. In this article we have selected two main questions that have arisen from this project: the crucial question of the integration of a standard (in this particular case, the IAS ECC standard) and the particularly accurate question of the access control use.

In 2009, 3 French universities (Caen, Rouen, Le Havre), 2 national graduate schools of engineering (Ensicaen, Insa Rouen), 2 student care organizations and 2 regional councils of Normandy (Upper and Lower Normandy) joined together to form « the RUNN » (Normand Numerical University Network) consortium. The consortium plans to offer, by September 2013, a multi-application card to each student of the RUNN (60 000 card holders).

A pilot test involving 1500 students from the Ensicaen and the University of Rouen took place from September 2011 to September 2012. Its purpose was to test the multi-application environment before the main deployment, expected by September 2013.

Ensicaen and the Greyc laboratory have been mandated by the RUNN to design, test and deploy this new e-student card and its related IT infrastructure. The project counts among its members industrial partners from the whole value chain (transport operators, banks and manufacturers), which helps this type of project progress.

The objective of this document is first to present a general overview of this project. Then we will describe the technical and organizational aspects of the IT infrastructure. In the third part we will describe the use of a new standard, IAS (Identification, Authentication and Signature), which allows us to manage the access control.

To conclude, we will present on the one hand the different perspectives for this concept of multiservice university card and on the other hand the future of the IAS specifications.

This contribution completes a previous paper, which presented the privacy and security aspects of this access control use case [1].

II. GENERAL OVERVIEW OF THE PROJECT

The concept of a multi-service card is reductive in many respects: first because it does not concern only the physical support strictly speaking, but refers to an information system of which the card is only a point of entry, and second because this support is not necessarily a card but may in the near future be a USB key, a mobile phone or an applet. It is however a widely used expression and we shall use it gladly in this document.

Contactless technology, formerly almost exclusively the privilege of the transport world, is invading the banking world, and numerous pilots tested throughout the world give evidence of this.

One of the consequences of this is the combination of the physical support and the means to operate electronic transactions on it. Consequently there appears to be a need for a common software platform that can work with this variety of supports (multi-application cards, NFC mobile phones). Presently, we contribute to the emergence of a technical platform, Java Card Global Platform, capable of guaranteeing the correct and secure execution of transactions, of assuring the routing, of allowing the recharging of rights, … while guaranteeing maximal interoperability with the terminals that communicate with the support.

978-1-4673-6404-1/13/$31.00 ©2013 IEEE

The multiservice university card, by using the Java Card technology, will have software very close to that of the other devices and will additionally serve as a basis onto which diverse applications will be grafted. These applications, presented in figure 1, are divided into three types:

Figure 1. the different services allowed by the student card

- University applications or common services (including students’ identity, access control…),

- University paying services (such as an application of payment for photocopies, university canteen…),

- City services (such as applications to use the public transportation, swimming pool or theater entries…)

The card replaces many previously used cards: the paper ID card, the canteen card, the payment card, the access control card, the library card, ... The card is for internal use (presence in examinations, votes, diverse controls) and external use (special price lists granted by bodies, cultural and sports establishments), where ID was previously used to benefit from these external services. The card identifies the borrower of an item in a documentation center or a university library. The card allows the holder to connect to Digital Working Spaces, to reach private data networks, and to launch working sessions on computer workstations.

The card allows access to parking lots, whose barriers are opened under the control of terminals. (The access control concerns the students as well as the teachers and the administrative staff.)

The technology used in the new projects is essentially contactless, in three main ways. Here we can use:

- Only the serial number of the card (a PUPI), which is read by the terminal and checked by a management system, as in the library access, for low-security usages.

- The Secure Element (SE) capabilities (Global Platform) to secure all the exchanges, as in the public transportation system with a Calypso applet and a Security Domain included in the SE.

- An IAS environment (library, calculation capability and security) in addition to the SE capabilities.

This multi-services IAS smart card is a Global Platform smart card solution for ID Card, Access Control Card, Driving License Card and Healthcare Card. It is a Public Key Java Card designed to meet the most advanced security requirements of long-term multi-application programs such as the ones launched by governments and health insurances.

The flexible and modular system enables modern smart card applications and implementations, such as “Identification, Authentication and Digital Signatures” and e-Passport functionality with biometric data, and can be enhanced by additional services, such as payment functions and driving license points counter. Multi-services IAS smart card can be tailored from country-specific one to European Citizen Card (ECC) standard compliant product. This IAS ECC standard [2] allows interoperability of the e-services cards in Europe.

Multi-services IAS smart card complies with the international standards: Java Card 2.2.1 [3], Global Platform 2.1.1. [4] [5] [6] and ISO 7816 parts 1, 2, 3, 4, 5, 6, 8 & 9, ISO14443 type-A and type B [7].

The use of IAS makes development easier: new applications can be added as applets to meet various needs (EMV, OTP, Match on Card, MPCOS, 3rd party applet), the card is available on all interfaces (contact, contactless, and dual) independently from the card body material, and a comprehensive range of tools and services is available (development kit, middleware...).

[Figure 1 diagram labels: Identification; Photocopy and printing; Library; Access control; For exams; Cafeteria self-service; Vending machine; Interactive totem; Theater and cultural place; Transportation companies; Sport; Swimming pool; Social student club]

The developer has access to a software library for:

- Identification

- Authentication to establish a secured connection with a server

- Qualified or non-qualified signature (according to the security policy) to confirm an operation

- Data storage

- Confidentiality/Integrity of communication

- Authentication for Web services

- Encrypted communication with a remote application

- PKI management

So a particular applet is easier to develop.

In this article we will describe only the contactless access control use case, based on the IAS capability of the card. There were two parts in our project:

- Development, on the card, of the “access control applet” and parameterization of the corresponding SD. Figure 2 presents the software mapping of our multi-services IAS smart card, where we can see that in the access control use case we have

- Connection to an existing control access architecture implemented by the Company “TIL Technologies”.

Figure 2. The card software mapping

For our implementation, IAS ECC cards were not yet available, so we used IAS Classic cards (the previous generation of card), but the principle and the sequence diagram are the same for IAS ECC and IAS Classic.

III. THE IT INFRASTRUCTURE

A. The general infrastructure

The RUNN project (Normand Numerical University Network) aims at providing students with a multi-services smart card allowing them to access various services. In terms of architecture, we can detail the 7 main blocks, as shown in figure 3:

1. The users or students are registered in the university LDAP server when they first arrive. In this directory, the users are associated with trainings and courses.

2. The LDAP sends information to the smart card management system (called Uni-Campus), where all the card applications (applets) are stored. For the access control, the particular application is called Micro-Sesame. All applications can be stored on the card at the initial phase of personalization or can be sent to the card via the Front End and the Totem in a post-personalization phase. So the University provides a few services at first and is able to provide new services for the students when these become available [8] [9].

Figure 3. The IT architecture

3. The card management system pilots the enrolment and personalization station where the card is initially issued and personalized. For access control using the IAS capability, the system has to select the ISD, follow the identification process, load and install the applet, enter the new key for the access control Security Domain, create a secure channel using mutual authentication to initialize the Personal Identification Number (PIN), then create the cardholder-specific files. The sequence diagram is presented in figure 4:

Figure 4. Sequence diagram of card personalization for initial issuance

4. Then the card is given to the student.

5. The student is allowed to go to specific totems to consult his rights. A totem also allows post-issuance of the card when the student asks to benefit from new services that are not yet implemented on his card, such as city transportation capability, access to the theater or swimming pool...

6. The Totems are directly managed by a Front End. The Front End is connected to the smart card management system.

7. The specific services are provided by different operators, which have their own Front End and IT architecture. The smart card management system, with the Micro-Sesame module, is connected to the different “Local Treatment Units” of the access control system.

IV. THE ACCESS CONTROL SYSTEM

A. The RUNN access control

The access control architecture is detailed in Fig. 5. The users or students are registered in the university LDAP server. In this directory, the users are associated with certain groups. The Micro-Sesame server is in charge of associating each group with a set of permissions regarding the physical access control. This Micro-Sesame server is connected to the Local Treatment Unit (LTU) through a TCP/IP link. The LTU decides whether it should open the door or not. In order to make this decision, the LTU receives the list of authorized users from the Micro-Sesame server daily. It is also connected through a serial link to card readers at the entrance of each classroom, which read student smartcards and provide the student ID to the LTU.

Figure 5. Project access control architecture

The sequence diagram presented in Fig. 6 focuses on the interactions between the Host (where the Micro-Sesame software is implemented) and the smart card (through the card reader and the LTU).

These interactions occur over a secure RFID link using symmetric key authentication. Each card reader is provided with a master key from which a symmetric key is derived. This key is stored on the smart card (in the access control security domain) and allows the authentication of the card.

In the process, the card reader's application first authenticates itself to the card by requesting a card challenge. The reader computes the cryptogram and MAC [10] associated with the challenge and sends them to the smart card, which verifies them.

After that, the card also authenticates itself with the card reader and the card reader requests the user ID. The card reader decrypts the ID and sends it to the LTU to make the decision.
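The exchange described above, simulated end to end as an added example (it is not code from the paper or from the RUNN project). HMAC-SHA-256 from the Python standard library stands in for the card's actual cryptogram, MAC and encryption primitives, which the paper does not detail; deriving the card key from the card serial number, all class and function names, and the sample values are assumptions.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA-256 stands in for the card's real cryptogram/MAC primitive (assumption).
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

def diversify(master_key: bytes, serial: bytes) -> bytes:
    return prf(master_key, b"card-key", serial)  # assumed input: the card serial

def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))

class Card:
    def __init__(self, serial: bytes, card_key: bytes, student_id: str):
        self.serial, self._key, self._id = serial, card_key, student_id.encode()
        self._challenge = self._session = None

    def get_challenge(self) -> bytes:
        self._session = None                      # a new challenge ends any old session
        self._challenge = secrets.token_bytes(8)
        return self._challenge

    def mutual_authenticate(self, reader_nonce: bytes, cryptogram: bytes) -> bytes:
        challenge, self._challenge = self._challenge, None  # each challenge is single-use
        if challenge is None:
            raise PermissionError("no outstanding challenge")
        expected = prf(self._key, b"reader-auth", challenge, reader_nonce)
        if not hmac.compare_digest(expected, cryptogram):
            raise PermissionError("reader not authenticated")
        self._session = prf(self._key, b"session", challenge, reader_nonce)
        return prf(self._key, b"card-auth", reader_nonce, challenge)

    def get_data(self) -> bytes:
        if self._session is None:
            raise PermissionError("secure session required")
        ct = xor(self._id, prf(self._session, b"enc"))   # ID encrypted under session key
        return ct + prf(self._session, b"mac", ct)[:8]

class Reader:
    def __init__(self, master_key: bytes):
        self._master = master_key

    def read_student_id(self, card: Card) -> str:
        key = diversify(self._master, card.serial)
        challenge, nonce = card.get_challenge(), secrets.token_bytes(8)
        answer = card.mutual_authenticate(nonce, prf(key, b"reader-auth", challenge, nonce))
        if not hmac.compare_digest(answer, prf(key, b"card-auth", nonce, challenge)):
            raise PermissionError("card not authenticated")
        session = prf(key, b"session", challenge, nonce)
        blob = card.get_data()
        ct, mac = blob[:-8], blob[-8:]
        if not hmac.compare_digest(mac, prf(session, b"mac", ct)[:8]):
            raise PermissionError("ID integrity check failed")
        return xor(ct, prf(session, b"enc")).decode()

def ltu_decide(student_id: str, authorized_today: set) -> bool:
    # The LTU only compares the ID with the list pushed daily by the Micro-Sesame server.
    return student_id in authorized_today

# Constructed sample values, not taken from the RUNN deployment.
MASTER = bytes(range(16))
CARD = Card(b"\x04\xa1\xb2\xc3", diversify(MASTER, b"\x04\xa1\xb2\xc3"), "S2013-0042")
```

Because both cryptograms and the session key depend on a fresh card challenge and a fresh reader nonce, a cryptogram recorded in one session is rejected in the next, and the encrypted ID differs on every read.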

Figure 6. Access control sequence diagram

[Figure 4 diagram labels, between Host (Unicampus) and RUNN Student Card: SELECT ISD (SELECT); AUTHENTICATION PROCESS (INITIALIZE UPDATE, EXTERNAL AUTHENTICATE); LOAD, INSTALL, MAKE SELECTABLE & PERSONALIZATION (Test student applet) (INSTALL [for load], LOAD, LOAD final, INSTALL [for install (and make selectable)], INSTALL [for personalization], STORE DATA, STORE DATA final); CHANGE ISD KEYSET VALUE (PUT KEY); SELECT IAS AID; SYMMETRIC MUTUAL AUTHENTICATION (IAS) (GET DATA, MSE Set, GET CHALLENGE, MUTUAL AUTHENTICATE); INITIALIZE PIN (IAS) (CHANGE REFERENCE DATA); CARDHOLDER SPECIFIC FILES CREATION (IAS) (CREATE FILE, CREATE FILE final); CARDHOLDER SPECIFIC FILES PERSONALIZATION (IAS) (UPDATE BINARY, UPDATE BINARY final)]

[Figure 5 diagram labels: LDAP; Hardware + Software (LDAP data, access right management); TCP/IP; LTU (Local Treatment Unit); Until 16 readers for 1 LTU; RS485 secure link]

[Figure 6 diagram labels, between Host (Unicampus) and RUNN Student Card: SELECT IAS Classic AID; SYMMETRIC MUTUAL AUTHENTICATION (IAS) (GET DATA, MSE Set, GET CHALLENGE, MUTUAL AUTHENTICATE); CARD DATA (GET DATA); PUT DATA]

B. The prototype

We have developed a prototype, shown in figure 7, with the company “TIL Technologies”. This “smart suitcase” is composed of one LTU and two readers to simulate the building described in figure 8.

Figure 7. Prototype of the access control system

A Personal Computer is connected to the prototype and shows in real time the users location (inside or outside).

Figure 8. Building access control

The door in the middle of the building is the entrance and the door on the right is for exit. The system keeps track of the number of people still in the building.

Today the tests are OK and the cards are well recognized. The security of the system is high because of the mutual authentication between the card and the reader and the use of a session key that is different each time. A man-in-the-middle attack looks very difficult but not impossible, and there remain risks linked to the complexity of the chain [11].

V. CONCLUSION

It is very instructive for our laboratory to work on the IAS Standard.

As our multi-application smart card contains two profiles, Generic and protected IAS ECC, we were able to develop two applets in parallel: one in Java Card Global Platform and one using the IAS library. If we compare the time for the two developments, we can consider that the development time of the IAS applet is half that of the other.

These possibilities given by the multi-services IAS smart cards are very innovative. The IAS standard aims to implement Europe-wide mechanisms, as defined in the European Citizen Card specification. In the future it will be very important for students to be able to go everywhere in Europe with the same student card, which can work on all European campuses.

The current limit is the price of the card. For small quantities, about 100, the price is about 18€ per card, and for the biggest orders, about 80.000 cards, it will cost 12€. It is expensive for universities, which are not very rich, but when this type of card is more and more widely used the wafers will have their development cost covered and the price would be about 8€ in the near future. Moreover, this multi-services IAS smart card takes the place of 5 or 6 old cards, all issued by different companies or organizations. Each of these old cards cost about 2€, which is not so different.

Even if the technical problems have been overcome, all these technical innovations have a cost and there still remain questions about the technical and economic model. First of all, which costs have to be attributed to these technical improvements? Then, by whom must these costs be paid? How can the costs be distributed between the different stakeholders of the value chain [12] [13]: universities but also banks, industrial partners, transport operators, and so on? These links between the technical chain and the organisational and economic value chain will be studied in another article.

Our objectives are now to:

- Design a new type of e-student card environment fully interoperable and standard based.

- Design and test different devices for e-student card (NFC Phone, USB, dongle...) using the same Applet on different environment.

- Develop other new innovative services for e-student and multi-application cards (citizen card, children card...).

- Promote the new e-student smart card architecture to other academics.

- Contribute to the definition of a new pan-European e-student card by contributing to European project.

ACKNOWLEDGMENT

Thanks a lot to the company “TIL Technologies”, which has allowed the prototype.

REFERENCES

[1] J. Vincent, M. Pasquet, W. Chaisantikulwat, Security and privacy analysis of a physical access control solution, ICITIS 2011, 8 p, 2011

[2] Gixel, Carte Europeenne pour les applications (IAS ECC) de services electroniques (e-services) et d’identité electronique (e-ID), 2008

[3] “Java card platform specification 2.2.1,” Sun Microsystems, Inc, 4150 Network Circle Santa Clara, CA 95054, Tech. Rep., Oct 2003

[4] GlobalPlatform Card Specification Version 2.1, Global Platform, Inc,1515 Cordilleras Road, Redwood City, CA 94062, USA, March 2003. [Online Available]: http://www.globalplatform.org

[5] GlobalPlatform Card Specification Version 2.2, Global Platform, Inc,1515 Cordilleras Road, Redwood City, CA 94062, USA, 2006. [Online Available]: http://www.globalplatform.org/

[6] GlobalPlatform Card v2.2 Amendment A - Confidential Card Content Management, Global Platform, Inc, 1515 Cordilleras Road, Redwood City, CA 94062, USA, 2007. [Online Available]: http://www.globalplatform.org/

[7] ISO/IEC 14443: Identification cards – Contactless integrated circuit(s)cards – Proximity cards, ISO/IEC Std., 1999.

[8] M. Pasquet, M. Reveilhac, "Vers une nouvelle approche de la personnalisation des cartes étudiantes multiservices". Assises des Transactions Electroniques dans les Collectivités Territoriales (TECT), 2009.

[9] V. Alimi and M. Pasquet, “Post-distribution provisioning and personalization of a payment application on a uicc secure element,” In 1st International Workshop on Sensor Security, 2009.

[10] ISO/CEI 9797, Message Authentication Code (MAC) and Block Ciphering, 1999

[11] M. Pasquet, S. Gerbaix, "The Complexity of Security Studies in the Near Field Communication (NFC) payment System", 8th Australian Information Security Management Conference, Perth, November 2010

[12] Porter, M. E. (1985). Competitive Advantage: Creating and Sustaining Superior Performance, New York, The Free Press

[13] Porter, M. E. (1996). What is strategy? Harvard Business Review, November–December, 61-78.The value chain
