![22 e-ID and Smartcards - Current Status, Hopeful Developments and Best Practices
adequately protect the privacy of their constituents. The inability to satisfactorily address pri-
vacy issues resulted in the initiative being shelved after a sunk cost of $12M.
Privacy considerations include:
• what cardholder information can be collected and retained?
• how will cardholder information be kept secure?
• how will cardholder information be kept current?
• how will a cardholder be able to verify their information?
Card scheme operators fail to address these issues at their peril. Operators must be honest in
their dealing with the public and ensure their processes are transparent.
Fortunately the technology is quite able to acconmiodate multiple levels of access to card in-
formation. Most multi-application cards adopt access controls as defined under the Global
Platform program.
A subset is as follows:
Table 1: Authentication Classes
[Access control rule
1 Always
External authenticate
PIN protected
External authenticate or PIN
Update once
Secure channel (ISO)
Description |
The corresponding service can be provided without restrictions. |
The corresponding service can be provided only after a "get chal-
lenge" and subsequent "extemal authenticate APDUs." |
The corresponding service is provided if and only if the verifica-
tion code of the PIN associated with the service has been provided
in the current card session. |
Either one of the two controls gives access to the service. This al-
lows for a cardholder validation when a PIN pad is available and
for an extemal authentication when no PIN pad is available. Or,
this provides an authentication method when the application can-
not be trusted to perform an extemal authentication and to protect
the extemal authentication key. |
A target object can only be updated once during its lifetime. |
The corresponding service can be provided through a secure
channel managed by an ISO [IS04],[IS08] secure messaging
layer.
PIN protected data requires the cardholder to input their PIN before the data can be accessed.
Data protected under an extemal authenticate mechanism typically requires a card reader con-
taining the appropriate key in order for the data to be read.
These access controls, provided they are implemented correctly, allow scheme operators to
provide the required privacy protection.
3.2.1 Example: Australian Driver Licence Smartcard
The New Queensland Driver Licence is a good example of the implementation of card access
security to protect individual's privacy.
In Australia driver license administration is a state-level activity. This means that when the
Queensland state government embarked upon a project to issue a smartcard driver licence it
was necessary to gain agreement with the other states and territories on interoperability re-](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-40-320.jpg)
![European Citizen Card Combined with
Travel Document Function,
Convergence or Divergence?
Detlef Houdeau
Senior Director Business Development
Infineon Technologies AG
Neubiberg near Munich, Germany
detlef.houdeau@infineon.com
Abstract
Since 2.5 year is a new application standard for the European citizen card in development. Data struc-
ture, transport protocol, interoperability and the issuing are the pillar of this card and there application
for e-govemment services. The article start an early analysing about the expected implementation in
EU member states. In the conclusion is shown, that the standardisation work lag behind the govern-
ment request for implementation. The current solutions are more divergent in the solution themselves
and for the combination with the upcoming digital travel documents.
1 Introduction
The EU Commission has decided in October 2004, that the next generation of travel docu-
ments and the new border process must increase security and fraud protection as part of the
European Homeland Security program. Harmonized technology and synchronized timeframe
enabled this approach. The EU regulation 2252/200 [ 1 ] defined the roadmap for technology
and implementation. European Homeland Security program started a technology wave over
Europe, with the elements
• digital identity
• biometrics and
• PKI
The focus of this regulation is the electronic passport, the data structure, the security architec-
ture, the biometrics and the communication. By October 2006, 33 countries (27 VWP-
Countries, 5 non-VWP-countries and USA) will have started with the issuing of electronic
passports [ 2 ]. In Europe this captures 100% of the member countries, worldwide 30% of the
countries with MRZ-passports.
Many governments of the EU member nations think of issuing also a national electronic ID
(e-ID) card, after the ePassport is implemented and in use. Two reasons are keys for this ap-
proach:
S. Paulus, N. Pohlmann, H. Reimer (Editors): Securing Electronic Business Processes, Vieweg (2006), 25-29](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-43-320.jpg)
![26 European Citizen Card Combined with Travel Document Function
• Re-use of infrastructure
(data capturing, PKI, IT-network, border control system)
• increase security at border control
In Europe, about 20% of residents have passports and about 80% to 90% of residents hold ID
cards. For border control in Europe, the ID card is the typical travel document. For increasing
security at border control the e-Passport in combination with the e-ID card for EU residents
are required.
In autumn 2005, the EU Conmiission published the recommendation for minimum security
standards for such national e-ID card programs in its regulation 14351/2005.
These travel programs are typically controlled by Ministry of Interior (Mol) in each member
nation. This contain visa documents, immigration cards, national ID-cards and international
passports
A complete other discussion has run during the last six to seven years on national level in the
government comer Ministry of Economics (MoE). The main focus is cost reduction and in-
creasing of government services. One module of this discussion is the changing of the com-
munication location from the government office with face-to- face to the home PC in combi-
nation with the online authentication and commu-nication via internet. The new name was
found with "e-Govemment". For this online-authentication technology was a new identifica-
tion media requested, called citizen card. Since springtime 2004, there is a new application
standard in progress, see CEN/TC 224 and CEN/TS 15480 (CEN = Comite Europeen de
Normalisation). Harmonized data structure, security architecture and interoperability are on
the scope.
The standardisation work on European Citizen Card (ECC) could be closed till 2007 with the
work share:
• Part 1: Physical, Electrical and Transport Protocol Characteristics
• Part 2: Logical Data Structures and Security Services
• Part 3: ECC interoperability using and application interface
• Part 4: Recommendations for ECC issuance, operation and use.
The next points analyse the current situation in EU member nations.
2 The EU nation strategies and the new ECC-
Standard
National e-Card programs are not synchronized with the standardisation work. Some national
programs have started early and have non-standardized solution in place, like Finland (Start
2003), Belgium (Start 2005) [ 3 ], Sweden (Start 2005) [ 4 ], and Austria (Start 2005) [ 5 ].In
other countries are the decisions published for a citizen card function and e-govemment ser-
vice based on the new upcoming CEN-Standard. For example, the governments in France and
Germany have announced this approach .In many countries the decision has not been made
yet and/or published, like in UK, Spain, Italy and Netherlands.](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-44-320.jpg)
![European Citizen Card Combined with Travel Document Function TT_
3 Selected card interface for ECC
Under ISO there are the two interfaces possible: a) ISO 7816 = contact based and b) ISO
14443 = contact-less. Some countries would follow the contact-based interface, like Finland,
Italy, Belgium, Sweden, and Austria. France and Germany would take the contact-less ap-
proach. In many countries is the decision not made and/or published.
4 ECC and the "carrier"
France has announced a special citizen card (Carte de Vie Quotidienne = CVQ) on one car-
rier and the national e-ID (Identite Nationale Electronique Securisee = INES) on a second
carrier. Italy has started under the name Carta Nationale Servici (CNS) an e-ID-card pilot in
2005/6.The decision for an own carrier or a "host"-carrier is not made. Germany, Austria, and
Sweden have announced the "hosf'-carrier approach:
• Austria: ECC on social security card [ 5 ]
• Sweden: ECC on national e-ID card [ 4 ]
• Germany: ECC on national e-ID card [ 6 ]
In many countries are these decisions not made and/or published
5 ECC and addressable memory space
Some countries have in the upcoming e-ID card a microcontroller only for the ECC function.
This is the case in Sweden and France. Other countries would take one micro-Controller
which contains ECC and other data set:
• Germany: ECC + ICAO data set [ 6 ]
• Belgium: ECC + national e-ID data set [ 3 ]
• Finland: ECC + national e-ID data set
• Austria: ECC + social data set [ 5 ]
In many countries are these decisions not made/or published.
6 The legal framework for the ECC
In Germany is the "Gesetz iiber Rahmenbedingungen fiir elektronische Signaturen"(SigG)
since 16^ of Mai 2001 in place, with the last changing on 4* of January 2005. This defines:
• Electronic signature
• Advanced electronic signature
• Qualified electronic signature
Till November 2001 is the German regulation established (SigV).
In other countries is the legal situation unclear.](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-45-320.jpg)
![28 European Citizen Card Combined with Travel Document Function
7 ECC and the challenge for the supplier industry,
for example the semiconductor producer
To develop, qualify and certify the microcontroller for this market right in time. To support
software development companies and system integrators. To foster field trial, interoperability
and conformity tests.
8 Conclusion
The standardisation works lag behind the government request for implementation. The stan-
dardisation work would freeze till CY 2007. The development of the solution and implemen-
tation based on this new application standard is possible at earliest 2008.
For the key technologies, such as digital identity, online authentication and signing it is rec-
ommended to work out the same definition and create the same legal framework in each
member country.
The European citizen card could be one pillar of a multiapplication card system in the future.
From the industry point of view, we reconmiend the combination of the national electronic
ID-card with the European citizen card on one carrier with the three basic (pillar) functions
• visible optical identity
• travel function (ICAO standard)
• e-Govemment services (CEN standard),
to increase the convenience for the citizen in there daily life and reduce the acceptance of
such new digital identity document. To follow international standards reduce specification
money, time and effort, minimize technology risks and create more supplier for the govern-
ments. This opens the door for national (and international) interoperability tests of compo-
nents, like cards and card-reader.
References
[1] EU-Regulation, see http://europa.eu.int/eur-lex/lex/LexUriServ
/LexUriServ.do?uri=CELEX:32004R2252:EN:HTML
[2] Keesing Journal of Documents and Identity, Annual Report 2005 - 2006
[3] Information brochure of the Belgian ID card, see http://www.rijksregister.fgov.be/cie
/brochure/05145_bz_leaflet_fr.pdf
[4] Information about the Swedish ID card, see http://www.polisen.se
/lnter/nodeid=36624&pageversion= 1 .html
[5] DIN-Workshop MultiappUcationcard, on July, 13th and 14th, 2006, Berlin, Germany;
Presentation from Prof. Posch, Austria, Chancellor of the Confederation Bureau
[6] Global Security Forum, on July, 6th and 7th, Vienna, Austria, see
http://www.global-security-forum.com; Presentation from Andreas Reisen, Ministry
of Interior, Germany](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-46-320.jpg)
![Physical Unclonable Functions for enhanced security of tokens and tags . 31_
Physical Unclonable Functions (PUFs) [PRTG2002] have been proposed to solve this prob-
lem. A PUF is a physical system with a unique, random-looking input-output relation. Un-
clonability means that it is infeasible to produce either a physical copy or a mathematical
model that simulates the behaviour of the system. A final property of PUFs is their inherent
tamper resistance. An attacker who tries to attack a PUF will damage it in such a way that its
input-output behaviour is completely changed. Physical systems that are produced by an un-
controlled production process, e.g. by mixing several substances, turn out to be good candi-
dates for PUFs.
A 'Controlled PUF' (CPUF) [GCvDD2002a] is a PUF whose input and output are completely
controlled by a layer of control electronics. The control layer is inseparably bound to the PUF
in such a way that removal will damage the PUF. By preventing direct access to the PUF, and
by cryptographically manipulating the input and output, the control layer strengthens the se-
curity.
In this paper we first give an overview of PUF hardware and then describe three applications
of PUFs. In Section 3.1 we describe a token equipped with a PUF and list the advantages that
it offers. The way in which a PUF can be used to build a secure key storage device is ex-
plained in Section 3.2. Finally in Section 3.3 we show how a secure key storage device can be
implemented on an RFID-tag to make it unclonable and suitable for anti-counterfeiting pur-
poses.
2 Physical realisations
Several physical systems are known on which PUFs can be based. The main types are optical
PUFs [PRTG2002,Pap2001,STO2005], coating PUFs [TS2005], siHcon PUFs [Gas2003,
GCvDD2002b] and acoustic PUFs [TS2005]. We briefly discuss coating PUFs and optical
PUFs.
2.1 Coating PUFs
The idea of using an 'active coating' was originally proposed in [Posl998] and further devel-
oped in the context of PUFs in [TS2005] and [TSSW''2006]. Coating PUFs are integrated
with an IC (see Figure 1). The IC is covered with a protective (opaque) coating doped with
random dielectric particles. By random dielectric particles, we mean several kinds of particles
of random size and shape with a relative dielectric constant 8r differing from the dielectric
constant of the coating matrix. An array of metal sensors lies directly beneath the passivation
layer. Because of the presence of the coating material with its random dielectric properties,
the sensor wires with the material in between behave as a capacitor with a random capaci-
tance value. The measured capacitance values are converted into a bit string which can be
used as an identifier or a key.
Coating PUFs have the advantage of possessing a high degree of integration. The matrix con-
taining the random particles can be part of a tamper-resistance coating. A coating PUF addi-
tonally has the advantage that it is easily turned into a Controlled PUF (CPUF), as it is insepa-
rably bound to the underlying IC.](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-49-320.jpg)
![32 Physical UncLonable Functions for enhanced security of tokens and tags
l
i
i
i
i
i
i
^
^
^
^
^
^
^
^
^
^
(Si) substrate
Figure 1: Left: Schematic cross-section of a coating PUF.
Right: Scanning Electron Microscope image.
2.2 Optical PUFs
Optical PUFs consist of a transparent material (e.g. glass) containing randomly distributed
light scattering particles (e.g. air bubbles, plastic or aluminium). They exploit the uniqueness
of speckle patterns that result from multiple scattering of laser light in a disordered optical
medium. The challenge is a laser beam directed at the PUF. The response is a speckle pattern
(see Figure 2). The pattern is a function of the internal structtire of the PUF, the wave length
of the laser, its angle of incidence, focal distance and other characteristics of the wave front.
Figure 2: Example of a speckle pattern.
Optical probing of the PUF is difficult because the light diffusion obscures the locations of
the scatterers. At this moment the best physical techniques can probe diffusive materials up to
a depth of approximately 10 scattering lengths [MDR2001]. Moreover, even if an attacker
learns the positions of all the scatterers, this knowledge is of limited use to him. If he tries to
make a physical copy of the PUF, he runs into the problem that precise positioning of a large
number of scatterers is an arduous process. It would seem easier to make an "electronic"
clone, i.e. a device that simply computes the correct responses to all challenges in real time or
looks them up in a database, without bothering with physical reproduction. However, even
this turns out to be extremely hard, since it requires accurate optical modelling of multiple
coherent scattering.
PUF LC layer cover layer
Figure 3: Integrated optical PUF containing a laser, a PUF, a challenging mechanism and sensors.](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-50-320.jpg)
![Physical Unclonable Functions for enhanced security of tokens and tags 33^
An optical PUF can be employed (i) as a separate physical component, to be challenged by a
special reader device containing a laser and a camera, or (ii) as a Controlled PUF, if it is
properly integrated into an inseparable package together with the laser, challenging mecha-
nism and camera. Figure 3 schematically shows a highly integrated implementation of an op-
tical PUF. The CMOS sensor has detector pixels as well as switchable 'display' pixels. The
display pixels are used to locally switch the Liquid Crystal (LC) layer between two phase ro-
tation states, e.g. no rotation and 45° rotation. The configuration of the display pixels forms a
challenge. The optical PUF is situated in the top layer. The laser light enters the PUF, and the
light is eventually scattered downward. There it may directly enter a detector pixel. Alterna-
tively, it hits a display pixel, where it partly gets absorbed, and partly scatters with a phase ro-
tation depending on the LC state. At each detector pixel all contributions from the various
scattering paths are added coherently.
3 Overview of PUF applications
From a security perspective the uniqueness of the responses and unclonability of the PUF are
very useful properties. Because of these properties, PUFs can be used as unique identifiers
[Baul983,3DAS,Kir2004, BCJP''2005], means of tamper-detection and/or as a cost-effective
source for key generation (common randomness) between two parties [TS2005, STO2005].
The latter is very useful for authenticating objects and persons.
3.1 PUF-Based Tokens
PUFs with a large number of Challenge-Response Pairs (CRPs), such as optical PUFs, are
well suited for authentication tokens. In its simplest and cheapest form, the token contains
only a PUF and a serial number. The token can be inserted into a reader able to read the iden-
tifier and to measure the challenge-response behaviour of the PUF. The reader is connected to
a database.
Typically there are two phases: enrolment and verification. During the enrolment phase, a
number of challenges is chosen randomly for each token, and the corresponding PUF re-
sponses are measured and then stored, e.g. in a database or, if the token has an EEPROM, in
encrypted/hashed form in the EEPROM. During the verification phase, the PUF is subjected
to one or more of the enrolled challenges. The verifier checks the response against the en-
rolled response data. The same CRP is never used twice.
Several secure protocols based on CRPs have been worked out in [TS2005, GCvDD2002a,
Gas2003]. In the simplest case eavesdroppers can easily see the PUF responses in plaintext.
In more sophisticated protocols PUF responses are used to encrypt nonces or to generate
Message Authentication Codes. The latter protocols have the advantage that the token holder
and the verifier end up with a shared secret which they use as a session key for a secure trans-
action.
3.2 Secure Key Storage
Many hardware devices, such as DVD players and Trusted Platform Modules, need access to
secret 'Device Keys' that are stored somewhere inside the device. Often these Device Keys are
unique for each device. Hence, they have to be stored in the digital memory in a separate
process during or after manufacture. Special protective measures must be taken to ensure that
attackers cannot read this memory, not even with invasive means such as a Focused Ion Beam
(FIB).](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-51-320.jpg)
![34 Physical Unclonable Functions for enhanced security of tokens and tags
Regarding protection of memories against read-out, we make the following observation. Keys
stored in digital memory (such as ROM or EEPROM) are stored as strings of zeros and ones.
Attackers can employ known physical attacks to probe the content of the memory, even when
the IC is not active. In order to protect stored keys against invasive physical attacks, we pro-
pose that no key shall be stored in digitalform in the memory of a device. Since there is no
digital key in the memory, it can not be directly attacked.
Instead, we propose to generate the key K only at the time when it is needed. The key is ex-
tracted from a tamper evident physical structure, integrated with the IC, by applying a chal-
lenge, measuring the response and carrying out the reconstruction phase of the helper data al-
gorithm [LT2003] implemented on the IC. In the case of coating PUFs, the IC extracts the key
from the coating covering it, as described in Section 2.1.
Since the key is extracted from coating measurements, and measurements on a physical struc-
ture are inherently noisy, the responses can not be directly used as a secret key. This implies
that we need a helper data algorithm/fuzzy extractor [LT2003,DRS2004] for key reconstruc-
tion. A helper data algorithm consists of a pair of algorithms {G,W) and two phases: an en-
rolment and a reconstruction phase (see Figure 4). We use the following notation: x denotes
the measurement value of a response during the enrolment phase, while y denotes the corre-
sponding value during the reconstruction phase. During enrolment, the key K is randomly
chosen from a uniform distribution. The helper data algorithm W is used during the enrolment
phase and creates the helper data w based on x and K. The helper data is stored in the
EEPROM of the IC. The algorithm G{.,.) is used during the key reconstruction phase for re-
construction of the key K as follows: A'=Gfj,wj, where w is read from the EEPROM.
Enrollment
""
random K C^^
algorithm W
hash
*,
I stored •
w
h(K)
N _ _ _ _ ^
Authentication
algorithm G
com-
pare
h(K')
K'
hash
1 correct / incorrect
Figure 4: The helper data scheme
We have developed an IC equipped with a coating PUF having 30 capacitance sensors lying
undemeath the coating. We have shown that from each of the sensor measurements we can
derive 3 bits in a reliable way. In total a string of 90 bits is derived. Taking the noise into ac-
count, this leads to a secure key of 66 bits Additionally, we have performed several invasive
attacks on the IC with a Focused Ion Beam. Such an attack causes clearly visible errors in the
measured capacitance values (see Figure 5). Hence the attack is detected by the IC. This de-
tection can be used to let the chip shut down. Furthermore, it was shown that the damage even
destroys the key. In case of an 128-bit AES key, after a FIB attack the attacker still faces a
computation complexity in the order of l'^ to find the key.
^ We note that when more sensors are put on the IC, longer keys can be constructed.](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-52-320.jpg)
![36 Physical Unclonable Functions for enhanced security of tokens and tags
3. The tag proves to the reader that it knows the secret key K corresponding to the com-
mitment CK. This is done by running a secure identification protocol. The product is
considered authentic only if the tag passes this test.
In [TB2006] the security of this protocol was rigorously proven. Moreover it was shown there
that when the Schnorr identification protocol is used for secure identification, the complete
protocol can be implemented in less than 10k gates, which is feasible on a tag.
4 Conclusion
In this paper we have described Physical Unclonable Functions (PUFs) and explained their
use for security purposes. We have investigated three applications in more detail. Firstly, we
explained how PUFs are used to build an unclonable token. Secondly, we have shown how
coating PUFs are used to build hardware that is resistant against invasive physical attacks. Fi-
nally, we have shown how RFID-Tags can be made suitable for anti-counterfeiting purposes
by integrating them with a coating PUF.
References
[3DAS] Unicate BV's '3DAS' system, http://www.andreae.comAJnicate/Appendix
%201.htm, 1999.
[Baul983] Bauder D.W: An Anti-Counterfeiting Conceptfor Currency. Systems Re-
search Report PTK-11990, Sandia National Laboratories, 1983.
[BCJP'^2005] Buchanan J.D.R., Cowbum R.P., Jausovec A., Petit D., Seem P., Xiong G.,
Atkinson D., Fenton K., Allwood D.A., Bryan M.T.: Forgery: 'Finger-
printing' documents andpackaging. Nature 436 (28 Jul 2005), Brief
Conmiunications, p.475.
[DRS2004] Dodis Y., Reyzin M., Smith A.: Fuzzy Extractors: How to generate strong
keysfrom biometrics and other noisy data. In: Cachin and Camenisch,
(Eds.): Proceedings of Eurocrypt 2004, Lecture Notes in Computer Sci-
ence, volume 3027, Springer-Verlag, 2004, p. 523-540.
[Gas2003] Gassend B.: Physical Random Functions, Master's Thesis, MIT 2003.
[GCvDD2002a] Gassend B., Clarke D., van Dijk M., Devadas S.: Controlled Physical
Random Functions. Proc. 18th Annual Computer Security Applications
Conf., Dec. 2002.
[GCvDD2002b] Gassend B., Clarke D., van Dijk M., Devadas S.: Silicon Physical Random
Functions, Proc. 9th ACM Conf. on Computer and Communications Secu-
rity, Nov. 2002.
[Kir2004] Kirovski D.,: A Point-Subset Compression Algorithm for Fiber-based Cer-
tificates of Authenticity, IEEE Proc. ISIT 2004, p. 173.
[LT2003] Linnartz J.P., Tuyls. P.: New Shielding Functions to Enhance Privacy and
Prevent Misuse ofBiometric Templates, Proc. 4th International Confer-
ence on Audio and Video based Biometric Person Authentication (2003),
LNCS 2688, Springer-Veriag, p. 238-250.](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-54-320.jpg)
![unquenchable, has its counterparts in benighted regions now being
“civilised” after the time-honoured recipe: interference which upsets
peace and order, more interference to restore peace and order with
the naturally opposite result, occupation until peace and order will
be restored, gradual annexation. The East India Company’s mean
spirit of haggling was held in utter contempt by the native princes,
grands seigneurs in thought and action, too proud to pay the
hucksters with their own coin, though bad forebodings must have
filled the mind, for instance, of Susuhunan Puger, recognised at
Batavia as Mataram’s figurehead under the name of Paku Buwono I.,
[59] when near his capital a Dutch fort was built and garrisoned with
Dutch soldiers to back him in his exactions for the benefit of alien
usurers and sharpers. Like the rat of Ganesa, they penetrated
everywhere and the tale of their relations to the lords of the land is
one of tortuous insinuation until they had firmly established
themselves and could give the rein to their sordid commercialism in
always more exorbitant claims. Paku Buwono II., feeling his end
approach, was prevailed upon, in 1749, to bequeath his realm to the
Company, but one of the most influential members of the imperial
family decided that this was carrying it a little too far: Mangku Bumi,
[60] brother of Paku Buwono II., supported by Mas Saïd, son of the
exiled Mangku Negara,[61] and other pangerans (princes of the
blood), stood up in arms to defend their country’s rights and inflicted
severe losses on the Dutch troops in stubborn guerrilla warfare. This
led to the partition of Mataram between Paku Buwono III. and his
uncle Mangku Bumi, both acknowledging the supremacy of the
Company, the latter settling at Jogjakarta, the old capital Karta,
under the title and name of Sooltan Mangku Buwono,[62] while Mas
Saïd, who did not cease hostilities before 1757, gained also a quasi-
independent position as Pangeran Adipati Mangku Negara, which in
1796 became hereditary. With three reigning princes for one, the
power of Mataram was definitely broken and Batavia assumed the
direction of her affairs quite openly, the “thundering field-marshal”
Daendels emphasising her state of decline and the British
Interregnum bringing no change.](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-57-320.jpg)
![In 1825 the divided remnant of Mataram, viz. Surakarta with the
Mangku Negaran and Jogjakarta with the Paku Alaman,[63] was
deeply stirred by Pangeran Anta Wiria calling upon his compatriots to
chase the oppressors away. Born from a woman of low descent
among the wives of Mangku Buwono III., Sooltan of Jogjakarta, it
seems that, nevertheless, hopes of his succession to the throne had
been held out to him when he assisted his father against the
machinations of his grandfather, Sooltan Sepooh (Mangku Buwono
II.), banished by Raffles in 1812. However this may be, he resented
the settlement of the Sooltanate on the death of Mangku Buwono
III. upon Jarot, an infant son, and other circumstances adding to his
dislike of Dutch control, he raised the standard of revolt. The
Javanese responded with alacrity to an appeal which bore good
tidings of delivery as the wind, ridden by the Maroots who make the
mountains to tremble and tear the forest into pieces, bears good
tidings of coming rain to a parched earth. Anta Wiria, under his more
popular name of Dipo Negoro, and his lieutenants Ali Bassa Prawira
Dirja, or Sentot, and Kiahi Maja, gave the Dutch troops plenty of
bloody work in the five years during which the Java war lasted,
1825-1830. It was the last eruption on a large scale of the fire
imprisoned in the native’s heart, the last sustained effort at regaining
his independence, crushed by the white man’s superiority in military
appliances, but occasional throbbings, ruffling the surface as in
Bantam (1888), the Preanger Regencies (1902), Kediri (1910), etc.,
show that the volcano is by no means an extinguished one. Though
“kingdoms are shrunk to provinces and chains clank over sceptred
cities,” the love of liberty, laid by as a sword which eats into itself,
does not own foreign dominion, and the native princes, especially
the Susuhunan of Surakarta and the Sooltan of Jogjakarta, remain
objects of worshipful homage. Their genealogy remounts to the gods
whose essence took substance in the illustrious prophet Adam who
begat Abil and Kabil on the goddess Kawa; the history of their house
begins with the arrival in the island, in the Javanese year 1, of Aji
Soko; they are the panatagama and sayidin (shah ad-din), directors
and leaders of religion; their Courts set the fashion in high native](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-58-320.jpg)
![society, Solo[64] being more gay and extravagant, Jogja[64] more
sedate and solid, as a writer at the end of the eighteenth century
already remarked.
The Dutch Government recognises the imperial or royal dignity of
Susuhunan and Sooltan by the superior position of its Residents in
the capitals of their Principalities, who, directly responsible to the
Governor-General, correspond in rank to the general officers of the
army, while the administrative heads of the other residencies have to
content themselves with the honours due to a colonel; also by the
institution of dragoon body-guards whose ostensibly ornamental
presence can be and has been turned to good account when the
mental intoxication arising from meditation on gilded disgrace,
charged with the lightning of passion, produces effects irreconcilable
with the fiction that all is for the best in this best of worlds. With the
Government steadily encroaching on the native princes’ ancient
rights, bitterness grows apace and irritation at the recoiling weight
of bondage lives on, though colonial reports represent it as dead.
Truly, in the three centuries during which it pleased Kuwera, the fat
god of wealth, to inspire the strangers from the West, rich in
promise but slow in performance, exacting and pitiless, to deeds of
unprincipled rapacity, the people have learned to hide their thoughts
that worse may not follow, hoping that time will set things right. But
as everything points more clearly to the fixed purpose of the Dutch
Government to avail themselves of every pretext for swallowing the
Principalities as all the rest has been gobbled up, there are those
who cherish the memory of Dipo Negoro and consider the necessity
of new man-offerings: the greater the need, the greater must be the
propitiation. On the whole, however, better counsel prevails,
deliverance being sought on planes of mystic exercise, silent
submission being practised in expectation of the consummation of a
higher will, and this is the native’s secret as he repeats the lessons
inculcated in the Wulang Reh, the treatise on ethics written by one
of the eminent of the past, Sunan Paku Buwono IV.: May ye imitate
our ancestors, who were endowed with supernatural strength, and
may ye qualify for penitence, heeding closely the perfection of life;](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-59-320.jpg)
![this is my prayer for my children; be it granted! Meanwhile taxation
increases, but who can object to that when in days of old the good
people had to pay for the privilege of looking at the public dancers,
whether they cared to look at them or not; when compulsory
contributions to the exchequer were levied upon one-eyed persons
for their being so much better off than the totally blind; etc.... Fancy
a Minister of Finance in Holland defending a vexatious new
assessment on the ground of arbitrary cesses in the Middle Ages!
Hindu art had lost its vitality when the second empire of Mataram
arose in Central Java and the cult of the ideal was effected by
modernising currents from the eastern part of the island. Sanskrit,
as the vehicle of thought in Venggi and Nagari characters, made
place for Kawi which, related in its oldest forms to Pali and in its
symbols to the Indian alphabets, evolved soon afterward into a
specific Javanese type. Sivaïte literature paved the way for the Manik
Maya, the Bandoong, the Aji Saka, the Panji- and the Menak- or
Hamza-cycles, the Damar Wulan; as to Buddhist literature, Burnouf’s
comment upon its inferiority holds also good for Java: no trace exists
even of a life of the Buddha, of jataka-tales, except such as have
originated in the eastern kingdoms at a comparatively late date.
Literary culture in the seventeenth and eighteenth centuries was a
continuation of and throve on the efforts of the great authors
hospitably entertained at the Courts of Mojopahit and Kediri. The
Javanese language with the wealth of words it acquired and the
diversity of expression it developed,[65] exercised and still exercises
in its four dialects[66] a vivifying influence upon the Soondanese
speech in the west and the Madurese in the east. Its script, like the
people who speak and write it, and cling to their hadat, the manners
and customs of the jaman buda, which, notwithstanding their
Islāmitic veneer, they prefer to the law of the Prophet,—its script
rejects Moslim interference and refuses to employ the Arabic
characters, sticking to its equally beautiful aksaras and pasangans.
Religions succeeding one another, generally without discourteous
haste, Muhammadanism penetrated Central Java but slowly from the
north, first by the conversion of the great and mighty who profited](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-60-320.jpg)
![by the example of Mojopahit, then by grafting the idea of the one
righteous god upon the godless Buddhist or pantheistic Hindu creed
of the orang kechil, the man of slight importance who, up to this
day, though fervent in his outward duties as a Moslim, shows in
every act that his individual and national temperament is rooted in
pre-Islāmic idiosyncrasies. The heroes of the Brata Yuda and
Ramayana are just as dear to him as the pre-Islāmic saints whose
legends are gathered in the story of Raja Pirangon and the Kitab
Ambia, as the forerunners, companions and helpers of the Apostle of
God.
The sacred waringin, never wanting in the aloon aloon, the open
places before the dwellings of the rulers of the land and their
deputies, what is it but the bo-tree, the tree of enlightenment? One
of venerable age in the imperial burial-ground of Pasar Gedeh,
planted, according to tradition, by Kiahi Ageng Pamanahan or his
son Suta Wijaya, announces without fail the demise of a member of
one of the reigning families either at Solo or at Jogja, by shedding
one of its branches. Pasar Gedeh, Selo and Imogiri are silent spots,
peopled with the dead whose lives’ strength made history and is
mourned as the strength of a glorious past. Selo, an enclave
belonging to Surakarta, in Grobogan, residency Samarang, contains
the ancestral tombs of the rulers of Mataram; Imogiri and Pasar
Gedeh in Jogjakarta, which latter marks the site of the original seat
of empire and was comparatively recently put to its present use, are
the cemeteries common to the royalty of both Principalities, and
guarded by officials, amat dalam with the title of Raden
Tumenggoong, appointed by mutual consent. A Polynesian bias to
ancestor-worship, unabated by Hinduïsm, Buddhism and
Muhammadanism, accounts for the almost idolatrous adoration[67]
of the graves of the Susuhunans and Sooltans, their ancestors and
also their progeny that did not attain to thrones, receptacles of once
imperial dust, feeding the four elements from which it proceeded
and to which it returns like meaner human clay. Look, says Kumala
in the Buddhist parable, all in the world must perish! The religious
brethren of his faith used to repair at night to the sepulchres of](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-61-320.jpg)
![those taken to bliss and spend the lone hours in pondering on the
instability of conscious existence, desiring to gain the Nirvana by
their undisturbed meditations, but Sivaïte associations people the old
graveyards of Java with raksasas, monstrous giants, eaters of living
and dead men and women, and santons, bent on prayer amid the
last abodes of the departed, have been terrified, especially at Pasar
Gedeh, by weird noises and apparitions signalling their approach,
commending hasty retreat to the wise. It is advisable to distrust
darkness there and rather to choose the day for acts of devotion,
even if annoyed by worldlings who come to consult the big white
tortoise in the tank, ancient Kiahi Duda, widower of Mboq Loro
Kuning, presaging the better luck the farther he paddles forth from
his subaqueous habitation. At a little distance is the sela gilang, a
bluish stone with a more than half effaced inscription, only the
lettering of the border being legible. Tradition calls it the dampar
(throne) of Suta Wijaya, sitting on which he killed Kiahi Ageng
Mangir, his rival and owner of the miraculous lance Kiahi Baru, who
had been lured into his presence by one of his daughters to do
homage by means of the ujoong, the kissing[68] of the knee; near
by are a stone mortar and large stone cannon-balls, the largest
possessing the faculty of granting untold wealth to those strong
enough to carry it three times without stopping round the sela
gilang, whose legend, carved by a prisoner of war, either a spirit of
the air or a magician, reveals in its marginal commentary a
philosophic mind coupled with linguistic talents: zoo gaat de wereld
—così va il mondo—ita movet tuus mundus—ainsi va le monde.
Selo, Imogiri and Pasar Gedeh: so goes the world indeed, and the
nameless prisoner of war’s motto, preserved near the pasarahan
dalam, the imperial garden of rest, would be hardly less appropriate
over the gates leading to the kratons, the residences[69] of the
Susuhunan of Surakarta and the Sooltan of Jogjakarta, where they
do the grand in the grand old way, cherishing the memories of a
power gone by. A visit to the Principalities without an invitation to
attend some function at Court cannot be called complete and it is a
treat to watch the ceremonial exercises connected with one of the](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-62-320.jpg)
![three garebegs[70] or with the salutations on imperial birthdays and
coronation-days in the roomy pendopos, the open halls whose
general style betrays its Hindu origin no less than the aspect, the
dresses, the movements of the native nobility, officials and retainers,
an assemblage of a fairy tale, betray their Hindu parentage. The
bangsal kenchono, the audience-chamber of the Sooltan at Jogja, is
a masterpiece of construction in wood, the carved beams and joists,
richly gilt and painted in bright colours, forming a ceiling of
wonderful airiness and elegance; in the bangsal witono the Sooltan
shows himself to the people on days of great gala; in the bangsal
kemandoongan, a hall in one of the many open squares of the
palace grounds, seated on his dampar or throne, he used to witness
the execution of his subjects sentenced to death, who were
krissed[71] against the opposite wall; another of these open squares
was dedicated to pleasures which remind of the munera gladiatoria,
more especially of the ludi funebres, and kindred amusements with a
good deal of local colour: we find it chronicled of Sunan Mangku Rat
I., Java’s Nero, that once he beguiled a tedious afternoon in his
kraton at Kartasura by stripping a hundred young women and letting
a few tigers loose among them. The dining-hall (gedong manis:
room of sweets) in the kraton at Jogja, to the south of the audience-
chamber, can easily hold three hundred guests with the host of
servants they require; at Solo the imperial stables and coach-
houses[72] are scarcely inferior in interest to the friend of horses,
riding, driving and coaching, than the Kaiserlich-Königliche Marstall
at Vienna or the Caballerizas Reales at Aranjuez. But of all the sights
at the Courts of the Principalities of Central Java it is the human
element that fascinates most, a waving mass of silent figures in the
magnificent setting which reflects centuries of Sturm und Drang, the
new to the visitor’s eye being nothing but the very, very old; men
taught by fate to treasure their thoughts up in their hearts, as their
mountains do the hidden fire, worshipping tempu dahulu, sustained
by l’amour du bon vieulx tems, l’amour antique, even the rising
generation remaining apparently unaffected by the example of
western fickleness, an inconstancy ever more pronounced since the](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-63-320.jpg)
![illustrious citizen of Florence, of the Porta San Piera, commented on
it:
Che l’uso de’ mortali è come fronda
In ramo, che sen va, ed altra viene.
[73]
The country-seats of Susuhunans and Sooltans, where they sought
repose from cares of state, often contained temples erected, if not in
the name then in the spirit of their kind of sacrifice, to Kama, the
god of love, smuggled into the practice of a later creed. They had no
wish to become the victims of their virtue like the excellent King
Suvarnavarna; they did not aspire to the fame accruing to Rama in
his relations to the female demon Shoorpanakha, personification of
sublunar temptations. And the manifold functions assigned to water
in their pleasances, to the limpid, running water of the cool
mountain rills, are characteristic of an island where a bath, at least
twice a day, preferably in the open, is both a necessity and a luxury
which the poorest does not dream of denying himself. Observe the
crowds of men, women and children, always chaste and decent,
disporting themselves in lakes and rivers, every morning and every
evening; note the names of Pikataän, Kali Bening, Banyu Biru, idyllic
spots and equal to the classic chandi Pengilon, Sidamookti and
Wanasari to the lover of a plunge and a swim, screened by flowers
and foliage, with the blue heaven smiling on his joy. Passing by
Ambar Winangoon and Ambar Rookma, the remains of the so-called
water-castle at Jogjakarta convey some notion of the manner in
which royal personages sought recreation, amusing themselves in
their parks of delight, fragrant and tranquil like the restful Loombini,
where Maya gave birth to the Buddha; toying with their women in
and round the crystalline fluid. An abundant spring within the
boundaries of the palace grounds led to the conception of this
retreat or, rather, these retreats, for there were two, connected by a
system of canals which speaks highly for native hydraulics, though
the buildings erected to obey a capricious will, show in their present](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-64-320.jpg)
![Hartingh[74] wrote in 1761, and maker of “fountains, grotto-work
and conduits which, though completed, he orders immediately to be
pulled down, not finding them to his taste, thus squandering some
little money.” We possess a description[75] of the kraton at
Jogjakarta, dated September 1791, from the hand of Carl Friedrich
Reimer,[76] who speaks of “a collection of gardens, fish-ponds and
pleasure-pools.” He probably visited Pulu Gedong before proceeding
to Taman Sari[77] and expatiates on the spaciousness of the dwelling
room in Pulu Kananga, where it seems that the Court could find
plenty of accommodation. But what made the greatest impression
on the expert in hydraulics was the arrangement of passages and an
apartment for prayer and meditation under water, as if the Sooltan
deemed it an advantage to worship surrounded by the babbling
stream, light and fresh air being provided through turrets rising
above the surface. In the place called Oombool Winangoon, situated
on a low level, with three tanks, fed from the great lake of Taman
Sari, was a cool retreat where the Sooltan used to rest a while after
his bath, refreshing himself with a cup of tea. Alluding to the
Sumoor Gumuling, Reimer remarks that the architect must have
chosen a round form for his structure to make it the better resist the
pressure of the water all round. The strange building which went by
that name and consisted of two concentric walls with a flat roof,[78]
taken for a subaqueous house of prayer by the visitor of 1791, has
also been very differently explained: some see in its remains a
dancing-school, awakening visions of the Sooltan’s corps de ballet
practising in the first storey to the dulcet tones of the gamelan, the
native orchestra, that ascended from the basement and aided them
in going through their paces; others connect it with functions never
referred to in polite society and which have nothing in common with
praying, either with the heart or with the feet, more correctly
speaking: with the arms, hands and hips, for Javanese dancing is no
loose skipping and hopping about, but a graceful and expressive play
of the body and more particularly of the upper limbs in rhythmic,
undulating motion. Passing from one lake to the next, the Sooltan’s
means of conveyance was the prahu Niahi Kuning, a gorgeously](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-66-320.jpg)
![concealment thereof.... Writing this it occurs to me how properly a
western version of that universally approved maxim has been put in
the mouth of Gärtnerinnen, niedlich and galant:
Denn das Naturell der Frauen
Ist so nah mit Kunst verwandt.[79]
XIV. WATER-CASTLE AT JOGJAKARTA
(Centrum.)
Though Mangku Buwono I. was a contemporary of Goethe, his
knowledge of Faust is extremely doubtful, but being an artist in his
own way, he took care that the natural scenery, assisted by art,
should contribute to a pleasant general impression in the distribution
of the dwellings for his retinue: native princes (and of his rank too!)
do not move an inch inside or outside their kratons without
numberless attendants at their heels. In the “water-castle” were
apartments, not only for the Sooltan, for the Ratu, his first legitimate
spouse, for his other wives and concubines, for the little family they
had presented him with, but for the dignitaries of his Court, officials
of all degrees, secretaries, servants of every description, various](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-68-320.jpg)
![artificers from the armourers down to the kebon kumukoos, the
makers of tali api (fire-rope), necessary for lighting his Highness’
cigars. There were reception-, dining-, living- and sleeping-rooms for
the Sooltan, his Ratu and female relatives, each apart; common
rooms for the selir (wives of lower degree); rooms for the instruction
of their children; rooms where his Highness’ daughters spent a few
hours every day in batikking; guard-rooms for the prajurits, the male
guards; guard-rooms for the female guards under command of the
Niahi Tumanggoong, a lady of consequence, who kept and keeps the
dalam, the interior of the kraton, under constant observation so that
no illicit amourettes shall occur in the women’s quarters, and yet—!
There were store-rooms, kitchens, workshops, prisons, halls set
apart for the dancers, male and female; the cream of the female
dancers, the srimpis and girl bedoyos, were probably housed in or
near the principal pavilion on Pulu Kananga, of which the Sooltan
occupied the eastern and the Ratu the western portion. Above all
there were the bath-rooms, dedicated to Kama and his wife Rati of
Hindu memory; and since the parrot is the vahana of that frivolous
god, many are the unspeakable tales of revived rites of his luxurious
worship.
The etiquette at Court is fitly illustrated by the two tea-houses of
Taman Sari, the eastern one for the Grand Pourer-out-of-Tea of the
Right, who presided over the preparation of the delectable beverage
for the Sooltan, and the western ditto for the Grand Pourer-out-of-
Tea of the Left, who provided for the Ratu. A scrupulous punctilio is
ingrained in Javanese habits and customs, from high to low, on great
and small occasions, the native’s mentality always reverting to things
which were, but never more can be. The homage done to sacred
objects, arms, gamelans, etc., by giving them a human name and a
title,[80] venerating them as if endowed with supernatural faculties,
recalls Polynesian fetishism, Hinduïsm being blended with it in Siva’s
trishula, Vishnu’s chakra, etc., which are still carried behind the
native princes among their ampilan.[81] The upacharas or imperial
and royal pusakas[82] are treated with the utmost reverence when](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-69-320.jpg)
![shown at the appearance in public of Susuhunan or Sooltan, and
their bearers, the koncho ngampil, who hold an honoured position at
the Courts of Solo and Jogja, may be considered direct successors of
the envoys of King Dasharatha on the reliefs of the chandi Loro
Jonggrang, who bore his regalia when meeting Rama and Lakshama.
The strange ceremonial, preserved from the time when gods walked
amongst men, seems hardly antiquated, on the contrary very
germane to siti-inggil[83] surroundings. One need not visit the
kratons though, to notice how the spirit of the past permeates all
things Javanese; any well-dressed native getting out of his sado[84]
at the railway station or repairing thither on foot for a journey with
the fire-carriage, will do. Even if he cannot afford the few doits[85]
necessary and must impair his dignity by going afoot, he has his
retainers to look after his box and, stuck behind, he has his
magnificent kris in a sheath of gold, with a beautifully carved ivory
handle, in nine cases out of ten a pusaka, cherished like the kris
Kolo Munyang of the Prince of Kudoos or, as others allege, of a
Susuhunan of Surakarta, who sent the weapon, which killed its
master’s enemies without human direction, to the assistance of
Pangeran Bintoro, then oppressed by a king of Mojopahit. The
chronology of this legend is evidently a little faulty, but, O! the
wonders of Java’s golden age, and, O! the superstitious honour in
which their memory is held by these lovable people, whose actual
existence is a dream of days gone by. And that happy dream, they
ween, is a presage of the future, prophesying the restoration of their
fathers’ heritage. If, nevertheless, the hour draws near of
unconditional surrender, the Dutch Government steadily and surely
arrogating to itself the externals with the substance of power in the
Principalities, they will silently submit to the nivarana of their ancient
faith, the hindrance arising from torpor of mind appointed to them in
the sansara, the rotary sequence of the world, and seek consolation
in the promise of their new faith that the Lord will not deal wrongly
with his servants. The life of nations, like the life of men, starts
running as the mountain torrent and meets many an obstacle before](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-70-320.jpg)
![it swells to a broad river in the plains and flows tranquilly and
mightily to the sea; also for Java it is written:
... Non anche,
l’opra del secol non anche è piena.[86]](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-71-320.jpg)
![CHAPTER VI
EAST JAVA
cosi da l’ossa dei sepolti cantano
i germi de la vita e degli spiriti.[87]
Giosuè Carducci, Odi Barbare (Canto di marzo).
When, suddenly, for reasons still unknown, the classic period of art
in Central Java closed, about 850 Saka (a.d. 928), East Java
awakened and entered on an era of artistic activity in every
direction, which lasted until the fall of Mojopahit six centuries and a
half later. In architecture it offers nothing so grand and imposing as
the ancient temples of the Middle Empire, but much more diversity,
and numerous inscriptions, resembling, after 900 Saka (a.d. 978), in
form and contents, what we possess of old Javanese literature,
enable us in many cases to determine the dates and also the
character of the chandis, found principally along the course of the
Brantas in the residencies Pasuruan, Kediri and Surabaya. Moving
eastward, it was there that Hindu civilisation made greatest
progress, no more in the vigorous enthusiasm of a young faith eager
to proselyte, but modified by and finally succumbing to the
influences of the soil, the climate, the idiosyncrasies of the](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-72-320.jpg)
![aborigines. The oldest dates (Madioon, Kediri, Surabaya and
Pasuruan) fall between 890 and 1140; then we have a good many
again from Kediri (1120-1240 and 1270-1460) and from Surabaya
(1270-1490); also from Pasuruan, Probolinggo and Besuki (1340-
1470), Madura (1290-1440) and Rembang (1370-1390); finally, the
constructive energy returning to Central Java, from Samarang and
Surakarta (1420-1460), Suku and Cheto bringing up the rear. In the
palmy days of Daha and Tumapel a sort of transition style was
elaborated; under Ken Angrok and his descendants on the throne of
Mojopahit, East Java reached its architectural zenith, never equal in
the grandeur of its conceptions to the Boro Budoor or even the
Prambanan temples, to the symmetrical richness of the Mendoot,
but making up in fantastic decoration what it had lost in sobriety of
outline. The builders pandered to the unwholesome demand for that
perfection at any cost which Ruskin censures as the main mistake of
the Renaissance in its early stages, the workman losing his soul in
exchange for consummate finish. But, though they bear the impress
of decadence, the products of eastern Javanese constructive efforts
are not wholly degenerate, never coarse or vulgar and well worth
looking at from more than one point of view. The evolution of the
ornament alone is exceedingly suggestive: the “recalcitrant spiral”
which in Central Java ascends, decking the supports, topples, as it
were, in East Java, losing its character and becoming a meaningless
adornment of the casements of, e.g., the chandi Panataran; the
kala-heads remain but the makaras change into a flame-like
embellishment; where they are altogether dissolved, as in the chandi
Jago or Toompang, it is safe to conclude with Dr. Brandes to late
eastern Javanese influences.[88]
It has been conjectured that the migration of Hinduïsm to East Java
was the effect of Buddhism gaining ground in the central part of the
island; that the pronounced Sivaïte tendencies of Mojopahit were a
reaction against Buddhist innovations. But it remains still to be
proved that Mojopahit, though worshipping Siva as the supreme god
of the Trimoorti, adhered to his overlordship in all its orthodox purity.
There are, on the contrary, indications of Vishnuïte leanings, of](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-73-320.jpg)
![Buddhist heresy, of a syncretism no less pronounced than that of
Prambanan and the Mendoot. In the time of Old Mataram’s
hegemony, Buddhism must have ingratiated itself to some extent
with her eastern vassals and, though not one of the temples in East
Java is Buddhist after the fashion of the chandis Boro Budoor,
Mendoot and Sewu, vestiges of the Bhagavat’s doctrine are
undeniable in Kediri, Southern Surabaya and Northern Pasuruan. A
fusion of Sivaïsm and Buddhism has continuously controlled the
construction of the larger temples of the later eastern Javanese
period, says Rouffaer. Statues found in many places, e.g. in the
chandi Toompang, are distinctly Buddhist and, what is most
remarkable, though of later workmanship than those of Central Java
and of a different style, tainted by decadent methods, they possess
high merits as works of art. In their Sivaïtic surroundings they
confirm the statements of the Chinese traveller Hiuen Tsiang who,
perambulating India between 629 and 645, before the persecution of
the Buddhists commenced, remarked upon the tolerance of the
brahmins and vice versa, a virtue the Hindus carried with them to
Java as already observed in the chapter on Prambanan. The kings of
Mojopahit followed the example set in those regions: they were
Saivas, Vaishnavas, Buddhists or followers of no one creed in
particular, ready to protect and prefer each of them according to
circumstances. In codes of law and poetry, Sivaïte priests and
sugatas, pious brethren on the Buddhist road to perfection, are
mentioned in one breath as conductors of the religious exercises on
festive occasions, invoking the blessings of heaven on harvests and
enterprises of peace and war; the poet Tantular calls the Buddha
one with the Trimoorti.[89]
The Muhammadans were not so indulgent when the Pangerans of
Giri increased in authority as spiritual leaders of their faith,
successors of Maulana Ibrahim, its first apostle in East Java. The
hillock of Giri became a centre of incitement to the holy war,
particularly so under Raden Ratu Paku or Sunan Prabu Satmoto,
whose tomb is still an object of Moslim pilgrimage.[90] With his
approval, if not on his instigation, the Muhammadan states on the](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-74-320.jpg)
![north coast combined under Raden Patah of Demak to compass the
extermination of heathenism and he lived to see the overthrow of
Mojopahit, though dying shortly afterwards. If the Moslemin yearned
to gain Paradise, sword in hand, martyrs for their Prophet’s
dispensation, those of the old creed remembered the power of their
gods, blowing the sanka, the war-shell of Vishnu, who proved to
Sugriva and Hanoman his superiority over Wali by shooting his arrow
through seven palm-trunks; who, in his fourth avatar, as narasinha,
the man-lion, ripped open the belly of the sacrilegious demon
Hiranya Kasipu. But Raden Patah, marching with his allies,
marvellously helped in the way of the Lord against the idolaters of
Mojopahit, the swollen with pride, proved to be the giant in the
shape of a dwarf, Vamana, known from their god’s fifth avatar,
conqueror of the three worlds. And Mojopahit, so great that the
claims to the honour of her foundation, forwarded by as many
princely houses as existed in those days, were fused in the tradition
of her divine origin, her capital with its hundred gates and shining
streets and palaces, the like of which had never been seen, having
sprung from the earth in one night as a flower at the call of the
fragrant dawn,—Mojopahit was overthrown and, laments the
Javanese chronicle, the prosperity of the island disappeared. Not the
last but the strongest bulwark of Hinduïsm had ceased to exist,
bearing bitter fruit[91] of presumptuous pride indeed; the later Hindu
empires, even Balambangan, which gave so much trouble to New
Mataram and submitted only to the arms of the East India Company,
leaving the ancient creed to die of slow exhaustion in the Tengger
mountains, were nothing compared to her.
Like the remains, near the dessa Galang, of the kraton of the kings
of the older empire of Daha, what has escaped total destruction of
the capital of Mojopahit is constructed of brick. The ruins are
situated about eight miles to the southwest of Mojokerto[92] in the
valley of the Brantas; near Ngoomplak was the site of a royal
residence in the building of which stone seems also to have been
used. Raffles, visiting those heaps of debris scattered over quite a
large area, found but scanty evidence of the fact that he trod the](https://image.slidesharecdn.com/2202782-250602164552-f6fe7bd7/85/Isse-2006-Securing-Electronic-Busines-Processes-Highlights-Of-The-Information-Security-Solutions-Europe-2006-Conference-1st-Edition-Sachar-Paulus-75-320.jpg)
Isse 2006 Securing Electronic Busines Processes Highlights Of The Information Security Solutions Europe 2006 Conference 1st Edition Sachar Paulus
- 1. Isse 2006 Securing Electronic Busines Processes Highlights Of The Information Security Solutions Europe 2006 Conference 1st Edition Sachar Paulus download https://ebookbell.com/product/isse-2006-securing-electronic- busines-processes-highlights-of-the-information-security- solutions-europe-2006-conference-1st-edition-sachar- paulus-4405564 Explore and download more ebooks at ebookbell.com
- 2. Here are some recommended products that we believe you will be interested in. You can click the link to download. Isse 2008 Securing Electronic Business Processes Highlights Of The Information Security Solutions Europe 2008 Conference 1st Edition Lenka Fibikova https://ebookbell.com/product/isse-2008-securing-electronic-business- processes-highlights-of-the-information-security-solutions- europe-2008-conference-1st-edition-lenka-fibikova-4404152 Isse 2009 Securing Electronic Business Processes Highlights Of The Information Security Solutions Europe 2009 Conference 1st Edition Vittorio Bertocci Auth https://ebookbell.com/product/isse-2009-securing-electronic-business- processes-highlights-of-the-information-security-solutions- europe-2009-conference-1st-edition-vittorio-bertocci-auth-4405568 Isse 2004 Securing Electronic Business Processes Highlights Of The Information Security Solutions Europe 2004 Conference 1st Edition Sachar Paulus https://ebookbell.com/product/isse-2004-securing-electronic-business- processes-highlights-of-the-information-security-solutions- europe-2004-conference-1st-edition-sachar-paulus-4602358 Issesecure 2007 Securing Electronic Business Processes Highlights Of The Information Security Solutions Europesecure 2007 Conference 1st Edition Norbert Pohlmann https://ebookbell.com/product/issesecure-2007-securing-electronic- business-processes-highlights-of-the-information-security-solutions- europesecure-2007-conference-1st-edition-norbert-pohlmann-4240070
- 3. Desertification In The Mediterranean Region A Security Issue 1st Edition William G Kepner Auth https://ebookbell.com/product/desertification-in-the-mediterranean- region-a-security-issue-1st-edition-william-g-kepner-auth-4286694 Software Security Theories And Systems Mextnsfjsps International Symposium Isss 2002 Tokyo Japan November 810 2002 Revised Papers 1st Edition Roy Campbell https://ebookbell.com/product/software-security-theories-and-systems- mextnsfjsps-international-symposium-isss-2002-tokyo-japan- november-810-2002-revised-papers-1st-edition-roy-campbell-4604716 Software Security Theories And Systems Second Mextnsfjsps International Symposium Isss 2003 Tokyo Japan November 46 2003 Revised Papers 1st Edition Frederick Butler https://ebookbell.com/product/software-security-theories-and-systems- second-mextnsfjsps-international-symposium-isss-2003-tokyo-japan- november-46-2003-revised-papers-1st-edition-frederick-butler-4604744 Peace And Security In Northeast Asia Nuclear Issue And The Korean Peninsula Nuclear Issue And The Korean Peninsula Peter Hayes Young Whan Kihl https://ebookbell.com/product/peace-and-security-in-northeast-asia- nuclear-issue-and-the-korean-peninsula-nuclear-issue-and-the-korean- peninsula-peter-hayes-young-whan-kihl-44004308 Nanotechnology As A National Security Issue 1st Edition John F Sargent https://ebookbell.com/product/nanotechnology-as-a-national-security- issue-1st-edition-john-f-sargent-51357812
- 6. Sachar Paulus Norbert Pohlmann Helmut Reimer ISSE 2 0 0 6 - Securing Electronic Business Processes
- 7. vieweg-it Understanding MP3 by Martin Ruckert Neuro-Fuzzy Systems by Detlef Nauck, Christian Borgelt, Frank Klawonn and Rudolf Kruse Applied Pattern Recognition by Dietrich W. R. Paulus and Joachim Hornegger From Enterprise Arciiitecture to iT Governance by Klaus D. Niemann Beyond Compliance by Ralf-T. Grunendahl and Peter H. L Will Microsoft Navision 4.0 by Paul M. Diffenderfer and Samir El-Assar jr. Process Modeling with ARIS* by Heinrich Seidlmeier WWW.vieweg.de
- 8. Sachar Paulus Norbert Pohlmann Helmut Reimer ISSE 2006 - Securing Electronic Business Processes Highlights of the Information Security Solutions Europe 2006 Conference With 130 illustrations vieweg
- 9. Bibliographic information published by Die Deutsche Nationalibliothek Die Deutsche Nationalbibliothek lists this publication in the Deutsche Nationalbibliographie; detailed bibliographic data is available in the Internet at <http://dnb.d-nb.de>. Many of designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. 1st edition October 2006 AH rights reserved © Friedr. Vieweg & Sohn Verlag | GWV Fachverlage GmbH, Wiesbaden 2006 Editorial office: Gunter Schuiz / Andrea BroBler Vieweg is a company of Springer Science+Business Media. www.vieweg.de No part of this publication may be reproduced, stored in a retrieval system or transmitted, mechanical, photocopying or otherwise without prior permission of the copyright holder. Cover design: Ulrike Weigel, www.CorporateDesignGroup.de Typesetting: Oliver Reimer, llmenau Printing and binding: LegoPrint SpA, Lavis Printed on acid-free paper Printed in Italy ISBN-10 3-8348-0213-1 ISBN-13 978-3-8348-0213-2
- 10. Contents Preface xi About this Book xiii ISCOM: On the Way for ICT Security in Italy xv RFID, e-ID Cards, Trusted Computing, Interoperability 1 Radio Frequency Identification (RFID) and Data Protection Legal Issues Zoi Talido 3 e-ID and Smartcards - Current Status, Hopeful Developments and Best Practices Graham Williamson 17 European Citizen Card Combined with Travel Document Function, Convergence or Divergence? DetlefHoudeau 25 Physical Unclonable Functions for enhanced security of tokens and tags Pim TuylSy Boris Skoric 30 Hardware Security Features for Secure Embedded Devices Helena Handschuh, Elena Trichina 38 Security in Next Generation Consumer Electronic Devices Tom Kan, Tim Kerins, Klaus Kursawe 45 Security Architecture for Device Encryption and VPN Ammar Alkassar, Michael Scheibel, Christian Stable, Ahmad'Reza Sadeghi, Marcel Winandy 54 TPM Enterprise Key Management requires centralized Hardware-based Security Bemhard Weiss 64
- 11. vi Contents Implementation of DRM Systems under the EU Legal Framework Pius Alexander Benczek 72 IT-Grundschutz: Two-Tier Risk Assessment for a Higher Efficiency in IT Security Management Angelika Jaschob, Lydia Tsintsifa 95 ISO/IEC 24727 - A Future Standard for Smart Card Middleware Stephan Spitz, Jens Urmann, Gisela Meister 102 Information Security Standardization ~ the ETSI Perspective Charles Brookson, Dionisio Zumerle 108 Digital Signatures without the Headaches Nick Pope, Juan Carlos Cruellas 119 Could Test Standards Help on the Way to Achieve Global e-Passport Interoperability? Andreas M, Wolf 129 A New Standard Based Road to Interoperable Strong Authentication Philip Hoyer 139 Identity Management, Biometrics, PKi-SoJutions, Network Security 149 Identifying Patterns of Federation Adoption Heather Hinton, Mark Vandenwauver 151 Fidelity: Federated Identity Management Security based on Liberty Alliance on European Ambit Manel Medina, Miguel Colomer, Sandra Garcia Polo, Antoine de Poorter 161 Deflecting Active Directory Attacks • JanDe Clercq 168
- 12. Contents vu Implementing role based access control - How we can do it better! Marko Vogel 176 Identity and Access Control - Demonstrating Compliance Marc Sely Bart Van Rompay 186 Robust and Secure Biometrics: Some Application Examples T. Kevenaar, GJ, Schrijen, A. Akkermans, M. Damstra, P. TuylSy M. van der Veen 196 Selecting the Optimal Biometric 2-factor Authentication Method - a User's Viewpoint GunterBitz 204 A Face Recognition System for Mobile Phones Paolo Abeni Madalina Baltatu, Rosalia D'Alessandro 211 Advanced certificate validation service for secure Service-Oriented Architectures Antonio Ruiz-MartineZy Daniel Sanchez-Martinez, C. Inmaculada Marin-Lopez, Antonio F. Gomez-Skarmeta 218 An Introduction to Validation for Federated PKIs Robert Dulude, David Engberg, Seth Hitchings _ 228 MADSig: Enhancing Digital Signature to Capture Secure Document Processing Requirements Jean-Christophe Pazzaglia, Stefano Crosta 241 PKI Consolidation Project and MultiappUcative Smart Payment Cards Milan Markovic, Milos Kilibarda, Aleksandar Milosevic 249 Security Analysis and Configuration of Large Networks Antonio Lioy 259 S-VPN Policy: Access List Conflict Automatic Analysis and Resolution Simone Ferraresi, Stefano Pesic, Livia Trazza, Andrea Baiocchi 266
- 13. viii Contents Lock-Keeper: A New Implementation of Physical Separation Technology Feng Cheng, Christoph Meinel 275 SPEECH: Secure Personal End-to-End Conmiunication with Handheld A, Castiglione, G. Cattaneo, A. De Santis, F, Petagna, U, Ferraro Petrillo 287 Finding the Mobile Trusted Element Fabio Ricciato, Maura Turolla, Antonio Varriale 298 Security Management, Applications 309 Centrally Administered COIs Using Cross-Organizational Trust Kevin FoltZy Coimbatore Chandersekaran 311 Improving Assurance of Information Security Rol Michael D. Barwise 318 Modelling the Economics of Free and Open Source Software Security Anas Tawilehy Jeremy Hilton^ Steve Mcintosh 326 Securing service-oriented applications Anthony Nadalin, Nataraj Nagaratnam, Maryann Hondo 336 A Service Oriented Trust Development Platform Helena Rifa, Francisco Jordan 344 A Trust Label for Secure and Compliant e-ID AppUcations: The Belgian Experience Geert Somers, Jos Dumortier 356 Electronic signature in Italy after ten years of "running in" Giovanni Manca 363
- 14. Contents ix Awareness Raising, Compliance, Data Protection, Cyberspace Regulation 375 Internet Early Warning System: The Global View Norbert Pohlmann, Marcus Proest 377 IT Security Vulnerability and Incident Response Management WimHafkamp 387 Blending Corporate Governance with Information Security Yves Le Roux 396 On Privacy-aware Information Lifecycle Management in Enterprises: Setting the Context Marco Casassa Mont 405 Regulation of State Surveillance of the Internet Murdoch Watney 415 How Can NRA Contribute to the Improvement of IT Security? Rytis Rainys 426 Information Security Regulation: Tomorrow Never Dies? Andreas Mitrakas 433 Introducing Regulatory Compliance Requirements Engineering ShahbazAli, Jon Hall 439 Legal Issues in Secure Grid Computing Environments Irene Kafeza, Eleanna Kafeza, Felix Wai-Hon Chan 448 The Impact of Monitoring Technology on the Law Pieter Kleve, Richard De Mulder, Kees van Noortwijk 455 Index 467
- 15. Preface ENISA is proud to be working with eema, TeleTrusT, ISCOM (the Italian Institute for Communications and Infor- mation Technologies) and the German Federal Ministry of the Interior as well as the German Federal Office for Information Security for this year's 8th annual Information Security Solu- tions Europe Conference. The aim of ISSE has always been to support the development of a European information security culture. ENISA is com- mitted to this goal, in our work to assist and advise the Euro- pean Commission, Member States as well as business com- munity on network, information security and legislative re- quirements and we are delighted to support ISSE again this year. The security of communication networks and information systerns is of increasing concern. In order to face today's complex information security challenges it is clear that working collabo- ratively with one another is the key to generating new strategies to address these problems. It has been an exciting opportunity to facilitate this collaboration at ISSE 2006, and pull to- gether the wealth of industry knowledge, information and research that we hold in Europe, and across the globe. The success of this event in generating ideas and frank, lively debate around the complex topic of IT security is due also to the independent, varied nature of the progranmie, which was selected by world-wide industry speciaHsts. Some of the key topics explored at this year's conference have been chosen as the basis for this book, which is an invaluable reference point for anyone involved in the IT security indus- try. We hope that you will find it a thought-provoking and informative read. Andrea Pirotti, Executive Director, ENISA
- 16. About this Book The Information Security Solutions Europe Conference (ISSE) was started in 1999 by eema and TeleTrusT with the support of the European Commission and the German Federal Minis- try of Technology and Economics. Today the annual conference is a fixed event in every IT security professional's calendar. The integration of security in IT applications was initially driven only by the actual security issues considered important by experts in the field; currently, however, the economic aspects of the corresponding solutions are the most important factor in deciding their success. ISSE offers a suitable podium for the discussion of the relationship between these considerations and for the presentation of the practical implementation of concepts with their technical, or- ganisational and economic parameters. From the beginning ISSE has been carefully prepared. The organisers succeeded in giving the conference a profile that combines a scientifically sophisticated and interdisciplinary discus- sion of IT security solutions while presenting pragmatic approaches for overcoming current IT security problems. An enduring documentation of the presentations given at the conference which is available to every interested person thus became important. This year sees the publication of the third ISSE book - another mark of the event's success - and with about 50 carefully edited papers it bears witness to the quality of the conference. An international programme committee is responsible for the selection of the conference con- tributions and the composition of the programme: • Ronny Bjones, Microsoft (Belgium) • Alfred Biillesbach, Daimler Chrysler (Germany) • Lucas Cardholm, Emst&Young (Sweden) • Roger Dean, eema (UK) • Marijke De Soete, Security4Biz (Belgium) • Jos Dumortier, KU Leuven (Belgium) • Walter Fumy, Siemens (Germany) • Boaz Gelbord, ENISA (Greece) • David Goodman, eema (UK) • Michael Hange, Federal Office for Information Security (Germany) • John Hermans, KPMG (Netherlands) • Jeremy Hilton, Cardiff University (UK) • Alison James, eema (UK) • Frank Jorissen, SafeBoot (Belgium) • Matt Landrock, Cryptomathic (Denmark) • Tim Mertens, ENISA (Greece) • Andreas Mitrakas, ENISA (Greece) • David Naccache, ENS (France) • Sachar Paulus, SAP (Germany)
- 17. XIV About this Book • Daniele Perucchini, Fondazione Ugo Bordoni (Italy) • Attila Peterfalvi, Parliamentary Commissioner for Data Protection and Freedom of In- formation (Hungary) • Norbert Pohlmann, University of Applied Sciences Gelsenkirchen (Germany) • Bart Preneel, KU Leuven (Belgium) • Helmut Reimer, TeleTrusT (Germany) • Paolo Rossini, Telsy Italia (Italy) • Wolfgang Schneider, Fraunhofer SIT (Germany) • Robert Temple, BT (UK) The editors have endeavoured to allocate the contributions in these proceedings - which dif- fer from the structure of the conference programme - to topic areas which cover the interests of the readers. Sachar Paulus Norbert Pohlmann Helmut Reimer eema (www.eema.org): Established in 1987, eema is an independent association of IT professionals, businesses and governments providing business and technical networking opportunities at both local and regional levels in the broad areas associated with digital identity and its appli- cations, such as security. Our mission is to stimulate the growth and effectiveness of our members' business in these areas through increased market awareness, coop- eration and opportunity creation. We aim to bring over 1,500 member repre- sentatives together in a neutral environment for education and networking puposes. We enable members to share experiences and best practice by holding meetings and con- ferences, by facilitating working groups who produce reports on topical subjects, and by helping members to connect with the right person to help them solve business issues or develop beneficial business relationships. All work produced by members is available free to other members, and previous papers include: Towards Understanding Identity, Role Based Access Control - a Users Guide, Secure e-mail within a Corporate Environ- ment and Secure e-mail between Organisa- tions. For more information contact: [email protected]. TeleTrusT (www.teletmstde): In the 16 years of its existence TeleTrusT has evolved into a competence network for applied Cryptography and Biometrics with over 90 institutional members. The TeleTrusT working groups produce re- sults which create an advantageous frame- work for trustworthy solutions of daily busi- ness processes as well as contributing to their acceptance. TeleTrusT brings together the interests of users and vendors. Thus vendors can satisfy the users' demands more effectively with marketable products and services, in which scalable security mechanisms are imple- mented. TeleTrusT seeks and cultivates the coopera- tion with other organisations with similar objectives - in Germany and internationally. Thus ISSE has been organised in coopera- tion with EEMA, ENISA and ISCOM in Rome this year. For further information contact: [email protected]
- 18. ISCOM: On the Way for ICT Security in Italy The Istituto Superiore delle Comunicazioni e delle Tecnologie deirinformazione (ISCOM) was established in 1907 as a tech- nical-scientific department belonging to the Italian Communi- cation Ministry. Considering its role as a nonpartisan public in- stitution, the Institute's value added in terms of reliability and expertise is the aspect which characterizes the technical support and consultancy services it provides to businesses and entities in the TLC sector. The role of ISCOM in providing services to ICT Companies, government agencies and users is manifold, spanning from experimental and research activities to special- ized training and education in the TLC field. One of ISCOM's main missions is its proactive role in national and international law-making activities, in order to ensure greater transparency and better access to services for users, manufacturers and TLC network administrators alike. As far as research is concerned, ISCOM is essentially focused on developing and improving TLC and IT related services. Hence, activities involve almost all areas in these fields, from te- lephony to television, to signal processing and treatment, from network architecture to service implementation. ISCOM runs the Post-Graduate Specialization School in TLC (which began its activity in 1923), which provides higher education in electronic communication and information tech- nologies; it also provides technical training and updating courses on electronic communica- tions and information technologies, security, multimedia applications, and Quality of Service to both Ministry and government staff in general, to enhance their technical know-how and skills. ISCOM works with several Certification Bodies to verify and control Corporate Quahty Sys- tem compliance with UNI EN ISO 9000 standards, is involved in monitoring Accredited Laboratory compliance with UNI CEI EN ISO/IEC 17025 rules and is a Notified Body for ac- tivities envisaged by Legislative Decree n. 269 of May 9, 2001. It is also a Notified Body un- der the EU Directive on radio equipment and teleconmiunications terminal equipment as well as a Competent Body and Notified Body on electromagnetic compatibility. In 2002, the Insti- tute became the International Certification Body for the TETRA MoU. Among all the numerous ISCOM fields of activity, ICT security is getting an increasing rele- vance. Here, ISCOM plays a leading role in various contexts, some of which are briefly sum- marized below: • Due to his widely recognized non-partisan role, a government decree dated October 30, 2003 appointed ISCOM the Certification Body within the Italian certification scheme for commercial security systems and products. The Certification Body supervises all the
- 19. xvi ISCOM: On the Way for ICT Security in Italy activities carried out within the certification scheme, which operates according to the in- ternational evaluation criteria ITSEC and Common Criteria. • ISCOM is an Evaluation Center (Ce.Va.) for ICT systems and products dealing with classified data. The center, the only one belonging to the Italian Public Administration which has been accredited by the Autorita Nazionale per la Sicurezza (ANS), carries out evaluation activities according to ITSEC and Common Criteria. • ISCOM runs the Training Center on ICT Security for Public Administration personnel. The Training Center provides training and raises awareness amongst government em- ployees on ICT security, through the development of a centralized and coordinated Training and Awareness-Raising Plan aimed at disseminating security principles and methodologies throughout the Administration. • The Institute acts as promoter and leader of several initiatives aimed at raising the na- tional level of ICT security, by gathering the expertise of the major subjects operating in the ICT field. Among these initiatives we can recall the redaction of three guidelines, in EngUsh and Italian, on 'The quality of service in ICT networks'', ''Risk analysis and pro- tection strategies for network security'' and "Network security in critical infrastruc- tures", carried out with the contribution of experts from institutions and industry. Six more guidelines are being released; these will be focused on deepenings on risk analysis, on the outsourcing of security services, on QoS in UMTS, on QoS in broadband net- works, on local emergency handling and on security certification. Moreover, ISCOM has promoted the creation of ISAC on network security, currently involving all the ma- jor Italian network operating companies. ISCOM hosting of ISSE 2006 is a further prove of our desire to play a role in fostering the European information security debate. We look forward to a great opportunity for the ex- change of ideas and experiences. Luisa Franchina, PhD, General Director of Istituto Superiore delle Comunicazioni E delle Tecnologie dellTnformazione
- 21. Radio Frequency Identification (RFID) and Data Protection Legal Issues^ Zoi Talidou Hellenic Data Protection Authority Legal Auditor Kifisias 1-3, Athens [email protected] Abstract Radio Frequency Identification (RFID) Technology uses radio waves to identify automatically, wire- lessly, contact less and without visibility objects which, or people who have an RFID tag attached. It is being used in many sectors but raises data-protection concerns. The reasons for that are the world- wide unique identifier, the possibility of unnoticed remote reading, and the profiling through sporadic surveillance. For these reasons RFID-technology introduces new legal issues that have to be discussed: what is personal data, who is responsible for the data processing, whether the data-transmission is tele- communication, whether it presents a new way of direct marketing or if it constitutes an automatic de- cision. In the early 1970s fears about loss of privacy and worries concerning data protection were focused on large, centrally held data-bases containing files about named or numbered individuals processed by huge computers situated in big rooms. As the Web, its attendant search engines and the inter-link abil- ity of many databases in various networks have developed, the concept of "files" became trivial. Now the emerging RFID technology contributes to the realisation of the Ambient Intelligence Environment, where intelligent objects communicate with each other by exchanging information and taking deci- sions. That introduces us to the next step of the "Internet of the things". Technology innovation and the impact of its usage stress a rethinking and re-examining of the traditional legal principles and legal instruments in the field of data protection. 1 What RFIDs are all about Radio Frequency Identification (RFID) Technology belongs to the broad category of auto- matic identification technologies^ and uses radio waves to automatically identify wirelessly, contact less and without visibility^ objects which, or people who have an RFID tag attached. It consists of two parts: a tag that contains an identification number and a reader who works as a scanner. This number usually acts as an input to further data processing^. A typical RFID tag consists of a small integrated circuit attached to a radio antenna, capable of transmitting a unique serial number. The tag can easily be embedded onto or into (textile-) products, onto their packages or even direct implanted beneath human's skin. RFID tags can be active, semi- This paper is based on a report conducted for LEGAL-IST ^ What is RFID?, RFID Journal, available at: http://www.rfidjoumal.com/article/articleprint/1339/-l/129/ ^ See http://en.wikipedia.org/wiki/Rfid. ^ Hennig, Ladkin, Sieker, Privacy Enhancing Technology Concepts for RFID Technology Scrutinised, p.l. S. Paulus, N. Pohlmann, H. Reimer (Editors): Securing Electronic Business Processes, Vieweg (2006), 3-16
- 22. 4 Radio Frequency Identification (RFID) and Data Protection Legal Issues active or passive. Passive Tags do not have a power source; they simply reflect back energy coming from the reader antenna"^. Active RFID tags on the other hand, have their own internal power source that allows them having longer range and larger memories than passive tags, as well as the ability to store additional information sent by the transceiver. A typical reader is a device that has one or more antennas that emit radio waves and receive signals back from the tag. This RFID reader is a data-collection instrument, and a transmitter or broadcaster of in- formation, as it sends its data through the information network. The databases connected to these networks hold, use and disclose the gathered information. The innovation of RFID tags is that they provide for unique identification of each tagged unit whereas bar codes are identical for every unit of the same product^. Prices of RFID are drop- ping. Many postulate that they will be the essential drivers of ubiquitous computing and will introduce the so-called "Internet of the things". 2 Use of RFID technology 2.1 Retail/Consumer Goods Sector Companies across the retail and consumer packaged goods supply chains have been among the early adopters of RFID and Electronic Product Code (EPC) technologies. The use of this new technology is connected to the EPC Discovery Service, an aggregate database of tag "sightings" collected from independent readers. Anyone with access EPC Discovery can monitor or track the movement of a particular RFID-tagged item. The retail industry is using passive tags that implement no protection against unauthorised access to the information held. Hence the EPC can be read out directly by any RFID-reader from a six to eight meters dis- 2.2 Manufacturing Sector RFID technology can increase productivity and reduce costs by enabling to track inventory, reusable containers, work in process and finished products: they can manage parts inventory with active RFID, improve the tracking of work in process, reduce parts defects, and increase factory productivity by using active RFID tags. In some cases, RFIDs aim in such seemingly simple tasks as ensuring that the right label goes on a product or that a box contains every- thing it should. In other cases, RFID is put through more complex uses as tracking an item through every workstation and recording every tool that performed an operation on it. This in- formation can be used to quickly identify potential problems and correct them before they show up in the product. RFID can furthermore save companies a great amount of money spent on replacing lost tools, that can be easily traced through the tags. The basic of RFID Technology, RFBD Journal, available at: http://www.rfidjoumal.com/article/articleprint /1337/-1/129/ ^ See International Conference of Data Protection & Privacy Commissioners, Resolution on Radio-Frequency Identification, (Nov. 20, 2003) p. 2, available at: http://www.privacyconference2003org/resolutions/res5.DOC. ^ Auto-ID Centre (2003): Technical report 860MHz-930MHz Class I Radio Frequency Identification Tag Radio Frequency & Logical Communication Interface Specification Candidate Recommendation, Version 1.0.1., MIT, USA, available at: http://interval.hu-beriin.de/downloads/rfid/chipldassen/4_candidate_recommendation_l_0_l .pdf
- 23. Radio Frequency Identification (RFID) and Data Protection Legal Issues 5^ 2.3 Recycling & waste management The EPC tags may be used to automatically sort recyclable material and will also identify manufacturer, type and weight of disposable material (the manufacturer of a product that will eventually constitute hazardous waste may ultimate have to pay for its safe disposal). 2.4 Transportation/Logistics Sector Transportation and logistic companies are already tagging product for their customers. Some of them are still examining how they can benefit internally, by improving the utilization of containers and chassis with RFID tracking. Logistics hubs can benefit from a real-time locat- ing system, and they can improve the visibility of cargo in transit and cargo security with electronic seals. 2.5 Libraries Libraries began using RFID systems to replace their electro-magnetic and bar code systems in the late 1990s. RFID technology in libraries promises to relieve repetitive strain injury, speed patron self-checkout, make possible comprehensive inventory and automated sorting, retrieve hidden items and support security. Many libraries (more than 130 in North America and the Stadtbibliothek of the city Wien"^) are starting to tag every item in their collections with RFID tags. But current library RFID tags do not prevent unauthorised reading of tag data^. 2.6 Tracking of animals (dogs, cows and sheep) Pets can be implanted with small chips so that they may be returned to their owners if lost. They can also be used to satisfy the need to track herds and to be able to recognize when an animal is missing and, if the animal has died, locate its body^. Beside that, request on safe handling with animals as a result of repeated outbreaks of epidemics is pointing out electronic animal tracking through RFID as a significant solution. Following successful animal tracking trials^^, the European Council of Ministers (ECM) has adopted a law^^ throughout Europe re- quiring the individual electronic tagging of sheep and goats using RFID technology. Besides RFID tags are used for to identify big pets, such as dogs over 20 kilograms. Several laws at the European level make the wear of such a tag compulsory, that will have to contain at least following data: unique number for the chip, data of the pet and data of the owner of the pet. " ^ http://www.ekz.de/2110.htinl ^ See Molnar, Wagner, Privacy and Security in Library RFID issues, practices and architectures, CCS'04, Octo- ber 25-29 2004, Washington, DC, USA, p. 218, available at: http://www.cs.berkeley.edu/molnar/library.pdf ^ See http://www.rfidgazette.org/asset_tracking/. ^° See Balch, Feldman, Wilson, Assessment of a RFID System for Animal Tracking, The BORG Lab, Georgia Institute of Technology, Atlanta, 1.10.2004, available at: http://www.cc.gatech.edu/~storm/Feldman2004TR.pdf ^^ Council Regulation (EC) No 644/2005 of 27 April 2005 authorising a special identification system for bovine animals kept for cultural and historical purposes on approved premises as provided for in Regulation (EC) No 1760/2000 of the European Parliament and of the Council, available at: http://europa.eu.int/eur- lex/lex/LexUriServ/site/de/oj/2005/l_107/l_10720050428de00180019.pdf
- 24. 6 Radio Frequency Identification (RFID) and Data Protection Legal Issues 2.7 Health Care Sector Hospitals plan to deploy RFID to identify patients, call up records, reduce medical errors and improve overall productivity. A pilot project has started in July 2005 in clinical centre of Saarbrucken, where thousand of patients receive by admission a bracelet with an RFID tag on which the patient identifier is stored. Physicians and nurses may access the patient identifier and data stored on a database through a wireless network. The project is based on a solution already deployed in Jacobi Medical Centre, New York^^. 2.8 Tracking of people (schools, prisons, VIP clubs) A group of children in Yokohama City in Japan wears active tags to keep them safe on their way to and from school^^. Each child participating to the progranmie wears a bracelet with a RFID tag. Existing Wi-Fi access points used by the city for wireless Internet access work as RFID readers that receive signals send by the tags. The system can also be set up to notify parents or guardians automatically via e-mail on a cell phone or PC if a child passes a specific Wi-Fi access point on the way to or from the school. The VIP Baja Beach Club in Barcelona offers it's VIP clients the opportunity to have a syringe-injected RFID microchip implanted in their upper arms: this chip gives them special access to VIP lounges, but also acts as a debit account, from which they can pay for drinks^'^. A new tracking system has been developed which provides real-time identification and tracking of inmates and officers*^. It handles common prison complexities such as a multi-floor, mixed indoor/outdoor environment, as well as the need for cell-level accuracy. The tag immediately detects any attempt to remove or tamper with it. The Los Angeles County jail system has reportedly engaged in a pilot project to use RFID technology to track inmates at the Pitchess Detention Centre in Castaic*^. 2.9 Passports and Ids In May 2004 the International Civil Aviation Organisation (ICAO) adopted specifications for machine readable travel documents (MRTD) which demands for digital storage of the pass photo^^. In compliance with the recommendations of the ICAO the Council of the European Union adopted on 13/12/2004 a regulation^^ mandating the inclusion of both facial image and fingerprints in future passports and travel documents issued by EU Member States. The new regulation aims at better protecting EU passports against falsification, at enabling better iden- tification of passport holders and at harmonising security standard features used in the pro- duction of passports and travel documents issued by Member States^^. As a result in Novem- ber 2005 Germany introduced the first e-passport^°, equipped with biometric data stored on a ^ ^ Computer mit Augen und Ohren, at: Frankfurter Allgemeine Zeitung, 14.01.2006, p. 18. ^ ^ http://www.rfidjoumal.com/article/articleprint/2050/-1/1/ ^ " ^ See http://news.bbc.co.Uk/2/hi/technology/3697940.stm; http://www.heise.de/newsticker/meldung/53789 ^ ^ See http://www.technologynewsdaily.com/node/1900. ^^ See http://www.socaltech.com/fullstory/0001952.html. ^ ^ Available at: http://www.icao.int/cgi/goto_m.pl7/icao/en/strategic_objectives.htm. ^ ^ Council Regulation 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States, OJ L 385, available at: http://europa.eu.int/eur-lex/lex/LexUriServ /site/en/oj/2004/l_385/l_38520041229en00010006.pdf ^^ See e-govemment of the European Union news available at: http://europa.eu.int/idabc/en/document/3669/330. ^^ http://www.epass.de/
- 25. Radio Frequency Identification (RFID) and Data Protection Legal Issues 1_ RFID tag. In Italy the Foreign Affairs Ministry issued on 17th January 2006 a decree concern- ing the introduction of a new electronic passport that will include biometric data contained in RFID chips^ The European Central Bank was moving forward with plans to embed RFID tags as thin as a human hair into the fibres of Euro bank notes by 2005^^. Hitachi Ltd. has de- veloped a RFID chip that requires no external antenna and makes possible the embedding of tracking and identification chips in bank notes, tickets and other paper products^^. But now it is still uncertain whether they will force this plan or not because, according to new state- ments, RFID technology is not safe enough to combat monetary counterfeit^"^. 2.10 Transportation: e-pass, e-plate, e-ticket Many countries, including Greece, have developed RFID-based Electronic Toll Collection systems for a variety of highways and bridges. As a vehicle equipped with a RFID trans- ponder enters a toll plaza equipped to accept RFID toll collection the radio frequency emitted by the electronic reader will activate the transponder. The transponder then sends out account or identification information pertaining to the vehicle. The information is received by the reader and through the antenna sent to the host computer system. The toll is then deducted from the account associated to that vehicle and the driver is signaled to proceed. The tags can be read at a speed of 100 miles per hour. Their use is simplifying the toll-collection procedure and so cutting traffic jams and the resulting levels of smog at toll booths. It is definitely clear, that these systems, once they are not designed to function anonymously, create a huge data- base recording the precise time and location of every toll crossing by every tagged car. For instance, the Greek "Taxes-Code for Books" poses the obligation of collecting and retaining for 6 years following data: name, residence, taxation-number, taxation authority, date of en- trance, hour and exact point of entrance of the highway/bridge user. The purpose of this data processing is limited to the performance of the contract between the toll collectors and their subscribers. Nevertheless of great importance is to establish policies that will prevent toll- crossing information from being used for purposes unrelated to traffic management. So that ETC databases are not routinely used by law enforcement agencies to track the movement of suspect cars and by both divorce lawyers and labor lawyers to track the movements of people under investigation. The British government is preparing to test new high-tech license plates containing micro- chips capable of transmitting unique vehicle identification numbers and other data to readers more than 300 feet away. United States are initiating their own tests of the plates, which in- corporate radio frequency identification to make vehicles trackable. Greece is in the very be- ginning of creating working groups with representatives of both governmental and private sector/university actors for planning their developement and eventually their deployment. ^^ See www.statewatch.org/news/2006/feb/08italy-biometric-passports.htm. Very critical: Juels /Molnar / Wag- ner, Security and Privacy Issues in E-Passports, lEE SecureComm 2005, available at: www.cs.berkeley.edu /-dmolnar/papers/papers.html; Rieback, Crispo, Tanenbaum, Is your cat infected with a computer virus?, 2006, available at: www.rfidvirus.org/papers/percom.06.pdf; Schulzki / Haddouti, Neue Reisepasse: Mit Sicherheit teuer, available at: http://www.sicherheit-heute.de/index.php?cccpage=Verkehr ^^ See Yoshida, Euro Bank Notes to Embed RHD Chips by 2005, EETimes, 19.12.2001, available at: http://www.eetimes.com/story/OEG20011219S0016 ^^ See http://www.computerworld.com/mobiletopics/mobile/story/0,10801,84543,00.html. ^^ See http://www.zeit.de/zeit-wissen/2006/01/Falschgeld.xml.
- 26. S Radio Frequency Identification (RFID) and Data Protection Legal Issues The public transportation network of big cities like London, Helsinki, Peking are already us- ing e-ticket. We are talking about a chip-card, used as a recharchable ticket, which will permit the passangers of easier and faster entrance of the transportation means and the public trans- port companies to avoid fare dodger and to use easier and faster the system of dynamic prices. 3 Legal Implications From the applications of RFID technology, as described above, following categories of RFID- tags arrear: We have the tags that contain only an item number. Their use is in giving infor- mation for the identification of an item. Through the linking of the RFID tag number with a products database one can find out what kind of item this is. Supposing the item information is linked to the purchaser during the payment procedure and further stored to a customers' da- tabase one may create customers' purchase profiles. Supposing the item information can be associated to a person either because this person is currently visible or this person is identifi- able by other means, for instance with its RFID identification card (i.e. passport) or em- ployee's card, this all may lead to a person's identification for various purposes (customers' profiling, surveillance of workers at workplace). The second category concerns tags that con- tain an identification number which reveals the identity of a person after the matching of the information contained on the tag with a backend data-base, which holds the information con- cerning the identity of the person. However the stronger relation to a person is to be found in the RFID tags of the third category. On these tags personal data are directly stored. They are normally active tags and contain information like name, age, nationality and so on. According to that following legal implications may arise. 3.1 Infringement of the right to privacy and data protection RFIDs tag may be related to personal information. Data protection and the information self- determination is a precious fundamental right that should be protected from the technical de- velopment, if this proceeds without taking into account the conformity to main constitutional values and rights. It should be assured that the right to privacy and to data protection will not turn into a caprice of the individual but will still remain an obligation of the democratic society. 3.1.1 Identification and profiling of a person RFID tags consist of a unique identification number. The use of the tag is to enable identify- ing and tracking every single item. Everyone who carries at least one so-tagged item is possi- ble to get allocated and tracked. RFID tags function as a unique identifier and the growing in- teroperability of the system makes allocating and tracking possible worldwide. Beyond that, the link-ability of RFID technology to other databases and their supersets-archives can facili- tate the identification process. RFID information can be used independent from information of other sources. But the facileness of the combination of both turns it into a main threat to privacy. As we saw in the application of RFID technology in the retail sector, once tagged ob- jects are owned by persons, it is possible to be related to them. The ability of tracking objects might become an ability to track individuals. Using RFID-Technology retailers might track customers within their shops in order to create profiles of movement which can be used to improve marketing strategies. One should mention that this is possible only by connecting the information obtained by the tagged object that individuals carry with them and their customer or credit cards that they submit at the purchase point. Only in that matter the data stored on the EPC tag relates to the person carrying it. In shopping malls several shops might interlink tracks and analyse the popularity of different parts of the centres by analysing the favourite shopping routes of customers that have already been identified by one of the shops in the
- 27. Radio Frequency Identification (RFID) and Data Protection Legal Issues 9_ mall. The advantage of it is a better management and promotion policy to increase consump- tion. 3.1.2 Unnoticed remote reading without iine-of-sight RFID tags can be read without line-of-sight and without overt evidence that they are being read. In addition their small size and their ability of working without any energy supply make them appropriate to be installed hidden. The problem is that radio waves allow data to be processed over a given distance without any need for a direct line-of-sight link with the chip and without the data subject having to take an active part in the process. In other words, data processing can take place without the knowledge of the data subject. Any data on RFID transponders that have not been destroyed or deleted can be read by visible or even invisible readers. The unnoticed remote reading may indeed be used for various purposes without the knowledge of the person in question, for instance for unnoticed surveillance of workers, un- noticed profiling of one's consuming preferences etc. 3.1.3 Use of RFID technology for law enforcement purposes The state might have an interest on making use of personal data obtained through RFID appli- cations for law enforcement purposes. Here all the applications mentioned above can be used by the Law Enforcement Authorities, under the conditions that every national legislation al- low this, for the puropses of prevention, investigation and prosecution of criminal offences. We could imagine the interest of these authorities for the exact identification of the owner of a consumer good related to a criminal offence, or the lists of the movement of cars passing through the toll-controls, the tracking of people carrying RFID enabled IDs or passports, or even RFID implanted tags. Even the use of RFID tags in banknotes can be highly problematic in this perspective. Through RFlDs it will be possible to determine which banknotes were withdrawn by whom from which automatic teller machine, or where those banknotes were then used to buy certain products or services. 3.2 Infringement of the right to personality RFID technology will contribute to the realisation of the Ubiquitous Computing: in a world of ubiquitous services the interaction of humans with computers should step behind and help us enter a digital world without realising it. The citizens must be fully aware of the innovation and of the data-processing procedures that enable this phenomenon but at the same time con- cerns them instantaneous^^. Within a densely populated world of smart and intelligent but in- visible communication and computation devices, no single part of our lives will per default be able to seclude itself from digitalisation^^. Nevertheless one should always be able to retrace the data-processing procedures and have the right to switch onto an "of-line" world. If there is no possibility to do so, this will affect the free expression of the personality of a human being. ^^ See Langheinrich, Die Privatsphare im Ubiquitous Computing - Datenschutzaspekte der RFID-Technologie, available at: http://www.vs.infethz.ch/publ/papers/langhein2004rfid.pdf ^^ Langheinrich, Privacy by Design-Principles of Privacy-Aware Ubiquitous Computing, p. 7 available at: http://www.vs.inf.ethz.ch/publ/papers/privacy-principles.pdf
- 28. 10 Radio Frequency Identification (RFID) and Data Protection Legal Issues 3.3 Infringement of the right to human dignity RFID systems introduce for the first time a new dimension of availability of trustworthy data about objects and about the movement of these objects in real time. They improve the congru- ence between real and virtual life^^. Consequently one could say that we enter a new era where the co-existence of two cognitive dimensions takes place while there is no assurance that the new technological aspects that lead us over are faultless. Beside the sociological as- pect of this observation, there is a legal impact too: complete reliance on technical systems and on-going dependency on them can turn into discrimination of individuals and breach of their constitutional rights. Here one could think of an obligation to carry RFID because there is no other way of acting in a future society. For instance we could imagine of future toU- controU systems using only RFID technology, where the right of travelling anonymous simply does not exist. The nature of RFID technology, identifying by sending information will first affect the right to privacy and to data protection of the individuals. However, the range of use of the new technology and the intensity of its application could contribute to the establish- ment of an environment, which does not respect basic values of a democratic society and fun- damental constitutional rights. In this regard, the Japanese program for the children (see sec. 3.1.8) might breach children's right to privacy and dignity by treating them like cattle or a piece of inventory and by familiarizing them with an environment and a world of absolute surveillance. 3.4 Unfair competition The interoperability of RFID systems is to be evaluated positively from a business perspec- tive: for a sustainable model, a retailer should avoid having to implement several different tag readers in order to scan tags produced by various manufacturers. Inexpensive tags simply do not have the memory to store lists of readers that can authenticate themselves to the tag, in order to avoid unwanted reading of tags; and they don't have the power to call out to an enter- prise server to get this information from a database^^. So they are exposed to unauthorised read- ing by competitors, for instance if a rival enters the shop of a competitor and "scans" by a mo- bile reader its inventory. In this respect concerns appear regarding unfair competition practices. 3.5 Labour iaw The deployment of RFID technology for the improvement of manufacturing, the supply and the logistics chain or for the end-customer service in the retail sector may raise implications for the employees. Besides, the use of the same RFID tags for other purposes, such as the sur- veillance of employees which is already mentioned above, this technology may affect the health of employees in terms of possible radiation emitted during the data communication be- tween tag and reader. It might also lead to cutting personnel as a result of rationalisation through the use of the technology. Such issues shall be treated as any other similar technology which is introduced at the workplace. For instance, according to national legislation in ques- tion prior approval by the workers' council might be necessary for the deployment of RFID ^^ See German Federal Authority for Information Systems Security (Bundesamt fiir Sicherheit in der Informa- tionstechnik), Security Aspects and Prospective Applications of RFID Systems, 2005, p. 85, available at: http://www.bsi.bund.de/fachthem/rfid/RIKCHA_englisch.pdf ^^ For more details concerning authentication in the RFID technology see Marlena Erdos, RFID and authentic- ity of goods, p. 137, in: Simson Garfinke/, Beth, Rosenberg, RFID Applications, Security and Privacy, 2006
- 29. Radio Frequency Identification (RFID) and Data Protection Legal Issues U^ technology^^. Moreover, as for any other technology deployed within the workplace, the em- ployer has a duty to monitor any negative effects to employees' health and take the appropri- ate counter-measures. 4 Existing and proposed Legislation Responding to worried constituents state legislators across the USA have already proposed new legislation that would Hmit the use of RFID technologies in businesses, schools, govern- ments and other apphcations. This initial response varies widely from state to state: Utah re- cently reviewed its laws on unauthorised access to networks and added wireless networks as it previously only addressed wire Hne networks: it clarifies that computer crimes laws apply to wireless networks. Virginia's law authorises research relating to methods of electronic toll collection. Also provides that data generated by automated electronic toll-collection systems on use of toll facilities can only be disclosed when so required by order of a court. Wyoming authorises telepharmacies to use automated inventory control including radio frequency tags. In many other states there exist pending legislature on RFID technology, which sometimes just seek to require only labelling and notice that RFID is in use, while in other cases like the California's approach would most tightly regulate the technology itself, including prohibi- tions of certain applications and technology-specific security requirements^^. At the European level the legislator did not take any initiative yet. Currently the subgroup "RFID and the interpretation of the term personal data" of the Article 29 Data Protection Working Party aims to specify and point out the legal implication of this new technology on the data protection rights of European citizens. At national level worthy to mention is Paragraph 6c of the German Federal Data Protection Law (BDSG is the German abbreviation), which applies to mobile data-storing and data proc- essing devices. Recently new interpretations^^ emerge, which consider RFID tags as such a mobile device and consequently extend the applicability of this provision to the RFID tech- nology as well. Aim of the new provision is to make the use of these devises transparent^^: it designs exhaustively both, the obligation of the controllers to give information to the data subjects and the right of access of the latter to the data concerned. It also requires that the conmiunication processing, which takes place on the mobile devices, should be clearly recog- nisable for the data subject. 5 Open Legal Issues 5.1 Do RFID tags contain personal data At a first glance, RFID products IDs look to be anonymous. But this data becomes person- related as soon as someone engages this product: it gets into contact with a customer wiUing ^^ The German Kaufhof AG has prior agreed with the employee's Council the exact purposes of RFID tags within its stores and its obligations regarding employees' health safety and a temporary prohibition of personnel reduction as a result of the use of RFID technology: RFID in Pilotphase - Gesamtvereinbarung bei der Kaufhof Warenhaus AG, in: RDV 2005, pp. 185 ^^ US privacy legislature related to RFID available at: http://www.ncsl.org/programs/lis/privacy/rfid05.htm. ^^ See Claus Mauricio Lahner, Anwendung des § 6 c BDSG auf RFID, available at DuD 2004, p. 723. ^^ See Bizer in Spiros Simitis, BDSG-Kommentar, 2003, § 6 c, p. 599.
- 30. ^2 Radio Frequency Identification (RFID) and Data Protection Legal Issues to buy it. This is a new person-relatable quality: the role of the tag is to bring the product and the consumer to a retraceable contact and to maintain it. The Data Protection Directive 95/46/EC sets out the general principles for the processing of personal data. In article 2 (a) defines the term "personal data" however in a very broad manner: ''any information relating to any identified or identifiable person". This also means that a person can be identified indi- rectly by reference to an identification number such as the one of RFID tag^^. From the mo- ment a person can make a link between the "anonymous RFID tag" and a person, even indi- rectly, Directive 95/46/EC is applicable. The data subject can be identified at an associative level because of the possibility of identifying her/him without difficulty due to the large mass of information surrounding her/him or stored about her/him. The perception of personal data has to be re-analysed in regard to specific characteristics of the RFID technology^"^. 5.2 Applicability of Directive 2002/58/EC When the RFID applications are not in use just for the organizational needs of a company but are settled in places that can be approached easily from everybody so that the data processing concerns the citizens and so touches their rights one should examine whether the transmission of data through radio frequencies can be considered as telecommunication: In this case the question is whether Directive 2002/58^^ on privacy and electronic conmiunications is appli- cable. The main points that are crucial for the discussion of the applicability of the Directive are following: • article 5 point 3 concerning the hidden identifiers such as cookies for Internet • article 9 concerning the location data • article 13 concerning the direct marketing One should take into account that according Article 3 of 58/2002 EC the provisions of the Di- rective apply only to the processing of personal data in connection with the provisions ofpub- licly available electronic communications services in public communications networks. Either we analyze these terms very broadly so that an RFID system can be considered as such a pub- lic electronic conmiunication network or we appeal to similar provisions taken on board of the Directive 95/46 EC. In Article 17 a supplementary provision should be added to provide for the adequate safeguards that contain all the three provisions of the E-privacy Directive mentioned above. Direct marketing with item-level tagging: It is to be settled down in which cases and under which conditions RFID technology can be used for the purposes of direct marketing (e.g. prior consent, opportunity to object of Art. 13 Directive 2002/58), and to appoint the safe- guards and the appropriate measures this will be prohibited. Location data: According to Art. 2 (c) Directive 2002/58 "location data" means any data processed in an electronic conmiunications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications services. The ^^ See Keuleers, Ewout, Reconciling RHD technology with data protection principles. Droit Nouvelles Tech- nologies, April 2005, p. 2. ^ " ^ Article 29 Data Protection Working Party, Working document on data protection issues related to RFID technology, WP 105, January 19, 2005, available at: http://europa.eu.int/comm/justice_home/fsj/privacy/docs/ wpdocs/2005wpl05_en.pdf ^^ OJ 2002 L 201/37.
- 31. Radio Frequency Identification (RFID) and Data Protection Legal Issues ^ 13_ data getting processed by RFID tags are location data, considering the fact that the readers that retrieve them are locally suited in a certain location in the network. That means that peo- ple's movements, and potentially their associations, can be tracked via a tag associated with them just as the widest application of RFID technology is to track items and consequently in- dividuals. Art. 9 Directive 2002/58 though stresses the need to inform the data subject of the type of location data which will be processed, of the purposes and the duration of the process- ing and whether data will be transmitted to third parties, so that they give to it. 5.3 Prior-checking One should examine whether according to Article 20 of the Directive 95/46 specific opera- tions performed with RFID technology are subjects to prior checking because they present specific risks and whether this can be replaced by the process of Privacy Impact Assessment (PIA). The latter can become an integral part of business process and can be made from the legislation of the Member States to a mandatory process. 6 Guidelines 6.1 Legal Guidelines to the deployers of RFID technology Data Protection Legislation in generally authorises the processing of personal data if data sub- jects consent to their data being processed, unless justified by a superior public or private in- terest or if there is a legal basis for the data to be processed. Consent is only valid if the pur- pose, place and manner of the data processing have been specified. The principle of good faith presupposes that data subjects are informed in a transparent manner. Notice and consent - The right to know whether a product contains an EPC RFID tag, and whether an RFID reader is being used in a public place. Participation in an RFID application should be strictly voluntary. Collection of data under informed consent means covert capture of information should not be permitted. Informed consent is recognised as the primary tool available to individuals to protect their privacy from technological invasion. Choice - The right to have the RFID tag in a purchased product deactivated without cost. Fur- thermore this means the right to RFID alternatives if the citizens decide to opt-out or "kill" the RFID tags and the right not to be discriminated by deny of use of this technology. We will have to ensure that for instance the option to return a product from which the RFID tag was removed or to travel on a particular road without using the RFID toll-system will still remain Data Quality Principle - Stipulates that personal data should be relevant to the purposes for which they are to be used and should be accurate, complete and up-to-date. Purpose Limitation Principle - The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the ful- filment of those purposes. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified under the preceding purpose specification princi- ple except with consent or by legal authority. Security Safeguards- Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access to personal data, destruction, use, modifica- tion or disclosure. Right of access - An individual should have the right to ascertain or confirm whether a data controller has data relating to him or her and to challenge that data.
- 32. J4 Radio Frequency Identification (RFID) and Data Protection Legal Issues 6.2 Technical recommendations Apart from these fundamental data-protection-principles that should be taken into account and should be embedded in a future RFID legislation^^, a provision should be also established that facilitates the proper data-security measure based on the one of the technical solutions below. Kill-Order Solution: The most common solution to the RFID privacy problem is to disable the tag at the point of sail by sending a "kill" command, the so called kill solution. Even though deactivated tags cannot be read anymore, this solution has several technical and economic drawbacks: This cannot be implemented to all tag functions, for instance to library book tags or toll road subscriptions. Deactivation of the tag at the point of sale ensures the privacy of the consumer (if the tag is properly killed) but it prevents natural post-purchase services such as warranty, access to product support, advanced recycling and waste management, advanced home applications, and all the other applications in the two last phases of the RFID-tag life cycle. The blocker tag: It is a cheap passive RFID device that can simulate many ordinary RFID tags simultaneously. When carried by a consumer, a blocker tag thus blocks RFID readers. It can do so universally by simulating all possible RFID tags. Or a blocker tag can block selec- tively by simulating only selected subsets of ID codes, such as those by a particular manufac- turer, or those in a designated "privacy zone"^^. Encryption-Solution: Encryption of the data being transmitted is one method of protecting against anyone eavesdropping on communication via the air interface. It is a way of insuring that information namely personal data carried in an RHD tag will not be read by an unauthor- ised reader. The use of encryption can be used on tags on books in libraries but also in the re- tail supply chain for protecting retailers from potential surveillance by other rivals^^. One should certainly take into account that not all of the tags support strong cryptographic proce- dures which exclude them from being strong protected from unauthorised retrieving of data. For the moment even specialists^^ insist on storing content data in a backend database and just a unique number on the tag that will be associated to the database as the most effective way of avoiding eavesdropping. Privacy Bit (proposal by RSA security): it represents a simple and cost-effective way of miti- gating the problems of RFID privacy while preserving the consumer benefits of RFID. A pri- vacy bit is a single logical bit resident in the memory of an RFID tag. It indicates the privacy properties of the tag. A tag's privacy bit might be off, indicating that the tag is freely subject to scanning, or it may be on, indicating that the tag's information cannot be scanned. The op- eration of changing the privacy bit should naturally require authorization via an RFID-tag- specific PIN. The RFID readers will be able to scan the tags either private or public: if the privacy-bit is on, only private scanning will be permitted, while when it is off both. This as- sure that the consumers will still enjoy the wide range of innovative end-user applications in the areas of home automation and ambient intelligence environments through controlled ac- ^^ See as a reference the proposal of an "RFID Bill of rights" available at: http://www.leginfo.ca.gov/cgi- bin/postquery. ^^ See Juels, Rivest, Szydlo, The Blocker Tag: Selective blocking of RFID tags for consumer privacy, p. 1. ^^ See Jonathan Collins, Tag Encryption for Libraries, available at: http://www.rfidjoumal.com/article /articleprint/1027/-l/l. ^^ See Security aspects and prospective applications of RFID systems, BSI, p. 46, available at: http://www.bsi.de/fachthem/rfid/RIKCHA_englisch_Layout.pdf.
- 33. Radio Frequency Identification (RFID) and Data Protection Legal Issues 15^ tivity of the tags after they pass the point of sail, without surrendering their privacy rights. And the crucial point for data protection is that the control of their data will be in their hands. 7 Conclusions - Recommendations First conceived in 1948, Radio Frequency Identification has taken many years for the tech- nology to mature to the point where it is sufficient affordable and reliable for widespread use'^^. The use of RFID technology for different purposes in increasingly more sectors and in various applications of everyday life may benefit business, individuals and public services. With increasing use comes increasing concern on privacy and security. Clearly there is con- siderable work to be undertaken before RFID becomes as pervasive as bar codes. Two in- struments could be put in force in order to work uncertainties and find out appropriate results: either amend and redefine the aforementioned Articles of the two Directives, or adopt a Posi- tion Paper concerning the particularisation and implementation of already existing data pro- tection instruments in the specific sector of RFID systems (Directives 95/46, 58/2002, "Data Retention"). References Article 29 Data Protection Working Party, Results of the Public Consultation on Article 29 Working Document 105 on Data Protection Issues Related to RFID Technology, WP 111, 28 September, 2005, available at: http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2005/wp 11 l_en.pdf Article 29 Data Protection Working Party, Working document on data protection issues re- lated to RFID technology, WP 105, January 19, 2005, available at: http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2005/wpl05_en.pdf Auto-ID Centre (2003): Technical report 860MHz-930MHz Class I Radio Frequency Identi- fication Tag Radio Frequency & Logical Communication Interface Specification Can- didate Recommendation, Version 1.0.1., MIT, USA, available at: http://interval.hu-berlin.de/downloads/rfid/chipklassen/4_candidate_recommendation _l_0_l.pdf Balch / Feldman / Wilson^ Assessment of a RFID System for Animal Tracking, The BORG Lab, Georgia Institute of Technology, Atlanta, Oct. 1 2004, available at: http://www.cc.gatech.edu/~storm/Feldman2004TR.pdf Collins, Jonathan, Tag Encryption for Libraries, available at: http://www.rfidjoumal.eom/article/articleprint/1027/-l/l Council Regulation 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States, OJ L 385, available at: http://europa.eu.int/eur-lex/lex/LexUriServ/site/en/oj/2004/l_385/l_38520041229 en00010006.pdf Council Regulation 644/2005/EC of 27 April 2005 authorising a special identification system for bovine animals kept for cultural and historical purposes on approved premises as provided for in Regulation (EC) No 1760/2000 of the European Parliament and the Council, 2005, OJ 107, p. 18 ^ See CM. Roberts, Radio Frequency Identification (RFID), Computer & Security, 2006, p. 18.
- 34. 16 Radio Frequency Identification (RFID) and Data Protection Legal Issues EPCglobal ,^lectronic Product Code" available at: www.epcglobalus.org/Network/Electronic%20Product%20Code.html Erdos, Marlena, RFID and authenticity of goods, p. 137, in: Simson GarftnkeA Beth, Rosenberg, RFID Applications, Security and Privacy, 2006 Garfinkel, Simson / Rosenberg, Beth, RFID Applications, Security and Privacy, 2006, p. 533 German Associationfor the promotion of the public and not-public data traffic, (Verein zur Foerderung des oeffentlichen und nicht oeffentlichen Datenverkehrs e.V.) (FOEBUD), available at: http://www.foebud.org/rfid/positionspapier.pdf German Federal Authorityfor Information Systems Security (Bundesamt fiir Sicherheit in der Informationstechnik), Security Aspects and Prospective Applications of RFID Systems, 2005, available at: http://www.bsi.bund.de/fachthem/rfid/RIKCHA_engUsch.pdf Hennig /Ladkin /, Sieker, Privacy Enhancing Technology Concepts for RFID Technology Scrutinised, p. 1 International Conference ofData Protection & Privacy Commissioners, Resolution on Radio- Frequency Identification, (Nov. 20, 2003) p. 2, available at: http://www.privacyconference2003org/resolutions/res5.DOC Italian Data Protection Authority, Smart (RFID) Tags: Safeguards applying to their use, March 2005, available at: http://www.garanteprivacy.it/garante/doc.jsp?ID=1121107 Juels / Molnar / Wagner, Security and Privacy Issues in E-Passports, lEE SecureConmi 2005, available at: www.cs.berkeley.edu/-dmolnar/papers/papers.html Juels / Rivest / Szydlo, The Blocker Tag: Selective blocking of RFID tags for consumer pri- vacy, p. 1 Keuleers, Ewout, Reconciling RFID technology with data protection principles. Droit Nou- velles Technologies, April 2005, p. 2 Lahner, Claus Mauricio, Anwendung des par. 6c BDSG auf RFID, in: DuD 2(X)4, p. 723 Langheinrich, Die Privatsphare im Ubiquitous Computing - Datenschutzaspekte der RFID- Technologie, available at: http://www.vs.inf.ethz.ch/publ/papers/langhein2004rfid.pdf Langheinrich, Privacy by Design-Principles of Privacy-Aware Ubiquitous Computing, p. 7 available at: http://www.vs.inf.ethz.ch/publ/papers/privacy-principles.pdf Molnar/ Wagner, Privacy and Security in Library RFID issues, practices and architectures, CCS'04, October 25-29 2004, Washington, DC, USA, p. 210, available at: http://www.cs.berkeley.edu/molnarAibrary.pdf Rieback, Crispo, Tanenbaum, Is your cat infected with a computer virus?, 2006, available at: www.rfidvirus.org/papers/percom.06.pdf Roberts, CM,. Radio Frequency Identification (RFID), Computer & Security, 2006, p. 18 Schulzki / Haddouti, Neue Reisepasse: Mit Sicherheit teuer, available at: http://www.sicherheit-heute.de/index.php?cccpage=Verkehr U.S. Food and Drug Administration, Combating counterfeit Drugs, A Report of the Food and Drug Administration, February 2004, available at: www.fda.gov/oc/initiatives/counterfeit/report02__04.html Yoshida, Euro Bank Notes to Embed RFID Chips by 2005, EETimes, 19.12.2001, available at: http://www.eetimes.com/story/OEG20011219S0016
- 35. e-ID and Smartcards - Current Status, Hopeful Developments and Best Practices Graham Williamson Intemet Commerce Australia [email protected] Abstract Smartcards were first deployed in the early 1980s but it was not until the early 1990's that they were deployed in large numbers. During the 90's the number of smartcards in circulation grew exponen- tially. They are now in widespread use in credit card, ticketing and mobile phone applications. But they have yet to be deployed in large numbers in identification applications. There are several reasons for this but the lack of standards has hindered the deployment of smartcards in e-ID applications. Without standards interoperability between card schemes is severely hampered which limits the benefit that an ID card scheme operator can realise. The situation is changing, however, and the development of standards is progressing well. We are now seeing the publication of guidance on deploying e-ID smartcards that are interoperable with other card schemes. This bodes well for the expanded use of smartcards in the identification sector. 1 Background A prerequisite for the widespread adoption of smartcard technology is the development and publication of standards. This is illustrated by the areas in which smartcards are most widely used: 1.1 Financial Sector In the Financial sector the use of the EMV standards is now widespread. This means that a credit card issued in the USA can be used to make transactions in Rome, with the cardholder paying the bill a month later in the US. The EMV standards spawned the development of EFTPOS devices including the messaging protocols, card handling protocols, session encryption requirements and PIN management. This allows an Australian EFTPOS card tendered in London to dispense cash in the local cur- rency. The Financial sector has made smartcards work to fulfil consumer expectations. Without standards it would have been impossible for the widespread use of smartcards to occur. If there was no standard for the way to establish secure sessions the current array of keypad card readers could not operate; without standards ATMs that capture the card to avoid tearing would not exist and without standards it would be impossible to design a two-factor authenti- cation mechanism to ensure cardholders provide their PINs before a transaction is committed. 1.2 l/lobile Phone Sector In the mobile phone sector one of the elements that differentiates the GSM market from the CDMA market is the use of SIMs. This has been a factor in the widespread deployment of S. Paulus, N. Pohlmann, H. Reimer (Editors): Securing Electronic Business Processes, Vieweg (2006), 17-24
- 36. 18 e-ID and Smartcards - Current Status, Hopeful Developments and Best Practices GSM as opposed to the relatively limited use of CDMA. The GSM memorandum of under- standing defines how a SIM card in the UK phone should work in Malaysia, so that a phone call can be made, with the call costs appearing a month later on the user's regular phone bill. The phone industry has anticipated customer needs and has largely filled their expectations. (It is interesting to note that the industry has failed to learn from history and are currently de- veloping multiple standards for high capacity SIMs needed for multi-media functionality.) 1.3 Ticketing In the ticketing sector, standards development has occurred in some geographies but it has not been as prevalent as in the financial or mobile phone sectors. Vendors of ticketing systems have little incentive to promote interoperability between schemes, preferring to keep their systems proprietary. Customers have failed to force vendors to adopt open architectures be- cause most system deployments have been driven by project expediencies rather than by de- veloping the best solution for scheme operators or the travelling public. To be fair, other than in Europe, the ticketing scheme business model does not warrant large- scale interoperability between schemes. For instance, there are few requirements for a visitor from Brisbane to be able to use their TransLink card on a tram in Melbourne. There is more of a requirement for a visitor from London to be able to user their oyster card in Rome. It is hardly surprising that in Europe, the ITSO has worked hard to ensure that compatibility be- tween schemes is technically possible even if the ticketing system vendors do not promote it. It is interesting to note that the picture is now changing with the deployment of 2"^ & 3^^ gen- eration schemes. Customers are now demanding more open ticketing architectures and are fu- elling the standards development debate. Another influence of note is coming from the banks. It has not gone unnoticed that some card schemes maintain a significant "float" of funds on deposit that cardholders debit when they travel. The banks, until lately, have been unable to handle small financial transaction without the addition of high fees. With the advent of "touch and go" technology, card operators are enabling banks to take a share of this market. Ticketing applications will soon debit card- holder's accounts directly and small transactions will occur without two-factor authentication (note the EFTPOS definitions, originally enabled by the EMV standards, have allowed this to occur). This means that a ticketing application on a bankcard is entirely possible; it is frustrated only by the current proprietary nature of these ticketing schemes. The banks are likely to add their influence to standards adoption and it is expected that an expansion of the ITSO and/or Ca- lypso standards development activity will occur. 1.4 Identification In the e-ID space however interoperability is not so advanced. There are no international stan- dards yet in place. The USA is at the forefront of standards development with their experience with the Common Access Card. The Personal Identification Verification standards of FIPS201 and the smartcard methodology of NIST 6887 are now being internationalised in IS024727 which shows prom- ise as a card interoperability standard.
- 37. e-ID and Smartcards - Current Status, Hopeful Developments and Best Practices 19 1.5 Convergence Although the standardisation work is currently focussed on the use of smartcards for identifi- cation purposes, much of the methodology associated with the card design is conmion to all cards. This means that we can expect to see, over the next five years, convergence between card schemes and a blurring of the current division between the various sectors in which smartcards are used. The first will be between the financial cards and e-ID cards since they both have an identification requirement. But, as seen above, convergence between ticketing cards and financial cards is already taking place and if mobile phones become the ubiquitous payment device as currently promised by the marketplace - placing an e-ID applet and an EMV applet on a SIM card might soon be commonplace. Financial Mobile Phone Ticketing Identification EMV Standards GSM Memorandum ITSO/Cblypso European Standard ISO 24727, 1980 1990 2000 Fig 1: Smartcard Development Timeline 2010 2 Experience with e-ID It is true to say that the current experience with e-ID cards has been less than inspiring. Two schemes that have been at the frontier of nation-wide e-ID card deployment are the US De- partment of Defence Common Access Card (CAC) and the Belgian e-ID card scheme. 2.1 US Federal Government Initiatives The USA has been at the forefront of standards development for e-ID cards for some time. They began with their experience with the Common Access Card (CAC). The CAC came out of the realisation that many government agencies were issuing smartcards for their staff, but the schemes were incompatible. In some cases contractors were required to apply to multiple scheme operators for access cards to more than one facility. In order to reduce the escalating cost of closed card schemes in different geographies and between the services, the conmion access card defined a common card structure for access control to e-ID smartcards. This led to the development of NIST 6887 document, the first to define a complete smartcard model. This document provided a model for a comprehensive multi-application smartcard that provided facilities to enhance interoperability. A common card capability container provided the ability for the card to be interrogated to reveal the applications that resided on it. But at the same time as the NIST 6887 initiative was maturing as a US standard for the de- ployment of smartcards, a Department of Homeland Security directive instigated the devel- opment of a Personal Identification Verification (PIV) mechanism to allow compHant e-ID cards to provide cardholder identification details. A separate initiative under the FIPS 201
- 38. 20 e-ID and Smartcards - Current Status, Hopeful Developments and Best Practices program defined the PIV requirements specifying how a smartcard should respond to an iden- tity verification request. A new NIST initiative was then commenced to support the initialisation of the PIV. This has led to the IS024727 standards development which is an ambitious program to formalise a structure for a PlV-compliant card with capabilities to support various identity-based func- tionality within a standard smartcard definition. The experience with NIST 6887 is assisting in the development of IS024727 which shows promise as the first true smartcard interopera- bility standard. 2.2 Belgian Government Cards The Belgian e-ID initiative is an example of the problems that arise in a standards void. The scheme is currently deploying a basic e-ID smartcard to all citizens in the country. When ad- vised of the date for their card issuance, citizens must attend a government enrolment office to complete the formalities for their smartcard. The program provides a smartcard reader to cardholders and client software to enable citizens to read their card, to verify the accuracy of data on the card, and to alter certain self-service applications. In doing this, the scheme opera- tors did not seek interoperability with Belgium's social security smartcard. The result is the two card management programs cannot be co-resident on the cardholder's PC. Not only are Belgians on social security required to carry two government smartcards, they must also be sufficiently computer literate to be able to read their smartcards. 3 The Issues There are multiple challenges to the introduction of an e-ID card, but the most important are interoperability and privacy. 3.1 Interoperability Interoperability greatly increases the utilization of an e-ID card and significantly reduces the inconvenience users will experience with the cards they utilise. Banks have realized this with the combination of credit card facilities, bankcard features and ATM access on a single smartcard. Much work has been invested in back-end integration to allow one bank's card to be accepted by associated banks. This means that the cardholder has to carry only one card and remember one PIN for their banking needs. The same is required for the e-ID card. A single card should allow the cardholder to gain ac- cess to a building, provide identify at the company's HR office and grant access to computer facilities. The ability for an e-ID card scheme to interoperate with another scheme is a substantial bene- fit that will often justify the initiative. Without interoperability the economic justification for a scheme might be questionable; with interoperability card scheme costs can be spread over multiple applications. This also means that cardholders will gain benefits beyond the core ap- plication provided by the scheme operator. Just as standardisation in the financial sector means that a credit card can be used for EFTPOS transactions, the same is true for e-ID cards. Multiple applications on the same card will heighten the usefulness of the card making it more likely that the cardholder will carry the card. Card scheme operators will benefit from the potential spread of card costs over mul- tiple applications.
- 39. e-ID and Smartcards - Current Status, Hopeful Developments and Best Practices 21 3.1.1 ISO 24727 The nascent ISO 24727 standard seeks to provide a comprehensive model for a smartcard de- velopment. It is aimed at multi-application cards such as Javacards or MULTOS cards. The intent is to allow the scheme operator to decide at what level they wish to communicated with the card. There are three basic levels: Host- resident Card Service API's Generic Card Services Card Services ISO 24727-3 ISO 24727-2 ISO 7816-4 Card- resident Files Fig 2: ISO 24727 Architecture At the lowest level communication with the card can adhere to standard APDUs that are sup- ported by all smartcards. At the next level the standard recommends a set of calls that all compliant cards will support. These will initially be via host applications that will communicate with the standard card ser- vices. When fully compliant smartcards come on the market the generic card services as de- fined in the standard will be available directly from the card. Level 2 commands define the way in which a connection to the card can be established, the commands to be used for data loading, creation, selection and deletion, and the way in which cryptographic services can be used. The command set also supports a Differential Identity Service which describes how identify data can be created, retrieved, updated and deleted. At level 3 compliant smartcard host systems will provide a standard command set to which card scheme applications can interface. The standard assumes that these system calls will re- main host-based. Level 3 is still in development and it is expected that a number of sophisti- cated calls will be defined to perform standard card service tasks. It is standards such as this that enable interoperability. With the knowledge that compliant cards will support the same command sets, card scheme developers can define functions for their cards that will allow other card schemes to interoperate. This is particularly important for e-ID cards. An identification application should allow all compliant cards to access card- holder identification information to the extent permitted by the scheme operator. 3.2 Privacy A related challenge is that of privacy. It is the one issue that has the potential to derail a smartcard project. An attempt to introduce a smartcard in Ontario, Canada was terminated in 2001 because of privacy issues. The agencies involved could not agree on a mechanism to
- 40. 22 e-ID and Smartcards - Current Status, Hopeful Developments and Best Practices adequately protect the privacy of their constituents. The inability to satisfactorily address pri- vacy issues resulted in the initiative being shelved after a sunk cost of $12M. Privacy considerations include: • what cardholder information can be collected and retained? • how will cardholder information be kept secure? • how will cardholder information be kept current? • how will a cardholder be able to verify their information? Card scheme operators fail to address these issues at their peril. Operators must be honest in their dealing with the public and ensure their processes are transparent. Fortunately the technology is quite able to acconmiodate multiple levels of access to card in- formation. Most multi-application cards adopt access controls as defined under the Global Platform program. A subset is as follows: Table 1: Authentication Classes [Access control rule 1 Always External authenticate PIN protected External authenticate or PIN Update once Secure channel (ISO) Description | The corresponding service can be provided without restrictions. | The corresponding service can be provided only after a "get chal- lenge" and subsequent "extemal authenticate APDUs." | The corresponding service is provided if and only if the verifica- tion code of the PIN associated with the service has been provided in the current card session. | Either one of the two controls gives access to the service. This al- lows for a cardholder validation when a PIN pad is available and for an extemal authentication when no PIN pad is available. Or, this provides an authentication method when the application can- not be trusted to perform an extemal authentication and to protect the extemal authentication key. | A target object can only be updated once during its lifetime. | The corresponding service can be provided through a secure channel managed by an ISO [IS04],[IS08] secure messaging layer. PIN protected data requires the cardholder to input their PIN before the data can be accessed. Data protected under an extemal authenticate mechanism typically requires a card reader con- taining the appropriate key in order for the data to be read. These access controls, provided they are implemented correctly, allow scheme operators to provide the required privacy protection. 3.2.1 Example: Australian Driver Licence Smartcard The New Queensland Driver Licence is a good example of the implementation of card access security to protect individual's privacy. In Australia driver license administration is a state-level activity. This means that when the Queensland state government embarked upon a project to issue a smartcard driver licence it was necessary to gain agreement with the other states and territories on interoperability re-
- 41. e-ID and Smartcards - Current Status, Hopeful Developments and Best Practices 23 quirements. This led to the establishment of the Smartcard Licence Interoperability Protocol (SLIP) under the auspices of the national Austroads organization. It is this organisation that will decide which applications will be mandatory and which op- tional applications can be provided by the states. It will also decide on the access control rules to be supported. The following is a subset of the standard Global Platform access control rules as applied to driver Hcence card data: Table 2: Data mapping to Authentication Classes 1 Card Container Card public information Card holder public infor- mation Cardholder biometrics Cardholder private attrib- ute Card holder licence infor- mation Emergency contact infor- mation 1 Digital certificate Access control rule Always Always Extemal authenticate PIN or extemal authenti- cate PIN or extemal authenti- cate PIN or extemal authenti- cate always Attributes | Card serial number Smartcard issue date Card scheme operator Data model version # | Card holder name Digital signature | Digital photograph Digitised signature Fingerprint template | Gender Date of birth Address | Licence number Conditions Driver Class (1..N) Effective date Expiry Date Jurisdiction | Contact name Contact address Contact phone number 1 Contact phone number 2 Donor status | Digital certificate 3k J Note: the above access control rules provide the capability protect data. However, any imple- mentation of an e-ID scheme requires the appropriate use of these controls to achieve the re- quired privacy protection. In the driver licence application it is recognised that the driver li- cence is often used as an identity document. If the driver license number is used by relying parties it could be possible for the agencies or companies using the card to form transaction profiles on cardholders. This is of particular concern in situations in which the card is used for electronic transactions. To this end the Queensland card will expressly prohibit other government agencies, or com- mercial parties relying on the card, to use the driver licence number in their internal applica-
- 42. 24 e-ID and Smartcards - Current Status, Hopeful Developments and Best Practices tions. The card will carry a cardholder number which each relying entity will be required to map to their own internal customer number scheme. This will frustrate any attempt to form a transaction profile on card users. 4 Conclusion To properly exploit the capabilities of e-ID cards standards development must mature. This is occurring, and the speed at which the IS024727 standard has reached draft stage is impres- sive. This is largely the result of the previous work by NIST on the smartcard initiatives. In Australia much work has been expended on the smartcard licence interoperability protocol (SLIP) that seeks to gain agreement from all jurisdictions (5 states and 2 territories). All states and territories have participated in the definition of the data model and supported access control. Key management still needs definition with distribution of keys for externally authenticated data. Two states are leading the work to define these attributes. The SLIP definition will seek to influence the development of IS024727 to include applica- tions that the driver licence will need in order to be a compliant identity document and will likely mandate the standard as the access protocol to the driver license smartcard. Standards development is therefore of seminal importance to the adoption of e-ID smartcards. It will save scheme developers significant time in the design and development of their schemes. It will also significantly benefit users who will no longer need to carry multiple cards and remember different PINs for different identification functions. References ISO/IEC FDIS 24727-1 Integrated circuit card progranmiing interfaces - Part 1 Architecture ISO/IEC FCD 24727-2 Integrated circuit card programming interfaces - Part 2 Generic Card Interfaces ISO/IEC CD 24727-3 Integrated circuit card programming interfaces - Part 1 Application In- terface
- 43. European Citizen Card Combined with Travel Document Function, Convergence or Divergence? Detlef Houdeau Senior Director Business Development Infineon Technologies AG Neubiberg near Munich, Germany [email protected] Abstract Since 2.5 year is a new application standard for the European citizen card in development. Data struc- ture, transport protocol, interoperability and the issuing are the pillar of this card and there application for e-govemment services. The article start an early analysing about the expected implementation in EU member states. In the conclusion is shown, that the standardisation work lag behind the govern- ment request for implementation. The current solutions are more divergent in the solution themselves and for the combination with the upcoming digital travel documents. 1 Introduction The EU Commission has decided in October 2004, that the next generation of travel docu- ments and the new border process must increase security and fraud protection as part of the European Homeland Security program. Harmonized technology and synchronized timeframe enabled this approach. The EU regulation 2252/200 [ 1 ] defined the roadmap for technology and implementation. European Homeland Security program started a technology wave over Europe, with the elements • digital identity • biometrics and • PKI The focus of this regulation is the electronic passport, the data structure, the security architec- ture, the biometrics and the communication. By October 2006, 33 countries (27 VWP- Countries, 5 non-VWP-countries and USA) will have started with the issuing of electronic passports [ 2 ]. In Europe this captures 100% of the member countries, worldwide 30% of the countries with MRZ-passports. Many governments of the EU member nations think of issuing also a national electronic ID (e-ID) card, after the ePassport is implemented and in use. Two reasons are keys for this ap- proach: S. Paulus, N. Pohlmann, H. Reimer (Editors): Securing Electronic Business Processes, Vieweg (2006), 25-29
- 44. 26 European Citizen Card Combined with Travel Document Function • Re-use of infrastructure (data capturing, PKI, IT-network, border control system) • increase security at border control In Europe, about 20% of residents have passports and about 80% to 90% of residents hold ID cards. For border control in Europe, the ID card is the typical travel document. For increasing security at border control the e-Passport in combination with the e-ID card for EU residents are required. In autumn 2005, the EU Conmiission published the recommendation for minimum security standards for such national e-ID card programs in its regulation 14351/2005. These travel programs are typically controlled by Ministry of Interior (Mol) in each member nation. This contain visa documents, immigration cards, national ID-cards and international passports A complete other discussion has run during the last six to seven years on national level in the government comer Ministry of Economics (MoE). The main focus is cost reduction and in- creasing of government services. One module of this discussion is the changing of the com- munication location from the government office with face-to- face to the home PC in combi- nation with the online authentication and commu-nication via internet. The new name was found with "e-Govemment". For this online-authentication technology was a new identifica- tion media requested, called citizen card. Since springtime 2004, there is a new application standard in progress, see CEN/TC 224 and CEN/TS 15480 (CEN = Comite Europeen de Normalisation). Harmonized data structure, security architecture and interoperability are on the scope. The standardisation work on European Citizen Card (ECC) could be closed till 2007 with the work share: • Part 1: Physical, Electrical and Transport Protocol Characteristics • Part 2: Logical Data Structures and Security Services • Part 3: ECC interoperability using and application interface • Part 4: Recommendations for ECC issuance, operation and use. The next points analyse the current situation in EU member nations. 2 The EU nation strategies and the new ECC- Standard National e-Card programs are not synchronized with the standardisation work. Some national programs have started early and have non-standardized solution in place, like Finland (Start 2003), Belgium (Start 2005) [ 3 ], Sweden (Start 2005) [ 4 ], and Austria (Start 2005) [ 5 ].In other countries are the decisions published for a citizen card function and e-govemment ser- vice based on the new upcoming CEN-Standard. For example, the governments in France and Germany have announced this approach .In many countries the decision has not been made yet and/or published, like in UK, Spain, Italy and Netherlands.
- 45. European Citizen Card Combined with Travel Document Function TT_ 3 Selected card interface for ECC Under ISO there are the two interfaces possible: a) ISO 7816 = contact based and b) ISO 14443 = contact-less. Some countries would follow the contact-based interface, like Finland, Italy, Belgium, Sweden, and Austria. France and Germany would take the contact-less ap- proach. In many countries is the decision not made and/or published. 4 ECC and the "carrier" France has announced a special citizen card (Carte de Vie Quotidienne = CVQ) on one car- rier and the national e-ID (Identite Nationale Electronique Securisee = INES) on a second carrier. Italy has started under the name Carta Nationale Servici (CNS) an e-ID-card pilot in 2005/6.The decision for an own carrier or a "host"-carrier is not made. Germany, Austria, and Sweden have announced the "hosf'-carrier approach: • Austria: ECC on social security card [ 5 ] • Sweden: ECC on national e-ID card [ 4 ] • Germany: ECC on national e-ID card [ 6 ] In many countries are these decisions not made and/or published 5 ECC and addressable memory space Some countries have in the upcoming e-ID card a microcontroller only for the ECC function. This is the case in Sweden and France. Other countries would take one micro-Controller which contains ECC and other data set: • Germany: ECC + ICAO data set [ 6 ] • Belgium: ECC + national e-ID data set [ 3 ] • Finland: ECC + national e-ID data set • Austria: ECC + social data set [ 5 ] In many countries are these decisions not made/or published. 6 The legal framework for the ECC In Germany is the "Gesetz iiber Rahmenbedingungen fiir elektronische Signaturen"(SigG) since 16^ of Mai 2001 in place, with the last changing on 4* of January 2005. This defines: • Electronic signature • Advanced electronic signature • Qualified electronic signature Till November 2001 is the German regulation established (SigV). In other countries is the legal situation unclear.
- 46. 28 European Citizen Card Combined with Travel Document Function 7 ECC and the challenge for the supplier industry, for example the semiconductor producer To develop, qualify and certify the microcontroller for this market right in time. To support software development companies and system integrators. To foster field trial, interoperability and conformity tests. 8 Conclusion The standardisation works lag behind the government request for implementation. The stan- dardisation work would freeze till CY 2007. The development of the solution and implemen- tation based on this new application standard is possible at earliest 2008. For the key technologies, such as digital identity, online authentication and signing it is rec- ommended to work out the same definition and create the same legal framework in each member country. The European citizen card could be one pillar of a multiapplication card system in the future. From the industry point of view, we reconmiend the combination of the national electronic ID-card with the European citizen card on one carrier with the three basic (pillar) functions • visible optical identity • travel function (ICAO standard) • e-Govemment services (CEN standard), to increase the convenience for the citizen in there daily life and reduce the acceptance of such new digital identity document. To follow international standards reduce specification money, time and effort, minimize technology risks and create more supplier for the govern- ments. This opens the door for national (and international) interoperability tests of compo- nents, like cards and card-reader. References [1] EU-Regulation, see http://europa.eu.int/eur-lex/lex/LexUriServ /LexUriServ.do?uri=CELEX:32004R2252:EN:HTML [2] Keesing Journal of Documents and Identity, Annual Report 2005 - 2006 [3] Information brochure of the Belgian ID card, see http://www.rijksregister.fgov.be/cie /brochure/05145_bz_leaflet_fr.pdf [4] Information about the Swedish ID card, see http://www.polisen.se /lnter/nodeid=36624&pageversion= 1 .html [5] DIN-Workshop MultiappUcationcard, on July, 13th and 14th, 2006, Berlin, Germany; Presentation from Prof. Posch, Austria, Chancellor of the Confederation Bureau [6] Global Security Forum, on July, 6th and 7th, Vienna, Austria, see http://www.global-security-forum.com; Presentation from Andreas Reisen, Ministry of Interior, Germany
- 47. European Citizen Card Combined with Travel Document Function 29 Glossary e-ID electronic ID-card PKI Public Key Infrastructure CEN Comite Europeen de Normalisation ECC Europeen Citizen Card INES Identite Nationale Electronique Securis^e CVQ Carte de Vie Quotidienne VWP Visa Waiver Program MRZ Machine Readable Zone IT Information Technology ISO International Standardisation Organisation CNS Carta Nationale Servici
- 48. Physical Unclonable Functions for enhanced security of tolcens and tags Pirn Tuyls • Boris Skoric Philips Research, The Netherlands {pim.tuyls | boris.skoric}@philips.com Abstract Security tokens and RFID-tags are playing an increasingly important role in the authentication of per- sons and devices, e.g. controlling access to services and protecting the value of goods and digital con- tent. In order to provide the required security level they are used in combination with a cryptographic algorithm. State of the art algorithms are so sophisticated nowadays that they are virtually immune against mathematical attacks. Hence, the offered security level essentially depends on the secrecy of the employed keys. Several smdies have shown that the secrecy of keys stored in memory is not guar- anteed when physical attacks are used. Recently, Physical Unclonable Functions (PUFs) were introduced as an identification tool to build se- cure tokens. In this paper, we extend this setting and show how PUFs can be used for generating and storing keys in a way that is secure even against physical attacks. This enables new strong security de- vices such as unclonable tokens, secure key storage devices and unclonable RFID-tags. These are briefly described together with some applications. 1 Introduction In our society information, content and knowledge is becoming increasingly important. Often this information has some value and is therefore an attractive target for attackers. In order to protect the value of the information or content appropriate protection measures have to be ap- plied on the devices where the information is stored or on the communication links over which such information is conmiunicated. Such protection is provided, amongst others, by cryptographic algorithms. Those algorithms use a secret key and their security depends criti- cally on the secrecy of the key. The security of many cryptographic algorithms is well understood. State of the art crypto- graphic algorithms and protocols guarantee that only a negligible amount of information on the secret keys can be obtained from eavesdropping on conmiunications. Hence, when the de- vice can be considered as a black-box in which the secret key is stored and to which an at- tacker has no access, cryptographic protection is sufficient. It was shown at several places that the black-box assumption does not hold in real life. At- tackers have successfully demonstrated how secret keys can be extracted from devices by per- forming physical attacks. More importantly, they showed that in many cases such attacks are relatively simple. As a consequence, many attackers often choose to attack the hardware in which a key is stored instead of attacking the cryptographic algorithms used to protect the communication link. Cost-effective protection of secret keys against physical attacks in gen- eral and against invasive attacks in particular is a long-standing and challenging problem. S. Paulus, N. Pohlmann, H. Reimer (Editors): Securing Electronic Business Processes, Vieweg (2006), 30-37
- 49. Physical Unclonable Functions for enhanced security of tokens and tags . 31_ Physical Unclonable Functions (PUFs) [PRTG2002] have been proposed to solve this prob- lem. A PUF is a physical system with a unique, random-looking input-output relation. Un- clonability means that it is infeasible to produce either a physical copy or a mathematical model that simulates the behaviour of the system. A final property of PUFs is their inherent tamper resistance. An attacker who tries to attack a PUF will damage it in such a way that its input-output behaviour is completely changed. Physical systems that are produced by an un- controlled production process, e.g. by mixing several substances, turn out to be good candi- dates for PUFs. A 'Controlled PUF' (CPUF) [GCvDD2002a] is a PUF whose input and output are completely controlled by a layer of control electronics. The control layer is inseparably bound to the PUF in such a way that removal will damage the PUF. By preventing direct access to the PUF, and by cryptographically manipulating the input and output, the control layer strengthens the se- curity. In this paper we first give an overview of PUF hardware and then describe three applications of PUFs. In Section 3.1 we describe a token equipped with a PUF and list the advantages that it offers. The way in which a PUF can be used to build a secure key storage device is ex- plained in Section 3.2. Finally in Section 3.3 we show how a secure key storage device can be implemented on an RFID-tag to make it unclonable and suitable for anti-counterfeiting pur- poses. 2 Physical realisations Several physical systems are known on which PUFs can be based. The main types are optical PUFs [PRTG2002,Pap2001,STO2005], coating PUFs [TS2005], siHcon PUFs [Gas2003, GCvDD2002b] and acoustic PUFs [TS2005]. We briefly discuss coating PUFs and optical PUFs. 2.1 Coating PUFs The idea of using an 'active coating' was originally proposed in [Posl998] and further devel- oped in the context of PUFs in [TS2005] and [TSSW''2006]. Coating PUFs are integrated with an IC (see Figure 1). The IC is covered with a protective (opaque) coating doped with random dielectric particles. By random dielectric particles, we mean several kinds of particles of random size and shape with a relative dielectric constant 8r differing from the dielectric constant of the coating matrix. An array of metal sensors lies directly beneath the passivation layer. Because of the presence of the coating material with its random dielectric properties, the sensor wires with the material in between behave as a capacitor with a random capaci- tance value. The measured capacitance values are converted into a bit string which can be used as an identifier or a key. Coating PUFs have the advantage of possessing a high degree of integration. The matrix con- taining the random particles can be part of a tamper-resistance coating. A coating PUF addi- tonally has the advantage that it is easily turned into a Controlled PUF (CPUF), as it is insepa- rably bound to the underlying IC.
- 50. 32 Physical UncLonable Functions for enhanced security of tokens and tags l i i i i i i ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ (Si) substrate Figure 1: Left: Schematic cross-section of a coating PUF. Right: Scanning Electron Microscope image. 2.2 Optical PUFs Optical PUFs consist of a transparent material (e.g. glass) containing randomly distributed light scattering particles (e.g. air bubbles, plastic or aluminium). They exploit the uniqueness of speckle patterns that result from multiple scattering of laser light in a disordered optical medium. The challenge is a laser beam directed at the PUF. The response is a speckle pattern (see Figure 2). The pattern is a function of the internal structtire of the PUF, the wave length of the laser, its angle of incidence, focal distance and other characteristics of the wave front. Figure 2: Example of a speckle pattern. Optical probing of the PUF is difficult because the light diffusion obscures the locations of the scatterers. At this moment the best physical techniques can probe diffusive materials up to a depth of approximately 10 scattering lengths [MDR2001]. Moreover, even if an attacker learns the positions of all the scatterers, this knowledge is of limited use to him. If he tries to make a physical copy of the PUF, he runs into the problem that precise positioning of a large number of scatterers is an arduous process. It would seem easier to make an "electronic" clone, i.e. a device that simply computes the correct responses to all challenges in real time or looks them up in a database, without bothering with physical reproduction. However, even this turns out to be extremely hard, since it requires accurate optical modelling of multiple coherent scattering. PUF LC layer cover layer Figure 3: Integrated optical PUF containing a laser, a PUF, a challenging mechanism and sensors.
- 51. Physical Unclonable Functions for enhanced security of tokens and tags 33^ An optical PUF can be employed (i) as a separate physical component, to be challenged by a special reader device containing a laser and a camera, or (ii) as a Controlled PUF, if it is properly integrated into an inseparable package together with the laser, challenging mecha- nism and camera. Figure 3 schematically shows a highly integrated implementation of an op- tical PUF. The CMOS sensor has detector pixels as well as switchable 'display' pixels. The display pixels are used to locally switch the Liquid Crystal (LC) layer between two phase ro- tation states, e.g. no rotation and 45° rotation. The configuration of the display pixels forms a challenge. The optical PUF is situated in the top layer. The laser light enters the PUF, and the light is eventually scattered downward. There it may directly enter a detector pixel. Alterna- tively, it hits a display pixel, where it partly gets absorbed, and partly scatters with a phase ro- tation depending on the LC state. At each detector pixel all contributions from the various scattering paths are added coherently. 3 Overview of PUF applications From a security perspective the uniqueness of the responses and unclonability of the PUF are very useful properties. Because of these properties, PUFs can be used as unique identifiers [Baul983,3DAS,Kir2004, BCJP''2005], means of tamper-detection and/or as a cost-effective source for key generation (common randomness) between two parties [TS2005, STO2005]. The latter is very useful for authenticating objects and persons. 3.1 PUF-Based Tokens PUFs with a large number of Challenge-Response Pairs (CRPs), such as optical PUFs, are well suited for authentication tokens. In its simplest and cheapest form, the token contains only a PUF and a serial number. The token can be inserted into a reader able to read the iden- tifier and to measure the challenge-response behaviour of the PUF. The reader is connected to a database. Typically there are two phases: enrolment and verification. During the enrolment phase, a number of challenges is chosen randomly for each token, and the corresponding PUF re- sponses are measured and then stored, e.g. in a database or, if the token has an EEPROM, in encrypted/hashed form in the EEPROM. During the verification phase, the PUF is subjected to one or more of the enrolled challenges. The verifier checks the response against the en- rolled response data. The same CRP is never used twice. Several secure protocols based on CRPs have been worked out in [TS2005, GCvDD2002a, Gas2003]. In the simplest case eavesdroppers can easily see the PUF responses in plaintext. In more sophisticated protocols PUF responses are used to encrypt nonces or to generate Message Authentication Codes. The latter protocols have the advantage that the token holder and the verifier end up with a shared secret which they use as a session key for a secure trans- action. 3.2 Secure Key Storage Many hardware devices, such as DVD players and Trusted Platform Modules, need access to secret 'Device Keys' that are stored somewhere inside the device. Often these Device Keys are unique for each device. Hence, they have to be stored in the digital memory in a separate process during or after manufacture. Special protective measures must be taken to ensure that attackers cannot read this memory, not even with invasive means such as a Focused Ion Beam (FIB).
- 52. 34 Physical Unclonable Functions for enhanced security of tokens and tags Regarding protection of memories against read-out, we make the following observation. Keys stored in digital memory (such as ROM or EEPROM) are stored as strings of zeros and ones. Attackers can employ known physical attacks to probe the content of the memory, even when the IC is not active. In order to protect stored keys against invasive physical attacks, we pro- pose that no key shall be stored in digitalform in the memory of a device. Since there is no digital key in the memory, it can not be directly attacked. Instead, we propose to generate the key K only at the time when it is needed. The key is ex- tracted from a tamper evident physical structure, integrated with the IC, by applying a chal- lenge, measuring the response and carrying out the reconstruction phase of the helper data al- gorithm [LT2003] implemented on the IC. In the case of coating PUFs, the IC extracts the key from the coating covering it, as described in Section 2.1. Since the key is extracted from coating measurements, and measurements on a physical struc- ture are inherently noisy, the responses can not be directly used as a secret key. This implies that we need a helper data algorithm/fuzzy extractor [LT2003,DRS2004] for key reconstruc- tion. A helper data algorithm consists of a pair of algorithms {G,W) and two phases: an en- rolment and a reconstruction phase (see Figure 4). We use the following notation: x denotes the measurement value of a response during the enrolment phase, while y denotes the corre- sponding value during the reconstruction phase. During enrolment, the key K is randomly chosen from a uniform distribution. The helper data algorithm W is used during the enrolment phase and creates the helper data w based on x and K. The helper data is stored in the EEPROM of the IC. The algorithm G{.,.) is used during the key reconstruction phase for re- construction of the key K as follows: A'=Gfj,wj, where w is read from the EEPROM. Enrollment "" random K C^^ algorithm W hash *, I stored • w h(K) N _ _ _ _ ^ Authentication algorithm G com- pare h(K') K' hash 1 correct / incorrect Figure 4: The helper data scheme We have developed an IC equipped with a coating PUF having 30 capacitance sensors lying undemeath the coating. We have shown that from each of the sensor measurements we can derive 3 bits in a reliable way. In total a string of 90 bits is derived. Taking the noise into ac- count, this leads to a secure key of 66 bits Additionally, we have performed several invasive attacks on the IC with a Focused Ion Beam. Such an attack causes clearly visible errors in the measured capacitance values (see Figure 5). Hence the attack is detected by the IC. This de- tection can be used to let the chip shut down. Furthermore, it was shown that the damage even destroys the key. In case of an 128-bit AES key, after a FIB attack the attacker still faces a computation complexity in the order of l'^ to find the key. ^ We note that when more sensors are put on the IC, longer keys can be constructed.
- 53. Physical Unclonable Functions for enhanced security of tokens and tags 35 Figure 5: Left: Top view of a coated IC that has been attacked with a GaUium Focused Ion Beam. Right: Differences between the capacitance values before and after the FIB attack. 3.3 Unclonable RFID-Tags RFID tags are small devices, consisting of an antenna connected to a micro-chip. They are used for identification purposes in many applications nowadays. It is expected that they will enable many new applications and link the physical and the virtual world in the near future. Since the processing power of these devices is low, they are often in the line of fire when se- curity and privacy are concerned. An emerging application for RFID tags is to prevent counterfeiting of goods. This is done by embedding a tag with authentic reference information into a product or into the seal of its package. An attacker who aims to counterfeit the product has to make a copy of the tag. This is called a cloning attack. A cloning attack can be performed in two ways: 1. The attacker attacks the protocols between a tag and a reader (either actively or pas- sively) and tries to retrieve the tag's secrets (reference information) or 2. The attacker performs a physical attack on the tag (optical attack on the memory, Fo- cused Ion Beam attack,...) and retrieves the secrets in this way. Once the attacker has retrieved the secret reference information stored in the tag, she stores those data in new tags which she then embeds into counterfeit products. A legitimate RFID reader cannot tell an authentic tag from a cloned one, and hence cannot distinguish between authentic and counterfeit products. In order to make an RFID tag unclonable, it is equipped with a coating PUF as described in Section 2. During enrolment a secret key K is derived from the PUF using the techniques ex- plained in Section 3.2. Then a cryptographically secure commitment CK is computed. Finally, the product issuer signs the commitment CK with his secret key sk: O(CK)' The conmiitment CK and the signature ofCAT) are stored in the tag's EEPROM. In order to verify the authenticity of a product, a reader runs the following protocol with the tag that is embedded in the product. 1. The tag reads the public data CK, a(CK) from EEPROM and sends them to the reader. 2. The reader checks the signature a(CK) by using the public key pk associated with the secret key sk. If the signature is ok, the reader proceeds; otherwise the product is consid- ered fake.
- 54. 36 Physical Unclonable Functions for enhanced security of tokens and tags 3. The tag proves to the reader that it knows the secret key K corresponding to the com- mitment CK. This is done by running a secure identification protocol. The product is considered authentic only if the tag passes this test. In [TB2006] the security of this protocol was rigorously proven. Moreover it was shown there that when the Schnorr identification protocol is used for secure identification, the complete protocol can be implemented in less than 10k gates, which is feasible on a tag. 4 Conclusion In this paper we have described Physical Unclonable Functions (PUFs) and explained their use for security purposes. We have investigated three applications in more detail. Firstly, we explained how PUFs are used to build an unclonable token. Secondly, we have shown how coating PUFs are used to build hardware that is resistant against invasive physical attacks. Fi- nally, we have shown how RFID-Tags can be made suitable for anti-counterfeiting purposes by integrating them with a coating PUF. References [3DAS] Unicate BV's '3DAS' system, http://www.andreae.comAJnicate/Appendix %201.htm, 1999. [Baul983] Bauder D.W: An Anti-Counterfeiting Conceptfor Currency. Systems Re- search Report PTK-11990, Sandia National Laboratories, 1983. [BCJP'^2005] Buchanan J.D.R., Cowbum R.P., Jausovec A., Petit D., Seem P., Xiong G., Atkinson D., Fenton K., Allwood D.A., Bryan M.T.: Forgery: 'Finger- printing' documents andpackaging. Nature 436 (28 Jul 2005), Brief Conmiunications, p.475. [DRS2004] Dodis Y., Reyzin M., Smith A.: Fuzzy Extractors: How to generate strong keysfrom biometrics and other noisy data. In: Cachin and Camenisch, (Eds.): Proceedings of Eurocrypt 2004, Lecture Notes in Computer Sci- ence, volume 3027, Springer-Verlag, 2004, p. 523-540. [Gas2003] Gassend B.: Physical Random Functions, Master's Thesis, MIT 2003. [GCvDD2002a] Gassend B., Clarke D., van Dijk M., Devadas S.: Controlled Physical Random Functions. Proc. 18th Annual Computer Security Applications Conf., Dec. 2002. [GCvDD2002b] Gassend B., Clarke D., van Dijk M., Devadas S.: Silicon Physical Random Functions, Proc. 9th ACM Conf. on Computer and Communications Secu- rity, Nov. 2002. [Kir2004] Kirovski D.,: A Point-Subset Compression Algorithm for Fiber-based Cer- tificates of Authenticity, IEEE Proc. ISIT 2004, p. 173. [LT2003] Linnartz J.P., Tuyls. P.: New Shielding Functions to Enhance Privacy and Prevent Misuse ofBiometric Templates, Proc. 4th International Confer- ence on Audio and Video based Biometric Person Authentication (2003), LNCS 2688, Springer-Veriag, p. 238-250.
- 55. Another Random Document on Scribd Without Any Related Topics
- 56. the regalia in the subsequent war of succession, became master of the situation and laid in New Mataram the foundation of another state which, in the reign of his successor Ageng, 1613-1646, gained the ascendency over the rest of Java with Madura, subjugating even Sukadana in West Borneo. Not, however, without strenuous exertion for Balambangan gave a good deal of trouble in the East and the conquest of Sumedang in the West, in 1626, taxed the military strength of the rising empire to its utmost. When the East India Company began to make its influence felt, Moslim solidarity proved a valuable asset as, for instance, in the relations with Bantam and Cheribon, whose Pangeran proposed the title of Susuhunan for Ageng (1625) before Mecca promoted him to the Sooltanate (1630). In 1628 and 1629 he ventured to attack Batavia, the new settlement of the Dutch, but had to retire and, what was even worse, by provoking those upstart strangers, he damaged his trade: they closed the channels of export to Malacca and other foreign ports of rice, the principal produce of the land. “Mataram must now become our friend,” wrote the Governor-General to his masters, the Honourable Seventeen, and, indeed, Mangku Rat I., Ageng’s son, found himself obliged to sign a treaty of friendship with the Company—a dangerous friendship! Differences between their “friend” and Bantam with Cheribon were sedulously fostered by the authorities at Batavia; the Company took a hand in the putting down of disturbances created in East Java by Taruna Jaya of Madura and Kraëng Galesoong of Macassar; the Company patronised and protected the reigning Sooltans, who moved their residence from Karta to Kartasura, against pretenders and exacted payment in land, privileges, concessions, monopolies, etc., shamelessly in excess of the real or pretended assistance afforded in quelling purposely manufactured anarchy—precisely as we see it happen nowadays wherever western civilisation offers her “disinterested” services to eastern countries of promising complexion for exploitation by western greed. Mataram, trying to escape from the extortionate friendship of the honey-tongued strangers at Batavia, whose thirst for gold seemed
- 57. unquenchable, has its counterparts in benighted regions now being “civilised” after the time-honoured recipe: interference which upsets peace and order, more interference to restore peace and order with the naturally opposite result, occupation until peace and order will be restored, gradual annexation. The East India Company’s mean spirit of haggling was held in utter contempt by the native princes, grands seigneurs in thought and action, too proud to pay the hucksters with their own coin, though bad forebodings must have filled the mind, for instance, of Susuhunan Puger, recognised at Batavia as Mataram’s figurehead under the name of Paku Buwono I., [59] when near his capital a Dutch fort was built and garrisoned with Dutch soldiers to back him in his exactions for the benefit of alien usurers and sharpers. Like the rat of Ganesa, they penetrated everywhere and the tale of their relations to the lords of the land is one of tortuous insinuation until they had firmly established themselves and could give the rein to their sordid commercialism in always more exorbitant claims. Paku Buwono II., feeling his end approach, was prevailed upon, in 1749, to bequeath his realm to the Company, but one of the most influential members of the imperial family decided that this was carrying it a little too far: Mangku Bumi, [60] brother of Paku Buwono II., supported by Mas Saïd, son of the exiled Mangku Negara,[61] and other pangerans (princes of the blood), stood up in arms to defend their country’s rights and inflicted severe losses on the Dutch troops in stubborn guerrilla warfare. This led to the partition of Mataram between Paku Buwono III. and his uncle Mangku Bumi, both acknowledging the supremacy of the Company, the latter settling at Jogjakarta, the old capital Karta, under the title and name of Sooltan Mangku Buwono,[62] while Mas Saïd, who did not cease hostilities before 1757, gained also a quasi- independent position as Pangeran Adipati Mangku Negara, which in 1796 became hereditary. With three reigning princes for one, the power of Mataram was definitely broken and Batavia assumed the direction of her affairs quite openly, the “thundering field-marshal” Daendels emphasising her state of decline and the British Interregnum bringing no change.
- 58. In 1825 the divided remnant of Mataram, viz. Surakarta with the Mangku Negaran and Jogjakarta with the Paku Alaman,[63] was deeply stirred by Pangeran Anta Wiria calling upon his compatriots to chase the oppressors away. Born from a woman of low descent among the wives of Mangku Buwono III., Sooltan of Jogjakarta, it seems that, nevertheless, hopes of his succession to the throne had been held out to him when he assisted his father against the machinations of his grandfather, Sooltan Sepooh (Mangku Buwono II.), banished by Raffles in 1812. However this may be, he resented the settlement of the Sooltanate on the death of Mangku Buwono III. upon Jarot, an infant son, and other circumstances adding to his dislike of Dutch control, he raised the standard of revolt. The Javanese responded with alacrity to an appeal which bore good tidings of delivery as the wind, ridden by the Maroots who make the mountains to tremble and tear the forest into pieces, bears good tidings of coming rain to a parched earth. Anta Wiria, under his more popular name of Dipo Negoro, and his lieutenants Ali Bassa Prawira Dirja, or Sentot, and Kiahi Maja, gave the Dutch troops plenty of bloody work in the five years during which the Java war lasted, 1825-1830. It was the last eruption on a large scale of the fire imprisoned in the native’s heart, the last sustained effort at regaining his independence, crushed by the white man’s superiority in military appliances, but occasional throbbings, ruffling the surface as in Bantam (1888), the Preanger Regencies (1902), Kediri (1910), etc., show that the volcano is by no means an extinguished one. Though “kingdoms are shrunk to provinces and chains clank over sceptred cities,” the love of liberty, laid by as a sword which eats into itself, does not own foreign dominion, and the native princes, especially the Susuhunan of Surakarta and the Sooltan of Jogjakarta, remain objects of worshipful homage. Their genealogy remounts to the gods whose essence took substance in the illustrious prophet Adam who begat Abil and Kabil on the goddess Kawa; the history of their house begins with the arrival in the island, in the Javanese year 1, of Aji Soko; they are the panatagama and sayidin (shah ad-din), directors and leaders of religion; their Courts set the fashion in high native
- 59. society, Solo[64] being more gay and extravagant, Jogja[64] more sedate and solid, as a writer at the end of the eighteenth century already remarked. The Dutch Government recognises the imperial or royal dignity of Susuhunan and Sooltan by the superior position of its Residents in the capitals of their Principalities, who, directly responsible to the Governor-General, correspond in rank to the general officers of the army, while the administrative heads of the other residencies have to content themselves with the honours due to a colonel; also by the institution of dragoon body-guards whose ostensibly ornamental presence can be and has been turned to good account when the mental intoxication arising from meditation on gilded disgrace, charged with the lightning of passion, produces effects irreconcilable with the fiction that all is for the best in this best of worlds. With the Government steadily encroaching on the native princes’ ancient rights, bitterness grows apace and irritation at the recoiling weight of bondage lives on, though colonial reports represent it as dead. Truly, in the three centuries during which it pleased Kuwera, the fat god of wealth, to inspire the strangers from the West, rich in promise but slow in performance, exacting and pitiless, to deeds of unprincipled rapacity, the people have learned to hide their thoughts that worse may not follow, hoping that time will set things right. But as everything points more clearly to the fixed purpose of the Dutch Government to avail themselves of every pretext for swallowing the Principalities as all the rest has been gobbled up, there are those who cherish the memory of Dipo Negoro and consider the necessity of new man-offerings: the greater the need, the greater must be the propitiation. On the whole, however, better counsel prevails, deliverance being sought on planes of mystic exercise, silent submission being practised in expectation of the consummation of a higher will, and this is the native’s secret as he repeats the lessons inculcated in the Wulang Reh, the treatise on ethics written by one of the eminent of the past, Sunan Paku Buwono IV.: May ye imitate our ancestors, who were endowed with supernatural strength, and may ye qualify for penitence, heeding closely the perfection of life;
- 60. this is my prayer for my children; be it granted! Meanwhile taxation increases, but who can object to that when in days of old the good people had to pay for the privilege of looking at the public dancers, whether they cared to look at them or not; when compulsory contributions to the exchequer were levied upon one-eyed persons for their being so much better off than the totally blind; etc.... Fancy a Minister of Finance in Holland defending a vexatious new assessment on the ground of arbitrary cesses in the Middle Ages! Hindu art had lost its vitality when the second empire of Mataram arose in Central Java and the cult of the ideal was effected by modernising currents from the eastern part of the island. Sanskrit, as the vehicle of thought in Venggi and Nagari characters, made place for Kawi which, related in its oldest forms to Pali and in its symbols to the Indian alphabets, evolved soon afterward into a specific Javanese type. Sivaïte literature paved the way for the Manik Maya, the Bandoong, the Aji Saka, the Panji- and the Menak- or Hamza-cycles, the Damar Wulan; as to Buddhist literature, Burnouf’s comment upon its inferiority holds also good for Java: no trace exists even of a life of the Buddha, of jataka-tales, except such as have originated in the eastern kingdoms at a comparatively late date. Literary culture in the seventeenth and eighteenth centuries was a continuation of and throve on the efforts of the great authors hospitably entertained at the Courts of Mojopahit and Kediri. The Javanese language with the wealth of words it acquired and the diversity of expression it developed,[65] exercised and still exercises in its four dialects[66] a vivifying influence upon the Soondanese speech in the west and the Madurese in the east. Its script, like the people who speak and write it, and cling to their hadat, the manners and customs of the jaman buda, which, notwithstanding their Islāmitic veneer, they prefer to the law of the Prophet,—its script rejects Moslim interference and refuses to employ the Arabic characters, sticking to its equally beautiful aksaras and pasangans. Religions succeeding one another, generally without discourteous haste, Muhammadanism penetrated Central Java but slowly from the north, first by the conversion of the great and mighty who profited
- 61. by the example of Mojopahit, then by grafting the idea of the one righteous god upon the godless Buddhist or pantheistic Hindu creed of the orang kechil, the man of slight importance who, up to this day, though fervent in his outward duties as a Moslim, shows in every act that his individual and national temperament is rooted in pre-Islāmic idiosyncrasies. The heroes of the Brata Yuda and Ramayana are just as dear to him as the pre-Islāmic saints whose legends are gathered in the story of Raja Pirangon and the Kitab Ambia, as the forerunners, companions and helpers of the Apostle of God. The sacred waringin, never wanting in the aloon aloon, the open places before the dwellings of the rulers of the land and their deputies, what is it but the bo-tree, the tree of enlightenment? One of venerable age in the imperial burial-ground of Pasar Gedeh, planted, according to tradition, by Kiahi Ageng Pamanahan or his son Suta Wijaya, announces without fail the demise of a member of one of the reigning families either at Solo or at Jogja, by shedding one of its branches. Pasar Gedeh, Selo and Imogiri are silent spots, peopled with the dead whose lives’ strength made history and is mourned as the strength of a glorious past. Selo, an enclave belonging to Surakarta, in Grobogan, residency Samarang, contains the ancestral tombs of the rulers of Mataram; Imogiri and Pasar Gedeh in Jogjakarta, which latter marks the site of the original seat of empire and was comparatively recently put to its present use, are the cemeteries common to the royalty of both Principalities, and guarded by officials, amat dalam with the title of Raden Tumenggoong, appointed by mutual consent. A Polynesian bias to ancestor-worship, unabated by Hinduïsm, Buddhism and Muhammadanism, accounts for the almost idolatrous adoration[67] of the graves of the Susuhunans and Sooltans, their ancestors and also their progeny that did not attain to thrones, receptacles of once imperial dust, feeding the four elements from which it proceeded and to which it returns like meaner human clay. Look, says Kumala in the Buddhist parable, all in the world must perish! The religious brethren of his faith used to repair at night to the sepulchres of
- 62. those taken to bliss and spend the lone hours in pondering on the instability of conscious existence, desiring to gain the Nirvana by their undisturbed meditations, but Sivaïte associations people the old graveyards of Java with raksasas, monstrous giants, eaters of living and dead men and women, and santons, bent on prayer amid the last abodes of the departed, have been terrified, especially at Pasar Gedeh, by weird noises and apparitions signalling their approach, commending hasty retreat to the wise. It is advisable to distrust darkness there and rather to choose the day for acts of devotion, even if annoyed by worldlings who come to consult the big white tortoise in the tank, ancient Kiahi Duda, widower of Mboq Loro Kuning, presaging the better luck the farther he paddles forth from his subaqueous habitation. At a little distance is the sela gilang, a bluish stone with a more than half effaced inscription, only the lettering of the border being legible. Tradition calls it the dampar (throne) of Suta Wijaya, sitting on which he killed Kiahi Ageng Mangir, his rival and owner of the miraculous lance Kiahi Baru, who had been lured into his presence by one of his daughters to do homage by means of the ujoong, the kissing[68] of the knee; near by are a stone mortar and large stone cannon-balls, the largest possessing the faculty of granting untold wealth to those strong enough to carry it three times without stopping round the sela gilang, whose legend, carved by a prisoner of war, either a spirit of the air or a magician, reveals in its marginal commentary a philosophic mind coupled with linguistic talents: zoo gaat de wereld —così va il mondo—ita movet tuus mundus—ainsi va le monde. Selo, Imogiri and Pasar Gedeh: so goes the world indeed, and the nameless prisoner of war’s motto, preserved near the pasarahan dalam, the imperial garden of rest, would be hardly less appropriate over the gates leading to the kratons, the residences[69] of the Susuhunan of Surakarta and the Sooltan of Jogjakarta, where they do the grand in the grand old way, cherishing the memories of a power gone by. A visit to the Principalities without an invitation to attend some function at Court cannot be called complete and it is a treat to watch the ceremonial exercises connected with one of the
- 63. three garebegs[70] or with the salutations on imperial birthdays and coronation-days in the roomy pendopos, the open halls whose general style betrays its Hindu origin no less than the aspect, the dresses, the movements of the native nobility, officials and retainers, an assemblage of a fairy tale, betray their Hindu parentage. The bangsal kenchono, the audience-chamber of the Sooltan at Jogja, is a masterpiece of construction in wood, the carved beams and joists, richly gilt and painted in bright colours, forming a ceiling of wonderful airiness and elegance; in the bangsal witono the Sooltan shows himself to the people on days of great gala; in the bangsal kemandoongan, a hall in one of the many open squares of the palace grounds, seated on his dampar or throne, he used to witness the execution of his subjects sentenced to death, who were krissed[71] against the opposite wall; another of these open squares was dedicated to pleasures which remind of the munera gladiatoria, more especially of the ludi funebres, and kindred amusements with a good deal of local colour: we find it chronicled of Sunan Mangku Rat I., Java’s Nero, that once he beguiled a tedious afternoon in his kraton at Kartasura by stripping a hundred young women and letting a few tigers loose among them. The dining-hall (gedong manis: room of sweets) in the kraton at Jogja, to the south of the audience- chamber, can easily hold three hundred guests with the host of servants they require; at Solo the imperial stables and coach- houses[72] are scarcely inferior in interest to the friend of horses, riding, driving and coaching, than the Kaiserlich-Königliche Marstall at Vienna or the Caballerizas Reales at Aranjuez. But of all the sights at the Courts of the Principalities of Central Java it is the human element that fascinates most, a waving mass of silent figures in the magnificent setting which reflects centuries of Sturm und Drang, the new to the visitor’s eye being nothing but the very, very old; men taught by fate to treasure their thoughts up in their hearts, as their mountains do the hidden fire, worshipping tempu dahulu, sustained by l’amour du bon vieulx tems, l’amour antique, even the rising generation remaining apparently unaffected by the example of western fickleness, an inconstancy ever more pronounced since the
- 64. illustrious citizen of Florence, of the Porta San Piera, commented on it: Che l’uso de’ mortali è come fronda In ramo, che sen va, ed altra viene. [73] The country-seats of Susuhunans and Sooltans, where they sought repose from cares of state, often contained temples erected, if not in the name then in the spirit of their kind of sacrifice, to Kama, the god of love, smuggled into the practice of a later creed. They had no wish to become the victims of their virtue like the excellent King Suvarnavarna; they did not aspire to the fame accruing to Rama in his relations to the female demon Shoorpanakha, personification of sublunar temptations. And the manifold functions assigned to water in their pleasances, to the limpid, running water of the cool mountain rills, are characteristic of an island where a bath, at least twice a day, preferably in the open, is both a necessity and a luxury which the poorest does not dream of denying himself. Observe the crowds of men, women and children, always chaste and decent, disporting themselves in lakes and rivers, every morning and every evening; note the names of Pikataän, Kali Bening, Banyu Biru, idyllic spots and equal to the classic chandi Pengilon, Sidamookti and Wanasari to the lover of a plunge and a swim, screened by flowers and foliage, with the blue heaven smiling on his joy. Passing by Ambar Winangoon and Ambar Rookma, the remains of the so-called water-castle at Jogjakarta convey some notion of the manner in which royal personages sought recreation, amusing themselves in their parks of delight, fragrant and tranquil like the restful Loombini, where Maya gave birth to the Buddha; toying with their women in and round the crystalline fluid. An abundant spring within the boundaries of the palace grounds led to the conception of this retreat or, rather, these retreats, for there were two, connected by a system of canals which speaks highly for native hydraulics, though the buildings erected to obey a capricious will, show in their present
- 65. ruinous state how architecture had degraded since the Hindu period, its flimsy productions being unable to withstand the first serious earthquake. Of Pulu Gedong, to the northeast of the aloon aloon kidool, nothing is left but crumbling portions of the walls which jealously guarded the privacy of the Sooltan’s watersports. Of Taman Sari and Taman Ledok, situated in the western part of the kraton, a good deal is still recognisable, especially the structures on Pulu Kenanga in the largest of the artificial lakes which are now dry ground, the one here meant being incorporated into a kampong, one of the several groups of native dwellings inhabited by the Sooltan’s numerous retainers. The whilom islands convey in quite a picturesque way the lesson that human works must die like the hands that fashioned them. XIII. WATER-CASTLE AT JOGJAKARTA (Centrum.) The building of the “water-castle”, whose pavilions, artificial lakes, tanks and gardens spread over an area of about twenty-five acres, was begun in 1758 by a Buginese architect under the orders of Mangku Buwono I., a great raiser of edifices, as Nicolaas
- 66. Hartingh[74] wrote in 1761, and maker of “fountains, grotto-work and conduits which, though completed, he orders immediately to be pulled down, not finding them to his taste, thus squandering some little money.” We possess a description[75] of the kraton at Jogjakarta, dated September 1791, from the hand of Carl Friedrich Reimer,[76] who speaks of “a collection of gardens, fish-ponds and pleasure-pools.” He probably visited Pulu Gedong before proceeding to Taman Sari[77] and expatiates on the spaciousness of the dwelling room in Pulu Kananga, where it seems that the Court could find plenty of accommodation. But what made the greatest impression on the expert in hydraulics was the arrangement of passages and an apartment for prayer and meditation under water, as if the Sooltan deemed it an advantage to worship surrounded by the babbling stream, light and fresh air being provided through turrets rising above the surface. In the place called Oombool Winangoon, situated on a low level, with three tanks, fed from the great lake of Taman Sari, was a cool retreat where the Sooltan used to rest a while after his bath, refreshing himself with a cup of tea. Alluding to the Sumoor Gumuling, Reimer remarks that the architect must have chosen a round form for his structure to make it the better resist the pressure of the water all round. The strange building which went by that name and consisted of two concentric walls with a flat roof,[78] taken for a subaqueous house of prayer by the visitor of 1791, has also been very differently explained: some see in its remains a dancing-school, awakening visions of the Sooltan’s corps de ballet practising in the first storey to the dulcet tones of the gamelan, the native orchestra, that ascended from the basement and aided them in going through their paces; others connect it with functions never referred to in polite society and which have nothing in common with praying, either with the heart or with the feet, more correctly speaking: with the arms, hands and hips, for Javanese dancing is no loose skipping and hopping about, but a graceful and expressive play of the body and more particularly of the upper limbs in rhythmic, undulating motion. Passing from one lake to the next, the Sooltan’s means of conveyance was the prahu Niahi Kuning, a gorgeously
- 67. decorated barge, given to him by the East India Company; other boats, plying between Taman Sari and Taman Ledok, were at the disposal of the ladies of the royal household desirous of an outing with their babies; two small skiffs left their moorings every night alternately, at a signal given on a bendeh, to feed the fishes, which knew the sound and assembled in shoals. The guard-rooms near the northern watergate, of which the remaining one, i.e. the one not altogether fallen into ruin, shelters in the morning a motley crowd of sellers of fruit, vegetables, sweetmeats, etc., witnesses to the Company’s dragoons, protecting and shadowing their Highnesses of Surakarta and Jogjakarta with the princes of their blood, already having been entrusted with that task in the days of Mangku Buwono I. Of the delicately carved woodwork hardly a trace remains, but some foliage and birds among flowers, executed in stucco, give evidence of a good taste which knew how to make old motives subservient to new requirements. Though a Muhammadan pleasance, designed by a Muhammadan architect for a Muhammadan prince, the garuda over one of the entrances, the Banaspatis on gables and fronts in Taman Sari and Taman Ledok, the nagas coping the balustrades of the staircases, show that Hindu conceptions continued to leaven Javanese art. The relations with China and the consequent influx of Chinamen have also borne their fruit in Central Java as in Cheribon and the eastern kingdoms: Reimer informs us that the galleries and tops (now gone) of the several buildings were constructed like pointed vaults, and were wrought “in the manner of Chinese roofs”; Pulu Gedong was famous for the lofty Chinese tower erected near the spring which furnished the water for the “castle”, its lakes, ponds, tanks and canals, and for the irrigation of its grounds. The orchards, renowned for their mangoes and pine-apples, the vegetable-, sirih- and flower-gardens had a great reputation in the land; assiduous attention was paid to horticulture on the principle, well understood by oriental gardeners, that flower-beds, ornamental groves and bowers are like women; that however much art and pains are bestowed on their make-up, the art of arts is the
- 68. concealment thereof.... Writing this it occurs to me how properly a western version of that universally approved maxim has been put in the mouth of Gärtnerinnen, niedlich and galant: Denn das Naturell der Frauen Ist so nah mit Kunst verwandt.[79] XIV. WATER-CASTLE AT JOGJAKARTA (Centrum.) Though Mangku Buwono I. was a contemporary of Goethe, his knowledge of Faust is extremely doubtful, but being an artist in his own way, he took care that the natural scenery, assisted by art, should contribute to a pleasant general impression in the distribution of the dwellings for his retinue: native princes (and of his rank too!) do not move an inch inside or outside their kratons without numberless attendants at their heels. In the “water-castle” were apartments, not only for the Sooltan, for the Ratu, his first legitimate spouse, for his other wives and concubines, for the little family they had presented him with, but for the dignitaries of his Court, officials of all degrees, secretaries, servants of every description, various
- 69. artificers from the armourers down to the kebon kumukoos, the makers of tali api (fire-rope), necessary for lighting his Highness’ cigars. There were reception-, dining-, living- and sleeping-rooms for the Sooltan, his Ratu and female relatives, each apart; common rooms for the selir (wives of lower degree); rooms for the instruction of their children; rooms where his Highness’ daughters spent a few hours every day in batikking; guard-rooms for the prajurits, the male guards; guard-rooms for the female guards under command of the Niahi Tumanggoong, a lady of consequence, who kept and keeps the dalam, the interior of the kraton, under constant observation so that no illicit amourettes shall occur in the women’s quarters, and yet—! There were store-rooms, kitchens, workshops, prisons, halls set apart for the dancers, male and female; the cream of the female dancers, the srimpis and girl bedoyos, were probably housed in or near the principal pavilion on Pulu Kananga, of which the Sooltan occupied the eastern and the Ratu the western portion. Above all there were the bath-rooms, dedicated to Kama and his wife Rati of Hindu memory; and since the parrot is the vahana of that frivolous god, many are the unspeakable tales of revived rites of his luxurious worship. The etiquette at Court is fitly illustrated by the two tea-houses of Taman Sari, the eastern one for the Grand Pourer-out-of-Tea of the Right, who presided over the preparation of the delectable beverage for the Sooltan, and the western ditto for the Grand Pourer-out-of- Tea of the Left, who provided for the Ratu. A scrupulous punctilio is ingrained in Javanese habits and customs, from high to low, on great and small occasions, the native’s mentality always reverting to things which were, but never more can be. The homage done to sacred objects, arms, gamelans, etc., by giving them a human name and a title,[80] venerating them as if endowed with supernatural faculties, recalls Polynesian fetishism, Hinduïsm being blended with it in Siva’s trishula, Vishnu’s chakra, etc., which are still carried behind the native princes among their ampilan.[81] The upacharas or imperial and royal pusakas[82] are treated with the utmost reverence when
- 70. shown at the appearance in public of Susuhunan or Sooltan, and their bearers, the koncho ngampil, who hold an honoured position at the Courts of Solo and Jogja, may be considered direct successors of the envoys of King Dasharatha on the reliefs of the chandi Loro Jonggrang, who bore his regalia when meeting Rama and Lakshama. The strange ceremonial, preserved from the time when gods walked amongst men, seems hardly antiquated, on the contrary very germane to siti-inggil[83] surroundings. One need not visit the kratons though, to notice how the spirit of the past permeates all things Javanese; any well-dressed native getting out of his sado[84] at the railway station or repairing thither on foot for a journey with the fire-carriage, will do. Even if he cannot afford the few doits[85] necessary and must impair his dignity by going afoot, he has his retainers to look after his box and, stuck behind, he has his magnificent kris in a sheath of gold, with a beautifully carved ivory handle, in nine cases out of ten a pusaka, cherished like the kris Kolo Munyang of the Prince of Kudoos or, as others allege, of a Susuhunan of Surakarta, who sent the weapon, which killed its master’s enemies without human direction, to the assistance of Pangeran Bintoro, then oppressed by a king of Mojopahit. The chronology of this legend is evidently a little faulty, but, O! the wonders of Java’s golden age, and, O! the superstitious honour in which their memory is held by these lovable people, whose actual existence is a dream of days gone by. And that happy dream, they ween, is a presage of the future, prophesying the restoration of their fathers’ heritage. If, nevertheless, the hour draws near of unconditional surrender, the Dutch Government steadily and surely arrogating to itself the externals with the substance of power in the Principalities, they will silently submit to the nivarana of their ancient faith, the hindrance arising from torpor of mind appointed to them in the sansara, the rotary sequence of the world, and seek consolation in the promise of their new faith that the Lord will not deal wrongly with his servants. The life of nations, like the life of men, starts running as the mountain torrent and meets many an obstacle before
- 71. it swells to a broad river in the plains and flows tranquilly and mightily to the sea; also for Java it is written: ... Non anche, l’opra del secol non anche è piena.[86]
- 72. CHAPTER VI EAST JAVA cosi da l’ossa dei sepolti cantano i germi de la vita e degli spiriti.[87] Giosuè Carducci, Odi Barbare (Canto di marzo). When, suddenly, for reasons still unknown, the classic period of art in Central Java closed, about 850 Saka (a.d. 928), East Java awakened and entered on an era of artistic activity in every direction, which lasted until the fall of Mojopahit six centuries and a half later. In architecture it offers nothing so grand and imposing as the ancient temples of the Middle Empire, but much more diversity, and numerous inscriptions, resembling, after 900 Saka (a.d. 978), in form and contents, what we possess of old Javanese literature, enable us in many cases to determine the dates and also the character of the chandis, found principally along the course of the Brantas in the residencies Pasuruan, Kediri and Surabaya. Moving eastward, it was there that Hindu civilisation made greatest progress, no more in the vigorous enthusiasm of a young faith eager to proselyte, but modified by and finally succumbing to the influences of the soil, the climate, the idiosyncrasies of the
- 73. aborigines. The oldest dates (Madioon, Kediri, Surabaya and Pasuruan) fall between 890 and 1140; then we have a good many again from Kediri (1120-1240 and 1270-1460) and from Surabaya (1270-1490); also from Pasuruan, Probolinggo and Besuki (1340- 1470), Madura (1290-1440) and Rembang (1370-1390); finally, the constructive energy returning to Central Java, from Samarang and Surakarta (1420-1460), Suku and Cheto bringing up the rear. In the palmy days of Daha and Tumapel a sort of transition style was elaborated; under Ken Angrok and his descendants on the throne of Mojopahit, East Java reached its architectural zenith, never equal in the grandeur of its conceptions to the Boro Budoor or even the Prambanan temples, to the symmetrical richness of the Mendoot, but making up in fantastic decoration what it had lost in sobriety of outline. The builders pandered to the unwholesome demand for that perfection at any cost which Ruskin censures as the main mistake of the Renaissance in its early stages, the workman losing his soul in exchange for consummate finish. But, though they bear the impress of decadence, the products of eastern Javanese constructive efforts are not wholly degenerate, never coarse or vulgar and well worth looking at from more than one point of view. The evolution of the ornament alone is exceedingly suggestive: the “recalcitrant spiral” which in Central Java ascends, decking the supports, topples, as it were, in East Java, losing its character and becoming a meaningless adornment of the casements of, e.g., the chandi Panataran; the kala-heads remain but the makaras change into a flame-like embellishment; where they are altogether dissolved, as in the chandi Jago or Toompang, it is safe to conclude with Dr. Brandes to late eastern Javanese influences.[88] It has been conjectured that the migration of Hinduïsm to East Java was the effect of Buddhism gaining ground in the central part of the island; that the pronounced Sivaïte tendencies of Mojopahit were a reaction against Buddhist innovations. But it remains still to be proved that Mojopahit, though worshipping Siva as the supreme god of the Trimoorti, adhered to his overlordship in all its orthodox purity. There are, on the contrary, indications of Vishnuïte leanings, of
- 74. Buddhist heresy, of a syncretism no less pronounced than that of Prambanan and the Mendoot. In the time of Old Mataram’s hegemony, Buddhism must have ingratiated itself to some extent with her eastern vassals and, though not one of the temples in East Java is Buddhist after the fashion of the chandis Boro Budoor, Mendoot and Sewu, vestiges of the Bhagavat’s doctrine are undeniable in Kediri, Southern Surabaya and Northern Pasuruan. A fusion of Sivaïsm and Buddhism has continuously controlled the construction of the larger temples of the later eastern Javanese period, says Rouffaer. Statues found in many places, e.g. in the chandi Toompang, are distinctly Buddhist and, what is most remarkable, though of later workmanship than those of Central Java and of a different style, tainted by decadent methods, they possess high merits as works of art. In their Sivaïtic surroundings they confirm the statements of the Chinese traveller Hiuen Tsiang who, perambulating India between 629 and 645, before the persecution of the Buddhists commenced, remarked upon the tolerance of the brahmins and vice versa, a virtue the Hindus carried with them to Java as already observed in the chapter on Prambanan. The kings of Mojopahit followed the example set in those regions: they were Saivas, Vaishnavas, Buddhists or followers of no one creed in particular, ready to protect and prefer each of them according to circumstances. In codes of law and poetry, Sivaïte priests and sugatas, pious brethren on the Buddhist road to perfection, are mentioned in one breath as conductors of the religious exercises on festive occasions, invoking the blessings of heaven on harvests and enterprises of peace and war; the poet Tantular calls the Buddha one with the Trimoorti.[89] The Muhammadans were not so indulgent when the Pangerans of Giri increased in authority as spiritual leaders of their faith, successors of Maulana Ibrahim, its first apostle in East Java. The hillock of Giri became a centre of incitement to the holy war, particularly so under Raden Ratu Paku or Sunan Prabu Satmoto, whose tomb is still an object of Moslim pilgrimage.[90] With his approval, if not on his instigation, the Muhammadan states on the
- 75. north coast combined under Raden Patah of Demak to compass the extermination of heathenism and he lived to see the overthrow of Mojopahit, though dying shortly afterwards. If the Moslemin yearned to gain Paradise, sword in hand, martyrs for their Prophet’s dispensation, those of the old creed remembered the power of their gods, blowing the sanka, the war-shell of Vishnu, who proved to Sugriva and Hanoman his superiority over Wali by shooting his arrow through seven palm-trunks; who, in his fourth avatar, as narasinha, the man-lion, ripped open the belly of the sacrilegious demon Hiranya Kasipu. But Raden Patah, marching with his allies, marvellously helped in the way of the Lord against the idolaters of Mojopahit, the swollen with pride, proved to be the giant in the shape of a dwarf, Vamana, known from their god’s fifth avatar, conqueror of the three worlds. And Mojopahit, so great that the claims to the honour of her foundation, forwarded by as many princely houses as existed in those days, were fused in the tradition of her divine origin, her capital with its hundred gates and shining streets and palaces, the like of which had never been seen, having sprung from the earth in one night as a flower at the call of the fragrant dawn,—Mojopahit was overthrown and, laments the Javanese chronicle, the prosperity of the island disappeared. Not the last but the strongest bulwark of Hinduïsm had ceased to exist, bearing bitter fruit[91] of presumptuous pride indeed; the later Hindu empires, even Balambangan, which gave so much trouble to New Mataram and submitted only to the arms of the East India Company, leaving the ancient creed to die of slow exhaustion in the Tengger mountains, were nothing compared to her. Like the remains, near the dessa Galang, of the kraton of the kings of the older empire of Daha, what has escaped total destruction of the capital of Mojopahit is constructed of brick. The ruins are situated about eight miles to the southwest of Mojokerto[92] in the valley of the Brantas; near Ngoomplak was the site of a royal residence in the building of which stone seems also to have been used. Raffles, visiting those heaps of debris scattered over quite a large area, found but scanty evidence of the fact that he trod the
- 76. spot where great rulers had employed great architects, raising great structures for posterity to remember their great deeds by; Wardenaar, whom he had taken with him as a draughtsman, might have stayed at Batavia, though in his History of Java he gives an illustration of “one of the gateways” and says that the marks of former grandeur there are more manifest than at Pajajaran, which, well considered, is saying very little. Now, a century later, a century of continued neglect, the general impression is still less calculated to prompt a vision of heroes subjecting thrones and dominions in the short space left them by their ancestor Ken Angrok’s murderous kris, defying the grave, unmindful of Mpu Gandring’s curse. Walking round in an effort to fit the scenery to historical dramas of love, hate and ambition, extreme care is necessary to avoid stepping on snakes coiled in dangerous repose or crawling among the brickbats which represent the foundations of princely mansions, digesting their last meal or hungry after the lizards that move restlessly in and out of chinks and crannies, lively beasties, enjoying the sunshine until snapped up, far more interesting really than the piles of rubbish bearing meaningless names. The natives one meets, will spin yarns ad libitum anent the numerous graves and crumbling substructures, but few have an intelligible tale to tell. Here are portions of the city- wall; there the remnant of the gate Bajang Ratu; half a mile farther the aloon aloon, the taman or pleasance, the tanks for bathing. A road, in great need of repair, leads through the Trowulan, the interior; exterior roads may be taken through ricefields and teak- plantations to the tomb of Ratu Champa, distinguished by curtains which once may have been white. Before a small building, enclosed by a fence, lies a stone supposed to cover the entrance to a subterranean apartment, the hiding-place, it is said, of the last king of Mojopahit when his capital was taken by the Moslim enemy. More graves surround that cache, graves without and, to intimate the pre- eminent importance of the elect thus honoured, graves with dirty curtains, narrow strips of soiled cloth, sad offerings to the dead sovereigns of an empire of celestial fame. One feels almost inclined to refuse credence to the grand past this ragged display tries to commemorate and, from sheer disappointment, to join the ranks of
- 77. the sceptics who doubt of the capital of Mojopahit ever having amounted to much, and maintain that, in any case, it had come down and was of no consequence compared with Tuban and Gresik, already in 1416, a century before its falling into the hands of the Muhammadans. At Mojopahit it is the same old story of quarrying for building material: several sugar-mills in the neighbourhood with the dwellings of managers and employees, have been wholly or partly constructed of Mojopahit bricks. In 1887 I saw them used for the abutments of bridges, foremen of the Department of Public Works superintending. A short time before, twelve copper plates had been found with inscriptions in ancient characters, which disappeared in a mysterious way. The rechos of Mojopahit were mostly left alone, a respectful treatment they owed to their general clumsiness. Some two or three miles from the ruins of the capital, a goodly number stand or lie together fair samples of statuary of the first eastern Javanese period, in its extravagance and exaggeration a travesty of the classic art of Central Java, crudity of conception floundering in a redundancy of form also observable at the chandis Suku and Cheto; after the fall of Mojopahit, in the second period, the sculptor reverted to a close study of nature as manifested at the chandis Toompang and Panataran; in the third, Hindu methods getting crowded within ever narrower limits, his fancy betrayed him again into lavish detail as exemplified in old Balinese imagery. At the gradual extinction of Hindu ideals of beauty, realised in decaying stone and brick, in statues defaced and vanishing like dwindling phantoms, a growing sensation of emptiness, emphasised by vague reminiscences of the artistic fullness of the jaman buda, claiming amends from succeeding creeds, received little from Islām and absolutely nothing from Christianity. Under Dutch rule very few attempts at style in Java and the other islands of the Malay Archipelago have been made at all, and of these few only one has resulted in an achievement not altogether ridiculous, namely the old town-hall, begun in 1707 and finished in 1710, of old Batavia, where the Resident has his office, by the natives very appropriately called
- 78. Welcome to our website – the perfect destination for book lovers and knowledge seekers. We believe that every book holds a new world, offering opportunities for learning, discovery, and personal growth. That’s why we are dedicated to bringing you a diverse collection of books, ranging from classic literature and specialized publications to self-development guides and children's books. More than just a book-buying platform, we strive to be a bridge connecting you with timeless cultural and intellectual values. With an elegant, user-friendly interface and a smart search system, you can quickly find the books that best suit your interests. Additionally, our special promotions and home delivery services help you save time and fully enjoy the joy of reading. Join us on a journey of knowledge exploration, passion nurturing, and personal growth every day! ebookbell.com