(PIV-I) Trusted ID across States, Counties, Cities and Businesses in the US
1 (PIV-I) Trusted ID across States, Counties, Cities and Businesses in the US. Brian A. Kowal, cv cryptovision GmbH. T: +49 (0) F: +49 (0) info(at)cryptovision.com
2 Agenda: Business motivation for PIV/; What is PIV; Credential Case Studies (Enterprise)
3 Business motivation for PIV/: President George W. Bush in August 2004 signed Homeland Security Presidential Directive 12 (HSPD-12). HSPD-12 mandates a standard for a secure and reliable form of identification to be used by all Federal employees and contractors. HSPD-12 initiated the development of a set of technical standards and issuance policies (referred to as Federal Information Processing Standard 201, FIPS 201) that create the Federal identity infrastructure required to deploy and support an identity credential that can be used and trusted across all Federal agencies, regardless of which agency issues the credential. Independently issued Logical (PC/Web Login) & Physical Access ID Card; Interoperable ID Card; Interoperable credentials (PKI, Physical Access).
4 What is PIV: PIV (Personal Identity Verification) is a standard created by the US government to establish a common, interoperable, secure identification mechanism for US Government employees. It covers: policy for credential issuance (ID proofing, expiration, etc.); technical specifications for the components in the ecosystem; the testing and validation process. Privileges are managed by the accepting agencies. Based on a PKI-capable, dual-interface smart card with a durability of 5 years. NIST (National Institute of Standards and Technology), the technology arm of the US Government, defines the technical specifications for interoperability: FIPS 201, SP 800-X. NIST and GSA test the cards and components to certify compliance: FIPS 201, GSA APL. Unlike many other standards in the industry, PIV not only covers the cards but also covers most of the connecting components, such as readers, middleware, biometric scanners and data formats.
5 PIV, PIV-I, PIV-C: PIV standards not only define technical specifications for interoperability but also define on-card data and policy requirements. PIV Card: Can be issued ONLY by US federal government agencies to federal Government employees and contractors, because some elements in the PIV standard are applicable only to US Government employees. PIV-I (Interoperable): Issued by non-federal government organizations. No background checks needed. US federal government agencies may trust this credential. Includes a PIV Authentication Certificate that chains to the Federal Bridge Certificate Authority via cross-certification. PIV-C (Compatible): Issued by an NFI (Non-Federal Issuer). No background checks needed. It just means that the card is compatible at a technical level with PIV infrastructure elements such as readers. Policy requirements are not applicable to this card; it is NOT trustworthy by US Government agencies.
6 Success through interoperability and economies of scale: PIV-I and PIV-C (CIV) looked to benefit from economies of scale. As PIV, PIV-I and PIV-C credentials gained marketplace traction, the card and card reader become commodities and supporting middleware becomes available in popular operating systems, helping reduce the cost of implementation, speed deployment and simplify use. The reality of the benefits of economies of scale, as of today, is mixed.
7 PIV Card Applications
8 NIST SP
9 Card Capability Container (CCC): The Card Capability Container (CCC) is a mandatory data object whose purpose is to facilitate compatibility of Government Smart Card Interoperability Specification (GSC-IS) applications with PIV Cards.
10 Card Holder Unique Identifier (CHUID): The Card Holder Unique Identifier (CHUID) data object is defined in SP and includes the Federal Agency Smart Credential Number (FASC-N) and the Global Unique Identification Number (GUID), which uniquely identify each card. For PIV Cards the CHUID is common between the contact and contactless interfaces and shall be accessible from both. For dual-chip implementations, the CHUID is copied in its entirety between the two chips.
11 Federal Agency Smart Credential Number (FASC-N): The FASC-N is a unique number assigned to one PIV card and individual only. It is 25 bytes in length and constructed of the following fields:
12 PIV Card Containers: 9a PIV Authentication Certificate; 9b PIV Management Key (9b Key); 9c PIV Digital Signature Certificate; 9d PIV Encryption Certificate; 9e PIV Card Authentication Certificate
13 PIV Card Containers 9a. 9a PIV Authentication Certificate: This certificate and its associated private key are used to authenticate the card and the cardholder. This slot is used for things like system login. The end-user PIN is required to perform any private key operations. Once the PIN has been provided successfully, multiple private key operations may be performed without additional cardholder consent. PIV: FASC-N, UUID, NACI Status, User Principal Name (UPN). PIV-I: UUID, NACI Status, User Principal Name (UPN).
14 PIV Card Containers 9b. 9b PIV Management Key (9b Key): Triple-DES key for PIV management.
15 PIV Card Containers 9c. 9c PIV Digital Signature Certificate: This certificate and its associated private key are used for digital signatures for the purpose of document signing, or signing files and executables. The end-user PIN is required to perform any private key operations. The PIN must be submitted every time, immediately before a sign operation, to ensure cardholder participation for every digital signature generated. PIV vs PIV-I: Governmental Enterprise PIN Policy vs Corporate Enterprise PIN Policy.
16 PIV Card Containers 9d. 9d PIV Encryption Certificate: This certificate and its associated private key are used for encryption for the purpose of confidentiality. This slot is used for things like encrypting e-mails or files. The end-user PIN is required to perform any private key operations. Once the PIN has been provided successfully, multiple private key operations may be performed without additional cardholder consent. PIV, PIV-I.
17 PIV Card Containers 9e. 9e PIV Card Authentication Certificate: This certificate and its associated private key are used to support additional physical access applications, such as providing physical access to buildings via PIV-enabled door locks. The end-user PIN is NOT required to perform private key operations for this slot. PIV: FASC-N, UUID, NACI Status. PIV-I: UUID, NACI Status.
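The per-slot PIN rules described above for 9a, 9c, 9d and 9e, modelled as an added example (not code from the presentation or from any card or middleware vendor): an in-memory stand-in for the PIV applet that enforces PIN-once, PIN-always and no-PIN behaviour plus a retry counter, so the behaviour a relying application sees can be checked. The PIN value, the hash standing in for the private-key computation and the three-try limit are constructed assumptions.

```python
"""Per-slot PIN policy model for PIV containers 9a, 9c, 9d and 9e.

Added illustration only: a toy card that applies the cardholder-consent
rules the slides describe. It is not a PIV applet or middleware.
"""
from enum import Enum
import hashlib
import hmac


class PinPolicy(Enum):
    ONCE = "once"      # PIN verified once, then many operations (9a, 9d)
    ALWAYS = "always"  # PIN submitted immediately before every operation (9c)
    NEVER = "never"    # no PIN at all (9e, card authentication for PACS)


# Slot -> policy, as described for PIV Authentication (9a), Digital Signature
# (9c), Key Management / Encryption (9d) and Card Authentication (9e).
# 9b is a symmetric management key, not a cardholder key, so it is not here.
SLOT_POLICY = {
    "9a": PinPolicy.ONCE,
    "9c": PinPolicy.ALWAYS,
    "9d": PinPolicy.ONCE,
    "9e": PinPolicy.NEVER,
}


class SecurityStatusNotSatisfied(Exception):
    """The slot's PIN policy has not been met for this operation."""


class PinBlocked(Exception):
    """Retry counter exhausted; only the issuer (CMS) can unblock the PIN."""


class PivCardModel:
    def __init__(self, pin: str, max_retries: int = 3) -> None:
        self._pin = pin.encode()          # constructed; a real card keeps it in the chip
        self.max_retries = max_retries    # assumed limit, constructed for the model
        self.retries_left = max_retries
        self._session_verified = False    # satisfies PinPolicy.ONCE until reset()
        self._fresh_verification = False  # consumed by the next private-key operation

    def reset(self) -> None:
        """Card removed or power-cycled: all PIN state is lost."""
        self._session_verified = False
        self._fresh_verification = False

    def verify_pin(self, candidate: str) -> bool:
        """VERIFY: True on success; a failure costs one retry and clears PIN state."""
        if self.retries_left == 0:
            raise PinBlocked("PIN blocked")
        if hmac.compare_digest(candidate.encode(), self._pin):
            self.retries_left = self.max_retries
            self._session_verified = True
            self._fresh_verification = True
            return True
        self.retries_left -= 1
        self._session_verified = False
        self._fresh_verification = False
        if self.retries_left == 0:
            raise PinBlocked("PIN blocked after too many wrong attempts")
        return False

    def private_key_operation(self, slot: str, data: bytes) -> str:
        """Private-key use of a slot, gated by that slot's PIN policy."""
        if slot not in SLOT_POLICY:
            raise ValueError(f"slot {slot} is not a cardholder key slot in this model")
        policy = SLOT_POLICY[slot]
        if policy is PinPolicy.ONCE and not self._session_verified:
            raise SecurityStatusNotSatisfied(slot)
        if policy is PinPolicy.ALWAYS and not self._fresh_verification:
            raise SecurityStatusNotSatisfied(slot)
        # Any private-key operation uses up the "immediately before" property,
        # so a 9c signature always needs a new PIN entry directly before it.
        self._fresh_verification = False
        # Stand-in for the real private-key computation: a hash bound to the slot.
        return hashlib.sha256(slot.encode() + data).hexdigest()

    def try_operation(self, slot: str, data: bytes):
        """Result on success, None when the slot's policy blocks the operation."""
        try:
            return self.private_key_operation(slot, data)
        except SecurityStatusNotSatisfied:
            return None


def walkthrough() -> dict:
    """Exercise each policy and report what a relying application observes."""
    card = PivCardModel(pin="123456")  # constructed PIN
    seen = {}
    seen["9e_without_pin"] = card.try_operation("9e", b"PACS challenge") is not None
    seen["9a_without_pin"] = card.try_operation("9a", b"logon challenge") is not None
    seen["wrong_pin"] = card.verify_pin("000000")
    seen["right_pin"] = card.verify_pin("123456")
    seen["9c_first"] = card.try_operation("9c", b"document") is not None
    seen["9c_second"] = card.try_operation("9c", b"document") is not None   # needs PIN again
    seen["9a_first"] = card.try_operation("9a", b"logon challenge") is not None
    seen["9a_second"] = card.try_operation("9a", b"TLS challenge") is not None  # no new PIN
    card.reset()
    seen["9a_after_reset"] = card.try_operation("9a", b"logon challenge") is not None
    return seen


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step:16s} {'allowed' if outcome else 'refused'}")
```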
18 Biometric Data for PIV Card: The mandatory Cardholder Fingerprint data object specifies the primary and secondary fingerprints for off-card matching in accordance with FIPS 201 and [SP800-76]. The mandatory Cardholder Facial Image data object supports visual authentication by a guard, and may also be used for automated facial authentication in operator-attended PIV issuance, reissuance, and verification data reset processes. The facial image data object shall be encoded as specified in [SP800-76]. The optional Iris Images data object specifies compact images of the cardholder's irises. The images are suitable for use in iris recognition systems for automated identity verification. The iris images data object shall be encoded as specified in [SP800-76].
19 PIV Data Containers (diagram): Card Capability Container; CHUID; Printed Information; Certificate for PIV Authentication (9A PIV Authentication Key); Certificate for Digital Signature (9C Digital Signature Key); Certificate for Key Management (9D Key Management Key); Certificate for Card Authentication (9E Card Authentication Key); 9B Card Management Key; Card Holder Fingerprints; Card Holder Facial Image; Iris Image; Security Object; Discovery Object; Retired Certificates (20) and Retired Key Management Keys (20); optional proprietary containers. Legend: NIST mandatory data containers; NIST optional data containers; PIN required; accessible over contactless interface; asymmetric key; symmetric key; internal vault for secret data; 9B key authentication is required for writing; reading is free or PIN protected (ISO).
20 PIV Implementation: Just using a card alone does not bring much benefit. Depending upon scope and scale, implementation of PIV requires the use of multiple components, as indicated. PACS: Using the card for physical access control requires PIV-compatible door readers and a compatible PACS back end. LACS: This requires compatible middleware and a PKI network set-up. Credentialing and issuance infrastructure is needed: CMS, IDMS, CA. Rule of thumb: In a typical PIV implementation, the cost of the PIV card is only a small fraction of the entire budget.
21 PIV Ecosystem
22 PIV Card Life Cycle: This process differs for PIV and PIV-I/PIV-C.
23 Terminal/PC Middleware: Middleware provides a standard interface between the card and third-party applications.
24 Physical Access Control Readers
25 IDMS/CMS: Background Verification; Issuance; Credential Lifecycle Management
26 Evolving and updated specifications: Updated PIV Card specification. Compliant with latest PIV specifications (SP ). Supports on-card fingerprint verification (fastest). Supports key history (up to 20 certificates). AES-based secure messaging (OT-SCP03). Supports elliptic curve cryptography. Supports a fast data access mechanism. Available in various memory sizes up to 128 KB. Personalization (key and certificate loading) is faster.
27 DERIVED CREDENTIAL - HOW IT WORKS. 1. Request Derived Credential: The applicant sends a formal request for a derived credential. The applicant provides PIN or biometric authentication. A higher level of assurance and authentication utilizes biometric information or a PIN to verify that the applicant is physically present during the credentialing process. 2. Applicant presents existing trusted credential: Checks that the smart card/mobile ID is a valid card from a trusted, specific secured source or authority and has not been tampered with. 4. Verify information for eligibility: Checks that all policy conditions have been met and that the applicant is eligible for derived credentials.
28 DERIVED CREDENTIAL - HOW IT WORKS. Set PIN for Derived Credential: The applicant is then prompted to create a new, personalized PIN that will be used to verify their credentials from here on out. 6. Select Available Derived Credentials: The applicant's mobile device/card is checked wirelessly to ensure that the device has a FIPS-validated credential store/secure element. Keys and certificates are then programmed into the device/card. 7. Process Completed: The derived credentials are now registered. 8. Lifecycle Management: The derived credentials are now registered, allowing for the credential lifecycle to be managed fully.
29 DERIVED CREDENTIAL PRESENTATION ON MOBILE. Identity Verification: Verify signature, demographic information, facial photos, fingerprints and other identity information on the smart card chip. Communication Interface: Contactless interface of NFC, contact interface or Bluetooth. Credential Check: Select any credential and perform a health check so that all data passes content signature verification. Web Services Integration: Connect with various applications using SOAP and REST web services. Multi-Factor Authentication: Check user status (active or revoked) with flexible authentication such as PIN, fingerprint, OTP or PKI. Additional Services: Limitless services available at the customer's request for elections, benefit programs, law enforcement, medical record management, transport security, access control, vehicle registration, driver identification.
30 BOOZ ALLEN HAMILTON PIV-I CASE STUDY: In 2008, Booz Allen launched its PIV-I implementation. Business Drivers: Improve network security by migrating to PKI-based authentication. Provide PIV consulting/services to the Federal Government. Requirements: The CMS had to connect to PeopleSoft (Oracle) for human resource services and Active Directory (Microsoft) for logical access. Log on to the Microsoft-based network and sign & encrypt. Did not replace physical access door panels to support the FASC-N/data container 9e PIV Card Authentication Certificate for physical access. Has issued over 20,000 PIV-I cards.
31 BOOZ ALLEN HAMILTON PIV-I CASE STUDY: ISSUES. SHA-1 vs SHA-256: The Federal Bridge Certificate Policy requires that signatures on certificates generated after December 31, 2010 use the SHA-256 hash algorithm; vendors were slow to resolve compatibility issues and implement the required changes to fully support SHA-256 on desktops and corporate information systems. Biometrics: The PIV-I specification requires the capture and storage of biometric data. However, because of privacy considerations, Booz Allen does not require the capture of biometric data as a condition of employment. To address this issue, Booz Allen implemented a non-PIV-I smart card that can be issued to individuals who decline to submit their fingerprints. These cards are fully functional within Booz Allen but are not enabled for Federal Government interoperability. Non-U.S.-based employees: As Booz Allen issued new smart cards to their non-U.S.-based employees, the different privacy laws of those countries needed to be addressed, including significant restrictions on what data can be collected, how and where it can be stored, and whether it can be exported to a U.S.-based corporate data store. Cost: Will be discussed in a following slide.
32 SAIC PIV-I CASE STUDY: In 2012, SAIC launched its PIV-I implementation. Business Drivers: Improved security, streamlined operations, and increased accountability. Provide PIV consulting/services to the Federal Government. Use-Cases: Strong authentication for remote and wireless access to corporate networks. Encryption of messages containing sensitive and regulated information. Digital signatures for official corporate correspondence. Digital signatures to make internal forms and processes paperless. Has issued over 41,000 PIV-I cards.
33 SAIC PIV-I CASE STUDY. Requirements: Ensure that PIV-I does not cost significantly more than the smart card strong authentication systems currently in use. Ensure that PIV-I does not require replacing existing smart card and badge infrastructures. Enable seamless interoperability between SAIC and its vendors, teammates, and customers, including using SAIC cards on teammates' and customers' computers (and vice versa). Take advantage of widespread and rapidly growing support for PIV on Windows, Mac, Linux, and mobile devices. Take advantage of the PIV standards to drive down the costs of procurement, integration, deployment, and operation of an enterprise smart card solution.
34 SAIC PIV-I CASE STUDY: ISSUES
35 COMMONWEALTH OF VIRGINIA PIV-I CASE STUDY: In 2005, Virginia launched its PIV-I implementation. Business Drivers: Enhance Virginia's response and recovery efforts. Show other states that providing a First Responder Authentication Credential (FRAC) no longer delays efforts in any scenario requiring the deployment of emergency responders. Use-Cases: Rapidly authenticate (electronically) the identity of a person at the scene of an incident. Electronically authenticate a first responder's key skills so that incident commanders can assign personnel to tasks quickly and appropriately. Provide a level of trust between emergency responders across multiple jurisdictions in times of critical incidents, thus enhancing cooperation and the efficiency of the response efforts between Federal, state, regional, local, and private sector emergency personnel. Has issued over 16,000 PIV-I (FRAC) cards.
36 COMMONWEALTH OF VIRGINIA PIV-I CASE STUDY: ISSUES. The FRAC was not fully integrated with existing Physical Access Control Systems or Logical Access Control Systems, so it was not widely used on a daily basis. Mobile card readers were not widely deployed, thus the cards were not utilized to their full potential. After issuance was completed, all of the equipment used to issue the FRACs was returned to the contractor, limiting the ability of areas of Virginia like Arlington and Alexandria to invest local resources in the program.
37 PIV-I in the Enterprise: considerations for improvement. Managing certificate trust: Managing certificate trust at an enterprise level can be very challenging, especially when cross-organizational trust is involved, such as through the Federal Bridge. Alternative authentication for a lost card: Authentication systems have difficulty providing alternative authentication in the case of a lost card. This situation can create computer logon problems. Multiple forms of strong authentication technology can be beneficial: Smart card authentication is very powerful when it is combined with an alternative strong authentication technology, such as a one-time password. Having both forms available makes it possible to handle more use cases gracefully. Lack of PKI support for non-Windows clients: Deploying signed and encrypted systems enterprise-wide requires support for non-Windows users, mobile users, and Web access users.
38 PIV-I in the Enterprise: considerations for improvement. Terminal vs Web/Cloud login: Users who use a smart card to log on to their computer, and then need to use a different smart card to access a Web site that does not support PIV (e.g. PIV vs CAC), will need two smart card readers in order to use both smart cards simultaneously. This is problematic, as most computers are only equipped with a single reader, and removing the smart card used for computer logon causes that computer's screen to lock, preventing use of the other card. Employee Training: A clear plan outlining the design, the deployment, application enablement plans, and communications to employees is critical. Legacy Credentials Transition: Transition of existing legacy credentials; inability to log in or gain access to a facility.
39 PIV-I in the Enterprise: considerations for improvement. Improved automation needed: Implement a solution that allows for full life-cycle management of the credential, including personal identification number (PIN) management, certificate updates, revocation, and key recovery. A key focus was minimizing the need for a user to visit a specific office to accomplish a task. The solution requires functionality to be pushed to the desktop, enabling end-user self-service. Too many PIN entries: PIV security policy requires PIN entry every time the PKI certificates are accessed. Every day, employees found this security policy to be irritating. CMS systems need to be interoperable with each other: Cards issued by one CMS should be updateable by another CMS system. Though CMS systems support standards, they execute the standards via proprietary, locked-down middleware and agents.
40 Editorial: Government System Integrator Cost to deploy PIV-I. Cost (editorial): Government contractors such as Booz Allen Hamilton, SAIC and Northrop are different animals from corporate enterprises. They did not implement PIV out of function (value/return) but to demonstrate to their largest customer that "we do identity like you do". In such cases, these projects did not go through the same approval/analysis scrutiny that other IT projects do, nor were they held to the same metrics for success. This, unfortunately, has given a false sense of PIV penetration/success in the private sector. Northrop spent $654m over 5 years for PIV deployment internally across 200k users. By any measure that is a major expense that most enterprises couldn't entertain unless it was tied to their largest customer and demonstrating alignment, not function or security. Evolution of cost/benefit of eID solutions: business models still need to evolve. The cost of PIV-I deployed in the private sector space, at this time, remains hard to justify based on the merit of the technology/value itself.
41 CONCLUSIONS: PIV-I BENEFITS FOR ENTERPRISES. Over 10 million PIV and PIV-I cards are actively being used as enterprise IDs. Economies of scale: readers and software become commoditized. Improved employee efficiency/speed: faster access to secured networks and applications. Open standards interoperability: among vendor products and different organizations. Multiple suppliers: offer products and services that support PIV-I credentials, reducing costs and providing a choice of vendors. Improved security: The implementation of the PIV-I identity proofing process and strong authentication technologies improves security for an organization's physical facilities and information systems.
42 CONCLUSIONS: PIV-I BENEFITS FOR ENTERPRISES. Proven technology: All Federal agencies have now implemented PIV credentials, allowing organizations to build their infrastructure using proven technology that has industry-wide acceptance. Multi-application eID: PIV-I cards support multiple applications, allowing an individual to have one card that can be used for physical access and for different logical access applications. A single credential per individual represents a significant cost saving in the long term. Future-proof solutions: By building on open standards and a technology platform with an open architecture, organizations can future-proof their systems and add capabilities after initial implementation. Scalable: PIV and PIV-I implementations have proven to be scalable to millions of employees, supporting the largest organizations' requirements.
43 Extra Slides
44 COMPARISON OF PIV, PIV-I AND CIV: Personal Identity Verification (PIV), Personal Identity Verification-Interoperable (PIV-I) and Commercial Identity Verification (CIV) credentials. US Government's Personal Identity Verification (PIV) credential: In 2004, the US Federal government established HSPD-12, a policy directive for a Common Identification Standard for Federal employees and contractors. The directive offers: common, secure, reliable identification for employees and contractors; visual and electronic identity verification; government-wide technical interoperability and authentication. Benefits of this standard are: non-proprietary, compatible COTS solutions; native support in products (e.g. Windows OS); lower cost of implementation compared to proprietary solutions; field-proven and mature technologies.
Policy comparison (PIV / PIV-I / CIV):
Breeder documents. PIV: Follows FIPS 201. PIV-I: Follows FIPS 201. CIV: Follows the issuing organization's policies.
Background checks. PIV: National Agency Check with Investigation. PIV-I: None required; directly impacts level of suitability for access. CIV: Follows the issuing organization's policies.
Process (application, adjudication, enrollment, issuance, activation). PIV: Follows FIPS 201, including separation of roles and strong biometric binding. PIV-I: Follows Federal Bridge cross-certification certificate policies; follows SP for Federal issuance. CIV: Follows the issuing organization's policies; for Federal relying parties, follows SP.
45 COMPARISON OF PIV, PIV-I AND CIV. Technology comparison (PIV / PIV-I / CIV):
Card data model. PIV: Must follow SP. PIV-I: Must follow SP. CIV: SP (recommended).
Current primary credential number. PIV: FASC-N (requires Federal agency code). PIV-I: UUID (no Federal agency code required). CIV: UUID (no Federal agency code required).
Object identifiers. PIV: Federal Bridge. PIV-I: Federal Bridge. CIV: Organization's Internet Assigned Numbers Authority (IANA) identifier (if it exists).
Trustworthiness. PIV: Trusted identity, credential and suitability. PIV-I: Trusted basic identity and credential but not suitability. CIV: Trusted credential only within the issuing organization.
Trust among organizations. PIV: Federal Bridge. PIV-I: Clustered through Federal Bridge. CIV: Clustered alone.
Origin organization. PIV: NIST. PIV-I: Federal CIO Council. CIV: SCA Access Control Council.
Defining documents. PIV: FIPS 201, SP and other related NIST publications. PIV-I: PIV-Interoperability for Non-Federal Issuers and FICAM. CIV: CIV Credential Leveraging FIPS 201 and the PIV Specifications.
Motivation. PIV: HSPD-12. PIV-I: Organizations doing business with government, and first responders. CIV: Commercial organizations could take advantage of the PIV infrastructure.
Markets / organizations that may issue and/or use the credential. PIV: Federal agencies. PIV-I: Federal agencies and contractors; state and local governments; first responder organizations. CIV: Commercial organizations, and Federal agencies who accept medium hardware assurance.
Emergency Response Official Credentials: An Approach to Attain Trust in Credentials across Multiple Jurisdictions for Disaster Response and Recovery A Smart Card Alliance White Paper Publication Date:
More informationInteragency Advisory Board Meeting Agenda, December 7, 2009
Interagency Advisory Board Meeting Agenda, December 7, 2009 1. Opening Remarks 2. FICAM Segment Architecture & PIV Issuance (Carol Bales, OMB) 3. ABA Working Group on Identity (Tom Smedinghoff) 4. F/ERO
More informationRevision 2 of FIPS 201 and its Associated Special Publications
Revision 2 of FIPS 201 and its Associated Special Publications Hildegard Ferraiolo PIV Project Lead NIST ITL Computer Security Division Hildegard.ferraiolo@nist.gov IAB meeting, December 4, 2013 FIPS 201-2
More informationIDCore. Flexible, Trusted Open Platform. financial services & retail. Government. telecommunications. transport. Alexandra Miller
IDCore Flexible, Trusted Open Platform financial services & retail enterprise > SOLUTION Government telecommunications transport Trusted Open Platform Java Card Alexandra Miller >network identity >smart
More informationPKI and FICAM Overview and Outlook
PKI and FICAM Overview and Outlook Stepping Stones 2001 FPKIPA Established Federal Bridge CA established 2003 E-Authentication Program Established M-04-04 E-Authentication Guidance for Federal Agencies
More information000027
000026 000027 000028 000029 000030 EXHIBIT A 000031 Homeland Security Presidential Directive/Hspd-12 For Immediate Release Office of the Press Secretary August 27, 2004 Homeland Security Presidential Directive/Hspd-12
More informationENTRUST DATACARD DERIVED PIV CREDENTIAL SOLUTION
ENTRUST DATACARD DERIVED PIV CREDENTIAL SOLUTION A Guide to Meet NIST SP 800-157 Requirements +1-888-690-2424 entrust.com Table of contents The Need for Mobile Credentials Page 3 Entrust Datacard: The
More informationSecure Solutions. EntryPointTM Access Readers TrustPointTM Access Readers EntryPointTM Single-Door System PIV-I Compatible Cards Accessories
Secure Solutions l l l l BridgePointTM solutions that will take your security system to the next level EntryPointTM Access Readers TrustPointTM Access Readers EntryPointTM Single-Door System PIV-I Compatible
More informationMandate. Delivery. with evolving. Management and credentials. Government Federal Identity. and. Compliance. using. pivclasss replace.
Simplifying Compliance with the U.S. Government Federal Identity Mandate The first in a series of papers on HID Global ss Federal Identity Initiative and Delivery Strategy U.S. government agencies are
More informationMobile Validation Solutions
227 Mobile Validation Solutions John Bys Executive Vice President Copyright 2007, CoreStreet, Ltd. Who has requirements? Maritime Safety Transportation Act Ports / MTSA Facilities Vehicle check points
More informationSecure Lightweight Activation and Lifecycle Management
Secure Lightweight Activation and Lifecycle Management Nick Stoner Senior Program Manager 05/07/2009 Agenda Problem Statement Secure Lightweight Activation and Lifecycle Management Conceptual Solution
More informationOffice of Transportation Vetting and Credentialing. Transportation Worker Identification Credential (TWIC)
Office of Transportation Vetting and Credentialing Transportation Worker Identification Credential (TWIC) Program Briefing for the American Association of Port Authorities Chicago, IL 27 April 2005 TWIC
More informationMultiple Credential formats & PACS Lars R. Suneborn, Director - Government Program, HIRSCH Electronics Corporation
Multiple Credential formats & PACS Lars R. Suneborn, Director - Government Program, HIRSCH Electronics Corporation Insert Company logo here A Smart Card Alliance Educational Institute Course Multiple credential
More informationThe Leader in Unified Access and Intrusion
Unified PACS with PKI Authentication, to Assist US Government Agencies in Compliance with NIST SP 800-116, FIPS 201 and OMB M 11-11 in a High Assurance Trusted FICAM Platform In Partnership with: The Leader
More informationState of the Industry and Councils Reports. Access Control Council
State of the Industry and Councils Reports Access Control Council Chairman: Lars R. Suneborn, Sr. Manager, Technical Marketing, Government ID, Oberthur Technologies Property of the Smart Card Alliance
More informationInterfaces for Personal Identity Verification Part 1: PIV Card Application Namespace, Data Model and Representation
Draft NIST Special Publication 800-73-4 Interfaces for Personal Identity Verification Part 1: PIV Card Application Namespace, Data Model and Representation Ramaswamy Chandramouli David Cooper Hildegard
More informationDFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017
DFARS 252.204-7012 Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017 As with most government documents, one often leads to another. And that s the case with DFARS 252.204-7012.
More informationInteragency Advisory Board Meeting Agenda, April 27, 2011
Interagency Advisory Board Meeting Agenda, April 27, 2011 1. Open Remarks (Mr. Tim Baldridge, IAB Chair) 2. FICAM Plan for FIPS 201-2 (Tim Baldridge, IAB Chair and Deb Gallagher, GSA) 3. NSTIC Cross-Sector
More informationInteragency Advisory Board Meeting Agenda, February 2, 2009
Interagency Advisory Board Meeting Agenda, February 2, 2009 1. Opening Remarks (Tim Baldridge, NASA) 2. Mini Tutorial on NIST SP 800-116 AND PIV use in Physical Access Control Systems (Bill MacGregor,
More informationCREDENTSYS CARD FAMILY
CREDENTSYS CARD FAMILY Credentsys is a secure smart card family that is designed for national ID systems, passports, and multi-use enterprise security environments. The family is certified to FIPS 140-2
More informationLeveraging the LincPass in USDA
Leveraging the LincPass in USDA Two Factor Authentication, Digital Signature, Enterprise VPN, eauth Single Sign On February 2010 USDA Takes Advantage of the LincPass USDA is taking advantage of the LincPass
More informationConsiderations for the Migration of Existing Physical Access Control Systems to Achieve FIPS 201 Compatibility
Considerations for the Migration of Existing Physical Access Control Systems to Achieve FIPS 201 Compatibility A Smart Card Alliance Physical Access Council White Paper Publication Date: September 2006
More informationNo More Excuses: Feds Need to Lead with Strong Authentication!
No More Excuses: Feds Need to Lead with Strong Authentication! Dr. Sarbari Gupta sarbari@electrosoft-inc.com Annual NCAC Conference on Cybersecurity March 16, 2016 Electrosoft Services, Inc. 1893 Metro
More informationIAB Minutes Page 1 of 6 April 18, 2006
IAB Minutes Page 1 of 6 The Interagency Advisory Board (IAB) meeting convened on Tuesday, April 17, 2006 at 9:15 AM at the Sheraton National Hotel in Arlington. After opening remarks by Randy Vanderhoof
More informationNon Person Identities After all, who cares about me? Gilles Lisimaque & Dave Auman Identification technology Partners, Inc.
Identities Non Person Identities After all, who cares about me? Gilles Lisimaque & Dave Auman Identification technology Partners, Inc. Device Identifiers Most devices we are using everyday have (at least)
More informationcryptovision s Government Solutions Adam Ross, Ben Drisch cryptovision GmbH
cryptovision s Government Solutions Adam Ross, Ben Drisch cryptovision GmbH cv cryptovision GmbH T: +49 (0) 209.167-24 50 F: +49 (0) 209.167-24 61 info(at)cryptovision.com 1 cryptovision cryptovision Gelsenkirchen
More informationDoD Common Access Card Convergence of Technology Access/E-Commerce/Biometrics
DoD Common Access Card Convergence of Technology Access/E-Commerce/Biometrics IDENTITY Mary Dixon February 12, 2003 1 A Short Review and Update 2 DoD is issuing 4 million smart cards to: Active Duty Military
More informationTWIC Transportation Worker Identification Credential. Overview
TWIC Transportation Worker Identification Credential Overview TWIC Program Vision Goals Improve the security of identity management by establishing a system-wide common credential, universally acceptable
More informationhidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION
HID ActivOne USER FRIENDLY STRONG AUTHENTICATION We understand IT security is one of the TOUGHEST business challenges today. HID Global is your trusted partner in the fight against data breach due to misused
More informationOperated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA
Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA LANL s Multi-Factor Authentication (MFA) Initiatives NLIT Summit 2018 Glen Lee Network and Infrastructure Engineering
More informationChanges to SP (SP ) Ketan Mehta NIST PIV Team NIST ITL Computer Security Division
Changes to SP 800-73 (SP 800-73-4) Ketan Mehta NIST PIV Team NIST ITL Computer Security Division mehta_ketan@nist.gov Smart Card Alliance, Government Conference October 30, 2014 Draft SP 800-73-4 Removed
More informationThe Device Has Left the Building
The Device Has Left the Building Mobile Security Made Easy With Managed PKI Christian Brindley Principal Systems Engineer, Symantec Identity and Information Protection Agenda 1 2 3 Mobile Trends and Use
More informationOverview of cryptovision's eid Product Offering. Presentation & Demo
Presentation & Demo Benjamin Drisch, Adam Ross cv cryptovision GmbH T: +49 (0) 209.167-24 50 F: +49 (0) 209.167-24 61 info(at)cryptovision.com 1 General Requirements Government of Utopia Utopia Electronic
More informationAugust, Actividentity CTO Office
The Open Protocol for Access Control Identification and Ticketing with PrivacY For the Secure Enablement of converged Access and Contactless Transactions August, 2010 Actividentity CTO Office 2 What is
More informationPKI Credentialing Handbook
PKI Credentialing Handbook Contents Introduction...3 Dissecting PKI...4 Components of PKI...6 Digital certificates... 6 Public and private keys... 7 Smart cards... 8 Certificate Authority (CA)... 10 Key
More informationDATA SHEET. ez/piv CARD KEY FEATURES:
Personal Identity Verification (PIV) Card ez/piv Card satisfies FIPS 201, HSPD-12. It allows your users to authenticate to z/os Security Server through the use of a government PIV or CAC Card. KEY FEATURES:
More informationFICAM Configuration Guide
UTC Fire & Security Americas Corporation, Inc. 1212 Pittsford-Victor Road Pittsford, New York 14534 USA Tel 866.788.5095 Fax 585.248.9185 www.lenel.com Overview FICAM Configuration Guide The instructions
More informationCryptologic and Cyber Systems Division
Cryptologic and Cyber Systems Division OVERALL BRIEFING IS Someone Scraped My Identity! Is There a Doctrine in the House? AF Identity, Credential, and Access Management (ICAM) August 2018 Mr. Richard Moon,
More informationPIV Data Model Test Guidelines
This publication is available free of charge from http://csrc.nist.gov/publications/ Draft NIST Special Publication 800-85B-4 PIV Data Model Test Guidelines Ramaswamy Chandramouli Hildegard Ferraiolo Ketan
More informationInteragency Advisory Board Meeting Agenda, Tuesday, November 1, 2011
Interagency Advisory Board Meeting Agenda, Tuesday, November 1, 2011 1. Opening Remarks (Mr. Tim Baldridge, IAB Chair) 2. FIPS 201-2 Update and Panel Discussion with NIST Experts in Q&A Session (Bill MacGregor
More informationInteragency Advisory Board Meeting Agenda, Wednesday, April 24, 2013
Interagency Advisory Board Meeting Agenda, Wednesday, April 24, 2013 1. Opening Remarks 2. A Security Industry Association (SIA) Perspective on the Cost and Methods for Migrating PACS Systems to Use PIV
More informationDoD & FiXs : Identity Superiority
DoD & FiXs : Identity Superiority Implementing common authentication now & into the future. The Federation for Identity and Cross-Credentialing Systems (FiXs) www.fixs.org FiXs - The Federation for Identity
More informationManaging PIV Life-cycle & Converging Physical & Logical Access Control
Managing PIV Life-cycle & Converging Physical & Logical Access Control Ramesh Nagappan Sun Microsystems ramesh.nagappan@sun.com Smart cards in Government Conference Oct 23, 2008 Ronald Reagan International
More informationIdentity and Authentication PKI Portfolio
Identity and Authentication PKI Portfolio Gemalto offers comprehensive public key infrastructure (PKI) authentication solutions that provide optimal levels of security. Supporting a wide portfolio of IDPrime
More informationBiometrics. Overview of Authentication
May 2001 Biometrics The process of verifying that the person with whom a system is communicating or conducting a transaction is, in fact, that specific individual is called authentication. Authentication
More informationVersion 3.4 December 01,
FIXS OPERATING RULES Version 3.4 December 01, 2015 www.fixs.org Copyright 2015 by the Federation for Identity and Cross-Credentialing Systems, Inc. All Rights Reserved Printed in the United States of America
More informationGuardium UI Login using a Smart card
IBM Security Guardium Guardium UI Login using a Smart card Overview Guardium Smart card support meets the United States government mandate that all vendors must support multi-factor authentication for
More informationFICAM in Brief: A Smart Card Alliance Summary of the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance
FICAM in Brief: A Smart Card Alliance Summary of the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance A Smart Card Alliance Identity Council and Physical
More informationInteragency Advisory Board Meeting Agenda, Wednesday, June 29, 2011
Interagency Advisory Board Meeting Agenda, Wednesday, June 29, 2011 1. Opening Remarks (Mr. Tim Baldridge, IAB Chair) 2. Using PKI to Mitigate Leaky Documents (John Landwehr, Adobe) 3. The Digital Identity
More informationYubico with Centrify for Mac - Deployment Guide
CENTRIFY DEPLOYMENT GUIDE Yubico with Centrify for Mac - Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical component
More informationTo be covered: S&T Intro TTWG. Research/Pilots. Scope Goals Report
Personal Identity Verification- Interoperability/ First Responder Authentication Credential (PIV-I/FRAC) I/FRAC) Technology Transition Work Group (TTWG) Karyn Higa-Smith Research Program Manager Cyber
More informationI N F O R M A T I O N S E C U R I T Y
NIST Special Publication 800-73-2 2 nd DRAFT Interfaces for Personal Identity Verification Part 1: End-Point PIV Card Application Namespace, Data Model, and Representation James F. Dray Scott B. Guthery
More informationMobile: Purely a Powerful Platform; Or Panacea?
EBT: The Next Generation 2017 Mobile: Purely a Powerful Platform; Or Panacea? Evan O Regan, Director of Product Management Authentication & Fraud Solutions Entrust Datacard POWERFUL PLATFORM OR PANACEA
More informationKeith Ward Northrop Grumman IT Smart Card Security Solutions June 04, 2002
Physical and Logical Security Solutions Smart Card Alliance Keith Ward Northrop Grumman IT Smart Card Security Solutions June 04, 2002 1 Outline Homeland Security Mission Spectrum Market Assessment Identification
More informationSmart Card Alliance Comments and Considerations on Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance
Smart Card Alliance Comments and Considerations on Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance This document offers Smart Card Alliance comments on the
More informationMAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013
MAESON MAHERRY 3 Factor Authentication and what it means to business. Date: 21/10/2013 Concept of identity Access Control User Self-Service Identity and Access Management Authoritive Identity Source User
More informationCERTIFICATE POLICY CIGNA PKI Certificates
CERTIFICATE POLICY CIGNA PKI Certificates Version: 1.1 Effective Date: August 7, 2001 a Copyright 2001 CIGNA 1. Introduction...3 1.1 Important Note for Relying Parties... 3 1.2 Policy Identification...
More informationFederal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance
Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance November 10, 2009 Powered by the Federal Chief Information Officers Council and the Federal Enterprise Architecture
More informationTechnical Implementation Guidance: Smart Card Enabled Physical Access Control Systems Draft Version 2.3E
Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems Draft Version 2.3E Approved by: Government Smart Card Interagency Advisory Board Prepared by: Physical Access Interagency
More informationCertiPath TrustVisitor and TrustManager. The need for visitor management in FICAM Compliant PACS
CertiPath TrustVisitor and TrustManager The need for visitor management in FICAM Compliant PACS CertiPath TrustMonitor CertiPath TrustVisitor and TrustManager The need for visitor management in FICAM Compliant
More informationVMware PIV-D Manager Deployment Guide
VMware PIV-D Manager Deployment Guide AirWatch v9.2 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product is protected
More informationUnlocking The CHUID. Practical Considerations and Lessons Learned for PIV Deployments. Eric Hildre 07/18/2006
Unlocking The CHUID Practical Considerations and Lessons Learned for PIV Deployments Eric Hildre 07/18/2006 Purpose Provide practical considerations and lessons learned to the IAB from the Access Card
More informationFederated Access. Identity & Privacy Protection
Federated Access Identity & Privacy Protection Presented at: Information Systems Security Association-Northern Virginia (ISSA-NOVA) Chapter Meeting Presented by: Daniel E. Turissini Board Member, Federation
More informationAWARD TOP PERFORMER. Minex III FpVTE PFT II FRVT PRODUCT SHEET. Match on Card. Secure fingerprint verification directly on the card
AWARD Speed Accuracy Interoperability TOP PERFORMER PRODUCT SHEET Minex III FpVTE PFT II FRVT Match on Card Secure fingerprint verification directly on the card WWW.INNOVATRICS.COM MATCH ON CARD Our solution
More informationInteragency Advisory Board Meeting Agenda, December 7, 2009
Interagency Advisory Board Meeting Agenda, December 7, 2009 1. Opening Remarks 2. FICAM Segment Architecture & PIV Issuance (Carol Bales, OMB) 3. ABA Working Group on Identity (Tom Smedinghoff) 4. F/ERO
More informationUsing the Prototype TWIC for Access A System Integrator Perspective
Using the Prototype TWIC for Access A System Integrator Perspective AAPA Port Security Seminar and Exhibition, Seattle, WA July 19, 2006 Management and Technology Consultants The Challenge How do I manage
More informationDirectTrust Governmental Trust Anchor Bundle Standard Operating Procedure
DirectTrust Governmental Trust Anchor Bundle Standard Operating Procedure Change Control Date Version Description of changes 15-December- 2016 1-December- 2016 17-March- 2016 4-February- 2016 3-February-
More informationpivclass FIPS-201 Reader Operation and Output Selections APPLICATION NOTE , F.0 February Barranca Parkway Irvine, CA 92618
15370 Barranca Parkway Irvine, CA 92618 pivclass FIPS-201 Reader Operation and Output Selections APPLICATION NOTE 6090-905, F.0 February 2014. Contents 1 Overview... 4 2 CHUID Definition... 4 3 FASC-N
More information