Module 5: Smart Card Usage Models Identity, Security and Access Control


Smart Card Alliance Certified Smart Card Industry Professional (CSCIP) Accreditation Program
For CSCIP Applicant Use Only

About the Smart Card Alliance

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit

Important note: The CSCIP training modules are only available to LEAP members who have applied and paid for CSCIP certification. The modules are for CSCIP applicants ONLY for use in preparing for the CSCIP exam. These documents may be downloaded and printed by the CSCIP applicant. Further reproduction or distribution of these modules in any form is forbidden.

Copyright 2015 Smart Card Alliance, Inc. All rights reserved. Reproduction or distribution of this publication in any form is forbidden without prior permission from the Smart Card Alliance. The Smart Card Alliance has used best efforts to ensure, but cannot guarantee, that the information described in this report is accurate as of the publication date. The Smart Card Alliance disclaims all warranties as to the accuracy, completeness or adequacy of information in this report.

TABLE OF CONTENTS

1 Introduction
2 Smart Card Drivers and Benefits for Identity and Security Applications
  2.1 How Today's Identification Systems Can Fail
  2.2 What Makes an Identification System Secure
  2.3 Smart Card Benefits for Identification Systems
    2.3.1 Support for Physical and Digital Identity
    2.3.2 Authenticated and Authorized Information Access
    2.3.3 Strong ID Card Security
    2.3.4 ID Credential Security
    2.3.5 System Component Authentication
    2.3.6 Smart Card Support for Privacy Requirements
    2.3.7 Smart Card Support for Strong Authentication
    2.3.8 Smart Cards and Biometrics
    2.3.9 Enhanced Business Case with Multiple Applications
    2.3.10 Enhanced Convenience for Users
    2.3.11 Ease of Integration and Deployment in Information Technology Systems
    2.3.12 Improved Life Cycle Management
    2.3.13 Flexible Support for Migration Using Multiple Technologies
    2.3.14 Support for Multiple Form Factors
    2.3.15 Interoperable, Standards-Based Technology
  2.4 Summary
3 Identity Cards and Tokens
  3.1 Identity Cards
    3.1.1 Security Printing Features
    3.1.2 Security Devices
  3.2 USB Tokens
  3.3 One-Time Password Tokens
  3.4 Mobile Devices and Identity, Authentication and Access Control Applications
  3.5 Standards for Identity Applications on Smart Cards
4 ePassports
  4.1 ePassport Features and Specifications
    4.1.1 Contactless Chip
    4.1.2 Biometrics
    4.1.3 Logical Data Structure
    4.1.4 ePassport Security Measures
  4.2 ePassport Validity and ICAO Public Key Directory
  4.3 U.S. ePassport Security Measures and Use
5 Physical Access
  5.1 PACS Components
  5.2 Physical Access Control Process (Non-U.S.-Federal Government Use)
    5.2.1 The ID Credential
    5.2.2 The Card Reader
    5.2.3 The Control Panel
    5.2.4 Access Control Server
  5.3 Physical Access Control System Data Formats
  5.4 Operational Range
  5.5 Security Considerations
    5.5.1 Card Security
    5.5.2 Data Protection
    5.5.3 Card and Data Authentication
    5.5.4 Card to Card Reader Communications
    5.5.5 Card Reader to Control Panel Communications
  5.6 Recent Trends in System Architectures
6 Logical Access
  6.1 Overview of Logical Access Authentication Technologies
    6.1.1 Passwords
    6.1.2 Biometrics
    6.1.3 Public Key Cryptography
    6.1.4 Soft Tokens
    6.1.5 Smart Card Technology
  6.2 Drivers for Smart Card Technology for Logical Access
    6.2.1 Strong Authentication Support
    6.2.2 Enhanced Security and Convenience for Users
    6.2.3 Enhanced Protection against Identity Fraud
    6.2.4 Standards-Based Application Coverage
    6.2.5 Ease of Integration
    6.2.6 Ease of Deployment
    6.2.7 Multi-Purpose Functionality
  6.3 The National Strategy for Trusted Identities in Cyberspace: A Key U.S. Initiative Driving Stronger Authentication Technologies
    6.3.1 Smart Cards and NSTIC
7 Smart Cards and Biometrics
  7.1 Biometric System Components and Process
  7.2 Selecting a Biometric Technology
  7.3 The Role of Smart Cards with Biometrics
    7.3.1 Example Programs Combining Smart Cards and Biometrics
    7.3.2 Key Considerations for Implementing Combined Smart Card / Biometric Systems
    7.3.3 Benefits of Combining Smart Cards and Biometrics in a Secure ID System
8 Identity, Security and Access Control Application Examples
  8.1 National ID Programs
    8.1.1 eID in Europe and the European Citizen Card
  8.2 Corporate ID Badge Use Case
  8.3 Healthcare ID Use Cases
    8.3.1 Sesam Vitale Health Card, France
    8.3.2 German Health Card
    8.3.3 Smart Health Cards in the United States
    8.3.4 Taiwan Smart Health Card
    8.3.5 Smart Health Cards: Use and Benefits for Patients
    8.3.6 Smart Health Cards: Use and Benefits for Hospitals
  8.4 International Driver's License
  8.5 U.S. Federal Government Use Cases
    8.5.1 FIPS Personal Identity Verification Card
    8.5.2 Department of Defense Common Access Card
    8.5.3 Transportation Worker Identification Credential
    8.5.4 First Responder Authentication Credential
  8.6 Machine-to-Machine Applications
  8.7 Pay TV
9 Privacy
  9.1 Defining Privacy in an Information Context
    9.1.1 Privacy Parameters
    9.1.2 Security Parameters
    9.1.3 ID System Design and Implementation Goals
  9.2 Smart Cards and Privacy Protection
  9.3 Practical Guidelines for Privacy Protection in Smart Card-Based ID Systems
    9.3.1 Business Practice Guidelines
    9.3.2 System Design Considerations and Guidelines
10 Relevant Standards and Specifications
  10.1 Standards Relevant to Smart Card Physical Characteristics
  10.2 Standards Relevant to Technologies Which Could Be Found on a Smart Card
  10.3 Standards and Specifications Relevant to Technologies Related to the Card Interface
  10.4 Standards and Specifications Relevant to the Card Commands and Application Data Structures
  10.5 Standards and Specifications Relevant to Security or Cryptography
  10.6 Standards and Specifications Relevant to Issuers or Specific Industry Sectors
  10.7 Other Standards Related to Smart Cards or Their Software Clients
  10.8 Primary U.S. Standards and Specifications Related to Smart Cards
    Federal Information Processing Standards (FIPS)
    Biometrics Standards
  10.9 Other Standards and Specifications That Relate to Smart Card-Based Applications
11 References
12 Acknowledgements

1 Introduction

Both government and commercial organizations are implementing secure identification (ID) systems to improve confidence in verifying the identity of individuals seeking access to physical or virtual locations, with smart cards a fundamental component to ensure the security and privacy of information and transactions. This module describes how smart cards are used in identity, security and access control applications.

After reviewing this module, CSCIP applicants should be able to answer the following questions:
- What are weaknesses in many identification systems? How do smart cards improve the privacy and security of identification systems?
- What forms of smart cards are used for identity and security applications?
- How is smart card technology used in electronic passports and what security features does it enable?
- What are the components of a physical access control system (PACS) and how are smart cards used in a PACS?
- What authentication technologies are used for logical access? What are logical access applications? What are drivers for smart card technology for logical access? How are digital certificates used with smart cards in logical access applications?
- What are biometrics? How are biometrics and smart cards used together in identification systems?
- What are example use cases for smart cards as identity cards? What applications are typically implemented and what benefits do smart cards bring?
- What must be done to design privacy into an identification system? How can smart cards help? What are best practices for privacy-sensitive identification system design?

2 Smart Card Drivers and Benefits for Identity and Security Applications [1]

Identification systems are needed by both public and private organizations. ID systems may operate completely within a single organization (an employee ID), span multiple organizations (across Federal agencies and contractors, between businesses and their customers), or extend out to the general population. Smart cards play an important role in strengthening the security of identification systems and protecting the privacy of the information stored and used in the identification system. This section describes the vulnerabilities of ID systems, the steps that organizations need to take to improve ID system security and the role of smart cards in these systems.

Examples of secure identification systems using smart cards today are:
- Bank, hospital and corporate employee ID cards, to authenticate employees and partners and protect networks and computer systems.
- U.S. and NATO defense department ID cards, to protect soldiers' identities and computer networks.
- U.S. federal government employee and contractor ID cards, to authenticate employee identities when accessing physical facilities, computers or networks.
- Electronic passports worldwide, to authenticate citizen identities and provide a more secure identity document.
- National ID cards in a number of countries, to authenticate citizens accessing government services.
- Healthcare ID cards (e.g., Gesundheitskarte, Germany; Sesam Vitale, France), to authenticate patient and provider identities and securely store and manage personal health information.

2.1 How Today's Identification Systems Can Fail

Today, nearly everybody carries multiple identification cards (IDs), issued by multiple public and private organizations. Such IDs include driver's licenses, membership cards, credit cards, and corporate identification badges. The primary purpose of an ID is to identify the holder as having particular rights, privileges, and responsibilities. IDs verify a person's identity, both to the system that issued the ID (for example, a driver's license verifies the license-holder's right to operate a motor vehicle) and to other systems that do not issue their own IDs (for example, in the United States, a driver's license verifies the identity of someone trying to board an aircraft).

Systems that issue IDs are typically one of two types:
- Systems that interface with citizens and country residents, such as a driver's license system, citizen entitlement system, or passport system. Such systems are citizen-facing systems.
- Systems that interface with employees or customers, such as an employee badge system, human resource benefits system, or online banking system. Such systems are employee- or customer-facing systems.

Regardless of type, many of today's identification systems are vulnerable. They often use tamper-prone credentials or easily compromised passwords, and limited initial identity verification processes that are insufficient to stand up against the sophistication of modern identity thieves. To be secure, identification systems must meet multiple challenges.

[1] Smart Card Alliance, Secure Identification Systems: Building a Chain of Trust, March

2.2 What Makes an Identification System Secure

A secure ID system is designed to address one primary requirement: verify that an individual is who the individual claims to be and has the attributes (privileges) the individual claims to have. When properly designed, secure ID systems implement a chain of trust, assuring everyone involved that the individual presenting an ID card is the person who owns the credentials on the ID and that the credentials are valid. (The term credential refers to information stored on the card that represents the individual's identity document and privileges.) A secure ID system can provide individuals with trusted credentials that are used for a wide range of applications, from enabling access to facilities or networks to proving entitlement for services to conducting online transactions.

Secure ID system design requires a set of decisions that select and implement policies, procedures, architecture, technology, and staff. The design must implement the desired level of security and the appropriate chain of trust, starting with a secure identity vetting and enrollment process and including an authentication process incorporating appropriate security measures and technologies to deter impersonation and counterfeiting and assure the privacy of the credentials on the ID.

Critical to any secure ID system is the ID card or device [2]. The ID card is used as a portable, trusted and verifiable representation of an individual's identity and rights and privileges within the ID system. For an ID card to meet these requirements, the ID system must assure that a legitimate authority issued the ID, that the ID and the credential it carries are not counterfeit or altered, that the person carrying the ID matches the individual who enrolled in the ID system, and that the same individual is not enrolled twice in the same system under different identities.

The design of a secure ID system must include the following:
- A secure enrollment process [3] that establishes each individual's identity and determines that the person is entitled to the privileges that are being granted
- Procedures for securely issuing ID cards and ensuring that IDs are issued only by authorized issuing organizations, with a secure auditable process, and only to the correct person
- An ID card that includes both physical and logical security authentication features. Examples of physical security features include secure printing, color-changing inks, holograms and laser laminates. Examples of logical security features include a user PIN, device authentication and certificate-based authentication (certification of origin and integrity).
- Policies and procedures for monitoring the use of the ID
- Procedures for ID life-cycle management
- Training for users and issuers
- Policies, procedures and technologies that protect access to the information in the system about ID holders
- Security controls that provide only authorized viewers with access to information on the ID
- An authentication process that implements the defined chain of trust, verifying the identity of ID holders and the legitimacy of the ID cards and their credentials

Combining match-on-card biometrics with smart IDs can also be used to verify the cardholder at every use, to ensure the user of the identity credential is indeed the person to whom it was issued.

Table 1 lists the components required by most secure ID systems and provides examples of the types of decisions that must be made to select each component.

[2] This document refers to the physical ID device as an ID or ID card. While the most prevalent form factor for an ID is a plastic card that incorporates other technologies (e.g., chip, barcode, magnetic stripe), smart card technology enables other form factors as well (e.g., USB token, SIM, ePassport).
[3] This process will vary depending on the ID system being implemented.

Table 1. Secure ID System Components

Component: Trusted Issuing Authority
Key design decisions:
- What trust model organizations participating in the ID system should adopt
- What types of digital credentials to use and what security algorithms to implement
- Whether to use a commercial trusted authority to create, protect, and distribute certificates, or create certificates in house in a protected environment
- What the key management processes are

Component: Network and Infrastructure
Key design decisions:
- Whether communications should be distributed or centralized
- How to implement trusted channels
- How to design secured environments
- How to issue credentials: locally, regionally, or centrally
- How to protect individuals' privacy and safeguard their personal information
- How to distribute trusted materials
- How to control and manage system access

Component: Enrollment Stations
Key design decisions:
- The environment and location of enrollment stations
- What method to adopt for operator self-authentication
- What method to adopt for verifying the credential applicant's identity
- How stations should interact with the network

Component: Issuance Process
Key design decisions:
- What the ID personalization process should be
- How to be sure the distribution process complies with the defined security policy
- How to implement ID inventory physical security
- How to audit ID cards
- How to implement data security
- What the life-cycle management process should be

Component: ID Credential / Card
Key design decisions:
- What types of applications to support, now and in the future
- What the ID card will look like, what information should be on it, whether anti-counterfeiting and anti-tampering features are needed, whether a photo or other biometric is needed
- How often the ID should be used and under what conditions
- The type of ID technology
- The security certification level

Component: Cryptography
Key design decisions:
- Which encryption technology to select
- Whether to implement symmetric or asymmetric keys
- How many keys to issue and what key space size is desirable

Component: Biometrics
Key design decisions:
- Whether to use biometrics (e.g., fingerprint, facial, iris scan)
- What algorithm to use to process biometric information
- How many biometric measurements to store and where to store them
- Under what conditions to use biometrics

Component: ID Readers
Key design decisions:
- Location, number, and architecture of ID readers and how to protect them
- Design and appearance of the readers
- How the ID should authenticate the readers
- How to manage security features and security certification level
- How to implement secure communication with the network
- What processes to use to manufacture readers

2.3 Smart Card Benefits for Identification Systems

Smart card technology can strengthen the security and privacy of an ID system. Smart cards can act as the individual's ID card and allow secure access to information and services in both online and offline system designs. With the ability to store, protect and modify information written to the on-card electronic device (i.e., chip), smart cards offer unmatched flexibility and options for information sharing and transfer, while providing the unique ability to incorporate privacy-sensitive features.

2.3.1 Support for Physical and Digital Identity

Smart cards provide the unique capability to easily combine identification and authentication in both the physical and digital worlds. This can generate significant savings, as the smart card-based ID card can be used not only to allow physical access to facilities and services, but also to allow individuals to access secure networks.

2.3.2 Authenticated and Authorized Information Access

The information required to identify an individual typically depends on the individual's role in the situation. For example, some situations may only require proof that the individual is older than a certain age (e.g., 21) and not information about where the individual lives. An identification document that includes multiple types of information may provide more information than is needed for a particular transaction. The smart card's ability to process information and react to its environment gives it a unique advantage in providing authenticated information access. A smart card is able to release only the information required and only when it is required. Unlike other forms of identification (such as a passive printed driver's license), a smart card does not expose all of an individual's personal information (including potentially irrelevant information) when it is presented.

2.3.3 Strong ID Card Security

When compared with other tamper-resistant ID cards, smart cards represent the best compromise between security and cost. When used with other technologies such as public key cryptography and biometrics, smart cards are extremely difficult to duplicate or forge, and data stored in the chip cannot be modified without proper authorization (a PIN, biometric authentication or cryptographic access key). Smart cards can also help to deter counterfeiting and thwart tampering. Smart cards include a variety of hardware and software capabilities that detect and react to tampering attempts and help counter possible attacks. Where smart ID cards will also be used for manual identity verification, visual security features can be added to the smart card body.

2.3.4 ID Credential Security

Protecting the privacy, authenticity, and integrity of the data encoded on an ID as credentials is a primary requirement for a secure ID system. Sensitive data is typically encrypted, both on the smart ID card and during communications with the external reader. Digital signatures can be used to ensure data integrity, with multiple signatures required if different authorities create the data. To ensure privacy, applications and data on the card must be designed to prevent unintended information sharing between applications.

2.3.5 System Component Authentication

For the most robust security and privacy, the secure ID system may require that system components authenticate the legitimacy of other components during the identity verification process. The smart ID card can verify that the card reader is authentic, and the card reader in turn can authenticate the smart ID card. The smart ID card can also ensure that the requesting system has established the right to access the information being requested.

2.3.6 Smart Card Support for Privacy Requirements

The use of smart cards strengthens the ability of a system to protect individual privacy. Unlike other identification technologies, smart cards can implement a personal firewall for an individual, releasing only the information required and only when it is required. The card's unique ability to verify the authority of the information requestor and its strong card and data security make it an excellent guardian of the cardholder's personal information. By allowing authorized, authenticated access only to the information required by a transaction, a smart card-based ID system can protect an individual's privacy while ensuring that the individual is properly identified. (Section 9 describes privacy requirements in more detail.)

2.3.7 Smart Card Support for Strong Authentication

More and more organizations today are looking for stronger authentication solutions beyond usernames and passwords to validate that the users accessing systems are who they say they are. Smart cards are used to enable multi-factor authentication, incorporating something that you have (the smart card), something that you know (typically a personal identification number (PIN) that activates the card's cryptographic functions), and something you are (a biometric). Smart card-based strong authentication not only improves the overall security of the IT infrastructure but also reduces costs associated with password management.

2.3.8 Smart Cards and Biometrics

Secure ID systems that require a high degree of security and privacy are increasingly implementing both smart card and biometric technology. Smart cards and biometrics are a natural fit to provide two- or multi-factor authentication. A smart card is the logical storage medium for biometric information. During the enrollment process, the biometric template can be stored on the smart card chip for later verification. Only the authorized user with a biometric matching the stored enrollment template receives access and privileges. (Section 7 describes biometrics in more detail.)

2.3.9 Enhanced Business Case with Multiple Applications

Using smart cards enables an identification system to include multiple applications. By taking advantage of the smart card chip's capabilities, organizations can enhance the business case for implementing a new identification system and increase the ability of that system to handle future needs. Examples of applications included on a smart card-based ID card include:
- Physical access control
- Logical access control (e.g., for securely accessing computers and networks)
- Payment (e.g., electronic purse or open credit/debit payment)
- Secure data storage (e.g., healthcare information, financial account information, biometric template)
- Privilege management (e.g., electronic benefits, citizenship status, healthcare insurance)

2.3.10 Enhanced Convenience for Users

A smart card-based ID card can provide enhanced convenience for users. A single corporate or government ID badge can be used for both physical access to facilities and logical access to computers and networks. Smart card-based strong authentication can simplify computer logon for users, eliminating the need to remember multiple, complex passwords. The same smart ID card can support a variety of applications that secure communications and transactions, for example Windows logon, document encryption, electronic signatures, VPN access and secure wireless network access.

2.3.11 Ease of Integration and Deployment in Information Technology Systems

Management tools and deployment methods are available that facilitate large deployments of smart cards. Card management systems integrated into an organization's directory or procurement system provide the functionality needed to deploy and manage smart cards and their credentials. Reader drivers and smart card middleware are mature and easily deployed throughout an organization, supporting the major operating system platforms.
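The card-side behaviour described above (authenticated and authorized information access, signed credential data, component authentication, the personal firewall, and a PIN that activates the card's cryptographic functions) is easier to reason about as code. The following is an added example written for this edit, not code from the Smart Card Alliance module or from any card vendor: a simulated card applet that authenticates the reader by challenge-response, gates its functions behind a PIN with a retry counter, releases only the intersection of what a reader asks for and what the disclosure policy permits, derives an age predicate on-card so the date of birth never leaves the chip, and keeps each data group under the signature of the authority that created it. HMAC-SHA256 with pre-shared keys is assumed as a stand-in for the asymmetric signatures and certificates a real card would use; all key material, reader identities, the policy table and the cardholder record are constructed demo values.

```python
# Added example, not code from the Smart Card Alliance module: a simulated
# card-side applet. Assumption: HMAC-SHA256 with pre-shared keys stands in for
# the asymmetric signatures and certificates a real card uses; every key and
# cardholder value below is a constructed demo value.
import hashlib
import hmac
import json
import secrets
from datetime import date

AUTHORITY_KEYS = {             # one key per authority that personalizes a data group
    "identity": b"demo-identity-authority-key",
    "health": b"demo-health-insurer-key",
}
READER_KEYS = {                # per-reader secrets the card can check
    "bar-terminal": b"demo-reader-key-bar",
    "hospital-kiosk": b"demo-reader-key-hospital",
}
# Disclosure policy: the attributes each authenticated reader may receive.
# "over_21" is a predicate derived on-card, so a bar never sees the date of birth.
DISCLOSURE_POLICY = {
    "bar-terminal": {"over_21", "photo_hash"},
    "hospital-kiosk": {"name", "insurance_id", "blood_type"},
}
SAMPLE_GROUPS = {              # constructed sample cardholder, not a real person
    "identity": {"name": "A. Holder", "date_of_birth": "1990-05-01",
                 "address": "1 Example St", "photo_hash": "ab12"},
    "health": {"insurance_id": "INS-0001", "blood_type": "O+"},
}

def _canon(obj) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_group(authority: str, group: dict) -> str:
    return hmac.new(AUTHORITY_KEYS[authority], _canon(group), hashlib.sha256).hexdigest()

def verify_group(authority: str, group: dict, sig: str) -> bool:
    """Per-data-group integrity check a verifier runs; fails on any altered field."""
    return hmac.compare_digest(sign_group(authority, group), sig)

def reader_response(reader_id: str, nonce: bytes, key: bytes = None) -> bytes:
    """Reader side of the challenge-response: HMAC(reader key, nonce || reader id)."""
    key = key if key is not None else READER_KEYS[reader_id]
    return hmac.new(key, nonce + reader_id.encode(), hashlib.sha256).digest()

class SmartIDCard:
    """Card state machine: challenge -> reader authentication -> PIN -> read."""
    MAX_PIN_TRIES = 3

    def __init__(self, groups: dict, pin: str):
        self.groups = groups
        self.sigs = {n: sign_group(n, g) for n, g in groups.items()}  # written at personalization
        self._pin_hash = hashlib.sha256(pin.encode()).digest()        # toy; real cards keep the PIN in secure memory
        self.pin_tries_left = self.MAX_PIN_TRIES
        self.pin_verified = False
        self.reader = None
        self._nonce = None

    def get_challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def authenticate_reader(self, reader_id: str, response: bytes) -> bool:
        if self._nonce is None or reader_id not in READER_KEYS:
            return False
        expected = reader_response(reader_id, self._nonce)
        self._nonce = None                    # single use: a captured response cannot be replayed
        if hmac.compare_digest(expected, response):
            self.reader = reader_id
            return True
        return False

    def verify_pin(self, pin: str) -> bool:
        if self.pin_tries_left == 0:
            return False                      # blocked until the issuer's unblock procedure
        if hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self.pin_verified, self.pin_tries_left = True, self.MAX_PIN_TRIES
            return True
        self.pin_tries_left -= 1
        return False

    def read(self, requested: set, today: date) -> dict:
        """Release only the intersection of what was asked for and what this reader may see."""
        if self.reader is None:
            raise PermissionError("reader not authenticated")
        if not self.pin_verified:
            raise PermissionError("cardholder PIN not verified")
        flat = {k: v for g in self.groups.values() for k, v in g.items()}
        dob = date.fromisoformat(flat["date_of_birth"])
        flat["over_21"] = (today.year - dob.year
                           - ((today.month, today.day) < (dob.month, dob.day))) >= 21
        return {k: flat[k] for k in requested if k in DISCLOSURE_POLICY[self.reader]}

def run_transaction(reader_id, pin, requested, today_iso="2015-06-01", reader_key=None):
    """Whole exchange against a freshly personalized card; returns (reader_ok, pin_ok, released)."""
    card = SmartIDCard(SAMPLE_GROUPS, pin="1234")
    nonce = card.get_challenge()
    reader_ok = card.authenticate_reader(reader_id, reader_response(reader_id, nonce, reader_key))
    pin_ok = card.verify_pin(pin)
    try:
        released = card.read(requested, date.fromisoformat(today_iso))
    except PermissionError as exc:
        released = str(exc)
    return reader_ok, pin_ok, released
```

Calling run_transaction("bar-terminal", "1234", {"over_21", "address", "date_of_birth"}) returns only {"over_21": True}: the address and date of birth were requested but are outside the bar terminal's policy, which is the personal-firewall behaviour in prose form. A reader that cannot answer the challenge with the right key gets nothing, a wrong PIN gets nothing, and three wrong PINs block the card until unblocked. The per-group signatures mean a tampered health record fails verify_group while the identity group, signed by a different authority, still verifies.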

2.3.12 Improved Life Cycle Management

Information and applications stored electronically on a smart card can be updated by authorized entities even after the card has been issued. This improves manageability and reduces the cost of an ID system, since new cards do not have to be issued to update data on the card or support new applications.

2.3.13 Flexible Support for Migration Using Multiple Technologies

ID cards may be composed of many different elements, each specific to a particular use, such as: printed cardholder photo and name; barcode, magnetic stripe, contactless chip, contact chip, optical stripe; embossing, security markings [4], signature panel, issuing authority information. The use of a multi-technology smart ID card can be part of a migration strategy for an organization or the solution itself. The combination of a small number of compatible ID technologies into a single smart card is easier and can be more cost-effective than combining many technologies. While multi-technology cards may provide solutions for accommodating legacy systems, organizations must carefully consider the added complexity of implementing and maintaining multiple technologies and whether the combination desired is possible or practical to implement.

2.3.14 Support for Multiple Form Factors

Smart card technology is available in multiple form factors, so that the appropriate form can be selected for the function. Form factors include: plastic cards, mini-cards and tags, stickers, USB tokens, key fobs, watches and mobile phones.

2.3.15 Interoperable, Standards-Based Technology

Smart cards are based on proven, robust industry standards, with an increasing number of standards also specifying how smart cards are used with applications. Standards-based solutions deliver a number of important benefits:
- Standardization fosters interoperability.
- Standardization simplifies implementation by driving the industry to develop products, applications, processes, and practices that meet the standard and are interoperable.
- Standardization provides enterprises with a greater variety of products at a lower cost.

2.4 Summary

Smart cards are a vital and visible link in the chain of trust for secure ID systems. They serve as the issuer's agent of trust and deliver unique capabilities to securely and accurately verify the identity of the cardholder, authenticate the ID credential, and serve the credential to the ID system. Table 2 shows how smart cards help address the issues and challenges that cause vulnerabilities in today's ID systems.

[4] Security markings can be used to deter tampering and counterfeiting. Technologies such as ornamental borders, microtext, ultraviolet text, holograms, kinegrams, multiple laser images and laser engraving are some examples. Although adding to printing costs, security markings may be required if tampering or counterfeiting is a real or perceived threat.

Table 2. Smart Cards and ID System Challenges

Issue or challenge: Inadequate security and privacy
How smart cards help: Smart cards strengthen the ID system's ability to protect individual privacy and secure personal information, providing authenticated and authorized information access, implementing a personal firewall for an individual, and providing secure on-card storage of private information. Smart cards provide strong ID card security. Smart cards are extremely difficult to duplicate or forge, and data in the chip cannot be modified without proper authorization. Smart cards increase the security and accuracy of identity authentication processes. Smart cards used for logical access can store passwords, PINs and/or certificates securely and support single sign-on capabilities, improving enterprise logical security and simplifying identity management.

Issue or challenge: Identity not sufficiently verified
How smart cards help: Smart cards strengthen the security of identity authentication processes. Smart cards provide a secure, convenient, and cost-effective technology that can store additional authentication factors (biometric, PIN, password, certificates) to more accurately verify that the cardholder is the individual authorized to use the ID. Smart cards provide strong ID card security, supporting features that deter counterfeiting and thwart tampering.

Issue or challenge: Difficult credential management
How smart cards help: A single smart ID card used for logical access can store passwords, PINs, and/or certificates securely and support single sign-on capabilities. A single smart ID card can support multiple applications, simplifying the identification process for security staff, ID system administrators, and individuals. The use of smart ID cards for logical access simplifies users' access to systems and provides for more straightforward management of logical access applications. Information and applications stored on a smart card can be updated even after the card has been issued. This improves manageability and reduces the cost of an ID system, since new cards do not have to be issued to update data on the card or support new applications.

Issue or challenge: Multiple credentials
How smart cards help: A single smart ID card can support multiple applications, replacing multiple, hard-to-manage ID cards and implementing more straightforward logical access applications.

Issue or challenge: Proprietary and inflexible ID system
How smart cards help: Smart card technology is based on mature standards. Cards complying with these standards are developed commercially and have an established market presence. Multiple vendors are capable of supplying the standards-based components necessary to implement a smart card-based secure ID system, providing buyers with interoperable equipment and technology at a competitive cost.

Issue or challenge: Physical and logical convergence
How smart cards help: Smart cards support multiple applications, including both physical and logical access. Both contactless and contact smart card technologies can be used for access control applications.

Issue or challenge: Usability problems
How smart cards help: Smart cards supporting multiple applications on a single ID card provide improved user convenience. Smart cards provide a convenient method for storing user information (e.g., password, biometric), making the authentication process easier and more convenient for the user.

Issue or challenge: Little or no apparent ROI
How smart cards help: The ability of smart cards to support multiple applications is a real advantage. The return on investment becomes more attractive when the ID system provides multiple benefits, either to multiple groups within an organization or across organizations. A multiple technology smart card can ensure that a new ID system is interoperable with legacy systems and can provide a cost-effective migration path to new ID system technology.

3 Identity Cards and Tokens

Smart cards are widely acknowledged as one of the most secure and reliable forms of electronic identity cards for storing electronic identification and related data. However, the term "smart card" is something of a misnomer. While the plastic card was the initial smart card form factor, the smart chip technology that provides the capabilities and functionality used by identity and security applications is now available in a wide variety of form factors, including plastic cards, key fobs, subscriber identification modules (SIMs) used in GSM mobile phones, watches, electronic passports and USB-based tokens. Currently, the most widely used forms of smart card technology for identity and security applications are cards, USB-based tokens, standalone one-time-password (OTP) tokens and the epassport (discussed in Section 4). Mobile devices with embedded smart card technology are expected to have a growing role for mobile identity applications (discussed in Section 3.4).

3.1 Identity Cards

The most common form factor for a smart identity card is the plastic card. The smart ID card conforms to ISO/IEC 7810, ISO/IEC 7816 and ISO/IEC. In the card form factor, smart card technology can also be used in a multi-function smart ID badge, providing a visual ID card as well as enabling automated, authenticated physical and logical access. The same physical smart ID card can contain multiple ID technologies, including the embedded chip, visual security markings, a printed photograph, printed bar code, magnetic stripe and/or optical stripe. Thus, a single card can be compatible with many forms of existing infrastructure. Figure 1 illustrates components on a typical smart ID card.

Figure 1. Smart ID Card Example (callouts: sub-surface chip and antenna used for contactless applications; digital photo (visual biometric); plastic card body, typically with security printing and features to verify card authenticity; smart card secure microcontroller chip for secure data storage, digital credential processing, on-card match of biometrics, logical access and other applications; organization name and logo; multiple technology card for compatibility with legacy systems)

Where smart ID cards will also be used for manual identity verification, security features can also be added to the smart card body, such as unique fonts, ink color and multicolor arrangements, micro printing, high quality ultraviolet ink on the front and rear, ghost imaging (a secondary photograph of the holder in an alternative location on the card), and multiple-layered holograms, including three-dimensional images. 5 The following describes common security printing features and devices.

5 State-wide Grand Jury Report: Identity Theft in Florida, November

3.1.1 Security Printing Features

Printing Security Levels

There are three levels of printing security that should be considered.

Level 1: Level 1 security features are designed to easily identify a credential with little or no training and without tools. A few examples are holograms, watermarks, and color-shifting inks. Very simple to use and easy to see, these methods are common and easy to validate.

Level 2: Level 2 security features are not visible to the naked eye. Authentication of Level 2 security printing requires some training and simple tools. A few examples are fluorescent inks and micro printing. Commonly used by airport screening staff, these methods require simple tools such as a magnifying glass and an ultraviolet light, and are familiar to most people. Another example is micro-printing with font mismatch and misspelled words. Level 2 methods are difficult to duplicate and simple to authenticate by trained staff.

Level 3: Level 3 security features require special training and equipment. Sometimes these are created by the issuer and distributed to a qualified and cleared printing service. A few examples include special material, special ink and specialized printing equipment not available on the public market.

Lithographic Printing

Lithographic printing allows for very detailed design work and intricate patterns to be precisely duplicated from card to card. This technique can be performed to yield two different effects:

Line Color - The printing of one or more specific custom matched inks. The Pantone Matching System can be used for specific color requests.

Process Printing - The printing from a series of two or more half-tone plates to produce intermediate colors and shades. In four-color process printing, the plates are yellow, magenta, cyan, and black.

Micro-Printing

Lithographic micro-printing consists of printed copy in sizes so small that it can only be detected under magnification. To the naked eye, the copy line appears as a solid line in the graphic design. This technique can be used as an enhanced security feature and can assist with fraud prevention. Copying will cause the line of type to become a solid rule. This feature can be found on driver's license credentials, bank cards, and currency and can be applied in custom lithographic ink(s). It can be used to outline a logo or photograph and appears as only an outline until greater magnification is applied. Batch codes can also be built into this feature for further identification and controls. Intentional misspellings are often used to validate an authentic credential.

Figure 2. Micro Printing

Fine Line Guilloche Background Printing

Lithographic ink(s) are printed in a very fine, intricate surface pattern of curvilinear fine lines that cross each other in a complex fashion. They are often repeated over the face and back of the identification credential. The shape of the lines is determined by a mathematical formula. The various elements include protective grids, rosettes, borders, vignettes, and corners. A guilloche pattern can be either symmetric or asymmetric. The composition of a fine line guilloche background includes a multi-color pattern to enhance the design. These printed fine line surface elements make reproduction very difficult due to the very fine line width and alternating curve. This feature can often be found on bank cards and currency and can be applied in custom lithographic ink(s).

Figure 3. Fine Line Guilloche Pattern

Altered Font

The altered font feature can be used to change or alter a font size or style as a covert security feature. Slight modifications of text characters are obvious only to those who are trained to look for them. This feature would be applied during the lithographic printing run and would need to be presented during the artwork creation. The proof prepared for content and text confirmation would include this subtle change in copy.

Full Color Ultraviolet

Ultraviolet (UV) fluorescent inks can be printed during card body production as a security feature and detected only under ultraviolet light. There are two full color UV inks currently available (red and blue). This feature is easy to authenticate with a proper ultraviolet light source and is undetectable under normal light conditions. The UV fluorescent effect is impossible to photocopy or digitally recreate.

Figure 4. Ultraviolet Features

Security Devices

Several security devices can be added to the card in addition to the optically variable ink (OVI) that is part of credential specifications. Holograms and Kinegrams can be developed to provide additional security. These features can also be added to the overlaminate applied during the personalization process.

Kinegram

A Kinegram (trade name) is an optically variable device which can be used to secure the identification credential. The device can be obtained in a metallic, partially metallic, or transparent version. The device has image movement in the surface appearance and can have multiple designs incorporated in one Kinegram.

Figure 5. Kinegram

Hologram

The hologram is an element with a pattern produced on a photosensitive medium that has been exposed by holography and then photographically developed. Bright eye-catching motion, colors, and depth are the key features of a hologram, and it can be customized to include a specific design or logo. The hologram is applied by heat transfer and can contain multiple anticounterfeiting features and technologies.

Figure 6. Hologram

3.2 USB Tokens

Smart card technology is built into USB-based tokens that provide a portable authentication device that can be used with any computer with a USB port, i.e., without a dedicated smart card reader. USB-based tokens can be used for any logical access application that a smart card can be used for: secure data, password and PKI credential storage, encryption/decryption, and support for multi-factor access to the Internet, VPNs, computers or wireless networks. Smart card-based USB tokens can generate one-time passwords (OTP) and support digital signatures for transactions, documents and secure

USB-based tokens provide a portable, easy-to-use and secure authentication device for logical access applications. Smart card-based USB tokens may be designed with a SIM to provide field-serviceability. Figure 7 shows examples of smart-card-based USB tokens.

Figure 7. Examples of Smart Card USB Tokens 6

3.3 One-Time Password Tokens

OTP tokens are used for portable, secure logon, generating a new one-time password every time a user remotely logs into a network. The user typically generates an OTP by pressing a button on the token, which then displays a new dynamic password. OTP tokens may or may not be smart card-based. With smart card technology, OTP tokens provide secure data storage and cryptographic computations. Smart cards can also be used to generate OTPs using portable readers with a smart ID card. Figure 8 shows examples of smart-card-based OTP tokens and smart-card-enabled OTP readers.

Figure 8. OTP Tokens and Readers 7

6 Images provided courtesy of ActivIdentity, Gemalto, HID Global and SCM Microsystems.

While many OTP tokens are based on proprietary algorithms, the Initiative for Open Authentication (OATH) has been working with the Internet Engineering Task Force (IETF) to develop open standards. One standard has been published, HOTP: An HMAC-Based OTP Algorithm (IETF RFC 4226), with several other authentication methods and provisioning specifications now being discussed as IETF drafts.

3.4 Mobile Devices and Identity Authentication and Access Control Applications

The use of mobile devices for secure payment, identity and access applications is an emerging market. The identity and access control applications may use Near Field Communication (NFC) technology, the secure element, or other mobile device functionality. Example identity authentication and access control applications using mobile devices may include:

- Storing identity credentials on a mobile device and using them for logon, digital signatures and encryption in secure mobile browser sessions.
- Generating and/or receiving one-time passwords for use with logon to secure sites.
- Storing identity credentials on an NFC-enabled mobile device and using the credentials for physical access. For example, in 2011, HID Global conducted a pilot with Arizona State University in which digital credentials were stored on NFC smartphones and then used for physical access to pilot participants' residence halls and other selected rooms. 8
- Storing identity credentials on an NFC-enabled mobile device and using the credentials for secure logon. For example, the Canadian government has a project to allow citizens to use contactless bank cards and contactless/NFC-enabled USB devices to access online government services; this would be equally relevant to NFC-enabled mobile phones. 9
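The HOTP algorithm (RFC 4226) named under One-Time Password Tokens, worked through as an added example that is not code from this module or from OATH: the token-side computation using the test secret published in the RFC, and a server-side verifier that follows the RFC's section 7 guidance on a look-ahead resynchronisation window and throttling of failed attempts. The verifier class, its window size and lockout threshold are assumptions for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter step.

    HMAC-SHA-1 is computed over the 8-byte big-endian counter, four bytes are
    picked by dynamic truncation (offset = low nibble of the last MAC byte),
    the top bit is masked off, and the result is reduced modulo 10^digits.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side of an event-based OTP token (hypothetical helper, not part
    of RFC 4226): tracks the counter the server expects next, accepts a value
    only from a small look-ahead window (a token whose button was pressed
    without a logon can still resynchronise), never accepts the same or an
    earlier counter twice (replay), and locks after repeated failures."""

    def __init__(self, secret: bytes, window: int = 5, max_failures: int = 5):
        self.secret = secret
        self.counter = 0            # next counter value the server expects
        self.window = window
        self.failures = 0
        self.max_failures = max_failures

    def verify(self, candidate: str) -> bool:
        if self.failures >= self.max_failures:
            return False            # throttled until an administrator resets it
        for step in range(self.window + 1):
            value = hotp(self.secret, self.counter + step)
            if hmac.compare_digest(value, candidate):
                self.counter += step + 1   # move past the accepted counter
                self.failures = 0
                return True
        self.failures += 1
        return False


# Test secret from RFC 4226 Appendix D (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"
```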
In addition, NIST is evaluating how to use mobile devices with the FIPS Personal Identity Verification (PIV) credential for identity authentication and access control and the PIV derived credential defined in SP. Three approaches being considered are: the use of hardware that would connect the PIV card physically to the mobile device; the use of NFC in the mobile device and a secure channel to read the PIV card and use the PIV card's credentials for authentication and other tasks; and the generation of a derived credential that would be stored in the mobile device's secure element and then used for authentication. Additional information on FIPS PIV cards can be found in Section. Additional information on NFC and the secure element can be found in CSCIP Module 4, Smart Card Usage Models: Mobile and NFC.

3.5 Standards for Identity Applications on Smart Cards

Organizations implementing standards-based identity programs typically use the international standards for smart card technology, ISO/IEC 7816 and ISO/IEC, and for the cryptography and biometric features that are used on the ID card. (See CSCIP Module 1, Section 10, Relevant Standards and Specifications, and CSCIP Module 2, Security, for additional information.) In addition, ISO/IEC is a multi-part standard aimed at achieving interoperability among various smart card systems. The goal is to provide the necessary interfaces and services to enable interoperability among divergent systems, with a particular focus on identification, authentication, and signature services, and removing the dependence on vendor-specific implementations. 10 ISO/IEC is a set of programming interfaces for interactions between integrated circuit cards and external applications, including generic services for multi-sector use. The organization and the operation of the ICC conform to ISO/IEC.

The standards used for the identity applications and data stored on the ID card, however, often vary by issuer or by industry. Examples include:

- The ICAO Doc 9303 standard, which defines the data model and technologies used with the contactless smart card chip in epassports. (See additional information in Section 4.)
- The FIPS and NIST SP PIV card standard, which defines the data model and technologies used for a secure smart identification card used by the U.S. Federal government. The U.S. Federal government's adoption of this standard and its expected use in many U.S. government and commercial markets is expected to further drive standards-based applications and simplify organization implementation of smart card-based systems. (See additional information in Section.)
- The Comité Européen de Normalisation CEN TS standard, which defines the logical data structure, the security and privacy mechanisms of the data, and the interface and communication protocols for the European Citizen Card (ECC). The ECC was developed to provide an interoperable and cross-border e-services solution. (See additional information in Section.)
- ISO/IEC 18013, which establishes the design format and data content of an ISO-compliant driving license (IDL) with regard to the human-readable (visual) features and the placement of ISO machine-readable technologies on the card.
- Healthcare card standards, including:
  - ANSI INCITS 284, which specifies physical characteristics, layout, data access techniques, data storage techniques, numbering system and registration procedures (but not security requirements) of health identification cards
  - ISO/IEC 13606, which specifies the communication of part or all of the electronic health record (EHR) of a single identified subject of care between EHR systems, or between EHR systems and a centralized EHR data repository
  - ISO/IEC 18307, which specifies interoperability and compatibility in messaging and communication standards for health informatics
  - ISO/IEC 21549, which specifies patient health card data.

7 Images provided courtesy of ActivIdentity and Gemalto.
8 HID Global Completes NFC Mobile Access Control Pilot at Arizona State University, HID Global press release, January 30, 2012, Mobile-Access-Control
9 Canadian banks to offer authentication backbone to government ID scheme, Finextra, November 7, 2011,
10 Source: NIST,

4 epassports 11

The electronic passport, or epassport, is the same as a traditional passport book with the addition of a small, embedded integrated circuit (i.e., smart card chip) and antenna. While the location of the contactless chip and its antenna is at the discretion of the issuing country, in many countries the chip is embedded in the epassport cover. The chip stores:

- The same data visually displayed on the data page of the passport;
- The passport holder's picture stored in digital form;
- The unique chip identification number;
- A digital signature to detect data alteration and verify signing authority;
- Additional data, as defined by specific issuing governments.

Standards for the epassport have been established by the International Civil Aviation Organization (ICAO) 12 and are followed by all countries implementing epassports. The ICAO is a United Nations agency that oversees international air travel. Its latest report shows not only that approximately 100 out of 193 U.N. member states are currently issuing epassports, but also that additional countries are set to issue epassports over the course of the next few years. 13 All epassports can be recognized by the internationally recognized symbol that is printed on the front cover. 14 This electronic passport symbol identifies the passport as an epassport. The symbol is also displayed at border crossing stations that have the capability to process epassports.

All epassports follow the common ICAO standard. However, countries implement epassport programs according to their specific policies and may implement different options specified in the standard. This results in differences among country implementations of epassports even though they all conform to the ICAO specification. This section provides an overview of epassport features and specifications.

4.1 epassport Features and Specifications

Contactless Chip

ICAO specifies that a contactless smart card chip conforming to ISO/IEC Type A or Type B be built into all epassports, with an operating system conforming to ISO/IEC and a read range of up to 10 centimeters. ICAO specifies that the data storage capacity of the chip be a minimum of 32 Kbytes to store the mandatory facial image, the duplicate MRZ data and the necessary elements to secure the data.

Biometrics

ICAO specifies the facial image as a mandatory biometric for all epassports. ICAO also states that a country may optionally elect to use fingerprint and/or iris biometrics in addition to the facial image. The original captured biometric images must be stored on the epassport integrated circuit to enable global interoperability.

11 epassport Frequently Asked Questions, Smart Card Alliance FAQ, March
12 Additional information can be found at
13 Myths about epassports: Part I, ICAO MRTD Report, Vol. 5, No. 1, 2010, page=24
14 The symbol is defined in the ICAO Doc 9303 Machine Readable Travel Document specification.
15 ICAO Doc 9303 Machine Readable Travel Documents, Part 1 Machine Readable Passports, Volume 2 Specifications for Electronically Enabled Passports with Biometric Identification Capability, Sixth Edition

4.1.3 Logical Data Structure

ICAO specifies a standardized logical data structure to enable global interoperability for electronically reading data stored in the epassport chip. The data structure includes both mandatory and optional data elements. Mandatory data elements include details recorded in the epassport's machine-readable zone (MRZ) and the encoded facial image. MRZ data includes: document type, issuing state or organization, name of epassport holder, document number, document number check digit, nationality, date of birth (DOB), DOB check digit, sex, expiration date, expiration date check digit, optional data, and composite check digit.

epassport Security Measures

Basic Access Control

Basic Access Control (BAC) is an optional feature defined in the ICAO epassport specification to protect the stored personal information from being read electronically without the consent of the epassport holder. While optional, BAC is now recommended by ICAO and is used by most issuing countries that are not already using Extended Access Control (EAC). Using BAC, in order to electronically unlock the epassport over the RF interface, it must be opened to allow the MRZ contained on the physical data page to be optically read and a derived activation code then presented via the RF interface to the epassport chip before the chip will communicate the passport information. BAC uses the printed machine readable zone (MRZ) information that is read by an optical reader to unlock the chip. Only then is a secure session initiated. During the secure session, communication between the epassport chip and the reader is encrypted, using a separate key that is unique for each session. The BAC mechanism was designed to ensure that the owner of an epassport can decide who can read the electronic contents of the epassport. The key used to unlock the epassport chip is extracted by optically reading the bottom of the epassport's printed page, called the MRZ.
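How the BAC access key is derived from the printed MRZ, as an added example that is neither this module's code nor ICAO's reference material: the Doc 9303 check-digit rule (so an OCR misread is caught before any key is computed), the "MRZ information" string of document number, birth date and expiry date with their check digits, and the SHA-1 based derivation of the seed and the two-key 3DES K_ENC and K_MAC. The function names are assumptions; the sample MRZ fields are modelled on the Doc 9303 BAC worked example and are not on this page.

```python
import hashlib

# ICAO Doc 9303 check digit: weights 7, 3, 1 repeating; digits count as their
# value, letters A-Z as 10-35 and the filler '<' as 0.
_WEIGHTS = (7, 3, 1)


def mrz_check_digit(field: str) -> str:
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError("character not allowed in MRZ: %r" % ch)
        total += value * _WEIGHTS[i % 3]
    return str(total % 10)


def mrz_field_is_consistent(field: str, printed_check_digit: str) -> bool:
    """An OCR misread of the printed field shows up here, before key derivation."""
    return mrz_check_digit(field) == printed_check_digit


def mrz_information(document_number: str, birth_date: str, expiry_date: str) -> str:
    """The 'MRZ information' the BAC keys are derived from: document number
    (padded to 9 characters with '<'), birth date YYMMDD and expiry date
    YYMMDD, each immediately followed by its check digit."""
    doc = document_number.ljust(9, "<")
    return (doc + mrz_check_digit(doc)
            + birth_date + mrz_check_digit(birth_date)
            + expiry_date + mrz_check_digit(expiry_date))


def adjust_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as DES key bytes require."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 0x01
        out.append(b)
    return bytes(out)


def derive_bac_keys(mrz_info: str):
    """K_seed is the first 16 bytes of SHA-1 over the MRZ information; K_ENC and
    K_MAC are the first 16 bytes of SHA-1 over K_seed followed by the 32-bit
    counters 1 and 2, parity-adjusted into two-key 3DES keys."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    k_enc = adjust_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = adjust_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x02").digest()[:16])
    return k_seed, k_enc, k_mac


# Sample fields modelled on the Doc 9303 worked example (not from this page).
SAMPLE_DOC_NUMBER, SAMPLE_BIRTH, SAMPLE_EXPIRY = "L898902C", "690806", "940623"
```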
Because physical access to the epassport is needed to read the MRZ, it is assumed that the epassport's owner has given permission to read the epassport. Equipment for optically scanning the epassport MRZ is mandated by ICAO. This equipment uses an optical character recognition (OCR) system to read the text, which is printed in a standardized format. The BAC mechanism was first introduced into the German epassport on 1 November 2005 and is used in most countries today (including other European country epassports and the United States epassport since August).

Extended Access Control

Augmenting BAC, EAC is an additional optional security access mechanism to meet data protection requirements and to help protect the privacy of additional biometric data (for example, fingerprints). Implementation will be country-specific. EAC also ensures that access to biometric data is only possible if allowed by the issuing country. EAC uses additional cryptographic mechanisms to protect biometric data from being retrieved without proper authorization. An epassport equipped with EAC protects the additional biometric data using encryption and active mutual authentication. Each epassport will have unique keys to protect access to the sensitive information, and the requestor needs to have a cryptographic key proving to the epassport that it has the right to access the protected information. With the help of EAC, epassport readers at ports of entry can be authorized to read the additional optional data, and selective access rights can be defined. The retrieval of fingerprints requires sovereign powers (e.g., the permission of the country which issued the epassport). EAC makes it possible to

define whether an authorized entity is able to access the additional biometric information, with the issuing country deciding whether another country can access the data. EAC is mandatory for European Union (EU) member countries. The U.S. epassport does not implement EAC at this time.

Passive Authentication 17

To prove that the contents of the epassport chip are authentic and unchanged, ICAO specifies "passive authentication" as a mandatory requirement. The epassport chip contains a digitally signed "document security object" that stores hash values of logical data structure contents. The border inspection system can use the document signer public key from the issuing country to verify that the data in the epassport chip is authentic and unchanged.

Active Authentication 18

ICAO specifies optional "active authentication" to protect epassports from chip cloning, using the epassport's active authentication key pair in a challenge-response protocol between the inspection system and the epassport contactless chip. Active authentication authenticates the epassport chip to the reader terminal.

Other Optional Security Methods

Other optional security methods that may be used with epassports include:

- Comparison of the conventional MRZ (in optical format) with the MRZ data stored in the epassport chip. This proves that the contactless chip's content and the physical epassport belong together.
- Encryption of biometric data. This secures additional biometrics and would be country-specific.
- Passport cover shielding. This prevents unauthorized reading of the epassport contactless chip when the passport cover is closed.

4.2 epassport Validity and ICAO Public Key Directory

Countries determine that an epassport is valid through a number of different techniques. First, the epassport must be current (not expired). Each epassport has an expiration date printed on the document and also written onto the electronic chip. The expiration date on the chip is protected against modification or forgery by a digital signature. The digitally-signed expiration date can be verified by electronic passport readers. Second, the information is checked to determine if it is authentic. The epassport's printed material security features (e.g., watermarks, security threads, papers and inks) are checked to determine authenticity. epassport data (of which the expiration date is one element) is also protected by a digital signature. Third, the country must determine if the issuer (i.e., the printer of the information on paper and on the electronic chip) is trusted. This is accomplished by checking the issuer's digital signature. Countries use the epassport system's public key infrastructure (PKI) to do this check. This requires that the country checking the passport obtain a copy of the issuer's signing certificate ahead of time so its key can be compared with the certificate that signed the information in the epassport. This would need to be done for each issuer (i.e., each country whose epassports are accepted); the information (i.e., each country's signing certificate) must also be kept up to date to ensure that it is still valid. Managing individual relationships to obtain this information from all other countries is a complex task.

ICAO has established a Public Key Directory, or PKD, as part of the global system for epassport validation. Every country issuing epassports digitally signs the data with the corresponding country signing keys. The ability to verify a country's digital signature is an essential element of epassport validation, and the PKD provides a means for border control authorities to verify that the digital signatures on an epassport are indeed valid. The ICAO PKD has been established to support the global interoperability of epassport validation and to act as a central broker to manage the exchange of certificates and certificate revocation lists among countries. This central role helps to manage the otherwise onerous public key certificate exchange activity that would take place among the many countries issuing epassports. As of the end of 2011, the ICAO PKD included: Australia, Austria, Bulgaria, Canada, China (three entries for the Chinese Government, Hong Kong China, Macao SAR), Czech Republic, France, Germany, Hungary, India, Japan, Kazakhstan, Latvia, Luxembourg, Morocco, Netherlands, New Zealand, Nigeria, Norway, Republic of Korea, Singapore, Slovakia, Sweden, Switzerland, Ukraine, United Arab Emirates, the United Kingdom and the United States. 19 Additional information regarding the ICAO PKD, including participating countries, can be found at:

U.S. epassport Security Measures and Use

As an illustration, the security measures used in the U.S. epassport are described in this section. Security measures are found throughout the epassport system, from the production of the book itself to the policies and procedures in place at border crossings. Starting with the document, the U.S. epassport is manufactured by the government, in government-owned facilities. No one outside the government knows the full recipe, which includes special papers, inks, and manufacturing techniques. The embedded chip is a secure microcontroller with advanced cryptography and built-in sensors to detect attacks. When an epassport is created, the same information is both securely printed on the paper and securely written to the chip. The information on the chip is digitally signed by the issuing country's passport authority. Once manufactured and personalized, writing to the chip is permanently blocked.

The epassport book is designed to be handed to someone and opened before any information stored on the chip is read. U.S. epassports have a metallic RF shield built into the covers to prevent anyone from reading the epassport's electronic chip. This shield completely protects the chip from being read or detected while the epassport book is closed and prevents anyone from reading the information in the epassport without the passport owner's knowledge. When the epassport is open, the chip will only respond to an RF ATQ protocol activation with a random chip ID number each time it is activated. This prevents anyone from being able to determine which authority issued the epassport. Without the activation keys, no other information can be obtained from the epassport. The U.S. epassport implements BAC as described under Basic Access Control above. The epassport must be opened to allow the MRZ contained on the physical data page to be optically read; an authentication key is derived from the MRZ, which is then presented via the RF interface to the epassport chip before the chip will communicate the passport information. A session key is negotiated and this key is then used to encrypt communication between the epassport's chip and the reading device.

17 ICAO Doc 9303 Machine Readable Travel Documents, Part 1 Machine Readable Passports, Volume 2 Specifications for Electronically Enabled Passports with Biometric Identification Capability, Sixth Edition 2006, Section
18 ICAO Doc 9303 Machine Readable Travel Documents, Part 1 Machine Readable Passports, Volume 2 Specifications for Electronically Enabled Passports with Biometric Identification Capability, Sixth Edition 2006, Section

Last but not least, the government, manufacturers, and control personnel have enhanced their passport manufacturing, delivery and control processes to set up a stronger chain of trust. These improved processes protect citizens from identity theft and prevent criminals from obtaining official-looking passports with false identities. Anyone wanting to make an epassport copy would need to have the chip, the data, and all of the manufacturing components and know-how. But without the country signing key required to digitally sign all of the information, anyone trying to create, modify or use a forged passport would be stopped, as the cryptographic verification would fail when the epassport's document security object is checked against the corresponding country signing certificate found at the ICAO PKD. Figure 9 shows how a U.S. epassport is used at border control.

Figure 9. U.S. epassport Use at Border Control
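The inspection-side checks described in Passive Authentication and in Section 4.2 (document current, data groups unchanged against the signed document security object, issuer trusted through a PKD-distributed and unrevoked signer certificate, printed MRZ equal to the chip MRZ), as an added example that is not this module's or ICAO's code. Assumptions: the SOD is simplified to a JSON hash list; an HMAC under a per-signer key stands in for the real asymmetric signature and certificate chain, so the trust store is a dictionary of signer records rather than X.509 certificates; the MRZ, data groups, signer name and dates are constructed sample values.

```python
import hashlib
import hmac
import json
from datetime import date

HASH_ALG = "sha256"


def dg_hash(data: bytes) -> str:
    return hashlib.new(HASH_ALG, data).hexdigest()


def build_sod(data_groups: dict, signer_id: str, signer_key: bytes) -> dict:
    """Simplified document security object: the hash of every data group plus the
    document signer's identity, signed. Stand-in: HMAC-SHA256 under the signer's
    key replaces the real asymmetric signature, so a verifier "trusts" a signer
    by holding the same key record (as it would hold a PKD certificate)."""
    body = json.dumps({"alg": HASH_ALG, "signer": signer_id,
                       "hashes": {str(n): dg_hash(d) for n, d in data_groups.items()}},
                      sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(signer_key, body, hashlib.sha256).hexdigest()}


def inspect_epassport(data_groups, sod, trust_store, optical_mrz, today):
    """Return the list of reasons to reject; an empty list means the book passed."""
    problems = []
    body = json.loads(sod["body"])
    # Is the issuer trusted? The signer record stands in for a document signer
    # certificate obtained via the PKD: it must exist, be unexpired and unrevoked.
    cert = trust_store.get(body["signer"])
    if cert is None:
        problems.append("issuer unknown: no certificate for " + body["signer"])
    elif cert["revoked"]:
        problems.append("document signer certificate revoked")
    elif today > cert["valid_until"]:
        problems.append("document signer certificate expired")
    else:
        expected = hmac.new(cert["key"], sod["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sod["sig"]):
            problems.append("SOD signature invalid")
    # Passive authentication: every data group read from the chip must hash to
    # the value carried in the signed SOD.
    for n, h in body["hashes"].items():
        dg = data_groups.get(int(n))
        if dg is None or not hmac.compare_digest(dg_hash(dg), h):
            problems.append("DG%s missing or hash mismatch" % n)
    if 1 not in data_groups:
        problems.append("DG1 (MRZ) missing")
        return problems
    # Optional method from 4.1: the optically read MRZ must equal the MRZ in DG1.
    chip_mrz = data_groups[1].decode("ascii")
    if chip_mrz != optical_mrz:
        problems.append("printed MRZ does not match chip MRZ")
    # The document must be current: expiry is YYMMDD at positions 21-26 of MRZ
    # line 2 (assumes a 20YY century).
    yy, mm, dd = int(chip_mrz[21:23]), int(chip_mrz[23:25]), int(chip_mrz[25:27])
    if date(2000 + yy, mm, dd) < today:
        problems.append("document expired")
    return problems


# Constructed specimen: MRZ line 2 of a TD3 passport, expiry 15 April 2012.
SAMPLE_MRZ = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
SAMPLE_DGS = {1: SAMPLE_MRZ.encode("ascii"),
              2: b"<constructed stand-in for the JPEG facial image>"}
SIGNER_KEY = b"constructed document signer key"      # hypothetical value
TRUST_STORE = {"DS-UTO-1": {"key": SIGNER_KEY, "valid_until": date(2022, 12, 31),
                            "revoked": False}}
SAMPLE_SOD = build_sod(SAMPLE_DGS, "DS-UTO-1", SIGNER_KEY)
INSPECTION_DAY = date(2011, 6, 1)     # before expiry
LATER_DAY = date(2013, 1, 1)          # after expiry
```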

26 5 Physical Access 20 A physical access control system (PACS) is a coordinated network of ID cards, electronic readers, field control panels, specialized databases, software and computers designed to monitor and control traffic through access points. Smart card-based physical access control systems are a powerful and efficient security tool for protecting enterprise assets. Each employee or contractor is issued a smart ID card displaying enterprise information and printed designs, both to thwart the possibility of counterfeiting and to identify the card as official. The card typically displays a picture of the cardholder. The card stores personal information and a number used to uniquely identify the cardholder within the community for which the card data model was designed. When the person is initially enrolled in the PACS, the unique identifier is registered in the PACS and associated with a specific set of physical access privileges and authorizations. These privileges and authorizations determine when and at which access control points the cardholder is authorized. (If such privileges change, the new information can immediately be updated securely throughout the network.) When the card is placed in or near an electronic reader, access is securely and accurately granted or denied to all appropriate spaces (for example, a campus, a parking garage, a particular building, or an office). When an employee leaves an organization, all physical access privileges are removed at once. Any future attempt by that person to re-enter the premises using an expired or revoked card could be denied and recorded automatically. 
To the user, a PACS is composed of three elements:
- A card or token (an identity credential) that is presented to a card reader
- A card reader
- A control panel, which contains a subset of the registered cards and authorization data
- A door or gate, which is unlocked when entry is authorized
- A server, with a system-specific PACS application that is used to manage system functions such as user registration, authorization and audit records. Other functions vary by manufacturer.

Behind the scenes is a complex network of data, computers, and software that incorporates robust security functionality. This section describes the operation and components of a typical smart card-based physical access control system. It provides a context for understanding how contact and contactless smart card technologies are used in an access control application.

5.1 PACS Components

A typical PACS is made up of the following components:
- ID credential (smart card)
- Door reader (smart card reader)
- Door lock
- Door position switch
- Control panel
- Access control server
- Software
- Database

Figure 10 illustrates how these basic components interconnect, with each component described in the following sections.

20 Source: Smart Card Alliance, Using Smart Cards for Secure Physical Access, July 2003, with updates from Lars Suneborn, Hirsch Electronics.

Figure 10. Physical Access Control System Schematic (ID Credential, Reader and Door Lock at each access point; Control Panel and Additional Control Panels; Head-end System comprising the Access Control Server, Software and Database)

5.2 Physical Access Control Process (Non-U.S.-Federal Government Use)

The access control process begins when a user presents the credential 21 (typically an employee's smart card badge or ID) to the reader, which is usually mounted next to a door or entrance portal. The reader extracts data from the card, processes it, and sends it to the control panel. The request transaction includes at least three components: the time of day, day of week and date; the door location; and the card number. The control panel first validates the reader and then accepts the data transmitted by the reader. What happens next depends on whether the system is centralized or distributed.

In both centralized and distributed systems, access parameters and specific user information are stored in individual user records in the PACS. Each user record is referenced by the unique number of the card issued to the user. The card number is simply a reference number used to locate the user record. Content of the user record varies from system to system as well as from one organization to another. However, the door table, or set of authorizations, is always part of each user record.

In a distributed system, the control panel stores the authorization for each user record and is capable of making proper access (authorization) decisions locally. The control panel then sends each transaction to the PACS server for archiving and record keeping. During periods when communication to the server is interrupted, access events are stored in a temporary memory (buffer) until server communication is restored. At that time, all access events are sent to the PACS server for logging and future reporting of past access transactions.
These reports may include information such as "Who was in a specific area during the period between 0900 and 1130 AM, Saturday, August 2?" The access control server provides control panels with data updates, such as adding new users to the panel, removing users who leave the site, or changing the list of authorized doors. The control panel then performs the access control server functions described above and makes the decision to allow or deny entry. Enabling control panels to perform the decision function has the advantage of requiring less communication between control panels and a central access control server, thus improving overall system performance and reliability.

When two-factor authentication is required (e.g., both a card and a personal identification number (PIN)), the access and authorization process changes. Although different systems handle the multiple factors differently, the fundamentals are similar. In areas where this method is deployed, the user reference number for access authorization now consists of two components: the card number and the PIN.

An example of the PIN-to-PACS access process is as follows. The user presents a card to the reader and the reader sends the card number to the control panel in a normal fashion. The panel uses the card number to locate the user record, which in this case includes a secret PIN. The user is prompted to enter the PIN on the keypad and this PIN is matched with the secret PIN stored in the panel's user record. When the PIN is verified, the control panel processes the access request and determines if the user is authorized.

In a PIN-to-reader configuration, the card data is read from the card and temporarily stored in the reader. The reader has a keypad and the user enters the PIN to cause the reader to release and send the card data to the PACS control panel. The card number is processed as in a card-only type system. (Note that this method is only used in non-U.S.-federal government deployments.)

Biometric verification devices may be used as standalone units, or added as an additional authentication factor to card or PIN-based systems.

21 This document uses the term credential to refer to the general identification device (both the physical device and the data it holds). This is commonly referred to as the ID token in physical access control systems.
Biometric verification may be performed by comparing the live biometric to a biometric template; the comparison is done either by the reader (match-on-reader), within the smart ID card (match-on-card) or within the PACS system (where the biometric data is sent to the control panel for processing). In a standalone deployment, the reader captures the live biometric data and compares it against biometric data of enrolled users. This data may be stored in the reader or in a server connected to the reader; this type of implementation is referred to as a "one-to-any search." (Note that this method is no longer used in U.S. Federal government deployments.)

When used as a secondary or additional method, the user's specific biometric data is stored as a part of the user record. The record is accessed either by a PIN, or more commonly, by a card. The card (or PIN) is presented to the reader, and this information is used to locate the user's biometric data (often stored in the reader). When the user submits the live biometric, the reader performs the verification. When the verification process results in a valid match, the reader sends the card number to the control panel for processing as described above.

As smart credentials are deployed, the process changes. The smart card enables mutual authentication between the card and reader before further processing occurs. In addition, the smart credential may store personal information in a secure container that is only accessed after the user enters a valid PIN. 22 When the verification process is successfully completed and valid, the card releases its card number to the panel for authorization processing as described above. If the card information is invalid, then the card reader indicates that result, and entry is denied. The response to an invalid card is defined by the company's security policy and procedures.
The access control server or control panel may ignore the data and not send an unlock code to the controller or door lock. It may send a signal to have the reader emit a different sound, signaling that access was denied. It may be configured to notify security staff and activate other security systems (e.g., closed-circuit TV, alarms), indicating that an unauthorized card is being presented to the system.

22 See the Smart Card Alliance Access Control Council document, "Access Control Reader and Credential Architecture and Engineering Specification for Non-Government Facilities: Contactless Smart Card MHz High Frequency Technology," April.

Each access control system component in this process is described in more detail below.

5.2.1 The ID Credential

A number of different ID technologies are currently in use for commercial, non-government physical access control: magnetic stripe, Wiegand strips, barium ferrite, 125 kHz proximity technology 23, and contact and contactless smart card technology. These technologies can be packaged in a variety of form factors: everything from a key fob or an employee badge to even more exotic forms, such as a wristwatch or ring. However, all credentials operate in basically the same way: they hold data that authenticate the credential and/or user.

Some credential technologies are read-only. Information is permanently recorded on the credential, and when the credential is presented to a reader, the information is sent to the system. This type of credential only validates that the information itself is authentic. It does not confirm that the person presenting the credential is the person authorized to possess it, or that the credential itself is genuine.

Contact smart card technology defined by ISO/IEC 7816 and contactless smart card technology defined by ISO/IEC and ISO/IEC have both read/write and data storage capabilities. Credentials that use these technologies are intelligent devices. They can store privileges, authorizations, and attendance records. They can store PINs and biometric templates, offering two- or three-factor authentication capability. The credential is no longer just a unique number holder, but is a secure, portable data carrier as well.

5.2.2 The Card Reader 24

The card reader can have one or more interfaces, accommodating some combination of both contact and contactless smart cards and including a PIN pad and biometric reader. How the reader responds depends on the type of credential presented and the organization's security policy.
When the reader is used with a contactless smart card, it acts as a small, low-power radio transmitter and receiver, constantly transmitting an RF field or electromagnetic field called an excite field. When a contactless card is within range of the excite field, the internal antenna on the card converts the field energy into electricity that powers the chip on the card. The chip then uses the antenna to transmit data to the reader. When the reader is used with a contact smart card, the reader includes an opening that contains a smart card contactor. The card and the connector in the reader must make physical contact.

Readers that include a PIN pad and a biometric reader (typically a fingerprint or hand geometry reader) generally support two- and three-factor authentication, if required. For example, a facility may require only the presentation of a contactless card when the security risk is low, but require biometric data as well when the threat level increases. When the security risk is high, it may be necessary to present a contact smart card and use the biometric reader and PIN pad. These multi-factor readers can be used when it is desirable to vary required inputs by time of day, day of week, or location. Requirements for additional authentication factors are determined by the organization's security policy.

When the reader has received all required data, it typically processes the information in one of two ways. Either the information is immediately sent to the control panel, or the reader analyzes the data before sending it to the control panel. Both methods are widely deployed. Each has advantages and disadvantages.

The simplest readers send data directly to the control panel. These readers do nothing to evaluate the data or determine the legitimacy of the credential. These readers are typically one-factor readers and are generic, so that they can be stocked in inventory and easily added to or replaced in an access control system.

Readers that analyze data must be integrated into the PACS. That is, they must interpret and manipulate the data sent by the card and then transmit the data in a form that is usable by the control panel. Such a system can offer an increased level of security. The reader can determine the legitimacy of the card (and the card can determine the legitimacy of the reader), compare the biometric data or PIN entry, and manipulate the credential data so that what the reader sends to the control panel is not the same as what was read from the card. The process of authenticating the card to the reader and the reader to the card is called mutual authentication. Mutual authentication is one of the advantages of a smart card-based system.

23 125 kHz proximity technology is commonly referred to as "prox."
24 See the Smart Card Alliance Access Control Council document, "Access Control Reader and Credential Architecture and Engineering Specification for Non-Government Facilities: Contactless Smart Card MHz High Frequency Technology," April.

5.2.3 The Control Panel

The control panel (often referred to as the controller or simply the panel) is the central communications point for the PACS. It typically supplies power to and interfaces with multiple readers at different access points. The controller connects to the electro-mechanical door lock required to physically unlock a door or to the unlocking mechanism for an entrance portal (such as a turnstile, parking gate or elevator). It is often connected to a door position switch that monitors the state of the door and enables the panel to detect if the door is opened without a valid access or forced open, or if the door is left open after a valid opening. Both events cause the panel to generate and send an alarm message to the PACS operator. Some panels may be connected to different alarm annunciators (e.g., sirens, auto-dialers, lights, CCTV cameras). And finally, the control panel is usually connected to an access control server.
Depending on the system design, the control panel may process data from the card reader and the access control server and make the final authorization decision, or it may pass the data to the access control server to make this decision. Typically, the control panel makes the decision to unlock the door and passes the transaction data to the host computer and the unlocking signal to the reader. It is important for the control panel (vs. the reader) to generate the unlocking signal, since the control panel is located inside the facility or in a secure room, while the card reader is located in an insecure or open area.

Finally, the control panel stores data format information. This information identifies what portion of the data stream received from a card is used to make access control decisions. Cards and readers implemented with different technologies can exchange data in different formats. However, the control panel needs to know how to interpret and process this data. For example, if a reader sends 35 bits of data and the control panel is designed to read only 26 bits, the panel must either reject the data or truncate 9 bits. The data format controls how the panel interprets received data.

5.2.4 Access Control Server

The head-end system (also referred to as the back-end system or host system) includes the access control server, software, and a database. The database contains updated information on users' access rights. In a centralized system, the access control server receives the card data from the control panel. The software correlates the card data with data in the database, determines the person's access privileges, and indicates whether the person can be admitted. For example, if a person is allowed in a building only between 8 AM and 5 PM and it is 7:45 AM, the person is not admitted. However, if it is 8:01 AM, then the computer should respond to the control panel, indicating that the door can be unlocked. Most PACS are decentralized.
In a decentralized system, the access control server periodically sends updated access control information to the control panels and allows them to operate independently, making the authorization decision for the credential presented based on data stored in the panel. The operational characteristics for centralized or decentralized systems are determined from the specific implementing organization's access control requirements.
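As an added example that is not part of this module, the following Python code shows the format check the control panel performs on the bit stream it receives (the 35-bit versus 26-bit case described under The Control Panel, and the facility code, credential number and parity fields described in section 5.3). The 26-bit layout used here is the common Wiegand format and is an assumption; the module does not specify a layout, and the user table and credential values are constructed.

```python
"""Added example (not from the Smart Card Alliance module): how a control panel
interprets the bit stream a reader sends it. The layout below is the common
26-bit Wiegand format and is an assumption here; the module does not specify one.

  frame bit 0       even parity over frame bits 1..12
  frame bits 1..8   8-bit facility code
  frame bits 9..24  16-bit card number
  frame bit 25      odd parity over frame bits 13..24
"""
from dataclasses import dataclass

EXPECTED_BITS = 26  # the format this panel is configured for


@dataclass(frozen=True)
class Credential:
    facility_code: int
    card_number: int


def parse_26bit(bits: str) -> Credential:
    """Decode a 26-bit frame; raise ValueError when the length or parity is wrong."""
    if len(bits) != EXPECTED_BITS or set(bits) - {"0", "1"}:
        raise ValueError(f"panel expects {EXPECTED_BITS} bits, received {len(bits)}")
    b = [int(c) for c in bits]
    # The leading parity bit plus frame bits 1..12 must hold an even number of ones.
    if sum(b[0:13]) % 2 != 0:
        raise ValueError("even parity check failed")
    # Frame bits 13..24 plus the trailing parity bit must hold an odd number of ones.
    if sum(b[13:26]) % 2 != 1:
        raise ValueError("odd parity check failed")
    return Credential(int(bits[1:9], 2), int(bits[9:25], 2))


def encode_26bit(facility_code: int, card_number: int) -> str:
    """Build the frame a reader would emit for this credential (constructed test data)."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("field out of range for the 26-bit format")
    body = f"{facility_code:08b}{card_number:016b}"
    even = str(sum(int(c) for c in body[:12]) % 2)
    odd = str(1 - sum(int(c) for c in body[12:]) % 2)
    return even + body + odd


def panel_decision(bits: str, user_table: dict, door: str) -> str:
    """Panel logic: validate the format, then consult the credential's door table.
    A frame that parses proves only that the bits are well formed, not that a
    genuine card produced them; that is why section 5.5 calls for securing the
    reader-to-panel channel."""
    try:
        cred = parse_26bit(bits)
    except ValueError as err:
        return f"reject: {err}"
    doors = user_table.get((cred.facility_code, cred.card_number))
    if doors is None:
        return "deny: unknown credential"
    if door not in doors:
        return f"deny: not authorized for {door}"
    return f"grant: {door}"


if __name__ == "__main__":
    # Constructed user table: (facility code, card number) -> authorized doors.
    table = {(42, 1234): {"lobby", "lab"}}
    frame = encode_26bit(42, 1234)
    print(frame, panel_decision(frame, table, "lobby"))
    print(panel_decision(frame + "0" * 9, table, "lobby"))  # 35-bit stream: rejected
```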

5.3 Physical Access Control System Data Formats

The physical access control system's data format is a critical design element. Data format refers to the bit pattern that the reader transmits to the control panel. The format specifies how many bits make up the data stream and what these bits represent. For example, the first few bits might represent the facility code, the next few a unique credential ID number, the next few parity, and so on. Many PACS vendors have developed their own formats, making every vendor's coding unique. Like the pattern of teeth on a door key, the formats are kept secret to prevent an unauthorized person or company from duplicating a card. Existing installed PACS formats must be considered when defining the requirements for implementing new physical access control system technologies.

In the United States, the Federal Information Processing Standard (FIPS) standard and supporting NIST special publications defined a standard data format for information stored on the PIV card: the PIV Card Holder Unique Identifier (CHUID), the Federal Agency Smart Credential Number (FASC-N, a 48-bit number) and the Unique User Identifier (UUID, a 128-bit number). These differ from existing installed access control system data formats, including more bits of information in the data field for the credential number and differing in how unique credential numbers are established. PACS that use proprietary card formats must be updated to accept the non-proprietary, open format of the PIV card.

5.4 Operational Range

One important characteristic of PACS operation is the distance from the reader at which the credential is effective (called the operational range). This characteristic can affect the end user's perception of how convenient it is to use the system. For systems using contact smart cards, operational range is not an issue, as the card is inserted into the reader and physical contact is made.
Operational range is determined by many factors, including both the system's design specifications and the environment in which the reader is placed. Factors that affect operational range include the antenna's shape, the number of antenna turns, the antenna material, surrounding materials, the credential's orientation to the reader, the electrical parameters of the chip, anti-collision features and the field strength of the reader. Government organizations (for example, the FCC, UL, and CE) are involved in approving or specifying frequency ranges or power transmission limits. Operational range can be increased by strengthening the antenna (for example, by increasing the number of antenna coils, the antenna size, or the power transmitted to the antenna). ISO/IEC specifications limit the read range for the MHz technology to no more than 10 cm (approximately 4 in).

The location of the reader can affect the operational range of a contactless reader. For example, the proximity of the reader to metal can distort the excite field or even shield it from the card. So a reader mounted on a solid metal plate, next to an all-metal door or encased in a metal cage (to protect it from vandals), may have a very short operational range.

The ID credential operational range for any of the contactless technologies is a critical design decision for a physical access control system. The appropriate operational range will be determined as part of the organization's overall security policy, security architecture and requirements.

5.5 Security Considerations

To mitigate the risks of unauthorized access or deliberate attacks, the security of the entire PACS must be considered. This begins with the initial card issuance process and includes the actual components of the system (such as the network, databases, software, hardware, cameras, readers, cards), system processes (e.g., guard procedures), and the protection of data within system components and during transmission. The system's design will consider what security features need to be implemented given the environment of the system and the actual likelihood of an attack.

5.5.1 Card Security

Smart cards can help to deter counterfeiting, thwart tampering with an ID card and prevent usage of an unauthorized card. Smart cards include a variety of hardware and software capabilities that detect and react to tampering attempts and help counter possible attacks, including: voltage, frequency, light and temperature sensors; clock filters; scrambled memory; constant power sources; and chip designs to resist analysis by visual inspection, micro probing or chip manipulation.

Where smart ID cards will be used for manual identity verification, security features can be added to a smart card body, such as unique fonts, ink color and multicolor arrangements, micro printing, high quality ultraviolet ink on the front and rear, ghost imaging (secondary photograph of the holder in an alternative location on the card), and multiple-layered holograms, including three-dimensional images.

When properly designed and implemented, smart cards are almost impossible to duplicate or forge, and data in the chip cannot be modified without proper authorization (e.g., with passwords, biometric authentication, or cryptographic access keys). As long as system implementations have an effective security policy and incorporate the necessary security services provided by smart cards, organizations and ID holders can have a high degree of confidence in the integrity of the ID information and its secure, authorized use.

5.5.2 Data Protection

One of the most compelling arguments for the use of smart card-based systems for physical access control is the capability to use data scrambling or cryptography to protect information both on the chip and during transmission. The security and reliability of information required to identify individuals and their rights and privileges is key to the success of a physical access control system. Smart cards support both symmetric 26 and asymmetric 27 cryptographic algorithms.
Symmetric key cryptography is widely used for physical access control and uses the same key for encryption and decryption, making it extremely fast and reliable. Asymmetric cryptography is often used for logical access applications and is starting to be used for physical access applications. Multiple keys can be stored on a single chip to address the security requirements for using multiple applications, thus providing better security for the growing complexity of today's systems.

5.5.3 Card and Data Authentication

A secure PACS must have the unbiased assurance that both the ID card as presented to the reader and the data it contains are authentic. In some cases, it is important to verify that the reader is authentic as well (as determined by the card) to prevent counterfeit terminals being used to extract data. Separate from the use of a PIN and/or biometric which unlocks the card or authenticates the person, smart cards have the unique capability to offer internal chip-based authentication features that use symmetric or asymmetric cryptographic mechanisms to offer highly reliable solutions to prove the card and data are genuine. For secure card authentication, smart cards are uniquely able to use active cryptographic techniques to respond to a challenge from the reader to prove that the card possesses a secret that can authenticate that the card is valid.

25 See the Smart Card Alliance Access Control Council white paper, "The Commercial Identity Verification (CIV) Credential Leveraging FIPS 201 and the PIV Specifications: Is the CIV Credential Right for You?"
26 The most common symmetric key algorithms currently used are DES (Data Encryption Standard), Triple DES (either in two- or three-factor format), IDEA (International Data Encryption Standard), AES (Advanced Encryption Standard) and MIFARE.
27 The most common asymmetric cryptographic algorithms are RSA, ECC (Elliptic Curve Cryptography), and DSA (Digital Signature Algorithm).

5.5.4 Card to Card Reader Communications 28

As with any process involving electronic signals, the data transmitted among components can be monitored. This possibility must be considered in the system security design in terms of the environment (for example, is the area under observation, or could someone physically insert another device or place a monitoring device within signal range) and the actual likelihood of such an attack or effort. Depending on the environment and risk profile, an organization may be concerned that the data sent from a contact or contactless ID card to a card reader can be monitored, allowing an illegal entrance to be effected if a rogue card or device can duplicate the data. Smart cards support industry-standard encryption and security techniques that both secure communication between the card and the reader and enable card and reader authentication methods. The security keys used for both encryption and authentication are kept in secure tokens (smart card modules) on both the card and the reader and are highly resistant to attack.

5.5.5 Card Reader to Control Panel Communications 29

In an access point location that is not observed or that doesn't have physically secure wiring, organizations may be concerned that an intruder could remove a card reader from its mounting and read the data stream sent to the control panel, or place a personal computer or other device on these wires and mimic the insertion of a valid card to gain authorization. Most card readers currently transmit data to the control panel using one of two formats: Wiegand or magnetic stripe. Wiegand format uses two signal lines: D0, for transmitting zero data pulses; and D1, for transmitting one data pulses. The magnetic stripe format uses two signal lines: one for data and one for clock. These data strings are not considered secure. Providing a secure channel from the card to the reader and from the reader to the control panel overcomes this potential security threat.
Providing secure channels neutralizes the most serious threats because the reader and the card are the two elements that are exposed and physically available to an attacker. The communication channel from the reader to the control panel can be secured in a way similar to that used to secure the channel between the card and the reader. The data exchanged between the two devices can be encrypted for maximum security and the reader and panel can be authenticated during the transaction. Because the connection between the control panel and the access control system is internal to a building or located in a secure room, it is generally not as susceptible to attack. If desired, however, this connection can be secured using the techniques described in this section so that the entire system has an end-to-end secure data channel. Figure 11 illustrates an example of how smart card-based physical access control systems can provide end-to-end security.

28 See the Smart Card Alliance Access Control Council document, "Access Control Reader and Credential Architecture and Engineering Specification for Non-Government Facilities: Contactless Smart Card MHz High Frequency Technology," April.
29 See the Smart Card Alliance Access Control Council document, "Access Control Reader and Credential Architecture and Engineering Specification for Non-Government Facilities: Contactless Smart Card MHz High Frequency Technology," April.
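As an added example, not code from this module or from any card or reader vendor, the following Python sketch shows the challenge-response mutual authentication and the session-keyed channel discussed under Card and Data Authentication and in the two communications sections above. HMAC-SHA256 stands in for the DES/AES mechanisms real cards use; the key diversification scheme, the message layout and the static-clone device used to show why a captured exchange cannot be replayed are all assumptions made here.

```python
"""Added example (not code from the Smart Card Alliance module): card/reader mutual
authentication by challenge-response, then a session-keyed channel carrying the
card number. HMAC-SHA256 stands in for the DES/AES mechanisms real cards use; the
key diversification scheme and message layout are assumptions made here."""
import hashlib
import hmac
import os

MASTER_KEY = bytes(range(16))  # constructed issuer master key for the demo


def diversify(master_key: bytes, card_uid: bytes) -> bytes:
    """Per-card key from the issuer master key and the card UID, so a secret
    recovered from one card does not open doors for the whole population."""
    return hmac.new(master_key, b"diversify" + card_uid, hashlib.sha256).digest()


def mac(key: bytes, *parts: bytes) -> bytes:
    """16-byte MAC over the concatenated parts (stand-in for a CMAC)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with an HMAC-derived keystream (stand-in for AES-CTR)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Card:
    """Genuine card: the key and the card number never leave the chip in clear."""

    def __init__(self, uid: bytes, card_number: bytes, key: bytes):
        self.uid = uid
        self._number = card_number
        self._key = key
        self._rr = self._rc = b""

    def respond(self, reader_challenge: bytes):
        # Step 2: fresh card nonce plus a MAC binding it to the reader's challenge.
        self._rr = reader_challenge
        self._rc = os.urandom(8)
        return self._rc, mac(self._key, b"card", self._rr, self._rc)

    def release(self, reader_mac: bytes):
        # Step 4: the card checks the reader before releasing anything (mutual authentication).
        if not hmac.compare_digest(mac(self._key, b"reader", self._rc, self._rr), reader_mac):
            raise PermissionError("reader authentication failed; nothing released")
        session = mac(self._key, b"session", self._rr, self._rc)
        ciphertext = keystream_xor(session, self._rr + self._rc, self._number)
        return ciphertext, mac(session, ciphertext)


class StaticCloneCard:
    """Constructed threat model from section 5.5.4: a device holding only data copied
    from the air interface (the UID and one earlier response), not the key."""

    def __init__(self, uid: bytes, captured_response: tuple):
        self.uid = uid
        self._captured = captured_response

    def respond(self, reader_challenge: bytes):
        return self._captured  # replayed regardless of the reader's fresh challenge

    def release(self, reader_mac: bytes):
        raise PermissionError("no key available")


class Reader:
    """Reader whose secure module holds the master key (section 5.5.4)."""

    def __init__(self, master_key: bytes):
        self._master = master_key

    def authenticate(self, card):
        """Return the card number on success, or None to deny."""
        key = diversify(self._master, card.uid)
        rr = os.urandom(8)  # Step 1: fresh challenge, so old responses cannot be reused
        rc, card_mac = card.respond(rr)
        if not hmac.compare_digest(mac(key, b"card", rr, rc), card_mac):
            return None  # Step 3: card does not hold the diversified key
        try:
            ciphertext, tag = card.release(mac(key, b"reader", rc, rr))
        except PermissionError:
            return None
        session = mac(key, b"session", rr, rc)
        if not hmac.compare_digest(mac(session, ciphertext), tag):
            return None  # channel integrity check failed
        return keystream_xor(session, rr + rc, ciphertext)


if __name__ == "__main__":
    uid, number = b"\x04\x11\x22\x33", b"\x00\x2a\x04\xd2"  # constructed values
    card = Card(uid, number, diversify(MASTER_KEY, uid))
    print(Reader(MASTER_KEY).authenticate(card) == number)  # True: genuine card admitted
    clone = StaticCloneCard(uid, card.respond(b"\x00" * 8))
    print(Reader(MASTER_KEY).authenticate(clone))  # None: replayed response refused
```

The same pattern, with the panel holding its own key, secures the reader-to-panel leg so that a frame captured on the Wiegand lines is useless to a device spliced onto them.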

Figure 11. Example of End-to-End Security in a Smart Card-Based Physical Access System (Smart ID Card, Smart Card Reader, Control Panel and Access Control Server; secure authenticated communication over contact or contactless interfaces between card and reader; secure encrypted channels between the remaining components)

5.6 Recent Trends in System Architectures

Physical access control systems traditionally have been controlled by the corporate security department. However, with the advent of network-centric systems based on Internet technology and TCP/IP, access control systems have evolved into networked systems that combine many functions and involve multiple departments. Modern systems can include not only access control functions, but also corporate functions such as credential management and personnel databases. Nor have networked access control systems reached their functionality limits: it is easy to conceive of the card reader acting as a time clock, thus extending the system into the HR and payroll departments (Figure 12), or an ID card that includes a payment application for the local transit system. This new multi-application, networked architecture requires the involvement and cooperation of the security, IT, HR, and other departments in the implementation of a corporate physical access control system.

Figure 12. Example of Networked Physical Access Control System

In addition, in the United States, the Federal Information Processing Standard (FIPS) standard and supporting NIST special publications define standards for the Personal Identity Verification (PIV) card, the identification card that is now being issued to all Executive Branch employees, and PIV-I credentials being issued to contractors. These credentials are being used for both physical and logical access. The PIV card uses smart card technology, cryptography, and a data model that are significantly different from traditional physical access tokens. The deployment of PIV-compliant cards and systems throughout the U.S. Federal government and PIV-compatible cards in related industries and state and local governments has already had a significant impact on PACS designs, including:
- Support for the PIV User Unique Identifier (UUID) and Federal Agency Smart Credential Number (FASC-N) identifiers, which include 128 and 48 bits of information (respectively) in the data field for the credential number and differ in how unique credential numbers are established.
- Support for multiple PIV authentication factors; CHUID, Card Authentication Key (CAK), PKI-Auth and PKI-Auth+BIO are examples of one-, two- and three-factor authentication.
- Support for communication with an online certificate status protocol (OCSP) or certificate revocation list (CRL) service to check the validity or revocation status of credentials.
- Changes in the enrollment and revocation processes to support FIPS requirements.

See FIPS 201-2, SP and PIV in E-PACS reference documents.

6 Logical Access 31

In today's workplace, secure logical access is a critical concern. The Internet has enabled effective electronic collaboration among partners, customers, and suppliers. New technologies allow mobile workers to communicate outside of traditional security perimeters, using wireless technology or working remotely over a virtual private network (VPN). Increasing operational efficiencies motivate increasing numbers of enterprises and service organizations (such as banking, health, and insurance companies) to migrate to an enterprise network composed of corporate portals, application servers, and protected Web resources. The rising incidence of identity theft and the advent of new regulations and legislation also contribute to an environment in which secure logical access is extremely important. For all of these reasons, organizations that manage user identities, authentication policies, and user privileges are challenged to prevent intruder access to proprietary information.

The current password-based logical access infrastructure (introduced in the late 1960s) fails to address these new threats, new business models, and the growing complexity of networked resource access. Passwords are costly to manage (an estimated 30% to 50% of help desk costs are attributable to resetting passwords) and can be cracked using widely available tools. The security concerns raised by password-based systems and the added convenience that smart cards provide may be two major reasons why organizations are moving to smart-card-based logical access systems. According to a Frost & Sullivan survey, 39% of Fortune 500 companies plan to use smart cards within 3 years and 63% of Fortune 500 companies either have investigated or are investigating smart cards for network security implementations. Smart card technology is available in multiple form factors: as a plastic card, a Universal Serial Bus (USB) token, or a Subscriber Identification Module (SIM) in a mobile phone.
Smart card technology has advanced over the last 20 years to include improved storage and processing capacities, enhanced security, mature smart card management software, contactless technologies, and integration of multiple applications in a single smart ID badge. Smart cards can support a variety of applications used by organizations, including:

- Windows logon
- Password management
- One-time passwords (OTP)
- VPN authentication and data encryption
- Electronic signatures
- Enterprise single sign-on
- Secure wireless network logon
- Biometric authentication
- Cafeteria payments
- Personal data storage
- Role-based access
- Secure physical access

Today, smart cards are essential to the security backbone of an organization's identity management system, supporting the strong authentication required to validate individuals accessing networked resources and providing a critical first step in blocking intruders. Standardization has enabled card issuers to combine solutions from multiple sources, thus ensuring large-scale interoperability and reducing the costs of ownership by providing an open market. Because significant investment is still required to integrate new authentication systems into a legacy infrastructure, ongoing commitment by top executives and dedicated project management are required to make new identity management system deployments successful. Organizations that adopt smart cards for logical access see a strong return on investment and significant benefits, including improvements in convenience and security, greater accountability and better security decisions, regulatory compliance, operational efficiencies, and new business opportunities.

[31] Source: Logical Access Security: The Role of Smart Cards in Strong Authentication, Smart Card Alliance white paper, October 2004, with edits from Anna Fernezian, ActivIdentity.

6.1 Overview of Logical Access Authentication Technologies

In the story Ali Baba and the Forty Thieves, a treasure stolen by 40 thieves is hidden in a cave protected by a magic stone. The only way to enter the cave is to speak the secret password, "Open Sesame." It doesn't matter who the speaker is. Those words, said in that exact form, cause something magical to happen, moving the stone and allowing the speaker to enter. That same magic happens every time someone logs on to a computer network.

The importance of authentication cannot be overstated. Once a person is authenticated to the network, the person's privileges and access rights are based on that authentication. The purpose of authentication is therefore to permit network access to everyone who is authorized while keeping all others out. Stopping imposters without hindering valid users is the goal of every authentication technique. Various approaches address this vital task. All rely on the incorporation of one or more of the three factors critical to authentication:

- Some knowledge the person has, such as a password. This factor is commonly referred to as something you know.
- Some physical characteristic, such as a fingerprint. This factor is commonly referred to as something you are.
- Some item the person possesses, such as a key, a token, or a smart card. This factor is commonly referred to as something you have.

Each individual approach is uniquely designed to authenticate a user as completely as possible without imposing too much inconvenience. Each also has unique potential weaknesses.
Used in combination, the strength of authentication security is magnified, reducing the potential for impostor entry.

Passwords

The password is undoubtedly the most commonly used access control technique. The user simply provides a username and password, submits the information, and is granted or denied access. Within the computer system, this authentication method compares the username and password combination to stored information. An electronic response grants or denies access based on the results of this comparison. Protecting usernames, passwords, and the relationships between them is therefore critical to controlling logical access with passwords.

There are many ways for unauthorized individuals to gain access to passwords. Several of the most common methods follow.

- Social engineering is probably the best known of all ways to gain access to a system. For example, unauthorized individuals use flattery or plausible reasons to obtain another person's password. This risk is most easily mitigated by educating users on the need for strong and effective security.
- Password cracking programs use either brute force or dictionary look-up methods to attempt to recover protected passwords.
- Sniffer programs monitor packets traveling over a network. If an unencrypted password passes by, the sniffer captures it for later use, compromising the integrity of the system. However, the widespread adoption of network switches and routers has greatly reduced the effectiveness of sniffing tools.
- Personal knowledge about legitimate users is used to try to guess their passwords.

- Access to employees' desks. A person can sit at an employee's desk when nobody is around and look for passwords that have been written down.
- Look and see. By far the easiest way to get a password is to watch someone type it!

In order to safeguard password integrity, security policies require users to change passwords regularly to deter access to their accounts through such methods as finding written passwords, watching the person enter information, using keyboard sniffing programs, or guessing. Such password security policies are effective but can become quite complicated. These policies usually direct users not to reuse passwords, forcing them to create new and equally guess-resistant passwords that they can remember. The protection of stored information is also critical to a strong password security policy.

Passwords can be implemented in a variety of ways. In all cases, implementation of a password security policy is highly recommended. The policy may be as simple as requiring a minimum number of letters and may require the inclusion of upper- or lowercase letters, numbers, and special characters.

Password Storage

How passwords are stored on IT systems affects the overall security of the system.

Cleartext Passwords

The most elementary approach to passwords is to store cleartext (i.e., unencrypted) passwords and usernames in a flat file stored on a network. Such a file might look like this:

USERNAME   PASSWORD
AliceZ     mydogsparky
BobY       Home4holidays
CarolW     getthejobdone

This approach is easy to implement. The challenge is to protect the information from inappropriate access or manipulation while retaining instant accessibility for the logon process. While this approach is appropriate for certain situations, it is extremely vulnerable to attack. Once attackers find out how the logon function works and determine that passwords are maintained in the clear, access is greatly simplified.
Once inside the system, the attacker simply reads the file and obtains network privileges and access based on existing user accounts.

Password Conversions

In order to mitigate the vulnerability of storing cleartext passwords, three approaches rely on techniques that convert the password entered by the user from cleartext to some other form of data:

- Hashing
- Message authentication codes
- Cryptography

All three approaches potentially suffer from the same vulnerability: they all rely on the ability of people to choose passwords that are easy to remember (without writing them down) but complicated enough to withstand attack. Converting a password protects the stored form of the password, thereby eliminating the value of gaining access to the password database. However, the password itself is still potentially vulnerable to guessing or sniffed replay (in which an attacker intercepts data containing the password and extracts it from the data).

Hashing. Hashing, sometimes referred to as a message digest, uses a one-way mathematical algorithm that creates a fixed-length result from a message of any length. Hashing essentially creates a digital fingerprint of a message and, in this case, is used to protect passwords. Hashing changes a password into binary format and divides it into code blocks of a predetermined size. Each block is then processed through the hash algorithm and combined with the next unprocessed block to be processed again until all blocks have been processed. The result is then reconverted to ASCII text. Hashing is a reliable method for converting passwords because the result of feeding the same password into the same algorithm is always the same. However, virtually no mathematical or logical approach can obtain the original password from the result.

The two most popular hashing algorithms are MD5, which produces a 128-bit hash from any input, and the Secure Hash Algorithm (SHA), designed for use with the Digital Signature Standard by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). SHA-1 produces a 160-bit hash. An update to SHA, SHA-256, has been released and adopted for high-level security with encryption certificates. Since 2013, SHA-256 is universally accepted. A SHA-1 hashed password file looks like this:

USERNAME   PASSWORD
AliceZ     c0f1ce0662f4a2f8d86613cf2e7ddc311fbcf3bd
BobY       6dc04707c1204dac18b73e5b388365deac43f70c
CarolW     2a70467b07eb3acfb90944c90e0261a5cb44649d

Message Authentication Codes. Protecting passwords using a message authentication code (MAC) depends on a process that first hashes the password and then keys the result with a symmetric cryptographic key. Security is enhanced by the fact that the hashed password is encrypted. The verifying location compares the password to a stored value. The password is typically prepared for transport within the computer used to log on. Like hashing, MACs protect passwords only after they are submitted.
Cryptography. Passwords can also be protected using cryptography. A cryptographic algorithm, generally residing on the logon computer, encrypts the password and sends it to the location where the password data resides. The password is then compared to the stored data and the result is sent back to the logon computer. Symmetric cryptographic algorithms are typically used, since they are fast and robust. Unlike hashing and MACs, the resulting length varies in relation to the length of the password. A file of encrypted passwords might look like this:

USERNAME   PASSWORD
AliceZ     60135d5b849c2700dc60ffc2606fb947
BobY       0c0dd92d4bd8d8ca864441d23e066d8b
CarolW     7b ce3b2a049acaa0bd3c2
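The stored forms described above, as an added example that is not part of the module: Python code that builds the module's sample password file in hashed and MAC-protected form, performs the logon comparison against each, and shows what a converted file still reveals (the MAC key, the extra user DaveV and the use of SHA-256 inside the MAC are assumptions made for the example; the encrypted form is left out because the Python standard library has no block cipher).

```python
"""Added example, not code from the Smart Card Alliance module: the module's
sample password file in two of the converted forms described in the text
(hashed and MAC-protected) with the matching logon checks.

Assumptions: user names and passwords are the ones in the module's sample
file; a fourth user who reused AliceZ's password is added to show what a
converted file still reveals; SHA-1 is used only because the module's sample
hashed file uses it; the MAC key is a constructed server secret.
"""
import hashlib
import hmac
import secrets

# Constructed input: the module's cleartext file, plus one extra user.
CLEARTEXT_FILE = {
    "AliceZ": "mydogsparky",
    "BobY": "Home4holidays",
    "CarolW": "getthejobdone",
    "DaveV": "mydogsparky",       # constructed: reuses AliceZ's password
}

# Constructed server-side MAC key. In practice it is held outside the
# password file (e.g. in an HSM), which is what gives the MAC form its value.
SERVER_MAC_KEY = secrets.token_bytes(32)


def hashed_file(cleartext: dict) -> dict:
    """Hashing: store hex(SHA-1(password)), as in the module's sample file."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in cleartext.items()}


def mac_file(cleartext: dict, key: bytes) -> dict:
    """MAC: hash the password first, then key the result with a server key
    (HMAC-SHA-256 here). Without the key the stored values cannot be
    recomputed from password guesses."""
    return {u: hmac.new(key, hashlib.sha256(p.encode()).digest(), "sha256").hexdigest()
            for u, p in cleartext.items()}


def verify_hashed(stored: dict, username: str, password: str) -> bool:
    """Logon check against a hashed file; compare_digest avoids a timing leak."""
    expected = stored.get(username)
    if expected is None:
        return False
    candidate = hashlib.sha1(password.encode()).hexdigest()
    return hmac.compare_digest(candidate, expected)


def verify_mac(stored: dict, key: bytes, username: str, password: str) -> bool:
    """Logon check against a MAC file; needs the server key as well as the file."""
    expected = stored.get(username)
    if expected is None:
        return False
    candidate = hmac.new(key, hashlib.sha256(password.encode()).digest(),
                         "sha256").hexdigest()
    return hmac.compare_digest(candidate, expected)


def users_sharing_a_stored_value(stored: dict) -> set:
    """Both conversions are deterministic per password, so two users with the
    same password get the same stored value. Returns the names involved: a
    defender can use this to spot password reuse without knowing the
    passwords, and anyone who obtains the file learns the same thing."""
    by_value = {}
    for user, value in stored.items():
        by_value.setdefault(value, []).append(user)
    return {u for users in by_value.values() if len(users) > 1 for u in users}
```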

One-time Passwords

One-time passwords (OTPs) were developed to counter the potential problems of user-determined, static passwords and password security policy management. OTPs use a time-based and/or event-based algorithm with a random number generator that is unique for each individual user. Each time the user authenticates to the system, a different password is used, after which that password is no longer valid. The password is computed either by software on the logon computer or by OTP hardware tokens in the user's possession that are coordinated through a trusted system.

Software-based OTPs. Software-based OTP programs reside completely on the network and the host machine. One of the most common software-based OTPs is S/KEY, which is freely available on the Internet and is used as an example in the following discussion. S/KEY uses a combination of a permanent S/KEY password that is never sent over the network and a one-time key. When the user connects to the remote machine, a dialog box displays a one-time key and prompts for a password. The one-time key and the user's permanent S/KEY password are entered into a local S/KEY client machine, which then generates a password that allows logon. Every time the user connects to the remote machine, the one-time key changes; however, the user's permanent S/KEY password remains the same. One of the advantages claimed for this approach is that no secrets are stored on the host server. However, the server does need to store the OTP most recently used for authentication. For this reason, software-based OTPs are vulnerable to intruders who obtain root privileges on a server. With the expiration of the basic patents on public key cryptography and the widespread use of laptop computers running SSH and other cryptographic protocols that can secure an entire session, not just the password, S/KEY is falling into disuse.
Secure Shell (SSH) is a network protocol that allows data to be exchanged using a secure channel between two networked devices.

While many OTP approaches are based on proprietary algorithms, the Initiative for Open Authentication (OATH) has been working with the Internet Engineering Task Force (IETF) to develop open standards. One standard has been published, HOTP: An HMAC-Based OTP Algorithm (IETF RFC 4226); several other authentication methods and provisioning specifications are being discussed as IETF drafts and have been implemented by a number of vendors. Software-based OTPs have gained momentum for the mobile environment, with PDAs and smart phones as display devices. This is an area where the OATH-proposed HOTP standard is put to use. HOTP uses the SHA-1 hash function with a secret key shared between a user device and a validation server, which synchronizes unique passwords for sequential use.

OTP Tokens. Hardware-based OTPs are generated by a physical token or other device that users carry with them. Password generation is based on either time-based or challenge-response algorithms. The most popular time-based algorithm is incorporated in several companies' products. In this implementation, the user carries a special token that generates and displays a six-digit number that changes every 60 seconds. To log onto a system, the user enters a username and uses the six-digit number as the password. A server hosts software that uses a clock to coordinate with the hardware token and maintains a database with the correct passwords and challenge responses. If the number is what the server expects, the password is accepted. In a challenge-response system, a challenge is issued by the host system, which is then used by the user to compute the appropriate response. The response can be computed by the token, an automatic program, or user software.
Other companies' tokens may use a combination of time- and event-based algorithms, which capture the frequency of use and better manage the out-of-sync issues that occur with time-based algorithms. Alternative OTP techniques are available, including approaches that use a smart card or smart-card-based USB token as the physical OTP device.
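The HOTP algorithm (IETF RFC 4226) and the one-time validity and synchronization behaviour described above, as an added example that is neither the module's nor OATH's code: the token side, the validation-server side with a look-ahead window, and a walk-through showing acceptance, replay refusal and resynchronization (the look-ahead of 3 is an assumed policy value; the secret is the RFC 4226 test-vector secret, not a deployment secret).

```python
"""Added example, not code from the Smart Card Alliance module or from OATH:
HOTP as specified in IETF RFC 4226, with a token side and a validation-server
side. The server keeps the per-user counter, accepts a small look-ahead
window so a token pressed a few times out of sync can resynchronize, and
refuses a code once it has been accepted (the "no longer valid after use"
property the text describes).

Assumptions: the secret is the RFC 4226 Appendix D test-vector secret
(ASCII "12345678901234567890"); the look-ahead window of 3 is a constructed
policy value, not a number the RFC mandates.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation on the low nibble of the last byte, then the 31-bit
    integer reduced modulo 10**digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpToken:
    """The user's device: holds the shared secret and its own moving counter."""

    def __init__(self, secret: bytes, digits: int = 6):
        self.secret = secret
        self.digits = digits
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter, self.digits)
        self.counter += 1          # each press consumes one counter value
        return code


class HotpValidator:
    """The validation server's record for one user."""

    def __init__(self, secret: bytes, look_ahead: int = 3, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.counter = 0           # lowest counter value still acceptable

    def validate(self, code: str) -> bool:
        """Accept if the code matches any counter in the window
        [counter, counter + look_ahead]; on success the window moves past
        the matched counter, so a replay of the same code fails."""
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1
                return True
        return False


# RFC 4226 Appendix D test-vector secret (constructed for the example).
RFC4226_SECRET = b"12345678901234567890"


def demo() -> dict:
    """One enrolment walked through: first code accepted, its replay refused,
    a token that skipped ahead inside the window accepted, outside it refused."""
    token = HotpToken(RFC4226_SECRET)
    server = HotpValidator(RFC4226_SECRET)
    first = token.next_code()                       # counter 0 -> "755224"
    accepted = server.validate(first)               # server moves to counter 1
    replayed = server.validate(first)               # same code again: refused
    for _ in range(3):                              # user pressed the button
        token.next_code()                           # counters 1..3 unused
    in_window = server.validate(token.next_code())  # counter 4 -> "338314"
    token.counter = 9                               # beyond window [5, 8]
    out_of_window = server.validate(token.next_code())  # "520489" refused
    return {
        "accepted": accepted,
        "replayed": replayed,
        "in_window": in_window,
        "out_of_window": out_of_window,
        "server_counter": server.counter,
    }


if __name__ == "__main__":
    print(demo())
```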

Single Sign-on

Single sign-on is an authentication mechanism that requires computer users to sign on to a system (i.e., present a password) once. The single sign-on then provides them with access to all applications and systems that they are authorized to access. Single sign-on solutions are typically implemented to reduce human error and user frustration. The implementation of single sign-on solutions has not been universal, since they often only reduce the number of passwords required or they can be too complex to integrate with all applications. Since single sign-on solutions rely on passwords, they also suffer from the potential weaknesses inherent to all password-based authentication unless other authentication factors are also implemented.

Biometrics

Approaches that rely on biometric factors comprise a group of proven technologies and computerized methods that identify and verify individuals based on personal characteristics. These approaches match a characteristic in real time against a record of the characteristic that was created at enrollment. The main biometric technologies include fingerprint, face, hand geometry, iris, palm, signature, voice, and skin. Biometric technologies are being used more often as a primary or secondary authentication factor for logical access. A common approach is that the individual user, at the time of registration and provisioning for logical access privileges, submits a biometric to the system. This biometric is stored in the system as a reference. In a typical scenario, users enter a username and place a finger on a reader (instead of or in addition to providing a password). A server compares the biometric template created by the reader with the reference record stored on the server. As an alternative, a reference biometric may be written and securely stored in a smart card.
During logon, users may insert their smart card in a card reader and submit a fingerprint to authenticate that they are the valid cardholders. The biometric captured by the reader is compared to the reference biometric data stored on the smart card. If the captured biometric matches the biometric stored on the card, the smart card then releases the secret information required to log the user onto the network. In this case, the biometric comparison may be done in the reader or on the card (called match-on-card or on-card comparison (OCC)).

The value of using biometrics for logical access will increase as the technology becomes easier and faster to use. Personal traits are an attractive, convenient, and reliable authentication mechanism. Security concerns, however, center on the biometric data matching process, which typically either requires sending unprotected data over the network or storing the data on the logon computer. Such data is vulnerable to replay (resulting in illegal access) or replacement (resulting in denial of access). This concern can be mitigated by protecting biometric data in transit or by capturing and comparing the biometric data locally (e.g., within a reader or on a smart card).

Public Key Cryptography

Public key cryptography (also known as asymmetric key cryptography) encrypts information using mathematically related pairs of cryptographic keys. One key in the pair is used to encrypt information; the information can then only be decrypted using the other key. Users obtain the key pairs through a trusted authority and use them to exchange data securely and privately. Each key pair comprises a public key and a private key. The public key is used to encrypt confidential information. The private key authenticates the key holder and decrypts information that has been encrypted using the public key. The private key must be kept secret.
The person using the private key can therefore be certain that information the key is able to decrypt was intended for them, and the person sending the information can be certain that only the holder of the private key can decrypt it. Information describing the public key is recorded in a certificate that is signed digitally by a certificate authority. A user can provide the public key to a sender, or the key can be retrieved from a directory in which it is published.

The use of asymmetric keys is supported by a public key infrastructure (PKI). PKI is a combination of standards, protocols, and software composed of at least the following components:

- A certificate authority (CA), which issues and verifies digital certificates
- A registration authority (RA), which verifies the identity of the requestor before a digital certificate is generated and issued
- One or more directories where certificates (with their public keys) and the certificate revocation list (CRL) are stored

Public key cryptography offers an additional level of security, since there are no shared secrets. Generally, the PKI certificate is stored on a logon computer or hardware token (for example, a smart card) and is used to encrypt the password before it is sent to be authenticated.

Soft Tokens [32]

Soft tokens (also known as virtual cards) are software files that contain cryptographic keys used for authentication. Users authenticate themselves to a network by proving possession and control of this cryptographic key (typically stored on disk or some other media). The media used to store cryptographic keys is itself password-encrypted, with the password known only to the user. Each instance of an activation requires the entry of the password to decrypt the contents of the soft token. The unencrypted copy of the authentication key is erased after every authentication. Soft tokens are generally seen as inexpensive, easily managed, and disposable. However, this authentication method is not typically portable; users must be at a client machine to authenticate themselves. Some soft-token offerings support user mobility, either by allowing keys to be stored on servers and downloaded to the user's system as needed, or by employing key components generated from passwords combined with key components stored on servers. Soft tokens rely on a trusted client and a trusted server.
In addition, the user must have another key to access the soft token; otherwise, anyone with access to the client machine can be authenticated.

Smart Card Technology

When used for logical access, smart card technology typically comes in two form factors: a credit-card-sized plastic card or a USB device, each with an embedded computer chip. By far the most popular form factor is the plastic card, due to its ability to include a picture and visible corporate information and to host other security mechanisms such as a magnetic stripe or bar code. Regardless of form factor, smart cards can be used to implement any of the authentication techniques described above. Smart cards have the ability to:

- Securely store password files
- Generate asymmetric key pairs and securely store PKI certificates
- Securely store symmetric keys
- Securely store OTP token seed files
- Securely store biometric image templates

Using a smart card to store password files is the simplest use of smart cards for logical access. The benefits of this type of system are:

- Users do not have to remember their passwords.
- Stored passwords can be very large and almost unbreakable using a dictionary attack.
- The card can be activated by a personal identification number (PIN) or biometric if required, adding an authentication factor.
- This implementation is usually the lowest entry-cost system.

[32] Electronic Authentication Guideline, NIST Special Publication , August

Smart cards can also be used to support stronger authentication schemes. For example, in a system that uses symmetric keys, the card can securely store a shared secret injected at the point of manufacture. This key can then be used during the authentication process with a secure server as part of an algorithmic challenge and response session. Smart cards are also widely acknowledged as the ideal carrier of PKI credentials; smart cards can support on-card key generation, can store public key certificates securely, and protect the user's private key.

The use of a smart card with one or more of these approaches can provide a more secure means of logical access, even if the combination does not necessarily meet the criteria of two- or three-factor authentication. For example, a smart card alone cannot authenticate a user to a network, but a smart card can store information that provides a logon mechanism. A smart card that stores a user's PKI logon certificate can authenticate that user to the network but only satisfies the requirement for something you have. However, combining a smart card with a PIN or biometric protection achieves two-factor authentication. A smart card used with both a PIN and biometric data provides three-factor authentication. Table 3 summarizes the advantages that smart cards can provide for logical access when used with different authentication mechanisms.

Table 3. Enhancing Authentication with Smart Cards

Single-Factor Authentication

Authentication mechanism: Static passwords
Issues: Easy to guess, sniff, or steal; difficult to enforce strong password policies; user frustration and resistance to changing and memorizing passwords; cost to manage.
Value added by smart cards: A smart card system provides a secure container for passwords and automates the user's logon, relieving the user of the requirement to manage passwords. Strong password policies are easy to enforce.

Authentication mechanism: Passive or active token without a PIN
Issue: Token loss or theft.
Value added by smart cards: A smart card system provides security for the token seed and also adds PIN-based access to the card, implementing two-factor strong authentication.

Authentication mechanism: Biometric reader
Issues: Replay attack; masquerade attack; biometric credential and matching security.
Value added by smart cards: A smart card system provides secure storage for the biometric template, performs the biometric match on the card, and adds PIN-based access to the card, implementing three-factor authentication.

Two-Factor Authentication

Authentication mechanism: One-time password token with PIN
Issues: Complex infrastructure; man-in-the-middle attack; single-function product; OTP seed protection; token life-cycle cost.
Value added by smart cards: A smart card system replaces a single-function token with multifunction capability (securing application and network access) and reduces overall complexity and life-cycle cost. Smart card investment can be leveraged by using the card as a smart ID badge for secure access to buildings. Smart cards are programmable. Cards can be reused easily, supporting a more cost-effective approach to issuing temporary access cards. New smart card functions can be added after issuance, supporting upgrades to systems or new applications.

Authentication mechanism: Biometric reader and password
Issues: Complex back-end infrastructure; credential security.
Value added by smart cards: A smart card system provides secure storage for the biometric template and performs the biometric match on the card.

Three-Factor Authentication

Authentication mechanism: Token, biometric, PIN
Issues: Credential security, whether on the server or workstation; complex infrastructure.
Value added by smart cards: A smart card system provides the least complex mechanism for three-factor authentication when integrated with biometric match-on-card capability.

6.2 Drivers for Smart Card Technology for Logical Access

The following are the primary drivers for smart card technology use for logical access.

Strong Authentication Support

As described in Section 6.1, more and more organizations today are looking for stronger authentication solutions beyond usernames and passwords to validate that the users accessing systems are who they say they are. Smart cards significantly increase the security of a user's digital credentials, regardless of the nature of the credentials. The credentials are permanently stored on the card, which is in the possession of the end user, and never available in software or on the network for an unauthorized user to steal. Smart cards are typically used to enable two-factor authentication, incorporating something that you have (the smart card) and something that you know (typically a PIN that activates the card's cryptographic functions). Smart card technology also supports the addition of biometric technologies (something you are) to enable three-factor authentication. When using a smart card, taking control of a user's digital identity requires stealing the smart card and guessing the PIN.
Users know very quickly when a card is stolen and can contact the network administrator to revoke the stolen credentials. In addition, too many incorrect password guesses can lock the card.

Enhanced Security and Convenience for Users

Users in most organizations face the challenge of managing multiple passwords for multiple systems and applications. This requirement has implications for security and user productivity. Some IT departments choose the path of least resistance, allowing users to use the same password for every application. This practice represents the greatest security risk, since all applications are compromised if a single password is guessed or stolen. Other IT departments may establish a stronger policy, requiring a different password for each application and a more complex password, containing a mix of character types (alphanumeric, uppercase, lowercase, symbols). In addition, a secure password policy may require that passwords be changed on a regular basis. Establishing stronger password policies is an important step when access relies on a static password alone, but enforcing these policies can be challenging. Most users have difficulty remembering multiple complex passwords, so they write them down or store them in plain text on their computers, where they can easily be stolen.

IT departments also face the challenge of administering passwords for multiple users and multiple applications without sacrificing productivity and without creating unhappy users. Industry statistics show that 30% to 50% of IT help desk resources are consumed by managing and resetting passwords. End-user productivity is also affected, since users cannot access applications until a new password is assigned. The U.S. Department of State reported that password-reset related calls to their help desk were reduced from 35% to 5% after they implemented smart card logon.

Various identity management solutions are currently available that address these productivity issues. Consolidating users' identities in central directories and implementing provisioning tools to manage those identities minimize the productivity losses attributable to managing different identities for different accounts. Such solutions also address the security vulnerabilities posed by accounts that remain on a system long after the owner's access is no longer valid. Similar solutions are available for Web-based content and applications. However, such solutions cannot be implemented overnight. In addition, they require a gradual change in an organization's back-end infrastructure. And users still need to juggle multiple passwords for their applications. Other identity management solutions simplify the end-user experience by using password synchronization, self-service password management, or single sign-on, but these also typically require modifications to the IT infrastructure and do not address the security concerns raised by using passwords. When used with PKI certificates, an additional benefit is a simple, enterprise-wide revocation process when an employee leaves the organization.

Organizations that use smart card technology for logical access do not have to wait for back-end identity management system implementation to realize operational efficiencies and return on investment.
User identities and credentials can be consolidated onto a smart card immediately, providing users with a single, consistent approach to logical access, regardless of whether the user is logging onto a workstation or a network or accessing the network remotely using a VPN. The user experience remains consistent when the organization updates its identity management infrastructure: insert a smart card and enter a PIN. A smart card is a user's personal key to all of the user's data and applications. In addition, because the key is portable, users are not tied to a single workstation on which their credentials are located. They can travel from machine to machine, a critical advantage for users who work at multiple locations.

Enhanced Protection against Identity Fraud

Smart cards can help defend against ever-more-cunning attempts at phishing. Phishing uses e-mail messages or the Internet to attempt to fool individuals into divulging information about their accounts. For example, a phishing attempt might use e-mail to send a potential victim what appears to be a genuine request from a trusted party (e.g., a bank or an Internet service provider). The individual would then respond to the request by providing account numbers, PINs or passwords to a rogue Web site posing as the legitimate entity. Phishing attacks exploit the lack of authentication between the sender and recipient and between the rogue Web site and the individual.

Smart cards can be used to combat phishing attacks by applying two-way mutual authentication for secure access to Web site services. When account issuers offer a Web service (e.g., for account management), they can issue smart cards to account holders that allow access to the legitimate Web site. The smart card credential can both authenticate the user to the Web site and authenticate the Web site as legitimate. By providing strong, multi-factor authentication and by enabling mutual authentication, smart cards can help defeat phishing attacks.
Individuals can be assured that they are communicating with a legitimate site and that their identity credentials are protected from unauthorized access.

Standards-Based Application Coverage

Smart card technology is becoming a preferred approach for logical access, not only for the smart card's increased security, but also for its ease of use, broad application coverage, ease of integration, and
multi-purpose functionality. Smart cards provide organizations with a cost-effective solution that can be deployed easily and is widely accepted by the end user. Different applications impose different requirements on users before granting access. Some applications support only one method of granting access; others support multiple methods. Few applications allow credentials to be shared. Of the most common application access methods described previously (username and password combination, password only, shared secret, OTP, biometrics, and PKI or digital certificate), the username and password combination, while the least secure approach, is currently the primary method used for access control. As the methods required to access different applications multiply, user acceptance decreases, often leading to decreased security. Smart cards, unlike other solutions, can provide the user with all of these access methods built into a single card, while requiring only the entry of the user's PIN. Additional functionality enables smart cards to generate OTPs that replace single-use tokens and to use biometrics to replace the PIN. Commercial products are available that leverage the security and portability of smart cards to store usernames and passwords for all applications. In addition, smart cards are more flexible than traditional token technology, because they are cryptographic devices that can support a wide range of functionality. They are not dependent on the presence of a server, and they can be erased and reprogrammed for continued use within an organization. Smart cards can now provide a user with a single interface for access to all applications, regardless of the credential required by the application. This capability increases user acceptance and convenience, while implementing and enforcing the organization's security policies.
Over the last several years, standards have evolved that provide the interoperability needed to allow a smart card to access multiple organization resources. For example, cryptographic standards and services such as PKCS #11 and Microsoft Crypto API (CAPI) allow applications to use a digital certificate stored on a smart card to authorize end-user access. The private key is stored on the smart card chip and can only be accessed by a user who provides the correct PIN when the application opens. The adoption of the Personal Computer/Smart Card (PC/SC) standard and the proliferation of readers and reader drivers have also contributed to a wider acceptance of smart cards for logical access. The price of readers has decreased, and their quality and availability have increased to the point that many of the major computer manufacturers now build a reader into a computer keyboard or laptop for little additional charge. In addition, international, regional or industry-specific standards are used to specify the identity application, data model and technologies used with smart identity cards. (See additional information in Section 3.4 and in Module 1, Section 10, Relevant Standards and Specifications.)

Ease of Integration

Smart cards include built-in functionality that simplifies their integration into an organization's IT infrastructure. Most applications requiring credentials other than a username adhere to one of the standards listed above. For this reason, enabling smart cards for logical access is typically simple, requiring installation of a small middleware application on the computer. Smart cards can then be used for logon, VPN access, signing and encrypting e-mail, SSL-based Web access, and biometric-based logon. Most of the leading CAs have adopted smart cards as the preferred platform for storing and using digital certificates. A CA can use either the PKCS #11 or Microsoft CAPI interface to generate keys, load certificates, and perform required cryptographic functions.
Configuring a CA to use a smart card is straightforward and typically consists only of selecting the correct interface. Smart card readers are now easily integrated with applications and desktop operating systems through two standards: the PC/SC standard and the CCID, or Chip Card Interface Device, specification.

The PC/SC standard allows smart card readers to be integrated easily with middleware or other applications, regardless of manufacturer or command set. Although this standard was developed for use in a Microsoft environment, it is now considered the de facto standard for many other platforms as well. The CCID specification was developed for USB smart card readers. It was designed to support easy integration of smart card readers with desktop operating systems, thereby removing the need to install additional reader driver software onto the user's desktop. The specification was defined by the USB Implementers Forum (USB-IF) 33 in conjunction with the smart card industry. CCID defines a command set and transport protocol over the USB so that a host system can communicate with a smart card reader. A specific USB class is now defined for smart card readers. In addition, Microsoft Windows 7 provides built-in support for standards-based smart cards, such as the PIV card and the European Citizen Card.

Ease of Deployment

Management tools and deployment methods are available that facilitate large deployments of smart cards. Card management systems integrated into an organization's directory or procurement system provide the functionality needed to deploy and manage smart cards and their credentials. Reader drivers and smart card middleware are mature and easily deployed throughout an organization as well. Both top management and dedicated project management support are still critical to successful implementation. Deploying a new, organization-wide identity management system that includes smart cards can be a complex project that extends across multiple organizations and affects core business processes.

Multi-Purpose Functionality

Plastic cards are a common fixture within many organizations and have many uses, such as identification, physical access, and time and attendance.
Smart cards allow organizations to realize the benefits of combining all such applications on one card. The user can then carry a single card for physical access, logical access, identification, and other business functions. Smart cards can also host applications that require contactless identification, such as physical access to buildings and transportation services. Other technologies often associated with a plastic card, such as magnetic stripes, bar codes, radio frequency (RF) technology, and security laminates, can be used in conjunction with the smart card.

6.3 The National Strategy for Trusted Identities in Cyberspace: A Key U.S. Initiative Driving Stronger Authentication Technologies

Individuals are increasingly using the Internet for sensitive transactions, like banking, mortgage applications, buying and trading stocks, and reviewing healthcare information. Given this, there are very real problems of identity management, privacy and security in cyberspace. The National Strategy for Trusted Identities in Cyberspace (NSTIC) 34 is an Obama administration initiative that broadly defines an Identity Ecosystem that would re-establish trust and better protect online identities. NSTIC aims to give individuals and organizations the ability to complete online transactions with confidence and trust. According to Howard A. Schmidt on the White House blog 35, "Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers, both public and private, to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending e-mail, etc.)."

33 Additional information about CCID can be found at the USB Implementers Forum web site.

According to the White House 36, the goals for the NSTIC are as follows:

1. Design the Identity Ecosystem
2. Build the Identity Ecosystem infrastructure
3. Strengthen privacy protections for end users and increase awareness of risks
4. Manage the Identity Ecosystem

NIST is currently leading the effort to facilitate private sector involvement in defining and establishing the Identity Ecosystem. The Identity Ecosystem will be created and run primarily by the private sector. According to the NSTIC web site: "The role of the federal government is to facilitate and help jump start the private sector's efforts by convening workshops and bringing together the many different stakeholders important for establishing the Identity Ecosystem. The government will also protect individuals by ensuring that the Identity Ecosystem meets these four guiding principles: (1) privacy-enhancing and voluntary, (2) secure and resilient, (3) interoperable, and (4) cost-effective and easy to use. Lastly, the government can help drive the market by accepting Identity Ecosystem credentials for its online services."

Smart Cards and NSTIC

The NSTIC Framework is technology-agnostic; however, it identifies smart card technology as one example of an identity medium (a card, USB token or other device storing identity credentials used to validate online identities and transactions), and one that is suitable for high-value transactions and identities. For high assurance online identity transactions (for example, for a mortgage application or health record access), using smart card technology for an identity credential will protect identities in cyberspace in a secure, privacy-sensitive way.

7 Smart Cards and Biometrics 37

Biometric technologies are defined as automated methods of identifying or verifying the identity of a living person based on unique physiological or behavioral characteristics. Biometrics can provide very secure and convenient verification or identification of an individual since they cannot be stolen or forgotten and are very difficult to forge. A physiological characteristic is a relatively stable physical characteristic, such as an individual's fingerprint, hand geometry, iris pattern, facial image, or blood vessel pattern in the hand. This type of biometric measurement is usually unchanging and unalterable without significant duress to the individual. A behavioral characteristic is more a reflection of an individual's psychological makeup. Speech patterns provide a method of speaker verification and are the most common behavioral biometric used for identification. Another example of a behavioral biometric is dynamic signature verification. Because most behavioral characteristics vary over time, an identification system using these must allow updates to enrolled biometric references.

7.1 Biometric System Components and Process

Four major components are usually present in a biometric system:

- A mechanism to scan and capture a digital representation of a living person's biometric characteristic.
- Software to process the raw data into a format (called a template) that can be used for storing and matching.
- Matching software to compare a previously stored biometric template with a template from a live sample.
- An interface with the application system to communicate the match result.

Two different stages are involved in the biometric system process: enrollment and verification.

Enrollment. As shown in Figure 13, the biometric sample of the individual is captured during the enrollment process (e.g., using a sensor for fingerprint, microphone for speaker verification, camera for face recognition, camera for iris recognition).
The unique characteristics are then extracted from the biometric image to create the user's biometric template. This biometric template is stored in a database or on a machine-readable ID card for later use during an identity verification process.

Figure 13. Example Enrollment Process

37 Source: Smart Cards and Biometrics in Privacy-Sensitive Secure Personal Identification Systems, Smart Card Alliance white paper, May 2002, with updates from Walter Hamilton, Identification Technology Partners.

Matching. Figure 14 illustrates the biometric matching process. The biometric sample is again captured. The unique characteristics are extracted from the biometric sample to create the user's live biometric template. This new template is then compared with the template previously stored, and a numeric matching (similarity) score is generated based on a determination of the common elements between the two templates. System designers determine the threshold value for this identity verification score based upon the security requirements of the system.

Figure 14. Example Matching Process

Biometrically-enabled security systems use biometrics for two basic purposes: identification and verification. Identification (1-to-many or 1:N comparison) determines if the individual exists within an enrolled population by comparing the live sample template to all stored templates in the system. Identification can confirm that the individual is not enrolled with another identity or is not on a predetermined list of prohibited persons. The biometric for the individual being considered for enrollment would be compared against all stored biometrics. For some credentialing applications, a biometric identification process is used at the time of enrollment to confirm that the individual is not already enrolled. Verification (one-to-one or 1:1 comparison) determines whether the live biometric template matches a specific enrolled template record. This requires that there be a claim of identity by the person seeking verification so that the specific enrolled template record can be accessed. An example would be presentation of a smart card credential and matching the live sample biometric template with the enrolled template stored in the smart card memory. Another example would be entry of a user name or ID number which would point to an enrolled template record in a database.
7.2 Selecting a Biometric Technology

The selection of the appropriate biometric technology will depend on a number of application-specific factors, including the environment in which the identification or verification process is carried out, the user profile, requirements for matching accuracy and throughput, the overall system cost and capabilities, and cultural issues that could affect user acceptance. Table 4 shows a comparison of different biometric modalities, with their performance rated against several metrics.

Table 4. Comparison of Biometric Technologies 38

Biometric Identifier     Maturity  Accuracy  Uniqueness  Failure-to-Enroll Rate  Record Size (Bytes)  Universality  Durability
Face                     M         M         M           L                       H (84-2,000)         H             M
Fingerprint (one print)  H         H         M           L-M                     M (250-1,000)        H             H
Hand                     M         L         L           L                       L (9)                M             M
Iris                     M         M         H           L                       M (688)              M             H
Signature                L         L         M           L                       M (500-1,000)        M             M
Vascular                 M         M        H           L                       M (512)              H             H
Voice                    L         L         M           M                       H (1,500-3,000)      H             L

Source: Report of the Defense Science Board Task Force on Defense Biometrics, March 2007

A key factor in the selection of the appropriate biometric technology is its accuracy. When the live biometric template is compared to the stored biometric template (in a verification application), a similarity score is used to confirm or deny the identity of the user. System designers set the threshold (match or no match decision point) for this numeric score to accommodate the desired level of matching performance for the system, as measured by the False Acceptance Rate (FAR) and False Rejection Rate (FRR). The False Acceptance Rate indicates the likelihood that a biometric system will incorrectly verify an individual or accept an impostor. The False Rejection Rate indicates the likelihood that a biometric system will reject the correct person. Biometric system administrators will tune system sensitivity to FAR and FRR to get to the desired level of matching performance supporting the system security requirements (e.g., for a high security environment, tuning to achieve a low FAR and tolerating a higher FRR; for a high convenience environment, tuning to achieve a higher FAR and a lower FRR).

7.3 The Role of Smart Cards with Biometrics

Smart cards are widely acknowledged as one of the most secure and reliable forms of electronic identification. To provide the highest degree of confidence in identity verification, biometric technology is considered to be essential in a secure identification system design.
Combining smart card technology with biometrics provides the means to create a positive binding of the smart card (a difficult-to-clone token) to the cardholder, thereby enabling strong verification and authentication of the cardholder's identity.

38 High, medium and low are denoted by H, M, and L, respectively. Values assigned for the various qualities are subjective judgments, based on expert opinion and review of (several) current published sources.

7.3.1 Example Programs Combining Smart Cards and Biometrics

There are numerous ID systems implemented worldwide that are using smart card and biometric technology, including:

- U.S. FIPS Personal Identity Verification (PIV) Card with photo, biometrics (fingerprint) and smart card.
- U.S. Department of Defense Common Access Card (CAC) with photo, biometrics (fingerprint), and smart card.
- U.S. Transportation Worker Identification Credential (TWIC) with photo, biometrics (fingerprint), and smart card.
- ICAO epassport specification with photo, optional biometrics and smart card chip.
- Singapore Immigration Automated Clearance System with fingerprint and smart card chip.
- Canadian Airport Restricted Area Identification Card with fingerprint and smart card.
- Amsterdam Schiphol Airport with iris and smart card.
- Malaysia's national ID (Government Multi-Purpose Card) with photo, biometrics (fingerprint) and smart card.
- Spain's social security card with biometrics and smart card.
- Netherlands Privium automated border crossing system with photo, biometrics (iris) and smart card.
- Brunei's national ID with photo, biometrics (fingerprint) and smart card.
- U.K.'s Asylum Seekers Card with photo, biometrics (fingerprint) and smart card.

Key Considerations for Implementing Combined Smart Card / Biometric Systems

The National Institute of Standards and Technology (NIST) included recognized standards for fingerprint templates in its Personal Identity Verification (PIV) standard for federal workers and contractors. This encouraged multiple vendors to develop and offer interoperable access control readers that supported three-factor authentication. As a result, unit costs have decreased and such readers are now widely available. Three-factor access control readers are now accepted by a growing number of organizations.
Standardization has reduced the fear of being locked in to a proprietary fingerprint technology solution, and there are now multiple sources of readers that use biometric algorithms that conform to recognized fingerprint template standards. Procurement officers today have the comfort of knowing that readers will work within existing access control systems even if they are sourced from different vendors. With the growing acceptance of small and self-contained multi-factor access control readers, unit prices will continue to fall.

Biometric Processing

Biometric processing consists of two separate and sequential tasks. First, the live biometric template of the user must be extracted and processed. Second, the live template must be compared with the trusted, stored template (i.e., performing the biometric match). The live biometric template extraction is a processor-intensive task. A fingerprint extraction, for example, requires approximately 10 times more processing effort than a 1-to-1 fingerprint template comparison. Smart card processors are capable of performing live template extraction and executing the comparison on the card itself. Two main smart card and biometric implementation approaches are "match off-card" and "on-card comparison" (also known as "match on-card").

Match off-card. For this type of implementation, the enrolled template is initially loaded onto the smart card and then transferred from the smart card via either contact or contactless interface when requested by the external biometric system. The external equipment then compares a new live scan template of the biometric with the one being presented from the smart
card. (The external equipment could be either the reader or a central computer system.) This implementation clearly has some security risks associated with transmitting the enrolled template off the smart card for every biometric comparison. Appropriate security measures should be implemented to ensure the confidentiality and integrity of the released template. With this technique, the smart card is storing a template (or multiple templates), but has no significant knowledge of the type of biometric information, nor the ability to process it in any way. This implementation method is appropriate for all types of smart cards; this technique will work with memory, wired logic or microcontroller-based smart cards.

On-card comparison (or match-on-card). This implementation technique initially stores the enrollment template into the smart card's secure memory. When a biometric match is requested, the external equipment submits a new live template to the smart card. The smart card then performs the matching operation within its secure processor and securely communicates the result to the external equipment. This method protects the initial enrollment template since it is maintained within the smart card and never transmitted off-card. Cardholder privacy is also maintained with this technique since the cardholder's biometric template information is not readable from the smart card. With this technique, the smart card must be a microcontroller-based device and be capable of computing the one-to-one comparison. Both smart cards and smart card readers are available that support on-card comparison. The National Institute of Standards and Technology (NIST) Minutiae Interoperability Exchange (MINEX) II program is dedicated to the evaluation and development of the capabilities of fingerprint minutia matchers running on ISO/IEC 7816 smart cards.
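The two data flows described above, as an added simulation that is not part of the Smart Card Alliance module: a toy minutiae matcher, and a card object whose off-card path releases the enrolled template while its on-card path accepts a live template and returns only a decision, with a hypothetical retry counter of three attempts. All templates are constructed, and the matcher is a simplified stand-in rather than a MINEX-grade algorithm.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Minutia:
    """One fingerprint minutia: position in pixels and ridge direction in degrees."""
    x: int
    y: int
    angle: int


def minutiae_similarity(ref, live, dist_tol=6, angle_tol=20):
    """Toy matcher (constructed for this example): fraction of reference minutiae
    that have a live minutia within dist_tol pixels and angle_tol degrees, each
    live minutia used at most once. Real matchers add alignment and scoring rules."""
    unused = list(live)
    matched = 0
    for m in ref:
        for n in unused:
            dist_ok = math.hypot(m.x - n.x, m.y - n.y) <= dist_tol
            angle_diff = abs(((m.angle - n.angle + 180) % 360) - 180)  # wrap-around safe
            if dist_ok and angle_diff <= angle_tol:
                unused.remove(n)
                matched += 1
                break
    return matched / len(ref)


class BiometricCard:
    """Simulated microcontroller smart card holding one enrolled template."""
    MAX_TRIES = 3  # hypothetical retry limit before on-card comparison is blocked

    def __init__(self, enrolled):
        self._enrolled = tuple(enrolled)
        self.tries_left = self.MAX_TRIES

    def read_template(self):
        """Match off-card: the enrolled template leaves the card and the reader
        or host does the comparison, so the template must be protected in transit."""
        return self._enrolled

    def verify(self, live, threshold=0.7):
        """On-card comparison: the live template comes in, the match runs inside
        the card, and only MATCH / NO_MATCH / BLOCKED goes out. The enrolled
        template is never readable through this path."""
        if self.tries_left == 0:
            return "BLOCKED"
        if minutiae_similarity(self._enrolled, live) >= threshold:
            self.tries_left = self.MAX_TRIES
            return "MATCH"
        self.tries_left -= 1
        return "NO_MATCH"


def match_off_card(card, live, threshold=0.7):
    """Host-side comparison for the match-off-card flow."""
    return minutiae_similarity(card.read_template(), live) >= threshold


# Constructed templates: an enrolled print, a genuine live sample with small
# sensor offsets, and an impostor sample sharing no minutiae with it.
ENROLLED = (Minutia(10, 10, 90), Minutia(30, 12, 45), Minutia(22, 40, 180),
            Minutia(50, 35, 270), Minutia(40, 60, 0))
LIVE_GENUINE = (Minutia(12, 11, 95), Minutia(29, 14, 40), Minutia(24, 39, 175),
                Minutia(51, 37, 265), Minutia(38, 62, 10))
LIVE_IMPOSTOR = (Minutia(15, 20, 0), Minutia(60, 60, 90), Minutia(33, 33, 200),
                 Minutia(5, 50, 30), Minutia(45, 10, 120))

if __name__ == "__main__":
    card = BiometricCard(ENROLLED)
    print("on-card, genuine :", card.verify(LIVE_GENUINE))
    print("on-card, impostor:", [card.verify(LIVE_IMPOSTOR) for _ in range(4)])
    print("off-card, genuine:", match_off_card(BiometricCard(ENROLLED), LIVE_GENUINE))
```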
The MINEX II test plan was released in February. NIST conducted two rounds of public testing and released an updated test report on June 9. The final results of the most recent evaluation have been released as a revision of NIST Interagency Report.

Biometric Data

Either the raw biometric data (usually in the form of a bitmap image) or an extracted template of the biometric can be stored. For matching purposes, only the template is used. Storing the complete biometric typically requires substantially more memory. For example, a complete fingerprint image will require 50 to 100 Kbytes, while a fingerprint template requires only 300 bytes to 2 Kbytes. Given the storage restrictions, most smart card applications that use biometrics are based on template storage rather than image storage. Some template formats are proprietary, so there is a consideration for retaining the image in offline storage in the event that the template generation and matching software needs to change. If the images are retained, it is possible to generate new templates from the original images without requiring re-enrollment. Some biometric modalities, such as fingerprint, now support an interoperable template standard that works with template generation and matching software products provided by multiple vendors. The interoperability and performance characteristics for both proprietary and interoperable templates are reported in the NIST MINEX report. 40 In the case of iris recognition, non-proprietary interoperability is supported by storing a compact image format in applications (like those used with smart cards) with storage or bandwidth limitations. These compact formats support iris images usable for verification matching that are in the 2 to 4 Kbyte size range.
Performance results of testing compact image formats are provided in the NIST Iris Interoperability Exchange (IREX) test report. 41

39 See link to NIST IR 7477 and other information about MINEX II testing at
40 NIST MINEX test program information can be accessed at
41 NIST IREX test program information can be accessed at

Biometric Storage

Biometric data may be stored on the smart card, in the local reader, or in a central database. For a smart card-based ID system, the biometric template would typically be stored in the smart card. This offers increased privacy and portability for the user and ensures the information is always with the
cardholder, thus supporting matching without dependence on the availability of an online database connection. This design does require the smart card to have sufficient memory to store the appropriate biometric data. In some applications (such as door entry systems employing contactless smart cards with very little memory), the biometric template may be stored in the reader. This application would require that the smart card be used with a single reader, or, where several access points exist, that the biometric database and readers be networked. Central database or reader storage of biometric data may provide a higher level of throughput since the biometric data on the card does not have to be read.

Biometric Standards

A number of published standards relate to biometrics, including standards for data format, technical interfaces, application profiles, performance measurement and reporting. Standards are generally promulgated by recognized standards bodies. Within the U.S., the main standards work in biometrics is performed by the American National Standards Institute (ANSI)/International Committee for Information Technology Standards (INCITS) and NIST. ANSI's customary practice is to adopt International Organization for Standardization (ISO) standards as direct replacements for corresponding ANSI standards when such standards are approved by ISO for international use. Biometric standards can contribute to the success of system implementation where interoperability and choice of interchangeable vendor products are important considerations. 42, 43

Multi-modal Biometrics

Some of the accuracy and usability limitations imposed by the use of a single biometric modality can be overcome by using multiple biometric modalities. Multi-modal biometrics enhance the overall matching accuracy through the use of multiple and independent biometric measurements.
For example, the similarity score from a fingerprint measurement can be mathematically fused with an independent measurement of the vein pattern in the finger to yield a higher level of confidence in the identity of a person. In addition, multi-modal biometrics can provide a solution for those individuals who are unable to present a suitable biometric sample in one modality. An example would be offering the option to present either a fingerprint or iris for authentication. A person who has poorly defined fingerprint patterns due to age, occupation, or medical condition would be given the choice to enroll and use iris as their biometric modality of choice. If both sensors are present, the user can use whichever modality they are best suited for. In this situation, there is no fusion of independent biometric measurements. As can be seen in Figure 15, multi-biometric systems can incorporate information from multiple modalities, instances, algorithms, sensors, samples, or any combination of the five 44. Arguably, such systems may also include other sources of information, including biographic or travel document-based information.

42 A useful reference to biometric standards can be found at
43 A summary of biometrics standards can be accessed at
44 A. Ross, K. Nandakumar, and A. Jain, Handbook of Multibiometrics, Springer-Verlag New York, Inc.
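Threshold tuning against FAR and FRR (Section 7.2) and score-level fusion of a fingerprint score with an independent finger-vein score (above), as an added worked example that is not from the Smart Card Alliance module. The genuine and impostor similarity scores are constructed and already normalized to 0..1; the fusion rule is a plain weighted sum, one of several possible fusion rules.

```python
"""Added example: FAR/FRR at a threshold, an operating point for a target FAR,
and weighted-sum score-level fusion. All scores below are constructed."""


def far_frr(genuine, impostor, threshold):
    """Similarity scores, higher = more similar.
    FAR = fraction of impostor comparisons accepted (score >= threshold).
    FRR = fraction of genuine comparisons rejected (score < threshold)."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold on a 0.00..1.00 grid whose FAR does not exceed max_far.
    Returns (threshold, FAR, FRR); a high-security deployment passes a small
    max_far and accepts the FRR that results, a convenience-oriented one the reverse."""
    for i in range(101):
        t = i / 100
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


def fuse(scores_a, scores_b, weight_a=0.5):
    """Score-level fusion: weighted sum of paired scores from two independent
    modalities (same verification attempt, two sensors), both on a 0..1 scale."""
    return [weight_a * a + (1 - weight_a) * b for a, b in zip(scores_a, scores_b)]


# Constructed scores for ten genuine and ten impostor attempts; index i of the
# fingerprint list and index i of the finger-vein list come from the same attempt.
FP_GENUINE = [0.92, 0.85, 0.78, 0.66, 0.71, 0.88, 0.59, 0.81, 0.74, 0.63]
FP_IMPOSTOR = [0.31, 0.45, 0.62, 0.28, 0.52, 0.39, 0.67, 0.44, 0.35, 0.58]
VEIN_GENUINE = [0.80, 0.91, 0.69, 0.87, 0.62, 0.76, 0.84, 0.70, 0.90, 0.79]
VEIN_IMPOSTOR = [0.40, 0.33, 0.47, 0.61, 0.29, 0.55, 0.37, 0.64, 0.42, 0.30]


def fused_far_frr(threshold, weight_a=0.5):
    """FAR/FRR of the fused fingerprint + finger-vein score at a threshold."""
    return far_frr(fuse(FP_GENUINE, VEIN_GENUINE, weight_a),
                   fuse(FP_IMPOSTOR, VEIN_IMPOSTOR, weight_a), threshold)


if __name__ == "__main__":
    for t in (0.60, 0.70):
        print(f"fingerprint only, threshold {t:.2f}: FAR/FRR =",
              far_frr(FP_GENUINE, FP_IMPOSTOR, t))
    print("fingerprint only, lowest threshold with FAR 0:",
          threshold_for_max_far(FP_GENUINE, FP_IMPOSTOR, 0.0))
    print("fused, threshold 0.60: FAR/FRR =", fused_far_frr(0.60))
```

With these scores the fingerprint alone cannot reach zero FAR without rejecting 30% of genuine attempts, while the fused score separates the two populations completely at 0.60.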

[Figure 15. Multi-Biometric Source of Input. The figure shows the multi-biometric sources as multi-modal (face, iris), multi-instance (right eye, left eye), multi-algorithm (minutiae, texture), multi-sensor (optical and solid-state fingerprint) and multi-sample (left profile, frontal, right profile).]

The trend toward multi-biometric systems has been particularly prevalent in large-scale U.S. government systems. The Department of Defense Automated Biometric Identification System (ABIS), Department of Homeland Security (DHS) Automated Biometric Identification System (IDENT), and Federal Bureau of Investigation (FBI) Next Generation Identification System (NGI) are all examples of systems which are currently multi-biometric in nature 45,46,47. Furthermore, all three systems are increasing the number of biometric sources which can be leveraged.

Benefits of Combining Smart Cards and Biometrics in a Secure ID System

The combination of smart cards and biometrics delivers a number of significant benefits to organizations implementing secure identification systems.

Enhanced Privacy

Using smart card technology significantly enhances privacy in biometric ID systems. The smart card provides the individual with a personal database, a personal firewall and a personal terminal. It secures personal information on the card through advanced cryptography and digital signatures to prevent alteration or replacement of biometric data and to prevent cloning of the card. This allows the individual to control access to their biometric information and eliminates the need for central database access during identity verification. When used in combination with biometrics, a smart card ID becomes even more personal and private. A biometric provides a strong and unique binding between the cardholder and the personal database on the card, identifying the cardholder as the rightful owner of this card. The biometric cannot be borrowed, lost, or stolen like a PIN or a password, and so strengthens the authentication of an individual's identity.
45 Next Generation ABIS Goes Operational, Now Referred To as DoD ABIS, DoD biometrics web site, January.
46 Next Generation Identification, FBI web site, June 2009.
47 Fingerprint Scanners to Deploy at all Ports of Entry, DHS website, Nov. 2007.

A smart card-based ID system also gives the cardholder control over who can access personal information stored on the card. A biometric further enhances this control, ensuring that only the rightful cardholder can authorize access to personal information. Because of their cryptographic processing capabilities, smart cards can be used in ID systems to increase the trustworthiness of terminals. This can translate into increased privacy for individuals and can allow cardholders to use anonymous devices as personal terminals. The increase in terminal trustworthiness is especially critical for biometric systems. Biometric ID systems rely on terminals to perform live-scan captures of some biometric trait. The ID system should be able to trust the biometric reader to capture and process a user's biometric. If it cannot, the integrity of the whole authentication process is compromised. Smart card technology can help to address this vulnerability. Using well-established security protocols, a smart card can participate in the exchange of digital certificates (or cryptographic secrets) with a terminal to determine its authenticity and trustworthiness. In essence, the smart card asks the terminal to prove that it is certified by the ID system. The terminal, in turn, asks the card to prove that it is a genuine member of the system. Once trust is established between the terminal and the smart card, it can then be extended to include the cardholder. By using biometric data captured from the cardholder at the point of use, the system can perform a match against enrollment data stored on the smart card. The ID system can thus authenticate that this user is the rightful owner of this card, and that the personal information stored on this card belongs to this cardholder.
This completes the trust relationship between the user, the card, the terminal being used, and the ID system.

Enhanced Security

Biometric technologies are used with smart card technology for ID system applications specifically because of their ability to identify people with minimal ambiguity. A biometric-based ID allows for the verification of who you claim to be (information about the cardholder printed or stored in the card) based on who you are (the biometric information stored in the smart card), instead of, or possibly in addition to, checking what you know (such as a PIN). As shown in Figure 16, this increases the security of the overall ID system and improves the accuracy, speed, and control of cardholder authentication.

Figure 16. Impact of Smart Cards and Biometrics on Security

As the importance of accurate identification grows, new technologies are being added to ID systems to improve their security. Table 5 summarizes the features that smart card technology and smart cards with biometrics provide to increase the overall security of an ID system. Each ID application needs to determine the level of risk management required to counter security threats and then choose the level of technology appropriate for the desired level of assurance.

Table 5. Security Feature Summary

Smart Cards:
- Visual inspection of card for non-machine-read applications.
- Automated inspection using readers.
- Security markings and materials to help thwart counterfeiting.
- Integrated Circuit Chip (ICC), allowing cryptographic functionalities to protect information and programs for multiple applications stored on the card.
- Cryptographic co-processor on card, allowing protection of information stored in the chip, authentication of the trust level of the reader and establishment of secure communications.
- High trust of information shared with the reader.
- High security and strong user-to-card authentication.

Smart Cards with Biometrics:
- All attributes of smart cards.
- Biometric templates stored on the smart card ICC and used to authenticate the cardholder, provide access to on-card data and enable the trusted terminal.
- Counterfeiting attempts reduced due to an enrollment process that verifies identity and captures the biometric.
- Extremely high security and excellent user-to-card verification.

An ID system using a contact or contactless smart card, cryptographic functions and biometrics has significant security advantages. The biometric template can be digitally signed and stored on the smart card at the time of enrollment and checked between the biometric capture device and the smart card itself each time the card is used. The template and other personal information stored on the cards can be encrypted to improve security against external attacks.
Cardholder authentication can be performed by the smart card comparing the live template with the template stored in the card. The biometric template never leaves the card, protecting the information from being accessed during transmission and helping to address the user's privacy concerns. A smart card ID can authenticate its legitimacy, and that of the reader, by performing a mutually authenticated cryptographic challenge between the ID card and the reader before identity verification is started. Once that process has been accomplished, access to a specific application can be granted. This ensures a very high level of privacy for the cardholder, prevents inappropriate disclosure of sensitive data, and helps to thwart skimming of data that might be used for identity theft. The smart card ID can also challenge the biometric reader to ensure that a previously captured template is not being retransmitted in a form of playback attack.
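The mutual authentication, protected template transfer and match-on-card flow described above, written out as an added Python simulation. This is illustrative code, not from the CSCIP module or any card vendor: the key material, the templates, the match threshold and the HMAC-based secure messaging are constructed stand-ins for issuer-provisioned keys and a real card's cryptographic co-processor. It shows a rogue terminal being refused, a genuine terminal establishing a session, a live template accepted on-card, the same message rejected when replayed, and a non-matching template rejected; it also covers the advice later in this section that biometric data crossing the contactless interface be encrypted.

```python
import hashlib
import hmac
import secrets

# Constructed key material for the simulation. In a deployed system these are
# issuer-provisioned and usually certificate-based rather than shared secrets;
# the challenge-response shape is the same either way.
ISSUER_CARD_KEY = b"\x11" * 32      # a genuine card proves it holds this
ISSUER_TERMINAL_KEY = b"\x22" * 32  # a certified terminal proves it holds this


def mac(key, *parts):
    """HMAC-SHA256 over the concatenation of parts."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def xor_keystream(key, nonce, data):
    """Counter-mode stream from HMAC-SHA256 (stdlib stand-in for a card's
    AES secure messaging). The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = mac(key, nonce, (i // 32).to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def hamming(a, b):
    """Differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def derive_session_keys(terminal_key, card_key, t_nonce, c_nonce):
    """Both sides derive an encryption key and a MAC key from the nonces."""
    sk = mac(terminal_key + card_key, t_nonce, c_nonce)
    return mac(sk, b"enc"), mac(sk, b"mac")


class Card:
    MATCH_THRESHOLD = 16  # constructed: most differing bits still accepted

    def __init__(self, enrolled_template):
        self.template = enrolled_template  # never leaves the card
        self.nonce = self.enc_key = self.mac_key = None
        self.seen = set()                  # counters already accepted

    def get_challenge(self):
        self.nonce = secrets.token_bytes(16)
        self.enc_key = self.mac_key = None  # drop any earlier session
        self.seen = set()
        return self.nonce

    def authenticate_terminal(self, t_nonce, t_proof):
        """Verify the terminal's proof, then answer with the card's own."""
        expected = mac(ISSUER_TERMINAL_KEY, t_nonce, self.nonce)
        if not hmac.compare_digest(expected, t_proof):
            return None
        self.enc_key, self.mac_key = derive_session_keys(
            ISSUER_TERMINAL_KEY, ISSUER_CARD_KEY, t_nonce, self.nonce)
        return mac(ISSUER_CARD_KEY, self.nonce, t_nonce)

    def verify(self, counter, ciphertext, tag):
        """Match-on-card: check freshness and MAC, decrypt, compare locally."""
        if self.mac_key is None:
            return False, "terminal not authenticated"
        if counter in self.seen:
            return False, "replayed template"
        self.seen.add(counter)
        ctr = counter.to_bytes(4, "big")
        if not hmac.compare_digest(mac(self.mac_key, ctr, ciphertext), tag):
            return False, "bad mac"
        live = xor_keystream(self.enc_key, ctr, ciphertext)
        if hamming(live, self.template) > self.MATCH_THRESHOLD:
            return False, "no match"
        return True, "match"


class Terminal:
    def __init__(self, terminal_key=ISSUER_TERMINAL_KEY, card_key=ISSUER_CARD_KEY):
        self.terminal_key, self.card_key = terminal_key, card_key
        self.counter = 0
        self.enc_key = self.mac_key = None

    def authenticate(self, card):
        """Mutual challenge-response; True only if both proofs check out."""
        c_nonce = card.get_challenge()
        t_nonce = secrets.token_bytes(16)
        c_proof = card.authenticate_terminal(t_nonce, mac(self.terminal_key, t_nonce, c_nonce))
        if c_proof is None or not hmac.compare_digest(mac(self.card_key, c_nonce, t_nonce), c_proof):
            return False
        self.enc_key, self.mac_key = derive_session_keys(
            self.terminal_key, self.card_key, t_nonce, c_nonce)
        return True

    def protect(self, live_template):
        """Encrypt and MAC a fresh capture under a never-repeated counter."""
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        ct = xor_keystream(self.enc_key, ctr, live_template)
        return self.counter, ct, mac(self.mac_key, ctr, ct)


def run_demo():
    enrolled = bytes(range(32))  # constructed enrollment template
    live = bytearray(enrolled)   # constructed live capture: a few bits differ
    live[0] ^= 0x01
    live[5] ^= 0x03
    live[17] ^= 0x80
    impostor = bytes(b ^ 0xFF for b in enrolled)
    card, results = Card(enrolled), {}
    rogue = Terminal(terminal_key=b"\x33" * 32)  # lacks the issuer's terminal key
    results["rogue_terminal"] = rogue.authenticate(card)
    terminal = Terminal()
    results["genuine_terminal"] = terminal.authenticate(card)
    msg = terminal.protect(bytes(live))
    results["match"] = card.verify(*msg)
    results["replay"] = card.verify(*msg)  # identical message sent again
    results["impostor"] = card.verify(*terminal.protect(impostor))
    return results
```

Calling `run_demo()` walks the whole exchange. The card decides everything locally: it authenticates the terminal before it will accept a template, ties each template message to a per-session counter and MAC so a captured message cannot be replayed, and compares the decrypted live template against the enrolled one in its own memory, so the reference template is never transmitted.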

Smart cards have sufficient memory to store growing amounts of data, including programs, one or more biometric templates, and multiple cryptographic keys to restrict data access and ensure that data is not modified, deleted, or appended. The smart card can also be used to prove the digital identity of its cardholder using cryptographic keys and algorithms stored in its protected memory, making smart cards ideal for applications that need both physical and logical authentication.

Improved System Performance and Availability

Storing the biometric template on a smart card also increases overall system performance and cardholder convenience by allowing local identity verification. The identity of an individual is established and validated at the time the smart card is issued and the individual has proven eligibility to receive the identity card. From that point on, the user's identity is authenticated through the presentation of the smart card to a card reader, without the need to perform a search and match against a remote database over a network. This local processing can reduce the time to authenticate an individual's identity to one second or less, allowing faster security checks, and reduces the need for the card readers to be online with a central system.

The question may arise regarding how to handle a comparison failure (i.e., false rejection) without accessing a remote database. With smart card technology, it is straightforward for the security staff to revert to a visual comparison of a digitally signed, digitized photo or backup biometric also stored on the card. In the event of a false rejection, the cardholder can simply repeat the process. For applications where fast and frequent use is necessary (e.g., controlling access to buildings and at airports), contactless smart cards can speed the transfer of biometric templates and eliminate the need to make a physical connection.
Low cost contactless smart cards with high communication speeds are now available that have enough memory to store a unique fingerprint template or photographic representation. This means higher security biometrics-based ID systems can use contactless smart cards to achieve a range of security, throughput and cost goals. When biometric data is transmitted over a contactless interface between a smart card and a reader device, it is advised that the data transmission or the data itself be encrypted to avoid any chance of unauthorized reading of the biometric data through eavesdropping or other surveillance methods.

Improved Efficiency

Using the combination of smart cards with biometrics for identification and authentication of individuals provides the most cost-effective implementation of a secure identification system. Several ID and security technologies can be combined with a smart card, allowing deployment of different authentication mechanisms based on the degree of security required and the budget available for implementation. Biometrics may be absolutely essential for those security checkpoints in the system where the user must be firmly linked to their ID card as the rightful owner and a password or PIN is not secure enough or lacks ease of use. Examples of systems requiring this stronger verification of identity include airport security gates or border crossings.

A government or corporate enterprise identification system may include a variety of physical and logical access checkpoints that have different levels of security requirements. Biometric readers may be required at main entrances to the buildings, but internal access doors may only require the use of a magnetic stripe on the back of a smart card. When on a network, accessing different types of information may also have different security requirements.
Some information may only require a password to access (which the smart card can store and remember for the user); other more sensitive information may require the use of a biometric; still other transactions may require the use of features on the smart card to digitally sign the transaction.

Contactless smart card technology can be used in environments where high usage or environmental conditions are expected to affect the cost of maintaining the system. Because the contactless card chip and the reader communicate using radio waves, there is no need to physically make an electrical connection, but this may require the communication to be encrypted or, at least, protected so that it cannot be replayed. Maintenance of readers is minimized while reliability is improved since there are no worn contacts to be replaced or openings to be protected. Cards also last longer because removing them from their regular carrying place is not necessary for use. Readers or kiosks can be sealed, allowing contactless ID systems to be deployed in almost any environment. Smart cards uniquely provide a single device that can function as an individual's identity card and allow the combination of several technologies to cost-effectively address the varying security needs of a system.

Upgradability and Flexibility

A key requirement for any identification system is the ability for the system to be upgraded without needing large investments in new infrastructure. For example, there may be a need to modify the system without replacing the individual ID cards if a security scheme is compromised or if enhanced capabilities become available. Because smart cards contain rewritable data storage, and in some cases rewritable program storage, they allow the most flexibility for updates to card data and card-system interaction algorithms and for secure management of multiple applications on a single card. When used in biometric-based identity systems, a smart card ID can be upgraded, after issuance, as follows.

- Smart card IDs can have sufficient storage to upgrade or add new biometric content (e.g., new or different biometric templates).
- Smart card IDs can have on-card content partitioned into mutually private sections to be used by several different secure ID systems. For example, physical access activities and card content may be kept separate from transaction authentication activities and content. With a single multipartition-capable identity card, new and private uses of the biometric content may be added to the card by any authorized issuing entity at any time.

This last capability makes use of another key smart card attribute: flexibility.
Smart cards, due to their on-card processor and software, have the best ability to adapt to varying and evolving requirements. Their ability to be both securely read and written by authorized issuers adds system capabilities unavailable with other technologies. Their ability to actively detect tampering with information stored on the card is also unavailable except with smart cards.

A smart card-based ID can support several biometrics: fingerprint, photographic facial image, iris, vascular or hand geometry template, or any combination of these, simultaneously or incrementally over time. Stored reference biometrics can also be updated as needed. Smart card-based IDs may have both the traditional contact interface to reader/writer mechanisms and a contactless interface for applications that require high throughput and usage without mechanical wear. The same physical smart card can contain multiple storage media, such as a printed photograph, printed bar code, magnetic stripe and/or optical stripe. Thus, a single card can be compatible with many forms of existing infrastructure.

In multi-application smart card IDs, each application can have its own degree of challenge and response activity depending upon the respective application's requirements. For example, a simple fingerprint comparison with the stored on-card template may be sufficient to authenticate a person's right to access certain premises, while the same card and fingerprint template may be used in conjunction with an encrypted digital signature exchange to authorize sensitive transaction rights.

In summary, the unique features of smart card technology can deliver enhanced privacy, security, performance and return on investment to a secure ID system implementation. Their upgradability and flexibility for securely handling multiple applications and accommodating changing requirements over time are unmatched by other ID technology.
Smart card technology, coupled with biometrics and privacy-sensitive architectures and card management processes, provides a proven, cost-effective foundation for a highly secure personal ID system.

8 Identity, Security and Access Control Application Examples

This section presents several examples of smart card-based identity cards and applications, including:

- National ID programs
- Corporate ID badge use case
- Healthcare ID use cases
  - Sesam Vitale Health Card France
  - German Health Card
  - Smart Health Cards in the United States
  - Taiwan Health Card
- International driving license standard
- U.S. Federal government smart ID card use cases
  - FIPS Personal Identity Verification (PIV) Card
  - Department of Defense Common Access Card (CAC)
  - Transportation Worker Identification Credential (TWIC)
  - First Responder Authentication Credential (FRAC)
- Machine-to-machine applications
- Pay TV

8.1 National ID Programs

National identity cards are in use in approximately 100 countries, [48] with the primary purpose for the card to prove citizens' identities within the country where they are citizens. The technology of national ID cards varies from simple paper or plastic cards to microcontroller-based smart cards. When smart card technology is used, countries often implement additional applications that take advantage of the smart card features to provide e-government services to citizens. Table 6 shows examples of national ID programs using smart card technology. Smart card-based national healthcare cards are discussed in Section 8.3, Table 7.

Table 6. Examples of National ID Programs Using Smart Card Technology [49]

Country: Card Type
- Belgium: National identity card; allows for legally binding electronic signatures
- Estonia: National identity card
- Finland: National identity card; allows for logging into government services on the Internet

- Germany: National identity card that complies with ICAO Doc 9303, ISO/IEC and ISO/IEC 7816; allows for legally binding electronic signatures and for accessing egovernment services [50]
- India: National identity card; includes a biometric and a digital signature
- Malaysia: National identity card; includes a biometric
- Portugal: National identity card; includes digital certificates
- Spain: National identity card; allows for digital signatures

eid in Europe and the European Citizen Card

The following content is from the Eurosmart position paper, "European Citizen Card: One Pillar of Interoperable eid Success." The Smart Card Alliance thanks Eurosmart for their contribution. [51]

National ID cards are issued by national government bodies or agencies for citizens of the respective country. Personal identity documents confirm the identity of individual citizens, thus proving their legitimate residency within their homeland. An e-id in this context is a national ID card with visible and invisible security features and a secured microprocessor. These cards use the ID-1 format which is well known from credit cards. Traditionally an ID card serves as a personal document for visual identification. By including a chip, the security will be increased because smart card microprocessors are virtually impossible to counterfeit. This chip could carry the biographic data of the citizen. Additional storage of biometric features in the chip could create a binding between the document and the cardholder as successfully realized in epassports.

The European e-id is intended to carry credentials in order to provide all or some of the following services:

- Act as an inter-European Union travel document;
- Facilitate logical access to e-government or local administration services.
Smart card technology has multiple advantages for e-id:

- e-id smart chip technology protects the individual's privacy while securely assuring their identity by using personal identification number (PIN) codes or biometrics;
- e-id's proven security increases confidence in a national credentialing system;
- Using e-ids does not require online access to central databases since citizen verification and identity authentication is performed offline;
- Virtually impossible to counterfeit, the e-id provides a strong countermeasure against identity theft;
- e-id's digital signatures contribute to the accountability of government officials and employees;

[50] The German Citizen ID Card: 1st Anniversary Lessons Learned, Dietmar Wendling, SCM Microsystems, presentation, Smart Cards and Government Conference, November 3,

- e-ids enable citizens' authentication and accountability;
- An e-id reduces government expenses by eliminating multi-claim benefit fraud.

The trend is set in Europe. Electronic passports have been deployed successfully. In addition, most European countries have a national ID card and several (e.g., Belgium, Estonia, Finland, France, Germany, Italy) have adopted or are adopting an electronic national ID card. Figure 17 illustrates European countries with eid programs.

Figure 17. European eid Programs

Motivation for a European Citizen Card Definition

European governments are motivated to move from the existing situation to a new one in order to reinforce security after the events of 11th September. This is true for border control and is also true for simple control in the street done by the police. At the same time, e-services are motivated by the societal move from paper to paperless transactions and by the necessity for governments to reduce their budget (i.e., reducing the cost for some applications for citizen services and government-to-government exchanges). The requirements for a more secure ID document and for citizen electronic services were the two pillars which motivated the CEN definition of the European Citizen Card. With the European Citizen Card standard, the European Union can take the leadership in e-id as it did in the past with the GSM standard for mobile communication.

Benefits of the European Citizen Card

The European Citizen Card (ECC [52]) is an open application standard, defining the logical data structure, security and privacy mechanisms for the data, and interface and communication protocols. It is open, because it allows the governments to select options. For example, both contact and contactless smart card interfaces are defined and biometrics and/or PIN can be used for two-factor authentication. The complete framework for an electronic signature is specified. The standard has no limits for the project quantity scale and/or the type or number of online services. ECC is a key pillar for an interoperable and cross border e-services solution. ECC is open for various services, like egovernment, ebusiness, evoting, edemocracy, ebanking and others. With the decision to take this application standard into a national government and/or industry program, the decision maker reduces development time, decreases technical risks and reduces the needed budget for the period of definition, specification and tendering.

ECC Implementation

The ECC standard defines the services and mechanisms to be adopted for the provision of features in products that need to comply with functional requirements, the user capability to use the product, and the integration in the environment. The standards provide a certain level of interoperability. However, the high level of definition introduces different interpretations and the options that can be part of a standard may introduce interoperability difficulties. The specifications contain an implementation view that determines choices left open by standards, and thus lead to a high level of interoperability. In addition, the level of definition made in the specifications allows test suites to be produced that will be used to show interoperability.
In France, the Gixel association has published the Identification Authentication Signature European Citizen Card (IAS ECC) specification that fully complies with the ECC standard while providing a high level of interoperability with a former IAS specification used for the new generation of French healthcare card (Vitale 2). The ECC standard is a central element for an interoperable e-id management system. It is a key enabler for the achievement of the i2010 objectives proposed by the European Commission and it is already used by some Member States (e.g., France and very soon Germany, which is looking for compliance with ECC for its future national e-id card).

The ECC Standard

The European standardization body Comité Européen de Normalisation (CEN) published the technical specification (CEN TS 15480), the European Citizen Card (ECC), as an offer to be used for governmental purposes. The European Citizen Card standard is neither a physical card nor a specific card application or set of applications by itself; the standard includes a definition of logical data groups and services that can be provided by any governmental card issued for any application context (e.g., ID cards or health cards). The European Citizen Card specification includes four parts to date: parts 1 and 2 were published in 2007; parts 3 and 4 are currently under development in CEN TC 224 WG 15:

- Part 1: Physical, electrical properties and transport protocols (physical card interface);
- Part 2: Logical data structures and card services (logical card interface);
- Part 3 (preliminary): Interoperability using an application interface (middleware);
- Part 4 (preliminary): Recommendations for issuance, operation and use (card profiles).

[52] It is important to note that this section and many public documents use ECC as the acronym for the European Citizen Card; it should not be confused with the same acronym used for elliptic curve cryptography.

ECC Part 1

Part 1 of the ECC specifications describes the physical and the electrical characteristics of the ECC. It defines the basic requirements for the format, the design, the security features, the electrical properties of the chip, and the transport protocols used for the communication between the smart card and a terminal. In doing so, the specification does not introduce any new smart card definitions nor limit the ECC chip technology requirement to a certain interface. The specification refers to the standardized ISO/IEC specifications for smart cards, such as ISO/IEC 7810, ISO/IEC 7816 and ISO/IEC. Furthermore it follows the ICAO recommendations for the machine readable travel document (MRTD) in ID-1 format. There are no restrictions related to the smart card interface used. In principle it is up to the issuer of the card to decide whether the card supports contact-only, contactless-only or dual-interface technology. This non-constraining approach will lead to multiple, different implementations which could all be called ECC-compliant. An elaboration on the pros and cons of choosing one of the abovementioned technologies (contact, contactless or dual-interface) can be found in the Eurosmart white paper, Durability of Smartcards for Government ID. [53]

ECC Part 2

Part 2 of the ECC specification defines the card services that are mandatory for a European Citizen Card as well as optional extensions. It specifies the logical data structure on the card, the logical card interface itself, and the security architecture/mechanism. Furthermore, it defines a common set of commands for the ECC as one key part to ensure interoperability with system infrastructures. There is a differentiation between basic and extended electronic card services.
The electronic services for identification, authentication and signature creation (IAS services) are mainly based on public key procedures, essentially on RSA cryptographic operations, as used by the German electronic health card, eGK, and the French identity card, INES. However, elliptic curve cryptography is gaining ground and offers equivalent security. In general, the definitions of the services and the commands are not limited to a specific chip interface technology. However, depending on the different nature of these interfaces, there is the need for special treatment of particular mechanisms, for example an additional securing of the contactless interface during communication as compared to the contact interface. In order to reach the interoperability objective, IAS services are also compliant to prEN 14890, Application Interface for Smartcards used as Secure Signature Devices, part 1 and part 2. Since a card used as an ECC can have many different primary applications (e.g., as an ID card or as a health card), various instantiations of an ECC are imaginable. This leads to the definition of so-called card application profiles in ECC part 4.

ECC Part 3

ECC part 3 will provide an interoperability model, which will enable a PC client application that is compliant with ECC technical requirements to interoperate with different implementations of the European Citizen Card. In addition to the ECC card description in parts 1, 2 and 4, this part of the ECC specification describes generic middleware that enables the ECC to be used securely in online transactions. The middleware architecture will be based on ISO/IEC with additional technical specifications. The API provides the client application with the abovementioned IAS services that are supported by the ECC. The specific ECC card implementation type will be transparent for the ECC middleware. The ECC middleware checks the supported card functionality by reading specific card content. It is up to the ECC middleware to detect the card capabilities. As long as the services on the card are available, the middleware can interoperate with the card regardless of the nature of the card, whether it is contactless or contact-only or whether it is a native or Open Platform implementation. Interoperability is achieved by the standardized API.

[53] Durability of Smartcards for Government ID, Eurosmart white paper, July 2008,

ECC Part 4

Specific application profiles are contained in part 4, to present use cases which can act as a reference and to exemplify use cases which are based on actual implementations. Two application profiles have been developed in the past drafts, with the expectation that others will be added by the time the specification is adopted. Each of these profiles contains one or more applications which use the interfaces and transport protocols described in part 1 of the specification and services described in part 2. Each profile thereby is linked to a distinct object identifier (OID) to be used as interoperable reference (e.g., to ease the discovery of the card's and/or application's capabilities). In any other case, the middleware according to ECC part 3 must detect the services on the card. For this purpose, one so-called global profile is integrated in Part 4, to retrieve the card capabilities as well as application capabilities. This profile can be used as complementary to the application profiles, in case the card/application contains additional information which is not covered by the specific profile in use.

- Profile 1 ID Card. ECC Profile 1 describes a card which is used as an identity document.
- Profile 2 ESIGN-K. Profile 2 describes a card with an ESIGN application and the option for an additional functionality for digital signatures.
- Other Profiles. More profiles can be included and existing profiles are subject to further development and improvement before the specification is finally adopted. Even after it has been released, new profiles can still be added to the specification through the CEN TC224 WG 15 working group. Therefore, the standard provides a profile template to design new profiles in a comparable manner. The template contains guidelines in order to support anyone developing a profile; it clearly states which information has to be included in a profile. In general, any country will always have the option to define and bring in its own profiles to have country-specific use cases.

Profile a) eid

This ID scheme is presented by profile 1 of part 4 of the ECC specification. ECC Profile a) describes a card which is used as an identity document. One single mandatory contactless interface conforming to ISO/IEC is specified for all applications. The following three applications are envisioned:

- eid: This application implements electronic identity card services and data structure. The cardholder's data (corresponding to the data on conventional identity documents) are stored in distinct data groups.
- ICAO: Since ID cards are accepted as travel documents within Schengen States, this profile contains an MRTD application in conformance with ICAO specifications, comparable to the epassport. The mandatory card services are passive authentication, Basic Access Control (BAC), Extended Access Control (EAC) chip and terminal authentication referenced by the specific OIDs, and secure messaging for the ICAO application.

- SIG: The card includes a signature application in accordance with CEN prEN which contains the signature service itself on the card, with the added possibility of installing the necessary certificates or keys at time of issuance or alternatively having them already installed during the personalization process.

Profile b) ehealth Card (ESIGN-K)

Profile b) describes a card with an ESIGN application and the option for additional functionality for digital signatures. It supports a contact-based interface according to ISO/IEC and the T=1 transport protocol. The protocols, services, and formats used in profile b) are largely based on the CEN prEN standards.

Profile c) ehealth card (II)

The objective of profile c) is to list features for a contact smart card supporting an ehealth application and a legacy application. The card profile supports RSA-based digital signature functionality and symmetric device authentication using 2TDES (112 bit) with subsequent secure messaging. It can be used as an authentication token for RSA-based client/server authentication. Two different card types are described for cards complying with the profile: a patient card (e.g., health insurance card (HIC)) and a health professional's card (HPC). The profile gives some simple use cases illustrating how to use the HIC/HPC cards: access of patients' insurance data by the health professional or by the patient, and creation of an electronic prescription.

Profile d) eid (IAS)

France has chosen to be ECC-compliant and selected IAS ECC as the specification for its national e-id card. The specification is a concrete implementation of ECC and freezes some technical options proposed by the ECC. As an association of several standards (see Figure 18 below), IAS ECC allows complete interoperability among smart card manufacturers and also with previous IAS versions.
The architecture is built as shown in Figure 19 and can be easily upgraded with new functionalities (e.g., biometrics) or security features (e.g., elliptic curve cryptography). The travel functionality is contactless as for the epassport, when the e-service is contact. This is motivated by the opportunity to reuse both existing infrastructures (epassport and RSA PKI). Nevertheless, the e-services could be easily used in a contactless approach.

Figure 18. Standards Used for IAS-ECC

Figure 19. IAS-ECC Architecture

8.2 Corporate ID Badge Use Case

To illustrate what happens when organizations provide employees with a smart ID badge that is used for both logical and physical access, consider a typical day in the life of Kay Smith, the fictitious customer service manager for a fictitious company, Enterprise Systems. Enterprise Systems implemented a smart ID badge system for its employees 2 years ago to integrate security across the organization and comply with corporate-wide security policies.

Before Enterprise Systems adopted the single smart ID card/badge solution, the company parking lot was accessed by using a magnetic stripe card. The new smart IDs include magnetic stripes so that Enterprise Systems can continue to use their existing parking access application. At the start of her day, Kay Smith accesses the parking lot in the same way she always has, by swiping her badge through a reader.

Once inside the building, Kay must present her smart ID badge to the guard to verify that the badge is indeed her badge. The guard checks the photo on the badge and waves her through. Next, Kay waves her badge close to the RF-based door reader so she can leave the lobby and enter the main office area. Enterprise Systems incorporated a dual-interface smart card chip on its new employee ID badge and uses the contactless interface with the company's physical access control system. Now employees can use the same ID card to get into both the company parking lot and the main office area.

Now that Kay is at her desk, she turns on her computer and inserts her badge in the attached smart card reader. The standard Windows logon process recognizes the smart card reader, and Kay is prompted to enter the PIN for her badge, which only Kay knows. Kay is now logged onto her computer and can get to work. As she accesses her various applications (e.g., e-mail, customer database, support database) she is prompted for a password or other credential.
The smart ID card automatically provides the required information to access those applications, providing Kay with single sign-on (using the PIN entered in the initial authentication to the card). Before Kay was given her new badge, she had to remember 12 different passwords for different corporate applications, which frustrated her. She often wrote her passwords down on notepads next to her computer. Kay loves her new badge, because the process is now the same for her no matter what application she accesses. The smart ID card is also configurable, so that Enterprise Systems can require different authentication processes or credentials for each application if needed (for example, requiring smart card PIN entry for each application).

Kay is required to adhere to certain company policies. Sensitive messages regarding new product information or human resource issues must be signed and encrypted. Enterprise Systems uses digital certificates for e-mail. To secure an e-mail message, Kay accesses the security options for the message and clicks on "sign and encrypt." The system automatically accesses the digital signature information on Kay's smart ID badge. Only the valid recipient can now open and read Kay's message.

It is also a policy at Enterprise Systems that employees must carry their smart ID badges with them at all times. Kay heads for a meeting, grabbing her badge as she goes. As soon as the card is removed from the desktop reader, the Windows desktop is inaccessible until Kay returns, reinserts her badge, and reenters her PIN.
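The lock-on-removal behaviour in this scenario is a Windows logon policy rather than a property of the badge itself. The following PowerShell is an example added here, not taken from the module or from any vendor: it sets the smart card removal behaviour to lock the workstation, requires a smart card for interactive logon, and reads the settings back for an audit check. It assumes an elevated session on a standalone or test machine; in a domain these settings are normally applied through Group Policy, which writes the same registry values.

```powershell
# Added example (not from the CSCIP module or any vendor): enforce the behaviour in the
# Kay Smith scenario, where removing the badge from the reader locks the Windows desktop,
# and require the smart card for interactive logon. Run in an elevated session on a
# standalone or test machine. In a domain, set the equivalent Group Policy settings
# instead; they write the same registry values used here.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-SmartCardLogonPolicy {
    param(
        # "Interactive logon: Smart card removal behavior"
        # 0 = no action, 1 = lock workstation, 2 = force logoff, 3 = disconnect Remote Desktop session
        [ValidateSet('0', '1', '2', '3')]
        [string] $RemovalBehavior = '1',
        # "Interactive logon: Require smart card" (1 = password-only logon refused).
        # Only enable this on a machine where the user already holds an enrolled card,
        # otherwise nobody can log on interactively.
        [bool] $RequireSmartCard = $true
    )
    # ScRemoveOption is stored as REG_SZ, so the value is written as a string
    Set-ItemProperty -Path $WinlogonKey -Name 'ScRemoveOption' -Value $RemovalBehavior -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'scforceoption' -Value ([int]$RequireSmartCard) -Type DWord
    # The removal behaviour is only enforced while the Smart Card Removal Policy service runs
    Set-Service -Name 'SCPolicySvc' -StartupType Automatic
    Start-Service -Name 'SCPolicySvc'
}

function Test-SmartCardLogonPolicy {
    # Read the effective settings back; suitable for a compliance or audit script
    $removal = (Get-ItemProperty -Path $WinlogonKey -Name 'ScRemoveOption' -ErrorAction SilentlyContinue).ScRemoveOption
    $force   = (Get-ItemProperty -Path $PolicyKey -Name 'scforceoption' -ErrorAction SilentlyContinue).scforceoption
    $svc     = Get-Service -Name 'SCPolicySvc' -ErrorAction SilentlyContinue
    $svcRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    [pscustomobject]@{
        RemovalBehavior   = switch ($removal) { '1' { 'Lock' } '2' { 'Logoff' } '3' { 'Disconnect' } default { 'None' } }
        RequireSmartCard  = ($force -eq 1)
        RemovalSvcRunning = $svcRunning
        # Compliant only if removal locks or logs off, a card is required, and the service is up
        Compliant         = ($removal -in @('1', '2')) -and ($force -eq 1) -and $svcRunning
    }
}

Set-SmartCardLogonPolicy -RemovalBehavior '1' -RequireSmartCard $true
Test-SmartCardLogonPolicy | Format-List
```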

Home at the end of the day, Kay decides to access her e-mail and also confirm a customer order. Enterprise Systems uses digital certificates for VPN access. Kay uses her smart card in conjunction with a VPN client on her home computer to connect to the Enterprise Systems intranet. The only information she needs to provide is her smart card PIN, and she's connected.

During the course of her working day, Kay has used a single smart-card-based ID badge to replace multiple cards granting physical access to her employer's facilities. The same badge has facilitated and secured access to her employer's information resources, both on site and remotely, and allowed her to use these resources more efficiently. As this use case illustrates, smart cards are an effective approach to combining robust security with ease of use.

Many corporations are now using smart card-based ID badges for their employees, including the U.S. Federal government (PIV card), Unisys, Northrop Grumman, Lockheed Martin, Microsoft, Boeing, Rabobank, Shell, Pfizer, and Sun Microsystems.

8.3 Healthcare ID Use Cases [54]

Countries throughout Europe and Asia are providing their citizens with smart cards. Some use smart cards as part of their national healthcare programs. Others have smart card-based national ID programs. Table 7 lists examples of national health smart card deployments worldwide; in addition to the countries listed, smart health card programs are also active in other countries, including China, Finland, Jordan, Poland, and Turkey. [55]

Table 7. Examples of National Health Smart Card Deployments Worldwide
(Columns: Country; Card Type; Number of Cards; Launch Year. Cells whose value did not survive extraction are marked "not legible".)

Algeria [56]: CNAS; 7 million; 2007
Austria [57]: e-card; 11 million patient, 24,000 professional; 2005
Belgium [58]: Social system identity; 11 million; 1998
France [59]: Sesame Vitale, Sesame Vitale-2; 60 million (combined); launch year not legible
Germany [60]: Gesundheitskarte; 80 million, professional card count not legible; launch year not legible
Italy (Tuscany) [61]: Carta Sanitaria Elettronica; 3.6 million patient; n/a
Mexico [62]: Seguro Popular health insurance cards; number of cards and launch year not legible
Slovenia [63]: Health insurance card; 2 million patient, 70,000 professional; launch year not legible
Spain [14]: Carte Santé; 5.5 million; launch year not legible
Taiwan [64]: National health insurance card; patient card count not legible, 350,000 professional; launch year not legible
United Kingdom [9]: NHS Connection for Health (health professional cards); number of cards not legible; n/a

[54] Smart Card Technology in Healthcare, Smart Card Alliance FAQ, May
[55] Sources: Gemalto and CardLogix
Country-row source notes (footnote numbers not legible): Source: Gemalto; Source: Gemalto

8.3.1 Sesam Vitale Health Card, France [65]

Starting in 1997, France began a complete reform of health care organizations and professionals. The purpose was to develop a program meeting the data exchange expectations and needs of everyone involved in French health care, from insured patients to health care professionals and insurance funds. France was one of the first countries in the world to introduce large-scale deployment of smart cards as part of a health insurance system. The system, known as Sesam Vitale, was the first completely automatic system in which smart cards were used in the health sector. Today, there are approximately 57 million cards in use. That number is expected to rise to 65 million in the near future.

Health care in France is funded partly by the French government and partly by private insurance companies. This situation leads to a complex reimbursement process for the individuals involved, both patients and professionals. The old paper system was prone to error, fraud, and long delays before final payment was received.

Sesam Vitale

Sesam Vitale is a highly secure dual-card system. The cards (one for patients and one for health care professionals) are the heart of a French health care system that links every individual with health care resources, including public hospitals, private clinics, general practitioners, specialist doctors, nurses, and midwives, all through a secure network. The Sesam Vitale system simplifies the procedure by which health care costs are cleared and also dramatically reduces the risk that refunds to insured patients will be delayed, by replacing an annual 1 billion pages of health care information with electronic transactions.
The result is that the average reimbursement time has been reduced from up to 6 weeks to 2 or 3 days. In addition, payments are made directly to health professionals by the insurance companies. The system also tracks health care spending and, in the future, will be used to transfer electronic prescriptions to the health care funds responsible for reimbursement.

Sesam Vitale Patient's Card

The Sesam Vitale patient's card is a microcontroller (MCU) card containing approximately 4 pages of text. The patient's surname, first name, and Numéro d'inscription au Répertoire (NIR) are printed on the front of the card. On the back is the card serial number. The data stored in the chip are separated into two zones and include the NIR, health insurance system code, branch, entitlement start date, proof of entitlement, presence of permanent entitlement, surname, first name, date of birth, status of beneficiary, information specific to the health insurance system, and entitlement end date. The card replaces the standard soft-copy individual health insurance card.

The first, family version of the card (Vitale1) contains administrative data that is available to health professionals (such as physicians, pharmacists, dentists, physiotherapists, and nurses). The data is read immediately and stored as a secure electronic health care cost claim sheet (e-sheet) during the patient visit. (The data cannot be read without the presence of a health care professional's card, or CPS, described below.) Depending on the software application and the smart card reader, this e-sheet can be stored either in programmable secure reader memory or on the hard disk of the health professional's computer. The sheets are bound daily into secure electronic batches and transmitted through the secure national health intranet, the RSS (Réseau Santé Social), to the health insurance front-end servers. There the sheets are automatically processed by a back-office system for further cost clearing.

Sesam Vitale Health Care Professional's Card

The Sesam Vitale health care professional's card, called the Carte de Professionnel de Santé (CPS), is also a highly secure smart card that is easily recognized by its color. The MCU embedded in the card includes a crypto-processor that manages public keys and generates digital signatures. The card identifies the health care professional and provides authentication, digital signatures, and data encryption. Pharmacists and medical staff also receive a card. More than 425,000 cards have already been issued to health care professionals, with more than 90,000 to physicians.

[64] Health Systems Relying on Smart Cards, Dr. Klaus Vedder, Giesecke & Devrient GmbH, presentation
[65] French Sesam Vitale Health Card, Smart Card Alliance profile, 2005

8.3.2 German Health Card [66]

Health insurance is required in Germany, and the majority of the population is served by public health insurance. Currently, Germans carry a health care card that can be characterized as an insurance card. Its primary function is administrative. The current German health card program was rolled out in 1993 and is fully implemented. A total of 80 million people now carry the card.
The card contains a 256-byte protected memory chip (not a microprocessor) and stores the following data:
- Identity of the insurer
- Insured person's name, address, and date of birth
- Status of the insurance
- Expiration date for the insurance

This data supports the following administrative benefits:
- Patient identification
- Elimination of duplicate records
- Reduced paperwork and cost associated with mailing health insurance forms
- Streamlined admission process
- Reduced transaction costs

A 1997 study by the German Ministry of Health showed that the cost of the cards was fully amortized in the 3 years after introduction. When data on the card become obsolete, insurers reissue the card (even though overwriting the obsolete data is possible). Between 15 and 20 million cards are issued annually.

In 2011, Germany started issuing the new elektronische Gesundheitskarte, which includes online verification of insurance status, e-prescription and drug interaction checking, emergency data, and a European insurance certificate. [67] The Patient Data Card (PDC) is a microcontroller-based smart card with cryptographic functions; the card contains administrative insurance information, is the transport medium for electronic prescriptions, supports electronic signatures for eGovernment and eBusiness services, and grants physicians secure access to personal medical data (in connection with the Health Professional Card [HPC]). The HPC is used for authenticating the healthcare professional to the PDC and to computer data servers, among other functions.

[66] German Health Card Profile, Smart Card Alliance, 2005
[67] The German Health Card, Fabiola Bellersheim, Giesecke & Devrient, presentation, Smart Cards and Government Conference, November 18

8.3.3 Smart Health Cards in the United States

The United States has no national health insurance or national health card program. Healthcare cards are issued by health insurance companies, by the state governments (for Medicare and Medicaid programs) or by hospitals. To date, most cards in use are simple plastic cards, many with no machine-readable technology. The situation is starting to change, with smart cards making some progress for patient health ID cards.

Within the U.S. healthcare industry, the American Recovery and Reinvestment Act of 2009 (ARRA), the associated provisions under the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are driving the use of smart cards for both patients and providers to improve the security of healthcare IT systems and protect the privacy of patient information. [68] Under ARRA and the HITECH Act, the federal government will be investing over $19 billion in healthcare information technology. [69] This investment will provide significant incentives for healthcare providers to implement electronic medical record (EMR) systems over the next five years. The increasing use of EMRs and electronic health records (EHRs) drives the need to address privacy and security across the healthcare system through a strong identity management infrastructure to protect patient data.

Smart cards are now being used in a number of hospitals to provide patient ID cards, including:

- New York's Mount Sinai Hospital [70], one of the oldest and largest voluntary teaching hospitals in the United States, has led the trend towards smart healthcare cards. Mount Sinai has joined with nine other institutions in the greater New York City area to create a regional HealthSmart Network that accepts a common smart card-based Personal Health Card (PHC) for regional patients.
Elmhurst Hospital (part of the Health and Hospitals Corporation, New York City's public hospital system) is one of the member organizations and a collaborator in the development of the PHC system.
- Texas-based Lake Pointe Medical Center (one of 55 Tenet hospital locations), The Memorial Hospital of North Conway, NH, Sarasota Memorial Hospital and Wyckoff Heights Medical Center [71] are deploying smart patient health cards using the LifeMed(TM) Personal Health Smart Card Platform. LifeMed smart cards are issued to patients to identify them more accurately, give them a more streamlined admission, and connect and synchronize patient medical information from sources outside the hospital. Patients with the LifeMed card have the ability to view and contribute to their overall medical records, giving the provider a more complete medical picture.

Current programs focus on patient identification (streamlining admissions, managing payments, and moving patient data from point to point) and provider identification (providing an identification credential for accessing patient electronic health records). Four factors have driven smart card use to date:
- Identification and patient authentication
- Matching patients to their particular data

[68] HIPAA Compliance and Smart Cards: Solutions to Privacy and Security Requirements, Smart Card Alliance white paper, September
[69] On February 17, 2009, President Obama signed the $728 billion American Recovery and Reinvestment Act of 2009 (ARRA) into law. The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of ARRA, in Title XIII, represent an investment of more than $19 billion towards healthcare IT-related initiatives. HITECH specifically outlines how the federal stimulus money will be used to advance the design, development, and operation of a nationwide health information infrastructure that promotes the electronic use and exchange of information, but also includes significant changes in privacy and security provisions for health information technology.
[70] Mount Sinai Medical Center Personal Health Card, Smart Card Alliance profile

- Synchronizing data from disparate sources
- Security and access control

In addition to hospital-based patient health cards, several industry and government initiatives are including or advocating smart card technology.

- The Work Group for Electronic Data Interchange (WEDI) has established specifications for health insurance cards. Version 1.1 of the WEDI Health Identification Card Implementation Guide includes smart cards as an appropriate card type. [72]
- The American Medical Association is implementing a pilot program for a smart card technology-based Health Security Information Card, which would be used during natural disasters for identification and for medical information storage. [73]
- A bipartisan group of U.S. senators and representatives led by Senators Mark Kirk (R-IL) and Ron Wyden (D-OR) has introduced legislation to use existing smart card technology to protect seniors and to combat a reported $60 billion lost to waste, fraud and abuse within the Medicare system. The Medicare Common Access Card Act of 2011 (S. [number not legible] and H.R. 2925) [74] would establish a pilot program to develop a secure Medicare card using smart card technology to protect seniors' personal information, prevent fraud and speed payment to doctors and hospitals. It is estimated that upgrading the Medicare system with globally proven smart card technology could save the American taxpayer $30 billion or more per year in fraud and waste reductions.

8.3.4 Taiwan Smart Health Card [76]

Taiwan has implemented a national smart health card, with cards being issued since [year not legible]. As of 2005, the total population of Taiwan was 22.5 million, and 96% of Taiwan citizens had joined the National Health Insurance (NHI) program. A total of 16,558 hospitals and clinics (90% of the total) registered in the NHI program, creating a service network for insured applicants nationwide.
Taiwan had a strong IT foundation: the original paper-based health care system included 92% of contracted medical institutions, with a computerization rate of at least 70% and public satisfaction levels of 71%. The NHI program recognized revenue from insurance premiums of US$8.3 billion in [year not legible]. Total health expenditure is 5.5% of Taiwan's GDP.

Before the smart card was introduced, paper cards were used by the Bureau of National Health Insurance (BNHI) to audit patient information and then reimburse service providers monthly. The paper card was renewed after the patient had used medical services up to six times. Even though reporting and information handling were well run and maintained, the system had certain problems, such as identity fraud, excess false insurance premium claims from health care institutions, complex program vouchers, waste of resources due to the high frequency of card replacement, and high losses due to discontinuity of insured applicants. To solve these problems, in April 2001 the BNHI issued 22 million smart health care cards using Java Card technology to Taiwanese citizens.

[72] Complementary Smart Card Guidance for the WEDI Health Identification Card Implementation Guide, Smart Card Alliance Healthcare Council publication, October 2011
[73] Health Security Information Card, Dr. James J. James, AMA Center for Public Health Preparedness and Disaster Response, presentation, Smart Card Alliance webinar, September 13, 2011
Secure ID Coalition, Sept. 23, 2011 (footnote number not legible)
[76] The Taiwan Health Care Smart Card Project, Smart Card Alliance profile, 2005

The new smart card-based system was integrated with the original back-end database for the paper card system. The NHI health care smart card (illustrated in Figure 20) can be used for 5 to 7 years, making annual replacement unnecessary. The front side of the card includes the card's serial number and the cardholder's photo, name, ID number, and date of birth. People are not required to present an additional ID when they use the card for NHI health care services.

Figure 20. Taiwan Health Card

The smart card is a microcontroller-based card with 32 kilobytes (KB) of memory, of which 22 KB will be used for four kinds of information:
- Personal information, including the card serial number, date of issue and cardholder's name, gender, date of birth, ID number, and picture.
- NHI-related information, including cardholder status, remarks for catastrophic diseases, number of visits and admissions, use of NHI health prevention programs, cardholder's premium records, accumulated medical expenditure records and amount of cost-sharing.
- Medical service information, including drug allergy history and long-term prescriptions of ambulatory care and certain medical treatments. This information is planned to be added gradually, depending on how health care providers adapt to the system.
- Public health administration information (such as the cardholder's personal immunization chart and instructions for organ donation).

The Taiwanese government has reserved the other 10 KB of memory for future use. Moving to the smart card system has resulted in the following changes:
- Hospitals and clinics upload electronic records daily to BNHI.
- After every six patient visits, card information is uploaded online for data analysis, audit, and authentication.
- The reimbursement process is faster.
BNHI has strong privacy and security requirements for the Taiwan health care smart card, including a defined privacy policy, multiple smart card security mechanisms to prevent counterfeiting and protect cardholder information, mechanisms to protect the security of information during transmission, practices to prevent computer viruses, and a crisis management and response plan. The overall system architecture was designed to implement these policies, protecting the cardholder's private information while allowing access by authorized health care professionals. Key smart card security and privacy mechanisms are:
- High-grade card printing, comparable to payment cards.
- Encryption of information stored on the card.
- A BNHI-issued SAM card in each smart card reader, with a strict authorization and mutual authentication process required to access on-card data.
- Cardholder personal identification numbers (PINs) to protect on-card personal information.
- Plans for a health professional card that would be used to authorize health care provider access to medical information on the card.

As of 2010, 24 million patient cards and 350,000 health professional cards have been issued. The project reached breakeven in the first year, with $190 million in savings against the $170 million budget.

8.3.5 Smart Health Cards: Use and Benefits for Patients

There are a number of ways that smart card technology can help patients, all stemming from the ability to authenticate the patient's identity when seeking medical care. This may seem simple, but it is actually the cornerstone of quality medical care and good health systems management. Accurate identification of each person who receives healthcare:

Decreases medical errors. Optimal medical care requires that a healthcare provider have access to all relevant medical history and know what medications have been prescribed. This can be challenging, as individuals seek care from more than one healthcare organization and fill prescriptions at more than one pharmacy chain. A validated patient identity can be linked to a healthcare organization's medical records. Using a smart card also allows the storage of patient record numbers across different medical providers in a secure, privacy-sensitive way. Other personal information, such as prescription history, name, address, insurance information, allergies, emergency contact information and other key data elements, can also be securely stored on the card.

Expedites the admissions process. Use of a smart card-based healthcare ID card allows patients to bypass the usual lines at inpatient admission offices or ambulatory care admissions stations. Instead, when entering a healthcare facility, registration can be quickly and easily achieved by inserting the smart healthcare card in a reader at a kiosk or station. This instantly gives the provider current information and the link to the patient's medical records, delivering increased convenience, customer service, and accuracy in record time!

Reduces medical identity theft and fraud. Medical identity theft and fraud are a growing concern to healthcare consumers and providers. Smart card technology enables the addition of security elements such as a picture, personal identification number (PIN) or biometric (e.g., a fingerprint) so that a lost or stolen healthcare ID card cannot be used or accessed by anyone else. The data kept on the card can also be encrypted so that no one can access the patient's data without permission.

Reduces healthcare costs. In addition to streamlining administrative procedures for the healthcare provider and reducing the resources dedicated to those functions, the ability to link to and quickly access all of the patient's medical history makes it less likely that the doctor would need to order duplicate tests or procedures. These significant cost savings start during the admissions process and continue all the way through the claims management process.

Expedites claims reimbursement. Providing complete and accurate information during the registration process and removing issues with language barriers or human error greatly reduces the incidence of denied or delayed claims.

Smart card-based technology can help patients get better quality healthcare, delivered faster and more cost effectively.

8.3.6 Smart Health Cards: Use and Benefits for Hospitals [78]

Smart card-based technology offers a way to significantly reduce hospital administrative costs while maintaining or increasing quality of care and customer service. Smart card technology can help hospitals achieve:

[78] Smart Card Technology in Healthcare FAQ, Smart Card Alliance

Better patient identification. Smart cards serve as highly reliable and secure identity tokens. The cards can securely store various identity credentials (such as a PIN, photo, or biometric) directly on the card and make it very difficult to forge or steal the credentials on the card. A smart card can also create a digital signature. A digital signature serves as a guarantee that information received has not been modified, as if it were protected by a tamper-proof seal that is broken if the content is altered. Smart cards can present a considerable barrier to medical identity theft and fraud. Real-time verification is a superior method of confirming the identity of the incoming patient.

Administrative efficiencies. The time and resources required to admit a patient are critical measurements of hospital efficiency. Busy waiting rooms, thin staffing levels, language barriers and manual transcription of important data from handwritten forms create many opportunities for error. Smart cards cut down the time for admissions by providing ready access to accurate, up-to-date patient information. Moreover, the standard set of information provided by the patient can be obtained via an online pre-registration process and downloaded onto a smart card. Lastly, admissions can be streamlined when patients use smart cards at unmanned kiosks, taking out the labor element altogether. These efficiency gains lower cost [79, 80], reduce errors and improve the patient experience.

Better medical records management. Linking a patient to their medical records seems like a simple process, but human errors often lead to many issues with matching the right patient and the right records. Using a smart card to match a patient to a specific medical record ensures a more comprehensive and accurate patient health record. Smart card-based healthcare IDs can significantly decrease the incidence of and expenses associated with duplicate record creation. [81]
This improves administrative functions such as billing and registration and also provides for better continuity of care.

Quality of care. A key benefit of smart patient healthcare cards is the potential reduction of medical errors and duplicative medical testing. As an example, more than 195,000 deaths occur in the United States because of medical error [82], with 10 out of [value not legible] medical error deaths each year due to wrong-patient errors. Smart cards help ensure better quality of care by authenticating the identity of the person receiving medical treatment. The ability to accurately link a patient to an institution's medical records potentially reduces the number of adverse events and medical errors due to lack of patient information.

Privacy, security and confidentiality. Since smart cards are physically held by patients, and because information is supplied by providers in an approved network with audit capabilities, smart cards provide privacy and security measures. Information on smart cards can be encrypted using robust, standard cryptographic methods that have been proven to be extremely secure and that are used for government and military security. Thus, a patient's information is very secure and private.

Smart card technology offers solutions to a number of challenges that healthcare organizations are looking to address. Smart card technology offers the ability to automate much of the admissions process, eliminate costly duplicate and overlaid records, and enable the creation of and access to a comprehensive medical record across a broad spectrum of healthcare providers.

Smart card technology can also buttress internal hospital security systems. Use of smart cards for employee IDs enables hospital security to limit a hospital employee's physical access to those specific buildings and areas within the facilities that are appropriate for their immediate set of responsibilities, including access to medication cabinets. Smart employee IDs can also be used for strong authentication to networks and computers.

[79] In-Hospital Deaths From Medical Errors at 195,000 per Year, Health Grades Study Finds, Health Grades, July
[80] Stanching Hospitals' Financial Hemorrhage with Information Technology, J. Pesce, Health Management Technology, August
[81] A Healthcare CFO's Guide to Smart Card Technology and Applications, Smart Card Alliance, February
[82] In-Hospital Deaths From Medical Errors at 195,000 per Year, Health Grades Study Finds, Health Grades, July
[83] Identity Crisis, Robin Hess, For the Record, January 17

Table 8 summarizes the benefits of smart card technology for healthcare industry stakeholders.

Table 8. Smart Card Benefits in Healthcare [84]

Patient
- Positive identification at initial registration
- Secure and portable health record
- Personal ownership and control of access to medical records
- Easier and faster registration
- Improved and faster treatment and medical care
- Positive identification for payer coverage, treatment, and billing
- Accelerated treatment in emergencies
- Audit trail through a course of treatment that crosses multiple organizations

Healthcare Provider
- Instant patient identification
- Accurate link between patients and institutional medical records
- Elimination of duplicate and overlaid records
- Faster care delivery in emergency care settings
- Rapid accessibility to patient medical history
- Potential reduction in adverse events and medical errors due to lack of patient information
- Reduction in claims denials
- Faster access to key medical record data
- Integration with legacy systems with nominal IT costs
- Audit trail through a course of treatment that crosses multiple organizations
- Reduction in unnecessary/duplicate diagnostic tests or procedures by showing results from other medical providers

Healthcare Delivery Organization
- Accurate patient identity
- Reduced medical record maintenance costs (duplicate/overlaid)
- Streamlined administrative processing
- Increased awareness of provider brand, in and out of the service area
- Strengthened voluntary physician/referral relationships
- Ability to support value-added service to patient community

Payer (Insurance, Pharmacy Benefits Manager)
- Positive identification of the insured
- Verification of eligibility and health plan information
- Reduction in medical fraud
- Reduction of duplicate tests and reduction in payments
- Enforced formulary compliance
- Immediate adjudication at point of care
- Potential integration with payment accounts

Healthcare Employer
- Highly secure identity credential for both physical and logical access
- Single sign-on capabilities (reduction in help desk calls/password management requirements)
- Link to other employee services (ID badge, parking, cafeteria)

8.4 International Driver's License

Countries have historically had their own driver's license standards, with some countries having multiple regional, state or provincial versions of driver's licenses. In most cases, the driver's licenses do not use smart card technology. Examples of countries using smart card-based driver's licenses are El Salvador, India, Japan, some Mexican states, and Morocco. [85]

[84] A Healthcare CFO's Guide to Smart Card Technology and Applications, Smart Card Alliance white paper, February
[85] Electronic Driving Licence: A Pan-European Long Term Solution, Eurosmart white paper, September

The ISO/IEC driving licence standard defines a potential internationally recognized driver's license. The standard "establishes the design format and data content of an ISO-compliant driving license (IDL) with regard to the human-readable (visual) features and the placement of ISO machine-readable technologies on the card. It creates a common basis for international use and mutual recognition of the IDL without restricting individual domestic or regional driver licensing authorities from incorporating their specific needs on the IDL." [86] The standard includes the minimum common data element set, a common layout for ease of recognition and a minimum set of security requirements. It gives driver licensing authorities the flexibility to:

  - Include other optional data elements;
  - Choose the desired ISO/IEC JTC1/SC17 machine-readable technology (including magnetic stripe, integrated circuit with contacts, contactless integrated circuit, optical memory technology) or JTC1/SC31 technologies (e.g., one-dimensional or two-dimensional barcodes) and incorporate future technologies (e.g., biometrics, cryptography);
  - Add other physical document security features.

The standard has three parts:

  - Part 1: Physical Characteristics and Basic Data Set. Part 1 describes the basic terms for this standard, including physical characteristics, basic data element set, visual layout, and physical security features.
  - Part 2: Machine-Readable Technologies. Part 2 describes the technologies that may be used for this standard, including the logical data structure and data mapping for each technology.
  - Part 3: Access Control, Authentication and Integrity Validation. Part 3 describes the electronic security features that may be incorporated under this standard, including mechanisms for controlling access to data, verifying the origin of an IDL, and confirming data integrity.

8.5 U.S. Federal Government Use Cases

FIPS 201 Personal Identity Verification Card [87]

The U.S. Federal Government has been issuing smart card-based employee identity credentials for some time. One of the earliest and most influential government deployments is the Department of Defense (DoD) Common Access Card (CAC), which was designed to be the standard DoD ID card and the primary card enabling both physical access to buildings and other controlled spaces and logical access to DoD computer networks and systems. Since October 2000, when deployment began, DoD has issued over 12 million CACs and implemented the issuance infrastructure worldwide. Support for the CAC can be found on Windows, Apple, and Linux systems, and it can even be used with portable mobile devices (such as the Blackberry smart phone). DoD has reported compelling results in reducing fraud as a result of using the CAC to log onto DoD networks and sign messages: a 46 percent decrease in DoD network intrusions and a 30 percent decrease in socially engineered attacks. [88]

The Federal Government's move to smart cards accelerated with the issuance of Homeland Security Presidential Directive 12 (HSPD-12) on August 27. HSPD-12 mandates the need to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification.

[87] Using FIPS 201 and the PIV Card for Corporate Enterprises, Smart Card Alliance white paper, October.
[88] DoD Implementation of Homeland Security Presidential Directive-12, Inspector General, U.S. Department of Defense, June 23, 2008, p. 38.

HSPD-12 specifically calls for the use of a common identification credential for gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems. As a result of this directive, the National Institute of Standards and Technology (NIST) published FIPS 201, which was updated in August 2013 to FIPS 201-2. FIPS 201-2 defines the identity vetting, enrollment, and issuance requirements for a common identity credential and the technical specifications for a government employee and contractor ID card: the PIV card. The FIPS 201 PIV card is a smart card with both contact and contactless interfaces that is now being issued to all Federal employees and contractors.

To support a variety of authentication mechanisms, the PIV card's logical credentials contain multiple data elements that are used to verify the cardholder's identity at graduated assurance levels, including: [89]

  - A personal identification number (PIN)
  - A card holder unique identifier (CHUID, FASC-N identifier and UUID)
  - PIV authentication data (one asymmetric key pair and corresponding certificate)
  - Two fingerprint biometrics
  - Electronic facial image (in FIPS 201-2)
  - Asymmetric Card Authentication Key (CAK)

The PIV card may also include optional data to meet department- or agency-specific requirements for additional applications, including:

  - An asymmetric key pair and corresponding certificate for digital signatures
  - An asymmetric key pair and corresponding certificate for key management
  - Asymmetric or symmetric card authentication keys for supporting additional physical access applications
  - Symmetric key(s) associated with the card management system

The success of the FIPS 201 PIV program is largely due to the development of goals, issuance policies, and technical specifications that all agencies follow.
A cross-certification policy enables trust to be established between agencies, so that employees from one agency can use their PIV credentials to access controlled resources while visiting other agencies. Products and systems that conform to the defined technical interoperability standards are offered by a variety of suppliers, and new standards-compliant products are introduced frequently. Today, well over 5 million PIV cards have been issued by the Federal government to employees and contractors.

One of the main advantages of the PIV credentials is that they adhere to a set of standards that is accepted by suppliers, issuers, and users. A standards-based credential means that any government employee's credential can be accepted by any government facility and IT network. In addition, vendors of both logical and physical access control products can build equipment that complies with one common standard. As a result, the Federal government can now choose from a wide range of conforming access control products, which can be purchased from a variety of suppliers, and be assured that their choice will work with every employee's or contractor's credential.

Standards-Based Secure Identity Credentials for Commercial Organizations

Organizations outside of the Federal government can benefit from following the FIPS 201 standard and issuing identity credentials. Two additional credentials have been defined, the Personal Identity Verification-Interoperable (PIV-I) and Commercial Identity Verification (CIV) credentials, with the goal of taking advantage of the infrastructure created by the PIV program. The policy, process and technology applied to each of these credentials results in a level of assurance and interoperability, and ultimately determines the extent to which the credential can be used and trusted in its intended application.

PIV-Interoperable (PIV-I) Credential

As a result of non-federal issuers (NFIs) of identity cards expressing a desire to produce identity cards that can technically interoperate with Federal government PIV systems and can be trusted by Federal government relying parties, the Federal CIO Council published the guidance document Personal Identity Verification Interoperability for Non-Federal Issuers. [90] The PIV-interoperable (PIV-I) credential is an identity credential that meets the PIV technical specifications to work with PIV infrastructure elements such as card readers, and is issued by an NFI in a manner that allows Federal government relying parties to trust the credential.

PIV-I credentials are technically interoperable with the PIV infrastructure. PIV-I issuers comply with the identity-proofing, registration, and issuance policies described in FIPS 201 and are cross-certified with the Federal PKI Bridge. Following the FIPS 201 process for credential issuance allows Federal relying parties to trust the PIV-I credential across organizations. This trust is established by an enrollment, registration, and issuance process that is trusted across organizations, and by a strong authentication credential that leverages a cross-certified and federated public key infrastructure. The PIV and PIV-I technology and infrastructure are based on standards at many levels, from the physical token (the smart card) to the identity credential components to the public key infrastructure (PKI), that together enable interoperable trust. A PIV-I credential would be of great value to organizations that collaborate or do business with the Federal government and have a requirement to issue interoperable identity credentials.

[89] Federal Information Processing Standard Publication (FIPS 201-2), Personal Identity Verification (PIV) of Federal Employees and Contractors, Section 4.2, August 2013.
PIV-I cards are now being issued by Federal contractors to those employees who need access to Federal buildings and networks. In addition, many state and local organizations point to the PIV standard as a way to achieve a more holistic approach to issuing identity credentials and improving their own business processes. Early state adoption of PIV-I credentials and infrastructure in the Commonwealth of Virginia, the State of Colorado, and the State of Illinois has established baselines for achieving interoperability with Federal credentials, services, and systems. These PIV-I credentials are being used in regional and national interoperability exercises sponsored by the Federal Emergency Management Agency (FEMA) and for piloting operations in other areas, such as accessing Federal systems. In the July 2010 FEMA white paper Moving towards Credentialing Interoperability: Case Studies at the State, Local and Regional Level, [91] seven states highlighted ongoing and planned activities for deploying PIV-I credentials within their jurisdictions.

Commercial Identity Verification (CIV) Credential

The CIV credential was defined by the Smart Card Alliance Access Control Council in response to requests to provide guidance on how enterprises can take advantage of FIPS 201 and the PIV credential specifications to implement a standards-based commercial identity credentialing program. The definition leverages earlier Federal government work to define a credential that was technically compatible with the PIV specifications.
An October 2011 Smart Card Alliance white paper defines the CIV credential and discusses the corporate benefits of adopting it. [92]

[90] Personal Identity Verification Interoperability for Non-Federal Issuers, Federal CIO Council, July 2010.
[91] Moving towards Credentialing Interoperability: Case Studies at the State, Local and Regional Level, Federal Emergency Management Agency (FEMA) white paper, July 2010, 8DFEFCA0C382/0/2aMovingTowardsCredentialingInteroperability_7810.pdf
[92] The Commercial Identity Verification (CIV) Credential Leveraging FIPS 201 and the PIV Specifications: Is the CIV Credential Right for You?, Smart Card Alliance Access Control Council white paper, October 2011.

The CIV credential is technically compatible with the PIV-I credential specifications. However, a CIV credential issuer need not comply with the strict policy framework associated with issuance and use of the PIV and PIV-I credentials. This freedom allows corporate enterprises to deploy the standardized technologies in a manner that is suitable for their own corporate environments, taking advantage of the standards-based products and services available in the market. Any enterprise can create, issue, and use CIV credentials according to requirements established within that enterprise's unique environment.

Comparison of PIV, PIV-I and CIV Credentials [93]

Table 9 shows the key differences among PIV, PIV-I and CIV credentials and the organizations that would issue or use each type of credential.

Table 9. Comparison of PIV, PIV-I and CIV Credentials

Policy
  Breeder documents
    PIV: Follows FIPS 201-2
    PIV-I: Follows FIPS 201-2
    CIV: Follows the issuing organization's policies
  Background checks
    PIV: National Agency Check with Investigation
    PIV-I: None required; directly impacts level of suitability for access
    CIV: Follows the issuing organization's policies

Process (application, adjudication, enrollment, issuance, activation)
    PIV: Follows FIPS 201-2, including separation of roles and strong biometric binding
    PIV-I: Follows Federal Bridge cross-certification certificate policies [94]; follows the applicable NIST SP for Federal issuance; based on FIPS 201-2, including separation of roles and strong biometric binding
    CIV: Follows the issuing organization's policies; for Federal relying parties, follows the applicable NIST SP

Technology
  Card data model
    PIV: Must follow the applicable NIST SP
    PIV-I: Must follow the applicable NIST SP
    CIV: Follows the applicable NIST SP (recommended)
  Current primary credential number
    PIV: FASC-N [95] (requires Federal agency code)
    PIV-I: UUID (no Federal agency code required)
    CIV: UUID (recommended; no Federal agency code required)
  Object identifiers
    PIV: Federal Bridge
    PIV-I: Federal Bridge
    CIV: Organization's Internet Assigned Numbers Authority (IANA) identifier, if one exists

Types of Federation and Levels of Assurance
  Trustworthiness
    PIV: Trusted identity, credential and suitability
    PIV-I: Trusted basic identity and credential, but not suitability
    CIV: Trusted credential only within the issuing organization
  Trust among organizations
    PIV: Federal Bridge
    PIV-I: Clustered through Federal Bridge
    CIV: Clustered alone

Origin
  Organization
    PIV: NIST
    PIV-I: Federal CIO Council
    CIV: Smart Card Alliance Access Control Council [96]
  Defining documents
    PIV: FIPS 201, NIST SPs and other related NIST publications
    PIV-I: Personal Identity Verification Interoperability for Non-Federal Issuers [97]; FICAM PIV-I FAQ [98]
    CIV: The Commercial Identity Verification (CIV) Credential Leveraging FIPS 201 and the PIV Specifications [99]
  Motivation
    PIV: HSPD-12
    PIV-I: Interoperable credential for organizations doing business with the government and for first responders
    CIV: Commercial credential that could take advantage of the PIV infrastructure

Markets
  Organizations that may issue and/or use the credential
    PIV: Federal agencies
    PIV-I: Federal agencies; Federal contractors; commercial organizations doing business with the Federal government; state and local governments; critical infrastructure providers; first responder organizations; commercial organizations that are part of an industry initiative and require an interoperable, trusted credential
    CIV: Commercial organizations seeking a credential for use by their employees, subcontractors, non-employee visitors and customers; Federal agencies that accept credentials with medium hardware assurance [100]
  Resources that the credential may be used for
    The credential can be used in a wide range of both employment-related and consumer-based transactions. Examples include physical access, logical access, [101] mass transit, and closed loop payments.

[93] A Comparison of PIV, PIV-I and CIV Credentials, Smart Card Alliance Access Control Council publication, March 2012.
[95] The FASC-N contains a federal agency code which is managed by NIST. PIV-I and CIV credential numbers (UUIDs) are generated by the issuing organization. See the relevant NIST SP for additional information.
[96] The Smart Card Alliance Access Control Council selected the name CIV and documented the specifications that would define a credential that was technically compatible with the PIV specifications.
[100] Requires that the CIV credential have a medium hardware certificate.
[101] Logical access includes computer logon, digital signatures, network access, application access, and data/communication encryption.

Department of Defense Common Access Card

The Department of Defense (DoD) Common Access Card (CAC) was the first enterprise smart card program in the Federal Government. The DoD began deploying the CAC in 2000, and since then the CAC has been a single unifying card for the entire department with a growing number of applications.

The goal of the CAC program was to provide individuals with physical access to buildings and controlled spaces and logical access to networks and systems. These individuals are active duty military personnel, civilian employees, and eligible contractor personnel. In addition to the original goals of physical and logical access, the CAC is also used for benefits and privileges and serves as the Geneva Conventions identification card for the United States. This diverse range of uses and applications requires advanced card features. The CAC uses a smart card platform that provides the flexibility to accommodate emerging space requirements and a solution for a growing range of technologies. The CAC includes four PKI certificates: identity certificate, signing certificate, encryption certificate and PIV authentication certificate. In order to be interoperable, the CAC includes a PIV Card Application which, when selected, behaves as would any other government-issued PIV Card. The card also includes basic demographic data, fingerprint biometrics and facial image, and contactless technology.

The CAC program has been successful for many reasons. The CAC is integral to DoD business practices, which means card holders are routinely using the card. Any changes to the card must be approved by the user community through a robust configuration management program. Also, the card is supported by policies and governance that clearly outline the uses and limitations of the card. In compliance with Homeland Security Presidential Directive 12 (HSPD-12), the DoD began issuing its FIPS 201-compliant CAC in October. Because of the maturity of the CAC program, a significant transition strategy was required to ensure continuity of operations. The CAC now fully complies with PIV standards and provides interoperability when used in other Federal agencies, but the primary functionality of the card remains DoD focused.

The CAC is currently being considered for additional functions and applications. Some potential new areas of use are transportation and banking. Some applications could use the card as a payment system for transit systems, or use the card instead of a bank card.

DoD Identity Management

The DoD has unique challenges that must be solved through its personnel identity management solutions. In addition to those individuals that receive CACs, the DoD population includes millions of dependents and retirees and other individuals that require routine access to DoD facilities and assets. DoD is working to align the needs of these populations with the current solutions and to provide additional services where necessary. To serve these populations, the DoD has a number of identity management solutions, including the family of DoD ID cards, the Defense Biometrics Identification System (DBIDS), the Defense National Visitors Center (DNVC), and the Defense Cross-Credentialing Identification System (DCCIS).

DBIDS is a readily deployable system for capturing, storing, and comparing biometric data to use for authentication. The system also provides a means of registering all personnel requiring access, incorporating complex rules of sponsorship and access, linking access to sponsor, and limiting access by location, building, and force protection level. In addition, DBIDS allows installation security personnel to control access and authenticate identity for population elements not eligible for other DoD credentials, including maintenance personnel, janitorial staff, and contractor personnel from non-DoD organizations.

The ability to rapidly and electronically authenticate credentials and cardholders is critical to being able to operate in a federated environment. DNVC is the system that can electronically validate any centrally issued DoD credential. DNVC can accommodate different readable formats and provides a real-time determination of validity in a privacy-friendly manner. The DNVC is web-based and provides a means for strengthening security across the DoD down to the lowest levels. DCCIS is an extension of DNVC. DCCIS is an initial proof-of-concept system that proposes to resolve cross-credentialing interoperability difficulties between DoD and certain of its commercial partners.

DNVC can be DCCIS-enabled, in which case a participating DNVC facility connects with the DCCIS member organization database to authenticate visiting personnel from those organizations. Not all needs are being met by current capabilities. Access to online applications for non-CAC populations has been difficult and is under consideration. A potential solution to meet this need may include federated electronic credentials for these populations. DoD is also working to align its capabilities with the requirements of the Federal Identity, Credentialing and Access Management Subcommittee. As such, DoD will continue to evolve and transform to meet the changing needs.

Transportation Worker Identification Credential [102]

The Transportation Worker Identification Credential (TWIC) program is a joint program of the Transportation Security Administration (TSA) and the U.S. Coast Guard (USCG) within the Department of Homeland Security (DHS). The objective of TWIC is to strengthen the security of the U.S. maritime infrastructure through background vetting of civilian maritime workers and issuance of tamper-proof, biometrically-enabled identification credentials to eligible workers. TWIC was developed in response to the legislative requirements contained in the Maritime Transportation Security Act (MTSA) of 2002 and the Security and Accountability for Every Port (SAFE Port) Act of 2006. As of April 2015, over 3 million maritime workers have enrolled in the TWIC program. Since April 2009, possession of a TWIC card has been required for unescorted access at 3,200 land-based and outer continental shelf (OCS) facilities and on over 14,000 vessels that are subject to MTSA regulations. Workers pay for the TWIC, which is a five-year card.

TWIC is aligned with FIPS 201 and includes the following technical features:

  - Non-volatile memory
  - Dual-interface smart card chip with both contact and contactless interfaces
  - Physical security features, including color shifting inks
  - Magnetic stripe and linear bar code
  - Logical security features, including encrypted fingerprint templates, signed data (CHUID and biometrics), security objects, and PKI certificates (for the PIV application)

In the early stages of defining the technical requirements for the TWIC card, the maritime industry expressed concerns about the proposed approach, which called for the TWIC card to be fully compliant with the FIPS 201 standard. The maritime community felt that FIPS 201 was not an appropriate standard for high-volume physical access control situations in which rapid access is an operational requirement. Their concerns were based on the fact that FIPS 201 allows access to the biometric data on the smart card only through a contact interface, thereby requiring insertion of the card into a contact slot on a reader. Given that many of the fixed-mounted reader devices would be exposed to the extremes of weather at seaports, there was concern that contact readers would allow airborne contaminants to infiltrate the reader electronics, resulting in maintenance problems. The maritime industry also objected to the FIPS 201 requirement for entry of a PIN to access the biometric data on the smart card after insertion of the card into the reader.

[102] Source: Authentication Mechanisms for Physical Access Control, Smart Card Alliance Physical Access Council white paper, October.
[103] Transportation Worker Identification Credential: An Overview of TWIC Reader Hardware and Card Application Specification, Walter Hamilton, IBIA, presentation, Smart Cards in Government Conference, October.

The resulting "TWIC Reader Hardware and Card Application Specification," initially published by TSA on September 11, 2007, implements an alternative authentication mechanism that allows contactless reading of the reference fingerprint template from a separate TWIC card application without requiring PIN entry. The TWIC card supports a GSA-approved PIV Card application in addition to this specialized TWIC card application. To protect personal privacy, the fingerprint templates stored in the TWIC card application are pre-enciphered by the issuer prior to being loaded into the TWIC card application. Deciphering these TWIC card application fingerprint templates is accomplished through the use of a randomized, unique-per-card symmetric key called the TWIC Privacy Key (TPK). The TPK is generated during card personalization by TSA. The TPK can be accessed through the contact interface, through a swipe read of the magnetic stripe, or from an off-card database supported by some TWIC reader implementations. The TPK cannot be accessed using the contactless interface, because such access would break the protection against a third party observing a contactless transaction.

This approach to using a contactless biometric read without a PIN presents some unique challenges for the implementer. If the pre-enciphered biometric templates are to be read from the TWIC card application through the contactless interface, the reader must have some way of first obtaining the TPK prior to performing the biometric match. This can be achieved by storing the TPK in the local PACS server after a one-time local PACS registration process. Another alternative is to use a reader that has both magnetic stripe and contactless smart card read capability. In this scenario, the cardholder would swipe the magnetic stripe of the TWIC card before presenting the card to the contactless interface.
Finally, one might use a contact interface, where both the enciphered fingerprint templates and the TPK are accessible.

As noted above, a TWIC card consists of two card applications: a TWIC card application to support contactless, PIN-less biometric reads independent of smart card interface, and a separate FIPS 201-compliant PIV Card application, both of which are co-located in the memory of a TWIC card. A reader device can access each application independently by selecting the appropriate application identifier (AID). Table 10 shows a summary of the primary differences between the TWIC and PIV credentials.

Table 10. Differences between TWIC and PIV Credentials

Stored fingerprint templates
  PIV: Data not encrypted. Requires PIN to read via contact or contactless interface.
  TWIC: Data encrypted. No PIN required to read via contact or contactless interface.
TWIC Privacy Key (TPK)
  PIV: Not applicable.
  TWIC: Stored in magnetic stripe. Also accessible through contact interface. Required to decrypt stored fingerprint templates.

In late 2012, Congress passed legislation requiring TWIC to implement an issuance solution requiring only one visit to an enrollment center. This option is referred to as the OneVisit option. The OneVisit option presented significant FIPS 201 challenges to the TWIC program, as the applicant has the TWIC card mailed to a location they designate. Direct mailing removes the possibility of in-person card activation (after a biometric match or alternative identification verification step). It is estimated that 7 out of 10 TWIC applicants select the OneVisit option. Current regulations do not require the use of TWIC readers that automatically read the TWIC card, match the biometric to the cardholder, and validate other electronic security features in the card. As of April 2009, only visual inspection of TWIC cards is required for unescorted entry into regulated facilities and vessels.
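The TPK access pattern described above (enciphered template readable contactlessly, TPK released only via the contact interface, a magnetic stripe swipe, or a one-time PACS registration) as an added Python model; this is illustration code written for this page, not TSA's specification or any vendor's reader software. The HMAC-SHA256 keystream stands in for the issuer's actual cipher, which the page does not name, and the AIDs, PIN and card id are constructed placeholders.

```python
"""TWIC Privacy Key (TPK) access model. Added illustration, not TSA's spec or
any vendor's reader code. Constructed assumptions: an HMAC-SHA256 keystream
stands in for the issuer's real cipher, the two card applications are dicts
selected by placeholder AIDs, and the biometric match is an exact byte compare."""
import hashlib
import hmac
import secrets

TWIC_AID = b"PLACEHOLDER-TWIC-AID"  # real AIDs are not given on the page
PIV_AID = b"PLACEHOLDER-PIV-AID"
NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: stand-in symmetric cipher keystream."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call deciphers."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


class TwicCard:
    """A card holding a TWIC application and a PIV application side by side."""

    def __init__(self, reference_template: bytes, pin: str):
        self.tpk = secrets.token_bytes(16)  # random, unique per card, set at personalization
        nonce = secrets.token_bytes(NONCE_LEN)
        self._apps = {
            # TWIC application: only the pre-enciphered template is ever stored.
            TWIC_AID: {"template": nonce + encipher(self.tpk, nonce, reference_template)},
            # PIV application: template in clear, released only after PIN verification.
            PIV_AID: {"template": reference_template, "pin": pin},
        }

    def magstripe_swipe(self) -> bytes:
        """The TPK is encoded on the magnetic stripe."""
        return self.tpk

    def contact_read(self, aid: bytes, obj: str, pin: str = "") -> bytes:
        """Contact interface: TWIC objects and the TPK readable; PIV template needs the PIN."""
        if aid == PIV_AID and pin != self._apps[PIV_AID]["pin"]:
            raise PermissionError("PIV biometric read requires PIN verification")
        return self.tpk if obj == "tpk" else self._apps[aid][obj]

    def contactless_read(self, aid: bytes, obj: str) -> bytes:
        """Contactless interface: only the TWIC application's enciphered objects are released."""
        if aid != TWIC_AID:
            raise PermissionError("PIV biometrics are not readable PIN-less over contactless")
        if obj == "tpk":
            raise PermissionError("the TPK is never released over the contactless interface")
        return self._apps[TWIC_AID][obj]


def decipher_template(tpk: bytes, blob: bytes) -> bytes:
    """Split the stored object into nonce and ciphertext and recover the template."""
    return encipher(tpk, blob[:NONCE_LEN], blob[NONCE_LEN:])


def contactless_biometric_check(card: TwicCard, live_template: bytes, tpk_source) -> bool:
    """PIN-less contactless read, then decipher with a TPK obtained out of band."""
    blob = card.contactless_read(TWIC_AID, "template")
    reference = decipher_template(tpk_source(), blob)
    return hmac.compare_digest(reference, live_template)


class LocalPacsRegistry:
    """One-time registration caches each card's TPK so later reads are contactless-only."""

    def __init__(self):
        self._tpks = {}

    def register(self, card_id: str, card: TwicCard) -> None:
        self._tpks[card_id] = card.contact_read(TWIC_AID, "tpk")

    def tpk_source(self, card_id: str):
        return lambda: self._tpks[card_id]


def tpk_exposed_over_contactless(card: TwicCard) -> bool:
    """Defender's check: can the TPK be pulled over the contactless interface?"""
    try:
        card.contactless_read(TWIC_AID, "tpk")
        return True
    except PermissionError:
        return False


def demo_registration_flow() -> bool:
    """Register once via contact, then authenticate with a purely contactless read."""
    template = b"constructed reference fingerprint template"
    card = TwicCard(template, pin="123456")  # constructed PIN
    registry = LocalPacsRegistry()
    registry.register("card-0001", card)  # constructed card id
    return contactless_biometric_check(card, template, registry.tpk_source("card-0001"))
```

A passive observer of the contactless exchange obtains only the nonce and ciphertext from the TWIC application; without the TPK from one of the three out-of-band paths the template cannot be recovered.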

8.5.4 First Responder Authentication Credential [104]

The First Responder Authentication Credential (FRAC) is an excellent example of the use of a PIV-interoperable credential. In the wake of 9/11 and Hurricane Katrina, U.S. homeland security professionals learned that responding to a disaster requires a multi-disciplinary response team including law enforcement, firefighters, medical professionals, and critical infrastructure workers. These emergency responders represent a broad array of disciplines within the local and state emergency management organizations, and it is crucial for the incident command to recognize, in real time, the certifications and abilities of each individual responding to the incident.

The Office of National Capital Region Coordination coordinated a major initiative to leverage a smart card identity system (the First Responder Authentication Credential) for emergency response officials (EROs). These smart cards would provide first responders from across the region with the ability to quickly and easily access government buildings and reservations in the event of a terrorist attack or other disaster. The initiative was designed to remedy access problems such as those encountered by state and local emergency officials responding to the 9/11 attack on the Pentagon.

FRAC is a secure and interoperable identity credential designed for the emergency management community. NIST, DHS and the Federal Emergency Management Agency (FEMA) have worked together to specify the recommendations for the FRAC card for all emergency responders nationwide. Adherence to these recommendations ensures a common framework to trust the identities and capabilities of those emergency response team members arriving at incidents to assist during emergencies.
By leveraging the U.S. Government FIPS 201 Personal Identity Verification standard and the accompanying PIV-interoperable guidance from the CIO Council, [105] interoperable identity verification is achieved among federal, state, local, non-profit and commercial organizations responding to an incident. Under DHS National Incident Management System (NIMS) draft credentialing guidelines, three distinct and necessary components are required for an emergency responder credential:

  - Identity: personal attributes that uniquely define a person.
  - Knowledge, skills and attributes (KSAs): certifications, trainings and NIMS resource typing that allow an incident commander to make access and deployment decisions.
  - Deployment authorizations: the invitation from a requesting jurisdiction, and authorization from the supporting jurisdiction, for an emergency response individual or team to respond to a mutual aid incident. Deployment authorizations are widely used in multi-jurisdictional responses crossing state boundaries and typically follow Emergency Management Assistance Compact (EMAC) processes.

At an incident scene, it is imperative to accurately verify both a person's identity and KSAs. In locales around the country, there are regular news and online stories of individuals pretending to be a police officer, a firefighter or an emergency medical technician. Official-looking badges and clothing are available for purchase via catalogs and websites and, during the high intensity of a disaster, these fraudulent items can fool even the most experienced veteran responders. Unfortunately, there are also cases where valid emergency responders are detained or delayed because they do not have an easy way to establish identity or KSAs at a checkpoint. A person's identity can only be trusted if it is confirmed, issued and verifiable via a trusted issuing source.
The NIMS has published the resource typing categories and certifications for Emergency Support Functions (ESFs) and the National Infrastructure Protection Plan (NIPP). States and jurisdictions are required to identify and maintain lists of individuals who have the correct training and certifications for each of these NIMS categories. Privileges granted at an incident depend upon knowing the emergency responder's ESF codes or NIPP sectors, training, certifications and licensure information.

104 Sources: DHS web site; Probaris, First Responder Authentication Credentials white paper.
105 Personal Identity Verification Interoperability for Non-Federal Issuers, CIO Council, May 2009.

FRAC Demonstrations

The Implementing Recommendations of the 9/11 Commission Act of 2007, enacted as a public law, was introduced into Congress on January 5, 2007 and signed into law by the President on August 3, 2007. Under this law, FEMA, in collaboration with the Department of Health and Human Services (HHS), is responsible for creating credentialing and attribute guidance for emergency response across the nation. The first step is to establish federal preparedness, to be followed by outreach to state and local communities, the critical infrastructure communities and the volunteer communities.

During the development of the law and after its enactment, several demonstrations were held to test the credentialing and attributes of the various emergency response communities. These demonstrations were named Winter Fox 107 (February 2006), Winter Storm 108,109 (February 2007), Summer Breeze (July 2007), Winter Blast 110,111 (March 2008), Spring Blitz 112 (May 2008), Summer Sizzle (July 2008), Autumn Rush (October 2008) and Spring Ahead 113 (May 2009). All early adopter organizations issuing FRACs to date are issuing dual-interface or tri-interface smart cards with PKI credentials, some including magnetic stripes or bar codes for legacy system compatibility.

FRAC and PIV-Interoperable Credentials

In late 2009, the Command, Control and Interoperability (CCI) Division within the DHS Science & Technology (S&T) Directorate, the FEMA Office of National Capital Region Coordination (NCRC) and the FEMA Office of Security (OS) partnered to convene the PIV-I/FRAC Technology Transition Working Group (TTWG).
The TTWG is composed of state and local emergency management representatives, many of whom have already implemented innovative and secure identity management solutions in their own jurisdictions. Local and state participants in the working group include Colorado, Maryland, Virginia, the District of Columbia, Missouri, Southwest Texas, Pennsylvania, West Virginia, Hawaii and Illinois. The working group is focused on exploring PIV-Interoperable (PIV-I) credentials as the standard that will enable interoperability between local and state emergency response officials. 114

The FRAC is one usage scenario of the PIV-I credential that is successfully driving adoption in the state, local and commercial sectors. Early adopter organizations issuing FRAC/PIV-I cards to date have attempted to align closely with the maturing PIV-I recommendations to ensure current and future interoperability and trust. In some cases, such as the Commonwealth of Virginia, early pilots issuing "PIV-like" cards generated feedback to the federal community that was used to help define the PIV-I recommendations.

Early adopter organizations have also been leveraging PIV-I technology for a range of additional applications in the development and pilot phases. Some of these applications closely mirror the Federal Identity, Credentialing and Access Management (ICAM) objectives, with the added benefit of an extended focus on daily usage external to an enterprise. A sampling of the population of credentials issued and applications implemented includes:

- Credentialing of emergency response teams (with FRAC), including doctors and nursing professionals
- Credentialing of employees, contractors and volunteers
- Credentialing of jurisdictionally licensed workers such as taxi cab drivers
- Access to parking garages (low-assurance access leveraging tri-interface PIV smart cards)
- Logical access to networks
- Physical access to buildings
- Digital signatures

The following sections provide sample case studies from two of the states currently deploying FRAC/PIV-I credentials.

113 Electronic Designation and Validation of Federal/Mutual Aid Emergency Response Officials (F/EROs) in support of National Preparedness, Craig Wilson, FEMA, presentation, CTST 2009, May 2009.
114 PIV-I/FRAC Technology Transition Working Group, U.S. Department of Homeland Security Command, Control and Interoperability Division.

Commonwealth of Virginia First Responder Authentication Credentials 115

Emergency response officials (EROs) from across the region were present at the Pentagon site on 9/11, including EROs from Arlington County and the City of Alexandria. Immediately following the attacks, onlookers were able to mingle with rescuers. This presented a serious challenge for incident commanders, who had to make sure that only credentialed EROs had access to the most sensitive areas. It became evident that a credentialing process was needed to simplify this effort in the future. In February 2007, as part of the DHS National Capital Region (NCR) First Responder Partnership Initiative, the Virginia Department of Transportation and the Commonwealth of Virginia began issuing FRACs. The Virginia FRAC identity proofing and registration processes follow FIPS 201 as closely as possible for a non-federal entity and use products from the FIPS 201 GSA Approved Products List. The design of the Virginia FRAC card was also based upon FIPS 201.
The goal of the FRAC initiative, now being deployed in the NCR and the Hampton Roads area, is to provide state and local EROs with a new, federally approved PIV-Interoperable smart credential designed to achieve the following:

- Securely establish emergency responders' identities at the scene of an incident
- Confirm first responders' qualifications and expertise, allowing incident commanders to dispatch them quickly and appropriately
- Enhance cooperation and efficiency between state and local first responders and their federal counterparts 116

Using a wireless handheld device, commanders at an incident scene can read and validate data from the FRAC and authenticate the ERO's identity and attributes. Among the first localities in Virginia to be issued the new FRACs were Arlington County and the City of Alexandria. Virginia is now working on a FRAC deployment in the Hampton Roads region. This deployment includes eight locations for the biometric enrollment and issuance of PIV-Interoperable credentials, 39 handhelds for offline credential validation and 11,495 FRACs. 117

115 Emergency Response Official Credentials: An Approach to Attain Trust in Credentials across Multiple Jurisdictions for Disaster Response and Recovery, Smart Card Alliance white paper, October 2008.

Colorado First Responder Authentication Credential 118

Colorado identified as a high priority the need for an interoperable first responder credential. The Colorado First Responder Authentication Credential (COFRAC) initiative provides the ability to electronically validate the identity and the knowledge, skills and attributes of those who are required to, or volunteer to, respond to natural or man-made disasters or acts of terror. In June 2007, a Statewide Credentialing Working Group was formed, chaired by the Governor's Office of Information Technology (OIT). This working group, comprising individuals at the state, regional and local levels, developed a program that addresses the needs of Colorado while being mindful of the federal standards and the need for interoperability with federal agency responders. The overall goal of this working group was to provide recommendations for a common identification standard for state and local first responders that promotes interoperable first responder credentials across the state and:

- Primarily, achieves appropriate security assurance by efficiently verifying the claimed identity of individuals seeking physical access to all-hazard incidents and events in the State of Colorado.
- Secondarily, communicates the qualifications, skills and training of first responder personnel to the Receiving Authority Incident Command.
- Finally, bases the program upon recognized standards, open-system architectures and non-proprietary technologies.

The COFRAC standard is focused on incident management and interoperability, and does not specify access control policies or requirements for state departments and local agencies.
Colorado did, however, encourage state and local departments and agencies to investigate how the FRAC technology can be leveraged for both physical and logical access. The Colorado credentialing standard was published in April 2008. 119 Colorado's North Central Region (the metropolitan Denver area) began its COFRAC deployment in October 2008, with plans to issue between 10,000 and 15,000 FRACs in the North Central Region. 120

117 Source: Commonwealth of Virginia First Responder Authentication Credential (FRAC) Program, Mike McAllister, Governor's Office of Commonwealth Preparedness, Smart Cards in Government Conference, October.
118 Emergency Response Official Credentials: An Approach to Attain Trust in Credentials across Multiple Jurisdictions for Disaster Response and Recovery, Smart Card Alliance white paper, October 2008.
119 Colorado State First Responder Authentication Credential Standards: Best Practice Standard, Colorado Governor's Office of Information Technology, April 10, 2008.
120 First Responder Credentials Expedite Access, NLECTC TechBeat, Winter.

Machine-to-Machine Applications

Machine-to-machine (M2M) technology allows devices to communicate with each other over wireless or wired systems without human interaction. While the M2M market is still in a very early phase, analysts are projecting strong growth for wireless M2M applications, with government regulations for smart metering and vehicle safety the key drivers for that growth. The M2M market is expected to support a wide variety of applications, including:

- Smart metering/smart power grid applications, where smart meters collect and transmit consumption data and help to manage power consumption
- Vehicle systems: emergency call systems, anti-theft systems and fleet management systems
- POS and vending systems

- Alarm and security management
- Healthcare applications: remote monitoring of patient data and prevention of medical device cloning
- Industrial data collection
- Remote maintenance and control of mechanical systems

Smart card technology is built into M2M modules and is used in M2M applications when the security of the application is critical (e.g., there is a high risk of fraud or system compromise). Smart card functions in M2M applications include:

- Authentication of the device to the mobile network and to the other devices with which it communicates
- Encryption of data transmitted from the M2M device
- Prevention of manipulation of data in the end device

M2M smart card modules are manufactured to the specifications required by the industrial marketplace, so that they work in more hostile environments (with extended operating ranges for temperature, vibration and humidity) and have a longer lifespan (typically ten-year data retention). M2M modules are available in multiple form factors, including:

- A standard-sized plug-in SIM card (2FF)
- A micro-SIM plug-in card (3FF)
- A solderable small SIM (MFF1 or MFF2)
- A SIM component in surface-mount device (SMD) packaging, allowing the component to be soldered onto a printed circuit board (to resist theft)

Standards for M2M technology cover the M2M module or secure element, the device interface and the different M2M applications. The European Telecommunications Standards Institute (ETSI) has defined the entry-level M2M secure element specification, ETSI TS (V9.1.0), "Smart Cards; Machine to Machine UICC; Physical and Logical Characteristics." 121 The ETSI specification defines the environmental classes for the M2M UICC, two form factors (MFF1 and MFF2), the electrical and logical specifications of the MFF UICC-terminal interface and the device pairing mechanism.
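The three smart card functions listed above (authentication of the device to the network, encryption of the data it transmits and protection of that data against manipulation) all rest on one property of the M2M UICC: the key is provisioned into the module and never leaves it. The following Go program is an added example, not code from ETSI or from any M2M product. It models the module as a struct whose key is reachable only through a challenge-response and a sealing operation, and the operator side as the holder of the same key. HMAC-SHA256 stands in for the network's authentication algorithm and AES-GCM for the link encryption; the device identifier and the telemetry records are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// secureElement models the M2M UICC. Its key never leaves the struct: the host
// can only ask it to answer a challenge or to seal a telemetry record.
type secureElement struct {
	id  string
	key []byte // 32 bytes: [:16] authenticates to the network, [16:] seals data
	ctr uint64 // message counter kept inside the module; also the GCM nonce
}

// respond answers a random network challenge with a MAC over the challenge and
// the device identity (HMAC stands in for the SIM's authentication algorithm),
// so one device's response cannot be reused to authenticate another device.
func (se *secureElement) respond(challenge []byte) []byte {
	return mac(se.key[:16], challenge, se.id)
}

// seal encrypts a record with AES-128-GCM under a never-repeating counter nonce;
// the tag also covers the device id, binding the record to the module that made it.
func (se *secureElement) seal(record []byte) (nonce, ct []byte) {
	se.ctr++
	nonce = make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], se.ctr)
	return nonce, gcmFor(se.key[16:]).Seal(nil, nonce, record, []byte(se.id))
}

func mac(key, challenge []byte, id string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(challenge)
	m.Write([]byte(id))
	return m.Sum(nil)
}

// gcmFor builds AES-128-GCM; with a fixed 16-byte key neither constructor can fail.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// network is the operator side: the provisioned key per device, the outstanding
// challenge per device and the highest counter accepted so far (replay window).
type network struct {
	keys, pending map[string][]byte
	seen          map[string]uint64
}

func newNetwork() *network {
	return &network{keys: map[string][]byte{}, pending: map[string][]byte{}, seen: map[string]uint64{}}
}

// provision personalises a module with a fresh key and keeps a copy operator-side.
func (n *network) provision(id string) *secureElement {
	n.keys[id] = randomBytes(32)
	return &secureElement{id: id, key: append([]byte(nil), n.keys[id]...)}
}

// challenge issues a single-use random challenge for a known device to answer.
func (n *network) challenge(id string) ([]byte, error) {
	if _, ok := n.keys[id]; !ok {
		return nil, errors.New("unknown device")
	}
	n.pending[id] = randomBytes(16)
	return n.pending[id], nil
}

// authenticate checks the response against the outstanding challenge. The
// challenge is consumed either way, so a captured response cannot be replayed.
func (n *network) authenticate(id string, response []byte) error {
	c, ok := n.pending[id]
	if !ok {
		return errors.New("no outstanding challenge for device")
	}
	delete(n.pending, id)
	if !hmac.Equal(mac(n.keys[id][:16], c, id), response) {
		return errors.New("challenge response does not verify")
	}
	return nil
}

// open authenticates and decrypts a record, rejecting replays (counter not
// advancing) and any change to the ciphertext, the tag or the claimed device id.
func (n *network) open(id string, nonce, ct []byte) ([]byte, error) {
	key, ok := n.keys[id]
	if !ok || len(nonce) != 12 {
		return nil, errors.New("unknown device or malformed nonce")
	}
	ctr := binary.BigEndian.Uint64(nonce[4:])
	if ctr <= n.seen[id] {
		return nil, fmt.Errorf("replay: counter %d is not above %d", ctr, n.seen[id])
	}
	record, err := gcmFor(key[16:]).Open(nil, nonce, ct, []byte(id))
	if err != nil {
		return nil, errors.New("record rejected: tag mismatch (tampered or wrong device)")
	}
	n.seen[id] = ctr
	return record, nil
}

// runScenario drives the flows with constructed data and returns each outcome
// (nil = accepted) plus the telemetry record the network recovered.
func runScenario() (map[string]error, string) {
	n := newNetwork()
	meter := n.provision("meter-0001")
	results := map[string]error{}

	c, _ := n.challenge(meter.id)
	resp := meter.respond(c)
	results["auth"] = n.authenticate(meter.id, resp)
	results["auth-replayed"] = n.authenticate(meter.id, resp) // challenge already consumed

	nonce, ct := meter.seal([]byte("kWh=1234.5;t=2015-06-15T12:00Z"))
	record, err := n.open(meter.id, nonce, ct)
	results["telemetry"] = err
	_, results["telemetry-replayed"] = n.open(meter.id, nonce, ct)
	nonce2, ct2 := meter.seal([]byte("kWh=1234.9"))
	ct2[0] ^= 0x01 // one bit changed in transit
	_, results["telemetry-tampered"] = n.open(meter.id, nonce2, ct2)
	ct2[0] ^= 0x01 // the genuine record is still fresh and must be accepted
	_, results["telemetry-after-tamper"] = n.open(meter.id, nonce2, ct2)
	return results, string(record)
}

func main() {
	fmt.Println(runScenario())
}
```

The counter kept inside the module does double duty: it is the GCM nonce, which must never repeat under a given key, and it is what the network's replay check keys on. The network advances its stored counter only after the tag verifies, so a tampered copy of a record cannot burn the genuine one.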
The ETSI specification also relies on other underlying smart card specifications for the UICC, including ISO/IEC 7816 and the ETSI TS series of UICC specifications. Communications with M2M modules may be wired or wireless. Wireless communications may be GSM-based, may use point-to-point communication protocols (e.g., Bluetooth) or may be IP-based (e.g., Wi-Fi). Each M2M application is also governed by its own set of standards (for example, for smart metering).

8.7 Pay TV

Smart card technology is incorporated into the conditional access systems used for digital pay TV. Conditional access systems control consumer access to content and allow broadcasters and operators to offer different fee-based content delivered via satellite, cable or other over-the-air systems. Conditional access modules descramble the content being broadcast and protect the consumer codes that authorize access to the content. Smart card technology built into the consumer's set-top box is used to encrypt and decrypt user control codes and transparently descramble broadcast signals. By incorporating a smart card module, broadcasters can update a consumer's set-top box by providing a new smart card rather than a complete new box, and can take advantage of smart card features to prevent compromises of the conditional access system's security. Figure 21 illustrates the use of smart cards in a pay TV application.

Figure 21. Pay TV Application

Additional information on conditional access modules and smart card use in pay TV systems can be found in the following Wikipedia articles: "Television encryption," "Conditional access," "Card sharing," "Pirate decryption" and "Conditional access to television service."
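The paragraph above and Figure 21 give the data flow in outline: the smart card protects the codes that authorize access and releases only what the set-top box needs to descramble. The following Go program is an added example, not code from any conditional access vendor or from the Smart Card Alliance. It implements the generic key hierarchy behind that outline, as the "Conditional access" article referenced above lays it out: a per-card key personalised at manufacture, a service key delivered to entitled cards in entitlement management messages (EMMs), and a control word, rotated every crypto period, delivered in entitlement control messages (ECMs). AES-GCM stands in for both the scrambling algorithm and the key wrapping, and the keys, card names and content are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// wrap and unwrap are AES-128-GCM with a random nonce prefixed to the output.
// One primitive stands in for both the broadcast scrambling algorithm and the
// key wrapping inside ECMs and EMMs; deployed systems use different ones.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys are always 16 bytes here: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

func wrap(key, label, pt []byte) []byte {
	nonce := randBytes(12)
	return gcmFor(key).Seal(nonce, nonce, pt, label)
}

func unwrap(key, label, msg []byte) ([]byte, error) {
	if len(msg) < 12 {
		return nil, errors.New("truncated message")
	}
	return gcmFor(key).Open(nil, msg[:12], msg[12:], label)
}

// headEnd is the operator: one service key shared by current subscribers, plus
// the unique key personalised into each subscriber card at manufacture.
type headEnd struct {
	serviceKey []byte
	cardKeys   map[string][]byte
}

// entitle builds the EMM for one card: serviceKey||expiry wrapped under that card's key.
func (h *headEnd) entitle(cardID string, until time.Time) []byte {
	key, ok := h.cardKeys[cardID]
	if !ok {
		panic("unknown card " + cardID)
	}
	pt := make([]byte, 24)
	copy(pt, h.serviceKey)
	binary.BigEndian.PutUint64(pt[16:], uint64(until.Unix()))
	return wrap(key, []byte("EMM"), pt)
}

// broadcast scrambles one crypto period of content under a fresh control word
// and returns the ECM (control word wrapped under the service key) with it.
func (h *headEnd) broadcast(content []byte) (ecm, data []byte) {
	cw := randBytes(16)
	return wrap(h.serviceKey, []byte("ECM"), cw), wrap(cw, []byte("TS"), content)
}

// card is the subscriber smart card. It holds its own key and the entitlement the
// last EMM installed, and releases nothing to the host except a control word.
type card struct {
	key, serviceKey []byte
	until           time.Time
}

func (c *card) processEMM(emm []byte) error {
	pt, err := unwrap(c.key, []byte("EMM"), emm)
	if err != nil {
		return errors.New("EMM rejected: not for this card or altered")
	}
	c.serviceKey, c.until = pt[:16], time.Unix(int64(binary.BigEndian.Uint64(pt[16:])), 0)
	return nil
}

// controlWord releases the period's control word only while the entitlement is
// current. A real receiver takes now from the broadcast stream, not the host.
func (c *card) controlWord(ecm []byte, now time.Time) ([]byte, error) {
	if c.serviceKey == nil {
		return nil, errors.New("card holds no entitlement")
	}
	if now.After(c.until) {
		return nil, errors.New("entitlement expired")
	}
	return unwrap(c.serviceKey, []byte("ECM"), ecm)
}

// descramble is the set-top box side: obtain the control word from the card,
// then descramble. The box never sees the service key or the card key.
func descramble(c *card, ecm, data []byte, now time.Time) ([]byte, error) {
	cw, err := c.controlWord(ecm, now)
	if err != nil {
		return nil, err
	}
	return unwrap(cw, []byte("TS"), data)
}

// runScenario sets up one head-end and three cards with constructed keys and
// returns each case's outcome (nil = descrambled) and the subscriber's clear content.
func runScenario() (map[string]error, string) {
	now := time.Date(2015, 6, 15, 12, 0, 0, 0, time.UTC)
	h := &headEnd{serviceKey: randBytes(16), cardKeys: map[string][]byte{}}
	cards := map[string]*card{}
	for _, id := range []string{"subscriber", "lapsed", "pirate"} {
		h.cardKeys[id] = randBytes(16)
		cards[id] = &card{key: append([]byte(nil), h.cardKeys[id]...)}
	}
	// Entitlements: 30 days for the subscriber, ended yesterday for the lapsed
	// card, none for the pirate, who also sees (and cannot use) the subscriber's EMM.
	cards["subscriber"].processEMM(h.entitle("subscriber", now.Add(30*24*time.Hour)))
	cards["lapsed"].processEMM(h.entitle("lapsed", now.Add(-24*time.Hour)))
	results := map[string]error{"pirate-foreign-emm": cards["pirate"].processEMM(h.entitle("subscriber", now.Add(30*24*time.Hour)))}

	ecm1, data1 := h.broadcast([]byte("frame 1 of the movie"))
	ecm2, data2 := h.broadcast([]byte("frame 2 of the movie")) // next crypto period
	clear, err := descramble(cards["subscriber"], ecm1, data1, now)
	results["subscriber"] = err
	_, results["lapsed"] = descramble(cards["lapsed"], ecm1, data1, now)
	_, results["pirate"] = descramble(cards["pirate"], ecm1, data1, now)
	_, results["subscriber-next-month"] = descramble(cards["subscriber"], ecm2, data2, now.Add(31*24*time.Hour))
	// A control word captured from period 1 (card sharing) does not open period 2.
	cw1, _ := cards["subscriber"].controlWord(ecm1, now)
	_, results["shared-cw-next-period"] = unwrap(cw1, []byte("TS"), data2)
	return results, string(clear)
}

func main() {
	fmt.Println(runScenario())
}
```

What the box and a pirate can and cannot do follows directly from where each key lives: a card without a current entitlement never yields a control word, a card cannot unwrap an EMM addressed to another card, and a control word captured from one period (the basis of card sharing) fails on the next period's packet once the head-end rotates it.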


More information

Technology Advances in Authentication. Mohamed Lazzouni, SVP & CTO

Technology Advances in Authentication. Mohamed Lazzouni, SVP & CTO Technology Advances in Authentication Mohamed Lazzouni, SVP & CTO Outline Optical Authentication Complexity of security features and their evolution Computing and optics Document analysis techniques Automation

More information

Security Enhancements

Security Enhancements OVERVIEW Security Enhancements February 9, 2009 Abstract This paper provides an introduction to the security enhancements in Microsoft Windows 7. Built upon the security foundations of Windows Vista, Windows

More information

The Benefits of EPCS Beyond Compliance August 15, 2016

The Benefits of EPCS Beyond Compliance August 15, 2016 The Trusted Source for Secure Identity Solutions The Benefits of EPCS Beyond Compliance August 15, 2016 Presenters Sheila Loy Director Healthcare Solutions HID Global Joe Summanen Technical Architect Nemours

More information

Trusted Computing Group

Trusted Computing Group Trusted Computing Group Backgrounder May 2003 Copyright 2003 Trusted Computing Group (www.trustedcomputinggroup.org.) All Rights Reserved Trusted Computing Group Enabling the Industry to Make Computing

More information

Smart Card Alliance Update. Update to the Interagency Advisor Board (IAB) June 27, 2012

Smart Card Alliance Update. Update to the Interagency Advisor Board (IAB) June 27, 2012 Smart Card Alliance Update Update to the Interagency Advisor Board (IAB) June 27, 2012 Industry s Access Control Payments (NEW) Mobile & NFC Identity Industry s Healthcare Transportation Access Control

More information

iclass SE Platform Solutions The New Standard in Access Control

iclass SE Platform Solutions The New Standard in Access Control iclass SE Platform Solutions The New Standard in Access Control iclass SE Platform iclass SE SOLUTIONS Next generation access control solutions for increased security, adaptability, and enhanced performance.

More information

Citizen Biometric Authentication based on e-document verification. e-government perspective. Mindshare Ruslans Arzaniks Head of Development

Citizen Biometric Authentication based on e-document verification. e-government perspective. Mindshare Ruslans Arzaniks Head of Development Citizen Biometric Authentication based on e-document verification. e-government perspective. Mindshare 2017 Ruslans Arzaniks Head of Development About us WHO WE ARE X Infotech is a global provider of software

More information

Whitepaper: GlobalTester Prove IS

Whitepaper: GlobalTester Prove IS Whitepaper: GlobalTester Prove IS Testing of EAC inspection systems By HJP Consulting GmbH Introduction There have been a lot of activities in standardization to define conformity tests for e-passports.

More information

Verifying emrtd Security Controls

Verifying emrtd Security Controls Blackhat Europe 2010 Verifying emrtd Security Controls Raoul D Costa 1 3M 2010. All Rights Reserved. Agenda Overview of ICAO / EU Specifications emrtds decomposed emrtd Infrastructure (PKI) Inspecting

More information

Multiple Credential formats & PACS Lars R. Suneborn, Director - Government Program, HIRSCH Electronics Corporation

Multiple Credential formats & PACS Lars R. Suneborn, Director - Government Program, HIRSCH Electronics Corporation Multiple Credential formats & PACS Lars R. Suneborn, Director - Government Program, HIRSCH Electronics Corporation Insert Company logo here A Smart Card Alliance Educational Institute Course Multiple credential

More information

Past & Future Issues in Smartcard Industry

Past & Future Issues in Smartcard Industry Past & Future Issues in Smartcard Industry Ecrypt 2 Summer School Guillaume Dabosville Oberthur Technologies Oberthur Technologies the group its divisions payment, mobile, transport and digital TV markets

More information

A HOLISTIC APPROACH TO IDENTITY AND AUTHENTICATION. Establish Create Use Manage

A HOLISTIC APPROACH TO IDENTITY AND AUTHENTICATION. Establish Create Use Manage A HOLISTIC APPROACH TO IDENTITY AND AUTHENTICATION Establish Create Use Manage SIMPLE. SECURE. SMART. ALL FROM A SINGLE SOURCE. As the ways to access your organization and its sensitive data increase,

More information

How Next Generation Trusted Identities Can Help Transform Your Business

How Next Generation Trusted Identities Can Help Transform Your Business SESSION ID: SPO-W09B How Next Generation Trusted Identities Can Help Transform Your Business Chris Taylor Senior Product Manager Entrust Datacard @Ctaylor_Entrust Identity underpins our PERSONAL life 2

More information

Will Federated Cross Credentialing Solutions Accelerate Adoption of Smart Card Based Identity Solutions?

Will Federated Cross Credentialing Solutions Accelerate Adoption of Smart Card Based Identity Solutions? Will Federated Cross Credentialing Solutions Accelerate Adoption of Smart Card Based Identity Solutions? Jack Radzikowski,, Northrop Grumman & FiXs Smart Card Alliance Annual Meeting La Jolla, California

More information

HIPAA Compliance and Smart Cards: Solutions to Privacy and Security Requirements

HIPAA Compliance and Smart Cards: Solutions to Privacy and Security Requirements HIPAA Compliance and Smart Cards: Solutions to Privacy and Security Requirements A Smart Card Alliance Report Publication Date: September 2003 Publication Number: ID-03004 Smart Card Alliance 191 Clarksville

More information

Mobile: Purely a Powerful Platform; Or Panacea?

Mobile: Purely a Powerful Platform; Or Panacea? EBT: The Next Generation 2017 Mobile: Purely a Powerful Platform; Or Panacea? Evan O Regan, Director of Product Management Authentication & Fraud Solutions Entrust Datacard POWERFUL PLATFORM OR PANACEA

More information

Identity Management: Setting Context

Identity Management: Setting Context Identity Management: Setting Context Joseph Pato Trusted Systems Lab Hewlett-Packard Laboratories One Cambridge Center Cambridge, MA 02412, USA joe.pato@hp.com Identity Management is the set of processes,

More information

CRESCENDO SERIES Smart Cards. Smart Card Solutions

CRESCENDO SERIES Smart Cards. Smart Card Solutions CRESCENDO SERIES Smart Cards Smart Card Solutions Crescendo offers the lowest total cost of ownership (TCO) for a combined logical and physical access control solution. Crescendo smart cards allow me to

More information

Building an Assurance Foundation for 21 st Century Information Systems and Networks

Building an Assurance Foundation for 21 st Century Information Systems and Networks Building an Assurance Foundation for 21 st Century Information Systems and Networks The Role of IT Security Standards, Metrics, and Assessment Programs Dr. Ron Ross National Information Assurance Partnership

More information

Chapter 9 Section 3. Digital Imaging (Scanned) And Electronic (Born-Digital) Records Process And Formats

Chapter 9 Section 3. Digital Imaging (Scanned) And Electronic (Born-Digital) Records Process And Formats Records Management (RM) Chapter 9 Section 3 Digital Imaging (Scanned) And Electronic (Born-Digital) Records Process And Formats Revision: 1.0 GENERAL 1.1 The success of a digitized document conversion

More information

DoD Common Access Card Convergence of Technology Access/E-Commerce/Biometrics

DoD Common Access Card Convergence of Technology Access/E-Commerce/Biometrics DoD Common Access Card Convergence of Technology Access/E-Commerce/Biometrics IDENTITY Mary Dixon February 12, 2003 1 A Short Review and Update 2 DoD is issuing 4 million smart cards to: Active Duty Military

More information

Identity & security CLOUDCARD+ When security meets convenience

Identity & security CLOUDCARD+ When security meets convenience Identity & security CLOUDCARD+ When security meets convenience CLOUDCARD+ When security meets convenience We live in an ever connected world. Digital technology is leading the way to greater mobility and

More information

Secure Lightweight Activation and Lifecycle Management

Secure Lightweight Activation and Lifecycle Management Secure Lightweight Activation and Lifecycle Management Nick Stoner Senior Program Manager 05/07/2009 Agenda Problem Statement Secure Lightweight Activation and Lifecycle Management Conceptual Solution

More information

Overview of cryptovision's eid Product Offering. Presentation & Demo

Overview of cryptovision's eid Product Offering. Presentation & Demo Presentation & Demo Benjamin Drisch, Adam Ross cv cryptovision GmbH T: +49 (0) 209.167-24 50 F: +49 (0) 209.167-24 61 info(at)cryptovision.com 1 General Requirements Government of Utopia Utopia Electronic

More information

Phishing is Yesterday s News Get Ready for Pharming

Phishing is Yesterday s News Get Ready for Pharming April 2005 Copyright 2005 Entrust. All rights reserved. Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. Entrust is a registered trademark of Entrust

More information

The epassport: What s Next?

The epassport: What s Next? The epassport: What s Next? Justin Ikura LDS2 Policy Sub-Group Co-chair Tom Kinneging Convenor of ISO/IEC JTC1 SC17 WG3 International Organization for Standardization (ISO) Strengthening Aviation Security

More information

WLAN Security Overview

WLAN Security Overview WLAN Security Overview This Chapter Explore the basic terminology of WLAN security. Discuss the organizations that create the standards, certifications, and recommendations that help guide and direct wireless

More information

Authentication Methods

Authentication Methods CERT-EU Security Whitepaper 16-003 Authentication Methods D.Antoniou, K.Socha ver. 1.0 20/12/2016 TLP: WHITE 1 Authentication Lately, protecting data has become increasingly difficult task. Cyber-attacks

More information

RSA Solution Brief. Providing Secure Access to Corporate Resources from BlackBerry. Devices. Leveraging Two-factor Authentication. RSA Solution Brief

RSA Solution Brief. Providing Secure Access to Corporate Resources from BlackBerry. Devices. Leveraging Two-factor Authentication. RSA Solution Brief Providing Secure Access to Corporate Resources from BlackBerry Devices Leveraging Two-factor Authentication Augmenting the BlackBerry Enterprise Solution BlackBerry devices are becoming ubiquitous throughout

More information

Leadership, Education and Advancement Program (LEAP) CERTIFIED SMART CARD INDUSTRY PROFESSIONAL (CSCIP) LEAP PROGRAM MANUAL TERMS AND CONDITIONS

Leadership, Education and Advancement Program (LEAP) CERTIFIED SMART CARD INDUSTRY PROFESSIONAL (CSCIP) LEAP PROGRAM MANUAL TERMS AND CONDITIONS Leadership, Education and Advancement Program (LEAP) CERTIFIED SMART CARD INDUSTRY PROFESSIONAL (CSCIP) LEAP PROGRAM MANUAL TERMS AND CONDITIONS TABLE OF CONTENTS 1.0 Industry Need page 2 1.1 LEAP Goals

More information

No More Excuses: Feds Need to Lead with Strong Authentication!

No More Excuses: Feds Need to Lead with Strong Authentication! No More Excuses: Feds Need to Lead with Strong Authentication! Dr. Sarbari Gupta sarbari@electrosoft-inc.com Annual NCAC Conference on Cybersecurity March 16, 2016 Electrosoft Services, Inc. 1893 Metro

More information

Advanced Security Mechanisms for Machine Readable Travel Documents and eidas Token

Advanced Security Mechanisms for Machine Readable Travel Documents and eidas Token Technical Guideline TR-03110-1 Advanced Security Mechanisms for Machine Readable Travel Documents and eidas Token Part 1 emrtds with BAC/PACEv2 and EACv1 Version 2.20 26. February 2015 History Version

More information

Provincial IDIM Program BC Services Card Project Identity Assurance Services Solution Architecture Overview

Provincial IDIM Program BC Services Card Project Identity Assurance Services Solution Architecture Overview Provincial IDIM Program BC Services Card Project Identity Assurance Services Version: 1.0 2016-12-22 Document Information Document title IAS Revision number 1.0 Issued by Patricia Wiebe, Director of Identity

More information

ECA Trusted Agent Handbook

ECA Trusted Agent Handbook Revision 8.0 September 4, 2015 Introduction This Trusted Agent Handbook provides instructions for individuals authorized to perform personal presence identity verification of subscribers enrolling for

More information

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008 Interagency Advisory Board HSPD-12 Insights: Past, Present and Future Carol Bales Office of Management and Budget December 2, 2008 Importance of Identity, Credential and Access Management within the Federal

More information

Singapore s National Digital Identity (NDI):

Singapore s National Digital Identity (NDI): Singapore s National Digital Identity (NDI): Leaving no one behind Kwok Quek Sin Director, National Digital Identity Programme Government Technology Agency PART 1 INTRODUCTION TO NDI Better Living For

More information

Security Solutions for Mobile Users in the Workplace

Security Solutions for Mobile Users in the Workplace Security Solutions for Mobile Users in the Workplace 1 1 Multitasking means multiple devices for busy end users Introduction Cloud computing helps organizations operate with less infrastructure, reducing

More information

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman Public Key Infrastructure PKI National Digital Certification Center Information Technology Authority Sultanate of Oman Agenda Objectives PKI Features etrust Components Government eservices Oman National

More information

ABOUT LEXA INDIA SERVICES ABOUT ULTRAMAGICARD QUALITY APPROVALS ABOUT ULTRA ELECTRONICS CARD SYSTEMS PRODUCTS DETAILS I) RIO-PRO II) ENDURA + III)

ABOUT LEXA INDIA SERVICES ABOUT ULTRAMAGICARD QUALITY APPROVALS ABOUT ULTRA ELECTRONICS CARD SYSTEMS PRODUCTS DETAILS I) RIO-PRO II) ENDURA + III) 1. 2. 3. 4. 5. ABOUT LEXA INDIA SERVICES ABOUT ULTRAMAGICARD QUALITY APPROVALS ABOUT ULTRA ELECTRONICS CARD SYSTEMS PRODUCTS DETAILS I) RIO-PRO II) ENDURA + III) PRONTO IV) PRIMA 4 6. CONSUMABLES 7. APPLICATION

More information

National Biometric Security Project

National Biometric Security Project National Biometric Security Project Activity Update: 2003-2005 Biometric Consortium Conference 2005 National Biometric Security Project Mission Assist government and private sector organizations deter

More information

CERN Certification Authority

CERN Certification Authority CERN Certification Authority Emmanuel Ormancey (IT/IS) What are Certificates? What are Certificates? Digital certificates are electronic credentials that are used to certify the identities of individuals,

More information

Using the Prototype TWIC for Access A System Integrator Perspective

Using the Prototype TWIC for Access A System Integrator Perspective Using the Prototype TWIC for Access A System Integrator Perspective AAPA Port Security Seminar and Exhibition, Seattle, WA July 19, 2006 Management and Technology Consultants The Challenge How do I manage

More information