g6 Authentication Platform

Transcription

1 g6 Authentication Platform Seamlessly and cost-effectively modernize a legacy PACS to be HSPD-12 compliant l l l l Enrollment and Validation Application Authentication Modules Readers

2 HSPD-12 Enrollment Application & 2-Door Authentication Module Upgrade Legacy Physical Access Systems to Meet HSPD-12 Requirements For Strong Authentication For nearly a decade, Federal Government agencies have struggled with how to modernize their existing physical access control systems (PACS) to operate in the HSPD- 12 environment. The challenge has been elusive: legacy systems are proprietary and based on 30-year old Wiegand communication while HSPD-12 requires use of modern cryptographic tools. Many physical access system providers offer readers that are listed as FIPS-201 compliant on the GSA Approved Products List. Agencies have purchased these components under the implication that their legacy PACS will then be HSPD-12 compliant. Unfortunately, this is not the case. For example, replacing legacy readers with smart card readers capable of reading PIV and CAC credentials is not a secure solution. To trust that a card it is not a clone or copy of the genuine card, the public key certificates on the card must be utilized. The g6 activates use of PKI between the PIV and the legacy PACS to insure the credential can be trusted. The g6 Authentication Platform can modernize many existing PACS to be HSPD-12 compliant. It offers the most modern, streamlined option for agencies to implement PKI cost effectively and one that is: - Simple to implement, - Seamless to operate - Preserves the legacy PACS infrastructure The diagram shows the g6 Architecture for upgrading two doors. The new platform includes 2 g6 Readers, a g6 Authentication Module and the BridgePoint TrustAlert Enrollment and Validation Suite. The only new cables required are two short CAT 6 (or equivalent) patch-cables between the Legacy Panel and the Authentication Module (shown in red). The remaining legacy system components, including the cabling, panels, server and software remain in place, preserving the current investment. HOW the g6 Authentication Platform WORKS The same PKI operations used to secure access to IT networks are used to secure physical access, but they are deployed differently because of latency factors inherent in online real-time validation: one will wait a few seconds for the authentication process when logging onto a network, but those same people will not tolerate that same length of time at a door to be granted access. One solution is to perform the validation operation in advance, cache the results and deny access to any revoked certificates. Latest Government guidance has set a maximum of 6 hours between certificate status checks. The g6 system implements PKI in physical access in 3 seamless steps: 1. At enrollment, the public key-private key pair is verified and the certificates are validated to establish a high degree of confidence the PIV is genuinely issued and has not been revoked. 2. During the enrolled period, frequent re-validation and immediate denial-of-access for any credential that becomes revoked. 3. At a request for access, cryptographic verification that the PIV has the same unique public key-private key pair that was on the credential when enrolled.

3 TRUSTALERT SOFTWARE COMPONENTS Enrollment Application Provides the GUI interface through which the enrollment process is performed. PACS Enrollment Service Provides a uniform interface between Enrollment Software components and a range of PACS systems. Adds personnel and credentials into an integrated PACS system, assigns a default access privilege (level) and disables credentials in the event of a relying certificate being revoked. Credential Repository Service Maintains a secure (FIPS140) credential repository containing copies of relying credentials used during the enrollment process. CERTIFICATE VALIDATION SERVICE (NOTE: not included with the Enrollment Application) TrustAlert enables the PKI validation, solving a major problem for implementing trusted solutions in physical access systems. TrustAlert Enrollment and Validation Application The Service validates presented credentials via OCSP (Online Certificate Status Protocol), SCVP (Server-based Certificate Validation Protocol) or CRL (Certificate Revocation List). TrustAlert is a tightly integrated hardware and software solution that optimizes authentication and enrollment of PIV, CAC, TWIC and PIV-I credentials into compatible access control systems. By importing data directly from the credential, errors that result from manual entry are eliminated and enrollment time is reduced from an average of 10 minutes to 15 seconds. Built on Open Standard RFC-2560 for revocation status and RFC-2580 path validation module. Works both on-premise and in-the-cloud validation models Supports both direct and CA-delegated trust models. Pre-configured for DoD and Federal PKI deployments PDVAL compliant path discovery and validation TrustAlrert includes a Certificate Repository that stores Public Key Certificates from the credentials as they are enrolled. This data store can be used to frequently re-validate the status of enrolled certificates and notify the legacy PACS whenever a certificate is revoked and a credential should be denied access. TrustAlert Enrollment Readers provide strong authentication including PIN challenge, biometric match (optional), and PKI challenge-response verification to both the personal and card authentication certificates on the credential. The GUI displays the results of each step in the authentication process along with data retrieved from the credential. Once the authentication factors are confirmed, data from the credential can be enrolled into a compatible PACS with one simple click on the ENROLL button. The Certificate Repository collects and stores the information necessary from the certificates to validate the current certificate status. Collecting this information on Enrollment enables validation to be implemented at a later date, saving the inconvenience and expense of re-enrolling users at a later date to capture certificates. 2-FACTOR AND 3-FACTOR ENROLLMENT READERS Features: Sturdy construction and Integrated design simplifies the enrollment process for the user Presents same user experience as the BridgePoint Access Readers Eliminates multiple desktop components Eliminates data entry errors Less than 15 Seconds for complete enrollment process Supports PIN challenge Supports PKI Challenge-Response to both personal authentication key (PAK) and card authentication key (CAK) Extracts PHOTO image from chip for displaying in a compatible PACS Data presented in structured XML or ASCII text format suitable for direct input to a compatible PACS Plug and Play USB Interface BridgePoint Systems, Inc. l 530 McCormick St. l San Leandro CA USA l

4 g6 Authentication Module The g6 Authentication Module is installed in series between new g6 Access Readers and the existing Wiegand-based legacy panels. It can be located nearer to the readers or nearer to the panel, which ever is easier. Depending on which location is selected, a short set of cables will be required to connect the Module to either the readers or the legacy panel. BridgePoint s crypto-optimization tools provide the CAK verify operation in approximately 2-seconds for RSA 2048 certificates over the contactless interface and even faster for the PAK over the contact interface. No competitive products match this speed. The g6 Module supports 4 different authentication modes that can be selectable using control lines from the legacy panel: MODE: CAK CAK + Pin to Panel PIV AUTH PIV + PIN + BIO The g6 Authentication Module is compatible with these major systems in addition to the BridgePoint PACS. Features and Functionality No installation of a new network Utilizes existing cabling infrastructure Supports RS-485 serial communication (1,000 times faster than legacy Wiegand communication) No new server required to process certificates g6 Module is optimized to securely operate with BridgePoint Readers Supports 2 Readers and 2 sets of Weigand control lines (Data0, Data1, LED1 and LED2) Supports all PIV, PIV-I, TWIC and CAC credentials including 128 bit GUID 25,000 event History Log (back-up log) AES-256 bi-directional encrypted communication with Readers Diffie-Hellman Key Exchange eliminates need for private keys Supports NSA/NIST Suite B including RSA 1024 & 2048 and ECC 256 Physical Tamper Detection sends alert to legacy PACS on physical attack Logical Tamper Detection mitigates attack by multiple invalid credentials Field upgradable firmware secured with 8-character password protection USB Port supports flash programming and configuration settings LED s provide Power & Connectivity Status Standard ½ Conduit Fitting eliminates mounting box

5 SPECIFICATIONS DIMENSIONS 6-3/8 Wide X 7-1/2 High X 2-1/4 Deep WEIGHT 1 LB 10 OZ MECHANICAL SPECIFICATIONS Enclosure: Fully enclosed UL-94 polycarbonate case with cam lock. Steel back plate provides rigidity and cable strain relief. All cable connections are protected from tampering. Installation: Designed to mount on dry wall or concrete surfaces. Compatible with standard single-gang or double-gang electrical wall boxes. Includes integral ½ Conduit Fitting and space for service loop that maintains low-profile and eliminates need for separate electrical box. Visual LED Indicators: Power, Legacy Controller Connectivity, Access Granted, Access Denied & Tamper Condition. Tamper Detection: Tamper switch provides alarm indication if Cover is removed. Standard Inputs: Supports 2 BridgePoint Readers (1F, 2F or 3F) and 2 Auxiliary Relay Inputs for Authentication Mode Control. Standard Outputs: supports 2 sets of Wiegand Control Lines: Data0, Data1, LED1 and LED2 Legacy Panel Connection: Industry Standard Wiegand Reader Connection: RS-485 bi-directional with AES encryption Local Control: On-board USB Command Line Interface for Application Programming, Configuration and Diagnostics. HARDWARE SPECIFICATIONS Microcontroller: 32-bit 80 MHz RISC Processor with 512K bytes internal RAM and 576K external RAM. Micro OS is strongly resistant to external attack. Memory: 1-Gigabyte Flash Memory Reader Interface: Industry Standard Wiegand or RS-485 Serial Protocol with AES Encryption. Lithium Battery-backed Real Time Clock CABLE REQUIREMENTS AND DISTANCES Readers: Up to 300 feet with CAT5, CAT6 or 4 Conductor 18 AWG cable Legacy PACS Network: 300 feet Interface Controller to Legacy Panel with Cat 6 Cable or 18 AWG cable INPUT POWER 12 Volt DC 1 Amp (2 Readers Connected) DC Power Supply: VAC Cycle V-Infinity EPSA Switching Power Supply - Energy Star Rated (Included) OUTPUT POWER 12Volt DC 300 ma (each Reader Port) ENVIRONMENTAL Indoor Installation Recommended Outdoor: Requires NEMA 4 enclosure - Temperature: -20F to 150F - Humidity: 5% to 95% non-condensing FIRMWARE FEATURES Stand-alone operation transparent to legacy PACS Supports all HSPD-12 Strong Authentication Mechanisms MEMORY: Audit List: 25,000 most recent events (audited locally through USB Port) CREDENTIALS SUPPORTED: PIV, CAC, TWIC, FRAC (48, 56, 75 or 200 bit FASCN are standard; many other formats are supported) PIV-I, BridgePoint CryptoID (128 bit UUID) MiFare, DESfire (UID 32 bit Silicon ID) CERTIFICATE SIGNATURE MATCH USING efasc-n or eguid (Mitigation of Cloned Credentials) - Personal Certificate (32 to 256 bit SHA-2) - Card Auth Certificate (32 to 256 bit SHA-2) SUPPORTED LEGACY PANEL INPUT COMMANDS Commands implemented by Control of two Legacy Panel Auxiliary Relays (up to 4 controllable authentication modes) Scheduled switching of Authentication Mode is dependent on PACS Panel ability to program state of Auxiliary Relays AUTHENTICATION MODES (CAN BE SET IIN AUTHENTICATION MODULE AND CONTROLLED BY TIME & DAY BY PANEL): 1-Factor CAK 2-Factor CAK + PIN to Panel 2-Factor PAK AUTH 3-Factor PIV + PIN + BIO PKI CRYPTOGRAPHIC MODULE PKI Cryptographic Support: 32-bit cryptographic processor with hardware acceleration supports NIST/NSA Suite B Algorithms including: PKI VERIFY (via RSA or ECC Public-Private Key Pair) - PAK Challenge-Response (Personal Certificate) - CAK Challenge-Response (Card Authentication Key) Communication Encryption: Supports AES-256 encryption between Readers and Interface Controllers with Diffie-Helman Dynamic Key Exchange to mitigate man-in-the-middle attacks. No cryptographic keys stored in system. WARRANTY 24 Months from date of installation (25 months from date of shipment) Copyright BridgePoint Systems BridgePoint, TrustPoint, TrustAlert, and epacs are trademarks of BridgePoint Systems, Inc.