g6 Authentication Platform

Seamlessly and cost-effectively modernize a legacy PACS to be HSPD-12 compliant.

Platform components: Enrollment and Validation Application, Authentication Modules, Readers

HSPD-12 ENROLLMENT APPLICATION & 2-DOOR AUTHENTICATION MODULE
Upgrade legacy physical access systems to meet HSPD-12 requirements for strong authentication

For nearly a decade, Federal Government agencies have struggled with how to modernize their existing physical access control systems (PACS) to operate in the HSPD-12 environment. The solution has been elusive: legacy systems are proprietary and built on 30-year-old Wiegand communication, while HSPD-12 requires the use of modern cryptographic tools.

Many physical access system providers offer readers that are listed as FIPS 201 compliant on the GSA Approved Products List. Agencies have purchased these components on the assumption that their legacy PACS would then be HSPD-12 compliant. Unfortunately, this is not the case. Replacing legacy readers with smart card readers capable of reading PIV and CAC credentials is not, by itself, a secure solution: a reader that only reads the card's identifier (the CHUID/FASC-N) and forwards it over Wiegand sends the same bits whether they come from the genuine card or from a copy. To trust that a card is not a clone or copy of a genuine card, the public key certificates on the card must be used, and the card must prove that it holds the private key matching the certificate. The g6 activates the use of PKI between the PIV and the legacy PACS to ensure the credential can be trusted.

The g6 Authentication Platform can modernize many existing PACS to be HSPD-12 compliant. It offers a modern, streamlined option for agencies to implement PKI cost-effectively, one that is:
- Simple to implement
- Seamless to operate
- Preserves the legacy PACS infrastructure

The diagram shows the g6 architecture for upgrading two doors. The new platform includes two g6 Readers, a g6 Authentication Module and the BridgePoint TrustAlert Enrollment and Validation Suite. The only new cables required are two short CAT 6 (or equivalent) patch cables between the legacy panel and the Authentication Module (shown in red in the diagram). The remaining legacy system components, including the cabling, panels, server and software, remain in place, preserving the current investment.
HOW THE g6 AUTHENTICATION PLATFORM WORKS

The same PKI operations used to secure access to IT networks are used to secure physical access, but they are deployed differently because of the latency inherent in online, real-time validation: a user will wait a few seconds for authentication when logging on to a network, but will not tolerate the same delay at a door. The solution is to perform the validation in advance, cache the results, and deny access to any revoked certificate. The latest Government guidance sets a maximum of 6 hours between certificate status checks.

The g6 system implements PKI in physical access in three seamless steps:
1. At enrollment, the public/private key pair is verified (the card proves possession of the private key) and the certificates are validated (chain to a trusted root, not expired, not revoked), establishing a high degree of confidence that the PIV was genuinely issued and has not been revoked.
2. During the enrolled period, the enrolled certificates are frequently re-validated, and any credential whose certificate becomes revoked is immediately denied access.
3. At a request for access, the reader issues a challenge and cryptographically verifies that the presented card holds the same public/private key pair that was on the credential when it was enrolled; a copy of the card's data without the private key fails this step.
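The three steps above are the whole trust model, so here is a minimal working model of them. It is an added example, not BridgePoint code, built on Go's standard crypto/x509 and crypto/ecdsa packages. A throwaway issuing CA and a P-256 Card Authentication Key certificate stand in for the Federal PKI and a PIV card; the revocation result is a constructed map keyed by certificate serial rather than a live OCSP/CRL fetch; the credential ID is the certificate's common name rather than a FASC-N or GUID; and every type and function name (Card, PACS, Enroll, Revalidate, Authorize, Issue) is this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Card models a PIV card: its CAK certificate and the private key that, on a
// real card, never leaves the chip. Issue also uses it to hold the CA key pair.
type Card struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// Sign answers a reader challenge with ECDSA over SHA-256(nonce).
func (c *Card) Sign(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.Key, h[:])
}

// PACS stands in for the g6 module plus its certificate repository; enrolled is
// keyed by credential ID (FASC-N/GUID on a real card, the certificate CN here).
type PACS struct {
	roots    *x509.CertPool
	enrolled map[string]*x509.Certificate
}

func NewPACS(root *x509.Certificate) *PACS {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &PACS{roots: pool, enrolled: map[string]*x509.Certificate{}}
}

// Enroll (step 1): validate the path to a trusted root and the revocation status,
// then cache the certificate. revoked stands in for a CRL/OCSP result keyed by serial.
func (p *PACS) Enroll(cert *x509.Certificate, revoked map[string]bool) error {
	opts := x509.VerifyOptions{Roots: p.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	serial := cert.SerialNumber.String()
	if revoked[serial] {
		return fmt.Errorf("certificate %s is revoked", serial)
	}
	if _, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok {
		return fmt.Errorf("unsupported key type %T", cert.PublicKey)
	}
	p.enrolled[cert.Subject.CommonName] = cert
	return nil
}

// Revalidate (step 2): drop every cached credential whose certificate is now
// revoked and return their IDs so the legacy panel can be told to deny them.
func (p *PACS) Revalidate(revoked map[string]bool) []string {
	var ids []string
	for id, c := range p.enrolled {
		if revoked[c.SerialNumber.String()] {
			delete(p.enrolled, id)
			ids = append(ids, id)
		}
	}
	return ids
}

// Authorize (step 3): the card signs a fresh nonce, which is verified against
// the public key cached at enrollment. Nothing is fetched online at the door.
func (p *PACS) Authorize(id string, card *Card) (bool, error) {
	c, ok := p.enrolled[id]
	if !ok {
		return false, nil
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	sig, err := card.Sign(nonce)
	if err != nil {
		return false, err
	}
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(c.PublicKey.(*ecdsa.PublicKey), h[:], sig), nil
}

// Issue creates a P-256 key and certificate, self-signed when parent is nil:
// a throwaway PKI so the example runs offline.
func Issue(cn string, serial int64, parent *Card) (*Card, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: parent == nil,
	}
	if parent == nil {
		parent, t.KeyUsage = &Card{Cert: t, Key: key}, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent.Cert, &key.PublicKey, parent.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Card{Cert: cert, Key: key}, err
}

func main() {
	ca, _ := Issue("Example Issuing CA", 1, nil)
	card, _ := Issue("FASCN-0001", 1001, ca)
	pacs := NewPACS(ca.Cert)
	fmt.Println("enroll:", pacs.Enroll(card.Cert, nil))
	ok, _ := pacs.Authorize("FASCN-0001", card)
	fmt.Println("genuine card admitted:", ok)
	other, _ := Issue("FASCN-0001", 1001, ca) // clone: same certificate, different key
	ok, _ = pacs.Authorize("FASCN-0001", &Card{Cert: card.Cert, Key: other.Key})
	fmt.Println("cloned card admitted:", ok)
	fmt.Println("disabled after revocation:", pacs.Revalidate(map[string]bool{"1001": true}))
}
```

Enroll refuses a certificate that does not chain to the trusted root or is already revoked; Revalidate is what the scheduled status check would call with a fresh CRL or OCSP result; and Authorize rejects a card that replays the genuine certificate with a different private key, which is exactly the cloned-card case the text describes, while needing no network access at the door.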

TRUSTALERT SOFTWARE COMPONENTS

Enrollment Application: Provides the GUI through which the enrollment process is performed.

PACS Enrollment Service: Provides a uniform interface between the enrollment software components and a range of PACS. Adds personnel and credentials into an integrated PACS, assigns a default access privilege (level), and disables a credential when a certificate it relies on is revoked.

Credential Repository Service: Maintains a secure (FIPS 140) credential repository containing copies of the certificates relied on during the enrollment process.

CERTIFICATE VALIDATION SERVICE (NOTE: not included with the Enrollment Application)

TrustAlert enables PKI validation, solving a major problem in implementing trusted solutions in physical access systems. The service validates presented credentials via OCSP (Online Certificate Status Protocol), SCVP (Server-based Certificate Validation Protocol) or CRL (Certificate Revocation List).

TRUSTALERT ENROLLMENT AND VALIDATION APPLICATION

TrustAlert is a tightly integrated hardware and software solution that optimizes authentication and enrollment of PIV, CAC, TWIC and PIV-I credentials into compatible access control systems. By importing data directly from the credential, errors that result from manual entry are eliminated and enrollment time is reduced from an average of 10 minutes to 15 seconds.
- Built on open standards: RFC 2560 (OCSP) for revocation status and RFC 3280 (since superseded by RFC 5280) for certification path validation
- Works with both on-premise and in-the-cloud validation models
- Supports both direct and CA-delegated trust models
- Pre-configured for DoD and Federal PKI deployments
- PD-VAL compliant path discovery and validation

TrustAlert includes a Certificate Repository that stores the public key certificates from credentials as they are enrolled. This data store is used to frequently re-validate the status of enrolled certificates and to notify the legacy PACS whenever a certificate is revoked and a credential should be denied access.

TrustAlert Enrollment Readers provide strong authentication, including PIN challenge, biometric match (optional), and PKI challenge-response verification against both the personal authentication certificate and the card authentication certificate on the credential. The GUI displays the results of each step in the authentication process along with the data retrieved from the credential. Once the authentication factors are confirmed, data from the credential can be enrolled into a compatible PACS with a single click on the ENROLL button. The Certificate Repository collects and stores the information from the certificates that is needed to validate their current status. Collecting this information at enrollment allows validation to be implemented at a later date, avoiding the inconvenience and expense of re-enrolling users to capture their certificates.

2-FACTOR AND 3-FACTOR ENROLLMENT READERS

Features:
- Sturdy construction and integrated design simplifies the enrollment process for the user
- Presents the same user experience as the BridgePoint Access Readers
- Eliminates multiple desktop components
- Eliminates data entry errors
- Less than 15 seconds for the complete enrollment process
- Supports PIN challenge
- Supports PKI challenge-response to both the personal authentication key (PAK; the PIV Authentication Key in FIPS 201 terminology) and the card authentication key (CAK)
- Extracts the photo image from the chip for display in a compatible PACS
- Data presented in structured XML or ASCII text format suitable for direct input to a compatible PACS
- Plug-and-play USB interface

BridgePoint Systems, Inc. | 530 McCormick St. | San Leandro CA 94577 USA | 510.346.1510

g6 AUTHENTICATION MODULE

The g6 Authentication Module is installed in series between new g6 Access Readers and the existing Wiegand-based legacy panels. It can be located nearer to the readers or nearer to the panel, whichever is easier. Depending on the location selected, a short set of cables is required to connect the Module to either the readers or the legacy panel.

BridgePoint's crypto-optimization tools perform the CAK verify operation in approximately 2 seconds for RSA 2048 certificates over the contactless interface, and faster still for the PAK over the contact interface. No competitive products match this speed.

The g6 Module supports four authentication modes, selectable using control lines from the legacy panel:
- CAK
- CAK + PIN to Panel
- PIV AUTH
- PIV + PIN + BIO

The g6 Authentication Module is compatible with these major systems in addition to the BridgePoint PACS.

Features and Functionality
- No installation of a new network; utilizes the existing cabling infrastructure
- Supports RS-485 serial communication (1,000 times faster than legacy Wiegand communication)
- No new server required to process certificates
- g6 Module is optimized to operate securely with BridgePoint Readers
- Supports 2 Readers and 2 sets of Wiegand control lines (Data0, Data1, LED1 and LED2)
- Supports all PIV, PIV-I, TWIC and CAC credentials, including the 128-bit GUID
- 25,000-event history log (back-up log)
- AES-256 bi-directional encrypted communication with Readers
- Diffie-Hellman key exchange between reader and module negotiates session keys at run time, so no private keys have to be provisioned or stored
- Supports RSA 1024 and 2048 and ECC P-256 (the ECC and AES algorithms are the NSA/NIST Suite B set; RSA is not a Suite B algorithm, and since current NIST PIV key requirements in SP 800-78 specify RSA 2048 or ECC, RSA 1024 matters only for legacy cards)
- Physical tamper detection sends an alert to the legacy PACS on physical attack
- Logical tamper detection mitigates attack by repeated presentation of invalid credentials
- Field-upgradable firmware secured with 8-character password protection
- USB port supports flash programming and configuration settings
- LEDs provide power and connectivity status
- Standard ½-inch conduit fitting eliminates the need for a mounting box
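What the module hands to the legacy panel over the Wiegand lines (Data0, Data1) after the PKI check has passed is the card's identifier, for PIV credentials a FASC-N in one of the bit formats listed under Credentials Supported. The 200-bit form is the complete FASC-N as 40 five-bit BCD characters, each four data bits (least significant first) plus an odd parity bit, framed by a start sentinel, field separators and an end sentinel, and closed by an LRC that is the XOR of the preceding 39 characters. The following Go program is an added example, not BridgePoint code: it encodes and validates that format with the field widths and framing of the FIPS 201 / TIG SCEPACS definition; the sample value is constructed and belongs to no real credential, and the shorter 48/56/75-bit variants and the eFASC-N digest are not covered. Note that the stream is the same on every presentation, so a panel that sees only these bits cannot tell a copy from the original; that distinction is the job of the challenge-response done in front of it.

```go
package main

import (
	"fmt"
	"strings"
)

// FASCN holds the nine numeric fields of a Federal Agency Smart Credential
// Number; digit widths are AC 4, SC 4, CN 6, CS 1, ICI 1, PI 10, OC 1, OI 4, POA 1.
type FASCN struct {
	AC, SC, CN, CS, ICI, PI, OC, OI, POA string
}

// Start sentinel, field separator and end sentinel of the 5-bit BCD alphabet.
const ss, fs, es = 0xB, 0xD, 0xF

// layout is the 39-character sequence before the LRC: a field index 0-8, or a
// sentinel stored negated so it cannot be confused with an index.
var layout = []int{-ss, 0, -fs, 1, -fs, 2, -fs, 3, -fs, 4, -fs, 5, 6, 7, 8, -es}
var widths = []int{4, 4, 6, 1, 1, 10, 1, 4, 1}

// Sample is a constructed FASC-N for demonstration, not a real credential.
var Sample = FASCN{AC: "3201", SC: "1234", CN: "000001", CS: "0", ICI: "1", PI: "1234567890", OC: "1", OI: "1700", POA: "1"}

func (f *FASCN) fields() []*string {
	return []*string{&f.AC, &f.SC, &f.CN, &f.CS, &f.ICI, &f.PI, &f.OC, &f.OI, &f.POA}
}

// Encode returns the 200-bit Wiegand stream: 40 characters of 4 data bits
// (LSB first) plus an odd parity bit, the last being the LRC (XOR of the rest).
func (f *FASCN) Encode() (string, error) {
	var chars []byte
	for _, item := range layout {
		if item < 0 {
			chars = append(chars, byte(-item))
			continue
		}
		s := *f.fields()[item]
		if len(s) != widths[item] || strings.Trim(s, "0123456789") != "" {
			return "", fmt.Errorf("field %d: want %d digits, got %q", item, widths[item], s)
		}
		for _, c := range s {
			chars = append(chars, byte(c-'0'))
		}
	}
	var lrc byte
	for _, c := range chars {
		lrc ^= c
	}
	var b strings.Builder
	for _, c := range append(chars, lrc) {
		ones := 0
		for i := 0; i < 4; i++ {
			ones += int(c>>i) & 1
			b.WriteByte('0' + (c>>i)&1)
		}
		b.WriteByte('0' + byte(1-ones%2)) // odd parity over the 5 bits
	}
	return b.String(), nil
}

// Decode parses and checks a 200-bit stream: per-character odd parity, the LRC,
// sentinel positions and digit range. Any single-bit error on the wire is rejected.
func Decode(bits string) (*FASCN, error) {
	if len(bits) != 200 {
		return nil, fmt.Errorf("want 200 bits, got %d", len(bits))
	}
	chars := make([]byte, 40)
	for i := range chars {
		ones := 0
		for j := 0; j < 5; j++ {
			switch bits[i*5+j] {
			case '1':
				ones++
				if j < 4 {
					chars[i] |= 1 << j
				}
			case '0':
			default:
				return nil, fmt.Errorf("non-binary symbol at bit %d", i*5+j)
			}
		}
		if ones%2 == 0 {
			return nil, fmt.Errorf("parity error in character %d", i)
		}
	}
	var lrc byte
	for _, c := range chars[:39] {
		lrc ^= c
	}
	if lrc != chars[39] {
		return nil, fmt.Errorf("LRC mismatch: computed %X, received %X", lrc, chars[39])
	}
	f, pos := &FASCN{}, 0
	for _, item := range layout {
		if item < 0 {
			if chars[pos] != byte(-item) {
				return nil, fmt.Errorf("expected sentinel %X at character %d", -item, pos)
			}
			pos++
			continue
		}
		for k := 0; k < widths[item]; k++ {
			if chars[pos] > 9 {
				return nil, fmt.Errorf("non-BCD digit at character %d", pos)
			}
			*f.fields()[item] += string('0' + chars[pos])
			pos++
		}
	}
	return f, nil
}

func main() {
	bits, err := Sample.Encode()
	fmt.Println(bits, err)
	fmt.Println(Decode(bits))
}
```

Decode deliberately fails closed: a single flipped bit breaks a character's parity, two flipped bits in one character pass parity but change the LRC, and a missing or surplus bit changes the length, so a module that validates this way never forwards a damaged identifier to the panel.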

SPECIFICATIONS

DIMENSIONS: 6-3/8 in. wide x 7-1/2 in. high x 2-1/4 in. deep
WEIGHT: 1 lb 10 oz

MECHANICAL SPECIFICATIONS
Enclosure: Fully enclosed UL-94 polycarbonate case with cam lock. Steel back plate provides rigidity and cable strain relief. All cable connections are protected from tampering.
Installation: Designed to mount on drywall or concrete surfaces. Compatible with standard single-gang or double-gang electrical wall boxes. Includes an integral ½-inch conduit fitting and space for a service loop, which maintains a low profile and eliminates the need for a separate electrical box.
Visual LED Indicators: Power, Legacy Controller Connectivity, Access Granted, Access Denied and Tamper Condition.
Tamper Detection: Tamper switch provides an alarm indication if the cover is removed.
Standard Inputs: Supports 2 BridgePoint Readers (1F, 2F or 3F) and 2 auxiliary relay inputs for authentication mode control.
Standard Outputs: Supports 2 sets of Wiegand control lines: Data0, Data1, LED1 and LED2.
Legacy Panel Connection: Industry-standard Wiegand.
Reader Connection: RS-485 bi-directional with AES encryption.
Local Control: On-board USB command line interface for application programming, configuration and diagnostics.

HARDWARE SPECIFICATIONS
Microcontroller: 32-bit 80 MHz RISC processor with 512 KB internal RAM and 576 KB external RAM. Micro OS is strongly resistant to external attack.
Memory: 1 GB flash memory.
Reader Interface: Industry-standard Wiegand or RS-485 serial protocol with AES encryption.
Real Time Clock: Lithium battery-backed.

CABLE REQUIREMENTS AND DISTANCES
Readers: Up to 300 feet with CAT5, CAT6 or 4-conductor 18 AWG cable.
Legacy PACS Network: 300 feet from the interface controller to the legacy panel with CAT 6 or 18 AWG cable.

INPUT POWER: 12 V DC, 1 A (2 Readers connected)
DC Power Supply: 110-20 VAC, 50-60 Hz, V-Infinity EPSA switching power supply, Energy Star rated (included)
OUTPUT POWER: 12 V DC, 300 mA (each Reader port)

ENVIRONMENTAL
Indoor installation recommended. Outdoor: requires a NEMA 4 enclosure.
- Temperature: -20 °F to 150 °F
- Humidity: 5% to 95% non-condensing

FIRMWARE FEATURES
- Stand-alone operation, transparent to the legacy PACS
- Supports all HSPD-12 strong authentication mechanisms
- Memory / Audit List: 25,000 most recent events (audited locally through the USB port)

CREDENTIALS SUPPORTED
- PIV, CAC, TWIC, FRAC (48-, 56-, 75- or 200-bit FASC-N formats are standard; many other formats are supported)
- PIV-I, BridgePoint CryptoID (128-bit UUID)
- MIFARE, DESFire (32-bit silicon UID)

CERTIFICATE SIGNATURE MATCH USING eFASC-N OR eGUID (mitigation of cloned credentials)
- Personal certificate (32- to 256-bit SHA-2 hash)
- Card authentication certificate (32- to 256-bit SHA-2 hash)

SUPPORTED LEGACY PANEL INPUT COMMANDS
Commands are implemented by control of two legacy panel auxiliary relays (up to 4 controllable authentication modes). Scheduled switching of the authentication mode depends on the PACS panel's ability to program the state of its auxiliary relays.

AUTHENTICATION MODES (set in the Authentication Module and selected by time and day by the panel):
- 1-Factor: CAK
- 2-Factor: CAK + PIN to Panel
- 2-Factor: PAK AUTH
- 3-Factor: PIV + PIN + BIO

PKI CRYPTOGRAPHIC MODULE
PKI Cryptographic Support: 32-bit cryptographic processor with hardware acceleration supports NSA/NIST Suite B algorithms, including PKI VERIFY (via RSA or ECC public/private key pair):
- PAK challenge-response (personal certificate)
- CAK challenge-response (card authentication key)
Communication Encryption: Supports AES-256 encryption between Readers and interface controllers with Diffie-Hellman dynamic key exchange to mitigate man-in-the-middle attacks. No cryptographic keys are stored in the system. Note that an ephemeral Diffie-Hellman exchange on its own protects the reader cable against passive eavesdropping; resistance to an active man-in-the-middle additionally requires the exchange to be authenticated, for example with a secret shared between reader and module at pairing time.

WARRANTY: 24 months from date of installation (25 months from date of shipment)

Copyright BridgePoint Systems 2002-2013. BridgePoint, TrustPoint, TrustAlert and ePACS are trademarks of BridgePoint Systems, Inc.