Paul A. Karger

Similar documents
Strategies for the Implementation of PIV I Secure Identity Credentials

Secure Government Computing Initiatives & SecureZIP

Transportation Worker Identification Credential (TWIC) Steve Parsons Deputy Program Manager, TWIC July 27, 2005

Interagency Advisory Board Meeting Agenda, February 2, 2009

Securing Federal Government Facilities A Primer on the Why, What and How of PIV Systems and PACS

Privacy and Security Threat Analysis of the Federal Employee Personal Identity Verification (PIV) Program

There is an increasing desire and need to combine the logical access and physical access functions of major organizations.

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

Changes to SP (SP ) Ketan Mehta NIST PIV Team NIST ITL Computer Security Division

Interagency Advisory Board Meeting Agenda, Wednesday, February 27, 2013

Biometric Use Case Models for Personal Identity Verification

Office of Transportation Vetting and Credentialing. Transportation Worker Identification Credential (TWIC)

TWIC / CAC Wiegand 58 bit format

FiXs - Federated and Secure Identity Management in Operation

Federal Information Processing Standard (FIPS) What is it? Why should you care?

CREDENTSYS CARD FAMILY

000027

HITPC Stage 3 Request for Comments Smart Card Alliance Comments January, 14, 2013

DATA SHEET. ez/piv CARD KEY FEATURES:

Payment Security: Attacks & Defences

Interagency Advisory Board Meeting Agenda, Wednesday, May 23, 2012

IMPLEMENTING AN HSPD-12 SOLUTION

Interagency Advisory Board Meeting Agenda, December 7, 2009

The SafeNet Security System Version 3 Overview

Getting to Grips with Public Key Infrastructure (PKI)

Computer Security: Principles and Practice

Physical Access Control Systems and FIPS 201

Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Evaluation Vendor Questionnaire Version 2.

I N F O R M A T I O N S E C U R I T Y

Certicom Security for Government Suppliers developing products to meet the US Government FIPS security requirement

PKI Knowledge Dissemination Program. PKI Standards. Dr. Balaji Rajendran Centre for Development of Advanced Computing (C-DAC) Bangalore

WAP Security. Helsinki University of Technology S Security of Communication Protocols

FIPS Security Policy

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Inside the World of Cryptographic Algorithm Validation Testing. Sharon Keller CAVP Program Manager NIST ICMC, May 2016

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

APNIC elearning: Cryptography Basics

This Security Policy describes how this module complies with the eleven sections of the Standard:

Appendix 12 Risk Assessment Plan

Key Management and Elliptic Curves

g6 Authentication Platform

White Paper for Wacom: Cryptography in the STU-541 Tablet

Strong Authentication for Physical Access using Mobile Devices

Will Federated Cross Credentialing Solutions Accelerate Adoption of Smart Card Based Identity Solutions?

The Benefits of Strong Authentication for the Centers for Medicare and Medicaid Services

FIPS and NIST Special Publications Update. Smart Card Alliance Webinar November 6, 2013

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

Cryptography Standard

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Secure Solutions. EntryPointTM Access Readers TrustPointTM Access Readers EntryPointTM Single-Door System PIV-I Compatible Cards Accessories

Appendix 12 Risk Assessment Plan

(PIV-I) Trusted ID across States, Counties, Cities and Businesses in the US

pivclass FIPS-201 Reader Operation and Output Selections APPLICATION NOTE , F.0 February Barranca Parkway Irvine, CA 92618

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Security+ SY0-501 Study Guide Table of Contents

TopSec Product Family Voice encryption at the highest security level

Unified PACS with PKI Authentication, to Assist US Government Agencies in Compliance with NIST SP (HSPD 12) in a Trusted FICAM Platform

6. Security Handshake Pitfalls Contents

Past & Future Issues in Smartcard Industry

This paper focuses on the issue of increased biometric content. We have also published a paper on inspection systems.

Federated Access. Identity & Privacy Protection

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

Single Secure Credential to Access Facilities and IT Resources

Smart cards are made of plastic, usually polyvinyl chloride. The card may embed a hologram to prevent counterfeiting. Smart cards provide strong

DMDC Card Technologies & Identification Systems Division. Evaluation of NIST SP End State Reference Implementation. Version 1.

PRODUCT INFORMATION BULLETIN

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

IDCore. Flexible, Trusted Open Platform. financial services & retail. Government. telecommunications. transport. Alexandra Miller

No More Excuses: Feds Need to Lead with Strong Authentication!

White paper. Combatant command (COCOM) next-generation security architecture

PKI and FICAM Overview and Outlook

ID-One PIV (Type A) FIPS Security Policy. (PIV Applet Suite on ID-One Cosmo V7-n) Public Version

WLAN Security Overview

Easy Incorporation of OPTIGA TPMs to Support Mission-Critical Applications

Multiple Credential formats & PACS Lars R. Suneborn, Director - Government Program, HIRSCH Electronics Corporation

Cryptologic and Cyber Systems Division

Password. authentication through passwords

The Open Protocol for Access Control Identification and Ticketing with PrivacY

Introduction to Post-Quantum Cryptography

Introduction to Post-Quantum Cryptography

Chapter 8 Information Technology

Electronic Signature Policy

FIPS Compliance of Industry Protocols in Edward Morris September 25, 2013

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Helping Meet the OMB Directive

Version 3.4 December 01,

XenApp 5 Security Standards and Deployment Scenarios

Trust Services for Electronic Transactions

Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems Draft Version 2.3E

How to Plan, Procure & Deploy a PIV-Enabled PACS

8/30/17. Introduction to Post-Quantum Cryptography. Features Required from Today s Ciphers. Secret-key (Symmetric) Ciphers

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Kurose & Ross, Chapters (5 th ed.)

Biometrics. Overview of Authentication

Guidance for Requirements for qualified trust service providers: trustworthy systems and products

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

Advanced Security Mechanisms for Machine Readable Travel Documents and eidas Token

Transcription:

Privacy and Security Threat Analysis of the Federal Employee Personal Identity Verification (PIV) Program Paul A. Karger karger@watson.ibm.com

Outline Identify specific problem with FIPS 201 Problem of multiple authentication protocol options Recommend use of single, formally proven secure, standards-based authentication protocol

Homeland Security Presidential Directive 12 HSPD 12 August 2004 Government-wide standard for identification of Federal Employees and Contractors Primarily for access to federal buildings, world-wide Must be secure and reliable NIST developed Federal Information Processing Standard (FIPS) 201 Plus series of accompanying documents Two kinds of cards PIV I and PIV II PIV I is for quick deployment for single agencies PIV II is for inter-agency interoperability focus of this talk

What is Secure and Reliable Identification? Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation Can be rapidly authenticated electronically Strong criteria for verifying employee s identity Issued only by accredited providers

Contact and Contactless Smart Cards FIPS 201 requires dual-interface smart cards Contact cards must be inserted into a reader provide better security Contactless cards communicate via radio frequencies and therefore could be intercepted Contactless smart cards are similar to RFID tags, but use different standards and have more powerful computational abilities Contactless smart cards receive broadcast power from the reader and have no batteries RF transmissions can be intercepted Reports of successful interceptions at distances from 9 to 50 meters. Interception is MUCH easier when the card is in use and powered by a legitimate reader Therefore, encryption is essential for security, but FIPS 201 does not require encryption over the contactless interface

Card Holder Unique ID (CHUID) CHUID evolved from an earlier DoD working group (SEIWG-12) that included a social security account number (SSAN) as part of the unique ID of a card holder DoD puts the SSAN on all military IDs Due to potential identity theft problems, the newer CHUID strongly discourages the use of SSAN CHUID includes a number of other fields including an agency code that identifies for which federal agency the card holder works

CHUID transmitted in cleartext FIPS 201 explicitly declares that reading the CHUID is not a privileged operation, and therefore need not be encrypted Agency code (part of CHUID) is sensitive information Very fine grained code 12K3 = Animal and Plant Health Inspection Service 571A = Air Force Command and Control (C2) & Intelligence, Surveillance and Reconnaissance This level of detail could be of great interest to an eavesdropper, and could put federal employees in danger

Attack Scenarios Using Agency Code Espionage agents Select individuals likely to have high security clearances to recruit as spies Terrorists Select individuals to target for kidnapping or assassination Encryption could NOT prevent identification if terrorist gets physical access to the ID card, as in TWA 847 hijacking Encryption could interfere with attempt by terrorists to select particular targets off the street, as in the DC sniper case Journalists Identify Valerie Plame as a CIA employee just by remotely reading her FIPS 201 card

Outline Identify specific problem with FIPS 201 Problem of multiple authentication protocol options Recommend use of single, formally proven secure, standards-based authentication protocol

Usability Issues For cardholder, usability is excellent Contactless smart cards merely need to be waved near the readers For agency developers, usability is not good FIPS 201 is supposed to provide inter-agency interoperability, but it offers many options for authentication that will make interoperability difficult Furthermore, it assumes that each agency can make good security choices, yet it is well-known that selecting appropriate wireless security protocols is very difficult Each agency will choose its own card vendors

Recommendation Even if just one agency s cards are broken, there could be serious problems for the employees Require a single, proven to be secure, authentication protocol for ALL agencies Assures interoperability Removes agency need to have in-house cryptographic experts IBM has developed such a protocol and offered it to various standardization bodies Caernarvon authentication protocol

Outline Identify specific problem with FIPS 201 Problem of multiple authentication protocol options Recommend use of single, formally proven secure, standards-based authentication protocol

Caernarvon Castle North Wales

Privacy Preserving Protocol Based on SIGMA (SIGn and Mac) family of protocols, including IKE Part of IPSEC Formally proven SIGMA protocols better protect privacy Key is negotiated before any identities are exchanged Once key is agreed upon, all further communications are encrypted Caernarvon protocol Requires that the reader authenticate first, then the card Underlying protocol is symmetric, but someone has to go first Needs for privacy are NOT symmetric Once the reader has authenticated, the card can make a security policy determination of whether to reveal the card holder s identify SOUPS 2006

Non-Mathematical Summary of Protocol First, the reader and the card negotiate a Diffie-Hellman session key This provides cryptographic privacy for all subsequent messages No authentication has taken place yet neither the reader nor the card knows who is on the other end they only know that eavesdroppers have been excluded Second, the reader authenticates itself to the card Third, to protect the privacy of the card holder, the card now decides whether this particular reader is authorized Only if the reader is authorized, the card finally reveals the card holder s identity, so that the reader can decide whether the card holder is to be allowed access. SOUPS 2006

Standards Process IBM has submitted the Caernarvon Authentication Protocol for international standardization as part of the European Electronic Signature effort IBM has not asserted IP rights over the protocol Based on existing IKE standards in IPSEC Part of a draft CEN standard When completed, the CEN standard will be submitted to ISO SOUPS 2006

Conclusions Problem: FIPS 201 has weaknesses CHUID is transmitted unencrypted putting card holder safety at risk Inter-agency interoperability will be difficult to achieve Each agency has to make difficult security trade-offs without good guidance Problem: Does this meet HSPD-12? Is it strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation? Solution: Fix the next version of FIPS 201 by mandating a formally proven, standards-compliant, privacy-preserving protocol for ALL cards Solution: Limit use to PIV I (no interagency authentication) for now SOUPS 2006

Backup Slides Mathematical summary of the protocol SOUPS 2006

Algorithms Protocol can use elliptic curves and AES algorithms Examples that follow use regular Diffie-Hellman, RSA signatures, and triple DES, because our first prototype smart card chip only supported those algorithms SOUPS 2006

Privacy Preserving Protocol 1 Simple Diffie-Hellman A chooses a random number a with 1 a q-1, computes a key token K A = g a mod p, and transmits it to B. A K A B B chooses a random number b with 1 b q-1, computes a key token K B = g b mod p, and transmits it to A. A K B Neither A nor B has revealed his identity. They now can compute a mutual key K AB, as in simple Diffie-Hellman, and then derive encrypting and message authentication keys, K ENC and K MAC Since we have a session key, the rest of the protocol is protected from third-party eavesdroppers. B SOUPS 2006

Privacy Preserving Protocol 2 Reader Proves Identity A sends its certificate to B by encrypting it with K ENC. A computes: E 01 = 3DES KENC (Cert(A)) A B responds with a challenge E 01 MAC KMAC (E 01 ) B A RND.B A now computes: E 1 = 3DES KENC (A Sig SKA [K A A RND.B K B DH(g p q)]) Diffie-Hellman key parameters are included to provide their authenticity B A E 1 MAC KMAC (E 1 ) B SOUPS 2006

Access Control Decisions At this point, the smart card can check the reader s identity, and make a policy decision about the reader. Any security policy could be implemented here Even no policy at all SOUPS 2006

Privacy Preserving Protocol 3 Card Proves Identity B sends its certificate to A by encrypting it with K ENC. B computes: E 02 = 3DES KENC (Cert(B)) A A responds with a challenge A E 02 MAC KMAC (E 02 ) RND.A B now computes: E 2 = 3DES KENC (B Sig SKB [K B B RND.A K A ]) B B A E 2 MAC KMAC (E 2 ) B Finally, the reader can now verify the card s identity, make its own access control policy decisions and proceed. SOUPS 2006

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback