Strategies for the Implementation of PIV-I Secure Identity Credentials
A Smart Card Alliance Educational Institute Workshop
PIV Technology and Policy Requirements
Steve Rogers, President & CEO
9th Annual Smart Cards in Government Conference, Washington DC Convention Center, November 16-19, 2010
Why Smart Cards?
What is a Smart Card?
- A smart card is one of the latest additions in information technology
- Processing power to serve many different applications (multi-application card)
- Business and personal information stored securely and only accessible to the appropriate user
- In short: data portability, security and convenience
Contact Smart Cards
Contact-less Smart Cards
ISO 14443-4 Dual-Interface Smart Card
- Contact module with chip
- Internal antenna with connection points for the chip
- A single chip for both contact and contactless
ISO 14443-4 Dual-Interface Smart Card
- Dual-interface contact and contactless smart card
- SmartMX chip technology
- ISO 7816 (T=0 and T=1) contact interface
- ISO 14443A/B-4 (T=CL) contactless interface
- Triple DES (3DES) encryption
- Suitable for high-level languages and multi-application operating systems such as JAVA, JCOP, MULTOS
- Available with 36k, 72k, 128k, <1M (EEPROM) memory
- Maximum number of user applications and files is OS dependent
RFID vs. RF-Enabled
Understanding the differences between RFID and RF-enabled smart card technologies is critical in order to correctly assess each technology's fit with a specific application's security and privacy requirements.
RF-Enabled Applications
RFID Security
RFID and RF-enabled smart card technologies comply with different standards, have different operating ranges, and differ widely in their ability to support the security features that RF-enabled applications need.
RFID Security Levels
RFID Tags & Readers
Contactless RF-Enabled Smart Cards & Readers
- Stronger security via long keys, encrypted communication, and mutual authentication
ISO 14443 Contactless Smart Reader (diagram)
Host Application CPU <-> ISO 14443-4 Reader CPU <-> 13.56 MHz contactless link <-> Smartcard CPU
Contactless Smart Reader Multi-Applications (diagram)
Diagram of a multi-application smart reader linking: Administrator, Smart Reader, Logical Access, Biometrics, Configuration, Identification, Payment, Logical/Physical Access, System monitoring, Devices control, Smart cards, e-documents, Security Management, Transactions, Users, Information, Physical Access, Money, Digital Signature
Contactless Smart Card Major Benefits
Security
- Contactless chip is tamper-resistant
- Information stored can be read/write protected
- Capable of performing high-security encryption
- Challenge-response mutual authentication
- Smart cards have unique serial numbers
- Biometrics support provides one-to-one match
Intelligence
- Capable of processing, not just storing, information
- Multi-application support
- Information and applications on a card can be updated without having to issue new cards
- PKI & encryption support
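As an added illustration, not part of the original deck, of why the slides above contrast RFID tags with RF-enabled smart cards, the following Python models a reader that only checks a static serial against one that runs the challenge-response mutual authentication the benefits slide lists. The serial, key and nonce handling are constructed for this example, and HMAC-SHA256 from the standard library stands in for the card's keyed 3DES operation.

```python
import hashlib
import hmac
import os

# Constructed sample values, not taken from any real credential: a card
# serial number and a long key shared by card and reader. The slides mention
# 3DES; HMAC-SHA256 from the standard library stands in for the keyed MAC.
SERIAL = bytes.fromhex("0123456789abcdef")
CARD_KEY = bytes.fromhex("1f" * 32)

def mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def static_reader(serial_read, enrolled):
    """RFID-style check: the tag emits a fixed serial and the reader only
    compares it with an enrolled list, so a copied serial passes."""
    return serial_read in enrolled

class MutualAuthCard:
    """Smart card: answers a fresh reader nonce with a keyed MAC over both
    nonces and its serial, then checks the reader's own proof."""
    def __init__(self, serial, key):
        self.serial, self.key = serial, key

    def authenticate(self, reader_nonce):
        card_nonce = os.urandom(8)
        return card_nonce, mac(self.key, b"C", reader_nonce, card_nonce, self.serial)

    def verify_reader(self, reader_nonce, card_nonce, proof):
        return hmac.compare_digest(mac(self.key, b"R", card_nonce, reader_nonce), proof)

class ReplayedCard:
    """A recorded transcript played back: knows the serial and one old
    (card_nonce, response) pair, but has no key to answer a new nonce."""
    def __init__(self, serial, recorded):
        self.serial, self.recorded = serial, recorded

    def authenticate(self, reader_nonce):
        return self.recorded

    def verify_reader(self, *_):
        return True

def reader_session(card, key=CARD_KEY):
    """Reader side; True only if the card's and the reader's proofs verify."""
    reader_nonce = os.urandom(8)
    card_nonce, response = card.authenticate(reader_nonce)
    if not hmac.compare_digest(mac(key, b"C", reader_nonce, card_nonce, card.serial), response):
        return False  # wrong key, or a response recorded for another nonce
    return card.verify_reader(reader_nonce, card_nonce, mac(key, b"R", card_nonce, reader_nonce))
```

The static reader accepts any enrolled serial however it was obtained, while the mutual-authentication reader rejects both a card with the wrong key and a recorded response replayed against a fresh nonce.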
Contactless Smart Card Major Benefits (cont.)
Convenience
- Portable, easy-to-use form factor
- High-speed access for high throughput
- Usable in harsh or dirty environments (RF)
- Fast positive authentication of identity
Reliable and Inexpensive
- Durable card bodies
- Contactless: no manual dexterity required, speed, no maintenance
- Passive: no batteries
- Low cost of ownership
- Flexible reader interface options: TCP/IP, USB 2.0, Wiegand, serial data
- Many form factors
IDENTITY PAST & PRESENT
US Government Identity Credential Timeline
- >1991: Department of Defense (DoD) ID card
- 1995: Murrah building bombing, Oklahoma City, OK; creation of Federal Security Levels
- 1997: Secure networks with smart card on Navy Smart Battleship
- ~2000: Common Access Card (CAC)
- 2003: Executive Office of the President, OMB M-04-04, E-Authentication Guidance for Federal Agencies
- 2004: Homeland Security Presidential Directive (HSPD) 12, one credential for Federal employees and contractors for logical and physical access
US Government Identity Credential Timeline (cont.)
- 2005: National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS 201), Personal Identity Verification (PIV)
- 2006: First Responder Authentication Credential (FRAC); CertiPath Aerospace and Defense Industrial Base Bridge; initial Personal Identity Verification Interoperability (PIV-I) deployments
- 2007: Transportation Worker Identification Credential (TWIC)
- 2008: Special Publication 800-116, Guidance on Physical Access Control; bi-directional reader comms, certificates, PKI
- 2009: Federal Identity, Credentialing, and Access Management (FICAM) Roadmap; PIV-I baseline
US Government Identity Credential Timeline (cont.)
- 2010: National Strategy for Trusted Identities in Cyberspace (NSTIC); PIV-I 1.1; PIV-I FAQ; FICAM Part B Guidance (expected Q4); Department of Commerce, Cybersecurity, Innovation and the Internet Economy; Federal PKI Policy Authority, Citizen and Commerce Class Common Certificate Policy
HSPD-12 and FIPS-201
HSPD-12 (Homeland Security Presidential Directive 12)
- Issued by President George W. Bush on August 27, 2004
- Mandates the establishment of a standard for identification of Federal Government employees and contractors
- Requires the use of a common identification credential for both logical and physical access to Federally controlled facilities and information systems
- Intends to enhance security, increase efficiency, reduce identity fraud, and protect personal privacy
FIPS-201 (Federal Information Processing Standard Publication 201)
- Issued by the National Institute of Standards and Technology (NIST) on February 25, 2005
- Defines the standard for Personal Identity Verification (PIV) of Federal employees and contractors
- Applies to both physical and logical access control, and to other applications as determined by the individual agencies
- Provides guidance for implementing the HSPD-12 requirements for a common Federal identification credential that is used to access both physical facilities and logical information systems
FIPS 201 Standards Benefits
- The most important benefit of the FIPS 201 model is the strong assurance that the identity associated with a credential belongs to the correct individual
- Specifies a useful and secure identity card that supports a wide range of use cases
- Enables card support across a wide range of PCs, servers, controllers, systems, and mobile devices
- Defines policy and infrastructure
- Defines processes and technical specifications that enable interoperability across organizations
- Fosters competition to reduce prices
FIPS 201 PIV Card Advantages
- Supported by a wide range of manufacturers and integrators
- Does not compel an organization to use a single vendor for key components (see the Approved Products List, APL)
- Provides flexible authentication, signature, and encryption functionality
- Well positioned to take advantage of emerging technologies, such as biometrics
- As a standard that will be used by Federal agencies to issue credentials to millions of U.S. Federal employees and contractors, it has the advantage of scale
- Provides the framework to support interoperable identity credentials across organizations (PIV-I)
PIV Cards
Personal Identity Verification (PIV) Cards
- Cornerstone electronic credential in the U.S. Federal Government, used for authentication to both information resources and facilities
- Under HSPD-12, U.S. Federal departments and agencies are required to issue PIV cards to permanent government personnel and contractors
- Issued ONLY by U.S. Federal entities
- Relied on by U.S. Federal and non-Federal entities
- Background investigation: minimum NACI
- Asserts Federal Common Policy Framework (FCPF) Certificate Policy Object IDs for PIV
PIV & PIV-i Technology
- PIV (Personal Identity Verification) card: an identity card that meets the PIV technical specifications to work with PIV infrastructure elements such as card readers, and is issued by the Federal government in a manner that allows relying parties to trust the card.
- PIV-I (PIV Interoperable) card: an identity card that meets the PIV technical specifications to work with PIV infrastructure elements such as card readers, and is issued by a Non-Federal Issuer (NFI) in a manner that allows Federal government relying parties to trust the card.
PIV-i PIV Interoperable Cards
Personal Identity Verification Interoperable (PIV-i) Cards
- Cornerstone credential for all security controls, for both information resources (LACS) and facilities protection (PACS)
- Issued by Non-Federal Issuers (NFI)
- Intended primarily for issuance by non-Federal entities
- May be relied on by Federal and non-Federal entities
- Identity and affiliation certainty equivalent to PIV
- No issuer background investigation of cardholders
- Asserts Federal Bridge Certificate Authority (FBCA) Certificate Policy Object IDs for PIV-i
Credential Identifiers
PIV = FASC-N (Federal Agency Smart Credential Number)
- Defined and assigned by U.S. Federal Agencies
- Placeholder for GUID
PIV-i = GUID / UUID
- FASC-N may not be used
- GUID is defined by RFC 4122
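Added example, not from the deck: a relying-party check in Python that selects the identifier the slide prescribes for each card type, the agency-assigned FASC-N for PIV and the RFC 4122 GUID for PIV-I, validated with Python's uuid module. The FASC-N is modelled by its decoded digit fields rather than its raw BCD encoding, the all-9s FASC-N placeholder for PIV-I cards is the SP 800-73 convention and an assumption beyond the slide's own text, and every sample value is constructed.

```python
import uuid

# Constructed sample layout, not from any issued card: the FASC-N is modelled
# by its decoded digit fields (agency code, system code, credential number)
# instead of its raw BCD encoding. The all-9s placeholder for PIV-I cards is
# the SP 800-73 convention, an assumption beyond the slide text.
PIV_I_FASCN_PLACEHOLDER = {"agency": "9999", "system": "9999", "credential": "999999"}


def is_rfc4122_uuid(guid_hex):
    """True if the 16-byte GUID parses as an RFC 4122 UUID (correct variant
    bits and a defined version 1-5); a zero-filled placeholder fails."""
    try:
        u = uuid.UUID(hex=guid_hex)
    except ValueError:
        return False
    return u.variant == uuid.RFC_4122 and u.version in (1, 2, 3, 4, 5)


def classify_credential(fascn_fields, guid_hex):
    """Return (card_type, identifier): the agency-assigned FASC-N for a PIV
    card, the RFC 4122 GUID for a PIV-I card. Raises ValueError on bad data."""
    for name, sample in PIV_I_FASCN_PLACEHOLDER.items():
        value = fascn_fields.get(name, "")
        if not (value.isdigit() and len(value) == len(sample)):
            raise ValueError(f"malformed FASC-N field {name!r}")
    if all(fascn_fields[k] == v for k, v in PIV_I_FASCN_PLACEHOLDER.items()):
        # FASC-N is only a placeholder, so the GUID must carry the identity.
        if not is_rfc4122_uuid(guid_hex):
            raise ValueError("PIV-I card requires an RFC 4122 UUID as its GUID")
        return "PIV-I", str(uuid.UUID(hex=guid_hex))
    # PIV: the FASC-N is authoritative; the GUID may itself be a placeholder.
    return "PIV", fascn_fields["agency"] + fascn_fields["system"] + fascn_fields["credential"]
```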
IDENTITY FUTURE
ICAM Defined
What is ICAM? The intersection of digital identities, credentials and access control into one comprehensive approach.
FICAM Initiatives
- Create digital identity
- Achieve compliance
- Enable system interoperability
- Protect Personally Identifiable Information (PII)
- Integrate PACS and LACS
FICAM Goals
- Enhance security across the government by closing gaps
- Improve government agency compliance
- Improve accessibility of federal agencies to each other and to the American public
- Address identity management and physical access control issues for federal employees
- Reduce costs and improve efficiencies
FICAM Outcomes
- Create trusted digital identity representations
- Bind those identities to credentials used for access transactions
- Leverage credentials to grant authorized access
- Enable digital signatures (applications, documents, authorizations)
FICAM Benefits
- Enhances security
- Improves efficiencies
- Reduces costs
- Improves accessibility
- Establishes common PACS and LACS protocols
- Fosters agency compliance
HSPD-12, FIPS-201, SP Pubs, & ICAM, PIV, TWIC, PIV-i (diagram)
Relationship diagram linking HSPD-12, TWIC, PIV-i / FRAC, ICAM and FIPS-201 to the supporting Special Publications:
- SP 800-73-1, Interfaces for PIV
- SP 800-87, Codes for the Identification of Federal and Federally-Assisted Organizations
- SP 800-76-1, Biometric Data Specification for PIV
- SP 800-96, PIV Card / Reader Interoperability Guidelines
- SP 800-78, Cryptographic Algorithms and Key Sizes for PIV
- SP 800-79, Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations
- SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)
FIPS 201 SCA Decoder Docs (www.smartcardalliance.org)
- Physical Access Control System Migration Options for Using FIPS 201-1 Compliant Credentials, Smart Card Alliance Physical Access Council white paper developed in collaboration with the Open Security Exchange, Security Industry Association and International Biometric Industry Association, September 2007
- FIPS 201 PIV II Card Use with Physical Access Control Systems: Recommendations to Optimize Transaction Time and User Experience, Smart Card Alliance Physical Access Council white paper, May 2007
- Considerations for the Migration of Existing Physical Access Control Systems to Achieve FIPS 201 Compatibility, Smart Card Alliance Physical Access Council white paper, September 2006
- FIPS 201 and Physical Access Control: An Overview of the Impact of Physical Access Control Systems and FIPS 201, Smart Card Alliance Physical Access Council briefing presentation, January 2006
- FIPS 201 on Federal Physical Access Control Systems, Smart Card Alliance Physical Access Council white paper, September 2005
Steve Rogers, President
115 Southport Commons, Suites I and J, Spartanburg, SC 29306
Smart Card Alliance
P: (800) 689-1412
191 Clarksville Rd., Princeton Junction, NJ 08550
(800) 556-6828
www.smartcardalliance.org
steve.rogers@iceware.com
www.iceware.com