Interagency Advisory Board Meeting Agenda, February 2, 2009

Similar documents
Interagency Advisory Board Meeting Agenda, February 2, 2009

Interagency Advisory Board Meeting Agenda, Wednesday, May 23, 2012

Interagency Advisory Board Meeting Agenda, Wednesday, February 27, 2013

Interagency Advisory Board Meeting Agenda, Wednesday, June 29, 2011

Interagency Advisory Board Meeting Agenda, February 2, 2009

Securing Federal Government Facilities A Primer on the Why, What and How of PIV Systems and PACS

Multiple Credential formats & PACS Lars R. Suneborn, Director - Government Program, HIRSCH Electronics Corporation

Transportation Worker Identification Credential (TWIC) Steve Parsons Deputy Program Manager, TWIC July 27, 2005

Interagency Advisory Board Meeting Agenda, Tuesday, November 1, 2011

Guidelines for the Use of PIV Credentials in Facility Access

Revision 2 of FIPS 201 and its Associated Special Publications

Interagency Advisory Board Meeting Agenda, March 5, 2009

Strategies for the Implementation of PIV I Secure Identity Credentials

Leveraging HSPD-12 to Meet E-authentication E

Biometric Use Case Models for Personal Identity Verification

FIPS and NIST Special Publications Update. Smart Card Alliance Webinar November 6, 2013

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

TWIC / CAC Wiegand 58 bit format

Unified PACS with PKI Authentication, to Assist US Government Agencies in Compliance with NIST SP (HSPD 12) in a Trusted FICAM Platform

IMPLEMENTING AN HSPD-12 SOLUTION

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

Physical Access Control Systems and FIPS 201

IAB Minutes Page 1 of 6 April 18, 2006

IAB Minutes Page 1 of 6 January 18, 2006

000027

Interagency Advisory Board (IAB) Meeting. August 09, 2005

FiXs - Federated and Secure Identity Management in Operation

I N F O R M A T I O N S E C U R I T Y

TWIC Transportation Worker Identification Credential. Overview

An Overview of Draft SP Derived PIV Credentials and Draft NISTIR 7981 Mobile, PIV, and Authentication

Strong Authentication for Physical Access using Mobile Devices

Secure Solutions. EntryPointTM Access Readers TrustPointTM Access Readers EntryPointTM Single-Door System PIV-I Compatible Cards Accessories

DHS ID & CREDENTIALING INITIATIVE IPT MEETING

TWIC Readers What to Expect

Paul A. Karger

Considerations for the Migration of Existing Physical Access Control Systems to Achieve FIPS 201 Compatibility

Identiv FICAM Readers

(PIV-I) Trusted ID across States, Counties, Cities and Businesses in the US

TWIC Update to Sector Delaware Bay AMSC 8 June 2018

The Leader in Unified Access and Intrusion

Interagency Advisory Board Meeting Agenda, Wednesday, April 24, 2013

Interfaces for Personal Identity Verification Part 1: PIV Card Application Namespace, Data Model and Representation

Smart Card Alliance Comments and Considerations on Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance

Mandate. Delivery. with evolving. Management and credentials. Government Federal Identity. and. Compliance. using. pivclasss replace.

Interagency Advisory Board Meeting Agenda, December 7, 2009

State of the Industry and Councils Reports. Access Control Council

MAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013

Secure Lightweight Activation and Lifecycle Management

Interagency Advisory Board Meeting Agenda, August 25, 2009

Interagency Advisory Board Meeting Agenda, April 27, 2011

Helping Meet the OMB Directive

Using PIV Technology Outside the US Government

PKI and FICAM Overview and Outlook

Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems Draft Version 2.3E

There is an increasing desire and need to combine the logical access and physical access functions of major organizations.

Interagency Advisory Board Meeting Agenda, December 7, 2009

Office of Transportation Vetting and Credentialing. Transportation Worker Identification Credential (TWIC)

Physical Access Control Systems and FIPS 201 Physical Access Council Smart Card Alliance December 2005

I N F O R M A T I O N S E C U R I T Y

Smart Cards & Credentialing in the Federal Government

PIV Data Model Test Guidelines

No More Excuses: Feds Need to Lead with Strong Authentication!

AXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure

Strategies for the Implementation of PIV I Secure Identity Credentials

Leveraging the LincPass in USDA

HITPC Stage 3 Request for Comments Smart Card Alliance Comments January, 14, 2013

Velocity Certificate Checking Service Installation Guide & Release Notes

Single Secure Credential to Access Facilities and IT Resources

Credentialing Project Technical Architecture

Unlocking The CHUID. Practical Considerations and Lessons Learned for PIV Deployments. Eric Hildre 07/18/2006

CertiPath TrustVisitor and TrustManager. The need for visitor management in FICAM Compliant PACS

TWIC Reader Technology Phase

pivclass FIPS-201 Reader Operation and Output Selections APPLICATION NOTE , F.0 February Barranca Parkway Irvine, CA 92618

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

Interagency Advisory Board Meeting Agenda, July 28, 2010

CREDENTSYS CARD FAMILY

NFC Identity and Access Control

g6 Authentication Platform

Emergency Response Official Credentials: An Approach to Attain Trust in Credentials across Multiple Jurisdictions for Disaster Response and Recovery

Changes to SP (SP ) Ketan Mehta NIST PIV Team NIST ITL Computer Security Division

Cryptologic and Cyber Systems Division

To be covered: S&T Intro TTWG. Research/Pilots. Scope Goals Report

Using the Prototype TWIC for Access A System Integrator Perspective

Smart Card Alliance Update. Update to the Interagency Advisor Board (IAB) June 27, 2012

Version 3.4 December 01,

How to Plan, Procure & Deploy a PIV-Enabled PACS

Secure Government Computing Initiatives & SecureZIP

Will Federated Cross Credentialing Solutions Accelerate Adoption of Smart Card Based Identity Solutions?

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA

EU Passport Specification

FICAM Configuration Guide

DATA SHEET. ez/piv CARD KEY FEATURES:

Match On Card MINEX 2

I N F O R M A T I O N S E C U R I T Y

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop. Scalability: Dimensions for PACS System Growth

FICAM in Brief: A Smart Card Alliance Summary of the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance

Overview of cryptovision's eid Product Offering. Presentation & Demo

The Future of Smart Cards: Bigger, Faster and More Secure

CA3000 Plug-in Manual. Codebench, Inc 6820 Lyons Technology Circle Ste. 140 Coconut Creek, FL 33073

The Open Protocol for Access Control Identification and Ticketing with PrivacY

Transcription:

Interagency Advisory Board Meeting Agenda, February 2, 2009 1. Opening Remarks (Tim Baldridge, NASA) 2. Mini Tutorial on NIST SP 800-116 AND PIV use in Physical Access Control Systems (Bill MacGregor, NIST) 3. Impact of Agreement Among Four PKI Bridges (Tim Pinegar, Protiviti Government Services (PGS) representing GSA/OGPGSA) 4. Microsoft s Roadmap for PIV Products: The Impact that will have on PIV Use and Interoperability (Vernon Lee, Microsoft) 5. Adobe s Roadmap for PIV Products: The impact that will have on PIV Use and Interoperability (John Harris, Adobe) 6. PAIIWG Update (Tim Baldridge, NASA) 7. Closing Remarks (Tim Baldridge, NASA)

A Mini-Tutorial on Special Publication 800-116 William I. MacGregor National Institute of Standards and Technology IAB Meeting, 2 Feb 2009 4

Employee & Contractor Sample PIV Cards from SP800-104 United States Government FEB2010 United States Government FEB2010 Color Photograph DOE, JOHN H. Affiliation Employee Agency/Department Department of Homeland Security Expires 2010FEB24 Employees Color Photograph DOE, JOHN H. Affiliation Employee Agency/Department Department of Homeland Security Expires 2010FEB24 Contact Chip Contact Chip United States Government FEB2010 United States Government FEB2010 Emergency Response Official Color Photograph Affiliation Contractor Agency/Department Department of Homeland Security Color Photograph Affiliation Contractor Agency/Department Department of Homeland Security DOE, JOHN H. Expires 2010FEB24 G Contractors DOE, JOHN H. Expires 2010FEB24 G Contact Chip 5 Contact Chip Emergency Response Official

PIV Card Data Objects Just 11 objects and 4 authentication methods! MANDATORY CHUID (Card Holder Unique Identifier) PIV Authentication Key and Certificate Fingerprint Template Object Security Object Card Capability Container OPTIONAL Card Authentication Key, and Certificate Key Management Key and Certificate Digital Signature Key and Certificate Facial Image Object Printed Information Object Discovery Object 6

HSPD-12 Status 28 Oct 2008 1.6 million PIV Cards issued. Some US agencies above 95% issuance. Application integration underway: System logon Document signing & verification Secure Messaging Physical Access Control Systems (PACS) 7

NIST Special Publication 800-116 A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS) Conforms to FIPS 201-1 and SP s in effect Reviews current limitations & threat environment States the PIV-in-PACS vision and benefits Recommends a PACS security model and PIV integration approach Proposes a PIV Implementation Maturity Model (PIMM) 8

Threat Environment Threats Considered: Identifier Collisions Terminated PIV Cards Visual Counterfeiting Skimming Sniffing Social Engineering Electronic Cloning Electronic Counterfeiting Main Conclusions: The CHUID mechanism is weaker than other PIV authentication mechanisms. PKI path validation is necessary for complete trust. 9

PIV Benefits The PIV System is an identity infrastructure for Federal employees and contractors. Enhanced identity assurance at three levels. Rapid electronic verification. Resistance to forgery, cloning, and transfer. Credential status services. Integrated provisioning (over time). One enrollment used by multiple applications. 10

A PACS Model Unrestricted, Controlled, Limited, Exclusion Unrestricted area Controlled Limited area area Exclusion area Access Point B Lab Space Access Point C Trade Secret HQ Admin Facility services Access Buildings Point A 11

Authentication Presenting Person Reader / Verifier If Match FASC-N Identifier PIV PACS Controller/ Server 12

The FASC-N Identifier Federal Agency Smart Credential Number (FASC-N) is the primary PIV identifier FIPS 201-1 requires a 14 decimal digit subset to be unique over all PIV Cards: (Agency Code, System Code, Credential Number) 4 digits 4 digits 6 digits 13

PIV Authentication Mechanisms Characteristics Method Type Use of PKI Assurance Level CHUID Data Token Optional Sig. Verification SOME CAK Challenge/ Certificate SOME (Optional) Response Validity BIO Fingerprint Optional Sig. HIGH Biometric Verification BIO-A Fingerprint Optional Sig. VERY HIGH (Attended) Biometric Verification PKI Challenge/ Certificate VERY HIGH Response Validity 14

PIV Trust Model All of the PIV electronic authentication mechanisms rely on Public Key Infrastructure (PKI) trust. If PKI credential and path validation are not done, authentication assurance is reduced. Credential and path validation must be done with the PKI and CAK mechanisms. Credential and path validation should be done with all PIV authentication mechanisms. 15

How to select mechanisms at access points? To enter <left column> area, factors in <right column> are required Security Areas Authentication Factors Required Controlled 1 Limited 2 Exclusion 3 16

Converting Mechanisms to Factors PIV Authentication Mechanism Have Know Are Authentication Factors (HKA Vector) Interface CAK + BIO (-A) x x x 3 Contact BIO-A x x 2 Contact PKI x x 2 Contact BIO x 1 Contact CAK x 1 Contact/ Contactless CHUID + VIS x 1 Contact/ Contactless 17

and, the mechanisms must be used at or below the perimeter shown. Acc ess Point C BIO-A PKI CAK + BIO(-A) Acc ess Point B BI O Acc ess Point A VIS + CHUID CAK 18

Key Concepts Illustrated on next slide 1. Access to Controlled Area (most common case. 2. Two factor authentication to Limited Area. 3. Authentication-in-Context. 4. Three factor authentication to Exclusion Area. 5. A single perimeter may separate areas with a difference of more than one impact level. 19

Physical Access Control Examples 5 PKI + BIO(-A) Controlled area 3 BIO-A Access Point B Limited area 5 3 PKI PKI+BIO (-A) Exclusion area 3 PKI 3 BIO-A Exclusion area Access Point B Limited area Access Point A 5 PKI+BIO (-A) Exclusion area BIO-A PKI 2 2 CAK VIS 1 + 1 CHUID BIO 1 20 CAK + BIO (-A) 4

PIV Implementation Maturity Model (PIMM) 1. PIV Cards accepted on ad hoc basis 2. PIV Cards accepted at the main entrance 3. Only PIV Cards accepted for Exclusion 4. Only PIV Cards accepted for Limited 5. Only PIV Cards accepted for Controlled Note: levels are cumulative; only applies to PIVeligible persons. 21

Lessons Learned Practical, effective high assurance ID systems are within reach today. Multi-factor authentication (two or three factors) are needed for HIGH confidence. Good approaches use cryptography to protect all transactions, and authentication-in-context. Key management remains a challenging aspect of system architecture and design. Public Key Infrastructure (PKI) is well understood, Symmetric Key Infrastructure less so. 22

Thanks for listening! William I. MacGregor NIST PIV Coordinator (301) 975-8721 william.macgregor@nist.gov http://csrc.nist.gov 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback