Property of the Smart Card Alliance © 2010
PIV Technology and Policy Requirements Steve Rogers
President & CEO
Strategies for the Implementation of PIV – I Secure Identity Credentials A Smart Card Alliance Educational Institute Workshop
9th Annual Smart Cards in Government Conference Washington DC Convention Center ― November 16-19, 2010
Why Smart Cards?
What is a Smart Card?
• A Smart Card is one of the latest additions in Information Technology
• Processing power to serve many different applications (multi-application card)
• Business and personal information stored securely and only accessible to the appropriate user
• In short: Data portability, security and convenience
Contact Smart Cards
Contact-less Smart Cards
ISO 14443-4 Dual-Interface Smart Card
[Diagram: contact module with chip; internal antenna with connection points for the chip; a single chip serving both the contact and contactless interfaces]
ISO 14443-4 Dual-Interface Smart Card
• Dual interface contact and contactless smart card
• SmartMX chip technology
• ISO 7816 (T=0 and T=1) contact interface
• ISO 14443A/B-4 (T=CL) contactless interface
• DES3 encryption
• Suitable for high level languages and multi-application operating systems such as JAVA, JCOP, MULTOS
• Available with 36k, 72k, 128k, <1M (EEPROM) memory
• Max number of user applications and files is OS dependent
RFID vs. RF-Enabled
Understanding the differences between RFID and RF-enabled smart card technologies is critical in order to correctly assess each technology's fit with a specific application's security and privacy requirements.
RF-Enabled Applications
RFID Security
RFID and RF-enabled smart card technologies comply with different standards, have different operating ranges and widely varying ability to support security features needed by RF-enabled applications.
RFID Security Levels
RFID Tags & Readers
Contactless RF-Enabled Smart Cards & Readers
Stronger security via long keys, encrypted communication, and mutual authentication
ISO 14443 Contactless Smart Reader
[Diagram: Host Application CPU ↔ ISO 14443-4 Reader CPU ↔ 13.56 MHz contactless link ↔ Smartcard CPU]
Contactless Smart Reader Multi-Applications
[Diagram: Smart Reader at the centre, linked to Biometrics, Physical Access, Administrator, eDocuments, Security Management, Transactions, Users Information, Money, Configuration, Identification, Payment, Smart cards Logical/Physical Access, System monitoring, Devices control, Logical Access, Digital Signature]
Contactless Smart Card Major Benefits
Security
• Contactless chip is tamper-resistant
• Information stored can be read/write protected
• Capable of performing high security encryption
• Challenge-response mutual authentication
• Smart cards have unique serial numbers
• Biometrics support provides one-to-one match
Intelligence
• Capable of processing, not just storing, information
• Multi-application support
• Information and applications on a card can be updated without having to issue new cards
• PKI & encryption support
Contactless Smart Card Major Benefits (cont.)
Convenience
• Portable, easy-to-use form factor
• High speed access for high throughput
• Useable in harsh or dirty environments (RF)
• Fast positive authentication of identity
Reliable and Inexpensive
• Durable card bodies
• Contactless: no manual dexterity required, speed, no maintenance
• Passive: no batteries
• Low cost of ownership
Flexible
• Reader interface options: TCP/IP, USB 2.0, Wiegand, serial data
• Many form factors
IDENTITY PAST & PRESENT
US Government Identity Credential Timeline
• >1991 Department of Defense DoD ID card
• 1995 Murrah building bombing Oklahoma City, OK, creation of Federal Security Levels
• 1997 Secure networks with smart card on Navy “Smart Battleship”
• ~2000 Common Access Card (CAC)
• 2003 Executive Office of the President OMB M-04-04 E-Authentication Guidance for Federal Agencies
• 2004 Homeland Security Presidential Directive (HSPD) 12, one credential for Federal employees and contractors for logical and physical access.
US Government Identity Credential Timeline (cont.)
• 2005 National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS 201), Personal Identity Verification (PIV).
• 2006 First Responder Authentication Credential (FRAC) CertiPath Aerospace and Defense Industrial Base Bridge, initial Personal Identity Verification Interoperability (PIV-I) deployments
• 2007 Transportation Worker Identification Credential (TWIC)
• 2008 Special Publication 800-116, Guidance on Physical Access Control; bi-directional reader communications, certificates, PKI
• 2009 Federal Identity, Credentialing, and Access Management (FICAM) Roadmap, PIV-i baseline
US Government Identity Credential Timeline (cont.)
2010
• National Strategy for Trusted Identities in Cyberspace (NSTIC)
• PIV-i 1.1
• PIV-i FAQ
• FICAM Part B Guidance (expected Q4)
• Department of Commerce: Cyber security, Innovation and the Internet Economy
• Fed PKI Policy Authority: Citizen and Commerce Class Common Certificate Policy
HSPD-12 and FIPS-201
HSPD-12 (Homeland Security Presidential Directive 12)
• Issued by President George W. Bush on August 27, 2004
• Mandates the establishment of a standard for identification of Federal Government employees and contractors
• Requires the use of a common identification credential for both logical and physical access to Federally controlled facilities and information systems
• Intends to enhance security, increase efficiency, reduce identity fraud, and protect personal privacy
FIPS-201 (Federal Information Processing Standard Publication 201)
• Issued by the National Institute of Standards and Technology (NIST) Feb 25, 2005
• Defines the standard for Personal Identity Verification (PIV) of Federal employees and contractors
• Applies to both physical and logical access control, and other applications as determined by the individual agencies
• Provides guidance for implementing the HSPD-12 requirements for a common Federal identification credential that is to be used to access both physical and logical facilities and information systems
FIPS 201 Standards Benefits
The most important benefit of the FIPS 201 model is the strong assurance that the identity associated with a credential belongs to the correct individual.
• Specifies a "useful" and "secure" identity card that supports a wide range of use cases
• Enables card support across a wide range of PCs, servers, controllers, systems, and mobile devices
• Defines policy & infrastructure
• Defines processes and technical specifications that enable interoperability across organizations
• Fosters competition to reduce prices
FIPS 201 PIV Card Advantages
• It is supported by a wide range of manufacturers and integrators.
• It does not compel an organization to use a single vendor for key components (see APL).
• It provides flexible authentication, signature, and encryption functionality.
• It is well positioned to take advantage of emerging technologies, such as biometrics.
• As a standard that will be used by Federal agencies to issue credentials to millions of U.S. Federal employees and contractors, it has the advantage of scale.
• It provides the framework to support interoperable identity credentials across organizations…PIV-i
PIV Cards
Personal Identification Verification (PIV) Cards
• Cornerstone electronic credential in the U.S. Federal Government, used for authentication to both information resources and facilities
• Under HSPD-12, U.S. Federal departments and agencies are required to issue PIV cards to permanent government personnel and contractors
• Issued ONLY by U.S. Federal entities
• Relied on by U.S. Federal and non-Federal entities
• Background investigation: minimum NACI
• Asserts Federal Common Policy Framework (FCPF) Certificate Policy Object IDs for PIV
PIV & PIV-i Technology
• PIV – Personal Identity Verification Card – an identity card that meets the PIV technical specifications to work with PIV infrastructure elements such as card readers, and is issued by the Federal government in a manner that allows relying parties to trust the card.
• PIV-I – Interoperable Card – an identity card that meets the PIV technical specifications to work with PIV infrastructure elements such as card readers, and is issued by a Non-Federal Issuer (NFI) in a manner that allows Federal government relying parties to trust the card.
PIV-i … PIV Interoperable Cards
Personal Identification Verification – Interoperable (PIV-i) Cards
• Cornerstone credential for all security controls for both information resources (LACS) and facilities protection (PACS)
• Issued by Non-Federal Issuers (NFI)
• Intended primarily for issuance by non-Federal entities
• May be relied on by Federal and non-Federal entities
• Identity and affiliation certainty equivalent to PIV
• No issuer background investigation of cardholders
• Asserts Federal Bridge Certificate Authority (FBCA) Certificate Policy Object IDs for PIV-i
Credential Identifiers
PIV = FASC-N
• Federal Agency Smart Credential Number – defined and assigned by U.S. Federal agencies
• Placeholder for GUID
PIV-i = GUID / UUID
• FASC-N may not be used
• GUID is defined by RFC 4122
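Added example, not from the slides: a relying-party check that a PIV-i credential identifier is a well-formed RFC 4122 UUID (variant bits 10, version 1 to 5, not the nil value), which is what the slide says a PIV-i card must carry instead of a FASC-N. Taking the identifier as the raw 16-byte GUID value, and the helper names, are assumptions.

```python
"""Relying-party sanity check for a PIV-i GUID (added example).

Assumption (not from the slides): the identifier arrives as the raw
16 bytes of the card's GUID field; constructed sample values are below.
"""
import uuid


def parse_rfc4122_guid(raw: bytes) -> uuid.UUID:
    """Return the UUID if `raw` is a usable RFC 4122 UUID, else raise ValueError.

    RFC 4122 requires exactly 16 octets, the variant bits (top two bits of
    octet 8) set to 10b, and a version number 1..5 in the top nibble of
    octet 6.  The nil UUID (all zeros) is rejected: it identifies nobody.
    """
    if len(raw) != 16:
        raise ValueError(f"GUID must be 16 bytes, got {len(raw)}")
    candidate = uuid.UUID(bytes=raw)
    if candidate.int == 0:
        raise ValueError("nil UUID is not a usable credential identifier")
    if candidate.variant != uuid.RFC_4122:
        raise ValueError("variant bits are not RFC 4122 (expected 10xxxxxx)")
    if candidate.version not in (1, 2, 3, 4, 5):
        raise ValueError(f"version {candidate.version} is not defined by RFC 4122")
    return candidate


def is_valid_piv_i_guid(raw: bytes) -> bool:
    """Boolean wrapper for access-control code paths that only need accept/reject."""
    try:
        parse_rfc4122_guid(raw)
        return True
    except ValueError:
        return False


# Constructed samples: a version-1 UUID (the RFC 4122 DNS namespace value),
# the nil UUID, an all-ones value with non-RFC variant bits, and a short blob.
SAMPLE_GOOD = bytes.fromhex("6ba7b8109dad11d180b400c04fd430c8")
SAMPLE_NIL = bytes(16)
SAMPLE_BAD_VARIANT = b"\xff" * 16
SAMPLE_SHORT = b"\x01" * 15

if __name__ == "__main__":
    for label, sample in [("good", SAMPLE_GOOD), ("nil", SAMPLE_NIL),
                          ("bad variant", SAMPLE_BAD_VARIANT), ("short", SAMPLE_SHORT)]:
        print(label, is_valid_piv_i_guid(sample))
```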
IDENTITY FUTURE
ICAM Defined
What is ICAM?
“The intersection of digital identities, credentials and access control into one comprehensive approach.”
FICAM Initiatives
• Create Digital Identity
• Achieve Compliance
• Enable System Interoperability
• Protect Personally Identifiable Information (PII)
• Integrate PACS and LACS
FICAM Goals
• Enhance security across the government by closing gaps.
• Improve government agency compliance.
• Improve accessibility of federal agencies to each other and the American public.
• Address identity management and physical access control issues for federal employees.
• Reduce costs and improve efficiencies.
FICAM Outcomes
• Create trusted digital identity representations.
• Bind those identities to credentials used for access transactions.
• Leverage credentials to grant authorized access.
• Enable digital signatures (applications, documents, authorizations…)
FICAM Benefits
• Enhance security
• Improve efficiencies
• Reduce costs
• Improve accessibility
• Establish common PACS and LACS protocols
• Foster agency compliance
HSPD-12, FIPS-201, SP Pubs, & ICAM, PIV, TWIC, PIV-i
HSPD-12
FIPS-201
• SP 800-73-1: Interfaces for PIV
• SP 800-76-1: Biometric Data Specification for PIV
• SP 800-78: Cryptographic Algorithms and Key Sizes for PIV
• SP 800-116: A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)
• SP 800-96: PIV Card / Reader Interoperability Guidelines
• SP 800-79: Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations
• SP 800-87: Codes for the Identification of Federal and Federally-Assisted Organizations
TWIC · ICAM · PIV-i / FRAC
FIPS 201 SCA Decoder Docs (www.smartcardalliance.org)
• Physical Access Control System Migration Options for Using FIPS 201-1 Compliant Credentials, Smart Card Alliance Physical Access Council white paper developed in collaboration with the Open Security Exchange, Security Industry Association and International Biometric Industry Association, September 2007
• FIPS 201 PIV II Card Use with Physical Access Control Systems: Recommendations to Optimize Transaction Time and User Experience, Smart Card Alliance Physical Access Council white paper, May 2007
• Considerations for the Migration of Existing Physical Access Control Systems to Achieve FIPS 201 Compatibility, Smart Card Alliance Physical Access Council white paper, September 2006
• FIPS 201 and Physical Access Control: An Overview of the Impact of Physical Access Control Systems and FIPS 201, a Smart Card Alliance Physical Access Council briefing presentation, January 2006
• FIPS 201 on Federal Physical Access Control Systems, a Smart Card Alliance Physical Access Council white paper, September 2005
Smart Card Alliance 191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828 www.smartcardalliance.org
Steve Rogers President
115 Southport Commons Suites I and J Spartanburg, SC 29306
P: (800) 689-1412 [email protected] www.ICEware.com