
Strategies for the Implementation of PIV – I Secure Identity …d3nrwezfchbhhm.cloudfront.net/media/piv-i-workshop-2010/... · 2016-05-02 · Strategies for the Implementation of


Page 1

Property of the Smart Card Alliance © 2010

PIV Technology and Policy Requirements Steve Rogers

President & CEO

Strategies for the Implementation of PIV – I Secure Identity Credentials A Smart Card Alliance Educational Institute Workshop

9th Annual Smart Cards in Government Conference Washington DC Convention Center ― November 16-19, 2010

Page 2

Why Smart Cards?

Page 3

What is a Smart Card?

•  A smart card is one of the latest additions to information technology

•  Processing power to serve many different applications (multi-application card)

•  Business and personal information stored securely and only accessible to the appropriate user

•  In short: Data portability, security and convenience

Page 4

Contact Smart Cards

Page 5

Contactless Smart Cards

Page 6

ISO 14443-4 Dual-Interface Smart Card

Contact module with chip

Internal antenna with connection points for chip

A single chip for both contact and contactless

Page 7

ISO 14443-4 Dual-Interface Smart Card

•  Dual-interface contact and contactless smart card
•  SmartMX chip technology
•  ISO 7816 (T=0 and T=1) contact interface
•  ISO 14443A/B-4 (T=CL) contactless interface
•  Triple DES (DES3) encryption
•  Suitable for high-level languages and multi-application operating systems such as Java, JCOP and MULTOS
•  Available with 36k, 72k, 128k, <1M (EEPROM) memory
•  Maximum number of user applications and files is OS dependent

Page 8

RFID vs. RF-Enabled

Understanding the differences between RFID and RF-enabled smart card technologies is critical in order to correctly assess each technology's fit with a specific application's security and privacy requirements.

Page 9

RF-Enabled Applications

Page 10

RFID Security

RFID and RF-enabled smart card technologies comply with different standards, have different operating ranges and widely varying ability to support security features needed by RF-enabled applications.

Page 11

RFID Security Levels

Page 12

RFID Tags & Readers

Page 13

Contactless RF-Enabled Smart Cards & Readers

Stronger security via long keys, encrypted communication, and mutual authentication

Page 14

ISO 14443 Contactless Smart Reader

Diagram: Host Application CPU ↔ ISO 14443-4 Reader CPU ↔ 13.56 MHz contactless interface ↔ Smartcard CPU

Page 15

Contactless Smart Reader Multi-Applications

Diagram of Smart Reader application areas: Biometrics, Physical Access, Administrator, eDocuments, Security Management, Transactions, Users Information, Money, Configuration, Identification, Payment, Smart cards Logical/Physical Access, System monitoring, Devices control, Logical Access, Digital Signature

Page 16

Contactless Smart Card Major Benefits

Security
•  Contactless chip is tamper-resistant
•  Information stored can be read/write protected
•  Capable of performing high-security encryption
•  Challenge-response mutual authentication
•  Smart cards have unique serial numbers
•  Biometrics support provides one-to-one match

Intelligence
•  Capable of processing, not just storing, information
•  Multi-application support
•  Information and applications on a card can be updated without having to issue new cards
•  PKI and encryption support

Page 17

Contactless Smart Card Major Benefits (cont.)

Convenience
•  Portable, easy-to-use form factor
•  High-speed access for high throughput
•  Usable in harsh or dirty environments (RF)
•  Fast, positive authentication of identity

Reliable and Inexpensive
•  Durable card bodies
•  Contactless: no manual dexterity required, fast, no maintenance
•  Passive: no batteries
•  Low cost of ownership

Flexible
•  Reader interface options: TCP/IP, USB 2.0, Wiegand, serial data
•  Many form factors

Page 18

IDENTITY PAST & PRESENT

Page 19

US Government Identity Credential Timeline

•  >1991 Department of Defense (DoD) ID card

•  1995 Murrah building bombing Oklahoma City, OK, creation of Federal Security Levels

•  1997 Secure networks with smart card on Navy “Smart Battleship”

•  ~2000 Common Access Card (CAC)

•  2003 Executive Office of the President OMB M-04-04 E-Authentication Guidance for Federal Agencies

•  2004 Homeland Security Presidential Directive (HSPD) 12, one credential for Federal employees and contractors for logical and physical access.

Page 20

US Government Identity Credential Timeline (cont.)

•  2005 National Institute of Standards and Technology (NIST) Federal Information Processing Standard 201 (FIPS 201), Personal Identity Verification (PIV)

•  2006 First Responder Authentication Credential (FRAC) CertiPath Aerospace and Defense Industrial Base Bridge, initial Personal Identity Verification Interoperability (PIV-I) deployments

•  2007 Transportation Worker Identification Credential (TWIC)

•  2008 Special Publication 800-116, Guidance on Physical Access Control; bi-directional reader communications, certificates, PKI

•  2009 Federal Identity, Credentialing, and Access Management (FICAM) Roadmap, PIV-i baseline

Page 21

US Government Identity Credential Timeline (cont.)

2010
•  National Strategy for Trusted Identities in Cyberspace (NSTIC)
•  PIV-i 1.1
•  PIV-i FAQ
•  FICAM Part B Guidance (expected Q4)
•  Department of Commerce: Cybersecurity, Innovation and the Internet Economy
•  Federal PKI Policy Authority: Citizen and Commerce Class Common Certificate Policy

Page 22

HSPD-12 and FIPS-201

HSPD-12 (Homeland Security Presidential Directive 12)
•  Issued by President George W. Bush on August 27, 2004.
•  Mandates the establishment of a standard for identification of Federal Government employees and contractors.
•  Requires the use of a common identification credential for both logical and physical access to Federally controlled facilities and information systems.
•  Intends to enhance security, increase efficiency, reduce identity fraud, and protect personal privacy.

FIPS-201 (Federal Information Processing Standard Publication 201)
•  Issued by the National Institute of Standards and Technology (NIST) on Feb 25, 2005.
•  Defines the standard for Personal Identity Verification (PIV) of Federal employees and contractors.
•  Applies to both physical and logical access control, and other applications as determined by the individual agencies.
•  Provides guidance for implementing the HSPD-12 requirements for a common Federal identification credential that is to be used to access both physical and logical facilities and information systems.

Page 23

FIPS 201 Standards Benefits

The most important benefit of the FIPS 201 model is the strong assurance that the identity associated with a credential belongs to the correct individual.

•  Specifies a “useful” and “secure” identity card that supports a wide range of use cases.
•  Enables card support across a wide range of PCs, servers, controllers, systems, and mobile devices.
•  Defines policy and infrastructure.
•  Defines processes and technical specifications that enable interoperability across organizations.
•  Fosters competition to reduce prices.

Page 24

FIPS 201 PIV Card Advantages

•  It is supported by a wide range of manufacturers and integrators.

•  It does not compel an organization to use a single vendor for key components (see APL).

•  It provides flexible authentication, signature, and encryption functionality.

•  It is well positioned to take advantage of emerging technologies, such as biometrics.

•  As a standard that will be used by Federal agencies to issue credentials to millions of U.S. Federal employees and contractors, it has the advantage of scale.

•  It provides the framework to support interoperable identity credentials across organizations…PIV-i

Page 25

PIV Cards

Personal Identity Verification (PIV) Cards
•  Cornerstone electronic credential in the U.S. Federal Government, used for authentication to both information resources and facilities.
•  Under HSPD-12, U.S. Federal departments and agencies are required to issue PIV cards to permanent government personnel and contractors.
•  Issued ONLY by U.S. Federal entities.
•  Relied on by U.S. Federal and non-Federal entities.
•  Background investigation: minimum NACI.
•  Asserts Federal Common Policy Framework (FCPF) Certificate Policy Object IDs for PIV.

Page 26

PIV & PIV-i Technology

•  PIV – Personal Identity Verification Card – an identity card that meets the PIV technical specifications to work with PIV infrastructure elements such as card readers, and is issued by the Federal government in a manner that allows relying parties to trust the card.

•  PIV-I – Interoperable Card – an identity card that meets the PIV technical specifications to work with PIV infrastructure elements such as card readers, and is issued by a Non-Federal Issuer (NFI) in a manner that allows Federal government relying parties to trust the card.


Page 27

PIV-i … PIV Interoperable Cards

Personal Identity Verification – Interoperable (PIV-i) Cards
•  Cornerstone credential for all security controls for both information resources (LACS) and facilities protection (PACS).
•  Issued by Non-Federal Issuers (NFI).
•  Intended primarily for issuance by non-Federal entities.
•  May be relied on by Federal and non-Federal entities.
•  Identity and affiliation certainty equivalent to PIV.
•  No issuer background investigation of cardholders.
•  Asserts Federal Bridge Certificate Authority (FBCA) Certificate Policy Object IDs for PIV-i.

Page 28

Credential Identifiers

PIV = FASC-N
•  Federal Agency Smart Credential Number, defined and assigned by U.S. Federal agencies
•  Placeholder for GUID

PIV-i = GUID / UUID
•  FASC-N may not be used
•  GUID is defined by RFC 4122
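Added example, not code from the presentation: how a relying party picks the credential identifier described on this slide, decoding the FASC-N for a PIV card and validating the RFC 4122 GUID for a PIV-I card. The FASC-N character layout (40 five-bit BCD characters with odd parity and an LRC) and the all-9s Agency Code / System Code / Credential Number convention that marks a PIV-I card are assumptions taken from SP 800-73 and the PIV-I guidance, not from the slides.

```python
"""Relying-party choice of credential identifier: FASC-N for PIV, GUID for PIV-I.
Assumptions not stated on the slides: the FASC-N is 40 five-bit BCD characters with odd
parity and an LRC laid out as in SP 800-73, and a PIV-I card fills Agency Code, System
Code and Credential Number with 9s, so the GUID must be used instead."""
import uuid

def _code5(nibble: int) -> str:
    """Encode one FASC-N character: 4 data bits LSB-first plus an odd-parity bit."""
    bits = f"{nibble:04b}"[::-1]
    return bits + ("0" if bits.count("1") % 2 else "1")

SS, FS, ES = 0xB, 0xD, 0xF                   # start/field/end sentinels: 11010, 10110, 11111
CODE_TO_NIBBLE = {_code5(n): n for n in range(16)}
PIV_I_FASCN = ("9999", "9999", "999999")     # assumed PIV-I placeholder values

def encode_fascn(agency, system, credential, cs="1", ici="1",
                 pi="0000000001", oc="1", oi="0001", poa="1") -> bytes:
    """Pack the FASC-N fields into the 25-byte (200-bit) BCD form, LRC included."""
    digits = lambda s: [int(d) for d in s]
    chars = ([SS] + digits(agency) + [FS] + digits(system) + [FS] + digits(credential)
             + [FS] + digits(cs) + [FS] + digits(ici) + [FS] + digits(pi) + digits(oc)
             + digits(oi) + digits(poa) + [ES])
    lrc = 0
    for c in chars:                          # LRC = XOR of every preceding data nibble
        lrc ^= c
    chars.append(lrc)
    bits = "".join(_code5(c) for c in chars)  # 40 characters x 5 bits = 200 bits
    return int(bits, 2).to_bytes(25, "big")

def decode_fascn(raw: bytes) -> tuple:
    """Return (agency, system, credential); reject parity, LRC or sentinel errors."""
    if len(raw) != 25:
        raise ValueError("FASC-N must be 25 bytes")
    bits = f"{int.from_bytes(raw, 'big'):0200b}"
    chars = []
    for i in range(0, 200, 5):
        code = bits[i:i + 5]
        if code not in CODE_TO_NIBBLE:       # any single flipped bit breaks odd parity
            raise ValueError(f"parity error in character {i // 5}")
        chars.append(CODE_TO_NIBBLE[code])
    lrc = 0
    for c in chars[:-1]:
        lrc ^= c
    if lrc != chars[-1]:
        raise ValueError("LRC mismatch")
    if [chars[i] for i in (0, 5, 10, 17, 19, 21, 38)] != [SS, FS, FS, FS, FS, FS, ES]:
        raise ValueError("sentinel or field separator out of place")
    field = lambda start, n: "".join(str(c) for c in chars[start:start + n])
    return field(1, 4), field(6, 4), field(11, 6)

def credential_identifier(fascn_raw: bytes, guid_raw: bytes) -> tuple:
    """("FASC-N", digits) for a PIV card, ("GUID", uuid string) for a PIV-I card."""
    agency, system, credential = decode_fascn(fascn_raw)
    if (agency, system, credential) != PIV_I_FASCN:
        return "FASC-N", agency + system + credential
    g = uuid.UUID(bytes=guid_raw)            # PIV-I: the GUID is the identifier
    if g.int == 0 or g.variant != uuid.RFC_4122 or g.version not in (1, 4):
        raise ValueError("PIV-I GUID must be a non-nil RFC 4122 version 1 or 4 UUID")
    return "GUID", str(g)
```

A PIV card with an all-zero placeholder GUID is accepted on the FASC-N path, while a PIV-I card whose GUID is nil or not an RFC 4122 UUID is rejected rather than silently identified by its 9999 FASC-N.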

Page 29

IDENTITY FUTURE

Page 30

ICAM Defined

What is ICAM?

“The intersection of digital identities, credentials and access control into one comprehensive approach.”

Page 31

FICAM Initiatives

•  Create Digital Identity

•  Achieve Compliance

•  Enable System Interoperability

•  Protect Personally Identifiable Information (PII)

•  Integrate PACS and LACS

Page 32

FICAM Goals

•  Enhance security across the government by closing gaps.

•  Improve government agency compliance.
•  Improve accessibility of federal agencies to each other and the American public.
•  Address identity management and physical access control issues for federal employees.

•  Reduce costs and improve efficiencies.

Page 33

FICAM Outcomes

•  Create trusted digital identity representations.
•  Bind those identities to credentials used for access transactions.
•  Leverage credentials to grant authorized access.
•  Enable digital signatures (applications, documents, authorizations…)

Page 34

FICAM Benefits

•  Enhance security
•  Improve efficiencies
•  Reduce costs
•  Improve accessibility
•  Establish common PACS and LACS protocols
•  Foster agency compliance

Page 35

HSPD-12, FIPS-201, SP Pubs, & ICAM, PIV, TWIC, PIV-i

HSPD-12

FIPS 201

•  SP 800-73-1 Interfaces for PIV
•  SP 800-76-1 Biometric Data Specification for PIV
•  SP 800-78 Cryptographic Algorithms and Key Sizes for PIV
•  SP 800-116 A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)
•  SP 800-96 PIV Card / Reader Interoperability Guidelines
•  SP 800-79 Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations
•  SP 800-87 Codes for the Identification of Federal and Federally-Assisted Organizations

TWIC · ICAM · PIV-i / FRAC

Page 36

www.smartcardalliance.org

•  Physical Access Control System Migration Options for Using FIPS 201-1 Compliant Credentials, Smart Card Alliance Physical Access Council white paper developed in collaboration with the Open Security Exchange, Security Industry Association and International Biometric Industry Association, September 2007

•  FIPS 201 PIV II Card Use with Physical Access Control Systems: Recommendations to Optimize Transaction Time and User Experience, Smart Card Alliance Physical Access Council white paper, May 2007

•  Considerations for the Migration of Existing Physical Access Control Systems to Achieve FIPS 201 Compatibility, Smart Card Alliance Physical Access Council white paper, September 2006

•  FIPS 201 and Physical Access Control: An Overview of the Impact of Physical Access Control Systems and FIPS 201, a Smart Card Alliance Physical Access Council briefing presentation, January 2006

•  FIPS 201 on Federal Physical Access Control Systems, a Smart Card Alliance Physical Access Council white paper, September 2005

FIPS 201 SCA Decoder Docs

Page 37

Smart Card Alliance · 191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828 · www.smartcardalliance.org

Steve Rogers, President

115 Southport Commons Suites I and J Spartanburg, SC 29306

P: (800) 689-1412 [email protected] www.ICEware.com