HSPD 12 Workshop

About This Presentation

Title:

HSPD 12 Workshop

Description:

Buying Cards without knowing the applications and systems they will be used in, is like buying a car without knowing if roads are available ... – PowerPoint PPT presentation

Number of Views:72

Avg rating:3.0/5.0

Slides: 40

Provided by: randyvan

Category:

more less

Transcript and Presenter's Notes

Title: HSPD 12 Workshop

1
Smart Card Industry PanelDelivering PIV
compliant products

HSPD 12 Workshop
May 5, 2005
Washington, DC

2
Moderator Randy Vanderhoof, SCA

Industry Panel
Gilles Lisimaque, Partner
ID Technology Partners, Inc.
GLisimaque_at_idtp.com
Phone 301-320-5146
Stephen P. Howard, Partner
ID Technology Partners
SteveHoward_at_idtp.com
703.319.3171
Dwayne M. Pfeiffer, CISSP
Northrop Grumman Corp
dwayne.pfeiffer_at_ngc.com
703.556.2963

3
Topics to be covered

Standards Smart Cards
PIV Data Model
When do I Use What in the PIV?
PIV Card and Physical Access
How can I use the PIV card in physical access
control systems (PACS)?

4
Standards Smart Cards

Gilles Lisimaque
ID Technology Partners
GLisimaque_at_IDTP.com

5
In the Beginnings .

The World of Smart Cards was formless and empty
And ISO WG4 said let there be a standard for
smart cards and there was ISO/IEC 7816
After the fifteen parts of the standard were
finished, ISO WG4 saw this was good and handed
the standard to vendors to work with it, built
from it and take care of it.
And the vendors sinned and used the standard for
their own selfish proprietary interests instead
of sharing the good news and develop
interoperability .

6
In the Land of North America

A new standard for smart cards (GSC-IS) was
develop on the top of ISO 7816 in an attempt to
restore interoperability. It provided
Interoperable source of products (procurement)
Interoperable data models (data definition)
But it still allow applications to be on their
own and did not succeed in providing
interoperable applications using the various
products.
Without enough guidance, and using too often the
letter of the law instead of its spirit, users
of GSC-IS developed incompatible application
languages and could not built the interoperable
unified tower their leaders dreamed about.

7
The Quest for Interoperability

The PIV application required true
interoperability for cards, systems, back ends,
between systems and during issuance in order to
provide true security.
A new law for smart cards was developed for the
land and was called SP 800-73.
In parallel, an international effort (ISO 24727)
based on GSC-IS was launched to develop a true
interoperable language, all smart cards around
the world (including North America) could use and
be interoperable.

8
The new Law for Smart Cards in the US
government SP 800-73

Scope limited to a specific application PIV
Provides strict guidance for GSC-IS applications
on how to ensure the PIV application loaded on
any US government smart card will interoperate.
Protects investment of GSC-IS systems allowing
them to adapt and interoperate at the card level
Provides a simple, unambiguous solution for
future cards to be used in final systems (back
ends, CMS, client-applications, etc.) when they
become available
Developed as close as possible to the
international effort (ISO 24727) to guarantee
global interoperability of the card and the
various elements of the systems.

9
The Heart of Interoperability

A Common Data Model with unambiguous names and
owners has been developed for all PIV cards
whatever technology they use (GSC-IS Transitional
or SP 800-73 End-State)
Simple commands and functions are nailed down
defining how to access and use the various data
elements defined in the application
Instead of allowing all cards with all type of
languages to be accepted by the system, a limited
number of card interfaces have been defined,
limiting the translation work of the middleware
and the options to work from in applications

10
The Challenges Ahead

In all systems, defining the card is the easy
part.
Defining the applications to use it is much more
complex
Making sure all cards are issued with the
required level of security is a daunting task

And finally, having back end systems from various
issuers (agencies) able to cooperate in their
security critical missions is a lot of headaches.

Buying Cards without knowing the applications and
systems they will be used in, is like buying a
car without knowing if roads are available
11
Who is working on the solutions?

In order to get true interoperable solutions,
some more work is required to define
unambiguously the application software, the
middleware layers, the issuance systems, the card
management systems (if required) and the other
elements of the card itself (how other
applications can co-exist in the PIV card).
ISO 24727 is working on the international
framework allowing to built interoperable
application using smart cards. The work is moving
very fast for an ISO work but is acknowledged as
fundamental by all countries.
NCITS B10 is working out a bridge allowing to
move from GSC-IS to SP 800-73 and later to ISO
24727

12
The delicate choice ahead

SP 800-73 allows to use existing GSC-IS systems
in an interoperable manner. These systems and
cards are available and SP 800-73 proposes fixes
to GSC-IS to provide enough interoperability for
the PIV application.
SP 800-73 offers a new solution for cards,
middleware and systems helping new applications
to be developed in a better interoperable manner.
New cards will soon be available and they will
have to be qualified for security and
conformance.
Middleware will be developed in order to work
with these new cards
New applications will take advantage of the new
cards

Until Compliance Tests are defined, no one knows
its drawbacks and limitations
13
The delicate choice ahead

SP 800-73 allows to use existing GSC-IS systems
in an interoperable manner. These systems and
cards are available and SP 800-73 proposes fixes
to GSC-IS to provide enough interoperability for
the PIV application.
SP 800-73 offers a new solution for cards,
middleware and systems helping new applications
to be developed in a better interoperable manner.
New cards will soon be available and they will
have to be qualified for security and
conformance.
Middleware will be developed in order to work
with these new cards
New applications will take advantage of the new
cards

14
FIPS 140 SCA Working Group Company Working Group
Members

Gemplus
IBM
ID Technology Partners
Infogard
Litronic
Lockheed Martin
MartSoft
MasterCard
Mobile Mind
NIST
Oberthur
Philips
Raak Technologies

ActivCard
Atlan Labs
Atmel
Axalto
Cygnacom
Department of Defense
Dept. of Transportation/TWIC
DMDC
Dreifus
GD

15
The Goal of a Common Platform

The goal of the group is to define a common card
platform allowing to establish a reference for
applet developers
Would allow OS and Card manufacturers to keep the
qualification of a FIPS 140 qualified platform
when new qualified application functions
(applets) are added.
Would allow application developers to have their
applet FIPS 140 certified only once on any FIPS
140 qualified platform and keep this
certification when used on another FIPS certified
card platform

16
FIPS 201 PIV applications benefits from a FIPS
140 common card platform

Faster qualification
Better interoperability
Lower costs

Smart Card Alliance FISP 140 Working Group
17
Thank you

Gilles Lisimaque
Partner
ID Technology Partners, Inc.
316-B Cross Green Street
Gaithersburg, MD 20878
Phone 301-320-5146
GLisimaque_at_idtp.com
WEB www.idtp.com

18
PIV Data Model

When do I Use What in the PIV?
Stephen P. HowardID Technology
PartnersSteveHoward_at_idtp.com

19
Structure of the Data Model
20
PIV Data Model
Buffer Description Interface Available Access Rule
Card Capabilities Container Contact Always Read
Card Holder Unique ID Contact and Contactless Always Read
X.509 for PIV Authentication Contact PIN
Card Holder Fingerprint I Contact PIN
Card Holder Fingerprint II Contact PIN
Printed Information Contact PIN
Card Holder Facial Image Contact PIN
X.509 for Digital Signature Contact PIN Always
X.509 for Key Management Contact PIN
X.509 for Card Authentication Contact and Contactless Always
Security Object Contact Always Read
Mandatory issuer controlled data
Issuer optional
21
States Rights

If PIV requires it, you must do it
Mandatory for inter-agency interoperability
PIV does not restrict issuers from adding
additional applications and data
Demographic information buffers
ePurse schemes
Contactless Biometrics
Contactless CCC
Contactless Security Object buffer
Mutual authentication schemes
BUT Issuer specific apps and data are not
considered interoperable across agencies
Enables appropriate, controlled testing of new
capabilities
Enables consideration for future PIV extensions

22
Back-end Transactions

SP800-73 defines operational use cases
Requires back-end transactions to verify against
the issuer
Not covered in this presentation
Focus here on structure and support from PIV Data
Model to enable these transactions and other
operational modes

23
When Do I Use What?

Making Sense of it For Real Applications!

24
Registration Wheres the stuff you need?

Credential Number
In the CHUID ? FASC-N SystemCodeCredentialNumbe
r or GUID
Employee Number
In the CHUID, buried in the FASC-N ?
PersonIdentifier (PI) DoD EDI-PI
Employee Name
In the Printed Information buffer
Who is the issuer?
Two places ? In the CHUID, buried in the FASC-N
as Agency code PIV Auth. Cert.
Expiration Date of Credential
Two places ? CHUID Expiration Date PIV
Authentication Cert. Expiration Date

25
Registration Wheres the stuff you need?

Issuer Integrity Did they really put this
there?
CHUIDs Issuer Asymmetric Signature and
Certificate
Delivers Public key for Signature Object
Signature Object
Individually signed objects ? Biometrics,
Certificates
Verified signatures Trust in issuer
Is this the real PIV chip?
Two methods ? Card Authentication Key or PIV
Authentication Key to sign a challenge
CAK proves valid card PAK proves valid card and
confirms bearer through PIN
Is this the rightful bearer of the PIV?
Use Card Holder Fingerprints for Match-to-Card
biometric identification that bearer is rightful
cardholder
Verified signature of fingerprints Trust in
issuer

26
Physical Access

Which credential is asking for access?
CHUID
Primarily the FASC-N fields Agency CodeSystem
CodeCredential Number which are concatenated
for full Credential Number
OR Global Unique ID (GUID) ? next generation to
replace FASC-N credential number
Who is asking for access?
Card Holder Fingerprints
Match-to-Card
Card Holder Facial Image and Printed Information
Look at the picture in the chip to confirm it
matches the person
Check their name
Is this card authentic?
Verify issuer signatures ? CHUID, Fingerprints
OR, single verification using Signature Object
(printed info, images)
Is this the chip or a copy?
Use Card Authentication Key to challenge for a
digital signature

27
Logical Access

Mandatory PIV Authentication Key
Windows Login, Web Access, etc.
Requires pin, proving Card and Card Holder
Optional
Digital Signature ? PIN Always enabling
Non-Repudiation for critical applications
Key Management ? PIN enabling Email encryption,
session key generation
Card Authentication ? No PIN required, trust card
before using other services
Consistent with DoD PKI key usage

28
Summary
29
PIV is a Very Powerful Tool

Enables trust in identity of bearer of the token
Enables a range of security models
Logical/Physical
Biometrically enhanced
Integrity with issuer signatures
Enables range of transactional options depending
on Facility and System/Network security
requirements
Needs continued focus to assure interpretation of
PIV leads to strong cross agency interoperability
Maximize its potential!

30
Thank you for your time!
Stephen P. Howard ID Technology
Partners SteveHoward_at_idtp.com 703.319.3171
31
PIV Card and Physical Access

How can I use the PIV card in physical access
control systems (PACS)?
Dwayne PfeifferNorthrop Grumman
Corp.dwayne.pfeiffer_at_ngc.com

32
PIV Data Model
Buffer Description Interface Available Access Rule
Card Capabilities Container Contact Always Read
Card Holder Unique ID (CHUID) Contact and Contactless Always Read
X.509 for PIV Authentication Contact PIN
Card Holder Fingerprint I Contact PIN
Card Holder Fingerprint II Contact PIN
Printed Information Contact PIN
Card Holder Facial Image Contact PIN
X.509 for Digital Signature Contact PIN Always
X.509 for Key Management Contact PIN
X.509 for Card Authentication Contact and Contactless Always
Security Object Contact Always Read
For PACS Usage
Mandatory issuer controlled data
Issuer optional
33
Whats in the CHUID?
34
Whats in the CHUID? (continued)

Federal Agency Smart Credential Number (FASC-N)
Part 1

Field name Length (BCD digits) Field description
AGENCY CODE 4 Identifies the government agency issuing the credential
SYSTEM CODE 4 Identifies the system the card is enrolled in and is unique for each site (can be concatenated with credential number to create a 10 digit credential number)
CREDENTIAL NUMBER 6 Encoded by the issuing agency. For a given system no duplicate numbers are active
CS 1 CREDENTIAL SERIES (SERIES CODE) Field is available to reflect major system changes
ICI 1 INDIVIDUAL CREDENTIAL ISSUE (CREDENTIAL CODE) Initially encoded as 1, will be incremented if a card is replaced due to loss or damage
35
Whats in the CHUID? (continued)

Federal Agency Smart Credential Number (FASC-N)
Part 2

Field name Length (BCD digits) Field description
PI 10 PERSON IDENTIFIER - Numeric Code used by the identity source to uniquely identify the token carrier. (e.g. DoD EDI PN ID)
OC 1 ORGANIZATIONAL CATEGORY 1 - Federal Government Agency 2 - State Government Agency 3 - Commercial Enterprise 4 - Foreign Government
OI 4 ORGANIZATIONAL IDENTIFIER OC1 FIPS 95-2 Agency Code OC2 State Code OC3 Company Code OC4 Numeric Country Code
POA 1 PERSON/ORGANIZATION ASSOCIATION CATEGORY 1 Employee, 2 Civil, 3 Executive Staff, 4 Uniformed Service 5 Contractor, 6 Organizational Affiliate, 7 Organizational Beneficiary
36
Whats in the CHUID? (continued)

Global Unique Identification Number (GUID)
Issuer assigned IPv6 number included to enable
future migration away from the FASC-N into a
robust numbering scheme for all issued
credentials.

37
Whats in the CHUID? (continued)

Expiration Date
8 bytes in length and encoded as YYYYMMDD.
Authentication Key Map
Defined as part of the High Assurance Profile in
TIG SCEPACS v2.2
Can be used as a proof of an authentic PIV and
its bearer (when used with PIN)
Is an optional field which enables the
application to discover the key reference.
A method of implementing the symmetric
challenge/response protocols using the Card
Authentication Key in SP800-73
Issuer Asymmetric Signature
Is implemented as a SignedData Type, as specified
in RFC 3369

38
CHUID Usage (Authentication)
39
PACS Device Requirements

PIV Card Readers
Contactless Card-to-reader interface ISO/IEC14443
Contact Card-to-reader interface ISO/IEC 7816
Able to read and process CHUID
Reader-to-panel/host interface is not specified
(PACS specific)
Access Control Panels
Minimum be able to process FASC-N and Exp. Date
Migration to process GUID
Optionally be able to check CHUIDs issuer
digital signature
PACS Host
Minimum be able to process FASC-N and Exp. Date
Migration to process GUID
Minimum at registration, be able to check CHUIDs
issuer digital signature

40
PACS Options

PIN
PIN pad must be integrated with reader
Biometrics
Prior to SP800-76, local use only not
interoperable
SP800-76 will state interoperability requirements
Verify CHUID Issuer Digital Signature
Requires interface to issuers Certificate
Authority (CA) (e.g., Certificate Revocation List
(CRL) or Online Certificate Status Responder
(OCSP)

41
Physical Access Council (PAC)

The Physical Access Council is the first of
several new Smart Card Alliance Technology and
Industry Councils
This council has been created to foster increased
collaboration within the physical access control
system industry and market segment and to produce
tangible results
Speeding smart card adoption and industry growth.

42
PAC Mission

To accelerate the widespread acceptance, usage,
and application of smart card technology in the
physical access world by bringing together, in an
open forum, leading users and technologists from
both the public and private sectors.

43
Fulfilling the PAC Mission

How Do We Do It
Networking and sharing of information
Education
Industry outreach
Multi-vendor collaborative documents
Media positioning
Melting pot of new ideas

44
PAC Participants

The Physical Access Council includes participants
from across the smart card and physical access
control industry, including
End users
Smart Card Chip developers
Smart Card manufacturers
Smart Card Reader manufacturers
Smart Card Software developers
Physical access control systems vendors
Integration service providers
Government

45
PAC Steering Committee
46
PAC Members

Broad cross-section of smart card and physical
access control industry vendors and users
Members Accu-Time Systems, ADT Federal Systems,
Anteon, BearingPoint, Bordes Group, Condortech,
Corestreet, CTS, EDS, Fargo Electronics, GE, GSA,
GTSI, HID Corp., Hirsch Electronics, Honeywell,
IBM, ID TECH, Identicard, IDTP, Indala,
Integrated Command Software, ISR Solutions,
Johnson Controls, Legic, Lenel, Lockheed Martin,
MartSoft, MDI, NARA, NBS Technologies, Omnikey,
ORGA, Proctor Gamble, Precise Biometrics,
Raytheon, RSA Labs, SafeNet, SafLink, SAIC, SC
Solutions, SECOM, Sharp, SIA, Siemens,
SoftwareHouse, Sun Microsystems, SuperCom,
Translore, US Dept of Justice, US Dept of
Transportation/Volpe Center, US Marshal Service,
Veridt, Xtec