Creating a Trusted Identity

May 19, 2011

When CardKey Systems Inc., (part of Johnson’s Controls’ Group) replaced a lock and key with a card and reader more than 50 years ago, it started a continuous technology evolution in the physical access control systems (PACS) market that seems to have accelerated in recent times. Modern notions of identity — its representation and meaning — are challenging the way we will think of PACS systems of the future.
Today, helped by robust encryption technology, ubiquitous computing power and always-on, mobile intelligent devices, a new paradigm for identity management is emerging, as internet access becomes a necessity for normal functioning of society.
Leading the way are government security initiatives based on the Homeland Security Presidential Directive 12 (HSPD-12) on how to improve the safety and security of access control. As part of these efforts, the Personal Identity Verification (PIV) card was introduced to allow — for the first time — a formal and absolute method of assigning a trusted identity to a PACS card user.
In the context of these changes, I offer a look at how PACS is developing to help commercially savvy security system designers understand what they should embrace — and what they should avoid.

The Meaning of You
Cardkey’s innovative card technology, based on magnetized barium ferrite domains on a credit-card sized template, revolutionized PACS. This was followed by Wiegand wire cards, which also used magnetization to represent the data on the card.
Within the last 20 years, the contactless proximity technology first pioneered by Hughes Identification Devices (now HID Global Corporation) has become the card technology of choice, purely because of the convenience and efficiency of entering a door with a wave of a card. The current technologies use contactless smart cards based on the ISO standards of 15693 and 14443, such as HID’s iCLASS and NXP’s MiFare technologies.
Yes, cards and readers are still here after 50 years, but will they continue to be used in the future? Doors are not going away, and the cards and readers work, are reliable and easy to configure and install. The answer may be in the way we treat “identity.” More to the point, perhaps, is what we actually mean by “identity.”
Googling “identity” does not help (422 million hits!). But we should have a clue — after all we are in the PACS business right? The reality is that none of us sit around thinking about how to define identity.
A card is printed, it is programmed with site-specific data, a photo ID is possibly added, and then it is issued to you, the employee. You and the card are one (from the PACS viewpoint). We add some clever rules about two-factor use, PIN and card, and even add your biometric template to make sure that you are you and that no one else can use your card. These work as intended, when the system designer applies risk-appropriate controls at the door such as anti-tailgating, or even a two-man rule. But seriously, what percentage of installations has these types of layered security controls? I think you know the answer.
But there has been considerable movement to make card issuance more difficult, in the name of higher security. The primary driver has been the federal government, aided and abetted by the availability of technology. I am referring to the Personal Identity Verification (PIV) system promoted by the NIST Computer Security Division. In response to HSPD-12, which was issued in the aftermath of the 9/11 attacks, the government decided to outline a common control and security objective, including the personal identity proofing process for employees and contractors. This alone was an important milestone in establishing a policy for asserting an identity.
The Federal Information Processing Standards (FIPS) 201 was developed to satisfy the technical requirements of HSPD-12 (approved by the Secretary of Commerce and issued on February 25, 2005). FIPS 201, together with NIST SP 800-78 (Cryptographic Algorithms and Key Sizes for PIV), is required for U.S. Federal Agencies. According to the latest Office of Management and Budget data more than 4.3 million PIV credentials have been issued as of the end of 2010.
Additionally, the SmartCard Interagency Advisory Board has indicated that to comply with FIPS 201 PIV II, U.S. government agencies should use smart card technology. This means that to support the complex cryptographic operation of FIPS 201, a smart card is essential.

Asymmetry
The NIST proposals target the fact that the federal government does not have a central authority for identity management. With more than 15 million civilian employees, it is the largest employer of personnel. Centralized control does not and cannot exist because it is not a single, homogeneous organization.
In the past, the many thousands of military and government facilities used whatever PACS system was approved (and funded) using many hundreds of contract initiatives. The state of the nation, when it comes to PACS, was that there are just as many vendors selling into the government as there are vendors. Cards issued by one facility did not necessarily work in another — even if they came from the same vendor. The same had been true of logical access control systems (LACS) for computer and network access, and perhaps more importantly, systems for national security. This was the sorry state the government found itself in after 9/11 when it decided to issue the directive that led to the NIST PIV proposals.
PIV is a clever, though complicated, way of verifying identity. It relies on the issuance of a cryptographic certificate (your credential), from a trusted authority that cannot be forged. It is based on cryptographic key pairs — one is the private key (yours) and the other is the public key (the government’s). This enables a user to verify his or her identity by authenticating the private key to a publically signed access point. This is how PKI (Public Key Infrastructure) asymmetry works: the key-pair is not identical, and it allows a many-to-one relationship between the host and its users. It is the way the Internet operates.
For the PACS (and LACS) security designer, FIPS 201-compliant smart cards require both a contact and a contactless interface. For ease of issuance, so-called dual-interface cards have been the de facto standard, but the two interfaces technically do not have to share a common microprocessor, and in fact, in most cases, do not. In effect, we have two cards in one body, and commensurate cost. There is also the overhead of upgrading the reader infrastructure to support PKI access.
It is precisely this problem of knowing who works for you that the government has sought to issue PIV credentials to all federal employees and their contractors. If you add state employees, their contractors and the uniformed military, then the market size for PIV is considerable. The opportunities are immense, but so is the cost and complication.
Anyone who has seen the cost of PIV cards and the PKI system to support them will ask two questions:
1. Will this become a de facto standard that enterprises and small businesses will have to adopt?
2. Is there an alternative that offers the same level of security?

A Perfect Symmetry: An Alternative Approach?
In organizations where there are large card user populations and no central authority, the veracity of the card is questionable. This is a consequence of unbounded systems where the verifying agency does not know the constituent. The Internet works this way also, and represents the ultimate many-to-one relationship system. For example, Amazon.com relies on HTTPS protocol in the browser to issue and manage certificates to you.
We are somewhat fortunate being PACS people. Why? Because by definition, PACS is a “bounded system.” Every security designer, working with security policies and risk assessment, knows the entry and exit point of the facility. The system is known; thus it is bounded. PACS card users are also known; cards are only issued to known and vetted individuals (per the security policies); therefore, the card users are also bounded.
Bounded systems have a special property which unbounded systems do not possess. Because we know the population of users and we know the trust boundary — and there is an implicit self-authentication in a bounded system — the system by design is trusted.
However, one difficulty remains: We also have to trust all the components that service the system. And not surprisingly, this can also be solved.
By establishing a trusted identity authority that can verify that the identity data used by cards, readers, printers, nodes, and so on, the PACS operates in a completely secure and trusted way (just like NIST intended with PIV) but without the overhead of PKI-based cryptography. And even better than PIV, with bounded systems, we can use symmetric key-pairs with both secret keys sharing the same value. Of course this idea is not new — it is practiced daily. The GSM mobile phone network uses symmetric key-pairs to authenticate the phone to the network. It is secure and works because it is a bounded system; all phones are known and their SIM cards are issued by a single central authority, which is analogous to any other PACS system.
So how can we create an analog to the GSM network?
Setting up a trusted component architecture is not trivial; it requires the investment of a secure, cryptographic vault operating under generally accepted security policies for key management, and the distribution mechanism to certify all PACS components
Recent developments by HID Global have taken precisely this approach. To simplify trusted card issuance and trusted reader points, HID set up a central Trusted Identity Platform (TIP) capability, which provides a trusted service for all card and reader key programming. All PACS components that are so-called TIP-enabled are trusted and can be used to create a completely secure infrastructure, without the need for PKI.

One Big Soup: The Universal ID
Meanwhile, the digital universe demands that we log in each time we access a portal. Cloud computing only exacerbates this need for Web identities. As we go through each day asserting our various identities to access the Web, the office, our network — is there a way we can establish a universal ID for all access functions?
Surely there must be a way to register once and be able to many sites. Fortunately, there is. The OpenID initiative (www.OpenID.net) provides such an aggregation service and is supported by the internet’s largest players. Unfortunately, however, Open ID is for personal Web use, and it is unlikely that any enterprise would allow my trusted, but personal ID to be used to access the corporate network or my office door.
The point of all of this is that ID aggregation must evolve to be able to link different systems together via your universal ID. The ultimate goal is to bring together multiple identity systems into one — truly a many-to-many relationship model. Until that time comes, when my personal cryptographic assertion is accepted by everyone, PACS and LACS users and designers who want the benefits of trusted identity will have to rely on the current, limited range of options.
One option today is by using products and components that operate under the Trusted Identity Platform umbrella. These will ultimately allow security designers to develop fully trusted systems that use symmetric key cryptography, without PKI levels of complexity. ?

Tam Hulusi is the senior vice president responsible for innovation and intellectual property for HID Global. In this role, he is responsible for expanding the value of HID’s worldwide technology assets for customers and partners by optimizing the value-added component of current technologies, as well as leveraging his experience to bring emerging technologies to market. A graduate of Harvard Business School, Dr. Hulusi holds a Ph.D. in physics.