TWIC update: Initiative prepares for pilot projects

Port security program examines biometrics applications, throughput issues and threat levels

"The FIPS 201 PIV requirements recognize that biometrics are privacy items and protect the release of any biometric template to a reader for comparison by requiring entry of a PIN. The FIPS 201 approach further restricted the transmission of the template from the card to the reader to a contact reader to avoid risk or concerns about sniffing. However, the NMSAC committee that developed the reader spec heard the insistence of the port operators and other interested bodies that a PIN not be required and that a contactless reader was necessary in lieu of a contact reader."

"The pilot projects are heavily focused on the fact that they need to get trucks through the port access points quickly," continued Zivney. "If a trucker forgets his PIN [which is needed to access the individual's biometrics], they can't just back up because there is a line of trucks behind them.

"But because of the environmental conditions and concern of foreign objects, they also didn't want a slot for a contact reader on the TWIC reader stations. So the idea was that the second set of fingerprint templates would be encrypted and stored in a second 'container' on the card. These encrypted templates could be transmitted securely over a contactless interface without the requirement of an unblocking PIN. But then they had to consider how to decrypt these templates for comparison to an unencrypted template produced by a live fingerprint read. Since the original charter was for a standalone reader without a PACS, the spec provided for encoding the decryption key onto the TWIC's magnetic stripe to be read by a mag stripe reader attached to the TWIC reader. The swipe of the TWIC through the mag stripe reader would transfer the de-encryption key to decrypt the biometric template once it was transferred to the reader."

"Fortunately the final spec acknowledged the existence of a PACS and also placed the TPK (TWIC Privacy Key) in the smart chip to be available on the contact interface accessible by a PIN. The process of registering a TWIC with a PACS to verify the card and assign authorization privileges at a given port, can be done in an office and not when the truck is at the gate, explained Zivney. "The TPK is a good thing in that it allows the TWIC to be presented to a contactless reader -- after registering to a PACS -- and does not require use of a PIN except at registration. But it does require registration to a PACS at each port, so there is this extra step before all is smooth for use with electronic readers. Testing out this technology and the operational issues is what the pilot is all about. Changes will no doubt be made based on lessons learned."

But because entering a PIN is the primary method to get to the privacy information like a photo or biometrics for most applications, that also presents operational challenges for the officers doing TWIC card enforcement with a handheld reader. The photo in the card stored on the smart chip is much more reliable than the photo printed on the card due to the availability today of sophisticated machines and apparatuses to print counterfeit cards.

"When the Coast Guard is doing their spot checks at the ports, the only way they can get your digitized and encoded photo is to have you enter your PIN. But if you can't remember your PIN, how do they get to your biometric photo to verify you are who you say you are? You can see the security challenge there."

With so many different technologies in place and used in an outdoor environment -- from tropical to arctic, from dry to rainy, from clean to salty or even polluted conditions -- these are going to be "the biggest and most hardened readers in the world."

But Zivney says that even with the latest technology and best equipment in use, the pilot projects (which will be occurring at select ports, including the Port of Long Beach, Calif.) have to determine the effects on throughput.

"With the extra encryption, there is a concern about how long it takes. They want the pass-through to be no more than 8 seconds - from the time truck pulls up and starts the process until the gate starts to open."

In the process, the TWIC pilot projects are expected to uncover all manners of operational challenges before a final rule is issued to all ports.

One of the problems is that TWIC is designed for a single worker. That presents a problem when you have interactions with long-haul truck drivers picking up loads from U.S. ports. It's not uncommon for many of these drivers to use trucks with sleeping cabins and to have spouses and children with them. The rule for use of the TWIC card is to allow unescorted access for the card holder, and that means port operators may have to develop waiting areas for family members not allowed in due to port security restrictions.