FIPS 201: The New Smart Card Standard for Federal IDs

Oct. 27, 2008
It promises to beef up verification in the government sector. Will it make waves for commercial as well?

One of the revelations that came out of 9-11 was how easy it was to obtain a false ID and masquerade as someone else. Clearly, as a nation, we put a tremendous amount of trust in the simple documents people show us every day that indicate who they are and what organization they work for. In reality, the current system of identifying ourselves to each other here in the United States is often not worthy of that trust. That observation has convinced the U.S. government to kick off a program that promises to fix the problem for government agencies.

At the core is a fundamental question: Is what we have good enough? In the area of network and Internet security, few would disagree that we need more. In this age of identity theft, phishing and network hackers, a moment's reflection should make it clear that the number of people who wish to misstate their identity in order to harm an innocent bystander is large and growing. Passwords are not the answer. When it comes to physical security, however, opinions vary more widely.

The badge technology used by federal agencies for access control today varies all over the map, just as it does in commercial enterprises. Since many view even magstripe technology as close to magic, it is sometimes difficult to sell how vulnerable the existing technologies are. In fact, with the exception of smart cards, all of today's technologies are easy to copy or tamper with and are missing key features we will need in the future.

The PIV Initiative
U.S. government agencies in particular need a secure identification technology to ensure that the people who are allowed to enter federal facilities are supposed to be there and have permission to access sensitive government computer data. They need to "create a standard where everyone can carry the same technology on their credential and be interoperable between different, federally funded projects," said Ken Francis, vice president of sales for AMAG Technology.

Translating an obvious need into action is often not the strength of government, but this time things seem to be different. In August of 2004, President Bush signed Homeland Security Presidential Directive 12 (HSPD 12). To date, the executive branch has issued only 13 of these directives. HSPD 12 calls for the mandatory government-wide issuance of a common form of identification. "HSPD 12 is an endorsement for smart card technology by the President of the United States. It's a ringing testimonial that will drive even more opportunity for secure credentials," said David Ludin, vice president of sales and solutions for Gemplus.

Ordinarily, when an edict of this type is issued by government, it calls for massive amounts of study, huge programs, and most significantly, extraordinarily long implementations. By all accounts, however, this project has not moved at normal government speed. The directive called for the issuance of a new federal standard for personal identity verification, or PIV cards, no later than the end of February 2005, only six months from the directive's signing. As this article goes to press, that new standard, FIPS 201, has just been published and is available on the Web site of the National Institute of Standards and Technology (http://csrc.nist.gov/piv-project/).

Compliance Already?
While it will take some time for the industry to respond with compliant products, it may not take too long. "We have something that is pretty close and are adjusting the roadmap accordingly. We can put something into the marketplace fairly quickly," said Ludin.

HID seems somewhat ahead of the curve, having already released its first GSC-compliant readers. "We are committed to (developing) product in compliance with FIPS 201," said Nathan Cummings, manager of partner integration for HID.

All told, this project has moved so quickly that most people in the security industry are unaware it is going on. "I am really proud that the government has managed to work its way through this. We have gotten more work done in the last three months than we probably have in the last three years in government and 12 years in the standards bodies," said Michael Butler, chief of smart card programs for the DOD.

Whom Do You Trust?
The basis for building this type of system is what engineers call "chain of trust." Credentials must be issued by a trusted agency, using a technology that cannot be altered without detection, and based on original identity information that can also be trusted. These three factors are critical to minimizing identity fraud. It is often the last piece, coming up with trusted identity documentation on which to base the new credential, that is the most vexing.

FIPS 201 calls for the presentation of multiple forms of ID and a "national agency check" before an ID can be issued for even the least-sensitive federal positions. National agency checks are full background investigations that include personal interviews and employment, education and court record checks. Existing employees may make use of existing NACs to renew their credentials.

As for the requirement that credentials be issued only by a trusted agency, major progress is being made here as well. Each agency of the federal government wishing to issue PIV cards will be required to follow a standard and uniform process of investigations and issuance. They will also be required to certify in writing that they are following these procedures, and each card issued will be traceable back to the issuing agency.

Current Solutions Won't Cut It
This brings us to the difficult question: What technology should be used for the credential? The cards that most of us use for identification in the commercial world today work well for access control. However, looking into the future, they have two clear shortcomings. First, they lack data storage on the card, and second, they lack security.

Why storage? There is a wealth of information you might want to store on the card that would benefit the end user. But from a purely security point of view, biometric information and computer logon credentials, in the form of digital certificates, are the items with the most obvious benefits.

Biometric verification requires a verified, stored template that can be compared against a live scan to prove you are who you claim to be. While the template size varies with the technology, 500 to 1000 bytes is a typical range for each biometric.

Digital certificates are the credit cards of the online world. They establish your electronic identity over the network or Web, and they contain your name, a serial number, expiration dates, and a copy of your public key.

For computer log-on applications, both the templates and certificates are typically stored on the computer hard drive, which is not ideal from a security point of view. For physical access applications, biometric template storage would have to be centralized in the field panel or host computer, which is again not ideal from either a security or a system performance standpoint.

Why doesn't the government just store these items in a large central database? Keeping a central database would raise privacy questions and would be largely impractical. Imagine the level of interagency cooperation that would be required to design, install and maintain such a system, and you can start to see the problem. Smart cards solve this problem by eliminating the need for a central database and the need to transmit potentially sensitive data across insecure networks.

Of course, if you are going to store this information on a card, it needs to be secure. This is why smart cards exist: to provide secure storage for data. Unlike today's proximity cards, smart cards do not just talk to any reader that will listen. Instead, when higher security is needed, they go through a complicated dance called authentication in which they exchange messages with the reader to prove that both the card and reader are valid and authorized to talk to each other. These messages use encryption and secret keys, so only a device holding the right key can take part in the exchange.

After authentication is complete, encryption is again used to ensure that any transmitted data cannot be eavesdropped on or tampered with. The DOD uses smart cards because "they are proven to be the most secure solution," said Butler.
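The authentication dance and the protected read that follows it, as an added example in Python (not code from the article or from any FIPS 201 product): a shared symmetric key and HMAC-SHA256 stand in for the card's real key material and cipher suite, the nonces are fresh random challenges, and the record is a constructed CHUID-like payload. Only the tamper-detection half of the post-authentication protection is shown; confidentiality would need a cipher on top of the tag.

```python
# Simplified card/reader mutual authentication followed by a tamper-evident read.
# Added illustration, not the FIPS 201 protocol: HMAC-SHA256 over a shared key
# stands in for the card's real keys and cipher suite; all data is constructed.
import hashlib
import hmac
import os

def _tag(key: bytes, *parts: bytes) -> bytes:
    """MAC over length-prefixed parts so adjacent fields cannot be confused."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()

class Card:
    def __init__(self, key: bytes, record: bytes):
        self._key, self._record = key, record   # key never leaves the card
        self._pending = self._session = None

    def answer(self, reader_nonce: bytes):
        """Prove knowledge of the key and challenge the reader back."""
        card_nonce = os.urandom(16)
        self._pending = (reader_nonce, card_nonce)
        return card_nonce, _tag(self._key, b"card", reader_nonce, card_nonce)

    def accept(self, reader_proof: bytes) -> bool:
        """Open a session only if the reader answered the card's nonce."""
        rn, cn = self._pending
        if not hmac.compare_digest(_tag(self._key, b"reader", rn, cn), reader_proof):
            return False
        self._session = _tag(self._key, b"session", rn, cn)
        return True

    def read(self):
        """Release the record only inside a session, with an integrity tag."""
        if self._session is None:
            return None                # an unauthenticated reader gets nothing
        return self._record, _tag(self._session, b"data", self._record)

def reader_transaction(card: Card, key: bytes):
    """Reader side: authenticate both ways, then read; None at the first failure."""
    rn = os.urandom(16)
    cn, proof = card.answer(rn)
    if not hmac.compare_digest(_tag(key, b"card", rn, cn), proof):
        return None                    # card does not hold the key: stop here
    if not card.accept(_tag(key, b"reader", rn, cn)):
        return None
    session = _tag(key, b"session", rn, cn)
    record, tag = card.read()
    return record if hmac.compare_digest(_tag(session, b"data", record), tag) else None
```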

"Today's smart card technologies are capable of providing a very high level of security through the use of mutual authentication, digital signatures, well-tested encryption schemes and robust key management," said John Menzel, president of XceedID, a Colorado-based reader manufacturer. When you combine those technology safeguards with the fact that the data rests in your pocket, and you control who gets to use it and when, there is no more secure or more private storage available.

The Essence of FIPS 201
FIPS 201 consists of five important elements. First, it outlines the method that will be used to verify identity prior to the issuance of a card. This "identity proofing" is key to the issuance of secure and reliable credentials.

Second, it lists the techniques that will be used for issuance, management, and termination of the card.

Third, it defines the minimum level of data the card will contain. The most basic of the data is the cardholder unique identifier, or CHUID. It contains a personal identification number, an agency identifier, an expiration date, and a cryptographic signature to ensure the data has not been tampered with.

In addition to the CHUID, all cards will contain three biometric data elements: two fingerprints and a facial image. The format of these biometrics is to be spelled out in a yet-to-be-finalized sub-standard, which NIST calls Special Publication 800-76. While the format of the biometric data specified in the current draft of SP 800-76 is a controversial full image rather than a template, rumor has it that this may change by the time the final specification is issued.

Fourth, FIPS 201 specifies that each card must support both a contact and contactless interface, and it specifies the standards for doing so. One area the original draft of the specification did not cover in detail was the use of biometrics over the contactless interface. This seems to be an area of contention. "There has been lots of pressure not to do a temporary and potentially risky contactless interface for biometrics now," said Butler.

"We have not seen the market demand yet to integrate biometrics and the contactless interface," said Ludin. On the other side of the table, some suppliers believe the need is now. "We have enough installations in the field that are planning on going this route, that our biometric partners are already adding contactless compatibility," said Cummings.

Finally, FIPS 201 specifies the look and mechanics of the card. This includes the layout and information to be printed, the inclusion of a hologram, the materials the card must be made from, and a prohibition against slot-punched cards.

Will It Spill Into Commercial?
The crystal ball is still hazy on whether this initiative will open a door to the commercial market. The PIV program will cover all federal employees and on-site contractors. By some estimates, this could entail as many as 50 million credentials.

Implementation on such a massive scale is bound to drive standard implementations and software support, taking smart cards in the United States out of the experimental stage and into the category of useful tools in most decision-makers' minds. "The next five years will be the busiest time the security vendors have had in many years," said Butler.

Most certainly, this scale of deployment will drive down costs for both the government and commercial sectors. "This is a good thing for the industry. We have already seen the cost of contactless smart cards come down to a 10 to 15 percent premium over conventional prox cards," said Francis.

Whether the commercial world will adopt FIPS 201 in its entirety, however, is a more difficult question. The government, after all, was trying to solve a physical and network security issue spanning numerous agencies with no common systems or procedures. Few commercial institutions have that level of complexity, although much of the Fortune 500 suffers from pieces of the problem. "The government's current movement towards smart card technology will likely push the government suppliers to follow with company-wide initiatives," said Randall Provoost, product marketing manager for GE's Security Business.

Early indications are that many will see the wisdom of a broad-based standard. If your company has a need for a new solution for network login or a desire to start using biometrics, keep an eye on FIPS 201. "We already have people outside of the government buying on the expectation that it will proliferate and drive prices down," said Cummings.

Rich Anderson is the president of Phare Consulting, a firm providing technology and growth strategies for the security industry. A 25-year veteran of high-tech electronics, Mr. Anderson previously served as the VP of Marketing for GE Security and the VP of Engineering for CASI-RUSCO.