Clock Is Ticking on U.S. Government ID Cards

Under orders from U.S. President George Bush to create a new standard ID card for government employees and contractors by February 2005, officials have set an aggressive schedule for developing a draft proposal that is sure to be based on current government smart card programs. Then they must seek comment and refine the draft document.

"This usually takes about two years," says William C. Barker, program manager for the ID project at the National Institute of Standards and Technology. "We will do it within six months."

Once the document, known as Federal Information Processing Standard (FIPS) 201, is approved, U.S. agencies will have eight months to begin implementing it. While it is not clear exactly how many individuals will receive the new ID cards, Barker says the best estimate is 7 million. About half of them are employees of companies that do business with the U.S. government; the rest are government workers.

The impact of FIPS 201, however, is likely to be felt far beyond the borders of the United States.

Global standard?

As one of the earliest large-scale implementers of smart cards for use as employee IDs, the U.S. government has already proposed its existing smart card protocol to the International Organization for Standardization as the basis for a new ISO standard. And government officials say they are in talks with Microsoft Corp. about incorporating U.S. requirements into future versions of Windows, a step that would go further than any ISO committee's approval toward creating a common model for ID cards worldwide.

While Barker calls the deadlines outlined by Bush's order "extraordinarily aggressive," a working paper issued by his group nonetheless advises government officials that the project "should be treated with extremely high priority." That is because the Aug. 27 presidential order placed the ID project in the context of combating terrorism by better securing government facilities and computer networks.

Starting point

Fortunately for Barker and his colleagues, the U.S. government is hardly starting from scratch. Several U.S. agencies have begun issuing smart cards to their employees, led by the largest of them all, Defense, which is 91% of the way to issuing a chip-based Common Access Card to the 3.45 million civilian and military employees and government contractors who need it.

The projects at Defense and other agencies provided the basis for NIST's Government Smart Card Interoperability Specification, or GSC-IS, which is aimed at ensuring that smart card IDs can be used throughout the U.S. government.

It is the GSC-IS protocol that a new ISO smart card committee last year agreed to consider as the starting point for a new international standard for employee ID cards.

The U.S. government was instrumental in getting this ISO 24727 committee launched on a fast track. But even before that committee adopts its first set of specifications, the sheer "momentum and size" of the U.S. government ID card project could turn it into a global de facto standard, says Olivier Piou, president of France-based Axalto, a major supplier of the Defense Department's Common Access Card.

The work of the U.S. government, combined with the product of the new ISO committee, could deliver what amounts to a worldwide ID card application, roughly comparable to the GSM application on SIM cards and EMV for chip-based credit and debit cards.

The GSC-IS spec is about to embark on a shakedown cruise to identify any errors or ambiguities. That will be in the form of a "reference implementation" at the Department of Homeland Security due to begin this fall.

"We're filling the holes in a standard," says Joseph Broghamer, the security architect in the office of the chief information officer at Homeland Security.

The goal is to issue and use GSC-IS in a live setting, creating a model that others can follow. At the same time, Homeland Security will be exposing the government interoperability spec to attack for the first time in a live environment.

"We don't know where the vulnerabilities are until we put the spec out and have a reference implementation," he says. "You can't attack a spec; you need an implementation." Ultimately, Homeland Security expects to issue 250,000 smart cards to government employees.

Windows Support

Broghamer has been among the government officials who have discussed with Microsoft incorporating elements of the U.S. government's smart card spec into the Windows operating system. He says it would be much easier for government agencies and private corporations to deploy smart cards if Windows had built into its underlying code functions that today must be performed by customized software, called middleware. He cites as an example links to card-issuing systems.

While he says he cannot go into detail because of confidentiality agreements, he expresses confidence that elements of the federal smart card standards will be part of future versions of Windows.

The New Standard

Because there has been so much work done on smart cards by U.S. agencies, many of the features of the new ID card standard already are set.

Barker says the card will have a contact smart card chip with a digital certificate for authenticating users to computer networks and digitally signing documents. Those have been the primary functions of the Defense Department Common Access Card, which is one of the largest implementations worldwide of digital certificates based on public key infrastructure, or PKI.

The card will also have a contactless interface so that cardholders can enter facilities by waving a card or tapping it on a reader. Most likely, that will require a separate contactless chip, rather than a single dual-interface chip. That is because some U.S. officials remain concerned that the contactless interface on a dual-mode chip could enable unauthorized access to the secret keys stored on the chip as part of the PKI system.
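The concern above is that a private key usable over a contactless interface can be exercised without the holder's knowledge. The model below is an added illustration, not code from NIST, FIPS 201 or any agency program: it gates the PKI signing operation (network logon, document signing) to the contact interface while the contactless side serves only the facility-access credential. The RSA parameters are tiny constructed toy values and the nonce is constructed; none of this is secure as written.

```python
"""Toy model of a dual-interface ID card: the private key used for
network logon is reachable only over the contact interface, while the
contactless interface answers door readers with an identifier only.
Constructed example; the RSA values below are toy-sized, NOT secure."""
import hashlib

# Constructed toy RSA key pair: two small primes chosen for illustration.
P, Q = 7907, 7919
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)

CONTACT, CONTACTLESS = "contact", "contactless"


class InterfaceViolation(Exception):
    """Raised when a key-bearing command arrives on the wrong interface."""


def _digest_mod(data: bytes, modulus: int) -> int:
    """Hash the challenge and reduce it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus


class IdCard:
    def __init__(self, holder_id: str, private_exp: int, modulus: int):
        self.holder_id = holder_id   # facility-access credential (no secret)
        self._d = private_exp        # private key: never leaves the chip
        self._n = modulus

    def sign_challenge(self, challenge: bytes, interface: str) -> int:
        """Network logon: sign a reader challenge. Contact interface only."""
        if interface != CONTACT:
            raise InterfaceViolation("private key use refused on " + interface)
        return pow(_digest_mod(challenge, self._n), self._d, self._n)

    def facility_credential(self, interface: str) -> str:
        """Door reader: return the identifier; allowed on either interface."""
        return self.holder_id


def verify_signature(challenge: bytes, sig: int, pub_exp: int, modulus: int) -> bool:
    """Relying-party check with the public key taken from the card's certificate."""
    return pow(sig, pub_exp, modulus) == _digest_mod(challenge, modulus)


def network_logon(card: IdCard, interface: str) -> bool:
    """Challenge-response logon; False when the card refuses the interface."""
    challenge = b"constructed-nonce-0001"   # a real reader would use fresh randomness
    try:
        sig = card.sign_challenge(challenge, interface)
    except InterfaceViolation:
        return False
    return verify_signature(challenge, sig, E, N)
```

A separate contactless chip, the design the article says is more likely, achieves the same separation physically rather than in applet logic.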

Several U.S. agencies are issuing cards with both contact and contactless chips, including the Department of Veterans Affairs, which began issuing its smart card ID nearly two years ago. The agency, which manages several large hospitals for veterans, has issued more than 15,000 smart card IDs and expects to complete its rollout of 500,000 One-VA cards by 2006.

Online Threats

Broghamer notes that the government is especially concerned about computer network security because there is no way to check the identity of someone logging onto a Web site, whereas there are often guards at building entrances to check a suspicious person trying to enter.

The card will also carry biometrics for verifying the cardholder's identity, scans of the left and right index fingers. And the chip will carry one or two digital photographs of the individual.

Unresolved Issues

Among the issues to be settled, Barker says, is who should receive the card. While the directive clearly includes private contractors who work on government contracts, does it include other employees of those companies? Should it include "first responders," those police, fire and ambulance personnel who would have to be quickly identified and put to work in an emergency? What about journalists accredited to work in the White House?

Also needed are common policies for verifying identity before issuing an ID card. That is required so that an agency other than the one that issues the card can be confident that the cardholder is who he or she claims to be. There will not be one single card format, but Barker says the cards may have some common elements so that officials can quickly recognize fakes.

There remains much to be done, and insiders say agencies that have not yet embarked on smart card programs will be hard pressed to meet the implementation deadline of October 2005.

Regardless, by then the presidential order will have served its purpose, says U.S. smart card consultant Henry Dreifus. "Even if they don't make it," he says, "you've got everybody moving in the same direction."