PIVMan Takes a Step Beyond FIPS

Sept. 18, 2006

Corestreet Ltd. recently released the PIVMan, a handheld card reader system that validates and authenticates a variety of credentials in the field, with or without an available network connection. Security Technology & Design’s Marleah Blades spoke with Phil Libin, Corestreet’s president, about the new product and its place in the FIPS 201 landscape.

MB: Tell me a bit about the PIVMan.

PL: Well, the whole point of all of these smart credential programs, like FIPS, CAC in the DoD, FRAC for first responders, and many of these initiatives underway now, is to produce smart cards that can be given to people as identity cards to make it much easier and faster and more secure to tell who everyone is and whether they’re allowed to be getting into someplace, and to track who and where and to what…. If you have a FIPS card and you just use it as a flash badge, it defeats the purpose of having these cards in the first place. The (HSPD-12) directive calls for them to be electronically verified, but surprisingly, even though there’s been this huge amount of effort to get the cards out there, there are actually very few products that work with them. So PIVMan is the first real solution that takes advantage of the FIPS infrastructure, the CAC infrastructure, the FRAC infrastructure, so that it can read any of these kinds of cards in the field. It can determine whether the card is real, it can authenticate the person, it can tell the card is still active—that it hasn’t been stolen or revoked—and it can display any attributes or privileges associated with the person. So it can make an access decision very quickly using the full infrastructure.

MB: Does the product also work with TWIC and other cards?

PL: It works right now with TWIC, MAC—the maritime access card—it works with a couple of the European national ID programs, so it’s very much targeted at the FIPS and FIPS-like community.

MB: PIVMan has recently been tested in the Winter Fox exercises. Can you tell us a little about that?

PL: PIVMan has been tested in five different exercises now. Winter Fox was the first major one. It’s a government exercise intended to test cross-jurisdictional interoperability for first responders in emergency situations. So it’s a simulation of a disaster or emergency. And there are lots of different officials from different government agencies, state, federal and local, that have to show up at different scenes and use their cards—they all have different cards from different programs—and scan them through the PIVMan handheld and actually show that they are allowed to be there, produce the logs and reports after the exercise showing who got in where, who didn’t get in, what they did, all of that kind of stuff.

MB: What’s the technology of the product, and what types of interfaces does it have?

PL: For strictly FIPS cards they use the contact interface because they all have a contact interface. For cards that don’t have a contact interface, the thing’s got a barcode scanner on it, so it could read a 2D barcode off of a driver’s license. It has a contactless reader as well.

Let’s say there’s a natural disaster. First responders show up, they secure the perimeter; they’re responsible for controlling access to that perimeter. Then a bunch of other people start showing up. Some of those people are allowed to be there, some aren’t allowed to be there. They all have some kind of card, so if you’re a first responder and you have an EMT show up, he swipes his FIPS card or his state of Pennsylvania card or whatever he has into the handheld. The handheld authenticates him and shows his picture and asks him for his fingerprint or PIN depending on the card. And then it shows you, yep, that’s really Phil, he’s valid, and he’s authorized for hazardous material cleanup, for example, so that you can efficiently direct them to where they need to go.

Now it does all this in a combination of hardware and software, so it’s a complete solution that a customer gets bundled. There’s the software piece—server-side software—that does all the data collection and aggregation. Then there’s some software that runs on the handheld, and then there’s the actual handheld itself. The hardware is provided by our manufacturing partner called DAP in Canada. We picked the best ruggedized outdoor handheld device we could find.

What really sets us apart are the software capabilities of being able to read any card, and show the identity and the privileges, and that without requiring any network connectivity.

You can’t assume that there’s any network connectivity available. This is meant to be used in an emergency or disaster, when the cell networks are usually the first to go down. But even if there’s no disaster, you’re outside, and you don’t want to say, we can only scan cards under this tree where you have good network reception, but not over here. Whenever (the handhelds) can get network connectivity, they automatically look for it. Then they download all this data and refresh themselves, but when you actually put a card into a handheld, it already has all the information on it at that time so it can very quickly do the authentication and the validation and the identity and the privileges without making any network connections. So you know it’s going to work even if everything else is broken.
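The decision flow Libin describes, a handheld that authenticates the card, verifies the holder, checks that the credential is still active and then displays privileges, all from data it cached the last time it had connectivity, can be modelled in a few dozen lines. The following Python is an added illustration written for this article, not Corestreet's PIVMan code, and it makes deliberate simplifications: an HMAC stands in for the issuer's signature over the card data (real PIV cards carry X.509 certificates with asymmetric signatures), the cached "snapshot" is a plain object rather than a signed validation response, and every issuer name, card id, key and privilege is constructed. The security-relevant behaviour it shows is the fail-closed handling of the offline cache: no cached data, stale cached data, an unknown issuer, a bad signature, an expired or revoked card, or a failed PIN all deny access, and only a card that passes every check yields its privilege list.

```python
"""Offline credential validation in the style the interview describes.

Added example, not PIVMan code. Keys, card data and the snapshot format are
constructed for illustration; HMAC stands in for an issuer signature.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# How long (seconds) the handheld may keep deciding from a cached snapshot
# before it refuses to make access decisions (fail closed). Assumed value.
MAX_SNAPSHOT_AGE = 24 * 3600


def sign(key: bytes, payload: dict) -> str:
    """Issuer 'signature' over the card payload (HMAC stand-in, assumption)."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class Card:
    payload: dict    # holder id, issuing program, expiry timestamp
    signature: str   # issuer signature over payload


@dataclass
class Snapshot:
    """Validation data pulled down whenever the handheld finds a network."""
    fetched_at: float
    issuer_keys: dict   # issuing program -> verification key
    revoked: set        # ids of revoked / reported-stolen cards
    privileges: dict    # holder id -> list of privilege strings


class Handheld:
    def __init__(self):
        self.snapshot = None

    def refresh(self, server_snapshot: Snapshot) -> None:
        """Opportunistic sync: called only when connectivity is available."""
        self.snapshot = server_snapshot

    def validate(self, card: Card, now: float, holder_verified: bool):
        """Make the access decision purely from the cached snapshot.

        Returns (allowed, reason, privileges). Every failure path denies.
        """
        snap = self.snapshot
        if snap is None:
            return False, "no cached validation data", []
        if now - snap.fetched_at > MAX_SNAPSHOT_AGE:
            return False, "cached data too old", []
        key = snap.issuer_keys.get(card.payload.get("issuer"))
        if key is None:
            return False, "unknown issuer", []
        # Is the card real? Constant-time compare of the recomputed signature.
        if not hmac.compare_digest(sign(key, card.payload), card.signature):
            return False, "card signature invalid", []
        if card.payload["expires"] < now:
            return False, "card expired", []
        holder = card.payload["id"]
        # Is the card still active (not revoked or reported stolen)?
        if holder in snap.revoked:
            return False, "card revoked", []
        # Is this really the holder? PIN or fingerprint result supplied by caller.
        if not holder_verified:
            return False, "holder verification failed", []
        return True, "valid", snap.privileges.get(holder, [])


# ---- constructed sample data -------------------------------------------
ISSUER_KEY = b"constructed-issuer-key"   # constructed, not a real key


def demo_snapshot(fetched_at: float) -> Snapshot:
    return Snapshot(fetched_at=fetched_at,
                    issuer_keys={"PA-FRAC": ISSUER_KEY},
                    revoked={"card-002"},
                    privileges={"card-001": ["hazardous material cleanup"]})


def demo_card(card_id: str, issuer: str = "PA-FRAC",
              expires: float = 2_000_000_000, key: bytes = ISSUER_KEY) -> Card:
    payload = {"id": card_id, "issuer": issuer, "expires": expires}
    return Card(payload, sign(key, payload))


def run_demo() -> dict:
    """Exercise the decision paths; returns a name -> (allowed, reason, privs) map."""
    now = 1_700_000_000
    h = Handheld()
    results = {"before_sync": h.validate(demo_card("card-001"), now, True)}
    h.refresh(demo_snapshot(fetched_at=now - 3600))          # synced an hour ago
    results["good"] = h.validate(demo_card("card-001"), now, True)
    results["revoked"] = h.validate(demo_card("card-002"), now, True)
    results["forged"] = h.validate(demo_card("card-003", key=b"wrong"), now, True)
    results["bad_pin"] = h.validate(demo_card("card-001"), now, False)
    h.refresh(demo_snapshot(fetched_at=now - 3 * 24 * 3600))  # three-day-old cache
    results["stale"] = h.validate(demo_card("card-001"), now, True)
    return results


if __name__ == "__main__":
    for name, (ok, reason, privs) in run_demo().items():
        print(f"{name:12s} allowed={ok!s:5s} reason={reason!r} privileges={privs}")
```

The freshness limit is the design choice worth noting: an offline reader trades revocation latency for availability, so the operator has to decide how old the cached revocation data may be before the device stops granting access rather than quietly deciding on stale information.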