Commentary: HSPD-12 Shaping Identity Management

Oct. 27, 2008
The Presidential directive will be the catalyst for the next generation of physical access control systems

Today, there are tremendous dynamics for change facing the business of access control. It’s not just about a one card solution for logical and physical access ­— or other IT-prelated “convergence” themes. Nor is it just about the new standards coming from the Security Industry Association (SIA) which raise the bar for interoperability. Rather, the greatest global driver of change today across all vertical sectors might well be new policies executed by President Bush in 2004 — Homeland Security Presidential Directive-12 (HSPD-12).
Perhaps you think HSPD-12 is about protection against terrorism, or even a new smart card for employees and contractors of the U.S. government — it is those things, but the directive has a much greater impact on the security industry. On Aug. 9 2007, when I testified before Congress on behalf of SIA regarding the progress of HSPD-12, Karen Evans of the Office of Management and Budget (OMB) also testified. During the ensuing question-and-answer session with Congressman Ed Towns (D-N.Y.), Evans made it clear that everything is about eAuthentication, and HSPD-12 was developed in furtherance of that goal.

What is eAuthentication, and how does this dynamic impact the access control business? Among other things, it is about policy, process, infrastructure and new technologies for identity management systems. Michael Butler, immediate past chair of the Interagency Advisory Board for Smart Cards (IAB) has been quoted as saying that there was no doubt that every reader in the federal space would have to be replaced. It is now becoming more obvious that it doesn’t just stop with the readers, but in all likelihood extends to the access control systems as well.

Why would a Presidential directive and associated standards such as Federal Information Processing Standard 201 (FIPS 201), published by the National Institute of Standards and Technology (NIST), create a reason to replace or upgrade existing access control systems? It’s only been about a decade since the Y2K scare caused a similar mass upgrading of most systems with a clock. This time the driver is a need for strong identity management, the lead technology is Public Key Infrastructure (PKI), and the catalyst is HSPD-12 with its associated standards that establish a common methodology.

Everyone is concerned about identity theft. Many of us have been impacted directly or know someone who has. New solutions are required to ensure that a person seeking access through a door or desiring to log onto a computer workstation is the authorized person. Simple magnetic strip or proximity cards are no longer sufficient where higher levels of identity assurance are required. We are now turning to smart cards, which provide a means to support four-factor authentication for the credential holder. The four factors are the card (what you have), a PIN (what you know), a biometric fingerprint template (what you are), and the new one, a digital PKI certificate (what someone else knows about you). The PKI certificate is much like a digital version of a notary public’s seal. It is a third party’s assertion of the identity of one party to another. But this takes a new infrastructure — most commonly over an intranet or even the Internet to reach out to the third party — called a certificate authority (CA), to confirm the status of the digital certificate. HSPD-12 calls for graduated security, and multiple and various combinations of these four factors can be used for higher assurance objectives.

We are essentially moving towards an interoperable visitor management system. Although, the administrator of the local access control system still determines rights and privileges for who goes where when, we now have the opportunity to respect a card issued by another organization and enroll that card into our access control system for authorization to controlled or restricted areas — but this takes trust. HSPD-12 and the companion specifications outline the processes to collect the identity information of an individual and thoroughly vet that information by trusted individuals. This process involves collection of biometric fingerprint templates, photographs, breeder documents (e.g., birth certificates), and storing these into an encrypted protected database, then securely encoding the corresponding data into the smart card for issuance to the cardholder as their credential. These concepts of technology and trust are not new — passports, for example, are recognized internationally for travel.

PKI also contributes to a strong assertion of identity in ways other than multi-factor authentication. In order to confirm that the smart card is authentic and not counterfeit, cryptographic methods use the power of the card’s on-board computer. This includes challenge-response techniques between the card and the reader or access controller. Simple one-way Wiegand communications between the card and a reader/controller cannot handle the larger data streams available from the computer in a smart card, nor can they support the crypto-process required for secure data transfer.

We haven’t seen great changes in the technologies that we use for our identity credentials and systems for a decade, since well before 2000. Sure we came a long way with client/server architectures and IP communications between server and controllers - but now, with next-generation technology driving change, HSPD-12 is not only a catalyst for change, it provides a roadmap.

Rob Zivney directs Hirsch Electronics’ worldwide marketing group. He is on the Board of Directors of the Security Industry Association (SIA), and serves as SIA’s chair of the Personal Identity Verification Working Group and represents SIA to the Smart Card Interagency Advisory Board Physical Access Committee. Mr. Zivney is active in standards activities with SIA, ASHRAE/BACnet, and OASIS/oBIX.