Verifying Personal Identity
The gap between physical and information security remains wide, but a Presidential directive called HSPD-12 — and a resulting standard dubbed PIV (Personal Identity Verification) FIPS 201 — are poised to act as major bridges. Under these initiatives, all federal agencies will ultimately use the same type of smart card-based identification system for accessing both physical facilities and computer systems. Just as importantly, to make these initiatives work, physical security and information security departments will need to collaborate more closely.
“Physical security and information security each have their own philosophies, and their own strengths and weaknesses,” says Benjamin Jun, vice president of technology for Cryptography Research, a vendor that produces security technology for encrypting — or “scrambling” — data.
Physical security is far ahead of information security in terms of screening out unwanted visitors, Jun says. It has also done a much better job with “nested security,” or combining multiple layers of security — such as proving employees’ identities and keeping out intruders — within a single process.
“But physical security has had many years to get where it is today, in comparison to only about 20 years for information security,” Jun adds. “Furthermore, information security holds a big lead over physical security when it comes to cryptography.”
Moreover, some have criticized physical security products for being generally more “proprietary” — or less likely to be based on industry standards — than their information security counterparts.
Since Sept. 11, however, concerns have heightened on both sides of the security wall about how to achieve better identity management, so as to make sure that people such as cyber interlopers and terrorist bombers are not able to masquerade as good guys.
Last August, President Bush issued HSPD-12, a directive that calls for the U.S. Secretary of Commerce to develop a federal standard for secure and reliable identification. After the standard has been promulgated, heads of federal executive departments and agencies will be required to use the standard to identify all federal employees and contractors for both “gaining physical access to federally controlled facilities, and logical access.”
The National Institute of Standards and Technology (NIST) has responded to the directive with a three-phase standardization approach. In Phase I, NIST is developing a smart card-based employee identification standard called PIV FIPS 201, which is slated for delivery this month.
On the technological front, it has been feasible for quite some time to issue the same smart card for use in both physical and logical access, notes Steve Asche, a director at security vendor ActivCard. Interoperability, however, has been another matter.
Inside the computer industry, large vendors such as Sun Microsystems and Microsoft Corp. have been using cards that do both jobs for several years now, although using different software approaches. At the end of 2002, Microsoft completed deployment of a Windows-enabled smart card identity system to handle both admission to physical facilities and remote access to Microsoft’s corporate computer network.
Among its own 31,000 employees, Sun has implemented a smart card system that relies on another underlying software architecture, known as Java. Sun’s “Java Badges” come with both a magnetic stripe for use with legacy access control systems, and with a contactless chip for use with some of the newer card readers. The same cards can also be used for accessing Sun’s corporate computer network from special “diskless” desktop computers, known as SmartRays.
In the government community, the earliest pioneers of integrated card access have included the Department of Defense and the State Department. With more than 5.4 million common access cards (CAC) already issued, CAC has been the principal mechanism for accessing DoD computer networks and systems. It has also been eyed as becoming the main card for accessing DoD physical facilities.
Several other federal agencies, including the Department of Homeland Security, have been working in a similar direction. On the whole, however, smart card systems that can work for both sorts of security are still relatively rare.
“Hybrid” cards — containing chip technology supporting both types of systems — are already widely available, Asche notes. “But beyond that, you really need to have the right software and hardware infrastructure in place.”
As Asche sees it, some customers and vendors have been hanging back from integrated support for both types of security because they have not been sure which technologies will ultimately become standardized.
Yet some third-party software makers are now looking to start supporting smart cards for both physical and computer access. “Our software is designed to manage individual user identities from the time people are hired to the time they depart an organization,” says Bill Tompkins, vice president of market and business development at Alacris.
Alacris’ idNexus products support a range of technologies for authentication. To date, the software has been focused mainly on the computer access needs of enterprise customers. “But support for physical access is definitely on our future roadmap, as is support for biometrics,” Tompkins says.
There are architectural differences on the hardware side, too. PC manufacturers such as Dell, IBM and Acer are already providing built-in smart card readers. Plug-in smart card readers can also be purchased.
Although contactless cards appeal to some practitioners of physical security, Asche points to resistance among some PC makers, due to the added expense of a contactless reader architecture. “Readers for contactless cards can cost eight to ten times as much,” he says. ActivCard uses cards produced by multiple manufacturers to provide smart card solutions enabled with security capabilities such as authentication and encryption. Customers have included the DoD’s CAC program, for instance.
NIST set the following as minimum technical requirements for PIV FIPS 201: a card with an integrated circuit chip (ICC); biometric mechanisms; a PIN (personal identification number); and cryptographic capabilities. Also at a minimum, the card will include these two cryptographic mechanisms: digital certificates and private keys. The card will support both contactless and contact interfaces.
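To make the card-side requirements concrete, here is an added Go example (not code from the article or from any vendor it names) that models a PIV-style challenge-response login: the card releases a signature only after the PIN is verified, the private key never leaves the card, and the relying party checks the signature over a nonce it chose itself. It assumes the card's certificate has already been validated by the relying party and stands in for the real card interface with plain function calls.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// PIVCard is a constructed software model of the FIPS 201 minimum card contents: a PIN and
// a private key that never leaves the card (the certificate binding is assumed checked).
type PIVCard struct {
	pin   []byte
	pinOK bool
	key   *ecdsa.PrivateKey
}

// IssueCard simulates issuance: the key pair is generated on the card itself.
func IssueCard(pin string) (*PIVCard, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &PIVCard{pin: []byte(pin), key: key}, nil
}

// PublicKey is the only key material the card ever exports; it is what the certificate certifies.
func (c *PIVCard) PublicKey() *ecdsa.PublicKey { return &c.key.PublicKey }
// VerifyPIN gates private-key use; constant-time compare avoids a timing side channel.
func (c *PIVCard) VerifyPIN(pin string) bool {
	c.pinOK = subtle.ConstantTimeCompare(c.pin, []byte(pin)) == 1
	return c.pinOK
}

// SignChallenge signs the relying party's nonce, refusing until the PIN has been verified.
func (c *PIVCard) SignChallenge(nonce []byte) ([]byte, error) {
	if !c.pinOK {
		return nil, errors.New("PIN not verified")
	}
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.key, h[:])
}

// Authenticate is the relying-party side (door controller or login service): the verifier
// chooses a fresh nonce, so a captured signature cannot be replayed later.
func Authenticate(pub *ecdsa.PublicKey, nonce, sig []byte) bool {
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```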
In Phase II of its initiative, NIST plans to provide a wide variety of implementation guidelines and recommendations to federal agencies. In the interests of interoperability, these are currently expected to incorporate specifications for card issuance in external interfaces; biometric capture; PIN capture and use; card data access control; issuer data access control; digital signature; and digital certificate acquisition and management. Phase III will revolve around maintenance of the federal identity management standard.
Customers and vendors on both sides of the security fence are eagerly waiting. “I think it’s fair to say that just about everyone in this sector of the security industry will be watching how the HSPD-12 directive evolves, and what standards are established,” Tompkins says.