
Card and Reader Overview

Gerald Smith

Sr. Consultant

ID Technology Partners

November 19, 2007 2

Agenda
• Characteristics of a TWIC™ Card
• Data Models Supported
• Identification / Authentication Methods
• Revocation Hot List
• Reader Specification Overview
• Biometric Interoperability


What a TWIC™ Looks Like
• Front and back views of a TWIC™

<FACIAL IMAGE>


TWIC™ is a Smart Card
• 64K of non-volatile memory
• Dual interfaces share memory
  o Contact interface (ISO/IEC 7816)
  o Contactless interface (ISO/IEC 14443)
• Physical security features
  o Tamper resistant
  o Color shifting inks
• Logical security features
  o Two encrypted fingerprint templates
  o Signed data
  o PKI certificates

<FACIAL IMAGE>


TWIC™ Application Data Models

PIV Application Data Model (SP 800-73-1)

  Buffer Description                        Access Rule   Contact / Contactless
  Card Capability Container                 Read Always   Contact
  CHUID Buffer                              Read Always   Contact & Contactless
  PIV Authentication Certificate Buffer     Read Always   Contact
  Fingerprint Buffer                        PIN           Contact
  Printed Information Buffer                PIN           Contact
  Facial Image Buffer                       PIN           Contact
  Digital Signature Certificate Buffer      Read Always   Contact
  Key Management Certificate Buffer         Read Always   Contact
  Card Authentication Certificate Buffer    Read Always   Contact
  Security Object Buffer                    Read Always   Contact

TWIC™ Application Data Model

  Buffer Description                        Access Rule   Contact / Contactless
  Unsigned CHUID Buffer                     Read Always   Contact & Contactless
  (Signed) CHUID Buffer                     Read Always   Contact & Contactless
  TWIC Privacy Key Buffer                   Read Always   Contact (+ Out of Band)
  Fingerprint Buffer                        Read Always   Contact & Contactless
  Security Object Buffer                    Read Always   Contact & Contactless

Shading on the original slide broadly indicates TWIC differences from PIV and PIV differences from TWIC. The notable one is the Fingerprint Buffer: PIN-protected and contact-only in PIV, but readable without a PIN over either interface in TWIC, because the TWIC stores it encrypted under the TWIC Privacy Key.


What is a CHUID?

Card Holder Unique Identifier: container ID 0x3000, access rule Always Read

  Data Element (TLV)                                 Type              Max. Bytes
  FASC-N (Compact Form)                              Fixed             25
  Agency Code (if with alpha characters)             Fixed             4
  Organization Identifier (if with alpha characters) Fixed             4
  GUID (IPv6 format or 0)                            Fixed numeric     16
  Expiration Date                                    Date (YYYYMMDD)   8
  Authentication Key Map (optional)                  Variable          512
  Issuer Asymmetric Signature                        Variable          2816
  Error Detection Code                               LRC               0

What is a FASC-N within the CHUID?

FASC-N: Federal Agency Smart Credential Number

  Field name                                       Length (BCD digits)   Field description
  AGENCY CODE                                      4    Identifies the government agency issuing the credential
  SYSTEM CODE                                      4    Identifies the system the card is enrolled in and is unique for each site
  CREDENTIAL NUMBER                                6    Encoded by the issuing agency. For a given system no duplicate numbers are active
  CS (CREDENTIAL SERIES)                           1
  ICI (INDIVIDUAL CREDENTIAL ISSUE)                1
  PI (PERSON IDENTIFIER)                           10
  OC (ORGANIZATIONAL CATEGORY)                     1
  OI (ORGANIZATIONAL IDENTIFIER)                   4
  POA (PERSON/ORGANIZATION ASSOCIATION CATEGORY)   1
  SS (Start Sentinel)                              1    Leading character, which is read first when the card is swiped
  FS (Field Separator)                             1
  ES (End Sentinel)                                1
  LRC (Longitudinal Redundancy Character)          1
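The two tables above describe the CHUID as a simple TLV container and the FASC-N as a 200-bit string of 5-bit BCD characters (4 data bits, least significant first, plus an odd-parity bit, with sentinels separating the fields and an LRC at the end). The following is an added example, not code from the presentation or from TSA: it packs a FASC-N from its fields, parses a CHUID, decodes the FASC-N back out with parity, sentinel and LRC checks, and flags an expired or unsigned CHUID. The tag numbers are the SP 800-73-1 CHUID element tags; the sample field values, the GUID of zeros and the empty signature element are constructed for illustration, and the function and field names are this example's own.

```python
# Added example, not code from the presentation or TSA: parse a CHUID (simple
# TLV) and decode the FASC-N inside it.  Sample values below are constructed.
from functools import reduce
from operator import xor

# CHUID data-element tags (one-byte tag, BER length, value), per SP 800-73-1
TAGS = {0x30: "fasc_n", 0x31: "agency_code", 0x32: "organization_identifier",
        0x33: "duns", 0x34: "guid", 0x35: "expiration_date",
        0x3E: "issuer_signature", 0xFE: "error_detection_code"}
SS, FS, ES = 0xB, 0xD, 0xF   # FASC-N sentinels: value of the 4 data bits

# Field layout after the start sentinel; FS entries must be field separators
LAYOUT = [("agency_code", 4), (FS, 1), ("system_code", 4), (FS, 1),
          ("credential_number", 6), (FS, 1), ("credential_series", 1), (FS, 1),
          ("individual_credential_issue", 1), (FS, 1), ("person_identifier", 10),
          ("organizational_category", 1), ("organizational_identifier", 4),
          ("person_org_association", 1)]


def parse_tlv(buf: bytes) -> dict:
    """Split a simple-TLV buffer into {element name or tag: value bytes}."""
    elements, i = {}, 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length == 0x81:
            length, i = buf[i], i + 1
        elif length == 0x82:
            length, i = (buf[i] << 8) | buf[i + 1], i + 2
        elif length >= 0x80:
            raise ValueError("unsupported BER length form")
        if i + length > len(buf):
            raise ValueError("TLV length runs past the end of the buffer")
        elements[TAGS.get(tag, tag)] = buf[i:i + length]
        i += length
    return elements


def _char(value: int) -> str:
    """5-bit FASC-N character: 4 data bits LSB first, then an odd-parity bit."""
    bits = [(value >> k) & 1 for k in range(4)]
    return "".join(str(b) for b in bits + [(sum(bits) + 1) & 1])


def encode_fasc_n(agency, system, credential, cs, ici, pi, oc, oi, poa) -> bytes:
    """Pack the fields into the 25-byte compact form (40 characters x 5 bits)."""
    def digits(v, n):
        return [int(d) for d in str(v).zfill(n)]
    chars = ([SS] + digits(agency, 4) + [FS] + digits(system, 4) + [FS]
             + digits(credential, 6) + [FS] + digits(cs, 1) + [FS]
             + digits(ici, 1) + [FS] + digits(pi, 10) + digits(oc, 1)
             + digits(oi, 4) + digits(poa, 1) + [ES])
    chars.append(reduce(xor, chars))          # LRC over the 39 preceding characters
    return int("".join(_char(c) for c in chars), 2).to_bytes(25, "big")


def decode_fasc_n(raw: bytes) -> dict:
    """Unpack 25 bytes into named fields, checking parity, sentinels and LRC."""
    if len(raw) != 25:
        raise ValueError("FASC-N compact form is 25 bytes")
    bits = bin(int.from_bytes(raw, "big"))[2:].zfill(200)
    chars = []
    for k in range(0, 200, 5):
        b = [int(x) for x in bits[k:k + 5]]
        if sum(b) % 2 == 0:
            raise ValueError(f"parity error in character {k // 5}")
        chars.append(b[0] | b[1] << 1 | b[2] << 2 | b[3] << 3)
    if chars[0] != SS or chars[38] != ES:
        raise ValueError("start/end sentinel missing")
    if reduce(xor, chars[:39]) != chars[39]:
        raise ValueError("LRC mismatch")
    fields, pos = {}, 1
    for name, n in LAYOUT:
        seg, pos = chars[pos:pos + n], pos + n
        if name == FS:
            if seg != [FS]:
                raise ValueError(f"field separator expected at character {pos - 1}")
        elif any(d > 9 for d in seg):
            raise ValueError(f"non-digit character in {name}")
        else:
            fields[name] = "".join(str(d) for d in seg)
    return fields


def check_chuid(chuid: bytes, today: str) -> dict:
    """Decode a CHUID and flag expiry; today is YYYYMMDD, like the CHUID date."""
    el = parse_tlv(chuid)
    expires = el["expiration_date"].decode("ascii")
    return {"fasc_n": decode_fasc_n(el["fasc_n"]), "expires": expires,
            "expired": today > expires,                   # YYYYMMDD sorts lexically
            "signed": len(el.get("issuer_signature", b"")) > 0}


# Constructed sample; the signature element is empty, so a reader must treat
# this CHUID as unsigned (compare the TWIC data model's unsigned CHUID buffer)
SAMPLE_FASC_N = encode_fasc_n(7008, 1234, 123456, 1, 1, 1234567890, 1, 7008, 1)
SAMPLE_CHUID = (bytes([0x30, 25]) + SAMPLE_FASC_N
                + bytes([0x34, 16]) + bytes(16)                 # GUID of all zeros
                + bytes([0x35, 8]) + b"20120215"
                + bytes([0x3E, 0]) + bytes([0xFE, 0]))
```

The parity and LRC checks reject a FASC-N damaged in transit or tampered with by a single bit flip, but they are error detection only; what binds the FASC-N to the issuer is the Issuer Asymmetric Signature element, which a reader doing a "CHUID check" must verify (it is a CMS signature whose verification is outside this example).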


Identification / Authentication Methods
• Visual Check – Perform a visual inspection of the TWIC™: verify the presence of the security features and the expiration date, and visually compare the photo on the card to the individual presenting it
• CHUID Check – Verify the CHUID is granted access in the PACS and/or verify the digital signature of the CHUID, and verify the CHUID is not on the hot list
• Biometric Check – Authenticate the individual by performing a 1:1 fingerprint biometric match against the fingerprint template stored in the TWIC™
• PIN Verification – Require the cardholder to enter the correct PIN, which the TWIC™ verifies against the PIN it stores
• Digital Photo Check – Visually compare the photo stored in the TWIC™ with the individual presenting the card
• Card Authentication – Verify the card is authentic and not cloned by having it perform a private key operation (the reader issues a challenge and checks the card's response against its card authentication certificate)


Authentication types using a TWIC™

  Authentication Type                                     Contact / Contactless

  Biometric and PIN Authentication
    PIN + Biometric                                       Contact Only

  Biometric Authentication
    CHUID + Card Authentication + Biometric / Card        Both
    CHUID + Biometric / Card                              Both
    CHUID + Biometric / System                            Both

  Dual Factor Authentication
    CHUID + Card Authentication + PIN + Digital Photo     Contact Only
    CHUID + Card Authentication + PIN                     Contact Only
    Flash Pass + CHUID + Digital Signature                Both
    Flash Pass + CHUID + Card Authentication              Both

  Single Factor Authentication
    CHUID + Digital Signature                             Both
    CHUID + Card Authentication                           Both
    Flash Pass w/ Human                                   N/A
    CHUID                                                 Both


Credential Revocation Hot List
• Available now on the pre-Enrollment website
  o Publicly available for reading
• Simple format compatible with many PACS
  o Small record contains the revoked credential number and date of revocation
  o Reason for revocation not stated in the record
• Each revoked credential stays on the list until the original credential expiration date has passed
• The hot list is updated daily
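Two consequences of the retention and update rules above matter for whoever wires the hot list into a PACS: an expired credential is never on the list (it drops off once its expiration passes), so expiration has to be checked independently rather than inferred from absence; and absence from a copy of a daily list that is itself out of date proves nothing, so that case should fail closed. The following is an added example, not the presentation's or TSA's code, showing that decision logic. The record layout (credential number, revocation date as YYYYMMDD, comma separated) is an assumption, since the slide says only what the record contains, and the list contents, publication date and function names are constructed here.

```python
# Added example, not code from the presentation or TSA.  The record layout is an
# assumption: the slide says only that a record holds the revoked credential
# number and the revocation date.  The list below is constructed.
from datetime import date, timedelta

HOT_LIST = """\
# credential_number,revocation_date   (constructed sample, not a real list)
123456,20071102
234567,20070915
"""
HOT_LIST_DATE = "20071119"   # publication date of the copy above (constructed)


def _to_date(s: str) -> date:
    if len(s) != 8 or not s.isdigit():
        raise ValueError(f"expected YYYYMMDD, got {s!r}")
    return date(int(s[:4]), int(s[4:6]), int(s[6:]))


def load_hot_list(text: str) -> dict:
    """Map revoked credential number -> revocation date; reject malformed rows."""
    revoked = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        number, rev_date = (f.strip() for f in line.split(","))
        if not number.isdigit():
            raise ValueError(f"bad credential number in {line!r}")
        revoked[number] = _to_date(rev_date)
    return revoked


def credential_status(number: str, card_expiration: str, hot_list: dict,
                      list_date: str, today: str, max_list_age_days: int = 1) -> str:
    """Return 'expired', 'revoked', 'stale-list' or 'ok'.

    Expiration is checked independently of the list: a revoked credential drops
    off the hot list once its original expiration passes, so an expired card is
    never on it.  A missing entry proves nothing if the daily list is out of
    date, so that case fails closed rather than returning 'ok'."""
    today_d = _to_date(today)
    if today_d > _to_date(card_expiration):
        return "expired"
    if number in hot_list:
        return "revoked"
    if today_d - _to_date(list_date) > timedelta(days=max_list_age_days):
        return "stale-list"
    return "ok"
```

A found entry is still reported as revoked even when the list is stale, since revocation is never undone while the credential is valid; only the negative answer depends on the list being fresh.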


Reader Specification Overview
• TSA published the TWIC™ reader “working” specification September 11, 2007
• Three reader types defined
  o Fixed mount for outdoor use
  o Fixed mount for indoor use
  o Handheld for mobile use
• May operate as standalone or network attached
  o Network attached readers should support 2-way communications
    − Allows for upload of the TWIC™ Privacy Key from a server
• Outdoor reader specified to meet diverse environmental conditions
  o Operating temperature range: -20 ºC to +70 ºC
  o Operating condensing humidity range: 5% to 100%
• Transaction time of 3 seconds (or less)
  o As measured from presentation of the contactless card to completion of the biometric match
• Biometric matching equal error rate of 1% or less
• Biometric sensor should provide “liveness” detection


Reader Specification and the TPK Concept

• The TWIC™ Privacy Key (TPK) Concept
  o Biometric data is encrypted on the card using this symmetric key
  o TPK enables confidentiality of biometric data over the contactless interface
  o Contactless transfer of biometric data allowed without PIN verification
• TPK and contactless communications
  o Inspired by the ICAO ePassport cryptographic solution for confidentiality
  o TPK is a diversified key unique to each card
  o TPK is a data object in the TWIC™ Data Model
  o TPK is used as a “public” key that is obtained “out of band” from the data
  o The TPK solution obviates the need for shared key management
• TPK accessible from either the magnetic stripe or contact interface
  o May be stored in each local access control system server to eliminate the need for reading the magnetic stripe (or performing a contact read) on each use
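The TPK flow described above, as an added example that is not part of the presentation or of the TSA specification: the issuer derives a per-card key, personalises the card with the fingerprint record encrypted under it, the reader pulls the CHUID and the encrypted record over contactless without a PIN, and obtains the TPK out of band (one contact read, cached per FASC-N as a PACS server would) to decrypt it. The slide names only a "symmetrical" diversified key, so the key derivation (HMAC-SHA256 over an issuer master key and the FASC-N), the cipher (an HMAC-SHA256 keystream in counter mode, standing in for whatever block cipher the card actually uses), the master key, the sample record and the Card and Reader classes are all assumptions made here so the example runs on the standard library alone.

```python
# Added example, not code from the presentation or the TSA specification.  The
# slide names only a "symmetrical" diversified key, so the KDF (HMAC-SHA256 over
# an issuer master key and the FASC-N) and the cipher (HMAC-SHA256 keystream in
# counter mode, a stand-in for the card's real block cipher) are assumptions
# chosen so the flow runs with the standard library alone.  Card and Reader are
# hypothetical.
import hashlib
import hmac
import secrets

# Constructed issuer master key: held only by the issuer; readers never see it
ISSUER_MASTER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
# Constructed ANSI/INCITS 378 record: "FMR\0" format identifier, version "020\0",
# then stand-in minutiae bytes
SAMPLE_TEMPLATE = b"FMR\x00" + b"020\x00" + bytes(range(40))


def diversify_tpk(master_key: bytes, fasc_n: bytes) -> bytes:
    """Per-card TPK from the issuer master key and the card's FASC-N (assumed KDF)."""
    return hmac.new(master_key, b"TWIC-TPK|" + fasc_n, hashlib.sha256).digest()[:16]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for the card's symmetric cipher."""
    blocks = (hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def tpk_encrypt(tpk: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(12)        # fresh per encryption, stored with the data
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(tpk, nonce, len(data))))


def tpk_decrypt(tpk: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(tpk, nonce, len(ct))))


def recover_template(tpk: bytes, enc: bytes) -> bytes:
    """Decrypt and sanity-check the record header; this is not authentication,
    the signature the card carries over the biometric still has to be verified."""
    template = tpk_decrypt(tpk, enc)
    if not template.startswith(b"FMR\x00"):
        raise ValueError("not an INCITS 378 record after decryption: wrong TPK?")
    return template


class Card:
    """Hypothetical TWIC exposing the two interfaces from the data-model slide."""
    def __init__(self, fasc_n: bytes, template: bytes, master_key: bytes):
        self._fasc_n = fasc_n
        self._tpk = diversify_tpk(master_key, fasc_n)
        self._enc_template = tpk_encrypt(self._tpk, template)   # done at issuance

    def contactless_read(self) -> tuple:
        """CHUID (just the FASC-N here) and encrypted fingerprint buffer, no PIN."""
        return self._fasc_n, self._enc_template

    def contact_read_tpk(self) -> bytes:
        """TPK buffer: Read Always, contact interface only."""
        return self._tpk


class Reader:
    """Hypothetical reader with the per-card TPK cache a PACS server would keep."""
    def __init__(self):
        self.tpk_cache = {}
        self.contact_reads = 0

    def read_template(self, card: Card) -> bytes:
        fasc_n, enc = card.contactless_read()
        tpk = self.tpk_cache.get(fasc_n)
        if tpk is None:                   # first visit: one contact (or magstripe) read
            tpk = card.contact_read_tpk()
            self.contact_reads += 1
            self.tpk_cache[fasc_n] = tpk
        return recover_template(tpk, enc)
```

What the TPK buys is confidentiality against a passive listener on the contactless channel, who sees only ciphertext; it is not secrecy from whoever holds the card, since the key is readable from the contact interface or the magnetic stripe by design, and because every card has its own key a compromised reader cache exposes only the cards it has already seen. The header check after decryption only catches a wrong key; the signed biometric object the card carries still has to be verified before the template is trusted for a match.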


Biometric Interoperability

“It should be noted that biometric interoperability is defined as the ability of a biometric reader to perform a match from a presented biometric with the ANSI/INCITS 378 formatted enrolled templates provided on the TWIC card by the TSA. Such templates shall be in compliance with NIST Special Publication 800-76-1 INCITS 378 profile for PIV Card templates.”

Source: Section 8 of the TWIC™ Reader Hardware and Card Application Specification (11 Sep 2007)

NOTE: The reader specification requires compliance to SP 800-76-1. Section 7.3 of SP 800-76-1 requires NIST certification of template matchers.

Source: SP 800-76-1 Section 7.3, Test Overview


Contact Details:

Email: [email protected]