Card and Reader Overview
Gerald Smith, Sr. Consultant, ID Technology Partners
TRANSCRIPT
November 19, 2007 2
Agenda
• Characteristics of a TWIC™ Card
• Data Models Supported
• Identification / Authentication Methods
• Revocation Hot List
• Reader Specification Overview
• Biometric Interoperability
TWIC™ is a Smart Card
• 64K of non-volatile memory
• Dual interfaces share memory
o Contact interface (ISO/IEC 7816)
o Contactless interface (ISO/IEC 14443)
• Physical security features
o Tamper resistant
o Color-shifting inks
• Logical security features
o Two encrypted fingerprint templates
o Signed data
o PKI certificates
TWIC™ Application Data Models

PIV Application Data Model (SP 800-73-1)

Buffer Description                 Access Rule   Interface
Card Capability Container          Read Always   Contact
CHUID                              Read Always   Contact & Contactless
PIV Authentication Certificate     Read Always   Contact
Fingerprint                        PIN           Contact
Printed Information                PIN           Contact
Facial Image                       PIN           Contact
Digital Signature Certificate      Read Always   Contact
Key Management Certificate         Read Always   Contact
Card Authentication Certificate    Read Always   Contact
Security Object                    Read Always   Contact

TWIC™ Application Data Model

Buffer Description                 Access Rule   Interface
Unsigned CHUID                     Read Always   Contact & Contactless
(Signed) CHUID                     Read Always   Contact & Contactless
TWIC Privacy Key                   Read Always   Contact (+ out of band)
Fingerprint                        Read Always   Contact & Contactless
Security Object                    Read Always   Contact & Contactless

Shading on the original slide marked where the two models differ: the TWIC™ application adds the Unsigned CHUID and TWIC Privacy Key buffers, and its fingerprint buffer is readable without a PIN over either interface (the templates are encrypted under the TWIC Privacy Key), whereas the PIV fingerprint buffer is PIN-protected and contact-only.
What is a CHUID? Card Holder Unique Identifier
Buffer 0x3000, access rule: Always Read

Data Element (TLV)                                              Type             Max. Bytes
FASC-N (Compact Form)                                           Fixed            25
Agency Code (only if it contains alpha characters)              Fixed            4
Organization Identifier (only if it contains alpha characters)  Fixed            4
GUID (IPv6 format, or all zeros)                                Fixed Numeric    16
Expiration Date                                                 Date (YYYYMMDD)  8
Authentication Key Map (optional)                               Variable         512
Issuer Asymmetric Signature                                     Variable         2816
Error Detection Code                                            LRC              0

What is a FASC-N within the CHUID? FASC-N = Federal Agency Smart Credential Number

Field name                                        Length (BCD digits)  Field description
AGENCY CODE                                       4    Identifies the government agency issuing the credential
SYSTEM CODE                                       4    Identifies the system the card is enrolled in; unique for each site
CREDENTIAL NUMBER                                 6    Encoded by the issuing agency; within a given system no duplicate numbers are active
CS (CREDENTIAL SERIES)                            1
ICI (INDIVIDUAL CREDENTIAL ISSUE)                 1
PI (PERSON IDENTIFIER)                            10
OC (ORGANIZATIONAL CATEGORY)                      1
OI (ORGANIZATIONAL IDENTIFIER)                    4
POA (PERSON/ORGANIZATION ASSOCIATION CATEGORY)    1
SS (Start Sentinel)                               1    Leading character, read first when the card is swiped
FS (Field Separator)                              1
ES (End Sentinel)                                 1
LRC (Longitudinal Redundancy Character)           1

Each BCD digit is a 5-bit character (four data bits plus an odd-parity bit). With the start sentinel, the five field separators that follow the first five fields, the end sentinel and the LRC, the FASC-N is 40 characters, i.e. 200 bits, which is the 25-byte compact form listed in the CHUID table above.
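The following encoder/decoder for the compact FASC-N is an added example, not code from the presentation or from TSA. It implements the layout in the table above (5-bit odd-parity BCD characters packed MSB-first into 25 bytes, one FS after each of the first five fields, LRC as the XOR of every preceding data nibble) so a PACS integrator can see what a CHUID check actually parses and which framing errors it must reject. The sample field values are constructed and do not describe a live credential.

```python
"""Encode and decode the 25-byte compact FASC-N carried in the CHUID.

Every character is a 5-bit BCD code: four data bits, low-order bit first,
followed by an odd-parity bit. The 40 characters (200 bits) are packed
MSB-first into 25 bytes. The LRC is the XOR of the data nibbles of every
character from SS through ES and carries its own parity bit.
"""

SS, FS, ES = 0xB, 0xD, 0xF  # start sentinel, field separator, end sentinel

# Field layout, in order. An FS follows each of the first SEPARATED fields.
FIELDS = [
    ("agency_code", 4), ("system_code", 4), ("credential_number", 6),
    ("credential_series", 1), ("individual_credential_issue", 1),
    ("person_identifier", 10), ("organizational_category", 1),
    ("organizational_identifier", 4), ("person_org_association", 1),
]
SEPARATED = 5


def _char_bits(nibble):
    bits = [(nibble >> i) & 1 for i in range(4)]  # LSB first
    bits.append(1 - sum(bits) % 2)                # odd parity
    return bits


def encode_fascn(fields):
    """Build the 25-byte compact FASC-N from a dict of decimal-string fields."""
    nibbles = [SS]
    for idx, (name, width) in enumerate(FIELDS):
        value = str(fields[name])
        if len(value) != width or not value.isdigit():
            raise ValueError(f"{name} must be exactly {width} digits")
        nibbles.extend(int(d) for d in value)
        if idx < SEPARATED:
            nibbles.append(FS)
    nibbles.append(ES)
    lrc = 0
    for n in nibbles:
        lrc ^= n
    nibbles.append(lrc)
    bits = [b for n in nibbles for b in _char_bits(n)]
    assert len(bits) == 200
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, 200, 8))


def decode_fascn(raw):
    """Parse a compact FASC-N, rejecting parity, LRC and framing errors."""
    if len(raw) != 25:
        raise ValueError("compact FASC-N is 25 bytes")
    bits = [(byte >> (7 - i)) & 1 for byte in raw for i in range(8)]
    nibbles = []
    for i in range(0, 200, 5):
        chunk = bits[i:i + 5]
        if sum(chunk) % 2 == 0:
            raise ValueError(f"parity error in character {i // 5}")
        nibbles.append(sum(bit << k for k, bit in enumerate(chunk[:4])))
    lrc = 0
    for n in nibbles[:-1]:
        lrc ^= n
    if lrc != nibbles[-1]:
        raise ValueError("LRC mismatch")
    if nibbles[0] != SS or nibbles[-2] != ES:
        raise ValueError("start or end sentinel missing")
    body, pos, fields = nibbles[1:-2], 0, {}
    for idx, (name, width) in enumerate(FIELDS):
        digits = body[pos:pos + width]
        if any(d > 9 for d in digits):
            raise ValueError(f"non-digit character in {name}")
        fields[name] = "".join(str(d) for d in digits)
        pos += width
        if idx < SEPARATED:
            if body[pos] != FS:
                raise ValueError(f"field separator missing after {name}")
            pos += 1
    return fields


# Constructed sample values for illustration only, not a live credential.
SAMPLE = {
    "agency_code": "9999", "system_code": "0001", "credential_number": "123456",
    "credential_series": "0", "individual_credential_issue": "1",
    "person_identifier": "1234567890", "organizational_category": "1",
    "organizational_identifier": "0001", "person_org_association": "2",
}

if __name__ == "__main__":
    raw = encode_fascn(SAMPLE)
    print(raw.hex())
    print(decode_fascn(raw))
```

A PACS that matches on the CHUID should run the decoder's parity, LRC and sentinel checks before trusting any field; a single flipped bit in the 200-bit stream is caught by the odd-parity check on its character.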
Identification / Authentication Methods
• Visual Check – Perform a visual inspection of the TWIC™, verify the presence of security features and the expiration date, and visually compare the photo on the card to the individual presenting it
• CHUID Check – Verify the CHUID is granted access in the PACS and/or verify the digital signature over the CHUID, and verify the CHUID is not on the hot list
• Biometric Check – Authenticate the individual by performing a 1:1 fingerprint match against the fingerprint template stored in the TWIC™
• PIN Verification – Require the cardholder to enter the correct PIN, which is verified against the PIN stored in the TWIC™
• Digital Photo Check – Visually compare the photo stored in the TWIC™ with the individual presenting the card
• Card Authentication – Verify the card is authentic and not cloned by having the card perform a private key operation (a challenge/response checked against the card's Card Authentication Certificate)
Authentication types using a TWIC™

Authentication Type                                         Contact / Contactless
Biometric and PIN Authentication
  PIN + Biometric                                           Contact only
Biometric Authentication
  CHUID + Card Authentication + Biometric / Card            Both
  CHUID + Biometric / Card                                  Both
  CHUID + Biometric / System                                Both
Dual-Factor Authentication
  CHUID + Card Authentication + PIN + Digital Photo         Contact only
  CHUID + Card Authentication + PIN                         Contact only
  Flash Pass + CHUID + Digital Signature                    Both
  Flash Pass + CHUID + Card Authentication                  Both
Single-Factor Authentication
  CHUID + Digital Signature                                 Both
  CHUID + Card Authentication                               Both
  Flash Pass with human inspection                          N/A
  CHUID                                                     Both
Credential Revocation Hot List
• Available now on the pre-Enrollment website
o Publicly available for reading
• Simple format compatible with many PACS
o Each small record contains the revoked credential number and the date of revocation
o The reason for revocation is not stated in the record
• Each revoked credential stays on the list until the original credential expiration date has passed
• The hot list is updated daily
Reader Specification Overview
• TSA published the TWIC™ reader "working" specification on September 11, 2007
• Three reader types are defined
o Fixed mount for outdoor use
o Fixed mount for indoor use
o Handheld for mobile use
• Readers may operate standalone or network attached
o Network-attached readers should support two-way communications, which allows the TWIC™ Privacy Key to be uploaded from the server
• The outdoor reader is specified to meet diverse environmental conditions
o Operating temperature range: -20 °C to +70 °C
o Operating (condensing) humidity range: 5% to 100%
• Transaction time of 3 seconds or less, measured from presentation of the contactless card to completion of the biometric match
• Biometric matching equal error rate of 1% or less
• The biometric sensor should provide "liveness" detection
Reader Specification and the TPK Concept
• The TWIC™ Privacy Key (TPK) concept
o Biometric data is encrypted on the card under this symmetric key
o The TPK provides confidentiality of biometric data over the contactless interface
o Contactless transfer of the (encrypted) biometric data is allowed without PIN verification
• TPK and contactless communications
o Inspired by the ICAO ePassport cryptographic solution for confidentiality
o The TPK is a diversified key, unique to each card
o The TPK is a data object in the TWIC™ data model
o The TPK is handled like a "public" key in the sense that the reader obtains it "out of band" from the data it protects, rather than through a pre-shared secret
o The TPK solution obviates the need for shared key management
• The TPK is accessible from either the magnetic stripe or the contact interface
o It may be stored in each local access control system server, so the magnetic swipe (or contact read) does not have to be repeated on each use
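The reader-side flow described above, as an added example that is not code from the presentation, the TWIC reader specification or TSA: the card serves its fingerprint buffer over either interface only as ciphertext, serves the TPK over the contact interface only, and the reader caches the TPK per card after one contact read so later contactless presentations need neither a PIN nor a contact read. The cipher used here (HMAC-SHA256 as a PRF in counter mode with an encrypt-then-MAC tag), the 16-byte key size and the `Card`/`Reader` classes are this example's own assumptions, not what the TWIC specification mandates; the template bytes are constructed.

```python
"""Reader-side model of the TWIC Privacy Key (TPK) flow.

The fingerprint buffer is readable over both interfaces, but only as
ciphertext under the card's TPK; the TPK buffer is readable only over the
contact interface (or from the magnetic stripe), so a contactless eavesdropper
captures ciphertext alone. The reader caches each card's TPK after one
contact read so later contactless presentations need neither PIN nor contact.

The cipher here (HMAC-SHA256 used as a PRF in counter mode, encrypt-then-MAC)
is illustrative only; it is not the algorithm the TWIC reader spec mandates.
"""
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_template(tpk, template):
    """Encrypt a biometric template under the TPK; output = nonce || body || tag."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(template, _keystream(tpk, nonce, len(template))))
    tag = hmac.new(tpk, nonce + body, hashlib.sha256).digest()[:16]
    return nonce + body + tag


def decrypt_template(tpk, blob):
    """Verify the tag first, so a wrong TPK or a tampered buffer fails closed."""
    nonce, body, tag = blob[:16], blob[16:-16], blob[-16:]
    expect = hmac.new(tpk, nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong TPK or corrupted fingerprint buffer")
    return bytes(a ^ b for a, b in zip(body, _keystream(tpk, nonce, len(body))))


class Card:
    """Constructed card: a card identifier (stand-in for the CHUID) and two buffers."""

    def __init__(self, card_id, template):
        self.card_id = card_id
        self.tpk = os.urandom(16)  # per-card key written into the TPK buffer at issuance
        self.fingerprint_buffer = encrypt_template(self.tpk, template)

    def read(self, buffer, interface):
        """Enforce the data-model access rule: the TPK is not served over contactless."""
        if buffer == "tpk" and interface != "contact":
            raise PermissionError("TPK buffer is readable over the contact interface only")
        return {"tpk": self.tpk, "fingerprint": self.fingerprint_buffer}[buffer]


class Reader:
    def __init__(self):
        self.tpk_cache = {}  # card_id -> TPK, e.g. replicated from the PACS server

    def learn_tpk(self, card):
        """One-time contact read; the cached TPK then serves every contactless use."""
        self.tpk_cache[card.card_id] = card.read("tpk", "contact")

    def fingerprint_contactless(self, card):
        tpk = self.tpk_cache.get(card.card_id)
        if tpk is None:
            raise LookupError("TPK not cached: do a contact or magstripe read first")
        return decrypt_template(tpk, card.read("fingerprint", "contactless"))


if __name__ == "__main__":
    template = b"FMR\x00 constructed INCITS 378 minutiae record"
    card, reader = Card("card-0001", template), Reader()
    reader.learn_tpk(card)
    assert reader.fingerprint_contactless(card) == template
    print("template recovered over contactless using the cached TPK")
```

The point to carry into a deployment is the failure mode: with no cached TPK the reader cannot decrypt the contactless read and must fall back to a contact or magstripe read, and a wrong or stale TPK is rejected by the integrity tag instead of yielding a garbage template that a matcher would silently fail on.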
Biometric Interoperability

"It should be noted that biometric interoperability is defined as the ability of a biometric reader to perform a match from a presented biometric with the ANSI/INCITS 378 formatted enrolled templates provided on the TWIC card by the TSA. Such templates shall be in compliance with NIST Special Publication 800-76-1 INCITS 378 profile for PIV Card templates."
Source: Section 8 of the TWIC™ Reader Hardware and Card Application Specification (11 Sep 2007)

NOTE: The reader specification requires compliance with SP 800-76-1. Section 7.3 of SP 800-76-1 requires NIST certification of template matchers.
Source: SP 800-76-1, Section 7.3, Test Overview