Smart Cards and Biometrics in Physical Access Control Systems

All Company and/or product names are trademarks and/or registered trademarks of their respective owners. Smart Cards and Biometrics in Physical Access Control Systems Robert J. Merkert, Sr. Vice President of Sales – Americas Smart Card Alliance Annual Conference October 12, 2005



Smart Cards and Biometrics in Physical Access Control Systems

Robert J. Merkert, Sr. Vice President of Sales – Americas

Smart Card Alliance Annual Conference, October 12, 2005


10/19/2005 © Copyright SCM Microsystems Inc. 2

HSPD-12/FIPS 201/SP 800-73/SP 800-76 -1-

• Homeland Security Presidential Directive 12 (HSPD-12), issued on August 27, 2004, requires that the Federal credential, the Personal Identity Verification (PIV) card, be secure and reliable. This is defined as a credential that
  • Is issued based on sound criteria for verifying an individual’s identity
  • Is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation
  • Can be rapidly authenticated electronically, and
  • Is issued only by providers whose reliability has been established by an official accreditation process


HSPD-12/FIPS 201/SP 800-73/SP 800-76 -2-

• The Department of Commerce and the National Institute of Standards and Technology (NIST) were tasked with producing a standard for secure and reliable forms of identification.

• In response, NIST published Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors (February 25, 2005).

• The FIPS 201 PIV Card is to be used for both Physical and Logical access, as well as agency specific applications.

• FIPS 201 - PIV, part II specifies standards for implementing identity credentials on integrated circuit cards (smart cards) for use in a Federal PIV system.


HSPD-12/FIPS 201/SP 800-73/SP 800-76 -3-

• FIPS 201 requires that the PIV be a smart card.

• The card must contain both contact and contactless interfaces, which may be provided by two separate integrated circuit chips or by one dual-interface ICC.

• The contact interface must conform to the ISO 7816 specification.

• The contactless interface must conform to the ISO 14443 specification.

• The card body is similar to a bank credit card and conforms to the ISO 7810 specification.


HSPD-12/FIPS 201/SP 800-73/SP 800-76 - 4 -

• Draft NIST Special Publication 800-76 (SP 800-76), Biometric Specification for Personal Identity Verification, is referenced in FIPS 201 and currently states that, at a minimum, two compressed fingerprint images must be stored on the PIV smart card contact chip.

• NIST SP 800-76 currently specifies the use of fingerprint images rather than templates because there is no current test data that proves the interoperability of standards-based fingerprint templates. NIST expects test results in February, 2006.

• This brings up three very important issues in the physical access control area
  • Time to read and process the image with the resultant wait time for access
  • The size of the integrated circuit chip being used – 64K or 128K
  • Reader type required at access points


HSPD-12/FIPS 201/SP 800-73/SP 800-76 - 5 -

• Another issue that arises is a specific agency placing biometric templates on the contactless portion of the smart card.

• This would be an agency specific implementation that is permitted within the FIPS 201 guidelines. However, this could result in the implementation of a system that is not interoperable with another agency. The system would be agency specific.

• And yet another issue to be considered is how the biometric matching is to be done –
  • Match on Card (MOC)
  • Match on Reader
  • Match on Server


PACS 2.2 (2.3) Guidance

The Government Smart Card Interagency Advisory Board (GSC-IAB) and the Physical Access Interagency Interoperability Working Group (PAIIWG) saw that the procurement of Physical Access Control Systems (PACS) and components required a standardized approach to ensure that government agencies deploy equipment that meets both their specific needs and, at the same time, facilitates cross-agency interoperability.

The PACS 2.2 guidance specifies that a Federal Agency Smart Credential (FASC) use a standardized numbering scheme, called the Federal Agency Smart Credential Number (FASC-N), as the individual identifier.

The FASC-N is part of the Cardholder Unique Identification file (CHUID).

The FASC-N is the primary identification string to be used on all government issued credentials.

Reference: Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems – Version 2.2, July 30, 2004


CHUID EF and FASC-N - CUID

• CHUID (EF 0x3000)
  • FASC-N (Tag 0x30), number of BCD digits per field:
    • Agency Code: 4
    • System Code: 4
    • Credential Number: 6
    • Credential Series: 1
    • Individual Credential Issue: 1
    • Person Identifier: 10
    • Organization Category: 1
    • Organizational Identifier: 4
    • Person/Organization Association: 1
  • GUID (Tag 0x34)
  • Expiration Date (Tag 0x35)
  • Authentication Key Map (Tag 0x3D)
  • Issuer Asymmetric Signature

CUID – Card Unique Identifier


PACS 2.2 Guidance

PACS 2.2 allows for a range of assurance profiles

- LOW – FASC-N fields (i.e., Agency Code, System Code, Credential Number, Credential Series)

- MEDIUM – FASC-N fields plus Hashed Message Authentication Code (HMAC)

- HIGH – FASC-N fields, after a valid Challenge-Response that authenticates both the Card and the Data. (Currently only applicable to contact smart cards.)
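
The FASC-N field layout from the CHUID slide and the LOW assurance profile above, as an added example (not code from the presentation or from SCM Microsystems): a decoder that checks parity, sentinels and LRC on a 25-byte FASC-N before extracting the four LOW-profile fields. The 5-bit packing, sentinel values and LRC rule are taken from the PACS 2.2 guidance rather than from the slides; `SAMPLE` and all function names are constructed for illustration.

```python
# Field names and digit counts as listed on the CHUID slide.
FIELDS = [("agency_code", 4), ("system_code", 4), ("credential_number", 6),
          ("credential_series", 1), ("individual_credential_issue", 1),
          ("person_identifier", 10), ("organization_category", 1),
          ("organizational_identifier", 4), ("person_org_association", 1)]
# Assumed from the PACS 2.2 guidance (not on the slides): 40 five-bit
# characters with start (0xB), field-separator (0xD) and end (0xF) marks.
SENTINELS = {0: 0xB, 5: 0xD, 10: 0xD, 17: 0xD, 19: 0xD, 21: 0xD, 38: 0xF}
# Constructed sample value, not a real credential.
SAMPLE = bytes.fromhex("D4E739DA739CED39CE739D836858210842108421C84210C3EB")

def _chars(raw):
    """Split 25 bytes into 40 five-bit characters and check odd parity."""
    if len(raw) != 25:
        raise ValueError("FASC-N must be exactly 25 bytes")
    bits = "".join(f"{b:08b}" for b in raw)
    values = []
    for i in range(0, 200, 5):
        c = bits[i:i + 5]
        if c.count("1") % 2 != 1:
            raise ValueError(f"parity error in character {i // 5}")
        values.append(int(c[3::-1], 2))  # four data bits, sent LSB first
    return values

def decode_fascn(raw):
    """Return the FASC-N fields as digit strings, rejecting malformed input."""
    ch = _chars(raw)
    lrc = 0
    for v in ch[:39]:
        lrc ^= v  # longitudinal redundancy check over start..end marks
    if lrc != ch[39]:
        raise ValueError("LRC mismatch")
    digits = ""
    for i, v in enumerate(ch[:39]):
        if i in SENTINELS:
            if v != SENTINELS[i]:
                raise ValueError(f"unexpected sentinel at character {i}")
        elif v > 9:
            raise ValueError(f"non-decimal digit at character {i}")
        else:
            digits += str(v)
    fields, pos = {}, 0
    for name, width in FIELDS:
        fields[name], pos = digits[pos:pos + width], pos + width
    return fields

def low_profile_id(fields):
    """LOW profile: Agency Code, System Code, Credential Number, Series."""
    return "".join(fields[name] for name, _ in FIELDS[:4])
```

Parity and LRC only catch read errors; they give no assurance that the FASC-N came from a genuine card, which is what the MEDIUM and HIGH profiles add.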


Smart Cards

Embedded computer chip that is either a microprocessor with internal memory or memory chip alone
– Contact or contactless designs
– Highly secure
  • On-card security functions
  • Intelligent interactions with reader
– Used worldwide in financial, telecommunications, transit, healthcare, secure identification and other applications

Images courtesy of Gemplus


Available Combined Technologies

• Different technologies can be combined:
  • 125 kHz Proximity
  • 14443A & 14443B, 15693 13.56 MHz smart cards
  • Contact smart cards
  • Magnetic stripe
  • Bar Code
  • Photo Printing
  • Holograms
  • Special inks
  • ISO/IEC 7810, 7811, 7816, …

Diagram courtesy of HID Corporation

HSPD-12/FIPS201/SP 800-73 specifies ISO 14443 for the contactless interface


Biometrics: Added Value

• Individual-unique biometric information
  • Fingerprints
  • Hand geometry
  • Retinal or iris patterns
  • Facial patterns
  • Voice prints

• Biometrics used with card technologies
  • Biometric information stored on the ID card and verified with actual biometric at point of interaction

Image courtesy of Gemplus

Currently FIPS 201/SP 800-76 specifies full image fingerprints for the card biometric


Typical Three-Factor Card Reader

[Figure labels: LCD display; Contact Smart Card Reader; Fingerprint sensor; Pinpad; Status LEDs indicating Security Level; Acoustic alarm; Contactless reader]


Security Levels

[Figure: solutions plotted against security level, from Low to High]
• Something you know (PIN, Password)
• Something you have + Something you know
• Something you have + Something you know + Something you are


Access Control System Overview

• Card
• Reader
• Control Panel
• Door/Gate Lock
• Access Control Server
• Software
• Database


Simplified Physical Access System

[Diagram: Access Control Servers, Badging and Guard Workstations, Control Panels, and 1 to 32 Access Control Readers and Controlled Doors. Link labels: LAN/IF, TCP/IP, LAN/WAN, MODEM, RS-485, Wiegand.]


Simplified Access Control Path

[Diagram: Smart Card, Card Reader, Control Panel, Access Control Server and Controlled Door, divided between an Unsecured Area and a Secure Area. Labels: "PACS 2.2 (2.3) Card to Reader Specification"; "No Security Interface Specification"; "Secure Channel Path".]


Concluding remarks

• Smart Cards and Biometrics will play a significant role in the Personal Identity Verification systems of the future

• There are issues to be resolved in the definition of these systems but they are vigorously being worked on.

• Biometric implementations will not be limited to physical access; there will be applications of biometrics in logical access systems.

• Biometrics and Smart cards will be a strong partnership for years to come.


Bob Merkert
Vice President Sales, Americas
