All Company and/or product names are trademarks and/or registered trademarks of their respective owners.
Smart Cards and Biometrics in Physical Access Control Systems
Robert J. Merkert, Sr., Vice President of Sales – Americas
Smart Card Alliance Annual Conference, October 12, 2005
10/19/2005 © Copyright SCM Microsystems Inc. 2
HSPD-12/FIPS 201/SP 800-73/SP 800-76 -1-
• Homeland Security Presidential Directive 12 (HSPD-12), issued on August 27, 2004, requires that the Federal credential, the Personal Identity Verification (PIV) card, be secure and reliable. This is defined as a credential that:
– Is issued based on sound criteria for verifying an individual’s identity
– Is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation
– Can be rapidly authenticated electronically, and
– Is issued only by providers whose reliability has been established by an official accreditation process
HSPD-12/FIPS 201/SP 800-73/SP 800-76 -2-
• The Department of Commerce and the National Institute of Standards and Technology (NIST) were tasked with producing a standard for secure and reliable forms of identification.
• In response, NIST published Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors (February 25, 2005).
• The FIPS 201 PIV Card is to be used for both Physical and Logical access, as well as agency specific applications.
• FIPS 201 - PIV, part II specifies standards for implementing identity credentials on integrated circuit cards (smart cards) for use in a Federal PIV system.
HSPD-12/FIPS 201/SP 800-73/SP 800-76 -3-
• FIPS 201 requires that the PIV be a smart card.
• The card must contain both contact and contactless interfaces, which may be provided by two separate integrated circuit chips or by one dual-interface ICC.
• The contact interface must conform to the ISO 7816 specification.
• The contactless interface must conform to the ISO 14443 specification.
• The card body is similar to a bank credit card and conforms to the ISO 7810 specification.
HSPD-12/FIPS 201/SP 800-73/SP 800-76 -4-
• Draft NIST Special Publication 800-76 (SP 800-76), Biometric Specification for Personal Identity Verification, is referenced in FIPS 201 and currently states that, at a minimum, two compressed fingerprint images must be stored on the PIV smart card contact chip.
• NIST SP 800-76 currently specifies the use of fingerprint images rather than templates because there is no current test data that proves the interoperability of standards-based fingerprint templates. NIST expects test results in February, 2006.
• This brings up three very important issues in the physical access control area:
– Time to read and process the image, with the resultant wait time for access
– The size of the integrated circuit chip being used – 64K or 128K
– Reader type required at access points
HSPD-12/FIPS 201/SP 800-73/SP 800-76 - 5 -
• Another issue that arises is a specific agency choosing to place biometric templates on the contactless portion of the smart card.
• This would be an agency specific implementation that is permitted within the FIPS 201 guidelines. However, this could result in the implementation of a system that is not interoperable with another agency. The system would be agency specific.
• And yet another issue to be considered is how the biometric matching is to be done:
– Match on Card (MOC)
– Match on Reader
– Match on Server
PACS 2.2 (2.3) Guidance
The Government Smart Card Interagency Advisory Board (GSC-IAB) and the Physical Access Interagency Interoperability Working Group (PAIIWG) saw that the procurement of Physical Access Control Systems (PACS) and components required a standardized approach to ensure that government agencies deploy equipment that meets both their specific needs and, at the same time, facilitates cross-agency interoperability.
The PACS 2.2 guidance specifies that on a Federal Agency Smart Credential (FASC) a standardized numbering scheme, called the Federal Agency Smart Credential Number (FASC-N), be used as the individual identifier.
The FASC-N is part of the Cardholder Unique Identification file (CHUID).
The FASC-N is the primary identification string to be used on all government issued credentials.
Reference: Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems – Version 2.2, July 30, 2004
CHUID EF and FASC-N – CUID
• CHUID (EF 0x3000)
– FASC-N (Tag 0x30), BCD digits:
  Agency Code (4)
  System Code (4)
  Credential Number (6)
  Credential Series (1)
  Individual Credential Issue (1)
  Person Identifier (10)
  Organization Category (1)
  Organizational Identifier (4)
  Person/Organization Association (1)
– GUID (Tag 0x34)
– Expiration Date (Tag 0x35)
– Authentication Key Map (Tag 0x3D)
– Issuer Asymmetric Signature
CUID – Card Unique Identifier
PACS 2.2 Guidance
PACS 2.2 allows for a range of assurance profiles:
- LOW – FASC-N fields (i.e., Agency Code, System Code, Credential Number, Credential Series)
- MEDIUM – FASC-N fields plus Hashed Message Authentication Code (HMAC)
- HIGH – FASC-N fields, after a valid Challenge-Response that authenticates both the Card and the Data. (Currently only applicable to contact smart cards.)
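As an added illustration that is not part of the original presentation, the following Python parses a FASC-N using the field widths from the CHUID slide and then applies the LOW and MEDIUM assurance checks from the PACS 2.2 slide. It assumes the FASC-N is handled as a plain 32-digit decimal string in the listed field order (the on-card BCD framing is not modelled) and that the MEDIUM profile's HMAC is HMAC-SHA256 under a key shared by issuer and PACS; the slides specify neither.

```python
import hashlib
import hmac

# FASC-N field layout from the CHUID slide: (field name, number of BCD digits).
FASCN_FIELDS = [
    ("agency_code", 4),
    ("system_code", 4),
    ("credential_number", 6),
    ("credential_series", 1),
    ("individual_credential_issue", 1),
    ("person_identifier", 10),
    ("organization_category", 1),
    ("organizational_identifier", 4),
    ("person_organization_association", 1),
]
FASCN_DIGITS = sum(width for _, width in FASCN_FIELDS)  # 32 digits in total

# ASSUMPTION: the FASC-N is handled as a plain 32-digit decimal string in the
# slide's field order; the on-card BCD framing (parity, sentinels) is not modelled.
def parse_fascn(digits: str) -> dict:
    if len(digits) != FASCN_DIGITS or not digits.isdigit():
        raise ValueError("FASC-N must be %d decimal digits" % FASCN_DIGITS)
    fields, pos = {}, 0
    for name, width in FASCN_FIELDS:
        fields[name] = digits[pos:pos + width]
        pos += width
    return fields

def low_assurance_id(fields: dict) -> str:
    # LOW profile: identity rests on four FASC-N fields; nothing proves they are genuine.
    return "".join(fields[k] for k in ("agency_code", "system_code",
                                        "credential_number", "credential_series"))

# ASSUMPTION: the MEDIUM profile's HMAC is modelled as HMAC-SHA256 under a key
# shared by issuer and PACS; the slide names neither algorithm nor key scheme.
def fascn_hmac(digits: str, key: bytes) -> bytes:
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).digest()

def verify_medium(digits: str, tag: bytes, key: bytes) -> bool:
    # Constant-time comparison so a rejected tag leaks nothing through timing.
    return hmac.compare_digest(fascn_hmac(digits, key), tag)

# Constructed sample credential (not a real FASC-N) and constructed site key.
SAMPLE_FASCN = "0032" "0001" "012345" "0" "1" "1234567890" "1" "1234" "1"
SITE_KEY = b"constructed-demo-key-not-for-production"

if __name__ == "__main__":
    fields = parse_fascn(SAMPLE_FASCN)
    tag = fascn_hmac(SAMPLE_FASCN, SITE_KEY)
    print(low_assurance_id(fields), verify_medium(SAMPLE_FASCN, tag, SITE_KEY))
```

A FASC-N with one altered digit still yields a well-formed LOW identifier but fails the MEDIUM check, which is the gap between the two profiles the slide describes.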
Smart Cards
Embedded computer chip that is either a microprocessor with internal memory or a memory chip alone
– Contact or contactless designs
– Highly secure
• On-card security functions
• Intelligent interactions with reader
– Used worldwide in financial, telecommunications, transit, healthcare, secure identification and other applications
Images courtesy of Gemplus
Available Combined Technologies
• Different technologies can be combined:
– 125 kHz Proximity
– 14443A & 14443B, 15693 13.56 MHz Smart cards
– Contact smart cards
– Magnetic stripe
– Bar Code
– Photo Printing
– Holograms
– Special inks
– ISO/IEC 7810, 7811, 7816, …
Diagram courtesy of HID Corporation
HSPD-12/FIPS 201/SP 800-73 specifies ISO 14443 for the contactless interface
Biometrics: Added Value
• Individual-unique biometric information
– Fingerprints
– Hand geometry
– Retinal or iris patterns
– Facial patterns
– Voice prints
• Biometrics used with card technologies
– Biometric information stored on the ID card and verified with the actual biometric at the point of interaction
Image courtesy of Gemplus
Currently FIPS 201/SP 800-76 specifies full image fingerprints for the card biometric
Typical Three-Factor Card Reader
Components shown in the reader diagram:
• LCD display
• Contact smart card reader
• Fingerprint sensor
• PIN pad
• Status LEDs indicating security level
• Acoustic alarm
• Contactless reader
Security Levels
Diagram: solutions arranged by security level, from Low to High:
• Something you know (PIN, Password)
• Something you have + Something you know (PIN, Password)
• Something you have + Something you know + Something you are
Access Control System Overview
• Card
• Reader
• Control Panel
• Door/Gate Lock
• Access Control Server
• Software
• Database
Simplified Physical Access System
Diagram: Simplified Physical Access System. Elements shown: access control servers; badging and guard workstations; LAN/WAN (TCP/IP) and modem links; control panels; RS-485 links; 1 to 32 readers (RS-485, Wiegand); access control readers and controlled doors.
Simplified Access Control Path
Diagram: Simplified Access Control Path. Elements shown: Access Control Server, Control Panel, Card Reader, Smart Card, Controlled Door. Labels: PACS 2.2 (2.3) Card to Reader Specification; No Security Interface Specification; Secure Channel Path; Secure Area; Unsecured Area.
Concluding remarks
• Smart Cards and Biometrics will play a significant role in the Personal Identity Verification systems of the future
• There are issues to be resolved in the definition of these systems, but they are being vigorously worked on.
• Biometric implementations will not be limited to physical access; there will be applications of biometrics in logical access systems.
• Biometrics and Smart cards will be a strong partnership for years to come.
Bob Merkert, Vice President Sales, Americas