02 December, 2009
By Salvatore D’Agostino, IDmachines
The Smart Cards in Government conference was held in Washington and ran concurrently with the Interagency Advisory Board meeting.
IDmachines long ago concluded that the path to convergence runs through the use of the same method of authentication for logical access, physical access and device authentication. In a federated environment such as that evolving in the world of PIV-I it also requires validation of the authentication token. Validation in this case means determining that the token is current, not revoked, has a trusted issuer and that a chain of trust exists between the issuer and the relying party or organization.
Cryptographic log-on, digital signatures and many other information technology applications use certificate-based authentication in commercial off-the-shelf offerings. Device authentication, or more specifically port-based network access control, is out there as IEEE 802.1x and has native support in Windows, MAC OS X and other modern operating systems, as well as in most vendor networking gear and even in internet protocol cameras. Given this level of support by the vendor community there should be no argument about availability of using PKI with logical or device access.
So the last piece of digital certificates and the underlying PKI as a multi-purpose identity infrastructure is physical access control. At these meetings there was a particular focus on the fact that this capability for federated PKI physical access control systems is available. Recent discussions point out the extent to which these solutions are being promoted–with varying degrees of completeness–at physical security trade shows.
While it is not exactly news that PKI and digital certificates are an option for some modern physical access control systems, what is news is that the IAB chose to highlight a demonstration of this technology. It sends a clear message to government agencies that these solutions exist and that they need to be part of their migration plan.
Let’s hope the argument is finally put to bed about whether these solutions exist, work well and are cost effective. There was even a standalone lock solution that implemented challenge and response over a contactless interface using the card authentication certificate. So agencies have a range of reader vendors and device types to meet the authentication levels called out in National Institute of Standards Special Publication 800-116.
The other item for discussion here from these meetings is the continued evolution of FIPS 201. As is typical with specifications from NIST a review is done after a five year period of time.
IDmachines finds the most interesting areas of discussion involve the use of match-on-card for biometric authentication factors, which addresses privacy concerns by eliminating the need for templates to leave a smart card or token. The expansion of supported biometrics to include other modalities beyond fingerprint–iris being the most likely extension–and facial image–mostly used by humans and not automated.
Another area of investigation involves the potential for mutual registration. This implies the use of the PIV credential as a means of registering an individual to an application, for example physical access control, and then being able to write an identifier back to the credential.
A number of different protocols were demonstrated that perform mutual registration and mutual authentication. These included OPACITY, MR-PIV, PLAID and SPAKE. Tightly bound to the ability to do mutual registration is the ability to do mutual authentication. This enables both card and reader to establish trust before an exchange of information.
All of these things point to the maturation of the digital certificate-based identity infrastructure established in the U.S. More importantly it points to a mature market with well defined applications and multiple vendors. This is what would be expected given the level of investment over the last five years. As the hype cycle shows, we can now proceed down the path of enlightenment.