Security in the clouds—and airports—plus registered traveler redux
22 December, 2009
category:
Another reason to leverage FIPS 201 and PIV-I
By Salvatore D’Agostino, IDmachines
IDmachines attended the American Association of Airport Executive (AAAE) Aviation Security Summit in Washington DC. This 9th annual program brings together operators, federal, state and local government, including representatives from the legislative branch, architects and consultants.
The program provided a good overview of aviation security practices in the U.S. Aviation security remains a focus of Homeland Security and the Transportation Security Administration with upgrades planned for most airport security and screening equipment. It is an area that has and continues to receive funding for capital equipment and training.
Coincidentally a number of other events and incidents in the last few weeks related to security and the aviation domain generated a background for considering the conference and topic of aviation security and credentialing. The TSA publishing operations documentation on FedBizOps, Registered Traveler possible coming back to life, a police officer in Denver who perhaps skipped security lines, examination of duplicate NYPD badges and the White House State Dinner crashers were all on the mind of attendees.
The obvious point to make is that strong identity and strong authentication cuts across these items. To quote a New York Times article: “The current commissioner, Raymond W. Kelly, does not carry a badge, only an ID card, a spokesman said.” And it’s another in this blog’s litany of arguments to use strong interoperable multi-application credentials based on existing NIST specifications and special publications.
The posting of the TSA security manual debate is interesting in that few people, if anyone, talks about why this security protocol required secrets. The best concept of operations documents should be able to be released to the public. The best security is vetted by public review, just as peer review of algorithms or publications increasing its likelihood of being technically sound and even well constructed. Airports are not very different than any other critical infrastructure facility when it comes to screening employees, contractors and visitors, except for the volume of individuals and parcels that require screening.
Vulnerabilities need attention not black outs. Details on vulnerabilities should not be in the manuals in the first place even if it’s a gaping hole. Simply point out the need for close, consistent manual attention to the types of threats not highlighted by current sensors and applications.
In particular there was hoopla made over the fact that there were pictures of all the badge types. This ignores the fact that security by “flash pass”, even with ultraviolet or other optical loupes is weak. In fact TSA is engaged in upgrading the Credential Authentication Technology – Boarding Pass Scanning Systems (CAT/BPSS). I would guess that TSA agrees that any motivated attacker with access to resources can find out credential topology and copy for show, and what can present a challenge is raising the bar to beat the cryptography and multiple factors on strong assurance credentials.
At the conference it was refreshing to hear TSA representatives with Airport Policy, Threat Assessment and Aviation Credential portfolios get behind PIV and PIV-I as recommended credential solutions. There was a necessary evolution from the Aviation and Credentialing Interoperability Specification (ACIS) to PIV-I that now synchronizes with CIO Council guidance for non-Federal issuers. Airports have the option of issuing their own aligned credentials or they can procure them as a service same as other critical infrastructure providers.
IDmachines did not hear, nor at this point have we seen federal guidance, for the rebirth of Registered Traveler. On last go round the RT Interoperability Specification missed the boat–actually it missed on both TWIC and PIV.
They specified interoperability in an airport-only silo and not across government, critical or other infrastructure. RT interoperability is a non-starter if you can’t trust the credential, the most useful paradigm for trust being PIV and PIV-I.
I have listed the value in taking this approach in enough posts not to have to repeat the reasons here. When you combine this with the history and requirements of the aviation domain going the PIV-I route for RT it creates a credential that is good for more than an EZ-Pass lane at security–even when it evolves to a globally accepted one.
In fact any RT program needs to reach a critical mass of users or else it makes airport problems worse by taking up valuable lanes where there is limited real estate in airports. Otherwise it becomes open to the “Lexus lane” arguments for electronic tolling and congestion pricing.
At the end of the day the registered traveler program is more viable and valuable if it goes the PIV-I route and simplifies as opposed to complicates credential validation. The same goes for the migration of other airport credentials. Hopefully this post puts this stake in the ground for TSA, RT and airport credentialing to come together with the PIV-I world.