FIPS 201 / PIV


This presentation gives a smartcard- and reader-centric view of the FIPS 201 / PIV program for Federal agencies, covering both physical and logical access. FIPS 201 is the standard developed to comply with Homeland Security Presidential Directive 12 (HSPD-12).

  1. PIV (FIPS 201)
     Anshuman Sinha
  2. What is PIV (FIPS 201)?
     - Response to HSPD-12, "Policy for a Common Identification Standard for Federal Employees and Contractors."
     - A common identity standard for Federal employees and contractors, used for both physical access to Federal facilities and logical access to Federal information systems.
     - Graduated security: different assurance levels for different applications, because more security than an application needs is expensive and redundant.
  3. What does PIV replace?
     - The driver's license as the identity document of a Federal employee or contractor.
     - Passwords ("xxxxxxyyyy") used to gain access to a service or to data in an information system.
  4. Goals of PIV
     - Strong identity verification before a credential is issued, performed by the issuance system or card management system (CMS).
     - Rapid electronic authentication, which implies paperless issuance and reduces fraudulent issuance of identity credentials.
     - Reduced tampering with identity credentials.
  5. What is PIV II?
     - PIV has two parts:
       - Part 1 (PIV I): the minimum requirements to meet HSPD-12: personal identity proofing, registration and issuance.
       - Part 2 (PIV II): detailed technical specifications supporting interoperability between Federal agencies.
  6. PIV Timeline
     - Aug 2004: HSPD-12
     - Feb 2005: FIPS 201
     - Aug 2005: NPIVP test
     - Nov 2005: more test facilities
     - Dec 2005: biometric specifications
     - June 2006: FIPS 201-1
     - July 2006: PIV card / reader interoperability (IOP)
     - Oct 2006: PIV target
  7. PIV Technology
     - PIV does not invent new technology; it builds on technology that already exists.
     - As technology evolves, PIV is bound to change.
     - PIV is vendor neutral: it does not specify proprietary technology that would favour one vendor or a set of vendors.
     - The requirements of PIV are best met with the latest technology.
     - PIV pushes the engineering limits of current products: "Upgrade to the latest identity/credentialing technology!"
  8. PIV Card Technology: Physical Requirements
     - ISO 7810 ID-1 size (85.6 x 53.98 mm) for the ICC
     - Chip dimensions per FIPS 201-1 and ISO 7816-1
     - Card plastic must tolerate slotting and security identification printing
     - ISO 10373 parts 1-6 test methods
     - FIPS 140-2 validated cryptographic module
     - Metal contact placement per ISO 7816-2
     - Card body test methods per ANSI/INCITS 322
  9. PIV Card Technology: Platform Requirements
     - Programmable smartcards
     - True dual-interface card: ISO 7816 (contact) and ISO 14443 type A/B (contactless)
     - RSA with 2048-bit keys (3072 preferred)
     - On-card key generation
     - Biometric capable
  10. PIV Card Technology: Platform Requirements (continued)
     - Biometrics supported for identification and verification
     - Storage and retrieval of digital certificates
     - Backward compatible with file-system based smartcards
       - File system cards: ISO 7816 style data storage (Java Card 1.0/2.0 and non-Java cards)
       - Object-oriented cards: all non-primitive data types are arrays or objects
     - The card-to-reader interface is standardized and defined in the specifications [earlier specifications deprecated]
  11. PIV: Java Card Architecture (diagram)
     Layers, bottom to top: smartcard controller with crypto co-processor; card operating system; Java Card Virtual Machine; Java Card Runtime Environment; Java Card API; Card Manager and applets 1 to 3, one of which is the currently selected applet. An APDU enters from the reader and the selected applet returns the APDU response.
  12. PIV: MULTOS Architecture (diagram)
     Toolchain: source in MEL, Java, Basic or C; editor; the respective compilers and assembler; linker/optimizer; loader; then terminal, simulator and debugger.
  13. PIV: Java Card Application (diagram)
     Build flow: .java files; compiler; .class files; converter (assigning the AID); .CAP and .EXP files; loader; smartcard.
  14. PIV: GlobalPlatform
     - Defines how applets are loaded onto the card
     - Registers applets with a security domain
     - Verifies the source of application code by validating its signature
     - Opens and closes an (SSL-like) secure channel
     - Application management: install and delete
     - Card management and card life cycle
  15. PIV Subsystems
     - Logical access control: card, reader and middleware
     - Physical access control: contact/contactless card, access control readers, interface unit and door controllers
     - Card issuance (cameras, fingerprint capture, documentation, encoder): card management system; card layout design and printing
  16. PIV Card Data Model
     Data object                                  Interface                Access rule
     Card Capability Container                    Contact                  Always read
     Card Holder Unique Identifier (CHUID)        Contact and contactless  Always read
     X.509 certificate for PIV Authentication     Contact                  Always read
     Cardholder Fingerprint I                     Contact                  PIN
     Printed Information buffer                   Contact                  PIN
     Cardholder Facial Image                      Contact                  PIN
     X.509 certificate for Digital Signature      Contact                  PIN
     X.509 certificate for Key Management         Contact                  Always read
     X.509 certificate for Card Authentication    Contact                  Always read
     Security Object                              Contact                  Always read
     Mandatory data: Card Capability Container, CHUID, PIV Authentication certificate, fingerprints and Security Object. The remaining objects are optional. Only the CHUID is readable over the contactless interface.
  17. Card Cryptographic Objects
     - An X.509 certificate for each asymmetric key
     - Digitally signed CHUID
     - Digitally signed biometrics (CBEFF signature block)
     - Security Object: a digitally signed table of hashes of the other data objects
  18. Key Sizes: Time Bound
     - Key sizes change with time (SP 800-78).
     - Sizes step up at the boundary between Time Period A (TA), which ends 12/31/2008, and Time Period B (TB), which runs from 1/1/2009 to the end of the decade.
     - PIV Authentication key: RSA 1024 or 2048 bits
     - Card Authentication key: symmetric or asymmetric
       - TA: 2TDEA, AES, RSA 1024/2048
       - TB: 3TDEA, AES, RSA 2048
     - Digital Signature and Key Management keys: RSA 2048 by TB
  19. PIV Card Biometrics
     - Two fingerprints stored on the card
     - All ten fingerprints enrolled; the others are kept on the enrollment server
     - Facial image printed on the card
     - Facial image may also be stored on the card (optional)
     - Biometric image format to be specified (TBD)
  20. PIV II Graduations: Physical Access
     Assurance level        PIV auth mechanism
     Some confidence        VIS, CHUID
     High confidence        BIO
     Very high confidence   BIO-A, PKI
  21. PIV II Graduations: Logical Access
     Assurance level        Local auth mechanism   Remote auth mechanism
     Some confidence        CHUID                  PKI
     High confidence        BIO                    PKI
     Very high confidence   BIO-A, PKI             PKI
  22. PIV II Auth Mechanisms
     - Visual (VIS)
       - Authenticate by checking what is printed on the card
     - CHUID
       - The CHUID is read and one of its data elements is checked to grant access
       - Digital signature verification is optional
       - The expiration date is checked
       - Works with contact as well as contactless readers
       - Without signature verification the CHUID is a static, copyable identifier, which is why this mechanism rates only "some confidence"
  23. PIV II Auth Mechanisms (continued)
     - BIO (CTE auth): BIO and BIO-A (attended)
       - Cardholder verification (CHV) by PIN
       - Signed biometric template verified off card
       - Digital signature verification is optional
       - Used only with contact readers
     - PKI auth
       - Cardholder verification (CHV) by PIN
       - Authentication by online PKI certificate check
       - Digital signature verification is mandatory
       - Used only with contact readers
  24. PIV II CHUID Auth (flow diagram)
  25. PIV II BIO Auth (flow diagram)
  26. PIV II PKI Auth (flow diagram)
  27. PIV II Reader Design Goals
     Assurance level        PIV auth mechanism   Reader
     Some confidence        VIS, CHUID           Design 1
     High confidence        BIO                  Design 2
     Very high confidence   BIO-A, PKI           Design 3
  28. PIV II Reader Design Goals (continued)
     - Implement for physical access: SELECT APDU and GET DATA APDU
     - Implement PIN caching in the reader?? (open question)
     - Low assurance readers need optional signature verification
     - High assurance readers need to be PKI aware
  29. PIV II Physical Access Reader Interoperability
     - PIV contact card reader (physical access)
       - Achieves the higher assurance levels
     - PIV contactless card reader (physical access)
       - APDU support
       - ISO 14443 type A and type B
       - Reads 4 KB of data in under 2 seconds
       - Read range: under 10 cm
       - Transmission speeds: 106, 212 and 424 kbit/s
  30. PIV II Card Types
     Transition card [dual chip, dual (contact + contactless) interface]:
     - Mifare (ISO 14443 A) [P] / 125 kHz proximity
     - ISO 7816
     - File system card or Java Card 1.0
     - EEPROM data accessible through the contact interface only
     End point card [single chip, dual interface]:
     - ISO 14443 A/B with commands
     - ISO 7816
     - Java Card 2.1
     - DES / AES / RSA
     - EEPROM data accessible through contact and contactless interfaces
  31. PIV II Card Types and Applets (diagram)
     - End point card [single chip, dual interface]: PIV II applet
     - Transition card [dual chip, dual interface]: CAC applet
     - Transition II card [dual chip, dual interface]: PIV II applet and CAC applet
  32. PIV II: SP 800-73
     - Part 1: common data model and migration considerations
     - Part 2: transitional interfaces for backward compatibility
       - For agencies with an existing GSC-IS deployment only
     - Part 3: end-point interfaces
       - Mandatory for agencies with new deployments
  33. Assurance Levels
     Assurance level        Physical access mechanism   Logical access mechanism
     Some confidence        VIS, CHUID                  CHUID
     High confidence        BIO                         BIO
     Very high confidence   BIO-A, PKI                  BIO-A, PKI
  34. When to Reissue Identity Cards?
     - [A] Card
       - Lost: search, notify, interim/emergency badge, reissue
       - Stolen: notify, interim/emergency badge, reissue
     - [B] Credential expired (4 or 5 year term)
       - Collect, destroy, reissue
       - Go through the verification process again
     - [C] Card found
       - A lost card may later be recovered
  35. When to Reissue?
     - Person quits
     - Person loses the badge
     - Policy changes
     - Card end of life
  36. Upon Lost Notification [person in organization]
     - The CMS must provide a mechanism to block the card, and a lost card must be blocked promptly. The host needs an interface that notifies the CMS that the card is lost so that it is blocked.
     - The host reports the lost or stolen card and requests that a new card be generated.
     - The credentialing organization receives the request and produces another blank card with platform keys, which is sent to the card issuer.
  37. Temporary Badge Creation
     - An emergency badge is needed for the interim. Its expiration should be short; the exact length is not specified and depends on the type of employee and the agency's policy.
     - PIV does not specify the type of temporary badge. For physical access a visitor badge may suffice, but what about logical access?
  38. Reissuance of PIV Credentials
     - Go through the approval process again
       - Approval from the signature authority
       - Determine the turnaround time and notify the cardholder
       - Adjudication and vetting process
       - Decide whether a centralized or decentralized card policy will be used
       - Develop materials and handling requirements for card stock
       - Define activation policies
  39. New / Replacement Badge Creation
     - Format the badge with a new set of keys and certificates; since the old badge is lost, new credentials are needed.
     - Increment the ICI (Individual Credential Issue number); all physical access controllers must learn the new ICI.
     - It is usually best to check every badge's ICI. If that is not possible, the distinction has to be made in the credential number.
  40. Security Policies Left to the Agency
     - Reissuance vetting policy
     - Temporary badge: technology, process, length of issue
     - Choice of Wiegand data format
       - 75-bit is the popular choice and is necessary for certification
       - 200-bit is the next option, but invites confusion since multiple 200-bit data formats are in use
  41. 75-bit Wiegand (Truncated FASC-N)
     The 75-bit PIV format is laid out as:
     E AAAAAAAAAAAAAA SSSSSSSSSSSSSS CCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDD O
     - E: even parity bit computed over the first 37 data bits; this is the first bit transmitted
     - A (14 bits): agency code
     - S (14 bits): site code
     - C (20 bits): credential number
     - D (25 bits): expiration date YYYYMMDD
     - O: odd parity bit computed over the last 36 data bits
     - 75-bit Wiegand cannot carry the ICI number
  42. 200-bit Wiegand (FASC-N)
     This format outputs the entire FASC-N. Example FASC-N:
     - AC (agency code, 4 digits): 1111
     - SC (site code, 4 digits): 2222
     - C# (credential number, 6 digits): 333333
     - CS (credential series, 1 digit): 4
     - ICI (individual credential issue, 1 digit): 5
     - PI (person identifier, 10 digits): 6666666666
     - OC (organizational category, 1 digit): 7
     - OI (organizational identifier, 4 digits): 8888
     - POA (person/organization association, 1 digit): 9
  43. 200-bit Wiegand (FASC-N + expiration date)
     This format outputs the FASC-N with the expiration date. The date is an 8-digit number (YYYYMMDD) that replaces the 8 least significant digits of the PI; the 2 most significant digits of the PI are set to zero. Example:
     - AC (agency code, 4 digits): 1111
     - SC (site code, 4 digits): 2222
     - C# (credential number, 6 digits): 333333
     - CS (credential series, 1 digit): 4
     - ICI (individual credential issue, 1 digit): 5
     - Expiration date in place of PI (10 digits): 0020110416 (2011, April 16)
     - OC (organizational category, 1 digit): 7
     - OI (organizational identifier, 4 digits): 8888
     - POA (person/organization association, 1 digit): 9
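As an added example, not part of the slides and not any agency's or vendor's code, the Python below encodes the FASC-N of slides 42 and 43 into the 200-bit Wiegand stream, decodes and validates such a stream, and emits the 75-bit truncated format of slide 41. The character coding (4 data bits LSB first plus an odd-parity bit per character, SS=0xB, FS=0xD, ES=0xF, LRC as the XOR of all preceding nibbles) is assumed from the TIG SCEPACS FASC-N definition, which the slides do not spell out; the sample digits are the slides' own, and the class and function names are this example's. Slide 44's HMAC variant is left out because the slides do not say how the HMAC is keyed.

```python
"""Added example: FASC-N as a 200-bit Wiegand stream and its 75-bit truncation.
Assumed BCD coding (TIG SCEPACS, not stated on the slides): 4 data bits LSB first
plus an odd-parity bit per character; SS=0xB, FS=0xD, ES=0xF; LRC = XOR of nibbles."""
from __future__ import annotations
from dataclasses import dataclass, replace
from functools import reduce
from operator import xor

SS, FS, ES = 0xB, 0xD, 0xF          # start sentinel, field separator, end sentinel
FS_POSITIONS = (5, 10, 17, 19, 21)  # where FS must sit inside the 39-character body


@dataclass(frozen=True)
class FascN:
    agency_code: str          # AC,  4 digits
    site_code: str            # SC,  4 digits
    credential_number: str    # C#,  6 digits
    credential_series: str    # CS,  1 digit
    ici: str                  # ICI, 1 digit, incremented on every reissue
    person_identifier: str    # PI,  10 digits
    org_category: str         # OC,  1 digit
    org_identifier: str       # OI,  4 digits
    poa: str                  # POA, 1 digit

    def nibbles(self) -> list[int]:
        """The 39 characters SS ... ES, before the LRC is appended."""
        d = lambda s: [int(c) for c in s]
        return ([SS] + d(self.agency_code) + [FS] + d(self.site_code) + [FS]
                + d(self.credential_number) + [FS] + d(self.credential_series)
                + [FS] + d(self.ici) + [FS] + d(self.person_identifier)
                + d(self.org_category) + d(self.org_identifier) + d(self.poa) + [ES])


def _bcd_char(nibble: int) -> list[int]:
    bits = [(nibble >> i) & 1 for i in range(4)]   # LSB first on the wire
    return bits + [1 - sum(bits) % 2]               # odd parity over the 5 bits


def encode_200(f: FascN) -> str:
    """Full FASC-N: 40 characters x 5 bits = 200 bits, LRC computed here."""
    body = f.nibbles()
    return "".join(str(b) for n in body + [reduce(xor, body)] for b in _bcd_char(n))


def decode_200(stream: str) -> FascN:
    """Parse a 200-bit stream; ValueError on any parity, LRC or layout fault."""
    if len(stream) != 200:
        raise ValueError("expected 200 bits")
    nibbles = []
    for i in range(0, 200, 5):
        ch = [int(b) for b in stream[i:i + 5]]
        if sum(ch) % 2 != 1:
            raise ValueError(f"parity error in character {i // 5}")
        nibbles.append(sum(bit << k for k, bit in enumerate(ch[:4])))
    body, lrc = nibbles[:-1], nibbles[-1]
    if lrc != reduce(xor, body):
        raise ValueError("LRC mismatch")
    if body[0] != SS or body[-1] != ES or any(body[p] != FS for p in FS_POSITIONS):
        raise ValueError("bad sentinel or field separator")
    digits = [n for p, n in enumerate(body[1:-1], 1) if p not in FS_POSITIONS]
    if any(n > 9 for n in digits):
        raise ValueError("non-decimal digit in a data field")
    s = "".join(map(str, digits))                   # the 32 data digits
    return FascN(s[0:4], s[4:8], s[8:14], s[14], s[15], s[16:26], s[26], s[27:31], s[31])


def with_expiration(f: FascN, yyyymmdd: str) -> FascN:
    """'FASC-N + E.Date': the date replaces the low 8 PI digits, the top 2 become 00."""
    return replace(f, person_identifier="00" + yyyymmdd)


def encode_75(f: FascN, yyyymmdd: str) -> str:
    """Truncated PIV format: E | AC(14) | SC(14) | C#(20) | YYYYMMDD(25) | O."""
    data: list[int] = []
    for value, width in ((int(f.agency_code), 14), (int(f.site_code), 14),
                         (int(f.credential_number), 20), (int(yyyymmdd), 25)):
        if value >= 1 << width:
            raise ValueError("field value does not fit its width")
        data += [(value >> (width - 1 - k)) & 1 for k in range(width)]  # MSB first
    e = sum(data[:37]) % 2          # even parity over the first 37 data bits
    o = 1 - sum(data[37:]) % 2      # odd parity over the last 36 data bits
    return "".join(map(str, [e] + data + [o]))


def decode_75(stream: str) -> dict[str, int]:
    """Parse a 75-bit stream; ValueError if either parity bit is wrong."""
    if len(stream) != 75:
        raise ValueError("expected 75 bits")
    bits = [int(b) for b in stream]
    data = bits[1:-1]
    if (bits[0] + sum(data[:37])) % 2 != 0 or (sum(data[37:]) + bits[-1]) % 2 != 1:
        raise ValueError("parity error")
    field = lambda pos, width: int("".join(map(str, data[pos:pos + width])), 2)
    return {"agency_code": field(0, 14), "site_code": field(14, 14),
            "credential_number": field(28, 20), "expiration": field(48, 25)}


# Constructed sample with the slides' digits; REISSUED differs only in the ICI.
SAMPLE = FascN("1111", "2222", "333333", "4", "5", "6666666666", "7", "8888", "9")
REISSUED = replace(SAMPLE, ici="6")
```

Encoding the same cardholder before and after a reissue (SAMPLE and REISSUED) gives two different 200-bit streams but an identical 75-bit stream. That is the practical consequence of slides 39 and 41: a panel fed 75-bit data cannot reject the old, lost card once its replacement is issued unless the credential number itself is changed, whereas a 200-bit panel can key on the ICI.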
  44. 200-bit Wiegand (FASC-N + HMAC)
     This format outputs the FASC-N with an HMAC. The HMAC is a 10-digit decimal number that replaces the PI, and the LRC is recomputed to account for the change. Example:
     - AC (agency code, 4 digits): 1111
     - SC (site code, 4 digits): 2222
     - C# (credential number, 6 digits): 333333
     - CS (credential series, 1 digit): 4
     - ICI (individual credential issue, 1 digit): 5
     - HMAC in place of PI (10 digits): 1571179234
     - OC (organizational category, 1 digit): 7
     - OI (organizational identifier, 4 digits): 8888
     - POA (person/organization association, 1 digit): 9
  45. Reissuance Policy for PACS
     - Reissuance policy
       - Desirable to have it configurable
       - Who configures the reissuance policy?
       - Prox technology can be used for temporary badges
       - Picture Perfect takes care of issuing the notifications
       - Does Picture Perfect talk to the CMS?
  46. Certificate Revocation
     - The PACS manager could maintain a list of revoked credentials and convey it to the system on a regular basis.
     - If the PIV Authentication certificate is revoked, the PACS ACL should change.
     - Message-based request from the IDMS to the PACS to revoke access when a card is revoked.
     - Person-based synchronization between the PACS and the list of revoked IDs.
  47. References
     - Java Card specifications
     - FIPS 201 publications
     - NIST publications
     - SP 800-73 and related special publications
     - Other standards