This document discusses managing the Personal Identity Verification (PIV) life-cycle and converging physical and logical access control systems. It explores the challenges of the PIV life-cycle from issuance through retirement. Key challenges include managing identity information across different systems, establishing administrative controls and workflows, and provisioning/de-provisioning with disparate solutions. The document also examines challenges of enabling PIV credentials to authenticate physical and logical access systems and managing authentication processes. Finally, it presents a logical PIV architecture solution to integrate identity enrollment, life-cycle management services, and physical/logical access control.

1. Managing PIV Life-cycle
&
Converging
Physical & Logical Access Control
Ramesh Nagappan
Sun Microsystems
ramesh.nagappan@sun.com
Smart cards in Government Conference
Oct 23, 2008
Ronald Reagan International Center, Washington DC

2. Setting Expectations
What you can take away !
 Explore the Personal Identity Verification (PIV)
Life-cycle and its pre- and post-issuance
deployment challenges.
 Architectural characteristics of managing PIV
Life-cycle and converging Physical and Logical
Access Control Systems.
 Role and relevance of adopting to an Identity
Management Solution (IDMS) for delivering and
managing an end-to-end PIV lifecycle.
2

3. Personal Identity Verification (PIV)
• Personal Identity Verification has become a
Fiduciary Responsibility of many National
Governments.
> Adopting to common credentials with verified identity
enables secure and reliable form of personal
identification.
• Host of PIV standards initiatives and regulatory
mandates currently being adopted on a
national/global basis.
> US Homeland Security Presidential Directive (HSPD-12
2004)‫‏‬
> UK Identity Cards Act (2006)‫‏‬
> French INES (Identité Nationale Electronique Sécurisée)‫‏‬
> ICAO 9303 ePassport / eId
> EU Citizen Card, EU EAC (EC 2252/2004)‫‏‬
> Belgian eID, Finesse eID, Taiwan eID, India ePassport and
several others (in progress). 3

4. 4

5. PIV Card Issuance and Management
FIPS-201 defined PIV Card Issuance and Management
Source: FIPS 201-1
5

6. The PIV Life-cycle
PIV Identity Management Activities (From registration to till its retirement)
Identity
Registration
PIV Identity
Credential Enrolment &
Termination Adjudication
PIV PIV
Credential Credential
Maintenance Issuance
PIV
Physical &
Logical Access
Control
6

7. The PIV Ecosystem
Core technology components of a PIV Lifecycle
Demographic
Data/
Documents
Security
Event Biometric
Monitoring samples
Enroll
Identity
Physical/
Management
Te
Logical Solution
rm
Access ge Identity
in
Control n Proofing &
ha
at
Systems C Adjudication
e
Credentials Public-Key
Issuance Infrastructure
( Smartcard/PKI/
Biometrics)
7

8. PIV Card Credentials
FIPS-201 Mandatory and Optional On-Card Credentials
Mandatory Credentials
PIN (Personal Identification Number)
Cardholder Unique Identifier (CHUID)‫‏‬
PIV Authentication Data (asymmetric key pair and
corresponding PKI certificate)‫‏‬
Two biometric fingerprints (CBEFF)‫‏‬
Optional Credentials
An asymmetric key pair and corresponding certificate
for digital signatures Source: GSA USAccess
An asymmetric key pair and corresponding certificate
for key management
Asymmetric or symmetric card authentication keys for
supporting additional physical access applications
Symmetric key(s) associated with the card
management system 8

9. PIV Lifecycle: Known Challenges
Understanding Real-world Pain Points
• Defining an authoritative source for managing and
maintaining PIV information life-cycle.
 Silos of point solutions and repositories - Biometric/Enroll
middleware, CMS, PACS, LACS, SIEM, IAM and more !
 No single administration console for management.
 Too many PIV life-cycle events and operations - right from
identity registration and till its retirement !
• Establishing administrative controls, authorization
workflows and authority approvals/denials for lifecycle
operations.
 Managing and maintaining authorization workflow,
approval/denial actions and notification.
 Enforcing segregation of duties (separation of powers).
 Enforcement of access control policies, Role based Access
control (RBAC) and procedures (ex. Emergency access/exit).
9

10. PIV Lifecycle: Known Challenges …continued
Understanding Real-world Pain points
• Provisioning and De-Provisioning complexities with
disparate PIV/FIPS-201 solutions and downstream
applications.
 Initiating instantaneous Provisioning and De-provisioning of PIV
enrollment data and its changes to support Identity lifecycle
events - Identity registration to till its termination.
 Detecting and thwarting dormant/back-door user account
creation/modification and circumventing controls.
• Managing changes and re-verification/re-enrollment
issues related to profiles, roles, privileges and policies.
 Identity attribute changes and propagation to heterogeneous
PIV based applications ?
 Supporting re-verification and re-enrollment requirements
related to lifecycle events and attribute changes.
 Certify and attest role and access privileges changes.
10

11. Converging Physical/Logical Access:
Known Challenges
• Enabling PIV credentials to authenticate disparate
Physical Access Control Systems (PACS) and Logical
Access Control Systems (LACS).
 Using PIV credentials such as CHUID, PIN, PKI certificates and
Biometrics for authentication.
 Use PIV credentials based digitally-signed approvals or denials
for authorization workflow and maintaining tamper-proof
logs/records of authorization information.
 Enabling PIV credentials based Single Sign-on (SSO) to IT
applications and Desktops and furthering SSO to participate in
Federation (eAuthentication Scenarios).
 Integration, extensibility limitations and maintenance issues are
common due to proprietary nature of interfaces related to
PACS.
11

12. Converging Physical/Logical Access:
Known Challenges …. continued
• Initiating and managing the authentication process using
PIV Credentials.
 PKI certificate validation via OCSP or CRL DPs of the PKI SSP.
 Enabling PACS authentication using CHUID/PKI/PIN credentials
(Based on Contact/Contact-less/Hybrid readers).
 On/Off-the-card Biometric authentication using Biometric
authentication middleware.
• Managing requests and reporting the status of scenarios
such as Forgotten PIN, Temporary card requests and Lost
PIV card scenarios ?
 Managing and reporting the status of Lost/Forgotten card-
requests/approvals, certificate revocation, key escrow and
recovery operations.
12

13. Logical PIV Architecture Solution
Putting it all together
Identity Enrollment and Adjudication Services
Identity Identity
Registration/ Demographic PIV Request w/
Document Biometric Proofing/
Enrollment data Credentials samples
Sponsor approval Adjudication
Identity Life-cycle Management Services Smartcard
Issuance/
Auditing Authorization Credential Management
Provisioning User/Role Services
Logging Workflow Change
De-provisioning Management
Compliance Signed Approvals Management
Physical and Logical Access Control Services
IT Applications Public
PKI / Biometric Physical Access eAuthentication Key
Authentication Control Systems Single Sign-on / Federation Infrastructure
13

14. PIV Authorization Workflow
Hiring Enrollment HR
Manager Officer Officer
Approval/ Approval/ Approval/
Denial Denial Denial
Biometrics Identity Card Issuance &
Applicant Breeder Documents Proofing &
Registration Activation
Enrollment Adjudication
HR Enrollment Hiring
Manager Officer Manager
Approval/ Approval/ Approval/
Denial Denial Denial
Retirement / Credential Physical &
Termination Maintenance Logical Access
• IDMS manages the authorization workflow and authority approval and denials.
> Digitally signed approvals using PIV card credentials verified against a PKI provider.
• IDMS facilitates Work-flow driven provisioning and de-provisioning of PIV
information and credentials to PIV/FIPS-201 mandated resources.
14

15. Choosing an IDMS
IDMS Requirements for managing PIV lifecycle
• Automated Provisioning & De-Provisioning and
Synchronization Services
 Automated operations for Creation, Maintenance and Termination of
Identity profile (s) and its access privileges .
 Integration and interoperability with FIPS-201 compliant Biometric
middleware, Document verification, CMS, PACS, IAM and other
supporting IT applications.
 Instantaneous provisioning/de-provisioning and synchronization of
User profile attributes, PIV credentials (PIN/PKI/Biometrics), roles,
status/attribute changes, access privileges, rules and policies to/from
target resources.
• Automated Authorization and Approval/Denial workflows and
notifications.
 Workflow-driven provisioning/de-provisioning/change requests,
approvals/denials, notifications and escalations.
 PIV credentials based digitally-signed approvals and denials.
15

16. Choosing an IDMS …. continued
Core IDMS Requirements for managing PIV lifecycle
• Role Engineering and Management
• Establish internal controls for enforcing “Segregation of Duties” and
“Least privilege”. (Ex. FISMA compliance)
• Auditing, Access Certification and Compliance reporting
• Who has access ? Who accessed it ?
• What went wrong ? Who authorized it ? When it happened ?
• Periodic access review (Attestation and Recertification)
• Detect and report potential violations
• Integration with Security Information and Event monitoring (SIEM).
• Single administration console and dashboard for all PIV user
profile information and status of requests/operations for all target
resources.
• Self-service user administration and delegated administration.
• Message and Transport-level Security (FIPS-140 mode)
16

17. Industry Standards
Contributing standards for Managing PIV and Convergence of P/LACS
• OASIS SPML 2.0 - Service Provisioning Markup Language.
 XML Protocol for Identity Provisioning and De-Provisioning.
• OASIS SAML 2.0 - Security Assertions Markup Language.
 XML Protocol for representing Authentication and Authorization
assertions.
• OASIS XACML 2.0 - eXtensible Access Control Markup
Language.
 XML Protocol for representing Access Control Policies.
• Liberty Alliance Standards (ID-*)
 Open Standards for representing Identity Federation across
networks.
• OASIS WS-Security and WS-* Standards for Securing
XML Web Services.
• Finally….FIPS-201 and its related special publications. 17

18. PIV Solution from Sun and ISV Partners
Pre-Integrated, Pre-Verified and Pre-Tested for PIV Deployment
Smartcard
Identity Issuance and
Enrollment & Management
Adjudication
• Aware BioSP • ActivIdentity CMS
• CrossMatch • Bell-ID ANDiS
• Secugen
Aware BioSP
Sun Public-key
Identity Infrastructure SSP
Security Information
& Event Monitoring Management • Entrust
(SIEM) Suite • Cybertrust
• Verisign
• ArcSight • Exostar
• LogLogic
Physical & Logical Verisign PKI
Access control
• Quantum Secure SAFE
• Aware BioSP
• BioBex
• ActivIdentity ESSO
18

19. Thank You
Ramesh Nagappan
Sun Microsystems
ramesh.nagappan@sun.com
Smart cards in Government Conference
Oct 23, 2008
Ronald Reagan International Center, Washington DC 19