Personal Identity Verification (PIV) Enablement Solutions

Transcription

1 Prsonal Idntity Vrification (PIV) Enablmnt Solutions pivclass Govrnmnt Solutions

2 Affordabl Prsonal Idntity Vrification (PIV) Enablmnt Solutions from a Singl, Trustd Supplir Complt Solution for PIV Enablmnt HID Global s pivclass Govrnmnt Solutions portfolio is an xtnsiv product family that maks it asy for U.S. Fdral Govrnmnt, govrnmnt contractors and othr facilitis to comply with scurity rgulations and to us thir Prsonal Idntity Vrification (PIV) and othr smart cards for physical accss control, rsulting in complianc, introprability and high scurity. FIPS 201 Complianc Without Th Nd to Rip and Rplac Th pivclass modular approach provids govrnmnt agncis th ability to us thir PIV idntity cards for strong public ky infrastructur (PKI)-basd validation for physical accss control. Th solution nabls this functionality without th nd to rip and rplac xisting physical accss control systms (PACS), rducing costs, and rmoving complxitis to mak it asy and affordabl to acquir, install and maintain compliant physical accss control systms. pivclass accomplishs this in part by communicating with an agncy s PACS and xtrnal trust authority PKIs to dlivr functionality spcifid by National Institut of Standards and Tchnology (NIST) Fdral Information Procssing Standards Publication 201 (FIPS 201). An Intgratd Solution from a Singl Providr Dlivring fully tstd and validatd turnky govrnmnt solutions from a singl, trustd sourc, pivclass authnticats PIV crdntials across th full rang of assuranc lvls as dfind by th fdral govrnmnt s Spcial Publication (SP ). pivclass products also support th Transportation Workr Idntification Crdntial (TWIC) Radr Spcification. Th pivclass portfolio includs pivclass Rgistration Engin, pivclass Crtificat Managr, pivclass Radr Srvics, pivclass Authntication Modul (PAM) and a complt lin of pivclass radrs, nabling agncis to quickly and asily acquir all of th ncssary componnts for thir PIV-nabld accss control systms.

3 Achiving Complianc Mad Simpl How it Works Working togthr to dlivr strong authntication at th door and during th initial cardholdr rgistration, th pivclass solution nsurs th card is th originally rgistrd card and th cardholdr is th prson h/sh claims to b. It also vrifis th card has not bn forgd, altrd, clond, lost, stoln, shard, rvokd or xpird. pivclass accomplishs this by prforming th following functions: Automatically rgistrs cards into th PACS databas with no manual data ntry. Excuts full path discovry and crtificat rvocation chcking using CRL, OCSP or SCVP. Priodically rtrivs card rvocation status from issuing crtificat authoritis. Cachs validation data and offrs dgradd mod sttings to allow continud validation whn accss to card issur validation data (.g., CRL) is unavailabl. Validats cardholdr crdntials both during a card s rgistration into local accss control softwar and at th door. Validats visiting cardholdr crdntials from othr agncis (i.., provids crtificat path discovry and validation ssntial for introprability across govrnmnt agncis and any othr ntitis cross-crtifid with th Fdral Bridg). Provids cntralizd configuration and managmnt of pivclass products via a graphical usr intrfac. Allows configuration of trustd card issurs, authntication mods, Wigand output format and mor. Provids cntralizd distribution of firmwar updats to pivclass Authntication Moduls. Collcts dtaild log activity for display and xport. PIV-Enablmnt for Existing PACS Th pivclass modular approach allows agncis to dploy diffrnt pivclass componnts ovr tim as thir budgt allows and as thy work toward achiving complianc. Th pivclass off-th-shlf softwar is intgratd with mor than 30 physical accss control systms and dos not rquir any softwar dvlopmnt.

4 pivclass Radrs Mt Any Authntication Mod and Any Assuranc Lvl Controlld Aras Limitd Aras Exclusion Aras pivclass Radrs Th pivclass Govrnmnt Solution suit includs a broad slction of radrs for agncis to mt any scurity lvl and th NIST SP guidlins. pivclass radrs work with th pivclass Authntication Modul to mt rquirmnts for: Any assuranc lvl: controlld, limitd or xclusion. Any authntication mod: CHUID, CAK, PIV + PIN, or PIV + PIN + BIO; also, FASC-N rads for non-sp uncontrolld aras, and th additional TWIC authntication mods, CHUID + BIO and CAK + BIO. Narly any card typ, contact or contactlss, including PIV, PIV-I, CIV (a.k.a., PIV-C), TWIC, FRAC and CAC. Additionally, pivclass radrs provid fully functional backward compatibility with xisting iclass and HID Prox radrs, asing th transition from lgacy cards to PKI-basd crdntials. Th radrs also support bidirctional communication to th PAM. Assuranc Lvls and Authntication Mods Most Fdral facilitis hav likly compltd a risk assssmnt that dsignatd ach door and portal as rquiring an uncontrolld, controlld, limitd or xclusion assuranc lvl. NIST SP spcifis which authntication mods ar rquird for which assuranc lvls. For instanc, a door lading to a high scurity ara will rquir a mor advancd radr (in ordr to prform additional idntity chcks, such as biomtric fingrprint match) than a lowr scurity door. Figur 1 illustrats th diffrnt scurity lvls and th attack vctors addrssd by th pivclass solution. Mt Any Assuranc Lvl Scurs against cards that ar... Scurity Ara (pr NIST SP & Risk Assssmnt) Authntication Factors Authntication Mods Rvokd Countrfit or Altrd Copid or Clond Lost or Stoln Uncontrolld Non FASC-N Controlld 1 CHUID + VIS Controlld 1 CAK Limitd 2 PIV + PIN Exclusion 3 PIV + PIN + BIO Shard BIO: Biomtric; CAK: Card Authntication Ky; CHUID: Cardholdr Uniqu Idntifir; FASC-N: Fdral Agncy Smart Crdntial Numbr; PIN: Prsonal Idntification Numbr; PIV: Prsonal Idntity Vrification (PIV) Authntication Ky; VIS: Visual Figur 1

5 pivclass Authntication Modul Dos th Havy Lifting for PIV Validation pivclass Authntication Modul Th pivclass Authntication Modul (PAM) is an mbddd computr packagd in a small form factor with pr-installd, updatabl firmwar. Th PAM is installd btwn a supporting radr (such as a pivclass radr) and th xisting accss control panl, and provids configurabl Wigand output to th controllr. This nabls th systm to b upgradd to support PIV cards for accss control; th accss control panls do not hav to b rplacd or vn rconfigurd, and th hadnd accss control softwar dos not nd to b nhancd with nw faturs. Similarly, much of your xisting wiring may b rusabl. Radrs pass card information to th PAM, which prforms th rquird authntication to validat (or invalidat) th cardholdr crdntial. If validatd, th badg ID is thn passd to th xisting accss control panl for th accss authorization dcision. Sinc th PAM rgularly rcivs and cachs cardholdr crdntial status from th pivclass Crtificat Managr, th rsult is narly raltim PKI-basd high scurity at th door. In its rol, th PAM dos th havy lifting of cryptographic oprations for PIV cardholdr crdntial authntication ach tim a card is prsntd to a radr. Each PAM can procss up to two radrs at on or two doors. Incrasd Ovrall Systm Scurity Th pivclass solution is architctd for th scurity-conscious yt cost-snsitiv scurity administrator. Th pivclass Authntication Modul typically sits insid th scur primtr, whr it not th radr prforms th critical cryptographic functions. This architctur locats th PKI oprations within th scur primtr rathr than in an xpnsiv, PKI-capabl radr placd on th inscur/attack sid of th door.

6 pivclass Softwar Communicats with Trust Authoritis pivclass Softwar Componnts: pivclass Rgistration Engin: rads, validats, authnticats and automatically rgistrs valid crdntials into PACS databas without any manual data ntry. pivclass Crtificat Managr: priodically rvalidats th status of digital crtificats and updats th PACS with any chang in status; can automatically suspnd any card associatd with a rvokd crtificat; can snd an mail to a distribution list for notification. pivclass Radr Srvics: configurs and manags pivclass radrs via th PAM. pivclass Rgistration Engin and pivclass Crtificat Managr Th pivclass Rgistration Engin is a softwar modul that rads, validats, authnticats and rgistrs crdntials with a PACS automatically without manual data ntry. Th softwar validats multipl card typs, including PIV, PIV-I, CIV (PIV-C), CAC NG, CAC EP, TWIC and FRAC. Th pivclass Crtificat Managr is a softwar modul that, aftr crdntial rgistration, rgularly communicats with xtrnal trust authoritis to chck th status of cachd crtificats. Upon dtrmining a status chang, th softwar can suspnd any card associatd with a rvokd crtificat and/or snd an mail to a distribution list for notification. pivclass Crtificat Managr also snds that information via Ethrnt (AES256 ncryption optional) to th pivclass Authntication Moduls (PAMs) for nforcmnt. pivclass Radr Srvics snds mod updats, TWIC Privacy Kys (TPKs), and othr information to PAMs and supports multipl authntication mods including FASC-N, CHUID, CAK, PIV + PIN, CHUID + BIO, CAK + BIO, and PIV + PIN + BIO. Typically, an agncy will install th pivclass Rgistration Engin on ach workstation whr crdntial rgistration is to occur. pivclass Crtificat Managr softwar is rquird for ongoing rvalidation of crtificats aftr rgistration and is usually placd on th PACS srvr, although altrnativ configurations can b implmntd to mt spcific nds. Th communication flow btwn pivclass lmnts and othr parts of th architctur is dtaild in Figur 2. Gnuin HID With Gnuin HID, th U.S. Fdral Govrnmnt, govrnmnt contractors and othr facilitis bnfit from th broadst product lin of trustd, fully introprabl scur idntity solutions in th markt. Gnuin HID solutions ar dsignd and built in IS crtifid facilitis; includ worldwid agncy crtifications; and ar backd by global product warrantis. Supportd by industrylading xprtis and th strongst dlivry and rspons platform availabl, Gnuin HID solutions rinforc th long-standing trust that whn customrs purchas from HID Global, thy ar invsting with absolut confidnc. G s E c u r N U i d I t n N t i E y pivclass Systm Diagram PACS Controllr/Panl Existing Physical Accss Control Systm (PACS) PACS Softwar Existing Scurity Mgmt Systm Had-nd Validation Authoritis Fdral Bridg, CRL, OCSP, SCVP, TWIC Canclld Card List pivclass Authntication Modul pivclass Rgistration Engin & pivclass Crtificat Managr Authntication Modul & Radr Functions Signatur chcks Privat ky challng Conformity & frshnss chcks PIN & BIO chcks Rgistration Engin & Crtificat Managr Functions Crdntial Rgistration Path discovry and validation Rvocation chcking Figur 2

7 hidglobal.com

8 G E N U I N E s c u r i d t n t i y An ASSA ABLOY Group brand North Amrica: Toll Fr: Europ, Middl East, Africa: Asia Pacific: Latin Amrica: HID Global Corporation/ASSA ABLOY AB. All rights rsrvd. HID, HID Global, th HID Blu Brick logo, th Chain Dsign, Gnuin HID, iclass, pivclass and pivclass Authntication Modul ar tradmarks or rgistrd tradmarks of HID Global or its licnsor(s)/supplir(s) in th US and othr countris and may not b usd without prmission. All othr tradmarks, srvic marks, and product or srvic nams ar tradmarks or rgistrd tradmarks of thir rspctiv ownrs pivclass-solutions-br-n hidglobal.com