Smart Cards and Biometrics in Physical Access Control Systems
Robert J. Merkert, Sr. Vice President of Sales, Americas
Biometric Consortium 2005 Conference, September 21, 2005
All Company and/or product names are trademarks and/or registered trademarks of their respective owners.
HSPD-12/FIPS 201/SP 800-73/SP 800-76 -1-
Homeland Security Presidential Directive 12 (HSPD-12), issued on August 27, 2004, requires that the Federal credential, the Personal Identity Verification (PIV) card, be secure and reliable. This is defined as a credential that:
- is issued based on sound criteria for verifying an individual's identity
- is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation
- can be rapidly authenticated electronically, and
- is issued only by providers whose reliability has been established by an official accreditation process
9/28/2005 Copyright SCM Microsystems Inc. 2
HSPD-12/FIPS 201/SP 800-73/SP 800-76 -2-
The Department of Commerce and the National Institute of Standards and Technology (NIST) were tasked with producing a standard for secure and reliable forms of identification. In response, NIST published Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors (February 25, 2005).
The FIPS 201 PIV Card is to be used for both physical and logical access, as well as agency-specific applications.
FIPS 201 PIV Part II specifies standards for implementing identity credentials on integrated circuit cards (smart cards) for use in a Federal PIV system.
HSPD-12/FIPS 201/SP 800-73/SP 800-76 -3-
FIPS 201 requires that the PIV be a smart card.
- The card must contain both contact and contactless interfaces, which may be provided by two separate integrated circuit chips or by one dual-interface ICC.
- The contact interface must conform to the ISO 7816 specification.
- The contactless interface must conform to the ISO 14443 specification.
- The card body is similar to a bank credit card and conforms to the ISO 7810 specification.
HSPD-12/FIPS 201/SP 800-73/SP 800-76 -4-
Draft NIST Special Publication 800-76 (SP 800-76), Biometric Specification for Personal Identity Verification, is referenced in FIPS 201 and currently states that, at a minimum, two compressed fingerprint images must be stored on the PIV smart card contact chip.
NIST SP 800-76 currently specifies the use of fingerprint images rather than templates because there is no current test data that proves the interoperability of standards-based fingerprint templates. NIST expects test results in February 2006.
This brings up three very important issues in the physical access control area:
- the time to read and process the image, with the resultant wait time for access
- the size of the integrated circuit chip being used (64K or 128K)
- the reader type required at access points
HSPD-12/FIPS 201/SP 800-73/SP 800-76 -5-
Another issue that arises is the choice by a specific agency to place biometric templates on the contactless portion of the smart card. This would be an agency-specific implementation that is permitted within the FIPS 201 guidelines. However, it could result in the implementation of a system that is not interoperable with another agency's; the system would be agency-specific.
Yet another issue to be considered is how the biometric matching is to be done:
- Match on Card (MOC)
- Match on Reader
- Match on Server
PACS 2.2 (2.3) Guidance
The Government Smart Card Interagency Advisory Board (GSC-IAB) and the Physical Access Interagency Interoperability Working Group (PAIIWG) saw that the procurement of Physical Access Control Systems (PACS) and components required a standardized approach, to ensure that government agencies deploy equipment that meets their specific needs and, at the same time, facilitates cross-agency interoperability.
The PACS 2.2 guidance specifies that on a Federal Agency Smart Credential (FASC) a standardized numbering scheme, the Federal Agency Smart Credential Number (FASC-N), be used as the individual identifier. The FASC-N is part of the Cardholder Unique Identification file (CHUID). The FASC-N is the primary identification string to be used on all government-issued credentials.
Reference: Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems, Version 2.2, July 30, 2004.
CHUID EF and FASC-N
CHUID (EF 0x3000) contains:
- FASC-N (Tag 0x30), as BCD digits:
    Agency Code                      4
    System Code                      4
    Credential Number                6
    Credential Series                1
    Individual Credential Issue      1
    Person Identifier               10
    Organization Category            1
    Organizational Identifier        4
    Person/Organization Association  1
- GUID (Tag 0x34)
- Expiration Date (Tag 0x35)
- Authentication Key Map (Tag 0x3D)
- Issuer Asymmetric Signature
CUID: Card Unique Identifier
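As an added example (not from the presentation), the following Python splits a FASC-N into the fields and digit counts listed on this slide and extracts it from a CHUID record. It assumes the FASC-N is handled as its 32 decoded decimal digits (BCD packing, parity bits and sentinels are not modelled) and that the CHUID is a simplified tag/length/value structure with one-byte tag and length, using the tags shown on the slide; the sample values are constructed.

```python
# Added example (not from the presentation): split a decoded FASC-N into the
# fields listed on this slide and pull it out of a CHUID record. Assumed: the
# FASC-N is handled as 32 decimal digits (BCD packing, parity and sentinels are
# not modelled) and the CHUID is a simplified TLV (one-byte tag, one-byte length).

FASC_N_FIELDS = (  # (field name, number of BCD digits) in slide order
    ("agency_code", 4),
    ("system_code", 4),
    ("credential_number", 6),
    ("credential_series", 1),
    ("individual_credential_issue", 1),
    ("person_identifier", 10),
    ("organizational_category", 1),
    ("organizational_identifier", 4),
    ("person_org_association", 1),
)
FASC_N_DIGITS = sum(width for _, width in FASC_N_FIELDS)  # 32
TAG_FASC_N, TAG_EXPIRY = 0x30, 0x35  # CHUID element tags from the slide

def parse_fasc_n(digits: str) -> dict:
    """Split a 32-digit FASC-N string into named fields; reject anything else."""
    if len(digits) != FASC_N_DIGITS or not digits.isdigit():
        raise ValueError(f"FASC-N must be exactly {FASC_N_DIGITS} decimal digits")
    fields, pos = {}, 0
    for name, width in FASC_N_FIELDS:
        fields[name] = digits[pos:pos + width]
        pos += width
    return fields

def parse_chuid_tlv(data: bytes) -> dict:
    """Walk simplified tag/length/value elements; refuse truncated or trailing bytes."""
    elements, i = {}, 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"tag 0x{tag:02X}: value truncated")
        elements[tag] = value
        i += 2 + length
    if i != len(data):
        raise ValueError("trailing bytes after last TLV element")
    return elements

def fasc_n_from_chuid(chuid: bytes) -> dict:
    """Decode the FASC-N element (tag 0x30) of a CHUID; KeyError if it is absent."""
    return parse_fasc_n(parse_chuid_tlv(chuid)[TAG_FASC_N].decode("ascii"))

# Constructed sample CHUID: a made-up FASC-N (tag 0x30) plus an expiration date (0x35).
SAMPLE_FASC_N = "00320001123456111234567890100011"
SAMPLE_CHUID = bytes([TAG_FASC_N, 32]) + SAMPLE_FASC_N.encode() + bytes([TAG_EXPIRY, 8]) + b"20081231"
```

A PACS that keys its access database on the FASC-N should apply the same strict length and digit checks before trusting any field, since a malformed record is a failed read, not a partial identity.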
Smart Cards
- Embedded computer chip that is either a microprocessor with internal memory or a memory chip alone
- Contact or contactless designs
- Highly secure: on-card security functions, intelligent interactions with the reader
- Used worldwide in financial, telecommunications, transit, healthcare, secure identification and other applications
Images courtesy of Gemplus
Available Combined Technologies
Different technologies can be combined:
- 125 kHz proximity
- 13.56 MHz smart cards (ISO 14443A & 14443B, ISO 15693)
- Contact smart cards
- Magnetic stripe
- Bar code
- Photo printing
- Holograms
- Special inks
Applicable card standards: ISO/IEC 7810, 7811, 7816. Diagram courtesy of HID Corporation.
HSPD-12/FIPS 201/SP 800-73 specifies ISO 14443 for the contactless interface.
Biometrics: Added Value
Individual-unique biometric information:
- Fingerprints
- Hand geometry
- Retinal or iris patterns
- Facial patterns
- Voice prints
Image courtesy of Gemplus
Biometrics used with card technologies: biometric information is stored on the ID card and verified against the actual biometric at the point of interaction.
Currently FIPS 201/SP 800-76 specifies full-image fingerprints for the card biometric.
Typical Three-Factor Card Reader
- LCD display
- Contact smart card reader
- Fingerprint sensor
- Pinpad
- Status LEDs indicating security level
- Acoustic alarm
- Contactless reader
Security Levels (from high to low) and corresponding solutions
- High: Something you have + Something you know + Something you are
- Something you have + Something you know (card + PIN/password)
- Low: Something you know (PIN, password)
Access Control System Overview
- Card
- Reader
- Control panel
- Door/gate lock
- Access control server, software and database
Simplified Physical Access System
[Diagram; labels only: Access Control Servers, Badging, Guard Workstation, LAN/WAN, TCP/IP, MODEM, RS-485, LAN/IF, Wiegand, Control Panels (1 to 32 readers), Access Control Readers and Controlled Doors]
Simplified Access Control Path
[Diagram; labels only: Smart Card, Card Reader, Control Panel, Access Control Server; Unsecured Area / Secure Area; Controlled Door; Secure Channel Path; PACS 2.2 (2.3) Card to Reader Specification; No Security Interface Specification]
Concluding remarks
- Smart cards and biometrics will play a significant role in the Personal Identity Verification systems of the future.
- There are issues to be resolved in the definition of these systems, but they are vigorously being worked on.
- Biometric implementations will not be limited to physical access; there will be applications of biometrics in logical access systems.
- Biometrics and smart cards will be a strong partnership for years to come.
Bob Merkert
Vice President Sales, Americas
rmerkert@scmmicro.com
856-784-7177