Beyond the Flash
Fewer than 1 percent.
That’s how many feds and government contractors have new HSPD-12 personal identity verification (PIV) cards, estimates Michael Butler. Even so, the government is looking ahead to the cards’ secure wireless use, says Butler, chief of HSPD-12 managed services for the General Services Administration.
The program’s planners tried to anticipate future uses and related security exposures in Federal Information Processing Standard 201. The 2005 FIPS specifies both contact and contactless interfaces for a smart card that can store a photo, agency logo, biometric fingerprints, digital certificates, expiration date, personal identification number, cardholder unique identifier (CHUID) and other individual data.
The HSPD-12 cards promise to streamline federal workers’ physical and logical access to government facilities. But what about signing on through a virtual private network while traveling or teleworking, or when using handheld and portable computers and devices? It is just such uses that Butler and others expect will lead to the cards’ expansion throughout government. Establishing remote access via VPN, testing and validation of products for wireless use and securing the cards themselves against attacks are all steps toward this end-to-end secure future.
Tunnel Vision
VPNs employ security protocols such as Internet Protocol Security, Secure Sockets Layer and others for safe remote access, encapsulating the IP data packets to “tunnel” back and forth through the network services stack and bypass ordinary routing. Some vendors for years have tailored VPNs at fixed, dedicated sites for agencies and their contractors.
Present VPN users log on with smart cards, key-ring tokens or other two-factor ID schemes and special client software. Depending on the protocols in use, HSPD-12 cards might be able to serve the same purpose, which is to negotiate for appropriate rights within internal agency networks. Rights can be restricted according to the location where a user signs on.
Network vendors caution, however, that revoking such user rights takes time, especially in a geographically separated enterprise involving public- and private-sector employees. Urgent requests to suspend or terminate one individual’s rights might have to work their way up through the hierarchy and temporarily block VPN access to whole groups of workers.
“VPN client software normally can accept authentication certificates and private keys” such as those stored on the HSPD-12 card, says Baber Amin, senior product manager for Novell’s Security and Identity Management Group. “When you enter your personal identification number, the client software recognizes your certificate,” provided the software can interface with standard smart-card services under leading operating systems, such as the PC/SC Workgroup specifications for integrating smart-card services with Microsoft Windows. There are also client schemes for smart-card use with Mac OS X, Linux and Unix OSes.
To ease the multiple types of transactions resulting from such distributed use of the HSPD-12 card, GSA is setting up a Personal Identity Verification ID Management System (PIV IDMS) to store and manage the HSPD-12 records of federal cardholders and contractors.
Helping the Cause
GSA also has been testing hundreds of HSPD-12 products, including handheld devices, “to be sure they can access and retrieve data for whatever use,” says David Temoshok, the agency’s director of ID policy and management.
The number of HSPD-12 cards that GSA expects will be in circulation by November.
“We’re beginning to approve wireless devices with smart-card readers.” The GSA Advantage.gov purchasing site already lists more than 130 tested HSPD-12 products, ranging from $2 connectors to $175,000 services packages.
Most recently, the National Institute of Standards and Technology further tweaked the card’s visual topology in Special Publication 800-104, which specifies white color-coding for federal employee cards, green for contractors and blue for foreign nationals. The coloring will facilitate simple flash-pass entry without limiting future electronic validation.
“All civilian and military agencies are required to comply [with HSPD-12], except for the intelligence community,” Temoshok adds. “The agencies are gearing up to enroll their personnel, which means an encounter for every federal employee and every contractor,” in which the applicants provide their source documents and biometrics. “There are enrollment offices in many locations — the number of cards issued may not be substantial yet, but the activity is substantial,” he says.
The average HSPD-12 card cost to agencies is running just less than $100 apiece, counting operations, infrastructure, overhead and related systems, says Steve Kempf, acting deputy assistant commissioner of GSA for integrated technical services. The Transportation Security Administration’s compliant Transportation Worker Identification Credential will cost its private-sector applicants a little more — about $137 each.
All Wrapped Up
Most HSPD-12 users will insert or swipe their cards to enter federal buildings and sign onto networks. But future wireless users will rely on the card’s contactless interface plus a powered metallic sleeve that’s electromagnetically shielded to guard stored data as well as user location from eavesdroppers. Even if the sleeve was absent, “the only data that would be transmitted is the CHUID, not the other data,” GSA’s Butler says.
“The credentialing can be consistent and auditable through middleware, independent of the hardware,” says Novell’s Amin.
Workers that TSA expects to enroll each day once its TWIC program is up and running.
Debate continues, however, about safe wireless transmission of biometric data. For example, fingerprint minutiae could be stored on a card’s magnetic strip rather than wirelessly broadcast from the chip, he says. “The best protection is to use some sort of hashing technique to differentiate the output on the contactless side of the card — not like the older proximity cards that transmit the same number all the time.”
Future chip-based passports will raise the same questions about security and vulnerability, he adds.
Coming to a Card Near You
Down the road, Amin sees possibilities for integrating the HSPD-12 card with video analytics and event correlation. “Every agency has visitors and meetings,” he says. “Instead of giving out paper badges, they could issue smart cards with digital photos taken at registration, and build in analytics to match the photos against watch databases, or to restrict admittance to certain areas.”
Another future advantage of the card’s multiple security protections, he says, could lie in consolidating government work sites and giving workers secure access to their own applications and security classifications, regardless of location.
“Once we have the more traditional uses of the card for physical and LAN access, there’s a wide range of potential future uses,” says GSA’s Temoshok. “We’ll have a standard, trusted card” that will be able to migrate other types of information to create a single,
highly secure credential.
