[ISN] ITL Bulletin for March 2005

From: InfoSec News (isn@private)
Date: Fri Mar 25 2005 - 01:34:03 PST

Forwarded from: Elizabeth Lennon <elizabeth.lennon@private>



Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

A new Federal Information Processing Standard (FIPS) for a
governmentwide personal identity verification (PIV) system was
approved by Carlos M. Gutierrez, the U.S. Secretary of Commerce, on
February 25, 2005. The system is based on the use of smart cards,
which will be issued by all federal government departments and
agencies to their employees and contractors who require access to
federal facilities and information systems.

Homeland Security Presidential Directive (HSPD) 12, issued by
President Bush on August 27, 2004, cited the wide variations in the
quality and security of the forms of identification used to gain
access to federal and other facilities, and called for the development
of a mandatory standard for secure and reliable forms of
identification to be used throughout the federal government. The
directive stated the government's requirements for a common
governmentwide identification system that would enhance security,
increase government efficiency, reduce identity fraud, and protect
personal privacy. The Information Technology Laboratory of the
National Institute of Standards and Technology (NIST) developed the
standard, working in conjunction with private industry and with other
federal agencies, including the Office of Management and Budget (OMB),
the Office of Science and Technology Policy, and the Departments of
Defense, State, Justice, and Homeland Security.

How the Standard Was Developed

HSPD 12 stated that the secure and reliable forms of identification
should be:

* Based on sound criteria for verifying an individual's 
* Strongly resistant to identity fraud, tampering, 
  counterfeiting, and terrorist exploitation;
* Rapidly authenticated electronically; and
* Issued only by providers whose reliability has been 
  established by an official accreditation process.

NIST, the Department of Commerce (DoC), and the Office of Management
and Budget (OMB) held public meetings in October and November 2004 to
discuss the technical and policy issues related to developing the
needed standard. NIST drafted the FIPS and announced it in the Federal
Register for public review and comment in November. NIST also issued
drafts of two supporting technical documents in December.  Another
public meeting was held in January 2005 to address privacy and
security issues that might affect individuals to whom PIV cards are
issued. The comments received in the open forums and from more than 80
organizations and individuals during the formal review process were
carefully considered and helped to shape the final standard. In
addition, the Federal Identity Credentialing Committee and the Smart
Card Interagency Advisory Board made many valuable contributions to
the technical framework of the standard.

The standard does not apply to identification systems for national
security systems and facilities.

Technical and Operational Requirements

FIPS 201 specifies the technical and operational requirements for
interoperable PIV systems that issue smart cards as identification
credentials and that use the cards to authenticate an individual's
identity. Authentication of an individual's identity is an essential
component of secure access control to facilities and to information
systems. In the past, hand-held credentials such as driver's licenses
and badges have been used to control access to facilities, and
passwords have been widely employed for access to information systems.
More recently, cryptographic and biometric technologies have been
employed to replace the older methods.

FIPS 201 has been issued in two parts to allow for a smooth migration
to a secure, reliable personal identification process. The first part
of FIPS 201 (PIV I) describes the minimum requirements needed to meet
the control and security objectives of HSPD 12, including the process
to prove an individual's identity. Agencies may issue credentials only
to applicants whose identity has been established and who have had a
background investigation.  Agencies must inspect at least two identity
source documents submitted by an applicant for the PIV credential. At
least one of the documents presented by the applicant must be a valid
state- or federal government-issued picture identification (ID).
Applicants for credentials must be examined through an Office of
Personnel Management (OPM) background investigation process, the
National Agency Check with Written Inquiries (NACI), to establish
assurance of identity. While the National Agency Check has been a
requirement for federal government employees since the 1950s, it may
be a new requirement for some contractors. The initial phase of the
NACI must be completed before the new ID card is issued.  When the
written inquiries part of the NACI is completed, the agency reviews
the results and takes appropriate action if negative results are
received.  These are current practices for most agencies.

The PIV Card

HSPD 12 stated that the standard should include graduated criteria,
from least secure to most secure, to give agencies flexibility in
selecting the appropriate level of security for each application.
Agencies will continue to have full flexibility in determining who is
allowed to have access to their systems and facilities.

The PIV card is the primary component of the system. The size of a
credit card, the PIV card will use cryptographic and biometric
technologies to support the required graduated levels of security for
agency applications. Cards will contain a Personal Identification
Number (PIN); this is the data used to authenticate the cardholder to
the card, as a PIN is used with an ATM card. The PIN never leaves the
card, and it cannot be read from the card. The card will also have a
Cardholder Unique Identifier (CHUID), which identifies the individual
within the PIV system.  There will also be two electronic
fingerprints, which will be securely stored and protected on
integrated circuit chips. Public Key Infrastructure (PKI)-based
cryptography will be used to protect the integrity of information that
will be stored on the card.

No other personal information, such as Social Security number,
address, or telephone number, is required by FIPS 201 to be stored on
the card. The release of biometric information required to be stored
on the card by FIPS 201 and use of the private key takes place only
after the cardholder provides the correct PIN. Only the CHUID will be
available through a wireless interface.

Fingerprints were chosen as the biometric information to be stored on
the cards because fingerprints are the least invasive and most
cost-effective, reliable, repeatable, and accurate means of
verification available using public available technology. Two
fingerprints will be stored on the cards. An electronic facial image
is not required, but may be used. A printed photograph of the
cardholder is required to be printed on the card for visual inspection
and verification. Also the cardholder's name and the expiration date
of the card will be printed on the card.  Agencies may include other
optional information such as their agency seals and the issue date of
the card if they wish to do so.

PIV II Requirements

The second part (PIV II) of FIPS 201 explains the many 
components and processes that will support a 
smart-card-based platform, including the PIV card and card 
and biometric readers. The specifications for PIV 
components support interoperability between components in 
systems and among the different department and agency 
systems. An operational system contains three subsystems:

* PIV Front-End Subsystem - PIV card, card and biometric
  readers, and personal identification (PIN) input device.

* PIV Card Issuance and Management Subsystem - components
  responsible for identity proofing and registration, card
  and key issuance and management, and repositories and
  services such as the public key infrastructure (PKI directory).

* Access Control Subsystem - physical and logical access
  control systems, the protected resources, and the
  authorization data.

PIV II also describes a means to collect, store, and maintain
information and documentation needed to authenticate and assure an
individual's identity.

Schedule for Implementation of FIPS 201

By June 27, 2005, agencies must establish a program to ensure that the
identification forms issued by their organizations meets the PIV
standard. By August 27, 2005, they are required to identify any
additional applications, beyond the scope of the standard, for which
the standard should be used, and report them to the Assistant to the
President for Homeland Security and to OMB. By October 27, 2005,
agencies must have procedures in place for verifying employees'
identities and for issuing smart cards that meet the requirements of
PIV I. To operate and maintain PIV systems, agencies will have to
obtain the services of an accredited PIV card issuer, and adopt
procedures for PIV card applicants to provide acceptable identity
source documents. Agencies also will need to acquire services for
capturing biometric information, as well as PIV card readers and PKI

With the October 27th implementation of PIV I by all federal agencies,
there will be a basis for trust among agencies and for the mutual
recognition of their employee and contractor credentials. PIV II,
which will take longer to implement because of the many electronic
credential systems now in place, focuses on the common technical
interoperability requirements of HSPD 12. When this part is
implemented, a card from one agency will be electronically recognized
by any other agency so that a decision about granting access to the
cardholder can be made.

NIST Supporting Activities

NIST is developing three key companion documents that will support the
implementation of FIPS 201 by vendors and users. The first
publication, Interfaces for Personal Identity Verification, to be
issued as NIST Special Publication 800-73, will specify interface
requirements for retrieving and using data from the PIV card. SP
800-73 provides the PIV data elements, identifiers, structure, and
format, and describes the Application Programming Interface (API) and
the card interface requirements that will enable PIV identity
credentials to be used interchangeably throughout federal agencies. SP
800-73 includes two specifications to help agencies make the
transition to conformance with FIPS 201: a transitional card
specification that is derived from the Government Smart Card
Interoperability Specification and that agencies already invested in
smart card implementations might want to consider using; and a FIPS
201 PIV II card specification for agencies choosing to move directly
to the PIV II target architecture.

The second publication, Biometric Data Specification for Personal
Identity Verification, by Charles Wilson, Patrick Grother, and
Ramaswamy Chandramouli, will be issued as NIST Special Publication
800-76 and will specify technical acquisition and formatting
requirements for the biometric credentials of the PIV system. Designed
to ease agency implementation of FIPS 201 by facilitating
interoperability and ensuring performance of PIV systems, the
specification selects options from published biometric standards. It
includes specifications for the fingerprints used in the PIV systems,
facial image optional specifications, the format for all PIV biometric
data representation, and the requirements for biometric devices.

The third publication, Cryptographic Algorithms and Key Sizes, will be
issued as NIST Special Publication 800-78 and will specify
cryptographic algorithms and key sizes that will be authorized for use
in PIV systems in current and future time frames.

Draft versions of NIST Special Publications 800-73 and 800-76 have
been made available for public review and comment. See the "For More
Information" section below for details about accessing these two draft

Insofar as its resources permit, NIST also plans to investigate other
technical issues that will help support the use of the standard. Some
of these requirements include: reference implementations and
conformance tests to enable testing of implementations for conformance
with the standard; measures to protect privacy of users of PIV
systems; ways to authenticate identity source documents;  and methods
to incorporate data needed by different agencies while assuring
appropriate levels of security and providing for interoperability
among federal PIV systems.

Other Federal Agency Support Activities

OMB is responsible for overseeing agency implementation of HSPD 12 and
will develop implementation guidance for federal agencies, including
privacy and implementation guidelines to federal agencies. OMB will
determine the timeline for agencies to comply with the second part of
the standard.

The General Services Administration (GSA) is responsible for assisting
agencies in procuring and operating PIV subsystems such as card and
biometric readers. OPM is responsible for assisting agencies in
authenticating and vetting applicants for the PIV card.

Protecting Privacy

Privacy is an issue of special concern and a basic obligation
established by the presidential directive. The standard requires
federal department and agencies to ensure the privacy of applicants
for identity credentials. Some of the requirements include:

* Assigning an individual to the role of senior agency
  official for privacy;

* Conducting a comprehensive Privacy Impact Assessment
  (PIA) on systems containing personal information in
  identifiable form for the purpose of implementing PIV;

* Writing, publishing, and maintaining a clear and
  comprehensive document listing the types of information
  that will be collected about individuals, the purpose of
  collection, what information may be disclosed to whom
  during the life of the credential, how the information will
  be protected, and the complete set of uses of the
  credential and related information at the department or agency;

* Assuring that systems containing personal information
  adhere to fair information practices;

* Maintaining appeals procedures for those who are denied a
  credential or whose credentials are revoked;

* Auditing compliance of PIV systems with stated privacy
  policies and practices governing the collection, use, and
  distribution of information; and

* Limiting access for information in PIV systems to those
  persons with a legitimate need for the information.

FIPS 201 does not require that the federal government establish a
central database to track movement of employees and contractors or the
systems that they access. Personally identifiable information stored
on the card is minimal, and the information stored on the PIV card,
such as electronic fingerprints, will be protected since the
cardholder must enter a PIN to release the information.

The technology on the card does not allow for tracking movement of
contractors and employees while moving throughout a building. Because
the information on the PIV card may be read by a wireless device,
there has been some concern that data can be inadvertently or
maliciously captured. To alleviate this concern, employees will be
required to keep the card in an electronically opaque sleeve when not
in use to minimize the risk of unauthorized reading of data from the
card without the consent of the cardholder.

For More Information

FIPS 201 is available on the NIST website

Draft NIST Special Publications 800-73 and 800-76 are available on the
NIST website http://csrc.nist.gov/publications/nistpubs/index.html.

The NIST website 
http://csrc.nist.gov/piv-project/index.html provides links to other
information about the PIV project, including workshops held in 2004
and 2005, and HSPD 12. Also available on the web pages are answers to
frequently asked questions about the PIV standard and contact
information.  The comments received by NIST concerning the draft FIPS
201 are also available.

Any mention of commercial products or reference to commercial
organizations is for information only; it does not imply
recommendation or endorsement by NIST nor does it imply that the
products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357

Bellua Cyber Security Asia 2005 -

This archive was generated by hypermail 2.1.3 : Fri Mar 25 2005 - 02:52:08 PST