The latest smart card specification for U.S. government employees was released by the National Institute of Standards and Technology. Federal agencies will now have 12-months to issue cards that comply with the revised FIPS 201-2 standard.
The standard followed the path laid out in previous drafts, says Bob Dulude, director of Federal Identity Initiative at HID Global. “It’s pretty much what we expected,” he adds.
The industry seems positive about the path forward with the new spec. “FIPS 201-2 is a major improvement and update of FIPS 201-1, which was published in March, 2006, more than seven years ago,” says Steve Howard, vice president of credentials at CertiPath. “During this time, we have seen a tremendous uptake in the use of PIV technology, and with that uptake, a laundry list of desired changes had accumulated.”
More than two-years has passed since the first draft of FIPS 201-2 was released, so a lot of time and effort went into perfecting the draft, Howard explains.
One of the bigger accomplishments with the latest spec is that it didn’t wipe away existing systems, says Neville Pattinson, senior vice president of government affairs for Gemalto. “They didn’t break the legacy and didn’t strand the entire installed base. It could have been a nightmare of backward incompatibility,” he explains.
As expected, FIPS 201-2 will enable derived PIV credentials on mobile devices as well as a virtual contact interface that expands the functionality of the contactless portion of the card, says Hildegard Ferraiolo, a computer scientist in the Computer Security Division, Cryptographic Technology Group at NIST.
The derived credential specification will be detailed in a special publication due out soon, Ferraiolo says. At a high level the derived credential will enable an agency to place a type of PIV credential on a mobile device so the user can access enterprise applications, virtual private networks or other uses.
“As mobile and alternative devices become more prevalent, using them within the PIV identity ecosystem has been established as a top priority,” Howard says. “This is a welcome change, bringing the use of high-assurance PIV identity into the mobile device ecosystem. This paves the way for a new level of security in iPads, iPhones, Android phones and tablets, BlackBerry’s and new devices yet to be introduced.”
But the derived credential could also enable a more secure and faster physical access control system, says Dulude. OPACITY, a contactless interface standard, can be used with the derived credential and the virtual contact interface.
The virtual contact interface will play a role in the realm of mobile devices as well. This interface will enable some of the contact functionality of the credential on the contactless interface. A special publication detailing this portion is being circulated as a draft.
One possible use for this could be the tapping of a PIV onto a NFC mobile device to gain access to secure networks and services, Ferraiolo says. “It’s taking advantage of the NFC channel,” she explains. “The virtual contact interface will protect that channel if it’s used with the mobile device.”
FIPS 201-2 mandates that the cardholder’s facial image be placed on the smart card, Ferraiolo says. The facial image could then be used at guard checkpoints and for automatic comparison when reissuing credentials. Facial images were optional in the previous specification.
The spec also offers iris biometric and match-on-card fingerprints as additional authentication options. “Contactless biometric on-card-comparison is provided as a new means to activate the card, minimizing the need for the use of the PIN in some settings,” Howard says.
The new spec also enables post-issuance credential updates, Ferraiolo says. Agencies had run into problem because digital certificates on the device would expire before the card and post-issuance updates were not enabled.
FIPS 201-2 alleviates prior reliance on the Cardholder Unique Identifier and puts the focus on the Universal Unique Identifier, which will bring PIV and PIV-I closer together.
“PIV now provides a mandatory Universally Unique Identifier for each credential issued,” Howard explains. “PIV issuers are now required to issue Asymmetric Card Authentication Keys. Both of these changes align PIV with PIV-I, easing the engineering costs of relying parties supporting both credential types and significantly increasing interoperability between federally and non-federally issued credentials.”
Revised ‘chain of trust’
The new spec enables federal employees to transfer agencies without requiring that a completely new background check be performed.
“This is achieved using the new concept of the ‘chain of trust’ in identity management,” says Howard. “The chain of trust is essential to ensure proper linkage of the individual to the source of authority for the identity record and thus to the credential and the background investigation. Using biometrics, agencies can now swap identity records safely and securely as individual move within the federal enterprise. This represents significant cost savings and security improvement by avoiding re-vetting of individuals by multiple agencies during the individual’s service to the federal government.”
Usability issues confound NFC and derived credentials
Part of the reason it took two years for FIPS 201-2 to be released was that issues had to be worked out to allow use of a PIV with a mobile device. The early draft of the spec didn’t enable this functionality and was criticized by federal agencies and industry.
The ratified version released in September 2013 rectified this issue by enabling derived credentials, using the PIV to spawn credentials on to mobile devices. Exactly how the derived credentials will be placed on the mobile devices has yet to be detailed, and there will likely be more than one way.
One option is to use a mobile device manager and trusted service manager to place the derived credential on the handset’s secure element, be it the SIM or another embedded hardware module.
Another option – with Android handsets embracing NFC and the virtual contact interface enabling a more secure contactless channel – is using the short-range communication protocol to place the derived credential on the handset.
But that might not be the best way, says Neville Pattinson, senior vice president of government affairs at Gemalto. “It’s a little impractical,” he explains. “Holding the card with the phone is a little awkward and I’m not sure people will enjoy that for decrypting and signing emails.”
A potentially larger issue is that most NFC handsets are acting as card emulators and not card readers with that functionality turned off, Pattinson says. Then there are battery issues that arise when using handsets as readers. Only a couple of Samsung handsets have addressed this using a special battery capable of handling the extra NFC power demand.