Senior Program Manager Access Control Solutions,
Sagem Morpho, Inc.
Match-on-Card (MOC) with secure messaging (SBMOC) has the potential to become part of the Federal Information Processing Standard 201 (FIPS201) and may prove useful for the maritime Transportation Worker Identity Credential (TWIC) program.
MOC is the process of sending a biometric template from a live capture device to the card. The card processor receives the biometric template and matches it to the reference biometric template stored on the card. Secure messaging is the process of encrypting the biometric template created by a biometric sensor and sending it to the card for decrypting. What makes this significant is the protection the secure messaging process provides to personal identity information (PII) as it is transmitted across a contactless interface using radio frequency technology.
Identity verification access control applications over the past ten years have steadily migrated from contact readers to contactless readers to read data from an identity credential card.
FIPS201 requires a PIN be entered before the biometric template may be accessed through the contact interface. It also prohibits reading and transmitting PII data across a contactless interface due to concern that data may be “sniffed” or stolen as it is passed along the RF interface.
This has created a disconnect between operational environments and the specifications of the FIPS201 standard. When the maritime community, implementing the TWIC card based on FIPS201, stated that contact readers and PIN entry were unsuitable for the harsh marine environment, the TWIC biometric reader specifications were modified to allow contactless readers. To address the security concern, specifications were developed to require that individual keys for encryption and decryption be written onto a magnetic strip and be accessible from the chip on the card through a contact interface.
A DHS sponsored demonstration of Match-on-Card technology caught the attention of both NIST FIPS201 and TWIC program management. What captured their interest was the execution of MOC as a separate application in concert with the Personal Identity Verification (PIV) application on a certified FIPS201 card.
This resulted in a NIST feasibility study of MOC technology with secure messaging in which two separate tests were conducted. One focused on performance accuracy and speed of match-on-card algorithms. The other focused on the speed of match-on-card algorithms when using encryption to protect the live biometric template sent to the card for matching (SBMOC).
Performance accuracy and speed testing has moved to a second Phase (MINEX II) and is in progress. The aim of the SBMOC feasibility test was to determine if electronic verification in less than 2.5 seconds was attainable while still meeting functionality, biometric accuracy and security requirements. NIST reported that 17 cards from four suppliers met the goal.
Match-on-card technology would replace PIN entry when authenticating the cardholder to the card. The successful performance of secure messaging with match-on-card may influence NIST to modify the FIPS201 standard to include the transmission of PII information across the contactless interface. This would eliminate the need for individual privacy keys to be written to the TWIC card.
Ms. Bangs can be reached at [email protected]
About the AVISIAN Publishing Expert Panel
At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the ID technology market to serve as Expert Panelists. Each individual is asked to share their unique insight into what lies ahead. During the month of December, these panelist’s predictions are published daily at the appropriate title within the AVISIAN suite of ID technology publications: SecureIDNews.com, ContactlessNews.com, CR80News.com, RFIDNews.org, FIPS201.com, NFCNews.com, ThirdFactor.com, and DigitalIDNews.com.
Research and evaluate FIPS 201 Approved Products and get the latest info on compliant credentialing systems at FIPS201.com. Click to visit FIPS201.com.