Security Technology Executive

SEP-OCT 2015

Issue link: https://securitytechnologyexecutive.epubxp.com/i/571504

Contents of this Issue

Navigation

Page 19 of 99

20 SECURITY TECHNOLOGY EXECUTIVE • September/October 2015 www.SecurityInfoWatch.com federal agencies require a drastically longer cre- dential identifier to eliminate the risk of dupli- cation, or identifier collision. To mitigate this potential vulnerability, PIV uses a 14-digit iden- tifier, a 48-bit subset of the full Federal Agency Smart Credential Number (FASC-N). Organized using a central registry approach, the FASC-N is controlled by NIST and the CIO of the issuing agency. T h e F A S C - N i d e n t i f i e r c o n - sists of three data o b j e c t s : a f o u r digit Agency Code d e t e r m i n e d b y NIST; a four digit System Code; and a six digit Creden- tial Number. The issuing agency is r e s p o n s i b l e f o r a l l o c a t i n g t h e System Code and Credential Num- b e r w i t h i n t h e agency in a man- ner that guaran- tees that each card i s u n i q u e . T h i s c e n t r a l re g i s t r y approach is shared among NIST and the agencies and is working well. Is the Card Authentic and Valid? As stated in the HSPD-12, the PIV credential is strongly resistant to duplication, alteration and forgery. To achieve these goals, technical stan- dards include specific cryptographic methods and cryptographic keys. Authentication methods include use of both hash algorithms, symmetric keys as well as asymmetric key pairs, and valida- tion dates. Part of the solution includes cryptog- raphy to create a digital signature (hash) of the PIV data objects. When using the card for access requests, one part of the process is that the PACS must authen- ticate the card's credential by comparing the hash values of the original with that of the presented card. This effectively eliminates the risk of an adversary being able to successfully substitute a data object that contains the authentic biomet- ric of the authorized cardholder with one of his own. The hash is the encrypted by the private key stored in the smart chip of the card. Only the matching public key can decrypt the hash for ver- ification. (See Figure 1) Let us take a look at what this cryptographic FEDERAL SECURITY MANDATES process actually accomplishes. First, using cryp- tography achieves more than the secrecy (i.e., confidentiality, where only the intended recipient can read the sent data) most commonly associ- ated with cryptographic deployments. In addition to confidentiality, cryptography is a tool that is also used to ensure: • Integrity (no alteration of original data), • Non-Repudiation (proof of trusted origin) and • Authenticity (proof that the identity of the sender, or receiver, is true). A Public Key Infrastructure (PKI) approach using digitally signed X.509 certificates is one of the tools used to protect the credential data from unauthorized modification of any kind. The hash algorithm, key size, public key and expiration date are some of the information included in an X.509 Public Key Certificate. (See Figure 2) For today's PACS, two PIV certificates are com- monly used and electronically authenticated. One is the Card Authentication Key (CAK); the other is the PIV Authentication Key (PIV Auth Cert). These certificates with their unique keys are cre- ated by the smart chip of the card at the time of issuance. To authenticate the card, the credential data is digitally signed by the issuer at the time of production. In addition the PACS' certificate validation service establishes communication to the card and requests the CAK certificate, per- forms challenge-response with the asymmetric CAK, and sends a validation status request to the issuer certificate authority (CA). When an employee separates from the parent agency, the agency must revoke the employee's certificates within 18 hours. The CA updates the status of the certificate(s) to "revoked" and add the certificate to a Certificate Revocation List, CRL. The revoked certificate is add Any further attempts to use the certificate to gain access to facilities, or agency networks, will be declined. This approach enables near-instant, global de-provisioning of a revoked certificate at every location enterprise-wide from one single loca- tion mitigate potential threats of a disgruntled former employees to access agency, or company recourses and is a significant security enhance- ment from the previous approach which focused on a single location. For PIV, each issuing CA must support an Online Certificate Status Proto- col (OCSP) responder as well as regularly publish a CRL. To find the appropriate CRL, each certifi- cate includes URLs to where the CRL and OCSP responder may be located. In addition, CRLs may be downloaded to local PACS. The content of each certificate is also signed by Figure 2. The content of each certificate is also signed by a CA, which is managed by an entity authorized and certified under the common PIV policies to sign such certificates.

Articles in this issue

Links on this page

Archives of this issue

view archives of Security Technology Executive - SEP-OCT 2015