Q&A: HID’s Trusted Identity Platform
14 December, 2010
category: Contactless, Digital ID, Library, NFC
HID Global first introduced its Trusted Identity Platform in March, and the identity provider has been rolling out more features for the system as the year progresses.
A recent partnership aims to enable HID’s iCLASS credentials on NFC chips. This would allow mobile handsets to function as access control tokens and more, says Tam Hulusi, senior vice president of strategic innovation and intellectual property at HID.
The credentials will be delivered to the devices via HID’s Trusted Identity Platform that verifies all points in a system or network so that transactions can be trusted, explains Hulusi.
We spoke with Hulusi to understand the significance of the Trusted Identity Platform.
Q: What is the Trusted Identity Platform?
*A:* The Trusted Identity Platform, or TIP, is a secure network that provides the framework for creating, delivering and managing secure identities.
Simply put, the architecture is a central secure vault that serves known endpoints, such as credentials, readers and printers, on a secure network connection and within a published cryptographic key management security policy. HID Global refers to this as a bounded-type system, where all the devices attached to it are known and therefore trusted to exchange information securely.
The TIP architecture is scalable, its transmission protocol and encryption models are standards-based, and it can support multiple applications. TIP systems also can be virtualized and cloud-based, and therefore can provide services across the Internet without compromising security.
TIP’s secure delivery infrastructure will provide the framework for all future security identity products from HID Global.
Q: Why did HID Global develop TIP?
*A:* Access control system equipment is migrating well beyond cards and readers into a whole new era of configurable credentials, contactless technologies, and a world in which mobile phones and other devices can carry “digital keys” that they receive over the air or via the Internet.
Near Field Communication is a promising technology that makes this possible, but the only way to make it secure is for the industry to establish an identity methodology based on a comprehensive chain of custody, in which all end points in a system or network can be validated so that identity transactions between them can be trusted at any time.
HID Global has spent three years creating a solution to this challenge, and the resulting TIP secure identity system is a simple but protected identity transaction system that we believe represents the future of the physical security world.
Q: What does TIP consist of?
*A:* The TIP model consists of three central elements:
- The Secure Vault, which provides a secure storage capability for encryption keys, available to known and trusted endpoints,
- A Secure Messaging methodology to secure messages to the node endpoints using industry-standard transmission protocols and nested symmetric key methods, and
- A Key Management Policy and Practices (KMPP) governance that sets the rules by which the Secure Vault is accessed and keys are distributed to endpoints.
Q: How does TIP work?
*A:* TIP provides a protected identity transaction network that enables validation of all endpoints, or nodes, in the network so that transactions between the nodes are trusted. At the heart of the TIP framework is a central secure vault that serves known endpoints, such as credentials, readers and printers, on a secure Internet connection, within a published security policy.
Data security, privacy and reliability are ensured using symmetric-key cryptography, so that all endpoints can execute trustworthy transactions. This approach delivers security beyond the hardware level, extending trust boundaries to other third-party platforms supporting TIP protocols.
Q: How does TIP establish endpoints and trusted transactions?
*A:* Endpoints are created by implementing a TIP node protocol and a resident Genesis Key so that they can be recognized and registered by the Secure Vault as a trusted member of the network. This means that they are allowed to exchange data with the Secure Vault.
Endpoints, such as credentials, readers and printers, communicate with the Vault via rules governed by HID Global’s Key Management Policy and Practices (KMPP). Using industry-standard cryptography, TIP messages between endpoints are encrypted by two nested symmetric keys to form Secure Identity Objects.
Several Secure Identity Objects can be nested in a TIP message to deliver multiple instructions to different devices such as access cards, smart phones and computers, each with different access control characteristics, if required. The simplest Secure Identity Object is the emulation of credential data from an iCLASS card. Once a “handshake” is accomplished between the Secure Vault and an endpoint device, the device is deemed to be trusted in the network.
Trusted devices no longer need to communicate with the Vault and can operate independently. In this way the transaction between endpoints, such as a credential and a reader, is trusted and resulting transactions, such as opening a door or logging onto a computer, can also be trusted.
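As an added illustration (not HID's own code or protocol; the interview gives no wire format), here is one way to read the three elements listed under "What does TIP consist of?" together with the Genesis Key handshake and the "two nested symmetric keys" described in the answer above: each endpoint holds a Genesis Key that the Secure Vault also knows; a challenge-response on that key admits only registered endpoints and derives a session key; a Secure Identity Object is the inner layer, sealed to the key of the device that will consume it; and a TIP message is the outer layer, sealed to the session key and able to carry several SIOs addressed to different devices. The class and function names (`Vault`, `Endpoint`, `seal`, `open_`), the `b"sio"`/`b"session"`/`b"tip-msg"` labels, the endpoint IDs `phone-1` and `reader-7` and the sample credential are all assumptions. The cipher is a stdlib HMAC-SHA256 construction standing in for a real AEAD such as AES-GCM, and the handshake is a minimal sketch in which the endpoint's proof is bound only to its own nonce.

```python
# Illustration only (assumed design, not HID's format); HMAC-SHA256 CTR keystream + encrypt-then-MAC stands in for AES-GCM.
import hashlib, hmac, json, os, struct
NONCE_LEN, TAG_LEN = 12, 32


def derive(key: bytes, info: bytes) -> bytes:
    """One-block HKDF-expand: a 32-byte subkey of `key` bound to purpose `info`."""
    return hmac.new(key, info + b"\x01", hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then MAC over aad||nonce||ciphertext; returns nonce||ct||tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(derive(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(derive(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, aad: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; wrong key, wrong recipient (aad),
    tampering or truncation all fail closed with ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(derive(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(derive(key, b"enc"), nonce, len(ct))))


def rejects(key: bytes, aad: bytes, blob: bytes) -> bool:
    try:
        return open_(key, aad, blob) is None
    except ValueError:
        return True


class Vault:
    """Secure Vault: holds each enrolled endpoint's Genesis Key and never ships it."""
    def __init__(self):
        self._genesis, self._sessions = {}, {}

    def register(self, endpoint_id: str, genesis_key: bytes) -> None:
        self._genesis[endpoint_id] = genesis_key      # out-of-band enrollment under the KMPP

    def handshake(self, endpoint_id: str, ep_nonce: bytes, ep_proof: bytes):
        """Admit only a registered endpoint that proves its key; answer with our own proof."""
        g = self._genesis.get(endpoint_id)
        if g is None or not hmac.compare_digest(
                ep_proof, hmac.new(g, b"endpoint" + ep_nonce, hashlib.sha256).digest()):
            return None                               # unknown or impostor: no session, no keys
        v_nonce = os.urandom(16)
        self._sessions[endpoint_id] = derive(g, b"session" + ep_nonce + v_nonce)
        return v_nonce, hmac.new(g, b"vault" + ep_nonce + v_nonce, hashlib.sha256).digest()

    def make_sio(self, target_id: str, payload: dict) -> bytes:
        """Inner layer: readable only by the device the SIO is addressed to."""
        return seal(derive(self._genesis[target_id], b"sio"), target_id.encode(), json.dumps(payload).encode())

    def make_message(self, endpoint_id: str, sios: dict) -> bytes:
        """Outer layer: several SIOs for different devices in one message to this endpoint."""
        body = json.dumps({k: v.hex() for k, v in sios.items()}).encode()
        return seal(self._sessions[endpoint_id], b"tip-msg", body)


class Endpoint:
    def __init__(self, endpoint_id: str, genesis_key: bytes):
        self.id, self._genesis, self.session_key = endpoint_id, genesis_key, None

    def connect(self, vault: Vault) -> bool:
        """Keep a session only if the vault proved it holds our Genesis Key too."""
        ep_nonce = os.urandom(16)
        ep_proof = hmac.new(self._genesis, b"endpoint" + ep_nonce, hashlib.sha256).digest()
        reply = vault.handshake(self.id, ep_nonce, ep_proof)
        if reply is None:
            return False
        v_nonce, v_proof = reply
        expect = hmac.new(self._genesis, b"vault" + ep_nonce + v_nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(v_proof, expect):
            return False
        self.session_key = derive(self._genesis, b"session" + ep_nonce + v_nonce)
        return True

    def receive(self, message: bytes) -> dict:
        body = json.loads(open_(self.session_key, b"tip-msg", message))   # outer layer
        return json.loads(open_(derive(self._genesis, b"sio"), self.id.encode(), bytes.fromhex(body[self.id])))


def demo() -> dict:
    vault, phone_g = Vault(), os.urandom(32)
    vault.register("phone-1", phone_g)
    vault.register("reader-7", os.urandom(32))
    phone = Endpoint("phone-1", phone_g)
    if not phone.connect(vault):
        raise RuntimeError("handshake failed")
    message = vault.make_message("phone-1", {          # one message, two SIOs for two devices
        "phone-1": vault.make_sio("phone-1", {"facility_code": 42, "card_number": 1337}),  # constructed data
        "reader-7": vault.make_sio("reader-7", {"op": "load-key"}),  # the phone can relay but not open this
    })
    return phone.receive(message)
```

`demo()` returns the credential the phone recovered from its own SIO; the same message carries a second SIO the phone cannot open. `rejects` shows that a wrong key, a different recipient label, a flipped byte or a truncated blob are all refused before any plaintext is released, and an unregistered endpoint, or one presenting the wrong Genesis Key, never gets a session. That is the property the answer calls trust between endpoints: a reader that receives an SIO it cannot authenticate must treat it as no credential at all.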
Q: What are HID’s plans for deploying TIP?
*A:* HID Global will announce and begin deploying TIP later this year, and has already taken a first, big step toward realizing its vision of a trusted, virtual and on-demand identification network with the announcement of the partnership with NFC chip provider INSIDE Contactless.
The partnership will enable NFC phones to hold the same iCLASS access control and credential information as our physical smart card and it will be delivered via the TIP system.
HID plans to announce other partnerships that will combine contactless solutions, NFC and other widely deployed technologies to create a variety of platforms, from mobile phones to laptops, for applications ranging from user authentication to cashless vending and PC log-on security. These platforms and applications will significantly extend the value proposition for contactless smart card credentials.