By Marisa Torrieri, Contributing Editor
With a long workday behind him, Mr. Government Worker leaves the building, heading for the massive parking lot. He passes a gentleman (Mr. Man), but little does Mr. Government Worker know that beneath the stranger’s briefcase hides an RFID Reader with an antenna short enough to remain out of sight but long enough to communicate with a FIPS 201 PIV Card. Mr. Man captures the ‘free-read’ ID number from the card and now can in essence replay this information to the access control reader at the entry door to the building to gain access.
A preposterous scenario? Not really, says Walt Augustinowicz, founder of Identity Stronghold, though others disagree.
“It’s called the ‘leech-and-ghost theory,'” says Mr. Augustinowicz, noting that a handful of white papers have been written on such topics. “It’s pretty realistic.”
The company is one of a handful of manufacturers of protective shields and sleeves designed to protect contactless cards from eavesdroppers. Identity Stronghold is marketing its electromagnetic smart card sleeves in consumer, financial, and government markets, including federal agencies shopping around for FIPS 201-compliant products. The electromagnetically opaque “Secure Sleeve” products help ensure that invasive communications such as relaying, eavesdropping, or cloning and tracking of ID, debit and credit cards, U.S. passports, and the new FIPS 201 PIV cards don’t occur.
“The new government PIV card has a contactless interface, which, basically will get you into several pieces, including the CHUID (the unique ID number), and it can be read by any ISO 14443 reader,” he says.
Mr. Augustinowicz refers to section 2.4 of the FIPS 201-1 publication, which states: “Ensure that technologies used to implement PIV sustain and do not erode privacy protections relating to the use, collection and disclosure of information in the identifiable form. Specifically, employ an electromagnetically opaque sleeve or other technology to protect against any unauthorized contactless access to information stored on a PIV credential.”
But whether federal agencies will embrace added security and the notion that such sleeves are a necessity remains to be seen. Factors that will influence such decisions include perceived threat and cost.
If recent conferences are any indication, the product could pick up some serious momentum in the near future: Mr. Augustinowicz says he gave out 250 sleeves or so at a recent government CIO conference. “People were coming back,” he says, “asking for extras for their wife’s credit’s card.”
The company is submitting technical specs to the National Institute of Standards and Technology (NIST) for testing to receive a listing on the FIPS 201 approved products list.
A 170-year old physics experiment lives today in the Faraday cage
The sleeves works on the Faraday cage principle, notes Mr. Augustinowicz. According to online resource Wikipedia, a Faraday cage is an enclosure designed to exclude electromagnetic fields. It is an application of Gauss’s law which describes the distribution of electrical charge on a conducting form, such as a sphere or a plane. Intuitively, since like charges repel each other, charge will “migrate” to the surface of the conducting form. In the case of the smart card sleeve, its ‘cage’ routes the external RF field away from the contactless antenna inside. The application is named after physicist Michael Faraday who built the first Faraday cage in 1836 to demonstrate his finding.
“Our sleeves are made with a special laminate material that contains a shielding layer and several other layers that make it very durable and tear and water resistant as well as printable,” Mr. Augustinowicz continues. “The shielding layer forms a faraday cage around the card preventing the electromagnetic energy necessary to power the chip from reaching it.”
Randy Vanderhoof, Executive Director of Smart Card Alliance, says the notion of adding a protective sleeve to a contactless card came up for discussion when the government was planning for the new electronic passports, which use contactless technology.
The passport sleeve is not required by any spec, says Mr. Augustinowicz, noting that the new U.S. passports have an anti-skimming mesh embedded in the top cover. It operates on a similar principle to the cage, relying on a metal mesh to shield the antenna from an external RF field.
For FIPS 201 PIV cards, Mr Vanderhoof says he hasn’t heard a lot of lengthy discussion or debate about such sleeves, though the issue has come up at conferences and meetings. He stresses that the new ID cards contain “the most secure card specification that’s ever been created for implementation of an ID card.”
Furthermore, the new PIV cards will be dual-interface, containing both a contact and a contactless interface. The contactless interface is most often used for physical access, and is read by a contactless reader. The contact interface will be required to access the biometric component for authentication processes, to validate that the card is being held by the appropriate user. Most agree, however, that though the biometric may be required for physical access in certain situations, it is unlikely that it will always be mandated as agencies develop their customized access control strategies.
There’s another issue, technology aside. Even if an agency were to use electromagnetic sleeves, employees might not care.
“(Many) people who are issued a sleeve by federal agencies would probably toss it in the drawers and not use it after they are issued their cards,” Mr. Vanderhoof says.
Still, there is, technically, an opportunity for someone to know there is some limited data on a card using an RF reader. Even though you can’t pick up the data, you can technically use an antenna to learn that someone is holding a PIV government card. And there are all sorts of scenarios for why someone would want to know you’re a government employee.
“There’s folks whose job it is to look at worse case scenarios for government applications,” says Mr. Vanderhoof, “and the industry has to respond to that and it has.” But if interest in the Secure Sleeve and related products is an indication, the concern – real or imagined – continues to exist.
For more on Identity Stronghold’s sleeves, click here.
Research and evaluate FIPS 201 Approved Products and get the latest info on compliant credentialing systems at FIPS201.com. Click to visit FIPS201.com.