New government ID spec adds mobile use, expands contactless, biometrics
The latest draft of FIPS 201-2 has been much anticipated. The first revision was released in March 2011 and was met with groans, along with more than 1,200 submitted public comments. Some 15 months later another draft has been released by the National Institute of Standards and Technology, and this version is seeing a much more positive reaction.
Additions include both improvements to the contactless interface and the use of mobile devices as credentials. There are, however, lingering questions as special publications need to be written to detail how the new credentials and infrastructure will work. “These are good revisions that will move us into the next five to 10 years of functionality,” says Neville Pattinson, senior vice president for government sales at Gemalto.
The emphasis of the new draft is on strong authentication, says Rick Uhrig, manager of identity and access management at XTec. Visual inspection of the card and the cardholder unique identifier (CHUID) on the contactless portion of the card have been deprecated in favor of the new Universally Unique Identifier (UUID). “The message is that agencies need to use strong cryptography for each and every transaction,” he says.
Adding to that strong authentication is expanded use of biometrics, says Pattinson. Enabling on-card matching of fingerprints and adding iris as a biometric are changes that will bind the holder to the credential.
Iris is an option that issuing agencies can choose to add to the card, Uhrig says. But, he adds, it’s likely to be mandatory in five years when FIPS 201-3 is developed. “There’s nothing in FIPS 201-2 that wasn’t optional in FIPS 201-1,” he explains.
This shift from optional to mandatory is a trend seen between the two drafts. Previously only the PIV authentication certificate was mandatory and the other certificates were optional; those optional certificates would now be mandatory under the new draft.
Other changes have been suggested that would enable more functionality on the contactless interface, Pattinson says. The new spec states that most functions on the contact interface will also be available via contactless.
The revised draft introduces the concept of a virtual contact interface, a contactless mode via which all functionality of the PIV would be accessible. “Cryptographic functions over the contactless interface had been limited and it was missed greatly,” Pattinson adds.
The add-on to the contactless interface is also opening up the use of PIV with mobile devices, Pattinson says. The concept of derived credentials has been introduced that would enable a PIV holder to spawn credentials on their mobile devices.
To issue a derived credential, the PIV is presented to a mobile device manager, which then assigns a sub-credential to a device using a parent/child model. The derived credential would be placed on a secure element within the handset or tablet. Only a portion of the PIV functionality would be available with the derived credential, and it’s possible that different derived credentials could be issued depending on the level of assurance necessary.
Derived credentials were mentioned in NIST’s Special Publication 800-63-1, which focuses on electronic authentication. But this prior mention of derived credentials was in a generic form and not specific to PIV.
Special publications will flesh out the details of how derived credentials, the virtual contact interface and other changes from the spec will work, Uhrig says. These publications will be needed so that vendors can create new products conforming to the revised spec.
After the U.S. Commerce Department secretary signs the new FIPS 201-2 specification, which is expected by early 2013, agencies will have to start implementing new systems within 12 months. “It will be a challenge for the industry to respond to these needs in that timeframe,” Pattinson says.
Vendors will need to produce products that are interoperable with the existing generation of cards, Pattinson says. “There are some major revisions in terms of functionality and we need to worry about the installed infrastructure as well as move to the new generation,” he explains.
Some of these changes will be more difficult than others. XTec has physical access control readers in place at the U.S. State Department, Uhrig says. “What we have been able to do when the standards change in the past is upgrade the firmware,” he explains. “It’s been pretty painless.”
Other changes won’t be as painless and may call for changes to the U.S. General Services Administration Approved Products List, Pattinson says. To get new products to the market in time, changes will have to be made to how products are certified. “We have to have the changes ripple down so everything is set in concrete and people can implement the next generation of cards and infrastructure,” he adds.
Changes to PIV-I?
Because the PIV-I specification is built on FIPS 201, these changes will affect those deployments as well, says Rick Uhrig, manager of identity and access management at XTec.
PIV-I issuers should pay close attention to the revisions NIST puts in place, Uhrig says. The deadline for them to deploy systems and new credentials that adhere to the new standard will be the same as the one federal agencies must meet.
Significant changes in FIPS 201-2
- A mandatory facial image added to the card
- Additional functionality to the contactless interface including optional biometric match on card
- Improved interoperability of the contactless interface by mandating the previously optional card authentication certificate and keys
- Less reliance on the Cardholder Unique Identifier
- General movement away from visual inspection to electronic authentication
Certificate changes for FIPS 201-2
The PIV must contain PIV authentication data and card authentication data, each of which includes an asymmetric key pair and corresponding certificates.
If the applicant already has a federal government email address, the credential will also have an asymmetric key pair and corresponding certificate for digital signatures and another for key management.
Optional keys include a symmetric card authentication key for supporting physical access applications and a symmetric PIV Card Application Administration key associated with the card management system.
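The following is an added example, not code from the article, from NIST or from any of the vendors quoted; it illustrates the point made above about moving from the static CHUID to strong cryptography on each transaction, and the role of the symmetric card authentication key listed among the optional keys. It models a physical access reader in Python: the legacy path accepts any card whose CHUID is registered, while the strong path issues a fresh challenge per transaction and verifies the card's response with the symmetric card authentication key. The key size, the use of HMAC-SHA256 and the nonce length are assumptions made for illustration; FIPS 201-2 specifies its own algorithms and the real card/reader protocol.

```python
"""Challenge-response with a symmetric card authentication key (CAK)
compared with a static identifier check.

Added example, not part of FIPS 201-2 or the article.  HMAC-SHA256,
the 16-byte key and the 16-byte nonce are illustrative assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class PivCard:
    """Model of a PIV card holding a static CHUID and a secret CAK.
    All values are constructed, not real card data."""

    def __init__(self, chuid: bytes, cak: bytes) -> None:
        self.chuid = chuid   # static identifier, readable by any reader
        self._cak = cak      # secret key that never leaves the card

    def read_chuid(self) -> bytes:
        return self.chuid

    def respond(self, challenge: bytes) -> bytes:
        # The card proves possession of the CAK by MACing the reader's nonce.
        return hmac.new(self._cak, challenge, hashlib.sha256).digest()


class Reader:
    """Physical access reader that knows the CAK registered for each CHUID."""

    def __init__(self, registry: Dict[bytes, bytes]) -> None:
        self._registry = registry
        self._pending: Optional[bytes] = None

    def authenticate_by_chuid(self, chuid: bytes) -> bool:
        """Legacy path: trust whatever identifier is read off the card."""
        return chuid in self._registry

    def new_challenge(self) -> bytes:
        """Strong path, step 1: a fresh random nonce for this transaction."""
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, chuid: bytes, response: bytes) -> bool:
        """Strong path, step 2: check the response against the registered CAK.
        The pending challenge is consumed so it can only be used once."""
        if self._pending is None or chuid not in self._registry:
            return False
        challenge, self._pending = self._pending, None
        expected = hmac.new(self._registry[chuid], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def transaction(reader: Reader, card: PivCard) -> bool:
    """One complete strong-authentication transaction."""
    challenge = reader.new_challenge()
    return reader.verify(card.read_chuid(), card.respond(challenge))


def demo() -> Dict[str, bool]:
    """Run the four cases a reader deployment cares about and report each."""
    cak = secrets.token_bytes(16)
    card = PivCard(chuid=b"constructed-chuid-0001", cak=cak)
    reader = Reader({card.chuid: cak})
    results: Dict[str, bool] = {}

    # Legacy check: the identifier alone is enough, with no proof of the key.
    results["static_id_accepts_identifier_alone"] = reader.authenticate_by_chuid(card.chuid)
    # Genuine card answers the fresh challenge correctly.
    results["genuine_card_passes"] = transaction(reader, card)
    # A response recorded from an earlier challenge does not verify later,
    # because every transaction uses a new nonce.
    recorded = card.respond(reader.new_challenge())
    reader.new_challenge()
    results["recorded_response_rejected"] = not reader.verify(card.chuid, recorded)
    # A card presenting the registered CHUID but holding a different key fails.
    other = PivCard(chuid=card.chuid, cak=secrets.token_bytes(16))
    results["wrong_key_rejected"] = not transaction(reader, other)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The contrast the reader should take away is the third and fourth cases: a static identifier is accepted as soon as it is presented, while the challenge-response path ties acceptance to possession of the key and to a nonce that is valid for one transaction only. The same structure applies to the asymmetric card authentication certificate and key, with a signature over the nonce replacing the MAC.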