Module 5: Usage Models – Identity, Security and Access Control

Smart Card Alliance Certified Smart Card Industry Professional Accreditation Program

Smart Card Alliance © 2015 CSCIP Module 5 - Identity and Security FINAL - Version 5 - May 7, 2015 1 For CSCIP Applicant Use Only

About the Smart Card Alliance

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.smartcardalliance.org.

Important note: The CSCIP training modules are only available to LEAP members who have applied and paid for CSCIP certification. The modules are for CSCIP applicants ONLY for use in preparing for the CSCIP exam. These documents may be downloaded and printed by the CSCIP applicant. Further reproduction or distribution of these modules in any form is forbidden.

Copyright © 2015 Smart Card Alliance, Inc. All rights reserved. Reproduction or distribution of this publication in any form is forbidden without prior permission from the Smart Card Alliance. The Smart Card Alliance has used best efforts to ensure, but cannot guarantee, that the information described in this report is accurate as of the publication date. The Smart Card Alliance disclaims all warranties as to the accuracy, completeness or adequacy of information in this report.


TABLE OF CONTENTS

1 INTRODUCTION ...... 6
2 SMART CARD DRIVERS AND BENEFITS FOR IDENTITY AND SECURITY APPLICATIONS ...... 7
2.1 HOW TODAY'S IDENTIFICATION SYSTEMS CAN FAIL ...... 7
2.2 WHAT MAKES AN IDENTIFICATION SYSTEM SECURE ...... 8
2.3 SMART CARD BENEFITS FOR IDENTIFICATION SYSTEMS ...... 9
2.3.1 Support for Physical and Digital Identity ...... 10
2.3.2 Authenticated and Authorized Information Access ...... 10
2.3.3 Strong ID Card Security ...... 10
2.3.4 ID Credential Security ...... 10
2.3.5 System Component Authentication ...... 10
2.3.6 Smart Card Support for Privacy Requirements ...... 10
2.3.7 Smart Card Support for Strong Authentication ...... 11
2.3.8 Smart Cards and Biometrics ...... 11
2.3.9 Enhanced Business Case with Multiple Applications ...... 11
2.3.10 Enhanced Convenience for Users ...... 11
2.3.11 Ease of Integration and Deployment in Information Technology Systems ...... 11
2.3.12 Improved Life Cycle Management ...... 12
2.3.13 Flexible Support for Migration Using Multiple Technologies ...... 12
2.3.14 Support for Multiple Form Factors ...... 12
2.3.15 Interoperable, Standards-Based Technology ...... 12
2.4 SUMMARY ...... 12
3 IDENTITY CARDS AND TOKENS ...... 15
3.1 IDENTITY CARDS ...... 15
3.1.1 Security Printing Features ...... 16
3.1.2 Security Devices ...... 17
3.2 USB TOKENS ...... 17
3.3 ONE-TIME PASSWORD TOKENS ...... 18
3.4 MOBILE DEVICES AND IDENTITY AUTHENTICATION AND ACCESS CONTROL APPLICATIONS ...... 19
3.5 STANDARDS FOR IDENTITY APPLICATIONS ON SMART CARDS ...... 19
4 EPASSPORTS ...... 21
4.1 EPASSPORT FEATURES AND SPECIFICATIONS ...... 21
4.1.1 Contactless Chip ...... 21
4.1.2 Biometrics ...... 21
4.1.3 Logical Data Structure ...... 22
4.1.4 ePassport Security Measures ...... 22
4.2 EPASSPORT VALIDITY AND ICAO PUBLIC KEY DIRECTORY ...... 23
4.3 U.S. EPASSPORT SECURITY MEASURES AND USE ...... 24
5 PHYSICAL ACCESS ...... 26
5.1 PACS COMPONENTS ...... 26
5.2 PHYSICAL ACCESS CONTROL PROCESS (NON-U.S.-FEDERAL GOVERNMENT USE) ...... 27
5.2.1 The ID Credential ...... 29
5.2.2 The Card Reader ...... 29
5.2.3 The Control Panel ...... 30
5.2.4 Access Control Server ...... 30
5.3 PHYSICAL ACCESS CONTROL SYSTEM DATA FORMATS ...... 31
5.4 OPERATIONAL RANGE ...... 31
5.5 SECURITY CONSIDERATIONS ...... 31
5.5.1 Card Security ...... 32
5.5.2 Data Protection ...... 32
5.5.3 Card and Data Authentication ...... 32
5.5.4 Card to Card Reader Communications ...... 33
5.5.5 Card Reader to Control Panel Communications ...... 33
5.6 RECENT TRENDS IN SYSTEM ARCHITECTURES ...... 34
6 LOGICAL ACCESS ...... 36
6.1 OVERVIEW OF LOGICAL ACCESS AUTHENTICATION TECHNOLOGIES ...... 37
6.1.1 Passwords ...... 37
6.1.2 Biometrics ...... 41
6.1.3 Public Key Cryptography ...... 41
6.1.4 Soft Tokens ...... 42
6.1.5 Smart Card Technology ...... 42
6.2 DRIVERS FOR SMART CARD TECHNOLOGY FOR LOGICAL ACCESS ...... 44
6.2.1 Strong Authentication Support ...... 44
6.2.2 Enhanced Security and Convenience for Users ...... 44
6.2.3 Enhanced Protection against Identity Fraud ...... 45
6.2.4 Standards-Based Application Coverage ...... 45
6.2.5 Ease of Integration ...... 46
6.2.6 Ease of Deployment ...... 47
6.2.7 Multi-Purpose Functionality ...... 47
6.3 THE NATIONAL STRATEGY FOR TRUSTED IDENTITIES IN CYBERSPACE: A KEY U.S. INITIATIVE DRIVING STRONGER AUTHENTICATION TECHNOLOGIES ...... 47
6.3.1 Smart Cards and NSTIC ...... 48
7 SMART CARDS AND BIOMETRICS ...... 49
7.1 BIOMETRIC SYSTEM COMPONENTS AND PROCESS ...... 49
7.2 SELECTING A BIOMETRIC TECHNOLOGY ...... 50
7.3 THE ROLE OF SMART CARDS WITH BIOMETRICS ...... 51
7.3.1 Example Programs Combining Smart Cards and Biometrics ...... 52
7.3.2 Key Considerations for Implementing Combined Smart Card / Biometric Systems ...... 52
7.3.3 Benefits of Combining Smart Cards and Biometrics in a Secure ID System ...... 55
8 IDENTITY, SECURITY AND ACCESS CONTROL APPLICATION EXAMPLES ...... 61
8.1 NATIONAL ID PROGRAMS ...... 61
8.1.1 eID in Europe and the European Citizen Card ...... 62
8.2 CORPORATE ID BADGE USE CASE ...... 68
8.3 HEALTHCARE ID USE CASES ...... 69
8.3.1 Sesam Vitale Health Card – France ...... 70
8.3.2 German Health Card ...... 71
8.3.3 Smart Health Cards in the United States ...... 72
8.3.4 Taiwan Smart Health Card ...... 73
8.3.5 Smart Health Cards: Use and Benefits for Patients ...... 75
8.3.6 Smart Health Cards: Use and Benefits for Hospitals ...... 75
8.4 INTERNATIONAL DRIVER'S LICENSE ...... 77
8.5 U.S. FEDERAL GOVERNMENT USE CASES ...... 78
8.5.1 FIPS 201-2 Personal Identity Verification Card ...... 78
8.5.2 Department of Defense Common Access Card ...... 82
8.5.3 Transportation Worker Identification Credential ...... 84
8.5.4 First Responder Authentication Credential ...... 86
8.6 MACHINE-TO-MACHINE APPLICATIONS ...... 89
8.7 PAY TV ...... 90
9 PRIVACY ...... 92
9.1 DEFINING PRIVACY IN AN INFORMATION CONTEXT ...... 92
9.1.1 Privacy Parameters ...... 93
9.1.2 Security Parameters ...... 93
9.1.3 ID System Design and Implementation Goals ...... 94
9.2 SMART CARDS AND PRIVACY PROTECTION ...... 95
9.3 PRACTICAL GUIDELINES FOR PRIVACY PROTECTION IN SMART CARD-BASED ID SYSTEMS ...... 96
9.3.1 Business Practice Guidelines ...... 97
9.3.2 System Design Considerations and Guidelines ...... 97
10 RELEVANT STANDARDS AND SPECIFICATIONS ...... 99
10.1 STANDARDS RELEVANT TO SMART CARD PHYSICAL CHARACTERISTICS ...... 99
10.2 STANDARDS RELEVANT TO TECHNOLOGIES WHICH COULD BE FOUND ON A SMART CARD ...... 99
10.3 STANDARDS AND SPECIFICATIONS RELEVANT TO TECHNOLOGIES RELATED TO THE CARD INTERFACE ...... 100
10.4 STANDARDS AND SPECIFICATIONS RELEVANT TO THE CARD COMMANDS AND APPLICATION DATA STRUCTURES ...... 100
10.5 STANDARDS AND SPECIFICATIONS RELEVANT TO SECURITY OR CRYPTOGRAPHY ...... 100
10.6 STANDARDS AND SPECIFICATIONS RELEVANT TO ISSUERS OR SPECIFIC INDUSTRY SECTORS ...... 100
10.7 OTHER STANDARDS RELATED TO SMART CARDS OR THEIR SOFTWARE CLIENTS ...... 101
10.8 PRIMARY U.S. STANDARDS AND SPECIFICATIONS RELATED TO SMART CARDS – FEDERAL INFORMATION PROCESSING STANDARDS (FIPS) ...... 101
10.9 BIOMETRICS STANDARDS ...... 101
10.10 OTHER STANDARDS AND SPECIFICATIONS THAT RELATE TO SMART CARD-BASED APPLICATIONS ...... 102
11 REFERENCES ...... 103
12 ACKNOWLEDGEMENTS ...... 107


1 Introduction

Both government and commercial organizations are implementing secure identification (ID) systems to improve confidence in verifying the identity of individuals seeking access to physical or virtual locations, with smart cards a fundamental component to ensure the security and privacy of information and transactions. This module describes how smart cards are used in identity, security and access control applications. After reviewing this module, CSCIP applicants should be able to answer the following questions:

- What are weaknesses in many identification systems?
- How do smart cards improve the privacy and security of identification systems?
- What forms of smart cards are used for identity and security applications?
- How is smart card technology used in electronic passports and what security features does it enable?
- What are the components of a physical access control system (PACS) and how are smart cards used in a PACS?
- What authentication technologies are used for logical access? What are logical access applications? What are drivers for smart card technology for logical access? How are digital certificates used with smart cards in logical access applications?
- What are biometrics? How are biometrics and smart cards used together in identification systems?
- What are example use cases for smart cards as identity cards? What applications are typically implemented and what benefits do smart cards bring?
- What must be done to design privacy into an identification system? How can smart cards help? What are best practices for privacy-sensitive identification system design?


2 Smart Card Drivers and Benefits for Identity and Security Applications¹

Identification systems are needed by both public and private organizations. ID systems may operate completely within a single organization (an employee ID), span multiple organizations (across Federal agencies and contractors, between businesses and their customers), or extend out to the general population. Smart cards play an important role in strengthening the security of identification systems and protecting the privacy of the information stored and used in the identification system. This section describes the vulnerabilities of ID systems, the steps that organizations need to take to improve ID system security and the role of smart cards in these systems. Examples of secure identification systems using smart cards today are:

- Bank, hospital and corporate employee ID cards, to authenticate employees and partners and protect networks and computer systems.
- U.S. and NATO defense department ID cards, to protect soldiers' identities and computer networks.
- U.S. federal government employee and contractor ID cards, to authenticate employee identities when accessing physical facilities, computers or networks.
- Electronic passports worldwide, to authenticate citizen identities and provide a more secure identity document.
- National ID cards in a number of countries, to authenticate citizens accessing government services.
- Healthcare ID cards (e.g., Gesundheitskarte, Germany; Sesam Vitale, France) to authenticate patient and provider identities and securely store and manage personal health information.

2.1 How Today's Identification Systems Can Fail

Today, nearly everybody carries multiple identification cards (IDs), issued by multiple public and private organizations. Such IDs include driver's licenses, membership cards, credit cards, and corporate identification badges. The primary purpose of an ID is to identify the holder as having particular rights, privileges, and responsibilities. IDs verify a person's identity, both to the system that issued the ID (for example, a driver's license verifies the license-holder's right to operate a motor vehicle) and to other systems that do not issue their own IDs (for example, in the United States, a driver's license verifies the identity of someone trying to board an aircraft). Systems that issue IDs are typically one of two types:

- Systems that interface with citizens and country residents, such as a driver's license system, citizen entitlement system, or passport system. Such systems are citizen-facing systems.
- Systems that interface with employees or customers, such as an employee badge system, human resource benefits system, or online banking system. Such systems are employee- or customer-facing systems.

Regardless of type, many of today's identification systems are vulnerable. They often use tamper-prone credentials or easily compromised passwords and limited initial identity verification processes that are insufficient to stand up against the sophistication of modern identity thieves. To be secure, identification systems must meet multiple challenges.

¹ Smart Card Alliance, Secure Identification Systems: Building a Chain of Trust, March 2004


2.2 What Makes an Identification System Secure

A secure ID system is designed to address one primary requirement: verify that an individual is who the individual claims to be and has the attributes (privileges) the individual claims to have. When properly designed, secure ID systems implement a chain of trust, assuring everyone involved that the individual presenting an ID card is the person who owns the credentials on the ID and that the credentials are valid. (The term "credential" refers to information stored on the card that represents the individual's identity document and privileges.) A secure ID system can provide individuals with trusted credentials that are used for a wide range of applications, from enabling access to facilities or networks to proving entitlement for services to conducting online transactions.

Secure ID system design requires a set of decisions that select and implement policies, procedures, architecture, technology, and staff. The design must implement the desired level of security and the appropriate chain of trust, starting with a secure identity vetting and enrollment process and including an authentication process incorporating appropriate security measures and technologies to deter impersonation and counterfeiting and assure the privacy of the credentials on the ID.

Critical to any secure ID system is the ID card or device². The ID card is used as a portable, trusted and verifiable representation of an individual's identity and rights and privileges within the ID system. For an ID card to meet these requirements, the ID system must assure that a legitimate authority issued the ID, that the ID and the credential it carries are not counterfeit or altered, that the person carrying the ID matches the individual who enrolled in the ID system and that the same individual is not enrolled twice in the same system under different identities.

The design of a secure ID system must include the following:

- A secure enrollment process³ that establishes each individual's identity and determines that the person is entitled to the privileges that are being granted
- Procedures for securely issuing ID cards and ensuring that IDs are issued only by authorized issuing organizations, with a secure auditable process, and only to the correct person
- An ID card that includes both physical and logical security authentication features. Examples of physical security features include secure printing, color-changing inks, holograms and laser laminates. Examples of logical security features include user PIN, device authentication and certificate-based authentication (certification of origin and integrity).
- Policies and procedures for monitoring the use of the ID
- Procedures for ID life-cycle management
- Training for users and issuers
- Policies, procedures and technologies that protect access to the information in the system about ID holders
- Security controls that provide only authorized viewers with access to information on the ID
- An authentication process that implements the defined chain of trust, verifying the identity of ID holders and the legitimacy of the ID cards and their credentials
- Match-on-card biometrics combined with smart IDs can also be used to verify the cardholder at every use, ensuring that the user of the identity credential is indeed the person to whom it was issued.

Table 1 lists the components required by most secure ID systems and provides examples of the types of decisions that must be made to select each component.

² This document refers to the physical ID device as an "ID" or "ID card." While the most prevalent form factor for an ID is a plastic card that incorporates other technologies (e.g., chip, barcode, magnetic stripe), smart card technology enables other form factors as well (e.g., USB token, SIM, ePassport).
³ This process will vary depending on the ID system being implemented.


Table 1. Secure ID System Components

Component / Key Design Decisions

Trusted Issuing Authority
- What trust model organizations participating in the ID system should adopt
- What types of digital credentials to use and what security algorithms to implement
- Whether to use a commercial trusted authority to , protect, and distribute certificates or create certificates in house, in a protected environment
- What the key management processes are

Network and Infrastructure
- Whether communications should be distributed or centralized
- How to implement trusted channels
- How to design secured environments
- How to issue credentials: locally, regionally, or centrally
- How to protect individuals' privacy and safeguard their personal information
- How to distribute trusted materials
- How to control and manage system access

Enrollment Stations
- The environment and location of enrollment stations
- What method to adopt for operator self-authentication
- What method to adopt for verifying the credential applicant's identity
- How stations should interact with the network

Issuance Process
- What the ID personalization process should be
- How to be sure the distribution process complies with the defined security policy
- How to implement ID inventory physical security
- How to audit ID cards
- How to implement data security
- What the life-cycle management process should be

ID Credential / Card
- What types of applications to support, now and in the future
- What the ID card will look like, what information should be on it, whether anti-counterfeiting and anti-tampering features are needed, whether a photo or other biometric is needed
- How often the ID should be used and under what conditions
- The type of ID technology
- The security certification level

Cryptography
- Which encryption technology to select
- Whether to implement symmetric or asymmetric keys
- How many keys to issue and what key space size is desirable

Biometrics
- Whether to use biometrics (e.g., fingerprint, facial, iris scan)
- What algorithm to use to process biometric information
- How many biometric measurements to store and where to store them
- Under what conditions to use biometrics

ID Readers
- Location, number, and architecture of ID readers and how to protect them
- Design and appearance of the readers
- How the ID should authenticate the readers
- How to manage security features and security certification level
- How to implement secure communication with the network
- What processes to use to manufacture readers

2.3 Smart Card Benefits for Identification Systems Smart card technology can strengthen the security and privacy of an ID system. Smart cards can act as the individual’s ID card and allow secure access to information and services in both online and offline system designs. With the ability to store, protect and modify information written to the on-card electronic device (i.e., chip), smart cards offer unmatched flexibility and options for information sharing and transfer, while providing the unique ability to incorporate privacy-sensitive features.


2.3.1 Support for Physical and Digital Identity Smart cards provide the unique capability to easily combine identification and authentication in both the physical and digital worlds. This can generate significant savings, since the smart card-based ID card can be used not only to allow physical access to facilities and services, but also to allow individuals to access secure networks.

2.3.2 Authenticated and Authorized Information Access The information required to identify an individual typically depends on the individual’s role in the situation. For example, some situations may only require proof that the individual is older than a certain age (e.g., 21) and not information about where the individual lives. An identification document that includes multiple types of information may provide more information than is needed for a particular transaction. The smart card’s ability to process information and react to its environment gives it a unique advantage in providing authenticated information access. A smart card is able to release only the information required and only when it is required. Unlike other forms of identification (such as a passive printed driver’s license), a smart card does not expose all of an individual’s personal information (including potentially irrelevant information) when it is presented.

2.3.3 Strong ID Card Security When compared with other tamper-resistant ID cards, smart cards represent the best compromise between security and cost. When used with other technologies such as public key cryptography and biometrics, smart cards are almost impossible to duplicate or forge and data stored in the chip can’t be modified without proper authorization (a password, biometric authentication or cryptographic access key). Smart cards can also help to deter counterfeiting and thwart tampering. Smart cards include a variety of hardware and software capabilities that detect and react to tampering attempts and help counter possible attacks. Where smart ID cards will also be used for manual identity verification, visual security features can be added to a smart card body.

2.3.4 ID Credential Security Protecting the privacy, authenticity, and integrity of the data encoded on an ID as credentials is a primary requirement for a secure ID system. Sensitive data is typically encrypted, both on the smart ID card and during communications with the external reader. Digital signatures can be used to ensure data integrity, with multiple signatures required if different authorities create the data. To ensure privacy, applications and data on the card must be designed to prevent information sharing.

2.3.5 System Component Authentication For the most robust security and privacy, the secure ID system may require that system components authenticate the legitimacy of other components during the identity verification process. The smart ID card can verify that the card reader is authentic, and the card reader in turn can authenticate the smart ID card. The smart ID card can also ensure that the requesting system has established the right to access the information being requested.

2.3.6 Smart Card Support for Privacy Requirements The use of smart cards strengthens the ability of a system to protect individual privacy. Unlike other identification technologies, smart cards can implement a personal firewall for an individual, releasing only the information required and only when it is required. The card's unique ability to verify the authority of the information requestor and its strong card and data security make it an excellent guardian of the cardholder's personal information. By allowing authorized, authenticated access only to the information required by a transaction, a smart card-based ID system can protect an individual's privacy while ensuring that the individual is properly identified. (Section 9 describes privacy requirements in more detail.)
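The selective release described in 2.3.2 (an age check that does not reveal the birth date) and the "personal firewall" of 2.3.6 (verify the requester's authority, then release only what it is authorized to see) can be modelled in a few dozen lines. The following Python is an added example, not code from the Smart Card Alliance module or from any card product. It assumes a constructed issuer key shared with the card at personalization, and uses an HMAC tag over the requester identity, attribute set and expiry as a stand-in for the certificate-based authorization a real card would verify; the holder record, requester names and reference clock are all constructed for the demonstration.

```python
import hmac
import hashlib
import json
from datetime import date

# Constructed issuer key shared between issuer and card at personalization
# (hypothetical). An HMAC tag over the requester, its attribute set and an
# expiry stands in for the certificate-based authorization a real card checks.
ISSUER_KEY = b"constructed-issuer-key-for-example-only"

def issue_authorization(requester_id, attributes, expires_at, key=ISSUER_KEY):
    """Issuer grants a requester the right to read a fixed attribute set."""
    body = {"requester": requester_id, "attributes": sorted(attributes),
            "expires_at": expires_at}
    msg = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, msg, hashlib.sha256).hexdigest()}

class SmartIDCard:
    """Releases only what a verified requester is authorized to see."""

    def __init__(self, holder_attributes, key=ISSUER_KEY):
        self._attributes = dict(holder_attributes)
        self._key = key

    def _authorized_set(self, auth, now):
        """Verify the issuer's tag and expiry; return the allowed attributes."""
        msg = json.dumps(auth["body"], sort_keys=True).encode()
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth["tag"]):  # constant-time compare
            return set()
        if now >= auth["body"]["expires_at"]:
            return set()
        return set(auth["body"]["attributes"])

    def request(self, auth, requested, now):
        """Return the requested attributes the requester may see, nothing else."""
        allowed = self._authorized_set(auth, now)
        return {name: self._attributes[name] for name in requested
                if name in allowed and name in self._attributes}

    def over_age(self, auth, years, today, now):
        """Answer 'is the holder at least N years old' without releasing the
        birth date; None when the requester is not authorized to ask."""
        if "age_over" not in self._authorized_set(auth, now):
            return None
        dob = self._attributes["date_of_birth"]
        age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
        return age >= years

# Constructed holder record and reference clock for the demonstration.
HOLDER = {"name": "Example Holder", "address": "1 Constructed Street",
          "date_of_birth": date(1990, 6, 15), "employee_id": "E-0001"}
NOW = 1_430_956_800
CARD = SmartIDCard(HOLDER)

def demo():
    bar = issue_authorization("bar-terminal-7", ["age_over"], NOW + 3600)
    hr = issue_authorization("hr-system", ["name", "employee_id"], NOW + 3600)
    forged = dict(hr, tag="00" * 32)                      # tampered tag
    stale = issue_authorization("hr-system", ["name"], NOW - 1)
    return {
        "bar_age_check": CARD.over_age(bar, 21, date(2015, 5, 7), NOW),
        "bar_wants_address": CARD.request(bar, ["address"], NOW),
        "hr_release": CARD.request(hr, ["name", "employee_id", "address"], NOW),
        "forged": CARD.request(forged, ["name"], NOW),
        "expired": CARD.request(stale, ["name"], NOW),
    }
```

The bar terminal learns only a yes/no answer, the HR system gets the two attributes it was authorized for and not the address it also asked for, and a forged or expired authorization yields nothing at all. The same shape, with a signature and certificate in place of the HMAC, is what lets a card act as the requester-verifying guardian the text describes.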

2.3.7 Smart Card Support for Strong Authentication More and more organizations today are looking for stronger authentication solutions – beyond usernames and passwords – to validate that the users accessing systems are who they say they are. Smart cards are used to enable multi-factor authentication, incorporating something that you have (the smart card), something that you know (typically a personal identification number (PIN) that activates the card’s cryptographic functions), and something you are (a biometric). Smart card-based strong authentication not only improves the overall security of the IT infrastructure but also reduces costs associated with password management.
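The two factors just described (the card as something you have, the PIN as something you know that activates its cryptographic functions) and the component authentication of 2.3.5 (card verifies reader, reader verifies card) fit together in one flow. The Python below is an added example and not code from the module or from any card product: a PIN with a retry counter gates the card's cryptographic operations, after which card and reader authenticate each other by challenge-response. The shared symmetric key, PIN, card ID and the HMAC-based responses are constructed assumptions standing in for whatever mechanism a real card implements.

```python
import hmac
import hashlib
import secrets

# Constructed per-card key shared with the reader's key store (hypothetical).
CARD_KEY = b"constructed-card-key-for-example-only"
PIN_SALT = b"constructed-salt"

def _mac(key, *parts):
    """HMAC over length-prefixed parts: a stand-in for the card's real
    cryptographic response, which cannot be produced without the key."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def _pin_digest(pin):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 10_000)

class SmartCard:
    MAX_PIN_TRIES = 3

    def __init__(self, card_id, key, pin):
        self.card_id = card_id
        self._key = key
        self._pin_ref = _pin_digest(pin)
        self.tries_left = self.MAX_PIN_TRIES
        self.unlocked = False

    def verify_pin(self, pin):
        """Wrong PINs count down; at zero the card blocks (issuer unblock needed)."""
        if self.tries_left == 0:
            return False
        if hmac.compare_digest(_pin_digest(pin), self._pin_ref):
            self.tries_left, self.unlocked = self.MAX_PIN_TRIES, True
            return True
        self.tries_left, self.unlocked = self.tries_left - 1, False
        return False

    def respond(self, reader_nonce):
        """Answer the reader's challenge; refused until the PIN was presented."""
        if not self.unlocked:
            raise PermissionError("cryptographic functions require PIN verification")
        card_nonce = secrets.token_bytes(16)
        tag = _mac(self._key, b"card->reader", self.card_id.encode(), reader_nonce, card_nonce)
        return card_nonce, tag

    def verify_reader(self, reader_nonce, card_nonce, tag):
        """The card authenticates the reader before it will release any data."""
        expected = _mac(self._key, b"reader->card", self.card_id.encode(), card_nonce, reader_nonce)
        return hmac.compare_digest(expected, tag)

class Reader:
    def __init__(self, keys):
        self._keys = keys  # card_id -> key, from the reader's protected key store

    def challenge(self):
        return secrets.token_bytes(16)  # fresh nonce, so old answers cannot be replayed

    def verify_card_and_answer(self, card_id, reader_nonce, card_nonce, tag):
        """Check the card's proof; on success return the reader's own proof."""
        key = self._keys.get(card_id)
        if key is None:
            return None
        expected = _mac(key, b"card->reader", card_id.encode(), reader_nonce, card_nonce)
        if not hmac.compare_digest(expected, tag):
            return None
        return _mac(key, b"reader->card", card_id.encode(), card_nonce, reader_nonce)

def mutual_authenticate(card, reader, pin):
    """Full flow: PIN, then card-to-reader proof, then reader-to-card proof."""
    if not card.verify_pin(pin):
        return "pin-rejected"
    reader_nonce = reader.challenge()
    card_nonce, card_tag = card.respond(reader_nonce)
    reader_tag = reader.verify_card_and_answer(card.card_id, reader_nonce, card_nonce, card_tag)
    if reader_tag is None:
        return "card-rejected"
    if not card.verify_reader(reader_nonce, card_nonce, reader_tag):
        return "reader-rejected"
    return "authenticated"

def rogue_reader_attempt(card, pin):
    """A reader without the card key cannot prove itself, so the card refuses it."""
    card.verify_pin(pin)
    reader_nonce = secrets.token_bytes(16)
    card_nonce, _ = card.respond(reader_nonce)
    bogus = _mac(b"unknown-key", b"reader->card", card.card_id.encode(), card_nonce, reader_nonce)
    return card.verify_reader(reader_nonce, card_nonce, bogus)

def demo():
    reader = Reader({"CARD-0001": CARD_KEY})
    genuine = SmartCard("CARD-0001", CARD_KEY, "1234")
    cloned = SmartCard("CARD-0001", b"guessed-key", "1234")  # copied ID, no key
    blocked = SmartCard("CARD-0001", CARD_KEY, "1234")
    attempts = [mutual_authenticate(blocked, reader, p) for p in ("0000", "0000", "0000", "1234")]
    return {
        "genuine": mutual_authenticate(genuine, reader, "1234"),
        "wrong_pin": mutual_authenticate(genuine, reader, "9999"),
        "cloned": mutual_authenticate(cloned, reader, "1234"),
        "blocked": attempts,  # three wrong PINs, then the right one is refused too
        "rogue_reader": rogue_reader_attempt(genuine, "1234"),
    }
```

Three points carry over to real deployments: the PIN never leaves the card and only unlocks its key, the retry counter makes PIN guessing a dead end, and the direction strings in each tag keep a card's own answer from being replayed back to it as a reader's proof.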

2.3.8 Smart Cards and Biometrics Secure ID systems that require a high degree of security and privacy are increasingly implementing both smart card and biometric technology. Smart cards and biometrics are a natural fit to provide two- or multi-factor authentication. A smart card is the logical storage medium for biometric information. During the enrollment process, the biometric template can be stored on the smart card chip for later verification. Only the authorized user with a biometric matching the stored enrollment template receives access and privileges. (Section 7 describes biometrics in more detail.)

2.3.9 Enhanced Business Case with Multiple Applications Using smart cards enables an identification system to include multiple applications. By taking advantage of the smart card chip's capabilities, organizations can enhance the business case for implementing a new identification system and increase the ability of that system to handle future needs. Examples of applications included on a smart card-based ID card include:

- Physical access control
- Logical access control (e.g., for securely accessing computers and networks)
- Payment (e.g., electronic purse or open credit/debit payment)
- Secure data storage (e.g., healthcare information, financial account information, biometric template)
- Privilege management (e.g., electronic benefits, citizenship status, healthcare insurance)

2.3.10 Enhanced Convenience for Users A smart card-based ID card can provide enhanced convenience for users. A single corporate or government ID badge can be used for both physical access to facilities and logical access to computers and networks. Smart card-based strong authentication can simplify computer logon for users, eliminating the need to remember multiple, complex passwords. The same smart card ID card can support a variety of applications that secure communications and transactions – for example, Windows logon, email and document encryption, electronic signatures, VPN access and secure wireless network access.

2.3.11 Ease of Integration and Deployment in Information Technology Systems Management tools and deployment methods are available that facilitate large deployments of smart cards. Card management systems integrated into an organization’s directory or procurement system provide the functionality needed to deploy and manage smart cards and their credentials. Reader drivers and smart card middleware are mature and easily deployed throughout an organization, supporting all operating system platforms.


2.3.12 Improved Life Cycle Management Information and applications stored electronically on a smart card can be updated by authorized entities even after the card has been issued. This improves manageability and reduces the cost of an ID system, since new cards do not have to be issued to update data on the card or support new applications.

2.3.13 Flexible Support for Migration Using Multiple Technologies ID cards may be composed of many different elements, each specific to a particular use, such as: printed cardholder photo and name; barcode, magnetic stripe, contactless chip, contact chip, optical stripe; embossing, security markings⁴, signature panel, issuing authority information. The use of a multi-technology smart ID card can be part of a migration strategy for an organization or the solution itself. The combination of a small number of compatible ID technologies into a single smart card is easier and can be more cost-effective than combining many technologies. While multi-technology cards may provide solutions for accommodating legacy systems, organizations must carefully consider the added complexity of implementing and maintaining multiple technologies and whether the combination desired is possible or practical to implement.

2.3.14 Support for Multiple Form Factors Smart card technology is available in multiple form factors so that the appropriate form can be selected for the function. Form factors include: plastic cards, mini-cards and tags, stickers, USB tokens, key fobs, watches and mobile phones.

2.3.15 Interoperable, Standards-Based Technology Smart cards are based on proven, robust industry standards, with an increasing number of standards also specifying how smart cards are used with applications. Standards-based solutions deliver a number of important benefits. Standardization fosters interoperability. Standardization simplifies implementation by driving the industry to develop products, applications, processes, and practices that meet the standard and are interoperable. Standardization provides enterprises with a greater variety of products at a lower cost.

2.4 Summary

Smart cards are a vital and visible link in the chain of trust for secure ID systems. They serve as the issuer's agent of trust and deliver unique capabilities to securely and accurately verify the identity of the cardholder, authenticate the ID credential, and serve the credential to the ID system. Table 2 shows how smart cards help address the issues and challenges that cause vulnerabilities in today's ID systems.

⁴ Security markings can be used to deter tampering and counterfeiting. Technologies such as ornamental borders, microtext, ultraviolet text, holograms, kinegrams, multiple laser images and laser engraving are some examples. Although adding to printing costs, security markings may be required if tampering or counterfeiting is a real or perceived threat.


Table 2. Smart Cards and ID System Challenges

Issues & Challenges / How Smart Cards Help Address ID System Issues & Challenges

Inadequate security and privacy
- Smart cards strengthen the ID system's ability to protect individual privacy and secure personal information, providing authenticated and authorized information access, implementing a personal firewall for an individual and providing secure on-card storage of private information.
- Smart cards provide strong ID card security. Smart cards are almost impossible to duplicate or forge, and data in the chip cannot be modified without proper authorization.
- Smart cards increase the security and accuracy of identity authentication processes.
- Smart cards used for logical access can store passwords, PINs and/or certificates securely and support single sign-on capabilities, improving enterprise logical security and simplifying identity management.

Identity not sufficiently verified
- Smart cards strengthen the security of identity authentication processes.
- Smart cards provide a secure, convenient, and cost-effective technology that can store additional authentication factors (biometric, PIN, password, certificates) to more accurately verify that the cardholder is the individual authorized to use the ID.
- Smart cards provide strong ID card security, supporting features that deter counterfeiting and thwart tampering.

Difficult credential management
- A single smart ID card used for logical access can store passwords, PINs, and/or certificates securely and support single sign-on capabilities.
- A single smart ID card can support multiple applications, simplifying the identification process for security staff, ID system administrators, and individuals.
- The use of smart ID cards for logical access simplifies users' access to systems and provides for more straightforward management of logical access applications.
- Information and applications stored on a smart card can be updated even after the card has been issued. This improves manageability and reduces the cost of an ID system, since new cards do not have to be issued to update data on the card or support new applications.

Multiple credentials
- A single smart ID card can support multiple applications, replacing multiple, hard-to-manage ID cards and implementing more straightforward logical access applications.

Proprietary and inflexible
- Smart card technology is based on mature standards. Cards complying with these standards are developed commercially and have an established market presence. Multiple vendors are capable of supplying the standards-based components necessary to implement a smart card-based secure ID system, providing buyers with interoperable equipment and technology at a competitive cost.

Physical and logical convergence
- Smart cards support multiple applications, including both physical and logical access. Both contactless and contact smart card technologies can be used for access control applications.

Usability problems
- Smart cards supporting multiple applications on a single ID card provide improved user convenience.
- Smart cards provide a convenient method for storing user information (e.g., password, biometric), making the authentication process easier and more convenient for the user.

Little or no apparent ROI
- The ability of smart cards to support multiple applications is a real advantage. The return on investment becomes more attractive when the ID system provides multiple benefits, either to multiple groups within an organization or across organizations.
- A multiple technology smart card can ensure that a new ID system is interoperable with legacy systems and can provide a cost-effective migration path to new ID system technology.


3 Identity Cards and Tokens

Smart cards are widely acknowledged as one of the most secure and reliable forms of electronic identity cards for storing electronic identification and related data. However, the term "smart card" is something of a misnomer. While the plastic card was the initial smart card form factor, the smart chip technology that provides the capabilities and functionality used by identity and security applications is now available in a wide variety of form factors, including plastic cards, key fobs, subscriber identification modules (SIMs) used in GSM mobile phones, watches, electronic passports and USB-based tokens. Currently, the most widely used forms of smart card technology for identity and security applications are cards, USB-based tokens, standalone one-time-password (OTP) tokens and the ePassport (discussed in Section 4). Mobile devices with embedded smart card technology are expected to have a growing role in mobile identity applications (discussed in Section 3.4).

3.1 Identity Cards

The most common form factor for a smart identity card is the plastic card. The smart ID card conforms to ISO/IEC 7810, ISO/IEC 7816 and ISO/IEC 14443. In the card form factor, smart card technology can also be used in a multi-function smart ID badge, providing a visual ID card as well as enabling automated, authenticated physical and logical access. The same physical smart ID card can contain multiple ID technologies, including the embedded chip, visual security markings, a printed photograph, printed bar code, magnetic stripe and/or optical stripe. Thus, a single card can be compatible with many forms of existing infrastructure. Figure 1 illustrates components on a typical smart ID card.

Figure 1. Smart ID Card Example (callouts: sub-surface chip and antenna used for contactless applications; digital photo (visual biometric); organization name and logo; plastic card body, typically with security printing and features to verify card authenticity; smart card secure microcontroller chip for secure data storage, digital credential processing, on-card match of biometrics, logical access and other applications; multiple technology card for compatibility with legacy systems)

Where smart ID cards will also be used for manual identity verification, security features can also be added to the smart card body, such as unique fonts, ink color and multicolor arrangements, micro printing, high quality ultraviolet ink on the front and rear, ghost imaging (a secondary photograph of the holder in an alternative location on the card), and multiple-layered holograms, including three-dimensional images.5 The following describes common security printing features and devices.

5 State-wide Grand Jury Report: Identity Theft in Florida, November 2002


3.1.1 Security Printing Features

3.1.1.1 Printing Security Levels

There are three levels of printing security that should be considered.

• Level 1: Level 1 security features are designed to easily identify a credential with little or no training and without tools. A few examples are holograms, watermarks, and color-shifting inks. Very simple to use and easy to see, these methods are common and easy to validate.

• Level 2: Level 2 security features are not visible to the naked eye. Authentication of Level 2 security printing requires some training and simple tools. A few examples are fluorescent inks and micro printing. Commonly used by airport screening staff, these methods require simple tools such as a magnifying glass and an ultraviolet light, and are familiar to most people. Another example is micro-printing with font mismatch and misspelled words. Level 2 methods are difficult to duplicate and simple for trained staff to authenticate.

• Level 3: Level 3 security features require special training and equipment. Sometimes these are created by the issuer and distributed to a qualified and cleared printing service. A few examples include special material, special ink and specialized printing equipment not available on the public market.

3.1.1.2 Lithographic Printing

Lithographic printing allows very detailed design work and intricate patterns to be precisely duplicated from card to card. This technique can be performed to yield two different effects:

• Line Color – The printing of one or more specific custom-matched inks. The Pantone Matching System can be used for specific color requests.

• Process Printing – The printing from a series of two or more half-tone plates to produce intermediate colors and shades. In four-color process printing, the four inks are yellow, magenta, cyan, and black.

3.1.1.3 Micro-Printing

Lithographic micro-printing consists of printed copy in sizes so small that it can only be detected under magnification. To the naked eye, the copy line appears as a solid line in the graphic design. This technique can be used as an enhanced security feature and can assist with fraud prevention: copying will cause the line of type to become a solid rule. This feature can be found on driver's license credentials, bank cards, and currency and can be applied in custom lithographic ink(s). It can be used to outline a logo or photograph and appears as only an outline until greater magnification is applied. Batch codes can also be built into this feature for further identification and controls. Intentional misspellings are often used to validate an authentic credential.

Figure 2. Micro Printing

3.1.1.4 Fine Line Guilloche Background Printing

Lithographic ink(s) are printed in a very fine, intricate surface pattern of curvilinear fine lines that cross each other in a complex fashion. They are often repeated over the face and back of the identification credential. The shape of the lines is determined by a mathematical formula. The various elements include protective grids, rosettes, borders, vignettes, and corners. A guilloche pattern can be either symmetric or asymmetric. The composition of a fine line guilloche background includes a multi-color pattern to enhance the design. These printed fine line surface elements make reproduction very difficult due to the very fine line width and alternating curve. This feature can often be found on bank cards and currency and can be applied in custom lithographic ink(s).

Figure 3. Fine Line Guilloche Pattern

3.1.1.5 Altered Font

The altered font feature can be used to change or alter a font size or style as a covert security feature. Slight modifications of text characters are obvious only to those who are trained to look for them. This feature would be applied during the lithographic printing run and would need to be present during the artwork creation. The proof prepared for content and text confirmation would include this subtle change in copy.

3.1.1.6 Full Color Ultraviolet

Ultraviolet (UV) fluorescent inks can be printed during card body production as a security feature and detected only under ultraviolet light. There are two full color UV inks currently available (red and blue). This feature is easy to authenticate with a proper ultraviolet light source and is undetectable under normal light conditions. The UV fluorescent effect is impossible to photocopy or digitally recreate.

Figure 4. Ultraviolet Features

3.1.2 Security Devices

Several security devices can be added to the card in addition to the optically variable ink (OVI) that is part of credential specifications. Holograms and Kinegrams can be developed to provide additional security. These features can also be added to the overlaminate applied during the personalization process.

3.1.2.1 Kinegram

A Kinegram (trade name) is an optically variable device that can be used to secure the identification credential. The device can be obtained in a metallic, partially metallic, or transparent version. The device has image movement in the surface appearance and can have multiple designs incorporated in one Kinegram.

Figure 5. Kinegram

3.1.2.2 Hologram

The hologram is an element with a pattern produced on a photosensitive medium that has been exposed by holography and then photographically developed. Bright, eye-catching motion, colors, and depth are the key features of a hologram, and it can be customized to include a specific design or logo. The hologram is applied by heat transfer and can contain multiple anti-counterfeiting features and technologies.

Figure 6. Hologram

3.2 USB Tokens

Smart card technology is built into USB-based tokens that provide a portable authentication device that can be used with any computer with a USB port – i.e., without a dedicated smart card reader. USB-based tokens can be used for any logical access application that a smart card can be used for – secure data, password and PKI credential storage, encryption/decryption – and support multi-factor access to the Internet, VPNs, computers or wireless networks. Smart card-based USB tokens can generate one-time passwords (OTP) and support digital signatures for transactions, documents and secure email.


USB-based tokens provide a portable, easy-to-use and secure authentication device for logical access applications. Smart card-based USB tokens may be designed with a SIM to provide field-serviceability. Figure 7 shows examples of smart-card-based USB tokens.

Figure 7. Examples of Smart Card USB Tokens6

3.3 One-Time Password Tokens

OTP tokens are used for portable, secure logon, generating a new one-time password every time a user remotely logs into a network. The user typically generates an OTP by pressing a button on the token, which then displays a new dynamic password. OTP tokens may or may not be smart card-based. With smart card technology, OTP tokens provide secure data storage and cryptographic computations. A smart ID card can also be used to generate OTPs with a portable reader. Figure 8 shows examples of smart-card-based OTP tokens and smart-card-enabled OTP readers.

Figure 8. OTP Tokens and Readers7

6 Images provided courtesy of ActivIdentity, Gemalto, HID Global and SCM Microsystems.


While many OTP tokens are based on proprietary algorithms, the Initiative for Open Authentication (OATH) has been working with the Internet Engineering Task Force (IETF) to develop open standards. One standard has been published, HOTP: An HMAC-Based OTP Algorithm (IETF RFC 4226), with several other authentication methods and provisioning specifications now being discussed as IETF drafts.
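The HOTP computation defined in RFC 4226, together with the server-side look-ahead window and failure throttling the RFC recommends, as an added Python example (not code from the Smart Card Alliance module or from OATH). The secret is the RFC 4226 test key; the HotpVerifier class, its window size and its failure limit are this example's own assumptions, chosen to show why a verifier must consume each value (so a captured OTP cannot be replayed) and must stop searching after a bounded number of failures:

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one token (hypothetical helper, not an OATH API).

    Keeps the next expected counter, searches a small look-ahead window so a
    token whose button was pressed without completing a logon can resynchronise,
    and locks after repeated failures (the throttling RFC 4226 calls for)."""

    def __init__(self, secret: bytes, look_ahead: int = 5, max_failures: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.look_ahead = look_ahead
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def verify(self, candidate: str) -> bool:
        if self.locked:
            return False
        for offset in range(self.look_ahead + 1):
            c = self.counter + offset
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1  # consume this value: replaying it is now rejected
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True        # an administrator would have to unlock the token
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"  # the RFC 4226 test secret
    for c in range(3):
        print(c, hotp(key, c))
```

The verifier never moves its counter backwards, so an OTP observed over the shoulder is useless once the legitimate value with the same or a later counter has been accepted.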

3.4 Mobile Devices and Identity Authentication and Access Control Applications

The use of mobile devices for secure payment, identity and access applications is an emerging market. The identity and access control applications may use Near Field Communication (NFC) technology, the secure element, or other mobile device functionality. Example identity authentication and access control applications using mobile devices may include:

• Storing identity credentials on a mobile device and using them for logon, digital signatures and encryption in secure mobile browser sessions.
• Generating and/or receiving one-time passwords for use with logon to secure sites.
• Storing identity credentials on an NFC-enabled mobile device and using the credentials for physical access. For example, in 2011, HID Global conducted a pilot with Arizona State University in which digital credentials were stored on NFC smartphones and then used for physical access to pilot participants' residence halls and other selected rooms.8
• Storing identity credentials on an NFC-enabled mobile device and using the credentials for secure logon. For example, the Canadian government has a project to allow citizens to use contactless bank cards and contactless/NFC-enabled USB devices to access online government services; this would be equally relevant to NFC-enabled mobile phones.9

In addition, NIST is evaluating how to use mobile devices with the FIPS 201-2 Personal Identity Verification (PIV) credential for identity authentication and access control and the PIV derived credential defined in SP 800-157. Three approaches being considered are: the use of hardware that would connect the PIV card physically to the mobile device; the use of NFC in the mobile device and a secure channel to read the PIV card and use the PIV card's credentials for authentication and other tasks; and the generation of a derived credential that would be stored in the mobile device's secure element and then used for authentication. Additional information on the FIPS 201-2 PIV cards can be found in Section 8.5.1. Additional information on NFC and the secure element can be found in CSCIP Module 4, Smart Card Usage Models – Mobile and NFC.

7 Images provided courtesy of ActivIdentity and Gemalto.
8 HID Global Completes NFC Mobile Access Control Pilot at Arizona State University, HID Global press release, January 30, 2012, http://www.businesswire.com/news/home/20120130005393/en/HID-Global-Completes-NFC-Mobile-Access-Control
9 Canadian banks to offer authentication backbone to government ID scheme, Finextra, November 7, 2011, http://www.finextra.com/News/Fullstory.aspx?newsitemid=23132

3.5 Standards for Identity Applications on Smart Cards

Organizations implementing standards-based identity programs typically use the international standards for smart card technology – ISO/IEC 7816 and ISO/IEC 14443 – and for the cryptography and biometric features that are used on the ID card. (See CSCIP Module 1, Section 10, Relevant Standards and Specifications, and CSCIP Module 2, Security, for additional information.) In addition, ISO/IEC 24727 is a multi-part standard aimed at achieving interoperability among various smart card systems. The goal is to provide the necessary interfaces and services to enable interoperability among divergent systems, with a particular focus on identification, authentication, and signature services, and removing the dependence on vendor-specific implementations.10 ISO/IEC 24727 is a set of programming interfaces for interactions between integrated circuit cards and external applications, including generic services for multi-sector use. The organization and the operation of the ICC conform to ISO/IEC 7816-4.

The standards used for the identity applications and data stored on the ID card, however, often vary by issuer or by industry. Examples include:

• The ICAO Doc 9303 standard, which defines the data model and technologies used with the contactless smart card chip in ePassports. (See additional information in Section 4.)
• The FIPS 201-2 and NIST SP 800-73-4 PIV card standard, which defines the data model and technologies used for a secure smart identification card used by the U.S. Federal government. The U.S. Federal government's adoption of this standard and its anticipated use in many U.S. government and commercial markets are expected to further drive standards-based applications and simplify organizations' implementation of smart card-based systems. (See additional information in Section 8.5.1.)
• The Comité Européen de Normalisation (CEN) TS 15480 standard, which defines the logical data structure, the security and privacy mechanisms of the data, and the interface and communication protocols for the European Citizen Card (ECC). The ECC was developed to provide an interoperable and cross-border e-services solution. (See additional information in Section 8.1.1.)
• ISO/IEC 18013, which establishes the design format and data content of an ISO-compliant driving license (IDL) with regard to the human-readable (visual) features and the placement of ISO machine-readable technologies on the card.
• Healthcare card standards, including:
  - ANSI INCITS 284, which specifies physical characteristics, layout, data access techniques, data storage techniques, numbering system, registration procedures (but not security requirements) of health identification cards
  - ISO/IEC 13606, which specifies the communication of part or all of the electronic health record (EHR) of a single identified subject of care between EHR systems, or between EHR systems and a centralized EHR data repository
  - ISO/IEC 18307, which specifies interoperability and compatibility in messaging and communication standards for health informatics
  - ISO/IEC 21549, which specifies patient health card data.

10 Source: NIST, http://www.itl.nist.gov/ITLPrograms/IDMS/external/standards_metrics.html


4 ePassports11

The electronic passport, or ePassport, is the same as a traditional passport book with the addition of a small, embedded integrated circuit (i.e., smart card chip) and antenna. While the location of the contactless chip and its antenna is at the discretion of the issuing country, in many countries the chip is embedded in the ePassport cover. The chip stores:

• The same data visually displayed on the data page of the passport;
• The passport holder's picture stored in digital form;
• The unique chip identification number;
• A digital signature to detect data alteration and verify signing authority;
• Additional data, as defined by specific issuing governments.

Standards for the ePassport have been established by the International Civil Aviation Organization (ICAO)12 and are followed by all countries implementing ePassports. The ICAO is a United Nations agency that oversees international air travel. Its latest report shows not only that approximately 100 out of 193 U.N. member states are currently issuing ePassports, but also that additional countries are set to issue ePassports over the course of the next few years.13 All ePassports can be recognized by the internationally recognized symbol that is printed on the front cover.14 This electronic passport symbol identifies the passport as an ePassport. The symbol is also displayed at border crossing stations that have the capability to process ePassports. All ePassports follow the common ICAO standard. However, countries implement ePassport programs according to their specific policies and may implement different options specified in the standard. This results in differences among country implementations of ePassports even though they all conform to the ICAO specification. This section provides an overview of ePassport features and specifications.

4.1 ePassport Features and Specifications15

4.1.1 Contactless Chip ICAO specifies that a contactless smart card chip conforming to ISO/IEC 14443 Type A or Type B be built into all ePassports, with operating system conforming to ISO/IEC 7816-4 and read range up to 10 centimeters. ICAO specifies that the data storage capacity of the chip be a minimum of 32 Kbytes to store the mandatory facial image, the duplicate MRZ data and the necessary elements to secure the data.

4.1.2 Biometrics ICAO specifies the facial image as a mandatory biometric for all ePassports. ICAO also states that a country may optionally elect to use fingerprint and/or iris biometrics in addition to the facial image. The original captured biometric images must be stored on the ePassport integrated circuit to enable global interoperability.

11 ePassport Frequently Asked Questions, Smart Card Alliance FAQ, March 2009
12 Additional information can be found at http://www2.icao.int/en/mrtd/Pages/default.aspx.
13 39 Myths about ePassports: Part I, ICAO MRTD Report, Vol. 5, No. 1, 2010, http://www2.icao.int/en/MRTD2/ReportsPastIssues/ICAO%20MRTD%20Report%20Vol.5%20No.1,%202010.pdf#page=24
14 The symbol is defined in the ICAO Doc 9303 Machine Readable Travel Document specification.
15 ICAO Doc 9303 Machine Readable Travel Documents, Part 1 Machine Readable Passports, Volume 2 Specifications for Electronically Enabled Passports with Biometric Identification Capability, Sixth Edition 2006


4.1.3 Logical Data Structure

ICAO specifies a standardized logical data structure to enable global interoperability for electronically reading data stored in the ePassport chip. The data structure includes both mandatory and optional data elements. Mandatory data elements include the details recorded in the ePassport's machine-readable zone (MRZ) and the encoded facial image. MRZ data includes: document type, issuing state or organization, name of ePassport holder, document number, document number check digit, nationality, date of birth (DOB), DOB check digit, sex, expiration date, expiration date check digit, optional data, and composite check digit.
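The check digits listed above protect the printed MRZ against OCR misreads and crude alteration; an inspection system recomputes each one before trusting the field. The following is an added Python example (not code from the Smart Card Alliance module or from ICAO) of the ICAO Doc 9303 check-digit scheme applied to the lower line of a passport (TD3) MRZ: digits count as themselves, letters A to Z as 10 to 35, the filler character "<" as 0, each value is multiplied by the repeating weights 7, 3, 1, and the sum modulo 10 is the check digit. The sample line is the specimen MRZ published in ICAO Doc 9303; the function names are this example's own:

```python
def mrz_char_value(ch: str) -> int:
    """ICAO Doc 9303 character values: digits as themselves, A-Z as 10-35, filler '<' as 0."""
    if ch == "<":
        return 0
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"character {ch!r} is not valid in an MRZ")


def check_digit(field: str) -> str:
    """Weighted sum of the field with repeating weights 7, 3, 1, reduced modulo 10."""
    weights = (7, 3, 1)
    total = sum(mrz_char_value(ch) * weights[i % 3] for i, ch in enumerate(field))
    return str(total % 10)


def parse_td3_line2(line: str) -> dict:
    """Split the 44-character lower MRZ line of a TD3 (passport) document into its fields."""
    if len(line) != 44:
        raise ValueError("TD3 MRZ lines are exactly 44 characters")
    return {
        "document_number": line[0:9],
        "document_number_check": line[9],
        "nationality": line[10:13],
        "date_of_birth": line[13:19],
        "date_of_birth_check": line[19],
        "sex": line[20],
        "expiry": line[21:27],
        "expiry_check": line[27],
        "optional_data": line[28:42],
        "optional_data_check": line[42],
        "composite_check": line[43],
    }


def validate_td3_line2(line: str) -> dict:
    """Return, per check digit, whether the printed digit matches the recomputed one."""
    f = parse_td3_line2(line)
    # An all-filler optional field may carry '<' instead of a digit as its check character.
    optional_ok = check_digit(f["optional_data"]) == f["optional_data_check"] or (
        f["optional_data_check"] == "<" and set(f["optional_data"]) == {"<"}
    )
    # The composite digit covers positions 1-10, 14-20 and 22-43 of the line (1-indexed).
    composite_input = line[0:10] + line[13:20] + line[21:43]
    return {
        "document_number": check_digit(f["document_number"]) == f["document_number_check"],
        "date_of_birth": check_digit(f["date_of_birth"]) == f["date_of_birth_check"],
        "expiry": check_digit(f["expiry"]) == f["expiry_check"],
        "optional_data": optional_ok,
        "composite": check_digit(composite_input) == f["composite_check"],
    }


# Specimen lower MRZ line from ICAO Doc 9303 (holder "Eriksson", issuing state UTO).
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

if __name__ == "__main__":
    for name, ok in validate_td3_line2(SPECIMEN_LINE2).items():
        print(f"{name:16s} {'ok' if ok else 'MISMATCH'}")
```

Because the composite digit spans the document number, date of birth and expiry fields together with their own check digits, altering any one of those fields without also recomputing both its own digit and the composite digit is detected by the inspection system.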

4.1.4 ePassport Security Measures

4.1.4.1 Basic Access Control

Basic Access Control (BAC) is an optional feature defined in the ICAO ePassport specification to protect the stored personal information from being read electronically without the consent of the ePassport holder. While optional, BAC is now recommended by ICAO and is used by most issuing countries that are not already using Extended Access Control (EAC). With BAC, in order to unlock the ePassport electronically over the RF interface, the passport must be opened so that the MRZ printed on the physical data page can be optically read; an activation code derived from the MRZ is then presented over the RF interface to the ePassport chip before the chip will communicate the passport information. BAC uses the printed machine readable zone (MRZ) information, read by an optical reader, to unlock the chip. Only then is a secure session initiated. During the secure session, communication between the ePassport chip and the reader is encrypted using a separate key that is unique for each session. The BAC mechanism was designed to ensure that the owner of an ePassport can decide who can read the electronic contents of the ePassport. The key used to unlock the ePassport chip is extracted by optically reading the MRZ at the bottom of the ePassport's printed data page. Because physical access to the ePassport is needed to read the MRZ, it is assumed that the ePassport's owner has given permission to read the ePassport. Equipment for optically scanning the ePassport MRZ is mandated by ICAO. This equipment uses an optical character recognition (OCR) system to read the text, which is printed in a standardized format. The BAC mechanism was first introduced in the German ePassport on 1 November 2005 and is used in most countries today (including other European countries' ePassports and the United States ePassport since August 2007).16
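The step the inspection system performs after optically reading the MRZ, as an added Python example (not code from the Smart Card Alliance module or from ICAO): the document number, date of birth and expiry date, each with its check digit, are concatenated into the "MRZ information"; the first 16 bytes of SHA-1 over that string are the key seed; and SHA-1 over the seed plus a 32-bit counter (1 for encryption, 2 for MAC) yields the two 3DES keys that protect the BAC session, after each byte is set to odd parity as DES keys require. The input values are the worked example published in ICAO Doc 9303 (document number L898902C< with check digit 3, date of birth 690806 with check digit 1, expiry 940623 with check digit 6); the function names are this example's own:

```python
import hashlib


def adjust_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte: the low bit is set so that each byte has an odd
    number of 1 bits, the convention for DES/3DES key bytes."""
    out = bytearray()
    for b in key:
        ones_in_high_bits = bin(b & 0xFE).count("1")
        out.append((b & 0xFE) | (0 if ones_in_high_bits % 2 else 1))
    return bytes(out)


def bac_key_seed(doc_number_cd: str, dob_cd: str, expiry_cd: str) -> bytes:
    """K_seed: the first 16 bytes of SHA-1 over the 'MRZ information', i.e. document number
    plus check digit, date of birth plus check digit and expiry date plus check digit."""
    mrz_information = doc_number_cd + dob_cd + expiry_cd
    return hashlib.sha1(mrz_information.encode("ascii")).digest()[:16]


def derive_bac_key(k_seed: bytes, counter: int) -> bytes:
    """Key derivation: SHA-1(K_seed || 32-bit big-endian counter), first 16 bytes,
    parity adjusted. Counter 1 gives the encryption key K_ENC, counter 2 the MAC key K_MAC."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_des_parity(digest[:16])


def bac_keys(doc_number_cd: str, dob_cd: str, expiry_cd: str) -> dict:
    """Both BAC document keys for one passport, derived from the three MRZ fields."""
    seed = bac_key_seed(doc_number_cd, dob_cd, expiry_cd)
    return {
        "k_seed": seed,
        "k_enc": derive_bac_key(seed, 1),
        "k_mac": derive_bac_key(seed, 2),
    }


def has_odd_parity(key: bytes) -> bool:
    """True when every byte of the key carries an odd number of 1 bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


if __name__ == "__main__":
    # Worked-example MRZ fields from ICAO Doc 9303.
    keys = bac_keys("L898902C<3", "6908061", "9406236")
    for name, value in keys.items():
        print(f"{name}: {value.hex()}")
```

These are the static document keys; the session key the text mentions is negotiated afterwards from random values exchanged by chip and reader under K_ENC and K_MAC, which is why a recording of one session cannot be decrypted with another session's key.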

4.1.4.2 Extended Access Control

Augmenting BAC, EAC is an additional optional security access mechanism to meet data protection requirements and to help protect the privacy of additional biometric data (for example, fingerprints). Implementation will be country-specific. EAC also ensures that access to biometric data is only possible if allowed by the issuing country. EAC uses additional cryptographic mechanisms to protect biometric data from being retrieved without proper authorization. An ePassport equipped with EAC protects the additional biometric data using encryption and active mutual authentication. Each ePassport will have unique keys to protect access to the sensitive information, and the requestor needs to have a cryptographic key proving to the ePassport that it has the right to access the protected information. With the help of EAC, ePassport readers at ports of entry can be authorized to read the additional optional data, and selective access rights can be defined. The retrieval of fingerprints requires sovereign powers (e.g., the permission of the country which issued the ePassport). EAC makes it possible to define whether an authorized entity is able to access the additional biometric information, with the issuing country deciding whether another country can access the data. EAC is mandatory for European Union (EU) member countries. The U.S. ePassport does not implement EAC at this time.

16 http://travel.state.gov/passport/eppt/eppt_2788.html#Eleven

4.1.4.3 Passive Authentication17

To prove that the contents of the ePassport chip are authentic and unchanged, ICAO specifies "passive authentication" as a mandatory requirement. The ePassport chip contains a digitally signed "document security object" that stores hash values of the logical data structure contents. The border inspection system can use the document signer public key from the issuing country to verify that the data in the ePassport chip is authentic and unchanged.

4.1.4.4 Active Authentication18

ICAO specifies optional "active authentication" to protect ePassports from chip cloning, using the ePassport's active authentication key pair in a challenge-response protocol between the inspection system and the ePassport contactless chip. Active authentication authenticates the ePassport chip to the reader terminal.

4.1.4.5 Other Optional Security Methods

Other optional security methods that may be used with ePassports include:

• Comparison of the conventional MRZ (in optical format) with the MRZ data stored in the ePassport chip. This proves that the contactless chip's content and the physical ePassport belong together.
• Encryption of biometric data. This secures additional biometrics and would be country-specific.
• Passport cover shielding. This prevents unauthorized reading of the ePassport contactless chip when the passport cover is closed.

4.2 ePassport Validity and ICAO Public Key Directory

Countries determine that an ePassport is valid through a number of different techniques. First, the ePassport must be current (not expired). Each ePassport has an expiration date printed on the document and also written onto the electronic chip. The expiration date on the chip is protected against modification or forgery by a digital signature. The digitally-signed expiration date can be verified by electronic passport readers. Second, the information is checked to determine if it is authentic. The ePassport printed material security features (e.g., watermarks, security threads, papers and inks) are checked to determine authenticity. ePassport data (of which the expiration date is one element) is also protected by a digital signature. Third, the country must determine if the issuer (i.e., the "printer" of the information on paper and on the electronic chip) is trusted. This is accomplished by checking the issuer's digital signature. Countries use the ePassport system's public key infrastructure (PKI) to do this check. This requires that the country checking the passport obtain a copy of the issuer's signing certificate ahead of time so its key can be compared with the certificate that signed the information in the ePassport. This would need to be done for each issuer (i.e., each country whose ePassports are accepted); the information (i.e., each country's signing certificate) must also be kept up to date to ensure that it is still valid. Managing individual relationships to obtain this information from all other countries is a complex task.

ICAO has established a Public Key Directory, or PKD, as part of the global system for ePassport validation. Every country issuing ePassports digitally signs the data with the corresponding country signing keys. The ability to verify a country's digital signature is an essential element of ePassport validation, and the PKD provides a means for border control authorities to verify that the digital signatures on an ePassport are indeed valid. The ICAO PKD has been established to support the global interoperability of ePassport validation and to act as a central broker to manage the exchange of certificates and certificate revocation lists among countries. This central role helps to manage the otherwise onerous public key certificate exchange activity that would take place among the many countries issuing ePassports. As of the end of 2011, the ICAO PKD included: Australia, Austria, Bulgaria, Canada, China (three entries for the Chinese Government, Hong Kong China, Macao SAR), Czech Republic, France, Germany, Hungary, India, Japan, Kazakhstan, Latvia, Luxembourg, Morocco, Netherlands, New Zealand, Nigeria, Norway, Republic of Korea, Singapore, Slovakia, Sweden, Switzerland, Ukraine, United Arab Emirates, the United Kingdom and the United States.19 Additional information regarding the ICAO PKD, including participating countries, can be found at: http://www2.icao.int/en/MRTD/Pages/icaoPKD.aspx

17 ICAO Doc 9303 Machine Readable Travel Documents, Part 1 Machine Readable Passports, Volume 2 Specifications for Electronically Enabled Passports with Biometric Identification Capability, Sixth Edition 2006, Section 5.6.1
18 ICAO Doc 9303 Machine Readable Travel Documents, Part 1 Machine Readable Passports, Volume 2 Specifications for Electronically Enabled Passports with Biometric Identification Capability, Sixth Edition 2006, Section 5.6.2

4.3 U.S. ePassport Security Measures and Use

As an illustration, the security measures used in the U.S. ePassport are described in this section. Security measures are found throughout the ePassport system, from the production of the book itself to the policies and procedures in place at border crossings.

Starting with the document, the U.S. ePassport is manufactured by the government, in government-owned facilities. No one outside the government knows the full "recipe," which includes special papers, inks, and manufacturing techniques. The embedded chip is a secure microcontroller with advanced cryptography and built-in sensors to detect attacks. When an ePassport is created, the same information is both securely printed on the paper and securely written to the chip. The information on the chip is digitally signed by the issuing country's passport authority. Once manufactured and personalized, writing to the chip is permanently blocked.

The ePassport book is designed to be handed to someone and opened before any information stored on the chip is read. U.S. ePassports have a metallic RF shield built into the covers to prevent anyone from reading the ePassport's electronic chip while the book is closed. This shield protects the chip from being read or detected while the ePassport book is closed and prevents anyone from reading the information in the ePassport without the passport owner's knowledge. When the ePassport is open, the chip answers the ISO/IEC 14443 activation request (ATQ) with a random chip ID number that differs each time it is activated, so the chip cannot be tracked and cannot be used to determine which authority issued the ePassport. Without the BAC keys derived from the MRZ, no other information can be obtained from the ePassport.

The U.S. ePassport implements BAC as described in Section 4.1.4.1. The ePassport must be opened so that the MRZ on the physical data page can be optically read; the reader derives the BAC keys from the MRZ and uses them in a challenge-response exchange with the chip. The keys themselves are never transmitted over the RF interface; each side proves possession of them, and only after this mutual authentication does the chip release passport data. The same exchange negotiates session keys, which are then used to encrypt and integrity-protect communication between the ePassport's chip and the reading device.
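The BAC key derivation summarized above, as an added worked example (this code is not part of the Smart Card Alliance module; it implements the derivation published in ICAO Doc 9303, Part 11, using only the Python standard library). The MRZ fields below are constructed sample data, not a real document. The example stops at key derivation: the subsequent challenge-response, in which the reader and chip prove possession of these keys with 3DES without transmitting them, is not shown.

```python
import hashlib

# Weights used by the ICAO Doc 9303 check digit, repeating 7, 3, 1.
_WEIGHTS = (7, 3, 1)


def mrz_char_value(c: str) -> int:
    """Map an MRZ character to its numeric value: digits as-is, A-Z = 10..35, '<' = 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {c!r}")


def check_digit(field: str) -> str:
    """ICAO Doc 9303 check digit: weighted sum of the field modulo 10."""
    total = sum(mrz_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def adjust_parity(key: bytes) -> bytes:
    """Force odd parity on every byte (DES key convention) by setting the LSB."""
    out = bytearray()
    for b in key:
        ones_in_upper_bits = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_upper_bits % 2 else 1))
    return bytes(out)


def bac_keys(document_number: str, date_of_birth: str, date_of_expiry: str):
    """Derive the BAC encryption and MAC keys (two-key 3DES) from MRZ fields.

    document_number: up to 9 characters, padded with '<' as on the MRZ
    date_of_birth / date_of_expiry: YYMMDD as printed in the MRZ
    Returns (mrz_information, k_seed, k_enc, k_mac).
    """
    doc = document_number.ljust(9, "<")
    if len(doc) != 9 or len(date_of_birth) != 6 or len(date_of_expiry) != 6:
        raise ValueError("MRZ fields have the wrong length")
    # MRZ_information = doc number + CD + date of birth + CD + date of expiry + CD
    mrz_information = (doc + check_digit(doc)
                       + date_of_birth + check_digit(date_of_birth)
                       + date_of_expiry + check_digit(date_of_expiry))
    # K_seed is the first 16 bytes of SHA-1 over the MRZ information.
    k_seed = hashlib.sha1(mrz_information.encode("ascii")).digest()[:16]
    # K_enc and K_mac come from SHA-1(K_seed || counter), counter 1 and 2 respectively.
    k_enc = adjust_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = adjust_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x02").digest()[:16])
    return mrz_information, k_seed, k_enc, k_mac


if __name__ == "__main__":
    # Constructed sample MRZ data for illustration.
    info, seed, enc, mac = bac_keys("L898902C", "690806", "940623")
    print("MRZ_information:", info)
    print("K_seed:", seed.hex())
    print("K_enc: ", enc.hex())
    print("K_mac: ", mac.hex())
```

Two practical consequences follow from the code: the entropy of the BAC keys is bounded by the entropy of the three MRZ fields (document number, birth date, expiry date), which is why BAC is considered only a privacy control against casual skimming, and any reader or kiosk that can photograph the data page can derive these keys, so the MRZ should be treated as sensitive in its own right.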

19 http://www2.icao.int/en/MRTD/Downloads/PKD%20Documents/PKD%20participation%20-%20World%20Map.pdf


Last but not least, the government, manufacturers, and control personnel have enhanced their passport manufacturing, delivery and control processes to set up a stronger chain of trust. These improved processes protect citizens from identity theft and prevent criminals from obtaining official-looking passports with false identities. Anyone wanting to make an ePassport copy would need to have the chip, the data, and all of the manufacturing components and know-how. Without the country signing key required to digitally sign the information, anyone trying to create, modify or use a forged passport would be stopped, because the cryptographic verification fails when the ePassport's document security object is checked against the corresponding country signing certificate obtained through the ICAO PKD. Note what this check proves and what it does not: a valid signature shows that the data on the chip is unaltered and was issued by the signing country (passive authentication); it does not by itself show that the chip presenting the data is the original one. Border control therefore also compares the chip contents with the printed data page and with the bearer, and ICAO Doc 9303 defines an optional chip-level mechanism (Active Authentication) for detecting copied chip data. Figure 9 shows how a U.S. ePassport is used at border control.

Figure 9. U.S. ePassport Use at Border Control


5 Physical Access20 A physical access control system (PACS) is a coordinated network of ID cards, electronic readers, field control panels, specialized databases, software and computers designed to monitor and control traffic through access points. Smart card-based physical access control systems are a powerful and efficient security tool for protecting enterprise assets. Each employee or contractor is issued a smart ID card displaying enterprise information and printed designs, both to thwart the possibility of counterfeiting and to identify the card as official. The card typically displays a picture of the cardholder. The card stores personal information and a number used to uniquely identify the cardholder within the community for which the card data model was designed. When the person is initially enrolled in the PACS, the unique identifier is registered in the PACS and associated with a specific set of physical access privileges and authorizations. These privileges and authorizations determine when and at which access control points the cardholder is authorized. (If such privileges change, the new information can immediately be updated securely throughout the network.) When the card is placed in or near an electronic reader, access is securely and accurately granted or denied to all appropriate spaces (for example, a campus, a parking garage, a particular building, or an office). When an employee leaves an organization, all physical access privileges are removed at once. Any future attempt by that person to re-enter the premises using an expired or revoked card could be denied and recorded automatically. 
To the user, a PACS is composed of the following elements:
- A card or token (an identity credential) that is presented to a card reader
- A card reader
- A control panel, which contains a subset of the registered cards and authorization data
- A door or gate, which is unlocked when entry is authorized
- A server, with a system-specific PACS application that is used to manage system functions such as user registration, authorization and audit records. Other functions vary by manufacturer.

Behind the scenes is a complex network of data, computers, and software that incorporates robust security functionality. This section describes the operation and components of a typical smart card-based physical access control system. It provides a context for understanding how contact and contactless smart card technologies are used in an access control application.

5.1 PACS Components

A typical PACS is made up of the following components:
- ID credential (smart card)
- Door reader (smart card reader)
- Door lock
- Door position switch
- Control panel
- Access control server
- Software
- Database

Figure 10 illustrates how these basic components interconnect, with each component described in the following sections.

20 Source: Smart Card Alliance, Using Smart Cards for Secure Physical Access, July 2003, with updates from Lars Suneborn, Hirsch Electronics.


Figure 10. Physical Access Control System Schematic

[Figure 10 schematic: at each door an ID credential is presented to a reader, which connects to a control panel that drives the door lock; the control panels connect to the head-end system consisting of the access control server, software and database. Additional control panels, each with their own readers, credentials and door locks, attach to the same head-end.]

5.2 Physical Access Control Process (Non-U.S.-Federal Government Use)

The access control process begins when a user presents the credential21 (typically an employee's smart card badge or ID) to the reader, which is usually mounted next to a door or entrance portal. The reader extracts data from the card, processes it, and sends it to the control panel. The request transaction includes at least three components: the time of day, day of week and date; the door location; and the card number. The control panel first validates the reader and then accepts the data transmitted by the reader. What happens next depends on whether the system is centralized or distributed.

In both centralized and distributed systems, access parameters and specific user information are stored in individual user records in the PACS. Each user record is referenced by the unique number of the card issued to the user. The card number is simply a reference number used to locate the user record. Content of the user record varies from system to system as well as from one organization to another. However, the door table, or set of authorizations, is always part of each user record.

In a distributed system, the control panel stores the authorization for each user record and is capable of making proper access (authorization) decisions locally. The control panel then sends each transaction to the PACS server for archiving and record keeping. During periods when communication to the server is interrupted, access events are stored in a temporary memory (buffer) until server communication is restored. At that time, all access events are sent to the PACS server for logging and future reporting of past access transactions. These reports may include information such as "Who was in a specific area during the period between 0900 and 1130 AM, Saturday, August 2?"
The access control server provides control panels with data updates, such as adding new users to the panel, removing users who leave the site, or changing the list of authorized doors. The control panel then performs the authorization functions described above and makes the decision to allow or deny entry. Enabling control panels to perform the decision function has the advantage of requiring less communication between control panels and a central access control server, thus improving overall system performance and reliability.

When two-factor authentication is required (e.g., both a card and a personal identification number (PIN)), the access and authorization process changes. Although different systems handle the multiple factors differently, the fundamentals are similar. In areas where this method is deployed, the user reference for access authorization consists of two components: the card number and the PIN.

An example of the PIN-to-PACS access process is as follows. The user presents a card to the reader and the reader sends the card number to the control panel in the normal fashion. The panel uses the card number to locate the user record, which in this case includes a secret PIN. The user is prompted to enter the PIN on the keypad, and this PIN is matched against the secret PIN stored in the panel's user record. When the PIN is verified, the control panel processes the access request and determines if the user is authorized.

In a PIN-to-reader configuration, the card data is read from the card and temporarily stored in the reader. The reader has a keypad, and the user enters the PIN to cause the reader to release and send the card data to the PACS control panel. The card number is then processed as in a card-only system. (Note that this method is only used in non-U.S.-Federal government deployments.)

Biometric verification devices may be used as standalone units, or added as an additional authentication factor to card- or PIN-based systems.

21 This document uses the term "credential" to refer to the general identification device (both the physical device and the data it holds). This is commonly referred to as the "ID token" in physical access control systems.
Biometric verification may be performed by comparing the live biometric to a biometric template; the comparison is done either by the reader (match-on-reader), within the smart ID card (match-on-card) or within the PACS system (where the biometric data is sent to the control panel for processing).

In a standalone deployment, the reader captures the live biometric data and compares it against the biometric data of all enrolled users. This data may be stored in the reader or in a server connected to the reader; this type of implementation is referred to as a "one-to-many" (1:N) search. (Note that this method is no longer used in U.S. Federal government deployments.)

When used as a secondary or additional method, the user's specific biometric data is stored as a part of the user record. The record is accessed either by a PIN or, more commonly, by a card. The card (or PIN) is presented to the reader, and this information is used to locate the user's biometric data (often stored in the reader). When the user submits the live biometric, the reader performs a one-to-one verification against that record. When the verification results in a valid match, the reader sends the card number to the control panel for processing as described above.

As smart credentials are deployed, the process changes. The smart card enables mutual authentication between the card and reader before further processing occurs. In addition, the smart credential may store personal information in a secure container that is only accessed after the user enters a valid PIN.22 When the verification process is successfully completed, the card releases its card number to the panel for authorization processing as described above. If the card information is invalid, the card reader indicates that result, and entry is denied. The response to an invalid card is defined by the company's security policy and procedures.
The access control server or control panel may ignore the data and not send an unlock code to the controller or door lock. It may send a signal to have the reader emit a different sound, signaling that access was denied. It may be configured to notify security staff and activate other security systems (e.g., closed-circuit TV, alarms), indicating that an unauthorized card is being presented to the system.

22 See the Smart Card Alliance Access Control Council document, "Access Control Reader and Credential Architecture and Engineering Specification for Non-Government Facilities: Contactless Smart Card 13.56 MHz High Frequency Technology,” April 2015


Each access control system component in this process is described in more detail below.

5.2.1 The ID Credential

A number of different ID technologies are currently in use for commercial, non-government physical access control: magnetic stripe, Wiegand strips, barium ferrite, 125 kHz proximity technology23, and contact and contactless smart card technology. These technologies can be packaged in a variety of form factors, everything from a key fob or an employee badge to more exotic forms, such as a wristwatch or ring. However, all credentials operate in basically the same way: they hold data that authenticate the credential and/or user.

Some credential technologies are read-only. Information is permanently recorded on the credential, and when the credential is presented to a reader, the information is sent to the system. This type of credential only confirms that the data read matches a record in the system. It does not confirm that the person presenting the credential is the person authorized to possess it, or that the credential itself is genuine: the fixed data it emits can be captured and copied to another device, which the system cannot distinguish from the original.

Contact smart card technology defined by ISO/IEC 7816 and contactless smart card technology defined by ISO/IEC 14443 and ISO/IEC 15693 have both read/write and data storage capabilities. Credentials that use these technologies are intelligent devices. They can store privileges, authorizations, and attendance records. They can store PINs and biometric templates, offering two- or three-factor authentication capability. The credential is no longer just a unique number holder, but is a secure, portable data carrier as well.

5.2.2 The Card Reader24 The card reader can have one or more interfaces, accommodating some combination of both contact and contactless smart cards and including a PIN pad and biometric reader. How the reader responds depends on the type of credential presented and the organization’s security policy. When the reader is used with a contactless smart card, it acts as a small, low-power radio transmitter and receiver, constantly transmitting an RF field or electromagnetic field called an excite field. When a contactless card is within range of the excite field, the internal antenna on the card converts the field energy into electricity that powers the chip on the card. The chip then uses the antenna to transmit data to the reader. When the reader is used with a contact smart card, the reader includes an opening that contains a smart card contactor. The card and the connector in the reader must make physical contact. Readers that include a PIN pad and a biometric reader (typically a fingerprint or hand geometry reader) generally support two- and three-factor authentication, if required. For example, a facility may require only the presentation of a contactless card when the security risk is low, but require biometric data as well when the threat level increases. When the security risk is high, it may be necessary to present a contact smart card and use the biometric reader and PIN pad. These multi-factor readers can be used when it is desirable to vary required inputs by time of day, day of week, or location. Requirements for additional authentication factors are determined by the organization’s security policy. When the reader has received all required data, it typically processes the information in one of two ways. Either the information is immediately sent to the control panel, or the reader analyzes the data before sending it to the control panel. Both methods are widely deployed. Each has advantages and disadvantages. 
The simplest readers send data directly to the control panel. These readers do nothing to evaluate the data or determine the legitimacy of the credential. These readers are typically one-factor readers and are generic, so that they can be stocked in inventory and easily added to or replaced in an access control system.

Readers that analyze data must be integrated into the PACS. That is, they must interpret and manipulate the data sent by the card and then transmit the data in a form that is usable by the control panel. Such a system can offer an increased level of security. The reader can determine the legitimacy of the card (and the card can determine the legitimacy of the reader), compare the biometric data or PIN entry, and transform the credential data so that what the reader sends to the control panel is not the same as what was read from the card. The process of authenticating the card to the reader and the reader to the card is called mutual authentication. Mutual authentication is one of the advantages of a smart card-based system.

23 125 kHz proximity technology is commonly referred to as "prox."

24 See the Smart Card Alliance Access Control Council document, "Access Control Reader and Credential Architecture and Engineering Specification for Non-Government Facilities: Contactless Smart Card 13.56 MHz High Frequency Technology," April 2015

5.2.3 The Control Panel

The control panel (often referred to as the controller or simply the panel) is the central communications point for the PACS. It typically supplies power to and interfaces with multiple readers at different access points. The controller connects to the electro-mechanical door lock required to physically unlock a door or to the unlocking mechanism for an entrance portal (such as a turnstile, parking gate or elevator). It is often connected to a door position switch that monitors the state of the door and enables the panel to detect if the door is opened without a valid access or forced open, or if the door is left open after a valid opening. Both events cause the panel to generate and send an alarm message to the PACS operator. Some panels may be connected to different alarm annunciators (e.g., sirens, auto-dialers, lights, CCTV cameras). And finally, the control panel is usually connected to an access control server.

Depending on the system design, the control panel may process data from the card reader and the access control server and make the final authorization decision, or it may pass the data to the access control server to make this decision. Typically, the control panel makes the decision to unlock the door, passes the transaction data to the host computer, sends the unlock signal to the door lock, and returns a grant or deny indication to the reader. It is important for the control panel (rather than the reader) to generate the unlock signal, since the control panel is located inside the facility or in a secure room, while the card reader is located in an insecure or open area; if the reader drove the lock directly, removing the reader would expose the lock wiring to an attacker.

Finally, the control panel stores data format information. This information identifies what portion of the data stream received from a card is used to make access control decisions. Cards and readers implemented with different technologies can exchange data in different formats. However, the control panel needs to know how to interpret and process this data. For example, if a reader sends 35 bits of data and the control panel is configured for a 26-bit format, the panel must either reject the frame or discard 9 bits; silently discarding bits is risky, because distinct credentials can then collapse to the same 26-bit value. The data format definition controls how the panel interprets received data.

5.2.4 Access Control Server

The head-end system (also referred to as the back-end system or host system) includes the access control server, software, and a database. The database contains updated information on users' access rights.

In a centralized system, the access control server receives the card data from the control panel. The software correlates the card data with data in the database, determines the person's access privileges, and indicates whether the person can be admitted. For example, if a person is allowed in a building only between 8 AM and 5 PM and it is 7:45 AM, the person is not admitted. However, if it is 8:01 AM, then the server should respond to the control panel, indicating that the door can be unlocked.

Most PACS are decentralized. In a decentralized system, the access control server periodically sends updated access control information to the control panels and allows them to operate independently, making the authorization decision for the credential presented based on data stored in the panel. The operational characteristics for centralized or decentralized systems are determined from the specific implementing organization's access control requirements.


5.3 Physical Access Control System Data Formats

The physical access control system's data format is a critical design element. Data format refers to the bit pattern that the reader transmits to the control panel. The format specifies how many bits make up the data stream and what these bits represent. For example, the first few bits might represent the facility code, the next few a unique credential ID number, the next few parity, and so on. Many PACS vendors have developed their own formats, making every vendor's coding unique. Like the pattern of teeth on a door key, the formats are kept secret to prevent an unauthorized person or company from duplicating a card. Format secrecy is a weak control, however: the bits travel in the clear between reader and panel (see Section 5.5.5), the common formats are publicly documented, and anyone who can capture the bit stream can reproduce it without understanding the format at all. Existing installed PACS formats must be considered when defining the requirements for implementing new physical access control system technologies.

In the United States, the Federal Information Processing Standard (FIPS) 201-2 standard and supporting NIST special publications define a standard data format for information stored on the PIV card: the PIV Card Holder Unique Identifier (CHUID), which carries the Federal Agency Smart Credential Number (FASC-N, of which PACS commonly use a 48-bit portion) and the Unique User Identifier (UUID, a 128-bit number). These differ from existing installed access control system data formats, both in carrying more bits in the credential number field and in how unique credential numbers are established. PACS that use proprietary card formats must be updated to accept the non-proprietary, open format of the PIV card.
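The bit layout described above, and the 35-bit-versus-26-bit mismatch discussed under the control panel in Section 5.2.3, as an added worked example that is not part of the Smart Card Alliance module. It encodes and validates the widely used open 26-bit Wiegand format (one even-parity bit, 8-bit facility code, 16-bit card number, one odd-parity bit, with each parity bit covering the nearest 12 data bits), and models a panel configured for that format. The facility code, card numbers and door table are constructed sample values.

```python
def _parity(bits) -> int:
    """Return 1 if the number of set bits is odd, else 0."""
    return sum(bits) % 2


def encode_26bit(facility_code: int, card_number: int) -> str:
    """Build a 26-bit Wiegand frame: E + FFFFFFFF + CCCCCCCCCCCCCCCC + O."""
    if not 0 <= facility_code <= 0xFF or not 0 <= card_number <= 0xFFFF:
        raise ValueError("field out of range for the 26-bit format")
    data = [int(b) for b in f"{facility_code:08b}{card_number:016b}"]
    even = _parity(data[:12])        # even parity over the first 12 data bits
    odd = 1 - _parity(data[12:])     # odd parity over the last 12 data bits
    return "".join(str(b) for b in [even] + data + [odd])


def decode_26bit(frame: str):
    """Validate a 26-bit frame and return (facility_code, card_number); raise on any fault."""
    if len(frame) != 26:
        raise ValueError(f"expected 26 bits, got {len(frame)}")
    if set(frame) - {"0", "1"}:
        raise ValueError("frame contains non-bit characters")
    bits = [int(b) for b in frame]
    data = bits[1:25]
    if bits[0] != _parity(data[:12]):
        raise ValueError("even parity check failed")
    if bits[25] != 1 - _parity(data[12:]):
        raise ValueError("odd parity check failed")
    facility = int("".join(map(str, data[:8])), 2)
    card = int("".join(map(str, data[8:])), 2)
    return facility, card


def panel_decision(frame: str, door_table: set) -> bool:
    """Model a control panel configured for 26-bit: frames of any other length are
    rejected outright rather than truncated, then (facility, card) is looked up."""
    try:
        facility, card = decode_26bit(frame)
    except ValueError:
        return False
    return (facility, card) in door_table


if __name__ == "__main__":
    # Constructed door table for one door: (facility code, card number) pairs.
    authorized = {(123, 45678), (123, 45679)}
    frame = encode_26bit(123, 45678)
    print("frame on the wire:", frame)
    print("decoded:", decode_26bit(frame))
    print("granted:", panel_decision(frame, authorized))
    # A 35-bit frame from a card in another format is refused, not truncated.
    print("35-bit frame granted:", panel_decision("0" * 35, authorized))
```

The point of the round trip is the security one: everything the panel needs is recoverable from the frame alone, so an observer who taps the reader-to-panel wiring (Section 5.5.5) can re-emit exactly that frame; parity only catches transmission errors, not forgery.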

5.4 Operational Range

One important characteristic of PACS operation is the distance from the reader at which the credential is effective (called the operational range). This characteristic can affect the end user's perception of how convenient it is to use the system. For systems using contact smart cards, operational range is not an issue, as the card is inserted into the reader and physical contact is made.

Operational range is determined by many factors, including both the system's design specifications and the environment in which the reader is placed. Factors that affect operational range include the antenna's shape, the number of antenna turns, the antenna material, surrounding materials, the credential's orientation to the reader, the electrical parameters of the chip, anti-collision features and the field strength of the reader. Regulators and certification bodies (for example, the FCC in the United States, UL, and the EU's CE marking requirements) approve or specify frequency ranges and power transmission limits. Operational range can be increased by strengthening the antenna (for example, by increasing the number of antenna coils, the antenna size, or the power transmitted to the antenna). ISO/IEC 14443 specifies a nominal operating distance of up to 10 cm (approximately 4 in) for 13.56 MHz proximity cards. This figure describes the distance at which a reader can power and communicate with a card; it is not a security boundary. Passive eavesdropping on an active transaction, or relaying it through a second device, can succeed at considerably greater distances, which is one reason the card-to-reader channel itself must be protected (Section 5.5.4).

The location of the reader can affect the operational range of a contactless reader. For example, the proximity of the reader to metal can distort the excite field or even shield it from the card. So a reader mounted on a solid metal plate, next to an all-metal door or encased in a metal cage (to protect it from vandals) may have a very short operational range. The ID credential operational range for any of the contactless technologies is a critical design decision for a physical access control system. The appropriate operational range will be determined as part of the organization's overall security policy, security architecture and requirements.

5.5 Security Considerations

To mitigate the risks of unauthorized access or deliberate attacks, the security of the entire PACS must be considered. This begins with the initial card issuance process and includes the actual components of the system (such as the network, databases, software, hardware, cameras, readers, cards), system processes (e.g., guard procedures), and the protection of data within system components and during transmission. The system's design will consider what security features need to be implemented given the environment of the system and the actual likelihood of an attack.


5.5.1 Card Security Smart cards can help to deter counterfeiting, thwart tampering with an ID card and prevent usage of an unauthorized card. Smart cards include a variety of hardware and software capabilities that detect and react to tampering attempts and help counter possible attacks, including: voltage, frequency, light and temperature sensors; clock filters; scrambled memory; constant power sources; and chip designs to resist analysis by visual inspection, micro probing or chip manipulation. Where smart ID cards will be used for manual identity verification, security features can be added to a smart card body, such as unique fonts, ink color and multicolor arrangements, micro printing, high quality ultraviolet ink on the front and rear, ghost imaging (secondary photograph of the holder in an alternative location on the card), and multiple-layered holograms, including three-dimensional images. When properly designed and implemented, smart cards are almost impossible to duplicate or forge, and data in the chip cannot be modified without proper authorization (e.g., with passwords, biometric authentication, or cryptographic access keys). As long as system implementations have an effective security policy and incorporate the necessary security services provided by smart cards, organizations and ID holders can have a high degree of confidence in the integrity of the ID information and its secure, authorized use.25

5.5.2 Data Protection One of the most compelling arguments for the use of smart card-based systems for physical access control is the capability to use data scrambling or cryptography to protect information both on the chip and during transmission. The security and reliability of information required to identify individuals and their rights and privileges is key to the success of a physical access control system. Smart cards support both symmetric26 and asymmetric27 cryptographic algorithms. Symmetric key cryptography is widely used for physical access control and uses the same key for encryption and decryption, making it extremely fast and reliable. Asymmetric cryptography is often used for logical access applications and is starting to be used for physical access applications. Multiple keys can be stored on a single chip to address the security requirements for using multiple applications, thus providing better security for the growing complexity of today’s systems.

5.5.3 Card and Data Authentication

A secure PACS must have assurance that both the ID card as presented to the reader and the data it contains are authentic. In some cases, it is important to verify that the reader is authentic as well (as determined by the card), to prevent counterfeit terminals from being used to extract data. Separate from the use of a PIN and/or biometric, which unlocks the card or authenticates the person, smart cards offer internal chip-based authentication features that use symmetric or asymmetric cryptographic mechanisms to prove that the card and data are genuine. For secure card authentication, smart cards use active cryptographic techniques to respond to a challenge from the reader, proving that the card possesses a secret without ever transmitting it. Because each challenge is freshly generated, a response recorded from a genuine card cannot be replayed by a copied or counterfeit card; this is the essential difference from a read-only credential that simply emits a fixed number.
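The challenge-response and mutual authentication described above (and in Section 5.2.2), as an added worked example; it is not code from the Smart Card Alliance module and is not the protocol of any particular card product. Both sides hold a shared symmetric key, exchange fresh nonces, and prove possession of the key with a MAC; HMAC-SHA256 from the standard library stands in for the 3DES/AES block-cipher MAC a real card computes. The master key, card identifiers and the per-card key diversification scheme are constructed for the example. The `ReplayingClone` class models an attacker device that captured one genuine exchange and holds no key.

```python
import hashlib
import hmac
import os

# Constructed master key for the example. In a real PACS it lives only in the
# reader's secure module and the issuer's key management system.
MASTER_KEY = bytes(range(32))


def diversify(master_key: bytes, card_id: bytes) -> bytes:
    """Per-card key derived from the master, so one extracted card key does not expose the master."""
    return hmac.new(master_key, b"div" + card_id, hashlib.sha256).digest()[:16]


def tag(key: bytes, *parts: bytes) -> bytes:
    """Keyed MAC over the concatenated parts (HMAC-SHA256 standing in for a cipher-based MAC)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Card:
    """Genuine credential: holds its ID and diversified key; the key never leaves the chip."""

    def __init__(self, card_id: bytes, key: bytes):
        self.card_id = card_id
        self._key = key

    def respond(self, reader_nonce: bytes):
        """Answer the reader's challenge and issue a challenge of our own (mutual authentication)."""
        card_nonce = os.urandom(8)
        proof = tag(self._key, b"card", reader_nonce, card_nonce, self.card_id)
        return self.card_id, card_nonce, proof

    def verify_reader(self, reader_nonce: bytes, card_nonce: bytes, reader_proof: bytes) -> bool:
        expected = tag(self._key, b"reader", card_nonce, reader_nonce, self.card_id)
        return hmac.compare_digest(expected, reader_proof)


class Reader:
    """Reader whose secure module holds the master key and diversifies it per card."""

    def __init__(self, master_key: bytes):
        self._master = master_key

    def challenge(self) -> bytes:
        return os.urandom(8)

    def verify_card(self, reader_nonce: bytes, card_id: bytes, card_nonce: bytes, proof: bytes):
        """Return the reader's own proof if the card's proof is valid, otherwise None."""
        key = diversify(self._master, card_id)
        expected = tag(key, b"card", reader_nonce, card_nonce, card_id)
        if not hmac.compare_digest(expected, proof):
            return None
        return tag(key, b"reader", card_nonce, reader_nonce, card_id)


def authenticate(reader: Reader, card) -> bool:
    """Run the full exchange. Only on True would the reader forward the card number to the panel."""
    reader_nonce = reader.challenge()
    card_id, card_nonce, proof = card.respond(reader_nonce)
    reader_proof = reader.verify_card(reader_nonce, card_id, card_nonce, proof)
    if reader_proof is None:
        return False
    return card.verify_reader(reader_nonce, card_nonce, reader_proof)


class ReplayingClone:
    """Attacker device holding one captured transcript (card_id, card_nonce, proof) but no key."""

    def __init__(self, transcript):
        self.card_id, self._card_nonce, self._proof = transcript

    def respond(self, reader_nonce: bytes):
        return self.card_id, self._card_nonce, self._proof  # same answer whatever the challenge

    def verify_reader(self, *_):
        return True


if __name__ == "__main__":
    card_id = b"\x00\x00\x12\x34"  # constructed card identifier
    reader = Reader(MASTER_KEY)
    genuine = Card(card_id, diversify(MASTER_KEY, card_id))
    print("genuine card accepted:", authenticate(reader, genuine))
    captured = genuine.respond(reader.challenge())  # attacker sniffs one exchange
    print("replayed transcript accepted:", authenticate(reader, ReplayingClone(captured)))
```

The fixed-ID credential of Section 5.2.1 is exactly the `ReplayingClone` case: whatever it sends is the same every time, so a recording is as good as the original. Two implementation details matter even in this toy: the nonces must be unpredictable (a counter a reader reuses after power-cycling lets an attacker pre-collect responses), and the comparison uses `hmac.compare_digest` so that timing does not leak how many bytes of a guessed proof were correct.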

25 See the Smart Card Alliance Access Control Council white paper, "The Commercial Identity Verification (CIV) Credential – Leveraging FIPS 201 and the PIV Specifications: Is the CIV Credential Right for You?"

26 The most common symmetric key algorithms currently used are DES (Data Encryption Standard), Triple DES (in either two-key or three-key form), IDEA (International Data Encryption Algorithm), AES (Advanced Encryption Standard) and the proprietary cipher used by MIFARE™ Classic cards. Single DES and the MIFARE Classic cipher have been publicly broken and should not be relied on in new deployments; AES is the appropriate choice.

27 The most common asymmetric cryptographic algorithms are RSA, ECC (Elliptic Curve Cryptography), and DSA (Digital Signature Algorithm).


5.5.4 Card to Card Reader Communications28 As with any process involving electronic signals, the data transmitted among components can be monitored. This possibility must be considered in the system security design in terms of the environment (for example, is the area under observation or could someone physically insert another device or place a monitoring device within signal range) and the actual likelihood of such an attack or effort. Depending on the environment and risk profile, an organization may be concerned that the data sent from a contact or contactless ID card to a card reader can be monitored, allowing an illegal entrance to be effected if a rogue card or device can duplicate the data. Smart cards support industry-standard encryption and security techniques that both secure communication between the card and the reader and enable card and reader authentication methods. The security keys used for both encryption and authentication are kept in secure tokens (smart card modules) on both the card and the reader and are highly resistant to attack.

5.5.5 Card Reader to Control Panel Communications29 In an access point location that is not observed or that doesn’t have physically secure wiring, organizations may be concerned that an intruder could remove a card reader from its mounting and read the data stream sent to the control panel or place a personal computer or other device on these wires and mimic the insertion of a valid card to gain authorization. Most card readers currently transmit data to the control panel using one of two formats: Wiegand or magnetic stripe. Wiegand format uses two signal lines: D0, for transmitting “zero” data pulses; and D1, for transmitting ”one” data pulses. The magnetic stripe format uses two signal lines – one for data and one for clock. These data strings are not considered secure. Providing a secure channel from the card to the reader and from the reader to the control panel overcomes this potential security threat. Providing secure channels neutralizes the most serious threats because the reader and the card are the two elements that are exposed and physically available to an attacker. The communication channel from the reader to the control panel can be secured in a way similar to that used to secure the channel between the card and the reader. The data exchanged between the two devices can be encrypted for maximum security and the reader and panel can be authenticated during the transaction. Because the connection between the control panel and the access control system is internal to a building or located in a secure room, it is generally not as susceptible to attack. If desired, however, this connection can be secured using the techniques described in this section so that the entire system has an end-to-end secure data channel. Figure 11 illustrates an example of how smart card-based physical access control systems can provide end-to-end security.

28 See the Smart Card Alliance Access Control Council document, "Access Control Reader and Credential Architecture and Engineering Specification for Non-Government Facilities: Contactless Smart Card 13.56 MHz High Frequency Technology,” April 2015 29 See the Smart Card Alliance Access Control Council document, "Access Control Reader and Credential Architecture and Engineering Specification for Non-Government Facilities: Contactless Smart Card 13.56 MHz High Frequency Technology,” April 2015


Figure 11. Example of End-to-End Security in a Smart Card-Based Physical Access System

[Figure: Smart ID Card, Smart Card Reader, Control Panel and Access Control Server shown in sequence. Secure authenticated communication over the contact or contactless interface between card and reader; secure encrypted channels between reader, control panel and server.]

5.6 Recent Trends in System Architectures

Physical access control systems traditionally have been controlled by the corporate security department. However, with the advent of network-centric systems based on Internet technology and TCP/IP, access control systems have evolved into networked systems that combine many functions and involve multiple departments. Modern systems can include not only access control functions, but also corporate functions such as credential management and personnel databases. Nor have networked access control systems reached their functionality limits: it is easy to conceive of the card reader acting as a time clock, thus extending the system into the HR and payroll departments (Figure 12), or an ID card that includes a payment application for the local transit system.

This new multi-application, networked architecture requires the involvement and cooperation of the security, IT, HR, and other departments in the implementation of a corporate physical access control system.

Figure 12. Example of Networked Physical Access Control System

In addition, in the United States, the Federal Information Processing Standard (FIPS) 201-2 and supporting NIST special publications define standards for the Personal Identity Verification (PIV) card, the identification card that is now being issued to all Executive Branch employees, and for PIV-I credentials being issued to contractors. These credentials are being used for both physical and logical access. The PIV card uses smart card technology, cryptography, and a data model that are significantly different from traditional physical access tokens. The deployment of PIV-compliant cards and systems throughout the U.S. Federal government and PIV-compatible cards in related industries and state and local governments has already had a significant impact on PACS designs, including:

• Support for the PIV User Unique Identifier (UUID) and Federal Agency Smart Credential Number (FASC-N) identifier, which include 128 and 48 bits of information (respectively) in the data field for the credential number and differ in how unique credential numbers are established.
• Support for multiple PIV authentication factors: CHUID, Card Authentication Key (CAK), PKI-Auth and PKI-Auth+BIO are examples of one, two and three authentication factors.
• Support for communication with an online certificate status protocol (OCSP) or certificate revocation list (CRL) service to check the validity or revocation status of credentials.
• Changes in the enrollment and revocation processes to support FIPS 201-2 requirements.30

30 See FIPS 201-2, SP 800-73-4 and “PIV in e-PACS” reference documents.


6 Logical Access31

In today's workplace, secure logical access is a critical concern. The Internet has enabled effective electronic collaboration among partners, customers, and suppliers. New technologies allow mobile workers to communicate outside of traditional security perimeters, using wireless technology or working remotely over a virtual private network (VPN). Increasing operational efficiencies motivate increasing numbers of enterprises and service organizations (such as banking, health, and insurance companies) to migrate to an enterprise network composed of corporate portals, application servers, and protected Web resources. The rising incidence of identity theft and the advent of new regulations and legislation also contribute to an environment in which secure logical access is extremely important. For all of these reasons, organizations that manage user identities, authentication policies, and user privileges are challenged to prevent intruder access to proprietary information.

The current password-based logical access infrastructure (introduced in the late 1960s) fails to address these new threats, new business models, and the growing complexity of networked resource access. Passwords are costly to manage (an estimated 30% to 50% of help desk costs are attributable to resetting passwords) and can be cracked using widely available tools. The security concerns raised by password-based systems and the added convenience that smart cards provide may be two major reasons why organizations are moving to smart-card-based logical access systems. According to a Frost & Sullivan survey, 39% of Fortune 500 companies plan to use smart cards within 3 years and 63% of Fortune 500 companies either have investigated or are investigating smart cards for network security implementations. Smart card technology is available in multiple form factors: as a plastic card, a Universal Serial Bus (USB) token, or a Subscriber Identification Module (SIM) in a mobile phone.
Smart card technology has advanced over the last 20 years to include improved storage and processing capacities, enhanced security, mature smart card management software, contactless technologies, and integration of multiple applications in a single smart ID badge. Smart cards can support a variety of applications used by organizations, including:

• Windows logon
• Password management
• One-time passwords (OTP)
• VPN authentication
• E-mail and data encryption
• Electronic signatures
• Enterprise single sign-on
• Secure wireless network logon
• Biometric authentication
• Cafeteria payments
• Personal data storage
• Role-based access
• Secure physical access

Today, smart cards are essential to the security backbone of an organization's identity management system, supporting the strong authentication required to validate individuals accessing networked resources and providing a critical first step in blocking intruders. Standardization has enabled card issuers to combine solutions from multiple sources, thus ensuring large-scale interoperability and reducing the costs of ownership by providing an open market. Because significant investment is still required to integrate new authentication systems into a legacy infrastructure, ongoing commitment by top executives and dedicated project management are required to make new identity management system deployments successful. Organizations that adopt smart cards for logical access see a strong return on investment and significant benefits, including improvements in convenience and security, greater accountability and better security decisions, regulatory compliance, operational efficiencies, and new business opportunities.

31 Source: Logical Access Security: The Role of Smart Cards in Strong Authentication, Smart Card Alliance white paper, October 2004, with edits from Anna Fernezian, ActivIdentity.

6.1 Overview of Logical Access Authentication Technologies

In the story Ali Baba and the Forty Thieves, a treasure stolen by 40 thieves is hidden in a cave protected by a magic stone. The only way to enter the cave is to speak the secret password, "Open Sesame." It doesn't matter who the speaker is. Those words, said in that exact form, cause something magical to happen, moving the stone and allowing the speaker to enter. That same magic happens every time someone logs on to a computer network.

The importance of authentication cannot be overstated. Once a person is authenticated to the network, the person's privileges and access rights are based on that authentication. The purpose of authentication is therefore to permit network access to everyone who is authorized while keeping all others out. Stopping imposters without hindering valid users is the goal of every authentication technique. Various approaches address this vital task. All rely on the incorporation of one or more of the three factors critical to authentication:

• Some knowledge the person has, such as a password. This factor is commonly referred to as "something you know."
• Some physical characteristic, such as a fingerprint. This factor is commonly referred to as "something you are."
• Some item the person possesses, such as a key, a token, or a smart card. This factor is commonly referred to as "something you have."

Each individual approach is uniquely designed to authenticate a user as completely as possible without imposing too much inconvenience. Each also has unique potential weaknesses. Used in combination, the strength of authentication security is magnified, reducing the potential for impostor entry.

6.1.1 Passwords

The password is undoubtedly the most commonly used access control technique. The user simply provides a username and password, submits the information, and is granted or denied access. Within the computer system, this authentication method compares the username and password combination to stored information. An electronic response grants or denies access based on the results of this comparison. Protecting usernames, passwords, and the relationships between them is therefore critical to controlling logical access with passwords.

There are many ways for unauthorized individuals to gain access to passwords. Several of the most common methods follow.

• Social engineering is probably the best known of all ways to gain access to a system. For example, unauthorized individuals use flattery or logical reasons to obtain another person's password. This risk is most easily mitigated by educating users on the need for strong and effective security.
• Password cracking programs use either brute force or dictionary look-up methods to attempt to decrypt protected passwords.
• Sniffer programs monitor packets traveling over a network. If an unencrypted password passes by, the sniffer captures and uses it, compromising the integrity of the system. However, the effectiveness of sniffing tools has decreased with widespread adoption of network switches and routers, greatly reducing the usefulness of sniffing utilities.
• Personal knowledge about legitimate users is used to try to guess their passwords.
• Access to employees' desks. A person can sit at an employee's desk when nobody is around and look for passwords that have been written down.
• Look and see. By far the easiest way to get a password is to watch someone type it!

In order to safeguard password integrity, security policies require users to change passwords regularly to deter access to their accounts through such methods as finding written passwords, watching the person enter information, using keyboard sniffing programs, or guessing. Such password security policies are effective but can become quite complicated. These policies usually direct users not to reuse passwords, forcing them to create new and equally "guess resistant" passwords that they can remember. The protection of stored information is also critical to a strong password security policy.

Passwords can be implemented in a variety of ways. In all cases, implementation of a password security policy is highly recommended. The policy may be as simple as requiring a minimum number of letters and may require the inclusion of upper- or lowercase letters, numbers, and special characters.

6.1.1.1 Password Storage

How passwords are stored on IT systems affects the overall security of the system.

6.1.1.1.1 Cleartext Passwords

The most elementary approach to passwords is to store cleartext (i.e., unencrypted) passwords and usernames in a flat file stored on a network. Such a file might look like this:

USERNAME   PASSWORD
AliceZ     myDOGsparkY
BobY       Home4holidays
CarolW     getthejobdone

This approach is easy to implement. The challenge is to protect the information from inappropriate access or manipulation while retaining instant accessibility for the logon process. While this approach is appropriate for certain situations, it is extremely vulnerable to attack. Once attackers find out how the logon function works and determine that passwords are maintained in the clear, access is greatly simplified. Once inside the system, the attacker simply reads the file and obtains network privileges and access based on existing user accounts.

6.1.1.1.2 Password Conversions

In order to mitigate the vulnerability of storing cleartext passwords, three approaches rely on techniques that convert the password entered by the user from cleartext to some other form of data:

• Hashing
• Message authentication codes
• Cryptography

All three approaches potentially suffer from the same vulnerability: they all rely on the ability of people to choose passwords that are easy to remember (without writing them down) but complicated enough to withstand attack. Converting a password protects the stored form of the password, thereby eliminating the value of gaining access to the password database. However, the password itself is still potentially vulnerable to guessing or sniffed replay (in which an attacker intercepts data containing the password and extracts it from the data).


Hashing. Hashing, sometimes referred to as a message digest, uses a one-way mathematical algorithm that creates a fixed length result from a message of any length. Hashing essentially creates a digital fingerprint of a message and, in this case, is used to protect passwords. Hashing changes a password into binary format and divides it into code blocks of a predetermined size. Each block is then processed through the hash algorithm and combined with the next unprocessed block to be processed again until all blocks have been processed. The result is then reconverted to ASCII text. Hashing is a reliable method for converting passwords because the result of feeding the same password into the same algorithm is always the same. However, virtually no mathematical or logical approach can obtain the original password from the result. The two most popular hashing algorithms are MD5, which produces a 128-bit hash from any input, and the Secure Hash Algorithm (SHA), designed for use with the Digital Signature Standard by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). SHA-1 produces a 160-bit hash. An update to SHA, SHA-256, has been released and adopted for high-level security with encryption certificates. Since 2013, SHA-256 is universally accepted. A SHA-1 hashed password file looks like this:

USERNAME   PASSWORD
AliceZ     c0f1ce0662f4a2f8d86613cf2e7ddc311fbcf3bd
BobY       6dc04707c1204dac18b73e5b388365deac43f70c
CarolW     2a70467b07eb3acfb90944c90e0261a5cb44649d

Message Authentication Codes. Protecting passwords using a message authentication code (MAC) depends on a process that first hashes the password and then adds a symmetric cryptographic key. Security is enhanced by the fact that the hashed password is encrypted. The verifying location compares the password to a stored value. The password is typically prepared for transport within the computer used to log on. Like hashing, MACs protect passwords only after they are submitted.

Cryptography. Passwords can also be protected using cryptography. A cryptographic algorithm, generally residing on the logon computer, encrypts the password and sends it to the location where the password data resides. The password is then compared to the stored data and the result is sent back to the logon computer. Symmetric cryptographic algorithms are typically used, since they are fast and robust. Unlike hashing and MACs, the resulting length varies in relation to the length of the password. A file of encrypted passwords might look like this:

USERNAME   PASSWORD
AliceZ     60135d5b849c2700dc60ffc2606fb947
BobY       0c0dd92d4bd8d8ca864441d23e066d8b
CarolW     7b94228224366ce3b2a049acaa0bd3c2
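The following is an added example, not code from the Smart Card Alliance module: it applies the stored-password conversions described in 6.1.1.1 (hashing and a keyed MAC) to a constructed credential file that reuses the page's AliceZ/BobY/CarolW usernames, and adds a fourth constructed user who shares BobY's password. It shows the property the section states for hashing (the same password always gives the same stored value, so shared passwords are visible without being recovered) and that a keyed MAC cannot be recomputed, and therefore cannot be guessed against offline, without the server's key. The salted, iterated variant at the end goes beyond the page; the key, salt handling and iteration count are assumptions of this example.

```python
"""Added example: the three stored-password conversions of section 6.1.1.1,
applied to a constructed credential file. Not the module's own code."""
import hashlib
import hmac
import os

# Constructed cleartext credential file (the form the page warns against).
CLEARTEXT = {
    "AliceZ": "myDOGsparkY",
    "BobY": "Home4holidays",
    "CarolW": "getthejobdone",
    "DaveV": "Home4holidays",   # constructed: a second user with BobY's password
}

MAC_KEY = b"constructed-server-side-mac-key"   # assumption: held only by the verifier


def hash_store(passwords):
    """Hashing: store SHA-1(password), as in the page's hashed-file example."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in passwords.items()}


def hash_verify(store, user, candidate):
    """The same password into the same algorithm gives the same digest, so compare digests."""
    digest = hashlib.sha1(candidate.encode()).hexdigest()
    return user in store and hmac.compare_digest(store[user], digest)


def mac_store(passwords, key):
    """Message authentication code: hash the password under a symmetric key."""
    return {u: hmac.new(key, p.encode(), "sha256").hexdigest() for u, p in passwords.items()}


def mac_verify(store, key, user, candidate):
    """Without the key the stored tags cannot be recomputed, so a stolen file
    alone does not permit offline guessing."""
    tag = hmac.new(key, candidate.encode(), "sha256").hexdigest()
    return user in store and hmac.compare_digest(store[user], tag)


def salted_store(passwords, iterations=50_000):
    """Salted, iterated conversion (PBKDF2-HMAC-SHA-256); beyond the page. The
    per-user random salt makes equal passwords produce different stored values."""
    out = {}
    for u, p in passwords.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        out[u] = salt.hex() + "$" + dk.hex()
    return out


def salted_verify(store, user, candidate, iterations=50_000):
    if user not in store:
        return False
    salt_hex, dk_hex = store[user].split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk_hex, dk.hex())


def duplicate_password_users(store):
    """Users whose stored values are identical. Under an unkeyed or keyed but
    unsalted conversion this reveals shared passwords without recovering them."""
    by_value = {}
    for user, value in store.items():
        by_value.setdefault(value, []).append(user)
    return sorted(users for users in by_value.values() if len(users) > 1)


HASHED = hash_store(CLEARTEXT)
MACCED = mac_store(CLEARTEXT, MAC_KEY)
SALTED = salted_store(CLEARTEXT)

if __name__ == "__main__":
    for name, store in (("hashed", HASHED), ("mac", MACCED), ("salted", SALTED)):
        print(name, "shared-password groups:", duplicate_password_users(store))
```

Run stand-alone, the script lists BobY and DaveV as a shared-password group for the hashed and the MAC files and no group for the salted file. Both hashing and the MAC keep the page's property that verification needs only a recomputation and a comparison; the difference is what an attacker holding the file can do with it.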


6.1.1.2 One-time Passwords

One-time passwords (OTPs) were developed to counter the potential problems of user-determined, static passwords and password security policy management. OTPs use a time-based and/or event-based algorithm with a random number generator that is unique for each individual user. Each time the user authenticates to the system, a different password is used, after which that password is no longer valid. The password is computed either by software on the logon computer or by OTP hardware tokens in the user's possession that are coordinated through a trusted system.

Software-based OTPs. Software-based OTP programs reside completely on the network and the host machine. One of the most common software-based OTPs is S/KEY®, which is freely available on the Internet and is used as an example in the following discussion. S/KEY uses a combination of a permanent S/KEY password that is never sent over the network and a one-time key. When the user connects to the remote machine, a dialog box displays a one-time key and prompts for a password. The one-time key and the user's permanent S/KEY password are entered into a local S/KEY client machine, which then generates a password that allows logon. Every time the user connects to the remote machine, the one-time key changes; however, the user's permanent S/KEY password remains the same. One of the advantages claimed for this approach is that no secrets are stored on the host server. However, the server does need to store the OTP most recently used for authentication. For this reason, software-based OTPs are vulnerable to intruders who obtain root privileges on a server. With the expiration of the basic patents on public key cryptography and the widespread use of laptop computers running SSH and other cryptographic protocols that can secure an entire session, not just the password, S/KEY is falling into disuse. Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.

While many OTP approaches are based on proprietary algorithms, the Initiative for Open Authentication (OATH) has been working with the Internet Engineering Task Force (IETF) to develop open standards. One standard has been published, HOTP: An HMAC-Based OTP Algorithm (IETF RFC 4226); several other authentication methods and provisioning specifications are being discussed as IETF drafts and have already been implemented by a number of vendors. Software-based OTPs have gained momentum for the mobile environment with PDAs and smart phones as display devices. This is an area where the OATH-proposed HOTP standard is put to use. HOTP uses an HMAC built on the SHA-1 hash function with a secret key shared between a user device and the validation server, which synchronizes unique passwords for sequential use.

OTP Tokens. Hardware-based OTPs are generated by a physical token or other device that users carry with them. Password generation is based on either time-based or challenge-response algorithms. The most popular time-based algorithm is incorporated in several companies' products. In this implementation, the user carries a special token that generates and displays a six-digit number that changes every 60 seconds. To log onto a system, the user enters a username and uses the six-digit number as the password. A server hosts software that uses a clock to coordinate with the hardware token and maintains a database with the correct passwords and challenge response. If the number is what the server expects, the password is accepted. In a challenge-response system, a challenge is issued by the host system, which is then used by the user to compute the appropriate response. The response can be computed by the token, an automatic program, or user software.

Other companies' tokens may use a combination of time- and event-based algorithms which capture the frequency of use and better manage the out-of-synch issues that occur with time-based algorithms. Alternative OTP techniques are available, including approaches that use a smart card or smart-card-based USB token as the physical OTP device.
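As an added example (not code from the module, from OATH or from any token vendor), the following implements the event-based HOTP algorithm of RFC 4226 that the section cites, together with the validating server's handling of the counter: RFC 4226 computes HMAC-SHA-1 over a secret the device and server already share and the event counter, then truncates the result to a six-digit code. The server keeps only the secret and the counter of the last code it accepted, which is what lets it reject a replayed code and an older code while tolerating a device that has run a few events ahead (the out-of-synch problem the text mentions). The secret is the RFC 4226 Appendix D test secret, so the codes for counters 0 to 9 are the RFC's published test vectors; the look-ahead window size is an assumption of this example.

```python
"""Added example: RFC 4226 HOTP generation and server-side validation.
Not the module's own code."""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits (RFC 4226, section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class HotpValidator:
    """Server side. Keeps only the shared secret and the counter of the last OTP
    accepted, so a code is never accepted twice and older codes are rejected."""

    def __init__(self, secret, look_ahead=5):
        self.secret = secret
        self.look_ahead = look_ahead      # assumption: how far the device may run ahead
        self.last_counter = -1            # nothing accepted yet

    def validate(self, code):
        # Try the next look_ahead counters; resynchronise on the first match.
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


RFC_SECRET = b"12345678901234567890"   # RFC 4226 Appendix D test secret


def validation_walkthrough(secret=RFC_SECRET):
    """Returns the accept/reject decisions for a sequence of presented codes."""
    v = HotpValidator(secret)
    return (
        v.validate(hotp(secret, 0)),   # True: first code
        v.validate(hotp(secret, 0)),   # False: same code replayed
        v.validate(hotp(secret, 3)),   # True: events 1-2 skipped, still inside the window
        v.validate(hotp(secret, 2)),   # False: older than the last accepted counter
        v.validate(hotp(secret, 9)),   # False: beyond the window, device must be resynced
        v.validate(hotp(secret, 4)),   # True: the next expected code
    )


if __name__ == "__main__":
    for c in range(10):
        print(c, hotp(RFC_SECRET, c))
    print(validation_walkthrough())
```

Two points carry over to any deployment: the shared secret (the token "seed" the later table refers to) is the whole security of the scheme and belongs in protected storage on both sides, and a code is only single-use because the server advances `last_counter`; a validator that forgot that counter would accept replays.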


6.1.1.3 Single Sign-on

Single sign-on is an authentication mechanism that requires computer users to sign on to a system (i.e., present a password) once. The single sign-on then provides them with access to all applications and systems that they are authorized to access. Single sign-on solutions are typically implemented to reduce human error and user frustration. The implementation of single sign-on solutions has not been universal, since they often only reduce the number of passwords required or can be too complex to integrate with all applications. Since single sign-on solutions rely on passwords, they also suffer from the potential weaknesses inherent to all password-based authentication unless other authentication factors are also implemented.

6.1.2 Biometrics

Approaches that rely on biometric factors comprise a group of proven technologies and computerized methods that identify and verify individuals based on personal characteristics. These approaches match a characteristic in real time against a record of the characteristic that was created at enrollment. The main biometric technologies include fingerprint, face, hand geometry, iris, palm, signature, voice, and skin.

Biometric technologies are being used more often as a primary or secondary authentication factor for logical access. A common approach is that the individual user, at the time of registration and provisioning for logical access privileges, submits a biometric to the system. This biometric is stored in the system as a reference. In a typical scenario, users enter a username and place a finger on a reader (instead of or in addition to providing a password). A server compares the biometric template created by the reader with the reference record stored on the server. As an alternative, a reference biometric may be written and securely stored in a smart card. During logon, users may insert their smart card in a card reader and submit a fingerprint to authenticate that they are the valid cardholders. The biometric captured by the reader is compared to the reference biometric data stored on the smart card. If the captured biometric matches the biometric stored on the card, the smart card then releases the secret information required to log the user onto the network. In this case, the biometric comparison may be done in the reader or on the card (called match-on-card or on-card comparison (OCC)).

The value of using biometrics for logical access will increase as the technology becomes easier and faster to use. Personal traits are an attractive, convenient, and reliable authentication mechanism.
Security concerns, however, center on the biometric data matching process, which typically either requires sending unprotected data over the network or storing the data on the logon computer. Such data is vulnerable to replay (resulting in illegal access) or replacement (resulting in denial of access). This concern can be mitigated by protecting biometric data in transit or by capturing and comparing the biometric data locally (e.g., within a reader or on a smart card).

6.1.3 Public Key Cryptography

Public key cryptography (also known as asymmetric key cryptography) encrypts information using mathematically related pairs of cryptographic keys. One key in the pair is used to encrypt information; the information can then only be decrypted using the other key. Users obtain the key pairs through a trusted authority and use them to exchange data securely and privately. Each key pair comprises a public key and a private key. The public key is used to encrypt confidential information. The private key authenticates the key holder and decrypts information that has been encrypted using the public key. The private key must be kept secret. The person using the private key can therefore be certain that information the key is able to decrypt was intended for them, and the person sending the information can be certain that only the holder of the private key can decrypt it. Information describing the public key is recorded in a certificate that is signed digitally by a certificate authority. A user can provide the public key to a sender, or the key can be retrieved from a directory in which it is published.


The use of asymmetric keys is supported by a public key infrastructure (PKI). PKI is a combination of standards, protocols, and software composed of at least the following components:

• A certificate authority (CA), which issues and verifies digital certificates
• A registration authority (RA), which verifies the identity of the requestor before a digital certificate is generated and issued
• One or more directories where certificates (with their public keys) and the certificate revocation list (CRL) are stored

Public key cryptography offers an additional level of security, since there are no shared secrets. Generally, the PKI certificate is stored on a logon computer or hardware token (for example, a smart card) and is used to encrypt the password before it is sent to be authenticated.

6.1.4 Soft Tokens32

Soft tokens (also known as virtual cards) are software files that contain cryptographic keys used for authentication. Users authenticate themselves to a network by proving possession and control of this cryptographic key (typically stored on disk or some other media). The media used to store cryptographic keys is itself password-encrypted, with the password known only to the user. Each instance of an activation requires the entry of the password to decrypt the contents of the soft token. The unencrypted copy of the authentication key is erased after every authentication.

Soft tokens are generally seen as inexpensive, easily managed, and disposable. However, this authentication method is not typically portable; users must be at a client machine to authenticate themselves. Some soft-token offerings support user mobility, either by allowing keys to be stored on servers and downloaded to the user's system as needed, or by employing key components generated from passwords combined with key components stored on servers. Soft tokens rely on a trusted client and a trusted server. In addition, the user must have another key to access the soft token; otherwise, anyone with access to the client machine can be authenticated.

6.1.5 Smart Card Technology

When used for logical access, smart card technology typically comes in two form factors: a credit-card-sized plastic card or a USB device, each with an embedded computer chip. By far the most popular form factor is the plastic card, due to its ability to include a picture and visible corporate information and to host other security mechanisms such as a magnetic stripe or bar code. Regardless of form factor, smart cards can be used to implement any of the authentication techniques described above. Smart cards have the ability to:

• Securely store password files
• Generate asymmetric key pairs and securely store PKI certificates
• Securely store symmetric keys
• Securely store OTP token seed files
• Securely store biometric image templates

Using a smart card to store password files is the simplest use of smart cards for logical access. The benefits of this type of system are:

• Users do not have to remember their passwords.
• Stored passwords can be very large and almost unbreakable using a dictionary attack.
• The card can be activated by a personal identification number (PIN) or biometric if required, adding an authentication factor.
• This implementation is usually the lowest entry-cost system.

32 Electronic Authentication Guideline, NIST Special Publication 800-63-2, August 2013.


Smart cards can also be used to support stronger authentication schemes. For example, in a system that uses symmetric keys, the card can securely store a shared secret injected at the point of manufacture. This key can then be used during the authentication process with a secure server as part of an algorithmic challenge and response session. Smart cards are also widely acknowledged as the ideal carrier of PKI credentials; smart cards can support on-card key generation, can store public key certificates securely, and protect the user's private key.

The use of a smart card with one or more of these approaches can provide a more secure means of logical access, even if the combination does not necessarily meet the criteria of two- or three-factor authentication. For example, a smart card alone cannot authenticate a user to a network, but a smart card can store information that provides a logon mechanism. A smart card that stores a user's PKI logon certificate can authenticate that user to the network but only satisfies the requirement for something you have. However, combining a smart card with a PIN or biometric protection achieves two-factor authentication. A smart card used with both a PIN and biometric data provides three-factor authentication.

Table 3 summarizes the advantages that smart cards can provide for logical access when used with different authentication mechanisms.

Table 3. Enhancing Authentication with Smart Cards

Columns: Authentication Mechanism; Issue; Value Added by Smart Cards

Single-Factor Authentication

Static passwords
  Issues:
  • Easy to guess, sniff, or steal
  • Difficult to enforce strong password policies
  • User frustration and resistance to changing and memorizing passwords
  • Cost to manage
  Value added by smart cards: A smart card system provides a secure container for passwords and automates the user's logon, relieving the user of the requirement to manage passwords. Strong password policies are easy to enforce.

Passive or active token without a PIN
  Issues:
  • Token loss or theft
  Value added by smart cards: A smart card system provides security for the token seed and also adds PIN-based access to the card, implementing two-factor strong authentication.

Biometric reader
  Issues:
  • Replay attack
  • Masquerade attack
  • Biometric credential and matching security
  Value added by smart cards: A smart card system provides secure storage for the biometric template, performs the biometric match on the card, and adds PIN-based access to the card, implementing three-factor authentication.

Two-Factor Authentication

One-time password token with a PIN
  Issues:
  • Complex infrastructure
  • Man-in-the-middle attack
  • Single function product
  • OTP seed protection
  • Token life-cycle cost
  Value added by smart cards: A smart card system replaces a single-function token with multi-function capability (securing application and network access) and reduces overall complexity and life-cycle cost. Smart card investment can be leveraged by using the card as a smart ID badge for secure access to buildings. Smart cards are programmable. Cards can be reused easily, supporting a more cost-effective approach to issuing temporary access cards. New smart card functions can be added after issuance, supporting upgrades to systems or new applications.

Biometric reader and password
  Issues:
  • Complex back-end infrastructure
  • Credential security
  Value added by smart cards: A smart card system provides secure storage for the biometric template and performs the biometric match on the card.

Three-Factor Authentication

Token, biometric, PIN
  Issues:
  • Credential security, whether on the server or workstation
  • Complex infrastructure
  Value added by smart cards: A smart card system provides the least complex mechanism for three-factor authentication when integrated with biometric match-on-card capability.
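The symmetric-key challenge and response session described in 6.1.5, modelled end to end as an added example (not the module's code or any card vendor's implementation): the card holds a key injected at manufacture that never leaves it and only answers challenges; the server holds the issuer's copy of the key, issues a fresh random challenge per attempt, consumes each challenge on first use and compares the response in constant time. The same exchange is what section 5.5.5 calls for on the reader-to-control-panel link, where the reader plays the card's role and the panel the server's. Card identifiers, keys and the HMAC-SHA-256 response construction are assumptions of this example.

```python
"""Added example: symmetric-key challenge/response between a smart card and an
authentication server, with replay rejection. Not the module's own code."""
import hashlib
import hmac
import secrets


class SymmetricKeyCard:
    """The card: the key is injected once and never exported."""

    def __init__(self, card_id, key):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge):
        # Bind the response to this card's identity and to this exact challenge.
        return hmac.new(self._key, self.card_id.encode() + challenge, hashlib.sha256).digest()


class AuthServer:
    """The verifier: holds the issuer's copy of each card key and at most one
    outstanding challenge per card."""

    def __init__(self, card_keys):
        self._keys = dict(card_keys)
        self._pending = {}

    def challenge(self, card_id):
        c = secrets.token_bytes(16)            # fresh, unpredictable challenge
        self._pending[card_id] = c
        return c

    def verify(self, card_id, response):
        c = self._pending.pop(card_id, None)   # a challenge is consumed on first use
        key = self._keys.get(card_id)
        if c is None or key is None:
            return False
        expected = hmac.new(key, card_id.encode() + c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def exchange_walkthrough():
    """Runs a genuine authentication, a replayed response and a card that
    presents the right ID without the key; returns the three decisions."""
    key = secrets.token_bytes(32)                      # constructed injected key
    server = AuthServer({"C0001": key})
    card = SymmetricKeyCard("C0001", key)
    impostor = SymmetricKeyCard("C0001", secrets.token_bytes(32))

    c1 = server.challenge("C0001")
    r1 = card.respond(c1)
    genuine = server.verify("C0001", r1)

    server.challenge("C0001")                          # a new challenge is issued
    replay = server.verify("C0001", r1)                # the old response is re-sent

    c3 = server.challenge("C0001")
    cloned = server.verify("C0001", impostor.respond(c3))
    return genuine, replay, cloned


if __name__ == "__main__":
    print("genuine, replay, cloned-id:", exchange_walkthrough())
```

The replay case is the one that matters for an exposed reader or wiring: an observer who captures a valid response learns nothing reusable, because the server has already consumed the challenge it answered and every later challenge is different. Note that `verify` also returns False when no challenge is outstanding, so a response sent without first requesting a challenge is rejected rather than matched against stale state.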

6.2 Drivers for Smart Card Technology for Logical Access

The following are the primary drivers for smart card technology use for logical access.

6.2.1 Strong Authentication Support

As described in Section 6.1, more and more organizations today are looking for stronger authentication solutions – beyond usernames and passwords – to validate that the users accessing systems are who they say they are. Smart cards significantly increase the security of a user’s digital credentials, regardless of the nature of the credentials. The credentials are permanently stored on the card, which is in the possession of the end user, and never available in software or on the network for an unauthorized user to steal. Smart cards are typically used to enable two-factor authentication, incorporating something that you have (the smart card) and something that you know (typically a PIN that activates the card’s cryptographic functions). Smart card technology also supports the addition of biometric technologies (something you are) to enable three-factor authentication. When using a smart card, taking control of a user’s digital identity requires stealing the smart card and guessing the PIN. Users know very quickly when a card is stolen and can contact the network administrator to revoke the stolen credentials. In addition, too many incorrect PIN guesses can lock the card.

6.2.2 Enhanced Security and Convenience for Users

Users in most organizations face the challenge of managing multiple passwords for multiple systems and applications. This requirement has implications for security and user productivity. Some IT departments choose the path of least resistance, allowing users to use the same password for every application. This practice represents the greatest security risk, since all applications are compromised if a single password is guessed or stolen. Other IT departments may establish a stronger policy, requiring a different password for each application and a more complex password, containing a mix of character types (alphanumeric, uppercase, lowercase, symbols). In addition, a secure password policy may require that passwords be changed on a regular basis. Establishing stronger password policies is an important step when access relies on a static password alone, but enforcing these policies can be challenging. Most users have difficulty remembering multiple complex passwords, so they write them down or store them in plain text on their computers, where they can easily be stolen.


IT departments also face the challenge of administering passwords for multiple users and multiple applications without sacrificing productivity and without creating unhappy users. Industry statistics show that 30% to 50% of IT help desk resources are consumed by managing and resetting passwords. End-user productivity is also affected, since users cannot access applications until a new password is assigned. The U.S. Department of State reported that password-reset related calls to their help desk were reduced from 35% to 5% after they implemented smart card logon.

Various “identity management” solutions are currently available that address these productivity issues. Consolidating users’ identities in central directories and implementing provisioning tools to manage those identities minimize the productivity losses attributable to managing different identities for different accounts. Such solutions also address the security vulnerabilities posed by accounts that remain on a system long after the owner’s access is no longer valid. Similar solutions are available for Web-based content and applications. However, such solutions cannot be implemented overnight. In addition, they require a gradual change in an organization’s back-end infrastructure. And users still need to juggle multiple passwords for their applications. Other identity management solutions simplify the end-user experience by using password synchronization, self-service password management, or single sign-on, but these also typically require modifications to the IT infrastructure and do not address the security concerns raised by using passwords.

When used with PKI certificates, an additional benefit is a simple, enterprise-wide revocation process when an employee leaves the organization. Organizations that use smart card technology for logical access do not have to wait for back-end identity management system implementation to realize operational efficiencies and return on investment.
User identities and credentials can be consolidated onto a smart card immediately, providing users with a single, consistent approach to logical access, regardless of whether the user is logging onto a workstation or a network or accessing the network remotely using a VPN. The user experience remains consistent when the organization updates its identity management infrastructure: insert a smart card and enter a PIN. A smart card is a user’s personal key to all of the user’s data and applications. In addition, because the key is portable, users are not tied to a single workstation on which their credentials are located. They can travel from machine to machine, a critical advantage for users who work at multiple locations.

6.2.3 Enhanced Protection against Identity Fraud

Smart cards can help defend against ever-more-cunning attempts at phishing. Phishing uses e-mail messages or the Internet to attempt to fool individuals into divulging information about their accounts. For example, a phishing attempt might use e-mail to send a potential victim what appears to be a genuine request from a trusted party (e.g., a bank or an Internet service provider). The individual would then respond to the request by providing account numbers, PINs or passwords to a rogue Web site posing as the legitimate entity. Phishing attacks exploit the lack of authentication between the e-mail sender and recipient and between the rogue Web site and the individual. Smart cards can be used to combat phishing attacks by applying two-way mutual authentication for secure access to Web site services. When account issuers offer a Web service (e.g., for account management), they can issue smart cards to account holders that allow access to the legitimate Web site. The smart card credential can both authenticate the user to the Web site and authenticate the Web site as legitimate. By providing strong, multi-factor authentication and by enabling mutual authentication, smart cards can help defeat phishing attacks. Individuals can be assured that they are communicating with a legitimate site and that their identity credentials are protected from unauthorized access.
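The two properties described in Sections 6.2.1 and 6.2.3 (a PIN that activates the card and locks it after too many wrong guesses, and mutual authentication so that a rogue site cannot pass for the legitimate one) can be shown in one small model. The Python below is an added example written for this module, not code from the Smart Card Alliance or from any card product. It assumes a symmetric per-card key shared with the relying party's authentication server and uses HMAC-SHA256 challenge-response in place of the PKI certificates the text describes; the card model, the message layout, the card identifier and the retry limit of three are constructed for illustration.

```python
"""Simulated smart card logon: PIN-gated key use, retry-counter lockout and
mutual challenge-response authentication (added example, not from the module).

Assumptions (not from the page): a symmetric per-card key shared with the
authentication server, HMAC-SHA256 as the challenge-response primitive in
place of PKI certificates, and a PIN retry limit of 3.
"""
import hashlib
import hmac
import secrets

MAX_PIN_TRIES = 3  # assumed retry limit; on real cards a personalization parameter


class SimulatedSmartCard:
    """Holds a PIN and a secret key; the key is usable only after PIN verification."""

    def __init__(self, pin: str, key: bytes):
        self._pin = pin
        self._key = key            # never leaves the card object
        self._tries_left = MAX_PIN_TRIES
        self._verified = False

    @property
    def locked(self) -> bool:
        return self._tries_left == 0

    def verify_pin(self, pin: str) -> bool:
        """Something you know: each wrong guess decrements the counter; zero locks the card."""
        if self.locked:
            return False
        if hmac.compare_digest(self._pin.encode(), pin.encode()):
            self._tries_left = MAX_PIN_TRIES
            self._verified = True
            return True
        self._tries_left -= 1
        self._verified = False
        return False

    def respond(self, challenge: bytes) -> bytes:
        """Something you have: the response can only be computed with the on-card key."""
        if not self._verified:
            raise PermissionError("PIN not verified")
        return hmac.new(self._key, b"card" + challenge, hashlib.sha256).digest()

    def verify_server(self, challenge: bytes, response: bytes) -> bool:
        """Card-side check of the server's answer to the card's own challenge."""
        expected = hmac.new(self._key, b"server" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class AuthServer:
    """Relying party holding the same per-card keys (constructed for the example)."""

    def __init__(self, card_keys: dict):
        self._card_keys = card_keys

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def check_card(self, card_id: str, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._card_keys[card_id], b"card" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def respond(self, card_id: str, challenge: bytes) -> bytes:
        return hmac.new(self._card_keys[card_id], b"server" + challenge, hashlib.sha256).digest()


def mutual_login(card: SimulatedSmartCard, card_id: str, server: AuthServer, pin: str) -> bool:
    """Two-factor logon: the PIN activates the card, then each side proves key possession.
    The b"card"/b"server" labels keep one side's response from being replayed as the other's."""
    if not card.verify_pin(pin):
        return False
    c1 = server.challenge()
    try:
        r1 = card.respond(c1)
    except PermissionError:
        return False
    if not server.check_card(card_id, c1, r1):
        return False
    c2 = secrets.token_bytes(16)          # card's challenge to the server
    r2 = server.respond(card_id, c2)
    return card.verify_server(c2, r2)    # a rogue site without the key fails here
```

A server that does not hold the card's key (the rogue Web site of the text) fails the second half of the exchange, so the card never reports a successful logon to it; a card whose PIN counter has reached zero refuses to compute any response even with the correct PIN, which is the lockout behaviour Section 6.2.1 describes.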

6.2.4 Standards-Based Application Coverage

Smart card technology is becoming a preferred approach for logical access, not only for the smart card’s increased security, but also for its ease of use, broad application coverage, ease of integration, and multi-purpose functionality. Smart cards provide organizations with a cost-effective solution that can be deployed easily and is widely accepted by the end user. Different applications impose different requirements on users before granting access. Some applications support only one method of granting access; others support multiple methods. Few applications allow credentials to be shared. Of the most common application access methods described previously (username and password combination, password only, shared secret, OTP, biometrics, and PKI or digital certificate), the username and password combination, while the least secure approach, is currently the primary method used for access control. As the methods required to access different applications multiply, user acceptance decreases, often leading to decreased security. Smart cards, unlike other solutions, can provide the user with all of these access methods built into a single card, while requiring only the entry of the user’s PIN. Additional functionality enables smart cards to generate OTPs that replace single-use tokens and use biometrics to replace the PIN. Commercial products are available that leverage the security and portability of smart cards to store usernames and passwords for all applications. In addition, smart cards are more flexible than traditional token technology, because they are cryptographic devices that can support a wide range of functionality. They are not dependent on the presence of a server, and they can be erased and reprogrammed for continued use within an organization. Smart cards can now provide a user with a single interface for access to all applications, regardless of the credential required by the application. This capability increases user acceptance and convenience, while implementing and enforcing the organization’s security policies.
Over the last several years, standards have evolved that provide the interoperability needed to allow a smart card to access multiple organization resources. For example, cryptographic standards and services such as PKCS #11 and Microsoft Crypto API (CAPI) allow applications to use a digital certificate stored on a smart card to authorize end-user access. The private key is stored on the smart card chip and can only be accessed by a user who provides the correct PIN when the application opens. The adoption of the Personal Computer/Smart Card (PC/SC) standard and the proliferation of readers and reader drivers have also contributed to a wider acceptance of smart cards for logical access. The price of readers has decreased, and their quality and availability has increased to the point that many of the major computer manufacturers now build a reader into a computer keyboard or laptop for little additional charge. In addition, international, regional or industry-specific standards are used to specify the identity application, data model and technologies used with smart identity cards. (See additional information in Section 3.4 and in Module 1, Section 10, Relevant Standards and Specifications.)

6.2.5 Ease of Integration

Smart cards include built-in functionality that simplifies their integration into an organization’s IT infrastructure. Most applications requiring credentials other than a username adhere to one of the standards listed above. For this reason, enabling smart cards for logical access is typically simple, requiring installation of a small middleware application on the computer. Smart cards can then be used for logon, VPN access, signing and encrypting e-mail, SSL-based Web access, and biometric-based logon. Most of the leading CAs have adopted smart cards as the preferred platform for storing and using digital certificates. A CA can use either the PKCS #11 or Microsoft CAPI interface to generate keys, load certificates, and perform required cryptographic functions. Configuring a CA to use a smart card is straightforward and typically consists only of selecting the correct interface. Smart card readers are now easily integrated with applications and desktop operating systems through two standards: the PC/SC standard and the CCID, or Chip Card Interface Device, specification.


The PC/SC standard allows smart card readers to be integrated easily with middleware or other applications, regardless of manufacturer or command set. Although this standard was developed for use in a Microsoft environment, it is now considered the de facto standard for many other platforms as well. The CCID specification was developed for USB smart card readers. It was designed to support easy integration of smart card readers with desktop operating systems, thereby removing the need to install additional reader driver software onto the user’s desktop. The specification was defined by the USB Implementer’s Forum (USB-IF)33 in conjunction with the smart card industry. CCID defines a command set and transport protocol over the USB so that a host system can communicate with a smart card reader. A specific USB class is now defined for smart card readers. In addition, Microsoft Windows 7 provides built-in support for standards-based smart cards, such as the PIV card and the European Citizen Card.

6.2.6 Ease of Deployment

Management tools and deployment methods are available that facilitate large deployments of smart cards. Card management systems integrated into an organization’s directory or procurement system provide the functionality needed to deploy and manage smart cards and their credentials. Reader drivers and smart card middleware are mature and easily deployed throughout an organization as well. Both top management and dedicated project management support are still critical to successful implementation. Deploying a new, organization-wide identity management system that includes smart cards can be a complex project that extends across multiple organizations and affects core business processes.

6.2.7 Multi-Purpose Functionality

Plastic cards are a common fixture within many organizations and have many uses, such as identification, physical access, and time and attendance. Smart cards allow organizations to realize the benefits of combining all such applications on one card. The user can then carry a single card for physical access, logical access, identification, and other business functions. Smart cards can also host applications that require contactless identification, such as physical access to buildings and transportation services. Other technologies often associated with a plastic card, such as magnetic stripes, bar codes, radio frequency (RF) technology, and security laminates can be used in conjunction with the smart card.

6.3 The National Strategy for Trusted Identities in Cyberspace: A Key U.S. Initiative Driving Stronger Authentication Technologies

Individuals are increasingly using the Internet for sensitive transactions, like banking, mortgage applications, buying and trading stocks, and reviewing healthcare information. Given this, there are very real problems of identity management, privacy and security in cyberspace. The National Strategy for Trusted Identities in Cyberspace (NSTIC)34 is an Obama administration initiative that broadly defines an Identity Ecosystem that would re-establish trust and better protect online identities. NSTIC aims to give individuals and organizations the ability to complete online transactions with confidence and trust. According to Howard A. Schmidt on the White House blog35, “Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers – both public and private – to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.).”

33 Additional information about CCID can be found at the USB Implementer’s Forum web site, http://www.usb.org.
34 http://www.nist.gov/nstic/
35 http://www.whitehouse.gov/blog/2010/06/25/national-strategy-trusted-identities-cyberspace


According to the White House36, the goals for the NSTIC are as follows:

1. Design the Identity Ecosystem
2. Build the Identity Ecosystem infrastructure
3. Strengthen privacy protections for end users and increase awareness of risks
4. Manage the Identity Ecosystem

NIST is currently leading the effort to facilitate private sector involvement in defining and establishing the Identity Ecosystem. The Identity Ecosystem will be created and run primarily by the private sector. According to the NSTIC web site: “The role of the federal government is to facilitate and help jump start the private sector's efforts by convening workshops and bringing together the many different stakeholders important for establishing the Identity Ecosystem. The government will also protect individuals by ensuring that the Identity Ecosystem meets these four guiding principles: (1) privacy-enhancing and voluntary, (2) secure and resilient, (3) interoperable, and (4) cost-effective and easy to use. Lastly, the government can help drive the market by accepting Identity Ecosystem credentials for its online services.”

6.3.1 Smart Cards and NSTIC

The NSTIC Framework is technology-agnostic; however, it identifies smart card technology as one example of an identity medium — a card, USB token or other device storing identity credentials used to validate online identities and transactions — and one that is suitable for high-value transactions and identities. For high assurance online identity transactions (for example, for a mortgage application or health record access), using smart card technology for an identity credential will protect identities in cyberspace in a secure, privacy-sensitive way.

36 http://www.whitehouse.gov/the-press-office/fact-sheet-national-strategy-trusted-identities-cyberspace


7 Smart Cards and Biometrics37

Biometric technologies are defined as automated methods of identifying or verifying the identity of a living person based on unique physiological or behavioral characteristics. Biometrics can provide very secure and convenient verification or identification of an individual since they cannot be stolen or forgotten and are very difficult to forge.

• A physiological characteristic is a relatively stable physical characteristic, such as an individual’s fingerprint, hand geometry, iris pattern, facial image, or blood vessel pattern in the hand. This type of biometric measurement is usually unchanging and unalterable without significant duress to the individual.
• A behavioral characteristic is more a reflection of an individual's psychological makeup. Speech patterns provide a method of speaker verification and are the most common behavioral biometric used for identification. Another example of a behavioral biometric is dynamic signature verification. Because most behavioral characteristics vary over time, an identification system using these must allow updates to enrolled biometric references.

7.1 Biometric System Components and Process

Four major components are usually present in a biometric system:

• A mechanism to scan and capture a digital representation of a living person’s biometric characteristic.
• Software to process the raw data into a format (called a template) that can be used for storing and matching.
• Matching software to compare a previously stored biometric template with a template from a live sample.
• An interface with the application system to communicate the match result.

Two different stages are involved in the biometric system process – enrollment and verification.

Enrollment. As shown in Figure 13, the biometric sample of the individual is captured during the enrollment process (e.g., using a sensor for fingerprint, microphone for speaker verification, camera for face recognition, camera for iris recognition). The unique characteristics are then extracted from the biometric image to create the user’s biometric template. This biometric template is stored in a database or on a machine-readable ID card for later use during an identity verification process.

Figure 13. Example Enrollment Process

37 Source: Smart Cards and Biometrics in Privacy-Sensitive Secure Personal Identification Systems, Smart Card Alliance white paper, May 2002, with updates from Walter Hamilton, Identification Technology Partners.


Matching. Figure 14 illustrates the biometric matching process. The biometric sample is again captured. The unique characteristics are extracted from the biometric sample to create the user’s “live” biometric template. This new template is then compared with the template previously stored and a numeric matching (similarity) score is generated based on a determination of the common elements between the two templates. System designers determine the threshold value for this identity verification score based upon the security requirements of the system.

Figure 14. Example Matching Process

Biometrically-enabled security systems use biometrics for two basic purposes: identification and verification. Identification (one-to-many or 1:N comparison) determines if the individual exists within an enrolled population by comparing the live sample template to all stored templates in the system. Identification can confirm that the individual is not enrolled with another identity or is not on a predetermined list of prohibited persons. The biometric for the individual being considered for enrollment would be compared against all stored biometrics. For some credentialing applications, a biometric identification process is used at the time of enrollment to confirm that the individual is not already enrolled. Verification (one-to-one or 1:1 comparison) determines whether the live biometric template matches with a specific enrolled template record. This requires that there be a “claim” of identity by the person seeking verification so that the specific enrolled template record can be accessed. An example would be presentation of a smart card credential and matching the live sample biometric template with the enrolled template stored in the smart card memory. Another example would be entry of a user name or ID number which would point to an enrolled template record in a database.

7.2 Selecting a Biometric Technology

The selection of the appropriate biometric technology will depend on a number of application-specific factors, including the environment in which the identification or verification process is carried out, the user profile, requirements for matching accuracy and throughput, the overall system cost and capabilities, and cultural issues that could affect user acceptance. Table 4 shows a comparison of different biometric modalities, with their performance rated against several metrics.


Table 4. Comparison of Biometric Technologies38

Rated qualities (H = high, M = medium, L = low): Universality, Uniqueness, Maturity, Accuracy, Durability, Failure-to-Enroll Rate. Record Size is given in bytes.

Biometric Identifier      Ratings (in source order)   Record Size (Bytes)
Face                      H, M, M, M, L, H, M         84-2,000
Fingerprint (one print)   M, H, H, M, L-M, H, H       250-1,000
Hand                      L, M, L, L, L, M, M         9
Iris                      M, M, M, H, L, M, H         688
Signature                 M, L, L, M, L, M, M         500-1,000
Vascular                  M, M, M, H, L, H, H         512
Voice                     H, L, L, M, M, H, L         1,500-3,000

Source: Report of the Defense Science Board Task Force on Defense Biometrics, March 2007

A key factor in the selection of the appropriate biometric technology is its accuracy. When the live biometric template is compared to the stored biometric template (in a verification application), a similarity score is used to confirm or deny the identity of the user. System designers set the threshold (match or no match decision point) for this numeric score to accommodate the desired level of matching performance for the system, as measured by the False Acceptance Rate (FAR) and False Rejection Rate (FRR). The False Acceptance Rate indicates the likelihood that a biometric system will incorrectly verify an individual or accept an impostor. The False Rejection Rate indicates the likelihood that a biometric system will reject the correct person. Biometric system administrators will tune system sensitivity to FAR and FRR to get to the desired level of matching performance supporting the system security requirements (e.g., for a high security environment, tuning to achieve a low FAR and tolerating a higher FRR; for a high convenience environment, tuning to achieve a higher FAR and a lower FRR).
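The FAR/FRR trade-off above is easiest to see by sweeping the threshold over a set of similarity scores. The following Python is an added example, not from the module or from the Defense Science Board report; the genuine and impostor scores are constructed, the 0-100 similarity scale is an assumption, and pick_threshold encodes the high-security tuning rule the text describes (cap the FAR first, then keep the FRR as low as that cap allows).

```python
"""Threshold selection against FAR and FRR (added example, not from the module).

The genuine and impostor similarity scores are constructed for illustration;
a real system takes them from an evaluation data set. Scores are on an
assumed 0-100 similarity scale where higher means more alike.
"""

# Constructed sample scores: genuine = same person against own enrolled
# template, impostor = a different person against that template.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 60]
IMPOSTOR_SCORES = [55, 50, 48, 45, 42, 40, 38, 35, 30, 65]


def far(threshold, impostor_scores=IMPOSTOR_SCORES):
    """False Acceptance Rate: share of impostor scores at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(threshold, genuine_scores=GENUINE_SCORES):
    """False Rejection Rate: share of genuine scores below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def sweep(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """(threshold, FAR, FRR) triples: raising the threshold lowers FAR and raises FRR."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in thresholds]


def pick_threshold(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """High-security tuning: the lowest threshold whose FAR does not exceed max_far.
    Taking the lowest such threshold keeps the FRR as small as the FAR budget allows."""
    candidates = sorted(set(genuine) | set(impostor) | {max(genuine + impostor) + 1})
    for t in candidates:
        if far(t, impostor) <= max_far:
            return t
    return None


if __name__ == "__main__":
    for t, a, r in sweep(range(30, 95, 5)):
        print(f"threshold {t:3d}: FAR {a:.2f}  FRR {r:.2f}")
    print("high security (FAR 0):   threshold", pick_threshold(0.0))
    print("high convenience (FAR 0.1): threshold", pick_threshold(0.1))
```

With the constructed scores, a FAR budget of zero forces the threshold up to 66 and rejects one genuine user in ten, while allowing a FAR of 0.1 lets the threshold drop to 60 with no genuine rejections; that is the high-security versus high-convenience tuning in the paragraph, expressed in numbers.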

7.3 The Role of Smart Cards with Biometrics

Smart cards are widely acknowledged as one of the most secure and reliable forms of electronic identification. To provide the highest degree of confidence in identity verification, biometric technology is considered to be essential in a secure identification system design. Combining smart card technology with biometrics provides the means to create a positive binding of the smart card (a difficult-to-clone token) to the cardholder thereby enabling strong verification and authentication of the cardholder’s identity.

38 High, medium and low are denoted by H, M, and L, respectively. Values assigned for the various qualities are subjective judgments, based on expert opinion and review of (several) current published sources.


7.3.1 Example Programs Combining Smart Cards and Biometrics There are numerous ID systems implemented worldwide that are using smart card and biometric technology, including:

• U.S. FIPS 201-2 Personal Identity Verification (PIV) Card – with photo, biometrics (fingerprint) and smart card.
• U.S. Department of Defense Common Access Card (CAC) – with photo, biometrics (fingerprint), and smart card.
• U.S. Transportation Worker Identification Credential (TWIC) – with photo, biometrics (fingerprint), and smart card.
• ICAO ePassport specification – with photo, optional biometrics and smart card chip.
• Singapore Immigration Automated Clearance System – with fingerprint and smart card chip.
• Canadian Airport Restricted Area Identification Card – with fingerprint and smart card.
• Amsterdam Schiphol Airport – with iris and smart card.
• Malaysia’s national ID (Government Multi-Purpose Card) – with photo, biometrics (fingerprint) and smart card.
• Spain’s social security card – with biometrics and smart card.
• Netherlands’ “Privium” automated border crossing system – with photo, biometrics (iris) and smart card.
• Brunei’s national ID – with photo, biometrics (fingerprint) and smart card.
• U.K.’s Asylum Seekers Card – with photo, biometrics (fingerprint) and smart card.

7.3.2 Key Considerations for Implementing Combined Smart Card / Biometric Systems

The National Institute of Standards and Technology (NIST) included recognized standards for fingerprint templates in its Personal Identity Verification (PIV) standard for federal workers and contractors. This encouraged multiple vendors to develop and offer interoperable access control readers that supported three-factor authentication. As a result, unit costs have decreased and such readers are now widely available. Three-factor access control readers are now accepted by a growing number of organizations. Standardization has reduced the fear of being “locked-in” to a proprietary fingerprint technology solution and there are now multiple sources of readers that use biometric algorithms that conform to recognized fingerprint template standards. Procurement officers today have the comfort of knowing that readers will work within existing access control systems even if they are sourced from different vendors. With the growing acceptance of small and self-contained multi-factor access control readers, unit prices will continue to fall.

7.3.2.1 Biometric Processing

Biometric processing consists of two separate and sequential tasks. First, the “live” biometric template of the user must be extracted and processed. Second, the live template must be compared with the trusted, stored template (i.e., performing the biometric match). The live biometric template extraction is a processor intensive task. A fingerprint extraction, for example, requires approximately 10 times more processing effort than a 1-to-1 fingerprint template comparison. Smart card processors are capable of performing live template extraction and executing the comparison on the card itself. Two main smart card and biometric implementation approaches are "match off-card" and "on-card comparison" (also known as “match on-card”).

• Match-off-card. For this type of implementation, the enrolled template is initially loaded onto the smart card and then transferred from the smart card via either contact or contactless interface when requested by the external biometric system. The external equipment then compares a new live scan template of the biometric with the one being presented from the smart card. (The external equipment could be either the reader or a central computer system.) This implementation clearly has some security risks associated with transmitting the enrolled template off the smart card for every biometric comparison. Appropriate security measures should be implemented to ensure the confidentiality and integrity of the released template. With this technique, the smart card is storing a template (or multiple templates), but has no significant knowledge of the type of biometric information, nor the ability to process it in any way. This implementation method is appropriate for all types of smart cards; this technique will work with memory, wired logic or microcontroller-based smart cards.

• On-card comparison (or match-on-card). This implementation technique initially stores the enrollment template into the smart card’s secure memory. When a biometric match is requested, the external equipment submits a new live template to the smart card. The smart card then performs the matching operation within its secure processor and securely communicates the result to the external equipment. This method protects the initial enrollment template since it is maintained within the smart card and never transmitted off-card. Cardholder privacy is also maintained with this technique since the cardholder’s biometric template information is not readable from the smart card. With this technique, the smart card must be a microcontroller-based device and be capable of computing the one-to-one comparison. Both smart cards and smart card readers are available that support on-card comparison. The National Institute of Standards and Technology (NIST) Minutiae Interoperability Exchange (MINEX) II program is dedicated to the evaluation and development of the capabilities of fingerprint minutia matchers running on ISO/IEC 7816 smart cards. The MINEX II test plan was released in February 2008.
NIST conducted two rounds of public testing and released an updated test report on June 9, 2009. The final results of the most recent evaluation have been released as a revision of NIST Interagency Report 7477.39
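The difference between the two approaches in Section 7.3.2.1 is where the enrolled template is exposed. The Python below is an added example for this module, not code from the Smart Card Alliance, NIST MINEX or any card product: it models a template as a list of minutia points, a toy 1:1 matcher, and the two card types. The (x, y, angle) template layout, the distance and angle tolerances, the 0.6 decision threshold and the sample templates are all constructed for illustration and stand in for the standard minutiae formats and matchers the text refers to.

```python
"""Match-off-card vs. on-card comparison, simulated (added example, not from the module).

Template format (list of (x, y, angle) minutiae), matching rule, tolerances,
threshold and sample templates are constructed for illustration.
"""
import math

MATCH_DISTANCE = 6     # assumed positional tolerance, in pixels
MATCH_ANGLE = 15       # assumed angular tolerance, in degrees
MATCH_THRESHOLD = 0.6  # assumed share of enrolled minutiae that must be found


def minutiae_match_score(enrolled, live):
    """1:1 comparison: share of enrolled minutiae with an unused live minutia within tolerance."""
    used = set()
    hits = 0
    for (ex, ey, ea) in enrolled:
        for i, (lx, ly, la) in enumerate(live):
            if i in used:
                continue
            dist = math.hypot(ex - lx, ey - ly)
            dang = abs((ea - la + 180) % 360 - 180)   # smallest angular difference
            if dist <= MATCH_DISTANCE and dang <= MATCH_ANGLE:
                used.add(i)
                hits += 1
                break
    return hits / len(enrolled) if enrolled else 0.0


class MatchOffCard:
    """Memory-style card: stores the template and releases it on request."""

    def __init__(self, template):
        self._template = list(template)

    def read_template(self):
        return list(self._template)   # enrolled template leaves the card each time


class MatchOnCard:
    """Microcontroller card: stores the template and only ever returns a decision."""

    def __init__(self, template):
        self._template = list(template)

    def compare(self, live):
        """Live template comes in; only the match result goes out."""
        return minutiae_match_score(self._template, live) >= MATCH_THRESHOLD

    def read_template(self):
        raise PermissionError("template is not readable off-card")


def verify_off_card(card, live):
    """Reader or host does the comparison with the template the card released."""
    return minutiae_match_score(card.read_template(), live) >= MATCH_THRESHOLD


def verify_on_card(card, live):
    """Reader submits the live template and trusts the card's decision."""
    return card.compare(live)


# Constructed sample templates (not real biometric data).
ENROLLED = [(20, 30, 45), (50, 60, 90), (80, 35, 120), (110, 70, 200), (140, 25, 300)]
LIVE_SAME = [(22, 31, 50), (48, 62, 85), (81, 33, 125), (112, 68, 205), (70, 90, 10)]
LIVE_OTHER = [(10, 10, 0), (60, 100, 180), (130, 130, 270), (90, 10, 60), (30, 120, 330)]

if __name__ == "__main__":
    print("off-card, same finger:", verify_off_card(MatchOffCard(ENROLLED), LIVE_SAME))
    print("on-card, same finger: ", verify_on_card(MatchOnCard(ENROLLED), LIVE_SAME))
    print("on-card, other finger:", verify_on_card(MatchOnCard(ENROLLED), LIVE_OTHER))
```

Both card types reach the same decision for the same live template; what differs is that the off-card design hands the enrolled template to the reader or host on every comparison (the confidentiality and integrity exposure the text notes), while the on-card design answers only match or no match and refuses to release the template at all.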

7.3.2.2 Biometric Data

Either the raw biometric data (usually in the form of a bitmap image) or an extracted template of the biometric can be stored. For matching purposes, only the template is used. Storing the complete biometric typically requires substantially more memory. For example, a complete fingerprint image will require 50 to 100 Kbytes, while a fingerprint template requires only 300 bytes to 2 Kbytes. Given the storage restrictions, most smart card applications that use biometrics are based on template storage rather than image storage. Some template formats are proprietary, so there is a consideration for retaining the image in offline storage in the event that the template generation and matching software needs to change. If the images are retained, it is possible to generate new templates from the original images without requiring re-enrollment. Some biometric modalities, such as fingerprint, now support an interoperable template standard that works with template generation and matching software products provided by multiple vendors. The interoperability and performance characteristics for both proprietary and interoperable templates are reported in the NIST MINEX report.40 In the case of iris recognition, non-proprietary interoperability is supported by storing a “compact image” format in applications (like those used with smart cards) with storage or bandwidth limitations. These compact formats support iris images usable for verification matching that are in the 2 to 4 Kbyte size range. Performance results of testing compact image formats are provided in the NIST Iris Interoperability Exchange (IREX) test report41.

7.3.2.3 Biometric Storage Biometric data may be stored on the smart card, in the local reader, or in a central database. For a smart card-based ID system, the biometric template would typically be stored in the smart card. This offers increased privacy and portability for the user and ensures the information is always with the cardholder, thus supporting matching without dependence on the availability of an online database connection. This design does require the smart card to have sufficient memory to store the appropriate biometric data. In some applications (such as door entry systems employing contactless smart cards with very little memory), the biometric template may be stored in the reader. This application would require that the smart card be used with a single reader, or where several access points exist, that the biometric database and readers be networked. Central database or reader storage of biometric data may provide a higher level of throughput since the biometric data on the card does not have to be read.

39 See link to NIST IR 7477 and other information about MINEX II testing at http://www.nist.gov/itl/iad/ig/minexii.cfm.
40 NIST MINEX test program information can be accessed at http://www.nist.gov/itl/iad/ig/minex04.cfm.
41 NIST IREX test program information can be accessed at http://www.nist.gov/itl/iad/ig/irex.cfm.

7.3.2.4 Biometric Standards A number of published standards relate to biometrics, including standards for data format, technical interfaces, application profiles, performance measurement and reporting. Standards are generally promulgated by recognized standards bodies. Within the U.S., the main standards work in biometrics is performed by the American National Standards Institute (ANSI)/International Committee for Information Technology Standards (INCITS) and NIST. ANSI's customary practice is to adopt International Organization for Standardization (ISO) standards as direct replacements to corresponding ANSI standards when such standards are approved by ISO for international use. Biometric standards can contribute to the success of system implementation where interoperability and choice of interchangeable vendor products are important considerations42,43.

7.3.2.5 Multi-modal Biometrics Some of the accuracy and usability limitations imposed by the use of a single biometric modality can be overcome by using multiple biometric modalities. Multi-modal biometrics enhance the overall matching accuracy through the use of multiple and independent biometric measurements. For example, the similarity score from a fingerprint measurement can be mathematically “fused” with an independent measurement of the vein pattern in the finger to yield a higher level of confidence in the identity of a person. In addition, multi-modal biometrics can provide a solution for those individuals who are unable to present a suitable biometric sample in one modality. An example would be offering the option to present either a fingerprint or iris for authentication. A person who has poorly defined fingerprint patterns due to age, occupation, or medical condition would be given the choice to enroll and use iris as their biometric modality of choice. If both sensors are present, the user can use whichever modality suits them best. In this situation, there is no fusion of independent biometric measurements. As can be seen in Figure 15, multi-biometric systems can incorporate information from multiple modalities, instances, algorithms, sensors, samples, or any combination of the five.44 Arguably, such systems may also include other sources of information, including biographic or travel document-based information.

42 A useful reference to biometric standards can be found at http://www.planetbiometrics.com/biometric-standards/.
43 A summary of biometrics standards can be accessed at http://www.incits.org/tc_home/International_Standards_Published_as_of_09_08_2010.pdf.
44 A. Ross, K. Nandakumar, and A. Jain, Handbook of Multibiometrics, Springer-Verlag New York, Inc., 2006.


Figure 15. Multi-Biometric Source of Input (figure not reproduced; its branches are: Multi-Sensor: Optical, Solid-State; Multi-Modal: Fingerprint, Face, Iris; Multi-Algorithm: Minutiae, Texture; Multi-Instance: Right Eye, Left Eye; Multi-Sample: Left Profile, Frontal, Right Profile)

The trend toward multi-biometric systems has been particularly prevalent in large-scale U.S. government systems. The Department of Defense Automated Biometric Identification System (ABIS), Department of Homeland Security (DHS) Automated Biometric Identification System (IDENT), and Federal Bureau of Investigation (FBI) Next Generation Identification System (NGI) are all examples of systems which are currently multi-biometric in nature.45,46,47 Furthermore, all three systems are increasing the number of biometric sources which can be leveraged.

7.3.3 Benefits of Combining Smart Cards and Biometrics in a Secure ID System The combination of smart cards and biometrics delivers a number of significant benefits to organizations implementing a secure identification system.

7.3.3.1 Enhanced Privacy Using smart card technology significantly enhances privacy in biometric ID systems. The smart card provides the individual with a personal database, a personal firewall and a personal terminal. It secures personal information on the card through advanced cryptography and digital signatures to prevent alteration or replacement of biometric data and to prevent cloning of the card. This allows the individual to control access to their biometric information and eliminates the need for central database access during identity verification. When used in combination with biometrics, a smart card ID becomes even more personal and private. A biometric provides a strong and unique binding between the cardholder and the personal database on the card, identifying the cardholder as the rightful owner of this card. The biometric cannot be borrowed, lost, or stolen like a PIN or a password, and so strengthens the authentication of an individual’s identity.

45 Next Generation ABIS Goes Operational, Now Referred To as DoD ABIS, DoD biometrics web site, January, 2009. http://www.biometrics.dod.mil/Newsletter/Issues/2009/Apr/v5issue2_a1.html.
46 Next Generation Identification, FBI web site, June 2009, http://www.fbi.gov/hq/cjisd/ngi.htm.
47 10-Fingerprint Scanners to Deploy at all Ports of Entry, DHS website, Nov. 2007, http://www.dhs.gov/files/programs/gc_1194553866460.shtm.


A smart card based ID system also gives the cardholder control over who can access personal information stored on the card. A biometric further enhances this control, ensuring that only the rightful cardholder can authorize access to personal information.

Because of their cryptographic processing capabilities, smart cards can be used in ID systems to increase the trustworthiness of terminals. This can translate into increased privacy for individuals and can allow cardholders to use anonymous devices as personal terminals. The increase in terminal trustworthiness is especially critical for biometric systems. Biometric ID systems rely on terminals to perform live-scan captures of some biometric trait. The ID system should be able to trust the biometric reader to capture and process a user’s biometric. If it cannot, the integrity of the whole authentication process is compromised.

Smart card technology can help to address this vulnerability. Using well-established security protocols, a smart card can participate in the exchange of digital certificates (or cryptographic secrets) with a terminal to determine its authenticity and trustworthiness. In essence, the smart card asks the terminal to prove that it is certified by the ID system. The terminal, in turn, asks the card to prove that it is a genuine member of the system. Once trust is established between the terminal and the smart card, it can then be extended to include the cardholder. By using biometric data captured from the cardholder at the point of use, the system can perform a match against enrollment data stored on the smart card. The ID system can thus authenticate that this user is the rightful owner of this card, and that the personal information stored on this card belongs to this cardholder. This completes the trust relationship between the user, the card, the terminal being used, and the ID system.

7.3.3.2 Enhanced Security Biometric technologies are used with smart card technology for ID system applications specifically due to their ability to identify people with minimal ambiguity. A biometric based ID allows for the verification of “who you claim to be” (information about the cardholder printed or stored in the card) based on “who you are” (the biometric information stored in the smart card), instead of, or possibly in addition to, checking “what you know” (such as a PIN). As shown in Figure 16, this increases the security of the overall ID system and improves the accuracy, speed, and control of cardholder authentication.

Figure 16. Impact of Smart Cards and Biometrics on Security


As the importance of accurate identification grows, new technologies are being added to ID systems to improve their security. Table 5 summarizes the features that smart card technology and smart cards with biometrics provide to increase the overall security of an ID system. Each ID application needs to determine the level of risk management required to counter security threats and then choose the level of technology appropriate for the desired level of assurance.

Table 5. Security Feature Summary

Smart Cards
 Visual inspection of card for non-machine-read applications.
 Automated inspection using readers.
 Security markings and materials to help thwart counterfeiting.
 Integrated Circuit Chip (ICC), allowing cryptographic functionalities to protect information and programs for multiple applications stored on the card.
 Cryptographic co-processor on card, allowing protection of information stored in the chip, authentication of the trust level of the reader and establishment of secure communications.
 High trust of information shared with the reader.
 High security and strong user-to-card authentication.

Smart Cards with Biometrics
 All attributes of smart cards.
 Biometric templates stored on the smart card ICC and used to authenticate the cardholder, provide access to on-card data and enable the trusted terminal.
 Counterfeiting attempts reduced due to enrollment process that verifies identity and captures biometric.
 Extremely high security and excellent user-to-card verification.

An ID system using a contact or contactless smart card, cryptographic functions and biometrics has significant security advantages.
 The biometric template can be digitally signed and stored on the smart card at the time of enrollment and checked between the biometric capture device and the smart card itself each time the card is used.
 The template and other personal information stored on the cards can be encrypted to improve security against external attacks.
 Cardholder authentication can be performed by the smart card comparing the live template with the template stored in the card. The biometric template never leaves the card, protecting the information from being accessed during transmission and helping to address the user’s privacy concerns.
 A smart card ID can authenticate its legitimacy, and that of the reader, by creating a mutually authenticated cryptographic challenge between the ID card and the reader before identity verification is started. Once that process has been accomplished, access to a specific application can be granted. This ensures a very high level of privacy for the cardholder, prevents inappropriate disclosure of sensitive data, and helps to thwart “skimming” of data that might be used for identity theft. The smart card ID can also challenge the biometric reader to ensure that a previously captured template is not being retransmitted in a form of playback attack.
 Smart cards have sufficient memory to store growing amounts of data including programs, one or more biometric templates, and multiple cryptographic keys to restrict data access and ensure that data is not modified, deleted, or appended.
 The smart card can also be used to prove the digital identity of its cardholder using cryptographic keys and algorithms stored in its protected memory, making smart cards ideal for applications that need both physical and logical authentication.
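The card-terminal exchange described in 7.3.3.1 and in the bullets above, as an added simulation written for this guide (it is not code from the Smart Card Alliance module or from any card or reader product): the card challenges the terminal to prove it is certified and the terminal challenges the card in turn, the card checks the issuer-signed enrollment template before every use, and each live template is bound to a fresh card-issued nonce so that a previously captured template cannot be played back. HMAC-SHA256 over constructed shared keys stands in for the certificate-based signatures the text refers to, a byte-equality check stands in for the card's own biometric matcher, and all class names, method names, keys and templates are assumptions.

```python
"""Added example (not from the Smart Card Alliance module): simulated card/terminal
exchange. HMAC-SHA256 with constructed shared keys stands in for the digital
certificates and signatures the text describes; all names and values are assumptions."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed keys: SYSTEM_KEY is held by genuine cards and certified terminals;
# ISSUER_KEY signs enrollment templates (stand-in for the issuer's signing key).
SYSTEM_KEY = b"constructed-system-key-0001"
ISSUER_KEY = b"constructed-issuer-key-0001"


def mac(key: bytes, *parts: bytes) -> bytes:
    """Keyed MAC over the concatenated parts (stand-in for a signature)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Card:
    """Simulated smart card ID: the enrolled template never leaves the card."""

    def __init__(self, template: bytes, enrollment_sig: bytes):
        self._template = template
        self._enrollment_sig = enrollment_sig
        self._nonce_c: Optional[bytes] = None
        self._session: Optional[bytes] = None
        self._bio_nonce: Optional[bytes] = None

    def challenge(self) -> bytes:
        """Step 1: the card asks the terminal to prove it is certified."""
        self._nonce_c = secrets.token_bytes(16)
        self._session = None
        return self._nonce_c

    def authenticate_terminal(self, terminal_proof: bytes, nonce_t: bytes) -> Optional[bytes]:
        """Step 2: verify the terminal's answer; if genuine, answer its challenge."""
        if self._nonce_c is None:
            return None
        if not hmac.compare_digest(mac(SYSTEM_KEY, b"T2C", self._nonce_c), terminal_proof):
            return None
        self._session = mac(SYSTEM_KEY, b"SESSION", self._nonce_c, nonce_t)
        return mac(SYSTEM_KEY, b"C2T", nonce_t)

    def biometric_challenge(self) -> bytes:
        """Step 3: fresh nonce that the live capture must be bound to."""
        self._bio_nonce = secrets.token_bytes(16)
        return self._bio_nonce

    def verify_live(self, live_template: bytes, proof: bytes) -> str:
        """Step 4: check freshness and integrity, then compare on-card."""
        if self._session is None:
            return "NO_SESSION"
        if self._bio_nonce is None:
            return "NO_CHALLENGE"
        # The stored enrollment template is checked against the issuer's signature.
        if not hmac.compare_digest(mac(ISSUER_KEY, self._template), self._enrollment_sig):
            return "TEMPLATE_TAMPERED"
        expected = mac(self._session, b"LIVE", self._bio_nonce, live_template)
        self._bio_nonce = None  # one-shot: the same proof cannot be presented twice
        if not hmac.compare_digest(expected, proof):
            return "STALE_OR_FORGED"
        return "MATCH" if live_template == self._template else "NO_MATCH"  # toy matcher


class Terminal:
    """Simulated reader; a rogue terminal is one constructed with a different key."""

    def __init__(self, key: bytes):
        self._key = key
        self._nonce_t: Optional[bytes] = None
        self._session: Optional[bytes] = None

    def respond(self, nonce_c: bytes) -> Tuple[bytes, bytes]:
        self._nonce_t = secrets.token_bytes(16)
        return mac(self._key, b"T2C", nonce_c), self._nonce_t

    def finish(self, nonce_c: bytes, card_proof: Optional[bytes]) -> bool:
        if card_proof is None or not hmac.compare_digest(
                mac(self._key, b"C2T", self._nonce_t), card_proof):
            return False
        self._session = mac(self._key, b"SESSION", nonce_c, self._nonce_t)
        return True

    def submit_live(self, bio_nonce: bytes, live_template: bytes) -> Tuple[bytes, bytes]:
        """Bind the live capture to the card's nonce under the session key."""
        return live_template, mac(self._session, b"LIVE", bio_nonce, live_template)


def enroll(template: bytes) -> Card:
    """Issuer signs the template at enrollment and personalizes the card."""
    return Card(template, mac(ISSUER_KEY, template))


def run_session(card: Card, terminal: Terminal, live_template: bytes) -> str:
    nonce_c = card.challenge()
    t_proof, nonce_t = terminal.respond(nonce_c)
    c_proof = card.authenticate_terminal(t_proof, nonce_t)
    if c_proof is None or not terminal.finish(nonce_c, c_proof):
        return "TERMINAL_REJECTED"
    live, proof = terminal.submit_live(card.biometric_challenge(), live_template)
    return card.verify_live(live, proof)


def replay_demo(card: Card, terminal: Terminal, live_template: bytes) -> str:
    """Capture a valid (template, proof) pair, then present it again later."""
    nonce_c = card.challenge()
    t_proof, nonce_t = terminal.respond(nonce_c)
    terminal.finish(nonce_c, card.authenticate_terminal(t_proof, nonce_t))
    captured = terminal.submit_live(card.biometric_challenge(), live_template)
    first = card.verify_live(*captured)
    if first != "MATCH":
        return first
    card.biometric_challenge()          # the next use gets a fresh nonce
    return card.verify_live(*captured)  # the replayed capture is rejected
```

Each of the text's four points maps to one check in `verify_live`: the session key exists only after mutual authentication (skimming by an uncertified reader stops at "TERMINAL_REJECTED"), the issuer signature over the enrolled template is re-verified on every use, the nonce binding rejects a replayed capture as "STALE_OR_FORGED", and the comparison itself happens inside the card object, so the enrolled template is never returned over the interface.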

7.3.3.3 Improved System Performance and Availability Storing the biometric template on a smart card also increases overall system performance and cardholder convenience by allowing local identity verification. The identity of an individual is established and validated at the time the smart card is issued and the individual has proven eligibility to receive the identity card. From that point on, the user’s identity is authenticated through the presentation of the smart card to a card reader, without the need to perform a search and match against a remote database over a network. This local processing can reduce the time to authenticate an individual’s identity to one second or less, allowing faster security checks, and reduce the need for the card readers to be online with a central system.

The question may arise regarding how to handle a comparison failure (i.e., false rejection) without accessing a remote database. With smart card technology, it is straightforward for the security staff to revert to a visual comparison of a digitally signed, digitized photo or backup biometric also stored on the card. In the event of a false rejection, the cardholder can simply repeat the process.

For applications where fast and frequent use is necessary (e.g., controlling access to buildings and at airports), contactless smart cards can speed the transfer of biometric templates and eliminate the need to make a physical connection. Low-cost contactless smart cards with high communication speeds are now available that have enough memory to store a unique fingerprint template or photographic representation. This means higher security biometrics-based ID systems can use contactless smart cards to achieve a range of security, throughput and cost goals.
When biometric data is transmitted over a contactless interface between a smart card and a reader device, it is advised that the data transmission or data be encrypted to avoid any chance of unauthorized reading of the biometric data through eavesdropping or other surveillance methods.

7.3.3.4 Improved Efficiency Using the combination of smart cards with biometrics for identification and authentication of individuals provides the most cost-effective implementation of a secure identification system. Several ID and security technologies can be combined with a smart card, allowing deployment of different authentication mechanisms based on the degree of security required and the budget available for implementation.

Biometrics may be absolutely essential for those security checkpoints in the system where the user must be firmly linked to their ID card as the rightful owner and a password or PIN is not secure enough or lacks ease of use. Examples of systems requiring this stronger verification of identity include airport security gates or border crossings.

A government or corporate enterprise identification system may include a variety of physical and logical access checkpoints that have different levels of security requirements. Biometric readers may be required at main entrances to the buildings, but internal access doors may only require the use of a magnetic stripe on the back of a smart card. When on a network, accessing different types of information may also have different security requirements. Some information may only require a password to access (which the smart card can store and remember for the user); other more sensitive information may require the use of a biometric; still other transactions may require the use of features on the smart card to digitally sign the transaction.

Contactless smart card technology can be used in environments where high usage or environmental conditions are expected to affect the cost of maintaining the system. Because the contactless card chip and the reader communicate using radio waves, there is no need to physically make an electrical connection, but this may require the communication to be encrypted or, at least, not be able to be replayed. Maintenance of readers is minimized while reliability is improved since there are no worn contacts to be replaced or openings to be protected. Cards also last longer because removing them from their regular carrying place is not necessary for use. Readers or kiosks can be sealed, allowing contactless ID systems to be deployed in almost any environment.

Smart cards uniquely provide a single device that can function as an individual’s identity card and allow the combination of several technologies to cost-effectively address varying security needs of a system.

7.3.3.5 Upgradability and Flexibility A key requirement for any identification system is the ability for the system to be upgraded without needing large investments in new infrastructure. For example, there may be a need to modify the system without replacing the individual ID cards if a security scheme is compromised or if enhanced capabilities become available. Because smart cards contain rewritable data storage, and in some cases rewritable program storage, they allow the most flexibility for updates to card data and card-system interaction algorithms and for secure management of multiple applications on a single card. When used in biometric-based identity systems, a smart card ID can be upgraded, after issuance, as follows.
 Smart card IDs can have sufficient storage to upgrade or add new biometric content (e.g., new or different biometric templates).
 Smart card IDs can have on-card content partitioned into mutually private sections to be used by several different secure ID systems. For example, physical access activities and card content may be kept separate from transaction authentication activities and content. With a single multi-partition-capable identity card, new and private uses of the biometric content may be added to the card by any authorized issuing entity at any time.

This last capability makes use of another key smart card attribute -- flexibility. Smart cards, due to their on-card processor and software, have the best ability to adapt to varying and evolving requirements.
 Their ability to be both securely read and written by authorized issuers adds system capabilities unavailable with other technologies.
 Their ability to actively detect tampering with information stored on the card is also unavailable except with smart cards.
 A smart card-based ID can support several biometrics: fingerprint, photographic facial image, iris, vascular or hand geometry template, or any combination of these, simultaneously or incrementally over time. Stored reference biometrics can also be updated as needed.
 Smart card-based IDs may have both the traditional contact interface to reader/writer mechanisms and a contactless interface for applications that require high throughput and usage without mechanical wear.
 The same physical smart card can contain multiple storage media, such as a printed photograph, printed bar code, magnetic stripe and/or optical stripe. Thus, a single card can be compatible with many forms of existing infrastructure.

In multi-application smart card IDs, each application can have its own degree of challenge and response activity depending upon the respective application’s requirements. For example, a simple fingerprint comparison with the stored on-card template may be sufficient to authenticate a person’s right to access certain premises, while the same card and fingerprint template may be used in conjunction with an encrypted digital signature exchange to authorize sensitive transaction rights.

In summary, the unique features of smart card technology can deliver enhanced privacy, security, performance and return on investment to a secure ID system implementation. Their upgradability and flexibility for securely handling multiple applications and accommodating changing requirements over time are unmatched by other ID technology. Smart card technology, coupled with biometrics and privacy-sensitive architectures and card management processes, provides a proven, cost-effective foundation for a highly secure personal ID system.


8 Identity, Security and Access Control Application Examples This section presents several examples of smart card-based identity cards and applications, including:
 National ID programs
 Corporate ID badge use case
 Healthcare ID use cases
- Sesam Vitale Health Card – France
- German Health Card
- Smart Health Cards in the United States
- Taiwan Health Card
 International driving license standard
 Corporate ID badge use case
 U.S. Federal government smart ID card use cases
- FIPS 201-2 Personal Identity Verification (PIV) Card
- Department of Defense Common Access Card (CAC)
- Transportation Worker Identification Credential (TWIC)
- First Responder Authentication Credential (FRAC)
 Machine-to-machine applications
 Pay TV

8.1 National ID Programs National identity cards are in use in approximately 100 countries,48 with the primary purpose for the card to prove citizens' identities within the country where they are citizens. The technology of national ID cards varies – from simple paper or plastic cards to microcontroller-based smart cards. When smart card technology is used, countries often implement additional applications that take advantage of the smart card features to provide e-government services to citizens. Table 6 shows examples of national ID programs using smart card technology. Smart card-based national healthcare cards are discussed in Section 8.3, Table 7.

Table 6. Examples of National ID Programs Using Smart Card Technology49
Country: Card Type
Belgium: National identity card; allows for legally binding electronic signatures
Estonia: National identity card
Finland: National identity card; allows for logging into government services on the Internet

48 http://en.wikipedia.org/wiki/National_ID
49 http://en.wikipedia.org/wiki/National_ID


Germany: National identity card that complies with ICAO Doc 9303, ISO/IEC 14443 and ISO/IEC 7816; allows for legally binding electronic signatures and for accessing eGovernment services50
India: National identity card; includes a biometric and a digital signature
Malaysia: National identity card; includes a biometric
Portugal: National identity card; includes digital certificates
Spain: National identity card; allows for digital signatures

8.1.1 eID in Europe and the European Citizen Card The following content is from the Eurosmart position paper, "European Citizen Card: One Pillar of Interoperable eID Success." The Smart Card Alliance thanks Eurosmart for their contribution.51

National ID cards are issued by national government bodies or agencies for citizens of the respective country. Personal identity documents confirm the identity of individual citizens, thus proving their legitimate residency within their homeland. An e-ID in this context is a national ID card with visible and invisible security features and a secured microprocessor. These cards use the ID-1 format which is well known from credit cards. Traditionally an ID card serves as personal document for visual identification. By including a chip, the security will be increased because smart card microprocessors are virtually impossible to counterfeit. This chip could carry the biographic data of the citizen. Additional storage of biometric features in the chip could create a binding between the document and the cardholder as successfully realized in ePassports.

The European e-ID is intended to carry credentials in order to provide all or some of the following services:
 Act as an inter-European Union travel document;
 Facilitate logical access to e-government or local administration services.

Smart card technology has multiple advantages for e-ID:
 e-ID smart chip technology protects the individual's privacy while securely assuring their identity by using personal identification number (PIN) codes or biometrics;
 e-ID’s proven security increases confidence in a national credentialing system;
 Using e-IDs does not require online access to central databases since citizen verification and identity authentication is performed offline;
 Virtually impossible to counterfeit, the e-ID provides a strong countermeasure against Identity theft;
 e-ID’s digital signatures contribute to the accountability of government officials and employees;

50 The German Citizen ID Card: 1st Anniversary – Lessons Learned, Dietmar Wendling, SCM Microsystems, presentation, Smart Cards and Government Conference, November 3, 2011
51 http://www.eurosmart.com


 e-IDs enable citizen’s authentication and accountability;
 An e-ID reduces government expenses by eliminating multi-claim benefit fraud.

The trend is set in Europe. Electronic passports have been deployed successfully. In addition, most European countries have a national ID card and several (e.g., Belgium, Estonia, Finland, France, Germany, Italy) have adopted or are adopting an electronic national ID card. Figure 17 illustrates European countries with eID programs.

Figure 17. European eID Programs

8.1.1.1 Motivation for a European Citizen Card Definition European governments are motivated to move from the existing situation to a new one in order to reinforce security after the events of 11th September 2001. This is true for border control and is also true for simple control in the street done by the police. At the same time, e-services are motivated by the societal move from paper to paperless transactions and by the necessity for governments to reduce their budget (i.e., reducing the cost for some applications for citizen services and government-to-government exchanges). The requirements for a more secure ID document and for citizen electronic services were the two pillars which motivated the CEN definition of the European Citizen Card. With the European Citizen Card standard, the European Union can take the leadership in e-ID as it did in the past with the GSM standard for mobile communication.


8.1.1.2 Benefits of the European Citizen Card The European Citizen Card (ECC52) is an open application standard, defining the logical data structure, security and privacy mechanisms for the data, and interface and communication protocols. It is open, because it allows the governments to select options. For example, both contact and contactless smart card interfaces are defined and biometrics and/or PIN can be used for two-factor authentication. The complete framework for an electronic signature is specified. The standard has no limits for the project quantity scale and/or the type or number of online services. ECC is a key pillar for an interoperable and cross border e-services solution. ECC is open for various services, like eGovernment, eBusiness, eVoting, eDemocracy, eBanking and others. With the decision to take this application standard into a national government and/or industry program, the decision maker reduces development time, decreases technical risks and reduces the needed budget for the period of definition, specification and tendering.

8.1.1.3 ECC Implementation The ECC standard defines the services and mechanisms to be adopted for the provision of features in products that need to comply with functional requirements, the user capability to use the product, and the integration in the environment. The standards provide a certain level of interoperability. However, the high level of definition introduces different interpretations and the options that can be part of a standard may introduce interoperability difficulties. The specifications contain an implementation view that determines choices left open by standards, and thus lead to a high level of interoperability. In addition, the level of definition made in the specifications allows test suites to be produced that will be used to show interoperability. In France, the Gixel association has published the Identification Authentication Signature European Citizen Card (IAS ECC) specification that fully complies with the ECC standard while providing a high level of interoperability with a former IAS specification used for the new generation of French healthcare card (Vitale 2). The ECC standard is a central element for an interoperable e-ID management system. It is a key enabler for the achievement of the i2010 objectives proposed by the European Commission and it is already used by some Member States (e.g., France and very soon Germany, which is looking for compliance with ECC for its future national e-ID card).

8.1.1.4 The ECC Standard The European standardization body Comité Européen de Normalisation (CEN) published the technical specification 15480 (CEN TS 15480), the European Citizen Card (ECC), as an offer to be used for governmental purposes. The European Citizen Card standard is neither a physical card nor a specific card application or set of applications by itself; the standard includes a definition of logical data groups and services that can be provided by any governmental card issued for any application context (e.g., ID cards or health cards). The European Citizen Card specification includes four parts to date: parts 1 and 2 were published in 2007; parts 3 and 4 are currently under development in CEN TC 224 WG 15:
 Part 1: Physical, electrical properties and transport protocols (physical card interface);
 Part 2: Logical data structures and card services (logical card interface);
 Part 3 (preliminary): Interoperability using an application interface (middleware);
 Part 4 (preliminary): Recommendations for issuance, operation and use (card profiles)

52 It is important to note that this section and many public documents use ECC as the acronym used for the European Citizen Card; it should not be confused with using the same acronym for elliptic curve cryptography.


8.1.1.4.1 ECC Part 1 Part 1 of the ECC specifications describes the physical and the electrical characteristics of the ECC. It defines the basic requirements for the format, the design, the security features, the electrical properties of the chip, and the transport protocols used for the communication between the smart card and a terminal. In doing so, the specification does not introduce any new smart card definitions nor limit the ECC chip technology requirement to a certain interface. The specification refers to the standardized ISO/IEC specifications for smart cards, such as ISO/IEC 7810, ISO/IEC 7816 and ISO/IEC 14443. Furthermore it follows the ICAO recommendations for the machine readable travel document (MRTD) in ID-1 format. There are no restrictions related to the smart card interface used. In principle it is up to the issuer of the card to decide whether the card supports contact-only, contactless-only or dual-interface technology. This non-constraining approach will lead to multiple, different implementations which could all be called ECC-compliant. An elaboration on the pros and cons of choosing one of the abovementioned technologies – contact, contactless or dual-interface – can be found in the Eurosmart white paper, “Durability of Smartcards for Government ID.”53

8.1.1.4.2 ECC Part 2

Part 2 of the ECC specification defines the card services that are mandatory for a European Citizen Card as well as optional extensions. It specifies the logical data structure on the card, the logical card interface itself, and the security architecture and mechanisms. Furthermore, it defines a common set of commands for the ECC as one key part of ensuring interoperability with system infrastructures. A distinction is made between basic and extended electronic card services. The electronic services for identification, authentication and signature creation (IAS services) are mainly based on public key procedures, essentially on RSA cryptographic operations, as used by the German electronic health card, eGK, and the French identity card, INES. However, elliptic curve cryptography is gaining ground and offers equivalent security. In general, the definitions of the services and the commands are not limited to a specific chip interface technology. However, because of the different nature of these interfaces, particular mechanisms need special treatment – for example, additional securing of the contactless interface during communication as compared to the contact interface. In order to reach the interoperability objective, IAS services are also compliant with prEN 14890, Application Interface for Smartcards used as Secure Signature Devices, parts 1 and 2. Since a card used as an ECC can have many different primary applications (e.g., as an ID card or as a health card), various instantiations of an ECC are conceivable. This leads to the definition of so-called card application profiles in ECC part 4.

8.1.1.4.3 ECC Part 3

ECC part 3 will provide an interoperability model that enables a PC client application compliant with the ECC technical requirements to interoperate with different implementations of the European Citizen Card. In addition to the ECC card description in parts 1, 2 and 4, this part of the ECC specification describes generic middleware that enables the ECC to be used securely in online transactions. The middleware architecture will be based on ISO/IEC 24727 with additional technical specifications. The API provides the client application with the abovementioned IAS services that are supported by the ECC. The specific ECC card implementation type is transparent to the ECC middleware: it is up to the middleware to detect the card capabilities, which it does by reading specific card content. As long as the services on the card are available, the middleware can interoperate with the card regardless of its nature – whether it is contactless or contact-only, and whether it is a native or Open Platform implementation. Interoperability is achieved by the standardized API.

53 Durability of Smartcards for Government ID, Eurosmart white paper, July 2008, http://www.eurosmart.com/images/doc/WorkingGroups/e-ID/Papers/eurosmart_smartcard_durability_wpfinal.pdf

8.1.1.4.4 ECC Part 4

Specific application profiles are contained in part 4, to present use cases which can act as a reference and to exemplify use cases which are based on actual implementations. Two application profiles have been developed in the past drafts, with the expectation that others will be added by the time the specification is adopted. Each of these profiles contains one or more applications which use the interfaces and transport protocols described in part 1 of the specification and the services described in part 2. Each profile is thereby linked to a distinct object identifier (OID) to be used as an interoperable reference (e.g., to ease the discovery of the card’s and/or application’s capabilities). In any other case, the middleware according to ECC part 3 must detect the services on the card. For this purpose, one so-called global profile is integrated in part 4 to retrieve the card capabilities as well as the application capabilities. This profile can be used as a complement to the application profiles, in case the card/application contains additional information which is not covered by the specific profile in use.

Profile 1 – ID Card. ECC Profile 1 describes a card which is used as an identity document.

Profile 2 – ESIGN-K. Profile 2 describes a card with an ESIGN application and the option for additional digital signature functionality.

Other Profiles. More profiles can be included, and existing profiles are subject to further development and improvement before the specification is finally adopted. Even after it has been released, new profiles can still be added to the specification through the CEN TC224 WG 15 working group. Therefore, the standard provides a profile template to design new profiles in a comparable manner. The template contains guidelines to support anyone developing a profile; it clearly states which information has to be included in a profile. In general, any country will always have the option to define and bring in its own profiles to cover country-specific use cases.

8.1.1.4.4.1 Profile a) eID

This ID scheme is presented by profile 1 of part 4 of the ECC specification. ECC Profile a) describes a card which is used as an identity document. One single mandatory contactless interface conforming to ISO/IEC 14443 is specified for all applications. The following three applications are envisioned:

- eID: This application implements electronic identity card services and data structure. The cardholder’s data (corresponding to the data on conventional identity documents) are stored in distinct data groups.
- ICAO: Since ID cards are accepted as travel documents within Schengen States, this profile contains an MRTD application in conformance with ICAO specifications, comparable to the ePassport. The mandatory card services are passive authentication, Basic Access Control (BAC), Extended Access Control (EAC) chip and terminal authentication referenced by the specific OIDs, and secure messaging for the ICAO application.
- SIG: The card includes a signature application in accordance with CEN prEN 14890 which contains the signature service itself on the card, with the added possibility of installing the necessary certificates or keys at time of issuance or alternatively having them already installed during the personalization process.

8.1.1.4.4.2 Profile b) eHealth Card (ESIGN-K)

Profile b) describes a card with an ESIGN application and the option for additional functionality for digital signatures. It supports a contact-based interface according to ISO/IEC 7816-3 and the T=1 transport protocol. The protocols, services, and formats used in profile b) are largely based on the CEN prEN 14890 standards.

8.1.1.4.4.3 Profile c) eHealth Card (II)

The objective of profile c) is to list features for a contact smart card supporting an eHealth application and a legacy application. The card profile supports RSA-based digital signature functionality and symmetric device authentication using 2TDES (112 bit) with subsequent secure messaging. It can be used as an authentication token for RSA-based client/server authentication. Two different card types are described for cards complying with the profile: a patient card (e.g., health insurance card (HIC)) and a health professional’s card (HPC). The profile gives some simple use cases illustrating how to use the HIC/HPC cards: access to patients' insurance data by the health professional or by the patient, and creation of an electronic prescription.

8.1.1.4.4.4 Profile d) eID (IAS)

France has chosen to be ECC-compliant and selected IAS ECC as the specification for its national e-ID card. The specification is a concrete implementation of ECC and freezes some of the technical options proposed by the ECC. As an association of several standards (see Figure 18 below), IAS ECC allows complete interoperability among smart card manufacturers and also with previous IAS versions. The architecture is built as shown in Figure 19 and can be easily upgraded with new functionalities (e.g., biometrics) or security features (e.g., elliptic curve cryptography). The travel functionality is contactless, as for the ePassport, while the e-Services use the contact interface. This is motivated by the opportunity to reuse both existing infrastructures (ePassport and RSA PKI). Nevertheless, the e-Services could easily be used over a contactless interface as well.

Figure 18. Standards Used for IAS-ECC


Figure 19. IAS-ECC Architecture

8.2 Corporate ID Badge Use Case

To illustrate what happens when organizations provide employees with a smart ID badge that is used for both logical and physical access, consider a typical day in the life of Kay Smith, the fictitious customer service manager for a fictitious company, Enterprise Systems. Enterprise Systems implemented a smart ID badge system for its employees 2 years ago to integrate security across the organization and comply with corporate-wide security policies.

Before Enterprise Systems adopted the single smart ID card/badge solution, the company parking lot was accessed by using a magnetic stripe card. The new smart IDs include magnetic stripes so that Enterprise Systems can continue to use their existing parking access application. At the start of her day, Kay Smith accesses the parking lot in the same way she always has, by swiping her badge through a reader.

Once inside the building, Kay must present her smart ID badge to the guard to verify that the badge is indeed her badge. The guard checks the photo on the badge and waves her through. Next, Kay waves her badge close to the RF-based door reader so she can leave the lobby and enter the main office area. Enterprise Systems incorporated a dual-interface smart card chip on its new employee ID badge and uses the contactless interface with the company's physical access control system. Now employees can use the same ID card to get into both the company parking lot and the main office area.

Now that Kay is at her desk, she turns on her computer and inserts her badge in the attached smart card reader. The standard Windows logon process recognizes the smart card reader, and Kay is prompted to enter the PIN for her badge, which only Kay knows. Kay is now logged onto her computer and can get to work. As she accesses her various applications (e.g., e-mail, customer database, support database) she is prompted for a password or other credential. The smart ID card automatically provides the required information to access those applications, providing Kay with single sign-on (using the PIN in the initial authentication to the card). Before Kay was given her new badge, she had to remember 12 different passwords for different corporate applications, which frustrated her. She often wrote her passwords down on notepads next to her computer. Kay loves her new badge, because the process is now the same for her no matter what application she accesses. The smart ID card is also configurable so that Enterprise Systems can require different authentication processes or credentials for each application if needed (for example, requiring smart card PIN entry for each application).

Kay is required to adhere to certain company e-mail policies. Sensitive e-mail messages regarding new product information or human resource issues must be signed and encrypted. Enterprise Systems uses digital certificates for e-mail. To secure an e-mail message, Kay accesses the security options for the message and clicks on “sign and encrypt.” The system automatically accesses the digital signature information on Kay’s smart ID badge. Only the valid recipient can now open and read Kay’s message.

It is also a policy at Enterprise Systems that employees must carry their smart ID badges with them at all times. Kay heads for a meeting, grabbing her badge as she goes. As soon as the card is removed from the desktop reader, the Windows desktop is inaccessible until Kay returns, reinserts her badge, and reenters her PIN.


At home at the end of the day, Kay decides to access her e-mail and also confirm a customer order. Enterprise Systems uses digital certificates for VPN access. Kay uses her smart card in conjunction with a VPN client on her home computer to connect to the Enterprise Systems intranet. The only information she needs to provide is her smart card PIN, and she’s connected.

During the course of her working day, Kay has used a single smart-card-based ID badge to replace multiple cards granting physical access to her employer’s facilities. The same badge has facilitated and secured access to her employer’s information resources, both on site and remotely, and allowed her to use these resources more efficiently. As this use case illustrates, smart cards are an effective approach to combining robust security with ease of use.

Many corporations are now using smart card-based ID badges for their employees, including: the U.S. Federal government (PIV card); Unisys; Northrop Grumman; Lockheed Martin; Microsoft; Boeing; Rabobank; Shell; Pfizer; Sun Microsystems.
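The two Windows behaviours the use case relies on, PIN-only smart card logon and the desktop locking the moment the badge leaves the reader, are policy settings, and the lock is only enforced while the Smart Card Removal Policy service is running. The script below is an added example, not part of the CSCIP module; it audits those settings on a workstation and assumes it is run in an elevated PowerShell on the machine being checked (the registry paths, value names and the SCPolicySvc service name are the standard Windows ones).

```powershell
# Added example (not from the CSCIP module): audit the Windows settings behind the
# badge behaviour described above - smart card required for interactive logon, and
# the desktop locking as soon as the card leaves the reader.
# Assumption: run in an elevated PowerShell on the workstation being checked.

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# "Interactive logon: Smart card removal behavior" is stored as the REG_SZ value
# ScRemoveOption: 0 = no action, 1 = lock workstation, 2 = force logoff,
# 3 = disconnect Remote Desktop session.
$removeMeaning = @{
    '0' = 'No action'
    '1' = 'Lock workstation'
    '2' = 'Force logoff'
    '3' = 'Disconnect Remote Desktop session'
}

function Get-SmartCardLogonPosture {
    $removeOption = (Get-ItemProperty -Path $winlogonKey -Name 'ScRemoveOption' `
                        -ErrorAction SilentlyContinue).ScRemoveOption
    # "Interactive logon: Require smart card" is the REG_DWORD value scforceoption.
    $forceOption  = (Get-ItemProperty -Path $policyKey -Name 'scforceoption' `
                        -ErrorAction SilentlyContinue).scforceoption
    # The removal setting is enforced by the Smart Card Removal Policy service;
    # if that service is stopped, the registry value alone does nothing.
    $service = Get-Service -Name 'SCPolicySvc' -ErrorAction SilentlyContinue

    $removalText = 'Not configured (No action)'
    if ($null -ne $removeOption) {
        $removalText = $removeMeaning[[string]$removeOption]
        if (-not $removalText) { $removalText = "Unknown value '$removeOption'" }
    }
    $serviceRunning = ($null -ne $service) -and ($service.Status -eq 'Running')

    [pscustomobject]@{
        RemovalBehavior  = $removalText
        RemovalServiceUp = $serviceRunning
        RequireSmartCard = ($forceOption -eq 1)
        LocksOnRemoval   = $serviceRunning -and ([string]$removeOption -in '1', '2', '3')
    }
}

$posture = Get-SmartCardLogonPosture
$posture | Format-List

if (-not $posture.LocksOnRemoval) {
    Write-Warning ('Removing the card will not lock this desktop: set ScRemoveOption ' +
                   'to 1 (lock) or 2 (logoff) and make sure SCPolicySvc is running.')
}
if (-not $posture.RequireSmartCard) {
    Write-Warning 'Password logon is still permitted here (scforceoption is not 1).'
}
```

In a domain, these values are normally pushed by Group Policy; running the audit on the endpoint confirms what actually landed there rather than what the GPO intends.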

8.3 Healthcare ID Use Cases54

Countries throughout Europe and Asia are providing their citizens with smart cards. Some use smart cards as part of their national healthcare programs. Others have smart card-based national ID programs. Table 7 lists examples of national health smart card deployments worldwide; in addition to the countries listed, smart health card programs are also active in other countries, including China, Finland, Jordan, Poland, and Turkey.55

Table 7. Examples of National Health Smart Card Deployments Worldwide

Country | Card Type | Number of Cards | Launch Year
Algeria56 | CNAS | 7 million | 2007
Austria57 | e-card | 11 million patient; 24,000 professional | 2005
Belgium58 | Social system identity | 11 million | 1998
France59 | Sesame Vitale (1998) and Sesame Vitale-2 (2007) | 60 million (combined) | 1998 / 2007
Germany60 | Gesundheitskarte | 80 million; 375,000 professional | 2006
Italy (Tuscany)61 | Carta Sanitaria Elettronica | 3.6 million patient | n/a
Mexico62 | Seguro Popular health insurance cards | 3.7 million | 2006
Slovenia63 | Health insurance card | 2 million patient; 70,000 professional | 1999
Spain14 | Carte Santé | 5.5 million | 1995

54 Smart Card Technology in Healthcare, Smart Card Alliance FAQ, May 2009
55 Sources: Gemalto and CardLogix.
56 http://www.gemalto.com/press/archives/2006/07-04-2006-algeria.pdf
57 http://www.bellid.com/index.php/content/view/137/73/, http://www.scc.rhul.ac.uk/public/smart2_final.pdf
58 Source: Gemalto.
59 http://www.gemalto.com/brochures/download/france_health.pdf
60 Source: Gemalto.
61 http://www.epractice.eu/en/news/321688
62 http://www.gemalto.com/brochures/download/mexico.pdf
63 http://www.gemalto.com/brochures/download/slovene_eHealthcare.pdf


Table 7 (continued)

Country | Card Type | Number of Cards | Launch Year
Taiwan64 | National health insurance card | 24 million patient; 350,000 professional | 2002
United Kingdom9 | NHS Connection for Health (health professional cards) | 1.2 million | n/a

8.3.1 Sesam Vitale Health Card – France65

Starting in 1997, France began a complete reform of health care organizations and professionals. The purpose was to develop a program meeting the data exchange expectations and needs of everyone involved in French health care, from insured patients to health care professionals and insurance funds. France was one of the first countries in the world to introduce large scale deployment of smart cards as part of a health insurance system. The system, known as Sesam Vitale, was the first completely automatic system in which smart cards were used in the health sector. Today, there are approximately 57 million cards in use. That number is expected to rise to 65 million in the near future.

Health care in France is funded partly by the French government and partly by private insurance companies. This situation leads to a complex process for reimbursement for the individuals involved, both patients and professionals. The old paper system was prone to error, fraud, and long delays before final payment was received.

8.3.1.1 Sesam Vitale

Sesam Vitale is a highly secure dual-card system. The cards (one for patients and one for health care professionals) are the heart of a French health care system that links every individual with health care resources, including public hospitals, private clinics, general practitioners, specialist doctors, nurses, and midwives, all through a secure network. The Sesam Vitale system simplifies the procedure by which health care costs are cleared and also dramatically reduces the risk that refunds to insured patients will be delayed, by replacing an annual 1 billion pages of health care information with electronic transactions. The result is that the average reimbursement time has been reduced from up to 6 weeks to 2 or 3 days. In addition, payments are made directly to health professionals by the insurance companies. The system also tracks health care spending and, in the future, will be used to transfer electronic prescriptions to the health care funds responsible for reimbursement.

8.3.1.2 Sesam Vitale Patient’s Card

The Sesam Vitale patient’s card is a microcontroller (MCU) card containing approximately 4 pages of text. The patient’s surname, first name, and Numéro d’inscription au Répertoire (NIR) are printed on the front of the card. On the back is the card serial number. The data stored in the chip are separated into two zones and include the NIR, health insurance system code, branch, entitlement start date, proof of entitlement, presence of permanent entitlement, surname, first name, date of birth, status of beneficiary, information specific to the health insurance system, and entitlement end date. The card replaces the standard “soft copy” individual health insurance card.

The first, family version of the card (Vitale1) contains administrative data that is available to health professionals (such as physicians, pharmacists, dentists, physiotherapists, and nurses). The data is read immediately and stored as a secure electronic health care cost claim sheet (e-sheet) during the patient visit. (The data cannot be read without the presence of a health care professional’s card, or CPS, described below.) Depending on the software application and the smart card reader, this e-sheet can be stored either in programmable secure reader memory or on the health professional computer’s hard disk. The sheets are bound daily into secure electronic batches and transmitted through the secure national health intranet, the RSS (Réseau Santé Social), to the health insurance front-end servers. There the sheets are automatically processed by a back-office system for further cost clearing.

64 Giesecke & Devrient GmbH – Health Systems Relying on Smart Cards, Dr. Klaus Vedder, http://portal.etsi.org/docbox/workshop/2006/ETSI_CENETEC_May06/Presentaciones/17%20K.%20Vedder%20- Giesecke%20&%20Devrient-%20%20Seguridad%20en%20Smartcards.ppt
65 French Sesam Vitale Health Card, Smart Card Alliance profile, 2005, http://www.smartcardalliance.org/resources/pdf/Sesam_Vitale.pdf

8.3.1.3 Sesam Vitale Health Care Professional’s Card

The Sesam Vitale health care professional’s card, called the Carte de Professionnel de Santé (CPS), is also a highly secure smart card that is easily recognized by its color. The MCU embedded in the card includes a crypto-processor that manages public keys and generates digital signatures. The card identifies the health care professional and provides authentication, digital signatures, and data encryption. Pharmacists and medical staff also receive a card. More than 425,000 cards have already been issued to health care professionals, with more than 90,000 to physicians.

8.3.2 German Health Card66

Health insurance is required in Germany, and the majority of the population is served by public health insurance. Currently, Germans carry a health care card that can be characterized as an insurance card. Its primary function is administrative. The current German health card program was rolled out in 1993 and is fully implemented. A total of 80 million people now carry the card. The card contains a 256-byte protected memory chip (not a microprocessor) and stores the following data:

- Identity of the insurer
- Insured person’s name, address, and date of birth
- Status of the insurance
- Expiration date for the insurance

This data supports the following administrative benefits:

- Patient identification
- Elimination of duplicate records
- Reduced paperwork and cost associated with mailing health insurance forms
- Streamlined admission process
- Reduced transaction costs

A 1997 study by the German Ministry of Health showed that the cost of the cards was fully amortized in the 3 years after introduction. When data on the card become obsolete, insurers reissue the card (even though overwriting the obsolete data is possible). Between 15 and 20 million cards are issued annually.

In 2011, Germany started issuing the new “elektronische Gesundheitskarte,” which includes online verification of insurance status, e-prescription/drug interaction checking, emergency data and the European insurance certificate.67 The Patient Data Card (PDC) is a microcontroller-based smart card with cryptographic functions; the card contains administrative insurance information, is the transport medium for electronic prescriptions, supports electronic signatures for eGovernment and eBusiness services and grants physicians secure access to personal medical data (in connection with the Health Professional Card [HPC]). The HPC is used for authenticating the healthcare professional to the PDC and to computer data servers, among other functions.

66 German Health Card Profile, Smart Card Alliance, 2005, http://www.smartcardalliance.org/resources/pdf/German_Health_Card.pdf
67 The German Health Card, Fabiola Bellersheim, Giesecke & Devrient, presentation, Smart Cards and Government Conference, November 18, 2010


8.3.3 Smart Health Cards in the United States

The United States has no national health insurance or national health card program. Healthcare cards are issued by health insurance companies, by the state governments (for Medicare and Medicaid programs) or by hospitals. To date, most cards in use are simple plastic cards, many with no machine readable technology. The situation is starting to change, with smart cards making some progress for patient health ID cards.

Within the U.S. healthcare industry, the American Recovery and Reinvestment Act of 2009 (ARRA), the associated provisions under the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are driving the use of smart cards for both patients and providers to improve the security of healthcare IT systems and protect the privacy of patient information.68 Under ARRA and the HITECH Act, the federal government will be investing over $19 billion in healthcare information technology.69 This investment will provide significant incentives for healthcare providers to implement electronic medical record (EMR) systems over the next five years. The increasing use of EMRs and electronic health records (EHRs) drives the need to address privacy and security across the healthcare system through a strong identity management infrastructure to protect patient data.

Smart cards are now being used in a number of hospitals to provide patient ID cards, including:

- New York’s Mount Sinai Hospital70, one of the oldest and largest voluntary teaching hospitals in the United States, has led the trend towards smart healthcare cards. Mount Sinai has joined with nine other institutions in the greater New York City area to create a regional HealthSmart Network that accepts a common smart card-based Personal Health Card (PHC) for regional patients. Elmhurst Hospital (part of the Health and Hospitals Corporation, New York City’s public hospital system) is one of the member organizations and a collaborator in the development of the PHC system.
- Texas-based Lake Pointe Medical Center, one of 55 Tenet hospital locations, The Memorial Hospital of North Conway, NH, Sarasota Memorial Hospital and Wyckoff Heights Medical Center71 are deploying smart patient health cards using the LifeMed™ Personal Health Smart Card Platform. LifeMed™ smart cards are issued to patients to more accurately identify the patients, grant them a more streamlined admission, and connect and synchronize patient medical information from sources outside the hospital. Patients with the LifeMed™ card have the ability to view and contribute to their overall medical records, giving the provider a more complete medical picture.

Current programs focus on patient identification – streamlining admissions, managing payments, and moving patient data from point to point – and provider identification – providing an identification credential for accessing patient electronic health records. Four factors have driven smart card use to date:

- Identification and patient authentication
- Matching patients to their particular data

68 HIPAA Compliance and Smart Cards: Solutions to Privacy and Security Requirements, Smart Card Alliance white paper, September 2003
69 On February 17, 2009, President Obama signed the $728 billion American Recovery and Reinvestment Act of 2009 (ARRA) into law. The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of ARRA in Title XIII represent an investment of more than $19 billion towards healthcare IT related initiatives. HITECH specifically outlines how the federal stimulus money will be used to advance the design, development, and operation of a nationwide health information infrastructure that promotes the electronic use and exchange of information, but also includes significant changes in privacy and security provisions for health information technology.
70 Mount Sinai Medical Center Personal Health Card, Smart Card Alliance profile, 2007
71 http://www.smartcardalliance.org/pages/smart-cards-applications-healthcare


- Synchronizing data from disparate sources
- Security and access control

In addition to hospital-based patient health cards, several industry and government initiatives are including or advocating smart card technology.

- The Work Group for Electronic Data Interchange (WEDI) has established specifications for health insurance cards. Version 1.1 of the WEDI Health Identification Card Implementation Guide includes smart cards as an appropriate card type.72
- The American Medical Association is implementing a pilot program for a smart card technology-based Health Security Information Card that would be used during natural disasters for identification and for medical information storage.73
- A bipartisan group of U.S. senators and representatives led by Senators Mark Kirk (R-IL) and Ron Wyden (D-OR) has introduced legislation to use existing “smart card” technology to protect seniors and to combat a reported $60 billion lost to waste, fraud and abuse within the Medicare system. The Medicare Common Access Card Act of 2011 (S. 1551 and H.R. 2925)74 would establish a pilot program to develop a secure Medicare card using smart card technology to protect seniors’ personal information, prevent fraud and speed payment to doctors and hospitals. It is estimated that upgrading the Medicare system with globally proven smart card technology could save the American taxpayer $30 billion or more per year in fraud and waste reductions.75

8.3.4 Taiwan Smart Health Card76

Taiwan has implemented a national smart health card, with cards being issued since 2001. As of 2005, the total population of Taiwan was 22.5 million, and 96% of Taiwan citizens had joined the National Health Insurance (NHI) program. A total of 16,558 hospitals and clinics (90% of the total) registered in the NHI program, creating a service network for insured applicants nationwide. Taiwan had a strong IT foundation: the original paper-based health care system included 92% of contracted medical institutions with a computerization rate of at least 70% and public satisfaction levels of 71%. The NHI program recognized revenue from insurance premiums of US$8.3 billion in 2001. Total health expenditure is 5.5% of Taiwan’s GDP.

Before the smart card was introduced, paper cards were used by the Bureau of National Health Insurance (BNHI) to audit patient information and then reimburse service providers monthly. The paper card was renewed after the patient had used medical services up to six times. Even though reporting and information handling were well run and maintained, the system had certain problems, such as identity fraud, excess false insurance premium claims from health care institutions, complex program vouchers, waste of resources due to the high frequency of card replacement, and high losses due to discontinuity of insured applicants. To solve these problems, in April 2001 the BNHI issued 22 million smart health care cards using Java Card technology to Taiwanese citizens.

72 Complementary Smart Card Guidance for the WEDI Health Identification Card Implementation Guide, Smart Card Alliance Healthcare Council publication, October 2011, http://www.smartcardalliance.org/pages/publications- complementary-smart-card-guidance-for-the-wedi-health-identification-card-implementation-guide
73 Health Security Information Card, Dr. James J. James, AMA Center for Public Health Preparedness and Disaster Response, presentation, Smart Card Alliance webinar, September 13, 2011, http://www.smartcardalliance.org/resources/webinars/Smart_Health_ID_Webinar_091311.pdf
74 http://kirk.senate.gov/?p=press_release&id=290
75 Secure ID Coalition, Sept. 23, 2011, http://www.upgradethecard.org/
76 The Taiwan Health Care Smart Card Project, Smart Card Alliance profile, 2005, http://www.smartcardalliance.org/resources/pdf/Taiwan_Health_Card_Profile.pdf


The new smart card-based system was integrated with the original back-end database for the paper card system. The NHI health care smart card (illustrated below) can be used for 5 to 7 years, making annual replacement unnecessary. The front side of the card includes the card’s serial number and the cardholder's photo, name, ID number, and date of birth. People are not required to present an additional ID when they use the card for NHI health care services.

Figure 20. Taiwan Health Card

The smart card is a microcontroller-based card and has 32 kilobytes (KB) of memory, of which 22 KB will be used for four kinds of information:

- Personal information, including the card serial number, date of issue and cardholder’s name, gender, date of birth, ID number, and picture.
- NHI-related information, including cardholder status, remarks for catastrophic diseases, number of visits and admissions, use of NHI health prevention programs, cardholder’s premium records, accumulated medical expenditure records and amount of cost-sharing.
- Medical service information, including drug allergy history and long-term prescriptions of ambulatory care and certain medical treatments. This information is planned to be gradually added depending on how health care providers adapt to the system.
- Public health administration information (such as the cardholder’s personal immunization chart and instructions for organ donation).

The Taiwanese government has reserved the other 10 KB of memory for future use. Moving to the smart card system has resulted in the following changes:

- Hospitals and clinics upload electronic records daily to BNHI.
- After every six patient visits, card information is uploaded online for data analysis, audit, and authentication.
- The reimbursement process is faster.

BNHI has strong privacy and security requirements for the Taiwan health care smart card, including a defined privacy policy, multiple smart card security mechanisms to prevent counterfeiting and protect cardholder information, mechanisms to protect the security of information during transmission, practices to prevent computer viruses and a crisis management and response plan. The overall system architecture was designed to implement these policies, protecting the cardholder’s private information while allowing access by authorized health care professionals. Key smart card security and privacy mechanisms are:

- High-grade card printing, comparable to payment cards.
- Encryption of information stored on the card.
- BNHI-issued SAM card for each smart card reader, with a strict authorization and mutual authentication process to access on-card data.
- Cardholder personal identification numbers (PINs) to protect on-card personal information.
- Plans for a health professional card that would be used to authorize health care provider access to medical information on the card.


As of 2010, 24 million patient cards have been issued and 350,000 health professional cards. The project reached breakeven in the first year with $190 million in savings vs. the $170 million budget.77

8.3.5 Smart Health Cards: Use and Benefits for Patients

There are a number of ways that smart card technology can help patients, all stemming from the ability to authenticate the patient's identity when seeking medical care. This may seem simple, but it’s actually the cornerstone of quality medical care and good health systems management. Accurate identification of each person that receives healthcare:
• Decreases medical errors. Optimal medical care requires that a healthcare provider have access to all relevant medical history and know what medications have been prescribed. This can be challenging as individuals seek care from more than one healthcare organization and fill prescriptions at more than one pharmacy chain. A validated patient identity can be linked to a healthcare organization’s medical records. Using a smart card also allows the storage of patient record numbers across different medical providers in a secure, privacy-sensitive way. Other personal information such as prescription history, name, address, insurance information, allergies, emergency contact information and other key data elements can also be securely stored on the card.
• Expedites the admissions process. Use of a smart card-based healthcare ID card allows patients to bypass the usual lines at inpatient admission offices or ambulatory care admissions stations. Instead, when entering a healthcare facility, registration can be quickly and easily achieved by inserting the smart healthcare card in a reader at a kiosk or station. This instantly gives the provider current information and the link to the patient's medical records, delivering increased convenience, customer service, and accuracy – in record time!
• Reduces medical identity theft and fraud. Medical identity theft and fraud is a growing concern to healthcare consumers and providers. Using smart card technology enables the addition of security elements such as a picture, personal identification number (PIN) or biometric (e.g., a fingerprint) so that a lost or stolen healthcare ID card cannot be used or accessed by anyone else. The data kept on the card can also be encrypted so that no one can access the patient's data without permission.
• Reduces healthcare costs. In addition to streamlining administrative procedures for the healthcare provider and reducing the resources dedicated to those functions, the ability to link to and quickly access all of the patient's medical history makes it less likely that the doctor would need to order duplicate tests or procedures. These significant cost savings start during the admissions process and continue all the way through the claims management process.
• Expedites claims reimbursement. Providing complete and accurate information during the registration process and removing issues with language barriers or human error greatly reduce the incidence of denied or delayed claims.
Smart card-based technology can help patients get better quality healthcare, delivered faster and more cost effectively.

8.3.6 Smart Health Cards: Use and Benefits for Hospitals78

Smart card-based technology offers a way to significantly reduce hospital administrative costs while maintaining or increasing quality of care and customer service. Smart card technology can help hospitals achieve:

77 http://www.gi-de.com/portal/page?_pageid=42,55000&_dad=portal&_schema=PORTAL
78 “Smart Card Technology in Healthcare FAQ,” Smart Card Alliance, http://www.smartcardalliance.org/resources/pdf/Smart_Card_Technology_in_Healthcare_FAQ_FINAL_096012.pdf


• Better patient identification. Smart cards serve as highly reliable and secure identity tokens. The cards can securely store various identity credentials (such as a PIN, photo, or biometric) directly on the card and make it very difficult to forge or steal the credentials on the card. A smart card can also create a digital signature. A digital signature serves as a guarantee that information received has not been modified, as if it were protected by a tamper-proof seal that is broken if the content is altered. Smart cards can present a considerable barrier to medical identity theft and fraud. Real-time verification is a superior method of confirming the identity of the incoming patient.
• Administrative efficiencies. The time and resources required to admit a patient are critical measurements of hospital efficiency. Busy waiting rooms, thin staffing levels, language barriers and manual transcription of important data from handwritten forms create many opportunities for error. Smart cards cut down the time for admissions by providing ready access to accurate, up-to-date patient information. Moreover, the standard set of information provided by the patient can be obtained via an online pre-registration process, which can be downloaded onto a smart card. Lastly, admissions can be streamlined when patients use smart cards at unmanned kiosks – taking out the labor element altogether. These efficiency gains lower cost79,80, reduce errors and improve the patient experience.
• Better medical records management. Linking a patient to their medical records seems like a simple process, but human errors often lead to many issues with matching the right patient and the right records. Using a smart card to match a patient to a specific medical record ensures a more comprehensive and accurate patient health record. Smart card-based healthcare IDs can significantly decrease the incidence of and expenses associated with duplicate record creation81. This improves administrative functions such as billing and registration and also provides for better continuity of care.
• Quality of care. A key benefit for smart patient healthcare cards is the potential reduction of medical errors and duplicative medical testing. As an example, more than 195,000 deaths occur in the United States because of medical error82, with 10 out of 1783 medical error deaths each year due to “wrong patient errors.” Smart cards help ensure better quality of care by authenticating the identity of the person receiving medical treatment. The ability to accurately link a patient to an institution’s medical records potentially reduces the number of adverse events and medical errors due to lack of patient information.
• Privacy, security and confidentiality. Since smart cards are physically held by patients, and because information is supplied by providers in an “approved” network with audit capabilities, smart cards provide privacy and security measures. Information on smart cards can be encrypted using robust, standard cryptography methods that have been proven to be extremely secure and that are used for government and military security. Thus, a patient’s information is very secure and private.
Smart card technology offers solutions to a number of challenges that healthcare organizations are looking to address. Smart card technology offers the ability to automate much of the admissions process, eliminate costly duplicate and overlaid records, and enable the creation of and access to a comprehensive medical record across a broad spectrum of healthcare providers. Smart card technology can also buttress internal hospital security systems. Use of smart cards for employee IDs enables hospital security to limit a hospital employee’s physical access to those specific buildings and areas within the facilities that are appropriate for their immediate set of responsibilities, including access to medication cabinets. Smart employee IDs can also be used for strong authentication to networks and computers.

79 In-Hospital Deaths From Medical Errors at 195,000 per Year, Health Grades Study Finds, Health Grades, July 2004 80 Stanching Hospitals’ Financial Hemorrhage with Information Technology, J.Pesce, Health Management Technology, August 2003 81 A Healthcare CFO’s Guide to Smart Card Technology and Applications, Smart Card Alliance, February 2009 82 In-Hospital Deaths From Medical Errors at 195,000 per Year, Health Grades Study Finds, Health Grades, July 2004 83 Identity Crisis, Robin Hess, For the Record, January 17, 2005


Table 8 summarizes the benefits of smart card technology for healthcare industry stakeholders.

Table 8. Smart Card Benefits in Healthcare84

Stakeholder: Patient
• Positive identification at initial registration
• Secure and portable health record
• Personal ownership and control of access to medical records
• Easier and faster registration
• Improved and faster treatment and medical care
• Positive identification for payer coverage, treatment, and billing
• Accelerated treatment in emergencies
• Audit trail through a course of treatment that crosses multiple organizations

Stakeholder: Healthcare Provider
• Instant patient identification
• Accurate link between patients and institutional medical records
• Elimination of duplicate and overlaid records
• Faster care delivery in emergency care settings
• Rapid accessibility to patient medical history
• Potential reduction in adverse events and medical errors due to lack of patient information
• Reduction in claims denials
• Faster access to key medical record data
• Integration with legacy systems with nominal IT costs
• Audit trail through a course of treatment that crosses multiple organizations
• Reduction in unnecessary/duplicate diagnostic tests or procedures by showing results from other medical providers

Stakeholder: Healthcare Delivery Organization
• Accurate patient identity
• Reduced medical record maintenance costs (duplicate/overlaid)
• Streamlined administrative processing
• Increased awareness of provider brand, in and out of the service area
• Strengthened voluntary physician/referral relationships
• Ability to support value-added service to patient community

Stakeholder: Payer (Insurance, Pharmacy Benefits Manager)
• Positive identification of the insured
• Verification of eligibility and health plan information
• Reduction in medical fraud
• Reduction of duplicate tests and reduction in payments
• Enforced formulary compliance
• Immediate adjudication at point of care
• Potential integration with payment accounts

Stakeholder: Healthcare Employer
• Highly secure identity credential for both physical and logical access
• Single sign-on capabilities (reduction in help desk calls/password management requirements)
• Link to other employee services (ID badge, parking, cafeteria)

8.4 International Driver's License

Countries have historically had their own driver's license standards, with some countries having multiple regional, state or provincial versions of driver's licenses. In most cases, the driver's licenses do not use smart card technology. Examples of countries using smart card-based driver's licenses are: El Salvador; India; Japan; some Mexican states; Morocco.85

84 A Healthcare CFO's Guide to Smart Card Technology and Applications, Smart Card Alliance white paper, February 2009 85 Electronic Driving Licence – A Pan-European Long Term Solution, Eurosmart white paper, September 2008


ISO/IEC 18013 has defined the standard for a potential internationally recognized driver's license. The standard "establishes the design format and data content of an ISO-compliant driving license (IDL) with regard to the human-readable (visual) features and the placement of ISO machine-readable technologies on the card. It creates a common basis for international use and mutual recognition of the IDL without restricting individual domestic or regional driver licensing authorities from incorporating their specific needs on the IDL."86 The standard includes the minimum common data element set, a common layout for ease of recognition and a minimum set of security requirements. ISO/IEC 18013 provides driver licensing authorities with flexibility to:
• Include other optional data elements;
• Choose the desired ISO/IEC JTC1/SC17 machine-readable technology (including magnetic stripe, integrated circuit with contacts, contactless integrated circuit, optical memory technology) or JTC1/SC31 technologies (e.g., one-dimensional or two-dimensional barcodes) and incorporate future technologies (e.g., biometrics, cryptography);
• Add other physical document security features.
The ISO/IEC 18013 standard has three parts, as follows:
• Part 1: Physical Characteristics and Basic Data Set. Part 1 describes the basic terms for this standard including physical characteristics, basic data element set, visual layout, and physical security features.
• Part 2: Machine-Readable Technologies. Part 2 describes the technologies that may be used for this standard, including the logical data structure and data mapping for each technology.
• Part 3: Access Control, Authentication and Integrity Validation. Part 3 describes the electronic security features that may be incorporated under this standard, including mechanisms for controlling access to data, verifying the origin of an IDL, and confirming data integrity.

8.5 U.S. Federal Government Use Cases

8.5.1 FIPS 201-2 Personal Identity Verification Card87

The U.S. Federal Government has been issuing smart card-based employee identity credentials for some time. One of the earliest and most influential government deployments is the Department of Defense (DoD) Common Access Card (CAC), which was designed to be the standard DoD ID card and the primary card enabling both physical access to buildings and other controlled spaces and logical access to DoD computer networks and systems. Since October 2000, when deployment began, DoD has issued over 12 million CACs and implemented the issuance infrastructure worldwide. Support for the CAC can be found on Windows®, Apple®, and Linux® systems, and it can even be used with portable mobile devices (such as the Blackberry® smart phone). DoD has reported compelling results in reducing fraud as a result of using the CAC to log onto DoD networks and sign e-mail messages—a 46 percent decrease in DoD network intrusions and 30 percent decrease in socially engineered e-mail attacks88. The Federal Government's move to smart cards accelerated with the issuance of Homeland Security Presidential Directive 12 (HSPD-12) on August 27, 2004. HSPD-12 mandates the need “to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification.”

86 http://www.iso.org/iso/catalogue_detail.htm?csnumber=41920 87 Using FIPS 201 and the PIV Card for Corporate Enterprises, Smart Card Alliance white paper, October 2008 88 DoD Implementation of Homeland Security Presidential Directive-12, Inspector General, U.S. Department of Defense, Report No. D-2008-104, June 23, 2008, p. 38 (http://www.dodig.osd.mil/Audit/reports/fy08/08-104.pdf)


HSPD-12 specifically calls for the use of a common identification credential for “gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems.” As a result of this directive, the National Institute of Standards and Technology (NIST) published FIPS 201, which was updated in August 2013 to FIPS 201-2. FIPS 201-2 defines the identity vetting, enrollment, and issuance requirements for a common identity credential and the technical specifications for a government employee and contractor ID card—the PIV card. The FIPS 201 PIV card is a smart card with both contact and contactless interfaces that is now being issued to all Federal employees and contractors. To support a variety of authentication mechanisms, the PIV card's logical credentials contain multiple data elements that are used to verify the cardholder's identity at graduated assurance levels, including:89
• A personal identification number (PIN)
• A card holder unique identifier (CHUID, FASC-N identifier and UUID)
• PIV authentication data (one asymmetric key pair and corresponding certificate)
• Two biometric fingerprints
• Electronic facial image (in FIPS 201-2)
• Asymmetric Card Authentication Key (CAK)
The PIV card may also include optional data to meet department or agency-specific requirements for additional applications, including:
• An asymmetric key pair and corresponding certificate for digital signatures
• An asymmetric key pair and corresponding certificate for key management
• Asymmetric or symmetric card authentication keys for supporting additional physical access applications
• Symmetric key(s) associated with the card management system
The success of the FIPS 201 PIV program is largely due to the development of goals, issuance policies, and technical specifications that all agencies follow. A cross-certification policy enables trust to be established between agencies, so that employees from one agency can use their PIV credentials to access controlled resources while visiting other agencies. Products and systems that conform to the defined technical interoperability standards are offered by a variety of suppliers. New standards-compliant products are introduced frequently. Today, well over 5 million PIV cards have been issued by the Federal government to employees and contractors. One of the main advantages of the PIV credentials is that they adhere to a set of standards that is accepted by suppliers, issuers, and users. A standards-based credential means that any government employee’s credential can be accepted by any government facility and IT network. In addition, vendors of both logical and physical access control products can build equipment that complies with one common standard. As a result, the Federal government can now choose from a wide range of conforming access control products, which can be purchased from a variety of suppliers, and be assured that their choice will work with every employee’s or contractor’s credential.
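As an added illustration of the CHUID element listed above (example code written for this module page, not code from the Smart Card Alliance, NIST or any PIV product), the Python below parses a CHUID data object and checks the elements a relying party reads before trusting a card: the FASC-N, the UUID and the expiration date. The element tags and lengths are taken from the SP 800-73 card data model named in Table 9 and are assumptions here, since the module names the elements but not their encoding; the sample CHUID bytes are constructed for the demonstration.

```python
"""Parse and sanity-check a PIV Card Holder Unique Identifier (CHUID)."""
import datetime
import uuid

# CHUID element tags per the SP 800-73 data model (assumed for this example).
TAG_FASCN = 0x30      # FASC-N, 25 bytes (PIV primary credential number)
TAG_GUID = 0x34       # GUID holding the UUID, 16 bytes (PIV-I/CIV number)
TAG_EXPIRY = 0x35     # expiration date, 8 ASCII bytes, YYYYMMDD
TAG_SIGNATURE = 0x3E  # issuer asymmetric signature, variable length
TAG_EDC = 0xFE        # error detection code, zero length in practice
MANDATORY = (TAG_FASCN, TAG_GUID, TAG_EXPIRY, TAG_SIGNATURE, TAG_EDC)


def parse_tlv(data: bytes) -> dict:
    """Split a flat BER-TLV string with single-byte tags into {tag: value}.

    Handles short-form lengths (< 0x80) and long-form lengths 0x81/0x82, and
    rejects truncated or duplicated elements instead of silently skipping them.
    """
    fields = {}
    i = 0
    while i < len(data):
        tag = data[i]
        i += 1
        if i >= len(data):
            raise ValueError("truncated TLV: tag 0x%02X has no length" % tag)
        first = data[i]
        i += 1
        if first < 0x80:
            length = first
        else:
            n = first & 0x7F
            if n not in (1, 2) or i + n > len(data):
                raise ValueError("unsupported or truncated length encoding")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV: tag 0x%02X value is short" % tag)
        if tag in fields:
            raise ValueError("duplicate tag 0x%02X" % tag)
        fields[tag] = value
        i += length
    return fields


def parse_chuid(chuid: bytes) -> dict:
    """Validate the mandatory CHUID elements and decode the ones a reader uses.

    `chuid` is the content of the CHUID data object, i.e. the value inside the
    0x53 response template the card returns for GET DATA.
    """
    fields = parse_tlv(chuid)
    missing = ["0x%02X" % t for t in MANDATORY if t not in fields]
    if missing:
        raise ValueError("CHUID missing mandatory elements: " + ", ".join(missing))
    if len(fields[TAG_FASCN]) != 25:
        raise ValueError("FASC-N must be 25 bytes")
    if len(fields[TAG_GUID]) != 16:
        raise ValueError("GUID must be 16 bytes")
    expiry_text = fields[TAG_EXPIRY].decode("ascii")
    expiry = datetime.datetime.strptime(expiry_text, "%Y%m%d").date()
    guid = fields[TAG_GUID]
    return {
        # FASC-N kept as raw hex: decoding its BCD digits (agency code and so
        # on) is a separate SP 800-73 procedure not covered by this example.
        "fascn_hex": fields[TAG_FASCN].hex(),
        # An all-zero GUID means no UUID was assigned; PIV-I and CIV cards use
        # this UUID as their primary credential number (see Table 9).
        "uuid": str(uuid.UUID(bytes=guid)) if any(guid) else None,
        "expiration": expiry,
        "signature": fields[TAG_SIGNATURE],  # to verify against the issuer cert
    }


def chuid_expired(chuid: dict, today: datetime.date = None) -> bool:
    """A relying party must reject a CHUID whose expiration date has passed."""
    today = today or datetime.date.today()
    return today > chuid["expiration"]


def build_sample_chuid(with_uuid: bool = True, expiry: bytes = b"20301231") -> bytes:
    """Constructed sample CHUID for the demo; not data from any real card."""
    fascn = bytes(range(25))                      # dummy 25-byte FASC-N
    guid = (uuid.UUID("12345678-1234-5678-1234-567812345678").bytes
            if with_uuid else bytes(16))
    signature = b"\xAA" * 200                     # dummy signature blob
    return (bytes([TAG_FASCN, 25]) + fascn
            + bytes([TAG_GUID, 16]) + guid
            + bytes([TAG_EXPIRY, 8]) + expiry
            + bytes([TAG_SIGNATURE, 0x81, 200]) + signature  # long-form length
            + bytes([TAG_EDC, 0]))


if __name__ == "__main__":
    parsed = parse_chuid(build_sample_chuid())
    print("UUID:", parsed["uuid"], "expires", parsed["expiration"])
    print("expired today?", chuid_expired(parsed))
```

The parsed signature is only extracted here; a real relying party would verify it against the issuer's certificate before accepting the FASC-N or UUID.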

8.5.1.1 Standards-Based Secure Identity Credentials for Commercial Organizations

Organizations outside of the Federal government can benefit from following the FIPS 201-2 standard and issuing identity credentials. Two additional credentials have been defined – the Personal Identity Verification-Interoperable (PIV-I) and Commercial Identity Verification (CIV) credentials – with the goal of taking advantage of the infrastructure created by the PIV program. The policy, process and technology applied to each of these credentials results in a level of assurance and interoperability, and ultimately the extent to which it can be used and trusted in its intended application.

89 Federal Information Processing Standard Publication 201-2 (FIPS 201-2), Personal Identity Verification (PIV) of Federal Employees and Contractors, Section 4.2, August 2013

8.5.1.1.1 PIV-Interoperable (PIV-I) Credential

As a result of non-federal issuers (NFIs) of identity cards expressing a desire to produce identity cards that can technically interoperate with Federal government PIV systems and can be trusted by Federal government relying parties, the Federal CIO Council published the guidance document, Personal Identity Verification Interoperability for Non-Federal Issuers90. The PIV-interoperable (PIV-I) credential is an identity credential that meets the PIV technical specifications to work with PIV infrastructure elements such as card readers, and is issued by a non-federal issuer (NFI) in a manner that allows federal government relying parties to trust the credential. The PIV-I credentials are technically interoperable with the PIV infrastructure. PIV-I issuers comply with the identity-proofing, registration, and issuance policies described in FIPS 201-2 and are cross-certified with the Federal PKI Bridge. Following the FIPS 201-2 process for credential issuance allows Federal relying parties to trust the PIV-I credential, across organizations. This trust is established by an enrollment, registration, and issuance process that is trusted across organizations, and a strong authentication credential that leverages a cross-certified and federated public key infrastructure. The PIV and PIV-I technology and infrastructure are based on standards at many levels – from the physical token (the smart card) to the identity credential components to the public key infrastructure (PKI) – that enable interoperable trust. A PIV-I credential would be of great value to organizations that collaborate or do business with the Federal government and have a requirement to issue interoperable identity credentials. PIV-interoperable (PIV-I) cards are now being issued by Federal contractors to those employees who need access to Federal buildings and networks.
In addition, many state and local organizations point to the PIV standard as a way to achieve a more holistic approach to issuing identity credentials and improving their own business processes. Early state adoption of PIV-I credentials and infrastructure in the Commonwealth of Virginia, the State of Colorado, and the State of Illinois has established baselines for achieving interoperability with Federal credentials, services, and systems. These PIV-I credentials are being used in regional and national interoperability exercises sponsored by the Federal Emergency Management Agency (FEMA) and for piloting operations in other areas, such as accessing Federal systems. In the July 2010 FEMA white paper, Moving towards Credentialing Interoperability: Case Studies at the State, Local and Regional Level91, seven states highlighted ongoing and planned activities for deploying PIV-I credentials within their jurisdictions.

8.5.1.1.2 Commercial Identity Verification (CIV) Credential

The CIV credential was defined by the Smart Card Alliance Access Control Council in response to requests to provide guidance on how enterprises can take advantage of FIPS 201 and the PIV credential specifications to implement a standards-based commercial identity credentialing program. The definition leverages earlier Federal government work to define a credential that was technically compatible with the PIV specifications. An October 2011 Smart Card Alliance white paper defines the CIV credential and discusses corporate benefits of adopting the CIV credential.92

90 Personal Identity Verification Interoperability for Non-Federal Issuers, Federal CIO Council, July 2010, http://www.idmanagement.gov/documents/PIV_IO_NonFed_Issuers.pdf
91 Moving towards Credentialing Interoperability: Case Studies at the State, Local and Regional Level, Federal Emergency Management Agency (FEMA) white paper, July 2010, http://www.safecomprogram.gov/NR/rdonlyres/648C73A5-022C-4E1E-84EB-8DFEFCA0C382/0/2aMovingTowardsCredentialingInteroperability_7810.pdf
92 The Commercial Identity Verification (CIV) Credential – Leveraging FIPS 201 and the PIV Specifications: Is the CIV Credential Right for You?, Smart Card Alliance Access Control Council white paper, October 2011, http://www.smartcardalliance.org/pages/publications-the-commercial-identity-verification-civ-credential-leveraging-fips-201-and-the-piv-specifications


The CIV credential is technically compatible with the PIV-I credential specifications. However, a CIV credential issuer need not comply with the strict policy framework associated with issuance and use of the PIV and PIV-I credentials. This freedom allows corporate enterprises to deploy the standardized technologies in a manner that is suitable for their own corporate environments, taking advantage of the standards-based products and services available in the market. Any enterprise can create, issue, and use CIV credentials according to requirements established within that enterprise’s unique environment.

8.5.1.1.3 Comparison of PIV, PIV-I and CIV Credentials93

Table 9 shows the key differences among PIV, PIV-I and CIV credentials and the organizations that would issue or use each type of credential.

Table 9. Comparison of PIV, PIV-I and CIV Credentials

Policy
Breeder documents
  PIV: Follows FIPS 201-2
  PIV-I: Follows FIPS 201-2
  CIV: Follows the issuing organization’s policies
Background checks
  PIV: National Agency Check with Investigation
  PIV-I: None required; directly impacts level of suitability for access
  CIV: Follows the issuing organization’s policies

Process
Application, Adjudication, Enrollment, Issuance
  PIV: Follows FIPS 201-2, including separation of roles, strong biometric binding
  PIV-I: Follows Federal Bridge cross-certification certificate policies94; for Federal relying parties, follows SP 800-63-1
  CIV: Follows the issuing organization’s policies; follows SP 800-63-1 for Federal issuance
Activation
  PIV, PIV-I and CIV: Based on FIPS 201-2, including separation of roles, strong biometric binding

Technology
Card data model
  PIV: Must follow SP 800-73
  PIV-I: Must follow SP 800-73
  CIV: “Follows” SP 800-73 (recommended)
Current primary credential number
  PIV: FASC-N95 (requires Federal agency code)
  PIV-I: UUID (no Federal agency code required)
  CIV: UUID (recommended) (no Federal agency code required)
Object identifiers
  PIV: Federal Bridge
  PIV-I: Federal Bridge
  CIV: Organization Internet Assigned Number Authority (IANA) (if exists)

Types of Federation and Levels of Assurance
Trustworthiness
  PIV: Trusted identity, credential and suitability
  PIV-I: Trusted basic identity and credential but not suitability
  CIV: Trusted credential only within the issuing organization
Trust among organizations
  PIV: Federal Bridge
  PIV-I: Clustered through Federal Bridge
  CIV: Clustered alone

Origin
Organization
  PIV: NIST
  PIV-I: Federal CIO Council
  CIV: Smart Card Alliance Access Control Council96
Defining documents
  PIV: FIPS 201, SP 800-73 and other related NIST publications
  PIV-I: Personal Identity Verification Interoperability for Non-Federal Issuers97; FICAM PIV-I FAQ98
  CIV: The Commercial Identity Verification (CIV) Credential – Leveraging FIPS 201 and the PIV Specifications99
Motivation
  PIV: HSPD-12
  PIV-I: Interoperable credential for organizations doing business with the government and for first responders
  CIV: Commercial credential that could take advantage of the PIV infrastructure

Markets
Organizations that may issue and/or use the credential
  PIV: Federal agencies
  PIV-I: Federal agencies; Federal contractors; Commercial organizations doing business with the Federal government; State and local governments; Critical infrastructure providers; First responder organizations; Commercial organizations who are part of an industry initiative and require an interoperable, trusted credential
  CIV: Commercial organizations seeking a credential for use for their employees, subcontractors, non-employee visitors and customers; Federal agencies who accept credentials with medium hardware assurance100
Resources that the credential may be used for
  PIV, PIV-I and CIV: Credential can be used in a wide range of both employment-related and consumer-based transactions. Examples include physical access, logical access101, mass transit, and closed loop payments.

93 A Comparison of PIV, PIV-I and CIV Credentials, Smart Card Alliance Access Control Council publication, March 2012, http://www.smartcardalliance.org
94 http://www.idmanagement.gov/fpkipa/documents/FBCA_CP_RFC3647.pdf
95 The FASC-N contains a federal agency code which is managed by NIST. PIV-I and CIV credential numbers (UUIDs) are generated by the issuing organization. See NIST SP 800-87 for additional information.

8.5.2 Department of Defense Common Access Card

The Department of Defense (DoD) Common Access Card (CAC) was the first enterprise smart card program in the Federal Government. The DoD began deploying the CAC in 2000, and since then the CAC has been a single unifying card for the entire department with a growing number of applications.

96 The Smart Card Alliance Access Control Council selected the name CIV and documented the specifications that would define a credential that was technically compatible with the PIV specifications. 97 http://www.idmanagement.gov/documents/PIV_IO_NonFed_Issuers.pdf 98 http://www.idmanagement.gov/documents/PIV-I_FAQ.pdf 99 http://www.smartcardalliance.org/resources/pdf/CIV_WP_101611.pdf 100 Requires that the CIV credential have a medium hardware certificate. 101 Logical access includes: computer logon, digital signatures, network access, application access, data/communication encryption.


The goal of the CAC program was to provide individuals with physical access to buildings and controlled spaces and logical access to networks and systems. These individuals are members of the active duty military personnel, civilian employees, and eligible contractor personnel. In addition to the original goals of physical and logical access, the CAC is also used for benefits and privileges as well as being the Geneva Conventions card for the United States. This diverse range of uses and applications requires advanced card features. The CAC uses a 64-144K smart card platform, providing the flexibility to accommodate emerging space requirements and provide a solution for a growing range of technologies. The CAC includes four PKI certificates: identity certificate, email signing certificate, email encryption certificate and PIV authentication certificate. In order to be interoperable, the CAC card includes a PIV Card Application which, when selected, behaves as would any other government issued PIV Card. The card also includes basic demographic data, fingerprint biometrics and facial image, and contactless technology. The CAC program has been successful for many reasons. The CAC is integral to DoD business practices, which means card holders are routinely using the card. Any changes to the card must be approved by the user community through a robust configuration management program. Also, the card is supported by policies and governance that clearly outline the uses and limitations of the card. In compliance with Homeland Security Presidential Directive 12/HSPD-12, the DoD began issuing its FIPS 201-compliant CAC in October 2006. Because of the maturity of the CAC program, a significant transition strategy was required to ensure continuity of operations.
The CAC now fully complies with PIV standards and provides interoperability when used in other Federal Agencies, but the primary functionality of the card remains DoD focused. The CAC is currently being considered for additional functions and applications. Some potential new areas of use are transportation and banking. Some applications could use the card as a payment system for transit systems and use the card instead of a bank card.

8.5.2.1 DoD Identity Management

The DoD has unique challenges that must be solved through its personnel identity management solutions. In addition to the individuals who receive CACs, the DoD population includes millions of dependents, retirees and other individuals who require routine access to DoD facilities and assets. DoD is working to align the needs of these populations with the current solutions and to provide additional services where necessary. To serve these populations, the DoD has a number of identity management solutions, including the family of DoD ID cards, the Defense Biometrics Identification System (DBIDS), the Defense National Visitors Center (DNVC), and the Defense Cross-Credentialing Identification System (DCCIS).

DBIDS is a readily deployable system for capturing, storing, and comparing biometric data for authentication. The system also registers all personnel requiring access, incorporating complex rules of sponsorship and access, linking access to the sponsor, and limiting access by location, building, and force protection level. In addition, DBIDS allows installation security personnel to control access and authenticate identity for population elements not eligible for other DoD credentials, including maintenance personnel, janitorial staff, and contractor personnel from non-DoD organizations.

The ability to rapidly and electronically authenticate credentials and cardholders is critical to operating in a federated environment. DNVC is the system that can electronically validate any centrally issued DoD credential. DNVC accommodates different readable formats and provides a real-time determination of validity in a privacy-friendly manner. The DNVC is web-based and provides a means of strengthening security across the DoD down to the lowest levels.

DCCIS is an extension of DNVC. It is an initial proof-of-concept system that proposes to resolve cross-credentialing interoperability difficulties between DoD and certain of its commercial partners.


DNVC can be DCCIS-enabled, in which case a participating DNVC facility connects with the DCCIS member organization database to authenticate visiting personnel from those organizations. Not all needs are being met by current capabilities. Access to online applications for non-CAC populations has been difficult and is under consideration; a potential solution may include federated electronic credentials for these populations. DoD is also working to align its capabilities with the requirements of the Federal Identity, Credentialing and Access Management Sub-Committee. As such, DoD will continue to evolve and transform to meet changing needs.

8.5.3 Transportation Worker Identification Credential102

The Transportation Worker Identification Credential (TWIC) program is a joint program of the Transportation Security Administration (TSA) and the U.S. Coast Guard (USCG) within the Department of Homeland Security (DHS). The objective of TWIC is to strengthen the security of the U.S. maritime infrastructure through background vetting of civilian maritime workers and issuance of tamper-resistant, biometrically-enabled identification credentials to eligible workers. TWIC was developed in response to the legislative requirements contained in the Maritime Transportation Security Act (MTSA) of 2002 (Public Law 107-295) and the Security and Accountability for Every Port (SAFE Port) Act of 2006 (PL 109-347). As of April 2015, over 3 million maritime workers had enrolled in the TWIC program. Since April 2009, possession of a TWIC card has been required for unescorted access at 3,200 land-based and outer continental shelf (OCS) facilities and on over 14,000 vessels that are subject to MTSA regulations. Workers pay for the TWIC; as of February 2015 the fee is $128.00 for a five-year card.

TWIC is aligned with FIPS 201 and includes the following technical features:103
- 64K of non-volatile memory
- Dual-interface smart card chip with both contact and contactless interfaces
- Physical security features, including color-shifting inks
- Magnetic stripe and linear bar code
- Logical security features, including encrypted fingerprint templates, signed data (CHUID and biometrics), security objects, and PKI certificates (for the PIV application)

In the early stages of defining the technical requirements for the TWIC card, the maritime industry expressed concerns about the proposed approach, which called for the TWIC card to be fully compliant with the FIPS 201 standard. The maritime community felt that FIPS 201 was not an appropriate standard for high-volume physical access control situations in which rapid access is an operational requirement.
Their concerns were based on the fact that FIPS 201 allows access to the biometric data on the smart card only through a contact interface, thereby requiring insertion of the card into a contact interface slot on a reader. Given that many of the fixed mounted reader devices would be exposed to the extremes of weather at seaports, there was concern that contact readers would allow airborne contaminants to infiltrate the reader electronics, resulting in maintenance problems. The maritime industry also objected to the FIPS 201 requirement for entry of a PIN to access the biometric data on the smart card after insertion of the card into the reader.

102 Source: Authentication Mechanisms for Physical Access Control, Smart Card Alliance Physical Access Council white paper, October 2009
103 Transportation Worker Identification Credential: An Overview of TWIC Reader Hardware and Card Application Specification, Walter Hamilton, IBIA, presentation, Smart Cards in Government Conference, October 2008


The resulting "TWIC Reader Hardware and Card Application Specification," initially published by TSA on September 11, 2007, implements an alternative authentication mechanism that allows contactless reading of the reference fingerprint template from a separate TWIC card application without requiring PIN entry. The TWIC card supports a GSA-approved PIV Card application in addition to this specialized TWIC card application.

To protect personal privacy, the fingerprint templates stored in the TWIC card application are pre-enciphered by the issuer before being loaded onto the card. They are deciphered with a randomized, unique-per-card symmetric key called the TWIC Privacy Key (TPK), which TSA generates during card personalization. The TPK can be obtained through the contact interface, through a swipe read of the magnetic stripe, or from an off-card database supported by some TWIC reader implementations. It is deliberately not readable over the contactless interface: if it were, a third party observing a contactless transaction could capture both the enciphered templates and the key needed to decipher them, and the pre-encipherment would protect nothing.

Using a contactless biometric read without a PIN presents some unique challenges for the implementer. If the pre-enciphered biometric templates are to be read from the TWIC card application through the contactless interface, the reader must first obtain the TPK before it can perform the biometric match. There are three ways to do this. The TPK can be stored in the local PACS server after a one-time local PACS registration process. Alternatively, a reader with both magnetic stripe and contactless smart card read capability can be used; the cardholder swipes the magnetic stripe of the TWIC card before presenting the card to the contactless interface. Finally, the contact interface can be used, where both the enciphered fingerprint templates and the TPK are accessible.

As noted above, a TWIC card carries two card applications, co-located in the card's memory: a TWIC card application that supports PIN-less biometric reads over either interface, including contactless, and a separate FIPS 201-compliant PIV Card application. A reader device accesses each application independently by selecting the appropriate application identifier (AID). Table 10 summarizes the primary differences between the TWIC and PIV credentials.

Table 10. Differences between TWIC and PIV Credentials

Category | PIV | TWIC
Stored fingerprint templates | Data not encrypted. PIN required to read, via the contact interface. | Data encrypted. No PIN required to read via the contact or contactless interface.
TWIC Privacy Key (TPK) | Not applicable | Stored in the magnetic stripe; also accessible through the contact interface. Required to decrypt the stored fingerprint templates.
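The TPK flow described above and the two-application layout in Table 10, modelled as an added example; this is not code from the TWIC specification or from this module. Everything specific is an assumption: the cipher (an HMAC-SHA256 keystream XOR stands in for the block cipher the real specification prescribes, so the example needs only the Python standard library), the 16-byte key length, the placeholder application labels used in place of real AID byte strings, the PIN value, and the constructed fingerprint template bytes. What the model does show is the property the text argues for: a reader can match a template read over the contactless interface only after obtaining the TPK from the PACS database, the magnetic stripe or the contact interface, and a passive observer of the contactless exchange captures neither the key nor the template.

```python
# Added example (not from the TWIC specification or from this module): a model
# of the TWIC Privacy Key (TPK) flow and the two-application card described
# above. Assumptions, none taken from the original text: the cipher (an
# HMAC-SHA256 keystream XOR stands in for the block cipher the real
# specification prescribes, so this needs only the Python standard library),
# the 16-byte key length, the placeholder application labels, the PIN value
# and the constructed fingerprint template bytes.
import hashlib
import hmac
import os

KEY_LEN = 16        # assumption: 128-bit TPK
NONCE_LEN = 16

PIV_AID = "PIV"     # placeholder labels standing in for the real AID byte strings
TWIC_AID = "TWIC"

# Constructed sample data for the example; not a real minutiae template or PIN.
TEMPLATE = b"constructed-fingerprint-template-0001"
PIN = "123456"


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (cipher stand-in)."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encipher_template(tpk: bytes, template: bytes) -> bytes:
    """Issuer side: pre-encipher the template before loading it on the card."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(tpk, nonce, template)


def decipher_template(tpk: bytes, blob: bytes) -> bytes:
    """Reader side: recover the reference template once the TPK is in hand."""
    return _keystream_xor(tpk, blob[:NONCE_LEN], blob[NONCE_LEN:])


class TwicCard:
    """Two co-located applications plus a magnetic stripe; each interface
    serves only what the text says it serves."""

    def __init__(self, template: bytes):
        self.tpk = os.urandom(KEY_LEN)            # unique per card, set at personalization
        self.apps = {
            TWIC_AID: {"enciphered_template": encipher_template(self.tpk, template),
                       "tpk": self.tpk},
            PIV_AID: {"fingerprints": template},  # plaintext, PIN-protected, contact only
        }
        self.magstripe = self.tpk
        self.contactless_log = []                 # everything an eavesdropper could capture

    def read_contactless(self, aid: str, obj: str) -> bytes:
        """Only the TWIC application's enciphered template is served without contact."""
        if aid == TWIC_AID and obj == "enciphered_template":
            data = self.apps[aid][obj]
            self.contactless_log.append(data)
            return data
        raise PermissionError(f"{aid}/{obj} is not served over the contactless interface")

    def read_contact(self, aid: str, obj: str, pin: str = "") -> bytes:
        """Contact interface: PIV biometrics need a verified PIN; the TWIC app does not."""
        if aid == PIV_AID and pin != PIN:
            raise PermissionError("PIV fingerprint read requires PIN verification")
        return self.apps[aid][obj]

    def swipe_magstripe(self) -> bytes:
        return self.magstripe


def pacs_register(card: TwicCard, pacs_db: dict, card_id: str) -> None:
    """One-time local registration: fetch the TPK over contact and keep it in the PACS."""
    pacs_db[card_id] = card.read_contact(TWIC_AID, "tpk")


def contactless_match(card: TwicCard, live: bytes, get_tpk) -> bool:
    """PIN-less contactless verification. get_tpk is one of the three TPK sources:
    the local PACS database, a magstripe swipe, or a contact read."""
    blob = card.read_contactless(TWIC_AID, "enciphered_template")
    reference = decipher_template(get_tpk(), blob)
    return hmac.compare_digest(reference, live)   # equality stands in for a matcher


def contactless_exposes(card: TwicCard, obj: str) -> bool:
    """True if the contactless interface will hand out the named TWIC object."""
    try:
        card.read_contactless(TWIC_AID, obj)
        return True
    except PermissionError:
        return False


def eavesdropper_recovers(card: TwicCard, template: bytes) -> bool:
    """Would a passive observer of the contactless traffic see the key or template?"""
    transcript = b"".join(card.contactless_log)
    return card.tpk in transcript or template in transcript


if __name__ == "__main__":
    card, pacs = TwicCard(TEMPLATE), {}
    pacs_register(card, pacs, "card-0001")
    print("PACS-held TPK match:", contactless_match(card, TEMPLATE, lambda: pacs["card-0001"]))
    print("magstripe TPK match:", contactless_match(card, TEMPLATE, card.swipe_magstripe))
    print("TPK over contactless:", contactless_exposes(card, "tpk"))
    print("eavesdropper recovers:", eavesdropper_recovers(card, TEMPLATE))
```

The three `get_tpk` callables passed to `contactless_match` correspond to the three reader designs in the text: a PACS database lookup after one-time registration, a magnetic stripe swipe, or a contact read. The `contactless_log` is the model's eavesdropper: because `read_contactless` refuses to serve the TPK, the transcript only ever contains enciphered data, which is the whole reason the key is kept off the contactless interface.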

In late 2012, Congress passed legislation requiring TWIC to implement an issuance option that requires only one visit to an enrollment center, referred to as the OneVisit option. OneVisit presented significant FIPS 201 challenges to the TWIC program, because the applicant has the TWIC card mailed to a location they designate. Direct mailing removes the possibility of in-person card activation (after a biometric match or an alternative identity verification step). An estimated 7 out of 10 TWIC applicants select the OneVisit option. Current regulations do not require the use of TWIC readers that automatically read the TWIC card, match the biometric to the cardholder, and validate the card's other electronic security features; as of April 2009, only visual inspection of TWIC cards is required for unescorted entry into regulated facilities and vessels.


8.5.4 First Responder Authentication Credential104

The First Responder Authentication Credential (FRAC) is an excellent example of the use of a PIV-interoperable credential. In the wake of 9/11 and Hurricane Katrina, U.S. homeland security professionals learned that responding to a disaster requires a multi-disciplinary response team including law enforcement, firefighters, medical professionals, and critical infrastructure workers. These emergency responders represent a broad array of disciplines within the local and state emergency management organizations and it is crucial for the incident command to recognize, in real time, the certifications and abilities of each individual responding to the incident.

The Office of National Capital Region Coordination coordinated a major initiative to leverage a smart card identity system (the First Responder Authentication Credential) for emergency response officials (EROs). These smart cards would provide first responders from across the region with the ability to quickly and easily access government buildings and reservations in the event of a terrorist attack or other disaster. The initiative was designed to remedy access problems such as those encountered by state and local emergency officials responding to the 9/11 attack on the Pentagon.

FRAC is a secure and interoperable identity credential designed for the emergency management community. NIST, DHS and the Federal Emergency Management Agency (FEMA) have worked together to specify the recommendations for the FRAC card for all emergency responders nationwide. Adherence to these recommendations ensures a common framework to trust the identities and capabilities of those emergency response team members arriving at incidents to assist during emergencies.
By leveraging the US Government FIPS 201 Personal Identity Verification standard, and the accompanying PIV-interoperable guidance from the CIO Council105, interoperable identity verification is achieved among federal, state, local, non-profit and commercial organizations responding to an incident. Under DHS National Incident Management System (NIMS) draft credentialing guidelines, three distinct and necessary components are required for an emergency responder credential:
- Identity: personal attributes that uniquely define a person
- Knowledge, skills and attributes (KSAs): certifications, trainings and NIMS resource typing that allow an incident commander to make access and deployment decisions
- Deployment authorizations: the invitation from a requesting jurisdiction, and authorization from the supporting jurisdiction, for an emergency response individual or team to respond to a mutual aid incident. Deployment authorizations are widely used in multi-jurisdictional responses crossing state boundaries and typically follow Emergency Management Assistance Compact (EMAC) processes.

At an incident scene, it is imperative to accurately verify both a person's identity and KSAs. In locales around the country, there are regular news and online stories of individuals pretending to be a police officer, a firefighter or an emergency medical technician. Official-looking badges and clothing are available for purchase via catalogs and websites and, during the high intensity of a disaster, these fraudulent items can fool even the most experienced veteran responders. Unfortunately there are also cases where valid emergency responders are detained or delayed because they do not have an easy way to establish identity or KSAs at a checkpoint. A person's identity can only be trusted if it is confirmed, issued and verifiable via a trusted issuing source.
The NIMS has published the resource typing categories and certifications for Emergency Support Functions (ESFs) and the National Infrastructure Protection Plan (NIPP). States and jurisdictions are required to identify and maintain lists of individuals who have the correct training and certifications for each of these NIMS categories. Privileges granted at an incident depend upon knowing the emergency responder's ESF codes or NIPP sectors, training, certifications and licensure information.

104 Sources: DHS web site, http://www.dhs.gov/xfrstresp/standards/editorial_0849.shtm; Probaris: First Responder Authentication Credentials white paper.
105 Personal Identity Verification Interoperability for Non-Federal Issuers, CIO Council, May 2009, http://www.idmanagement.gov/documents/PIV_IO_NonFed_Issuers_May2009.pdf

8.5.4.1 FRAC Demonstrations

"Public Law 110-53: Implementing Recommendations of the 9/11 Commission Act of 2007," was introduced into Congress on January 5, 2007 and signed into law by the President on August 3, 2007.106 Under Public Law 110-53, FEMA, in collaboration with the Department of Health and Human Services (HHS), is responsible for creating credentialing and attribute guidance for emergency response across the nation. The first step is to establish federal preparedness, to be followed by outreach to state and local communities, the critical infrastructure communities, and the volunteer communities. During the development of Public Law 110-53 and after its enactment, several demonstrations were held to test the credentialing and attributes of the various emergency response communities. These demonstrations were named Winter Fox107 (February 2006), Winter Storm108,109 (February 2007), Summer Breeze (July 2007), Winter Blast110,111 (March 2008), Spring Blitz112 (May 2008), Summer Sizzle (July 2008), Autumn Rush (October 2008), and Spring Ahead113 (May 2009). All early adopter organizations issuing FRACs to date are issuing dual-interface or tri-interface smart cards with PKI credentials, with some including magnetic stripes or bar codes for legacy system compatibility.

8.5.4.2 FRAC and PIV Interoperable Credentials

In late 2009, the Command, Control and Interoperability (CCI) Division within the Science & Technology (S&T) Directorate, the FEMA Office of National Capital Region Coordination (NCRC), and the FEMA Office of Security (OS) partnered to convene the PIV-I/FRAC Technology Transition Working Group (TTWG). The TTWG is composed of state and local emergency management representatives, many of whom have already implemented innovative and secure identity management solutions in their own jurisdictions. Local and state participants in the work group include Colorado, Maryland, Virginia, District of Columbia, Missouri, Southwest Texas, Pennsylvania, West Virginia, Hawaii, and Illinois. The working group is focused on exploring PIV interoperable (PIV-I) credentials as the standard that will enable interoperability between local and state emergency response officials.114

The FRAC is one usage scenario of the PIV-I credential which is successfully driving adoption in the state, local and commercial sectors. Early adopter organizations issuing FRAC/PIV-I cards to date have attempted to closely align with the maturing PIV-I recommendations to ensure current and future interoperability and trust. In some cases, such as the Commonwealth of Virginia, early pilots for issuing "PIV-like" cards generated feedback to the federal community which was used to help define the PIV-I recommendations. Early adopter organizations have also been leveraging the PIV-I technology for a range of additional applications in development and pilot phase. Some of these applications closely mirror the Federal Identity, Credentialing and Access Management (ICAM) objectives, with an added benefit of extended focus on daily usage external to an enterprise. A sampling of the population of credentials issued and applications implemented includes:
- Credentialing of emergency response teams (with FRAC), including doctors and nursing professionals
- Credentialing of employees, contractors and volunteers
- Credentialing of jurisdictional licensed workers such as taxi cab drivers
- Access to parking garages (low assurance access leveraging tri-interface PIV smart cards)
- Logical access to networks
- Physical access to buildings
- Digital signatures

The following sections provide sample case studies from two of the states currently deploying FRAC/PIV-I credentials.

106 http://www.govtrack.us/congress/bill.xpd?bill=h110-1
107 http://www.fema.gov/about/offices/ncr/editorial_0849.shtm
108 http://www.secureidnews.com/audio/iab_jan_07/winterstorm_iab_0107.pdf
109 http://secureidnews.com/audio/iab_april_07/JonesandWilson.pdf
110 http://www.secureidnews.com/audio/iab_0308/iab_0308_wilson.pdf
111 http://www.secureidnews.com/audio/iab_0308/iab_0308_wilson.mp3
112 http://www.secureidnews.com/news/2008/05/20/probaris-participates-in-spring-blast/
113 Electronic Designation and Validation of Federal/Mutual Aid Emergency Response Officials (F/EROs) in support of National Preparedness, Craig Wilson, FEMA, presentation, CTST 2009, May 2009
114 PIV-I/FRAC Technology Transition Working Group, U.S. Department of Homeland Security Command, Control and Interoperability Division

8.5.4.3 Commonwealth of Virginia First Responder Authentication Credentials115

EROs from across the region were present at the Pentagon site on 9/11, including EROs from Arlington County and the City of Alexandria. Immediately following the attacks, onlookers were able to mingle with rescuers. This presented a serious challenge for incident commanders: to make sure that only credentialed EROs had access to the most sensitive areas. It became evident that a credentialing process was needed to simplify this effort in the future.

In February 2007, as part of the DHS National Capital Region (NCR) First Responder Partnership Initiative, the Virginia Department of Transportation and Commonwealth of Virginia began issuing FRACs. The Virginia FRAC identity proofing and registration processes follow FIPS 201 as closely as possible for a non-Federal entity and use products from the FIPS 201 GSA Approved Products List. The design of the Virginia FRAC card was also based upon FIPS 201. The goal of the FRAC initiative, now being deployed in the NCR and Hampton Roads area, is to provide state and local EROs with a new, Federally-approved PIV-interoperable smart credential designed to achieve the following:
- Securely establish emergency responders' identities at the scene of an incident
- Confirm first responders' qualifications and expertise, allowing incident commanders to dispatch them quickly and appropriately
- Enhance cooperation and efficiency between state and local first responders and their federal counterparts116

Using a wireless handheld device, commanders at an incident scene can read and validate data from the FRAC and authenticate the ERO's identity and attributes. Among the first localities in Virginia to be issued the new FRACs were Arlington County and the City of Alexandria. Virginia is now working on a FRAC deployment in the Hampton Roads region. This deployment includes eight locations for the biometric enrollment and issuance of PIV-interoperable credentials, 39 handhelds for offline credential validation and 11,495 FRACs.117

115 Emergency Response Official Credentials: An Approach to Attain Trust in Credentials across Multiple Jurisdictions for Disaster Response and Recovery, Smart Card Alliance white paper, October 2008, http://www.smartcardalliance.org/pages/publications-emergency-response-official-credentials
116 http://www.govtech.com/gt/articles/104398

8.5.4.4 Colorado First Responder Authentication Credential118

Colorado identified as a high priority the need for an interoperable first responder credential. The Colorado first responder authentication credential (COFRAC) initiative provides the ability to electronically validate the identity and the knowledge, skills and attributes of those who are required, or volunteer, to respond to natural or man-made disasters or acts of terror. In June 2007, a Statewide Credentialing Working Group was formed, chaired by the Governor's Office of Information Technology (OIT). This Working Group, comprised of individuals at the State, regional and local levels, developed a program that addresses the needs of Colorado, while being mindful of the Federal standards and the need for interoperability with Federal agency responders. The overall goal of this working group was to provide recommendations for a common identification standard for State and local first responders that promotes interoperable first responder credentials across the State and:
- Primarily, achieves appropriate security assurance by efficiently verifying the claimed identity of individuals seeking physical access to all-hazard incidents and events in the State of Colorado.
- Secondarily, communicates the qualifications, skills and training of first responder personnel to the Receiving Authority Incident Command.
- Finally, bases the program upon recognized standards, open-system architectures, and non-proprietary technologies.

The COFRAC standard is focused on incident management and interoperability, and does not specify access control policies or requirements for State departments and local agencies. State and local departments and agencies were encouraged, however, to investigate how the FRAC technology can be leveraged for both physical and logical access.

The Colorado credentialing standard was published in April 2008.119 Colorado's North Central Region (metropolitan Denver area) began its COFRAC deployment in October 2008 with plans to issue between 10,000 and 15,000 FRACs in the North Central Region.120

8.6 Machine-to-Machine Applications

Machine-to-machine (M2M) technology allows devices to communicate with each other, in wireless or wired systems, without human interaction. While the M2M market is still in a very early phase, analysts are projecting strong growth for wireless M2M applications, with government regulations for smart metering and vehicle safety the key drivers for the growth. The M2M market is expected to support a wide variety of applications, including:
- Smart metering/smart power grid applications, where smart meters collect and transmit consumption data and help to manage power consumption
- Vehicle systems: emergency call systems, anti-theft systems, fleet management systems
- POS and vending systems
- Alarm and security management
- Healthcare applications: remote monitoring of patient data and prevention of medical device cloning
- Industrial data collection
- Remote maintenance and control of mechanical systems

Smart card technology is built into M2M modules and is used in M2M applications when the security of the application is critical (e.g., there is a high risk of fraud or system compromise). Smart card functions in M2M applications include:
- Authentication of the device to the mobile network and to other devices communicating M2M
- Encryption of data transmitted from the M2M device
- Prevention of manipulation of data in the end device

Smart card technology M2M modules are manufactured to specifications required by the industrial marketplace, so that they work in more hostile environments (with extended operating ranges for temperature, vibration and humidity) and with a longer lifespan (typically ten-year data retention). M2M modules are available in multiple form factors, including:
- A standard-sized plug-in SIM card (2FF)
- A microSIM plug-in card (3FF)
- A solderable small SIM (MFF1 or MFF2)
- A SIM component in surface mount device (SMD) packaging, allowing the component to be soldered onto printed circuit boards (to resist theft)

Standards for M2M technology cover the M2M module or secure element, the device interface and the different M2M applications.
- The European Telecommunications Standards Institute (ETSI) has defined the entry-level M2M secure element specification, ETSI TS 102 671 V9.1.0 (2011-09), Smart Cards; Machine to Machine UICC; Physical and Logical Characteristics.121 The ETSI specification defines the environmental classes for the M2M UICC, two form factors (MFF1 and MFF2), the electrical and logical specifications of the MFF UICC-terminal interface and the device pairing mechanism. The specification also relies on other underlying smart card specifications for the UICC, including ISO/IEC 7816, ETSI TS 102 221, ETSI TS 102 484, ETSI TS 102 600 and ETSI TS 102 613.
- Communications with M2M modules may be wired or wireless. Wireless communications may be GSM-based, may use point-to-point communication protocols (e.g., Bluetooth) or may be IP-based (e.g., WiFi).
- Each M2M application will also be governed by its own set of standards (for example, for smart metering).

117 Source: Commonwealth of Virginia First Responder Authentication Credential (FRAC) Program, Mike McAllister, Governor's Office of Commonwealth Preparedness, Smart Cards in Government Conference, October 2009
118 Emergency Response Official Credentials: An Approach to Attain Trust in Credentials across Multiple Jurisdictions for Disaster Response and Recovery, Smart Card Alliance white paper, October 2008
119 Colorado State First Responder Authentication Credential Standards: Best Practice Standard, Colorado Governor's Office of Information Technology, April 10, 2008, https://publish.colorado.gov/cs/Satellite/OIT-New/OITX/1200536168031?rendermode=preview-lplunkett-1165692952165
120 First Responder Credentials Expedite Access, NLECTC TechBeat, Winter 2010

8.7 Pay TV

Smart card technology is incorporated into systems used for digital pay TV. Conditional access systems control consumer access to content and allow broadcasters and operators to offer different fee-based content that is delivered via satellite, cable or other over-the-air systems. Conditional access modules descramble content being broadcast and protect consumer codes authorizing access to the content. Smart card technology built into the consumer's set-top box is used to encrypt and decrypt user control codes and transparently descramble broadcast signals. By incorporating a smart card module, broadcasters can update a consumer's set-top box by providing a new smart card rather than a complete new box, and can take advantage of smart card features to prevent compromises of the conditional access system's security. Figure 21 illustrates the use of smart cards in a pay TV application.

Figure 21. Pay TV Application

Additional information on conditional access modules and smart card use in pay TV systems can be found in the following articles:
- "Television encryption," http://en.wikipedia.org/wiki/Television_encryption
- "Conditional access," http://en.wikipedia.org/wiki/Conditional_access
- "Card sharing," http://en.wikipedia.org/wiki/Card_sharing
- "Pirate decryption," http://en.wikipedia.org/wiki/Pirate_decryption
- "Conditional access to television service," http://www.wirelesscommunication.nl/reference/chaptr01/brdcsyst/dvb/paytv.htm

121 http://www.etsi.org/deliver/etsi_ts/102600_102699/102671/09.01.00_60/ts_102671v090100p.pdf


9 Privacy122 Individuals are currently required to confirm their identity for many diverse purposes, such as verifying eligibility within a health care system, accessing a secure network or facility, or validating their authority to travel. In almost every discussion about implementing personal identification (ID) systems to improve identity verification processes, concerns about privacy and the protection of personal information quickly emerge as key issues. Government agencies and private businesses that are implementing ID systems to improve the security of physical or logical access must factor these issues into their system designs. While technologies are available that can provide a higher level of security and privacy than ever before, ID system complexity coupled with increasing public awareness of the risks of privacy intrusion require that organizations focus on privacy and personal information protection throughout the entire ID system design and implementation. A secure personal ID system must address policy and technical requirements as well as individual privacy concerns. The system must be secure, provide fast and effective verification of an individual’s identity, and protect the individual’s privacy. To implement a privacy-sensitive ID system, policies, processes, system architecture and technology choices must be carefully considered and designed to enhance individual privacy. Smart card technology can provide a privacy-enabling platform for implementing identification systems that meet both governmental and business needs for secure and accurate identification. This section defines privacy as the concept applies to an identification system and discusses how privacy considerations affect system design and implementation. It reviews how smart cards can provide a privacy-enabling technology for different ID systems and recommends key guidelines for business practices and system designs that can help protect privacy.

9.1 Defining Privacy in an Information Context In 1967, Alan Westin defined privacy as “the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.”123 This definition focuses on the protection of personal information and reflects both the modern necessity to interact with others and the modern requirement that information in one form or another flow between the different components of society. There have been many further attempts to define privacy, based both on the concept of leaving the individual alone and on the more modern concept of protecting the collection, storage, and transmission of information.124 These definitions tend to range from generic definitions (like the two examples above) to very specific and detailed definitions that attempt to identify every component involved in a privacy- aware process or system.125 One author even argues that the privacy principles are more important than agreeing on a concrete definition of privacy.126 For the purposes of this section, Alan Westin’s definition offers a context within which to make technology and process choices in an information system. It enshrines the right of the owner of information to decide how, where, and by whom that information is used. Usage of information in this context encompasses initial collection, when the owner of information presents it to a collecting body and consents to its use, and all subsequent use, either by the collecting body or by others to whom the information has been transmitted.

[122] Privacy and Secure Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology, Smart Card Alliance white paper, February 2008.
[123] Alan F. Westin, Privacy and Freedom, New York, NY: Atheneum, 1967.
[124] A search on “definition of privacy” on http://www.google.com returned 1,740 entries.
[125] One example is the “Privacy Framework” from the International Security, Trust and Privacy Alliance (http://www.istpa.org). The ISTPA definition of privacy is: “The proper handling and use of personal information throughout its life cycle, consistent with the preferences of the subject.”
[126] Robert Gellman, Privacy, Consumers and Costs, March 2002. Available at: http://www.epic.org/reports/dmfprivacy.html.


Another important component of privacy in an information system is the protection of personal information during its lifecycle, from collection through usage and storage to eventual destruction. What personal information is considered private also varies, depending on the situation. Such information may include an individual’s Social Security number, biometric information, financial transaction histories, and other information such as medical, employment, academic, driving, and income tax records.

9.1.1 Privacy Parameters

The protection of privacy in a modern information system is concerned with the following broad areas:
• When, how, and why information is collected from an individual.
• When, how, and why collected information is accessed by authorized entities.
• When, how, and why collected information is destroyed.
• How information is protected from accidental or deliberate disclosure to, or modification by, unauthorized parties, from collection to destruction.
• How an individual can control whether information will be collected and, if so, subsequently used and retransmitted.
• How an individual’s usage preferences are enforced if information is retransmitted to additional information systems.

The Fair Information Practices defined by the Organization for Economic Development (OECD) [127] are being used internationally to form the operational basis for privacy safeguards and data protection. The commonly accepted fair information practice principles are: notice and awareness; choice and consent; individual access; information quality and integrity; update and correction; enforcement and recourse. Other guidelines and principles can be found in the European Union (EU) Data Protection Directive (1995) [128] and the U.S. Department of Health, Education and Welfare (HEW) Fair Information Practices: “Records, Computers and the Rights of Citizens” (1973). [129]

9.1.2 Security Parameters

Information security is a vital element in the design and implementation of a privacy-sensitive system. If unauthorized users can access information too easily, the information can hardly be private. The broad definition of security has been standardized for a number of years to mean maintaining the confidentiality, integrity, and availability of information (with various subdivisions). When the main concern is protecting privacy, maintaining confidentiality receives the most focus. However, all aspects of security are critical to protecting the privacy of information.

In the context of information security, confidentiality pertains to the secrecy of information. Once an individual’s information has been passed to a collector, how that information is entered, transmitted and stored so that an unauthorized entity cannot access or alter the information is critical. Is it encrypted, or stored in a “locked” container? What is the strength of the “key” and encryption algorithm used to protect the information? Is the information protected while it is being collected (e.g., during Internet collection)? What are the processes and procedures that govern how an authorized entity uses the information? If the confidentiality of information is compromised, the information can easily and quickly be copied and disseminated.

Integrity in this context pertains to the accuracy of information held about an individual. Integrity considers not only whether the information has been protected from tampering, but also whether the information is accurate when it is used. In a privacy-enabled system, the integrity of information is crucial. If the integrity of information is lost (for example, if the information is incorrect or outdated), then the owner’s privacy may be violated when incorrect decisions are made based on unreliable information.

Availability in this context pertains to access control (i.e., who can access the information). The processes, procedures, and technology used to control access are crucial to preventing information leakage, either to external third parties or unauthorized insiders. In many cases poor access controls are the means by which private information is leaked from an organization to the outside world. Poor access controls can negate the best secrecy technology.

[127] See http://www1.oecd.org/publications/e-book/9302011E.PDF
[128] See http://www.cdt.org/privacy/eudirective/EU_Directive_.html
[129] See http://aspe.hhs.gov/datacncl/1973privacy/tocprefacemembers.htm

9.1.3 ID System Design and Implementation Goals

Both privacy and security must be considered fundamental design goals for any personal ID system and factored into the specification of the ID system’s policies, processes, architectures, and technologies. When implementing an ID system (especially in non-corporate situations) there are three main choices:
1) Use an existing ID as the de facto choice. For example, in the United States, the Social Security number was often used as a general identifier for numerous systems.
2) Deliberately use another ID that is not associated with the specific application. For example, in the United States, the driver’s license is used for boarding aircraft.
3) Design an ID system for the specific application. Select a solution that is appropriate for the task to be performed with appropriate controls, technology choices, and processes. This is the most effective mechanism for protecting privacy.

Privacy considerations map to the various aspects of an ID system as follows:
• The enrollment system must ensure the accuracy and integrity of the information presented to validate an individual’s identity and also protect the confidentiality and integrity of this information.
• The ID token must protect the credential against copying or intrusion to prevent unauthorized use or disclosure of the ID information.
• The ID token and ID validation entity must protect any exchange of validation information to prevent spoofing of an ID (e.g., unauthorized capture and use of data to impersonate an individual).
• When a valid ID is presented, the ID system must ensure that only the information necessary to the task being performed is released.

The design of a privacy-sensitive ID system therefore covers much more than the choice of the token used to carry the identity information. The entire system design, from the enrollment process through the use and final destruction of the ID, including policies and procedures as well as technology, needs to be privacy-aware. A well-defined security policy can specify how personal information is protected and managed; however, the policy alone cannot ensure that the system meets the policy requirements. One common approach taken to address this issue is to design tests that validate that the system is operating as intended, with different security methodologies, processes and technologies used to ensure the strength of the identification mechanism in the implementation. Common Criteria [130] is an extensive security standard that can be applied to the problem of system validation.

Most of the tokens that could be chosen for an ID system are privacy-neutral. It is how the system overall is designed that determines whether the system is a privacy risk or benefit. Smart cards are one of the few ID technology choices that have the strong security mechanisms required to enhance the privacy aspects of a well-designed ID system.

[130] See http://www.commoncriteria.org


9.2 Smart Cards and Privacy Protection

Because smart cards are programmable, ID systems that incorporate them are flexible. ID systems can be privacy-invasive, privacy-protective, or privacy-neutral, depending on the motivations driving the overall system design. This section examines the potential of smart cards for use as a privacy-enhancing technology. Many of the drivers for using smart cards in ID systems that were discussed in Section 2 are those that enhance privacy.

• Personal firewall for private information. To protect personal information, each smart ID card can contain a personal firewall. The firewall is implemented to ensure that data objects are served from the card only when an external system is authenticated as having predetermined access rights to the data. The provision of any personal information on the card can be linked to a technique that seeks the permission of the cardholder before the information is released. The permission can be a cardholder’s PIN, password or a biometric factor. If the smart ID card is able to verify the PIN, password, or biometric, it can then release the appropriate information.

• Authenticated and authorized information access. The information required to identify an individual typically depends on the individual’s role in the situation. For example, when cigarettes are being purchased, the only identification information required may be the individual’s age. Whether the individual can drive and where the individual lives may be irrelevant. The smart card’s ability to process information and react to its environment gives it a unique advantage in providing authenticated information access. Unlike other forms of identification (such as a passive printed driver’s license), a smart card does not expose all of an individual’s personal information (including potentially irrelevant information) when it is presented. A smart card is able to release only the information required and only when it is required. The card’s unique ability to verify the authority of the information requestor makes it an excellent guardian of the cardholder’s personal information. For example, to a police officer, a driver’s license that is also a smart ID card can present only information that is related to the motor vehicle authority. By allowing authorized, authenticated access only to the information required by a transaction, a smart card-based personal ID system can protect an individual’s privacy while ensuring that the individual is properly identified.

• Strong ID card security. Smart card technology helps to deter counterfeiting and thwart tampering through a variety of hardware and software capabilities. When compared with other tamper-resistant tokens, smart cards currently represent the best tradeoff between security and cost. Smart cards also allow compatibility with other installed card systems, since hybrid cards can include a magnetic stripe, bar codes, embossing, or visual printing. When used in combination with other technologies such as public key cryptography and biometrics and when properly implemented, smart cards are almost impossible to duplicate or forge, and data in the chip cannot be modified without proper authorization (e.g., with passwords, biometric authentication, or cryptographic access keys). As long as system implementations have an effective security policy and incorporate the necessary security services provided by smart cards, users can have a high degree of confidence in the integrity of their information and its secure, authorized use. (See CSCIP Module 2 for more detail.)

• Strong data security. Privacy, authenticity, and integrity of data encoded on ID credentials are primary requirements for a secure ID system. Sensitive data is typically encrypted, both on the smart ID card and during communications with the external reader and system. Digital signatures can be used to ensure data integrity, with multiple signatures required if different authorities created the data. To ensure privacy, applications and data on the ID credential must be designed to prevent information sharing.


• System challenges and privacy. For the most robust security and privacy, the secure ID system may require that system components authenticate the legitimacy of other components during the identity verification process. This can include the smart ID card verifying that the automated reader is authentic and the reader in turn authenticating the validity of the smart ID card. The smart ID card can also ensure that the requesting system has established the right to access the information being requested.

• Anonymous go/no go. Verification of identity validates that the individual presenting an ID card is the person who owns the credentials on the card. Verification of identity ensures that an imposter has not come into possession of the card. The use of secondary or tertiary authentication factors, such as personal identification numbers (PINs), passwords, or biometrics, can verify that the cardholder is indeed the person who was initially enrolled. Matching a card with a cardholder does not necessarily require access to an identity database. A smart ID card can perform the match by itself (on-card) and use a secure communication channel to indicate to external equipment, such as a door lock, terminal, or computer, that the correct holder of the card is present along with the smart ID card. In this case, information accessed by the door lock, terminal, or computer must be updated periodically to ensure that expired or revoked ID cards and credentials are not validated. When on-card matching is used, smart ID cards offer an important privacy benefit. If the smart ID card is determined to be authentic (enrolled and not revoked, expired or counterfeit) and the cardholder’s identity is verified, the person’s identity does not have to be divulged externally. The identity of the cardholder can be verified by means of a single secure message, sent externally by the smart ID card indicating a correct or incorrect match. The door, terminal equipment, or computer should not be able to record the actual identity of the person being verified. The equipment records only that what was presented was an authenticated smart ID card and that a good or bad credential match resulted.

• Multiple and separate applications. Smart cards allow applications to be segregated. This can allow a smart card to support multiple single-purpose IDs, all in one card, that relate to a person's role rather than to a person. This enables an individual to use different identifiers and segregate data trails, such that the transaction trails generated in the context of one relationship are not available to other organizations. [131]

The design of privacy-protective smart cards revolves around providing the individual with control. This can be accomplished through such measures as placing the ownership of cards in the hands of the individual and ensuring design transparency of smart card-based ID systems. On-card identity verification schemes can be more conducive to privacy protection because they do not rely on a centralized database. Such systems store private information (e.g., private keys and biometric information) on the card itself. As a result, the data is under the control of the individual and is also less accessible to hackers. While privacy breaches can still occur with the use of smart cards, the measures discussed here can significantly prevent fraud or identity theft, deter counterfeiting and protect private information.

9.3 Practical Guidelines for Privacy Protection in Smart Card-Based ID Systems

To be successful, a privacy-enabled smart card-based identification system must satisfy two critical objectives:
• Maximize protection of individuals’ private information.
• Instill confidence among users that private information is being protected.

[131] Roger Clarke, Chip-Based ID: Promise or Peril, Proc. Int'l Conf. on Privacy, Montreal, September 1997.


This section recommends key non-technical and non-legal considerations and practices for achieving these two objectives within two broad areas: business practices and ID system design considerations. The section does not attempt to offer comprehensive guidelines on all aspects of privacy protection. Two concepts, privacy protection and data security, overlap considerably in this context. Achieving the former depends greatly on achieving the latter. If data are insecure or can too easily be accessed inappropriately, they can hardly be private. Thus, some of these guidelines necessarily allude to security and data handling practices.

The guidelines below focus on how to design a system that has strong privacy protection. It is important to remember that some ID systems will have other requirements that are a higher priority than privacy protection (e.g., auditing who has accessed a bank vault). The design of any ID system, however, should include consideration of all of the potential privacy issues and select the appropriate policies and implementation approaches.

9.3.1 Business Practice Guidelines [132][133]

The following business practices can help enterprises protect the privacy of individuals enrolled in an ID system:

• Develop and adhere to a comprehensive privacy policy that includes information handling practices.
• Conduct regular staff training and spot checks on proper practices.
• Conduct employee background checks, and screen temporary service providers.
• Collect only the minimum data required to perform transactions.
• Avoid displaying personal data on cards or in printouts (for example, Social Security numbers, biometric images). Truncate displayed or printed account numbers.
• Restrict access to individuals’ personal information to only those who need the information to perform transactions. Enforce this restriction by requiring rigorous staff identity verification at the time of each transaction.
• Before collecting personal information from individuals, tell them why it is being collected, what it will be used for, who will be able to see it, how it will be protected, the consequences of not providing the information, and the rights of redress if the policy is violated. The individual can then decide whether to provide the information.

9.3.2 System Design Considerations and Guidelines [134][135]

The following system design guidelines are recommended to protect privacy.

• Consider all media on which information is stored and transmitted, not only the information stored on the ID card. Store all personal information in encrypted form in the ID card and in any database. Destroy original unencrypted personal information after encryption.
• Transmit only encrypted information.
• Remove any information captured by an ID card reader or at any intermediate system transmission point from the reader or transmission point as soon as the transaction is complete.
• Use checklists for individual data fields to determine what rights each authorized group has to view, add, change, or delete data in the field.

[132] Privacy Rights Clearing House, 2000 (http://www.privacyrights.org/).
[133] Electronic Privacy Information Center, 1994 (http://www.epic.org).
[134] Privacy Rights Clearing House, 2000 (http://www.privacyrights.org/).
[135] Information and Privacy Commission of Ontario, 2001 (http://www.ipc.on.ca).


• Enable cardholders to authorize card content extraction with a password, PIN, and/or biometric verification for all transactions.
• Maximize the offline portion of transactions (involving the card and reader only) and minimize online access, transmission of data, and recording of transaction activity in remote databases. Perform on-card verification of identity where possible. This practice provides an additional benefit: it speeds up transaction processing and reduces telecommunications expenses.
• Construct identification verification applications that extract from the card only the information required to execute a transaction. For example, authorization for the purchase of alcohol or tobacco requires only two pieces of data: data verifying the cardholder’s identity and data verifying that the cardholder meets the age requirement. This transaction does not require and should not be permitted to include personal information such as the cardholder’s age, address, or requirement to wear corrective lenses while operating a motor vehicle.
• Construct applications so that transaction records cannot be used as surveillance tools. The Information and Privacy Commissioner/Ontario states, “Data generated from the use of the card, such as where and when it was used, can never be matched to the transaction information and its content. The systems design ultimately used should be incapable of permitting such matching to take place.” [136]

While privacy must be designed into the entire system, smart cards, with on-card intelligence and processing capabilities, are uniquely capable of enabling compliance with the above guidelines.
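The mechanisms described in Section 9.2 (the personal firewall, mutual authentication of card and reader, and the anonymous go/no go match) and the design guidelines above (cardholder authorization of content extraction, on-card verification, extracting only what a transaction needs, and transaction records that cannot identify the holder) can be exercised together in one small simulation. The following is an added example written for this module; it is not code from the Smart Card Alliance or from any card platform. The terminal roles, keys, PIN, birthdate and data objects are constructed sample values, and an HMAC-SHA256 challenge-response stands in for the entity authentication a real card would perform (for instance under ISO/IEC 9798, listed in Section 10.5).

```python
import hashlib
import hmac
import secrets
from collections import namedtuple
from datetime import date

# Access conditions a data object can require before the card serves it.
TERMINAL_AUTH = "terminal_authenticated"  # reader proved knowledge of a role key
HOLDER_VERIFIED = "cardholder_verified"   # PIN verified on-card in this session
DEMO_TODAY = date(2015, 5, 7)             # constructed "today" for the age check

# value, set of required conditions, set of terminal roles entitled to read it
DataObject = namedtuple("DataObject", "value conditions roles")


def mac(key, challenge):
    """Stand-in for the real authentication primitive (constructed: HMAC-SHA256)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class SmartIdCard:
    """Personal firewall: data leaves only for an authenticated, entitled terminal."""

    def __init__(self, role_keys, card_key, pin, birthdate, objects, max_tries=3):
        self._role_keys = role_keys  # terminal role -> shared key (constructed)
        self._card_key = card_key    # card's own authentication key (constructed)
        self._pin = pin
        self._birthdate = birthdate  # never served as a data object
        self._objects = objects
        self._max_tries = self._tries_left = max_tries
        self._challenge = None
        self.terminal_role = None    # set only after external authentication
        self.holder_verified = False

    def get_challenge(self):
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def external_authenticate(self, role, response):
        """Reader proves it holds the key for `role`; each challenge is used once."""
        key = self._role_keys.get(role)
        ok = (key is not None and self._challenge is not None
              and hmac.compare_digest(mac(key, self._challenge), response))
        self._challenge = None
        self.terminal_role = role if ok else None
        return ok

    def internal_authenticate(self, challenge):
        """Card proves it is genuine by answering with its issuer-registered key."""
        return mac(self._card_key, challenge)

    # Anonymous go/no-go: the PIN is matched on-card and only the verdict leaves.
    def verify_pin(self, candidate):
        if self._tries_left == 0:
            return False  # PIN blocked after too many wrong attempts
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self._tries_left = self._max_tries
            self.holder_verified = True
            return True
        self._tries_left -= 1
        self.holder_verified = False
        return False

    def _held(self):
        held = {TERMINAL_AUTH} if self.terminal_role is not None else set()
        return held | ({HOLDER_VERIFIED} if self.holder_verified else set())

    # Selective disclosure: release only what the authenticated role may see.
    def read(self, name):
        obj = self._objects[name]
        if not obj.conditions <= self._held() or self.terminal_role not in obj.roles:
            raise PermissionError(f"{name}: not released to role {self.terminal_role!r}")
        return obj.value

    def meets_age(self, years, today):
        """Answer an age predicate without releasing the birthdate itself."""
        if not {TERMINAL_AUTH, HOLDER_VERIFIED} <= self._held():
            raise PermissionError("age check requires terminal auth and cardholder PIN")
        b = self._birthdate
        age = today.year - b.year - ((today.month, today.day) < (b.month, b.day))
        return age >= years


def build_demo_card():
    """Constructed sample card; keys and data would come from the issuer in practice."""
    role_keys = {"retail": b"retail-terminal-key-demo", "police": b"police-terminal-key-demo"}
    card_key = b"card-0001-key-demo"
    both = frozenset({TERMINAL_AUTH, HOLDER_VERIFIED})
    objects = {
        "address": DataObject("12 Example Street", both, {"police"}),
        "license_class": DataObject("C", {TERMINAL_AUTH}, {"police"}),
    }
    return SmartIdCard(role_keys, card_key, "1234", date(1990, 6, 15), objects), role_keys, card_key


def run_transaction(card, role, terminal_key, card_key_at_issuer, pin):
    """Mutual authentication plus on-card PIN match. The returned record is all that
    a door, terminal or host may log: no identity, only the go/no-go outcome."""
    term_ok = card.external_authenticate(role, mac(terminal_key, card.get_challenge()))
    chal = secrets.token_bytes(16)
    card_ok = hmac.compare_digest(card.internal_authenticate(chal), mac(card_key_at_issuer, chal))
    match = card.verify_pin(pin) if (term_ok and card_ok) else False
    return {"terminal_authenticated": term_ok, "card_authentic": card_ok, "holder_match": match}
```

A retail terminal that has authenticated and obtained the holder's PIN can ask `meets_age(21, DEMO_TODAY)` and gets a yes/no answer, but `read("address")` is refused because that object is not released to the retail role; a police terminal can read `license_class` after terminal authentication alone, but the address only after the holder has also entered the PIN. The record returned by `run_transaction` carries no identity, which is what the last guideline above asks of transaction logs. Real cards also enforce revocation and expiry checks on the terminal side, which this simulation leaves out.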

[136] Ibid.


10 Relevant Standards and Specifications

Numerous standards are relevant to smart card applications and more are created every year. They have various impacts at different levels of a smart card-based system and may deal with physical characteristics, security certifications, transmission protocols, and application loading or design. There are also industry "specifications," which are not "standards," but which play a very important role in smart card applications. Not all application specifications are listed in this section, though some of the important industry-focused applications are included. Standards are voluntary, but are generally adhered to in the interest of achieving conformity and interoperability. A brief synopsis of the various smart card standards and specifications is included in this section. Additional information can be found in the body of work referenced with each smart card standard or specification.

ISO/IEC is the worldwide standard-setting body for technology, including plastic cards. These standards set minimums, but also include many options and tend to leave some issues unaddressed. As a result, conformance to ISO standards alone does not necessarily ensure interoperability – nor does it ensure that cards and terminals built to the specifications will interoperate. The main standards that pertain to smart cards are ISO/IEC 7810, ISO/IEC 7816, ISO/IEC 14443, ISO/IEC 15693, ISO/IEC 24727 and ISO/IEC 7501.

The following should be noted:
1. Some standards listed below are available free of charge, but many must be purchased.
2. Some standards may not be listed in this section, but could be relevant to a specific application or a specific technique required by an implementation (e.g., standardized format of biometric information).

This section contains a list of standards and specifications relating to this module. A more complete listing of standards and specifications, with descriptions of each, can be found in Module 1.

10.1 Standards Relevant to Smart Card Physical Characteristics
• ISO/IEC 7810 – Identification Cards – Physical Characteristics
• ISO/IEC 7816 – Identification Cards – Integrated Circuit Cards [137]

10.2 Standards Relevant to Technologies Which Could Be Found on a Smart Card

Smart cards often include other technologies in the card body. The following standards apply to common technologies:
• Magnetic stripes: ISO/IEC 7811 series, Identification cards – Recording technique
• Linear bar codes: ISO/IEC 15416 Information technology – Automatic identification and data capture techniques – Bar code print quality test specification – Linear symbols
• PDF417 bar code: ISO/IEC 15438 Information technology – Automatic identification and data capture techniques – PDF417 bar code symbology specification
• Optical memory cards: ISO/IEC 11693 Identification cards – Optical memory cards; ISO/IEC 11694 Identification cards – Optical memory cards – linear recording method

[137] Source: http://www.iso.org


10.3 Standards and Specifications Relevant to Technologies Related to the Card Interface
• ISO/IEC 7816 Series – Identification Cards – Integrated Circuit(s) Cards with Contacts
• ISO/IEC 14443 – Contactless Integrated Circuit Cards – Proximity Cards
• ISO/IEC 15693 – Contactless Integrated Circuit Cards – Vicinity Cards
• Personal Computer/Smart Card (PC/SC) Specifications

10.4 Standards and Specifications Relevant to the Card Commands and Application Data Structures
• ISO/IEC 7816 Series – Identification Cards – Integrated Circuit(s) Cards with Contacts
• GlobalPlatform [138]
• Java Card [139]

10.5 Standards and Specifications Relevant to Security or Cryptography
• ISO/IEC 9798 – Information Technology – Security Techniques – Entity Authentication
• ISO/IEC 11770 – Information Technology – Security Techniques – Key Management
• ISO/IEC 24787 – Information Technology – Identification Cards – On-Card Biometric Comparison
• Common Criteria

10.6 Standards and Specifications Relevant to Issuers or Specific Industry Sectors
• ISO/IEC 7501 Series, Identification Cards – Machine Readable Travel Documents
• ISO/IEC 7812 Series, Identification Cards – Identification of Issuers
• ISO/IEC 7816 Series, Identification Cards – Integrated Circuit(s) Cards with Contacts
• ISO/IEC 18013 – Personal Identification – ISO-Compliant Driving License
• Healthcare Card Standards
  - ISO/IEC 21549 – Health Informatics – Patient Health Card Data
  - ISO/IEC 13606 – Health Informatics – Electronic Health Record Communication
  - ISO/IEC 18037 – Health Informatics – Interoperability and Compatibility in Messaging and Communication Standards
  - ANSI INCITS 284 – Identification Cards – Health Care Identification Cards
• Doc 9303, ICAO Machine Readable Travel Documents

[138] GlobalPlatform specifications are available at http://www.globalplatform.org/specifications.asp
[139] Java Card specifications are available at http://java.sun.com/javacard/3.0.1/specs.jsp


• NFC: ETSI TS 102 10 V1.1.1 (2003-03), "Near Field Communication (NFC) IP-1; Interface and Protocol (NFCIP-1)"
• ETSI TS 102 221 V9.2.0 (2010-10), “Smart Cards; UICC-Terminal interface; physical and logical characteristics”
• ETSI TS 102 484 V10.0.0 (2011-01), “Smart Cards; Secure channel between a UICC and an end-point terminal”
• ETSI TS 102 600 V10.0.0 (2010-10), “UICC-Terminal interface; Characteristics of the USB interface”
• ETSI TS 102 613 V9.2.0 (2011-03), “UICC – Contactless Front-end (CLF) Interface; Part 1: physical and data link layer characteristics”
• ETSI TS 102 671 V9.1.0 (2011-09), “Smart Cards; Machine to Machine UICC; Physical and logical characteristics”
• Comité Européen de Normalisation: CEN/TS 15480 Identification card systems – European Citizen Card

10.7 Other Standards Related to Smart Cards or their Software Clients
• ISO/IEC 24727 Identification Cards – Integrated Circuit Card Programming Interfaces

10.8 Primary U.S. Standards and Specifications Related to Smart Cards – Federal Information Processing Standards (FIPS)

FIPS standards are developed by the NIST Computer Security Division. FIPS standards are designed to protect federal computer and telecommunications systems. The following FIPS standards apply to smart card technology and pertain to digital signature standards, advanced encryption standards, security requirements for cryptographic modules and personal identity verification cards.
• FIPS Standards for Digital Signatures
  - FIPS 186-2 Digital Security Standard
  - ANSI X9.31-1998 RSA signature algorithm specifications
  - ANSI X9.62-1998 ECDSA signature algorithm specifications
• FIPS Standards for Digital Encryption
  - FIPS 197 Advanced Encryption Standard (AES)
• FIPS 140 (1-3) Security Requirements for Cryptographic Modules Standard
• FIPS 201-2 Personal Identity Verification of Federal Employees and Contractors

10.9 Biometrics Standards

Many new secure ID system implementations are using both biometrics and smart cards to improve the security and privacy of the ID system. The following standards apply to biometric applications in general, and may apply to portions of a smart card-based system.
• ANSI-INCITS 358-2002, BioAPI Specification (ISO/IEC 19784-1).


• ANSI-INCITS 398, Common Biometric Exchange Formats Framework (CBEFF) (ISO/IEC 19785-1).
• ANSI-INCITS Biometric Data Format Interchange Standards:
  - ANSI-INCITS 377-2004 – Finger Pattern Based Interchange Format
  - ANSI-INCITS 378-2004 – Finger Minutiae Format for Data Interchange
  - ANSI-INCITS 379-2004 – Iris Interchange Format
  - ANSI-INCITS 381-2004 – Finger Image Based Interchange Format
  - ANSI-INCITS 385-2004 – Face Recognition Format for Data Interchange
  - ANSI-INCITS 395-2005 – Signature/Sign Image Based Interchange Format
  - ANSI-INCITS 396-2004 – Hand Geometry Interchange Format
• ISO/IEC 19794 series on biometric data interchange formats.

10.10 Other Standards and Specifications that Relate to Smart Card-Based Applications
• G-8 Health Standards
• The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Public Law 104-191)
• American National Standards Institute – INCITS 284 Identification Cards – Health Care Identification Cards
• USB Implementers Forum [140]
• Initiative for Open Authentication (OATH) [141]

[140] USB Implementers Forum web site, http://www.usb.org.
[141] Source: http://www.openauthentication.org/


11 References

39 Myths about ePassports: Part I, ICAO MRTD Report, Vol. 5, No. 1, 2010, http://www2.icao.int/en/MRTD2/ReportsPastIssues/ICAO%20MRTD%20Report%20Vol.5%20No.1,%202010.pdf#page=24
Access Control Reader and Credential Architecture and Engineering Specification for Non-Government Facilities: Contactless Smart Card 13.56 MHz High Frequency Technology, Smart Card Alliance, April 2015, http://www.smartcardalliance.org/wp-content/uploads/AE-Generic-PACS-Smartcard-Reader-and-Credential-Annotated-Version-FINAL-v30-042015.pdf
Authentication Mechanisms for Physical Access Control Systems, Smart Card Alliance Physical Access Council white paper, October 2009, http://www.smartcardalliance.org
Chip-Based ID: Promise or Peril, Roger Clarke, Proc. Int'l Conf. on Privacy, Montreal, September 1997
Colorado State First Responder Authentication Credential Standards: Best Practice Standard, Colorado Governor's Office of Information Technology, April 10, 2008, https://publish.colorado.gov/cs/Satellite/OIT-New/OITX/1200536168031?rendermode=preview-lplunkett-1165692952165
The Commercial Identity Verification (CIV) Credential – Leveraging FIPS 201 and the PIV Specifications: Is the CIV Credential Right for You?, Smart Card Alliance Access Control Council white paper, October 2011, http://www.smartcardalliance.org
Commonwealth of Virginia First Responder Authentication Credential (FRAC) Program, Mike McAllister, Governor's Office of Commonwealth Preparedness, Smart Cards in Government Conference, October 2009
A Comparison of PIV, PIV-I and CIV Credentials, Smart Card Alliance Access Control Council publication, March 2012, http://www.smartcardalliance.org
Complementary Smart Card Guidance for the WEDI Health Identification Card Implementation Guide, Smart Card Alliance Healthcare Council publication, October 2011, http://www.smartcardalliance.org/pages/publications-complementary-smart-card-guidance-for-the-wedi-health-identification-card-implementation-guide
DoD Implementation of Homeland Security Presidential Directive-12, Inspector General, U.S. Department of Defense, Report No. D-2008-104, June 23, 2008
Electronic Driving Licence – A Pan-European Long Term Solution, Eurosmart position paper, September 2008, http://www.eurosmart.com/images/doc/WorkingGroups/e-ID/Papers/eurosmart_position_paper_driving_licences_final.pdf
Electronic Privacy Information Center, http://www.epic.org
Emergency Response Official Credentials: An Approach to Attain Trust in Credentials across Multiple Jurisdictions for Disaster Response and Recovery, Smart Card Alliance white paper, October 2008, http://www.smartcardalliance.org
ePassport Frequently Asked Questions, Smart Card Alliance publication, March 2009, http://www.smartcardalliance.org
European Citizen Card: One Pillar of Interoperable eID Success, Eurosmart position paper, November 2009, http://www.eurosmart.com/images/doc/WorkingGroups/e-ID/Papers/ecc-position-paper-final.pdf
First Responder Authentication Credentials white paper, Probaris
Gemalto M2M web site, http://www.gemalto.com/telecom/m2m/


The German Citizen ID Card: 1st Anniversary – Lessons Learned, Dietmar Wendling, SCM Microsystems, presentation, Smart Cards and Government Conference, November 3, 2011

The German Health Card, Fabiola Bellersheim, Giesecke & Devrient, presentation, Smart Cards and Government Conference, November 18, 2010

The Global Wireless M2M Market, Berg Insight, http://www.berginsight.com/ReportPDF/ProductSheet/bi-gwm2m-ps.pdf

Giesecke & Devrient M2M web site, http://www.gi-de.com/en/products_and_solutions/solutions/machine_to_machine/machine-to-machine-solutions.jsp

Government Smart Card Handbook, General Services Administration, February 2004, http://www.smartcardalliance.org

Health Security Information Card, Dr. James J. James, AMA Center for Public Health Preparedness and Disaster Response, presentation, Smart Card Alliance webinar, September 13, 2011, http://www.smartcardalliance.org/resources/webinars/Smart_Health_ID_Webinar_091311.pdf

A Healthcare CFO's Guide to Smart Card Technology and Applications, Smart Card Alliance white paper, February 2009, http://www.smartcardalliance.org

Healthcare Identity Management: The Foundation for a Secure and Trusted National Health Information Network, Smart Card Alliance Healthcare Council and Identity Council brief, September 2009, http://www.smartcardalliance.org

HIPAA Compliance and Smart Cards: Solutions to Privacy and Security Requirements, Smart Card Alliance white paper, September 2003, http://www.smartcardalliance.org

ICAO Doc 9303 Machine Readable Travel Documents, Part 1 Machine Readable Passports, Volume 2 Specifications for Electronically Enabled Passports with Biometric Identification Capability, Sixth Edition 2006

Identifiers and Authentication – Smart Credential Choices to Protect Digital Identity, Smart Card Alliance Identity Council position paper, September 2009, http://www.smartcardalliance.org

Identity Crisis, Robin Hess, For the Record, January 17, 2005

Identity Theft: Prevalence and Cost Appear to be Growing, GAO-02-063, March 2002

Identity Theft in Florida, State-wide Grand Jury Report, November 2002

In-Hospital Deaths From Medical Errors at 195,000 per Year, Health Grades Study Finds, Health Grades, July 2004

Infineon Technologies web site, http://www.infineon.com/cms/en/product/applications/chip-card-and-security/communications

Information and Privacy Commission of Ontario, http://www.ipc.on.ca

Initiative for Open Authentication, http://www.openauthentication.org/

International Civil Aviation Organization (ICAO), http://www.icao.int

An Introduction to Biometric Recognition, by Anil K. Jain, Arun Ross, & Salil Prabhakar, IEEE Invited Paper, 2004

List of National Identity Card Policies by Country, http://en.wikipedia.org/wiki/List_of_national_identity_card_policies_by_country

Logical Access Security: The Role of Smart Cards in Strong Authentication, Smart Card Alliance white paper, October 2004, http://www.smartcardalliance.org


M2M challenges for further development, Eurosmart, November 2011, http://www.eurosmart.com/images/doc/WorkingGroups/NewFF/Papers/m2m%20challenges%20for%20further%20development_november%202011.pdf

The Machine-to-Machine Market: A High Growth Opportunity for MNOs, Pyramid Research, October 2011, http://www.pyramidreseach.com

Mission Critical, http://www.tvworldwide.com/events/mission_critical/061018/default.cfm?id=7523&type=wmhigh

NIST MINEX II web site, http://fingerprint.nist.gov/minexII/

NIST NSTIC web site, http://www.nist.gov/nstic/

NIST Special Publication 800-63, Electronic Authentication Guideline, Version 1.0, June 2004

NIST Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), November 2008

NSTIC Frequently Asked Questions, Smart Card Alliance FAQ, http://www.smartcardalliance.org/pages/publications-nstic-faq

Oberthur Technologies web site, http://www.oberthur.com/content/253/telecom

Overview: The ICAO Public Key Directory, ICAO, http://www2.icao.int/en/MRTD/Downloads/PKD%20Documents/Overview%20-%20The%20ICAO%20Public%20Key%20Directory.pdf

Personal Identity Verification Interoperability for Non-Federal Issuers, CIO Council, May 2009, http://www.idmanagement.gov/documents/PIV_IO_NonFed_Issuers_May2009.pdf

Privacy, Consumers and Costs, by Robert Gellman, March 2002

Privacy and Freedom, by Alan F. Westin, (Atheneum, 1967)

Privacy Rights Clearing House, http://www.privacyrights.org/

Privacy and Secure Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology, Smart Card Alliance white paper, February 2003, http://www.smartcardalliance.org

The REAL ID Act: Why Real ID Cards Should Be Based on Smart Card Technology, Smart Card Alliance white paper, July 2006, http://www.smartcardalliance.org

The Right to Privacy, by Samuel Warren and Louis Brandeis, Harvard Law Review 193 [1890]

Secure Identification Systems: Building a Chain of Trust, Smart Card Alliance white paper, March 2004, http://www.smartcardalliance.org

Security Industry Association (SIA), http://www.siaonline.org/

Smart Card Technology: The Right Choice for REAL ID, Smart Card Alliance white paper, http://www.smartcardalliance.org

Smart Card Technology in Healthcare: Frequently Asked Questions, Smart Card Alliance publication, May 2009, http://www.smartcardalliance.org

Smart Cards and Biometrics, Smart Card Alliance Access Control Council white paper, March 2011, http://www.smartcardalliance.org

Smart! M2M – New Markets, New Opportunities, New Requirements, Giesecke & Devrient publication, http://www.gi-de.com/gd_media/media/documents/complementary_material/smart__newsletter/smart_issue1_2010.pdf


Smart M2M Module, Eurosmart, November 2009, http://www.eurosmart.com/images/doc/WorkingGroups/NewFF/Papers/m2m_whitepaper_versionfinale.pdf

Smart.Gov, GSA smart card web site, http://www.smart.gov/

Stanching Hospitals' Financial Hemorrhage with Information Technology, J. Pesce, Health Management Technology, August 2003

Transportation Worker Identification Credential (TWIC), CDR David Murk (USCG) presentation, National Petroleum and Refiners Association, March 2010

Transportation Worker Identification Credential: An Overview of TWIC Reader Hardware and Card Application Specification, Walter Hamilton, IBIA, presentation, Smart Cards in Government Conference, October 2008

TWIC Reader Hardware and Card Application Specification, TSA, May 30, 2008, http://www.tsa.gov/assets/pdf/twic_reader_card_app_spec.pdf

The U.S. Electronic Passport Frequently Asked Questions, U.S. Department of State web site, http://travel.state.gov/passport/eppt/eppt_2788.html#Eleven

USB Implementer's Forum web site, http://www.usb.org

Using FIPS 201 and the PIV Card for the Corporate Enterprise, Smart Card Alliance white paper, October 2008, http://www.smartcardalliance.org

Using Smart Cards for Secure Physical Access, Smart Card Alliance white paper, July 2003, http://www.smartcardalliance.org


12 Acknowledgements

This document was developed by the Smart Card Alliance for the Certified Smart Card Industry Professional (CSCIP) program. Publication of this document by the Smart Card Alliance does not imply the endorsement of any of the member organizations of the Alliance.

The Smart Card Alliance thanks the following individuals and organizations for their review of and contributions to this CSCIP module:

• Anna Fernezian, ActivIdentity
• Walter Hamilton, Identification Technology Partners
• Bryan Ichikawa, Deloitte
• Gilles Lisimaque, Identification Technology Partners
• Neville Pattinson, Gemalto
• Mark Stafford, Infineon Technologies
• Lars Suneborn, Hirsch Electronics

The Smart Card Alliance thanks the following individuals and organizations for contributing content to this CSCIP module:

• Bob Gilson and Joe G. Stuntz, DoD/DMDC, Section 8.5.2, Department of Defense Common Access Card
• Walter Hamilton, Identification Technology Partners, Section 8.5.3, Transportation Worker Identification Credential
• LaChelle Levan, Probaris, Section 8.5.4, First Responder Authentication Credential
• Neville Pattinson, Gemalto, Section 3.1.1, Security Printing Features; Section 3.1.2, Security Devices

The Smart Card Alliance thanks Gemalto for the Figure 9 graphics and for the graphics in Sections 3.1.1 and 3.1.2.

The Smart Card Alliance wishes to thank the many current and past members of the Smart Card Alliance Councils and Task Forces who contributed to the development of the reference material that was used to create this module.
About LEAP and the CSCIP Program

The Smart Card Alliance Leadership, Education and Advancement Program (LEAP) was formed to: offer a new individual members-only organization for smart card professionals; advance education and professional development for individuals working in the smart card industry; and manage and confer, based on a standardized body-of-knowledge examination, the Certified Smart Card Industry Professional (CSCIP) designation.

LEAP members who wish to achieve certification as experts in smart card technology may do so at any time. Certification requires that LEAP members meet specific educational and professional criteria prior to acceptance into the certification program. A series of educational modules forming the CSCIP certification body of knowledge has been developed by leading smart card industry professionals and is updated regularly. These educational modules prepare applicants for the multi-part CSCIP exam administered by the Smart Card Alliance. The exam requires demonstrated proficiency in a broad body of industry knowledge, as opposed to expertise in specialized smart card disciplines. Applicants must receive a passing grade on all parts of the exam to receive the CSCIP certification. LEAP membership in good standing is required to sustain the certification, and documentation of a required level of continuing education activities must be submitted every three years for CSCIP re-certification.

Additional information on LEAP and the CSCIP accreditation program can be found at http://www.smartcardalliance.org.


Trademark Notice

All registered trademarks, trademarks, or service marks are the property of their respective owners.
