DOCSLIB.ORG

A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS) NIST Special Publication 800-116 A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS) William MacGregor Ketan Mehta David Cooper Karen Scarfone I N F O R M A T I O N S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD, 20899-8930 November 2008 U.S. Department of Commerce Carlos M. Gutierrez, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director Special Publication 800-116 A Recommendation for the Use of PIV Credentials in PACS REPORTS ON COMPUTER SYSTEMS TECHNOLOGY The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of non-national security-related information in Federal information systems. This Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-116, 71 pages (November 2008) Page ii Special Publication 800-116 A Recommendation for the Use of PIV Credentials in PACS Acknowledgements The authors, David Cooper, William MacGregor, and Karen Scarfone of the National Institute of Standards and Technology (NIST) and Ketan Mehta of Mehta, Inc., wish to thank their colleagues who reviewed drafts of this document and contributed to its development. We thank Tony Cieri and Ron Martin for substantial written contributions to the document. The authors gratefully acknowledge and appreciate the support received from the Interagency Security Committee, Department of Justice (DOJ), General Services Administration (GSA), Department of Homeland Security (DHS), Department of Defense (DoD), Social Security Administration (SSA), and Department of Treasury in developing this document. Special thanks to our expert collaborators who participated in weekly conference calls and provided comments on many versions of the document: + Tim Baldridge + Magdalena Benitez + Joe Broghamer + Mike Defrancisco + Hildegard Ferraiolo + Scott Glaser + Christopher Hernandez + Gwainevere Hess + Everett Hilliard + Nolin Huddleston + Lemar Jones + C. Larson + Edward Layo + Diana Londergan + Ron Martin + Eric Mitchell + Steve Mitchell + Benjamin Overbey Page iii Special Publication 800-116 A Recommendation for the Use of PIV Credentials in PACS + Ron Ross + Austin Smith + Carlton Stevenson + David Vanderweele + Tom Whittle + Craig Zeigler Page iv Special Publication 800-116 A Recommendation for the Use of PIV Credentials in PACS Table of Contents 1. Executive Summary ............................................................................................................1 2. Introduction .........................................................................................................................4 2.1 Authority ......................................................................................................................4 2.2 Background .................................................................................................................4 2.3 Purpose and Scope.....................................................................................................5 2.4 Audience .....................................................................................................................6 3. Terminology.........................................................................................................................7 4. Threat Environment ..........................................................................................................12 4.1 Identifier Collisions ....................................................................................................12 4.2 Terminated PIV Cards...............................................................................................13 4.3 Visual Counterfeiting .................................................................................................13 4.4 Skimming...................................................................................................................14 4.5 Sniffing ......................................................................................................................14 4.6 Social Engineering ....................................................................................................14 4.7 Electronic Cloning .....................................................................................................15 4.8 Electronic Counterfeiting ...........................................................................................15 4.9 Other Threats ............................................................................................................15 5. Limitations of Deployed Physical Access Control Systems.........................................16 5.1 Cardholder Identification ...........................................................................................16 5.2 Door Reader Interface...............................................................................................16 5.3 Authentication Capability...........................................................................................16 5.4 Deployed Wiring ........................................................................................................17 5.5 Software Upgrades....................................................................................................17 5.6 Deployed Non-PIV PACS Cards and PIV Card Differences......................................17 6. The PIV Vision ...................................................................................................................19 6.1 Interoperability...........................................................................................................19 6.2 Qualities of the Complete Implementation.................................................................20 6.3 Benefits of the Complete Implementation..................................................................21 6.4 Infrastructure Requirements......................................................................................23 Page v Special Publication 800-116 A Recommendation for the Use of PIV Credentials in PACS 7. PIV Authentication Mechanisms......................................................................................24 7.1 Authentication Factors...............................................................................................24 7.1.1 Deployed Proximity or Magnetic Stripe Authentication..................................25 7.1.2 Visual (VIS) Authentication............................................................................25 7.1.3 Cardholder Unique Identifier (CHUID) Authentication ...................................25 7.1.4 Card Authentication Key (CAK) Authentication .............................................26 7.1.5 PIV Authentication Key (PKI) Authentication.................................................26 7.1.6 BIO Authentication.........................................................................................27 7.1.7 BIO-A Authentication .....................................................................................27 7.1.8 CAK + BIO(-A) Authentication .......................................................................28 7.2 Multi-Factor Authentication........................................................................................28 7.3 Selection of PIV Authentication Mechanisms............................................................28 7.4 PACS Registration ....................................................................................................32 7.5 Credential Validation and Path Validation .................................................................33 7.6 Lost PIV Card or Suspicion of Fraudulent Use..........................................................34 8. PACS Use Cases ...............................................................................................................36 8.1 Single-Tenant Facility................................................................................................37 8.2 Multi-Tenant Facility ..................................................................................................37 8.3 Mixed-Multi-Tenant Facility........................................................................................38 8.4 Single-Tenant Campus..............................................................................................39 8.4.1 FSL I or II Campus Facility ............................................................................39 8.4.2 FSL III Campus Facility..................................................................................40 8.4.3 FSL IV or V Campus Facility..........................................................................41 8.5 Multi-Tenant Campus ................................................................................................41
Load more

Recommended publications
  • American Diplomacy Project: a US Diplomatic Service for the 21St
    AMERICAN DIPLOMACY PROJECT A U.S. Diplomatic Service for the 21st Century Ambassador Nicholas Burns Ambassador Marc Grossman Ambassador Marcie Ries REPORT NOVEMBER 2020 American Diplomacy Project: A U.S. Diplomatic Service for the 21st Century Belfer Center for Science and International Affairs Harvard Kennedy School 79 JFK Street Cambridge, MA 02138 www.belfercenter.org Statements and views expressed in this report are solely those of the authors and do not imply endorsement by Harvard University, Harvard Kennedy School, or the Belfer Center for Science and International Affairs. Design and layout by Auge+Gray+Drake Collective Works Copyright 2020, President and Fellows of Harvard College Printed in the United States of America FULL PROJECT NAME American Diplomacy Project A U.S. Diplomatic Service for the 21st Century Ambassador Nicholas Burns Ambassador Marc Grossman Ambassador Marcie Ries REPORT NOVEMBER 2020 Belfer Center for Science and International Affairs | Harvard Kennedy School i ii American Diplomacy Project: A U.S. Diplomatic Service for the 21st Century Table of Contents Executive Summary ........................................................................3 10 Actions to Reimagine American Diplomacy and Reinvent the Foreign Service ........................................................5 Action 1 Redefine the Mission and Mandate of the U.S. Foreign Service ...................................................10 Action 2 Revise the Foreign Service Act ................................. 16 Action 3 Change the Culture ..................................................
    [Show full text]
  • Access Control
    Security Engineering: A Guide to Building Dependable Distributed Systems CHAPTER 4 Access Control Going all the way back to early time-sharing systems, we systems people regarded the users, and any code they wrote, as the mortal enemies of us and each other. We were like the police force in a violent slum. —ROGER NEEDHAM Microsoft could have incorporated effective security measures as standard, but good sense prevailed. Security systems have a nasty habit of backfiring, and there is no doubt they would cause enormous problems. —RICK MAYBURY 4.1 Introduction Access control is the traditional center of gravity of computer security. It is where se- curity engineering meets computer science. Its function is to control which principals (persons, processes, machines, . .) have access to which resources in the sys- tem—which files they can read, which programs they can execute, how they share data with other principals, and so on. NOTE This chapter necessarily assumes more computer science background than previous chapters, but I try to keep it to a minimum. 51 Chapter 4: Access Controls Figure 4.1 Access controls at different levels in a system. Access control works at a number of levels, as shown in Figure 4.1, and described in the following: 1. The access control mechanisms, which the user sees at the application level, may express a very rich and complex security policy. A modern online busi- ness could assign staff to one of dozens of different roles, each of which could initiate some subset of several hundred possible transactions in the system. Some of these (such as credit card transactions with customers) might require online authorization from a third party while others (such as refunds) might require dual control.
    [Show full text]
  • Using Certificate-Based Authentication for Access Control
    GLOBALSIGN WHITE PAPER Using Certificate‐based Authentication for Access Control GLOBALSIGN WHITE PAPER John Harris for GlobalSign GLOBALSIGN WHITE PAPER CONTENTS Introduction ...................................................................................................................................................................2 Finding The Right Path ...................................................................................................................................................2 Certicate‐based Network Authentication ......................................................................................................................3 What Is It? ................................................................................................................................................................. 3 How Does It All Work? .............................................................................................................................................. 4 What Can Users Expect? ........................................................................................................................................... 4 How Does It Stack Up To Other Authentication Methods? ....................................................................................... 4 Other Authentication Methods ................................................................................................................................. 5 Comparing Authentication Methods ........................................................................................................................
    [Show full text]
  • Virtual Credential Ceremony of Foreign Diplomats
    Virtual Credential Ceremony of Foreign Diplomats Why in news? In a first, President Ram Nath Kovind accepted the credentials of foreign diplomats of as many as 7 countries in a virtual ceremony, given the COVID-19 situation. What is the credential ceremony all about? A Letter of Credence is a formal document appointing a diplomat as Ambassador or High Commissioner to another sovereign state. The present ceremony involved diplomats from the Democratic People's Republic of Korea, Senegal, Trinidad & Tobago, Mauritius, Australia, Cote d'Ivoire and Rwanda. They presented their credentials (Letters of Credence) before the President via video conference. Each of these letters is addressed from one head of state to another. President Ram Nath Kovind formally accepted each Letter of Credence. This marked the beginning of the ambassadorship of each of those foreign diplomats, in India. The letters were officially handed over to the MEA (Ministry of External Affairs) to be delivered to the President of India. Initially, the ambassadors were to present their credentials from their respective embassies. However, all seven were escorted to the Jawahar Bhavan headquarters of the MEA (Ministry of External Affairs). How does it take place generally? The presentation of credentials is a spectacular and elaborate ceremony with strict rules and rituals. Under normal circumstances, it is hosted at the majestic Ashoka Hall inside the Rashtrapati Bhavan. The envoys come to Rashtrapati Bhavan accompanied by a foreign ministry official. They have to sit in a specific seat in the car with the protocol officer next to them. The diplomat is received at the forecourt of the presidential palace by the commander of the Presidential Guard.
    [Show full text]
  • Access Control
    Access Control CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Access Control • Describe the permissions available to computing processes – Originally, all permissions were available • Clearly, some controls are necessary – Prevent bugs in one process from breaking another • But, what should determine access? CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page 2 Permissions for Processes • What permissions should be granted to... – An editor process? – An editor process that you run? – An editor process that someone else runs? – An editor process that contains malware? – An editor process used to edit a password file? • Q: How do we determine/describe the permissions available to processes? • Q: How are they enforced? • Q: How might they change over time? CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page 3 Protection System • Any “system” that provides resources to multiple subjects needs to control access among them – Operating system – Servers • Consists of: – Protection state • Description of permission assignments (i.e., policy) • Determines how security goals are met – Enforcement mechanism • Enforce protection state on “system” CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page 4 Protection State • Describes the conditions under which the system is secure
    [Show full text]
  • Security in Ordinary Operating Systems
    39 C H A P T E R 4 Security in Ordinary Operating Systems In considering the requirements of a secure operating system,it is worth considering how far ordinary operating systems are from achieving these requirements. In this chapter, we examine the UNIX and Windows operating systems and show why they are fundamentally not secure operating systems. We first examine the history these systems, briefly describe their protection systems, then we show, using the requirements of a secure operating system defined in Chapter 2, why ordinary operating systems are inherently insecure. Finally, we examine common vulnerabilities in these systems to show the need for secure operating systems and the types of threats that they will have to overcome. 4.1 SYSTEM HISTORIES 4.1.1 UNIX HISTORY UNIX is a multiuser operating system developed by Dennis Ritchie and Ken Thompson at AT&T Bell Labs [266]. UNIX started as a small project to build an operating system to play a game on an available PDP-7 computer. However, UNIX grew over the next 10 to 15 years into a system with considerable mindshare, such that a variety of commercial UNIX efforts were launched. The lack of coherence in these efforts may have limited the market penetration of UNIX, but many vendors, even Microsoft, had their own versions. UNIX remains a significant operating system today, embodied in many systems, such as Linux, Sun Solaris, IBM AIX, the various BSD systems, etc. Recall from Chapter 3 that Bell Labs was a member of the Multics consortium. However, Bell Labs dropped out of the Multics project in 1969, primarily due to delays in the project.
    [Show full text]
  • What They Wear the Observer | FEBRUARY 2020 | 1 in the Habit
    SPECIAL SECTION FEBRUARY 2020 Inside Poor Clare Colettines ....... 2 Benedictines of Marmion Abbey What .............................. 4 Everyday Wear for Priests ......... 6 Priests’ Vestments ...... 8 Deacons’ Attire .......................... 10 Monsignors’ They Attire .............. 12 Bishops’ Attire ........................... 14 — Text and photos by Amanda Hudson, news editor; design by Sharon Boehlefeld, features editor Wear Learn the names of the everyday and liturgical attire worn by bishops, monsignors, priests, deacons and religious in the Rockford Diocese. And learn what each piece of clothing means in the lives of those who have given themselves to the service of God. What They Wear The Observer | FEBRUARY 2020 | 1 In the Habit Mother Habits Span Centuries Dominica Stein, PCC he wearing n The hood — of habits in humility; religious com- n The belt — purity; munities goes and Tback to the early 300s. n The scapular — The Armenian manual labor. monks founded by For women, a veil Eustatius in 318 was part of the habit, were the first to originating from the have their entire rite of consecrated community virgins as a bride of dress alike. Belt placement Christ. Using a veil was Having “the members an adaptation of the societal practice (dress) the same,” says where married women covered their Mother Dominica Stein, hair when in public. Poor Clare Colettines, “was a Putting on the habit was an symbol of unity. The wearing of outward sign of profession in a the habit was a symbol of leaving religious order. Early on, those the secular life to give oneself to joining an order were clothed in the God.” order’s habit almost immediately.
    [Show full text]
  • Designing Physical Security Monitoring for Water Quality Surveillance and Response Systems
    United States Environmental Protection Agency Designing Physical Security Monitoring For Water Quality Surveillance and Response Systems Office of Water (AWBERC, MS 140) EPA 817-B-17-001 September 2017 Disclaimer The Water Security Division of the Office of Ground Water and Drinking Water has reviewed and approved this document for publication. This document does not impose legally binding requirements on any party. The information in this document is intended solely to recommend or suggest and does not imply any requirements. Neither the U.S. Government nor any of its employees, contractors or their employees make any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party’s use of any information, product or process discussed in this document, or represents that its use by such party would not infringe on privately owned rights. Mention of trade names or commercial products does not constitute endorsement or recommendation for use. Version History: The 2019 version is the second release of the document, originally published in September 2017. This release includes updated component names (Enhanced Security Monitoring was changed to Physical Security Monitoring and Consequence Management was changed to Water Contamination Response), an updated version of Figure 1.1 that reflects the component name changes and includes the Advanced Metering Infrastructure component, an updated Glossary, updated target capabilities, and updated links to external resources. “Enhanced” was replaced with “Physical” in this document to avoid any implication of a baseline standard, and better describe the type of security. Questions concerning this document should be addressed to [email protected] or the following contacts: Nelson Mix U.S.
    [Show full text]
  • General Access Control Guidance for Cloud Systems
    NIST Special Publication 800-210 General Access Control Guidance for Cloud Systems Vincent C. Hu Michaela Iorga Wei Bao Ang Li Qinghua Li Antonios Gouglidis This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-210 C O M P U T E R S E C U R I T Y NIST Special Publication 800-210 General Access Control Guidance for Cloud Systems Vincent C. Hu Michaela Iorga Computer Security Division Information Technology Laboratory Wei Bao Ang Li Qinghua Li Department of Computer Science and Computer Engineering University of Arkansas Fayetteville, AR Antonios Gouglidis School of Computing and Communications Lancaster University Lancaster, United Kingdom This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-210 July 2020 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority.
    [Show full text]
  • Standards for Building Materials, Equipment and Systems Used in Detention and Correctional Facilities
    NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY Research Information Center Gaithersburg, MD 20890 PUBLICATIONS NBSIR 87-3687 Standards for Building Materials, Equipment and Systems Used in Detention and Correctional Facilities Robert D. Dikkers Belinda C. Reeder U.S. DEPARTMENT OF COMMERCE National Bureau of Standards National Engineering Laboratory Center for Building Technology Building Environment Division Gaithersburg, MD 20899 November 1987 Prepared for: -QC ment of Justice 100 ititute of Corrections i, DC 20534 . U56 87-3687 1987 C . 2 Research Information Center National Bureau of Standards Gaithersburg, Maryland NBSIR 87-3687 20899 STANDARDS FOR BUILDING MATERIALS, EQUIPMENT AND SYSTEMS USED IN u - DETENTION AND CORRECTIONAL FACILITIES Robert D. Dikkers Belinda C. Reeder U.S. DEPARTMENT OF COMMERCE National Bureau of Standards National Engineering Laboratory Center for Building Technology Building Environment Division Gaithersburg, MD 20899 November 1987 Prepared for: U.S. Department of Justice National Institute of Corrections Washington, DC 20534 U.S. DEPARTMENT OF COMMERCE, C. William Verity, Secretary NATIONAL BUREAU OF STANDARDS, Ernest Ambler, Director TABLE OF CONTENTS Page Preface . vi Acknowledgements vii Executive Summary ix I . INTRODUCTION 1 A. Background , 1 B. Objectives and Scope of NBS Study 3 II. FACILITY DESIGN AND CONSTRUCTION 6 A. Facility Development Process 6 1 . Needs Assessment ........................................ 6 2 . Master Plan 6 3 . Mission Statement . 6 4. Architectural Program 7 5. Schematic Design and Design Development 7 6 . Construction 9 B. Security Levels 10 C . ACA S tandar ds 13 . III MATERIALS , EQUIPMENT AND SYSTEMS .... 14 A. Introduction 14 B. Performance Problems 15 C. Available Standards/Guide Specifications 20 iii TABLE OF CONTENTS (continued) 5 Page D« Perimeter Systems 21 1 .
    [Show full text]
  • Physical Access Control Systems (PACS) Customer Ordering Guide
    Physical Access Control Systems (PACS) Customer Ordering Guide Revised January 2017 1 Physical Access Control Systems (PACS) Customer Ordering Guide Table of Contents Purpose ...................................................................................................................3 Background .............................................................................................................3 Recent Policy Announcements ...............................................................................4 What is PACS? .......................................................................................................5 As an end-user agency, where do I start and what steps are involved? ................. 7 Where do I purchase PACS Solutions from GSA? ..............................................10 How do I purchase a PACS Solution using GSA eBuy? .....................................11 Frequently Asked Questions (FAQs) ...................................................................12 GSA Points of Contact for PACS .........................................................................15 Reference Documents ...........................................................................................16 Sample Statement of Work (SOW) ......................................................................18 2 Physical Access Control Systems (PACS) Customer Ordering Guide Purpose The purpose of this document is to create a comprehensive ordering guide that assists ordering agencies, particularly contracting officers, to
    [Show full text]
  • Implications for Serving Students with Emotional and Behavior Disorders Michael Fitzpatrick and Earle Knowlton
    Table of Contents JAASEP Editorial Board of Reviewers Faculty Epistemological Beliefs as a Mediator to Attitudes Toward Persons with Disabilities Lucy Barnard, Tara Stevens, Kamau O. Siwatu, & William Y. Lan Relationship Between Service Coordinator Practices and Early Intervention Services Mary Beth Bruder and Carl J. Dunst Individualized Interventions: When Teachers Resist Sharla N. Fasko No Child Left Behind’s Implementation in Urban School Settings: Implications for Serving Students with Emotional and Behavior Disorders Michael Fitzpatrick and Earle Knowlton The Impact of High-Stakes Testing for Individuals with Disabilities: A Review Synthesis Richard Boon, Debbie Voltz, Carl Lawson, Sr.,and Michael Baskette Special Education Professionals and Assistive Technology: Requirements for Preparation in a Digital Age George R. Peterson-Karlan, Jack J. Hourcade, Howard P. Parette, and Brian W. Wojcik 2 Table of Contents | Journal of the American Academy of Special Education Professionals (JAASEP) Book Review - The Short Bus: A Journey Beyond Normal Richard L. Mehrenberg Author Guidelines for Submission to JAASEP Copyright and Reprint Rights of JAASEP Journal of the American Academy of Special Education Professionals (JAASEP) | Table of 3 Contents JAASEP Executive Editors Roger Pierangelo, Ph.D. George Giuliani, J.D., Psy.D. JAASEP Editorial Board Nicholas Agro, ESQ. Diana Basilice, Columbia University Graduate School-Masters Degree Candidate at Teachers College Columbia University in the School Psychology program Heather Bausano, Psy.D. Keri Chernichun, Psy.D. Robert Colucci, D.O. Jeffrey Froh, Psy.D. Anita Giuliani, M.S., S.A.S., S.D.A Christopher Kearney, M.S. Scott Markowitz, Esq. Lisa Morris, M.S. Tanya Spadaro, Ed.M. candidate at Teachers College Columbia University in the School Psychology program Danielle Warnke, M.S.
    [Show full text]