Card and Reader Overview

Gerald Smith

Sr. Consultant

ID Technology Partners

November 19, 2007

Agenda

- Characteristics of a TWIC™ Card
- Data Models Supported
- Identification / Authentication Methods
- Revocation Hot List
- Reader Specification Overview
- Biometric Interoperability

What a TWIC™ Looks Like

Front and Back views of a TWIC™

<FACIAL IMAGE>

TWIC™ is a Smart Card

- 64K of non-volatile memory
- Dual interfaces share memory
  o Contact interface (ISO/IEC 7816)
  o Contactless interface (ISO/IEC 14443)
- Physical security features
  o Tamper resistant
  o Color shifting inks
- Logical security features
  o Two encrypted fingerprint templates
  o Signed data
  o PKI certificates

<FACIAL IMAGE>

TWIC™ Application Data Models

PIV Application Data Model (SP 800-73.1)

Buffer Description | Access Rule | Contact / Contactless
Card Capability Container | Read Always | Contact
CHUID Buffer | Read Always | Contact & Contactless
PIV Authentication Certificate Buffer | Read Always | Contact
Fingerprint Buffer | PIN | Contact
Printed Information Buffer | PIN | Contact
Facial Image Buffer | PIN | Contact
Digital Signature Certificate Buffer | Read Always | Contact
Key Management Certificate Buffer | Read Always | Contact
Card Authentication Certificate Buffer | Read Always | Contact
Security Object Buffer | Read Always | Contact

TWIC™ Application Data Model

Buffer Description | Access Rule | Contact / Contactless
Unsigned CHUID Buffer | Read Always | Contact & Contactless
(Signed) CHUID Buffer | Read Always | Contact & Contactless
TWIC Privacy Key Buffer | Read Always | Contact (+Out of Band)
Fingerprint Buffer | Read Always | Contact & Contactless
Security Object Buffer | Read Always | Contact & Contactless

Shading broadly indicates: TWIC Differences from PIV / PIV Differences from TWIC

What is a CHUID?

Card Holder Unique Identifier
- 0x3000
- Always Read

Data Element (TLV) | Type | Max. Bytes
FASC-N (Compact Form) | Fixed | 25
Agency Code (if with Alpha characters) | Fixed | 4
Organization Identifier (if with Alpha characters) | Fixed | 4
GUID (IPv6 format or 0) | Fixed Numeric | 16
Expiration Date | Date (YYYYMMDD) | 8
Authentication Key Map (Optional) | Variable | 512
Issuer Asymmetric Signature | Variable | 2816
Error Detection Code | LRC | 0

What is a FASC-N within the CHUID?

FASC-N: Federal Agency Smart Credential Number

Field name | Length (BCD digits) | Field description
AGENCY CODE | 4 | Identifies the government agency issuing the credential
SYSTEM CODE | 4 | Identifies the system the card is enrolled in and is unique for each site
CREDENTIAL NUMBER | 6 | Encoded by the issuing agency. For a given system no duplicate numbers are active
CS | 1 | CREDENTIAL SERIES
ICI | 1 | INDIVIDUAL CREDENTIAL ISSUE
PI | 10 | PERSON IDENTIFIER
OC | 1 | ORGANIZATIONAL CATEGORY
OI | 4 | ORGANIZATIONAL IDENTIFIER
POA | 1 | PERSON/ORGANIZATION ASSOCIATION CATEGORY
SS | 1 | Start Sentinel. Leading character which is read first when card is swiped
FS | 1 | Field Separator
ES | 1 | End Sentinel
LRC | 1 | Longitudinal Redundancy Character
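Added example (not part of the presentation): an encoder and a strict decoder for the 25-byte compact FASC-N laid out in the table above, so a PACS can pull the credential identifier out of the CHUID for access and hot-list checks while rejecting data that fails parity, sentinel or LRC validation. The 5-bit character encoding, sentinel codes and LRC rule are taken from the federal 200-bit FASC-N format rather than from the slide, and the field values in SAMPLE are constructed.

```python
# Added example: encode and decode the 25-byte compact FASC-N carried in the CHUID.
# Assumed (not on the slide): 40 five-bit characters, 4 BCD bits LSB-first plus an
# odd-parity bit; fixed SS/FS/ES codes; LRC = XOR of the 39 nibbles that precede it.
from functools import reduce
from operator import xor
SS, FS, ES = 0b11010, 0b10110, 0b11111  # start, field and end sentinels
# Field order and BCD digit widths from the slide's table; True = followed by an FS.
LAYOUT = [("AGENCY_CODE", 4, True), ("SYSTEM_CODE", 4, True), ("CREDENTIAL_NUMBER", 6, True),
          ("CS", 1, True), ("ICI", 1, True), ("PI", 10, False), ("OC", 1, False),
          ("OI", 4, False), ("POA", 1, False)]
SAMPLE = {"AGENCY_CODE": "0099", "SYSTEM_CODE": "0001", "CREDENTIAL_NUMBER": "000123",
          "CS": "1", "ICI": "1", "PI": "0000000042", "OC": "1", "OI": "0000", "POA": "1"}  # constructed

def _char(nibble):  # 4 data bits LSB first, then an odd-parity bit
    bits = [(nibble >> i) & 1 for i in range(4)]
    return int("".join(map(str, bits + [1 - sum(bits) % 2])), 2)

def _nibble(ch):  # inverse of _char; rejects a character with even parity
    bits = [(ch >> (4 - i)) & 1 for i in range(5)]
    if sum(bits) % 2 == 0:
        raise ValueError(f"parity error in character {ch:05b}")
    return sum(b << i for i, b in enumerate(bits[:4]))

def encode_fascn(fields):
    chars = [SS]
    for name, width, sep in LAYOUT:
        if len(fields[name]) != width or not fields[name].isdigit():
            raise ValueError(f"{name} must be {width} decimal digits")
        chars += [_char(int(d)) for d in fields[name]] + ([FS] if sep else [])
    chars.append(ES)
    chars.append(_char(reduce(xor, map(_nibble, chars))))  # LRC closes the stream
    return sum(c << 5 * (39 - i) for i, c in enumerate(chars)).to_bytes(25, "big")

def decode_fascn(raw):  # raises ValueError on any malformed input
    if len(raw) != 25:
        raise ValueError("compact FASC-N must be exactly 25 bytes")
    stream = int.from_bytes(raw, "big")
    chars = [(stream >> 5 * (39 - i)) & 0x1F for i in range(40)]
    if chars[0] != SS or chars[38] != ES or reduce(xor, map(_nibble, chars[:39])) != _nibble(chars[39]):
        raise ValueError("bad sentinel or LRC")
    fields, pos = {}, 1
    for name, width, sep in LAYOUT:
        digits = [_nibble(c) for c in chars[pos:pos + width]]
        if max(digits) > 9:
            raise ValueError(f"non-BCD digit in {name}")
        if sep and chars[pos + width] != FS:
            raise ValueError(f"missing field separator after {name}")
        fields[name] = "".join(map(str, digits))
        pos += width + sep  # also skip the FS when this field has one
    return fields
```

A single flipped bit anywhere in the 200 bits breaks the odd parity of its character, so the decoder refuses the record before any field is trusted.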

Identification / Authentication Methods

- Visual Check: Perform a visual inspection of the TWIC™ and verify the presence of security features and the expiration date, and visually compare the photo on the card to the individual presenting the card
- CHUID Check: Verify the CHUID is granted access in the PACS and / or verify the digital signature of the CHUID and verify the CHUID is not on the Hot list
- Biometric Check: Authenticate the individual by performing a 1:1 fingerprint biometric match against the fingerprint template stored in the TWIC™
- PIN Verification: Require the cardholder to enter the correct PIN that is stored in the TWIC™
- Digital Photo Check: Visually compare the photo stored in the TWIC™ with the individual presenting the card
- Card Authentication: Verify the card is authentic and not cloned by performing a private key operation

Authentication types using a TWIC™

Authentication Type | Contact / Contactless

Biometric and PIN Authentication
  PIN + Biometric | Contact Only

Biometric Authentication
  CHUID + Card Authentication + Biometric / Card | Both
  CHUID + Biometric / Card | Both
  CHUID + Biometric / System | Both

Dual Factor Authentication
  CHUID + Card Authentication + PIN + Digital Photo | Contact Only
  CHUID + Card Authentication + PIN | Contact Only
  Flash Pass + CHUID + Digital Signature | Both
  Flash Pass + CHUID + Card Authentication | Both

Single Factor Authentication
  CHUID + Digital Signature | Both
  CHUID + Card Authentication | Both
  Flash Pass w/ Human | N/A
  CHUID | Both

Credential Revocation Hot List

- Available now on the pre-Enrollment website
  o Publicly available for reading
- Simple format compatible with many PACS
  o Small record contains the revoked credential number and date of revocation
  o Reason for revocation not stated in the record
- Each revoked credential stays on the list until the original credential expiration date has passed
- The hot list is updated daily

Reader Specification Overview

- TSA published the TWIC™ reader "working" specification September 11, 2007
- Three reader types defined
  o Fixed mount for outdoor use
  o Fixed mount for indoor use
  o Handheld for mobile use
- May operate as standalone or network attached
  o Network attached readers should support 2-way communications
    * Allows for upload of TWIC™ Privacy Key from server
- Outdoor reader specified to meet diverse environmental conditions
  o Operating temperature range: -20ºC to +70ºC
  o Operating condensing humidity range: 5% to 100%
- Transaction time of 3 seconds (or less)
  o As measured from presentation of contactless card to completion of biometric match
- Biometric matching equal error rate of 1% or less
- Biometric sensor should provide "liveness" detection

Reader Specification and the TPK Concept

- The TWIC™ Privacy Key (TPK) Concept
  o Biometric data is encrypted on the card using this symmetrical key
  o TPK enables confidentiality of biometric data over the contactless interface
  o Contactless transfer of biometric data allowed without PIN verification
- TPK and Contactless communications
  o Inspired by the ICAO ePassport cryptographic solution for confidentiality
  o TPK is a diversified key unique to each card
  o TPK is a data object in the TWIC™ Data Model
  o TPK is used as a "public" key that is obtained "out of band" from the data
  o The TPK solution obviates the need for shared key management
- TPK accessible from either the magnetic stripe or Contact interface
  o May be stored in each local access control system server to eliminate the need for reading the magnetic swipe (or performing a contact read) on each use

Biometric Interoperability

"It should be noted that biometric interoperability is defined as the ability of a biometric reader to perform a match from a presented biometric with the ANSI/INCITS 378 formatted enrolled templates provided on the TWIC card by the TSA. Such templates shall be in compliance with NIST Special Publication 800-76-1 INCITS 378 profile for PIV Card templates."

Source: Section 8 of the TWIC™ Reader Hardware and Card Application Specification (11 Sep 2007)

NOTE: The reader specification requires compliance to SP 800-76-1. Section 7.3 of 800-76-1 requires NIST certification of template matchers.

Source: SP 800-76-1 Section 7.3 Test Overview

Contact Details:

Email: GSmith@idtp.com