Presentation Title Slide DO NOT RESIZE OPACITY – Enabling ... · Issuance, physical and logical...

OPACITY – Enabling PIV for Mass Transit

Nick Stoner – Director, Professional Services Americas February 7, 2014

Optional photo placement DO NOT RESIZE Right Click: Change Picture Delete if undesired.

Presentation Title Slide

An ASSA ABLOY Group brand © 2014 HID Global Corporation/ASSA ABLOY AB. All rights reserved. Contents are confidential and proprietary and not intended for external distribution.

DO NOT place slide content below this dotted line.

All slide content should go below this dotted line. DO NOT use clip art.

Slide Title Format •  Two lines max. •  Font: Arial Bold •  Size: 24 points •  Before/After ¶ Space: 0

Body Text Format •  Font: Arial Regular •  Size: 18 points •  Line Spacing for basic body

style: 24 points

NOTE: Body, Bulleted, Table, and Graph text size may vary depending upon the amount of text on the slide, e.g., reduce font size if there is a large amount of text.

0/83/155

sRGB Color Palette Values

0/45/86

248/152/29

0/113/97

97/17/106

139/141/9

211/18/69

255/255/255

176/183/188

176/203/234

Chart Accent Colors

Chart Neutral Colors

(For charts, use colors in order of appearance.)

Title Color

0/83/155

Body Text Colors

0/20/55

2 An ASSA ABLOY Group brand © 2014 HID Global Corporation/ASSA ABLOY AB. All rights reserved. Contents are confidential and proprietary and not intended for external distribution.

HSPD-12: “The mandate” §  NIST authored and published FIPS 201 in 02/2005. It addresses the US HSPD-12

presidential directive and therefore provide requirements for the business process to deploy smart cards for US federal government employees & contractors including: Issuance, physical and logical card layout, security level, and usage.

§  The primary objective of HSPD-12 is the development and deployment of Federal government-wide and reliable identification verification system that will be interoperable among all government agencies and serve as the basis for reciprocity among those agencies. The intend is to enhance security, efficiency, reduce identity fraud and protect personal privacy. FIPS 201: “Implementation for greater security and interoperability”

§  Provide guidance for implementing HSPD-12 requirements. §  Such interoperability allows Federal agencies to choose between different ID cards,

terminals, readers and card middleware providers, biometric authentication system… §  Require the use of a smart card for heightened security. §  Defines the standard for Personal Identity Verification (PIV) cards. Series of special

publication including NIST-SP 800-73, i.e. the PIV smart card interface specification & the PIV client application API.

§  SP 800-73 defines interoperability between PIV cards, the terminal/reader and the middleware for a number of physical and logical access use cases.

Highlights on HSPD-12 & FIPS 201





style: 24 points


0/83/155


0/45/86

248/152/29

0/113/97

97/17/106

139/141/9

211/18/69

255/255/255

176/183/188

176/203/234

Chart Accent Colors



Title Color

0/83/155

Body Text Colors

0/20/55

3 An ASSA ABLOY Group brand © 2014 HID Global Corporation/ASSA ABLOY AB. All rights reserved. Contents are confidential and proprietary and not intended for external distribution. 3

§  Centralized Security: –  Access Control Rule & Global

PIN management §  Generic Container (on-card buffers):

–  Employee ID –  Benefits –  External Benefits –  Healthcare Information –  Closed Payment - Food Service… –  PIV cardholder identity (facial, fingerprint)

§  PKI for Authentication (login), Signature/ Encryption/ Decryption (email), Backup Encryption key:

–  Four RSA Key Pairs/ X.509 Certificates

§  Other Areas: –  Data Confidentiality (Encryption) –  Plug-in support (new CAC applications) –  Multiple Global Platform Domains –  Securing the contactless interface => OPACITY

US DoD CAC Common Access Card is a multi-application dual-interface smart card for FIPS201 deployments

JAVACARD GLOBAL PLATFORM

CC EAL5+

Example of PIV card (the CAC)





style: 24 points


0/83/155


0/45/86

248/152/29

0/113/97

97/17/106

139/141/9

211/18/69

255/255/255

176/183/188

176/203/234

Chart Accent Colors



Title Color

0/83/155

Body Text Colors

0/20/55


Challenges in the Use of PIV Cards in Mass Transit

§  PIV was, and is, a large security investment §  Strong desire to leverage that investment to

gain as many usage benefits as possible §  Use of PIV cards in Mass Transit presents

challenges –  Speed

•  Must be a “wave and beep” experience •  Entire transaction must occur in less than

500 milliseconds –  Security

•  Must not be vulnerable to attack •  Must continue to utilize standards to

support product interoperability •  Must function on cards as well as secure

elements for mobile platforms





style: 24 points


0/83/155


0/45/86

248/152/29

0/113/97

97/17/106

139/141/9

211/18/69

255/255/255

176/183/188

176/203/234

Chart Accent Colors



Title Color

0/83/155

Body Text Colors

0/20/55


The OPACITY Protocol

§  OPACITY - Open Protocol for Access Control Identification and Ticketing with PrivacY

§  A series of authentication & key agreement protocols specially optimized for fast contactless transactions (for Physical Access Control Systems [PACS] or Mass Transit )

Designed to protect information over the air: §  2 Security Levels – FS and ZKM §  End to end secure channel protection for digital transactions (sensitive or privileged

information can now be exchanged over the air with assurance) §  Security enhanced solution such as forward secrecy and full privacy (No Identity

leak) §  Protection against anti-skimming & sniffing, man in the middle attacks

High performance: §  Provides good experience for user at the door/gate §  Optimized for performance (Elliptic curve, persistent binding, single command

execution)





style: 24 points


0/83/155


0/45/86

248/152/29

0/113/97

97/17/106

139/141/9

211/18/69

255/255/255

176/183/188

176/203/234

Chart Accent Colors



Title Color

0/83/155

Body Text Colors

0/20/55


The OPACITY Protocol (continued)

Designed for easy integration: §  Simple cryptographic key management and minimum infrastructure costs- with PKI

only solution. §  Easy integration (one command / one response to perform authentication) §  Standard-based incorporated in ANSI B10.10 (GICS: Generic Interface Command

Set)

Designed to be easily certified and last (>20/30 years): §  NSA Suite-B/SP800-57 Part1 for cryptographic stack, NIST 800-56A compliant for

Key agreement §  FIPS140-2 Security Level 2 compliant. Designed to reach L3 accreditation.

Registered as a Statutory Invention: §  A special type of patent, which protects the protocol but excludes royalties, has been

filed and protects the community using OPACITY from anyone trying to patent the protocol.





style: 24 points


0/83/155


0/45/86

248/152/29

0/113/97

97/17/106

139/141/9

211/18/69

255/255/255

176/183/188

176/203/234

Chart Accent Colors



Title Color

0/83/155

Body Text Colors

0/20/55

7 An ASSA ABLOY Group brand © 2014 HID Global Corporation/ASSA ABLOY AB. All rights reserved. Contents are confidential and proprietary and not intended for external distribution. 7

A few OPACITY Key Concepts: ZKM and SAMs

OPACITY supports two main modes: -  Full Secrecy (FS), that provides enhanced privacy protection and durable

confidentiality and very high level of Assurance, but require a static PKI credential stored and operated by the terminal.

-  Zero Key Management (ZKM or SMAv3) that does not require ANY secrets to be stored on a terminal.

FS implementation of OPACITY relies on a Secure Authentication Module (SAM)

applet. A SAM is a secure ICC or a smartcard device embedded into a Terminal, such as a Door Controller or now a smart phone.

The ZKM/SMAv3 protocol does not always require a SAM since it does not

require any static secrets to be operated on the Terminal. Instead it only requires the root Public Key of the CVC Digital Signatory to be protected by the Terminal (in contrast other protocols require MASTER keys and private keys to be distributed to ALL terminals)

Confidential © 2013 HID Global





style: 24 points


0/83/155


0/45/86

248/152/29

0/113/97

97/17/106

139/141/9

211/18/69

255/255/255

176/183/188

176/203/234

Chart Accent Colors



Title Color

0/83/155

Body Text Colors

0/20/55


OPACITY – Use Cases





style: 24 points


0/83/155


0/45/86

248/152/29

0/113/97

97/17/106

139/141/9

211/18/69

255/255/255

176/183/188

176/203/234

Chart Accent Colors



Title Color

0/83/155

Body Text Colors

0/20/55


Status of OPACITY §  Specification and Standardization

–  Incorporated in released version: ANSI 504-1 and also incorporated in FIPS 201-2 –  For inclusion in NIST SP800-73-4 (for PIV card) –  Compliant with the US NIST SP 800-56A protocol. –  Based on optimizations of NIST SP 800-56A compliant ECC-based authentication

protocols contributed by Actividentity to ISO 24727-3 in 2008. –  First protocol registered to ISO24727-6 (SAI Global - ISO registry)

§  Publication –  Published to SCA as industry contribution –  http://www.smartcardalliance.org/pages/smart-cards-contributions-opacity

§  Proven Solution –  Feasibility demonstrated through PoC implementation with support for different use

cases, including building access, signing e-mail on a PC, and signing e-mails on an Android phone, all leveraging contactless credentials

–  HID Global’s Windows 7 mini-driver available as part of the OPACITY PoC –  Also prototyped with PACS (physical access control readers) –  Communicated to a several PACS vendors for integration





style: 24 points


0/83/155


0/45/86

248/152/29

0/113/97

97/17/106

139/141/9

211/18/69

255/255/255

176/183/188

176/203/234

Chart Accent Colors



Title Color

0/83/155

Body Text Colors

0/20/55


Summary

§  OPACITY initially developed to support a use case other than payments

§  Focus was on enabling highly secure, PKI-based physical access

§  Adopted as part of FIPS 201-2, provides a unique opportunity for further identity convergence –  Logical Access (contact or contactless) –  Physical Access –  Secure Authentication for Transportation

§  Initial set of products supporting protocol are in pilot mode to ensure ability to meet DoD and other Government Agency expectations for all use cases





style: 24 points


0/83/155


0/45/86

248/152/29

0/113/97

97/17/106

139/141/9

211/18/69

255/255/255

176/183/188

176/203/234

Chart Accent Colors



Title Color

0/83/155

Body Text Colors

0/20/55


For Further Information on OPACITY

§  Further information on OPACITY, its uses, and a more detailed description of the protocol can be found at: http://www.smartcardalliance.org/pages/smart-cards-contributions-opacity

§  A reference implementation of OPACITY is also accessible under an Apache 2.0 license at: http://sourceforge.net/projects/opacity/


Photo content should go below this dotted line. DO NOT Change Image

12

0/83/155


0/45/86

248/152/29

0/113/97

97/17/106

139/141/9

211/18/69

255/255/255

176/183/188

176/203/234

Chart Accent Colors



Title Color

0/83/155

Body Text Colors

0/20/55

An ASSA ABLOY Group brand PROPRIETARY INFORMATION. © 2014 HID Global Corporation/ASSA ABLOY AB. All rights reserved. Contents are confidential and proprietary and not intended for external distribution.

Thank You Slide

Presentation Title Slide DO NOT RESIZE OPACITY – Enabling ... · Issuance, physical and logical...

Documents

Transcript of Presentation Title Slide DO NOT RESIZE OPACITY – Enabling ... · Issuance, physical and logical...