
10. Initiative 7: Modernize PACS Infrastructure

10.3. Physical Access Technical Implementation

10.3.2. Common Physical Access Scenarios

A primary focus of the PACS modernization implementation is the capability for agency PACS to electronically authenticate the PIV card in accordance with mechanisms specified in NIST SP 800-116. Using the PIV card for physical access offers an agency the opportunity to align with the ICAM segment architecture and realize the enhanced security benefits of the authentication mechanisms on the PIV card. For example, agencies can achieve a level of trust in the claimed identity of the person presenting the PIV card as a result of authentication and validation processes.

This section introduces each of the allowable PIV card authentication mechanisms for PACS, discusses where it is appropriate to use each, and outlines the benefits and limitations associated with each. An agency PACS cannot be considered PIV-enabled if it is not leveraging the authentication mechanisms contained in this section in accordance with the guidance in SP 800-116.67 Specifically, use of the PIV card with legacy technologies (e.g., proximity antennas, magnetic stripe, barcode, etc.) does not meet the intent of the ICAM target state and this guidance. As its PACS implementations mature, it is also recommended that an agency move towards the stronger authentication mechanisms, such as cryptographic authentication using the PIV Authentication Key (PKI) as described in section 10.3.2.3.

67 Per OMB M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,

Note: The ICAMSC Architecture Working Group is currently developing a supplemental guidance document, the Federated PACS document, which addresses additional technical content including variations of the PIV card authentication mechanisms, the potential security attacks associated with each, and additional recommendations for selecting between authentication mechanisms. It is anticipated that this section will be updated with further detail once that document has been published.

10.3.2.1. CHUID Authentication

The CHUID is a mandatory data object on the PIV card, which includes the Federal Agency Smart Credential Number (FASC-N) element that uniquely identifies the card. The CHUID is a free-read data object that is available on the contactless interface of the PIV card. Of the available PIV card authentication mechanisms, it is more closely aligned with legacy PACS operations, which read and compare a number from the card against the PACS user database. In the initial stages of an agency's PACS modernization effort, CHUID authentication is considered a viable approach based on its relatively easy incorporation into existing PACS systems and implementations; however, the CHUID is a weak one-factor authentication method and should only be used in the target end state for areas identified as having extremely low risk following a careful facility risk assessment.

Implementation Tip

Educate your users on proper PIV card storage and handling. Improper storage or handling can break the contactless interface on the card, preventing use of certain authentication mechanisms, such as the CHUID, in your PACS and driving up program costs for replacing damaged cards. Failing to properly store the PIV card in its electromagnetically opaque holder when not in use can also increase security risks for the skimming of card data.

The CHUID numbering scheme is standardized by FIPS 201 and can be counterfeited easily; however, modifications or alterations to a CHUID can be detected by validating the digital signature of the Issuing Agency across the CHUID object. As indicated in SP 800-116, all PACS access decisions are based on utilization of the complete FASC-N; therefore it is important that a PACS be able to read at least the full FASC-N data subset. The FASC-N represents a viable authentication mechanism for rapid access at high throughput access points due to the abbreviated read of the CHUID. Additionally, PACS that cannot read the full FASC-N lose uniqueness and risk data collisions. Based on the benefits and limitations listed in Figure 32 and the recommendations found in SP 800-116, agencies may choose to leverage CHUID authentication at access points separating two areas at the same impact level, either Controlled or Limited. Agencies may also use the CHUID authentication mechanism, when paired with a visual (VIS) authentication mechanism, at access points between Unrestricted and Controlled areas.68

Benefits:

• If the CHUID signature verification is performed, the PACS can be sure the CHUID came from a valid issuer and it has not been altered.

• The CHUID read presents the simplest implementation alternative when migrating from legacy PACS.

• In comparison with other mechanisms, the CHUID offers the smallest data read on the PIV card.

Limitations:

• The CHUID is a free read object on the PIV card; therefore it can be cloned.

• Because of the risk of CHUID counterfeiting or cloning, the CHUID authentication mechanism, used in isolation, provides a confidence level that is comparable to proximity cards in widespread use today.

• To achieve single-factor authentication with CHUID, the relying parties must validate the signature on the CHUID.

• Legacy technology cannot always accurately read the full CHUID, which can result in data collisions.

• The CHUID with signature validation authentication method can only be used to enter controlled areas.

• There is no standard for checking revocation status of a CHUID.

Figure 32: Benefits and Limitations of CHUID Authentication in PACS
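The CHUID checks described above (issuer signature over the object, a full FASC-N read, the expiration date, and a lookup against the PACS database), as an added worked example that is not part of the Roadmap and not any product's code. Everything in it is constructed: the CHUID is a flat TLV blob using the SP 800-73 tag numbers for FASC-N (0x30), Expiration Date (0x35, ASCII YYYYMMDD) and Issuer Signature (0x3E); the issuer signature is a toy textbook-RSA stand-in over SHA-256 so the flow runs offline, whereas a real CHUID carries a CMS signature chaining to a trusted CA; the FASC-N value and the enrolled cardholder are sample data.

```python
"""PACS-side CHUID validation (added example; constructed data and a toy issuer key)."""
import hashlib
from datetime import date, datetime

# Toy issuer key: small hard-coded primes, demonstration only, not a real PKI.
_P, _Q = 1000003, 1000033
ISSUER_N = _P * _Q
ISSUER_E = 65537
_ISSUER_D = pow(ISSUER_E, -1, (_P - 1) * (_Q - 1))

TAG_FASCN, TAG_EXPIRY, TAG_SIGNATURE = 0x30, 0x35, 0x3E  # SP 800-73 CHUID tags
FASCN_LEN = 25  # a full FASC-N is 25 bytes (200 bits)


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ISSUER_N


def issuer_sign(data: bytes) -> bytes:
    return pow(_digest(data), _ISSUER_D, ISSUER_N).to_bytes(8, "big")


def issuer_verify(data: bytes, sig: bytes) -> bool:
    return pow(int.from_bytes(sig, "big"), ISSUER_E, ISSUER_N) == _digest(data)


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


def parse_tlv(blob: bytes) -> dict:
    """Return {tag: (offset, value)}; reject truncated elements."""
    elems, pos = {}, 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated TLV header")
        tag, length = blob[pos], blob[pos + 1]
        value = blob[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        elems[tag] = (pos, value)
        pos += 2 + length
    return elems


def build_chuid(fascn: bytes, expiry: date) -> bytes:
    """Issuer-side helper (constructed): the signature covers every element before it."""
    body = tlv(TAG_FASCN, fascn) + tlv(TAG_EXPIRY, expiry.strftime("%Y%m%d").encode("ascii"))
    return body + tlv(TAG_SIGNATURE, issuer_sign(body))


def check_chuid(chuid: bytes, enrolled: dict, today: date) -> tuple:
    """PACS decision: signature, full FASC-N, expiration, enrollment lookup.

    The limitation the section states still holds: a bit-for-bit clone of a
    genuine CHUID passes every check here, and no revocation status is consulted.
    """
    try:
        elems = parse_tlv(chuid)
    except ValueError as exc:
        return False, f"malformed CHUID: {exc}"
    for tag in (TAG_FASCN, TAG_EXPIRY, TAG_SIGNATURE):
        if tag not in elems:
            return False, f"CHUID element 0x{tag:02X} missing"
    sig_pos, sig = elems[TAG_SIGNATURE]
    if not issuer_verify(chuid[:sig_pos], sig):
        return False, "issuer signature invalid: altered or counterfeit CHUID"
    _, fascn = elems[TAG_FASCN]
    if len(fascn) != FASCN_LEN:
        return False, "partial FASC-N read: the full FASC-N is required to avoid collisions"
    _, exp = elems[TAG_EXPIRY]
    try:
        expiry = datetime.strptime(exp.decode("ascii"), "%Y%m%d").date()
    except (UnicodeDecodeError, ValueError):
        return False, "unreadable expiration date"
    if today > expiry:
        return False, f"card expired on {expiry.isoformat()}"
    holder = enrolled.get(fascn)
    if holder is None:
        return False, "FASC-N not enrolled in the PACS database"
    return True, f"access granted to {holder}"


# Constructed sample data: one enrolled cardholder and two reference dates.
FASCN_ALICE = b"\xd4\xe7\x39\xda" + b"\x00" * 21
ENROLLED = {FASCN_ALICE: "cardholder-0001 (constructed)"}
CHUID_ALICE = build_chuid(FASCN_ALICE, date(2014, 12, 31))
TODAY = date(2013, 6, 1)
LATER = date(2015, 1, 1)

if __name__ == "__main__":
    print(check_chuid(CHUID_ALICE, ENROLLED, TODAY))
    tampered = bytearray(CHUID_ALICE)
    tampered[2] ^= 0xFF  # flip a FASC-N byte: the issuer signature no longer matches
    print(check_chuid(bytes(tampered), ENROLLED, TODAY))
```

The order of the checks matters for a reader on a door: the signature is verified before anything in the object is trusted, the length test rejects the abbreviated reads that cause collisions, and only then is the FASC-N used as a database key.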

10.3.2.2. CAK Authentication

Card Authentication Key (CAK) authentication involves verifying a claimed identity through validation of a digital certificate on the PIV card issued by a trusted CA.

The CAK method is characterized by the following:

• It may be used on either the contact or contactless interface, which is desirable in many PACS implementations;

• It does not require the entry of the PIN;

• It allows the PACS to determine the validity of certificates in real time or by pre-validating the certificates and storing the information in a cache;

• It leverages asymmetric key cryptography69 to perform certificate validation;

• It is an optional certificate, and may not be present on all agency cards, which could impact interoperability; and

• It provides single-factor authentication, and thus is appropriate only for access to controlled areas, unless used in combination with another authentication factor.

The CAK authentication of the PIV card represents a stronger alternative than standard CHUID-based authentication while meeting throughput expectations at facility access points. Furthermore, SP 800-116 recommends that the asymmetric CAK authentication mechanism be used instead of the CHUID authentication mechanism to the greatest extent practicable. Based on the benefits and limitations of CAK authentication, agencies may choose to implement this mechanism at access control points between Unrestricted and Controlled areas. When used in combination with attended biometric authentication, CAK authentication provides three-factor authentication and can be used at access control points between Limited and Exclusion areas.

Benefits:

• CAK provides a higher assurance mechanism while still retaining the contactless capability.

• Cached certificate validation can provide rapid authentication with an inherently stronger validation compared to a standard CHUID read.

• Real-time certificate validation can provide strong authentication as it only relies upon the refresh rate of the published CRL.

Limitations:

• Certificate validation technology can be marginally slower than a CHUID validation technology, dependent on product selection.

• Cached certificate results do not validate certificates in real time; certificate status is based on PACS server to CRL refresh and server to panel refresh timeframes.

• Real-time certificate validation technology can require a longer read time when compared to a standard CHUID or cached certificate read.

• Not a native capability of many existing and available PACS systems, resulting in additional implementation costs and challenges.

• The CAK authenticates the card, not the individual; therefore it provides only some assurance in the identity of the individual.

Figure 33: Benefits and Limitations of CAK Authentication in PACS

69 While outside of the scope of this discussion, NIST does permit the CAK on a specific card to be symmetric. Agencies should note, however, that this approach is based upon use of a shared secret and is not considered an acceptable approach for using the CAK validation mechanism in the ICAM target state due to security and interoperability concerns.

10.3.2.3. PKI Authentication

PKI authentication involves verifying a claimed identity through validation of a digital certificate on the PIV card issued by a trusted CA. For the PIV card, this may be accomplished using the PIV Authentication Key.

The PIV Authentication Key method is characterized by the following:

• It provides two-factor authentication, since the cardholder must enter a PIN to unlock the card in order to successfully authenticate;

• It is a mandatory credential on the PIV card, and thus will be available on PIV cards of visitors from other agencies;

• It is accessible over the contact interface;

• It requires the PACS to determine the validity of certificates when an individual presents his card to a card reader; and

• It may be used for authentication to areas up to and including exclusion areas.

The PKI validation of the PIV card represents a stronger alternative than standard CHUID-based authentication while meeting throughput expectations at facility access points. Based on the benefits and limitations of PKI authentication, agencies may choose to implement this mechanism at access control points between Limited and Exclusion areas.

Benefits:

• Cached certificate validation can provide rapid authentication with an inherently stronger validation compared to a standard CHUID read.

• Real-time certificate validation can provide strong authentication as it only relies upon the refresh rate of the published CRL.

Limitations:

• Certificate validation technology can be marginally slower than a CHUID validation technology, dependent on product selection; real-time certificate validation technology can require a longer read time when compared to a standard CHUID or cached certificate read.

• Cached certificate results do not validate certificates in real time; certificate status is based on PACS server to CRL refresh and server to panel refresh timeframes.

• Not a native capability of many existing and available PACS systems, resulting in additional implementation costs and challenges.

Figure 34: Benefits and Limitations of PKI Authentication in PACS
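Both Figure 33 (CAK) and Figure 34 (PKI) list the same limitation of cached certificate status: a revocation reaches the door panel only after the PACS server's next CRL pull and the next server-to-panel push. The simulation below, an added example that is not from the Roadmap or any PACS product, makes that exposure window concrete so an agency can size it against its refresh settings. The CA publication schedule, the PACS refresh intervals and the revoked serial are all constructed values.

```python
"""Revocation-status latency: cached versus real-time certificate validation
(added example; all schedules and serials are constructed)."""
import math
from typing import Dict, Set


class CrlPublisher:
    """Stand-in for the CA: a revocation becomes visible at the next CRL issue."""

    def __init__(self, publish_interval: int):
        self.publish_interval = publish_interval
        self._revoked_at: Dict[str, int] = {}

    def revoke(self, serial: str, at: int) -> None:
        self._revoked_at[serial] = at

    def published_as_of(self, t: int) -> Set[str]:
        return {
            serial for serial, at in self._revoked_at.items()
            if math.ceil(at / self.publish_interval) * self.publish_interval <= t
        }


class RealTimeChecker:
    """The reader asks for current published status on every presentation."""

    def __init__(self, crl: CrlPublisher):
        self.crl = crl

    def is_revoked(self, serial: str, now: int) -> bool:
        return serial in self.crl.published_as_of(now)

    def worst_case_latency(self) -> int:
        return self.crl.publish_interval  # bounded only by the CRL refresh rate


class CachedChecker:
    """The PACS server pulls the CRL every crl_refresh seconds; panels receive the
    server's view every panel_refresh seconds. Queries must be time-ordered."""

    def __init__(self, crl: CrlPublisher, crl_refresh: int, panel_refresh: int):
        self.crl, self.crl_refresh, self.panel_refresh = crl, crl_refresh, panel_refresh
        self._last_pull = self._last_push = 0
        self._server_view: Set[str] = set()
        self._panel_view: Set[str] = set()

    def _advance(self, now: int) -> None:
        """Apply every scheduled pull and push up to `now`, in time order."""
        while True:
            next_pull = self._last_pull + self.crl_refresh
            next_push = self._last_push + self.panel_refresh
            if min(next_pull, next_push) > now:
                return
            if next_pull <= next_push:  # pull first on a tie, so the push carries it
                self._last_pull = next_pull
                self._server_view = self.crl.published_as_of(next_pull)
            else:
                self._last_push = next_push
                self._panel_view = set(self._server_view)

    def is_revoked(self, serial: str, now: int) -> bool:
        self._advance(now)
        return serial in self._panel_view

    def worst_case_latency(self) -> int:
        # Revoked just after a CRL issue, published just after a pull, pulled just after a push.
        return self.crl.publish_interval + self.crl_refresh + self.panel_refresh


def first_detection(checker, serial: str, revoked_at: int, horizon: int):
    """Earliest second at or after revocation when the checker reports revoked, or None."""
    for t in range(revoked_at, horizon + 1):
        if checker.is_revoked(serial, t):
            return t
    return None


def demo() -> Dict[str, int]:
    """Constructed schedule: the CA issues a CRL hourly, the PACS server pulls it daily,
    panels are refreshed every ten minutes; one certificate is revoked at t=100 s."""
    results = {}
    for name, make in (("real_time", lambda c: RealTimeChecker(c)),
                       ("cached", lambda c: CachedChecker(c, 86_400, 600))):
        crl = CrlPublisher(publish_interval=3_600)
        crl.revoke("serial-0001", at=100)
        checker = make(crl)
        results[name] = first_detection(checker, "serial-0001", 100, 100_000)
        results[name + "_worst_case"] = checker.worst_case_latency()
    return results


if __name__ == "__main__":
    print(demo())
```

With these constructed intervals the real-time checker reports the revocation at the next hourly CRL issue, while the cached path does not report it until the daily pull a full day later; shortening the server's CRL pull interval is what closes most of that window, since the panel push is already short.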

10.3.2.4. Biometric Authentication

Biometric authentication verifies an individual's identity by comparing the reference biometric template on the PIV card with the sample biometric template provided at the time of the transaction. This verification exchange occurs off-card, in the reader or on a server. Every PIV card contains two fingerprint templates of the card holder in a standardized data format that is described in NIST SP 800-76. Because these templates are standardized, they provide interoperability across a federated system. As with several of the other objects on the card, the biometric on the PIV card is signed by the issuer. It is recommended that the PACS verify the digital signature on the biometric template data object to check the authenticity of the biometric. PACS readers that incorporate biometric technology, supporting software, and hardware logic are commercially available and utilized across multiple federal agencies. As a general premise, biometric access points provide a higher level of authentication at the expense of a reduction in throughput, as biometric authentication requires a contact interface with cardholder PIN input. Based on the benefits and limitations listed below, agencies may choose to leverage biometric authentication at access points between Controlled and Limited areas. When biometric authentication is performed in the presence of an attendant (BIO-A), it mitigates the risk that the user is presenting a fake card or fake or synthetic fingerprints that could falsely be accepted by the reader. For this reason, BIO-A may be used at access control points between Limited and Exclusion areas.

Benefits:

• The biometric on the PIV card is signed by the issuer, so the authenticity of the biometric can be validated by the PACS.

• Current biometric technology demonstrates low crossover error rates in NIST Minutia Exchange (MINEX) testing.

• The 1:1 biometric match represents the closest cardholder to PIV card validation possible.

• Provides mitigation against fraudulent authentication attempts with synthetic fingerprints when conducted in BIO-A mode.

Limitations:

• Biometric authentication cannot be used on the contactless interface.

• This authentication mechanism by itself does not include authentication of the PIV card.

• Slower transaction time due to requirement for use of contact interface and user PIN entry.

• Biometric readers may not be viable at external access points, where environmental conditions can cause rapid equipment deterioration.

Figure 35: Benefits and Limitations of Biometric Authentication in PACS

The FIPS 201 standard restricts access to the reference biometric fingerprint data stored on the PIV card to transactions on the contact interface following PIN entry. This requirement presents a challenge in physical access environments where use of the contactless interface is necessary to support high throughput requirements (i.e., the time required to enter the PIV card into a card reader and enter the PIN would create a bottleneck at the access point). In these scenarios, an agency may consider implementing an approach where the biometric template is read from the card the first time the card is used at the site, or alternatively in an earlier provisioning session, and retained in a site-based biometric system with a local database of biometric objects read from PIV cards.

This approach is viable because FIPS 201 does not restrict the length of time that an application may retain the biometric object from the PIV card; however, it is critical to note that the biometric object must be checked against the CHUID expiration date on the card, per SP 800-116. When a card is presented for biometric authentication, the CHUID is read from the card, and the FASC-N from the CHUID is used to look up the biometric object in the local database; the expiration date from the CHUID is then checked to make sure the biometric object is still valid. Following successful validation, the cardholder's live biometric sample is compared against the biometric object.
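The site-cached transaction just described (FASC-N lookup, CHUID expiration check, then the 1:1 comparison), as an added example that is not from the Roadmap or any PACS product. Its assumptions are constructed: a fingerprint template is a set of (x, y, angle) minutiae tuples and the matcher is a toy tolerance count rather than a MINEX-tested algorithm; the store is a plain dictionary; and verification of the issuer signature on the biometric object is taken to have been done at enrollment over the contact interface.

```python
"""Site-cached biometric authentication keyed by FASC-N (added example; constructed
templates and a toy matcher)."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional, Tuple

Minutia = Tuple[int, int, int]  # (x, y, angle in degrees)


@dataclass(frozen=True)
class CachedTemplate:
    minutiae: FrozenSet[Minutia]
    chuid_expiry: date  # expiration date read from the card's CHUID at enrollment


class SiteBiometricStore:
    """Local database of biometric objects read from PIV cards, keyed by FASC-N."""

    def __init__(self):
        self._by_fascn = {}

    def enroll(self, fascn: bytes, minutiae, chuid_expiry: date) -> None:
        # Done once, on the contact interface after PIN entry (FIPS 201 restriction),
        # after the issuer signature on the biometric object has been verified.
        self._by_fascn[fascn] = CachedTemplate(frozenset(minutiae), chuid_expiry)

    def lookup(self, fascn: bytes) -> Optional[CachedTemplate]:
        return self._by_fascn.get(fascn)

    def purge(self, fascn: bytes) -> None:
        self._by_fascn.pop(fascn, None)


def match_score(reference, live, tol: int = 2) -> float:
    """Toy 1:1 comparison: share of reference minutiae that have a live minutia
    within `tol` pixels at the same angle."""
    hits = 0
    for (x, y, a) in reference:
        if any(abs(x - lx) <= tol and abs(y - ly) <= tol and a == la for (lx, ly, la) in live):
            hits += 1
    return hits / len(reference) if reference else 0.0


def authenticate(store: SiteBiometricStore, fascn: bytes, chuid_expiry: date,
                 live_sample, today: date, threshold: float = 0.8) -> Tuple[bool, str]:
    """Contactless presentation: the CHUID (FASC-N and expiry) has already been read."""
    record = store.lookup(fascn)
    if record is None:
        return False, "no cached template: enroll via contact interface with PIN"
    # SP 800-116: the retained biometric object is valid only while the CHUID is unexpired.
    if today > chuid_expiry:
        store.purge(fascn)
        return False, f"CHUID expired {chuid_expiry.isoformat()}: cached template discarded"
    score = match_score(record.minutiae, live_sample)
    if score < threshold:
        return False, f"biometric mismatch (score {score:.2f})"
    return True, f"biometric match (score {score:.2f})"


# Constructed sample data: one enrolled cardholder, a genuine and an impostor sample.
FASCN_ALICE = b"\xd4\xe7\x39\xda" + b"\x00" * 21
EXPIRY_ALICE = date(2014, 12, 31)
TEMPLATE_ALICE = {(10, 20, 45), (30, 40, 90), (50, 60, 135), (70, 80, 180), (90, 100, 225)}
LIVE_ALICE = {(11, 21, 45), (29, 40, 90), (50, 61, 135), (71, 79, 180), (90, 100, 225)}
LIVE_IMPOSTOR = {(5, 5, 0), (60, 10, 90), (20, 90, 180), (80, 30, 270), (40, 70, 45)}
TODAY = date(2013, 6, 1)
LATER = date(2015, 1, 1)


def build_store() -> SiteBiometricStore:
    store = SiteBiometricStore()
    store.enroll(FASCN_ALICE, TEMPLATE_ALICE, EXPIRY_ALICE)  # first use or provisioning session
    return store


if __name__ == "__main__":
    store = build_store()
    print(authenticate(store, FASCN_ALICE, EXPIRY_ALICE, LIVE_ALICE, TODAY))
    print(authenticate(store, FASCN_ALICE, EXPIRY_ALICE, LIVE_IMPOSTOR, TODAY))
    print(authenticate(store, FASCN_ALICE, EXPIRY_ALICE, LIVE_ALICE, LATER))
```

Purging the cached object when the CHUID has expired keeps the local database from outliving the credential it was read from, which is the condition SP 800-116 attaches to retaining the template at all.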

Another potential challenge for using biometric authentication is environments where use of the fingerprint biometric modality is not feasible, such as instances where fingerprints are unavailable for a significant portion of the user population or environmental conditions at the access point do not allow for an acceptable fingerprint capture. In these cases, an agency may wish to implement an alternate biometric modality, such as iris. It is recommended that an agency only pursue this approach in the extremely rare case where authentication cannot be supported by another PIV authentication mechanism, as this approach incurs additional administration costs and effort to collect, manage, and protect additional biometric data. Because this approach requires locally-enrolled data to successfully complete the access transaction, it also significantly limits interoperability, which is a key objective of the ICAM segment architecture.

10.3.2.5. Multi-factor Authentication

As noted in the ICAM segment architecture, multi-factor authentication involves a combination of three distinct types of authentication factors: a) something you have, in this case, a PIV card, b) something you know, knowledge of the PIN to access protected areas of the PIV card, and c) something you are, cardholder fingerprint comparison with biometric data stored on the card. Several of the PIV card authentication mechanisms, including reading a signed object from the card or performing challenge/response authentication with the card, only provide validation of possession of the PIV card (i.e., something you have). Likewise, biometric authentication also only provides a single factor of authentication (i.e., something you are). Combining different variations of PIV card authentication provides an agency with the ability to overcome the drawbacks of single-factor authentication while meeting facility area authorization requirements. As defined in SP 800-116, two-factor authentication is specified for access to limited areas, and three-factor authentication is specified for access to exclusion areas. Multi-factor authentication mechanisms should be commonly leveraged in areas that require higher levels of access control. More information on possible permutations of multi-factor authentication mechanisms can be found in the ICAM Federated PACS Guidance.
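A factor-counting check for the rule this paragraph states, as an added example that is not from the Roadmap or the Federated PACS Guidance: distinct factor types are counted rather than mechanisms, with one factor for Controlled, two for Limited and three for Exclusion areas. The factors attributed to each mechanism follow this section; treating VIS (visual inspection of the card) as possession, and modelling PIN entry as an explicit flag so that a PIN-unlocked biometric read can count as "something you know", are assumptions made here.

```python
"""Distinct-factor counting for PIV multi-factor access decisions (added example)."""
from enum import Enum
from typing import Iterable, Set, Tuple


class Factor(Enum):
    HAVE = "something you have"
    KNOW = "something you know"
    ARE = "something you are"


# Factor each PIV mechanism contributes on its own, per the section.
MECHANISM_FACTORS = {
    "VIS": {Factor.HAVE},               # visual inspection of the card (assumption)
    "CHUID": {Factor.HAVE},             # signed object read: possession only
    "CAK": {Factor.HAVE},               # challenge/response: possession only
    "PKI": {Factor.HAVE, Factor.KNOW},  # PIV Authentication Key: card plus PIN
    "BIO": {Factor.ARE},                # fingerprint comparison
    "BIO-A": {Factor.ARE},              # attended fingerprint comparison
}

# Distinct factors required to enter each area type (SP 800-116, as cited in the section).
REQUIRED_FACTORS = {"Unrestricted": 0, "Controlled": 1, "Limited": 2, "Exclusion": 3}


def factors_presented(mechanisms: Iterable[str], pin_entered: bool = False) -> Set[Factor]:
    """Union of factor types: two possession-only mechanisms still count as one factor."""
    factors: Set[Factor] = set()
    for name in mechanisms:
        if name not in MECHANISM_FACTORS:
            raise ValueError(f"unknown PIV mechanism: {name}")
        factors |= MECHANISM_FACTORS[name]
    if pin_entered:
        # The PIN unlocks the card (needed to read the on-card biometric or to use
        # the PIV Authentication Key) and is the "something you know" factor.
        factors.add(Factor.KNOW)
    return factors


def authorize(destination: str, mechanisms: Iterable[str],
              pin_entered: bool = False) -> Tuple[bool, int]:
    """Return (allowed, factors_counted) for a transition into `destination`."""
    if destination not in REQUIRED_FACTORS:
        raise ValueError(f"unknown area type: {destination}")
    presented = factors_presented(mechanisms, pin_entered)
    return len(presented) >= REQUIRED_FACTORS[destination], len(presented)


if __name__ == "__main__":
    for dest, mechs, pin in [
        ("Controlled", ["CHUID", "VIS"], False),
        ("Limited", ["CHUID", "CAK"], False),   # two mechanisms, still one factor
        ("Limited", ["PKI"], True),
        ("Exclusion", ["PKI"], True),
        ("Exclusion", ["CAK", "BIO-A"], True),  # the section's three-factor combination
    ]:
        print(dest, mechs, authorize(dest, mechs, pin))
```

The case worth noticing is CHUID plus CAK: stacking two possession proofs is still single-factor and does not qualify for a Limited area, whereas CAK plus an attended, PIN-unlocked biometric reaches the three distinct factors the section requires for Exclusion areas.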