Recently in Authentication Category

From SecureIDNews

Pilots concluding but final access control policies still more than a year out

John Schwartz, program manager for the Transportation Worker Identification Credential (TWIC), was going to begin an update on the program with the words "eight years ago," but then thought better of it. It has been that long since Congress mandated that the Transportation Security Administration (TSA) create a credential for secure access to ports, and the agency is still working on the rollout.

It will most likely be 2012 before there are widespread readers electronically verifying the credentials, Schwartz said during a presentation at the Interagency Advisory Board meeting in September. But while critics dismiss the credential as an expensive flash pass, progress has been made toward wide-scale electronic verification at ports.

The TSA reports that at 135 enrollment centers across the country, 1.7 million workers have been enrolled and of those 1.6 million have activated their ID.

Schwartz and his team are working on a congressionally mandated reader test that will lead to the final rule for reading the TWIC. His team has done testing in the lab, in the field without looking at the impact on a port's business processes, and finally in the field while considering the impact on business.

Through lab testing the TSA approved 28 readers and associated systems, Schwartz says. The lab tests looked at reader performance in different environmental conditions, extreme hot and cold temperatures, water and humidity, as well as durability tests.

The 28 approved readers include two alternative biometric systems. If a port can show a chain of trust in enrolling a worker in the local physical access control system, it is acceptable to use an alternative biometric, such as iris, to access the facility.

TWIC follows the FIPS 201 specification but diverges in how it uses biometric and contactless technologies. In order to access the biometric on a TWIC, a cardholder must first be enrolled in the local physical access control system. That means the TWIC privacy key, which is stored on the card's magnetic stripe and chip, must be registered in the local physical access control system before the biometric can be read over the contactless interface.

This is different from other PIV credentials, where the biometric is accessed only via the card's contact interface. TWIC modified the FIPS 201 spec for its use because port operators demand high throughput, and PIN-protected contact interface reads were deemed too time-intensive.

For the field-testing, Congress instructed that the readers be used in at least five distinct geographic locations to test the business processes, technology and operational impacts.

The sites selected for the tests needed to be from a broad spectrum of operations and climates, Schwartz says. The final report on the testing was due in April but implementing specifications and identifying volunteer ports delayed the project.

The TSA received $8.1 million to provide independent testing, data collection and analysis, Schwartz says. Port, terminal and vessel operators received $23 million in security grants, with $15 million for the pilot and the remainder held in reserve for future reader deployments.

While $15 million may sound like a lot of money to spend on readers, it wasn't spent just on that technology, Schwartz explains. Cabling, updating infrastructure and deploying physical access control systems had to be done in many instances for the system to work.

The tests have already generated some important lessons, Schwartz says. There have been challenges integrating the TWIC readers into different physical access control systems.

The messaging from the readers needs to be standardized and made visible in all environments, Schwartz says. He cites the example of a card rejected by a reader without an adequate error message. "If the card gets an error, the guard would tell the worker they need a new one when it may not have been registered in the PACS or something more minor," Schwartz says.

There have also been issues with creating a standard for the information processing. The TSA has determined that the steps of authenticating the card, checking its registration in the physical access control system and checking the hot list all need to be performed in the same order.

The read range of the contactless readers has been problematic too, Schwartz says. Ports that used proximity cards previously are reeducating workers that the card may need to be held closer to the reader than with the prior technology. The cards, which come with plastic sleeves, also have to be removed from the sleeve to be read in some instances.

Educating cardholders on how to take care of the credential has been a learning experience, he says. Some truck drivers will hang the credential from the rearview mirror in the sun, and this can damage the chip and antenna.

Explaining the hot list, or revocation list, has been problematic too, Schwartz says. A worker loses the card and calls the number to report it lost, at which point it is placed on the revocation list. If the worker finds the card a day or two later and tries to use it, it is flagged and port security is alerted.

Other problems have included general installation issues, including electrical power fluctuations, physical reader placements that are too high, too low or too far from the worker, and slow turnstile and gate mechanism responses.

The TSA is planning to deliver a report with the test findings to Congress in 2011, Schwartz says. After that the U.S. Coast Guard, which is responsible for enforcing TWIC, will make a rule for ports and port operators to follow. That will most likely not be until 2012.

Because of the delay in the final rule most port operators are opting to wait before deploying TWIC reading systems, says Walter Hamilton, senior consultant at ID Technology Partners. Port operators could deploy the systems now but are afraid they will have to retrofit or tear out technology depending on the rule.

But some reader manufacturers have given guarantees that if port operators opt for the maintenance package, the vendor will guarantee compatibility with the final rule, Hamilton says. "It gives the maritime operators some level of comfort," he says.

The TSA is looking to solve some other logistics issues as well, Schwartz says. Enrollment and card activation services for remote locations can be a hardship for some areas. Workers have to show up once to apply for the credential with all the appropriate documentation and then show up again a few days later to receive and activate the card.

This has been problematic in areas where the enrollment center is far from the port or the port worker's home, he explains. Congress has questioned the TSA on this, asking if the credential can be mailed, but the FIPS 201 standard doesn't allow the ID to be mailed. TSA is looking at other alternatives to solve this problem.

The durability of the credential has been another problem, Schwartz says. The card is tested before leaving the central production facility and before leaving the activation center, but there have been problems with card failures in the field.

Without the presence of a TWIC team member with card analysis tools, it has been difficult to determine whether the problem is with the card, the reader or the access control system at the facility.

The TSA is considering a move from a 72K chip to a 144K chip, Schwartz says. Before the change is made official, however, they are verifying that no other system changes will be necessary and that there will be little or no impact on production and reader equipment.

The TWIC road has been a long and arduous one, ultimately taking more than a decade from mandate through roll out to electronic verification of the credential. But one day soon U.S. ports may have the increased security originally envisioned by TWIC initiators.

New driver license legislation proposed

Some believe that new proposed driver license legislation would help states better secure IDs while also protecting citizen privacy. Others say it "guts" an existing law and takes states back to pre-9/11 identity vetting for IDs.

Debate on whether it increases or decreases security


A hearing was held in the U.S. Senate Committee on Homeland Security and Governmental Affairs on the proposed bill, the Providing Additional Security in States' Identification (PASS) Act of 2009. Testimony revealed very different takes on the bill, which would essentially roll back REAL ID. It's not clear how the proposed change would affect states already complying with REAL ID and rolling out new documents. Even with this new bill looming, some states are still moving ahead to comply with REAL ID.

"The major problem with REAL ID is that it is producing very little progress in terms of securing driver's licenses, and it is not getting us to where we need to be," said Janet Napolitano, secretary of the U.S. Department of Homeland Security. "Simply put, REAL ID is unrealistic."

Citing the estimated price tag of almost $4 billion for states to switch to REAL ID and unfeasible deadlines, Napolitano offers up PASS as an alternative. Napolitano, when she was governor of Arizona, had signed a law against REAL ID.

"PASS ID is a critical piece of national security legislation that will fix the REAL ID Act of 2005 and institute strong security standards for government-issued identification," she said. "PASS ID will fulfill a key recommendation of the 9/11 Commission, that the federal government set standards for identification such as driver's licenses and non-driver identification cards, and this bill will do so in a way that states will implement, rather than disregard. PASS ID will enact the same strong security standards set out by REAL ID as quickly as REAL ID but, critically, this bill provides a workable way to get there."

Napolitano said that PASS ID keeps document verification and authentication of source documents, advocates the physical security of ID production, requires that photos of applicants be taken and still has the requirement to show compliant IDs. "All in all, PASS ID would match the security provided in REAL ID, while providing the states with more flexibility to innovate and meet the standards," she said.

How does it differ from REAL ID?

The major difference is that PASS ID gives states different options to meet the criteria. "While REAL ID mandates electronic verification for all source document information, PASS ID would maintain a focus on ensuring the authenticity of identity source documents that applicants present, allowing states to adopt cost-effective ways to achieve or exceed that threshold," Napolitano said.

Since states would be able to choose how to verify identity there would be some cost savings, Napolitano said. The bill would also codify state grants for driver licenses and speed up implementation.

"States would have one year after the issuance of final DHS regulations to begin issuing compliant documents, and would have five years from that date to enroll driver's license holders as they see fit," she said. "The REAL ID deadline for completing issuance of compliant driver's licenses is December 2017. If Congress enacts the PASS ID Act as it is currently written by October 2009, states could complete enrollment by July 2016, a full one year and five months ahead of the REAL ID timetable."

PASS ID potentially rolls back one key requirement of REAL ID: checking other states to see if an individual has multiple licenses. Napolitano and others say this was cause for privacy concerns. "PASS ID would not require states to provide direct access to each other's driver's license databases; in fact, the bill contains protections against creating any national identity database containing all driver's license information and requires states to adopt adequate procedures to prevent unauthorized access to or sharing of personally identifiable information," she said.

Read the rest of the story and how opponents see PASS ID as a weak substitute for REAL ID.


More than 100 million electronic passports have been issued in the two-plus years since governments initiated production of the new travel credentials. The U.S. State Department alone has issued almost 15 million of the contactless documents.

But while there are many e-passports in circulation, the inspection systems used to read them have not been widely deployed at border crossings. Putting these systems in place without adversely impacting wait times will be the next challenge for countries.

European Union countries have that obstacle and another to clear as well: extended access control (EAC). Since EU countries are storing fingerprint images on e-passports, they are using the more advanced security of EAC, a public key infrastructure scheme that secures the biometric data. EU countries are supposed to start issuing passports with EAC by next June.

Even the U.S., the initiator of the move to e-passports after the terrorist attacks of Sept. 11, hasn't deployed many inspection systems. The U.S. Department of Homeland Security's Customs and Border Protection (CBP) has requested funding for 5,000 e-passport readers to deploy at 372 air, sea and land border entry points, said Warren Burr, director of the fraudulent document analysis unit at Customs and Border Protection. The new readers would replace the current devices, which just read the machine-readable zone on the passport.

But so far only 500 of the readers have been purchased, and fewer than half of those, just 247, have been installed, Burr said. The concern is that using the new scanners will adversely impact wait times.

The readers in the field are at the 33 U.S. international airports, which cover 97% of visa waiver country travelers entering the country, Burr says. CBP is analyzing how to deploy e-passport readers to all border entries and assessing how it will impact wait times. Burr made these comments at the Future of Secure Document 2008 conference in Chicago.

There are concerns around how long it will take to process travelers with the e-passports. With the older documents, customs officials would swipe the machine-readable zone, check a few other items in the book and ask the traveler some questions.

E-passports require a little bit of extra finesse, says R. Michael Holly, director of international affairs for passports with the U.S. State Department. "They need to get the inspectors prepared and familiar with how to deal with the new documents," he says. "They have to deploy full page scanners and you need to let them sit awhile so the data can be accessed."

The State Department is working on getting sample e-passports to border officials so they can test the systems and train officers, Holly says. When the U.S. introduced e-passports, it also changed some of the physical security features in the book, and officers need to be able to spot the different features.

Already, use of the new documents is rising rapidly. Between Oct. 1 and Dec. 31, 2006, Customs and Border Protection scanned 165,921 electronic passports, Burr said. In all of 2007, 1.4 million were checked, and in the first half of 2008 CBP officers had scanned more than 1 million e-passports.

Inspection challenges trump issuance challenges

But the challenge of deploying these inspection systems is what most countries are facing. The change was evident in September at the E-Passport EAC Conformity and Interoperability Tests in Prague, says Mike Bond, security director at Cryptomathic. "The guys from the inspection side outnumbered the guys on the issuing side," he said. "Their money has been spent and the project is done; now it's time for the border control guys to come in."

The European border control officials have quite the task in front of them. Extended access control is a PKI scheme that secures biometric data on e-passports. EU countries decided to store fingerprint and iris biometrics on the passports as well as the photo and other data. This biometric information is stored as images, not templates, so countries want to take extra steps to make sure the data is protected.

In order to view the biometric on the passport and match it with the traveler, the inspecting country will have to hold the proper PKI certificate so the data can be unlocked. Vendors and border officials are still trying to figure out how these certificates will be exchanged and read while also making sure that systems from different vendors are interoperable.

While EU countries have to start issuing e-passports with EAC by next June there is no deadline to actually read the biometric data from the passports, Bond says. "With regards to inspecting we're 18 months away from starting pilots. The UK was talking about initial inspection by the end of 2009, scanning the full biometrics of some people, but only about 1% of travelers, and moving to 30% by 2016."

There are numerous reasons for the seemingly long timeline. First and foremost, governments don't know how it will work. This was a reason for the Prague conference in September.

The purpose of the test was to enable European countries to verify the conformity of e-passports using EAC and fingerprint biometric data. A related target was verification of the cross interoperability of different EAC inspection systems and e-passports. In addition, countries attempted to verify interoperability of EAC PKI infrastructure for national border inspection systems, including official exchange of EAC certificates.

The tests went well, but were not without issues. "Overall results are that not all passports worked with all readers," says Neville Pattinson, director of government affairs and marketing, identity and security at Gemalto.

Four of the countries participated in a test that put in place a fully-operational PKI infrastructure, says Tim Moses, director of advanced security technology at Entrust, one of the participants. Entrust is supplying the PKI infrastructure to the UK and Slovenia.

Considering it was the first time the infrastructure was checked, the test was pretty successful, Moses says. "There were a few minor issues on the certificate exchange but we resolved them." Full results from the conference are not expected until December and another test will be scheduled before the June 2009 deadline.

Moses emphasized that countries are going to have to work to make sure EAC is done properly. "The EAC environment requires a lot of interaction among countries," he says. "The PKI system must be built to manage the trust; it's not just a set of tools."

Added security likely to add further delays at inspection points

One of the larger issues with EAC is the time it's going to take to process travelers. Pattinson says it can take anywhere from two to 15 seconds for the information to be transmitted.

Cryptomathic has released a new product it claims will accelerate the speed of inspecting electronic passports by a factor of four. The product uses a different type of caching mechanism, a storage area that holds an encrypted version of the e-passport biometric data.

When the e-passport has its initial contact with the border control station, the biometric data is transferred from the chip into the inspection system, and at the same time a unique key, used to encrypt the stored data, is calculated from the e-passport chip.

The storage key is then deleted from the memory of the border control system to make it impossible to retrieve the stored data. In order to recreate the decryption key for the record and view the biometric data, the original e-passport document must be connected to the inspection system.
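The caching scheme described above, as an added illustration that is not Cryptomathic's code or any real inspection system: the biometric record is encrypted under a key derived from chip material, the key is wiped, and the record can only be opened when the same chip is presented again. The article does not say what chip value the product derives its key from, so chipSecret, the HMAC derivation and the document-number binding are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// CachedRecord is all the border system keeps: nonce and ciphertext, never the key.
type CachedRecord struct {
	Nonce, Ciphertext []byte
}

// newAEAD derives a 256-bit AES-GCM key from chip material and wipes the key bytes
// once the cipher is built. ASSUMPTION: the article only says a key is "calculated
// from the chip"; chipSecret stands in for whatever chip-bound value is really used.
func newAEAD(chipSecret []byte, docNumber string) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, chipSecret)
	mac.Write([]byte("epassport-cache-v1|" + docNumber))
	key := mac.Sum(nil)
	block, err := aes.NewCipher(key)
	for i := range key { // wipe the derived key right away
		key[i] = 0
	}
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// storeBiometric encrypts the image at first contact, bound to the document number as AAD.
func storeBiometric(chipSecret []byte, docNumber string, biometric []byte) (CachedRecord, error) {
	aead, err := newAEAD(chipSecret, docNumber)
	if err != nil {
		return CachedRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CachedRecord{}, err
	}
	ct := aead.Seal(nil, nonce, biometric, []byte(docNumber))
	return CachedRecord{Nonce: nonce, Ciphertext: ct}, nil
}

// retrieveBiometric succeeds only when the same chip is presented again;
// a different chip or a tampered record fails GCM authentication.
func retrieveBiometric(rec CachedRecord, chipSecret []byte, docNumber string) ([]byte, error) {
	aead, err := newAEAD(chipSecret, docNumber)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(docNumber))
}
func main() {
	// Constructed sample values; a real system reads these from the chip.
	chip, doc := []byte("chip-bound-secret-of-passport-X"), "X12345678"
	rec, _ := storeBiometric(chip, doc, []byte("fingerprint-image-bytes"))
	_, err := retrieveBiometric(rec, []byte("other-chip"), doc)
	pt, _ := retrieveBiometric(rec, chip, doc)
	fmt.Println("other chip rejected:", err != nil, "| same chip recovers:", string(pt))
}
```

Note that Go cannot scrub the expanded key schedule inside the AEAD object; the example only guarantees the derived key slice is wiped, and the cipher object itself goes out of scope with the function that built it.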

Long lines at border control points are the fear when countries start deploying inspection technologies for e-passports, Bond says. He saw one presentation at the Prague conference that said wait times at some busy airports during peak times could be as long as 90 minutes.

And some countries are making the problem worse because they're not standardizing the biometric, Bond says. For example, most EU countries are storing the index fingerprint images on the passport, regardless of the quality of those fingerprints. But Germany is taking the two best quality fingerprints from passport applicants; it may be the index, but it also may be the thumbs.

This may lead to slowdowns at border crossings. German travelers won't remember which fingerprint image is stored in the book, or a border control agent may ask for the index finger when he needs the thumb. "When the delays start to happen they'll either pull the plug or soldier on," Bond says. He expects a few false starts. Countries will roll out systems and then roll them back and reconfigure as problems arise.

One solution that could potentially alleviate wait times is self-serve kiosks, says Gemalto's Pattinson. (See Global Entry story) "The consequence of EAC is more automated kiosks for border control," he says. "Have the document authenticated by the kiosk instead of manual inspection."

While the focus shifts from issuing e-passports to inspecting them, lines at international border checkpoints may be interesting over the next couple of years as travelers and officials get used to the new documents.