An ASSA ABLOY Group brandPROPRIETARY INFORMATION. © 2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved. Contents are confidential and proprietary and not intended for external distribution.
A case for secure ID Credentials
Case Study: US Department of Defense
Ian Lowe – Product Marketing – Solutions
May, 2013
Identity Assurance (formerly ActivIdentity)
*(2012 Juniper Research Report)
US Department of Defense – Quick Facts
• Geographically spread: 27 countries
• Many data centres, 1,000 locations
• Top 10 largest employer worldwide: 4.3 million employees

DMDC
• Established in 1974 to “collect and maintain accurately, readily available manpower and personnel data.”
• November 10, 1999: memo from Dr. John Hamre (Deputy Secretary of Defense) – directive to create a Common Access Card Program
• First 70 beta sites operational by mid 2001
• CAC v2 (GSC-IS 2.1) introduced in 2003
• Federal Information Processing Standard (FIPS) 201: US Government PIV program created (2/2005) in response to HSPD 12 (8/2004)
• Special Publication SP800-73 created (PIV Transitional card) (3/2006)
• HID delivered PIV End-Point support in September 2007
Mission: “Serve as a central source to identify and authenticate people in the Department of Defense.”
The History
• Laminated Photo ID for Identification, Facility Access and Entitlement
• Username and Passwords for access to military computers and networks
Challenge 1: From paper ID & passwords to smart card ID
• From: laminated IDs and weak passwords
• To: secure standardized multi-function ID
Solution: Standardised Credential
CAC is a multi-application dual-interface smart card for FIPS 201 deployments.
• Centralized security: access control rule & global PIN management
• Generic container (on-card buffers): employee ID, benefits, external benefits, healthcare information, PIV cardholder identity (facial, fingerprint)
• PKI for authentication (login), signature/encryption/decryption (email): four RSA key pairs / X.509 certificates
• Other areas: data confidentiality encryption – SMA secure messaging protocol; plug-in support (new CAC applications); multiple Global Platform domains
• Platform: JavaCard / Global Platform, CC EAL5+
Challenge 2: Infrastructure + issuance/management policies
Solution: HID Credential Management System, integrated with multiple DoD infrastructure components
[Architecture diagram] Components shown: HID ActivID Card Management System; ActivID Appliance (AAA or AS server); user LDAP; PKI CA; Hardware Security Module; database; HID ActivID Batch Management System; Identity Management System; PACS system; smart card printer; badging system / badging service bureau / mass badging.
Actors: employee (self service), operator, help desk.
Lifecycle events: issuance; update / post issuance; suspension / termination.
Credential uses: remote access; Windows and network login; digital signature; encryption; physical access.
Summary
• Today they issue, track and manage CAC plus several other missions.
• The PIV-based CAC is used by DoD armed services (Army, Air Force, Navy, Marines) and 25+ DoD agencies.
What Next? Smart phones/tablets and derived credentials
• Past (see The History above)
• Present: current CAC
• Future: identity on mobile, NFC mobile access, derived credentials
Keys and access credentials in your daily life, converged in your NFC-enabled smartphone and used to open cloud applications, data and doors.
HID Secure Access: Cloud, Data and Door
Summary
• Used by DoD armed services (Army, Air Force, Navy, Marines) and 25+ DoD agencies
• 30M+ cards deployed during life of the program
• 3.8M active CACs used every day
• Over 11,000 cards issued daily
• 600 issuance stations, 1,000 locations in 27 countries
Best Practices: Delivery and management of Secure Trusted Identity
• Solutions should adopt/use industry standards such as PIV, FIPS, Global Platform, NFC, etc.
• Use the FIPS 201 APL as a starting point for selecting compatible products: http://fips201ep.cio.gov/apl.php
• Don’t re-invent the wheel. Implement a trusted credential management model (Registration, Vetting, Issuance, Revocation).
• Take a layered approach to security; consider all components of the solution (card, chip, CMS, middleware, future capabilities and impact on users).
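As an added illustration of the Registration, Vetting, Issuance, Revocation model recommended above (example code written for this page, not code from the slides or from HID's CMS), a minimal credential lifecycle state machine in Python; the state and event names, and the rule that a suspension can be reinstated while termination is final, are this example's own assumptions.

```python
from enum import Enum

class State(Enum):
    REGISTERED = "registered"  # identity record created, nothing issued yet
    VETTED = "vetted"          # identity vetting passed
    ISSUED = "issued"          # card personalised and active
    SUSPENDED = "suspended"    # temporarily disabled, e.g. card reported lost
    TERMINATED = "terminated"  # revoked; final state, no way back

# Allowed transitions: event -> {source state: destination state}. Anything not
# listed is rejected, so no card is issued before vetting and none returns from TERMINATED.
TRANSITIONS = {
    "vet": {State.REGISTERED: State.VETTED},
    "issue": {State.VETTED: State.ISSUED},
    "update": {State.ISSUED: State.ISSUED},  # post-issuance update keeps the card active
    "suspend": {State.ISSUED: State.SUSPENDED},
    "reinstate": {State.SUSPENDED: State.ISSUED},
    "terminate": {State.ISSUED: State.TERMINATED, State.SUSPENDED: State.TERMINATED},
}

class Credential:
    def __init__(self, holder_id):
        self.holder_id = holder_id
        self.state = State.REGISTERED
        self.audit = []  # (event, from, to): every accepted change is recorded

    def apply(self, event):
        """Apply an event, or raise if the model forbids it from the current state."""
        dest = TRANSITIONS.get(event, {}).get(self.state)
        if dest is None:
            raise ValueError(f"{event!r} not allowed from {self.state.value}")
        self.audit.append((event, self.state.value, dest.value))
        self.state = dest
        return dest

    def usable(self):
        """Only an ISSUED credential may log in, sign or open a door."""
        return self.state is State.ISSUED

def demo():
    c = Credential("holder-id-placeholder")  # constructed sample holder id
    for event in ("vet", "issue", "suspend"):
        c.apply(event)
    while_suspended = c.usable()  # False: a suspended card must not work anywhere
    c.apply("reinstate")
    return while_suspended, c.usable(), len(c.audit)
```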