Smart Card Alliance Smart Card Talk
October 2007 • Volume 12 Number 10

Feature of the Month

Physical Access Control System Migration Options for Using FIPS 201-1 Compliant Credentials

All federal government employees and contractors are now transitioning to FIPS 201-1 compliant credentials (the Personal Identity Verification card, known as the PIV card).  This presents unique challenges to security directors with currently-deployed ID badges and existing systems for building access management and control.  Key questions that may be asked by all security directors and those responsible for physical access control systems are: 

  • Will what I have today work with the new directives and requirements?  If not, what can I do to comply? 
  • How do I take advantage of the enhanced security technology in a FIPS 201-1 credential to improve my organization's security profile?

The answers to these common questions depend on many factors.  Compliance methods range from visual presentation and validation of the new PIV card (a minimal process with high risk), to the trusted process using the PIV card for fast, electronic authentication through the public key infrastructure (PKI) and a multi-factor reader or handheld device.  Beyond reading the PIV card, field devices, the associated network and cabling, intermediary hardware or control equipment, host computers, and processes may be affected by new technologies used by the PIV card.

Given the scope of an enterprise, federated and converged security system, it is therefore very important for a security director, facilities manager or systems manager to understand the changes introduced by PIV cards and determine how to manage that change successfully.  Understanding what will maximize the return on investment and mitigate the risks of “failure of operation” or “failure to comply” going forward is critical to success.  Corollary questions are likely to be “how much of my existing system can I reuse” -- i.e., how can I mitigate costs and allow a migration strategy to be implemented -- and optionally “how can I use the same method of authentication for physical access and logical access?”

Simply stated, a migration strategy defines a series of steps in a particular direction leading to a final objective or goal.  The final migration goal for Federal agencies is to achieve FIPS 201-1 compatibility and interoperability by fully using the PIV card within a physical access control system (PACS).  There are a number of migration steps that an agency can take to move toward this goal, while also improving security for the organization.  The PIV card enables agencies to implement a range of identity authentication methods, allowing the method appropriate to an agency's risk assessment and security requirements.

PACS Migration Considerations

The PIV card uses smart card technology and a data model that is significantly different from traditional physical access tokens.  These differences may require changes to the PACS and related components as described in this section.

Whether the facility is considering upgrading an existing PACS or procuring a new system, certain operational parameters are crucial for a successful outcome.  These are discussed in detail in the white paper, “Considerations for the Migration of Existing Physical Access Control Systems to Achieve FIPS 201-1 Compatibility,” published in September 2006 by the Smart Card Alliance Physical Access Council.

Today, a PACS consists of four major components.  Starting from the center and working toward the edge, these are: (1) the PACS server; (2) the access or area control panel; (3) the reader, or a combination multi-factor reader with keypad and/or biometric, that reads the card; and (4) the card itself.

Any migration strategy must consider that the PACS solution in place may already be tightly integrated with other control technologies, such as intrusion detection systems, video monitoring, and alarm/response management.

Each of these system components is affected by the introduction of HSPD-12 and FIPS 201-1.  This section describes the basic functions of each of these vital components and important factors that must be considered when migrating from an existing physical access solution to the use of a PIV card for physical access.

It is also important to remember that these activities involve several stakeholders, each with some level of jurisdiction in the process.  Facilities, IT, and security staff members must co-operate as a team to ensure the migration process is as smooth as possible.

With FIPS 201-1, PACS must now work in coordination with the credential issuance infrastructure in those cases where the PACS does not issue the credential.  This requires interfaces with new identity system components, pulling information into the PACS as opposed to creating information about identities.  It also requires separating the functions around creating an identity from those around assigning privileges to identities and tracking the actions of the individuals associated with those credentials.

PACS Server

Traditionally the access control server is an administrative tool used by the PACS operator to provision a variety of physical access control resources, journal all system activities, and execute business logic related to alarms and other events collected via data sensors.  The access control server has also typically been the primary means to register and enroll a cardholder's name, access privileges, and expiration date in the physical access control system.  The server downloads cardholder unique identification data, access level and authorized function(s) to the relevant access control panel.  It also allows a system operator to temporarily assign a credential and access privileges to a visitor or to an employee who accidentally forgot or misplaced the permanent credential.

For physical access to facilities, an individual's identity has traditionally been authenticated locally by using paper or other hand-carried credentials, such as driver’s licenses and ID badges.  Once confirmed, identity data about the individual is entered into the PACS database and management authorizations are confirmed for access to areas in the facility.  With few exceptions, a local PACS operator registers and revokes approved user access privileges manually at the PACS server.  FIPS 201-1 defines tools for automated authentication, validation and revocation procedures for a PIV credential.  A PACS may be connected to the federated IT infrastructure, enabling automation for these processes using federated ID services.  Alternatively, an agency may define compliant manual validation and revocation procedures.

Modern PACS databases are often upgradeable.  Several PACS suppliers and system integrators offer upgrade packages and services to facilitate integration to external IT resources.

During a transitional period, both legacy cards and readers and new PIV compliant cards and readers may co-exist in one system.  Until all legacy equipment (e.g., cards and readers) is updated or replaced, one person may have both a legacy card and a PIV card.

The consequence in a PACS server is that each user may be entered twice, once with the data read from the legacy card and once with the data read from the PIV card.  Some PACS server databases are capable of registering multiple credentials for the same individual, while others may require a separate user record for each credential, even when they belong to the same individual.

Key considerations for migration of PACS servers include:

  • Determine if the currently installed server database can be integrated with the agency IT systems to enable federated ID services (including smart card log-on).
  • Determine if the PACS server database supports, or can be upgraded to support both existing cards and PIV cards simultaneously.
  • Determine if the PACS server can be upgraded to communicate with an Online Certificate Status Protocol (OCSP) responder or certificate revocation list (CRL) service to check the validity or revocation status of credentials.

Area Control Panels

The control panel is clock synchronized and connected to the access control server, card reader/keypad and door hardware.  It contains a number of user records, usually one per cardholder.  Content of the user records varies greatly from one manufacturer to another; however, the basic information is similar among most systems.  The panel receives the information from the card reader and compares this to data stored in its local database.  Once the control panel determines that the data is valid, it compares this against access privileges registered to the cardholder and makes an access decision.  This decision is based on credential revocation status, day of the week, time of day, door location and so on.  The control panel sends the decision result to the access control server for display and archiving.  When the panel makes an access grant decision, it sends a signal to release the locking mechanism and disarm associated alarm sensors, such as door position monitors.

Numbering systems.  The FIPS 201-1 specification does not allow locally-defined or vendor-defined facility codes or system codes commonly used in legacy PACS.  The PIV card uses a government-wide Federal Agency Smart Credential Number (FASC-N) that enables cross agency interoperability without credential number conflicts among agencies.  As a result, PIV cards will not work unless legacy numbering associated with the cardholder is modified to replace the facility code and system code numbering method with the FASC-N system.  During a transition period it may be necessary for the PACS controller to process data from legacy cards as well as from PIV cards. 

User records.  PIV user records stored in the control panel require additional memory space to accommodate the larger amount of data required for each user in FIPS 201-1 compliant systems.  

Key considerations for migration of control panels include:

  • Determine if the currently installed control panel can operate, or be updated to operate without facility and system codes.
  • Determine if the currently installed control panel is capable of, or can be upgraded to process the data from a reader included on the GSA Approved Products List (APL).
  • Determine if the currently installed controller can, or can be updated to process multiple card technologies (existing cards and PIV cards).
  • Determine if the currently installed controller can, or can be updated to support the expected user population.
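The decision flow described above for the control panel, written out as an added example (not the article's or any vendor's code): the panel looks up the record the server downloaded, checks revocation and expiration, then walks the cardholder's access levels for one that covers the door, weekday and time of day. The record layout, the access-level fields and the sample identifier are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, date, time

@dataclass
class UserRecord:                  # one panel record per cardholder (assumed layout)
    identifier: str                # agency + system + credential number from the FASC-N
    expires: date                  # expiration date as registered from the CHUID
    access_levels: set             # names of the access levels granted
    revoked: bool = False          # status pushed down from the PACS server

@dataclass
class AccessLevel:
    doors: set
    weekdays: set                  # 0 = Monday ... 6 = Sunday
    start: time
    end: time

def decide(panel_db, levels, identifier, card_expiry, door, now):
    """Return (granted, reason): the result the panel journals to the server;
    a True result is what releases the lock and disarms the door sensors."""
    rec = panel_db.get(identifier)
    if rec is None:
        return False, "unknown credential"
    if rec.revoked:
        return False, "credential revoked"
    if card_expiry != rec.expires:               # reader data and record disagree
        return False, "expiration date does not match record"
    if now.date() > card_expiry:
        return False, "credential expired"
    for name in rec.access_levels:
        lvl = levels[name]
        if (door in lvl.doors and now.weekday() in lvl.weekdays
                and lvl.start <= now.time() <= lvl.end):
            return True, f"granted via access level {name}"
    return False, "no access level covers this door and time"

def decide_iso(identifier, card_expiry, door, when):
    """Same decision from ISO-8601 strings against the constructed sample data."""
    return decide(PANEL_DB, LEVELS, identifier, date.fromisoformat(card_expiry),
                  door, datetime.fromisoformat(when))

# Constructed sample data (not from the article): one level, one cardholder
LEVELS = {"office-hours": AccessLevel({"lobby", "lab"}, {0, 1, 2, 3, 4},
                                      time(7, 0), time(19, 0))}
PANEL_DB = {"00320001012345": UserRecord("00320001012345", date(2010, 6, 30),
                                         {"office-hours"})}
```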

PACS Readers

The GSA FIPS 201-1 Evaluation Program defines readers in two categories: Card Holder Unique Identifier (CHUID) and Transparent.  A "CHUID reader" reads the CHUID and validates the expiration date of a presented PIV card.  A "Transparent reader" reads the CHUID from a card, then extracts and sends the FASC-N and expiration date to a PACS control panel.  This section discusses only the "Transparent" reader type.

The PIV card produces the same output to the reader regardless of what transparent reader type is installed at an access control point.  From a practical interoperability perspective, the process of connecting a contactless, contact, or three-factor (card, personal identification number (PIN), biometric) reader to the PACS control panel is greatly simplified as one reader type may simply replace another.

For the past few years several reader manufacturers have produced card readers that are upgradeable to support FIPS 201-1 requirements.

Key considerations for migration of PACS readers include:

  • Determine if the currently installed readers are capable of, or can be updated to read, process and send the required data.
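As an added example (not code from the article or from the Physical Access Council), here is a decoder for the 25-byte FASC-N that a transparent reader pulls out of the CHUID, together with the identifier a FASC-N-aware panel keys on in place of the legacy facility code and system code discussed under Area Control Panels. The 40-character layout and the 5-bit BCD encoding (4 data bits LSB first plus an odd-parity bit, sentinels 0xB/0xD/0xF) follow NIST SP 800-73, which this page does not cite; the LRC as an XOR over all preceding characters is an assumption, and every field value in the sample data is constructed.

```python
from functools import reduce
from operator import xor

SS, FS, ES = 0xB, 0xD, 0xF        # start, field and end sentinel nibbles
# Field order and digit counts per NIST SP 800-73 (None = field separator)
LAYOUT = [("agency_code", 4), None, ("system_code", 4), None,
          ("credential_number", 6), None, ("credential_series", 1), None,
          ("individual_credential_issue", 1), None, ("person_identifier", 10),
          ("organizational_category", 1), ("organizational_identifier", 4),
          ("association_category", 1)]

def _char(nibble):
    """One 5-bit character: 4 data bits LSB first, then an odd-parity bit."""
    bits = [(nibble >> i) & 1 for i in range(4)]
    return bits + [1 - (sum(bits) & 1)]

def encode_fascn(fields):
    """Build the 25-byte (200-bit) FASC-N from decimal-string fields."""
    nibbles = [SS]
    for item in LAYOUT:
        if item is None:
            nibbles.append(FS)
        else:
            nibbles += [int(d) for d in fields[item[0]].zfill(item[1])]
    nibbles.append(ES)
    nibbles.append(reduce(xor, nibbles))   # LRC = XOR of SS..ES (assumed)
    bits = "".join(str(b) for v in nibbles for b in _char(v))
    return int(bits, 2).to_bytes(25, "big")

def decode_fascn(raw):
    """Parse 25 bytes into fields; reject length, parity, sentinel or LRC errors."""
    if len(raw) != 25:
        raise ValueError("FASC-N must be 25 bytes")
    bits = [(b >> (7 - i)) & 1 for b in raw for i in range(8)]
    chars = [bits[k:k + 5] for k in range(0, 200, 5)]
    if any(sum(c) % 2 == 0 for c in chars):
        raise ValueError("parity error")
    nibbles = [sum(c[i] << i for i in range(4)) for c in chars]
    if nibbles[0] != SS or nibbles[-2] != ES or nibbles[-1] != reduce(xor, nibbles[:-1]):
        raise ValueError("bad sentinel or LRC")
    out, pos = {}, 1
    for item in LAYOUT:
        if item is None:
            if nibbles[pos] != FS:
                raise ValueError(f"missing field separator at char {pos}")
            pos += 1
        else:
            out[item[0]] = "".join(map(str, nibbles[pos:pos + item[1]]))
            pos += item[1]
    return out

def pacs_identifier(fields):
    """Value a FASC-N-aware panel keys on instead of facility code + card number."""
    return fields["agency_code"] + fields["system_code"] + fields["credential_number"]
```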

PACS Cards

Essential to the understanding of a PACS is an understanding of the card used to request physical access.  In a FIPS 201-1-compatible PACS, the PIV card is the physical artifact issued to an individual that allows the claimed identity of the cardholder to be verified.

FIPS 201-1 requires that the PIV card be a smart card.  The card body is similar to a bank credit card and conforms to the ISO/IEC 7810 specification.  The card must contain both contact and contactless interfaces to a single integrated circuit chip (ICC), known as a dual-interface ICC.  The contact interface must conform to the ISO/IEC 7816 specification, and the contactless interface must conform to the ISO/IEC 14443 specification.  In most cases, physical access applications will use the contactless interface, although there are special cases in which the contact interface will be used for such applications.

The PIV card stores a cardholder photograph, PKI certificates and associated cryptographic keys, biometric data and the Cardholder Unique Identifier (CHUID).  The card enables the identity of the cardholder to be verified.  The card is presented to a card reader to initiate an authentication transaction and to request access authorization.

Key considerations for using PIV cards with PACS:

  • Determine operational use of the card. 
  • Determine how to use data stored on the PIV card. 
  • Determine how to take advantage of all of the information on a card including photos, certificates, biometrics and other information.

Migration Options

In transitioning to accepting PIV credentials, it is recommended that the security director first define the end-state identification verification goals, then decide what equipment, if any, is needed to accomplish those goals, and finally develop a transition and migration plan that meets the agency's needs and budget.

The migration plan will need to incorporate a strategy for issuing and using PIV cards and for upgrading the PACS reader infrastructure to accept the new cards.  Migration options for card issuance can include:

  • Using the PIV card as defined by FIPS 201 for rapid electronic verification.
  • Issuing the PIV card with additional technologies that are compatible with the existing PACS.
  • Issuing two cards -- the PIV card and the existing PACS card -- until funding is available to replace PACS components.
  • Using the PIV card as a flash pass in the initial stages of migration.

These card options are accompanied by a number of options for reader infrastructure migration including:

  • Upgrading firmware in current card readers for FIPS 201-1 compatibility.
  • Replacing current card readers with PIV-compliant readers.
  • Using the PIV card with a handheld or desktop reader for authentication.
  • Replacing current card readers with multi-technology readers.

Each of these card and reader options has associated benefits and challenges for the agency.  Security directors need to carefully define the migration plan to allow practical steps to the end-state identification verification goal, while meeting security and operational requirements.


Summary

With FIPS 201-1, security directors are empowered with a tool to check the identity and status of individuals needing access to their resources.  This provides capabilities beyond those of most legacy physical access credentials in place today.  It is important to understand the different authentication mechanisms and the levels of threat they mitigate.  With this knowledge a security director is in the best position to decide how to employ the FIPS 201-1 credential within the context of their overall security plan, bearing in mind requirements for throughput, operational and interoperability considerations.


About this Article

This article is an extract from the new white paper, "Physical Access Control System Migration Options for Using FIPS 201-1 Compliant Credentials," developed by the Smart Card Alliance Physical Access Council in collaboration with the Open Security Exchange (OSE), Security Industry Association (SIA) and International Biometric Industry Association (IBIA).  The white paper allows security directors, facilities managers or systems managers to understand the changes introduced by PIV cards, what migration options are available, and how to manage the transition to guarantee success.  Topics covered in the white paper include:

  • Key migration considerations for elements of a typical PACS.
  • Migration options for cards and readers, including benefits and challenges associated with each option.
  • Key considerations and options for integration, PACS enrollment and registration and biometrics.

About the Smart Card Alliance Physical Access Council

The Smart Card Alliance Physical Access Council is focused on accelerating the widespread acceptance, usage, and application of smart card technology for physical access control.  The group brings together, in an open forum, leading users and technologists from both the public and private sectors and works on activities that are important to the physical access industry and that will address key issues that end user organizations have in deploying new physical access system technology.  Physical Access Council participation is open to any Smart Card Alliance member who wishes to contribute to the Council projects.

Copyright 2006-2007 · Smart Card Alliance · 191 Clarksville Rd. · Princeton Junction, NJ 08550
Phone: (800) 556-6828 · info@smartcardalliance.org · www.smartcardalliance.org