Smart Card Talk : November 2008 : Feature of the Month

Interoperable Identity Credentials for the Air Transport Industry

Since September 11, 2001, the air transportation system–airports and air carriers–has been subjected to significantly more security measures and procedures to counter threats to U.S. civil aviation. One area of security that has received considerable attention is the deployment of an interoperable identification (ID) credential system that would provide identity assurance, electronic identity verification, and potentially, automated access to airport security controlled areas.

Defining Interoperability

For the purposes of this article, interoperability is defined as follows:

  • All personnel are vetted according to a universally accepted standard.
  • Breeder documents meet a universally (within the anticipated user community) accepted standard.
  • Adjudication and card production processes are conducted according to a universally accepted standard.
  • The credential data structure and content, including any biometric data, are standardized.
  • Activation and issuance procedures follow a universally accepted standard.
  • Card usage causes the local card reader to produce a universally accepted (by all conforming entities) data stream from both valid and invalid access attempts.

As these interoperability elements are documented and processes implemented, the origin of a compliant individual credential becomes irrelevant. Electronically, a credential produced in Seattle behaves the same way as one produced in Chicago and can be read by any conforming reader at any location. A standardized validation and authentication infrastructure can then accept the claimed identity of local employees, contractors, and flight crews with a high level of confidence. Local airport authorities still maintain full control of access privileges.

Defining High Assurance Identity Credentials

An identity credential is a means to assert an individual’s claim of identity. Such claims are normally made when a person requests access to a restricted area or IT network. Because the requesting individual’s identity may not be known to the local authority responsible for authorizing such access, the identity credential may be the only item used to establish that the person is who the person claims to be. Often the identity credential that is used is a driver’s license with a photo and expiration date. In some scenarios, such a credential may be sufficient to grant an individual the requested access.

Printed credentials are relatively simple to duplicate, manipulate, or otherwise tamper with. They therefore offer very little assurance that the credential is indeed authentic and in the hands of the right person. In summary, the credential-to-user binding is considered to be weak and use of the credential would produce low assurance verification of identity.

A high assurance identity credential produces a strong credential-to-user binding, so that a relying party (e.g., an airport) would have a high degree of confidence that the individual presenting the credential is who they say they are.

As an example, within the Federal government, the Federal Information Processing Standard 201 (FIPS 201) Personal Identity Verification (PIV) program defined both the processes and technologies required for high assurance identity credentials. FIPS 201 established a set of criteria for vetting the identity of an individual before an identity credential is created and issued. The vetting process consists of a background investigation with several elements, among them a biometric check through the Automated Fingerprint Identification System (AFIS). When the FIPS 201 vetting procedure is complete, an individual’s identity is established in a manner that is mandated to be universally accepted by all relying parties (i.e., all Executive Branch agencies).

Using a combination of smart card, biometric, and cryptographic technologies, biometric information is then encoded on the smart chip of the card, creating an identity credential that is very difficult to manipulate or duplicate without authorization. When used with electronic readers capable of accessing, reading, and verifying the encoded biometric data against a live biometric sample, these smart credentials can link (bind) a particular person to the presented credential. The result is that the claimed identity is verified with a high level of assurance.

Used in combination with proper cryptographic IT infrastructure, these smart identity credentials can be deployed with an additional validation check against the individual’s record maintained with the authority that vetted the individual’s identity and created the identity credential. This process can prove not only that the claimed identity is valid but also that the credential is indeed authentic and that the individual is employed by the stated organization. For an airport, the individual carrying such a card could be an airline employee or contractor who needs access to the most critical areas of an airport. This process would establish the individual’s identity so that the local airport can make a decision about granting the individual such access privileges.

By using the process and technologies described above, the credential-to-user binding is considered to be very strong, the credential is verified as authentic and valid, and the airport can have high confidence in the identity verification process.

There are currently no universally accepted standards for defining the relative “strength” of binding card to holder or resistance to tampering with a card or transaction, nor are there universally defined “levels” of confidence or assurance in identity transaction processes.

Key Industry Standards and Guidance

While formal guidance on airport credentialing systems is still being developed, several critical industry standards and guidance should be considered in order to implement systems that are interoperable and deliver high identity assurance.

FIPS 201. In 2004, Homeland Security Presidential Directive 12 (HSPD-12) mandated the need “to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification.” HSPD-12 specifically calls for the use of a common identification credential for “gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems.” HSPD-12 defines the following requirements for Federal identity credentials:

  • They must be issued based on sound criteria for verifying the employee’s identity.
  • They must be strongly resistant to fraud, tampering, counterfeiting, and exploitation.
  • They must be capable of rapid electronic authentication.

As a result of this directive, the National Institute of Standards and Technology (NIST) published FIPS 201. FIPS 201 defines the identity vetting, enrollment, and issuance requirements for a common identity credential and the technical specifications for a government employee and contractor ID card–the PIV card. The FIPS 201 PIV card is a dual-interface smart card that is now being issued to all Federal employees and contractors.

A growing number of approved vendors of logical and physical access systems and applications have developed products built on FIPS 201 and industry standards for smart cards. FIPS 201 has attracted international attention and is under consideration for government, public safety, and critical infrastructure personnel in other countries. Within the next five years, the General Services Administration (GSA) estimates that 12 million PIV cards will be used in the Federal Government alone, driving a significant expansion of FIPS 201 infrastructure and applications.

Unfortunately, the events of September 11, 2001, placed the airport industry at the forefront of Federal national and international travel security concerns. Many of these concerns encompass identity verification, access control, and facility protection. HSPD-12 and FIPS 201 are the Federal Government’s attempt to mitigate identity fraud and the resulting threats to secure information systems and facilities.

RTCA DO-230B. The RTCA DO-230B, Integrated Security Systems Standard for Airport Access Control, provides standards and guidelines for implementing access control systems in the context of an airport’s integrated security system, including acquiring and designing such systems, testing and evaluating performance, and determining operational requirements.

The document incorporates the latest technological advances in security, access control systems and identity management technologies, including smart cards and biometrics. The document identifies best practices and system requirements to meet the current regulatory standards, as well as information for airports wishing to go beyond these requirements and logical and reasonable methods for implementing advances in security technology.

Aviation Credential Interoperability Solution. The Aviation Credential Interoperability Solution (ACIS) is a program currently under development by the Transportation Security Administration (TSA). It is intended to provide standards and recommendations for an aviation identification credential (and related subsystems) that is interoperable among participating entities. The program uses biometric verification to assert an individual’s identity. When complete and implemented, the program will establish proper identity vetting procedures.

The ACIS specification is a draft, and as such, is subject to change. However, it provides a view of identity assurance and the identity management process that is substantially in harmony with RTCA DO-230B.

The specification presents a three-step model for airports to transition from current credentialing and access control systems to interoperable high assurance identity credentialing systems:

  1. Identity assurance and identity credential issuance
  2. Identity assurance and identity credential issuance with electronic identity verification
  3. Identity assurance and identity credential issuance with electronic identity verification and a privilege application for access control

This model provides for the transition as described in the RTCA DO-230B in a controlled and consistent manner. It shows how to gradually adopt the use of an identity credential and grow into a physical access solution.

Interoperable Identity Credentials: Use Case for Increasing Airport Identity Assurance and Efficiency

Over the past several years, airports and air carriers have been issued TSA Security Directives (SDs) that ostensibly focus on vetting individuals before issuing an identification/access credential. Currently, airports are required to conduct a Criminal History Records Check (CHRC) and a Security Threat Assessment (STA) for all individuals who apply for authority to access controlled areas without an escort. These vetting processes must be completed before issuing an ID or access credential.

Over the past year, TSA has been developing a program to provide guidance and standards for an aviation interoperable identification credential system. The ACIS program is designed to properly vet an individual’s identity through data and biometrics verification while providing relevant and appropriate airport access according to local policy.

However, ACIS has not yet been fully introduced to or accepted by airport operators. ACIS presents substantial benefits and increased value for identity verification and credentialing. It supports an airport’s authority to assign access privileges independently, based on local policies, guidelines, and procedures. To comply with the Transportation Security Regulations (TSR), Part 1542–Airport Security, airport operators assign access authority to individuals based on need, span of movement, and local regulations, if applicable. The ability for airports to assign access authority is absolutely essential in the context of an interoperable identification credential system.

An interoperable identity credential system, such as ACIS, would enhance and enable identity assurance across the entire airport and air carrier security spectrum. Once an individual’s data and biometrics are captured electronically, pertinent information could be verified immediately for the purposes of issuing a local ID or activating a credential. An interoperable identity system could significantly improve the current card issuance process, making it more effective and efficient.

ACIS describes a three-step approach that represents a structured transition to an industry-wide interoperable identity and access system. When an identity management and credential information system issues an ACIS-compliant identity credential, the applicant presenting that credential to a registration workstation is providing high assurance identity information to an airport’s access control system (ACS). The identity information from the credential is parsed and used to establish a user record in the ACS, while substantially improving the identity assurance for that applicant. Following this, an airport simply completes the enrollment process according to local policies and guidelines, issuing an airport-specific ID or access card or credential. For example, flight crew members with interoperable credentials can be issued airport ID or access media very efficiently or have their credentials activated for local access if permitted by local regulations.

However, one point should be underscored. To ensure absolute control of an individual’s access privileges at an airport, the airport operator must ultimately be responsible for issuing and assigning access privileges to individuals with unescorted access authority. Allowing individuals to have universal airport access without local control and authorization completely contradicts the principles and fundamentals outlined in the Federal regulations for airport security.

Physical Access Control and “Transient” Credentials Use Case

“Transient” credentials–or non-locally issued credentials–are presented at airports by a number of categories of individuals:

  • Flight crews (cockpit and cabin crews) who are not based locally, as well as other airline staff
  • Airport staff
  • Regulatory agency and other Federal staff
  • First responders and mutual aid staff

Today, the main use of transient credentials at airports is by non-local flight crews, including both the cockpit crew, which uses credentials to access the ramp around the aircraft for safety and security checks, and the cabin crew, which controls the passenger loading process in association with local staff.

At most airports these crews do not have local airport badges. In these cases, the airline badge is frequently used as a “flash” pass. In addition, some airports have briefing rooms for cockpit crew and lounges for cabin crew, which are either accessible from the sterile area or through the secure area. The main identification used to access these areas is typically the airline badge, sometimes in association with a PIN. Sometimes access to this area requires that personnel be escorted through a secure area by a local staff member.

In large hubs (for example, O’Hare International in Chicago), some airlines manage their own security in their parts of the airport and use their airline IDs in association with a local system. This ID is not issued by the airport and, outside of these specific areas, is a flash pass only.

Other airline staff with transient credentials are the “deadheads,” off-duty cabin and cockpit staff, and occasionally maintenance and customer relations staff who travel using an airline ID to access sterile and airline-specific areas.

In addition, some airports move staff between their operating sites. However, such movement is a limited requirement and can be ignored for credentialing systems unless airline staffing policies change as a result of economic pressures.

Regulatory agencies present additional requirements. At present, the Federal Aviation Administration (FAA) has an agreement with most airports that under certain restricted and airport-specific circumstances, an FAA badge can be used to access sterile and secure areas. TSA and U.S. Customs and Border Protection (CBP) have similar arrangements, but these arrangements are more limited, since typically these staff also have local airport badges. Specialists in various fields are another example of staff who are required to move between several airports. Although individual requirements may vary, they generally require access to both secure and sterile areas.

Finally, first responders and mutual aid staff are occasionally required to access the sterile, secure, or Security Identification Display Area (SIDA) parts of an airport. These staff have until recently used their own agency IDs as flash passes, leading to a number of reported cases of abuse. The TSA First Responder Authentication Credential (FRAC) program is designed to resolve this problem. But again, an interoperable credential would enhance security. This credential would, in many cases, need to be verifiable by a mobile device to be effective.

In all of these transient credential cases, the use of an interoperable credential, combined with a solution to the visual verification and challenge procedure (which becomes an issue when local staff are presented with unfamiliar credential designs), could clearly enhance security and provide operational convenience for staff.

In addition, using an interoperable credential as a “breeder” ID whose status can be verified quickly by an airport security office offers several advantages. Airports could realize a significantly enhanced badge issuance process for holders, increased security, and reduced costs, even if the end result were the issuance of an airport-specific ID (after any local checking and training requirements were fulfilled).

First Response Officials and Airport Access Use Case

The goal of the TSA FRAC initiative is to provide state and local emergency response officials and first responders with a new, Federally-approved smart ID credential designed to achieve the following:

  • Securely establish emergency responders’ identities at the scene of an incident
  • Confirm first responders’ qualifications and expertise, allowing incident commanders to dispatch them quickly and appropriately
  • Enhance cooperation and efficiency between state and local first responders and their federal counterparts

A number of recent FRAC demonstrations and pilots of emergency response official (ERO) programs have been implemented, including programs that involved emergency response officials in the National Capital Region (NCR), Virginia, Maryland, Pennsylvania, Texas, Illinois, Florida, and Colorado.

The FRAC adheres to the FIPS 201 standard and, as a result, supports a wide range of applications. To some extent the range of applications supported depends on the credential profile and the certificates provisioned onto the credential. Since in most cases the companies that are providing the credentials do not charge by certificate but rather charge a fixed price for the credential, it is assumed (and strongly suggested) that the credential contain all available certificates: PIV Authentication, Card Authentication, Signature, and Encryption.

The power of this interoperable credential derives from its ability to support not only emergency and incident use cases but also everyday use. Any access control application contains processing that answers two questions: “Who are you?” and “What are you allowed to do?” The FRAC and FIPS 201 PIV card provide a basis for determining the answer to the first question at a very high level of assurance. The ability to answer the second question depends on the associated infrastructure, be it federal, state, or local.
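The two-question model above, together with the article’s insistence that access privileges stay under local airport control, is illustrated by the following added example. It is not code from the Smart Card Alliance paper or from any FIPS 201 product; issuer signatures are modelled with HMAC keys in a trust list as a stand-in for the PKI certificate chain a PIV card carries, the issuer status check is a constructed revocation set, and the airport’s privilege records are a constructed table keyed by credential identifier.

```python
"""Added example: separating "Who are you?" (interoperable identity
verification against the issuer) from "What are you allowed to do?"
(the airport's own access control system). A verified identity from a
trusted issuer never implies local access; privileges come only from
the local ACS record, as the article requires.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# --- Layer 1: interoperable identity verification (issuer-side data) ---
# Constructed trust anchors: one key per trusted issuer. This HMAC key is an
# assumption standing in for the issuer's certificate chain on a real card.
TRUSTED_ISSUERS = {
    "issuer-seattle": b"constructed-key-sea",
    "issuer-chicago": b"constructed-key-chi",
}
# Constructed stand-in for the status check against the issuer's record of
# the individual (e.g., a credential the issuer has since revoked).
REVOKED = {("issuer-chicago", "CHI-0002")}


@dataclass(frozen=True)
class Credential:
    issuer: str
    credential_id: str
    holder: str
    signature: str  # hex HMAC over (issuer, credential_id, holder)


def _payload(issuer, credential_id, holder):
    return json.dumps([issuer, credential_id, holder]).encode()


def issue(issuer, credential_id, holder):
    """Issuer side: sign the identity data (constructed signing routine)."""
    sig = hmac.new(TRUSTED_ISSUERS[issuer],
                   _payload(issuer, credential_id, holder),
                   hashlib.sha256).hexdigest()
    return Credential(issuer, credential_id, holder, sig)


def verify_identity(cred):
    """Answer "Who are you?": (ok, reason). Same logic at every airport."""
    key = TRUSTED_ISSUERS.get(cred.issuer)
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, _payload(cred.issuer, cred.credential_id, cred.holder),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred.signature):
        return False, "signature invalid"
    if (cred.issuer, cred.credential_id) in REVOKED:
        return False, "revoked by issuer"
    return True, "identity verified"


# --- Layer 2: local authorization (airport-side data) ---
# Constructed ACS privilege table for one airport: the portals each locally
# enrolled credential may open. A credential absent here has no privileges,
# however trustworthy its issuer.
LOCAL_PRIVILEGES = {
    ("issuer-seattle", "SEA-0001"): {"ramp-gate-7", "crew-briefing"},
}


def access_decision(cred, portal):
    """Answer both questions in order: identity first, then local privilege."""
    ok, reason = verify_identity(cred)
    if not ok:
        return False, f"identity: {reason}"
    allowed = LOCAL_PRIVILEGES.get((cred.issuer, cred.credential_id), set())
    if portal not in allowed:
        return False, "local ACS: no privilege for portal"
    return True, "granted"


if __name__ == "__main__":
    visitor = issue("issuer-chicago", "CHI-0001", "B. Crew")  # valid, not enrolled
    print(access_decision(visitor, "ramp-gate-7"))
```

A credential from Chicago is accepted as an identity in Seattle, but opens nothing there until the Seattle ACS enrolls it.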

Armed law enforcement officers often require access to airport facilities. However, airports do not issue their credentials to these individuals, and, at present, these credentials typically cannot be recognized by the physical access control system or by the airport. FIPS 201 can provide a means of interoperability with armed law enforcement officer credentials. State and local public safety officials (which include armed law enforcement officers) are increasingly using FIPS 201 as the basis for interoperable first responder credentials. In addition, Federal armed law enforcement officers will be issued FIPS 201 credentials. Therefore, interoperable FIPS 201 credentials provide a means for airports to address the challenge of recognizing transient armed law enforcement officer credentials. [1]

Use of Reference and Operational Biometrics

Two categories of biometrics can be used in an interoperable credential program for privilege-based access control at airports: reference biometrics and operational biometrics.

The reference biometric is an interoperable fingerprint template that meets FIPS 201 specifications and is stored on each credential as part of the enrollment process. Each FIPS 201-compliant credential will be issued with a reference biometric to be used for identity and privilege-based access control transactions.

Operational biometrics can include modalities such as iris, hand geometry, face recognition, or proprietary fingerprint systems. Use of an operational biometric is optional and can provide the card issuer with deployment flexibility in an access control system. This biometric may not be interoperable with other entities and can be used as an alternative to the reference biometric.

There are several cases for using operational biometrics. Operational biometrics can be part of a migration plan to leverage an existing biometric reader infrastructure while adding devices that are compatible with the reference biometric. Under this scenario, as migration occurs, there can be a mix of devices, some of which use the reference biometric, while others use the legacy operational biometric.

In other cases, there may be some site-specific operational requirements that are well-supported by an alternative to the reference biometric. One example might be a secured area where a non-touch biometric is required; iris or face recognition could be options here. Again, a mix of devices can be deployed to leverage the reference or operational biometric that best suits the specific environment. There can be many other cases that support using an operational biometric; the above are simply two examples.

To ensure consistent product performance, operational biometric products should be selected from the TSA Qualified Products List (QPL) of biometric technologies for use in airport access control systems. [2]

Conclusions

FIPS 201, ACIS and the RTCA DO-230B are important standards and guidance that form the foundation for an interoperable trusted identity aviation credential.

FIPS 201 provides an established architecture for identity assurance. A FIPS 201 conformant identity credential is PKI-enabled, may be deployed to establish trust across multiple organizations and provides strong authentication verification for access control applications.

The number of air transport industry workers is expanding and includes members from a wide variety of private as well as government organizations. Staff from these organizations provide services ranging from baggage handling and aircraft maintenance to critical operations and management functions. Each individual has legitimate access requirements to controlled areas for both routine and emergency purposes.

All organizations in the aviation community should take advantage of the experience of the Federal organizations that are now deploying FIPS 201-interoperable credentials.

Only an interoperable credential can fully leverage the experience and investment made by the Federal government and industry. Only a FIPS 201-aligned smart card-based credential can meet the requirements of chief information officers and airport security directors who are looking for a cost-effective solution for secure physical access.


Notes

  1. The Smart Card Alliance publication, Emergency Response Official Credentials: An Approach to Attain Trust in Credentials across Multiple Jurisdictions for Disaster Response and Recovery, covers topics related to identity and attribute credentialing and credentialing management for first responder officials in depth.
  2. For more details, see http://www.tsa.gov/join/business/biometric_qualification.shtm.

About this Article

This article is an extract from the new Smart Card Alliance white paper, Interoperable Identity Credentials for the Air Transport Industry, which captures best practices and defines use cases for interoperable identity credentials that meet the identity goals of trust, privacy, interoperability and usability. The paper was developed by the Smart Card Alliance Physical Access and Identity Councils after discussion with both government and air transport industry personnel to understand the complexities of trusting identity credentials at airports. The Smart Card Alliance offers an independent assessment of how standards, technology and processes can support the implementation of a high assurance, interoperable identity credential for the air transport industry, while local airports retain the ability to determine access privileges and design and issue local ID badges.

About the Smart Card Alliance Physical Access Council

The Smart Card Alliance Physical Access Council is focused on accelerating widespread acceptance, use, and application of smart card technology for physical access control. The Council brings together leading users and technologists from both the public and private sectors in an open forum and works on activities that are important to the physical access industry and address key issues that end user organizations have in deploying new physical access system technology. The Physical Access Council includes participants from across the smart card and physical access control system industry, including end users; smart card chip, card, software, and reader vendors; physical access control system vendors; and integration service providers.

About the Smart Card Alliance Identity Council

The Smart Card Alliance Identity Council is focused on promoting the need for technologies and usage solutions regarding human identity information to address the challenges of securing identity information and reducing identity fraud and to help organizations realize the benefits that secure identity information delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning, and multiple organization resources to bear on addressing the challenges of securing identity information for proper use.


Copyright © 1997–2010 Smart Card Alliance. All Rights Reserved.
http://www.smartcardalliance.org