PKI-at-the-Door Information


Federal Information Processing Standard Publication 201 (FIPS 201) has primarily been used for logical access and digital document signing using Public/Private Key Infrastructure (PKI)-based validation. With PKI multifactor authentication, a digital certificate including the user's public key is placed on a Personal Identification Verification (PIV) card, which leverages smart card and biometric technology (a digitally signed fingerprint template) and also supports multifactor authentication methods. To use a PIV card to enter a building, the PIV card's digital certificates are checked against a Certificate Revocation List (CRL), which is provided by the certificate authorities. Rather than relying on a shared secret key for authentication, a pair of public and private keys is used; the two keys are linked such that information processed with one key can only be decoded or validated using the other. The Federal Bridge is used to establish trust between cross-certified agencies' PKIs (i.e., separate and independent infrastructures, each with its own root certificate authority), enabling the secure exchange of digital signatures and certificates between participating government organizations. PKI authentication is a highly efficient and interoperable method for both logical access control to protect data and physical access control to protect facilities; the latter is referred to as "PKI at the door."
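The reader-side decision described above, as an added example written in Go against the standard library (not code from HID Global or this post): the card's certificate must chain to the agency trust anchor, its serial must not appear on a CRL whose signature is checked as the CA's, and the holder must prove possession of the private key by signing the reader's challenge. The agency CA, the two card certificates, the CRL, the fixed key seeds and the nonce are all constructed inside the example, and Ed25519 stands in for the card's PIV authentication key.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { // panics on setup errors in the constructed scenario
	if err != nil {
		panic(err)
	}
	return v
}
// DoorCheck is the reader-side "PKI at the door" decision: chain the card certificate to the agency trust anchors, refuse any serial on the CA-signed CRL, then verify the holder's signature over the reader's fresh nonce.
func DoorCheck(roots *x509.CertPool, ca *x509.Certificate, crl *x509.RevocationList, card *x509.Certificate, nonce, sig []byte) error {
	if _, err := card.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // untrusted issuer, broken chain or outside the validity window
	} else if err := crl.CheckSignatureFrom(ca); err != nil {
		return err // never act on a CRL the issuing CA did not sign
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(card.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	if pub, ok := card.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("challenge signature invalid") // presenter does not hold the certificate's private key
	}
	return nil
}
// Scenario: a constructed agency CA issues two cards to one holder key and revokes the second; it returns the door decisions for the good card, the revoked card, and the good card's signature replayed against a different nonce.
func Scenario() (good, revoked, replayed error) {
	now, nonce := time.Now(), []byte("constructed-reader-nonce") // a real reader draws a fresh random nonce per attempt
	caKey, cardKey := ed25519.NewKeyFromSeed(append(make([]byte, 31), 1)), ed25519.NewKeyFromSeed(append(make([]byte, 31), 2)) // fixed demo seeds
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Agency CA"}, NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey))))
	cardTmpl := &x509.Certificate{SerialNumber: big.NewInt(100), Subject: pkix.Name{CommonName: "PIV holder"}, NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	goodCard := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, cardTmpl, ca, cardKey.Public(), caKey))))
	cardTmpl.SerialNumber = big.NewInt(101) // a second certificate for the same holder key; it is revoked below
	lostCard := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, cardTmpl, ca, cardKey.Public(), caKey))))
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: lostCard.SerialNumber, RevocationTime: now}}}, ca, caKey))))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	sig := ed25519.Sign(cardKey, nonce) // the card proves possession of its private key by signing the reader's challenge
	return DoorCheck(roots, ca, crl, goodCard, nonce, sig), DoorCheck(roots, ca, crl, lostCard, nonce, sig), DoorCheck(roots, ca, crl, goodCard, []byte("stale"), sig)
}
```

Calling Scenario() from a main or a test returns nil for the good card, "certificate revoked" for the lost one, and "challenge signature invalid" for the replayed signature.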

Agencies are taking a phased approach to implementing PKI at the door as budget becomes available. To ensure that this is possible, they are configuring their infrastructure so that it can be quickly and easily upgraded to PKI strong authentication for physical access control when they are ready. For instance, they first enroll all of their PIV card holders into their head-end system and then simply deploy Transitional Readers, as defined by the General Services Administration (GSA), which read the unique identifier from the card and match it with the enrolled card holder without using any FIPS 201 authentication techniques. These Transitional Readers can later be reconfigured in the field to support multifactor authentication. This ability to upgrade in the field to FIPS 201 is not possible with Transparent Readers. It is important to note that GSA-approved Transparent Readers listed on the GSA Approved Products List (APL) do not, by themselves, constitute an "Authentication System" as defined by the GSA, and do not, in and of themselves, provide the required validation mechanisms.

As an example, HID Global's pivCLASS solutions are certified as GSA-approved Authentication Systems. By installing pivCLASS Transitional Readers for FIPS 201 compliance, agencies can later add pivCLASS authentication modules that classify their readers as GSA-approved Authentication Systems capable of performing PKI multifactor authentication at the door, without having to replace the readers. This approach also enables them to preserve existing door controller and panel functionality.

It is expected that PKI at the door will become more widely adopted as FIPS 201 evolves and more products become available on the market to support it. We also see PIV cards (and, presumably, strong authentication for both logical and physical access control) moving to NFC-enabled mobile phones. The FIPS 201-2 specification is expected to include extensions such as the concept of derived credentials, which will enable a credential derived from the PIV card to be carried in the phone's secure element, with the digital version providing the same cryptographic services as the card. FIPS 201-2 is also expected to allow the use of the Open Protocol for Access Control Identification and Ticketing with privacY (OPACITY) suite of authentication and key agreement protocols, which adds two important things: 1) much better performance (by a factor of approximately four for critical tasks), and 2) secure wireless communications, which will enable the use of PIN and biometrics on the contactless interface, further strengthening authentication alongside PKI for both physical and logical access control.