Learn about installing a new PACS with trusted PKI authentication
The technology and architecture of legacy physical access control systems (PACS) are well over 25 years old. They depend on outdated identification cards that are easily counterfeited and copied, which was the case with 18 out of 19 terrorists in the 9/11 attacks.
The Federal Government has put in place standards and guidance to modernize PACS with secure Public Key Infrastructure (PKI), the technology used to secure electronic transactions on the Internet. It can be seamless, secure and cost effective.
Many legacy PACS suppliers are offering “upgrades.” However, there is a caveat: performance can be compromised when third-party solutions are bolted onto a legacy PACS. The latest guidance from OMB makes it clear that PACS that do not properly implement HSPD-12 do not qualify for FISMA. However, when PKI is designed and integrated into a PACS from the ground up, PKI technology has been proven to be cost effective, secure and reliable.
Today, the Federal Government and much of critical infrastructure, including finance, defense, telecommunication and energy, are moving to strong authentication. It’s clear that a new PACS should employ trusted mechanisms. Unfortunately, while agencies are faced with compressed implementation deadlines, most legacy PACS vendors are moving slowly to meet the latest standards and guidance.
Here are three common questions and the answers:
Q: Is validating certificates cumbersome and will it affect my system performance?
A: By caching certificate status in the server and controllers per NIST 800-116, PACS performance is not impacted by the process of certificate validation. The validation process runs in the background as a service, the results are cached, and only small amounts of data are involved.
Q: I hear that doing a PKI challenge-response at the door will take a Reader 10 seconds or more?
A: Actually, it takes about 1 second longer than a typical read of a CHUID from a PIV or CAC credential.
Q: How much will PKI increase the cost of my PACS?
A: As a core function within a PACS, the added cost is marginal because it is primarily a function of software (sending and storing more bits). Conversely, “bolting” PKI functionality onto a legacy system is expensive because third-party providers must interface hardware and software solutions. This configuration usually introduces unnecessary complexity, often resulting in complications.
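The caching described in the first answer above, sketched as an added example that is not from the original page or from any PACS product: a background refresh fills the cache and the door decision is a local lookup. `StatusCache`, `Refresh`, `Allow`, the one-hour maximum age and the deny-on-stale policy are assumptions of this example, the `check` callback stands in for an OCSP or SCVP client, and locking between the background service and the door path is omitted.

```go
package main

import (
	"fmt"
	"time"
)

type entry struct {
	revoked bool
	checked time.Time // when the status was last confirmed
}

type StatusCache struct {
	MaxAge time.Duration    // assumed policy: older results are not trusted
	items  map[string]entry // controller-side store that the door path reads
}

// Refresh is the background service. check stands in for an OCSP/SCVP client.
// On error the old entry and timestamp are kept, so an outage ages into denial.
func (c *StatusCache) Refresh(ids []string, check func(string) (bool, error), now time.Time) {
	if c.items == nil {
		c.items = make(map[string]entry)
	}
	for _, id := range ids {
		if revoked, err := check(id); err == nil {
			c.items[id] = entry{revoked, now}
		}
	}
}

// Allow is the door-time decision: one map lookup, no network round trip.
func (c *StatusCache) Allow(id string, now time.Time) (bool, string) {
	e, ok := c.items[id]
	switch {
	case !ok:
		return false, "no status on record"
	case e.revoked:
		return false, "revoked"
	case now.Sub(e.checked) > c.MaxAge:
		return false, "status stale"
	}
	return true, "ok"
}

func main() {
	c, now := &StatusCache{MaxAge: time.Hour}, time.Now()
	c.Refresh([]string{"card-A"}, func(string) (bool, error) { return false, nil }, now)
	fmt.Println(c.Allow("card-A", now.Add(30*time.Minute)))
	fmt.Println(c.Allow("card-A", now.Add(2*time.Hour)))
}
```

The maximum age is the trade-off to tune: it bounds both how long a revoked credential can keep working and how long doors keep opening while the validation service is unreachable.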
HSPD-12 has proven to be a visionary mandate. It is clear that the marginal added cost to install a trusted system that performs strong authentication offers tremendous value when compared against the risk of implementing a PACS that performs legacy-type transactions using PIV credentials.
When considering a new PACS implementation, four considerations should be kept in focus:
- BE SURE YOU ARE USING A MODERN PACS: Utilize only PACS software that is assured to be compatible with a software application capable of checking certificate status against the Certificate Revocation List (CRL) via OCSP (Online Certificate Status Protocol) or SCVP (Server-based Certificate Validation Protocol).
- PREPARE TO VALIDATE CERTIFICATES: As soon as you possibly can, begin capturing the PKI certificates from the credential at enrollment into the PACS. This will prevent a need to re-enroll card holders in the future when going live with the PKI solution.
- BE FULLY INTEROPERABLE: Confirm that all components in the PACS, including software, hardware, readers and especially the controllers, are capable of processing at a minimum a 56-bit FASC-N (Federal Agency Smart Credential Number) plus at least 32 bits of a PKI certificate digital signature. If your agency plans on granting access to contractors who may be issued PIV-I credentials, your PACS should be capable of processing the 128-bit GUID (Global Unique Identifier). Make sure the system provider gives assurance that a full match of the credential number can be performed in the controller.
- VERIFY PRIVATE KEYS: Even if you do not implement PKI at the outset, be sure to purchase access readers (or controllers) that have the capability to perform a PKI challenge-response to the certificate private key on the PIV credential. For HIGH security areas, it is advisable to install readers capable of both contactless and contact operation with PIN or even biometric capability.
BridgePoint provides the premier solution. Contact us today
A primary value of HSPD-12 was to eliminate the numerous proprietary badges for building access that government employees were required to carry around their neck to access various buildings. HSPD-12 created the Federal Agency Smart Credential Number (FASC-N), which assures both interoperability and uniqueness for all Federal government employees and contractors. The FASC-N means that any person from any agency has a credential that can be accepted by any other agency without concern for duplication. Benefits include credential uniformity and lower cost.
Another primary value of HSPD-12 was the mandate for a “secure tamper proof credential” which could be “rapidly verified electronically.” To establish this high level of security, the Government provisioned the PIV credential with public key certificates (PKI). Legacy credentials clearly do not have this level of protection against attack. These certificates are the basis for secure electronic transactions and, when properly used in a building access system, eliminate the potential for expired, revoked and even cloned credentials. Using the certificates requires certificate status validation and certificate private key challenge-response, both PKI operations that are supported by the PIV.
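Why the private key challenge-response named above and in the VERIFY PRIVATE KEYS item rejects a copied credential, as an added example that is not from the original page or from any PACS product: the card is modelled in software with an ECDSA P-256 key, and `Card`, `NewCard`, `Verify` and `Authenticate` are hypothetical names. Certificate path and status validation, which a real reader or controller also performs, are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Card struct {
	Pub  *ecdsa.PublicKey  // certificate data, readable and copyable
	priv *ecdsa.PrivateKey // exists only on the card it was generated for
}

func NewCard() *Card {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Card{Pub: &k.PublicKey, priv: k}
}

// Sign is the card's answer to a reader challenge.
func (c *Card) Sign(challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, d[:])
}

// Verify checks a response against the public key captured at enrollment.
func Verify(enrolled *ecdsa.PublicKey, challenge, sig []byte) bool {
	d := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(enrolled, d[:], sig)
}

// Authenticate is the reader side: a fresh random challenge on every read.
func Authenticate(enrolled *ecdsa.PublicKey, card *Card) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	sig, err := card.Sign(challenge)
	return err == nil && Verify(enrolled, challenge, sig)
}

func main() {
	genuine := NewCard()
	clone := &Card{Pub: genuine.Pub, priv: NewCard().priv} // copied public data, different key
	fmt.Println("genuine:", Authenticate(genuine.Pub, genuine), "clone:", Authenticate(genuine.Pub, clone))
}
```

Because the challenge is new on every read, a signature captured during one presentation does not verify against the next one.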
Many important standards and guidance documents have been released to further support the implementation of HSPD-12. Federal Information Processing Standard 201 (FIPS-201), first issued in 2005, defines the technical interface between the PIV credential and a reader. In February 2011, a new draft (FIPS-201-2) was released for public comment which increases the requirement for use of PKI. To provide guidance for use of PIV credentials in physical access systems, the National Institute of Standards and Technology (NIST) released SP 800-116, a “Guidance for use of PIV Credentials in Physical access Systems.” This guidance sets a baseline for use of PIV credentials in PACS to ensure interoperability by specifying that the full FASC-N, and not a truncated subset, is used for granting access.
The Federal Government is not finished with the effort to ensure that identities can be trusted when it comes to access to networks and facilities. For example, one recent combined memorandum from OMB and DHS, entitled “Continued Implementation of HSPD-12” (M 11-11), requires each agency to “expedite the Executive Branch’s full use of the PIV credentials for access to federal facilities and information systems.” Furthermore, the memorandum sets forth dates: “Effective the beginning of FY2012, existing physical and logical access control systems must be upgraded to use PIV credentials, in accordance with NIST guidelines.”
M 11-11 further states that “Agency processes must accept and electronically verify PIV credentials issued by other federal agencies” which requires PKI validation and verification processes. There are two additional programs in development that will further mandate the use of PKI strong authentication:
ICAM (Identity, Credential and Access Management): The ICAM Subcommittee serves under the Federal Government CIO Council and is comprised of high level security managers from all agencies including DHS, GSA and DoD. The latest version of the FICAM Roadmap for PACS in the target state includes the following characteristic to improve security through the use of strong authentication:
NSTIC (National Strategy for Trusted Identities in Cyberspace): NSTIC is an administration program to improve the security and privacy of online transactions through trusted IDs. The NSTIC program will coordinate with the FICAM Subcommittee, the DHS, GSA, NIST and the White House to improve the security and convenience of sensitive online transactions through the process of authenticating individuals, organizations, and underlying infrastructure. NSTIC will clearly make strong authentication via use of PKI certificates the backbone of all electronic transactions including requests to access Federal facilities.