
1 Card and Reader Overview
Gerald Smith, Sr. Consultant, ID Technology Partners

2 Agenda (November 19)
Characteristics of a TWIC Card
Data Models Supported
Identification / Authentication Methods
Revocation Hot List
Reader Specification Overview
Biometric Interoperability

3 What a TWIC Looks Like
Front and back views of a TWIC (image not reproduced in the transcript)

4 TWIC is a Smart Card
64K of non-volatile memory
Dual interfaces share memory
o Contact interface (ISO/IEC 7816)
o Contactless interface (ISO/IEC 14443)
Physical security features
o Tamper resistant
o Color shifting inks
Logical security features
o Two encrypted fingerprint templates
o Signed data
o PKI certificates

5 TWIC Application Data Models

PIV Application Data Model (SP )
Buffer Description | Access Rule | Contact / Contactless
Card Capability Container | Read Always | Contact
CHUID Buffer | Read Always | Contact & Contactless
PIV Authentication Certificate Buffer | Read Always | Contact
Fingerprint Buffer | PIN | Contact
Printed Information Buffer | PIN | Contact
Facial Image Buffer | PIN | Contact
Digital Signature Certificate Buffer | Read Always | Contact
Key Management Certificate Buffer | Read Always | Contact
Card Authentication Certificate Buffer | Read Always | Contact
Security Object Buffer | Read Always | Contact

TWIC Application Data Model
Buffer Description | Access Rule | Contact / Contactless
Unsigned CHUID Buffer | Read Always | Contact & Contactless
(Signed) CHUID Buffer | Read Always | Contact & Contactless
TWIC Privacy Key Buffer | Read Always | Contact (+ Out of Band)
Fingerprint Buffer | Read Always | Contact & Contactless
Security Object Buffer | Read Always | Contact & Contactless

Shading on the original slide broadly indicates TWIC differences from PIV and PIV differences from TWIC. The notable difference visible in the tables is the fingerprint buffer: the PIV application releases it only after PIN verification and only over the contact interface, while the TWIC application exposes it as Read Always over both interfaces (the template is encrypted under the TWIC Privacy Key instead, see slide 11).

6 What is a CHUID?

Card Holder Unique Identifier (container 0x3000, Always Read)
Data Element (TLV) | Type | Max. Bytes
FASC-N (Compact Form) | Fixed | 25
Agency Code (if with alpha characters) | Fixed | 4
Organization Identifier (if with alpha characters) | Fixed | 4
GUID (IPv6 format or 0) | Fixed Numeric | 16
Expiration Date | Date (YYYYMMDD) | 8
Authentication Key Map (Optional) | Variable | 512
Issuer Asymmetric Signature | Variable | 2816
Error Detection Code | LRC | 0

What is a FASC-N within the CHUID?
FASC-N: Federal Agency Smart Credential Number
Field name | Length (BCD digits) | Field description
AGENCY CODE | 4 | Identifies the government agency issuing the credential
SYSTEM CODE | 4 | Identifies the system the card is enrolled in and is unique for each site
CREDENTIAL NUMBER | 6 | Encoded by the issuing agency. For a given system no duplicate numbers are active
CS | 1 | Credential Series
ICI | 1 | Individual Credential Issue
PI | 10 | Person Identifier
OC | 1 | Organizational Category
OI | 4 | Organizational Identifier
POA | 1 | Person/Organization Association Category
SS | 1 | Start Sentinel. Leading character which is read first when the card is swiped
FS | 1 | Field Separator
ES | 1 | End Sentinel
LRC | 1 | Longitudinal Redundancy Character
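As an added example (not code from the presentation, and not a TSA or NIST reference implementation), the following Python encodes and decodes the 25-byte compact FASC-N described in the table above. The wire layout it assumes is the SCEPACS one: 40 five-bit characters, each carrying 4 BCD data bits LSB-first plus an odd-parity bit, packed MSB-first into 25 bytes; SS, FS and ES are the BCD values 0xB, 0xD and 0xF; the LRC is the XOR of the 4-bit data values of every preceding character, SS through ES. The sample field values are constructed and do not belong to a real credential.

```python
"""Encoder/decoder for the 25-byte compact FASC-N carried in the CHUID.

Constructed example, not code from the presentation or from TSA/NIST.
Assumed encoding: 40 characters of 5 bits (4 BCD data bits LSB-first plus an
odd parity bit), packed MSB-first into 25 bytes; SS/FS/ES are BCD 0xB/0xD/0xF;
the LRC is the XOR of the 4-bit data values of all preceding characters.
"""

SENTINELS = {"SS": 0xB, "FS": 0xD, "ES": 0xF}

# (name, number of BCD characters) in wire order; the LRC is appended last.
LAYOUT = [
    ("SS", 1), ("agency_code", 4), ("FS", 1), ("system_code", 4), ("FS", 1),
    ("credential_number", 6), ("FS", 1), ("credential_series", 1), ("FS", 1),
    ("individual_credential_issue", 1), ("FS", 1), ("person_identifier", 10),
    ("organizational_category", 1), ("organizational_identifier", 4),
    ("person_org_association", 1), ("ES", 1),
]


def _char_bits(value):
    """Five-bit code for one BCD character: data bits LSB-first, then odd parity."""
    data = [(value >> i) & 1 for i in range(4)]
    return data + [1 - sum(data) % 2]


def _to_chars(fields):
    """Field strings -> list of 40 four-bit character values (sentinels, digits, LRC)."""
    chars = []
    for name, length in LAYOUT:
        if name in SENTINELS:
            chars.append(SENTINELS[name])
            continue
        value = fields[name]
        if len(value) != length or not (value.isascii() and value.isdigit()):
            raise ValueError(f"{name} must be exactly {length} decimal digits")
        chars.extend(int(d) for d in value)
    lrc = 0
    for c in chars:           # XOR of data nibbles, SS through ES
        lrc ^= c
    chars.append(lrc)
    return chars


def encode_fascn(fields):
    """Pack the nine FASC-N fields into the 25-byte compact form."""
    bits = [b for c in _to_chars(fields) for b in _char_bits(c)]   # 200 bits
    out = bytearray(25)
    for i, bit in enumerate(bits):                                  # MSB-first
        out[i // 8] |= bit << (7 - i % 8)
    return bytes(out)


def decode_fascn(data):
    """Unpack 25 bytes into a dict of fields, checking parity, framing and LRC.

    Raises ValueError on any integrity failure so a reader never acts on a
    mangled buffer.  These checks detect read errors, not forgery: nothing in
    the FASC-N is secret and an attacker can recompute the LRC.
    """
    if len(data) != 25:
        raise ValueError("compact FASC-N is exactly 25 bytes")
    bits = [(data[i // 8] >> (7 - i % 8)) & 1 for i in range(200)]
    chars = []
    for k in range(40):
        code = bits[5 * k:5 * k + 5]
        if sum(code) % 2 != 1:
            raise ValueError(f"parity error in character {k}")
        chars.append(sum(bit << i for i, bit in enumerate(code[:4])))
    lrc = 0
    for c in chars[:-1]:
        lrc ^= c
    if lrc != chars[-1]:
        raise ValueError("LRC mismatch")
    fields, pos = {}, 0
    for name, length in LAYOUT:
        chunk = chars[pos:pos + length]
        pos += length
        if name in SENTINELS:
            if chunk != [SENTINELS[name]]:
                raise ValueError(f"expected {name} at character {pos - 1}")
        else:
            if any(c > 9 for c in chunk):
                raise ValueError(f"non-BCD digit in {name}")
            fields[name] = "".join(str(c) for c in chunk)
    return fields


# Constructed sample values for the example (not a real credential).
SAMPLE = {
    "agency_code": "0032", "system_code": "0001", "credential_number": "092446",
    "credential_series": "1", "individual_credential_issue": "1",
    "person_identifier": "1112223333", "organizational_category": "1",
    "organizational_identifier": "1223", "person_org_association": "1",
}

if __name__ == "__main__":
    packed = encode_fascn(SAMPLE)
    print(packed.hex())
    print(decode_fascn(packed))
```

The decoder refuses the buffer on a parity, sentinel or LRC failure, which is what the Error Detection Code in the CHUID table is for. Those are integrity checks against read and transmission errors only: a PACS that uses the FASC-N for an access decision still needs the CHUID check from the next slide (issuer signature and hot list), because every field here is public and the LRC is trivially recomputed by anyone forging a CHUID.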

7 Identification / Authentication Methods

Visual Check – Perform a visual inspection of the TWIC: verify the presence of the security features and the expiration date, and visually compare the photo on the card to the individual presenting it
CHUID Check – Verify the CHUID is granted access in the PACS and/or verify the digital signature of the CHUID, and verify the CHUID is not on the Hot List
Biometric Check – Authenticate the individual by performing a 1:1 fingerprint match against the fingerprint template stored in the TWIC
PIN Verification – Require the cardholder to enter the PIN that is stored in the TWIC
Digital Photo Check – Visually compare the photo stored in the TWIC with the individual presenting the card
Card Authentication – Verify the card is authentic and not cloned by performing a private key operation

8 Authentication types using a TWIC

Authentication Type | Contact / Contactless
Biometric and PIN Authentication
  PIN + Biometric | Contact Only
Biometric Authentication
  CHUID + Card Authentication + Biometric / Card | Both
  CHUID + Biometric / Card | Both
  CHUID + Biometric / System | Both
Dual Factor Authentication
  CHUID + Card Authentication + PIN + Digital Photo | Contact Only
  CHUID + Card Authentication + PIN | Contact Only
  Flash Pass + CHUID + Digital Signature | Both
  Flash Pass + CHUID + Card Authentication | Both
Single Factor Authentication
  CHUID + Digital Signature | Both
  CHUID + Card Authentication | Both
  Flash Pass w/ Human | N/A
  CHUID | Both

9 Credential Revocation Hot List

Available now on the pre-Enrollment website
o - Publicly available for reading
Simple format compatible with many PACS
o - Small record contains the revoked credential number and the date of revocation
o - Reason for revocation is not stated in the record
Each revoked credential stays on the list until the original credential expiration date has passed
The hot list is updated daily
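As an added example (not the presentation's or TSA's code), the following Python shows how a PACS could apply the hot list described above together with the CHUID expiration date. The record format (one `credential number,YYYYMMDD revocation date` line per entry), the use of the 14-digit agency/system/credential-number portion of the FASC-N as the lookup key, the one-day staleness limit on the list copy, and the list contents are all assumptions made for this example.

```python
"""Hot-list (revocation) check for a presented TWIC, as a PACS might apply it.

Constructed example, not the presentation's or TSA's code.  Assumed record
format: one revoked credential per line, "<credential number>,<YYYYMMDD>",
where the credential number is the 14-digit agency/system/credential-number
portion of the FASC-N.  The expiration date comes from the card's CHUID; the
hot list carries only the revocation date.
"""
from datetime import date, timedelta

# The list is published daily; a local copy older than this is treated as
# unusable so a reader cannot quietly keep running on stale revocation data
# (assumed policy for this example, not a TWIC requirement).
MAX_LIST_AGE = timedelta(days=1)

# Constructed hot-list content (not real data).
HOTLIST_TEXT = """\
# credential_number,revocation_date
00320001092446,20071105
00320001000123,20070918
"""


def _yyyymmdd(s):
    """Parse the CHUID/hot-list date form; reject anything that is not 8 digits."""
    if len(s) != 8 or not (s.isascii() and s.isdigit()):
        raise ValueError(f"bad YYYYMMDD date {s!r}")
    return date(int(s[:4]), int(s[4:6]), int(s[6:]))


def parse_hotlist(text):
    """Return {credential_number: revocation_date}; a malformed line is fatal."""
    revoked = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 2:
            raise ValueError(f"hot list line {lineno} malformed: {line!r}")
        revoked[parts[0]] = _yyyymmdd(parts[1])
    return revoked


def chuid_check(credential_number, chuid_expiration, revoked, today, list_published):
    """Revocation part of the CHUID check; all dates are YYYYMMDD strings.

    Returns (ok, reason).  Order matters: a stale list is rejected before any
    lookup, and an expired card is rejected on its own, because expired
    credentials drop off the hot list and would otherwise look clean.
    """
    if _yyyymmdd(today) - _yyyymmdd(list_published) > MAX_LIST_AGE:
        return False, "hot list is stale"
    if _yyyymmdd(chuid_expiration) < _yyyymmdd(today):   # valid through expiry day
        return False, "credential expired"
    if credential_number in revoked:
        return False, f"revoked on {revoked[credential_number].isoformat()}"
    return True, "not revoked"


if __name__ == "__main__":
    hot = parse_hotlist(HOTLIST_TEXT)
    for cred in ("00320001092446", "00320001555555"):
        print(cred, chuid_check(cred, "20120301", hot, "20071119", "20071119"))
```

The expiry test is what makes the "stays on the list until expiration" rule safe to rely on: once an entry is dropped, the only thing keeping that credential out is the reader enforcing the CHUID expiration date itself.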

10 Reader Specification Overview

TSA published the TWIC reader working specification on September 11, 2007
Three reader types defined
o - Fixed mount for outdoor use
o - Fixed mount for indoor use
o - Handheld for mobile use
May operate as standalone or network attached
o - Network attached readers should support 2-way communications
  * Allows for upload of the TWIC Privacy Key from a server
Outdoor reader specified to meet diverse environmental conditions
o - Operating temperature range: -20 °C to +70 °C
o - Operating condensing humidity range: 5% to 100%
Transaction time of 3 seconds or less
o - As measured from presentation of the contactless card to completion of the biometric match
Biometric matching equal error rate of 1% or less
Biometric sensor should provide liveness detection

11 Reader Specification and the TPK Concept

The TWIC Privacy Key (TPK) Concept
o - Biometric data is encrypted on the card using this symmetric key
o - TPK enables confidentiality of biometric data over the contactless interface
o - Contactless transfer of biometric data is allowed without PIN verification
TPK and Contactless communications
o - Inspired by the ICAO ePassport cryptographic solution for confidentiality
o - TPK is a diversified key unique to each card
o - TPK is a data object in the TWIC Data Model
o - TPK plays the role a public key would: it is obtained out of band, separately from the data it protects, rather than being distributed secretly (it is still a symmetric key, so whoever reads it can decrypt that card's template)
o - The TPK solution obviates the need for shared key management
TPK accessible from either the magnetic stripe or the Contact interface
o - May be stored in each local access control system server to eliminate the need for reading the magnetic stripe (or performing a contact read) on each use
o - Because the TPK is readable from the card itself, it protects the template against contactless eavesdropping, not against a party who has had contact or magnetic-stripe access to the card

12 Biometric Interoperability

It should be noted that biometric interoperability is defined as the ability of a biometric reader to perform a match of a presented biometric against the ANSI/INCITS 378 formatted enrolled templates provided on the TWIC card by the TSA. Such templates shall be in compliance with the NIST Special Publication INCITS 378 profile for PIV Card templates.
Source: Section 8 of the TWIC Reader Hardware and Card Application Specification (11 Sep 2007)

NOTE: The reader specification requires compliance with that NIST Special Publication; Section 7.3 of it requires NIST certification of template matchers.
Source: that Special Publication, Section 7.3, Test Overview

13 Contact Details:
