11/18/2003 Smart Card Authentication Mechanism Tim W. Baldridge, CISSP Marshall Space Flight Center Office of the Chief Information Officer.

Slides:



Advertisements
Similar presentations
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Advertisements

Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide
Smart Card Security Xufen Gao CS 265 Spring, 2004 San Jose State University.
Card Verification Support
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Digital Certificate Installation & User Guide For Class-2 Certificates.
Operating System Security
Digital Certificate Installation & User Guide For Class-2 Certificates.
1 1 A Synopsis of Federal Information Processing Standard (FIPS) 201 for Personal Identity Verification (PIV) of Federal Employees and Contractors Presentation.
Secure Socket Layer.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Department of Labor HSPD-12
Cryptography Usage in TWIC (Draft v4 8Dec06)
DESIGNING A PUBLIC KEY INFRASTRUCTURE
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Federal Information Processing Standard (FIPS) 201, Personal Identity Verification for Federal Employees and Contractors Tim Polk May.
FIT3105 Smart card based authentication and identity management Lecture 4.
Mar 11, 2003Mårten Trolin1 Previous lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Chapter 10 Boundary Controls. Cryptographic Controls Cryptology is the science of secret codes Cryptography deals with systems for transforming data into.
TrustPort Public Key Infrastructure. Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.
Microcrypt Technologies SPACER Secure Physical Access Control Enhanced Reader for contactless cryptographic smart cards.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Understanding Security Lesson 6. Objective Domain Matrix Skills/ConceptsMTA Exam Objectives Understanding the System.Security Namespace Understand the.
Digital Signature Technologies & Applications Ed Jensen Fall 2013.
CSCI 6962: Server-side Design and Programming
OV Copyright © 2011 Element K Content LLC. All rights reserved. System Security  Computer Security Basics  System Security Tools  Authentication.
Trust Anchor Management Problem Statement 69 th IETF Trust Anchor Management BOF Carl Wallace.
HSPD-12 and FIPS-201 Overview v Learning Objectives At the end of this course, you will be able to: Describe Homeland Security Presidential Directive.
SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.
1 Chapter 9 E- Security. Main security risks 2 (a) Transaction or credit card details stolen in transit. (b) Customer’s credit card details stolen from.
Week #7 Objectives: Secure Windows 7 Desktop
1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
©2008 Gotham Digital Science Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Key Management Workshop November 1-2, Cryptographic Algorithms, Keys, and other Keying Material  Approved cryptographic algorithms  Security.
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Web Security : Secure Socket Layer Secure Electronic Transaction.
Chapter 21 Distributed System Security Copyright © 2008.
Key Management. Session and Interchange Keys  Key management – distribution of cryptographic keys, mechanisms used to bind an identity to a key, and.
Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.
Page 1 ©1999 InfoGard Laboratories, Inc Centre for Applied Cryptographic Research workshop, Nov. 8, 1999 Third party evaluations of CA cryptographic implementations.
28 th International Traffic Records Forum Biometrics/SmartCard Workshop 28 th International Traffic Records Forum August 4, 2002 Orlando, Florida.
Topic 1 – Introduction Huiqun Yu Information Security Principles & Applications.
Pertemuan #9 Security in Practice Kuliah Pengaman Jaringan.
SMUCSE 5349/7349 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
Chapter 14: Representing Identity Dr. Wayne Summers Department of Computer Science Columbus State University
Chapt. 10 – Key Management Dr. Wayne Summers Department of Computer Science Columbus State University
Smart Card Authentication Mechanism Tim W. Baldridge, CISSP Marshall Space Flight Center Office of the Chief Information Officer.
Introduction Contain two or more CPU share common memory and peripherals. Provide greater system throughput. Multiple processor executing simultaneous.
SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
Online Decision Process
Page 1 of 17 M. Ufuk Caglayan, CmpE 476 Spring 2000, SSL and SET Notes, March 29, 2000 CmpE 476 Spring 2000 Notes on SSL and SET Dr. M. Ufuk Caglayan Department.
Mar 18, 2003Mårten Trolin1 Agenda Parts that need to be secured Card authentication Key management.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
TAG Presentation 18th May 2004 Paul Butler
Chapter One: Mastering the Basics of Security
Cryptographic Hash Function
TAG Presentation 18th May 2004 Paul Butler
Radius, LDAP, Radius used in Authenticating Users
Presentation transcript:

11/18/2003 Smart Card Authentication Mechanism Tim W. Baldridge, CISSP Marshall Space Flight Center Office of the Chief Information Officer

11/18/2003Page 2 Overview o A Token must provide interoperable, enhanced security compared to magnetic stripe and similar serial data transmission security technologies o The Token encoding must be highly tamper, counterfeit and cloning resistant o The Token Unique Identifier (UID) and Identification data are free read and may be optionally validated and authenticated o Identification data is formatted as 25 byte packed SEIWG 012 string for legacy compatibility o A Token UID and data is validated using a free read Message Authentication Code (MAC) o Optional internal token authentication is for high security protection profiles and applications

11/18/2003Page 3 Overview (cont.) o A Token is issued to a Holder by a home of record Issuer in an Enrollment process following the Federal Identity Credential model o Issuer policy defines a level of assurance associating a Token to a Holder o The Issuer manages the data structure and contents of issued Tokens o The Issuer maintains and does not reveal master Token and application write access secrets to a holder or other party.

11/18/2003Page 4 Overview (cont.) o A Holder initiates an Access Transaction to a Physical Access Control System (PACS) application which has free read to Token identification (SEIWG) and validation (MAC) data o A Holder initiates a Enrollment Transaction to access a PACS or related support system in cooperation with or independent of the Issuer according Issuer policy and token configuration o An Enrollment Transaction is distinct from an Access Transaction

11/18/2003Page 5 Assumptions o No change to existing PACS except field replaceable readers compatible with new Token technology o Validation and Authentication is optional and may be performed at the reader, panel or system o Validation and Authentication data must not interfere with PACS authorization mechanisms o Three protection profile levels are described: Low, Medium and High

11/18/2003Page 6 Protection Profiles o Low – Basic Interoperability o Free read SEIWG string o no validation or authentication o Medium – Validated Data o Free read SEIWG String o Free read MAC, reader computes and validates MAC o High – Authenticated Token o Free read SEIWG String o Free Read MAC, reader computes and validates MAC o Token Authentication from MAC derived token key

11/18/2003Page 7 High Security Use Case Constraints o High security function, i.e. authentication, is optional for both tokens and readers o Higher security tokens can be used transparently in lower security profiles o High works with both Medium and Low o Medium works with Low o High security profiles require o Token key write and key export prevention o Reader true random number generator (for cryptographic challenge)

11/18/2003Page 8 Message Authentication Code (MAC) o By design a MAC is unique to every Token for every PACS secret o The Token must store a separate MAC for each PACS secret to validate the Token UID and Holder Identification SEIWG string o A MAC is used only to validate a Token UID and Identification data and is not used to determine authorization for access o Each PACS may have one or more secret keys that are unknown to any other system or authority, these secrets must be used to generate the unique MACs for every Token that will be validated and authenticated by a PACS

11/18/2003Page 9 Message Authentication Code (MAC) o The MAC is generated by concatenating the Token Unique Identifier (7 bytes) and the SEIWG string (25 bytes) then performing a 3DES CBC – Send Mode Enciphering with a initial vector of 8 X 0x00 and a 16 byte secret key o The MAC value is the first 4 bytes from the last stage of the CBC enciphering o In an optional high security profile the token key is a 3DES enciphering of the applicable MAC o In a high security profile a PACS may use the same or different 3DES key to encipher the MAC for the token Key

11/18/2003Page 10 MAC Data Model o Managed MACs are stored as a concatenated list under a single TLV in the same EF (elementary file) as the SEIWG o Security MACs, if present, are managed by the Issuer and are stored with additional token specific data under a single TLV in a separate EF o Un-managed MACs, if permitted by policy, are stored as a concatenated list under a single TLV in a separate EF. o If Security or Un-managed MACs exist on the token the EF FIDs are specified with a TLV in the same EF as the SEIWG to enable chaining to both the Security and the Un-managed MACs

11/18/2003Page 11 MAC Data Model o Managed and Security MACs are only written by the Issuer and are protected from otherwise unauthorized modification o Un-managed MACS are free write to the maximum size of the EF and are written cyclically in a FIFO replacement o Both the Managed and Un-Managed MAC TLV lists are always n X 4 bytes where n is the number of MACs in the list o The Security MAC list is (n+m) X 4 bytes where n is the number of MACs in the list and m is the number of token specific authentication bytes (i.e. AID, FID, and key number as required)

11/18/2003Page 12 Access Transaction - Medium o REQA o RATS – Returns UID o Select File (0007 or 3000) o Read Binary o SEIWG o Managed MACs o Secured MACs FID + Token type + Algorithm (optional) o Un-Managed MACs FID (optional) o The reader internally generates a MAC from the Token UID and SEIWG, then compares for a match in managed MAC list o If no match is found in the Managed MAC List and If a Secured MAC FID TLV exists it is checked first in the High Security Access Transaction o If the Secured MAC FID TLV does not exist or the reader generated MAC does not match an entry on the Secured MAC list then o Select File (Unmanaged MACs FID) o Read Binary o Reader compares internally generated MAC to the Un-Managed MAC list, o If no match on any of the three lists, validation fails o Authorization is determined by the PACS using SEIWG identification data

11/18/2003Page 13 Access Transaction - High o REQA o RATS – Returns UID o Select File (0007 or 3000) o Read Binary o SEIWG o Managed MACs o Secured MACs FID + Token type + Algorithm (optional) o Un-Managed MACs FID (optional) o The reader internally generates a MAC from the Token UID and SEIWG, then compares for a match in the managed MAC list and fails, and if the Secured MACs TLV exists o Select File (Secured MACs FID) o Read Binary o Secured MAC List (MAC + AID + FID + key no) o Reader compares internally generated MAC to the Secured MAC list, o If no match or the Secure list does not exist, the Secure validation fails and the Un-Managed MAC list is processed according to the Medium level Access Transaction o If a match on the Secure MAC list exists, a reader key is used to encipher the reader generated MAC creating the token specific internal key o Reader internally authenticates token using the generated token key o Authorization is determined by the PACS using SEIWG identification data

11/18/2003Page 14 Managed Enrollment Transaction o The Holder contacts Issuer for validated access to the requested remote system o The Issuer proxies the request, including Token UID and SEIWG, to remote system; if accepted the remote system returns MAC to the Issuer o The Issuer records pertinent data and writes MAC to managed MAC list on Token o The remote system authorizes access as appropriate using the SEIWG for identification

11/18/2003Page 15 Un-Managed Enrollment Transaction o The Holder presents card for non-Issuer enrollment to a remote system o The Holder presented identity is verified by a remote system security officer o The MAC is generated from Token UID and SEIWG and written to the Un-managed MAC list if present o If the Un-managed MAC list is not present then the Token UID and SEIWG identification data validation is not possible o The Remote system authorizes access as appropriate using the SEIWG for identification with or without validation

11/18/2003Page 16 Secure Enrollment Transaction o The Holder contacts Issuer for authenticated access to the requested remote system o The Issuer proxies the request, including Token UID and SEIWG, to remote system; if accepted the remote system returns the MAC to the Issuer o The Issuer records pertinent data and writes the MAC and token specific data to the Secure MAC list on the Token o The Issuer creates an EF (AID, FID and Key Number) on the token and provides a key to the remote system for Token specific key injections access the specified EF o The remote system verification officer verifies Holder identity and injects token key to complete enrollment o The remote system authorizes access as appropriate using SEIWG for identification

11/18/2003Page 17 Risks o Generating a MAC cannot prevent token cloning. However the MAC is an effective measure against data tampering of an issued credential. o The only effective measure against token cloning is an internally computed token response to a random external challenge o Internal token authentication for contact-less token technology remains proprietary o Contact-less Token authentication technology interoperability cannot be guaranteed or mandated at this time and may require matched contact-less tokens and readers

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.