Tuesday, April 24, 2007

What's there in an expiration date ???

Why Expiration Date for PIV Credentials ???

Physical access control systems (PACS) validate an identity before allowing entry to and/or exit from a facility. In a traditional physical access system that identity is a plain, simple unique identifier: a unique number encoded on the token using one of several technologies. At times a physical access system obfuscates the unique identity number by encryption or scrambling.

PIV requires more than a unique number to be part of the card holder's unique identifier, so that the identifier "binds" the holder to the token. In PIV lingo this ID is known as the CHUID, and it has several components. The card holder is identified not only by the unique number but also by the agency where he/she is employed, the system code, the credential number and the expiration date of the identity card.

Why was there a need to add the expiration date to the card holder's unique identifier?
Well, PIV has been designed for interoperability, and to achieve real inter-agency interoperability the critical information on which the user is allowed into a facility should be available on the card, and be portable. Therefore, if Alice enters facility FA, where she works, her identity can be verified. Now, let's say Alice goes to facility FB: her identity can be verified, and access granted or denied, not only from the agency code and credentials but also from the expiration date that travels with them on the card.

This is really the right design for an interoperable and secure physical access control system. Therefore I am all for it, and would add that any implementation which doesn't verify the expiration date is truly not an interoperable PACS. It also doesn't implement the specification in its entirety.

Security systems whose access control policy does not verify the expiration date through a database MUST check the expiration date on the card; where both a card date and a database date are available, whichever date comes first takes priority over the other.

If a card is issued to a visitor, the expiration date on the temporary badge must be encoded so that it places a time restriction on access to the facility. Let's win our freedom by not compromising the system anytime !!
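The access decision described in this post, as an added example that is not part of the original post or of any PIV/PACS product: the card's expiration date is always checked, a database date (when one exists) competes with it and the earlier one wins, a badge with no encoded expiration date is refused, and a card from another agency can be judged on the agency code and expiration date it carries. The `CardIdentifier` record is a constructed, simplified stand-in for the CHUID components the post lists, not the real CHUID encoding; agency and system codes, facility names and dates are made-up sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class CardIdentifier:
    """Constructed, simplified stand-in for the CHUID components the post
    lists (agency code, system code, credential number, expiration date).
    It is NOT the real CHUID/FASC-N encoding; field values are made up."""
    agency_code: str
    system_code: str
    credential_number: str
    expiration: Optional[date]     # date encoded on the card, None if absent
    visitor: bool = False          # True for a temporary visitor badge


@dataclass(frozen=True)
class EnrollmentRecord:
    """Constructed PACS database record for a locally enrolled credential."""
    expiration: Optional[date]     # None: this PACS keeps no expiry in its DB
    facilities: FrozenSet[str]     # facilities the enrollment authorises


@dataclass(frozen=True)
class FacilityPolicy:
    """Constructed local policy: agency codes whose employees may enter."""
    name: str
    trusted_agencies: FrozenSet[str]


def effective_expiration(card: CardIdentifier,
                         record: Optional[EnrollmentRecord]) -> Optional[date]:
    """The post's rule: the card date is always checked, and when the
    database also carries a date, whichever comes first takes priority."""
    candidates = [card.expiration]
    if record is not None:
        candidates.append(record.expiration)
    dates = [d for d in candidates if d is not None]
    return min(dates) if dates else None


def decide(card: CardIdentifier, record: Optional[EnrollmentRecord],
           policy: FacilityPolicy, today: date) -> Tuple[bool, str]:
    """Grant/deny decision for a card presented at one facility."""
    # A badge with no encoded expiration date is rejected outright; this is
    # what forces temporary visitor badges to carry a time restriction.
    if card.expiration is None:
        return False, "card carries no expiration date"
    expires = effective_expiration(card, record)
    if today > expires:
        return False, "credential expired on %s" % expires.isoformat()
    # Locally enrolled holder (Alice at her own facility FA).
    if record is not None and policy.name in record.facilities:
        return True, "enrolled locally and not expired"
    # Inter-agency case (Alice at FB): the agency code and expiration date
    # carried on the card are enough to decide, no local record needed.
    # Visitor badges are never accepted on the agency code alone.
    if not card.visitor and card.agency_code in policy.trusted_agencies:
        return True, "trusted agency code and card not expired"
    return False, "not enrolled here and agency code not trusted"


if __name__ == "__main__":
    # Constructed sample values.
    alice = CardIdentifier("1234", "0001", "000001", date(2009, 4, 1))
    fa = FacilityPolicy("FA", frozenset({"1234"}))
    fb = FacilityPolicy("FB", frozenset({"1234"}))
    rec = EnrollmentRecord(date(2008, 1, 1), frozenset({"FA"}))
    print(decide(alice, rec, fa, date(2007, 4, 24)))   # granted at home facility
    print(decide(alice, rec, fa, date(2008, 6, 1)))    # DB date is earlier and wins
    print(decide(alice, None, fb, date(2007, 4, 24)))  # inter-agency, judged from card
```

The second call in the demo is the point of the post's "date which comes first" rule: the card still says 2009, but the database enrollment lapsed in January 2008, so access is denied. Swapping the two dates produces the opposite case, where a card that expired before the database record is refused even though the database still lists the holder.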


---

Wednesday, April 18, 2007

FCC Title 47, Part 15 for Identity Applications

FCC Title 47, Part 15

Electronic products and boards which emit electromagnetic radiation, intentionally or unintentionally, need Federal Communications Commission (FCC) certification in the United States to confirm that they comply with the rules and guidelines of the FCC. Usually the finished product needs to be certified, but at times board-level certification may be sufficient, so that the board can be added to a motherboard which has already been certified. A certified board is presumed not to violate the FCC certification when added to the host device.

Part 15 applies to all products which do not require a license for their operation. For the same reason, RFID readers for smart cards and tags need to be certified and approved for compliance with the following emission requirements.

Subparts of Part 15 (Unlicensed Low Power Intentional Radiators)
Part 15 is further divided into subparts as follows.
Subpart A: Contains information about testing, certification, legal implications, definitions, prohibitions and labeling.
Subpart B: Presents rules for unintentional radiators.
Subpart C: Contains rules for intentional radiators.
Subpart D: Unlicensed personal communication devices.
Subpart E: Unlicensed NII (National Information Infrastructure) devices.
Subpart G: Rules for broadband over power line (BPL).


Device Types - Class A and Class B

The intentional radiators are classified into two classes:

  1. Class A: A digital device marketed for use in a commercial, industrial or business environment, excluding a device marketed for use by the general public or intended to be used in the home.

  2. Class B: A digital device marketed for use in a residential environment, notwithstanding use in commercial, business and industrial environments. Examples of such devices include personal computers, calculators, and similar electronic devices marketed for use by the general public.

Identity card physical access readers are classified as Class B devices, since they are typically used in offices in close proximity to people. Based on the frequency of transmission, radiators are generally categorized as follows.


Device Types based on frequency

  • low freq: 125-190 kHz; 1 watt power; 15 m of antenna length
  • med freq: 510-1705 kHz; 0.1 watt power; 3 m of antenna length
  • high freq: 14 kHz wide band at 13.56 MHz; 4.8 milliwatt power; dipole or 1/4-wave vertical

Most identity tags are passive and are either low- or high-frequency (freq) receptors. The prox card technology from Casi-Rusco/GE and HID operates at 125 kHz. However, proximity and vicinity technology operates at 13.56 MHz, which has a different set of radiation requirements.


Nearest Frequencies where Intentional Radiators (125 kHz or 13.56 MHz) can't Radiate

Intentional radiators, readers in this case, can't emit in the frequency ranges listed below. The full list in Part 15 is more exhaustive; the following is the subset of restricted bands that fall near 125 kHz / 13.56 MHz readers.

  • 90-110 kHz / 495-505 kHz
  • 12.57675-12.57725 MHz / 13.36-13.41 MHz / 16.42-16.423 MHz

Field Strength Limits for 13.56 MHz Technology (Additional Provision, Section 15.225)

PIV/FIPS 201 doesn't specify either the low freq (125 kHz) or the longer-range ISO 15693 (vicinity) technology, which is designed to work at distances up to 100 cm. For 13.56 MHz, the field strength at a distance of 30 m should be as follows:

  • 13.553-13.567 MHz: field strength should not exceed 15,848 µV/m at 30 m.
  • 13.410-13.553 MHz and 13.567-13.710 MHz: field strength shall not exceed 334 µV/m at 30 m.
  • 13.110-13.410 MHz and 13.710-14.010 MHz: field strength shall not exceed 106 µV/m at 30 m.
  • The frequency tolerance of the carrier shall be maintained within ±0.01% over the temperature range of -20 to +50 °C.

Field Strength Limits for 125 kHz Technology

For 125 kHz readers, the maximum radiated field strength allowed is as follows:

  • 9-490 kHz: field strength should not exceed 2400/F(kHz) µV/m at 300 m. For a frequency of 125 kHz, F = 125, therefore the field strength should not exceed 2400/125 = 19.2 µV/m at 300 m.
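The limits and restricted bands from this post, as an added example that is not part of the original post or of any FCC test procedure: a small checker that looks up the applicable limit for a reader's carrier (the 2400/F rule at 300 m for the 125 kHz case, the Section 15.225 table at 30 m for the 13.56 MHz case), flags carriers that land in one of the restricted bands the post lists, converts to the dBµV/m figures that test reports quote (20·log10 of the µV/m value), and reports the margin of a measurement against the limit. The measured values in the demo are constructed. Frequencies outside the bands the post covers, and measurements taken at a distance other than the band's reference distance, are refused rather than extrapolated, since the post gives no extrapolation rule.

```python
import math
from typing import Dict, Optional, Tuple

# Restricted bands near 125 kHz / 13.56 MHz readers, from the post's list,
# as (lower_kHz, upper_kHz). A reader may not radiate inside these.
RESTRICTED_BANDS_KHZ = [
    (90.0, 110.0),
    (495.0, 505.0),
    (12576.75, 12577.25),   # 12.57675-12.57725 MHz
    (13360.0, 13410.0),     # 13.36-13.41 MHz
    (16420.0, 16423.0),     # 16.42-16.423 MHz
]

# Section 15.225 limits at 30 m from the post: (lower_kHz, upper_kHz, uV/m).
# Narrowest band first so the carrier band is matched before its neighbours.
LIMITS_15_225_UV_PER_M = [
    (13553.0, 13567.0, 15848.0),
    (13410.0, 13553.0, 334.0),
    (13567.0, 13710.0, 334.0),
    (13110.0, 13410.0, 106.0),
    (13710.0, 14010.0, 106.0),
]


def in_restricted_band(freq_khz: float) -> bool:
    """True when a carrier would fall in one of the listed restricted bands."""
    return any(lo <= freq_khz <= hi for lo, hi in RESTRICTED_BANDS_KHZ)


def field_strength_limit(freq_khz: float) -> Optional[Tuple[float, float]]:
    """Return (limit_uV_per_m, measurement_distance_m) for the bands the
    post covers, or None when the frequency is outside them.
    9-490 kHz: 2400/F(kHz) uV/m at 300 m (the 125 kHz case).
    13.11-14.01 MHz: the Section 15.225 table at 30 m (the 13.56 MHz case)."""
    if 9.0 <= freq_khz <= 490.0:
        return 2400.0 / freq_khz, 300.0
    for lo, hi, limit in LIMITS_15_225_UV_PER_M:
        if lo <= freq_khz <= hi:
            return limit, 30.0
    return None


def to_dbuv_per_m(uv_per_m: float) -> float:
    """Field strength in dBuV/m, the unit test reports usually quote."""
    return 20.0 * math.log10(uv_per_m)


def check_emission(freq_khz: float, measured_uv_per_m: float,
                   distance_m: float) -> Dict[str, object]:
    """Compare a measured field strength against the applicable limit.
    The measurement distance must equal the limit's reference distance;
    this example deliberately refuses to extrapolate between distances."""
    if in_restricted_band(freq_khz):
        return {"compliant": False, "reason": "carrier in restricted band"}
    limit = field_strength_limit(freq_khz)
    if limit is None:
        raise ValueError("frequency outside the bands covered here")
    limit_uv, ref_distance = limit
    if distance_m != ref_distance:
        raise ValueError("measure at %g m for this band" % ref_distance)
    within = measured_uv_per_m <= limit_uv
    margin_db = to_dbuv_per_m(limit_uv) - to_dbuv_per_m(measured_uv_per_m)
    return {"compliant": within,
            "limit_uv_per_m": limit_uv,
            "margin_db": round(margin_db, 2),
            "reason": "within limit" if within else "exceeds limit"}


if __name__ == "__main__":
    print(field_strength_limit(125.0))             # the post's 19.2 uV/m at 300 m
    print(field_strength_limit(13560.0))           # 15,848 uV/m at 30 m
    print(check_emission(125.0, 10.0, 300.0))      # constructed measurement, within limit
    print(check_emission(13560.0, 20000.0, 30.0))  # constructed measurement, exceeds
```

The 15,848 µV/m figure for the carrier band works out to 84 dBµV/m and the 125 kHz figure to roughly 25.7 dBµV/m, which is the form a test lab's plot will show them in.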


---

Monday, April 09, 2007

FIPS 201 -- a success story ...

FIPS 201 -- Steps in right direction

For the first time, users have been bold enough to accept a new technology not really used for the purpose it was invented for; the path followed was to define and standardize this widely accepted security technology.

The use of a smartcard as an identity card for physical as well as logical security across all federal government facilities, computer systems and employees is not only a technically bold move but also a smart decision; it is a solution designed in response to HSPD-12. Critics have argued that the cards, although they improve security, invade our privacy, but for the first time they are wrong and the system security architects are right. Isn't leaving your fingerprints on that door you know you opened last a privacy issue? Can we do anything about it? Well, the answer is N ... !!


The best way to design a secure authentication system is to use multi-factor authentication. Releasing secure credentials only upon verification of a secret that you know makes for the "proper" design of the system, even for physical access systems that have high traffic and strict requirements for short transaction times.


The amalgamation of physical and logical security into a dual-interface card brings cutting-edge technology to bear on security. Before FIPS 201, access cards were either contact or contactless, talking to the reader at different frequencies (125 kHz and 13.56 MHz). The technology enabler for FIPS 201 is, for all practical purposes, the dual-interface card, which at least has the capability to transfer the unique holder identifier to the reader through both interfaces. It couldn't have been thought out better than the way it has been defined for the PIV application.


Physical access does pose a threat of revealing the CHUID, which is otherwise secured and never let out, but isn't this a convenience factor as well? Encrypting the cardholder's unique identifier is not the best option because of its adverse effects on transaction time and the hassle of managing cryptographic keys. Security is built into the specification by limiting the read range to less than 10 cm. The user's card can be interrogated without his knowledge, but then the cards are required to be kept in a protective shield.

FIPS 201 -- possible future enhancements

A. Is the PIV card open for post-issuance application download?
If at all the card is open for post-issuance download, methods to download an application onto the card need to be defined in the specifications. Although this part is well covered in Global Platform, there is a need for application-level specifications. In the present state of the specifications this has been left open, and leans towards post-issuance download of applications.

B. Why not encrypt communication between the card and the reader?
Even though the distance between the reader and the PIV card in the field can't be more than 10 cm, there have been concerns about snooping the CHUID and the popular message replay attack. The specification needs to address encryption of the data, and its decryption, in an interoperable way.

C. What is the best method to swap the credentials if needed?
Well, if the cost of a PIV card is this ($$$) much, can't issuers update the card with a new set of credentials? A method to retain the container and update the credentials has not been defined or thought of in the specifications.

D. The format from the card readers to the access control systems has not been clearly defined and detailed.
Although this is PACS-implementation dependent, a specification addendum may address this to cover all the holes in interoperability. In most cases the reader-to-controller interface is Wiegand; however, there are some systems that use F/2F as well. There needs to be a common standard, which will help protect the investment of Federal agencies.
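To make item D concrete, an added example that is not part of the original post or of any PACS vendor's code: an encoder and a parity-checking decoder for the common 26-bit Wiegand frame (one even-parity bit, an 8-bit facility code, a 16-bit card number, one odd-parity bit; the layout is widely documented and is not taken from the post), plus a bit-budget check showing why the CHUID components the earlier post lists (agency code, system code, credential number) cannot travel intact in that frame. The facility code, card number and CHUID field values used in the demo are constructed. The decoder rejects a frame whose parity does not check rather than handing a corrupted number to the controller.

```python
from typing import List, Tuple

# Common 26-bit Wiegand frame layout (widely documented, not from the post):
#   bit 0      even parity over bits 1-12
#   bits 1-8   facility code (8 bits)
#   bits 9-24  card number (16 bits)
#   bit 25     odd parity over bits 13-24
FACILITY_BITS = 8
CARD_BITS = 16


def _to_bits(value: int, width: int) -> List[int]:
    """Most-significant bit first, fixed width."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def _from_bits(bits: List[int]) -> int:
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def encode_wiegand26(facility_code: int, card_number: int) -> List[int]:
    """Build the 26-bit frame a reader would clock out to the controller."""
    if not 0 <= facility_code < (1 << FACILITY_BITS):
        raise ValueError("facility code does not fit in 8 bits")
    if not 0 <= card_number < (1 << CARD_BITS):
        raise ValueError("card number does not fit in 16 bits")
    body = _to_bits(facility_code, FACILITY_BITS) + _to_bits(card_number, CARD_BITS)
    even = sum(body[:12]) % 2          # bits 0-12 end up with an even count of ones
    odd = 1 - (sum(body[12:]) % 2)     # bits 13-25 end up with an odd count of ones
    return [even] + body + [odd]


def decode_wiegand26(frame: List[int]) -> Tuple[int, int]:
    """Controller side: verify both parity bits, then split the fields.
    A frame with a flipped bit is rejected instead of silently decoded."""
    if len(frame) != 26 or any(b not in (0, 1) for b in frame):
        raise ValueError("not a 26-bit frame")
    if sum(frame[0:13]) % 2 != 0:
        raise ValueError("even parity check failed")
    if sum(frame[13:26]) % 2 != 1:
        raise ValueError("odd parity check failed")
    facility_code = _from_bits(frame[1:1 + FACILITY_BITS])
    card_number = _from_bits(frame[1 + FACILITY_BITS:25])
    return facility_code, card_number


def chuid_fields_fit_26bit(agency_code: int, system_code: int,
                           credential_number: int) -> bool:
    """Bit-budget check: could the three CHUID components travel intact in
    one 26-bit frame? Only 24 data bits exist, so realistic values do not."""
    needed = (max(agency_code.bit_length(), 1)
              + max(system_code.bit_length(), 1)
              + max(credential_number.bit_length(), 1))
    return needed <= FACILITY_BITS + CARD_BITS


if __name__ == "__main__":
    # Constructed sample values.
    frame = encode_wiegand26(123, 45678)
    print("".join(str(b) for b in frame))
    print(decode_wiegand26(frame))                    # (123, 45678)
    corrupted = list(frame)
    corrupted[5] ^= 1                                 # one flipped data bit
    try:
        decode_wiegand26(corrupted)
    except ValueError as err:
        print("rejected:", err)
    print(chuid_fields_fit_26bit(9999, 9999, 999999))  # False: needs 48 bits
```

Because the frame carries only a facility code and a card number, a PACS fed by 26-bit Wiegand can at best map a PIV card to a locally assigned number, which is exactly the loss of interoperability this item is about; a common, wider reader-to-controller format is what would let the agency code, system code, credential number and expiration date reach the controller intact.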


E. It's a popular misconception that an expiration date is not required for visitors to be given access, but this misconception is a mis---conception.
The specification does mention that they are necessary and required for all roll-outs.



---