1

Cryptography Usage in TWIC(Draft v4 8Dec06)

National Maritime Security Advisory Committee TWIC Working Group

By

The TWIC Working Group Security Industry Task Team

2

Topics• Information security and cryptography overview• FIPS 201-1 cryptography options• Factors driving cryptography choices• Comparison of available choices• Next steps and resources

3

Cryptographic Goals

Cryptography is a not a solution by itself, but is a tool used to achieve security goals such as:

• Authentication• Entity authentication – I am who I say I am• Data origin authentication – This data comes from a trusted source

• Data Integrity• Detect unauthorized change or substitution of data

• Privacy and Confidentiality• Control who can read data

• Non-repudiation• Prevent denial of action - It can be proved that I signed this data

4

Useful Cryptographic Terms• Encryption and Decryption

• Encryption makes data unreadable to unauthorized people or machines• Decryption makes encrypted data readable to authorized people or machines

• MACs, Digital Signature, Signature Verification• MAC (Message Authentication Code) - A small piece of (usually symmetric)

cryptographic data used to check the authenticity and integrity of message data• A digital signature binds data to an originator, assuring integrity and authenticity• The sender digitally signs data; the recipient verifies the digital signature

• Key Management• All activities related to generation, exchange, storage, safeguarding, use, vetting,

replacement and destruction of keys.• Key management requires not just technology, but also policy and procedures.

• Compromise• Unauthorized disclosure, modification, substitution or use of sensitive data.• Compromised keys or crypto system components can weaken system security

• Symmetric and Asymmetric• Two flavors of cryptographic mechanisms described later in greater detail

5

Symmetric Cryptography• One common cryptographic secret key for all authorized parties

• Security depends on only authorized parties knowing the key• Examples

• TDES – Triple Data Encryption Standard (DES): Encryption and decryption• TDES MAC – used for authentication and data integrity• AES (Advanced Encryption Standard) - Selected by NIST in 2000

• AES has multiple modes with different characteristics• Example: Counter with Cipher Block Chaining-Message Authentication Code

(CCM) is used for authentication and data integrity• Advantage

• Good performance – designed for hardware implementation• Only one secret key to manage

• Disadvantage • Greater risk in sharing the secret key among many people or machines• Makes it harder to implement across multiple organizations (e.g., federated)• Cryptographic schemes to protect the secret key (e.g., key transport protocol)

may be used, but impacts performance and adds to complexity

6

Asymmetric Cryptography

• Asymmetric cryptography uses a key pair to protect data• A public key (available to the general public) is used to encrypt data or verify

digital signatures.• Knowledge of a public key does not compromise system security

• A private key (held by the owner) is used to decrypt or digitally sign data• Examples

• RSA • Elliptical curve

• Advantages• Minimal exposure of private key since other parties do not require this portion• Unique key pair per entity/device minimizes impact of compromised keys

• Disadvantages• Longer computation times due to complex algorithm and large key sizes• Some mechanism (e.g. Public Key Infrastructure - PKI) must be in place to verify

integrity and authenticity of public keys

7

Smart Cards vs. Proximity Cards

• Both use contactless radio frequency (RF) transfer technology• Differences are in frequency, communications range, and security design

• Proximity uses 125 KHz frequency• Smart card uses 13.56 MHz frequency

• Smart cards originated in telecom and finance industries• Offers a secure channel capability by virtue of on-board microprocessor

• Smart cards widely acknowledged as offering higher security• Proximity card can only store the card identification number

• Cannot store biometrics on the card

• Proximity technology represents approximately 85% of the installed base for physical access control systems (PACS)

8

PIV card in Contactless Mode

• PIV contactless mode is limited to a few operations• Read Card Holder Unique ID (CHUID)

• CHUID is unprotected, available to any reader• CHUID contains personal identifiers

• Authenticate the card using the Card Authentication Key• Read Card Authentication Key certificate• Verifies the card is authentic, but does not verify the cardholder• Meaningful only if the issuer signature is also checked

• Features not supported by PIV in contactless mode• PIV does not include secure channels to transfer data

• However, industry has secure channel options in widespread use• No biometric data or operations are available in contactless mode• No PIN authentication with the PIV card in contactless mode

• PIV specification permits additional features and software (applets) placed on the PIV card to extend functionality

9

Impact of Cryptography Choices• Performance is critical in contactless applications

• Need to go from “power on” to “transaction complete” in less than second• Some algorithms require more processing time

• FIPS 140-2 crypto certification (if used) requires startup self-test which adds to transaction time

• Key management• Symmetric key management may be impractical in large deployments• Asymmetric key management requires validation infrastructure• Need for trained staff to manage keys• Need for policy and procedures

• Approved uses and modes• Standards recognize specific uses of cryptography • New unique crypto approaches with secure properties are rare

• Strength and planned obsolescence• Regulators publish schedules for retirement of weaker (more vulnerable)

algorithms

10

Methods of Contactless Transmission

• Send data in clear• Use a secure channel• Encrypt data• Sign data

11

Send Data in Clear

• The finger print template would be a free read• No security

• Data is in clear

• However, there are counter arguments that biometric data are not secrets and therefore have little security impact if exposed

• No privacy• Could be read by an unauthorized reader without the card holders

knowledge or consent

• However, templates cannot be used to reconstruct a fingerprint image

• Easy to implement• Fastest method

12

Use a Secure Channel• TWIC Card and the physical access control system (PACS) would

mutually authenticate to each other• The two parties suitably authenticate each other

• Only trusted TWIC card will talk to trusted PACS• Requires key management scheme• Currently widely implemented with symmetric keys

• Diversified keys based on card serial number can reduce risk of key exposure• Creates a unique key by combining master key with other data

• Asymmetric keys could used but still experimental phase• Reduce risk key exposure to one card• Requires the PACS to receive a PKI certificate when the card is used driving the

need for PACS to be connected to the PKI authority• However, doesn’t require a real-time connection from the reader to the Internet

• Computationally intensive requiring more computing power and time

13

Encrypt Data

• Fingerprint template is in an encrypted free read file• Protects the confidentiality of the biometric data

• Data encryption only protects the confidentiality of biometric data

• Could use symmetric encryption

• Asymmetric encryption requires restricted distribution of the public key.• Exposure of public key would only represent a privacy issue and would still

provide security integrity• Private key would be restricted to the encoding site – thereby reducing risk

14

Sign Data

• Digitally sign fingerprint templates • Can be implemented with symmetric or asymmetric algorithms

• Digital signature protects data integrity and provides non-repudiation

• PACS reader can validate signature but would need to receive new keys when the signing key is changed

• Validate data integrity with a message authentication code (MAC) • A MAC can be used to protect data integrity with less infrastructure than

a digital signature

• MAC checking protects integrity but not non-repudiation

• MAC’s require cryptography and a key, but no public key or certificate verification

15

Tradeoffs in Data Protection

• Selection of any approach involves tradeoffs• Encrypting data protects privacy, but is vulnerable to some attacks• Encryption plus MAC protects privacy and provides some integrity

assurance• Encrypted, signed data protects privacy, integrity and non-repudiation,

but requires additional infrastructure, both technical and policy/procedural

• Choice depends heavily on the goals• Privacy• Security• Non-repudiation• Etc.

16

Key Distribution Alternatives

• Symmetric key• Requires key distribution

• Asymmetric keys• Relies on certificate authority

• Local key distribution• Regional key distribution• Centralized key distribution

Note: Ownership of keys equals liability • Who is responsible when a key is compromised?• Need to define and implement strategy for corrective action

17

Symmetric Key Management

• Keys must be transported and stored in a secure manner• Example of methods

• Manual entry - two or more people contribute parts of the key (key ceremony)

• The key is manually entered into the devices• Susceptible to compromise • Subject to error

• Automated - keys loaded using secure methods from one secure device to another

• Example: key loading using smart cards, with key loading protocols performed by the card and the target device

• Secure key loading can use an asymmetric key pair to protect keys• Card issuance procedures can restrict key loading to end user,

central issuance, or allow both

18

Asymmetric Key Management

• Each card and PACS has a key pair • The private key is generated on card and never revealed

• Public keys or certificates are meaningful only if verified • e.g., certificates are used to verify the authenticity of a key

• Asymmetric cryptography performance• Traditional asymmetric cryptography requires more computation time

and uses larger keys

• However, newer elliptic curve asymmetric algorithms are faster and use smaller keys

• Not proven in any known deployed PACS

19

Site Specific Key Issuance

• New cards are disabled until activated with a site key• The site key can be loaded at the time the card is registered into the

PACS

• Maintains local control of authorized credentials

• Authorization to register cards protected by access rules • Only an authorized registration agent can write keys to the card

• Reduces key exposure issues• Requires a key table on the card (multiple sites)• Cardholders must register on a first visit to a site

20

Regional Key Distribution

• Keys loaded at a regional issuance center• Keys securely distributed by regional issuance center to

sites • Reduces key exposure issue

• Re-keying could be done within a region

21

Centralized Key Distribution

• Keys are loaded in the card at issuance• Keys to read the card are distributed by central system

• Keys could be distributed to facility or vessel operators for loading onto readers

• Keys could be already loaded into a hardware module inserted into the reader vs. loaded into the reader through a software load process

• Reduced security and privacy if TWIC PACS components are readily available

22

Regulatory Constraints• FIPS 201 certification covers PIV cards and middleware• A PIV card requires two certification processes by accredited labs

• An SP 800-73-1 conformance evaluation (managed by NIST under FIPS 201)• A FIPS 140-2 evaluation (managed by NIST outside of FIPS 201)

• Certification impact of PIV card software modifications• Changes to the PIV applet (if any) require recertification to SP 800-73-1• Addition of another non-PIV applet may require FIPS 140-2 recertification, but

not SP 800-73-1 recertification

• SP 800-73-1 middleware testing is not relevant to PACS• Requirements governing other PIV components

• E.g. readers, panels, biometric enrollment, etc.• FIPS 140-2 required for all cryptographic modules used by a federal agency• Use of GSA Approved Product List required for purchase of all PIV components

• Not clear if FIPS 201 regulatory constraints apply to TWIC

23

Next Steps

• Schedule call to discuss this presentation• Security industry task team develop narrative white

paper expanding on the information contained in this presentation

• NMSAC provide further guidance to the security industry task team on operational considerations and preferences related to the presented alternatives

• Security industry task team develop recommendation and detail specification on cryptographic approach and supporting key management scheme