Paul Karger: Privacy and Security Analysis of the Federal Employee Personal Identification and Verification Program
July 14, 2006 by Ping
In August 2004, Homeland Security directive 12 established a government-wide standard for identifying federal employees and contractors, primarily for access to federal buildings.
NIST developed FIPS 201 in response, defining two types of cards: PIV I (for quick deployment at individual agencies) and PIV II (for inter-agency use).
HSPD 12 had a requirement for “secure and reliable” identification, which was defined as resistance to identity fraud, tampering, counterfeiting, and exploitation by terrorists; rapid electronic authentication; strong criteria for verifying identity; and issuance only by accredited providers. FIPS 201 requires dual-interface smart cards, where the contact cards don’t require encryption but the contactless (inductively powered radio, but not RFID) cards do require encryption.
The communication includes a CHUID (card-holder unique ID), which FIPS 201 says is not privileged and doesn’t need to be encrypted. But the CHUID includes a detailed agency code, which could be used for an attack (recruiting spies, choosing kidnapping targets, identifying CIA employees).
[Oops! The following sentence is incorrect; see Paul Karger's comment.] Also, because FIPS 201 doesn’t require encryption for contact cards, one would not be able to prevent identification to a terrorist with physical access to the card.
For the cardholder, usability is excellent because you only have to wave the card near the reader. For the agency developers, deploying the cards is difficult because there are many options for authentication mechanisms. Responsibility for making good wireless security decisions rests on each individual agency.
IBM has developed the Caernarvon protocol, which is a privacy-preserving login protocol based on IKE. First the card and the reader establish a Diffie-Hellman session key, then the reader authenticates itself to the card, and only then does the card reveal its identity to the reader.
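The ordering described above (key agreement, then reader authentication, then identity release) can be sketched as a small state machine. This is an added example, not code from the talk, the paper, or IBM's implementation. The group parameters, the XOR keystream, the HMAC-based reader credential and all names are assumptions chosen so it runs with the standard library only.

```python
import hashlib, hmac, secrets

# Toy values for illustration only; a real card would use a standard DH/ECDH group.
P, G = 2**127 - 1, 3
CARD_ID = b"CONSTRUCTED-CHUID-0001"  # constructed sample identity

def kdf(shared, label):
    return hashlib.sha256(label + shared.to_bytes(16, "big")).digest()

def xor(data, key):  # toy keystream cipher standing in for real session encryption
    return bytes(a ^ b for a, b in zip(data, key))

class Card:
    def __init__(self, trusted_reader_key):
        # Assumption: a shared MAC key stands in for the reader's real credential.
        self._trusted = trusted_reader_key
        self._x = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self._x, P)
        self._shared, self._transcript, self._reader_ok = None, b"", False

    def key_exchange(self, reader_pub):  # step 1: Diffie-Hellman session key
        self._shared = pow(reader_pub, self._x, P)
        self._transcript = b"%d|%d" % (self.pub, reader_pub)

    def authenticate_reader(self, tag):  # step 2: reader proves itself first
        expected = hmac.new(self._trusted, self._transcript, hashlib.sha256).digest()
        self._reader_ok = self._shared is not None and hmac.compare_digest(tag, expected)
        return self._reader_ok

    def reveal_identity(self):  # step 3: identity leaves the card only now, encrypted
        if not self._reader_ok:
            raise PermissionError("reader not authenticated; identity withheld")
        return xor(CARD_ID, kdf(self._shared, b"id"))

def run_session(card, reader_key):
    """Play the reader side; return (messages seen on the wire, identity or None)."""
    y = secrets.randbelow(P - 2) + 1
    reader_pub = pow(G, y, P)
    card.key_exchange(reader_pub)
    # The tag covers both public values, binding the proof to this key exchange.
    tag = hmac.new(reader_key, b"%d|%d" % (card.pub, reader_pub), hashlib.sha256).digest()
    wire = [card.pub, reader_pub, tag]
    if not card.authenticate_reader(tag):
        return wire, None
    blob = card.reveal_identity()
    wire.append(blob)
    return wire, xor(blob, kdf(pow(card.pub, y, P), b"id"))
```

A reader without the expected credential ends the session with only the two public values and its own tag on the wire, in contrast to a CHUID that is sent unencrypted to any reader.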
Because of the weaknesses of PIV II, the author recommends that use be limited to PIV I, and that a new version of the standard mandate a formally proven, privacy-preserving protocol for cards issued by all agencies.
July 14th, 2006 at 10:28
There is a slight error in the description above.
FIPS 201 does require encryption for contact cards, but the strong keys that are there by default are restricted to the contact interface. You can use encryption on the contactless, but you have to use a different key (which you can get, but it’s optional).
See the paper for more details on this.