Comments on: Paul Karger: Privacy and Security Analysis of the Federal Employee Personal Identification and Verification Program

By: Anand

Anand — Sat, 21 Apr 2007 03:59:33 +0000

Sir,I want to kno the process to certify the product for FIPS210.I want to kno the necessary requirement for FIPS 210.Wht is the time require to certify the product & norms on basis of which the product is certified.We want to certify our smartcard based access control reader.

Waiting for your reply.

By: Anshuman Sinha

Anshuman Sinha — Sat, 21 Apr 2007 02:27:58 +0000

Anand, Let me know how I can guide. Cheers.

By: Anand

Anand — Sat, 09 Dec 2006 06:03:54 +0000

Dear Sir,

I want to know more about the FIPS 201 standard.I am working with company dealing in Smartcard based reader,biometric based reader for access control & time attendance system. We want to cerify our product
Can you please guide inthe same.

Thanking You

By: Anshuman Sinha

Anshuman Sinha — Mon, 06 Nov 2006 20:53:37 +0000

Another minor slip …

HSPD-12 requires identification for not only federal physical entities like buildings, but also information systems, logical access to federal electronic resources and data that is almost as crucial and secret.

PIV 1 has some security weaknesses as well which is worth noting before recommending it as an alternate to PIV II. PIV I in many ways is not vendor neutral …

By: Ping

Ping — Fri, 14 Jul 2006 18:31:45 +0000

Oops! Thanks for the correction.

By: Paul Karger

Paul Karger — Fri, 14 Jul 2006 18:28:25 +0000

There is a slight error in the description above.

FIPS 201 does require encryption for contact cards, but the strong keys that are there by default are restricted to the contact interface. Your can use encryption on the contactless, but you have to use a different key (which you can get, but it’s optional).

See the paper for more details on this.