Show your support by donating any amount. (Note: We are still technically a for-profit company, so your
contribution is not tax-deductible.)
PayPal Acct: 
Feedback: 
Donate to VoyForums (PayPal):
| [ Login ] [ Contact Forum Admin ] [ Main index ] [ Post a new message ] [ Search | Check update time | Archives: 1, 2, [3], 4, 5, 6, 7, 8, 9, 10 ] |
| Subject: Finland-based Miotec Oy | |
|
Author: The Dutch Justice Ministry Nov 2002 |
[
Next Thread |
Previous Thread |
Next Message |
Previous Message
]
Date Posted: 22:01:17 01/06/03 Mon Government Smart Card IDs: Lessons Learned By Cathy Bowen When President George W. Bush came into office last year, the General Services Administration, which is responsible for managing U.S. government facilities, set up temporary offices for Bush’s staff to use as the Clinton Administration moved out of the White House. As part of its duties, the GSA issued everyone who used that space a smart card ID badge that included digital certificates for verifying their identities when communicating via the Internet. The transition, which should have taken six weeks, dragged on for four months. One problem was keeping track of the different types of badges issued for the various government employees using the space, which included the transition staff, Bush’s incoming staff, as well as contractors, says Jim Schoening, program manager at the GSA’s Center for Smart Card Solutions. With cards costing around $20 each since only 1,500 were ordered, some would view this project as another example of wasted taxpayers’ money. Others counter that in these times of heightened security, it is money well spent, and not just for presidential transition teams. "Security is the cost justification for smart cards," says Robert Brandewie, deputy director of the Defense Manpower Data Center, which issues the U.S. Department of Defense’s chip-based Common Access ID card. "The government has very valuable assets on the physical side and the logical side, and the sophistication of smart cards helps us protect both those areas." Corporations, too, have valuable information and physical assets, and such giants as Microsoft Corp. and several global oil companies are turning to smart cards for their employee IDs. But no one has done it on the scale of government agencies, especially the U.S. Defense Department, which recently passed the 1 million mark in smart card IDs. The lessons learned in these large government projects will benefit others replacing their employee ID cards with smart cards. The focus of government officials has shifted since the terrorist attacks of Sept. 11. Before then, many government agencies looked at issuing smart cards largely as a way to reduce paperwork and to do more business online with the security of what is known as public key infrastructure, or PKI. Spain’s Finance Ministry, for example, is issuing chip cards that carry a digital certificate to its employees so that internal administrative procedures, such as requesting materials, advance payments, and vacation time, can be done securely through the Internet. But the terrorist attacks brought physical security to the forefront, causing agencies–particularly in the United States–to investigate ways the chip can make physical access more secure. The chip can store a biometric template, a physical characteristic such as fingerprint or iris scan, that can verify that the cardholder is who he or she claims to be. Chip cards are also harder to counterfeit than the magnetic-stripe cards used in many access-control systems. "Everyone is more security-conscious since last year," says Bill Holcombe, director of smart card policy for the GSA. "Smart cards are a great platform for badging, passes, right on up to PKI and high-tech solutions like biometrics." Many governments, such as the United States, Sweden, Canada and the Netherlands, have been hammering out their PKI card programs since the mid-1990s. PKI uses a form of digital ID, called digital certificates, which enable individuals to securely authenticate themselves to a network and digitally sign documents. Many countries treat digital signatures as legally binding. PKI Learning Curve Many of the lessons governments are learning from their smart card projects relate to how to manage digital certificates, says Dave Garvas, director of government sales at Irvine, Calif.-based Rainbow Technologies. For example, the certificate authorities that issue and revoke digital certificates must maintain an up-to-date list of valid certificates, lest employees wind up with expired credentials that no longer work. Agencies that want their employees to exchange documents using PKI also may end up frustrated because their separate certificate authorities maintain different rules to guard the authenticity of the credentials. The Dutch government is trying to avoid those problems by setting up a hierarchical PKI structure, says Lonneke Stempels, director of international relations for the Taskforce PKIoverheid, which is preparing the Dutch government’s PKI infrastructure. The government plans to set up a root authority by the end of the year, which vouches for the credibility of departmental certificate authorities. In turn, the certificate authorities must use certificates approved by the root authority. Achieving interoperability has been a challenge for the Dutch government, says Jelle Rijpma, an executive at the Taskforce PKIoverheid. "The goal is that with one smart card a person should be able to transact with all government agencies," he says. "But this requires a lot of harmonization effort in the technical, but even more in the administrative and organizational respect." A number of Dutch government agencies are conducting pilots to test the PKI-enabled smart cards, including the ministries of Transport and Defense, says Rijpma. The Dutch Justice Ministry recently rolled out chip-based ID cards for physical and logical access to its 15,000 employees. The cards, which have 64 kilobytes of memory, include a digitized version of the employee’s fingerprint to be used to enter buildings and log onto the computer network, according to Finland-based Miotec Oy, which is supplying the cards. Like the Netherlands, certificate authorities in Sweden must issue certificates that comply with a format defined by the government, according to Dag Osterman, a director at the Swedish National Tax Board. Three companies–the Swedish Posten AB, the telco firm Telia, and the bank Nordea–issue certificates for government agencies. The Stock Exchange Registration Office, Stockholm City Planning Administration, the Customs Agency, members of Parliament, and the Tax Board use the Sweden Post as their certificate authority, says Evald Persson, its marketing manager. The post office issues the cards for the agencies. It publishes the certificates, public keys and a list of blocked certificates in an Internet directory, which is accessible to individuals who need to check a certificate’s validity. Setting Up A Bridge Instead of creating a hierarchical PKI infrastructure, federal agencies in the United States have created a so-called bridge agency, which enables federal and state agencies with disparate certificate authorities to exchange encrypted e-mail. By certifying with the Federal Bridge Certification Agency, an agency only has to enter into one certificate management relationship as opposed to creating relationships with every other department, says an executive with the Federal Depository Insurance Corporation. "If the FDIC certifies with the bridge, then if the Bank of Illinois certifies, or the Illinois Treasury certifies, we do not have to create one-on-one relationships with them," says the executive who asked not to be named. The FDIC, which insures U.S. bank deposits, has used PKI-enabled smart cards since the late 1990’s. It began issuing smart cards with digital certificates to the 3,500 of its 7,800 total employees that work off-site. The off-site employees used the cards for the FDIC’s Electronic Travel Voucher system. Employees use their smart cards to encrypt FDIC’s electronic travel expense documents so they can be securely filed via the Internet. This cuts the time employees wait to be reimbursed from two months to two days, according to a study by the consulting firm Booz Allen & Hamilton. Also, the FDIC saves $3.2 million to $4 million per year in reimbursement costs. Now the FDIC is in the process of issuing PKI-enabled smart ID badges to all its employees. On-site employees had their digital certificates stored on their computer hard drives until now. The badges will also feature the employee’s photo and an antenna embedded in the card so that the employee can enter FDIC facilities by waving the "proximity" card, a relatively simple chip card that works by radio frequency, near a reader, says the FDIC executive. "The program cuts down the number of cards employees have to carry around," he says. "Examiners have a PKI card, an ID badge, and may also have a separate proximity card. They are overjoyed to have it all combined onto one card." Not only do government officials face interoperability problems when rolling out PKI-enabled smart cards, but logistical problems as well. "The biggest challenge we had was an aggressive deployment schedule," says Captain Richard Ouimet, installation coordinator for the secure common e-mail project for Canada’s Defense Department. "We had to complete deployment during the active posting season in June, before military personnel start moving from base to base." Canada’s Defense Department has issued 73,000 PKI-enabled smart cards to civilian employees, soldiers, reservists and contractors who have proper security clearance, says Ouimet. The department personalized the cards and created passwords at one location, then sealed each one in an envelope for delivery. A local registration coordinator at each facility distributes the cards. Each employee must verify his identity to the local registration coordinator with two forms of identification. Then he changes his password on the spot and sends himself an e-mail to make sure the card works. Centralized Or Distributed? The U.S. Department of Defense initially chose a decentralized issuing system when it rolled out its Common Access Card, but may switch to a more centralized approach, says Mary Dixon, director of the Pentagon’s Access Card Office. Issuing cards centrally means the cards must be shipped safely after they have been personalized, including with the card’s digital certificate. It also can create headaches if an individual who has gotten used to signing onto the computer network with their card loses it. "They won’t be happy to wait two days to get a new card," Dixon says. But when cards are created at the Defense Department’s 900 locations worldwide, each site must be able to communicate with central databases. That ensures the department has a record of each card and such information as which applications and digital certificate it carries. If a location’s connectivity with the central server is lost, issuance can be disrupted, no small matter when the department is issuing 7,000 ID cards per day. Dixon says the department has not made a final decision, but likely will move toward central issuance, with local facilities authorized to issue new or replacement cards in certain circumstances. The department also has come to the conclusion that the smart card should be primarily a way for department personnel to authenticate themselves to the network, which will hold most applications and data, rather than the smart card storing such information. This makes it easier to keep data synchronized than it would be if it were held on millions of cards in the field. It also reduces the memory capacity required of the smart card, she adds. Nonetheless, Dixon says Defense is probably going to upgrade to a 64K card. Agencies will need the added space, she says, to hold a digitized photograph of the cardholder, multiple digital certificates and biometrics data, and longer encryption keys for greater security. Defense officials also debated whether cardholders should have to enter a PIN to use the smart card. Some argued for no PIN, saying that cardholders would only forget them. Others demanded PINs that would be very hard to guess, such as those that are randomly generated and that include both letters and numbers. The department now allows users to select a PIN as the card is issued. If someone enters an incorrect PIN three times, the card shuts down, providing some security against a lost or stolen card being used by anyone but the authorized cardholder. Defense also has had to deal with complaints from department personnel who received their smart card and digital certificate, but then had to wait months to obtain a smart card reader for their PCs. Dixon says, however, that any agency issuing credentials to millions of individuals is likely to have to decide which to deploy first, readers or cards. While it had issued more than 1 million cards as of last month, Defense had deployed just under 200,000 PC smart card readers, Dixon says. She says 3 million of the 4 million CAC cardholders will need card readers for their PCs. Don’t Blame The Smart Card The U.S. Department of the Interior is also addressing card reader questions as it rolls out smart card IDs to 70,000 department workers, says Robert Donelson, leader of the smart card rollout at Interior. As many as 80,000 other individuals associated with the department, such as firefighters called in to deal with forest fires, may get smart cards, as well. The agency is installing the card readers as it upgrades PCs to the latest version of Microsoft’s desktop operating system, Windows XP. However, knowing that the operating system change is likely to cause some applications to malfunction, Donelson says the department will delay introducing the smart cards for three weeks after the XP installation. "We don’t want users to think the smart card messed up their applications," he says. Donelson also found that all the PC suppliers he contacted were willing to provide new keyboards with smart card readers for no more than they would charge for conventional keyboards. He says the department will save at least $6 million by obtaining the keyboards with built-in readers, compared to buying standalone card readers at $70 to $100 apiece. While not as common as PKI projects, some government agencies are introducing smart cards for access to buildings. One example is the state of New Jersey, which has issued 30,000 contactless smart cards since 1999, a project that was combined with computer network upgrades to avoid year 2000 problems. The contactless cards, which employees wave in front of a reader, replaced older, radio-frequency cards that some call "prox" cards. Such cards communicate with readers at the relatively slow speed of 125 kilohertz, compared with 13.56 megahertz for the smart cards. This faster transmission speed and the greater sophistication of the smart card allow cards and readers to authenticate themselves to each other. The older cards merely stored data, and could not check the validity of a card reader. The New Jersey smart cards also carry 8 kilobytes of data, while prox cards, which usually just carry an employee’s ID number and possibly a facility code, can hold no more than 256 bytes. New Jersey is considering using that extra space to store an encrypted image of the employee’s photo, plus his or her fingerprint, says a state official who asked not to be named. But being on the leading edge of smart card adoption was not entirely easy, he says. At the time the contract was put out to bid, New Jersey could only find two companies that could provide contactless smart cards and readers by the state’s deadline. That lack of competition increases the card’s cost. "A proximity card costs between $1.50 to $2.50 each," he says. "A contactless smart card costs double that price." Too Many Standards Government agencies are also concerned about the lack of a dominant standard among contactless smart cards, which means agencies may not be able to source cards from several vendors. The State Department chose contact cards, which must be inserted into a reader, because the GSA does not yet have interoperability specifications for contactless smart cards, says Lollie Kull, the agency’s access control smart card implementation manager. U.S. agencies buy smart cards and services under the GSA’s Common Access ID contract. The State Department is in the process of issuing the chip-based ID cards to its U.S.-based employees. The cards will carry the employee’s photo, and the chip will store a digital certificate that can be used to encrypt and digitally sign electronic documents, says Kull. This year, the Department of State will issue 2,000 employee ID cards with digital certificates, says Kull. The card’s first use will be for access to 100 U.S-based Department of State facilities. To enter a facility, employees will insert the card into a reader and type in a PIN, which provides an additional layer of security. With physical security a hot topic in the United States, the GSA is working with the National Institute of Standards and Technology to add standards for contactless cards and biometrics to the government’s smart card specifications. The U.S. organizations also have developed an add-on piece of smart card software meant to overcome communication problems between chip cards and readers. They would like to see this technology, which they call a "card capabilities container," used worldwide, making it an industry standard that would allow U.S. agencies to buy cards and readers from many vendors, sure that they would work together. Existing smart card standards leave vendors too much room for interpretation, says Terry Schwarzhoff, a computer security specialist at NIST. Thus, if a government agency switches to a new card vendor, it may have to reprogram its readers to accept the cards, she says. She says the U.S. agencies hope to present this proposal to the International Organization for Standardization, or ISO as it is commonly known, by the end of 2003. To begin to build support, she says, NIST presented its proposal in September to several global smart card groups, including GlobalPlatform, a consortium that sets standards for multiapplication card systems, and the Smart Card Charter, an organization created by the European Commission for promoting the use of chip cards. "Our framework was well received because interoperability is a real issue for them," says Schwarzhoff. In fact, interoperability of smart cards has been an issue in many markets, from contactless transit cards to mobile phones. But governments can get faster results, says Barbara Selter, a consultant for the U.S.-based Maximus, one of the major systems integrators on U.S. government smart card contracts. "For so long in this industry, creating interoperability was such an insurmountable struggle that no one actually did it," says Selter. "But having the force of government behind this made a big difference." Standards will make smart card implementations easier. Even then, hard-earned lessons of the pioneering issuers will come in handy. [ Next Thread | Previous Thread | Next Message | Previous Message ] |
| Subject | Author | Date |
| Re: Finland-based Miotec Oy | MeT MembersNovember 13, 2001 07:31 GMTKeyware | 22:46:23 01/06/03 Mon |