NEWS/VIEWPOINT government id
New software aids PIV card development
The US National Institute of Standards and Technology (NIST) has developed two demonstration software packages that show how smart card-based Personal Identity Verification (PIV) cards can be used with Windows and Linux systems to perform logon, digital signing and verification, and a range of other services. The demonstration software, written in C++, will assist software developers, system integrators and computer security professionals as they develop products and solutions in response to Homeland Security Presidential Directive 12 and the FIPS 201–1 standard.

“We wanted to provide IT professionals with a model of one way that PIV cards can be used to support authentication to federal information systems,” explains Donna Dodson, deputy director of the NIST Computer Security Division. “Our objective was not to say ‘do the steps this way,’ but to show an example of how you might proceed.”

Homeland Security Presidential Directive 12 calls for government employees and contractors to use secure identity credentials to access federal facilities and computers. NIST worked with industry to develop the standards for the PIV cards that will be used for those purposes. Each card contains a unique number, two of the employee’s biometric fingerprint templates, and cryptographic keys stored on an electronic chip embedded in the card’s plastic body.

NIST computer scientists developed the software to demonstrate that PIV cards can work with common computer activities such as system logon. The typical process of keying in user name and password will be replaced with the user inserting his/her PIV card in a reader and entering a personal identification number (PIN). This secure logon could eliminate the need for passwords for other applications and could provide access to secure databases to which the user is authorized.

The PIV Crypto Service Provider (CSP) demonstrates Windows XP Logon with PIV cards. The Public Key Cryptography Standard #11 module was developed to operate in the Fedora Core 5 environment and to implement Linux Logon, signing and encrypting Email (following the S/MIME standard) and Web site authentication (following the SSL/TLS standard), configured in Linux OS, Thunderbird and Firefox applications.

The software is available at http://csrc.nist.gov/groups/SNS/piv/download.html.
Card Technology Today
Viewpoint

The Loss of the UK’s Child Benefit Data: Farce in three Acts

The recent police report into the loss, late in 2007, of the records of the UK’s Child Benefit recipients reads like a farce in three acts. It contains sobering lessons for those who will be responsible for any national ID database.

Act One: An Email is sent on 11 January 2007 from Employee D at HM Revenue and Customs (HMRC) in Washington, Tyne and Wear. She advises fellow members of the staff that she is the appointed point of contact between Washington and auditors from the National Audit Office (NAO) in London. Arrangements are subsequently made by Employee D for NAO Employee 2 to meet a number of managers involved in the Child Benefit system.

On 13 February 2007 NAO Employee 2 Emails Washington requesting details of 2006/07 Child Benefit data, to provide an overview of the error rate in benefit payments. Staff in Washington are concerned about confidentiality and security clearance. Employee F at Washington actually mentions the impact that there would be if the data went astray: “the long knives would be out…”

12 sample records are sent to the NAO by Email on 13 March 2007. NAO Employee 2 replies, can these files be filtered down? The NAO doesn’t need bank details, parent details or addresses. Back in Washington Employee D responds, pointing out that 100% scan is available at no added cost to the department. NAO Employee 2 understands this to mean that he will not get the data in the form or reduced size he has requested. NAO decides to use the 100% data scan of Child Benefit and to make its own arrangements for the data to be processed into a more manageable format.

On 15 March NAO Employee 2 is in Washington, where he is handed 2 CDs which contain the 100% live data scan of Child Benefit. He takes them back to London with him. The data is processed and analysed and in April 2007 the two CDs are returned safely to Washington.

Act Two: In September 2007 the NAO begins its 2007/08 audit of Child Benefit. Employee C is now the point of contact in Washington. This time NAO Employee 2 is prepared to accept the live 100% data scan and have it processed at NAO. His Emailed request to Employee J on 2 October 2007 includes the crucial passage, “Last time we had a 100 zipped files on 2 CDs. Please could you ensure that the CDs are delivered to NAO as safely as possible due to their content.” Because he is going to be away from his office, NAO Employee 2 asks Employee J at Washington to send the CDs to NAO Employee 5, to keep for his attention on return.

On 18 October Employee J puts the two CDs in a yellow plastic envelope, which he addresses to the NAO Office in London and places in the ‘tax post’ system in the Washington office. The two CDs have not been encrypted, but they are password protected. Employee J intends to forward the passwords separately, once the NAO has received the CDs. The two CDs never reach the NAO.

Act Three: On 22 October NAO Employee 2 returns to his office in London. He can find no trace of the package containing the two CDs. He rings Employee C in Washington, to say that he needs the CDs as a matter of urgency. Emails fly to and fro between Washington and London.

On 24 October Employee J entrusts two duplicate CDs, also password protected, to the Washington post room. Arrangements are made for the envelope to be sent by special delivery to NAO, to arrive by 1300 hours the next day. They do arrive safely and are used in the audit. Later the two duplicate CDs are returned to HMRC and destroyed. The security breach report concerning the loss of the original two CDs is submitted by Employee J on 8 November.

Comment: The lost CDs held the live records of the entire Child Benefit system, which amounted to 7.5 million records consisting of approximately 25 million names. Birth-dates, addresses, bank account details and payment methods were among the pieces of information included. However, no incidents of the information being used for criminal purposes have as yet been reported. Nevertheless, Employee F’s prophecy, at the time of the audit in spring 2007, that if ever the data went astray “the long knives would be out…” was fulfilled. The episode proved to be yet another blow to the Government’s reputation in the autumn and winter of 2007.

For anyone involved in the design and planning of the national ID database, the lesson is stark. Data handling on this scale presents immense challenges – not all of which are intellectual and technical. The best systems in the world can be undone, with potential for great harm to private citizens.

David Jones
July/August 2008