In addition to providing tremendous multi-factor authentication (MFA) security for cyber resources, the PIV-C card also can serve multiple duties to allow a user to use it to authenticate to physical resources such a doors, garages and turnstiles. This blog explores the threats to traditional physical access control systems (PACS), and how new PIV-C security features mitigate many vulnerabilities.
Threats to modern PACS
There are numerous ways PACS can be exploited. Possible attack vectors include identifier collisions, revoked PIV Cards, visual counterfeiting, skimming, sniffing, social engineering, electronic cloning, and electronic counterfeiting. These methods of attack, as well as others, are discussed below. [see NIST SP 800-116, pg.5-8]
|Identifier collisions||During the issuance process the unique identifier is created, if the unique identifier is ever modified, hashed, or compressed the information could be lost. And if the information is lost from unique identifier before it reaches the access control list (ACL) entries, multiple cards may generate the same reduced identifier. This creates identifier collision. In summary, this means that multiple PIV cards will appear to have the same identity ultimately resulting in the cards having same access privileges.|
|Revoked PIV Cards||After the PIV cards are revoked, which is very common the card might still continue to have access to physical locations. In order to avoid this situation, the regular check for revocation should be performed using either OCSP or CRL on the PIV Authentication certificate or the card authentication certificate. Credential validation is required by FIPS201 for all PIV authentication mechanisms, however, validation of the cardholder unique identifier (CHUID) and biometric credentials do not include a revocation check. PACS relies on the CHUID authentication mechanism, therefore it will continue to accept the CHUID until the user is de-authorized in each of those systems. PACS also store the cache of PIV cards, which means if the cache is not refreshed the revoked card will still appear to be valid.|
|Visual counterfeiting||PIV cards sometimes are visually inspected by security guard to gain access to restricted areas. A PIV card can be duplicated with the same appearance as the original one. The only difference might be that the counterfeit one does not have the same electronic behavior as the actual PIV card. A PIV replica can be easily created by photocopy or photoshop and printed on a blank card. Those cards are unlikely to pass close examination by trained security but they might just pass if they use a method of “flash passes” walking by the security.|
|Skimming||Each contactless PIV card can be skimmed with PIV card reader with as little distance as 25 cm away. The range is restricted due to the requirement by the skimmer to supply power to the PIV card by inductive coupling. The concealed skimmer can obtain free-read data from the PIV card via the antenna. Virtual contact interface (VCI), allows all the data on PIV card that is not protected by the PIN to be read once the connection is established. If agencies deploy PIV cards that support VCI without additional pairing code, the data is not protected by the PIN and therefore vulnerable to skimming.|
|Sniffing||A sniffer is a passive receiver that does not supply power to the smart card and it can operate at greater distances compared to skimmers. When a user presents PIV card to the reader at access point the reader supplies power to the PIV card and at that moment the communication between the reader and card is established using radio frequency, at that moment sniffers use their readers to sniff cards information using RF receiver.|
|Electronic Cloning||After a successful attack on PIV card (skimming, sniffing, or social engineering), the attacker possesses vital data that can be cloned onto a blank PIV card. The certificates and CHUID retain signatures and are valid if the original card is valid. One thing is for sure that the attackers cannot copy the private or secret keys needed for cryptographic authentication methods. Therefore, the attackers are able to clone a PIV card with CHUID authentication but will not succeed cloning a PIV card with PKI-CAK or PKI-AUTH authentication methods.|
|Electronic Counterfeiting||Constructed battery-powered device with a microprocessor capable of generating and testing CHUIDs repetitively against a PACS reader. The device changes the FASC-N credential identifier on each trial to obtain CHUIDs authentication mechanism. This method will only be successful if there are no signature verification in the CHUID processing done by the reader.|
PIV-C Security Features
Thankfully, NIST has conducted extensive security research in the aforementioned PACS threats and have developed standardized guidance for strong authentication protocols. In order to keep PIV cards as secure as possible, the PACS application is designed to perform the variation of authentication steps to keep the security to its highest potential. The authentication process is based on one, two, or three of these factors [see NIST SP 800-116, pg. 18]:
- “something you have,” for example, possession of the PIV Card;
- “something you know,” for example, knowledge of the PIN;
- “something you are” for example, presentation of live fingerprints or irises by a cardholder.
PIV authentication mechanisms operate in several different ways. CHUID authentication mechanism operates by reading PIV card object data and verifies its signature. A private key on the PIV Card may be used to sign a challenge or a live biometric test can be performed to verify authenticity.
Another way the PIV card verifies the authenticity is the PIV card itself, the card verifies the PIN or fingerprint as part of the trust in a valid PIV card. The more steps it takes to authenticate the PIV card the more trustworthy it becomes. Many different combinations of authentication are possible with the PIV card.
In order for the PIV card and readers establish a connection and exchange information the access point in a PACS needs to support at least one PIV authentication mechanisms that are supported by all PIV cards. As for now only PKI-AUTH (PIV card +PIN) and CHUID + VIS are currently supported by all PIV cards.
|Authentication using PIV VIS (Visual Credentials)||Visual authentication involves trained staff to examine the PIV Cards topographical features. This method is really looked down upon due to its little or no confidence in the identity of the cardholder. This process requires a human to perform checks on the card which a lot of the times depends on the training that the person checking the IDs went through.|
|Authentication using CHUID (Cardholder Unique Identifier)||One of the mandatory data objects on PIV cards. Contains two data elements, FASC-N and UUID for unique identification of the card. The data on CHUID is signed by the issuer so any alterations or modifications will be detected. And if the CHUID is expired, or failed signature and path verification is found the card no longer has access. CHUID is a free read object and it can be read or cloned easily.|
|Authentication with the card Authentication Certificate (PKI-CAK)||Asymmetric card authentication key is one of two mandatory asymmetric authentication keys present on the PIV card. The purpose of PKI-CAK is to authenticate the card, therefore, the user. It is highly resistant to cloning since cloning would require to obtaining the private key. It also has protection against revoked cars as access will get denied if the certificate validation indicates that the certification has been revoked. Also, failed signature verification or path validation results in a failed attempt and does not give access to the cardholder.|
|Authentication with the Symmetric Card Authentication Key (SYM-CAK)||Similar to PKI-CAK, except it uses the optional symmetric card authentication key to authenticate the card and it does not provide protection against revoked cards. Only compatible with authenticating PIV cards issued by the same agency as the PACS.|
|Unattended Authentication Using Off-Card Biometric Comparison (BIO)||Using off-card biometric authentication using the fingerprints or iris image stored on the PIV card. The biometric on the PIV card is signed by the issuer, so the authenticity of the biometric can be checked by the PACS. Unfortunately, a biometric template could be placed on a blank card and result in successful one-factor authentication.|
|Attended Authentication Using Off-Card Biometric Comparison (BIO-A)||Same as BIO but this is supervised by an individual. This eliminates (hopefully) the suspicion of fake id card, fake or synthetic fingerprints and the insertion of the PIN. Therefore BIO-A is considered two-factor authentication mechanism.|
|Authentication with the PIV Authentication Certificate (PKI-AUTH)||An Asymmetric key is mandatory on the PIV card. PACS performs public key cryptography-based authentication with the PIV authentication key uses the PKI-AUTH Authentication mechanism. Requires two-step authentications; card and PIN or biometrics for successful authentication of the card. PKI-AUTH requires validation of the certificate. Protects from revoked, or modified certificates.|
|Authentication Using On-Card Biometric Comparison (OCC-AUTH)||On-card biometric comparison (OCC) may be implemented on the PIV card. The data on the card cannot be read but can be used to authenticate the cardholder.
OCC-AUTH performs over secure connection thanks to PACS. Provides two-factor authentication. Highly resistant to cloning, but lacks protection against revoked cards.
Security is extremely important when dealing with sensitive data, this is why NIST performs extensive research to help reduce the risks when it comes to PACS and PIV security.