Cryptography Usage in TWIC (Draft v4 8Dec06) National Maritime Security Advisory Committee TWIC Working Group By The TWIC Working Group Security Industry Task Team
Topics Information security and cryptography overview FIPS 201-1 cryptography options Factors driving cryptography choices Comparison of available choices Next steps and resources
Cryptographic Goals Cryptography is a not a solution by itself, but is a tool used to achieve security goals such as: Authentication Entity authentication – I am who I say I am Data origin authentication – This data comes from a trusted source Data Integrity Detect unauthorized change or substitution of data Privacy and Confidentiality Control who can read data Non-repudiation Prevent denial of action - It can be proved that I signed this data
Useful Cryptographic Terms Encryption and Decryption Encryption makes data unreadable to unauthorized people or machines Decryption makes encrypted data readable to authorized people or machines MACs, Digital Signature, Signature Verification MAC (Message Authentication Code) - A small piece of (usually symmetric) cryptographic data used to check the authenticity and integrity of message data A digital signature binds data to an originator, assuring integrity and authenticity The sender digitally signs data; the recipient verifies the digital signature Key Management All activities related to generation, exchange, storage, safeguarding, use, vetting, replacement and destruction of keys. Key management requires not just technology, but also policy and procedures. Compromise Unauthorized disclosure, modification, substitution or use of sensitive data. Compromised keys or crypto system components can weaken system security Symmetric and Asymmetric Two flavors of cryptographic mechanisms described later in greater detail
Symmetric Cryptography One common cryptographic secret key for all authorized parties Security depends on only authorized parties knowing the key Examples TDES – Triple Data Encryption Standard (DES): Encryption and decryption TDES MAC – used for authentication and data integrity AES (Advanced Encryption Standard) - Selected by NIST in 2000 AES has multiple modes with different characteristics Example: Counter with Cipher Block Chaining-Message Authentication Code (CCM) is used for authentication and data integrity Advantage Good performance – designed for hardware implementation Only one secret key to manage Disadvantage Greater risk in sharing the secret key among many people or machines Makes it harder to implement across multiple organizations (e.g., federated) Cryptographic schemes to protect the secret key (e.g., key transport protocol) may be used, but impacts performance and adds to complexity
Asymmetric Cryptography Asymmetric cryptography uses a key pair to protect data A public key (available to the general public) is used to encrypt data or verify digital signatures. Knowledge of a public key does not compromise system security A private key (held by the owner) is used to decrypt or digitally sign data Examples RSA Elliptical curve Advantages Minimal exposure of private key since other parties do not require this portion Unique key pair per entity/device minimizes impact of compromised keys Disadvantages Longer computation times due to complex algorithm and large key sizes Some mechanism (e.g. Public Key Infrastructure - PKI) must be in place to verify integrity and authenticity of public keys
Smart Cards vs. Proximity Cards Both use contactless radio frequency (RF) transfer technology Differences are in frequency, communications range, and security design Proximity uses 125 KHz frequency Smart card uses 13.56 MHz frequency Smart cards originated in telecom and finance industries Offers a secure channel capability by virtue of on-board microprocessor Smart cards widely acknowledged as offering higher security Proximity card can only store the card identification number Cannot store biometrics on the card Proximity technology represents approximately 85% of the installed base for physical access control systems (PACS)
PIV card in Contactless Mode PIV contactless mode is limited to a few operations Read Card Holder Unique ID (CHUID) CHUID is unprotected, available to any reader CHUID contains personal identifiers Authenticate the card using the Card Authentication Key Read Card Authentication Key certificate Verifies the card is authentic, but does not verify the cardholder Meaningful only if the issuer signature is also checked Features not supported by PIV in contactless mode PIV does not include secure channels to transfer data However, industry has secure channel options in widespread use No biometric data or operations are available in contactless mode No PIN authentication with the PIV card in contactless mode PIV specification permits additional features and software (applets) placed on the PIV card to extend functionality
Impact of Cryptography Choices Performance is critical in contactless applications Need to go from “power on” to “transaction complete” in less than second Some algorithms require more processing time FIPS 140-2 crypto certification (if used) requires startup self-test which adds to transaction time Key management Symmetric key management may be impractical in large deployments Asymmetric key management requires validation infrastructure Need for trained staff to manage keys Need for policy and procedures Approved uses and modes Standards recognize specific uses of cryptography New unique crypto approaches with secure properties are rare Strength and planned obsolescence Regulators publish schedules for retirement of weaker (more vulnerable) algorithms
Methods of Contactless Transmission Send data in clear Use a secure channel Encrypt data Sign data
Send Data in Clear The finger print template would be a free read No security Data is in clear However, there are counter arguments that biometric data are not secrets and therefore have little security impact if exposed No privacy Could be read by an unauthorized reader without the card holders knowledge or consent However, templates cannot be used to reconstruct a fingerprint image Easy to implement Fastest method
Use a Secure Channel TWIC Card and the physical access control system (PACS) would mutually authenticate to each other The two parties suitably authenticate each other Only trusted TWIC card will talk to trusted PACS Requires key management scheme Currently widely implemented with symmetric keys Diversified keys based on card serial number can reduce risk of key exposure Creates a unique key by combining master key with other data Asymmetric keys could used but still experimental phase Reduce risk key exposure to one card Requires the PACS to receive a PKI certificate when the card is used driving the need for PACS to be connected to the PKI authority However, doesn’t require a real-time connection from the reader to the Internet Computationally intensive requiring more computing power and time
Encrypt Data Fingerprint template is in an encrypted free read file Protects the confidentiality of the biometric data Data encryption only protects the confidentiality of biometric data Could use symmetric encryption Asymmetric encryption requires restricted distribution of the public key. Exposure of public key would only represent a privacy issue and would still provide security integrity Private key would be restricted to the encoding site – thereby reducing risk
Sign Data Digitally sign fingerprint templates Can be implemented with symmetric or asymmetric algorithms Digital signature protects data integrity and provides non-repudiation PACS reader can validate signature but would need to receive new keys when the signing key is changed Validate data integrity with a message authentication code (MAC) A MAC can be used to protect data integrity with less infrastructure than a digital signature MAC checking protects integrity but not non-repudiation MAC’s require cryptography and a key, but no public key or certificate verification
Tradeoffs in Data Protection Selection of any approach involves tradeoffs Encrypting data protects privacy, but is vulnerable to some attacks Encryption plus MAC protects privacy and provides some integrity assurance Encrypted, signed data protects privacy, integrity and non-repudiation, but requires additional infrastructure, both technical and policy/procedural Choice depends heavily on the goals Privacy Security Non-repudiation Etc.
Key Distribution Alternatives Symmetric key Requires key distribution Asymmetric keys Relies on certificate authority Local key distribution Regional key distribution Centralized key distribution Note: Ownership of keys equals liability Who is responsible when a key is compromised? Need to define and implement strategy for corrective action
Symmetric Key Management Keys must be transported and stored in a secure manner Example of methods Manual entry - two or more people contribute parts of the key (key ceremony) The key is manually entered into the devices Susceptible to compromise Subject to error Automated - keys loaded using secure methods from one secure device to another Example: key loading using smart cards, with key loading protocols performed by the card and the target device Secure key loading can use an asymmetric key pair to protect keys Card issuance procedures can restrict key loading to end user, central issuance, or allow both
Asymmetric Key Management Each card and PACS has a key pair The private key is generated on card and never revealed Public keys or certificates are meaningful only if verified e.g., certificates are used to verify the authenticity of a key Asymmetric cryptography performance Traditional asymmetric cryptography requires more computation time and uses larger keys However, newer elliptic curve asymmetric algorithms are faster and use smaller keys Not proven in any known deployed PACS
Site Specific Key Issuance New cards are disabled until activated with a site key The site key can be loaded at the time the card is registered into the PACS Maintains local control of authorized credentials Authorization to register cards protected by access rules Only an authorized registration agent can write keys to the card Reduces key exposure issues Requires a key table on the card (multiple sites) Cardholders must register on a first visit to a site
Regional Key Distribution Keys loaded at a regional issuance center Keys securely distributed by regional issuance center to sites Reduces key exposure issue Re-keying could be done within a region
Centralized Key Distribution Keys are loaded in the card at issuance Keys to read the card are distributed by central system Keys could be distributed to facility or vessel operators for loading onto readers Keys could be already loaded into a hardware module inserted into the reader vs. loaded into the reader through a software load process Reduced security and privacy if TWIC PACS components are readily available
Regulatory Constraints FIPS 201 certification covers PIV cards and middleware A PIV card requires two certification processes by accredited labs An SP 800-73-1 conformance evaluation (managed by NIST under FIPS 201) A FIPS 140-2 evaluation (managed by NIST outside of FIPS 201) Certification impact of PIV card software modifications Changes to the PIV applet (if any) require recertification to SP 800-73-1 Addition of another non-PIV applet may require FIPS 140-2 recertification, but not SP 800-73-1 recertification SP 800-73-1 middleware testing is not relevant to PACS Requirements governing other PIV components E.g. readers, panels, biometric enrollment, etc. FIPS 140-2 required for all cryptographic modules used by a federal agency Use of GSA Approved Product List required for purchase of all PIV components Not clear if FIPS 201 regulatory constraints apply to TWIC
Next Steps Schedule call to discuss this presentation Security industry task team develop narrative white paper expanding on the information contained in this presentation NMSAC provide further guidance to the security industry task team on operational considerations and preferences related to the presented alternatives Security industry task team develop recommendation and detail specification on cryptographic approach and supporting key management scheme