PKI opens more doors

Traditionally associated with logical access and the digital signing of documents, PKI is now also being used to control physical access.

Public Key Infrastructure (PKI) is fast becoming a leading driver in controlling physical access, largely because of FIPS 201, the US government physical-access control specification that recommends PKI at the door. These have been recommendations since 2005; they are expected to become mandates with FIPS 201-2 later this year.

FIPS offers standards for not only what information should be stored on an ID card, but also best practices for verifying the credential is authentic and in the right person’s possession, says Kevin Graebel, product manager of HID credentials at HID Global, a leading manufacturer of physical and logical access control solutions. “A digital certificate is placed on the card with the user’s key information/access levels. Then the PKI process sends that information via an electronic bridge to a federal certificate authority, making sure access hasn’t been revoked or information tampered with.”

PKI boils down to the use of a mathematically linked pair of keys, one designated public and the other designated private. The linkage ensures that information processed with one key can only be decoded or validated using the other key.

“The primary benefit of a PKI-based access system is that it does not depend on a shared secret key; instead it uses an asymmetric key pair,” says Graebel. “In traditional access systems, the reader and the card share a symmetric key used to authenticate each other. This requires a great deal of coordination between the cards and readers, especially when the cards may be used at more than one location. Using PKI, only the public key of the card needs to be shared, and it can easily be revoked or changed in the event of a breach. The private key is stored securely within the card.”

Many advances in deploying PKIs have led to efficiency and interoperability that make it a natural choice for not just logical but also physical access control. “An organization can use a single PKI smart card, such as a PIV (Personal Identity Verification) card, for physical access to a building and to certain rooms, and for logical access to workstations, servers, VPNs, and so on,” notes Dave Coombs, director of PKI Standards and Policy at Carillon Information Security, a Canadian air transport and aerospace identity management consulting firm. “This reduces the complexity of managing access control: manual provisioning or removal of access for a person in dozens of different systems is replaced with the issuance or revocation of a single credential.”

Furthermore, recent interoperability advances allow one organization that accepts PIV cards to understand the identity of a visitor with a PIV card from a completely separate organization.

But despite PKI’s promise, there can be disadvantages, including cost and speed. “At a minimum, organizations will need to create or have access to a Certification Authority to manage the generation and validation of certificates,” says Graebel. “Depending on how this is implemented, it may require costly rewiring and upgrading of all of their readers.”

Speed is also a bottleneck for physical access control. For durability and vandalism reasons, it is more practical to use contactless rather than contact communication between the card and the reader, and over a contactless interface a PKI transaction can take as much as 1.5 to 2 seconds. This may not seem like a long time, but for users accustomed to the fraction-of-a-second read times offered by technologies like Prox or iCLASS, it can cause issues.

“One disadvantage we hear about is the perceived slowness of PKI at the door,” observes Coombs. “This can be mitigated by caching revocation information or OCSP (Online Certificate Status Protocol) responses, or even by pre-validating every morning each credential that was used at that site the previous day.” He predicts that in the coming years, “more and more public and private organizations will be going this route, particularly given the work being done in the US right now.”
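The two mechanisms described above, the challenge-response with no shared secret that Graebel outlines and the cached revocation status that Coombs suggests, as a single added example in Go (not code from the article, HID or Carillon). It assumes Ed25519 signatures in place of the RSA/ECDSA certificates a real PIV card carries, an in-memory map standing in for the reader's certificate store, and a `CheckOCSP` callback standing in for the round trip to the certificate authority; all three are simplifications for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"time"
)

// Card models the credential: the private key never leaves it; the card only signs.
type Card struct{ ID string; Priv ed25519.PrivateKey }

func (c *Card) Sign(challenge []byte) []byte { return ed25519.Sign(c.Priv, challenge) }

type status struct{ Revoked bool; Fetched time.Time } // cached CA answer and fetch time

// Reader holds only public keys (from the cards' certificates) plus a revocation
// cache, so the slow OCSP round trip to the CA runs at most once per card per TTL.
type Reader struct {
	PubKeys   map[string]ed25519.PublicKey
	Cache     map[string]status
	TTL       time.Duration
	CheckOCSP func(id string) (revoked bool, err error) // constructed stand-in for the CA
	Now       func() time.Time
}

// isRevoked fails closed: no fresh cached answer and no reachable CA means "revoked".
func (r *Reader) isRevoked(id string) bool {
	if s, ok := r.Cache[id]; ok && r.Now().Sub(s.Fetched) < r.TTL {
		return s.Revoked // cache hit: no network on the door's critical path
	}
	rev, err := r.CheckOCSP(id)
	if err != nil {
		return true
	}
	r.Cache[id] = status{Revoked: rev, Fetched: r.Now()}
	return rev
}

// Authenticate is one door transaction: fresh nonce, card signs, reader verifies, then revocation check.
func (r *Reader) Authenticate(c *Card) bool {
	pub, ok := r.PubKeys[c.ID]
	if !ok {
		return false // card not enrolled at this site
	}
	nonce := make([]byte, 32) // fresh per transaction, so a recorded signature cannot be replayed
	if _, err := rand.Read(nonce); err != nil {
		return false
	}
	return ed25519.Verify(pub, nonce, c.Sign(nonce)) && !r.isRevoked(c.ID)
}
```

The cache TTL is the trade-off Coombs alludes to: a revocation issued at the CA is not seen at the door until the cached answer expires, so the TTL bounds how long a revoked card keeps working.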

Of course, many countries have been developing their own PKI methodologies in parallel.

The French government issues PKI credentials to its citizens every year to file their income tax, and its General Security Framework (RGS) includes recommendations on securing large-scale IT systems using PKI. “The Belgians have done something similar with their eID card,” says Coombs. “It’s a PKI-enabled smart card issued to Belgian citizens to authenticate their access to government systems and programs online.”

Meanwhile, the German government is leading the way in implementing the European Union directive concerning ‘qualified signature’ certificates, the only kind of digital signature that carries the force of law in Europe.

It should be noted that these European initiatives concern only logical access control to information systems, and it is still early days for PKI as a physical access control. At this point, very few public companies are choosing to use PKI for physical access control because of the newness and relative complexity, observes Graebel. “I suspect it will become more common as FIPS 201-2 is implemented and there is a wider variety of products available on the market to support it.”

By Derek Scheips


You must be logged in to post a comment.