Federal smart cards about to get smarter
Federal personal identification verification cards — better known as PIV cards — are about to get a technical facelift.
The National Institute of Standards and Technology, or NIST, has released updated technical specifications and guidance for the next generation of “smart” identity cards used by federal government employees and contractors to gain access to government facilities and computers.
The next generation PIV cards will enable federal employees to connect securely to government computer networks from smart phones and other mobile devices, and provide enhanced security features to verify the identity of federal workers.
The PIV cards in use today contain a microchip that stores digital credentials, including an employee’s photo, fingerprint information, a PIN code and other details, but require card readers that must be attached to computers and mobile devices to complete the verification process.
The new specifications add protections to wireless communications between the PIV card and a mobile device.
“We specified a secure communication mechanism so that the next generation PIV Card can be used with mobile devices, enabling federal employees to connect securely to government computer networks, encrypt or sign email from such devices,” said NIST computer scientist Hildegard Ferraiolo, co-author of the publications.
The new specifications also provide additional ways to prove, or authenticate, the cardholder’s identity. One method, called on-card biometric comparison, helps preserve a cardholder’s privacy using a technique that eliminates the need for an individual’s fingerprint data to ever leave the card. Another new security feature prevents a cardholder from changing the PIN to one that is too short.
“It’s encouraging to see NIST continue to improve the capabilities and security associated with the government’s PIV card,” said Dave Wennergren, senior vice president at the Professional Services Council. A decade ago, as Navy CIO, Wennergren chaired a Defense Department working group responsible for deploying the Common Access Card, which helped launch the use of digitally encoded identification cards for government employees and contractors.
“These enhancements should continue to increase the value of the card and we should applaud NIST’s work. That said though, we must also face the fact that it takes time to implement a new version of a smart card, particularly for a large agency,” he said. “Even after the preliminary work to buy cards and prepare for issuance, new cards will slowly replace expiring cards over a period of several years,” he said.
Wennergren also cautioned that more than a decade after Homeland Security Presidential Directive 12, “there are still far too many government agencies not using the card’s capabilities for cryptographic log-on to networks, digital signatures and physical access. If it’s only being used as a ‘flash pass,’ the new features are wasted,” he said.
The updated NIST specifications are contained in two documents, one dealing with interfaces for personal identity verification and the other detailing cryptographic algorithms needed to maintain the security of the PIV cards. The publications are intended for U.S. government agencies to upgrade their PIV cards, or for vendors that make the cards or develop hardware and software to work with the cards.
