Risk
10/21/2009
03:49 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Smart Card Alliance Outlines Authentication Methods for Government Agencies' New Physical Access Control Systems

New white paper goes beyond specifications for PIV credentials

PRINCETON JUNCTION, NJ, October 21, 2009 " With Personal Identity Verification (PIV) credentials being issued by government agencies for both physical and logical access, many agencies are working on upgrading or replacing their installed physical access control systems (PACS) to meet new PIV requirements. With these agencies in mind, the Smart Card Alliance Physical Access Council has developed a new white paper detailing the types of authentication mechanisms available for PACS to identify people who are entering different areas. The new white paper, Authentication Mechanisms for Physical Access Control, details authentication mechanisms beyond those in the NIST Special Publication (SP) 800-116, "A Recommendation for the Use of PIV Credentials in Physical Access Control Systems." SP 800-116, published in November 2008, provides useful guidance on where to deploy various PIV authentication mechanisms. The Smart Card Alliance has written a number of white papers, available at http://www.smartcardalliance.org/pages/activities-councils-physical-access, to explain the PIV authentication options. However, not all possible authentication mechanisms are included in SP 800-116. The new white paper describes additional methods, their use, and the regulations or requirements that drive their implementation. "The SP 800-116 document provides useful information regarding authentication and the use of PIV credentials for PACS. However, a number of scenarios are not covered. Our security industry experts have written additional guidance for local security authorities who may be left with unanswered questions when faced with installed PACS technologies and occasionally conflicting regulations regarding authentication," said Randy Vanderhoof, executive director of the Smart Card Alliance. "This document highlights some of these situations and suggests some additional authentication mechanisms for security authorities to consider." Some of the alternative authentication mechanisms described in the white paper include: mutual authentication protocol (MAP); mutual registration; and widely deployed mechanisms such as combinations of cards, PINs, and operational or reference biometrics. The white paper also details example implementations using alternative authentication mechanisms, including the Transportation Worker Identification Credential (TWIC) and the Aviation Credential Interoperability Solution (ACIS) program.

Council members involved in the development of this report included: AMAG Technology, CSC, Diebold, Gemalto, Hirsch Electronics, HP Enterprise Services, Identification Technology Partners, IDmachines, JMF Solutions, LLC, Roehr Consulting, XTec, Inc. To hear more about the latest in PIV and PACS implementations, attend the 8th Annual Smart Cards in Government Conference from October 27th to October 30th at the Washington DC Convention Center. With almost 800 registrants and 50 exhibitors and sponsors, the conference is the largest annual event for the government identity and security sector. The Physical Access Council is offering additional training on PACS implementation with smart cards by hosting a full day pre-conference workshop on Next Generation PACS. To register, please visit the Smart Card Alliance Web site. About the Smart Card Alliance Physical Access Council The Smart Card Alliance Physical Access Council is focused on accelerating widespread acceptance, use, and application of smart card technology for physical access control. The Council brings together leading users and technologists from both the public and private sectors in an open forum and works on activities that are important to the physical access industry and address key issues that end user organizations have in deploying new physical access system technology. The Physical Access Council includes participants from across the smart card and physical access control system industry, including end users; smart card chip, card, software, and reader vendors; physical access control system vendors; and integration service providers. About the Smart Card Alliance The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.smartcardalliance.org. ###

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?