Risk
10/21/2009
03:49 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%

Smart Card Alliance Outlines Authentication Methods for Government Agencies' New Physical Access Control Systems

New white paper goes beyond specifications for PIV credentials

PRINCETON JUNCTION, NJ, October 21, 2009 " With Personal Identity Verification (PIV) credentials being issued by government agencies for both physical and logical access, many agencies are working on upgrading or replacing their installed physical access control systems (PACS) to meet new PIV requirements. With these agencies in mind, the Smart Card Alliance Physical Access Council has developed a new white paper detailing the types of authentication mechanisms available for PACS to identify people who are entering different areas. The new white paper, Authentication Mechanisms for Physical Access Control, details authentication mechanisms beyond those in the NIST Special Publication (SP) 800-116, "A Recommendation for the Use of PIV Credentials in Physical Access Control Systems." SP 800-116, published in November 2008, provides useful guidance on where to deploy various PIV authentication mechanisms. The Smart Card Alliance has written a number of white papers, available at http://www.smartcardalliance.org/pages/activities-councils-physical-access, to explain the PIV authentication options. However, not all possible authentication mechanisms are included in SP 800-116. The new white paper describes additional methods, their use, and the regulations or requirements that drive their implementation. "The SP 800-116 document provides useful information regarding authentication and the use of PIV credentials for PACS. However, a number of scenarios are not covered. Our security industry experts have written additional guidance for local security authorities who may be left with unanswered questions when faced with installed PACS technologies and occasionally conflicting regulations regarding authentication," said Randy Vanderhoof, executive director of the Smart Card Alliance. "This document highlights some of these situations and suggests some additional authentication mechanisms for security authorities to consider." Some of the alternative authentication mechanisms described in the white paper include: mutual authentication protocol (MAP); mutual registration; and widely deployed mechanisms such as combinations of cards, PINs, and operational or reference biometrics. The white paper also details example implementations using alternative authentication mechanisms, including the Transportation Worker Identification Credential (TWIC) and the Aviation Credential Interoperability Solution (ACIS) program.

Council members involved in the development of this report included: AMAG Technology, CSC, Diebold, Gemalto, Hirsch Electronics, HP Enterprise Services, Identification Technology Partners, IDmachines, JMF Solutions, LLC, Roehr Consulting, XTec, Inc. To hear more about the latest in PIV and PACS implementations, attend the 8th Annual Smart Cards in Government Conference from October 27th to October 30th at the Washington DC Convention Center. With almost 800 registrants and 50 exhibitors and sponsors, the conference is the largest annual event for the government identity and security sector. The Physical Access Council is offering additional training on PACS implementation with smart cards by hosting a full day pre-conference workshop on Next Generation PACS. To register, please visit the Smart Card Alliance Web site. About the Smart Card Alliance Physical Access Council The Smart Card Alliance Physical Access Council is focused on accelerating widespread acceptance, use, and application of smart card technology for physical access control. The Council brings together leading users and technologists from both the public and private sectors in an open forum and works on activities that are important to the physical access industry and address key issues that end user organizations have in deploying new physical access system technology. The Physical Access Council includes participants from across the smart card and physical access control system industry, including end users; smart card chip, card, software, and reader vendors; physical access control system vendors; and integration service providers. About the Smart Card Alliance The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.smartcardalliance.org. ###

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.