Risk
10/21/2009
03:49 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Smart Card Alliance Outlines Authentication Methods for Government Agencies' New Physical Access Control Systems

New white paper goes beyond specifications for PIV credentials

PRINCETON JUNCTION, NJ, October 21, 2009 " With Personal Identity Verification (PIV) credentials being issued by government agencies for both physical and logical access, many agencies are working on upgrading or replacing their installed physical access control systems (PACS) to meet new PIV requirements. With these agencies in mind, the Smart Card Alliance Physical Access Council has developed a new white paper detailing the types of authentication mechanisms available for PACS to identify people who are entering different areas. The new white paper, Authentication Mechanisms for Physical Access Control, details authentication mechanisms beyond those in the NIST Special Publication (SP) 800-116, "A Recommendation for the Use of PIV Credentials in Physical Access Control Systems." SP 800-116, published in November 2008, provides useful guidance on where to deploy various PIV authentication mechanisms. The Smart Card Alliance has written a number of white papers, available at http://www.smartcardalliance.org/pages/activities-councils-physical-access, to explain the PIV authentication options. However, not all possible authentication mechanisms are included in SP 800-116. The new white paper describes additional methods, their use, and the regulations or requirements that drive their implementation. "The SP 800-116 document provides useful information regarding authentication and the use of PIV credentials for PACS. However, a number of scenarios are not covered. Our security industry experts have written additional guidance for local security authorities who may be left with unanswered questions when faced with installed PACS technologies and occasionally conflicting regulations regarding authentication," said Randy Vanderhoof, executive director of the Smart Card Alliance. "This document highlights some of these situations and suggests some additional authentication mechanisms for security authorities to consider." Some of the alternative authentication mechanisms described in the white paper include: mutual authentication protocol (MAP); mutual registration; and widely deployed mechanisms such as combinations of cards, PINs, and operational or reference biometrics. The white paper also details example implementations using alternative authentication mechanisms, including the Transportation Worker Identification Credential (TWIC) and the Aviation Credential Interoperability Solution (ACIS) program.

Council members involved in the development of this report included: AMAG Technology, CSC, Diebold, Gemalto, Hirsch Electronics, HP Enterprise Services, Identification Technology Partners, IDmachines, JMF Solutions, LLC, Roehr Consulting, XTec, Inc. To hear more about the latest in PIV and PACS implementations, attend the 8th Annual Smart Cards in Government Conference from October 27th to October 30th at the Washington DC Convention Center. With almost 800 registrants and 50 exhibitors and sponsors, the conference is the largest annual event for the government identity and security sector. The Physical Access Council is offering additional training on PACS implementation with smart cards by hosting a full day pre-conference workshop on Next Generation PACS. To register, please visit the Smart Card Alliance Web site. About the Smart Card Alliance Physical Access Council The Smart Card Alliance Physical Access Council is focused on accelerating widespread acceptance, use, and application of smart card technology for physical access control. The Council brings together leading users and technologists from both the public and private sectors in an open forum and works on activities that are important to the physical access industry and address key issues that end user organizations have in deploying new physical access system technology. The Physical Access Council includes participants from across the smart card and physical access control system industry, including end users; smart card chip, card, software, and reader vendors; physical access control system vendors; and integration service providers. About the Smart Card Alliance The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.smartcardalliance.org. ###

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.