AMAG - Access Control and Integrated Security
Symmetry - Security Beyond Integration

Security Beyond the Prox Card
How SEIWG and CAC changed how we think about security credentials
By Adam Shane, Manager Applications Engineering, AMAG Technology
November 6, 2006

Introduction

The US Government has been driving access control technology to more and more secure solutions. From its roots as an identification technology, the recent trend is towards smart cards that provide significant security features.

SEIWG is an acronym for the Security Equipment Integration Working Group, a group of subject matter experts within the Department of Defense (DoD). In an effort to provide a robust means of authentication that would be suitable across the entire DoD (with application for Government-wide solutions), the SEIWG published a credential data format called SEIWG-012 in 1993. This data format (depicted in Figure 1) makes it possible to quickly determine who issued the credential and also uniquely identifies the person to whom the credential was assigned.

SEIWG-012 was defined with magstripe technology in mind; however, the access control industry would start to favor proximity technology (what we now refer to as low-frequency prox to differentiate it from contactless smart card technology). Prox technology does not lend itself to large data formats like SEIWG-012, which requires 40 characters (200 bits of data). However, the DoD was implementing a program for a CAC (Common Access Card) in 2000 that would rely on smart card technology. The card itself would have a contact smart card chip, magstripe and multiple barcodes. The SEIWG-012 format data was encoded into the chip memory. The CAC is used as a visual identification device as well as a means of providing electronic identification for various systems. It can be used to log onto military computer systems and can be used to encrypt e-mail. The card is also being used for access control.

[Figure 1: SEIWG-012 credential data format]

SEIWG-012

The SEIWG-012 data format specification was developed to encode information that would uniquely identify the cardholder. In the DoD (as in the US Government as a whole), this is particularly challenging because of the sheer scale of the project as well as the fact that the organization is highly segmented, with little or no coordination in this area across divisions (Air Force, Army, Navy). Designed by the DoD, the intent was to create an access card that could store enough data to determine the individual cardholder, which branch of the military issued the card, and which base issued it, all within the available forty digits of data storage.

SEIWG-012 was initially designed for access cards utilizing magnetic stripe technology, as it was the only technology in existence able to store enough information to meet the specification. A major drawback, however, was that magnetic stripe technology is not secure. The cards are both easily read and easily duplicated. The electronic security industry did create access card technologies offering greater security, both proximity and Wiegand, but neither had the storage capacity necessary to meet the SEIWG-012 specification. Additionally, manufacturers of electronic security hardware (field panels) fell short of being able to work effectively within the parameters of the specification because their equipment could not validate the long string of data the SEIWG-012 specification requires.

In 1995, the DoD tasked the Navy with exploring the possible benefits of using smart cards (capable of storing much more data than a proximity or Wiegand card, and much more secure than a magstripe card) to increase physical and logical (computer) security and to decrease operational costs. That year, the Navy initiated the Multi-technology Automated Reader Card (MARC) program, which used the massive Pacific Command complex in Hawaii as its testing facility. The SEIWG-012 data was used on the smart card, and AMAG was the only access control developer that had the necessary knowledge of both smart card and magstripe technology to quickly design one of the world’s first physical access control systems that used smart cards. The system was deployed in Hawaii. The success of the MARC and subsequent tests, like Cobra Gold in 1998, convinced the DoD of the huge potential for security and efficiency that smart cards promised.

CAC

In 1999 the Deputy Secretary of Defense issued the “Smart Card Adoption and Implementation” memo that officially brought the Common Access Card (CAC) project into existence. Of significant importance in this regard is the statement, “[The CAC] will also be the principal card used to enable physical access to buildings and controlled places . . .”

The Common Access Card (CAC) was developed to be a single card carrying multiple electronic and printed credentials. The CAC would be used for logical access control and other PKI (Public Key Infrastructure, a means of encrypting data) functions, such as logging into a computer system or encrypting communications, as well as for physical access control. The SEIWG-012 data structure provided the data fields needed to ensure that issuing stations at different locations could not produce the same physical access control ID number.

GSC-IS

As the Federal Government saw more adoption of smart card technology within its agencies it assembled the Government Smart Card Interagency Advisory Board (GSC-IAB). This group consulted with industry experts and developed the Government Smart Card Interoperability Specification (GSC-IS) as well as the Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems (TIG SCE PACS) through the Physical Access Integration and Interoperability Working Group (PAIIWG).

The GSC-IS pays homage to the SEIWG-012 data format, but defines a new version that forgoes the Social Security Number (the use of which is frowned upon with regard to personal privacy protection) in favor of the more innocuous Person Identifier. The new format is defined as the Federal Agency Smart Credential Number (FASC-N) and is depicted in Figure 2.

[Figure 2: Federal Agency Smart Credential Number (FASC-N) data format]

In moving to the FASC-N data model, the GSC-IS suggests that the first 3 data fields – Agency Code, System Code, and Credential Number (a total of 14 digits) – make up a unique identifier across the Federal Government. This is true only to the extent that the Agency Code and System Code are numeric 4-digit values. In fact, the document that first defined these codes, FIPS 95-2, was withdrawn by NIST in 2005. That document allowed non-numeric identification of some Agency and System codes. In those cases, additional information external to the FASC-N might be required to uniquely identify the cardholder. The additional information and the FASC-N were held in a container on the card called the Card Holder Unique Identifier (CHUID).

AMAG Technology assisted the GSC-IAB and the PAIIWG by producing prototype readers and software. The resultant solution is now referred to as Symmetry Homeland Security, and is fielded at many Federal Government facilities.

FIPS 201

The President signed Homeland Security Presidential Directive 12 (HSPD-12) in August of 2004. By February 2005, the National Institute of Standards and Technology (NIST) published Federal Information Processing Standard (FIPS) Publication 201 for the “Personal Identity Verification (PIV) of Federal Employees and Contractors.” Part II of this document describes the technology of the card solution to be both a contact and a contactless smart card interface. The CHUID previously defined in GSC-IS was further modified to include a card expiration date.

Access Control System Requirements

The cardholder identifier has evolved significantly. Until the early 1990s, the cardholder identifier was a card number that could fit in a small amount of memory programmed into a Wiegand card (wires embedded in a plastic card) or a prox card (on the order of 100 bits, or approximately 12 bytes' worth of data). The FIPS 201 document defines a CHUID that can be over 2800 bytes. This explosion of information usable to uniquely identify the cardholder was only possible through technology advances in smart cards – increased memory capacity and contactless interfaces for physical access control.

However, to make this data truly useful, four extremely important issues beyond the card and card reader must also be addressed:

  1. Can the access control software address the complete SEIWG-012/FASC-N specification?
  2. Can the field panel support the very large identifiers (minimum 14 digits)?
  3. Can the reader handle the forty digits of information resident on the smart card?
  4. Is the communication between the card reader and the field panel secure?

Field panels at a minimum must be able to validate smart cards that store a large amount of data structured in a specific way. Initially the reader must determine that the full forty digits are present on the smart card, and that those digits are in a valid structure. Then the panel must be able to identify the unique data on the smart card to validate entry by the cardholder. This can be accomplished by reading a minimum of fourteen digits: a four-digit Agency Code, a four-digit System Code, a six-digit Credential Number and a one-digit Issue Level. Most manufacturers of security equipment (both software and hardware) have the capability to read up to a maximum of nine to ten unique digits of data. Thus, to meet the specification, a manufacturer must show the ability to validate the minimums required to meet the format. Few manufacturers have displayed this ability.
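The following is an added example, not code from AMAG or from any of the specifications named on this page. It models the checks the text says a reader and field panel must perform on a forty-digit SEIWG-012/FASC-N-style credential string (all forty digits present, all in a valid numeric structure, then the Agency Code, System Code and Credential Number extracted as the identifier) and then shows the failure mode the text warns about: a panel that keeps only nine of those digits cannot tell two cardholders apart. The field positions, the sample credential strings and the `FieldPanel` class are constructed for illustration; the real FASC-N carries further fields after the ones named here that the page does not detail, so those digits are treated as opaque.

```python
from dataclasses import dataclass
from typing import Dict, Optional

FULL_DIGITS = 40        # the page: forty digits (200 bits) resident on the card
AGENCY_LEN = 4          # Agency Code
SYSTEM_LEN = 4          # System Code
CREDENTIAL_LEN = 6      # Credential Number
ISSUE_LEVEL_LEN = 1     # Issue Level
UNIQUE_KEY_DIGITS = AGENCY_LEN + SYSTEM_LEN + CREDENTIAL_LEN  # the 14-digit identifier


@dataclass(frozen=True)
class CredentialId:
    agency_code: str
    system_code: str
    credential_number: str
    issue_level: str

    @property
    def unique_key(self) -> str:
        """The 14 digits the GSC-IS treats as unique across the Federal Government."""
        return self.agency_code + self.system_code + self.credential_number


def parse_credential(raw: str) -> CredentialId:
    """Reader-side checks: the full forty digits are present and the structure is
    valid (all numeric); then the identifying fields are pulled out.
    Layout assumption (not from the page): the named fields sit in order at the
    start of the string; the remaining digits hold other fields and are ignored."""
    if len(raw) != FULL_DIGITS:
        raise ValueError(f"expected {FULL_DIGITS} digits, got {len(raw)}")
    if not raw.isdigit():
        # Non-numeric Agency/System codes (once allowed by the withdrawn FIPS 95-2)
        # cannot be validated by a digit check alone, so they are rejected here.
        raise ValueError("credential data is not entirely numeric")
    fields, pos = [], 0
    for length in (AGENCY_LEN, SYSTEM_LEN, CREDENTIAL_LEN, ISSUE_LEVEL_LEN):
        fields.append(raw[pos:pos + length])
        pos += length
    return CredentialId(*fields)


class FieldPanel:
    """Panel-side enrolment table keyed on the credential identifier. `key_digits`
    models how many digits the panel can actually store: 14 for a compliant panel,
    9 or 10 for the legacy equipment the page describes."""

    def __init__(self, key_digits: int = UNIQUE_KEY_DIGITS):
        self.key_digits = key_digits
        self._enrolled: Dict[str, str] = {}

    def _key(self, cred: CredentialId) -> str:
        return cred.unique_key[:self.key_digits]

    def enroll(self, raw: str, holder: str) -> bool:
        """Returns False when the (possibly truncated) key already belongs to a
        different cardholder, i.e. the panel cannot distinguish the two cards."""
        key = self._key(parse_credential(raw))
        if key in self._enrolled and self._enrolled[key] != holder:
            return False
        self._enrolled[key] = holder
        return True

    def authorize(self, raw: str) -> Optional[str]:
        """Returns the enrolled holder for a valid, known credential, else None."""
        try:
            cred = parse_credential(raw)
        except ValueError:
            return None
        return self._enrolled.get(self._key(cred))


# Constructed sample credentials: same agency and system, credential numbers that
# differ only in their last digit, padded to forty digits with opaque trailing fields.
SAMPLE_ALICE = "0001" + "0002" + "000123" + "1" + "0" * 25
SAMPLE_BOB = "0001" + "0002" + "000124" + "1" + "0" * 25


if __name__ == "__main__":
    compliant = FieldPanel()
    compliant.enroll(SAMPLE_ALICE, "alice")
    compliant.enroll(SAMPLE_BOB, "bob")
    print("14-digit panel:", compliant.authorize(SAMPLE_ALICE), compliant.authorize(SAMPLE_BOB))

    legacy = FieldPanel(key_digits=9)
    legacy.enroll(SAMPLE_ALICE, "alice")
    print("9-digit panel can enroll bob:", legacy.enroll(SAMPLE_BOB, "bob"))
    print("9-digit panel identifies bob's card as:", legacy.authorize(SAMPLE_BOB))
```

With the full fourteen-digit key both cards resolve to their own holders; with a nine-digit key the panel refuses to enrol the second card because its key collides, and if it were enrolled anyway the second card would be granted the first holder's access. A short or non-numeric string never reaches the lookup.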

Communications between the card reader and the field panel must also be secure. The industry standard communications protocol from card reader to field panel is Wiegand. This is an open standard that has not addressed communication security in any way. It is neither supervised nor encrypted. As it can be tapped into unnoticed, allowing the data to be read and emulated, it does not meet the growing security demands of government and commercial users.

Conclusions

Many manufacturers meet some portion of the requirements listed above. However, full compliance requires a complete end-to-end solution to authenticate a credential from the card to the card reader to the field panel to the software.

Very few manufacturers are able to provide the required end-to-end solution. The AMAG product line subtitled Symmetry Homeland fully addresses all of the DoD concerns regarding the specification. AMAG systems have proven their ability to meet the SEIWG/FASC-N specification using magstripe, contact smart card and contactless technologies.

AMAG Technology has been producing these solutions for the past 10 years. AMAG has been a pioneer in the use of smart cards for physical access control and continues to be a leader in this area. We fully support HSPD-12 and FIPS 201 as well as the government’s leadership in moving the access control industry towards more comprehensive and secure solutions for the future.