Identity Assurance Grows Stronger
The Homeland Security Presidential Directive–12 (HSPD-12) instigated the drive for a common, reliable and secure identification standard for federal employees and contractors. The directive requires that all agencies issue interoperable credentials to all government employees and contractors by October 2008. NIST laid the groundwork for creating the credential with the Federal Information Processing Standard (FIPS) 201. According to William MacGregor, Personal Identity Verification (PIV) coordinator and acting manager of the security testing and metrics group at NIST, FIPS 201 is the umbrella name for a dozen documents that detail requirements for issues such as card distribution, biometrics, testing and cryptographic elements.
MacGregor shares that requiring use of the card for access to computer systems resulted in immediate security results for many organizations. For example, as soon as the Defense Information Systems Agency (DISA) instituted the policy mandating card usage for logical access, its computer systems experienced 46 percent fewer attacks. “We knew it would happen. In fact, I was surprised the number didn’t decrease even more. That’s something we have to work on,” he says. Because access to systems now requires a card and a personal identification number (PIN), attacks on the system could only be coming from current employees, hackers who have gotten their hands on cards and PINs or some other leak in the security system, he allows.
Beefing up that security is one reason NIST is changing two of the documents under the FIPS 201 umbrella. “Cryptographers said from the very beginning that key lengths would need to be increased,” MacGregor shares. Algorithms recommended for phase-out are RSA 1024, SHA-1 and 2TDEA.
Because the migration takes place over a five-year period, MacGregor does not anticipate major problems. Cards featuring the new technology will not be affected, he notes. The challenge will be that in the interim—when both older cards and new cards are being used—systems will have to be able to read both.
Keeping security up-to-date is not the only work NIST has been conducting in the area of identity assurance and PIV. MacGregor says that in addition to continuing to revise the original rendition of FIPS-201, the organization has moved to the next logical step: applications. For example, when an organization is building a Web application, it needs to determine how PIV card use will fit into the architecture.
This constant reviewing and updating is how FIPS-201 was envisioned from the beginning, MacGregor relates. It was never viewed as a stagnant document with rigid rules but rather as a view of all facets of the problems of identity assurance, from the processes through the technology. “The goal was to create the standards for an identity assurance infrastructure that was reliable and dependable and carried through the life cycle of a card: issuance, renewal, re-issuance if necessary, termination and sometimes suspension,” he explains.
During the two years that MacGregor has been working in this field with NIST, he has seen substantive progress in identity assurance work, particularly in the area of biometrics. Fingerprints as identification markers head the list, but advances have been made in facial image recognition as well. Several identification verification techniques—backed by better science—are demonstrating lower error rates as well as lower failure-to-identify rates. Interoperability of systems will be key to bringing these technologies into widespread use, he notes.
To learn more about what’s going on in the world of identity assurance, tap into the SIGNAL Magazine webinar archive. Speakers included Robert Lentz, Deputy Assistant Secretary of Defense for Information and Identity Assurance, and Morris Hymes Jr., director, Public Key Infrastructure Program Executive Office, U.S. Defense Department.
Identity assurance also will be the topic of discussion at the second Solutions Series conference, June 26-27,