Moving to a New, Portable Model for Secure Identity
We often confuse the concept of identity with the card that carries it, but in reality, “identity” can reside on a mobile phone, a USB stick, or some other medium. The move toward virtualized credentials is expanding the concept of “identity” beyond traditional I.D. cards to include many different credential form factors. This new way of thinking is driving fundamental changes in how we deliver and manage secure identity.
Over the last 20 years, 125 kHz RFID proximity (or Prox) cards and readers have become a de facto standard for physical access control. They offer customers the optimum in cost and convenience, but are not as secure as contactless smart cards, which began emerging in the early 2000s. Contactless solutions enhance security through data encryption and mutual authentication, and also support multiple applications such as biometric authentication, cashless vending and PC logon security.
Now, as we move into a new era of enhanced mobility, advanced applications and more dangerous security threats, the industry is moving toward a new access control architecture that will enable a new class of portable identity credentials. It will be possible to securely provision and safely embed these credentials into both fixed and mobile devices, which will improve security while enabling the migration of physical access control technology beyond cards and readers into configurable credentials and virtualized contactless solutions.
The first step toward supporting this new generation of portable identities is to create a trusted boundary within which all network endpoints, or nodes (such as credentials, printers, readers and NFC phones) can be validated, so that transactions between the nodes can be trusted. One of the first such bounded environments, HID Global’s Trusted Identity Platform (TIP), establishes a scalable framework and delivery infrastructure that delivers three critical capabilities: plug-and-play secure channels between hardware and software; best-in-class key management and secure provisioning processes; and seamless integration with information technology infrastructures.
A trusted framework must be anchored by a secure, open and independent Secure Identity Object (SIO) data structure on the credential side, and corresponding SIO interpreters on the reader side. An SIO is a standards-based, device-independent data object that can exist on any number of identity devices. SIOs and SIO interpreters perform similar functions to traditional cards and readers, only using a significantly more secure, flexible and extensible data structure (see Fig. 1).
SIOs deliver three key benefits: portability, security and extensibility. First, because SIOs are portable, they can reside on traditional contactless credentials, and can also reside on other memory cards carrying other card technologies, microprocessor-based cards like SmartMX, smartphones with Near Field Communications (NFC) capabilities, USB tokens, computer disk drives and many other formats (see Fig. 2). This interoperability lets the same object stored on one device later be ported to another device with ease and without strict constraints. Research reported in an Avisian 2010 survey shows 90 percent of end users responding that adding new applications with minimal investment is important, with 53 percent of industry respondents stating they are not satisfied with the solutions to accomplish this in today’s market.
Second, these device-independent SIOs provide an additional layer of security on top of device-specific security, acting as a data wrapper that provides additional key diversification, authentication and encryption, and guards against security penetration (see Fig. 3). Objects are bound to specific devices by utilizing device-unique properties, preventing card cloning. In the same Avisian 2010 survey, 93 percent of end users expressed a requirement to have multiple layers of security on a card or credential, especially when other applications and private data are present, and approximately 37 percent of the industry providers were not satisfied with solutions in the market today.
Third, SIOs are defined using open standards including Abstract Syntax Notation One (ASN.1, a joint ISO/IEC and ITU-T standard), a data definition language that allows for an infinitely extensible object definition. This definition can support any piece of data, including data for access control, biometrics, vending, time-and-attendance and many other applications. Unlike many of the fixed-field structures used in today’s access control card and reader systems, the SIO and associated interpreters can continue to grow in security capabilities while traditional architectures are left behind, stagnant and stuck in a fixed definition. Additionally, the SIO’s flexible data definition provides the aforementioned ability to deploy flexible security protection.
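The two preceding paragraphs describe an identity object as an extensible record that is wrapped with device-diversified keys, authenticated, encrypted, and thereby bound to one device so that a byte-for-byte copy is rejected elsewhere. The following is an added illustrative model of that idea, not HID’s SIO format or code: it assumes an issuer-held master key, a minimal tag-length-value record standing in for an ASN.1-defined structure, HMAC-SHA256 for key diversification and the MAC, and an HMAC-based keystream in place of a real cipher.

```python
"""Illustrative device-bound identity object (constructed model, not HID's SIO)."""
import hmac, hashlib, os, struct

MASTER_KEY = b"constructed-issuer-master-key-demo-only"  # assumption: held by the issuer
NONCE_LEN, TAG_LEN = 12, 32

def diversify(master, device_uid, label):
    """Per-device key: master key diversified with a device-unique property (the UID)."""
    return hmac.new(master, label + device_uid, hashlib.sha256).digest()

def keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode as a stand-in cipher keystream (assumption, demo only)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encode_tlv(fields):
    """Minimal tag-length-value record: new fields can be added without changing parsers."""
    return b"".join(bytes([t]) + struct.pack(">H", len(v)) + v for t, v in fields)

def decode_tlv(data):
    fields, i = [], 0
    while i < len(data):
        ln = struct.unpack(">H", data[i + 1:i + 3])[0]
        fields.append((data[i], data[i + 3:i + 3 + ln]))
        i += 3 + ln
    return fields

def wrap(device_uid, fields, nonce=None):
    """Issuer side: encrypt the record, then MAC it, under keys bound to this device."""
    nonce = nonce or os.urandom(NONCE_LEN)
    enc_key = diversify(MASTER_KEY, device_uid, b"enc")
    mac_key = diversify(MASTER_KEY, device_uid, b"mac")
    pt = encode_tlv(fields)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(device_uid, blob):
    """Reader side: re-derive keys from the presented device's UID; reject if MAC fails."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    mac_key = diversify(MASTER_KEY, device_uid, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # cloned to another device, or tampered: interpreter refuses it
    enc_key = diversify(MASTER_KEY, device_uid, b"enc")
    return decode_tlv(bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct)))))
```

Because the reader derives the keys from the UID of the device actually presented, the same blob copied onto a device with a different UID fails the MAC check before any field is interpreted.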
The next generation of access control card-and-reader platforms will support a new era of more convenient, virtual credentials that can be embedded into phones and other portable devices. At the same time, this coming generation of access control technology promises enhanced security within a more easily extensible access control system infrastructure, so that users can add levels of security, customize security protection, and extend system capabilities without having to overhaul the device infrastructure and applications.