NIST SP800-116：PIV卡在物理访问控制系统中的应用指南

需积分: 9 164 浏览量更新于2024-07-16 收藏 633KB PDF 举报

"NIST SP800-116.pdf" 是一份由美国国家标准与技术研究所(NIST)发布的特别出版物，旨在提供关于在物理访问控制系统(PACS)中使用个人身份验证(PIV)证书的建议。这份文档是2008年11月发布的，由William MacGregor、Ketan Mehta、David Cooper和Karen Scarfone等人共同编写，隶属于NIST的信息安全领域计算机安全分部。该出版物的背景源于国土安全部总统指令12（HSPD-12），该指令规定联邦政府员工和承包商必须根据联邦信息处理标准(FIPS 201)获得一种新的身份凭证，即PIV卡。PIV卡是一种基于微处理器的智能卡技术，旨在防止伪造、篡改，并能在联邦政府设施之间实现互操作性。HSPD-12明确要求使用PIV凭证进行物理访问联邦控制设施以及逻辑访问联邦控制的信息系统。 NIST SP800-116着重于指导如何在PACS中有效地应用PIV卡，这是对原始版本的第一次修订。文档中不仅涵盖了PIV卡的技术特性，还可能包括了使用案例、实施策略、安全要求以及与PACS集成的方法。此外，附录I提供了自初始指南以来的修订历史记录，以便读者了解更新的内容和改进。 NIST SP800-116为联邦机构提供了实施和管理基于PIV卡的物理访问控制系统的标准化框架，以提升联邦设施的安全水平。这份指南对于理解PIV卡在保护关键基础设施和信息资产中的作用至关重要，同时也为确保遵循HSPD-12和FIPS 201标准提供了实用的操作指导。

Special Publication 800-116 A Recommendation for the Use of PIV Credentials in PACS

lack of agency card technology standards and current credential numbering systems are the

factors that limit interoperability across agencies. In other words, an identity credential issued by

one PACS may not have the capability to be used by another. To enhance security and promote

interoperability, it is essential to develop an efficient and cost-effective strategy to migrate PACS

to standardized methods as defined in FIPS 201. The application of cryptographic authentication

and integrity methods allows the security of authentication to be improved, the design of

authentication to rely on open standards, and the need for secrecy regarding authentication to be

concentrated on cryptographic keys.

Full compliance with HSPD-12, and the use of PIV authentication mechanisms for access to

Federal facilities and systems as required by HSPD-12, should be the principal goals of a

department or agency implementation plan. Recognizing that implementation will take time,

migration goals and plans should be developed to PIV-enable PACS installations, while meeting

continuity of operations and resource constraints. Plans may include change management

strategies such as:

+ The use of "multi-technology" readers, enabling a transition to the PIV-enabled PACS

over time by allowing proprietary identity cards and PIV Cards to work side-by-side.

+ Retrofit or upgrade the existing PACS to use PIV Cards.

+ Coexistence of PIV-enabled and existing PACS in leased multi-tenant facilities.

Recommendation: The OMB Memorandum [M-08-01] requires that the

credential issuance be accomplished by October 27, 2008 (or by the date specified

in the implementation plan mutually agreed-upon by the agency and OMB).

Agency implementation plans should be written to accomplish the goals of HSPD-

12.

2.3 Purpose and Scope

The purpose of this document is to describe a strategy allowing agencies to PIV-enable their

PACS, and migrate to government-wide interoperability. Specifically, the document

recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to

manage physical access to Federal government facilities and assets. With the intent to facilitate

and encourage greater use of PIV Cards, this document:

+ Describes the desired characteristics of a target implementation of PIV-enabled PACS.

+ Describes trust and infrastructure challenges that must be overcome to achieve

government-wide credential interoperability.

+ Discusses the PIV Card capabilities so that risk-based assessment can be aligned with the

appropriate PIV authentication mechanism.

+ Recommends to Federal agencies an overall strategy for the implementation of PIV

authentication mechanisms with agency facility PACS.

+ Proposes a PIMM to measure the progress of facility and agency implementations.

As stated above, this document focuses on the use of PIV Cards to gain access to Federal

buildings and facilities. This document does not address non-PIV authentication mechanisms.

Page 5

Special Publication 800-116 A Recommendation for the Use of PIV Credentials in PACS

Page 6

Although the ergonomic design of PACS components is outside the scope of this publication, the

1998 Amendment to Section 508 of the Rehabilitation Act has special relevance to PACS

components. [SECTION508] PACS access controls are intended to be unavoidable. Section 508

should be considered early during projects that integrate the PIV System with PACS. Section 508

should be considered as it applies to enrollment software, smart card and biometric readers,

monitoring systems, and access control point sensors and actuators. Note that FIPS 201, Section

4.4.1, states that an alternative to BIO or BIO-A authentication mechanism should be used if one

or more fingers cannot be enrolled. Further information can be found at [SECTION508], in

[FIPS201], and in [SP800-76].

Many other aspects of physical access control are outside the scope of this publication.

Authorization (i.e., granting permission within a PACS for an identified person to pass access

control points) is a critical security function, but is out of scope for the PIV System. Other out-

of-scope functions include area protection, intrusion detection, monitoring and tracking (other

than at access control points), and enforcement of access control decisions. It is understood that

PACS may also be integrated with surveillance systems, fire control systems, evacuation systems,

etc., within a facility. This document does not address the integration of PACS with other

facility-centric information technology (IT) systems, although it has been written to minimize

conflicts during such integration. Therefore, if the integration of the measures outlined in this

document creates a life-safety risk, organizations will need to mitigate these risks before applying

the measures.

The evaluation of specific PACS architectures or implementations is also outside the scope of this

publication, as is the standardization of PACS. The creation of specific migration plans for each

agency and facility is also not the intent of this document, although it offers advice on the

construction of such plans. Unless normatively referenced, this document is a best practice

guideline.

Recommendation: This document recommends a risk-based approach for

selecting appropriate PIV authentication mechanisms to manage physical access to

Federal government facilities and assets. Agencies should seek recommendations

on PACS architectures, authorization, and facility protection from other sources.

2.4 Audience

This document is intended for the government officials responsible for implementing HSPD-12.

This document will also aid government executives (i.e., decision makers) to evaluate business

cases and develop strategies for their departments or agencies. Information in this document is

also useful to the government contractors and security industry vendors implementing HSPD-12-

related systems, products, and services.

Special Publication 800-116 A Recommendation for the Use of PIV Credentials in PACS

3. Terminology

The following terms are used in this document and are not defined in FIPS 201.

Access Control: A function or a system that restricts access to authorized persons only.

Access Control List: A list of (identifier, permissions) pairs associated with a resource or an

asset. As an expression of security policy, a person may perform an operation on a resource or

asset if and only if the person’s identifier is present in the access control list (explicitly or

implicitly), and the permissions in the (identifier, permissions) pair include the permission to

perform the requested operation.

Assurance Level (or E-Authentication Assurance Level): A measure of trust or confidence in

an authentication mechanism defined in OMB Memorandum M-04-04 and NIST Special

Publication (SP) 800-63, in terms of four levels: [M-04-04]

• Level 1: LITTLE OR NO confidence

• Level 2: SOME confidence

• Level 3: HIGH confidence

• Level 4: VERY HIGH confidence

Authentication: A process that establishes the origin of information, or determines an entity’s

identity. In this publication, authentication often means the performance of a PIV authentication

mechanism.

Authentication in Context: Authentication in context is a concept in which PACS may benefit

from previous authentication within nested areas in a facility. The PACS may use information

from previous access control decisions (“context”) when making a new access control decision.

Authorization: In this publication, a process that associates permission to access a resource or

asset with a person and the person’s identifier(s).

Authenticator: A memory, possession, or quality of a person that can serve as proof of identity,

when presented to a verifier of the appropriate kind. For example, passwords, cryptographic

keys, and fingerprints are authenticators.

BIO or BIO-A: A FIPS 201 authentication mechanism that is implemented by using a

Fingerprint data object sent from the PIV Card to the PACS. Note that the short-hand “BIO (-A)”

is used throughout the document to represent both BIO and BIO-A authentication mechanisms.

Biometric: An authenticator produced from measurable qualities of a living person.

Building Security Committee: A committee consisting of representatives of Federal tenants in a

facility, and possibly the building owner or management. The committee is responsible for

building-specific security issues and approval of security policies and practices.

Card Authentication Key (CAK): A PIV authentication mechanism (or the PIV Card key of

the same name) that is implemented by an asymmetric or symmetric key challenge/response

protocol. The CAK is an optional mechanism defined in NIST SP 800-73. [SP800-73] NIST

strongly recommends that every PIV Card contain an asymmetric CAK and corresponding

certificate, and that agencies use the asymmetric CAK protocol, rather than a symmetric CAK

protocol, whenever the CAK authentication mechanism is used with PACS. See Section 7.1.4.

Page 7

Special Publication 800-116 A Recommendation for the Use of PIV Credentials in PACS

Cardholder Unique Identifier (CHUID): A FIPS 201 authentication mechanism that is

implemented by transmission of the CHUID data object from the PIV Card to PACS, or the PIV

Card data object of the same name.

Certificate: A data object containing a subject identifier, a public key, and other information,

that is digitally signed by a Certification Authority. Certificates convey trust in the relationship

of the subject identifier to the public key.

Cloning: In this publication, a process to create a verbatim copy of a PIV Card, or a partial copy

sufficient to perform one or more authentication mechanisms as if it were the original card.

Contact Reader: A smart card reader that communicates with the Integrated Circuit chip in a

smart card using electrical signals on wires touching the smart card’s contact pad. The PIV

contact interface is standardized by International Organization of Standards / International

Electrotechnical Commission (ISO/IEC) 7816-3. [ISO/IEC7816]

Contactless Reader: A smart card reader that communicates with the Integrated Circuit chip in

a smart card using radio frequency (RF) signaling. The PIV contactless interface is standardized

by ISO/IEC 14443. [ISO/IEC14443]

Controller (or Control Panel, or Panel): A device located within the secure area that

communicates with multiple PIV Card readers and door actuators, and with the Head End

System. The PIV Card readers provide cardholder information to the Controller, which it uses to

make access control decisions and release door locking mechanisms. The Controller

communicates with the Head End System to receive changes in access permissions, report

unauthorized access attempts and send audit records and other log information. Most modern

controllers can continue to operate properly during periods of time in which communication with

the Head End is disrupted and can journal transactions so that they can be reported to the Head

End when communication is restored.

Counterfeiting: In this publication, the creation of a fake ID card that can perform one or more

authentication mechanisms, without copying a legitimate card (see Cloning).

Credential: In this publication, a collection of information about a person, attested to by an

issuing authority. A credential may be a physical artifact (e.g., a PIV Card) or a data object

(e.g., a certificate). One or more data object credentials may be stored on the same physical

memory device (e.g., a smart card).

Credential Validation: The process of determining if a credential is valid, i.e., it was

legitimately issued, its activation date has been reached, it has not expired, it has not been

tampered with, and it has not been terminated, suspended, or revoked by the issuing authority.

Digital Signature: A data object produced by a digital signature method, such as Rivest, Shamir,

Aldeman (RSA) or the Elliptic Curve Digital Signature Algorithm (ECDSA), that when verified

provides strong evidence of the origin and integrity of the signed data object.

Federal Agency Smart Credential Number (FASC-N): As required by FIPS 201, the primary

identifier on the PIV Card for physical access control. The FASC-N is a fixed length (25 byte)

data object, specified in [TIG SCEPACS], and included in several data objects on a PIV Card.

FASC-N Identifier: The FASC-N shall be in accordance with [TIG SCEPACS]. A subset of

FASC-N, a FASC-N Identifier, is a unique identifier as described in [TIG SCEPACS]. Section

2.1, 10

paragraph of [TIG SCEPACS] states “For full interoperability of a PACS it must at a

minimum be able to distinguish fourteen digits (i.e., a combination of an Agency Code, System

Code, and Credential Number) when matching FASC-N based credentials to enrolled card

holders.” Also, Section 6.6, 3

paragraph of [TIG SCEPACS] states, “The combination of an

Agency Code, System Code, and Credential Number is a fully qualified number that is uniquely

Page 8

剩余70页未读，继续阅读

艾米的爸爸

粉丝: 787
资源: 314

NIST SP800-116：PIV卡在物理访问控制系统中的应用指南

NIST SP800-177r1.pdf

NIST SP800-30信息安全文档

NIST SP800-153.pdf

NIST SP800-36.pdf

NIST SP800-111.pdf

NIST SP800-170.pdf

NIST SP800-37.pdf

NIST SP800-52.pdf

NIST SP800-65.pdf

NIST SP800-123.pdf

最新资源