DOI: 10.1145/1143120.1143135

Privacy and security threat analysis of the federal employee personal identity verification (PIV) program

Published: 12 July 2006

Abstract

This paper is a security and privacy threat analysis of the new Federal Information Processing Standard for Personal Identity Verification (FIPS PUB 201). It identifies some problems with the standard and proposes solutions to those problems, using standardized cryptographic techniques based on the Internet Key Exchange (IKE) protocol [16]. When the standard is viewed in the abstract, it seems to provide security and privacy effectively, because it uses strong cryptographic algorithms. However, when the standard is examined in the context of potential user scenarios for its use, security, privacy, and usability problems can be identified. User scenarios are employed to provide the context for identifying these problems, and technical solutions are described to address the issues raised.

References

[1] Application interface for smart cards used as secure signature creation devices - part 1: Basic requirements. CWA 14890-1, Comité Européen de Normalisation (CEN), Brussels, Belgium, March 2004. URL: ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14890-01-2004-Mar.pdf.
[2] Dan Bailey. Contactless threats to FIPS 201 systems. In Public Meeting Addressing Privacy and Policy Issues in a Common Identification Standard for Federal Employees and Contractors, Washington, DC, 19 January 2005. National Institute of Standards (NIST). URL: http://csrc.ncsl.nist.gov/piv-program/workshop-Jan 19-2005/Bailey.pdf.
[3] William C. Barker and Hildegard Ferraiolo. Codes for the identification of federal and federally assisted organizations. NIST Special Publication 800-87, Version 1.0, National Institute of Standards and Technology, Gaithersburg, MD, January 2006. URL: http://csrc.ncsl.nist.gov/publications/nistpubs/800-87/sp800-87-Final.pdf.
[4] David E. Bell and Leonard J. LaPadula. Computer security model: Unified exposition and Multics interpretation. Technical Report ESD-TR-75-306, The MITRE Corporation, Bedford, MA, USA, HQ Electronic Systems Division, Hanscom AFB, MA, USA, June 1975.
[5] George W. Bush. Policy for a common identification standard for federal employees and contractors. Homeland Security Presidential Directive HSPD-12, The White House, Washington, DC, 27 August 2004. URL: http://csrc.nist.gov/policies/Presidential-Directive-Hspd-12.html.
[6] Ran Canetti and Hugo Krawczyk. Security analysis of IKE's signature-based key-exchange protocol. In Advances in Cryptology - Crypto 2002, volume 2045 of Lecture Notes in Computer Science, pages 143--161, Santa Barbara, CA, 2002. Springer-Verlag.
[7] Kurt Carlson. One American Must Die: A Hostage's Personal Account of the Hijacking of Flight 847. Congdon & Weed, 1986.
[8] Chipcards with digital signature application/function according to SigG and SigV - part 1: Application interface. DIN V66291-1, Secretariat: DIN Deutsches Institut für Normung e.V., Berlin, 15 December 1998.
[9] Chipcards with digital signature application/function according to SigG and SigV - part 4: Basic security services. DIN V66291-4, Secretariat: DIN Deutsches Institut für Normung e.V., Berlin, 17 October 2000.
[10] Development of a logical data structure (LDS) for optional capacity expansion technologies. LDS 1.7-2004-05-18, Revision 1.7, International Civil Aviation Organization, Montreal, Quebec, Canada, 18 May 2004. URL: http://www.icao.int/mrtd/download/technical.cfm.
[11] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644--654, 1976.
[12] James F. Dray, Scott B. Guthery, and Teresa Schwarzhoff. Interfaces for personal identity verification. NIST Special Publication 800-73, National Institute of Standards and Technology, Gaithersburg, MD, April 2005. URL: http://csrc.ncsl.nist.gov/publications/nistpubs/800-73/SP800-73-Final.pdf.
[13] Jon Edney and William A. Arbaugh. Real 802.11 Security: Wi-Fi Protected Access and 802.11i. Addison-Wesley, Boston, MA, 2004.
[14] J. H. Ellis. The story of non-secret encryption. Technical report, Communications-Electronics Security Group (CESG), Cheltenham, UK, 1987. URL: http://www.cesg.gov.uk/publications/media/nsecret/ellis.pdf.
[15] Yair Frankel, Amir Herzberg, Paul A. Karger, Hugo Krawczyk, Charles A. Kunzinger, and Moti Yung. Security issues in a CDPD wireless network. IEEE Personal Communications, 2(4):16--27, August 1995.
[16] D. Harkins and D. Carrel. The Internet key exchange (IKE). RFC 2409, November 1998. URL: ftp://ftp.rfc-editor.org/in-notes/rfc2409.txt.
[17] Sari Horwitz and Michael Ruana. Sniper: Inside the Hunt for the Killers Who Terrorized the Nation. Random House, New York, 2003.
[18] Identification cards - contactless integrated circuit(s) cards - proximity cards - part 4: Transmission protocol. ISO/IEC 14443-4, International Standards Organization, Geneva, Switzerland, 2000.
[19] Information technology - identification cards - integrated circuit(s) cards with contacts - part 4: Inter-industry commands for interchange. ISO/IEC 7816-4, International Standards Organization, Genève, 1995.
[20] Information technology - security techniques - key management - part 3: Mechanisms using asymmetric techniques. ISO/IEC 11770-3, International Organization for Standardization, Genève, 1 November 1999.
[21] Ari Juels, David Molnar, and David Wagner. Security and privacy issues in e-passports. In SecureComm 2005, First International Conference on Security and Privacy for Emerging Areas in Communication Networks, Athens, Greece, 5-9 September 2005. URL: http://www.cs.berkeley.edu/daw/papers/epassports-sc05.pdf.
[22] Dato' Mohd Jamal Kamdi. The Malaysian electronic passport. In Twelfth Meeting of the Facilitation Division, Cairo, Egypt, 22 March - 2 April 2004. International Civil Aviation Organization (ICAO). URL: http://www.icao.int/icao/en/atb/fal/fal12/presentations.htm.
[23] Paul A. Karger. FIPS PUB 201 security and privacy recommendations. Report RC23871 (W0501-049), IBM Corporation, Thomas J. Watson Research Center, Yorktown Heights, NY, 14 January 2005. URL: http://domino.watson.ibm.com/library/(CyberDig.nsf/Home.
[24] Paul A. Karger and Yair Frankel. Security and privacy threats to ITS. In Proceedings of the Second World Congress on Intelligent Transport Systems '95 Yokohama, volume V, pages 2452--2458, Yokohama, Japan, 9-11 November 1995. VERTIS: Vehicle, Road and Traffic Intelligence Society.
[25] Gaurav S. Kc and Paul A. Karger. Preventing attacks on machine readable travel documents (MRTDs). Report 2005/404, Cryptology ePrint Archive, 11 April 2006. URL: http://eprint.iacr.org/2005/404.pdf.
[26] Ziv Kfir and Avishai Wool. Security and privacy issues in e-passports. In First International Conference on Security and Privacy for Emerging Areas in Communication Networks (SecureComm 2005), pages 47--58, Athens, Greece, 5-9 September 2005. URL: http://eprint.iacr.org/2005/052.
[27] Tom A. F. Kinneging. PKI for machine readable travel documents offering ICC read-only access. Version 1.1, International Civil Aviation Organization, Montreal, Quebec, Canada, 1 October 2004. URL: http://www.icao.int/mrtd/download/technical.cfm.
[28] Hugo Krawczyk. SIGMA: the 'SIGn-and-MAc' approach to authenticated Diffie-Hellman and its use in the IKE protocols. In Advances in Cryptology -- CRYPTO 2003 Proceedings, volume 2729 of Lecture Notes in Computer Science, pages 399--424, Santa Barbara, CA, 17-21 August 2003. Springer-Verlag.
[29] Susan Kumpf and Nora Russell. Getting the jump on fraud. Cellular Business, 9(10):24--26, October 1992.
[30] Tsutomu Matsumoto. Gummy and conductive silicone rubber fingers: Importance of vulnerability analysis. In Advances in Cryptology: ASIACRYPT 2002, pages 574--575, Queenstown, New Zealand, 1-5 December 2002. Lecture Notes in Computer Science, Vol. 2501, Springer-Verlag.
[31] Tsutomu Matsumoto, Hiroyuki Matsumoto, Koji Yamada, and Satoshi Hoshino. Impact of artificial "gummy" fingers on fingerprint systems. Proceedings of the SPIE, Optical Security and Counterfeit Deterrence Techniques IV, 4677:275--289, 24-25 January 2002. URL: http://cryptome.org/gummy.htm.
[32] Personal identity verification (PIV) for federal employees and contractors: Public draft. FIPS PUB 201, National Institute of Standards and Technology (NIST), Gaithersburg, MD, 8 November 2004. URL: http://csrc.nist.gov/publications/drafts/draft-FIPS_201-110804-publicl.pdf.
[33] Personal identity verification (PIV) for federal employees and contractors. FIPS PUB 201, National Institute of Standards and Technology (NIST), Gaithersburg, MD, 25 February 2005. URL: http://csrc.ncsl.nist.gov/publications/fips/fips201/FIPS-201-022505.pdf.
[34] W. Timothy Polk, Donna F. Dodson, and William E. Burr. Cryptographic algorithms and key sizes for personal identity verification. NIST Special Publication 800-78, National Institute of Standards and Technology, Gaithersburg, MD, April 2005. URL: http://csrc.ncsl.nist.gov/publications/nistpubs/800-78/sp800-78-final.pdf.
[35] Prime item product function specification for magnetic stripe credentials (MSC). SEIWG 012, U.S. Department of Defense, Security Enterprise Integration Working Group (SEIWG), Washington, DC, 28 February 1994.
[36] RFID tags and contactless smart card technology: Comparing and contrasting applications and capabilities. Technical report, Smart Card Alliance, Princeton Junction, NJ, 17 December 2004. URL: http://www.smartcardalliance.org/pdf/alliance_activities/rfidvscontactless_final_121704.pdf.
[37] RFID tags, contactless smart card technology and electronic passports: Frequently asked questions. Technical report, Smart Card Alliance, Princeton Junction, NJ, 3 January 2005. URL: http://www.smartcardalliance.org/pdf/alliance_activities/RFID_Contactless_Smart_Cards_FAQ_FINAL_010305.pdf.
[38] Helmut Scherzer, Ran Canetti, Paul A. Karger, Hugo Krawczyk, Tal Rabin, and David C. Toll. Authenticating mandatory access controls and preserving privacy for a high-assurance smart card. In 8th European Symposium on Research in Computer Security (ESORICS 2003), pages 181--200, Gjøvik, Norway, 13--15 October 2003. Lecture Notes in Computer Science, Vol. 2808, Springer-Verlag.
[39] Technical implementation guidance: Smart card enabled physical access control systems. Version 2.2, Physical Access Interagency Interoperability Working Group, Government Smart Card Interagency Advisory Board, Washington, DC, 30 July 2004. URL: http://www.smart.gov/information/TIG_SCEPACS_v2.2.pdf.
[40] Lisa Thalheim, Jan Krissler, and Peter-Michael Ziegler. Body check: Biometric access protection devices and their programs put to the test. c't - magazin für computertechnik, page 114, November 2002. URL: http://www.heise.de/ct/english/02/11/114/.
[41] M. J. Williamson. Thoughts on cheaper non-secret encryption. Technical report, Communications-Electronics Security Group (CESG), Cheltenham, UK, 10 August 1976. URL: http://www.cesg.gov.uk/publications/media/nsecret/cheapnse.pdf.
[42] Marc Witteman. Attacks on digital passports. In What the Hack, Liempde, near Den Bosch, The Netherlands. URL: http://wiki.whatthehack.org/index.php/Track:Attacks_on_Digital_Passports.
[43] Junko Yoshida. Tests reveal e-passport security flaw. Electronic Engineering Times, (1336):1, 30 August 2004. URL: http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=45400010.
[44] Kim Zetter. Feds rethinking RFID passport. Wired News, 26 April 2005. URL: http://www.wired.com/news/privacy/0,1848,67333,00.html.


Published In

ACM Other conferences
SOUPS '06: Proceedings of the second symposium on Usable privacy and security
July 2006
168 pages
ISBN:1595934480
DOI:10.1145/1143120
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. personal identification
  2. privacy
  3. smart cards

Qualifiers

  • Article

Acceptance Rates

Overall Acceptance Rate 15 of 49 submissions, 31%


  • Downloads (Last 12 months)9
  • Downloads (Last 6 weeks)2
Reflects downloads up to 12 Sep 2024

Cited By

  • (2012) Estimating the Privacy Protection Capability of a Web Service Provider. Innovations, Standards and Practices of Web Services, DOI 10.4018/978-1-61350-104-7.ch007, pp. 132-153. Online publication date: 2012.
  • (2012) Towards Designing E-Services that Protect Privacy. Security-Aware Systems Applications and Software Development Methods, DOI 10.4018/978-1-4666-1580-9.ch003, pp. 35-50. Online publication date: 2012.
  • (2012) A Study on Privacy Preserving Data Leakage Prevention System. Recent Progress in Data Engineering and Internet Technology, DOI 10.1007/978-3-642-28798-5_26, pp. 191-196. Online publication date: 2012.
  • (2011) A field study of user behavior and perceptions in smartcard authentication. Proceedings of the 13th IFIP TC 13 international conference on Human-computer interaction - Volume Part IV, DOI 10.5555/2042283.2042285, pp. 1-17. Online publication date: 5-Sep-2011.
  • (2011) A Field Study of User Behavior and Perceptions in Smartcard Authentication. Human-Computer Interaction – INTERACT 2011, DOI 10.1007/978-3-642-23768-3_1, pp. 1-17. Online publication date: 2011.
  • (2010) Towards Designing E-Services that Protect Privacy. International Journal of Secure Software Engineering, 1(2), DOI 10.4018/jsse.2010040102, pp. 18-34. Online publication date: Apr-2010.
  • (2010) A hybrid public key infrastructure solution (HPKI) for HIPAA privacy/security regulations. Computer Standards & Interfaces, 32(5-6), DOI 10.1016/j.csi.2009.04.005, pp. 274-280. Online publication date: 1-Oct-2010.
  • (2009) Privacy is essential for secure mobile devices. IBM Journal of Research and Development, 53(2), DOI 10.5555/1850636.1850641, pp. 256-272. Online publication date: 1-Mar-2009.
  • (2009) Estimating the Privacy Protection Capability of a Web Service Provider. International Journal of Web Services Research, 6(2), DOI 10.4018/jwsr.2009092202, pp. 20-41. Online publication date: Apr-2009.
  • (2008) Criteria to evaluate Automated Personal Identification Mechanisms. Computers and Security, 27(7-8), DOI 10.1016/j.cose.2008.07.007, pp. 260-284. Online publication date: 1-Dec-2008.
