PIV Cards | Counterfeiting | Skimming | Cloning | Social Engineering

You are here: Technology Topics » Computer & Gadgets » Computer & Network Security » PIV Cards » PIV Cards | Counterfeiting | Skimming | Cloning | Social Engineering

Terminated Personal Identity Verification Cards

Personal Identity Verification Cards may be terminated for a number of reasons, including a lost or stolen card. A terminated Personal Identity Verification Card could continue to open doors with the Cardholder Unique Identifier (CHUID) authentication mechanism long after the card has been terminated.

The check for termination should be performed by a status check, using either the Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRL), on a Personal Identity Verification authentication certificate. Credential validation is required by Federal Information Processing Standard 201 (FIPS 201) for the Personal Identity Verification Authentication Key (PKI) authentication mechanism, but it is not required, nor described, for the Cardholder Unique Identifier (CHUID) authentication mechanism.

If a Personal Identity Verification Card is reported as lost and then terminated by the issuer, Physical Access Control Systems relying on Cardholder Unique Identifier (CHUID) authentication mechanism will continue to accept the Cardholder Unique Identifier (CHUID) until the user is de-authorized in each of those systems.

If a Physical Access Control Systems caches the status of Personal Identity Verification Cards, the cached status of a terminated Personal Identity Verification Card will remain “valid” until the cache is refreshed. The process for Physical Access Control Systems de-authorization is not required or defined by Federal Information Processing Standard 201 (FIPS 201), raising the possibility that on-line credential validation will not be implemented, or not effectively implemented, where the Cardholder Unique Identifier (CHUID) authentication mechanism is employed.

The Personal Identity Verification System mitigates the risk of use of a misappropriated Personal Identity Verification Card (which has been successfully reported and revoked) through the process of on-line credential validation. Federal Information Processing Standard 201 (FIPS 201) equates on-line Personal Identity Verification credential validation to path validation of a Personal Identity Verification authentication certificate.

In the Cardholder Unique Identifier (CHUID) authentication mechanism, only the Cardholder Unique Identifier (CHUID) data object is read from the Personal Identity Verification Card, and a reader cannot check the status of a Personal Identity Verification authentication certificate on the basis of the Cardholder Unique Identifier (CHUID) alone. Therefore, it is recommended that path validation of a Personal Identity Verification authentication certificate be done at Personal Identity Verification registration, and periodically repeated by the Physical Access Control Systems server as long as registration is maintained.

Visual Counterfeiting

Personal Identity Verification Cards are used in the Visual (VIS) authentication mechanism that requires visual inspection of the Personal Identity Verification Card by a security guard. A visual counterfeit mimics the appearance, but not the electronic behavior, of an actual Personal Identity Verification Card.

A Personal Identity Verification replica may be created by color photocopying or graphic illustration methods and color printing to blank stock. Because of the required presence of one or more security features on the Personal Identity Verification Card, a visual counterfeit is unlikely to pass close examination, provided guards are trained to recognize security features. ID (Identity Document) cards may receive only cursory examination when used as “flash passes”, however.

The Personal Identity Verification Card mitigates the risk of visual counterfeiting through its capability for rapid electronic authentication, and to a lesser degree, by the presence of one or more security features on the surface of the card. Given the ready availability of high-quality scanners, graphic editing software, card stock, and smart card printers, electronic verification is strongly recommended, either in place of the Visual (VIS) authentication mechanism or in combination with it.

Skimming

A contactless Personal Identity Verification Card reader with a sensitive antenna can be concealed in a briefcase, and is capable of reading ISO/IEC 14443 (standard) contactless smart cards like the Personal Identity Verification Card at a distance of at least 25 cm.

The range of a skimmer is limited primarily by the requirement for the skimmer to supply power to the Personal Identity Verification Card by inductive coupling. A concealed skimmer could immediately obtain the free-read data from the Personal Identity Verification Card, which includes the Cardholder Unique Identifier (CHUID) and the certificates.

The Personal Identity Verification Card mitigates the risk of skimming by access rules that prevent the release of biometric and other data over the contactless interface, and by minimizing content in the free-read data objects. Additional protection can be achieved by shielding techniques that positively deactivate a Personal Identity Verification Card when not in use. The electromagnetically opaque sleeve is one such technique.

Sniffing

When a Personal Identity Verification Card is presented to a contactless reader at an access point, the reader supplies power to the Personal Identity Verification Card through inductive coupling and a series of messages is exchanged between the Personal Identity Verification Card and reader using RF (radio frequency) communications. A sniffer is a receiver that does not supply power to the smart card.

A sniffer can operate at greater distance than a skimmer (sniffing at a distance of about 10 m has been reported), because a legitimate reader powers the Personal Identity Verification Card at the nominal distance of a few centimeters, while the sniffer’s RF (radio frequency) receiver is farther away. Potentially, a sniffer could capture the entire message transaction between the contactless reader and the Personal Identity Verification Card.

The Personal Identity Verification Card mitigates the risk of sniffing by the same access rules that prevent the release of biometric and other data over the contactless interface. The Cardholder Unique Identifier (CHUID) can be sniffed, however, when used over a contactless interface. Shielding techniques that positively deactivate a Personal Identity Verification Card when not in use cannot mitigate the risk of sniffing, because a Personal Identity Verification Card must be activated to perform a legitimate authentication transaction.

Social Engineering

If an attacker persuaded the cardholder to give them possession of the Personal Identity Verification Card, the attacker could quickly insert the card into a contact reader and copy all of the information available as free-read (the Cardholder Unique Identifier (CHUID), the security object, the Card Capability Container, and the certificates) over the contact interface.

An attacker could also attempt a remote attack similar to well-known phishing attacks by creating a web page that asks the subject to “insert their Personal Identity Verification Card and enter their PIN (Personal Identification Number)” for an apparently legitimate purpose. If the cardholder complies, under some assumptions the attacker could capture the cardholder’s PIN (Personal Identification Number) and all of the readable Personal Identity Verification data objects, including the Cardholder Unique Identifier (CHUID).

The Personal Identity Verification Card mitigates the risk of social engineering attacks by blocking the release of all private and secret keys, and by requiring two-factor authentication (Personal Identity Verification Card and PIN (Personal Identification Number)) to perform cryptographic operations with the Personal Identity Verification Authentication Key. Moreover, the Personal Identity Verification Card is blocked upon exceeding the allocated number of bad PIN (Personal Identification Number) tries. Additional technical and procedural controls may be needed to counter Personal Identity Verification phishing.

Cardholder Unique Identifier (CHUID) is one of the data elements of Personal Identity Verification credentials that uniquely identifies the Personal Identity Verification cardholder.

Electronic Cloning

If an attacker has successfully conducted a skimming, sniffing, or social engineering attack, he or she possesses verbatim copies of some of the data objects from an issued Personal Identity Verification Card. The objects that are signed (e.g., the certificates and Cardholder Unique Identifier (CHUID)) retain their signatures, and the signatures are valid if the original card is valid.

The attacks described, however, cannot copy the private or secret keys needed for cryptographic authentication methods. The attacker is thus able to create a partial clone of the Personal Identity Verification Card that would succeed in Cardholder Unique Identifier (CHUID)-based authentication, but is not able to create a clone that would succeed in Personal Identity Verification Authentication Key (PKI) or CAK authentication mechanisms.

The Personal Identity Verification Card mitigates the risk of electronic cloning by providing the Personal Identity Verification Authentication Key (PKI) and CAK alternative mechanisms. It is strongly recommended that agencies use Personal Identity Verification Authentication Key (PKI) or asymmetric CAK challenge/response methods instead of the Cardholder Unique Identifier (CHUID) authentication mechanism.

Electronic Counterfeiting

An attacker could construct a battery-powered, microprocessor-based device that emulates a Personal Identity Verification Card for purposes of the Cardholder Unique Identifier (CHUID) authentication mechanism. The attacker could program the microprocessor to generate and test Cardholder Unique Identifier (CHUID)s repetitively against a Physical Access Control Systems reader, changing the Federal Agency Smart Credential Number (FASC-N) credential identifier on each trial.

This approach would not require prior capture of a valid Cardholder Unique Identifier (CHUID), but since the counterfeit Cardholder Unique Identifier (CHUID)s would not possess valid issuer signatures, a successful exploit depends on the absence of signature verification in the Cardholder Unique Identifier (CHUID) processing done by the reader.

The Personal Identity Verification Card mitigates the risk of electronic counterfeiting by storing a Cardholder Unique Identifier (CHUID) with a digital signature field. Electronic counterfeiting will be extremely difficult if Cardholder Unique Identifier (CHUID) signature verification is done, although signature verification is not required.

Moreover, since many counterfeit Cardholder Unique Identifier (CHUID)s may be presented while an attacker probes for a valid counterfeit Cardholder Unique Identifier (CHUID), the Physical Access Control Systems should employ methods to detect, alarm, and block repeated unsuccessful Cardholder Unique Identifier (CHUID) presentations.

Published in PIV Cards , Thursday February 5th 2009
Tags: hspd 12 piv cards, security

No Responses to “PIV Cards | Counterfeiting | Skimming | Cloning | Social Engineering”

omar says:

Very interesting article.I wait to read more about this subject
Ken says:

interesting post
P. Silva says:

a very good article about PIV Cards | Counterfeiting | Skimming | Cloning | Social Engineering