FIPS 201 News
Probaris upgrades identity registration authority software
Philadelphia-based identity software company Probaris has released an upgrade to its identity registration authority software. Called ID 4.0, it now supports multiple credential, token and device types, enabling configurable workflows for varying credential form factors.
Additional new features include the ability to audit and provide reporting for governance, risk management and compliance by identity type and industry requirements.
ID 4.0 is compliant with many Federal identity standards such as FIPS 201, PIV, PIV-I and related publications.
These software enhancements allow enterprises and government agencies to issue strong forms of identity like Level 4 Crypto, PIV and PIV-I. The product can issue identities to many form factors including smart phones.
SCA report: How FIPS 201 can help the enterprise
The Smart Card Alliance released a report on how PIV and PIV-I can be leveraged by others to fulfill identity needs. Called Commercial Identity Verification (CIV) credentials, they can use the PIV-I specification, technology and data model without the requirement for cross-certification.
Any enterprise can create, issue, and use CIV credentials according to requirements established within that enterprise’s unique corporate environment. This white paper is designed to provide guidance on how enterprises can take advantage of FIPS 201 and the PIV credential specifications to implement a standards-based identity credentialing program.
The paper discusses benefits, describes best practices and technical requirements, and provides a set of reference documents to assist corporations in establishing a secure, reliable, electronically verifiable identity program.
Standards based
One of the advantages of these credentials is that they adhere to a set of standards that is accepted by suppliers, issuers and users. Typically, most access control systems relied on proprietary identity credentials, and interoperability was confined to a few office sites belonging to a single organization.
A standards-based credential means that any employee’s credential can be accepted by any facility and IT network that adheres to that standard. Enterprises that use this credential and access control products built to support the PIV-I credential can achieve levels of access control security and technical interoperability similar to those available using PIV cards.
The CIV credential is technically compatible with the PIV-I credential specifications. However, a CIV credential issuer need not comply with the strict policy framework associated with issuance and use of the PIV and PIV-I credentials. This freedom enables corporate enterprises to deploy the standardized technologies in a manner that is suitable for their own corporate environments.
The white paper can be downloaded here.
SecuGen's Hamster IV receives FIPS 201/PIV certification
SecuGen has announced that its Hamster IV v2 fingerprint reader, the new generation of its Hamster IV fingerprint readers, has met the requirements of the Personal Identity Verification (PIV) Single Finger Capture Device Specifications and received FBI certification for FIPS 201/PIV.
The new version of the Hamster IV retains most of the aspects of its predecessor such as rugged design and image quality, but has also increased the image capture speed and has USB 1.1 and 2.0 compatibility.
Audio from September 28 IAB meeting online now
The September meeting of the influential Government Smart Card Interagency Advisory Board (IAB) was recently held in Washington D.C. FIPS201.com was on hand to cover the event and has provided, as a service to the IAB and the smart card community, an audio recording of the presentations. Click on the link below to access a list of audio and accompanying PowerPoint slides (in pdf format).
Government Smart Card Interagency Advisory Board (IAB) Meeting
Opening Remarks
Tim Baldridge, IAB Chair (MP3)
Identity Management: A Financial Services Perspective
David Belchick, CitiBank (PDF, MP3)
Leveraging PIV to Enhance Mobile Device Security
Andrew Sheedy, ActivIdentity (PDF, MP3)
Closing Remarks
Tim Baldridge, IAB Chair (MP3)
An Introduction to the NIMS Credentialing Guidelines
Ted Sobel, DHS (PDF, MP3)
idOnDemand releases report on updating PACs
idOnDemand announced the availability of a new white paper on physical access control systems. The white paper, “Physical Access Card Systems: Yesterday and Today” by security analyst Dave Kearns, is designed to assist organizations in recognizing the limitations of their proximity card-based building access systems and offers a secure, standards-based approach to modernize building security.
The risks to businesses have evolved, compliance is more complex and threats are more sophisticated than in years past, according to the white paper. Most organizations lack information about how their physical access control proximity card systems work and the security levels these systems offer, which limits their ability to effectively consider strategic directions.
Physical Access Card Systems: Yesterday and Today gives an overview of building access systems, explains how the widely employed legacy approach does not address today’s security needs and offers considerations and strategies to move forward with a more secure smart card-based solution.
In the paper, Kearns addresses proprietary systems, identifies standards that are changing the market such as ISO/IEC 14443, FIPS 201, OSDP and PLAID, and explores a number of myths and misinformation in the physical access world.
The white paper can be downloaded here.
AuthenTec sensors to be included in new Dell notebooks

AuthenTec has announced that its TouchChip line of fingerprint scanning modules is to be implemented into Dell Computers’ new Latitude E6520 notebooks. The sensor is FIPS 201-certified so it can be used in conjunction with U.S. government projects.
The Dell Latitude E6520 is a business-rugged laptop that features a military standard-tested metal case and highly durable display. It represents the second generation of Dell notebooks to incorporate an AuthenTec TCS1-based TouchChip module with a PIV-compliant smart card reader enabling multi-factor authentication. The Dell Latitude E6520 offers government agencies and contractors a complete endpoint security solution for complying with U.S. government standards.
AuthenTec’s new TCETB1 TouchChip module integrates a low-profile conductive metal bezel, which reduces device thickness to approximately half of the prior generation, allowing it to fit into more devices.
The TCETB1 offers a rugged yet thin package, on-board memory for sensor calibration data, a USB controller and other features that deliver a self-contained USB module for notebooks, keyboards, smart card readers, mobile ID terminals and access control devices. AuthenTec’s TCETB1 is thinner than bulky optical fingerprint readers and offers greater power efficiency, making it ideally suited for battery operated mobile devices that must be small and portable yet meet government fingerprint standards.
What happened to the smart card OS battle?

Once hotly contested, the operating system debate has cooled
By Jill Jaracz, Contributing Editor, AVISIAN Publications
Coke vs. Pepsi. Windows vs. Mac. Visa vs. MasterCard.
These well-known rivalries are good for consumers because they create healthy competition. For many years, this seemed to be the case for smart card operating systems. The debate and battle was quite heated, but today, there’s little talk about the smart card OS. What happened to the OS war?
In order to know why the smart card operating system was a hot topic, you need to look at its evolution. The smart card operating system took off in the ’90s when the memory card underwent a transition. The memory card, a product of the ’80s, transformed when it became feasible to add microprocessors to cards, explains Jean-Louis Carrera, vice president of system development at Gemalto North America.
The addition of a microprocessor necessitated an operating system. In the early stages, the OS came from the card’s manufacturer. Each manufacturer had its own proprietary operating system and at times a manufacturer had a different OS for its different card types.
This meant that applications had to be written for the specific card on which they would ultimately be used. For the most part, this resulted in both cards and applications being purchased from the same vendor. This worked out great for vendors but made it difficult for the end issuers.
“In the late ’90s smart cards were controlled by manufacturers who developed native operating systems,” says Anna Fernezian, principal leader and subject matter expert at CSC. “The native operating system made a lot of sense. It constrained the buyer to get cards from some specific suppliers.”
The constraints on these operating systems extended to application development, as each application had to be written specifically for a single, predetermined OS. “There was no development on the fly,” says Fernezian, “it was nothing like today’s applications.”
As smart card capacity grew, issuers wanted to do more with their cards without waiting on suppliers for application development. A standardized OS was needed.
Two main operating systems emerged to fill the gap: Sun’s Java Card, and MULTOS, an OS developed for the banking community. Then in the late ’90s, Microsoft jumped into the smart card operating system market with great fanfare surrounding its Smart Card for Windows OS.
The competitive landscape looked very much like the bankcard wars as Visa aligned with the Java Card and MasterCard backed MULTOS. “Smart Card for Windows was a Johnny come lately, a ‘me too’ operating system,” says Fernezian.
“As a developer, you prefer having fewer operating systems,” says Fernezian. Having to know fewer OS’s means development of applications becomes easier in terms of structure, commands and responses. “Where am I going to get the biggest bang for my time?” says Fernezian. “You develop to the operating system that’s most widely used.”
Over time, Java Card emerged as the system preferred by developers. By 2003 it was clearly the leading OS with 220 million units shipped versus just 8.3 million for MULTOS, according to Frost & Sullivan.
The key to Java Card’s victory was its simplicity, familiarity and portability. Developers knew Java, explains Carrera, and the Java Card applet was portable and could be loaded onto different systems.
Java Card’s simple structure also made it more acceptable to an industry where technology changes need to get to the market quickly. “Java Card makes time to market much simpler and faster,” says Fernezian. “(Applications) could be delivered in months instead of years.”
MULTOS’ predominant use has been in Asia-Pacific and Brazil. “(MULTOS is) an operating system ahead of its time,” says Fernezian, due to PKI being inherent in its development. “It’s more complicated than Java Card, and that scared people away,” she adds.
“The MULTOS organization has realized there’s complexity and has tried to simplify in the last five years or so, but Java Card has such a long lead and a huge development community that it’s hard to get (suppliers and vendors) to buy into it now,” says Fernezian.
As for Microsoft, it became an also-ran. “Since there wasn’t a lot of progress, Microsoft seemed to lose interest,” says Fernezian.
Java Card go-to OS for U.S. government
When the federal government’s FIPS 201 specification was first written there was much discussion around smart card operating systems. MULTOS, Java and a file-based system were all discussed.
Early on, many were concerned that NIST would ignore the Defense Department’s investment in the Java Card environment and create a specification that was purely for a file system based card.
FIPS 201 ended up being operating system agnostic, though implementations have all been based on the Java Card OS. There were MULTOS-approved systems when FIPS 201 first came out but agencies have exclusively deployed Java Card, says Neville Pattinson, vice president of government affairs at Gemalto.
To date U.S. government agencies have issued more than 4.8 million credentials running the Java Card OS.
The aftermath
The smart card OS war of the ’90s has turned into a more or less peaceful competition. Developers and manufacturers have been able to answer the security, performance and interoperability issues that were so important when the industry took off. “The challenges and the interoperability has been addressed,” says Carrera.
The industry has matured to a point where it can focus on usability and applications rather than the underlying platforms. “The operating system has become a commodity,” says Fernezian. “It is so standardized and readily available that they’re not interested in it anymore.”
MULTOS history and timeline
1993 National Westminster Bank or NatWest (UK) develops MULTOS to support the Mondex stored value e-purse scheme
2001 MasterCard International assumes control of Mondex and MULTOS
2006 StepNexus is formed by Hitachi, Keycorp and MasterCard to take over control and development of MULTOS
2008 Keycorp (Australia) acquires StepNexus and MULTOS
2008 Gemalto acquires Keycorp’s smart card business including MULTOS and forms Multos International to manage the system
Codebench integrates with RedCloud
Codebench Inc. announced that it has integrated its PIVCheck Plus software with RedCloud Security Management Software. RedCloud was formerly known as PlaSec.
This marks the first integration of PIVCheck Plus software with a physical and virtual network appliance access control platform. RedCloud Virtual is a VMware Ready access control solution purpose-built for organizations that have migrated their IT infrastructure to a secure, private cloud environment.
RedCloud Enterprise offers all the software features found in RedCloud Virtual, including PIVCheck Plus integration, and is packaged in a network appliance. Both RedCloud systems are 100% Web-based and leverage an open architecture, plus they offer integrated identity management and video surveillance.
Codebench accomplished the integration by utilizing RedCloud’s REST API, one of many IT collaboration tools available from RedCloud.
Codebench’s PIVCheck software suite is a card validation, authentication and registration solution for HSPD-12 compliance. Pairing the PIVCheck solution with RedCloud Security Management Software will enable federal government users and other organizations that need to comply with HSPD-12 requirements to easily validate FIPS-201 compliant credentials in real-time and to continue that validation on an ongoing, user-defined schedule. In addition, it will allow entities to easily register PIV, TWIC, CAC or FRAC cards without having to do additional data entry on each cardholder.
Psion accredited by Apriva
Psion announced that its Workabout Pro 3 and Workabout Pro-g have earned Apriva’s compatibility certification. Running on Windows Mobile 6.1, the Workabout Pro 3 and Workabout Pro-g have completed Apriva’s integration and testing with its secure mobile communications products deployed to government and public agencies around the world.
Apriva integrated and tested the Workabout Pro with its Apriva CSPware and Apriva Guard middleware to ensure compatibility with all government-issued FIPS 201 certified smart cards or Common Access Cards. The Workabout Pro has also been validated to comply with the government’s security technical implementation guide standards for how devices are protected. This requires that data be encrypted and the device locked down when not in use, making it nearly impossible to compromise.
The U.S. government uses Apriva’s technology to secure mobile communications for classified and unclassified email. The company’s BT200 smart card reader and PKI authentication software are used on handheld terminals deployed by government agencies to inventory sensitive assets from commissary items to advanced weapons.
Psion’s handheld computers have been used by the U.S. government for applications such as homeland security at the nation’s borders, ports and airports, as well as military applications.
Audio from July 27 IAB meeting online now
The July meeting of the influential Government Smart Card Interagency Advisory Board (IAB) was recently held in Washington D.C. FIPS201.com was on hand to cover the event and has provided, as a service to the IAB and the smart card community, an audio recording of the presentations. Click on the link below to access a list of audio and accompanying PowerPoint slides (in pdf format).
Government Smart Card Interagency Advisory Board (IAB) Meeting
Opening Remarks
Tim Baldridge, IAB Chair (MP3)
A TWIC Program Status and Update
John Schwartz, TSA (PDF, MP3)
CAC/PKI Logon to Warriorgateway.org
Devin Holmes, Warrior Gateway
http://www.warriorgateway.org (PDF, MP3)
A Federal Security Professional PACS Perspective since the Signing of HSPD 12
Ron Martin, HHS (PDF, MP3)
Closing Remarks
Tim Baldridge, IAB Chair (MP3)

