FIPS 201 and PIN: Never replicate or put a PIN in the clear!
13 July, 2009
By Salvatore D’Agostino, IDmachines
IDmachines has recently run across a number of situations in which people want to leverage the PIN on a FIPS 201 credential. The idea is to use a PIN held on the system as a second factor, in combination with the contactless components of the credential. Multi-factor authentication is a great idea for any access control application: something you have plus something you know is simply more secure than something you have alone.
But let’s be clear: it’s something YOU have and something YOU know, not something WE know (as in anyone with access to a database or application). The PIN on a FIPS 201 credential is something you set, and it is then locked away. You should never tell it to anyone, and you should certainly never store it in a database for use in another application.
In particular, under no circumstances use the PIN that is associated with and provides access to your private keys as a PIN on a physical access control system. End of story, no further discussion please.
It’s not the worst thing in the world to have a second PIN for the physical access control system, particularly given the increase in security it brings to contactless applications in the FIPS 201 world. Further, this is where you can be creative: there are certainly ways to use the PIN but not STORE it on the physical access control system (PACS).
This is where you need to dig into your cryptographic toolbox and do something neat. Just don’t compromise your FIPS 201 credential by doing something silly such as storing the PIN on the system. It doesn’t matter if it’s only accessible by administrators or security officers. It’s your PIN, it protects a PRIVATE key, and policy states never give it to anyone. This is not a case where it’s OK to bend the rules.
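One way to "use the PIN but not store it" on a PACS, as an added example that is not the author's code and not part of the original post: the PACS keeps only a verifier derived from the separate PACS PIN (never the credential's private-key PIN), so the PIN itself is not in any table. A plain salted hash is not enough here, because a 6 to 8 digit PIN has so little entropy that a dumped database could be brute-forced offline in seconds; the example therefore keys the verifier with a pepper that the PACS is assumed to hold outside the database (in an HSM or secure element) and caps failed attempts per card. The pepper value, the `card_id` field, and the retry limit are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Assumption: the PACS holds this key in an HSM or secure element, separate from
# the database that holds the verifiers. The value here is constructed for the
# example; a real deployment would never embed it in source.
PACS_PEPPER = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

PBKDF2_ITERATIONS = 200_000   # slows each guess even if the pepper leaks
MAX_ATTEMPTS = 5              # lockout threshold per card (constructed value)


def derive_verifier(pin: str, salt: bytes, pepper: bytes = PACS_PEPPER) -> bytes:
    """Return a 32-byte verifier for a PACS PIN.

    The PIN is stretched with a per-card salt under PBKDF2, then keyed with the
    PACS pepper via HMAC. Knowing only the database (salt + verifier) is not
    enough to test PIN guesses; the attacker also needs the pepper.
    """
    if not pin.isdigit() or not 6 <= len(pin) <= 8:
        raise ValueError("PIN must be 6 to 8 digits")
    stretched = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.new(pepper, stretched, hashlib.sha256).digest()


def enroll(db: dict, card_id: str, pin: str) -> None:
    """Store salt, verifier and a failure counter; the PIN itself is discarded."""
    salt = secrets.token_bytes(16)
    db[card_id] = {
        "salt": salt,
        "verifier": derive_verifier(pin, salt),
        "failures": 0,
    }


def verify(db: dict, card_id: str, pin: str) -> bool:
    """Check a presented PIN against the stored verifier.

    Locked cards always fail, malformed and wrong PINs both count as failures,
    and the comparison is constant-time.
    """
    rec = db.get(card_id)
    if rec is None or rec["failures"] >= MAX_ATTEMPTS:
        return False
    try:
        candidate = derive_verifier(pin, rec["salt"])
    except ValueError:
        candidate = None
    ok = candidate is not None and hmac.compare_digest(candidate, rec["verifier"])
    if ok:
        rec["failures"] = 0
    else:
        rec["failures"] += 1
    return ok


if __name__ == "__main__":
    pacs_db = {}
    enroll(pacs_db, "card-0001", "482913")      # constructed sample card and PIN
    print("correct PIN:", verify(pacs_db, "card-0001", "482913"))
    print("wrong PIN:  ", verify(pacs_db, "card-0001", "000000"))
    print("stored record keys:", sorted(pacs_db["card-0001"]))
```

The design choice worth noting is the split between what the database holds (salt, verifier, failure count) and what only the PACS can use (the pepper): an administrator or security officer who can read the table still learns nothing about the PIN, which is the property the post insists on. The lockout counter limits online guessing against the reader; the iteration count and pepper limit offline guessing against a stolen table.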