    The identity standard



    Since the last column the National Institute of Standards and Technology (NIST) has published the Federal Information Processing Standard (FIPS) 201.

    - By Salvatore D’Agostino

    I have written on a number of occasions in this column about the role of smart cards in transportation. I also have discussed the implication of Homeland Security Presidential Directive (HSPD) 12, which mandates that a common credential be established for identity across the federal enterprise. For those involved in the transportation world, a new acronym now becomes part of the lexicon: FIPS 201.

    Since the last column the National Institute of Standards and Technology (NIST) has published the Federal Information Processing Standard (FIPS) 201. To quote from NIST: “In response to HSPD 12, the NIST Computer Security Division initiated a new project for improving the identification and authentication of federal employees and contractors for access to federal facilities and information systems. Federal Information Processing Standard (FIPS) 201, titled Personal Identity Verification of Federal Employees and Contractors, was developed to satisfy the requirements of HSPD 12, approved by the Secretary of Commerce, and issued on Feb. 25, 2005.” The details can be found at the following link: www.csrc.nist.gov/piv-project.

    The publication of this standard effectively creates a standard for smart cards in the U.S. And while it does not create a national ID program, it does set a standard for identity cards, also known as driver licenses, across the country. One important aspect of the FIPS is that it addresses not only federal employees but contractors as well. This means that anyone who does business with the government will be required to use these credentials, which greatly widens the standard’s reach.

    Further, the language above states that the standard relates to access to federal facilities and information systems. From a transportation perspective, what does this mean? The standard affects ports, borders, airports and rail (e.g., Amtrak) facilities. This means the standard affects all modes of transportation: air, sea, rail and road (even if you drive your snowmobile or walk across a border). The Transportation Workers Identification Credential (TWIC) alone will involve 10 million people, and the standard itself will immediately affect more than 40 million people.

    I am trying to point out that this is a big thing, not that this is a bad thing. The specification and its proper implementation go a long way to helping security and, even more importantly, toward helping privacy. Let me go through a few examples of why the FIPS 201 will benefit transportation professionals and the general public.

    Protecting your identity

    In spite of everything going on in the world of smart printing for driver licenses (holograms, special inks, special laminations, etc.), using digital certificates and digital signatures and smart cards as designated by the FIPS 201 provides the highest level of identity protection. Identity theft is a huge “business” estimated in the range of $50 billion per year. The potential illicit gain has caused an increasing brazenness on the part of those stealing identities.

    As an example, thieves recently simply took the computer equipment used to make Nevada drivers’ licenses, including over 1,000 blanks. While they were at it, they also gained access to individual identity files related to nearly 9,000 issued licenses. How did they do this? The technique used: crash through the back door of the building with a car. There’s another lesson here about the requirement for physical security to match logical security (e.g., what good did the DMV network firewall do to stop file access here?).

    Not everyone has to be so brazen: just Google “fake ID” and you will find multiple sites with all kinds of opportunities for reselling fake IDs. What does this have to do with transportation? A few examples would be: under-age drinking and related accidents; unlicensed drivers, related accidents and the danger to transportation workers from these drivers; the impacts on congestion from these incidents; illegal commercial driver licenses and the related cargo being transported; etc. This goes hand-in-hand with the ITS America vision of zero fatalities.

    How does the FIPS help? Because the credentials are electronic, they can be easily revoked. It doesn’t take a store clerk to perform the equivalent of cutting the credit card in half. Moving beyond flashing IDs to electronically verifying them provides a deterrent, if not a solution, to the use of fake credentials. Further, it is possible to electronically place a “poison pill” on a credential, making it useless as well. This is from an operational perspective. Practically, the ID, like your bank ID, can require additional factors (such as a PIN or, for high-value or high-security transactions, even a biometric).

    The presence of the standard and the ability to protect identity through the use of a secure credential means that states will begin to issue this type of card as a driver’s license. The gating factor for this moving forward is a fear on the part of privacy advocates that this will create a means of electronically tracking people and their transactions. I find this ironic given the fact that theft of my identity would be the greatest invasion of privacy. Protect my identity first and then let me control the use of my identity.

    Further transportation cases

    One of the first areas where the evolving card standard will have an effect is transit. As an example, the smart card industry association, the Smart Card Alliance, has announced the formation of a transportation council in association with the American Public Transportation Association. The goal is to accelerate the use of standards-based smart-card payment programs. Standards-based means the FIPS 201. The Washington Metropolitan Area Transit Authority has already demonstrated the desire to use the standard government credential not only for logical and physical access but for use in transit as well.

    The standard addresses some of the recent issues that have arisen around the strength of security associated with the radio frequency tokens used for gasoline purchases and also for vehicle entry. The technology used in more than 6 million key chain tags for wireless gasoline purchases and in an estimated 150 million keys for vehicles built by at least three leading manufacturers was recently compromised by a researcher at Johns Hopkins University. The radio frequency standard used in the new credential standards has sufficient strength to withstand the type of brute force cryptographic attack used to crack these key codes.

    The Vehicle Infrastructure Initiative provides another area in which the standard will likely have an influence. Access to the network infrastructure and the associated authentication and authorization of vehicles, users and the related applications will likely take advantage of this identity standard. Identity applies to vehicles and devices as well as to individuals.

    The skill set for professionals in the field of intelligent transportation systems continues to expand. At this point it now clearly includes the world of smart cards and identity credentials.





    D’Agostino is vice president, physical security, for CoreStreet Ltd., Cambridge, Mass.

    Source: TM+E   April 2005   Volume: 10 Number: 2
    Copyright © 2008 Scranton Gillette Communications


