Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 140

Machine-readable smart cards or digital ID cards have been becoming more commonplace during the last two decades. Much of this was spurred on by the U.S. government, and this drove the creation of NIST guidelines and standards for physical access control systems (PACSs). Standards describing two different cards, the common access card (CAC) and the personal identity verification (PIV), have been developed for their use, and they support high-volume mass production of the blank cards that are then initialized as part of the identity provisioning process by the using organizations. Each card type uses an embedded chip to store digital certificates and information about the identity of the person the card has been issued to, which is then used as part of the access authentication. These cards are not foolproof and can be prone to radio frequency crosstalk that in some cases can render the card inoperable. Within many U.S. government organizations, for example, CACs are used not only for face-to-face verification of identity but as part of access control to computer and communications systems and for entry to restricted or controlled areas. Many private companies use one or the other card as part of their physical access control for data centers or other high-value assets. CAC and PIV cards may be used with magnetic stripe readers, with OCR readers, or in some cases with near-field communications (NFC) RF readers.

NOTE In the United States, Federal Information Processing Standard Publication 201 (FIPS 201, Parts I and II), developed by the National Institute of Standards and Technology, provides current standards and technical details related to using physical access control systems (PACSs) and the associated CAC or PIV cards as part of an authentication system. See https://csrc.nist.gov/publications/detail/fips/201/2/final.

Note that in the European Union's Genera Data Protection Regulation (GDPR), which went into effect in 2018, there are additional requirements about how data can be collected from humans during the identity verification process, how that data can be compared to data in other sources, and what if any of that data can be retained by the data processor without explicit consent of the user.

Because electronic ID cards like the CAC and PIV are intended for mass production and because millions of mass-produced cards make an alluring target for attackers, it is critical for researchers and practitioners alike to keep abreast of vulnerability concerns with these and similar devices. For example, an alarming report by two Czech scientists in 2014 about a “highly theoretical” vulnerability in Estonian CAC ID cards led to an investigation identifying a manufacturing error requiring 15 cards to be canceled immediately. After further investigation, the Estonian software was rewritten to compensate for the problem. (For more information, see, for example, https://news.postimees.ee/4236857/id-card-tip-from-czech-scientists.) While the fundamental technology appears sound and the cards practical, you can expect many more vulnerabilities and alarms in the future as these hardware-based devices, impossible to perfect and resistant (in their current forms) to patching, proliferate in number and increase in importance in our careers and in our everyday life.