Traditionally associated with logical access and the digital signing of documents, Public Key Infrastructure (PKI) is now also being used to control physical access. Its use in physical access control is likely to be more prevalent with the implementation of the FIPS 201-2 recommendations this year. Derek Scheips of ASSA Abloy Future Lab explores the benefits of this key infrastructure for physical access systems.
PKI is fast becoming a leading driver in controlling physical access largely due to FIPS 201 (Federal Information Processing Standards Publication 201), US government physical-access control specifications recommending PKI at the door. Recommendations since 2005, they are expected to become mandates with FIPS 201-2 later this year.
FIPS explained
FIPS offers standards for not only what information should be stored on an ID card, but also best practices for verifying the credential is authentic and in the right person's possession, says Kevin Graebel, product manager of HID credentials at HID Global, a leading manufacturer of physical and logical access control solutions. "A digital certificate is placed on the card with the user's key information/access levels. Then the PKI process sends that information via an electronic bridge to a federal certificate authority, making sure access hasn't been revoked or information tampered with."
Benefits of PKI-based access systems
PKI boils down to the use of a mathematically linked pair of keys, one designated public and the other designated private. The linkage ensures that information processed with one key can only be decoded or validated using the other key.
"The primary benefit of a PKI-based access system is that it does not depend on a shared secret key; instead it uses an asymmetric key pair," says Graebel. "In traditional access systems, the reader and the access card share a symmetric key used to authenticate each other. This requires a great deal of coordination between the cards and readers, especially when the cards may be used at more than one location. Using PKI, only the public key of the card needs to be shared, and it can easily be revoked or changed in the event of a breach. The private key is stored securely within the card."
Many advances in deploying PKIs have led to efficiency and interoperability that make it a natural choice not just for logical but also physical access control. "An organization can use a single PKI smart card, such as a PIV (Personal Identity Verification) card, for physical access to a building and to certain rooms, and for logical access to workstations, servers, VPNs, and so on," notes Dave Coombs, director of PKI Standards and Policy at Carillon Information Security, a Canadian air transport and aerospace identity management consulting firm. "This reduces the complexity of managing access control: manual provisioning or removal of access for a person in dozens of different systems is replaced with the issuance or revocation of a single credential."
Furthermore, recent interoperability advances allow one organization that accepts PIV cards to understand the identity of a visitor with a PIV card from a completely separate organization.
Cost of adopting PKI
But despite PKI's promise, there can be disadvantages, including cost and speed. "At a minimum, organizations will need to create or have access to a Certification Authority to manage the generation and validation of certificates," says Graebel. "Depending on how this is implemented, it may require costly rewiring and upgrading of all of their readers."
Contact versus contactless access control cards
Speed is also a bottleneck for physical access control. For durability and vandalism reasons, it is more practical to use contactless rather than contact communication between the card and the reader, and that communication can take as much as 1.5 to 2 seconds. This may not seem like a long time, but when users are used to the fraction-of-a-second read times offered by technologies like Prox or iCLASS, it can cause issues.
"One disadvantage we hear about is the perceived slowness of PKI at the door," observes Coombs. "This can be mitigated by caching revocation information or OCSP (Online Certificate Status Protocol) responses, or even by pre-validating every morning each credential that was used at that site the previous day." He predicts that in the coming years: "more and more public and private organizations will be going this route, particularly given the work being done in the US right now."
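The two mitigations Coombs describes, caching status responses and pre-validating the previous day's credentials each morning, can be sketched as a small door-side cache. This is an added example, not code from the article or from any vendor; `DoorRevocationCache` and `fetch_status` are hypothetical names, and `fetch_status` is assumed to stand in for an OCSP client that has already verified the responder's signature and returns the revocation flag with the response's expiry time.

```python
import time
from dataclasses import dataclass

@dataclass
class CachedStatus:
    revoked: bool
    next_update: float  # epoch seconds; models the OCSP nextUpdate time

class DoorRevocationCache:
    """Per-door cache of certificate status, keyed by serial number."""

    def __init__(self, fetch_status, clock=time.time):
        # fetch_status is a hypothetical callable: serial -> (revoked, next_update)
        self.fetch_status = fetch_status
        self.clock = clock
        self.cache = {}
        self.seen_today = set()

    def _refresh(self, serial):
        revoked, next_update = self.fetch_status(serial)
        self.cache[serial] = CachedStatus(revoked, next_update)
        return self.cache[serial]

    def check_at_door(self, serial):
        """Return (granted, source); fail closed if no fresh status exists."""
        self.seen_today.add(serial)
        entry = self.cache.get(serial)
        if entry and self.clock() < entry.next_update:
            return (not entry.revoked, "cache")  # fast path, no network
        try:
            entry = self._refresh(serial)
        except ConnectionError:
            return (False, "unavailable")
        return (not entry.revoked, "online")

    def prevalidate(self):
        """Morning job: refresh every credential used since the last run."""
        serials, self.seen_today = self.seen_today, set()
        refreshed = 0
        for serial in sorted(serials):
            try:
                self._refresh(serial)
                refreshed += 1
            except ConnectionError:
                pass  # any old entry stays valid only until its next_update
        return refreshed

if __name__ == "__main__":
    door = DoorRevocationCache(lambda s: (s == "02", time.time() + 3600))  # constructed responder
    print(door.check_at_door("01"), door.check_at_door("01"), door.check_at_door("02"))
```

The length of the cache window is the trade-off: a revoked card keeps working at that door until its cached entry expires or the next pre-validation run replaces it.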
PKI development in Europe
Of course, many countries have been developing their own PKI methodologies in parallel.
The French government issues PKI credentials to its citizens every year to file their income tax, and its General Security Framework (RGS) includes recommendations on securing large-scale IT systems using PKI. "The Belgians have done something similar with their eID card," says Coombs. "It's a PKI-enabled smart card issued to Belgian citizens to authenticate their access to government systems and programs online."
Meanwhile, the German government is leading the way in implementing the European Union directive concerning ‘qualified signature certificates’, the only kind of digital signature that carries the force of law in Europe.
It should be noted that these European initiatives concern only logical access control to information systems, and it is still early days for PKI as a physical access control. At this point, very few public companies are choosing to use PKI for physical access control because of the newness and relative complexity, observes Graebel. "I suspect it will become more common as FIPS 201-2 is implemented and there is a wider variety of products available on the market to support it."
Derek Scheips
Freelance Writer
Assa Abloy Future Lab