Monday, March 30, 2009

Meets FIPS 201, Now Really? goes to ISC West and Pop Quiz for Vendors on SP 800-116 and Strong Authentication

One of my goals for the ISC West show will be an inventory of the Physical Access Control Systems (PACS) that actually perform high-assurance authentication as laid out by FIPS 201 and Special Publication 800-116. Adding to the mix are 7 new categories that have been established by GSA (GSA's categories, not IDmachines'), some of which finally get to the requirement of using asymmetric cryptography and PKI to reach high assurance with PACS.

Too many of the PACS out there have simply waved a hand at meeting the requirements of FIPS 201, incorporating a reader that simply does a free read of the Federal Agency Smart Card Number (FASC-N) off the contactless interface. In my opinion this is security theater in the worst way: it gives the impression of electronic access control but without any of the access control (the FASC-N can easily be copied and replayed).
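To make the distinction concrete, here is an added example (it is not from this post, from IDmachines, or from any PACS vendor) that simulates the two reader designs in Python: a "free read" reader that grants on a FASC-N match alone, and a challenge-response reader that makes the card sign a fresh nonce with a private key and checks it against the public key enrolled from the card's certificate, the asymmetric approach SP 800-116 reserves for high assurance. The FASC-N value, the card and reader classes, and the RSA key material are all constructed for illustration: the key pair is textbook RSA over two well-known Mersenne primes with no padding, so the example runs offline, and it is not how a real PIV card or PACS implements PKI authentication.

```python
"""Free-read FASC-N check versus asymmetric challenge-response (added example).

Everything here is constructed for illustration: the identifier, the cards,
the reader logic and the RSA keys. Textbook RSA without padding is used only
so the example needs nothing outside the standard library.
"""
import hashlib
import secrets

# Constructed, simplified FASC-N stand-in. A real FASC-N is a packed-BCD
# structure (agency code, system code, credential number, ...) read from the CHUID.
ENROLLED_FASCN = "0032-0001-000123"

# Toy RSA material (constructed). P and Q are the Mersenne primes M521 and M127,
# so the modulus exceeds any SHA-256 digest and no key generation is needed.
P = (1 << 521) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def _digest(challenge: bytes) -> int:
    """Hash the verifier's nonce to the integer the card signs."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big")


def sign_challenge(challenge: bytes, d: int, n: int) -> int:
    """Card side: sign the nonce with the private key (never leaves the card)."""
    return pow(_digest(challenge), d, n)


def verify_response(challenge: bytes, signature: int, e: int, n: int) -> bool:
    """Reader side: check the response with the public key from the enrolled certificate."""
    return pow(signature, e, n) == _digest(challenge) % n


class GenuineCard:
    """Issued credential: exposes the FASC-N and can sign any fresh challenge."""

    def __init__(self, fascn: str, d: int, n: int):
        self.fascn, self._d, self._n = fascn, d, n

    def read_fascn(self) -> str:
        return self.fascn

    def respond(self, challenge: bytes) -> int:
        return sign_challenge(challenge, self._d, self._n)


class ReplayedCard:
    """Stand-in for a copied credential: holds only what was observable on the
    contactless interface (the static FASC-N and one earlier challenge/response),
    with no private key, so it can only repeat the old response."""

    def __init__(self, fascn: str, old_response: int):
        self.fascn, self._old_response = fascn, old_response

    def read_fascn(self) -> str:
        return self.fascn

    def respond(self, challenge: bytes) -> int:
        return self._old_response  # cannot sign the new nonce


def free_read_pacs_decision(card, enrolled_ids: set) -> bool:
    """'Free read' reader: grants on identifier match alone."""
    return card.read_fascn() in enrolled_ids


def pki_auth_pacs_decision(card, enrolled_pubkeys: dict) -> bool:
    """Challenge-response reader: identifier lookup, then proof of key possession."""
    pub = enrolled_pubkeys.get(card.read_fascn())
    if pub is None:
        return False
    nonce = secrets.token_bytes(32)  # fresh per transaction, so old responses fail
    return verify_response(nonce, card.respond(nonce), *pub)


def run_demo() -> dict:
    """Run both reader designs against the genuine card and the replayed copy."""
    genuine = GenuineCard(ENROLLED_FASCN, D, N)
    # One earlier transaction, as it could be observed over the air
    old_response = genuine.respond(secrets.token_bytes(32))
    copy = ReplayedCard(ENROLLED_FASCN, old_response)
    enrolled_ids = {ENROLLED_FASCN}
    enrolled_keys = {ENROLLED_FASCN: (E, N)}  # public key from the enrolled certificate
    return {
        "free_read_genuine": free_read_pacs_decision(genuine, enrolled_ids),
        "free_read_copy": free_read_pacs_decision(copy, enrolled_ids),
        "pki_genuine": pki_auth_pacs_decision(genuine, enrolled_keys),
        "pki_copy": pki_auth_pacs_decision(copy, enrolled_keys),
    }


if __name__ == "__main__":
    for check, granted in run_demo().items():
        print(f"{check}: {'GRANT' if granted else 'DENY'}")
```

The free-read reader grants both cards, because the decision rests entirely on a value that is read in the clear; the challenge-response reader grants only the genuine card, because the copy cannot produce a valid signature over a nonce it has never seen. A real deployment also has to validate the certificate chain and revocation status before trusting the public key, which this example assumes was done at enrollment.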

Let's see who really understands what it means to do strong authentication. Fair warning to companies and booth personnel who make claims about FIPS 201.
