Credential Verification

In the past, simple ID badges were used to prove authorization to enter a protected space. Whether the badge was checked visually by a guard or electronically by a card access system, both approaches share a serious flaw: they check only whether a credential is authorized to enter a protected area. They fail to verify that the card belongs to the person presenting it, that it is an original, unaltered credential, and that it has not been revoked. Credential verification solves this problem by ensuring that a PIV, TWIC, FRAC, or CAC credential and its cardholder match and that the credential is currently valid.

To validate the credentials and cardholder, we need a system that does the following things:

  • Verify that the cardholder knows the card's PIN
  • Verify the credential's CHUID signature
  • Verify that the biometric information encoded on the credential is signed by a trusted authority
  • Capture and match fingerprints with the biometric template encoded on the credential
  • Verify PIV and CAC authenticity using PAK or CAK protocols
  • Perform certification path validation of PIV card certificates
  • Check PIV card revocation status

The challenge is that a guard cannot perform these functions without special tools. Additionally, a traditional PACS checks only that the presented badge was, at one time, entered into its database.

Solutions

PIVCheck - Validation System for government credentials

PIVCheck is a software and hardware solution designed to assist security personnel in validating PIV, TWIC, FRAC, and CAC credentials and verifying cardholder identities. The software can be deployed on a PC, laptop, or handheld terminal.

All versions of PIVCheck operate in the same manner. The cardholder's PIN is used to unlock the card. The card's authenticity is then verified by issuing a cryptographic challenge to the card. The CHUID and biometric signatures are verified, and the revocation status of the X.509 Certificate for PIV Authentication and of the CHUID signing certificates is checked using a flexible combination of Microsoft's Cryptographic API, OCSP, or SCVP.

To ensure that the credential was issued to the person presenting it, a fingerprint image is acquired, and the resulting template is matched against the template encoded on the credential. For TWICs, PIVCheck can be configured to verify that the cardholder's FASC-N is not on the current TSA hotlist. The hotlist can be imported, or accessed directly if the desktop or mobile verification terminal has Internet connectivity.
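The hotlist check above is keyed on the FASC-N, the 25-byte identifier carried in the card's CHUID. The following is an added example, not Codebench code: it encodes and decodes a FASC-N in the TIG SCEPACS layout (5-bit BCD characters, data bits LSB first, odd parity, XOR longitudinal redundancy check), rejects any malformed value, and looks the decoded identifier up in a hotlist. All credential values used with it are constructed, not real.

```python
# Added example (not Codebench code): the 25-byte FASC-N carried in a PIV/TWIC CHUID,
# laid out per TIG SCEPACS: 5-bit BCD characters, data bits LSB first, odd parity, XOR LRC.
import functools, operator

SS, FS, ES = 0xB, 0xD, 0xF  # start sentinel, field separator, end sentinel (4-bit codes)
# (field, digit count) in wire order; each of the first five is followed by an FS
LAYOUT = [("agency", 4), ("system", 4), ("credential", 6), ("cs", 1),
          ("ici", 1), ("pi", 10), ("oc", 1), ("oi", 4), ("poa", 1)]
SEPARATED = 5

def encode_fascn(f: dict) -> bytes:
    """Build a FASC-N from a dict of decimal-digit strings, one per LAYOUT field."""
    values = [SS]
    for i, (name, n) in enumerate(LAYOUT):
        if len(f[name]) != n or not f[name].isdigit():
            raise ValueError(f"{name} must be {n} digits")
        values += [int(d) for d in f[name]] + ([FS] if i < SEPARATED else [])
    values += [ES, functools.reduce(operator.xor, values + [ES])]  # LRC covers ES too
    bits = ""
    for v in values:
        data = f"{v:04b}"[::-1]                               # LSB first
        bits += data + ("0" if data.count("1") % 2 else "1")  # odd parity bit
    return int(bits, 2).to_bytes(25, "big")

def decode_fascn(data: bytes) -> dict:
    """Parse a FASC-N, rejecting length, parity, sentinel, separator or LRC errors."""
    bits = f"{int.from_bytes(data, 'big'):0200b}"
    chars = [bits[i:i + 5] for i in range(0, len(bits), 5)]
    if len(chars) != 40 or any(c.count("1") % 2 == 0 for c in chars):
        raise ValueError("bad length or parity")
    values = [int(c[:4][::-1], 2) for c in chars]
    if values[0] != SS or values[38] != ES or values[39] != functools.reduce(operator.xor, values[:39]):
        raise ValueError("bad sentinel or LRC")
    pos, out = 1, {}
    for i, (name, n) in enumerate(LAYOUT):
        group = values[pos:pos + n]
        if any(v > 9 for v in group):
            raise ValueError(f"non-digit in {name}")
        out[name], pos = "".join(map(str, group)), pos + n
        if i < SEPARATED and values[pos] != FS:
            raise ValueError(f"missing separator after {name}")
        pos += 1 if i < SEPARATED else 0
    return out

def hotlist_blocks(data: bytes, hotlist: set) -> bool:
    """True if the card must be refused: its identifier is hotlisted or unreadable."""
    try:
        f = decode_fascn(data)
    except ValueError:
        return True  # fail closed: a corrupt FASC-N is never waved through
    return (f["agency"], f["system"], f["credential"]) in hotlist
```

The hotlist is modelled as a set of (agency code, system code, credential number) tuples; a real deployment would load it from the imported TSA file or the online service the text describes.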

For auditing, the credential validation session is logged to an encrypted, serialized data file. The contents of the file can be exported to a removable file system, such as a flash drive.

PIVCheck can be found on the GSA FIPS 201 Approved Products List (APL) in the following categories:

  • SCVP Client
  • PIV Authentication System
  • CAK Authentication System
  • Card Authentication System
  • CHUID Authentication System
  • Caching Status Proxy (when PIVCheck Certificate Manager is deployed)

PIVCheck is available in the following versions:

  • PIVCheck Desktop Edition for basic card validation using a desktop computer
  • PIVCheck Mobile Edition for basic card validation on a handheld terminal
  • PIVCheck Plus which adds the following functions to either Desktop or Mobile editions:
    • Networked PACS registration of credential data (insert and update PACS cards and cardholders)
    • Audit trail exporting (in real-time or batch mode)
    • Downloading server-based configuration policies

In addition to the PIVCheck line of products, Codebench also offers a card validation system designed especially for environments where the contactless interface is the primary means of communicating with the card.

OMNICheck - Mobile Verification especially designed for Contactless cards

OMNICheck is a mobile validation tool that verifies PIV, TWIC, FRAC, and CAC credentials over the reader's contactless interface. When configured in one of the four TWIC authentication modes, it functions as a TSA ICE-listed mobile TWIC reader. When operating in "Non-TWIC" mode, OMNICheck determines the card type and the interface in use, and applies the strictest validation rules possible for that card. For instance, a legacy CAC card can be validated over the contactless interface without entering a PIN. If the situation calls for increased security, the same CAC card can be presented to the contact interface, and the cardholder is prompted for a PIN, which unlocks fingerprint validation.

OMNICheck works with all types of FIPS 201 cards. The card's authenticity is verified by issuing a cryptographic challenge to the card. The CHUID and biometric signatures are verified, and the revocation status of the X.509 Certificate for PIV (or Card) Authentication and of the CHUID signing certificates is checked using a flexible combination of Microsoft's Cryptographic API, OCSP, or SCVP. For TWICs, PIVCheck can be configured to verify that the cardholder's FASC-N is not on the current TSA hotlist. The hotlist can be imported, or accessed directly if the mobile reader has wireless Internet connectivity. For auditing, each credential validation session is logged to an encrypted, serialized data file. The contents of the file can be exported to a removable file system, such as a flash drive.

OMNICheck can also be upgraded to OMNICheck Plus Edition, which adds the following network-based functionality:

  • Database synchronization (photo, name, PACS card numbers, TWIC privacy keys)
  • Audit trail exporting (in real-time or batch mode)
  • Downloading server-based configuration policies

OMNICheck Plus Edition is designed to operate online in real-time with the PACS, or offline after downloading cached cardholder data from the PACS.