Transportation Worker Identification Credential Program: Biometric reader specification and TWIC contactless smart card application,

[Federal Register: September 20, 2007 (Volume 72, Number 182)]

[Notices]

[Page 53784-53789]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr20se07-57]

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

[Docket No. TSA-2006-24191; USCG-2007-27415]

Transportation Worker Identity Credential (TWIC) Biometric Reader Specification and TWIC Contactless Smart Card Application

AGENCY: Transportation Security Administration; United States Coast Guard; DHS.

ACTION: Notice of availability.

SUMMARY: The Department of Homeland Security, through the U.S. Coast Guard (Coast Guard) and the Transportation Security Administration (TSA), announces the availability of the

[[Page 53785]]

working specification for Transportation Worker Identification Credential (TWIC) biometric readers and the TWIC contactless smart card application. This specification is based on recommendations to the Coast Guard and TSA from the National Maritime Security Advisory Committee (NMSAC); comments from the public following publication of the NMSAC recommendations and request for comment; and, the government's review of the NMSAC recommendations and comments received. The working specification is available to review at http://www.tsa.gov/twic

and at http://dms.dot.gov in docket USCG-2007-27415.

DATES: The reader specifications and card application are available September 20, 2007.

FOR FURTHER INFORMATION CONTACT: John Schwartz, Office of Transportation Threat Assessment and Credentialing (TSA-19), Transportation Worker Identification Credential Program Transportation Security Administration, 601 South 12th Street, Arlington, VA 22202- 4220; telephone (571) 227-2177; facsimile (703) 603-0409; e-mail john.schwartz@dhs.gov.

Reviewing Comments and the TWIC Working Technology Specification in the Docket

Please be aware that anyone is able to search the electronic form of all comments received into any of our dockets by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review the applicable Privacy Act Statement published in the Federal Register on April 11, 2000 (65 FR 19477), or you may visit http://dms.dot.gov .

You may review the comments in the public docket by visiting the Dockets Office between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. The Dockets Office is located in the West Building Ground Floor, Room W12-140, at the Department of Transportation address, previously provided under ADDRESSES. Also, you may review public dockets on the Internet at http://dms.dot.gov.

Availability of Document

You can get an electronic copy of this Notice and the actual working specifications using the Internet by--

(1) Searching the Department of Transportation's electronic Docket Management System (DMS) Web page (http://dms.dot.gov/search); (2) Accessing the Government Printing Office's Web page at http://

http://www.gpoaccess.gov/fr/index.html (Notice only); or

(3) Visiting TSA's Security Regulations Web page at http://www.tsa.gov and accessing the link for ``Research Center'' at the top

of the page.

In addition, copies are available by writing or calling the individual in the FOR FURTHER INFORMATION CONTACT section. Make sure to identify the docket number of this action.

1. Background

   The National Maritime Security Advisory Council (NMSAC) was created pursuant to the Federal Advisory Committee Act, 5 U.S.C., App. 2 (FACA) in 2003. The membership of NMSAC, which includes 21 voting members, was selected to represent a broad range of viewpoints regarding maritime security challenges and to advise the Secretary of Homeland Security through the Commandant of the Coast Guard of relevant maritime security issues.

   At the NMSAC meeting of November 14, 2006, the Coast Guard and TSA asked NMSAC to provide advice on a contactless biometric smart card application and reader specification for TWIC by February 28, 2007, taking into account expertise from the biometric credentialing industry and maritime/TWIC industry stakeholders. The specification is necessary for biometric readers and the TWICs that will be issued to individuals in the initial rollout of the TWIC program, beginning in the fall of 2007, and that will be used in pilot programs required by the Security and Accountability for Every Port Act of 2006 (SAFE Port Act).\1\

   \1\ Pub. L. 109-347; October 13, 2006.

   TSA and Coast Guard provided NMSAC the following baseline requirements for the specification:

   1. Be non-proprietary;

   2. Incorporate appropriate security and privacy controls;

   3. Be interoperable with FIPS 201-1 credential specifications;

   4. Be capable of serving as a platform for future capabilities;

   5. Be capable of supporting maritime operations; and

   6. Be suitable for manufacturing.

   TSA and Coast Guard recommended that the task be addressed by dividing responsibilities to construct operational maritime requirements and technology specifications. We recommended that members of the maritime industry develop operational maritime requirements and address credential authentication (e.g. authentication time and process, and alternate authentication procedures) requirements; durability requirements; and credential management procedures, including key management. We recommended that the biometric credentialing experts develop technology specifications, including a smart card, reader, and keying specifications.

   In the course of our discussions with NMSAC, members of the committee stated that they did not wish to recommend a specification that included encryption of the biometric and corresponding processes to decrypt the biometric when the card engages the reader. Many of the NMSAC members asserted that encryption was not necessary because the biometric--a fingerprint minutiae template, rather than an actual fingerprint--should not require the added protection that encryption provides. Also, members of NMSAC did not want to take on the additional responsibility of key management, which would be necessary if the recommended specification included encryption. However, TSA and Coast Guard disagreed with NMSAC's suggestion that the fingerprint template does not need to be encrypted and therefore asked NMSAC to provide one specification with encryption of the biometric and a corresponding process to decrypt the biometric when the card engages the reader. The formal request from the TWIC program to NMSAC is available at the following URL: http://homeport.uscg.mil, and in the docket for this

   notice.

   On March 1, 2007, the Coast Guard received NMSAC's report, entitled ``Recommendations on Developing a Contactless Biometric Specification for the TWIC.'' The report included two specifications. The first recommended specification, preferred by NMSAC for the reasons discussed in the paragraph above, does not provide for encryption of the TWIC cardholder's biometric fingerprint minutiae template. Without encryption, the template is transmitted in the clear and could be read by a third party whenever the card is energized by a contactless reader. Therefore, there is a risk that the template on the TWIC could be read without the knowledge or overt action of the cardholder.

   NMSAC's second specification includes encryption of the biometric fingerprint minutiae template, which will protect the template from being decrypted unless information on the card's magnetic stripe or contact integrated circuit chip (ICC), is also provided to the reader. The information on the card's magnetic strip (or ICC) is needed to decrypt the template, which is obtained contactlessly from the card.

   [[Page 53786]]

   This method of encryption protects the template from being read even if it is obtained covertly since the information on the card's magnetic stripe (or ICC) cannot be obtained without physical possession of the card. If a TWIC is physically obtained by someone other than the rightful owner, the information necessary to obtain and decrypt the template would be available to them.

   Note that each TWIC will contain three magnetic stripes and the first is reserved exclusively for TSA's use to store encryption information. Owner/operators may use the remaining two magnetic stripes for information that facilitates the use of local access control systems so long as doing so does not interfere with the information encoded by TSA on the first magnetic stripe that allows contactless operation of the TWIC. Technical specifications for the magnetic stripe and areas reserved for TSA use are contained in the TWIC contactless card and reader working specification.

   In March 2007, the Coast Guard published a Notice of Availability of the NMSAC Recommendations and requested comments from all interested parties. (72 FR 12626, March 16, 2007.) In addition to requesting general comments, Coast Guard asked the public to respond to specific questions, including: (1) Whether the use of a Personal Identification Number (PIN) is justified to further minimize the chance that a fingerprint template from a lost or stolen credential could be obtained by an unauthorized individual; (2) what, if any, privacy concerns exist if the fingerprint template is obtained by an unauthorized individual; (3) how the recommended specifications impact maritime security and operations; (4) how the recommended specifications impact existing physical access control systems (PACS); (5) whether TSA and Coast Guard should consider alternative designs; (6) how the recommended specifications impact product, system, and operational costs; (7) how quickly the recommended specifications could be incorporated into the design and manufacture of access control equipment; and (8) whether there should be a qualified products list (QPL) or equivalent regime.

   Over thirty separate entities submitted comments to these questions. The majority of commenters represented the maritime industry, but several technology companies and trade associations also responded. Generally, the commenters praised the work of the NMSAC TWIC Contactless Specification Workgroup. TSA and Coast Guard agree that NMSAC delivered excellent recommendations in a very short time-frame, and we greatly appreciate NMSAC's efforts in this important security endeavor. In the following section, we summarize all comments received.

2. Summary of Comments

   Question 1--Additional Security Features

   Commenters generally agreed that the additional security feature mentioned, a PIN, was not a good idea for general use due to operational concerns. Others stated that a PIN should be considered only if it could be used in a way that does not adversely impact maritime operations. Many commenters stated that TWIC holders would likely forget their PINs, which would become burdensome to TWIC users and maritime operations. As for PIN length, the few who commented prefer a 4-digit PIN over a longer PIN.

   Only one commenter discussed an alternative security feature--the use of a smart card holder that protects information stored on the card's integrated circuit chip until the holder is activated by the card holder's live biometric. At least one commenter suggested that to help deter fraudulent use of the TWIC, fingerprint scanners associated with card readers should be able to confirm that the fingerprint being presented is that of a live person rather than an artificial replica of a fingerprint or fingerprint template. This capability is called ``liveness'' detection.

   Question 2--Privacy Concerns

   Most commenters from the maritime industry stated that maintaining the privacy of the information stored on the card is important, but they do not believe additional measures are necessary to protect the privacy of biometric fingerprint templates. However, commenters from the technology industry generally asserted that biometric fingerprint templates should be protected, and that the TWIC Privacy Key (TPK) scheme provided in NMSAC's alternative recommended specification is sufficient to protect the template.

   Question 3--Vessel and Facility Security Operations

   A number of maritime commenters stated that use of a PIN and TPK card swipe scheme, and, encryption of the fingerprint biometric template have the potential to adversely impact port and facility operations. Specifically, commenters expressed concern about error rates that might impact gate throughput, particularly during times of high-volume access; and, the effect of requiring the use of both PINs and biometrics at certain Maritime Security (MARSEC) levels. Commenters also mentioned that the upcoming TWIC pilot program that TSA and Coast Guard are implementing to test card and reader interaction will be helpful in identifying impacts on facility and vessel operations.

   Question 4--Impacts on Existing Physical Access Control Systems

   Commenters generally agreed that the TWIC program will have a significant impact on existing PACS if the two are integrated and will be duplicative if they are not. They cited the need for replacing or enhancing existing systems; additional trenching and related construction activities; and, installing or upgrading electrical power supplies and wiring to readers as examples of the impacts TWIC will have on existing PACS. Some commenters mentioned that the use of TPK would impact legacy PACS by requiring the modification or replacement of existing readers to include a magnetic stripe reading capability. Some commenters expressed concern that multiple credentials may be required of certain workers at certain locations and that multiple credentials would have to be processed to allow entry. Several commenters asserted that the cost of integration should be supported by Federal grant funding. One commenter suggested that TWIC PACS requirements should have a long phase-in period to allow facilities to use legacy equipment through the end of its useful life.

   Question 5--Alternative Designs

   Commenters mentioned that any alternative designs should be evaluated in the context of the maritime operating requirements established by the NMSAC working group. Several commenters suggested that the short time period allotted for development of the technical specification may have prevented alternative designs from emerging. However, a technology industry commenter stated that alternatives were considered and rejected by the technology team during their deliberations. The commenter stated that the following alternative designs were considered and rejected: 1. Shared Symmetric Keys

   Key management is operationally complex and exposure of the key would have a negative impact on the entire TWIC system. Shared symmetric keys rely on one secret key to be distributed among all readers and cards to establish secure communications between card and reader. Keys must be changed

   [[Page 53787]]

   regularly, and securely distributed and stored to maintain system security. Secure key management would be difficult to accomplish due to the number and dispersion of TWIC readers. 2. Public Key Infrastructure (PKI)

   In a PKI system, secure communication and authentication are done using public key certificates which require online communication. The fragmented TWIC PACS would lack the real-time network access required of a PKI system. 3. Biometric Match-on-Card (MOC)

   MOC involves matching a biometric sample against a reference biometric template stored inside the secure environment of a smart card. The reference template cannot be read outside of the card, but is only used internally by the matching process inside the smart card. MOC is a relatively new approach within the smart card and biometrics industries and provides a good level of security and privacy. This is because the user's biometric information is protected by the smart card and is never released from the card. Internal to the smart card, MOC matches the user's live biometric template provided by an external biometric reader with the user's stored reference template. A major advantage to MOC over other approaches is that the card never releases personally identifying information (the biometric template) to the reader. Thus, the biometric could not be lifted or ``skimmed'' by an unauthorized individual. Also, under the MOC process, the need for reader authentication and associated reader key management is minimized because the reader only stores public keys that do not need to be protected from disclosure by using a Secure Access Module (SAM) to store secret keys to identify a particular smart card. With MOC, the transmission of the biometric template from the reader to the card is done using the public key and can only be decrypted using the private key that is stored securely on the smart card. For all of these reasons, MOC is a very promising technology to pursue. However, it has not been fully tested in a variety of laboratory or field settings and currently, there are no approved MOC standards. Therefore, we have determined that it would not be advisable to implement MOC for the upcoming TWIC rollout. We will continue to follow the development of MOC and if it matures for operational use, we will again consider its use in the maritime environment.

   One commenter requested that the distance between the card reader and the card be increased from four to 18 inches to allow truck drivers to remain in their cabs while their TWICs are read. Some commenters reiterated their view that the specification should not include encryption in any form.

   Question 6--Cost Impacts

   A number of commenters reiterated their endorsement of NMSAC's non- encryption recommendation to minimize costs. Commenters who operate existing PACS expressed concern about integrating TWIC into their operation, particularly if encryption of the biometric is required and if wiring upgrades are necessary to support TWIC readers. Commenters who do not have PACS now expressed concern about how much it will cost to purchase, install, and maintain TWIC systems.

   Question 7--Incorporation of TWIC Into Existing Access Control Equipment

   Maritime industry commenters generally deferred this question to the technical experts. Technical commenters stated that the specifications TSA and Coast Guard choose for the TWIC program will determine the ease of design, manufacture, and integration. They also stated that knowledge gained through experience with designs for other PACS that share common attributes with TWIC will lessen the time needed to create TWIC PACS products. Conversely, features that are unique to TWIC will have to be created, but some commenters believe TWIC-unique features can be accommodated through software or firmware (i.e., computer programming instructions that are stored in a read-only memory unit rather than being implemented through software) applications for existing readers. The commenters estimate that it may take from only a few months up to 36 months to integrate TWIC with certain PACS designs.

   Question 8--Quality Products List Process & Creation

   Almost universally, commenters agreed that TSA and Coast Guard should use a QPL process to help stakeholders know what equipment is best for use in the maritime environment. Many commented that the process the U.S. General Services Administration uses should be considered as a starting point for development of a TWIC QPL. Commenters also stated that product testing should include harsh maritime conditions.

3. Working Specification Selected

   1. Summary of Selection

      TSA and the Coast Guard have selected the NMSAC alternate recommendation that requires encryption and use of the TWIC Privacy Key (TPK) as the working specification for readers that will be used during the pilot programs. If the readers that meet this working specification perform as planned during the pilot testing, we will finalize the specification as we complete the rulemaking that requires the use of readers. Also, it is important to note that the TWICs that will be issued this fall in the initial rollout of the TWIC program will operate as designed when engaged in readers that are built to this working specification.

      We are choosing to adopt this specification to protect the personally identifiable information (PII) contained in the TWIC from unintended disclosure while the TWIC is in the possession of the credential's rightful owner. Even assuming individuals suffer no real injury today if their template is taken or lifted through an unauthorized process, the template is personal information connected to that individual. Using a fingerprint template in lieu of a fingerprint image does not necessarily prevent the long-term potential for unauthorized use of personally identifying fingerprint information, if intercepted by unauthorized persons. Even assuming the fingerprint template cannot be reverse-engineered to produce an accurate duplicate fingerprint today, we cannot be certain that such a capability will not arise in the future. With the use of the TPK model, security and privacy protection are provided without the burden that other encryption models would place on PACS owners and operators.

      TSA and Coast Guard take the industry's concerns about adverse operational impacts very seriously. Consequently, as the card and readers are envisioned to operate when TWIC is fully implemented, use of a PIN will not be necessary to release the biometric unless the owner/operator chooses to use contact readers and the contact side of the credential. In addition, we are in the process of finalizing plans for the pilot tests required by the SAFE Port Act and we are working with experts within DHS to establish a very thorough test plan to evaluate the card-reader interface under a variety of conditions and assess its impact on operations. Through the pilot tests, we will investigate the impacts of requiring biometric identity verification on business processes, technology, and operations on facilities and vessels of

      [[Page 53788]]

      various size, type, and location. As detailed below, while the government has removed any specific language about MARSEC levels from the specifications, the pilot testing process will be used to evaluate various use case scenarios that will influence the upcoming TWIC reader rulemaking process, including TWIC card and reader use requirements at various MARSEC levels.

      We understand that the decision to implement the TPK model for contactless biometric identity verification will have impacts on the installed base of PACS systems. However, the TPK model allows facilities to integrate the model with their local PACS in several different ways. The TPK model allows use of: (1) The magnetic stripe to transfer TPK information by swiping the card through a magnetic strip reader and then presenting the card to a contactless reader to securely transmit the biometric template; (2) pre-registration of the information on the magnetic stripe into the local PACS and then presenting the card to a contactless reader; or (3) pre-registering the biometric minutiae templates into the local PACS until retrieved upon presentation of the TWIC to a contactless reader. The TPK model also allows several options for handheld readers. Handheld reader options include the use of either the contact or contactless portion of the TWIC to enable biometric identity verification.

      We do not wish to implement any alternative designs at this time. However, we may add additional security features to the card or card reader with due notice to the industry and regard for operational impacts. One alternative technology of particular interest to the government is match-on-card (MOC) technology. The TWIC program and Coast Guard remain in close contact with the National Institute of Standards and Technology (NIST) in their consideration of MOC technology for various Federal smart card and personal identification initiatives.

      We are mindful that cost is a strong consideration in the operational implementation of TWIC and we are working to minimize costs on the operational users of TWIC where possible. Also, we are working closely with other DHS components to continue to make available Port Security Grant funds to mitigate some of the costs to vessel and facility operators and owners of implementing the TWIC program.

      We have worked closely with the NMSAC working group to understand the impacts of the TWIC program on the maritime sector. Our choice of the TPK model is grounded in the specific recommendation of smart card, PACS, and biometrics industry experts involved in the NMSAC working group process and a thorough review of technology choices and impacts by government experts. These experts leveraged other similar technologies from contactless identification regimes in their deliberations. While implementation of the TWIC program should be as timely as possible, we understand that technical implementation timelines must incorporate engineering and manufacturing time, field testing, facility adaptation, and final field installation.

      We are encouraged by the positive responses we received regarding the creation of a QPL. However, unlike other government smart card programs, TWIC card readers, in most cases, will not be procured by the government. This lessens the ability of the government to leverage existing QPL-type programs already in existence, such as those supporting the Homeland Security Presidential Directive (HSPD)--12 Personal Identity Verification (PIV) Program.

   2. Technical Changes to the TPK Working Specification

      TSA and Coast Guard are making some technical modifications to the TPK working specification recommended by NMSAC. We believe these changes are necessary to further protect privacy and security for the TWIC program. There are four important changes involving verification of the cardholder unique identifier (CHUID) data, MARSEC level operations, biometric liveness detection, and contactless transmission speed that are discussed in detail below. In addition, we made minor changes to the specification that is discussed below. B.1. Signature Verification of CHUID Data

      The NMSAC specification recommends that verification of the signature on the CHUID be optional. However, regardless of whether the credential is digitally signed, CHUID data can be copied or ``cloned'' to another card. Signature verification mitigates counterfeited CHUID data from being accepted as authentic. For this reason, verification of the digital signature on any CHUID unknown to a PACS is mandatory and is included in the final specification. Signature verification will have minimal performance impact to the contactless transaction and minimal impact on reader implementation. B.2. Authentication Methods Used at MARSEC Levels:

      NMSAC recommended that CHUID authentication should be used at MARSEC 1 and biometric authentication should be used at MARSEC 2. Specifying authentication methods for various threat or risk levels is outside of the scope of a technical specification for contactless cards and readers, and is more appropriately addressed separately in the risk management and security requirements for maritime operators. Therefore, we have removed the MARSEC guidance relating to use of specific authentication levels at different MARSEC levels from the working specification. B.3. Biometric Liveness Detection

      NMSAC recommended that biometric liveness detection may be employed in TWIC readers, making liveness detection optional. Liveness detection is an important means to prevent spoofing of a biometric sensor and is generally something that is strongly recommended by the reader industry. Because standards for liveness detection are currently not available, and there is no conformance testing protocol to validate its effectiveness, it is difficult to specify liveness detection as a mandatory requirement. However, we have changed the language for liveness detection from may to should, to stress that liveness detection (or attended verification) in TWIC readers is a highly desirable feature. This change will have no operational impact on TWIC contactless transactions. B.4. Contactless Transmission Speed

      The contactless reader performance requirements in the NMSAC specification are based upon transaction completion time. We have determined that specific requirements for contactless transmission speed should be specified so that the reader will support negotiation of a contactless speed with the card that achieves at least 400K bits per second. This will minimize transaction timings based on transmission capabilities of both current and future TWIC card versions. This change will not adversely impact TWIC contactless transactions.

   3. List of All Changes to the TPK Specification

      Listed below is a complete list of the changes TSA and Coast Guard have made to the TPK specification that NMSAC recommended. The changes of interest are discussed in detail above in Section III.B.

      1. Section 4, TWIC Modes of Operation. Requirement for specific

         [[Page 53789]]

         authentication modes to be used at specific MARSEC levels has been removed and available authentication modes have been clarified.

      2. Section 4, TWIC Modes of Operation. Ability to configure specific authentication modes depending on a given perimeter security requirement and to be used at differing MARSEC levels has been added.

      3. Section 4, TWIC Modes of Operation. Verification of CHUID signature changed to mandatory. CHUID signature is either verified once, either when the card holder's CHUID is registered in a local PACS, or read by the TWIC reader each time the card is presented for access.

      4. Section 5.1.1, Device Dimensions. Note added to stress contactless reader sensitivity to location and electromagnetic conditions of their environment.

      5. Section 6, Portable Reader Requirements. Requirements for confidentiality and authentication added for wireless devices used in physical access systems.

      6. Section 7, Operational Requirements. Contactless transmission speed requirement changed to support 106kbit/s, 212kbit/s or 424kbit/s, based on the card's capabilities.

      7. Section 7, Operational Requirements. Requirement added to reject transaction if multiple cards are simultaneously detected in the reader's contactless field.

      8. Section 8, Performance Requirements. Support for biometric liveness detection strengthened from ``may'' to ``should'' indicating a strong preference for liveness detection.

      9. Appendix A.1, CHUID Authentication. CHUID authentication clarified.

      10. Appendix A.2, TWIC Biometric Authentication. Biometric authentication clarified.

      11. Appendix A.3, Card Authentication Key Authentication. Card Authentication data object reference corrected.

      12. Appendix A.3, Card Authentication Key Authentication. Card Authentication Key usage clarified to indicate that it is only available via the PIV application, and is not shared with the TWIC application.

      13. Appendix D, TWIC Reader Compatibility with Other Card Types. Reader compatibility and default card support clarified and modified to allow configuration of default AID.

      14. Appendix E.4, Alternate Implementations. Minor clarifications to PACS enrollment.

      15. Appendix F, Proposed TWIC AID Structure. TSA RID added, AID structure clarified.

   4. Future Changes to Specification

      TSA and Coast Guard will continue to evaluate and test the working specification as we implement the TWIC Pilot Program. We anticipate that, as with any testing program, we will encounter technical issues that can be corrected by making minor changes to the working specification. We will make such changes available to the public as they occur, through use of the following link/Web site: http://www.tsa.gov/twic. In addition, we will address any necessary changes to the working

      specification prior to finalizing the regulations requiring TWIC readers.

      Issued in Arlington, Virginia, on September 14, 2007. Stephanie Rowe, Assistant Administrator, Transportation Threat Assessment and Credentialing, Transportation Security Administration.

      [FR Doc. 07-4649 Filed 9-19-07; 8:45 am]

      BILLING CODE 4910-15-P