The algorithm that specifies how data transmitted by the system is to be interpreted. The format specifies how many bits make up the data stream and which bits represent different types of information. For example, the first few bits might transmit the facility code, the next few the unique ID number, the next few parity, and so on.
The privilege or permission for an individual to access a controlled resource or entity (physical or logical).
See application programming interface.
A hardware/software system implemented to satisfy a particular set of requirements. In the context of FIPS 201, an application incorporates a system used to satisfy a subset of requirements related to the verification or identification of an end user’s identity so that the end user’s identifier can be used to facilitate the end user’s interaction with the system.
Application programming interface (API)
A source code interface that a computer system or program library provides in order to support requests for services to be made of it by other computer programs, and/or to allow data to be exchanged.
Two related keys, a public key and a private key, that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.
A quality, characteristic or entity that defines properties of a subject (e.g., person), object or element.
The process of validating the identity of a person or other entity.
The assignment of a privilege or privileges (e.g., access to a building or network) verifying that a known person or entity has the authority to perform a specific operation. Authorization is provided after authentication.
Data encoding a feature or features used in biometric verification.
Biometric reference data
Data stored on the card for the purpose of comparison with the biometric verification data.
The formatted digital record used to store an individual’s biometric attributes. This record typically is a translation of the individual’s biometric attributes and is created using a specific algorithm.
A document used as an original source of identity to apply for (or breed) other forms of identity credentials.
A type of physical form factor designed to carry electronic information and/or human readable data.
Under FIPS 201, a dual interface smart card-based ID badge for both physical and logical access that contains within it an integrated circuit chip.
Card management system (CMS)
A smart card/token and digital credential management solution that is used to issue, manage, personalize and support cryptographic smart cards and PKI certificates for identity-based applications throughout an organization.
Card serial number
An identifier which is guaranteed to be unique among all identifiers used for a specific purpose (see unique identifier).
See digital certificate.
Certificate revocation list (CRL)
A list of certificates that have been revoked before their expiration by a certificate authority.
Chain of trust
An attribute of a secure ID system that encompasses all of the system’s components and processes and assures that the system as a whole is worthy of trust. A chain of trust should guarantee the authenticity of the people, issuing organizations, devices, equipment, networks, and other components of a secure ID system. The chain of trust must also ensure that information within the system is verified, authenticated, protected, and used appropriately.
A family of protocols in which one party (e.g., a reader) presents a question (“challenge”) and another party (e.g., a credential) must provide a valid answer (“response”) in order to be authenticated.
Electronic component that performs logic, processing and/or memory functions.
An assertion by a subject about the value of an attribute.
An element of a larger system. In the FIPS 201 context, a component can be an identity card, PIV issuer, PIV registrar, card reader, or identity verification support, within the PIV system.
Contact smart card
A smart card that connects to the reading device through direct physical contact between the smart card chip and the smart card reader. (See ISO/IEC 7816.)
The access control system component that connects to all door readers, door locks and the access control server. The control panel validates the reader and accepts data. Depending on the overall system design, the control panel may next send the data to the access control server or may have enough local intelligence to determine the user’s rights and make the final access authorization. The control panel can be called the controller or panel.
Evidence attesting to one’s rights, privileges or evidence of authority.
In FIPS 201, the PIV card and data elements associated with an individual that authoritatively binds an identity (and, optionally, additional attributes) to that individual. A smart card can store multiple digital credentials.
Cryptographic smart cards
Advanced smart cards that are equipped with specialized cryptographic hardware that lets algorithms such as RSA be used on the card. Today’s cryptographic smart cards are also able to generate key pairs on the card, to avoid the risk of having more than one copy of the key (since by design (usually) there isn’t a way to extract the keys from a smart card). Cryptographic smart cards are often used for digital signatures and secure identification.
Data Encryption Standard. A method for encrypting information. (See related term Triple DES.)
Digital information used for the purpose of identification of an electronic message or documents. Digital signatures provide a way of authenticating the identity of creators or producers of digital information.
The device on each door that communicates with a card or credential and sends data from the card to the controller for decision on access rights.
Digital Signature Algorithm.
Dual interface card
A smart card that has a single smart card chip with two interfaces–a contact and a contactless interface–using shared memory and chip resources.
Elliptic Curve Cryptography
The process of translating information into a code that can only be read if the reader has access to the key that was used to encrypt it. There are two main types of encryption—asymmetric (or public key) and symmetric (or secret key).
The process of entering the appropriate identity data for an individual into a system and associating the identity with the privileges being granted by the system.
A travel document that contains an integrated circuit chip based on international standard ISO/IEC 14443 and that can securely store and communicate the ePassport holder’s personal information to authorized reading devices.
The not-for-profit organization establishing and supporting “the EPCglobal Network™ as the global standard for real-time, automatic identification of information in the supply chain of any company, anywhere in the world” and “leading the development of industry-driven standards for the Electronic Product Code™ (EPC) to support the use of Radio Frequency Identification (RFID) in today’s fast-moving, information rich, trading networks.” Additional information can be found at http://www.epcglobalinc.org.
The RF field or electromagnetic field constantly transmitted by a contactless door reader. When a contactless card is within range of the excite field, the internal antenna on the card converts the field energy into electricity that powers the chip. The chip then uses the antenna to transmit data to the reader.
An enclosure formed by conducting material, or by a mesh of such material, that blocks out external static electrical fields. Any electric field will cause the charges to rearrange so as to completely cancel the field’s (RF signal) effects in the cage’s interior.
Federal Information Processing Standard (FIPS)
A standard for adoption and use by Federal departments and agencies that has been developed within the Information Technology Laboratory and published by NIST, a part of the U.S. Department of Commerce. A FIPS publication covers some topic in information technology to achieve a minimum level of quality or interoperability.
In information technology (IT), federated identity has two general meanings:
The virtual reunion, or assembled identity, of a person’s user information (or principal), stored across multiple distinct identity management systems. Data is joined together by use of the common token, usually the user name.
The process of a user’s authentication across multiple IT systems or even organizations.
The physical device that contains the smart card chip. Smart chip-based devices can come in a variety of form factors, including plastic cards, key fobs, wristbands, wristwatches, PDAs, and mobile phones.
Global System for Mobile Communications
A software algorithm that computes a value (hash) from a particular data unit in a manner that enables detection of intentional/unauthorized or unintentional/accidental data modification by the recipient of the data.
High frequency (HF)
Radio frequencies (RF) in the range of 3 MHz to 30 MHz. When used in an RF-based identification system, the high frequency used is typically 13.56 MHz.
Homeland Security Presidential Directive 12. The primary objective of HSPD-12 is the development and deployment of a Federal government-wide common and reliable identification verification system that will be interoperable among all government agencies and serve as the basis for reciprocity among those agencies.
A smart card that contains two smart card chips–both contact and contactless chips–that are not interconnected.
Integrated circuit card. ICC typically refers to a plastic (or other material) card containing an integrated circuit which is compatible to ISO/IEC 7816.
The process of using claimed or observed attributes of an entity to deduce who the entity is.
The evidence of identity or fact of proof showing the attributes of the individual presenting the identification.
Unique data used to represent a person’s identity and associated attributes. Names and card numbers are examples of identifiers.
Identity and access management (IAM)
The combination of processes, technologies, and policies to manage digital identities and specify how digital identities are used to access resources.
A piece of documentation designed to verify aspects of a person’s identity. (See also breeder document.)
Identity management system (IDMS)
System composed of one or more computer systems or applications that manage the identity registration, verification, validation, and issuance process, as well as the provisioning and deprovisioning of identity credentials.
The process of making a person’s identity known to a system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system.
The process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in an ID card or system and associated with the identity being claimed.
International Civil Aviation Organization (ICAO) MRTD
International Civil Aviation Organization Machine Readable Travel Documents. ICAO establishes international standards for travel documents. An MRTD is an international travel document (e.g., a passport or visa) containing eye- and machine-readable data. ICAO Document 9303 is the international standard for MRTDs.
The ability of two or more systems or components to exchange information and to use the information that has been exchanged.
For the purposes of FIPS 201, the ability for any government facility or information system, regardless of the PIV issuer, to verify a cardholder’s identity using the credentials on the PIV card.
The series of international standards describing the characteristics of identification cards, including physical characteristics, sizes, thickness, dimensions, construction, materials and other requirements.
The international standard for integrated circuit cards with contacts, as well as the command set for all smart cards.
The international standard, “Identification Cards – Contactless Integrated Circuit(s) Cards – Vicinity Cards,” for cards operating at the 13.56 MHz frequency which can be read from a greater distance as compared to proximity cards. (See ISO/IEC 14443.)
Issuer (or issuing authority)
The organization that issues an identity card to an individual after identity proofing, background checks and related approvals have been completed. Typically this is an organization for which the individual is working.
In encryption and digital signatures, a value used in combination with a cryptographic algorithm to encrypt or decrypt data.
Low frequency (LF)
Radio frequencies (RF) in the range of 30 to 300 kHz. When used in an RF-based identification system, the low frequency is typically 125 kHz.
An attack on an authentication protocol in which the attacker is positioned between the individual seeking authentication and the system verifying the authentication. In this attack, the attacker attempts to intercept and alter data traveling between the parties.
The process of comparing biometric information against previously stored biometric data and scoring the level of similarity.
One of the most popular hashing algorithms, developed by Professor Ronald L. Rivest of MIT, which produces a 128-bit hash from any input.
Message authentication code (MAC)
A short piece of information used to support authentication of a message. A MAC algorithm accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag or checksum). The MAC value protects both a message’s integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content. MACs are computed and verified with the same key, unlike digital signatures.
Typically a smart card or any pocket-sized card with an embedded integrated circuit or circuits containing memory and microprocessor components.
A smart card that runs multiple applications–for example, physical access, logical access, data storage and electronic purse–using a single card.
A smart card reader that includes a PIN pad, biometric reader, or both to allow multi-factor authentication.
A card reader/writer that can accommodate more than one card technology in the same reader (e.g., both ISO/IEC 14443 and ISO/IEC 15693 contactless smart card technologies or both 13.56 MHz and 125 kHz contactless technologies).
For applications requiring secure access, the process that is used for the smart card-based device to verify that the reader is authentic and to prove its own authenticity to the reader before starting a secure transaction.
National Institute of Standards and Technology
The ability to ensure and have evidence that a specific action occurred in an electronic transaction (e.g., that a message originator cannot deny sending a message or that a party in a transaction cannot deny the authenticity of their signature).
Refers to data that is not stored on the ID card or to a computation that is not performed by the integrated circuit on the ID card.
Passwords that are used once and then discarded. Each time the user authenticates to a system, a different password is used, after which that password is no longer valid. The password is computed either by software on the logon computer or by OTP hardware tokens in the user’s possession that are coordinated through a trusted system.
The maximum distance between a contactless smart card reader and a contactless smart card.
Physical Access Interagency Interoperability Working Group
Personal Computer/Smart Card. The PC/SC specification defines how to integrate smart card readers and smart cards with the computing environment and how to allow multiple applications to share smart card devices.
Personal identification number (PIN)
A secret that an individual memorizes and uses to authenticate his or her identity or to unlock certain information stored on an ID card (e.g., the biometric information). PINs are generally only decimal digits.
Personally identifiable information (PII)
In information security and privacy, any piece of information which can potentially be used to uniquely identify, locate, or contact a person or steal the identity of a person.
A cyber attack that directs people to a fraudulent website to collect personal information for identity theft.
Physical access control system (PACS)
A system composed of hardware and software components that controls access to physical facilities (e.g., buildings, rooms, airports, warehouses).
See personal identity verification.
Public key infrastructure. See public key infrastructure.
The ability of an individual or group to keep their lives and personal affairs out of public view, or to control the flow of information about themselves.
An authorization or right granted by an application authority for an individual or group to perform an action.
The public part of an asymmetric key pair that is used to verify signatures created with its corresponding private key. Depending on the algorithm, public keys are also used to encrypt messages, files, or other information that can then be decrypted with the corresponding private key. The user releases this key to the public who can use it to encrypt messages to be sent to the user and to verify the user’s digital signature. Compare with private key.
Public (asymmetric) key cryptography
A type of cryptography that uses a pair of mathematically related cryptographic keys. The public key can be made available to anyone and can encrypt information or verify a digital signature. The private key is kept secret by its holder and can decrypt information or generate a digital signature.
Public key infrastructure (PKI)
The architecture, organization, techniques, practices, and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. There are four basic components to the PKI: the certificate authority (CA) responsible for issuing and verifying digital certificates, the registration authority (RA) which provides verification to the CA prior to issuance of digital certificates, one or multiple directories to hold certificates (with public keys), and a system for managing the certificates. Also included in a PKI are the certificate policies and agreements among parties that document the operating rules, procedural policies, and liabilities of the parties operating within the PKI.
Radio frequency identification (RFID)
Technology that is used to transmit information about objects wirelessly, using radio waves. RFID technology is composed of 2 main pieces: the device that contains the data and the reader that captures such data. The device has a silicon chip and an antenna and the reader also has an antenna. The device is activated when put within range of the reader. The term RFID has been most commonly associated with tags used in supply chain applications in the manufacturing and retail industries.
REAL ID Act
The REAL ID Act of 2005. Legislation intended to deter terrorism by establishing national standards for state-issued driver’s licenses and non-driver’s identification cards in addition to other key executables.
A body given the responsibility of maintaining lists of codes under international standards and issuing new codes to those wishing to register them.
RFID tag (labels)
Simple, low-cost and disposable electronic devices that are used to identify animals, track goods logistically and replace printed bar codes at retailers. RFID tags include an integrated circuit that typically stores a static number (an ID) and an antenna that enables the chip to transmit the stored number to a reader. When the tag comes within range of the appropriate RF reader, the tag is powered by the reader’s RF field and transmits its ID to the reader. There is little to no security on the RFID tag or during communication with the reader. Typical RFID tags can be easily read from distances of several inches (centimeters) to several yards (meters) to allow easy tracking of goods.
Role-based access control (RBAC)
Access to resources based on a user’s assigned role. Access permissions, which determine which resources can be accessed and the privileges in the context of that resource, are administratively associated with roles, and users are administratively assigned appropriate roles. Roles can be granted new permissions as new resources are incorporated, permissions can be revoked from roles as needed, and role assignments for users can be modified or removed as needed. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning the appropriate roles to the user, which simplifies common operations such as adding a user, or changing a user’s department.
Refers to public/private key encryption technology that uses an algorithm developed by Ron Rivest, Adi Shamir and Leonard Adleman and that is owned and licensed by RSA Security.
A key used with symmetric cryptographic techniques by a set of specified entities.
The verifiable and exclusive right to use the identity information being presented by an individual to access a set of privileges.
A random sequence of bits that is used in a cryptographic algorithm as the input to generate other, longer pseudo-random bit sequences.
The practice of obtaining information from a data storage device without the owner’s knowledge. Skimming is typically associated with magnetic stripe-based credit cards.
Secure Multipurpose Internet Mail Extensions. A protocol for exchanging digitally signed and/or encrypted mail.
A set of documentation that reflects agreements on products, practices, or operations produced by one or more organizations (or groups of cooperating entities), some for internal usage only, others for use by groups of people, groups of companies, or an entire industry.
Specifications produced by accredited associations, such as ANSI, ISO, SIA, ETSI or NIST. In the United States the use of standards is typically optional and multiple standards can be developed on the same subject. In some countries, the use of existing standards may be required by law and the development of multiple standards on the same subject may be restricted.
A person, system or object with associated attributes.
Keys that are used for symmetric (secret) key cryptography. In a symmetric cryptographic system, the same secret key is used to perform both the cryptographic operation and its inverse (for example to encrypt and decrypt, or to create a message authentication code and to verify the code).
A physical device that carries an individual’s credentials. The device is typically small (for easy transport) and usually employs a variety of physical and/or logical mechanisms to protect against modifying legitimate credentials or producing fraudulent credentials. Examples of tokens include picture ID cards (e.g., state driver’s licenses), smart cards, and USB devices.
As defined in NIST SP 800-73, products that meet the “Transitional” interface specification. Transitional products can be used as part of a migration strategy by Federal agencies that have already initiated a large-scale deployment of smart cards as identity badges.
A wireless communications device that detects and responds to an RF signal.
Any element or value which is guaranteed to be unique among a given group.
Universal Serial Bus. A serial bus standard to interface devices.
The process by which the question “is this person who the person claims to be?” is answered. This function requires a one-to-one match between presented identity information and identity information that is known to a system. See identity verification.
See ISO/IEC 15693.
Web access management (WAM)
Systems that replace the sign-on process on various web applications, typically using a plug-in on a front-end web server. The systems authenticate users once, and maintain that user’s authentication state even as the user navigates between applications. These systems normally also define user groups and attach users to privileges on the managed systems. These systems provide effective access management and single sign-on to web applications. They do not, in general, support effective (or any) management of ‘legacy’ systems such as network operating systems, mainframes, client/server applications, and e-mail systems.
Technology widely used for physical access applications. The technology includes an interface, a signal, a 26-bit format, an electromagnetic effect, and a card technology. A Wiegand strip is the implementation of Wiegand technology on an ID credential.
A contactless card that has an electronic circuit that is designed for a specific function (e.g., security, authentication).