Identity assurance with public key infrastructure

Following a successful trial nearly two years ago to test the feasibility of combining secure physical and logical access, West Midlands Police is now rolling out a secure and flexible access and identity management system for its policing facilities and systems.

With the increasing reliance on IT systems and mobile computer technology in everyday policing, user identity has taken on greater significance.
The Internet is fast becoming the medium of choice and is used daily to transmit and access sensitive data, but identity theft and fraud continues to be a major worry. It is therefore essential that access to systems  which enable the transmission of sensitive information is secure.
Passwords alone are no longer a secure means to proving identity; they can be easily guessed and social engineering (manipulating someone into divulging confidential information) is becoming commonplace. In addition, the stronger the password the more difficult it becomes for the end user to remember, which results in either the user writing the password down or forgetting it all together.
It is for these reasons that ‘two factor authentication’ – the principle based on a physical (security token) and a logical (personal identification number [PIN]) entry code is becoming the accepted replacement to passwords. Its common adoption by high street banks to secure online banking is evidence of this.
A range of security tokens are available in the marketplace, such as one-time-password tokens, USB keys, mobile phones, software-based tokens for personal digital assistants (PDAs) and PCs, smartcards and biometrics.
But more and more organisations are beginning to utilise public key infrastructure (PKI) to achieve identity assurance. A digital certificate issued by a trusted authority, which is stored on a smartcard, is currently one of the strongest and most reliable methods of positive digital identification.
Due to open standards [a standard that is publicly available and has various rights of use associated with it], most technologies now support certificate-based authentication where and a certificate on a smartcard can be used for authentication to Windows, virtual private networks (VPNs), firewalls, websites, and pre-boot hard disk encryption, among others. Because of this, one benefit of PKI is a single point of issuance and revocation to multiple systems and the importance of a device and certificate management system is key, especially if there is a large user population.

World first
In 2007, West Midlands Police successfully completed the world’s first pilot to test the feasibility of combining secure physical and logical access, smart card/chip and PIN technology and the creation of a ‘single sign-on’ to all applications.
The pilot was developed and implemented by identity and access management specialists Enline plc.
The two disciplines of physical and logical access security had been prominent issues for police forces and other organisations, as had the desire to achieve convergence between the underlying technologies. Through this pilot, West Midlands Police became the first UK police force to achieve this.
Paul Williamson, lead for the force’s Gateway programme to integrate business processes, was delighted that West Midlands became the first to prove that integrating physical and logical access really does work. He said feedback from both a strategic level and from officers at the heart of the trial had been very positive.
“This pilot set the baseline for future identity management control within our force,” he added.
The trial included the use of biometric technology, which Mr Williamson explained proved particularly useful from a practical point of view for officers in custody or a public facing, ie, front office environment, where there is a greater risk of losing or damaging smart cards. Keyboard biometric authentication provided easy, instant direct access to applications/ information.
From a strategic point of view, the trail p