Traditionally associated with logical access and the digital signing of documents, Public Key Infrastructure (PKI) is now also being used to control physical access. Its use in physical access control is likely to become more prevalent with the implementation of the FIPS 201-2 recommendations this year. Derek Scheips of ASSA Abloy Future Lab explores the benefits of this key infrastructure for physical access systems.
PKI is fast becoming a leading driver in controlling physical access, largely due to FIPS 201 (Federal Information Processing Standards Publication 201), the US government physical-access control specification that recommends PKI at the door. These have been recommendations since 2005; they are expected to become mandates with FIPS 201-2 later this year.
FIPS explained
FIPS offers standards for not only what information should be stored on an ID card, but also best practices for verifying that the credential is authentic and in the right person's possession, says Kevin Graebel, product manager of HID credentials at HID Global, a leading manufacturer of physical and logical access control solutions. "A digital certificate is placed on the card with the user's key information/access levels. Then the PKI process sends that information via an electronic bridge to a federal certificate authority, making sure access hasn't been revoked or information tampered with."
Benefits of PKI-based access systems
The primary benefit of a PKI-based access system is that it does not depend on a shared secret key
PKI boils down to the use of a mathematically linked pair of keys, one designated public and the other designated private. The linkage ensures that information processed with one key can only be decoded or validated using the other key.
"The primary benefit of a PKI-based access system is that it does not depend on a shared secret key; instead it uses an asymmetric key pair," says Graebel. "In traditional access systems, the reader and the access card share a symmetric key used to authenticate each other. This requires a great deal of coordination between the cards and readers, especially when the cards may be used at more than one location. Using PKI, only the public key of the card needs to be shared, and it can easily be revoked or changed in the event of a breach. The private key is stored securely within the card."
Many advances in deploying PKIs have led to efficiency and interoperability that make it a natural choice not just for logical but also physical access control. "An organization can use a single PKI smart card, such as a PIV (Personal Identity Verification) card, for physical access to a building and to certain rooms, and for logical access to workstations, servers, VPNs, and so on," notes Dave Coombs, director of PKI Standards and Policy at Carillon Information Security, a Canadian air transport and aerospace identity management consulting firm. "This reduces the complexity of managing access control: manual provisioning or removal of access for a person in dozens of different systems is replaced with the issuance or revocation of a single credential."
Furthermore, recent interoperability advances allow one organization that accepts PIV cards to understand the identity of a visitor with a PIV card from a completely separate organization.
Cost of adopting PKI
But despite PKI's promise, there can be disadvantages, including cost and speed. "At a minimum, organizations will need to create or have access to a Certification Authority to manage the generation and validation of certificates," says Graebel. "Depending on how this is implemented, it may require costly rewiring and upgrading of all of their readers."
Contact versus contactless access control cards
Speed is also a bottleneck for physical access control. For durability and vandalism reasons, contactless communication between the card and the reader is more practical than contact communication, and over the contactless interface the exchange can take as much as 1.5 to 2 seconds. This may not seem like a long time, but when users are used to the fraction-of-a-second read times offered by technologies like Prox or iCLASS, it can cause issues.
"One disadvantage we hear about is the perceived slowness of PKI at the door," observes Coombs. "This can be mitigated by caching revocation information or OCSP (Online Certificate Status Protocol) responses, or even by pre-validating every morning each credential that was used at that site the previous day." He predicts that in the coming years: "more and more public and private organizations will be going this route, particularly given the work being done in the US right now."
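The two mechanisms described above, a card proving possession of a private key the reader never holds (Graebel) and a reader caching revocation answers so the door stays fast (Coombs), as an added Go sketch that is not from the article or from any vendor's product. The card, reader, serial numbers and the Fetch responder are constructed stand-ins; the cache is trusted only until the responder's nextUpdate time, so a revoked credential cannot ride a stale answer indefinitely.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// Card models a PIV-style credential: the key pair is generated on the card and the private half never leaves it.
// NewCard hands back the public key as well, the only thing the reader gets to enrol (no symmetric secret).
type Card struct{ priv *ecdsa.PrivateKey }
func NewCard() (*Card, *ecdsa.PublicKey) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Card{priv: k}, &k.PublicKey
}

// Sign answers the reader's nonce challenge; only this card's private key can produce the signature.
func (c *Card) Sign(challenge []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, c.priv, digest(challenge))
	return sig
}
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// RevStatus is a cached revocation answer (think OCSP response) tagged with the responder's nextUpdate time.
type RevStatus struct {
	Revoked    bool
	NextUpdate time.Time
}

// Reader enrols public keys and caches revocation answers; Fetch is the slow round trip to the CA/OCSP responder.
type Reader struct {
	Known map[string]*ecdsa.PublicKey
	Cache map[string]RevStatus
	Fetch func(serial string) RevStatus
}

// Authenticate runs challenge-response, then the revocation check, trusting the cache only while it is fresh.
func (r *Reader) Authenticate(serial string, card *Card, now time.Time) (bool, error) {
	challenge := make([]byte, 32) // fresh random nonce: a recorded signature cannot be replayed
	rand.Read(challenge)
	pub := r.Known[serial] // nil for a card that was never enrolled
	if pub == nil || !ecdsa.VerifyASN1(pub, digest(challenge), card.Sign(challenge)) {
		return false, errors.New("card " + serial + " failed the challenge")
	}
	if st, ok := r.Cache[serial]; !ok || !now.Before(st.NextUpdate) { // missing or stale: go online
		r.Cache[serial] = r.Fetch(serial)
	}
	return !r.Cache[serial].Revoked, nil
}
```

The reader fails closed: an unenrolled serial or a bad signature is rejected before any revocation lookup, and a missing or expired cache entry always forces the round trip.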
PKI development in Europe
Of course, many countries have been developing their own PKI methodologies in parallel.
The French government issues PKI credentials to its citizens every year to file their income tax, and its General Security Framework (RGS) includes recommendations on securing large-scale IT systems using PKI. "The Belgians have done something similar with their eID card," says Coombs. "It's a PKI-enabled smart card issued to Belgian citizens to authenticate their access to government systems and programs online."
Meanwhile, the German government is leading the way in implementing the European Union directive concerning 'qualified signature certificates', the only kind of digital signature that carries the force of law in Europe.
It should be noted that these European initiatives concern only logical access control to information systems, and it is still early days for PKI as a physical access control. At this point, very few public companies are choosing to use PKI for physical access control because of the newness and relative complexity, observes Graebel. "I suspect it will become more common as FIPS 201-2 is implemented and there is a wider variety of products available on the market to support it."
Derek Scheips
Freelance Writer
Assa Abloy Future Lab