`Case 6:21-cv-00916-ADA Document 43-6 Filed 04/19/22 Page 1of8
`
`EXHIBIT 6
`
`
`
`
U.S. General Services Administration
`
`GOVERNMENT SMART CARD HANDBOOK
`
`Samsung Ex. 1022, Page 1 of 262
`Samsung Electronics America, Inc. v. RFCyber Corp.
`IPR2021-00979
`
`APL-RFC0916-PA-00008878
`
`
`
`PREFACE
`
`This guidance Handbook is the result of Government experience gained over the past several years with smart
`card programs that include many smart card implementations, pilots, and projects conducted throughout the
`Federal government. The Handbook includes very significant input from industry and academic resources.
`The purpose of this Handbook is to share lessons learned and to provide guidance to Federal agencies
`contemplating the development and deployment of smart card or integrated circuit card-based identity and
`credentialing systems.
`
`At this writing there is a project under way to make this Handbook as web friendly as possible. Any
`suggestions on how to make this Handbook more useful and convenient would be appreciated. Please e-mail
`comments to Jim Hunt (jim.hunt@cisa.gov) and Bill Holcombe (bill.holcombe@cisa.gov).
`
`Bill Holcombe,
`
`Office of Governmentwide Policy
`General Services Administration
`
`February 2004
`
`
`
`
`ACKNOWLEDGEMENTS
`
`This `Government Smart Card Handbook' has been developed under the joint sponsorship of the General
`Services Administration Office of Governmentwide Policy and the Smart Card Interoperability Advisory Board
`(IAB). It would not have been possible to produce this Handbook without the contributions of knowledgeable
`people from government, industry, and academia. We acknowledge their contributions and give special thanks
`to the following direct contributors:
`
`Tim Baldridge — National Aeronautics and Space Administration
`Ralph Billeri — BearingPoint Inc.
`Dallas Bishoff — Veterans Affairs AAIP Team
`Joseph Broghamer — Department of Homeland Security
`Michael Brooks — General Services Administration
`Michael Butler — DoD Common Access Card Program
`Fred Catoe — Veterans Affairs AAIP Team
`Pamela Corry — Department of Homeland Security
`Patty Davis — Department of Agriculture
`Russ Davis — Federal Department of Insurance Corporation
`Peter Dauderis — General Services Administration
`Portia Dischinger — National Aeronautics and Space Administration
`Mary Dixon — Department of Defense
`Bob Donelson — Department of Interior
`Ron Dorman — Defense Information Systems Agency
`James Dray — National Institute of Standards and Technology
`John de Ferrari — General Accounting Office
`Keith Filzen — Central Intelligence Agency
`Jack Finberg — General Services Administration
`Liz Fong — National Institute of Standards and Technology
`George Fortwengler — Department of Health and Human Services
`Damon Goddard — General Services Administration
`Scott Glaser — General Services Administration
`David Hauge — BearingPoint Inc.
`Peter Han — General Services Administration
`Gordon Hannah — BearingPoint Inc.
`Daryl Hendricks — General Services Administration
`Barbara Hoffman — Department of the Navy
`Bill Holcombe — General Services Administration
`Lee Holcomb — Department of Homeland Security
`Keith Hughes — Department of Homeland Security
`Paul Hunter — Transportation Workers Identification Credential
`Joel Hurford — United States Patent and Trademark Office
`
Kevin Hurst — Office of Science and Technology Policy
Lisa Kalinowski — BearingPoint Inc.
`Jeff Kindschuh — Veterans Affairs AAIP Team
`July Kresgi — Department of Agriculture
`Lolie Kull — Department of State
`Steven Law — General Accounting Office
`Greta Lehman — Department of Defense — Army
`Graham MacKenzie — Department of Treasury
`Amin Magdi — World Bank Group
`Eugenia McGroarty — DoD — Defense Logistics Agency
`John Mercer — Department of State
Carey Miller — BearingPoint Inc.
`Mary Mitchell — General Services Administration
`Martin Monahan — World Bank Group
`John Moore — General Services Administration
`William Morrison — National Aeronautics and Space Administration
`Trung Nguyen — Department of Treasury
`Steve Parsons — Transportation Security Administration
`Sonya Pee — General Services Administration
`Arthur Purcell — United States Patent and Trademark Office
Ronald Pusz — BearingPoint Inc.
`Fred Riggle — United States Geological Survey
`Teresa Schwarzhoff — National Institute of Standards and Technology
`John G. Sindelar — General Services Administration
`Judith Spencer — General Services Administration
`Dario Stipisic — BearingPoint Inc.
`Michael Sulak — Department of State
`David Temoshok — General Services Administration
`Janel Valverde — BearingPoint Inc.
`Martin Wagner — General Services Administration
Dr. Jim Wayman — National Biometric Testing Center, San Jose State
`William Windsor — General Services Administration
`James Zok — Department of Transportation — Maritime Administration
`
`We also recognize and give thanks to the Smart Card Alliance and their industry members for their assistance
`in providing commentary and editorial advice to this Handbook:
`
`Randy Vanderhoof — Executive Director, Smart Card Alliance
`Cathy Medich — Government Smart Card Handbook Committee Chair, Smart Card Alliance
`
Bob Beer — Datacard Group
`Linda Brown — Infineon Technologies
`Alex Giakoumis — Atmel Corporation
`Kevin Kozlowski — XTec, Incorporated
`Bob Merkert — SCM Microsystems
`Neville Pattinson — Axalto
`
`Joe Pilozzi — Philips Semiconductors
`James Russell — MasterCard International
Carlos Santos — IBM
`Rick Uhrig — Gemplus
`Bob Wilberger — Northrop Grumman IT
`
`
`
`
`TABLE OF CONTENTS
`
EXECUTIVE SUMMARY ..... ES-1
1. INTRODUCTION ..... 7
1.1 SMART IDENTIFICATION CARD VISION AND GOALS ..... 7
1.1.1 Achieving Interoperability Across Federal agencies ..... 8
1.1.2 Open Government System Framework ..... 10
1.1.3 Flexibility ..... 10
1.1.4 Interentity Cooperation ..... 11
1.2 GSA's ROLE ..... 11
1.3 HANDBOOK AND SMART ACCESS COMMON ID CONTRACT PURPOSE AND ORGANIZATION ..... 12
1.3.1 Purpose ..... 13
1.3.2 Organization ..... 13
2. SMART CARD TECHNOLOGY ..... 15
2.1 SMART CARDS AND RELATED TECHNOLOGIES ..... 15
2.1.1 Overview ..... 15
2.1.2 Types of Chip Cards ..... 16
2.1.3 The Secure Microcontroller Chip ..... 18
2.1.4 Smart Card Read/Write Devices ..... 20
2.1.5 Smart Card Interfaces: Contact and Contactless Cards ..... 22
2.1.6 GSC-IS 2.1: Contact and Contactless Interoperability ..... 25
2.1.7 Multiple Technology and Multiple Interface Cards ..... 26
2.1.8 Multi-Application Cards ..... 28
2.1.9 Synopsis of Technical Standards ..... 30
2.1.10 Current Legislation and OMB Guidance ..... 35
2.1.11 Smart Card Implementation Considerations ..... 36
2.2 COMPONENTS OF A SMART CARD SYSTEM ..... 39
2.3 CARD LIFE CYCLE MANAGEMENT ARCHITECTURE ..... 40
2.4 CAPABILITIES OF THE SMART IDENTIFICATION CARD FOR AGENCIES ..... 46
2.4.1 Identification ..... 47
2.4.2 Smart Cards and Building Security: Physical Access Control ..... 47
2.4.3 Smart Cards and IT Security: Logical Access Control ..... 48
2.4.4 Digital Signatures ..... 48
2.4.5 Biometrics and Smart Cards ..... 52
2.4.6 Other Value-Added Services ..... 63
2.5 BENEFITS OF IMPLEMENTING A SMART CARD SYSTEM ..... 64
2.5.1 Why Implement a Smart Card System? ..... 65
2.5.2 Relative Merit of Smart Cards vs. Alternative Technologies ..... 68
3. AGENCY IMPLEMENTATIONS ..... 74
3.1 AGENCY SMART CARD REQUIREMENTS ..... 74
3.2 CURRENT STATUS OF SMART CARD DEVELOPMENT OF MAJOR USERS AND DEPARTMENTS ..... 75
3.2.1 Introduction ..... 75
3.2.2 Current and Planned Smart Card Implementations ..... 76
3.2.3 Identity Management Solutions ..... 80
3.2.4 User Support ..... 81
3.2.5 Summary ..... 82
4. KEY DECISIONS ..... 83
4.1 DECIDING ON A SMART CARD ..... 83
4.2 DETERMINING THE APPLICATIONS, CAPABILITIES AND OPTIONS OF THE CARD PLATFORM ..... 85

III
`
`
`
`
`
`Lack of robustness (resistance to attack) is another concern and organizations should seek
`independent confirmation of vendors' claims. For ATMs and other kiosk-style applications involving
`multiple users, organizations should consider iris, fingerprint, hand, or face. For information system
`security, fingerprint or iris is more appropriate. Two types of biometrics lend themselves to particular
`applications: voice for telephone applications (including mobile devices) and IVR systems, and
`signature for document-centric applications. Medium and large organizations will also be best
`served by adopting authentication middleware that allows biometrics to be used alongside and in
`combination with other authentication methods and offers better manageability and scalability than
`"single-engined" solutions.
`
`2.4.6 OTHER VALUE-ADDED SERVICES
`In addition to the identification, physical access, and logical access control applications, agencies
`may use their smart card platforms for a variety of other applications and services including:
`
`• Property Management. A chip-based application that provides the capability to enter, update,
`and delete asset information from the employee's card. This asset information can then be
`manually read and verified by a guard when the employee enters or exits a building or read
`automatically through RF tags in assets when the employee passes through a portal.
`
`• Exchange of Clearance Information. A chip-based application that allows clearance
`information to be transported on the smart card between agencies and used to grant the visiting
`employee access to high-security facilities.
`
`• Rostering. A chip-based application that allows data residing on the smart identification card to
`be retrieved, date or time stamped, and transferred to a database that is then used to generate a
`variety of specialized reports and to provide positive proof of attendance.
`
`• Medical. A chip-based application that allows basic medical and insurance data to be stored on
`the card, read when appropriate by authorized providers, and used to populate claim forms.
`
`• Training/Certification. A chip-based application that allows training and job-specific
`certifications to be entered on the card.
`
`• Electronic Forms Submission. By combining the use of data maintained on the card with the
`ability to digitally sign an electronic form, this application can populate and submit a wide range
`of standard administrative forms used by virtually all Federal agencies.
`
• Electronic Purse. A chip-based application where cash or value is recorded on a chip and is
available for use in vending machines and at participating merchants, typically for small
transactions. Through this application, merchants can replace labor-intensive cash transactions
(counting, sorting, bundling, and transporting) with electronic transactions; vending service
providers can eliminate loading and emptying coins from machines, as well as eliminate the
incentive for vandalism; and customers can reduce the need to carry and make payments
with cash, particularly when exact change is required.
`
`63
`
`
`
`
`
`8. APPENDIX A - GLOSSARY OF TERMS
`
Algorithm — A computational procedure used for performing a set of tasks such as an encryption process, a digital
signature process, or cardholder verification.
`
`American Association of Motor Vehicle Administrators (AAMVA) — An association of administrators
`representing motor vehicle agencies in the United States and Canada.
`
`Anti-tamper — Refers to the technology available to prevent unauthorized alteration or modification of cards.
`
Anti-tearing — The process or processes that prevent data loss when a smart card is withdrawn from the
contacts during a data operation.
`
`Application Program Interface (API) — A formal specification of a collection of procedures and functions
`available to a client application programmer. These specifications describe the available commands, the
`arguments (or parameters) that must be provided when calling the command, and the types of return values
`when the command execution is completed.
`
`Attribute Authority (AA) — An entity responsible for issuing and verifying the validity of an attribute certificate.
`
`Attribute Certificate — A message, similar to a digital certificate, which is intended to convey information about
`the subject. The attribute certificate is linked to a specific public key certificate. Thus, the attribute certificate
`conveys a set of attributes along with a public key certificate identifier or entity name.
`
`Authorization — The process of determining what types of activities or access are permitted for a given physical or
`logical resource. Once the identity of the user has been authenticated, they may be authorized to have access to a
`specific location, system, or service. In the context of logical access control, the process whereby a user's privileges
`to access and manipulate data objects are assigned.
`
`Automated Response Unit (ARU) — A designated system for answering telephone calls and providing
`information to callers via recorded messages, or transferring calls to a customer service center (CSC).
`
`Bar Code — The set of vertical bars of irregular widths representing coded information placed on consumer
`products and other items (such as identification cards) that may require this type of identification.
`
`Binding — An affirmation by a Certificate Authority/Attribute Authority (or its acting Registration Authority) of the
`relationship between a named entity and its public key or biometric template.
`
`Biometric Template — Refers to a stored record of an individual's biometric features. Typically, a "livescan" of
`an individual's biometric attributes is translated through a specific algorithm into a digital record that can be
`stored in a database or on an integrated circuit chip card. The formatted digital record used to store the
`biometric attributes is generally referred to as the biometric template.
`
`Biometrics — An automatic identification process for identity verification of individuals based on unique
`behavioral or physiological characteristics. These are unique things that we do or unique physical
`characteristics that we have. Behavioral biometrics include voice, signature, and keyboard typing technique.
`Physical biometrics include fingerprint, hand geometry, facial recognition, and iris and retinal scan.
`
`A-1
`
`
`
`
`Public Key Infrastructure (PKI) — The architecture, organization, techniques, practices, and procedures that
`collectively support the implementation and operation of a certificate-based public key cryptographic system.
PKI also denotes the communications infrastructure that allows users to exchange money and data over the Internet in a
secure environment. There are four basic components to the PKI: the certificate authority (CA) responsible for
`issuing and verifying digital certificates, the registration authority (RA) which provides verification to the CA
`prior to issuance of digital certificates, one or multiple directories to hold certificates (with public keys), and a
`system for managing the certificates. Included also in a PKI are the certificate policies and agreements among
`parties that document the operating rules, procedural policies, and liabilities of the parties operating within the
`PKI.
`
`Public Key — A mathematical key that can be made publicly available and which is used to verify signatures
`created with its corresponding private key. Depending on the algorithm, public keys are also used to encrypt
`messages or files that can then be decrypted with the corresponding private key.
`
`Radio Frequency Identification (RFID) — Refers to an access control system that features a tag embedded
`with both a circuit and an antenna. As the antenna enters the electronic field of the reader, it generates energy
`for the circuit, and transmits the identification number in the tag to the reader.
`
`Registration Authority (RA) — The Registration Authority is a component of the Public Key Infrastructure.
`The RA acts as a gatekeeper by providing verification to the Certificate Authority before granting a request for
`a digital certificate.
`
`Relying Party — A recipient who acts in reliance on a certificate and digital signature.
`
`Renewal — The process of obtaining a new certificate of the same class and type for the same subject once an
`existing certificate has expired.
`
`Revocation — The process of permanently ending the operational period of a certificate from a specified time
`forward. Generally, revocation is performed when a private key has been compromised.
`
`Root — The CA that issues the first certificate in a certification chain. The root's public key must be known in
`advance by a certificate user in order to validate a certificate chain.
`
Secret (Symmetric) Key Cryptography — A cryptographic system that uses the same key, known as a "secret
key", to both encipher and decipher messages (a "secret key algorithm"). This is contrasted with asymmetric key
cryptography, which uses a secure public/private key pair.
`
Secure Access Module (SAM) — A software module contained in a card access device that allows the card
`and terminal to mutually authenticate each other.
`
`Sensitive Compartmentalized Information Facility (SCIF) — A designated physical location that requires
`high-level security clearance for entry. An area that is generally used to maintain top secret documents and
`systems.
`
`Source Selection Evaluation Board (SSEB) — A group of government employees charged with evaluating
`offerors' responses to a task order and determining to which vendor the task order is to be awarded.
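The PKI, Relying Party, Revocation and Root entries above describe roles; the following shell session, added here and not taken from the Handbook, walks through them with the openssl command line. Every name, file and lifetime is constructed, and the verification results show why the root must be trusted in advance and what revocation does to an otherwise valid chain.

```shell
#!/bin/sh
# Constructed walkthrough of the glossary's PKI roles using the openssl CLI.
# Not code from the Handbook; every name, lifetime and file name is made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root: a self-signed CA whose public key the relying party must already
# trust ("known in advance") before any certification chain can be validated.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -days 30 -subj "/CN=Constructed Agency Root CA" >/dev/null 2>&1

# Subscriber (cardholder) key and request, signed by the root: a one-step
# certification chain leaf -> root.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=cardholder@agency.invalid" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out leaf.pem -days 7 >/dev/null 2>&1

# A second root the relying party does not trust; it never issued leaf.pem.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
  -days 30 -subj "/CN=Unrelated Root CA" >/dev/null 2>&1

# Relying-party check: the chain must terminate at the trusted root.
verify_chain() {   # $1 = trusted root file, $2 = certificate under test
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Revocation: the root ends leaf.pem's operational period by listing it on a
# CRL. The minimal `openssl ca` database below exists only to sign that CRL.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = constructed_ca
[ constructed_ca ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 7
EOF
touch index.txt
echo 01 > crlnumber
openssl ca -config ca.cnf -cert root.pem -keyfile root.key -revoke leaf.pem >/dev/null 2>&1
openssl ca -config ca.cnf -cert root.pem -keyfile root.key -gencrl -out root.crl >/dev/null 2>&1

# Same chain check, but the relying party also consults the root's CRL.
verify_chain_crl() {   # $1 = trusted root, $2 = its CRL, $3 = certificate under test
  if openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "trusted root:     $(verify_chain root.pem leaf.pem)"              # ok
echo "untrusted root:   $(verify_chain other.pem leaf.pem)"             # fail
echo "after revocation: $(verify_chain_crl root.pem root.crl leaf.pem)" # fail
```

The untrusted-root case fails even though leaf.pem is well-formed and unexpired, which is the "known in advance" requirement in the Root entry; the CRL case fails from the revocation time forward regardless of the certificate's remaining validity period.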
`
`A-6
`
`
`