CIV Credentials on Mobile Devices. Peter Cattaneo, VP Mobile Business Development, Intercede


Page 1: CIV Credentials on Mobile Devices · 4/1/2014

CIV Credentials on Mobile Devices

Peter Cattaneo, VP Mobile Business Development, Intercede

Page 2

CIV Credentials on Mobile Devices - Overview

• What is CIV?
  – Standards-based Identification
  – A set of credentials: Cryptographic (PKI), Biometric, Biographic
  – Supported by many physical and logical access products
• What is a Mobile Device?
  – Mobile Phone
  – Tablet
  – Laptop
  – Ultrabook
  – Wearable Computer
  – More coming soon…

Page 3

The PIV Family

• Interoperable, standards-based smart cards
• NIST specifications: FIPS 201-2, FIPS 140-2, SP 800-73-4, etc.
• NIST recommended practices
• Multiple vendors
• NIST-specified compliance: approved 3rd party testing
• Approved Product List: http://fips201ep.cio.gov/apl.php
• Three levels:
  – PIV – Government employees and contractors only
  – PIV-I – High security civilian; specified enrollment process
  – CIV – No specific policy requirements

Page 4

ID Form Factors

• Smart Cards are the ‘traditional’ form
  – Small, rugged, reliable, highly secure
  – Inexpensive and well standardized
  – Perfect option for employee badge
  – Widely used for bank cards: fits in your wallet; EMV – most of the world now, coming to the US
  – Used in virtually all mobile devices: all GSM phones, all 3G and 4G devices
  – Mandatory for Federal employees and on-site contractors
• But:
  – Needs a reader, UI & communication
  – Physical delivery needed
  – Challenges to update and maintain in the field

Page 5

ID Form Factors

• Smart Phones and Tablets offer new possibilities
  – Powerful processors
  – High capacity
  – Keyboard, screen, camera
  – Communications
  – Peripherals such as fingerprint and card readers
• Smart Cards in Mobile
  – Every device on a mobile network has a SIM/USIM/UICC
  – NFC enabled devices may have an additional Secure Element
  – microSD cards are available with Smart Card elements
  – Trusted Platform Module (TPM): available in some tablets with “Virtual Smart Card” support; mobile TPM specs in development
  – TEE in ARM devices; IPT in Intel
  – External smart cards via contact or contactless readers

Page 6

Credential Use Cases

• Proof of Identity: visual and electronic identity, attribute and entitlement verification
• Secure communications: email, VPN, signed documents
• Access systems and services: desktop logon, application or service logon
• Enter physical locations: building access, perimeter checks
• Trusted information discovery: qualifications, permissions, emergency medical

Page 7

What data is needed?

• Keys and certificates: symmetric and asymmetric keys and X.509 certificates
• Identity attributes: name, DoB, address, employer, status
• Photographs
• May also have biometric data: fingerprints and other biometrics
• Claims records: qualifications, permits, proof of age, entitlements
• Claims service information: URI and account data for real-time claims assertion

Page 8

Data storage options

• Secure element (SE): UICC (SIM), secure microSD, embedded SE, external SE, TEE/IPT
  – Limited capacity
  – Essential for keys and certificates
  – Optional for other data
• Cloud storage
  – Infinite capacity
  – Always current
• On-device storage
  – High capacity, flexible format
  – Fine-grained control over data release
  – Always available - can be used offline
  – Can be regarded as a cache of the live data

Page 9

Trusted Execution Environment, “TEE”

• Users need to know they can trust the device
  – Malware can intercept SE communications
  – Malware can intercept screen communications
  – Malware can intercept keyboard communications
• The Trusted Execution Environment can help
  – Trusted apps and services
  – Secure display
  – Secure keyboard
  – Secure SE communications (no ‘man in the middleware’ attacks)
  – ‘Standards’ based (Global Platform specifications)

Page 10

Data access

• A credential store requires controlled access
• SEs offer multiple methods of protection: public, user PIN, SO PIN, key authentication, etc.
• Encrypt data outside the SE with a key in the SE; this is how many HSMs operate
• Release of information should be under user control
  – PIN, password, explicit permissions for each attribute
  – Applies to SE, device, static and dynamic cloud data
• Some use cases demand direct access to data: physical access – door readers
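Added example (not from the slides, and not Intercede's code) of the two points above: an on-device attribute store that holds only ciphertext, encrypted under a key confined to a simulated secure element, and that releases one attribute at a time only after the user's explicit approval. SecureElement and AttributeStore are hypothetical names; AES-GCM stands in for whatever the real SE offers, and the approve callback stands in for the PIN, password or permission prompt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// SecureElement stands in for an SE/TPM key that cannot be exported: callers get
// Seal and Open, never the key bytes. Constructed model, not a real SE API.
type SecureElement struct{ aead cipher.AEAD }
func NewSecureElement() (*SecureElement, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)  // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block) // AES block: cannot fail
	return &SecureElement{aead: aead}, nil
}

// Seal encrypts under the SE key with a fresh nonce; only this output leaves the SE.
func (se *SecureElement) Seal(plain []byte) ([]byte, error) {
	nonce := make([]byte, se.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return se.aead.Seal(nonce, nonce, plain, nil), nil
}

// Open decrypts a Seal output; the GCM tag makes any tampering fail.
func (se *SecureElement) Open(blob []byte) ([]byte, error) {
	if n := se.aead.NonceSize(); len(blob) >= n {
		return se.aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("malformed blob")
}

// AttributeStore is on-device storage holding only ciphertext. Each attribute is
// released on its own, after the user approves that specific attribute.
type AttributeStore struct{ se *SecureElement; blobs map[string][]byte }

// Put keeps only the sealed form; on a Seal error nothing usable is stored.
func (s *AttributeStore) Put(name string, value []byte) (err error) {
	s.blobs[name], err = s.se.Seal(value)
	return
}

// Release hands out one named attribute, and only if approve says yes for it.
func (s *AttributeStore) Release(name string, approve func(string) bool) ([]byte, error) {
	if blob, ok := s.blobs[name]; ok && approve(name) {
		return s.se.Open(blob)
	}
	return nil, errors.New("attribute missing or release declined: " + name)
}
```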

Page 11

How does NFC fit in?

• NFC offers a way to consume identities locally
  – Proof of Identity – phone-to-phone or phone-to-terminal NFC challenge/response credential verification
  – Securing Communications – use the phone as a contactless smart card over NFC to sign and encrypt emails and documents
  – Service and Systems Access – use the phone as a contactless smart card over NFC to authenticate for logon, VPN and service permissions
  – Physical Access – NFC ISO 14443 compatibility allows PIV, Mifare and other PACS solutions
  – Payment – ISIS or other; rapidly growing POS infrastructure
  – Contact Exchange – business card information passed over NFC
  – Contactless Smart Card reader – interact with any standard contactless smart card – ID card or bank card
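Added example (not from the slides, and not Intercede's code) of the phone-to-terminal NFC challenge/response verification listed above: the terminal issues a fresh random challenge, the credential signs it with a key that stays inside a simulated secure element, and the terminal accepts each challenge only once, so a captured response is useless later. Credential and Terminal are hypothetical names; ECDSA P-256 is an assumption, and certificate chain and OCSP checks on the credential's public key are left to the terminal's existing PKI handling.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Credential stands in for the signing key inside the phone's secure element:
// only Sign is exposed; the key never leaves (a real SE also gates Sign behind the PIN).
type Credential struct{ priv *ecdsa.PrivateKey }
func NewCredential() (*Credential, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Credential{priv: k}, err
}
func (c *Credential) Public() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Sign answers a terminal's challenge received over NFC.
func (c *Credential) Sign(challenge [32]byte) ([]byte, error) {
	h := sha256.Sum256(challenge[:])
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}

// Terminal is the relying party (door reader, kiosk). It issues fresh random
// challenges and accepts each one only once, so a captured response cannot be replayed.
type Terminal struct{ issued map[[32]byte]bool }
func NewTerminal() *Terminal { return &Terminal{issued: map[[32]byte]bool{}} }
func (t *Terminal) Challenge() ([32]byte, error) {
	var n [32]byte
	if _, err := rand.Read(n[:]); err != nil {
		return n, err
	}
	t.issued[n] = true
	return n, nil
}

// Verify accepts sig only if it is pub's signature (pub comes from the credential's
// X.509 certificate, checked separately: chain, OCSP) over an unconsumed challenge.
func (t *Terminal) Verify(pub *ecdsa.PublicKey, challenge [32]byte, sig []byte) error {
	if !t.issued[challenge] {
		return errors.New("unknown or replayed challenge")
	}
	delete(t.issued, challenge) // single use
	h := sha256.Sum256(challenge[:])
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}
```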

Page 12

NFC Architecture Overview

[Diagram labels: Handset containing CPU, APP, NFC Modem, UICC and NFC SE, linked over SWP; external ISO 14443 Reader]

Single Wire Protocol

• SWP permits direct contactless ‘Card Emulation’ over ISO 14443
• Can work even when the phone battery is dead
• Vital safety feature for PACS and ticketing applications
• Apps can intercept and redirect secure element communications through the ‘contact’ interface
• Allows desktop logon, signing and encryption

Page 13

Credential Management

• Mobile devices will be important secure identity carriers, but how do you provision the content?
• Trusted credentials need strong, policy-driven management
  – Sources and deployment of secure hardware
  – Deployment of secure credential containers
  – Sources of trusted identities
  – Pre-issuance and credential delivery
  – Post-issuance management
  – May need synchronization with smart card credentials
  – Multiple credential providers, identities and attributes
  – Integration with external systems

Page 14

Credential Provisioning

• Secure Element - Out of Device
  – Removable devices, like UICCs and Secure microSD, can be programmed directly; e.g. bureau process
• In Device – Secure Element and Local Storage
  – Centralized, policy-driven updates
  – May be directly ‘over the air’ from MNO / TSM
  – May be ‘over the internet’ via a handset application
  – Live updates wherever you have a network
  – Self-service interaction and choice
  – May be ‘derived’ from a primary device or account

Page 15 to 18

Delivery Ecosystem

[Diagram, built up across four slides. Labels: MNO TSM with SSD-1, SSD-2, SSD-3 and SSD-4 for Bank, Identity and Loyalty; an Identity Agent with SSD-A, SSD-B, SSD-C and SSD-D reached over HTTPS for an Employer; a Secure Attribute Store fed over HTTPS by a Professional Body, an Employer, a Club and a Residence]

Page 19

Credential Use – Email

[Diagram labels: Identity Agent backed by SSD-A to SSD-D and SSD-1 to SSD-4 and by the Secure Attribute Store; an Email client; a PIN prompt (“PIN: ******”, OK); certificate status checked via OCSP; message shown as “xcqjz” and “Hello”]

Page 20

Credential Use – Secure Remote Access

[Diagram labels: the same Identity Agent, SSD and Secure Attribute Store layout; a Browser; PIN prompts (“PIN: ******”, OK); certificate status checked via OCSP]

Page 21

Credential Use - NFC

Physical Access

[Diagram labels: the same Identity Agent, SSD and Secure Attribute Store layout; secure element reached over SWP; NFC for physical access; Desktop Logon; PIN prompt (“PIN: ******”, OK)]

Page 22

Credential Use

[Diagram labels, summary: Browser, Email, Wallet, Identity Verification Service and Identity Claims Service using the Identity Agent, the Secure Attribute Store and SSD-A to SSD-D / SSD-1 to SSD-4 over NFC and SWP; certificate status checked via OCSP; PIN prompt (“PIN: ________”, OK)]

Page 23

Challenges

• Device Diversity
• Multiple players and multiple commercial models
• Hardware and API standards for crypto and SEs
• Interoperability between solutions
  – Protocols and APIs within and external to the device
  – Common data dictionaries for attributes
• Common standards for trust – LOA etc.
• Identity provider accreditation

Page 24

Conclusions

• There is a huge market for Mobile Credentials
  – Enhanced Security in the Mobile Device
  – Securing Remote Access
  – Badge Replacement
• CIV provides a solid standards-based foundation
• Many security features available today
• Lots of enabling technologies in development: NFC, TEE, BT LE

Page 25


[email protected]

www.intercede.com
