CIV Credentials on Mobile Devices
Transcript of a slide presentation, 4/1/2014
Peter Cattaneo, VP Mobile Business Development, Intercede
CIV Credentials on Mobile Devices - Overview
• What is CIV?
  – Standards-based identification
  – A set of credentials
    • Cryptographic (PKI)
    • Biometric
    • Biographic
  – Supported by many physical and logical access products
• What is a Mobile Device?
  – Mobile phone
  – Tablet
  – Laptop
  – Ultrabook
  – Wearable computer
  – More coming soon…
The PIV Family
• Interoperable, standards-based smart cards
• NIST specifications
  – FIPS 201-2, FIPS 140-2, SP 800-73-4, etc.
• NIST recommended practices
• Multiple vendors
• NIST-specified compliance
  – Approved 3rd-party testing
• Approved Product List
  – http://fips201ep.cio.gov/apl.php
• Three levels
  – PIV – Government employees and contractors – only!
  – PIV-I – High security civilian – Specified enrollment process
  – CIV – No specific policy requirements
ID Form Factors
• Smart cards are the ‘traditional’ form
  – Small, rugged, reliable, highly secure
  – Inexpensive and well standardized
  – Perfect option for employee badge
  – Widely used for bank cards; fits in your wallet
  – EMV – most of the world now, coming to the US
  – Used in virtually all mobile devices: all GSM phones, all 3G and 4G devices
  – Mandatory for Federal employees and on-site contractors
• But
  – Needs a reader, UI & communication
  – Physical delivery needed
  – Challenges to update and maintain in the field
ID Form Factors
• Smart phones and tablets offer new possibilities
  – Powerful processors
  – High capacity
  – Keyboard, screen, camera
  – Communications
  – Peripherals such as fingerprint and card readers
• Smart cards in mobile
  – Every device on a mobile network has a SIM/USIM/UICC
  – NFC-enabled devices may have an additional Secure Element
  – microSD cards are available with smart card elements
  – Trusted Platform Module (TPM)
    • Available in some tablets with “Virtual Smart Card” support
    • Mobile TPM specs in development
  – TEE in ARM devices; IPT in Intel
  – External smart cards via contact or contactless readers
Credential Use Cases
• Proof of identity
  – Visual and electronic identity, attribute and entitlement verification
• Secure communications
  – eMail, VPN, signed documents
• Access systems and services
  – Desktop logon, application or service logon
• Enter physical locations
  – Building access, perimeter checks
• Trusted information discovery
  – Qualifications, permissions, emergency medical
What data is needed?
• Keys and certificates
  – Symmetric and asymmetric keys and X.509 certificates
• Identity attributes
  – Name, DoB, address, employer, status
• Photographs
  – May also have biometric data: fingerprints and other biometrics
• Claims records
  – Qualifications, permits, proof of age, entitlements
• Claims service information
  – URI and account data for real-time claims assertion
Data storage options
• Secure element (SE)
  – UICC (SIM), secure microSD, embedded SE, external SE, TEE/IPT
  – Limited capacity
  – Essential for keys and certificates; optional for other data
• Cloud storage
  – Infinite capacity
  – Always current
• On-device storage
  – High capacity, flexible format
  – Fine-grained control over data release
  – Always available – can be used offline
  – Can be regarded as a cache of the live data
Trusted Execution Environment, “TEE”
• Users need to know they can trust the device
  – Malware can intercept SE communications
  – Malware can intercept screen communications
  – Malware can intercept keyboard communications
• The Trusted Execution Environment can help
  – Trusted apps and services
  – Secure display
  – Secure keyboard
  – Secure SE communications (no ‘man in the middleware’ attacks)
  – ‘Standards’ based (GlobalPlatform specifications)
Data access
• A credential store requires controlled access
• SEs offer multiple methods of protection
  – Public, user PIN, SO PIN, key authentication, etc.
• Encrypt data outside the SE with a key in the SE
  – This is how many HSMs operate
• Release of information should be under user control
  – PIN, password, explicit permissions for each attribute
  – Applies to SE, device, and static and dynamic cloud data
• Some use cases demand direct access to data
  – Physical access – door readers
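The ‘key in the SE, data outside the SE’ pattern and the PIN-gated release described above, as an added worked example in Go (written for this page; it is not code from the presentation or from Intercede). The secure element is simulated in memory: a constructed SecureElement type holds an AES-256-GCM key that never leaves it and enforces a PIN retry counter, while a constructed CredentialStore keeps each attribute as a separate ciphertext on the device and can recover any one of them only through the element, and only after the PIN has been verified. Type and function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const pinRetryLimit = 3 // a real SE blocks after a few wrong PINs

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failing is unrecoverable
	}
	return b
}

// SecureElement is a constructed stand-in for a UICC, embedded SE or TEE key
// store: its key never leaves it, and decryption is gated by the user PIN.
type SecureElement struct {
	aead     cipher.AEAD // AES-256-GCM under a key that exists only in here
	pinHash  [32]byte
	retries  int
	unlocked bool
}

func NewSecureElement(pin string) *SecureElement {
	block, err := aes.NewCipher(randBytes(32))
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return &SecureElement{aead: aead, pinHash: sha256.Sum256([]byte(pin)), retries: pinRetryLimit}
}

// VerifyPIN unlocks the element; exhausting the retry counter blocks it.
func (se *SecureElement) VerifyPIN(pin string) error {
	if se.retries == 0 {
		return errors.New("secure element blocked: PIN retry counter exhausted")
	}
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], se.pinHash[:]) != 1 {
		se.retries--
		se.unlocked = false
		return fmt.Errorf("wrong PIN, %d attempt(s) remaining", se.retries)
	}
	se.retries, se.unlocked = pinRetryLimit, true
	return nil
}

// Seal encrypts a record for storage outside the element; a fresh nonce is
// prepended and aad binds the ciphertext to a context such as the attribute name.
func (se *SecureElement) Seal(plaintext, aad []byte) []byte {
	nonce := randBytes(se.aead.NonceSize())
	return se.aead.Seal(nonce, nonce, plaintext, aad)
}

// Open is the controlled release point: it refuses until the PIN has been
// verified, and fails on any change to nonce, ciphertext, tag or aad.
func (se *SecureElement) Open(sealed, aad []byte) ([]byte, error) {
	if !se.unlocked {
		return nil, errors.New("PIN verification required before data release")
	}
	ns := se.aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed record too short")
	}
	return se.aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// CredentialStore is the on-device store: one ciphertext per attribute, so
// releasing one attribute never exposes the others.
type CredentialStore struct {
	records map[string][]byte
}

func NewCredentialStore(se *SecureElement, attrs map[string]string) *CredentialStore {
	cs := &CredentialStore{records: map[string][]byte{}}
	for name, value := range attrs {
		cs.records[name] = se.Seal([]byte(value), []byte(name))
	}
	return cs
}

// Release hands back one attribute, and only with the SE's PIN-gated help.
func (cs *CredentialStore) Release(se *SecureElement, name string) (string, error) {
	sealed, ok := cs.records[name]
	if !ok {
		return "", fmt.Errorf("no attribute %q", name)
	}
	plain, err := se.Open(sealed, []byte(name))
	if err != nil {
		return "", fmt.Errorf("attribute %q: %w", name, err)
	}
	return string(plain), nil
}
```

In a real handset the Open call would be a command to the UICC or embedded SE (or to a TEE trusted application), and production designs usually have the element wrap a per-store data key rather than decrypt every record itself; the access control shown is the same either way: no PIN, no plaintext, and a retry counter so the PIN cannot be guessed at leisure.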
How does NFC fit in?
• NFC offers a way to consume identities locally
  – Proof of identity – phone-to-phone or phone-to-terminal NFC challenge/response credential verification
  – Securing communications – use the phone as a contactless smart card over NFC to sign and encrypt emails and documents
  – Service and systems access – use the phone as a contactless smart card over NFC to authenticate for logon, VPN and service permissions
  – Physical access – NFC ISO 14443 compatibility allows PIV, MIFARE and other PACS solutions
  – Payment – ISIS or other; rapidly growing POS infrastructure
  – Contact exchange – business card information passed over NFC
  – Contactless smart card reader – interact with any standard contactless smart card – ID card or bank card
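The phone-to-terminal challenge/response listed first above, as an added worked example in Go (this page's own illustration, not code from the presentation or from Intercede). The terminal issues a random single-use nonce bound to its own identifier, the phone signs it with an ECDSA P-256 key standing in for the one its secure element holds, and the terminal verifies under a public key it enrolled earlier. The type names, the 16-byte nonce size and the digest layout are this example's assumptions; a PIV deployment would take the public key from the credential's X.509 certificate and check its status (for example via OCSP) before trusting it, which is omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Challenge is what the terminal sends over NFC: a fresh random nonce bound
// to the terminal's own identity, so a response cannot be replayed elsewhere.
type Challenge struct {
	TerminalID string
	Nonce      [16]byte
}

// Response is the phone's reply: the credential identifier and an ECDSA
// signature over the challenge, made by the key held in the secure element.
type Response struct {
	CredentialID string
	Signature    []byte
}

// challengeDigest is the exact byte string both sides sign and verify; the
// terminal ID is length-prefixed so field boundaries are unambiguous.
func challengeDigest(c Challenge) []byte {
	h := sha256.New()
	var l [2]byte
	binary.BigEndian.PutUint16(l[:], uint16(len(c.TerminalID)))
	h.Write(l[:])
	h.Write([]byte(c.TerminalID))
	h.Write(c.Nonce[:])
	return h.Sum(nil)
}

// PhoneCredential is the handset side. In a real deployment the private key
// is generated inside the SE and never leaves it; here it lives in memory.
type PhoneCredential struct {
	ID   string
	priv *ecdsa.PrivateKey
}

func NewPhoneCredential(id string) (*PhoneCredential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &PhoneCredential{ID: id, priv: priv}, nil
}

// PublicKey is what a terminal enrols (in PIV it would come from the certificate).
func (p *PhoneCredential) PublicKey() *ecdsa.PublicKey { return &p.priv.PublicKey }

// Respond signs the challenge; on a real phone the holder's PIN is checked first.
func (p *PhoneCredential) Respond(c Challenge) (Response, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, p.priv, challengeDigest(c))
	return Response{CredentialID: p.ID, Signature: sig}, err
}

// Terminal is the verifying side: a door reader or another phone.
type Terminal struct {
	ID      string
	trusted map[string]*ecdsa.PublicKey // credential ID -> enrolled public key
	pending map[[16]byte]bool           // challenges issued and not yet consumed
}

func NewTerminal(id string) *Terminal {
	return &Terminal{ID: id, trusted: map[string]*ecdsa.PublicKey{}, pending: map[[16]byte]bool{}}
}

func (t *Terminal) Enrol(credentialID string, pub *ecdsa.PublicKey) {
	t.trusted[credentialID] = pub
}

// Issue creates a single-use challenge and remembers it until it is consumed.
func (t *Terminal) Issue() (Challenge, error) {
	c := Challenge{TerminalID: t.ID}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return Challenge{}, err
	}
	t.pending[c.Nonce] = true
	return c, nil
}

// Verify accepts a response only for a challenge this terminal issued, only
// once, and only if the signature checks under an enrolled key.
func (t *Terminal) Verify(c Challenge, r Response) error {
	if c.TerminalID != t.ID {
		return errors.New("challenge was not issued by this terminal")
	}
	if !t.pending[c.Nonce] {
		return errors.New("unknown or already-used nonce: possible replay")
	}
	delete(t.pending, c.Nonce) // consumed whether or not the signature is good
	pub, ok := t.trusted[r.CredentialID]
	if !ok {
		return fmt.Errorf("credential %q is not enrolled", r.CredentialID)
	}
	if !ecdsa.VerifyASN1(pub, challengeDigest(c), r.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}
```

Three checks matter for a door reader and each returns a distinct error: the nonce must be one this terminal issued and not yet consumed (replay), the challenge must carry this terminal's identifier (a response captured at another reader is useless here), and the signature must verify under a key enrolled for the claimed credential.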
NFC Architecture Overview
[Diagram: handset components – CPU, APP, UICC, NFC SE, NFC Modem, 14443 Reader – with the SWP (Single Wire Protocol) link]
Single Wire Protocol
• SWP permits direct contactless ‘Card Emulation’ over ISO 14443
• Can work even when the phone battery is dead
• Vital safety feature for PACS and ticketing applications
• Apps can intercept and redirect secure element communications through the ‘contact’ interface
• Allows desktop logon, signing and encryption
Credential Management
• Mobile devices will be important secure identity carriers
  – But how do you provision the content?
• Trusted credentials need strong, policy-driven management
  – Sources and deployment of secure hardware
  – Deployment of secure credential containers
  – Sources of trusted identities
  – Pre-issuance and credential delivery
  – Post-issuance management
  – May need synchronization with smart card credentials
  – Multiple credential providers, identities and attributes
  – Integration with external systems
Credential Provisioning
• Secure Element – out of device
  – Removable devices, like UICCs and secure microSD, can be programmed directly; e.g. bureau process
• In device – Secure Element and local storage
  – Centralized, policy-driven updates
  – May be directly ‘over the air’ from MNO / TSM
  – May be ‘over the internet’ via a handset application
  – Live updates wherever you have a network
  – Self-service interaction and choice
  – May be ‘derived’ from a primary device or account
Delivery Ecosystem
[Diagram, built up over four slides. Labels: MNO TSM with security domains SSD-1, SSD-2, SSD-3, SSD-4 (Bank, Identity, Loyalty); Employer with SSD-A, SSD-B, SSD-C, SSD-D over HTTPS; Identity Agent on the handset; Secure Attribute Store fed over HTTPS by Professional Body, Employer, Club and Residence]
Credential Use – Email
[Diagram. Labels: security domains SSD-A to SSD-D and SSD-1 to SSD-4; OCSP; Identity Agent; Secure Attribute Store; PIN entry (OK); ciphertext ‘xcqjz’ and plaintext ‘Hello’]
Credential Use – Secure Remote Access
[Diagram. Labels: security domains SSD-A to SSD-D and SSD-1 to SSD-4; OCSP; Browser; Identity Agent; Secure Attribute Store; PIN entry (OK)]
Credential Use – NFC
[Diagram: physical access and desktop logon. Labels: security domains SSD-A to SSD-D and SSD-1 to SSD-4; Identity Agent; Secure Attribute Store; PIN entry (OK); NFC; SWP]
Credential Use
[Diagram: overall credential use. Labels: OCSP; security domains SSD-A to SSD-D and SSD-1 to SSD-4; Browser; Wallet; Identity Verification Service; Identity Claims Service; SWP; NFC; Identity Agent; Secure Attribute Store; PIN entry (OK)]
Challenges
• Device diversity
• Multiple players and multiple commercial models
• Hardware and API standards for crypto and SEs
• Interoperability between solutions
  – Protocols and APIs within and external to the device
  – Common data dictionaries for attributes
• Common standards for trust – LOA etc.
• Identity provider accreditation
Conclusions
• There is a huge market for mobile credentials
  – Enhanced security in the mobile device
  – Securing remote access
  – Badge replacement
• CIV provides a solid standards-based foundation
• Many security features available today
• Lots of enabling technologies in development: NFC, TEE, BT LE