
Interagency Advisory Board Meeting Agenda, Wednesday, September 26, 2012

1. Opening Remarks

2. Enabling the Mobile Government Workforce with PIV Credentials in a BYOD Future (Neville Pattinson, Gemalto)

3. Enabling PIV and Federated Access and Privileges within Cloud Services (Ken Ammon, CSO, Xceedium)

4. Demonstration of Means to Provision PIV to Various Relying Party Systems (Joe Broghamer, DHS)

5. Identity Management Reassembled (Jeff Nigriny, Certipath)

6. Closing Remarks

Enabling the Mobile CAC/PIV workforce

Neville Pattinson

SVP Government Affairs September 2012

Unclassified

Gemalto

Gemalto – Vital statistics

$2.6B in revenue in 2011 (Euronext: GTO.PA)

10,000 employees

90 Countries

Produce 1.5B digital credentials each year

Involved in hundreds of solutions involving secure documents

Austin, TX. North American HQ

Gemalto The Leader in Digital Security

It is most likely you have one or more of our products in your possession right now

The SIM card in your mobile phone

The bank cards in your wallet or purse (Mag stripe or chip based)

Your US Passport

If you are a federal employee – your CAC or PIV card

6 27/09/2012

Gemalto & DoD CAC

Proud to be the first qualified supplier of CAC to DoD in September 2001

Proud to have been able to supply over 15 million CACs to DoD over 11 years.

Presently deploying the 5th generation of CAC today: dual-interface, 128KB, Suite B crypto.

New enhanced CAC card body just approved: more durable, longer life expectancy, optimized RF performance.

6th generation CAC chip coming very soon…

SP 800-73-3, supporting elliptic curve and the latest CAC applet, etc.

7 UNCLASSIFIED: Gemalto Public 27/09/2012

Mobile Market growth

Mobile Market


[Chart: Worldwide Smartphones Market by OS (in thousands of units), 2011 to 2015, scale 0 to 1,400,000; series: Android, Symbian, iOS, RIM, Microsoft, BADA, Others]

WW Tablets Market: from ~70 million in 2011 growing to 300 million in 2015

Source: Gartner, 3Q2011

The Mobile use cases

Use case #1: Mobile “as a token”

Users want to use their mobile phones as the 2nd factor authentication device

The mobile phone is a personal token of choice: always associated to an individual and always with them.

Instead of dedicated HW devices (OTP tokens, Smart Cards)

Primary use case: Remote access through their laptop / desktop

Secondary use cases: Win Logon, Encryption, Signature, Physical Access

Use case #2: Mobile/Tablet “as a laptop”

Security solutions on these devices must be on par with security solutions on laptops & desktops

BYOD culture becoming prevalent

Users want to access corporate resources (regular mail, encrypted mail, online corporate services) through their smart phones and PADs …

… and they are doing so, whether CIOs/CSOs like it or not!

Corporations don’t want to constrain their users by imposing restrictive policies

Primary Use Cases: Email decryption, VPN access

Secondary Use Cases: Data at rest encryption, Digital signature, Device un/Lock, SSO


The Playing Field

It is a complex, immature environment. Diversity of:

Mobile OS platforms:

IOS, Android, Windows phone, RIM, Symbian …

Mobile OS versions

IOS v4, v5, …, Android Gingerbread, Honeycomb, IceCream, Windows Phone 7, 8, …, Bada (Samsung)

Phone vendors:

Windows Phone: Nokia, HTC, Samsung

Android: Samsung, LG, HTC, SonyEricsson, …

Options for storage of credentials (Secure Elements)

Each one requiring specific drivers for each Mobile platform

Middleware

Middleware will also be specific to each Mobile OS

Applications and application providers?

No standard Smart Card support to rely on. PKCS#11 seems the best option.

No Base CSP on Windows Phone 7.


What are the mobile technology options?

Mobile Platform Technology Solution options

Bluetooth reader

Software Certificates in Mobile device applications

SD Micro integration

USB Connected reader

NFC coupled

Trusted Security Module / Trusted Execution Environment

SIM or UICC embedded CAC/PIV applet

Combinations of options

Securing mobile services

“Replacing” CAC/PIV form factor too for logical access with handset?


Bluetooth

Bluetooth CAC reader


Working today in DoD

“cumbersome”, “battery life issues”, “only Blackberry”, “expensive”

Bluetooth & Handset Operating Systems

Blackberry OS – controlled by RIM™

Bluetooth CAC integration achieved with RIM™ collaboration in O/S

Blackberry Smart Card Reader

Apriva™ BT200 Bluetooth reader


Bluetooth CAC/PIV readers with other handsets? Like the Blackberry, it requires collaboration with every handset or tablet.

Connected Readers

Connected Reader – for secure services

Attach a simple reader via the 37-pin Apple™ port in USB mode, or to an Android™ via micro USB connector in USB mode

Uses existing CAC or PIV full form factor Smart Card

Requires O/S integration; email & browser support etc.

Low cost reader. No extra credentials needed

Physically cumbersome?


CAC with NFC Phone

CAC via NFC Phone – for secure services

With an NFC enabled smart phone the CAC could be connected and utilized in close proximity

Uses existing CAC or PIV full form factor Smart Card

Requires NFC integration; email & browser support etc.

No reader. No extra credentials needed

Physically easy and practical

Present PKI policy does not allow crypto services over contactless!


SD Micro

Solutions – SD Micro integration

Combine CAC/PIV chip on SD Micro device

No Mobile operator involvement (no SIM impact)

Handset middleware support required.

Not universally supported on all handsets (not on Apple™ platforms)

How to provision the CAC/PIV applet? On the SD Micro on a laptop, or OTA?

NFC can be provided in the SD Micro form factor too


Inside the Handset in a Trusted place?

Securing Mobile applications


Software to be executed must be secured (code and data such as cryptographic keys)

Principle: isolation in a secure environment

1. Use of Trusted Execution Environment (TEE)

2. Use of external component: Secure Element

User Interface must be secured

Sensitive information entry (e.g. password)

Transaction data to be validated (e.g. transaction amount)

Principle: Trusted User Interface via Trusted Execution Environment

4 Levels of Security

Software only:
• Application-based SW countermeasures @ Application
• OS Security Architecture @ Device Operating System

Hardware-enforced:
• Trusted Execution Environment (TEE), based on TrustZone for ARM-based processors @ Application Processor
• Within Secure Element (SE): Embedded SE, USIM, Micro-SD

Can be selected & combined for a secure multi-use case device.

Integration into Trusted Execution Environment


Secure Element (Removable or Embedded)
• Certified tamper-resistant
• For secure storage and processing of the most valuable and sensitive data

Trusted Execution Environment
• Protects input and output and transient processing of sensitive data
• Applicable to a broad array of new connected devices

Gemalto, ARM and Giesecke & Devrient are forming a joint venture to offer an open software-hardware security platform to provide a Trusted Execution Environment in connected devices

CAC in a SIM

Solutions – Mobile CAC/PIV in SIM – Physical Access & Remote services


Technical requirements

NFC SIM with CAC/PIV applet

Must support all Crypto requirements (ok)

SIM Must be FIPS 140-2 Certified (to do)

Sufficient space (ok)

Ability to provision CAC/PIV (e.g. Keys/Certs etc.) remotely from DEERS/RAPIDS via a secure link via Over The Air platforms and the mobile CAC/PIV.

Secure provisioning OTA protocol to be developed.

Ability to present CAC/PIV Physical Access credential via NFC.


Managing & Provisioning the CAC/PIV over-the-air

Need to provision the CAC/PIV applet over-the-air when embedded in UICC or Trusted Execution Environment

Secure connection from UICC to DEERS/RAPIDS via the mobile network with a provisioning protocol.

PKI keys can be generated in the UICC and the public key(s) sent to the CA, as is done today for certificate generation.

Management of devices needed (when the phone is lost or must be deactivated).


Mobile Operating Systems

Apple IOS – controlled tightly by Apple™

BAI™: baiMobile® 3000 Bluetooth Smart Card Reader & adaptor

Thursby™


Android OS - controlled by Open Handset Alliance – led by Google™.

Linux based Operating System

No core O/S support for smart cards to date beyond baseband SIM/UICC

NSA is reportedly working on a competing system called SE Android, or Security Enhanced Android.

Target is Classified Network usage.

Soft or hard credential?

Apriva made an announcement for future support of their Bluetooth device on Android platforms


Mobile-as-a-Laptop use case

Secure applications are out of the box on BlackBerry

Secure web portal, secure email, VPN, data encryption

3rd party applications required on other OS

Re-use existing PKI infrastructure

Based on Micro SD cards and NFC compliant badges

Same enrolment tools and PKI certificates for the CAC

[Diagram: handset connecting to Government Web portal, Secure eMail and Government network]

Status on Windows Phone 7 / Windows 8


Bricks available from Charismatic: PKCS#11 / CSP crypto layer

OS evolution: phase-out of Windows Mobile and Symbian OS from Nokia; deployment of Windows Phone by Nokia

No driver development possible on Phone 7

NFC will be supported in 2012

Promising first implementation of Windows 8 by ITG (ITG xpPhone)

Where is the mobile CAC going to reside? Secure Element options

Where to store the security credentials: embedded or detached?

Options shown: Software; MicroSD; UICC; TEE; eSE; Badge via NFC; Badge via mobile contact reader; Badge via Bluetooth

Categories: Embedded credentials; Semi-detached credentials; Detached credentials

Policy Issues

One credential, one digital ID: Physical Access & Logical Access on the CAC today.

Authentication, Digital Signature, Encryption certificates.

Policy issues if holding a CAC and then the need for integrated credentials on another device:

Issue two CAC credentials (CAC & Mobile CAC credential)?

Separate CAC credentials which can be linked together (backend).

Can co-exist, but the sender needs to select one or both credentials for encrypted email.

Can have two contactless credentials for Physical Access (CAC & mobile NFC).

Government PKI policy only on CAC/PIV today.

No crypto functions allowed on 14443 (13.56 MHz contactless interface); only permitted on the contact interface.

Secure remote provisioning issues: Mobile CAC/PIV via Over The Air to/from DEERS/RAPIDS or other provisioning systems.

FIPS 201 only specifies the PIV card today.

GSA APL only specifies the PIV card.

Graphical & electrical personalization & provisioning facilities: no remote services presently specified for electrical.


Standards Approach

Several options technically possible

Pros and Cons for each implementation

All require FIPS 140-2 & FIPS 201 certification

Handset Operating Systems integration is required

Apple IOS, Windows Mobile & Android only?

Phone platform validation can take time…

Full integrated implementation(s) would cover email/VPN/browser and NFC support.

Recommend a Standard be developed to define the functionality required, in line with comprehensive Policy.

Government & Industry collaboration.

Determine all stakeholders.

Create forum to develop Standard(s)


Implementation timelines

When will the market be ready for each Secure Element? (Gemalto estimation)

Legend

AV = A number of commercial solutions commercially available on major OS platforms

PoC = It is possible to implement limited scope pilots with specific mobile devices and applications

Secure Element readiness, 2011 to 2014:

Software on Mobile: AV
Contact badge + Bluetooth reader: AV
µSD card: PoC, then AV
UICC: PoC, then AV
Contactless badge over NFC: PoC, then AV
Trusted Execution Environment (TEE): PoC, then AV
Embedded Secure Element (ESE): PoC, then AV

Conclusion

There are several implementation options emerging which address a subset of the problem space.

Requirements must be defined.

Handsets; Operating Systems; Mobile Operators; Provisioning?

An implementation plan & ROI for each scenario would lead to the best investment approach.

Short, Medium and Long term plans?

Security Policy critical for technology selection and secure implementation.

Standard needed for implementation and interoperability

Must cover internal applications and provisioning protocols.


The Mobile Credential for Government

Gemalto recommends PIV/CAC in a SIM/UICC

Java Card based NFC UICC

PIV applet loaded as second application

Global Platform Lifecycle Management

Agnostic of Handset vendor

Agnostic of Handset operating system (and updates)

Regular UICC or NFC UICC

Secure provisioning of PIV end-to-end Over The Air

Requires collaboration with Verizon, AT&T, T-Mobile, Sprint etc.

Add PIV to NFC SIM


PIV/UICC Demos

Out of Band Web Authentication

Phone serves PIV authentication credential when accessing a web site on any computer/tablet/device.

Post Issuance updates Over the Air

NFC PIV Logon to windows with certificates

NFC PIV authentication to remote website

NFC PIV Signing an email with digital signature


Thank you.

Neville Pattinson

SVP Government Affairs, Gemalto, Inc.

[email protected]

Office 1 512 257 3982

Mobile 1 512 825 3082

Twitter @Neville_Gemalto