Interagency Advisory Board Meeting Agenda, Wednesday, September 26, 2012
1. Opening Remarks
2. Enabling the Mobile Government Workforce with PIV Credentials in a BYOD Future (Neville Pattinson, Gemalto)
3. Enabling PIV and Federated Access and Privileges within Cloud Services (Ken Ammon, CSO, Xceedium)
4. Demonstration of Means to Provision PIV to Various Relying Party Systems (Joe Broghamer, DHS)
5. Identity Management Reassembled (Jeff Nigriny, Certipath)
6. Closing Remarks
Enabling the Mobile CAC/PIV workforce
Neville Pattinson
SVP Government Affairs, September 2012
Unclassified
Gemalto – Vital statistics
$2.6B in revenue in 2011 (Euronext: GTO.PA)
10,000 employees
90 Countries
Produce 1.5B digital credentials each year
Involved in hundreds of secure-document solutions
North American HQ in Austin, TX
Gemalto The Leader in Digital Security
It is most likely that you have one or more of our products in your possession right now:
The SIM card in your mobile phone
The bank cards in your wallet or purse (Mag stripe or chip based)
Your US Passport
If you are a federal employee – your CAC or PIV card
6 27/09/2012
Gemalto & DoD CAC
Proud to be the first qualified supplier of CAC to DoD, in September 2001
Proud to have supplied over 15 million CACs to DoD over 11 years
Presently deploying the 5th generation of CAC
Dual-interface, 128KB, Suite B crypto
New enhanced CAC card body just approved
More durable, longer life expectancy, optimized RF performance
6th generation CAC chip coming very soon…
SP 800-73-3, supporting elliptic curve and the latest CAC applet, etc.
Mobile Market
[Chart: Worldwide smartphone market by OS, 2011–2015, in thousands of units (0 to 1,400,000); series: Android, Symbian, iOS, RIM, Microsoft, Bada, Others]
Worldwide tablet market: from ~70 million units in 2011, growing to 300 million in 2015
Source: Gartner, 3Q2011
Use case #1: Mobile “as a token”
Users want to use their mobile phones as the second-factor authentication device
The mobile phone is the personal token of choice: always associated with an individual and always with them
Instead of dedicated hardware devices (OTP tokens, smart cards)
Primary use case: remote access through their laptop / desktop
Secondary use cases: Windows logon, encryption, signature, physical access
Use case #2: Mobile/Tablet “as a laptop”
Security solutions on these devices must be on par with security solutions on laptops & desktops
BYOD culture becoming prevalent
Users want to access corporate resources (regular mail, encrypted mail, online corporate services) through their smartphones and pads…
… and they are doing so, whether CIOs/CSOs like it or not!
Corporations don’t want to constrain their users by imposing restrictive policies
Primary use cases: email decryption, VPN access
Secondary use cases: data-at-rest encryption, digital signature, device lock/unlock, SSO
The Playing Field
It is a complex, immature environment, with diversity of:
Mobile OS platforms:
iOS, Android, Windows Phone, RIM, Symbian …
Mobile OS versions:
iOS v4, v5, …; Android Gingerbread, Honeycomb, Ice Cream Sandwich; Windows Phone 7, 8, …; Bada (Samsung)
Phone vendors:
Windows Phone: Nokia, HTC, Samsung
Android: Samsung, LG, HTC, Sony Ericsson, …
Options for storage of credentials (secure elements)
Each one requires specific drivers for each mobile platform
Middleware
Middleware will also be specific to each mobile OS
Applications and application providers?
No standard smart card support to rely on; PKCS#11 seems the best option
No Base CSP on Windows Phone 7
Mobile Platform Technology Solution options
Bluetooth reader
Software Certificates in Mobile device applications
SD Micro integration
USB Connected reader
NFC coupled
Trusted Security Module / Trusted Execution Environment
SIM or UICC embedded CAC/PIV applet
Combinations of options
Securing mobile services
“Replacing” the CAC/PIV form factor for logical access with the handset?
Bluetooth CAC reader
Working today in DoD
“cumbersome”, “battery life issues”, “only Blackberry”, “expensive”
Bluetooth & Handset Operating Systems
Blackberry OS – controlled by RIM™
Bluetooth CAC integration achieved through RIM™ collaboration in the O/S
Blackberry Smart Card Reader
Apriva™ BT200 Bluetooth reader
Bluetooth CAC/PIV readers with other handsets? As with the BlackBerry, this requires collaboration with every handset or tablet platform
Connected Reader – for secure services
Attach a simple reader via the 30-pin Apple™ port in USB mode, or to an Android™ device via the micro-USB connector in USB mode
Uses the existing CAC or PIV full-form-factor smart card
Requires O/S integration; email & browser support, etc.
Low-cost reader; no extra credentials needed
Physically cumbersome?
CAC via NFC Phone – for secure services
With an NFC-enabled smartphone the CAC could be connected and used in close proximity
Uses the existing CAC or PIV full-form-factor smart card
Requires NFC integration; email & browser support, etc.
No reader; no extra credentials needed
Physically easy and practical
Present PKI policy does not allow crypto services over the contactless interface!
Solutions – SD Micro integration
Combine the CAC/PIV chip with a micro SD device
No mobile operator involvement (no SIM impact)
Handset middleware support required
Not universally supported on all handsets (not on Apple™ platforms)
How to provision the CAC/PIV applet? Onto the micro SD via a laptop, or OTA?
NFC can be provided in the micro SD form factor too
Securing Mobile applications
Software to be executed must be secured (code, and data such as cryptographic keys)
Principle: isolation in a secure environment
1. Use of a Trusted Execution Environment (TEE)
2. Use of an external component: Secure Element
The user interface must be secured
Sensitive information entry (e.g. password)
Transaction data to be validated (e.g. transaction amount)
Principle: Trusted User Interface via the Trusted Execution Environment
4 Levels of Security
Software only:
• Application-based SW countermeasures @ Application
• OS security architecture @ Device Operating System
Hardware-enforced:
• Trusted Execution Environment (TEE), based on TrustZone for ARM-based processors @ Application Processor
• Within a Secure Element (SE): embedded SE, USIM or Micro-SD
The levels can be selected and combined for a secure multi-use-case device
TEE (Trusted Execution Environment)
TEE is a security mechanism based on ARM processors’ TrustZone
It is a second, secure OS that provides services to the applications and to the main OS
It is specified by GlobalPlatform: see white paper and roadmap
Trusted Logic is a leading provider of TEE with its Trusted Foundation product
Can also protect the user interface, such as PIN entry
Integration into Trusted Execution Environment
Secure Element (removable or embedded)
• Certified tamper-resistant
• For secure storage and processing of the most valuable and sensitive data
Trusted Execution Environment
• Protects input and output and transient processing of sensitive data
• Applicable to a broad array of new connected devices
Gemalto, ARM and Giesecke & Devrient are forming a joint venture to offer an open software-hardware security platform providing a Trusted Execution Environment in connected devices
Solutions – Mobile CAC/PIV in SIM – Physical Access & Remote services
Technical requirements
NFC SIM with CAC/PIV applet
Must support all Crypto requirements (ok)
SIM Must be FIPS 140-2 Certified (to do)
Sufficient space (ok)
Ability to provision the CAC/PIV (e.g. keys, certificates, etc.) remotely from DEERS/RAPIDS to the mobile CAC/PIV over a secure link via Over-The-Air platforms
Secure provisioning OTA protocol to be developed.
Ability to present CAC/PIV Physical Access credential via NFC.
Managing & Provisioning the CAC/PIV over-the-air
Need to provision the CAC/PIV applet over-the-air when embedded in the UICC or Trusted Execution Environment
Secure connection from the UICC to DEERS/RAPIDS via the mobile network, with a provisioning protocol
PKI keys can be generated in the UICC and the public key(s) sent to the CA, as is done today for certificate generation
Management of devices needed (when a phone is lost or must be deactivated)
Apple iOS – controlled tightly by Apple™
BAI™: baiMobile® 3000 Bluetooth Smart Card Reader & adaptor
Thursby™
Android OS - controlled by Open Handset Alliance – led by Google™.
Linux based Operating System
No core O/S support for smart cards to date beyond the baseband SIM/UICC
NSA is reportedly working on a competing system called SE Android, or Security Enhanced Android
Target is classified-network usage
Soft or hard credential?
Apriva has announced future support of their Bluetooth device on Android platforms
Mobile-as-a-Laptop use case
Secure applications are available out of the box on BlackBerry
Secure web portal, secure email, VPN, data encryption
3rd-party applications required on other OSs
Reuse existing PKI infrastructure
Based on micro SD cards and NFC-compliant badges
Same enrolment tools and PKI certificates as for the CAC
[Diagram: mobile device reaching the government web portal, secure e-mail and the government network]
Status on Windows Phone 7 / Windows 8
Bricks available from Charismatic: PKCS#11 / CSP crypto layer
OS evolution: phase-out of Windows Mobile and Symbian OS from Nokia
Deployment of Windows Phone by Nokia
No driver development possible on Phone 7
NFC will be supported in 2012
Promising first implementation of Windows 8 by ITG (ITG xpPhone)
Where to store the security credentials: embedded or detached?
Embedded credentials: software, MicroSD, UICC, TEE, eSE
Semi-detached credentials: badge via Bluetooth reader
Detached credentials: badge via NFC, badge via mobile contact reader
Policy issues
One credential – one digital ID. Physical access & Logical Access – CAC today.
Authentication, digital signature and encryption certificates
Policy issues if holding a CAC and then needing integrated credentials on another device
Issue two CAC credentials (CAC & mobile CAC credential)?
Separate CAC credentials which can be linked together (back end)
Can co-exist, but the sender needs to select one or both credentials for encrypted email
Can have two contactless credentials for physical access (CAC & mobile NFC)
Government PKI policy covers only the CAC/PIV card today
No crypto functions allowed over ISO/IEC 14443 (the 13.56 MHz contactless interface); only permitted on the contact interface
Secure remote provisioning issues: mobile CAC/PIV via Over The Air to/from DEERS/RAPIDS or other provisioning systems
FIPS 201 only specifies the PIV card today
GSA APL only lists the PIV card
Graphical & electrical personalization & provisioning facilities:
No remote services presently specified for electrical personalization
Standards Approach
Several options technically possible
Pros and Cons for each implementation
All require FIPS 140-2 & FIPS 201 certification
Handset Operating Systems integration is required
Apple iOS, Windows Mobile & Android only?
Phone platform validation can take time…
Fully integrated implementation(s) would cover email/VPN/browser and NFC support
Recommend a standard be developed to define the functionality required, in line with comprehensive policy
Government & industry collaboration
Determine all stakeholders
Create a forum to develop the standard(s)
When will the market be ready for each secure element? (Gemalto estimate)
Legend
AV = a number of commercial solutions available on major OS platforms
PoC = limited-scope pilots can be implemented with specific mobile devices and applications
Estimated status by secure element over 2011–2014:
Software on mobile: AV
Contact badge + Bluetooth reader: AV
µSD card: PoC, then AV
UICC: PoC, then AV
Contactless badge over NFC: PoC, then AV
Trusted Execution Environment (TEE): PoC, then AV
Embedded Secure Element (eSE): PoC, then AV
Conclusion
There are several implementation options emerging which address a subset of the problem space
Requirements must be defined
Handsets; operating systems; mobile operators; provisioning?
An implementation plan & ROI for each scenario would lead to the best investment approach
Short-, medium- and long-term plans?
Security policy is critical for technology selection and secure implementation
Standard needed for implementation and interoperability
Must cover internal applications and provisioning protocols
The Mobile Credential for Government
Gemalto recommends PIV/CAC in a SIM/UICC
Java Card based NFC UICC
PIV applet loaded as second application
Global Platform Lifecycle Management
Agnostic of Handset vendor
Agnostic of Handset operating system (and updates)
Regular UICC or NFC UICC
Secure provisioning of PIV end-to-end over the air
Requires collaboration with Verizon, AT&T, T-Mobile, Sprint, etc.
Add PIV to the NFC SIM
PIV/UICC Demos
Out of Band Web Authentication
Phone serves the PIV authentication credential when accessing a web site on any computer/tablet/device
Post Issuance updates Over the Air
NFC PIV Logon to windows with certificates
NFC PIV authentication to remote website
NFC PIV Signing an email with digital signature
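Two steps the deck only names, the applet-side key generation with only the public key sent to the CA (slide “Managing & Provisioning the CAC/PIV over-the-air”) and the out-of-band web login in which the phone answers a site’s challenge with the PIV authentication key (the first demo above), put together in Go as an added example. This is editor-written code, not Gemalto’s and not the demo shown at the meeting. It stands in for the UICC applet, the DEERS/RAPIDS-side CA and the relying-party web site with Go standard-library ECDSA/X.509 calls; P-256 is chosen because the deck cites Suite B; the subject name, serial numbers and 24-hour validity are placeholders; the OTA secure channel, the FIPS 140-2 boundary and revocation of a lost phone’s credential are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewKey generates a Suite B P-256 key pair; on the device this runs inside the UICC applet and the key never leaves it.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// CSR is what leaves the applet at provisioning time: the public key plus a proof of possession.
func CSR(key *ecdsa.PrivateKey, cn string) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
}

// Sign answers a relying party's challenge with the PIV authentication key.
func Sign(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// issue gives tmpl a 24h validity window, signs it with priv and parses the result.
func issue(tmpl, parent *x509.Certificate, pub interface{}, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// NewCA returns the key and self-signed root of a CA standing in for the provisioning back end (hypothetical).
func NewCA() (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := NewKey()
	check(err)
	root := &x509.Certificate{ // fixed serials suit a demo; a real CA uses random ones
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Mobile PIV CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := issue(root, root, &key.PublicKey, key)
	check(err)
	return key, cert
}

// Issue is the CA side: it checks the CSR's own signature (proof the applet holds the private key) and returns a client-auth certificate chained to caCert.
func Issue(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature()
	}
	if err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return issue(leaf, caCert, csr.PublicKey, caKey)
}

// Verify is the relying party's check: chain to a trusted root, then signature over this session's challenge.
func Verify(roots *x509.CertPool, cert *x509.Certificate, challenge, sig []byte) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig)
}

// Demo provisions one applet, then runs two web logins: a fresh challenge (must pass) and the same signature replayed against a new challenge (must fail).
func Demo() (freshOK, replayOK bool) {
	caKey, caCert := NewCA()
	key, err := NewKey() // generated inside the applet
	check(err)
	csr, err := CSR(key, "jane.doe@example.gov") // hypothetical subject; only this leaves the UICC
	check(err)
	cert, err := Issue(caKey, caCert, csr) // returned over the air and stored in the applet
	check(err)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	c1, c2 := make([]byte, 32), make([]byte, 32) // per-session nonces issued by the web site
	rand.Read(c1)
	rand.Read(c2)
	sig, err := Sign(key, c1) // the phone answers c1 out of band
	check(err)
	return Verify(roots, cert, c1, sig) == nil, Verify(roots, cert, c2, sig) == nil
}

func main() { fmt.Println(Demo()) }
```

Run with `go run`; it prints `true false`: the fresh challenge verifies and the replayed signature does not. The relying-party check does the two things the policy slides care about: it chains the presented certificate to the agency root, so a certificate minted by anyone else is refused, and it binds the signature to the nonce it just issued, so a captured signature cannot be replayed. On the CA side, `csr.CheckSignature()` is the proof-of-possession check: it confirms the request was signed by the key whose public half it carries, which is what lets the private key stay inside the UICC throughout.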
Thank you.
Neville Pattinson
SVP Government Affairs, Gemalto, Inc.
Office 1 512 257 3982
Mobile 1 512 825 3082
Twitter @Neville_Gemalto