Mobile Devices in the DoD
Michael P. Butler
DMDC Deputy Director for Identity Services and Personnel Security / Assurance
June 18, 2013
Mar 29, 2015
Serving Those Who Serve Our Country
Background

Challenges:
• DoD Components want to improve the usability of PKI on emerging mobile computing environments
  – Dislike of smart card sleds and dongles (form factor and bulkiness)

Activity:
• DMDC is working within the Department's identity management community to examine ways to improve the user experience by conducting several proofs of concept
Authentication on Mobile Devices (DoD's Thought Process)

• US Government employees must use Personal Identity Verification (PIV) smart cards for authentication
  – HSPD-12 and FIPS 201
  – Office of Management and Budget (OMB) Memorandum M-11-11
• Successful usage on Windows laptops and workstations
  – Strong authentication to Windows, applications and networks
  – Signing and encrypting emails / documents
• Mobile devices must meet the same use cases as the desktop environment
• Use the existing identity investment as much as possible
Authentication on Mobile Devices: Challenges

• Same needs as on our office computers
  – Sign, send and encrypt email
  – Web authentication
• Hardware challenge: connecting the smartphone to a smart card (or similar strong credential)
• Software challenges:
  – Lack of a native OS/device secure e-mail application
  – Lack of a centralized cryptographic service to extend PKI to other applications on the device
  – Lack of smart card middleware to connect the smart card (or similar strong credential) to device applications
  – No standard secure encrypted channel for NFC and contactless
Why Pursue NFC with CAC?

• Just place the card on the back of the phone!
• Leverages the user's existing dual-interface card
• No reader required (with differences between mobile devices)
• No new derived credential to procure and manage
• Works with the majority of devices: nine of the top ten smartphone manufacturers have released Near Field Communication (NFC) enabled handsets
• Other DoD business needs for secure contactless transactions with the CAC:
  – Transit
  – E-purse
Authentication on Mobile Devices: DMDC Proof of Concept 1

• Commercial Android OS mobile device (Ice Cream Sandwich)
• Enabled contactless access on CAC applets
• Prototype secure email app (DMDC developed)
• Custom interface connecting the CAC to the secure e-mail app (DMDC developed)
• Demonstrated:
  – Signing and encrypting e-mail
  – Reading the signed CHUID from the card
• Lessons learned: timeout challenges between card and device
  – Device side: the Android NFC timeout parameters were too short for the card's response time (the OS had to be recompiled)
  – Card side: the implementation of the FIPS 140 cryptographic self-checks takes too much time
  – Need to secure the communication channel between card and device via ANSI 504 OPACITY
  – Need a standard PKCS#11 module or Microsoft minidriver implemented on the device
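The CHUID read that POC 1 demonstrated, shown as an added example that is not DMDC or DoD code: the SELECT / GET DATA / GET RESPONSE APDU exchange a phone sends the card over NFC, and the BER-TLV parsing of what comes back. The PIV application AID, the CHUID object tag and the CHUID field tags are the NIST SP 800-73 values; everything else (the `FakeContactlessCAC` stand-in, its status words, the sample field bytes and the zero-filled blob where a real card carries the CMS signature over the CHUID) is constructed so the example runs offline. On Android the same APDU bytes would go through `android.nfc.tech.IsoDep.transceive()`; a real reader would also verify the CHUID signature against the issuing DoD CA, which this example does not do.

```python
"""Read the signed CHUID from a CAC/PIV card over the contactless interface.
Added example, not DMDC/DoD code. Card transport is a constructed stand-in."""

PIV_AID = bytes.fromhex("A000000308000010000100")   # PIV card application AID (SP 800-73)
CHUID_TAG = bytes.fromhex("5FC102")                 # CHUID data object tag (SP 800-73)
SW_OK = b"\x90\x00"


def select_piv_apdu() -> bytes:
    """SELECT by AID: CLA 00, INS A4, P1 04, P2 00, Lc, AID, Le 00."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(PIV_AID)]) + PIV_AID + b"\x00"


def get_data_apdu(tag: bytes) -> bytes:
    """GET DATA: CLA 00, INS CB, P1 3F, P2 FF, data = 5C <len> <tag>, Le 00."""
    body = b"\x5C" + bytes([len(tag)]) + tag
    return bytes([0x00, 0xCB, 0x3F, 0xFF, len(body)]) + body + b"\x00"


def get_response_apdu(le: int) -> bytes:
    """GET RESPONSE (INS C0) used to drain a 61xx 'more data available' status."""
    return bytes([0x00, 0xC0, 0x00, 0x00, le])


def tlv(tag: int, value: bytes) -> bytes:
    """BER-TLV encode with a one-byte tag and short / 81 / 82 length forms."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + value


def read_length(buf: bytes, i: int):
    """Decode a BER length at buf[i]; return (length, index just after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def parse_tlv(buf: bytes) -> dict:
    """Parse a flat run of one-byte-tag BER-TLV elements into {tag: value}."""
    out, i = {}, 0
    while i < len(buf):
        tag = buf[i]
        length, i = read_length(buf, i + 1)
        out[tag] = buf[i:i + length]
        i += length
    return out


class FakeContactlessCAC:
    """Constructed stand-in for the contactless side of a dual-interface card.
    Answers SELECT and GET DATA(CHUID); like a real card it returns at most 256
    bytes per response and signals the rest with SW 61xx. contactless_pki=False
    models an applet not enabled for the contactless interface (SW 6982)."""

    def __init__(self, chuid_object: bytes, contactless_pki: bool = True):
        self._chuid, self._contactless_pki = chuid_object, contactless_pki
        self._selected, self._pending = False, b""
        self.apdus = []   # every APDU received, so the exchange can be inspected

    def transceive(self, apdu: bytes) -> bytes:
        self.apdus.append(apdu)
        ins, lc = apdu[1], apdu[4]
        if ins == 0xA4:
            self._selected = apdu[5:5 + lc] == PIV_AID
            return SW_OK if self._selected else b"\x6A\x82"      # file not found
        if ins == 0xCB:
            if not self._selected:
                return b"\x69\x85"                                # conditions not satisfied
            if not self._contactless_pki:
                return b"\x69\x82"                                # security status not satisfied
            if apdu[5:5 + lc] != b"\x5C\x03" + CHUID_TAG:
                return b"\x6A\x88"                                # referenced data not found
            self._pending = self._chuid
            return self._next_chunk()
        if ins == 0xC0:
            return self._next_chunk()
        return b"\x6D\x00"                                        # INS not supported

    def _next_chunk(self) -> bytes:
        chunk, self._pending = self._pending[:256], self._pending[256:]
        if not self._pending:
            return chunk + SW_OK
        left = len(self._pending)
        return chunk + b"\x61" + bytes([left if left < 256 else 0])   # 61 00 = 256 more


def read_chuid(card) -> dict:
    """Run the exchange against any object with transceive(); return the CHUID fields."""
    resp = card.transceive(select_piv_apdu())
    if resp[-2:] != SW_OK:
        raise RuntimeError("SELECT PIV failed, SW=" + resp[-2:].hex())
    resp, data = card.transceive(get_data_apdu(CHUID_TAG)), b""
    while True:
        data, sw1, sw2 = data + resp[:-2], resp[-2], resp[-1]
        if sw1 == 0x61:                                   # more bytes waiting on the card
            resp = card.transceive(get_response_apdu(sw2))
        elif (sw1, sw2) == (0x90, 0x00):
            break
        else:
            raise RuntimeError("GET DATA CHUID failed, SW=%02x%02x" % (sw1, sw2))
    if data[:1] != b"\x53":                               # discretionary data object wrapper
        raise ValueError("unexpected CHUID wrapper tag %02x" % data[0])
    length, start = read_length(data, 1)
    f = parse_tlv(data[start:start + length])
    return {"fasc_n": f.get(0x30), "guid": f.get(0x34), "expiration": f.get(0x35), "signature": f.get(0x3E)}


# Constructed CHUID: placeholder field values and a zero-filled blob in place of the
# real CMS SignedData the issuer puts in tag 3E. Not a real card image.
SAMPLE_CHUID = tlv(0x53, tlv(0x30, bytes(range(1, 26)))             # FASC-N, 25 bytes (placeholder)
                   + tlv(0x34, b"\x11" * 16)                         # GUID (placeholder)
                   + tlv(0x35, b"20251231")                          # expiration date, YYYYMMDD
                   + tlv(0x3E, b"\x30\x82\x01\x2C" + bytes(300))     # issuer signature (placeholder)
                   + tlv(0xFE, b""))                                 # error detection code (empty)

if __name__ == "__main__":
    card = FakeContactlessCAC(SAMPLE_CHUID)
    chuid = read_chuid(card)
    print("APDUs exchanged:", len(card.apdus), "expires:", chuid["expiration"].decode())
```

Because the sample CHUID is larger than 256 bytes, the card answers the GET DATA with SW 61 71 and the phone has to issue a GET RESPONSE for the remaining 113 bytes; each of those round trips is a separate radio exchange that must complete within the device's NFC timeout, which is where the slide's "NFC parameters are too short" lesson bites.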
Authentication on Mobile Devices: DMDC Proof of Concept 2

• Commercial Android OS mobile device
  – DISA Mobility Lab managed devices with Good Technology products
  – DISA Mobility Lab test e-mail accounts
• Enable contactless access on the CAC (prototype CAC 2.7.x applet structure)
• 3rd party secure email app
• Prototype 3rd party mobile CAC middleware
• Test DoD PKI end-user certificates
• Target use cases:
  – Sign/encrypt e-mail
  – Web authentication
DMDC's Vision

• Smart card side:
  – CAC implementing draft FIPS 140-3 sequences for cryptographic algorithm self-checks
  – CAC enabled to support PKI functions over the contactless interface
  – CAC containing secure contactless capabilities (i.e., an ANSI 504 OPACITY ZKM implementation)
  – Information on the implementation/standard is posted on the Smart Card Alliance website at http://www.smartcardalliance.org/resources/pdf/OPACITY_Overview%203.8.pdf
• Mobile device (hardware):
  – Support for NFC
  – NFC support implementing ISO 7816 PPS-like functions or improved timing
• Mobile device (software):
  – Out-of-the-box S/MIME enabled mail client
  – Out-of-the-box PKI enabled web browser
  – Native OS certificate management store
  – Native OS implementation of an ANSI 504 OPACITY enabled PKCS #11 module or minidriver
Project Milestones: The Mobile-enabled CAC

• November 2012: POC Part 1 complete
• July/August 2013: POC Part 2
  – Enabling secure contactless access on CAC applets with OPACITY
  – CAC middleware for Android with OPACITY
  – Commercial application
  – Non-production credentials; 20 to 30 users
• 2014: Potential production pilot
  – Targeting FIPS 201-2 compliance
  – Production credentials
Authentication on Mobile Devices: List of Options DoD is Examining

Method                               | User Experience    | FIPS 201 Compliance     | Availability     | Cost
-------------------------------------|--------------------|-------------------------|------------------|------
Bluetooth Reader                     | Poor               | Yes                     | Today            | $$$$
Connected Reader                     | Poor to Reasonable | Yes                     | Today            | $$
Derived Credential in secure microSD | Good               | In process (FIPS 201-2) | Proof of concept | $$$
Derived Credential in UICC / SIM     | Good               | In process (FIPS 201-2) | Concept          | $$
Derived Credential in Embedded SE    | Good               | In process (FIPS 201-2) | Concept          | $$
Built-in NFC Reader                  | Good / Reasonable  | In process (FIPS 201-2) | Proof of concept | $
Take Away Messages

• It is possible to use contactless cards with NFC-enabled mobile devices
• It is possible to use a secure contactless interface compliant with US Government standards
• This represents one of several viable options for providing strong authentication services on mobile devices
• DMDC is working to make this NFC solution a reality in the US Department of Defense by building on a protocol solution (not a vendor solution)
• Extent to which the protocol can be adopted:
  – Transit
  – OPACITY (readers)