Mobile Devices in the DoD

Michael P. Butler
DMDC Deputy Director for Identity Services and Personnel Security / Assurance
June 18, 2013

Serving Those Who Serve Our Country

Mar 29, 2015

Erica Flory


Background

Challenges:
• DoD Component - desire to improve usability of PKI on emerging mobile computing environments
– Dislike of smart card sleds and dongles (due to form factor challenges and bulkiness)

Activity:
• DMDC is working within the Department's identity management community to examine ways to improve the user experience by conducting several proof of concepts


Authentication on Mobile Devices (DoD's Thought Process)

• US Government employees must use Personal Identity Verification (PIV) smart cards for authentication
– HSPD-12 and FIPS 201
– Office of Management and Budget (OMB) Memorandum M-11-11
• Successful usage for Windows laptops and workstations
– Strong Authentication to Windows, applications and networks
– Signing and encrypting emails / documents
• Mobile Devices must meet the same use case as desktop environment
• Use existing identity investment as much as possible


Authentication on Mobile Devices: Challenges

• Same needs as on our office computers
– Sign, send, and encrypt email
– Web authentication
• Hardware challenge: Connecting the smartphone to a smart card (or similar strong credential)
• Software challenge:
– Lack of native OS/device secure e-mail application
– Lack of centralized cryptographic service to allow extension of PKI to other applications on the device
– Lack of smart card middleware to connect smart card (or similar strong credential) to device applications
– Standard secure encrypted channel for NFC and contactless


Why Pursue NFC with CAC?

• Just place the card on the back of the phone!
• Leverage the user's dual-interface card
• No reader required, with differences based on mobile device
• No new derived credential to procure and manage
• Works with majority of devices
– Nine out of the top ten smartphone manufacturers have released Near Field Communications (NFC) enabled handsets
• Other business needs within DoD to enable secure contactless transactions with CAC
– Transit
– E-purse


Authentication on Mobile Devices: DMDC Proof of Concept 1

• Commercial Android OS mobile device (Ice Cream Sandwich)
• Enabled contactless access on CAC applets
• Prototype Secure Email app (DMDC developed)
• Custom interface to connect CAC to Secure e-mail app (DMDC developed)
• Demonstrated:
– Sign/encrypting e-mail
– Reading signed CHUID from card
• Lesson learned: Timeout challenges with cards and device
– Device side—NFC parameters are too short (had to recompile OS)
– Card side—the implementation of FIPS 140 crypto self-checks takes too much time.
• Need to secure the communication channel between card and device via ANSI 504 Opacity
• Need standard PKCS#11 or Microsoft mini driver implemented on device

[Embedded video: Decrypt and Verify.avi]
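Proof of Concept 1 above lists "Reading signed CHUID from card" as a demonstrated step. The Python below is an added example, not DMDC's code and not tied to any NFC stack or middleware: it parses a Card Holder Unique Identifier data object as NIST SP 800-73 lays it out (tag 0x53 wrapping FASC-N, GUID, expiration date, issuer asymmetric signature and error detection code), checks that the mandatory elements are present and the credential is unexpired, and reports whether the issuer signature element exists. The sample bytes are constructed placeholders; the CMS signature verification a real reader must perform before trusting the CHUID is outside the example.

```python
"""Parse and sanity-check a PIV/CAC Card Holder Unique Identifier (CHUID).

Added example (not DMDC code). Layout follows NIST SP 800-73: a GET DATA
response returns tag 0x53 wrapping BER-TLV elements 0x30 FASC-N, 0x34 GUID,
0x35 expiration date (YYYYMMDD), 0x3E issuer asymmetric signature (CMS
SignedData) and 0xFE error detection code. All byte values below are
constructed for the example and come from no real card.
"""
from datetime import date, datetime

# CHUID element tags (NIST SP 800-73, Appendix A)
TAG_DATA_OBJECT = 0x53
TAG_FASC_N = 0x30
TAG_GUID = 0x34
TAG_EXPIRATION = 0x35
TAG_ISSUER_SIGNATURE = 0x3E
TAG_ERROR_DETECTION = 0xFE


def _read_length(buf, pos):
    """Decode a BER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:                       # short form
        return first, pos + 1
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad BER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def parse_tlv(buf):
    """Flat BER-TLV parse with single-byte tags; returns [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(buf):
        tag = buf[pos]
        length, pos = _read_length(buf, pos + 1)
        if pos + length > len(buf):
            raise ValueError("TLV value runs past end of buffer")
        out.append((tag, bytes(buf[pos:pos + length])))
        pos += length
    return out


def parse_chuid(response, as_of=None):
    """Return CHUID fields plus the structural checks a reader should make.

    `response` is the raw GET DATA body. `as_of` is an ISO date string used
    for the expiry check (defaults to today). The issuer signature is only
    reported as present or absent: trusting the CHUID still requires
    verifying that CMS signature against the issuer certificate chain,
    which needs a CMS library and is outside this example.
    """
    outer = parse_tlv(response)
    if len(outer) != 1 or outer[0][0] != TAG_DATA_OBJECT:
        raise ValueError("expected exactly one 0x53 data object")
    fields = dict(parse_tlv(outer[0][1]))
    for tag in (TAG_FASC_N, TAG_GUID, TAG_EXPIRATION):
        if tag not in fields:
            raise ValueError("CHUID missing mandatory element 0x%02X" % tag)
    expiration = datetime.strptime(
        fields[TAG_EXPIRATION].decode("ascii"), "%Y%m%d").date()
    today = date.fromisoformat(as_of) if as_of else date.today()
    return {
        "fasc_n": fields[TAG_FASC_N].hex(),
        "guid": fields[TAG_GUID].hex(),
        "expiration": expiration.isoformat(),
        "expired": expiration < today,
        "has_issuer_signature": len(fields.get(TAG_ISSUER_SIGNATURE, b"")) > 0,
    }


def _tlv(tag, value):
    """Encode one BER-TLV element; used only to build the constructed sample."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


# Constructed sample (placeholder bytes, not a real credential): 25-byte
# FASC-N, 16-byte GUID, expiry 2016-06-30, a 200-byte dummy blob standing in
# for the CMS signature, and an empty error detection code.
SAMPLE_CHUID = _tlv(TAG_DATA_OBJECT,
                    _tlv(TAG_FASC_N, bytes(range(1, 26)))
                    + _tlv(TAG_GUID, b"\x11" * 16)
                    + _tlv(TAG_EXPIRATION, b"20160630")
                    + _tlv(TAG_ISSUER_SIGNATURE, b"\x30" * 200)
                    + _tlv(TAG_ERROR_DETECTION, b""))

if __name__ == "__main__":
    print(parse_chuid(SAMPLE_CHUID, as_of="2013-06-18"))
```

On a real card the response bytes come from a GET DATA command to the PIV application; over the contactless interface the same command is carried by the NFC layer, and because the issuer signature makes the CHUID one of the longer objects on the card, it is exactly the kind of exchange that surfaces the timeout problems the slide records.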


Authentication on Mobile Devices: DMDC Proof of Concept 2

• Commercial Android OS mobile device
– DISA Mobility Lab managed devices with Good Technology products
– DISA Mobility Lab test e-mail accounts
• Enable contactless access on CAC
– Prototype CAC 2.7.x applet structure
• 3rd party secure email app
• Prototype 3rd party mobile CAC middleware
• Test DoD PKI end-user certificates
• Target Use Case:
– Sign/encrypt e-mail
– Web Authentication


DMDC's Vision

• Smart Card Side:
– CAC implementing draft FIPS 140-3 sequences for cryptographic algorithm self-checks
– CAC enabled to support PKI function over contactless interfaces
– CAC containing secure contactless capabilities (i.e., ANSI 504 OPACITY ZKM implementation)
– Information on implementation/standard is posted on Smart Card Alliance website at http://www.smartcardalliance.org/resources/pdf/OPACITY_Overview%203.8.pdf
• Mobile Device (hardware):
– Support for NFC
– Support for NFC implementing ISO 7816 PPS-like functions or improved timing
• Mobile Device (software):
– Out of the box S/MIME enabled mail client
– Out of the box PKI enabled web browser
– Native OS certificate management store
– Native OS implementation of ANSI 504 OPACITY enabled PKCS #11 module or mini driver


Project Milestones: The Mobile-enabled CAC

• November 2012: POC Part 1—Complete
• July/August 2013: POC Part 2
– Enabling secure contactless access on CAC applets with OPACITY
– CAC Middleware for Android with OPACITY
– Commercial Application
– Non production credentials; 20 to 30 users
• 2014: Potential Production Pilot
– Targeting FIPS 201-2 Compliance
– Production credentials


Authentication on Mobile Devices: List of Options DoD is Examining

Method                               | User Experience    | FIPS 201 Compliance     | Availability     | Cost
Bluetooth Reader                     | Poor               | Yes                     | Today            | $$$$
Connected Reader                     | Poor to Reasonable | Yes                     | Today            | $$
Derived Credential in secure microSD | Good               | In process (FIPS 201-2) | Proof of concept | $$$
Derived Credential in UICC / SIM     | Good               | In process (FIPS 201-2) | Concept          | $$
Derived Credential in Embedded SE    | Good               | In process (FIPS 201-2) | Concept          | $$
Built-in NFC Reader                  | Good / Reasonable  | In process (FIPS 201-2) | Proof of Concept | $


Take Away Messages

• It is possible to use contactless cards with NFC-enabled mobile devices

• It is possible to use a secure contactless interface compliant with US Government standards

• This represents one of several viable options to provide strong authentication services on mobile devices

• DMDC is working to make this NFC solution a reality in the US Department of Defense by building on a protocol solution (not a vendor solution)

• Extent of how protocol can be adopted
– Transit
– Opacity (readers)