Mobile Devices in the DoD

Uploaded by sandwichclippers, category: Mobile – Wireless Technologies, 24 Nov 2013

Serving Those Who Serve Our Country

Michael P. Butler
DMDC Deputy Director for Identity Services and Personnel Security / Assurance
June 18, 2013

Mobile Devices in the DoD


Background

Challenges:
- DoD Component desire to improve usability of PKI on emerging mobile computing environments
- Dislike of smart card sleds and dongles (due to form factor challenges and bulkiness)

Activity:
- DMDC is working within the Department's identity management community to examine ways to improve the user experience by conducting several proofs of concept



Authentication on Mobile Devices (DoD's Thought Process)

- US Government employees must use Personal Identity Verification (PIV) smart cards for authentication
  - HSPD-12 and FIPS 201
  - Office of Management and Budget (OMB) Memorandum M-11-11
- Successful usage for Windows laptops and workstations
  - Strong authentication to Windows, applications and networks
  - Signing and encrypting emails / documents
- Mobile devices must meet the same use case as the desktop environment
- Use existing identity investment as much as possible

Authentication on Mobile Devices: Challenges

- Same needs as on our office computers
  - Sign, send, and encrypt email
  - Web authentication
- Hardware challenge:
  - Connecting the smartphone to a smart card (or similar strong credential)
- Software challenge:
  - Lack of native OS/device secure e-mail application
  - Lack of centralized cryptographic service to allow extension of PKI to other applications on the device
  - Lack of smart card middleware to connect smart card (or similar strong credential) to device applications
  - Standard secure encrypted channel for NFC and contactless

Why Pursue NFC with CAC?

- Just place the card on the back of the phone!
- Leverage the user's dual-interface card
  - No reader required, with differences based on mobile device
  - No new derived credential to procure and manage
- Works with majority of devices
  - Nine out of the top ten smartphone manufacturers have released Near Field Communication (NFC) enabled handsets
- Other business needs within DoD to enable secure contactless transactions with CAC
  - Transit
  - E-purse

Authentication on Mobile Devices: DMDC Proof of Concept 1

- Commercial Android OS mobile device (Ice Cream Sandwich)
- Enabled contactless access on CAC applets
- Prototype Secure Email app (DMDC developed)
- Custom interface to connect CAC to Secure e-mail app (DMDC developed)
- Demonstrated:
  - Signing/encrypting e-mail
  - Reading signed CHUID from card
- Lessons learned:
  - Timeout challenges with cards and device
    - Device side: NFC parameters are too short (had to recompile OS)
    - Card side: the implementation of FIPS 140 crypto self-checks takes too much time
  - Need to secure the communication channel between card and device via ANSI 504 OPACITY
  - Need standard PKCS#11 or Microsoft minidriver implemented on device
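Reading the signed CHUID over NFC, as an added example that is not code from the DMDC prototype: the parser below splits a PIV/CAC GET DATA response into the CHUID fields defined in NIST SP 800-73 and runs the checks a relying application should make before trusting the card. The sample response bytes are constructed, and verification of the CMS signature in the 0x3E field against the issuer chain is assumed to happen in a separate step.

```python
# Added example (not DMDC's prototype code): parse a PIV/CAC CHUID returned by
# GET DATA and run the sanity checks a relying app should make before trusting it.

# BER-TLV tags inside the CHUID container (NIST SP 800-73, CHUID data object)
TAGS = {0x30: "fasc_n", 0x32: "org_id", 0x33: "duns", 0x34: "guid",
        0x35: "expiration", 0x36: "cardholder_uuid", 0x3E: "signature", 0xFE: "edc"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER-TLV element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_chuid(resp):
    """Split a GET DATA response (outer tag 0x53) into named CHUID fields."""
    tag, body, end = read_tlv(resp, 0)
    if tag != 0x53 or end != len(resp):
        raise ValueError("not a well-formed 0x53 data object")
    fields, pos = {}, 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        fields[TAGS.get(tag, "tag_%02x" % tag)] = value
    return fields

def check_chuid(fields, today):
    """Return a list of problems; empty means the mandatory fields are present and
    the card is unexpired (today is 'YYYYMMDD'). The 0x3E CMS signature still has
    to be verified against the issuer chain; this function does not do that."""
    problems = [f"missing {name}" for name in ("fasc_n", "guid", "expiration", "signature")
                if name not in fields]
    if "fasc_n" in fields and len(fields["fasc_n"]) != 25:
        problems.append("FASC-N must be 25 bytes")
    exp = fields.get("expiration", b"").decode("ascii", "replace")
    if exp and not (len(exp) == 8 and exp.isdigit()):
        problems.append("expiration is not YYYYMMDD")
    elif exp and exp < today:              # YYYYMMDD strings compare chronologically
        problems.append(f"card expired {exp}")
    return problems

# Constructed sample response (not captured from a real card): the FASC-N and the
# 128-byte signature field are filler, sized so the long-form length path is exercised.
SAMPLE_RESPONSE = (bytes([0x53, 0x81, 0xBC])
    + bytes([0x30, 0x19]) + b"\xD4" * 25            # FASC-N
    + bytes([0x34, 0x10]) + bytes(range(16))         # GUID
    + bytes([0x35, 0x08]) + b"20261231"              # expiration date
    + bytes([0x3E, 0x81, 0x80]) + b"\x00" * 128      # issuer asymmetric signature (CMS)
    + bytes([0xFE, 0x00]))                           # error detection code (empty)

if __name__ == "__main__":
    print(check_chuid(parse_chuid(SAMPLE_RESPONSE), "20130618"))   # []
```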


NFC POC Architecture (diagram)

Android phone stack shown in the diagram: DMDC Mail and NFC applications; libraries/middleware: DMDC JCE On-Card Crypto API, CAC API, SpongyCastle* crypto services, JavaMail*; O/S and drivers: Android O/S, NFC comm. External elements: Certs./Mail Server, Email, CAC Information Test Card (non FIPS 140).
Color legend: CTL development, open source port, standard Android software. * Required modifications.
Authentication on Mobile Devices: DMDC Proof of Concept 2

- Commercial Android OS mobile device
  - DISA Mobility Lab managed devices with Good Technology products
  - DISA Mobility Lab test e-mail accounts
- Enable contactless access on CAC: prototype CAC 2.7.x applet structure
- 3rd party secure email app
- Prototype 3rd party mobile CAC middleware
- Test DoD PKI end-user certificates
- Target use case:
  - Sign/encrypt e-mail
  - Web authentication

DMDC's Vision

Smart card side:
- CAC implementing draft FIPS 140-3 sequences for cryptographic algorithm self-checks
- CAC enabled to support PKI function over contactless interfaces
- CAC containing secure contactless capabilities (i.e., ANSI 504 OPACITY ZKM implementation)
  - Information on the implementation/standard is posted on the Smart Card Alliance website at http://www.smartcardalliance.org/resources/pdf/OPACITY_Overview%203.8.pdf

Mobile device (hardware):
- Support for NFC
- Support for NFC implementing ISO 7816 PPS-like functions or improved timing

Mobile device (software):
- Out-of-the-box S/MIME enabled mail client
- Out-of-the-box PKI-enabled web browser
- Native OS certificate management store
- Native OS implementation of ANSI 504 OPACITY enabled PKCS #11 module or minidriver

Project Milestones: The Mobile-enabled CAC

- November 2012: POC Part 1 (complete)
- July/August 2013: POC Part 2
  - Enabling secure contactless access on CAC applets with OPACITY
  - CAC middleware for Android with OPACITY
  - Commercial application
  - Non-production credentials; 20 to 30 users
- 2014: Potential production pilot
  - Targeting FIPS 201-2 compliance
  - Production credentials

Authentication on Mobile Devices: List of Options DoD is Examining

Method                                 User Experience      FIPS 201 Compliance       Availability        Cost
Bluetooth Reader                       Poor                 Yes                       Today               $$$$
Connected Reader                       Poor to Reasonable   Yes                       Today               $$
Derived Credential in secure microSD   Good                 In process (FIPS 201-2)   Proof of concept    $$$
Derived Credential in UICC / SIM       Good                 In process (FIPS 201-2)   Concept             $$
Derived Credential in Embedded SE      Good                 In process (FIPS 201-2)   Concept             $$
Built-in NFC Reader                    Good / Reasonable    In process (FIPS 201-2)   Proof of concept    $

Take Away Messages

- It is possible to use contactless cards with NFC-enabled mobile devices
- It is possible to use a secure contactless interface compliant with US Government standards
- This represents one of several viable options to provide strong authentication services on mobile devices
- DMDC is working to make this NFC solution a reality in the US Department of Defense by building on a protocol solution (not a vendor solution)
- Extent to which the protocol can be adopted:
  - Transit
  - OPACITY (readers)