08 December, 2011
Numerous challenges to porting ID to handsets
Zack Martin, Editor, Avisian Publications
U.S. government smart card officials want some way to either use the PIV on mobile devices or have the mobile itself be used as the credential. If there was one item missing from the first draft of FIPS 201-2 it was that, officials have bemoaned.
The computer scientists at the National Institute of Standards and Technology have listened and are trying to come up with a solution that would enable PIV on smart phones and tablets, says Bill MacGregor, a computer scientist at NIST working on the new FIPS 201 standard. MacGregor gave an update of the efforts to enable the PIV working on mobile devices at the Smart Card Alliance’s Smart Cards in Government conference in November and the December Interagency Advisory Board meeting.
With the emergence of mobile devices and cloud computing making sure these devices are properly secured is paramount, MacGregor says. Tablets and smart phones will be used more frequently to access cloud-based computing. This problem only portends to increase as smart phones and cloud computing become more common.
“A mobile device without authentication isn’t worth much,” MacGregor says. “If you have a mobile device without authentication how can you give someone access?”
There are three options for enabling the PIV on a smart phone or tablet, MacGregor says. One is additional hardware that would connect the smart card to the mobile device, another is an enhanced PIV that would fully enable all functionality of the contactless interface of the credential and last is use of a mobile device manager and a derived credential.
Contact smart card readers that use Bluetooth, WiFi or a cord to securely connect the PIV credentials to mobile devices already exist, MacGregor says. This option isn’t the most attractive because of the cost of the hardware and the form factor. “From a usability point of view it’s awkward and not realistic,” he adds.
The other two options seem to be more realistic but would require policy and technology changes. The phone could be used as a credential if the contactless interface of the PIV was fully enabled, MacGregor says. The first FIPS 201 version limited the amount of information that was available from the contactless portion of the card.
Near field communication devices could then read the PIV and authenticate to networks, sign and read email, and complete other tasks. To do this the process for creating a secure channel between the mobile and the credential would have to be created. “It’s easy to do technically but hard for the key management,” he says.
Since any NFC device would be able to read any PIV there would have to be a secure key placed on the mobile to make sure the credential is only being read by the properly authorized device. It would be a way to authorize the device to the credential.
Secure keys would have to be issued to the mobile devices, MacGregor says. This could be as simple as a pairing PIN that could be entered into the mobile to authorize pairing. “This doesn’t require too much more functionality,” he adds.
The other option is a derived credential and mobile device manager, MacGregor says. This option has the PIV presented to a mobile device manager which then assigns the credential to a device. The credentials would be placed on a secure element within the mobile.
Only a portion of the PIV functionality would be available with the derived credential and it’s possible that different derived credentials could be issued depending on the level of assurance necessary, MacGregor says.
“The chief negative of this approach is it’s more complex,” MacGregor says. “It needs interaction with a mobile device manager.”
Enhanced PIV and derived credentials are the focus of NIST’s efforts on enabling the PIV with smart phones, MacGregor says. Derived credentials are also mentioned in NIST’s soon to be released Special Publication 800-63-1 which focuses on electronic authentication.
The mention of derived credentials is in a generic form and not specific to PIV, says Hildegard Ferraiolo, a computer scientist at NIST. If derived credentials were to be included with PIV it would be included in the next draft of FIPS 201-2.
The next draft is expected in the first quarter of 2012 or early the second quarter.