FIPS and Mobility (SP Derived PIV Credentials) Sal Francomacaro FIPS201/PIV Team NIST ITL Computer Security Division

Transcription

1 FIPS and Mobility (SP Derived PIV Credentials) Sal Francomacaro FIPS201/PIV Team NIST ITL Computer Security Division 2013 Smart Card Alliance Member Meeting Coral Gables, Florida, Dec. 8-10, 2013

2 Mobility: what is NIST doing? FIPS recognizes and directly supports new Mobility trends: Valid PIV Cards may be used as the basis for issuing derived PIV credentials in accordance with NIST Special Publication , Guidelines for Derived Personal Identity Verification (PIV) Credentials SP provides a guideline for Derived PIV Credentials. It will not preclude the use of different approaches (i.e. NFC) for the Mobile PIV ecosystem 2

3 Mobility: what is NIST doing? SP , Guidelines for Managing the Security of Mobile Devices in the Enterprise SP , DRAFT Guidelines on Hardware-Rooted Security in Mobile Devices Future development: SP , Guidelines for Testing Derived PIV Credentials 3

4 What are the use cases that NIST has used to develop SP ? To provide an alternative to the PIV Card for use in cases (mobile devices) in which it would be impractical to use the PIV Card To provide PIV-enabled authentication services for high-level applications on the mobile device to authenticate the credential holder to remote systems 4

5 A footnote: what is a Mobile Device? SP Rev 1 offers a list of characteristics: A small form factor At least one wireless network interface for network access Local built-in (non-removable) data storage An operating system that is not a full-fledged desktop or laptop operating system Applications available through multiple methods (provided with the mobile device, accessed through web browser, acquired and installed from third parties) 5

6 What is the intended purpose of the Derived PIV Credentials guideline? The Derived PIV Credential guideline provides for PIV-enabled authentication services for highlevel applications on the mobile device for remote authentication The guideline specifies the use of tokens with alternative form factors to the PIV card that may be inserted or used with mobile devices 6

7 What is a Derived PIV Credential? Derived PIV Credentials are based on the general concept of derived credential in SP (Electronic Authentication Guideline) Possession of a valid PIV card is the basis to issue Derived PIV Credential Identity proofing and vetting processes do not have to be repeated to issue a Derived PIV Credential 7

8 What is a Derived PIV Credential? The guideline specifies and supports both LOA-3 and LOA-4 Derived PIV Credentials The guideline doesn t preclude the issuance of multiple Derived PIV Credentials to the same Applicant on the basis of the same PIV Card A Derived PIV Credential is unaffected by loss, theft or damage to the Subscriber s PIV Card 8

9 Where can a Derived PIV Credential be stored? Derived credentials may be issued to a variety of cryptographic tokens available for use on mobile devices. These tokens may be either hardware or software implementations Federal PKI Policy Authority will issue fpki common policies for both LOA-3 and LOA-4 Derived PIV Credentials 9

10 Where can a Derived PIV Credential be stored? SD Memory card* USB token* UICC (next Gen SIM card) Embedded Hardware secure element Software token * With an embedded HW crypto controller 10

11 Is the UICC solution ready to go? Security certifications/validations Token Provisioning Lifecycle management US GOV Trusted Service Manager (TSM) SP-TSM (aka Issuer-TSM) Delegated management mode or Dual mode deployment Establishing strong collaborations with all the Telecom operators 11

12 Embedded HW secure element?? TSM never exploded Is the embedded SE case different? Has the SIM card lesson thought something about standard and interoperability? There are hundreds (and growing) devices with a short lifecycle: how to mitigate the burden on IT organization? 12

13 What level of FIPS 140 validation is required? FIPS 201 requirements apply to Derived PIV Credential containers in term of FIPS 140 validation But for different LoA, different levels of FIPS 140 validation will be required 13

14 When the Draft SP will be published for comments? "NIST is currently working with the Federal CIO council and the Office of Management and Budget to ensure that the technical recommendations for a Derived Credential is consistent with current federal policies. Once cleared by the CIO council and OMB NIST will release the Special Publication for public review and comment." 14

15 SP Editing team William Burr David Cooper Hildegard Ferraiolo (FIPS 201 coordinator) Salvatore Francomacaro Sarbari Gupta (Electrosoft) Jason Mohler (Electrosoft) Andrew Regenscheid 15

16 Thank you! Questions? Sal Francomacaro NIST ITL Computer Security Division