NFC Identity and Access Control

Transcription

1 NFC Identity and Access Control Peter Cattaneo Vice President, Business Development

2 Agenda Basics NFC User Interactions Architecture (F)ICAM Physical Access Logical Access Future Evolution 2 NFC Identity and Access Control

3 Basics NFC Radio Capabilities - Very Short Range - Typically requires touch or tap - Shows user intent - Compatible with Contactless Smart Cards (ISO 14443) Works both ways: - Use credentials from a smart card on-device e.g. sign an with a key on your smart badge - Emulate a smart card e.g. use you phone instead of a badge at the door 3 NFC Identity and Access Control

4 Basics Secure Elements - Single Wire Protocol (SWP) connects some SEs to the NFC radio - NFC Interface can power SE over SWP; No Battery Required - SE s without SWP connections can interact over NFC via apps - Multiple Secure Element Options - SWP: - SIM / UICC - Embedded NFC SE - microsd card (emerging new standard) - Non SWP: - Internal - Trusted Platform Module (TPM) - Trusted Execution Environment (TEE) - External - Contact card reader - Bluetooth reader/device - Cloud (HCE) 4 NFC Identity and Access Control

5 Smart Card vs Mobile Device Secure Element User Interface Communications Channel Additional Sensors 5 NFC Identity and Access Control

6 Smart Card vs Mobile Device PIV card Dual Interface Smart card One secure element Contactless interface ISO Contact interface External ISO 7816 NFC Device Multiple secure elements Contactless interface NFC (incl ISO 14443) Contact interface Internal only Communications Bluetooth, 3G, 4G, SMS, WiFi Screen, keyboard Camera, microphone GPS Fingerprint Sensor Lots more 6 NFC Identity and Access Control

7 NFC User Interactions 1. Desktop Computer Application 2. Physical Access - Opening a Door 3. Mobile Device App 4. Logical Remote Access from Mobile Device 7 NFC Identity and Access Control

8 User Interaction Desktop Computer Application 1. Desktop Computer Application 2. Physical Access - Opening a Door 3. Mobile Device App 4. Remote Access from Mobile Device Secure Credentials Desktop Applications Windows Login signing Secure Remote Access 8 NFC Identity and Access Control

9 User Interaction Physical Access Opening A Door 1. Desktop Computer Application 2. Physical Access - Opening a Door 3. Mobile Device App 4. Remote Access from Mobile Device Secure Credentials Physical Access Unlock Door 9 NFC Identity and Access Control

10 User Interaction Mobile Device App 1. Desktop Computer Application 2. Physical Access - Opening a Door 3. Mobile Device App 4. Remote Access from Mobile Device Secure Credentials Mobile Apps File Encryption Document Signing 10 NFC Identity and Access Control

11 User Interaction Remote Access from Mobile Device 1. Desktop Computer Application 2. Physical Access - Opening a Door 3. Using Mobile Device App 4. Remote Access from Mobile Device Secure Credentials Cloud Data 11 NFC Identity and Access Control

12 (F)ICAM - Identity, Credential, and Access Management - Why ICAM? - US-based: - Standards - Policy Guidance - Best Practices - Vendor Support 12 NFC Identity and Access Control - Practical Experience - All Federal Agencies - Many Federal Contractors - Other Commercial entities - Some other countries too! Incl disc of International Stds. - NFC works well with other architectures. ICAM is a just a well-known example

13 (F)ICAM - Identity, Credential, and Access Management 13 NFC Identity and Access Control

14 (F)ICAM - Identity, Credential, and Access Management 14 NFC Identity and Access Control

15 Logical Access Credentials in Smart Card Applications Mail Client Authentication S/MIME - Signing / Encryption Document Management Signing Encryption Synchronization Authentication Secure Remote Access VPN Secure Web Sites Mobile App Credentials 15

16 Logical Access Credentials in Smart Card Issues Contact Interface no NFC May be required for policy compliance Contactless Interface Credential Access Current FICAM limited FIPS full set using Opacity Security Concerns No different from contactless cards Mobile Operating System API Support How does an app access the credentials? Few standards; limited support 16

17 Logical Access Credentials in Mobile Device Applications Mail Client Authentication S/MIME - Signing / Encryption Document Management Signing Encryption Synchronization Authentication Secure Remote Access VPN Secure Web Sites Other Application Credentials 17

18 Logical Access Credentials in Mobile Device Contact Interface Accessible via Mobile App App in device can access the SE via the contact interface User interaction (e.g. PIN entry) NFC via Card Emulation mode Contactless Interface Direct SE to NFC over SWP No different from contactless cards Battery not required Perfect Card Emulation 18

19 Physical Access Credentials in Mobile Device Contact Interface Accessible via Mobile App App in device can access the SE via the contact interface User interaction (e.g. PIN entry) NFC via Card Emulation mode Contactless Interface Direct SE to NFC over SWP No different from contactless cards Battery not required Perfect Card Emulation 19

20 Physical Access Credentials in Mobile Device Available Today Major PACS Vendors Support ISO devices Smart Cards NFC Devices Standards-based and proprietary solutions SWP SE solutions are seamless Real Innovation in Development Leveraging Device Capabilities Communication via device Reader can be off-line Biometric Integration Cloud-based Services 20

21 Future Evolution Mobile Devices with NFC Enable New Capabilities Lots of Great Work in Many Different Categories Interface Protocols NFC Layered Security Secure Channel Against Eavesdropping Device Pairing FIPS / ANSI Opacity NFC + Other Communications Channels Bluetooth Secure Simple Pairing (SSP) with NFC Device Selection (improves user experience; ensures correct device is selected) Securely Connect (Out-of-band) Bluetooth Application Launch Credential Policy How Credentials in SE s used with NFC relate to other devices Example: NIST Derived Credentials 21 NFC Identity and Access Control

22 Future Evolution Peer to Peer Devices are Symmetric Example, mutual authentication Instead of validating an employee badge with a handheld, any employee can validate any other Example, field incident security perimeter Enables dynamic perimeter, real-time access to location, list of check in/check out Making Dumb Readers Smart Cost is in the phone E.g. for higher security at night, give night access team phones with fingerprint readers Use phone communication channels 22 NFC Identity and Access Control

23 Future Evolution Engage Mobile Device Features with NFC Combining elements to enhance security Biometrics Fingerprint Facial Voice Iris Location Velocity Temperature Example: Secure Unified Communications Everyone connects with their mobile device to the weekly project call. They are strongly authenticated with a crypto key in an SE, a facial image is captured and a fingerprint is verified. The device provides voice communication and a shared whiteboard. As per corporate policy, all participants are stationary (not driving) and indoors in an approved location (home, main office, branch office). 23 NFC Identity and Access Control

24 NFC for Identity & Access Control Here Today A Strong Addition to the Smart Card Ecosystem 24

25 Peter Cattaneo Vice President Business Development