Mobile Devices as Identity Carriers. Pre Conference Workshop October 14 th 2013

Transcription

1 Mobile Devices as Identity Carriers Pre Conference Workshop October 14 th 2013

2 Mobile Market Worldwide Smartphones Market by OS (in thousands of units) 1,400,000 1,200,000 1,000, , , , , Android Symbian ios RIM Microsoft BADA Others Source - Gartner - 3Q2011 WW Tablets Market from ~ 70 million in 2011 growing to 300 million in

3 Use Case #1 Mobile as a token Users want to use their mobile phones as the 2 nd factor authentication device The Mobile phone is a personal token of choice. Always associated to an individual and always with them. Instead of dedicated HW devices (OTP tokens, Smart Cards) Out of Band Authentication Primary use case: Remote access through their laptop / desktop Secondary use cases: Win Logon, Encryption, Signature, Physical Access Third use case: Securing an APP 3

4 Use Case #2 Mobile as a laptop Security solutions on this devices must be at par with security solutions on laptops & desktops BYOD culture becoming prevalent Users want to access corporate resources (regular mail, encrypted mail, online corporate services) through their smart phones and PADs) and they are doing so, whether CIOs/CSOs like it or not! Corporations don t want to constrain their users by imposing restrictive policies Primary Use Cases: Secure Encryption/ decryption, VPN access. Secondary Use Cases: Data at rest encryption, Digital signature, Device un/lock, SSO. 4

5 The Playing Field It is a complex, immature environment for Identity Diversity of: Mobile OS platforms: IOS, Android, Windows phone, Blackberry OS, Symbian Mobile OS versions IOS versions : Android s Gingerbread, Honeycomb, IceCream: Windows Phone 7, 8, Bada(Samsung) Phone vendors: Windows Phone: Nokia, HTC, Samsung Android: Samsung, LG, HTC, SonyEricsson, Options for storage of credentials (Secure Elements) Each one requiring specific drivers for each Mobile platform Middleware Middleware will also be specific to each Mobile OS Applications and application providers? No standard Smart Card support to rely on. PKCS11 seems best option No Base CSP on Windows Phone 7. 5

6 Mobile Platform Technology Solution options Bluetooth reader Software Certificates in Mobile device applications SD Micro Directly connected reader NFC coupled Trusted Security Module/ Trusted Execution Environment CAC/PIV applet embedded in the SIM 6

7 Bluetooth CAC reader Working today in DoD cumbersome, battery life issues, only Blackberry, expensive Blackberry OS controlled by RIM Bluetooth CAC integration achieved with RIM collaboration in O/S Blackberry Smart Card Reader Apriva BT200 Bluetooth reader 7

8 Bluetooth CAC/PIV readers with other handsets?? 8

9 Software Certificates Not an LOA4 option Soft cert considered LOA3 These certificates can be loaded into Apps such as Touchdown (Activesync ) and browsers to enable secure use of mobile. Creates a duality of credentials (One encryption cert; two signing certs) In the PIV/CAC. In the phone. FIPS 201-2, SP to define derived credential policy 9

10 Connected Reader for secure services Attach a simple reader via the Apple port in USB mode or to an Android via micro USB connector in USB mode Uses existing CAC or PIV full form factor Smart Card Requires O/S integration; & Brower support etc Low cost reader. No extra credentials needed Physically cumbersome? 10

11 CAC/PIV via NFC Phone for secure services With an NFC enabled smart phone the CAC/PIV could be connected and utilized in close proximity Uses existing CAC or PIV full form factor Smart Card Requires NFC integration into Operating System; & Brower support etc No extra credentials needed Physically easy but a little practical to hold card next to phone FIPS201-2 introduces Virtual Contact Interface for NFC operation Challenges with FIPS140-2 power-up self tests and NFC timeouts Not all NFC phones act as a reader most are acting as cards Power/Battery life issues 11

12 Solutions SD Micro integration Combine CAC/PIV chip on SD Micro device No Mobile operator involvement (no SIM impact) Handset middleware support required. SDMicro not universally supported on all handsets (Not on Apple platforms) How to provision CAC/PIV applet? On SDMicro on Laptop or via the Data connection? Needs a specific App on the phone NFC can be provided on SD Micro form factor too 12

13 Securing Mobile applications (Apps) " Software to be executed must to be secured (code and data such as cryptographic keys) Principle: isolation in a secure environment 1. Use of Trusted Execution Environment (TEE) 2. Use of external component: Secure Element " User Interface must to be secured Sensitive information entry (e.g. password) Transaction data to be validated (e.g. transaction amount) Principle: Trusted User Interface via Trusted Execution Environment 13

14 Integration into Trusted Execution Environment Gemalto, ARM and Giesecke & Devrient are forming a joint venture to offer an open software-hardware security platform to provide a Trusted Execution Environment in connected devices Trusted Execution Environment Protects input and output and transient processing of sensitive data Applicable to a broad array of new connected devices Secure Element (Removable or Embedded) Certified tamper-resistant For secure storage and processing of the most valuable and sensitive data 14

15 Solutions Mobile CAC/PIV in SIM Physical Access & Remote services 15

16 SIM/UICC architecture UICC MNO TSM Keys Security Domain 1 Vendor TSM Keys Security Domain 2 Vendor TSM Keys PIV Security Domain PIV TSM Keys Vendor App 1-1 Vendor App 1-2 Vendor App 2-1 Vendor App 2-2 PIV Applet 16

17 Provisioning & usage 17

18 Government/Enterprise owned TSM, IDM, CA & CMS xmno Government/Enterprise Owned API Exposure Point External PKI Certification Authority PKI 18

19 Mobile Operating Systems IOS controlled by Apple tightly. Android Led by Google Open source. NFC supported Windows Mobile Controlled by Microsoft Blackberry OS Controlled by RIM All require support for PKI credentials where ever stored/implemented.

20 Mobile Apps Within the Identity Ecosystem there will be different levels of Identity Assurance credentials. For example: LOA4 Digital PKI Credential in hardware + PIN LOA3 Soft PKI Certs with PIN (in app) LOA2 Username/Password + OTP LOA1 Username/Password (in app)

21 Where to store the Identity credentials? Badge via NFC MicroSD Software Apps TEE UICC ese Hardware Embedded Credentials Semidetached credentials Badge via Bluetooth Badge via Mobile Contact reader Detached credentials 21

22 Secure Element Options 22

23 Conclusion Mobiles and how they fit into the Identity Ecosystem There are several implementation options emerging which address a subset of the problem space. Use cases will drive the adoption, along with various LOA credentials Requirements must be defined for each LOA credential. Handsets; Operating Systems; Mobile Operators; Provisioning, Management, soft or hard etc Security Policies critical for technology selection and secure trusted implementations. Standard are needed for implementation and interoperability 23

24 Neville Pattinson SVP Government Sales, Gemalto, Inc. Office Mobile Smart Card Alliance 191 Clarksville Rd. Princeton Junction, NJ (800)