Mobile Derived Credentials Purebred Information Brief

Similar documents
Innovations in Identity & Access Management (IdAM)

Migrating Applications to the Cloud

Privileged User Access and Management

DoD Mobility briefing for the AFCEA Mobility Summit

GlobalPlatform Trusted Execution Environment (TEE) for Mobile

Using Workspace ONE PIV-D Manager. VMware Workspace ONE UEM 1811 VMware Workspace ONE PIV-D Manager

DoD Mobility Mobility Product Security Certification Processes

VMware PIV-D Manager Deployment Guide

TWIC Transportation Worker Identification Credential. Overview

National Information Assurance Partnership (NIAP) 2017 Report. PPs Completed in CY2017

Defense Information Systems Agency

Helping Meet the OMB Directive

Open Mobile API The enabler of Mobile ID solutions. Alexander Summerer, Giesecke & Devrient 30th Oct. 2014

White Paper : An Overview of Samsung KNOX

Cryptologic and Cyber Systems Division

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

JRSS. GPIs MNIS DMCC-S. Assured Identity NBIS. Joint Regional Security Stacks. Global Private Internets. Multinational Information Sharing

OneID An architectural overview

Mobile Devices as Identity Carriers. Pre Conference Workshop October 14 th 2013

Comodo Device Manager Software Version 4.0

ENTERPRISE ARCHITECTURE

The Device Has Left the Building

DoD CIO s Areas of Focus. David A. Cotton Deputy CIO for Information Enterprise May 20, 2015

How I Learned to Stop Worrying and Love the Internet of Things

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Windows IoT Security. Jackie Chang Sr. Program Manager

BlackBerry UEM + Samsung Knox

Multiprotocol Label Switching MPLS 101 Global Packet Transport Rollout

Federated Access. Identity & Privacy Protection

About the DISA Cloud Playbook

FiXs - Federated and Secure Identity Management in Operation

hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION

PKI is Alive and Well: The Symantec Managed PKI Service

Defense Information Systems Agency (DISA) Department of Defense (DoD) Cloud Service Offering (CSO) Initial Contact Form

Enabling Smart Card Logon for Mac OS X Using Centrify Suite

Prof. Christos Xenakis

Samsung Knox Tizen Wearable v2.0

ADmitMac PKI Executive Summary. 2010, Thursby Software Systems, Inc.

Prof. Christos Xenakis

Strategies for the Implementation of PIV I Secure Identity Credentials

Windows ierīces Enterprise infrastruktūrā. Aris Dzērvāns Microsoft

DoD Wireless Smartphone Security Requirements Matrix Version January 2011

Office of Transportation Vetting and Credentialing. Transportation Worker Identification Credential (TWIC)

CompTIA CASP (Advanced Security Practitioner)

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA

Lecture 3 MOBILE PLATFORM SECURITY

device management The following policies can be applied to Knox container of Samsung devices. [Android OS, Samsung Only(Knox2+)]

Progress Report National Information Assurance Partnership

FIDO Alliance: Standards-based Solutions for Simpler, Strong Authentication

Providing Cybersecurity Inventory, Compliance Tracking, and C2 in a Heterogeneous Tool Environment

Intel s s Security Vision for Xen

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

Embedded System Security Mobile Hardware Platform Security

Android Enterprise Device Management with ZENworks 2017 Update 2

INITIAL ENTERPRISE CHALLENGE:

Test & Evaluation of the NR-KPP

EMERGING TRENDS AROUND AUTHENTICATION

Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group

Embedded System Security Mobile Hardware Platform Security

Using Smart Cards to Protect Against Advanced Persistent Threat

AXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure

Federal Mobility: A Year in Review

Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance

Securing Federal Government Facilities A Primer on the Why, What and How of PIV Systems and PACS

Mobile Access is the Killer App The Path to Flexible, Secure Credentials Brandon Arcement Senior Director, Product Marketing April 8, 2019

Leveraging the LincPass in USDA

Alternative Credentials for SIPRNet Disadvantaged Users Concept of Operations (CONOPS)

HP Printing and Personal Systems

Windows in the enterprise

Department of Defense Fiscal Year (FY) 2014 IT President's Budget Request Defense Prisoner of War/Missing Personnel Office (DPMO) Overview

Enabling Smart Card Logon for Linux Using Centrify Suite

Enterprise Product Guide

UNCLASSIFIED // FOUO Pegasus 101 Brief

FIDO AND PAYMENTS AUTHENTICATION. Philip Andreae Vice President Oberthur Technologies

Services Directorate Dual Persona User Guide for DoD Enterprise Portal Service Military Sealift Command Version September 8, 2016

Oracle. Field Service Cloud Using Android and ios Mobile Applications 18B

Overview. Premium Data Sheet. DigitalPersona. DigitalPersona s Composite Authentication transforms the way IT

Trusted Computing Group

Dissecting NIST Digital Identity Guidelines

IGLOO AND SNOWBALL. Philippe Garnier Ecosystem program

DEPARTMENT OF THE NAVY UNITED STATES NAVAL ACADEMY 121 BLAKE ROAD ANNAPOLIS MARYLAND

Service Description VMware Workspace ONE

SMART DEVICES: DO THEY RESPECT YOUR PRIVACY?

CERTIFICATE POLICY CIGNA PKI Certificates

Mobile Security using IBM Endpoint Manager Mobile Device Management

FPKIPA CPWG Antecedent, In-Person Task Group

Smart TV Security Solution V2.0 for Samsung Knox. Certification Report

DoD Identity & Access Management (IdAM) Portfolio Overview

Launch Smart Products With End-to-End Solutions You & Your Customers Can Trust

Say Goodbye to Enterprise IT: Welcome to the Mobile First World. Sean Ginevan, Senior Director, Strategy Infosecurity Europe

NIST Special Publication

Will Federated Cross Credentialing Solutions Accelerate Adoption of Smart Card Based Identity Solutions?

Transportation Worker Identification Credential (TWIC) Steve Parsons Deputy Program Manager, TWIC July 27, 2005

A privacy-preserving authentication service using mobile devices

Stakeholder and community feedback. Trusted Digital Identity Framework (Component 2)

Comodo IT and Security Manager Software Version 5.4

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

Markus Jakobsson Elaine Shi Philippe Golle Richard Chow (Palo Alto Research Center) Thanks to Yuan Niu (UC Davis)

Intune Policies Guide

DIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)

Transcription:

Mobile Derived Credentials Purebred Information Brief

Disclaimer The information provided in this briefing is for general information purposes only. It does not constitute a commitment on behalf of the United States Government to provide any of the capabilities, systems or equipment presented and in no way obligates the United States Government to enter into any future agreements with regard to the same. The information presented may not be disseminated without the express consent of the United States Government. 2

Authentication on Mobile Devices Before 2016 Same needs as on our office computers Sign, send, and encrypt email Web authentication Hardware challenge Connecting the smartphone to a smart card Common Access Card (CAC) Sled issues Cost Separate battery User expectations Restricts BYOD microsd card HSM Limited use pilots Requires specialized applications Not all devices support SD cards Source: Mark Norton, DoD CIO MILCOM 2014 Presentation 3

Authentication on Mobile Devices 2016+ Enter derived credentials issued to hardware-backed device native keystores Derived from CAC Derived 4

Authentication on Mobile Devices - DoD milestones DoD CIO Mobile PKI Roadmap Memo Sep 2014 Within 90 days, the DoD PKI PMO in conjunction with the DoD Public Key Enabling (PKE) and DoD PKI engineering teams shall design the approach for implementing an enterprise derived PKI credential issuance service for unclassified Commercial Mobile Devices (CMDs) NSA/DISA Industry Day Oct 2015 Introduction of Purebred and its requirements to industry Purebred 1.0 Initial Production Capability - August 2016 Support for recovery of all user encryption keys December 2016 5

What is Purebred? Purebred issued derived credentials enable users to utilize mobile signed and encrypted email and secure web browsing to CAC enabled websites without a reader or sled Purebred provides a secure over-the-air credentialing process through a series of one-time passwords and user demonstrated possession and usage of CAC Comprised of a key management server and set of apps for mobile devices Certificate enrollment Encryption key recovery capabilities Separates key management from device management Key management maintains affinity with PKI and is used across the enterprise, i.e., there is one DoD PKI used by all Device management can vary with operational scenario, i.e., different service/agency components can use different mobile device management (MDM) solutions 6

Purebred Supported Platforms Supports four major mobile/tablet platforms & one USB platform Apple ios 8, ios 9, ios 10, ios 11 Managed and unmanaged Android 5, Android 6, Android 7 Samsung Knox Android for Work containers Unmanaged Windows 10 and Windows 10 Anniversary Universal Windows Platform (UWP)* Surface Pro 3 and Surface Pro 4 Blackberry OS 10.3.3 Work and personal Yubikey4 *Current ongoing DoD policy work with use of Virtual Smart Card and TPM technology 7

Purebred Agent Views Info Collection/Phase 0/Vetting Phase 1/Phase 2/SCEP/Phase 3 8

Purebred User Views User Key Management Update User Key Management Recovery 9

Purebred Status Initial capability deployed Fall 2016 Averaging 2000-3000 devices enrolling per month and 50-100 new agents trained and granted permission to enroll device to Purebred across all DoD mission partners Quarterly updates are deployed to provide new functionality and fixes Top Purebred server priorities: 1.4 - Attestation (hand off from Qualcomm contract, Samsung evaluation under way) 1.5 - Server/Certificate Authority high availability/service redundancy 2.0 App and Server user interface improvement Release independent major tasks: Purebred reachability from internet (whitelisting) Agent nomination streamlining 10

Metrics (as of 28 Mar 2018) 30000 Total Devices 25000 20000 15000 10000 5000 0 1600 1400 1200 1000 800 600 400 200 0 Agents Devices: 25,160 Agents: 1,370 11

Devices by Type (as of 28 Mar 2018) 30000 25000 20000 15000 10000 5000 0 ios Devices Samsung Devices Microsoft Devices Blackberry Devices 12

Purebred Mission Partner Cost No direct cost no additional fee for service Purebred is a subcomponent of DoD Public Key Infrastructure (PKI) Purebred credentialing is an optional free entitlement under DoD Mobility Unclassified Capability (DMUC) or can be offered by any other mobility/mobile device management (MDM) service In-direct costs to consider Initial Integration Support Engineering and Test/Evaluation Deploying PB registration app Configuring MDM policies Profile configuration management General accreditation activities Purebred Agent Staffing (Sustainment) Agent nomination (what org/who will be agents?, is it in-scope if contractor?) Enrollment support activities Training (free, provided by DISA) User list management for migrations 13

Purebred Links Information Purebred Information - https://iase.disa.mil/pki-pke/pages/purebred.aspx Purebred Agent Collaboration - https://www.milsuite.mil/book/groups/disa-purebred-agents-group 14

15

DEFENSE INFORMATION SYSTEMS AGENCY The IT Combat Support Agency www.disa.mil /USDISA @USDISA 16

Assured Identity Next Generation Authentication Information Brief UNITED IN IN SERVICE TO OUR NATION 17

Disclaimer The information provided in this briefing is for general information purposes only. It does not constitute a commitment on behalf of the United States Government to provide any of the capabilities, systems or equipment presented and in no way obligates the United States Government to enter into any future agreements with regard to the same. The information presented may not be disseminated without the express consent of the United States Government. 18

Summary of Assured Identity Initiatives Replace/augment the CAC for logical access Goals: Use a variety of factors/sensors to develop a patterns Use pattern to create a continuously updated risk score Securely compute locally on device 4 on-going initiatives: Mobile Continuous Multifactor Authentication & Hardware Attestation Prototype Qualcomm Reference Devices with Snapdragon 845 Chipset 3mo production pilot begins Oct 2018 Behavior Based Privileged User Authentication Pilot Plurilock Biotracker measuring user s interaction with keyboard & mouse 3mo production pilot on VDI started Jan 2018 Rapid Innovation Fund CMFA Requirement for FY2018 Validating Identity with Wrist-worn Wearable pilot in April 2018 19

Hardware-based Device Attestation and CMFA Enhance Purebred issued credentials with hardware attestation Explore alternative mechanism to protecting credentials with CMFA versus single secret Exercise NIAP validated chipsets in commercially available phones System-on-Chip (SoC) Protection Profile Recommendations Identify requirements from MDFPP 3.0 and WLAN EP 1.0 that could be met by a SoC So what? Demonstrate security functionality at integrated subsystem level to speed NIAP product evaluation of mobile device manufacturers handsets i.e. Why does it take so long for the new Samsung phone to be available on DMUC? Hardware Attestation Use a mechanism to give device applications ability to provide cryptographically signed and encrypted data that describes the security state of the device Mechanism should include: HW, Firmware, TEE OS versions Android OS version and release Manufacturer and Device model Privacy-preserving Device ID Token signing at SoC HW Level Hash of secure boot verification key Trusted location CMFA Design a system to maintain an authentication trust level at any given point in time to enable use to remain authenticated to their device so long as enough evidence Evidence should include gait, face and voice recognition System should factor power consumption of continuously polling from sensors 20

Utilizing the ARM TrustZone Architecture: TEE and REE Increased Trust Leverage commercially designed and manufactured Increased Trust cryptographic objects for signing sensor data Rich Execution Environment / Higher Level OS (HLOS) Services and Apps Trusted Execution Environment Trust Score CMFA Core 21

Improving Purebred Enrollment Process Info Collection/Phase 0/Vetting Phase 1/Phase 2/SCEP/Phase 3 22

CMFA Verifiers Verifier Modality Sensors Face Recognition Face Camera Voiceprint Identification Voice Microphone Gait Recognition User s pattern of walking Accelerometer, Gyroscope Contextual Information Position Person Location GPS WiFi Person Location WiFi Bluetooth Paired Device(s) Bluetooth Cell Tower ID Person Location Modem 23

Mobile cmfa Production Pilot 24

Conclusion Assured Identity is comprised of 4 on-going initiatives Aim to replace or augment the CAC for logical access and authentication Enhancing Purebred capability with issuing hardware policy OIDs and signed assertions of genuine device identifiers Align to a mobile-centric vision Sufficient authentication and assurance to facilitate single platform for multi-networks 25

26

DEFENSE INFORMATION SYSTEMS AGENCY The IT Combat Support Agency www.disa.mil /USDISA @USDISA 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback