NFC Identity and Access Control
Peter Cattaneo, Vice President, Business Development

Agenda
- Basics
- NFC User Interactions
- Architecture
- (F)ICAM
- Physical Access
- Logical Access
- Future Evolution
Basics: NFC Radio Capabilities
- Very short range
- Typically requires touch or tap
- Shows user intent
- Compatible with contactless smart cards (ISO 14443)
Works both ways:
- Use credentials from a smart card on-device, e.g. sign an email with a key on your smart badge
- Emulate a smart card, e.g. use your phone instead of a badge at the door

Basics: Secure Elements
- Single Wire Protocol (SWP) connects some SEs to the NFC radio
- The NFC interface can power the SE over SWP; no battery required
- SEs without an SWP connection can interact over NFC via apps
- Multiple secure element options:
  - SWP:
    - SIM / UICC
    - Embedded NFC SE
    - microSD card (emerging new standard)
  - Non-SWP:
    - Internal:
      - Trusted Platform Module (TPM)
      - Trusted Execution Environment (TEE)
    - External:
      - Contact card reader
      - Bluetooth reader/device
      - Cloud (HCE)
Smart Card vs Mobile Device
Points of comparison: secure element, user interface, communications channel, additional sensors.

                        PIV card                       NFC device
Card type               Dual-interface smart card      n/a
Secure element          One secure element             Multiple secure elements
Contactless interface   ISO 14443                      NFC (incl. ISO 14443)
Contact interface       External, ISO 7816             Internal only
Communications          n/a                            Bluetooth, 3G, 4G, SMS, WiFi
User interface          n/a                            Screen, keyboard
Additional sensors      n/a                            Camera, microphone, GPS, fingerprint sensor, lots more
NFC User Interactions
1. Desktop computer application
2. Physical access - opening a door
3. Mobile device app
4. Logical remote access from mobile device

User Interaction 1: Desktop Computer Application
Secure credentials -> desktop applications: Windows login, email signing, secure remote access

User Interaction 2: Physical Access - Opening a Door
Secure credentials -> physical access: unlock door

User Interaction 3: Mobile Device App
Secure credentials -> mobile apps: file encryption, document signing

User Interaction 4: Remote Access from Mobile Device
Secure credentials -> cloud data
(F)ICAM - Identity, Credential, and Access Management
Why ICAM?
- US-based:
  - Standards
  - Policy guidance
  - Best practices
  - Vendor support
- Practical experience:
  - All Federal agencies
  - Many Federal contractors
  - Other commercial entities
  - Some other countries too, including discussion of international standards
- NFC works well with other architectures; ICAM is just a well-known example
Logical Access: Credentials in Smart Card - Applications
- Email / mail client: authentication; S/MIME signing and encryption
- Document management: signing, encryption, synchronization, authentication
- Secure remote access: VPN, secure web sites
- Mobile app credentials
Logical Access: Credentials in Smart Card - Issues
- Contact interface: no NFC; may be required for policy compliance
- Contactless interface credential access: limited under current FICAM; full credential set under FIPS 201-2 using Opacity
- Security concerns: no different from contactless cards
- Mobile operating system API support: how does an app access the credentials? Few standards; limited support
Logical Access: Credentials in Mobile Device - Applications
- Email / mail client: authentication; S/MIME signing and encryption
- Document management: signing, encryption, synchronization, authentication
- Secure remote access: VPN, secure web sites
- Other application credentials
Logical Access: Credentials in Mobile Device
- Contact interface: accessible via mobile app
  - An app in the device can access the SE via the contact interface
  - User interaction (e.g. PIN entry)
- Contactless interface: NFC via card emulation mode
  - Direct SE to NFC over SWP
  - No different from contactless cards
  - Battery not required
  - Perfect card emulation
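An added example, not from the presentation or from Intercede's products: a Python model of the credential-access rules the two slides above describe (contact interface with PIN entry, contactless interface with or without an Opacity-style secure channel). The PIN, keys, retry limit and the HMAC stand-in for signing are constructed for the model; the rules are a simplified reading of FIPS 201 / SP 800-73 behaviour, where the card authentication key needs no PIN, PIN-protected keys are contact-only, and a FIPS 201-2 secure channel extends the PIN-protected set to the contactless interface.

```python
import hmac
import hashlib
from enum import Enum


class Interface(Enum):
    CONTACT = "contact"          # ISO 7816: app in the device talks to the SE directly
    CONTACTLESS = "contactless"  # ISO 14443 / NFC card emulation


class Key(Enum):
    CARD_AUTH = "card-auth"  # usable without a PIN on either interface
    PIV_AUTH = "piv-auth"    # PIN-protected
    DIG_SIG = "dig-sig"      # PIN-protected


PIN_PROTECTED = {Key.PIV_AUTH, Key.DIG_SIG}


class SecureElementModel:
    """Constructed model of PIV-style access rules; not a real card applet."""

    def __init__(self, pin, keys, max_tries=3):
        self._pin = pin
        self._keys = keys              # constructed symmetric stand-ins for SE keys
        self._max_tries = max_tries
        self.tries_left = max_tries
        self.pin_verified = False
        self.secure_channel = False    # models an Opacity-style channel over NFC

    def open_secure_channel(self, iface):
        # FIPS 201-2 style: a secure channel on the contactless side makes the
        # PIN-protected set reachable; the contact interface does not need one.
        if iface is Interface.CONTACTLESS:
            self.secure_channel = True
        return self.secure_channel

    def verify_pin(self, iface, pin):
        if self.tries_left == 0:
            return "blocked"
        if iface is Interface.CONTACTLESS and not self.secure_channel:
            return "refused"           # the PIN never crosses the air unprotected
        if hmac.compare_digest(pin, self._pin):
            self.pin_verified = True
            self.tries_left = self._max_tries
            return "ok"
        self.tries_left -= 1
        return "wrong"

    def sign(self, iface, key, data):
        """Return a hex 'signature' or None when the rules forbid the operation."""
        if key in PIN_PROTECTED:
            if not self.pin_verified:
                return None
            if iface is Interface.CONTACTLESS and not self.secure_channel:
                return None
        return hmac.new(self._keys[key], data, hashlib.sha256).hexdigest()
```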
Physical Access: Credentials in Mobile Device
- Contact interface: accessible via mobile app
  - An app in the device can access the SE via the contact interface
  - User interaction (e.g. PIN entry)
- Contactless interface: NFC via card emulation mode
  - Direct SE to NFC over SWP
  - No different from contactless cards
  - Battery not required
  - Perfect card emulation
Physical Access: Credentials in Mobile Device
Available today:
- Major PACS vendors support ISO 14443 devices: smart cards and NFC devices
- Standards-based and proprietary solutions
- SWP SE solutions are seamless
Real innovation in development:
- Leveraging device capabilities
- Communication via the device; the reader can be off-line
- Biometric integration
- Cloud-based services
Future Evolution: Mobile Devices with NFC Enable New Capabilities
Lots of great work in many different categories:
- Interface protocols
  - NFC layered security: secure channel against eavesdropping; device pairing; FIPS 201-2 / ANSI Opacity
  - NFC + other communications channels: Bluetooth Secure Simple Pairing (SSP) with NFC
    - Device selection (improves user experience; ensures the correct device is selected)
    - Securely connect (out-of-band)
    - Bluetooth application launch
- Credential policy
  - How credentials in SEs used with NFC relate to other devices
  - Example: NIST 800-157 Derived Credentials
Future Evolution: Peer to Peer
- Devices are symmetric
  - Example: mutual authentication. Instead of validating an employee badge with a handheld, any employee can validate any other
  - Example: field incident security perimeter. Enables a dynamic perimeter, real-time access to location, and a list of check-ins and check-outs
- Making dumb readers smart
  - The cost is in the phone; e.g. for higher security at night, give the night access team phones with fingerprint readers
  - Use the phone's communication channels
Future Evolution: Engage Mobile Device Features with NFC
Combining elements to enhance security:
- Biometrics: fingerprint, facial, voice, iris
- Location, velocity, temperature
Example: Secure Unified Communications
Everyone connects with their mobile device to the weekly project call. They are strongly authenticated with a crypto key in an SE, a facial image is captured and a fingerprint is verified. The device provides voice communication and a shared whiteboard. As per corporate policy, all participants are stationary (not driving) and indoors in an approved location (home, main office, branch office).
NFC for Identity & Access Control: Here Today
A strong addition to the smart card ecosystem

Peter Cattaneo, Vice President, Business Development
Peter.Cattaneo@Intercede.com