1 Mobile Devices in the DoD
Michael P. Butler, DMDC Deputy Director for Identity Services and Personnel Security / Assurance, June 18, 2013

2 Background
Challenges:
- DoD Components want to improve the usability of PKI on emerging mobile computing environments
- Dislike of smart card sleds and dongles (due to form factor challenges and bulkiness)
Activity:
- DMDC is working within the Department's identity management community to examine ways to improve the user experience by conducting several proofs of concept

3 Authentication on Mobile Devices (DoD's Thought Process)
- US Government employees must use Personal Identity Verification (PIV) smart cards for authentication
  - HSPD-12 and FIPS 201
  - Office of Management and Budget (OMB) Memorandum M-11-11
- Successful usage for Windows laptops and workstations
  - Strong authentication to Windows, applications and networks
  - Signing and encrypting e-mails / documents
- Mobile devices must meet the same use cases as the desktop environment
- Use the existing identity investment as much as possible

4 Authentication on Mobile Devices
Challenges:
- Same needs as on our office computers
  - Sign, send, and encrypt
  - Web authentication
- Hardware challenge: connecting the smartphone to a smart card (or similar strong credential)
- Software challenge:
  - Lack of a native OS/device secure application
  - Lack of a centralized cryptographic service to allow extension of PKI to other applications on the device
  - Lack of smart card middleware to connect the smart card (or similar strong credential) to device applications
- Standard secure encrypted channel for NFC and contactless

5 Why Pursue NFC with CAC?
- Just place the card on the back of the phone!
- Leverage the user's dual-interface card
- No reader required, with differences based on mobile device
- No new derived credential to procure and manage
- Works with the majority of devices
  - Nine out of the top ten smartphone manufacturers have released Near Field Communications (NFC) enabled handsets
- Other business needs within DoD to enable secure contactless transactions with CAC
  - Transit
  - E-purse

6 Authentication on Mobile Devices: DMDC Proof of Concept 1
- Commercial Android OS mobile device (Ice Cream Sandwich)
- Enabled contactless access on CAC applets
- Prototype secure app (DMDC developed)
- Custom interface to connect CAC to secure app (DMDC developed)
- Demonstrated:
  - Signing/encrypting
  - Reading the signed CHUID from the card
- Lessons learned:
  - Timeout challenges with cards and device
    - Device side: NFC parameters are too short (had to recompile the OS)
    - Card side: the implementation of FIPS 140 crypto self-checks takes too much time
  - Need to secure the communication channel between card and device via ANSI 504 OPACITY
  - Need a standard PKCS#11 module or Microsoft minidriver implemented on the device
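Reading the signed CHUID, as the first proof of concept did, means walking the BER-TLV response that GET DATA returns for the CHUID object (5FC102). The Python below is an added example, not DMDC's code: it parses a constructed CHUID response (multi-byte tags, long-form lengths, the 0x53 wrapper) and checks the expiration date; the sample bytes and the zeroed signature field are constructed, and verification of the issuer's CMS signature over the CHUID is not shown.

```python
# CHUID (PIV/CAC data object 5FC102) parser; tags per NIST SP 800-73. Sample data below is constructed.
from datetime import datetime

CHUID_TAGS = {0x30: "FASC-N", 0x32: "Organizational Identifier", 0x33: "DUNS",  # tags inside the CHUID value
              0x34: "GUID", 0x35: "Expiration Date",
              0x3E: "Issuer Asymmetric Signature", 0xFE: "Error Detection Code"}

def parse_ber_tlv(buf):
    """Return [(tag, value)] from a BER-TLV buffer (multi-byte tags, short/long-form lengths)."""
    out, i = [], 0
    while i < len(buf):
        tag = buf[i]; i += 1
        if tag & 0x1F == 0x1F:            # multi-byte tag: continues while bit 8 of each byte is set
            tag = (tag << 8) | buf[i]; i += 1
            while buf[i - 1] & 0x80:
                tag = (tag << 8) | buf[i]; i += 1
        length = buf[i]; i += 1
        if length & 0x80:                 # long form: 0x8n followed by n length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big"); i += n
        if i + length > len(buf):
            raise ValueError("TLV length runs past end of buffer")
        out.append((tag, bytes(buf[i:i + length]))); i += length
    return out

def parse_chuid(response):
    """response is the GET DATA payload: a single 0x53 object wrapping the CHUID TLVs."""
    outer = parse_ber_tlv(response)
    if len(outer) != 1 or outer[0][0] != 0x53:
        raise ValueError("expected exactly one 0x53 discretionary data object")
    return {CHUID_TAGS.get(tag, f"tag 0x{tag:02X}"): value
            for tag, value in parse_ber_tlv(outer[0][1])}

def chuid_expired(fields, today_yyyymmdd):
    """True if the CHUID's YYYYMMDD expiration date is before the given day."""
    exp = datetime.strptime(fields["Expiration Date"].decode("ascii"), "%Y%m%d")
    return exp < datetime.strptime(today_yyyymmdd, "%Y%m%d")

def _tlv(tag, value):
    """Encode one TLV, using a long-form length when the value is 128 bytes or more."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + value

# Constructed sample: zeroed FASC-N, counting GUID, expiry 2015-12-31, 128 placeholder
# signature bytes (a real card carries a CMS signature here) and an empty error detection code.
SAMPLE_CHUID = _tlv(0x53, _tlv(0x30, bytes(25)) + _tlv(0x34, bytes(range(16)))
                    + _tlv(0x35, b"20151231") + _tlv(0x3E, bytes(128)) + _tlv(0xFE, b""))
```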


8 Authentication on Mobile Devices: DMDC Proof of Concept 2
- Commercial Android OS mobile device
  - DISA Mobility Lab managed devices with Good Technology products
  - DISA Mobility Lab test accounts
- Enable contactless access on CAC
  - Prototype CAC 2.7.x applet structure
- 3rd party secure app
- Prototype 3rd party mobile CAC middleware
- Test DoD PKI end-user certificates
- Target use cases:
  - Sign/encrypt
  - Web authentication

9 DMDC's Vision
Smart Card Side:
- CAC implementing draft FIPS sequences for cryptographic algorithm self-checks
- CAC enabled to support PKI functions over contactless interfaces
- CAC containing secure contactless capabilities (i.e., ANSI 504 OPACITY ZKM implementation)
  - Information on the implementation/standard is posted on the Smart Card Alliance website at
Mobile Device (hardware):
- Support for NFC
- Support for NFC implementing ISO 7816 PPS-like functions or improved timing
Mobile Device (software):
- Out of the box S/MIME enabled mail client
- Out of the box PKI enabled web browser
- Native OS certificate management store
- Native OS implementation of an ANSI 504 OPACITY enabled PKCS #11 module or minidriver

10 Project Milestones: The Mobile-enabled CAC
- November 2012: POC Part 1 (complete)
- July/August 2013: POC Part 2
  - Enabling secure contactless access on CAC applets with OPACITY
  - CAC middleware for Android with OPACITY
  - Commercial application
  - Non-production credentials; 20 to 30 users
- 2014: Potential production pilot
  - Targeting FIPS compliance
  - Production credentials

11 Authentication on Mobile Devices: List of Options DoD is Examining

Method                               | User Experience    | FIPS 201 Compliance     | Availability     | Cost
-------------------------------------|--------------------|-------------------------|------------------|------
Bluetooth Reader                     | Poor               | Yes                     | Today            | $$$$
Connected Reader                     | Poor to Reasonable |                         |                  | $$
Derived Credential in secure microSD | Good               | In process (FIPS 201-2) | Proof of concept | $$$
Derived Credential in UICC / SIM     |                    |                         | Concept          |
Derived Credential in Embedded SE    |                    |                         |                  |
Built-in NFC Reader                  | Good / Reasonable  | In process (FIPS 201-2) | Proof of concept | $

(Blank cells are blank or merged on the source slide.)

12 Take Away Messages
- It is possible to use contactless cards with NFC-enabled mobile devices
- It is possible to use a secure contactless interface compliant with US Government standards
- This represents one of several viable options to provide strong authentication services on mobile devices
- DMDC is working to make this NFC solution a reality in the US Department of Defense by building on a protocol solution (not a vendor solution)
  - Extent to which the protocol can be adopted:
    - Transit
    - OPACITY (readers)
