Serving Those Who Serve Our Country - 1 - Michael P. Butler DMDC Deputy Director for Identity Services and Personnel Security / Assurance June 18, 2013.


1 Mobile Devices in the DoD
Michael P. Butler, DMDC Deputy Director for Identity Services and Personnel Security / Assurance
June 18, 2013

2 Background
Challenges:
- DoD Component: desire to improve usability of PKI on emerging mobile computing environments
  – Dislike of smart card sleds and dongles (due to form factor challenges and bulkiness)
Activity:
- DMDC is working within the Department's identity management community to examine ways to improve the user experience by conducting several proofs of concept

3 Authentication on Mobile Devices (DoD's Thought Process)
- US Government employees must use Personal Identity Verification (PIV) smart cards for authentication
  – HSPD-12 and FIPS 201
  – Office of Management and Budget (OMB) Memorandum M-11-11
- Successful usage for Windows laptops and workstations
  – Strong authentication to Windows, applications and networks
  – Signing and encrypting emails / documents
- Mobile devices must meet the same use case as the desktop environment
- Use existing identity investment as much as possible

4 Authentication on Mobile Devices: Challenges
- Same needs as on our office computers
  – Sign, send, and encrypt email
  – Web authentication
- Hardware challenge:
  – Connecting the smartphone to a smart card (or similar strong credential)
- Software challenge:
  – Lack of native OS/device secure e-mail application
  – Lack of centralized cryptographic service to allow extension of PKI to other applications on the device
  – Lack of smart card middleware to connect smart card (or similar strong credential) to device applications
  – Standard secure encrypted channel for NFC and contactless

5 Why Pursue NFC with CAC?
- Just place the card on the back of the phone!
- Leverage the user's dual-interface card
- No reader required, with differences based on mobile device
- No new derived credential to procure and manage
- Works with majority of devices
  – Nine out of the top ten smartphone manufacturers have released Near Field Communications (NFC) enabled handsets
- Other business needs within DoD to enable secure contactless transactions with CAC
  – Transit
  – E-purse

6 Authentication on Mobile Devices: DMDC Proof of Concept 1
- Commercial Android OS mobile device (Ice Cream Sandwich)
- Enabled contactless access on CAC applets
- Prototype secure e-mail app (DMDC developed)
- Custom interface to connect CAC to secure e-mail app (DMDC developed)
Demonstrated:
- Signing/encrypting e-mail
- Reading signed CHUID from card
Lesson learned:
- Timeout challenges with cards and device
  – Device side: NFC parameters are too short (had to recompile OS)
  – Card side: the implementation of FIPS 140 crypto self-checks takes too much time
- Need to secure the communication channel between card and device via ANSI 504 Opacity
- Need standard PKCS#11 or Microsoft mini driver implemented on device
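
Slide 6 lists reading the signed CHUID from the card as a demonstrated function. As an added example (not DMDC's code and not part of the original slides), the Python below splits a CHUID data object into its fields and flags one that is unsigned or past its expiration date. The tag values follow NIST SP 800-73; the function names and the sample bytes are constructed for illustration, and the issuer signature is only checked for presence, not verified.

```python
# CHUID element tags as defined in NIST SP 800-73 (single-byte BER-TLV tags).
CHUID_TAGS = {0x30: "fasc_n", 0x34: "guid", 0x35: "expiration",
              0x3E: "issuer_signature", 0xFE: "error_detection_code"}

def read_tlv(buf, pos):
    """Decode one TLV with a one-byte tag; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = {0x81: 1, 0x82: 2}.get(first, 0)   # long form: 1 or 2 length bytes
    if first >= 0x80 and not n:
        raise ValueError("unsupported length encoding")
    length = int.from_bytes(buf[pos:pos + n], "big") if n else first
    pos += n
    if pos + length > len(buf):            # never trust a length past the data
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_chuid(response):
    """Split a CHUID data object (0x53 wrapper) into named fields."""
    tag, body, end = read_tlv(response, 0)
    if tag != 0x53 or end != len(response):
        raise ValueError("not a single 0x53 data object")
    fields, pos = {}, 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        fields[CHUID_TAGS.get(tag, "tag_%02X" % tag)] = value
    return fields

def chuid_problems(fields, today):
    """List reasons to reject the CHUID (today is a datetime.date).
    The issuer signature is only checked for presence, NOT verified."""
    problems = []
    if not fields.get("issuer_signature"):
        problems.append("unsigned")
    exp = fields.get("expiration", b"")    # 8 ASCII digits, YYYYMMDD
    if len(exp) != 8 or not exp.isdigit():
        problems.append("bad expiration")
    elif int(exp) < int(today.strftime("%Y%m%d")):
        problems.append("expired")
    return problems

def sample_chuid(expiration=b"20301231", signature=b"\x30\x03\x02\x01\x01"):
    """Constructed test data (not from a real card): dummy FASC-N, GUID, signature."""
    body = (bytes([0x30, 25]) + bytes(25) + bytes([0x34, 16]) + bytes(range(16))
            + bytes([0x35, 8]) + expiration
            + bytes([0x3E, len(signature)]) + signature + bytes([0xFE, 0]))
    return bytes([0x53, len(body)]) + body
```

A relying application would additionally validate the signature in the 0x3E element against the issuer's certificate chain before trusting any field.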

8 Authentication on Mobile Devices: DMDC Proof of Concept 2
- Commercial Android OS mobile device
- DISA Mobility Lab managed devices with Good Technology products
- DISA Mobility Lab test e-mail accounts
- Enable contactless access on CAC prototype CAC 2.7.x applet structure
- 3rd party secure email app
- Prototype 3rd party mobile CAC middleware
- Test DoD PKI end-user certificates
Target Use Case:
- Sign/encrypt e-mail
- Web authentication

9 DMDC's Vision
Smart Card Side:
- CAC implementing draft FIPS 140-3 sequences for cryptographic algorithm self-checks
- CAC enabled to support PKI function over contactless interfaces
- CAC containing secure contactless capabilities (i.e., ANSI 504 OPACITY ZKM implementation)
  – Information on implementation/standard is posted on Smart Card Alliance website at http://www.smartcardalliance.org/resources/pdf/OPACITY_Overview%203.8.pdf
Mobile Device (hardware):
- Support for NFC
- Support for NFC implementing ISO 7816 PPS like functions or improved timing
Mobile Device (software):
- Out of the box S/MIME enabled mail client
- Out of the box PKI enabled web browser
- Native OS certificate management store
- Native OS implementation of ANSI 504 OPACITY enabled PKCS #11 module or mini driver

10 Project Milestones: The Mobile-enabled CAC
- November 2012: POC Part 1 Complete
- July/August 2013: POC Part 2
  – Enabling secure contactless access on CAC applets with OPACITY
  – CAC Middleware for Android with OPACITY
  – Commercial Application
  – Non production credentials; 20 to 30 users
- 2014: Potential Production Pilot
  – Targeting FIPS 201-2 Compliance
  – Production credentials

11 Authentication on Mobile Devices: List of Options DoD is Examining

12 Take Away Messages
- It is possible to use contactless cards with NFC-enabled mobile devices
- It is possible to use a secure contactless interface compliant with US Government standards
- This represents one of several viable options to provide strong authentication services on mobile devices
- DMDC is working to make this NFC solution a reality in the US Department of Defense by building on a protocol solution (not a vendor solution)
- Extent of how protocol can be adopted
  – Transit
  – Opacity (readers)

