derived piv credentials token form factors …...nist presentation 03/04/2015 page 8 secure java...
TRANSCRIPT
![Page 1: Derived PIV Credentials Token Form Factors …...NIST Presentation 03/04/2015 Page 8 Secure Java Platforms: Sm@rtCafé Expert Java Card Classic 3.0.4 GlobalPlatform 2.2.1 FIPS 140-2,](https://reader033.vdocuments.us/reader033/viewer/2022050109/5f476f26f7d9f006815b2b46/html5/thumbnails/1.jpg)
Derived PIV Credentials Token Form Factors –
Giesecke & Devrient’s ActivitiesFIPS 201-2 Supporting Special Publications Workshop
NIST, Gaithersburg
March 3rd & 4th, 2015
Werner Ness
![Page 2: Derived PIV Credentials Token Form Factors …...NIST Presentation 03/04/2015 Page 8 Secure Java Platforms: Sm@rtCafé Expert Java Card Classic 3.0.4 GlobalPlatform 2.2.1 FIPS 140-2,](https://reader033.vdocuments.us/reader033/viewer/2022050109/5f476f26f7d9f006815b2b46/html5/thumbnails/2.jpg)
NIST Presentation
03/04/2015 Page 2
Agenda
Introduction
G&D Products
G&D Activities
Conclusion
![Page 3: Derived PIV Credentials Token Form Factors …...NIST Presentation 03/04/2015 Page 8 Secure Java Platforms: Sm@rtCafé Expert Java Card Classic 3.0.4 GlobalPlatform 2.2.1 FIPS 140-2,](https://reader033.vdocuments.us/reader033/viewer/2022050109/5f476f26f7d9f006815b2b46/html5/thumbnails/3.jpg)
NIST Presentation
03/04/2015 Page 3
Introduction1
![Page 4: Derived PIV Credentials Token Form Factors …...NIST Presentation 03/04/2015 Page 8 Secure Java Platforms: Sm@rtCafé Expert Java Card Classic 3.0.4 GlobalPlatform 2.2.1 FIPS 140-2,](https://reader033.vdocuments.us/reader033/viewer/2022050109/5f476f26f7d9f006815b2b46/html5/thumbnails/4.jpg)
NIST Presentation
03/04/2015 Page 4
Concept of Derived PIV Credentials Tokens
Software
Key Store
Trusted Execution
Environment
PIV Card
Secure
micro SD
UICC
Hardware based
USB-Token
eSE
Software based
![Page 5: Derived PIV Credentials Token Form Factors …...NIST Presentation 03/04/2015 Page 8 Secure Java Platforms: Sm@rtCafé Expert Java Card Classic 3.0.4 GlobalPlatform 2.2.1 FIPS 140-2,](https://reader033.vdocuments.us/reader033/viewer/2022050109/5f476f26f7d9f006815b2b46/html5/thumbnails/5.jpg)
NIST Presentation
03/04/2015 Page 5
Purpose and Scope
Federal Network
HSDP-12
Access IT-
Resources via
Mobile Device
PIV Card credential
management
PIV Derived Credential in
hardware or software token
Life Cycle
Synchronisation
PIV Card
Derived PIV credential
management
Identity proofing and vetting process not
needed for PIV derived credential
=> Applicant can prove his/her identity via
already issued PIV Card
![Page 6: Derived PIV Credentials Token Form Factors …...NIST Presentation 03/04/2015 Page 8 Secure Java Platforms: Sm@rtCafé Expert Java Card Classic 3.0.4 GlobalPlatform 2.2.1 FIPS 140-2,](https://reader033.vdocuments.us/reader033/viewer/2022050109/5f476f26f7d9f006815b2b46/html5/thumbnails/6.jpg)
NIST Presentation
03/04/2015 Page 6
Use Cases with Derived PIV Credentials
Logical Access
Physical Access
or
Secure Mail
Communication
Secure Cloud
Storage
Secure Web
Authentication
Possible Use Cases:
Card with PIN for Physical Access
Secure OS Logon
Secure E-mail
Secure Web Authentication
File Decryption
VPN
Any other PKI-/Smart-Card-Application
Digital
Signature
Proposal of
NIST SP800-157, Guidelines for Personal Identity
Verification (PIV) Derived Credentials
![Page 7: Derived PIV Credentials Token Form Factors …...NIST Presentation 03/04/2015 Page 8 Secure Java Platforms: Sm@rtCafé Expert Java Card Classic 3.0.4 GlobalPlatform 2.2.1 FIPS 140-2,](https://reader033.vdocuments.us/reader033/viewer/2022050109/5f476f26f7d9f006815b2b46/html5/thumbnails/7.jpg)
NIST Presentation
03/04/2015 Page 7
G&D Products geared towards Derived PIV Credentials2
![Page 8: Derived PIV Credentials Token Form Factors …...NIST Presentation 03/04/2015 Page 8 Secure Java Platforms: Sm@rtCafé Expert Java Card Classic 3.0.4 GlobalPlatform 2.2.1 FIPS 140-2,](https://reader033.vdocuments.us/reader033/viewer/2022050109/5f476f26f7d9f006815b2b46/html5/thumbnails/8.jpg)
NIST Presentation
03/04/2015 Page 8
Secure Java Platforms: Sm@rtCafé Expert
Java Card Classic 3.0.4
GlobalPlatform 2.2.1
FIPS 140-2, level 3 certified: “Security
Requirements for Cryptographic Modules”
CC certified according to EAL 5+
Dual Interface with communication speeds,
Contact up to 223 kbit/s
Contactless up to 848 kbit/s
Encryption:
AES up to 256 bits
RSA up to 3072 bits
ECC up to 521 bits
Hash up to SHA-512
On-Board RSA and ECC Key Generation
![Page 9: Derived PIV Credentials Token Form Factors …...NIST Presentation 03/04/2015 Page 8 Secure Java Platforms: Sm@rtCafé Expert Java Card Classic 3.0.4 GlobalPlatform 2.2.1 FIPS 140-2,](https://reader033.vdocuments.us/reader033/viewer/2022050109/5f476f26f7d9f006815b2b46/html5/thumbnails/9.jpg)
NIST Presentation
03/04/2015 Page 9
SkySIM CX: G&D UICC for High-End SIMs/eSE
SkySIM is a highly efficient and configurable Java
Card platform
Operating system usable regardless of the mobile
network (GSM, UMTS, CDMA or LTE)
Certification: CC-certified (EAL 4+)
Mobile ID Solution in use: Vodafone Secure SIM
Supports Secure Login
Supports Secure Data
Portfolio of applets for UICC available
E.g. Mobile Payment, Identity, Transit, Access
Aspects of FIPS140-2 for an UICC, e.g.
performance, algorithms and application
management, being analysed
![Page 10: Derived PIV Credentials Token Form Factors …...NIST Presentation 03/04/2015 Page 8 Secure Java Platforms: Sm@rtCafé Expert Java Card Classic 3.0.4 GlobalPlatform 2.2.1 FIPS 140-2,](https://reader033.vdocuments.us/reader033/viewer/2022050109/5f476f26f7d9f006815b2b46/html5/thumbnails/10.jpg)
NIST Presentation
03/04/2015 Page 10
StarSign Crypto USB Token
Token OS Sm@rtCafé Expert
FIPS 140-2, level 3 certified
Supports several USB standards
Interfaces include CCID and PC/SC
Solution depends on smart card chip
technology
![Page 11: Derived PIV Credentials Token Form Factors …...NIST Presentation 03/04/2015 Page 8 Secure Java Platforms: Sm@rtCafé Expert Java Card Classic 3.0.4 GlobalPlatform 2.2.1 FIPS 140-2,](https://reader033.vdocuments.us/reader033/viewer/2022050109/5f476f26f7d9f006815b2b46/html5/thumbnails/11.jpg)
NIST Presentation
03/04/2015 Page 11
Secure Micro-SD-Card
Availability
Micro-SD card is physically supported in
most handsets.
Management
requires Admin Agent Apps on mobiles
Communication over TCP/IP
Driver
Some Handset OS‘s need additional
driver support
FIPS/CC-certified
![Page 12: Derived PIV Credentials Token Form Factors …...NIST Presentation 03/04/2015 Page 8 Secure Java Platforms: Sm@rtCafé Expert Java Card Classic 3.0.4 GlobalPlatform 2.2.1 FIPS 140-2,](https://reader033.vdocuments.us/reader033/viewer/2022050109/5f476f26f7d9f006815b2b46/html5/thumbnails/12.jpg)
NIST Presentation
03/04/2015 Page 12
G&D Activities3
![Page 13: Derived PIV Credentials Token Form Factors …...NIST Presentation 03/04/2015 Page 8 Secure Java Platforms: Sm@rtCafé Expert Java Card Classic 3.0.4 GlobalPlatform 2.2.1 FIPS 140-2,](https://reader033.vdocuments.us/reader033/viewer/2022050109/5f476f26f7d9f006815b2b46/html5/thumbnails/13.jpg)
NIST Presentation
03/04/2015 Page 13
G&D‘s Activities for usage of derived PIV credentials
• Support of standardisation of the SIMalliance Open Mobile API.
• As a Member of GSMA Mobile ID Task Force to define anddescribe an architecture and solution together with US MNOs and other UICC manufacturers.
SupportingStandardisation
• Providing Open Source implementation of Open Mobile API (SEEK).
• Providing Mobile ID solutions with UICC in severalcustomer and technology projects (e.g. Vodavone Secure SIM).
• Token combination based on TEE with eSE. Applicationcan be loaded remotely.
• Proof of concepts for implementation of DerivedCredential Technologies.
Providing Solutions
![Page 14: Derived PIV Credentials Token Form Factors …...NIST Presentation 03/04/2015 Page 8 Secure Java Platforms: Sm@rtCafé Expert Java Card Classic 3.0.4 GlobalPlatform 2.2.1 FIPS 140-2,](https://reader033.vdocuments.us/reader033/viewer/2022050109/5f476f26f7d9f006815b2b46/html5/thumbnails/14.jpg)
NIST Presentation
03/04/2015 Page 14
Conclusion4
![Page 15: Derived PIV Credentials Token Form Factors …...NIST Presentation 03/04/2015 Page 8 Secure Java Platforms: Sm@rtCafé Expert Java Card Classic 3.0.4 GlobalPlatform 2.2.1 FIPS 140-2,](https://reader033.vdocuments.us/reader033/viewer/2022050109/5f476f26f7d9f006815b2b46/html5/thumbnails/15.jpg)
NIST Presentation
03/04/2015 Page 15
Conclusion
SP 800-157 defines Derived PIV Credential Hardware Form Factors
Token operating systems are similiar to PIV-Cards.
Application can be derived from PIV.
APIs and interfaces in mobiles available (e.g. GP).
Technology of tokens available and deployed.
Certification is the same as for a PIV-Card.
Open Questions
Additional Driver for specific tokens has to be provided (e.g. µSD)
Several interfaces are required to establish the eco-system
Requirements for existing technologies like UICC may be in
contradiction to FIPS 140-2 (e.g. POST)
![Page 16: Derived PIV Credentials Token Form Factors …...NIST Presentation 03/04/2015 Page 8 Secure Java Platforms: Sm@rtCafé Expert Java Card Classic 3.0.4 GlobalPlatform 2.2.1 FIPS 140-2,](https://reader033.vdocuments.us/reader033/viewer/2022050109/5f476f26f7d9f006815b2b46/html5/thumbnails/16.jpg)
NIST Presentation
03/04/2015 Page 16
Contact:
Jatin Deshpande [email protected]
Werner Ness [email protected]