http://www.precisebiometrics.com/tactivo™-smart-card-and-fingerprint-sensor-iphone only for old iPhones? Uses micro-USB for charging and synchronization--interesting this passes Apple's muster. Why not the correct 30-pin? The demo video includes a dig at Apple by saying it uses the "same standard micro USB connector used by the global market."
demo video uses Flash (ugh!)
Still an interesting product but for $250, ouch!
On Jan 24, 2013, at 8:51 AM, Shawn Geddis < email@hidden> wrote:
Fed-Talk Community,
Before anyone has an aneurism over this, please allow me to make a few statements to clear up apparent confusion in the area of Smart Card use with an iOS device.
This thread all began with a simple question from "Matt Stier" < email@hidden> on 1/11/13 2:44 PM:
Afternoon Folks,
I will soon be working with a DoD customer that wants to "get iPads on the network." To me there are two primary hurdles and they are using FIPS 140-2 validated crypto for WPA2-Enterprise
(thankfully Apple is back on the FIPS in process list) and second is the ability to use certificate based authentication (EAP-TLS). Unfortunately, standing up a CA like many of the commercial folks do is a no go for us so we need to use the certs on
our CAC.
I am still trying to understand the reference here with "thankfully Apple is back on the FIPS in process list". Are you indicating it was taken off the list? Apple has continued to commit significant resources towards FIPS 140-2 Conformance Validation for the Cryptographic Modules used within iOS & OSX. All modules were submitted on Aug 6, 2012 and due to the significant backlog with the CMVP/CSEC validation queue, no one at CMVP/CSEC has even begun to look at it -- coming up on 6 months. Apple has remained on the list and has not now come back on the list.
Certificate based authentication (EAP-TLS) has been available in iOS, but I think what you really meant to say is for Identity based authentication (EAP-TLS) using an external hardware token (Smart Card) natively with iOS.
On Jan 23, 2013, at 3:27 PM, Henry B. Hotz <email@hidden> wrote:
While the hardware of iPhone/iPad will support USB devices (like cameras), adding support for CCID-profile devices (smart card readers) violates the security policies of the OS and must come from Apple.
iOS devices have either the older "30-pin" or the new "Lightning" connector. The connector is not tied to any protocol, but rather MFi Approved External Accessories - can use just about any standard/proprietary protocol.
iOS 6 does not provide any system-wide Smart Card Services to iOS Apps -- the supporting architecture does not exist on iOS as it does on OSX. iOS Developers, such as Thursby, Good, etc. can all integrate Smart Card services with hardware accessories like the Tactivo™ from Precise Biometrics into their products on a case-by-case basis as a value add to customers. It does not violate any Apple Developer guidelines or requirements, but rather is providing a necessary service for many that want/need to use a Smart Card with an iOS Device right now. It does mean that it would require individual App integration and does not have integration into Apple iOS Apps (i.e. MobileSafari, MobileMail, etc.).
On Jan 23, 2013, at 7:09 PM, Henry B. Hotz < email@hidden> wrote:
You guys do good work that deserves to be supported.
That said, I really wish that Apple would do what they did in Snow Leopard, where they said a standards-conforming reader and card should "just work" the way most cameras reportedly "just work" with iPhone/iPad. I note that an SCR-331 CCID-conforming card reader is *not* supported by iOS out of the box.
OSX's Smart Card Services are backed by CDSA, which everyone should know was deprecated with the release of OS X Lion v10.7. On OS X, all of the architectural components are still there except the Tokend modules installer needs to be downloaded
from our SmartCardServices Project @ MacOSForge.org as well as the need to add the authentication mechanism line back into /etc/authorization. Commercial products are also available to augment or replace what continues
to be available from MacOSForge.org.
"Matt Stier" <email@hidden> on 1/11/13 2:44 PM:
Does anyone out there know of any agencies that have accomplished the ability to associate a CAC with a network authentication profile? If so, I would be very appreciative if you or they could share some information to help save the taxpayers some money!
This was the simple and good question that Matt asked. I believe what you are trying to ask is whether anyone is able to tie the use of identities from a Smart Card to authenticate with VPN / 802.1X on iOS. Since iOS does not provide native Smart Card
Services on iOS, this would not be possible today with the built-in services. What could happen right now is for any of the third-party SSL VPN vendors to incorporate support for devices such as the Tactivo™ into their VPN client and provide you full support
for your card and VPN services.
I believe several folks have pointed out that Good and Thursby provide you that capability right now with a web browser service for SSL/TLS.
Given ubiquitous PKI support, the card should, IMO, be just an OS device driver issue, not an application issue.
I would agree that it would be very nice to rely on integrated services for use of various hardware tokens. I will strongly disagree that it is simply a device driver issue -- tight integration like smart cards have on OS X does not come through the OS
vendor simply dropping in a device driver - it is much more than that.
- Shawn
________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94551-0808
email@hidden