Re: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone
  • Subject: Re: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone
  • From: Matt Stier <email@hidden>
  • Date: Fri, 25 Jan 2013 13:07:07 -0500

Shawn,

I will address your comments below.


This thread all began with a simple question from  "Matt Stier" <email@hidden> on 1/11/13 2:44 PM:

Afternoon Folks,
I will soon be working with a DoD customer that wants to "get iPads on the network."  To me there are two primary hurdles and they are using FIPS 140-2 validated crypto for WPA2-Enterprise (thankfully Apple is back on the FIPS in process list) and second is the ability to use certificate based authentication (EAP-TLS).  Unfortunately, standing up a CA like many of the commercial folks do is a no go for us so we need to use the certs on our CAC.

I am still trying to understand the reference here with "thankfully Apple is back on the FIPS in process list".  Are you indicating it was taken off the list?  Apple has continued to commit significant resources towards FIPS 140-2 Conformance Validation for the Cryptographic Modules used within iOS & OSX.  All modules were submitted on Aug 6, 2012 and due to the significant backlog with the CMVP/CSEC validation queue, no one at CMVP/CSEC has even begun to look at it -- coming up on 6 months.  Apple has remained on the list and has not now come back on the list.

If I am not mistaken, Apple (cannot remember if it was OSX or iOS related) was on the list roughly a year ago, but was removed for some reason either by Apple or another entity.  That is what I was referring to in my "thankfully" comment.


Certificate based authentication (EAP-TLS) has been available in iOS, but I think what you really meant to say is for Identity based authentication (EAP-TLS) using an external hardware token (Smart Card) natively with iOS.


Yes, I meant to include the "CAC" or "smart card" in my second hurdle of getting iOS devices on the network.  I guess I just assumed the subject would help imply that part.  Thank you for clearing it up.  

"Matt Stier" <email@hidden> on 1/11/13 2:44 PM:
Does anyone out there know of any agencies that have accomplished the ability to associate a CAC with a network authentication profile?  If so, I would be very appreciative if you or they could share some information to help save the tax payers some money!

This was the simple and good question that Matt asked.  I believe what you are trying to ask is whether anyone is able to tie the use of identities from a Smart Card to authenticate with VPN / 802.1X on iOS.  Since iOS does not provide native Smart Card Services on iOS, this would not be possible today with the built-in services.  What could happen right now is for any of the third-party SSL VPN vendors to incorporate support for devices such as the Tactivo™ into their VPN client and provide you full support for your card and VPN services.

I believe several folks have pointed out that Good and Thursby provide you that capability right now with a web browser service for SSL/TLS.

Yes, there are several folks either working on something or currently supporting identity based authentication using smart cards at layer 3 for VPNs, but the current wireless STIG requires it at layer 2 via 802.1X.  I assume that is why the draft iOS STIG prohibits connecting to NIPRNet WLANs in section 2.4.1.  Hopefully there will be a change to the STIG to allow for the use of device based soft certs and policy will change to allow entities to stand up a CA and issue those certs to devices.

We've been deploying enterprise WLANs across the DoD for over 6 or 7 years now and policy and/or risk resistant ODAAs make it very difficult for us to keep up with technology.  That is nothing new though.


-Matt

Matt Stier, CISSP/CWNA/ACMA
SPAWAR, Atlantic
Phone: 843.321.WLAN (9526) | Fax 843.218.6605 
Email: email@hidden

On Jan 24, 2013, at 11:51 AM, Shawn Geddis wrote:

Fed-Talk Community,

Before anyone has an aneurysm over this, please allow me to make a few statements to clear up apparent confusion in the area of Smart Card use with an iOS device.

This thread all began with a simple question from  "Matt Stier" <email@hidden> on 1/11/13 2:44 PM:

Afternoon Folks,
I will soon be working with a DoD customer that wants to "get iPads on the network."  To me there are two primary hurdles and they are using FIPS 140-2 validated crypto for WPA2-Enterprise (thankfully Apple is back on the FIPS in process list) and second is the ability to use certificate based authentication (EAP-TLS).  Unfortunately, standing up a CA like many of the commercial folks do is a no go for us so we need to use the certs on our CAC.

I am still trying to understand the reference here with "thankfully Apple is back on the FIPS in process list".  Are you indicating it was taken off the list?  Apple has continued to commit significant resources towards FIPS 140-2 Conformance Validation for the Cryptographic Modules used within iOS & OSX.  All modules were submitted on Aug 6, 2012 and due to the significant backlog with the CMVP/CSEC validation queue, no one at CMVP/CSEC has even begun to look at it -- coming up on 6 months.  Apple has remained on the list and has not now come back on the list.

If I am not mistaken, Apple (cannot remember if it was OSX or iOS related) was on the list roughly a year ago, but was removed for some reason either by Apple or another entity.  That is what I was referring to in my "thankfully" comment.


Certificate based authentication (EAP-TLS) has been available in iOS, but I think what you really meant to say is for Identity based authentication (EAP-TLS) using an external hardware token (Smart Card) natively with iOS.


Yes, I meant to include the "CAC" or "smart card" in my second hurdle of getting iOS devices on the network.  I guess I just assumed the subject would help imply that part.  Thank you for clearing it up.  


On Jan 23, 2013, at 3:27 PM, Henry B. Hotz <email@hidden> wrote:
While the hardware of iPhone/iPad will support USB devices (like cameras), adding support for CCID-profile devices (smart card readers) violates the security policies of the OS and must come from Apple.

iOS devices have either the older "30-pin" or the new "Lightning" connector.  The connector is not tied to any protocol, but rather MFI Approved External Accessories - can use just about any standard/proprietary protocol.

iOS 6 does not provide any system-wide Smart Card Services to iOS Apps -- the supporting architecture does not exist on iOS as it does on OSX.  iOS Developers, such as Thursby, Good, etc. can all integrate Smart Card services with hardware accessories like the Tactivo™ from Precise Biometrics into their products on a case-by-case basis as a value add to customers.  It does not violate any Apple Developer guidelines or requirements, but rather is providing a necessary service for many that want/need to use a Smart Card with an iOS Device right now.  It does mean that it would require individual App integration and does not have integration into Apple iOS Apps (i.e. MobileSafari, MobileMail, etc.).

On Jan 23, 2013, at 7:09 PM, Henry B. Hotz <email@hidden> wrote:
You guys do good work that deserves to be supported.
That said, I really wish that Apple would do what they did in Snow Leopard, where they said a standards-conforming reader and card should "just work" the way most cameras reportedly "just work" with iPhone/iPad.  I note that an SCR-331 CCID-conforming card reader is *not* supported by iOS out of the box.

OSX's Smart Card Services are backed by CDSA, which everyone should know was deprecated with the release of OS X Lion v10.7.  On OS X, all of the architectural components are still there except the Tokend modules installer needs to be downloaded from our SmartCardServices Project @ MacOSForge.org as well as the need to add the authentication mechanism line back into /etc/authorization.  Commercial products are also available to augment or replace what continues to be available from MacOSForge.org.


"Matt Stier" <email@hidden> on 1/11/13 2:44 PM:
Does anyone out there know of any agencies that have accomplished the ability to associate a CAC with a network authentication profile?  If so, I would be very appreciative if you or they could share some information to help save the tax payers some money!

This was the simple and good question that Matt asked.  I believe what you are trying to ask is whether anyone is able to tie the use of identities from a Smart Card to authenticate with VPN / 802.1X on iOS.  Since iOS does not provide native Smart Card Services on iOS, this would not be possible today with the built-in services.  What could happen right now is for any of the third-party SSL VPN vendors to incorporate support for devices such as the Tactivo™ into their VPN client and provide you full support for your card and VPN services.

I believe several folks have pointed out that Good and Thursby provide you that capability right now with a web browser service for SSL/TLS.

Yes, there are several folks either working on or currently supporting identity based authentication using smart cards at layer 3 for VPNs, but the current wireless STIG requires it at layer 2 via 802.1X.



Given ubiquitous PKI support, the card should, IMO, be just an OS device driver issue, not an application issue.

I would agree that it would be very nice to rely on integrated services for use of various hardware tokens.  I will strongly disagree that it is simply a device driver issue -- tight integration like smart cards have on OS X does not come through the OS vendor simply dropping in a device driver - it is much more than that.

- Shawn
________________________________________
Shawn Geddis   
Security Consulting Engineer 
Apple Enterprise Division