Re: [Fed-Talk] DISA to test mobile ID, replacement for CAC
- Subject: Re: [Fed-Talk] DISA to test mobile ID, replacement for CAC
- From: "Miller, Timothy J." <email@hidden>
- Date: Thu, 17 Apr 2014 12:38:50 +0000
- Thread-topic: [Fed-Talk] DISA to test mobile ID, replacement for CAC
>Forgive my ignorance. I'm trying to learn here. Are they eliminating the
>physical card?
No. FIPS 201-2 introduced the concept of a derived credential to the PIV (derived credentials were an existing concept in SP 800-63) to address usability [1]. The general idea is to use an existing set of credentials to obtain an additional set at the same or lower assurance level (rules for assurance levels for derived creds are in SP 800-63). These derived credentials can be a different form entirely than the primary [2].
Derived creds are intended to address use cases where the primary credential is difficult to use or unavailable. Mobile devices with smartcard credentials have become the example most discussed because smartcard reader integration into phones has been non-existent in the commercial space, and add-ons (sleds, dongles, and Bluetooth readers) are a usability nightmare.
Because NIST wants to have the same level of assurance for PIV derived credentials, derived creds are only to be used in logical authentication ceremonies--e.g., electronic authentication--and the private key protections have to be equivalent to the smartcard. That's why work has focused on Secure Elements and TEEs. In short, you can have creds on the phone, but they'll only be usable *from the phone*; they won't be used for, say, logon to your workstation, or as a flash pass.
-- T
[1] FIPS 201-2 also introduced the "virtual contact interface," which is a securable wireless interface to the chip card that can activate the private keys. This is different from the current contactless interface which is not capable of private key operations because the standard used isn't securable. The virtual contact interface could be implemented with NFC or other externally-powered wireless standards. This would also apply to mobile devices and would be more usable than current readers (e.g., you'd enter the PIN and tap the card to the phone). But since this requires hardware support in both the mobile device and the smartcard, it'll be several years before it's available. Expect this in the future.
[2] A good example is Google users with two-factor authentication enabled; in this case users have a primary credential consisting of a memorized secret token (password) and an out-of-band token (SMS verification code). However, these users can also create a derived credential consisting of a single look-up secret token (table of one-time passcodes) for use when the out-of-band token device (your phone) is unavailable. FWIW, Google is not using NIST rules, but the example is still illustrative.
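The ceremony the message above describes, modelled as an added example (not code from the e-mail, from NIST, or from DISA): a primary credential (a stand-in for the PIV card) is used to obtain a derived credential that is issued at the same or lower assurance level, is usable only in logical authentication and only from the device it was bound to, and can take a different form (a device-bound key or a lookup-secret table of one-time codes, as in footnote [2]). Everything here is a simplification: the `Authority` class, the integer assurance levels, and the HMAC challenge-response standing in for the card's private-key signature are all hypothetical, chosen so the example runs with the standard library alone.

```python
"""Toy model of a derived-credential ceremony (FIPS 201-2 / SP 800-63 style).

Added example; not code from the original message or any standard.
Assumptions (hypothetical): assurance levels are integers (higher = stronger);
the PIV card's private-key operation is replaced by an HMAC over a challenge;
a derived credential is a device-bound key or a lookup-secret code table.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

LOGICAL = "logical"    # electronic authentication (app / network logon)
PHYSICAL = "physical"  # workstation smartcard logon, door access, flash pass


@dataclass
class PrimaryCredential:
    """Stand-in for the PIV card: PIN-activated key, valid for logical and physical use."""
    level: int
    pin_hash: bytes
    key: bytes


@dataclass
class DerivedCredential:
    level: int
    kind: str                          # "device_key" or "lookup_secret"
    device_id: Optional[str] = None    # device_key creds only work from this device
    key: Optional[bytes] = None
    codes: set = field(default_factory=set)  # unused one-time codes (lookup_secret)
    scope: str = LOGICAL               # derived creds are never valid for PHYSICAL


def _pin_hash(pin: str) -> bytes:
    return hashlib.sha256(pin.encode()).digest()


def respond(key: bytes, challenge: bytes) -> bytes:
    """What the card or phone does with a challenge (HMAC stands in for signing)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Authority:
    """Hypothetical issuer/verifier that enforces the derived-credential rules."""

    def __init__(self):
        self.primary: dict[str, PrimaryCredential] = {}
        self.derived: dict[str, DerivedCredential] = {}

    def enroll_primary(self, ident: str, pin: str, level: int) -> bytes:
        key = secrets.token_bytes(32)
        self.primary[ident] = PrimaryCredential(level, _pin_hash(pin), key)
        return key  # the copy "loaded onto the card"

    def auth_primary(self, ident, pin, challenge, response) -> Optional[int]:
        """Returns the assurance level reached, or None on failure."""
        cred = self.primary.get(ident)
        if cred is None or not hmac.compare_digest(_pin_hash(pin), cred.pin_hash):
            return None
        if not hmac.compare_digest(respond(cred.key, challenge), response):
            return None
        return cred.level

    def issue_derived(self, ident, pin, challenge, response, kind, level,
                      device_id=None, n_codes=10):
        """Derive a new credential from a successful primary authentication."""
        reached = self.auth_primary(ident, pin, challenge, response)
        if reached is None:
            raise PermissionError("primary authentication failed")
        if level > reached:  # SP 800-63 rule: same or lower assurance only
            raise ValueError("derived credential may not exceed primary assurance")
        if kind == "device_key":
            cred = DerivedCredential(level, kind, device_id, secrets.token_bytes(32))
            self.derived[ident] = cred
            return cred.key  # provisioned into the phone's secure element/TEE
        if kind == "lookup_secret":
            codes = {secrets.token_hex(4) for _ in range(n_codes)}
            self.derived[ident] = DerivedCredential(level, kind, codes=set(codes))
            return sorted(codes)  # the printed backup-code table
        raise ValueError("unknown credential kind")

    def auth_derived(self, ident, context=LOGICAL, device_id=None,
                     challenge=None, response=None, code=None) -> Optional[int]:
        cred = self.derived.get(ident)
        if cred is None or context != cred.scope:
            return None  # no workstation logon, no flash pass
        if cred.kind == "device_key":
            if device_id != cred.device_id or challenge is None or response is None:
                return None
            ok = hmac.compare_digest(respond(cred.key, challenge), response)
            return cred.level if ok else None
        if code in cred.codes:
            cred.codes.discard(code)  # each lookup secret is single-use
            return cred.level
        return None
```

Because the derived credential's scope is fixed to LOGICAL at issuance, the verifier rejects it for physical contexts regardless of how strong the key protection is, which is the point the message makes about phone credentials being usable only from the phone.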