PIV cards and Mobile Devices

PIV cards and Mobile Devices

Douglas E Engert
People on this list might be interested in this draft NIST document,
which is open for comments until April 21.

http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-7981

It deals with phones, tablets, NFC, USB readers and derived credentials.
Since current PIV cards do not support Secure Messaging, NFC is not
an option today, but it could be in the future.

You may also be interested in 800-157, which is listed on the same page.

http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-157

Derived credentials could be stored on the phone, or on a device that
does support NFC.



-- Douglas E. Engert <[hidden email]>

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: PIV cards and Mobile Devices

Anders Rundgren-2
On 2014-03-10 19:49, Douglas E Engert wrote:

> People on this list might be interested in this draft NIST document,
> which is open for comments until April 21.
>
> http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-7981
>
> It deals with phones, tablets, NFC, USB readers and derived credentials.
> Since current PIV cards do not support Secure Messaging, NFC is not
> an option today, but it could be in the future.
>
> You may also be interested in 800-157, which is listed on the same page.
>
> http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-157
>
> Derived credentials could be stored on the phone, or on a device that
> does support NFC.

Regarding 800-157:
A somewhat sad fact is that NIST doesn't consider provisioning a problem.

NIST's vision is dated; on-line derivation of a PIV login can without doubt
support the highest level of assurance. Physical presence is only needed
for the primary (original) PIV credential.

Using SIMs and uSD also isn't particularly useful when the device vendors are
[almost] exclusively working with embedded security which they need to do
anyway to keep the OS in shape:
https://www.samsungknox.com/en/solutions/knox/technical

Related issue:
http://webpki.org/papers/key-access.pdf
What good is FIPS validation of a crypto module if the surrounding architecture is broken?

Anders





Re: PIV cards and Mobile Devices

Martin Paljak-4


On 10/03/14 19:55, Anders Rundgren wrote:
> What good is FIPS validation of a crypto module if the surrounding
> architecture is broken?

If the "surrounding stuff" is broken - as in there is no functioning
link across the security boundary of the crypto module - everything
is very secure and can't be breached :)

--
Martin
+372 515 6495


Re: PIV cards and Mobile Devices

Douglas E Engert
On 3/10/2014 2:55 PM, Anders Rundgren wrote:

> On 2014-03-10 19:49, Douglas E Engert wrote:
>> People on this list might be interested in this draft NIST document,
>> which is open for comments until April 21.
>>
>> http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-7981
>>
>> It deals with phones, tablets, NFC, USB readers and derived credentials.
>> Since current PIV cards do not support Secure Messaging, NFC is not
>> an option today, but it could be in the future.
>>
>> You may also be interested in 800-157, which is listed on the same page.
>>
>> http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-157
>>
>> Derived credentials could be stored on the phone, or on a device that
>> does support NFC.
> Regarding 800-157:
> A somewhat sad fact is that NIST doesn't consider provisioning a problem.

From NIST's viewpoint, cards are issued to government employees and contractors in person,
where fingerprints and ID documents are verified. Part of the process is a background check
that may take weeks. So provisioning is well defined in their model.

>
> NIST's vision is dated; on-line derivation of a PIV login can without doubt
> support the highest level of assurance. Physical presence is only needed
> for the primary (original) PIV credential.

They are trying to be pragmatic about what they can and can't do. With Google and Apple driving the
phone and tablet market, they have to fit in. With Apple changing the plug on new phones, it is
hard to have a smartcard reader. At least NIST is trying to address the use of NFC.

If the credit card companies in the US finally start using some form of smart card, maybe the
phone/tablet vendors will support them as well. In November there was a major breach of
information, traced to a large store, Target, in the US. Their profits dropped 46%.

http://www.nasdaq.com/article/target-profit-declines-on-data-breach-fallout--3rd-update-20140226-01428

http://www.dailytech.com/Target+Calls+to+Replace+Credit+Debit+Cards+with+Smartcards+After+Security+Breach/article34259.htm

>
> Using SIMs and uSD also isn't particularly useful when the device vendors are
> [almost] exclusively working with embedded security which they need to do
> anyway to keep the OS in shape:
> https://www.samsungknox.com/en/solutions/knox/technical
>
> Related issue:
> http://webpki.org/papers/key-access.pdf
> What good is FIPS validation of a crypto module if the surrounding architecture is broken?
>
> Anders
>
>

--
Douglas E. Engert <[hidden email]>



Re: PIV cards and Mobile Devices

Anders Rundgren-2
On 2014-03-10 23:20, Douglas E Engert wrote:

>
> On 3/10/2014 2:55 PM, Anders Rundgren wrote:
>> On 2014-03-10 19:49, Douglas E Engert wrote:
>>> People on this list might be interested in this draft NIST document,
>>> which is open for comments until April 21.
>>>
>>> http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-7981
>>>
>>> It deals with phones, tablets, NFC, USB readers and derived credentials.
>>> Since current PIV cards do not support Secure Messaging, NFC is not
>>> an option today, but it could be in the future.
>>>
>>> You may also be interested in 800-157, which is listed on the same page.
>>>
>>> http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-157
>>>
>>> Derived credentials could be stored on the phone, or on a device that
>>> does support NFC.
>> Regarding 800-157:
>> A somewhat sad fact is that NIST doesn't consider provisioning a problem.
>
> From NIST's viewpoint, cards are issued to government employees and contractors in person,
> where fingerprints and ID documents are verified. Part of the process is a background check
> that may take weeks. So provisioning is well defined in their model.
>
>>
>> NIST's vision is dated; on-line derivation of a PIV login can without doubt
>> support the highest level of assurance. Physical presence is only needed
>> for the primary (original) PIV credential.
>
> They are trying to be pragmatic about what they can and can't do. With Google and Apple driving the
> phone and tablet market, they have to fit in. With Apple changing the plug on new phones, it is
> hard to have a smartcard reader. At least NIST is trying to address the use of NFC.

HCE points in a direction.


> If the credit card companies in the US finally start using some form of smart card, maybe the
> phone/tablet vendors will support them as well. In November there was a major breach of
> information, traced to a large store, Target, in the US. Their profits dropped 46%.
>
> http://www.nasdaq.com/article/target-profit-declines-on-data-breach-fallout--3rd-update-20140226-01428
>
> http://www.dailytech.com/Target+Calls+to+Replace+Credit+Debit+Cards+with+Smartcards+After+Security+Breach/article34259.htm

Since EMV cards remain useless on the Internet, I don't see why the US should invest in this technology.

Anders

>>
>> Using SIMs and uSD also isn't particularly useful when the device vendors are
>> [almost] exclusively working with embedded security which they need to do
>> anyway to keep the OS in shape:
>> https://www.samsungknox.com/en/solutions/knox/technical
>>
>> Related issue:
>> http://webpki.org/papers/key-access.pdf
>> What good is FIPS validation of a crypto module if the surrounding architecture is broken?
>>
>> Anders
>>
>>

