3/7/2014
02:34 PM

Feds Move Toward Hardwired Credentials On Mobile Devices

NIST proposes ways for mobile-device users to access government networks without requiring smart-card readers.

The National Institute of Standards and Technology (NIST) is soliciting comments on draft guidelines for authenticating mobile-device users accessing government networks. The guidelines expand on other standards for using digital credentials derived from personal identity verification (PIV) cards, given that many smartphones and tablets do not have smartcard readers to scan the PIV cards.

Special Publication 800-157 offers guidelines for implementing secure, standards-based public-key infrastructure (PKI) credentials without requiring a physical card reader. In this scenario, a digital token derived from credentials stored on the PIV card could be used as an alternative to the card in approved situations.

The most recent release of the Federal Information Processing Standard for PIV Cards (FIPS 201-2) included standards for using PIV-derived credentials with mobile devices. The new draft publication, Guidelines for Derived Personal Identity Verification (PIV) Credentials, provides requirements on: how to issue, maintain, and terminate credentials; certificate policies and cryptographic specifications; technical specifications for permitted cryptographic token types; and command interfaces for removable tokens.

Smart chip on a PIV card.  (Source: NIST)

Homeland Security Presidential Directive 12, published in 2004, mandated the PIV card to provide a common identification standard including digital data to be used across government for both logical and physical access. The card contains not only printed information and a photograph, but also digital information and cryptographic PKI keys on a smart chip. FIPS 201 was created in 2005 with standards for the card and its interfaces; the card was then used primarily with desktop and laptop computers.

The draft publication said that "the use of PIV cards has proved challenging" with modern mobile devices. Most mobile devices do not have integrated smart-card readers, making it difficult to use the required PIV cards for access to federal resources.

Some devices, especially tablets aimed at the government market, now include smart-card readers, and separate readers also are available as add-ons. Devices enabled for Near Field Communications also could wirelessly connect with PIV cards using the card's contactless antenna at close range, but a secure channel between the card and device cannot always be ensured. When it's impractical to use card readers or NFC, the new standards and specifications will allow alternative forms of derived credentials, such as microSD or USB tokens, Universal Integrated Circuit Cards, or embedded circuits in the mobile device.

Comments on the draft guidelines should be sent by April 21 to piv_comments@nist.gov, using a provided Excel template.

William Jackson is a technology writer based in Washington, D.C. He has been a journalist for more than 35 years, most recently covering the $80 billion federal government IT sector for Government Computer News. His coverage has ranged from architecture to international ...

Comments
danielcawrey,
User Rank: Ninja
3/10/2014 | 6:11:37 PM
Re: Mobile buzz
I think that implementing a hardware solution is a good idea. This just makes it much harder for malicious actors to be able to break in - hardware is another gauntlet to get through. And it is a tough one to crack. 
WKash,
User Rank: Author
3/7/2014 | 3:08:58 PM
Mobile buzz
DOD CIO Teri Takai spoke just this last week about the importance this development will have in the Defense Department's mobility strategy by eventually getting away from using PIV cards and mobile card readers. The NIST doc is now up for 45-day comment. It will be interesting to see the response, especially since this will involve an encrypted hardware approach, not a software solution.