Feds Move Toward Hardwired Credentials On Mobile Devices
NIST proposes ways for mobile-device users to access government networks without requiring smart-card readers.
The National Institute of Standards and Technology (NIST) is soliciting comments on draft guidelines for authenticating mobile-device users accessing government networks. The guidelines expand on other standards for using digital credentials derived from personal identity verification (PIV) cards, given that many smartphones and tablets do not have smartcard readers to scan the PIV cards.
Special Publication 800-157 offers guidelines for implementing secure, standards-based public-key infrastructure (PKI) credentials without requiring a physical card reader. In this scenario, a digital token derived from credentials stored on the PIV card could be used as an alternative to the card in approved situations.
The most recent release of the Federal Information Processing Standard for PIV Cards (FIPS 201-2) included standards for using PIV-derived credentials with mobile devices. The new draft publication, Guidelines for Derived Personal Identity Verification (PIV) Credentials, provides requirements on: how to issue, maintain, and terminate credentials; certificate policies and cryptographic specifications; technical specifications for permitted cryptographic token types; and command interfaces for removable tokens.
Smart chip on a PIV card. (Source: NIST)
Homeland Security Presidential Directive 12, published in 2004, mandated the PIV card to provide a common identification standard including digital data to be used across government for both logical and physical access. The card contains not only printed information and a photograph, but also digital information and cryptographic PKI keys on a smart chip. FIPS 201 was created in 2005 with standards for the card and its interfaces, which was then primarily used with desktop and laptop computers.
The draft publication said that "the use of PIV cards has proved challenging" with modern mobile devices. Most mobile devices do not have integrated smart-card readers, making it difficult to use the required PIV cards for access to federal resources.
Some devices, especially tablets aimed at the government market, now include smart-card readers, and separate readers also are available as add-ons. Devices enabled for Near Field Communications also could wirelessly connect with PIV cards using the card's contactless antenna at close range, but a secure channel between the card and device cannot always be ensured. When it's impractical to use card readers or NFC, the new standards and specifications will allow alternative forms of derived credentials, such as microSD or USB tokens, Universal Integrated Circuit Cards, or embedded circuits in the mobile device.
Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.
William Jackson is a technology writer based in Washington, D.C. He has been a journalist for more than 35 years, most recently covering the $80 billion federal government IT sector for Government Computer News. His coverage has ranged from architecture to international ... View Full Bio
Security Job #1 For FedsThe 2014 InformationWeek Government IT Priorities Survey shows federal IT pros care about security - itís rated as very important by 69% of respondents, 30 percentage points ahead of the No. 2 priority, disaster recovery. Will the upcoming NIST cyber-security framework help manage risk?
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.