NFC Identity and Access Control · 02.06.2014

NFC Identity and Access Control Peter Cattaneo Vice President, Business Development

Post on 19-Oct-2020


TRANSCRIPT

  • NFC Identity and Access Control

    Peter Cattaneo Vice President, Business Development

  • Agenda

    NFC Identity and Access Control 2

    • Basics

    • NFC User Interactions

    • Architecture: (F)ICAM, Physical Access, Logical Access

    • Future Evolution

  • Basics – NFC Radio Capabilities

    - Very Short Range - Typically requires touch or tap

    - Shows user intent

    - Compatible with Contactless Smart Cards (ISO 14443); works both ways:

      - Use credentials from a smart card on-device, e.g. sign an email with a key on your smart badge

      - Emulate a smart card, e.g. use your phone instead of a badge at the door

  • Basics – Secure Elements

    - Single Wire Protocol (SWP) connects some SEs to the NFC radio

      - NFC interface can power the SE over SWP; no battery required

      - SEs without SWP connections can interact over NFC via apps

    - Multiple Secure Element Options

      - SWP:

        - SIM / UICC

        - Embedded NFC SE

        - microSD card (emerging new standard)

      - Non-SWP:

        - Internal: Trusted Platform Module (TPM), Trusted Execution Environment (TEE)

        - External: Contact card reader, Bluetooth reader/device, Cloud (HCE)

  • Smart Card vs Mobile Device

    - Secure Element

    - User Interface

    - Communications Channel

    - Additional Sensors

  • Smart Card vs Mobile Device

    PIV card (Dual Interface Smart card)

    • One secure element

    • Contactless interface

      ‒ ISO 14443

    • Contact interface

      ‒ External ISO 7816

    NFC Device

    • Multiple secure elements

    • Contactless interface

      ‒ NFC (incl ISO 14443)

    • Contact interface

      ‒ Internal only

    • Communications

      ‒ Bluetooth, 3G, 4G, SMS, WiFi

    • Screen, keyboard

    • Camera, microphone

    • GPS

    • Fingerprint Sensor

    • Lots more …

  • NFC User Interactions

    1. Desktop Computer Application

    2. Physical Access - Opening a Door

    3. Mobile Device App

    4. Logical Remote Access from Mobile Device

  • User Interaction – Desktop Computer Application

    • Windows Login

    • Email signing

    • Secure Remote Access

    • …

    Diagram: Secure Credentials → Desktop Applications

  • User Interaction – Physical Access – Opening A Door

    • Unlock Door

    Diagram: Secure Credentials → Physical Access

  • User Interaction – Mobile Device App

    • File Encryption

    • Document Signing

    • …

    Diagram: Secure Credentials → Mobile Apps

  • User Interaction – Remote Access from Mobile Device

    Diagram: Secure Credentials → Cloud Data

  • (F)ICAM - Identity, Credential, and Access Management

    - Why ICAM?

      - US-based:

        - Standards

        - Policy Guidance

        - Best Practices

        - Vendor Support

        - Practical Experience:

          - All Federal Agencies

          - Many Federal Contractors

          - Other Commercial entities

      - Some other countries too! Including discussion of international standards.

    - NFC works well with other architectures. ICAM is just a well-known example

  • (F)ICAM - Identity, Credential, and Access Management

  • (F)ICAM - Identity, Credential, and Access Management

  • Logical Access – Credentials in Smart Card

    Applications

    Email

    • Mail Client Authentication

    • S/MIME - Signing / Encryption

    Document Management

    • Signing

    • Encryption

    • Synchronization Authentication

    Secure Remote Access

    • VPN

    • Secure Web Sites

    Mobile App Credentials

  • Logical Access – Credentials in Smart Card

    Issues

    • Contact Interface – no NFC; may be required for policy compliance

    • Contactless Interface Credential Access

      • Current FICAM – limited

      • FIPS 201-2 – full set using Opacity

    • Security Concerns

      • No different from contactless cards

    • Mobile Operating System API Support

      • How does an app access the credentials?

      • Few standards; limited support

  • Logical Access – Credentials in Mobile Device

    Applications

    Email

    • Mail Client Authentication

    • S/MIME - Signing / Encryption

    Document Management

    • Signing

    • Encryption

    • Synchronization Authentication

    Secure Remote Access

    • VPN

    • Secure Web Sites

    Other Application Credentials

  • Logical Access – Credentials in Mobile Device

    • Contact Interface – Accessible via Mobile App

      • App in device can access the SE via the contact interface

      • User interaction (e.g. PIN entry)

      • NFC via Card Emulation mode

    • Contactless Interface – Direct SE to NFC over SWP

      • No different from contactless cards

      • Battery not required

      • Perfect Card Emulation
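How an app reaches the credentials over the contact interface, as an added example that is not from the presentation: it builds the ISO 7816-4 SELECT and VERIFY APDUs a mobile app would send to a PIV applet in the SE and interprets the returned status word, including the retry counter that a PIN-entry dialog must surface before the PIN blocks. The SimulatedPivCard is a constructed stand-in for a real secure element so the script runs offline.

```python
import hmac
# Added example (not from the presentation); the simulated card is a constructed stand-in for the SE.
PIV_AID = bytes.fromhex("A000000308000010000100")  # PIV Card Application AID (SP 800-73)
PIV_PIN_KEY_REF = 0x80                             # key reference of the PIV application PIN

def build_select(aid: bytes) -> bytes:
    # SELECT by DF name: CLA=00 INS=A4 P1=04 P2=00 Lc=len(aid), then the AID
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid

def build_verify(pin: str, key_ref: int = PIV_PIN_KEY_REF) -> bytes:
    # VERIFY: CLA=00 INS=20 P1=00 P2=key_ref; a 6-8 digit PIN is padded to 8 bytes with 0xFF
    if not (6 <= len(pin) <= 8 and pin.isdigit()):
        raise ValueError("PIV PIN must be 6 to 8 digits")
    return bytes([0x00, 0x20, 0x00, key_ref, 0x08]) + pin.encode().ljust(8, b"\xff")

def interpret_status(sw1: int, sw2: int) -> dict:
    # Turn the card's status word into an outcome the app can act on
    if (sw1, sw2) == (0x90, 0x00):
        return {"ok": True, "retries": None, "blocked": False}
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:          # 63 Cx: wrong PIN, x retries left
        return {"ok": False, "retries": sw2 & 0x0F, "blocked": (sw2 & 0x0F) == 0}
    if (sw1, sw2) == (0x69, 0x83):                  # authentication method blocked
        return {"ok": False, "retries": 0, "blocked": True}
    return {"ok": False, "retries": None, "blocked": False}

class SimulatedPivCard:
    """Constructed stand-in for the SE: one PIN, a retry counter, selection state."""
    def __init__(self, pin: str = "123456", retries: int = 3):
        self._pin = pin.encode().ljust(8, b"\xff")
        self._max = self._left = retries
        self._selected = False

    def transmit(self, apdu: bytes) -> bytes:
        ins, p2, data = apdu[1], apdu[3], apdu[5:5 + apdu[4]]
        if ins == 0xA4 and data == PIV_AID:
            self._selected = True
            return b"\x90\x00"
        if ins == 0x20 and p2 == PIV_PIN_KEY_REF and self._selected:
            if self._left == 0:
                return b"\x69\x83"
            if hmac.compare_digest(data, self._pin):   # constant-time compare
                self._left = self._max
                return b"\x90\x00"
            self._left -= 1
            return bytes([0x63, 0xC0 | self._left])
        return b"\x6A\x82"                             # application not found

def verify_pin(card: SimulatedPivCard, pin: str) -> dict:
    card.transmit(build_select(PIV_AID))   # select the PIV application first
    resp = card.transmit(build_verify(pin))
    return interpret_status(resp[-2], resp[-1])
```

A real SE also returns 63 Cx after a wrong PIN, so the same interpret_status drives the "x attempts remaining" message and stops the app from burning the last retry silently.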

  • Physical Access – Credentials in Mobile Device

    • Contact Interface – Accessible via Mobile App

      • App in device can access the SE via the contact interface

      • User interaction (e.g. PIN entry)

      • NFC via Card Emulation mode

    • Contactless Interface – Direct SE to NFC over SWP

      • No different from contactless cards

      • Battery not required

      • Perfect Card Emulation

  • Physical Access – Credentials in Mobile Device

    • Available Today

      • Major PACS Vendors Support ISO 14443 devices

        • Smart Cards

        • NFC Devices

      • Standards-based and proprietary solutions

      • SWP SE solutions are seamless

    • Real Innovation in Development

      • Leveraging Device Capabilities

      • Communication via device

        • Reader can be off-line

      • Biometric Integration

      • Cloud-based Services

  • Future Evolution

    • Mobile Devices with NFC Enable New Capabilities

      Lots of Great Work in Many Different Categories

    • Interface Protocols

      • NFC Layered Security

        Secure Channel Against Eavesdropping

        Device Pairing

        FIPS 201-2 / ANSI Opacity

      • NFC + Other Communications Channels

        Bluetooth Secure Simple Pairing (SSP) with NFC

        Device Selection (improves user experience; ensures correct device is selected)

        Securely Connect (Out-of-band)

        Bluetooth Application Launch

    • Credential Policy

      • How Credentials in SEs used with NFC relate to other devices

      • Example: NIST 800-157 “Derived Credentials”

  • Future Evolution

    • Peer to Peer – Devices are Symmetric

      Example, mutual authentication

      • Instead of validating an employee badge with a handheld, any employee can validate any other

      Example, field incident security perimeter

      • Enables dynamic perimeter, real-time access to location, list of check in/check out

    • Making Dumb Readers Smart – Cost is in the phone

      • E.g. for higher security at night, give night access team phones with fingerprint readers

      • Use phone communication channels

  • Future Evolution

    • Engage Mobile Device Features with NFC – Combining elements to enhance security

      Biometrics

      • Fingerprint

      • Facial

      • Voice

      • Iris

      Location, Velocity, Temperature, …

    Example: Secure Unified Communications

    Everyone connects with their mobile device to the weekly project call. They are strongly authenticated with a crypto key in an SE, a facial image is captured and a fingerprint is verified. The device provides voice communication and a shared whiteboard. As per corporate policy, all participants are stationary (not driving) and indoors in an approved location (home, main office, branch office).
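The call-admission policy of the scenario above as an added example, not from the presentation: every factor it names (SE key authentication, facial capture, fingerprint verification, stationary, approved location) is checked and all failures are reported together. "Stationary" is approximated by the ground speed between recent GPS fixes and "indoors in an approved location" by a geofence; site coordinates, radii and the speed threshold are constructed assumptions.

```python
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Added example, not from the presentation: admission check for the scenario above.
# Site coordinates, radii and the stationary threshold are constructed assumptions.
APPROVED_SITES = {"main office": (38.8977, -77.0365, 150.0),   # name -> (lat, lon, radius m)
                  "branch office": (40.7484, -73.9857, 100.0)}
STATIONARY_MAX_MPS = 0.5   # assumed: anything faster than a slow walk counts as moving

def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    # Great-circle distance in metres between two WGS84 points
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6_371_000 * asin(sqrt(a))

def speed_mps(fixes: list) -> Optional[float]:
    # Average ground speed between the oldest and newest (unix_time, lat, lon) fix
    if len(fixes) < 2:
        return None                     # a single fix cannot show the user is stationary
    (t0, la0, lo0), (t1, la1, lo1) = fixes[0], fixes[-1]
    return haversine_m(la0, lo0, la1, lo1) / max(t1 - t0, 1)

def approved_site(lat: float, lon: float, home_site: Optional[tuple] = None) -> Optional[str]:
    # Geofence check; the user's registered home is accepted alongside the office sites
    sites = dict(APPROVED_SITES, **({"home": home_site} if home_site else {}))
    for name, (slat, slon, radius) in sites.items():
        if haversine_m(lat, lon, slat, slon) <= radius:
            return name
    return None

def admit(se_key_authenticated: bool, face_captured: bool, fingerprint_verified: bool,
          fixes: list, home_site: Optional[tuple] = None) -> tuple:
    """Return (admitted, reasons); every factor is checked so all failures are reported."""
    reasons = []
    if not se_key_authenticated:
        reasons.append("no authentication with the SE key")
    if not face_captured:
        reasons.append("facial image not captured")
    if not fingerprint_verified:
        reasons.append("fingerprint not verified")
    speed = speed_mps(fixes)
    if speed is None or speed > STATIONARY_MAX_MPS:
        reasons.append("cannot confirm participant is stationary")
    if not fixes or approved_site(fixes[-1][1], fixes[-1][2], home_site) is None:
        reasons.append("not inside an approved location")
    return (not reasons, reasons)
```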

  • NFC for Identity & Access Control

    Here Today

    A Strong Addition to the Smart Card Ecosystem

  • Peter Cattaneo, Vice President, Business Development