NFC Identity and Access Control … · 02.06.2014
TRANSCRIPT
-
NFC Identity and Access Control
Peter Cattaneo, Vice President, Business Development
-
Agenda
2 NFC Identity and Access Control
• Basics
• NFC User Interactions
• Architecture: (F)ICAM, Physical Access, Logical Access
• Future Evolution
-
Basics – NFC Radio Capabilities
- Very Short Range
  - Typically requires touch or tap
  - Shows user intent
- Compatible with Contactless Smart Cards (ISO 14443)
  - Works both ways:
  - Use credentials from a smart card on-device, e.g. sign an email with a key on your smart badge
  - Emulate a smart card, e.g. use your phone instead of a badge at the door
-
Basics – Secure Elements
- Single Wire Protocol (SWP) connects some SEs to the NFC radio
  - NFC interface can power the SE over SWP; no battery required
  - SEs without SWP connections can interact over NFC via apps
- Multiple Secure Element Options
  - SWP:
    - SIM / UICC
    - Embedded NFC SE
    - microSD card (emerging new standard)
  - Non SWP:
    - Internal
      - Trusted Platform Module (TPM)
      - Trusted Execution Environment (TEE)
    - External
      - Contact card reader
      - Bluetooth reader/device
      - Cloud (HCE)
-
Smart Card vs Mobile Device
• Secure Element
• User Interface
• Communications Channel
• Additional Sensors
• …
-
Smart Card vs Mobile Device
PIV card – Dual Interface Smart card
• One secure element
• Contactless interface
  ‒ ISO 14443
• Contact interface
  ‒ External ISO 7816
NFC Device
• Multiple secure elements
• Contactless interface
  ‒ NFC (incl ISO 14443)
• Contact interface
  ‒ Internal only
• Communications
  ‒ Bluetooth, 3G, 4G, SMS, WiFi
• Screen, keyboard
• Camera, microphone
• GPS
• Fingerprint Sensor
• …
• Lots more
• …
-
NFC User Interactions
1. Desktop Computer Application
2. Physical Access - Opening a Door
3. Mobile Device App
4. Logical Remote Access from Mobile Device
-
User Interaction – Desktop Computer Application
• Windows Login
• Email signing
• Secure Remote Access
• …
(Diagram: Secure Credentials → Desktop Applications)
-
User Interaction – Physical Access – Opening A Door
• Unlock Door
(Diagram: Secure Credentials → Physical Access)
-
User Interaction – Mobile Device App
• File Encryption
• Document Signing
• …
(Diagram: Secure Credentials → Mobile Apps)
-
User Interaction – Remote Access from Mobile Device
(Diagram: Secure Credentials → Cloud Data)
-
(F)ICAM - Identity, Credential, and Access Management
- Why ICAM?
  - US-based:
    - Standards
    - Policy Guidance
    - Best Practices
    - Vendor Support
    - Practical Experience
      - All Federal Agencies
      - Many Federal Contractors
      - Other Commercial entities
  - Some other countries too! Incl. discussion of International Standards.
- NFC works well with other architectures. ICAM is just a well-known example.
-
(F)ICAM - Identity, Credential, and Access Management
-
(F)ICAM - Identity, Credential, and Access Management
-
Logical Access – Credentials in Smart Card
Applications
• Email
  ‒ Mail Client Authentication
  ‒ S/MIME - Signing / Encryption
• Document Management
  ‒ Signing
  ‒ Encryption
  ‒ Synchronization Authentication
• Secure Remote Access
  ‒ VPN
  ‒ Secure Web Sites
• Mobile App Credentials
-
Logical Access – Credentials in Smart Card
Issues
• Contact Interface – no NFC
  ‒ May be required for policy compliance
• Contactless Interface Credential Access
  ‒ Current FICAM – limited
  ‒ FIPS 201-2 – full set using Opacity
• Security Concerns
  ‒ No different from contactless cards
• Mobile Operating System API Support
  ‒ How does an app access the credentials?
  ‒ Few standards; limited support
-
Logical Access – Credentials in Mobile Device
Applications
• Email
  ‒ Mail Client Authentication
  ‒ S/MIME - Signing / Encryption
• Document Management
  ‒ Signing
  ‒ Encryption
  ‒ Synchronization Authentication
• Secure Remote Access
  ‒ VPN
  ‒ Secure Web Sites
• Other Application Credentials
-
Logical Access – Credentials in Mobile Device
Perfect Card Emulation
• Contact Interface – Accessible via Mobile App
  ‒ App in device can access the SE via the contact interface
  ‒ User interaction (e.g. PIN entry)
  ‒ NFC via Card Emulation mode
• Contactless Interface – Direct SE to NFC over SWP
  ‒ No different from contactless cards
  ‒ Battery not required
-
Physical Access – Credentials in Mobile Device
Perfect Card Emulation
• Contact Interface – Accessible via Mobile App
  ‒ App in device can access the SE via the contact interface
  ‒ User interaction (e.g. PIN entry)
  ‒ NFC via Card Emulation mode
• Contactless Interface – Direct SE to NFC over SWP
  ‒ No different from contactless cards
  ‒ Battery not required
-
Physical Access – Credentials in Mobile Device
• Available Today
  ‒ Major PACS Vendors Support ISO 14443 devices
    • Smart Cards
    • NFC Devices
  ‒ Standards-based and proprietary solutions
  ‒ SWP SE solutions are seamless
• Real Innovation in Development
  ‒ Leveraging Device Capabilities
  ‒ Communication via device
    • Reader can be off-line
  ‒ Biometric Integration
  ‒ Cloud-based Services
-
Future Evolution
• Mobile Devices with NFC Enable New Capabilities
  ‒ Lots of Great Work in Many Different Categories
• Interface Protocols
  ‒ NFC Layered Security
    • Secure Channel Against Eavesdropping
    • Device Pairing
    • FIPS 201-2 / ANSI Opacity
  ‒ NFC + Other Communications Channels
    • Bluetooth Secure Simple Pairing (SSP) with NFC
      ‒ Device Selection (improves user experience; ensures correct device is selected)
      ‒ Securely Connect (Out-of-band)
      ‒ Bluetooth Application Launch
• Credential Policy
  ‒ How Credentials in SEs used with NFC relate to other devices
  ‒ Example: NIST 800-157 “Derived Credentials”
-
Future Evolution
• Peer to Peer – Devices are Symmetric
  ‒ Example: mutual authentication
    • Instead of validating an employee badge with a handheld, any employee can validate any other
  ‒ Example: field incident security perimeter
    • Enables dynamic perimeter, real-time access to location, list of check in/check out
• Making Dumb Readers Smart – Cost is in the phone
  ‒ E.g. for higher security at night, give night access team phones with fingerprint readers
  ‒ Use phone communication channels
-
Future Evolution
• Engage Mobile Device Features with NFC
  ‒ Combining elements to enhance security
  ‒ Biometrics
    • Fingerprint
    • Facial
    • Voice
    • Iris
  ‒ Location
  ‒ Velocity
  ‒ Temperature
  ‒ …
Example: Secure Unified Communications
Everyone connects with their mobile device to the weekly project call. They are strongly authenticated with a crypto key in an SE, a facial image is captured and a fingerprint is verified. The device provides voice communication and a shared whiteboard. As per corporate policy, all participants are stationary (not driving) and indoors in an approved location (home, main office, branch office).
-
NFC for Identity & Access Control
Here Today
A Strong Addition to the Smart Card Ecosystem
-
Peter Cattaneo, Vice President, Business Development