An Overview of
Draft SP 800-157
Derived PIV Credentials
and
Draft NISTIR 7981
Mobile, PIV, and Authentication
Hildegard Ferraiolo
PIV Project Lead
NIST ITL Computer Security Division
Hildegard.ferraiolo@nist.gov
March 13, 2014
Draft SP 800-157 – Derived PIV
Credential for Mobile Devices
Scope:
– The Derived PIV Credential is an additional
PIV Credential to satisfy HSPD-12's 'Common
Identification' mandate
– Provide PIV-enabled authentication services on
the mobile device to authenticate the mobile
device owner to remote systems
Draft SP 800-157 – Derived PIV
Credential for Mobile Devices
• Motivation:
– PIV Cards have been geared towards traditional
computing platforms (laptop, desktop)
– For newer computing devices (mobile devices),
the use of the PIV Card is challenging and
requires bulky add-on readers
Draft SP 800-157 – Derived PIV
Credential for Mobile Devices
Goal:
– To provide alternative approaches to PIV-enabled
e-authentication with mobile devices, without a PIV
Card or add-on readers.
• While leveraging the PIV Infrastructure for:
– Interoperability: Take advantage of the same PKI
infrastructure
– Cost-savings: Leverage the trust and identity-proofing
performed for 5 million issued PIV cards
Draft SP 800-157 – Derived PIV
Credential for Mobile Devices
Mobile devices and their capabilities vary by:
- Mobile device manufacturer, platform, ports and Mobile
Network Operator; their capabilities also often differ in
focus (e.g., tablet vs. smartphone).
- One technical approach is not sufficient to cover the
various mobile devices deployed by USG.
- Draft SP 800-157 is flexible and offers a spectrum of
approaches to electronic authentication on mobile
devices.
Draft SP 800-157 – Derived PIV
Credential for Mobile Devices
Technologies:
– Mobile Device Software tokens (current)
– MicroSD tokens (current)
– USB security tokens (near term)
– UICC tokens (near term)
– Embedded Hardware (near term)
Benefits:
– Derived PIV Credential: leverages the identity proofing and vetting processes
already performed for the PIV cardholder
– It's integrated into the device, which gives a better user experience
Considerations:
– Provisioning and management of mobile device specific credential
– Limited mobile OS and application support (MicroSD, USB, UICC)
Draft SP 800-157 – Derived PIV
Credential for Mobile Devices
Draft SP 800-157 details:
- Derived PIV Credential lifecycle activities for:
- Initial issuance, maintenance (re-key, re-issuance), and termination
• Technical requirements for:
– Certificate Policy under which the Derived PIV Credential is issued (a ref)
– Cryptographic requirements for Derived PIV Credential
– How to include the optional Digital Signature Key and Encryption Key in the
Derived PIV Credential security token
– Data model and interfaces for the Derived PIV Credential security token
• Removable (Non-Embedded) hardware cryptographic security tokens
(UICC, USB, microSD)
• Embedded cryptographic security tokens
– Hardware token implementations
– Software token implementations
FIPS 201-2 Authentication Mechanisms
for PIV Card Credentials and Derived PIV Credential

PIV Assurance Level Required | PACS              | LACS: Local Workstation   | LACS: Remote/Network
by Application/Resource      |                   | Environment               | System Environment
-----------------------------+-------------------+---------------------------+----------------------
LITTLE or NO confidence      | VIS, CHUID        | CHUID*                    |
SOME confidence              | PKI-CAK, SYM-CAK  | PKI-CAK                   | PKI-CAK, PKI-Derived
HIGH confidence              | BIO               | BIO                       |
VERY HIGH confidence         | BIO-A, OCC-AUTH,  | BIO-A, OCC-AUTH, PKI-AUTH | PKI-AUTH, PKI-Derived
                             | PKI-AUTH          |                           |

On the original slide, green marks the access control environment where the new "PKI-Derived"
authentication mechanism for mobile devices applies (the two PKI-Derived entries in the LACS
Remote/Network column above); yellow font marks the access control environments for the PIV Card
credentials and their authentication mechanisms.
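As an added example (not code from the presentation or from NIST), the following Go program shows the relying party's side of the PKI-Derived mechanism in the table above and of the Certificate Policy requirement listed on the previous slide: a Derived PIV Authentication certificate chains to the same PKI as the PIV Card certificates, and the certificate policy it asserts tells the relying party which assurance row it can satisfy. The program builds a constructed in-memory test root CA standing in for the Federal PKI, issues three client certificates, and applies the check. Assumptions: the two policy OIDs are the Federal Common Policy identifiers for derived PIV authentication (software and hardware tokens) as recalled for this example, and mapping the software-token policy to the SOME row and the hardware-token policy to the VERY HIGH row is this example's reading of the table; confirm both against the Certificate Policy that Draft SP 800-157 references. The names TestPKI, IssueClientCert and AssuranceForDerivedPIV are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Certificate policy OIDs of Derived PIV Authentication certificates. ASSUMPTION: these are the
// Federal Common Policy values (id-fpki-common-pivAuth-derived and -derived-hardware) as recalled
// for this example; confirm them against the Certificate Policy that SP 800-157 references.
var (
	oidCertificatePolicies    = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidPIVAuthDerived         = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 2, 1, 3, 40}
	oidPIVAuthDerivedHardware = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 2, 1, 3, 41}
)

// Rows of the FIPS 201-2 table that PKI-Derived can satisfy in the LACS remote/network environment.
const AssuranceSome, AssuranceVeryHigh = "SOME confidence", "VERY HIGH confidence"

// TestPKI is a constructed in-memory root CA standing in for the Federal PKI. must keeps its
// setup short; the relying-party check further down returns errors instead of panicking.
type TestPKI struct {
	Root    *x509.Certificate
	Roots   *x509.CertPool
	rootKey *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func NewTestPKI(name string) *TestPKI {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &TestPKI{Root: root, Roots: pool, rootKey: key}
}

// IssueClientCert issues a client-authentication certificate asserting policy (nil for an ordinary
// client certificate). The certificatePolicies extension (SEQUENCE OF PolicyInformation, RFC 5280
// 4.2.1.4) is encoded by hand so the result does not depend on how the local Go version treats
// the PolicyIdentifiers and Policies template fields.
func (p *TestPKI) IssueClientCert(subject string, policy asn1.ObjectIdentifier) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: subject},
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if policy != nil {
		val := must(asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{policy}}))
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, p.Root, &key.PublicKey, p.rootKey))
	return must(x509.ParseCertificate(der))
}

// AssuranceForDerivedPIV is the relying party's check for the PKI-Derived mechanism: the leaf must
// chain to a trusted root, be valid at now, be usable for client authentication and assert a
// Derived PIV Authentication policy, which selects the table row (hardware token -> VERY HIGH,
// software token -> SOME). Anything else is rejected rather than silently downgraded.
func AssuranceForDerivedPIV(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("path validation failed: %w", err)
	}
	software := false
	for _, oid := range leaf.PolicyIdentifiers { // filled in by ParseCertificate from certificatePolicies
		if oid.Equal(oidPIVAuthDerivedHardware) {
			return AssuranceVeryHigh, nil
		}
		software = software || oid.Equal(oidPIVAuthDerived)
	}
	if software {
		return AssuranceSome, nil
	}
	return "", errors.New("certificate asserts no Derived PIV Authentication policy")
}

func main() {
	pki := NewTestPKI("Constructed Test Root CA")
	for _, c := range []*x509.Certificate{pki.IssueClientCert("hardware token", oidPIVAuthDerivedHardware),
		pki.IssueClientCert("software token", oidPIVAuthDerived), pki.IssueClientCert("no policy", nil)} {
		fmt.Println(c.Subject.CommonName, "->", must(AssuranceForDerivedPIV(c, pki.Roots, time.Now())))
	}
}
```

Running it prints the assurance row for the hardware-token and software-token certificates and then panics on the third, which carries no Derived PIV policy; a certificate from an untrusted root or one outside its validity period fails path validation before the policy is even consulted. That ordering is the point for a relying party: a policy claim is only trusted after the chain to the shared PKI has been validated, and a credential that cannot be placed in a row is rejected rather than quietly accepted at a lower level.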
Draft NIST IR 7981
Mobile, PIV, and Authentication
A Companion Document to Draft SP 800-157
- Analyzes different approaches to PIV-enabling mobile devices
- Includes the use of PIV Cards with mobile devices in addition to Derived PIV
Credentials
- Points out benefits and considerations (pros/cons) for each approach
- Example: the UICC approach requires cooperation with the MNO
- Approximates when these approaches might become available
- Categorizes approaches into 'current' and 'near term' solutions
- Includes Recommendations
- Hardware-rooted solutions provide better security
- Software solutions are available now – NIST IR 7981 recommends complementing these
with a hardware-backed mechanism that protects the private key of the Derived PIV
Credential when not in use (the hybrid solution)
– In the longer term, NIST IR 7981 recommends adoption of hardware-supported security
mechanisms in mobile devices, such as Roots of Trust (SP 800-164), to support
stronger assurance of identity
Mobile, PIV and Authentication
• Both Draft SP 800-157 and NIST IR 7981 are available for
public comment
• Instructions to comment are provided at:
http://csrc.nist.gov/groups/SNS/piv/announcements.html
• Public comment period closes April 21st.
Thank you
Questions?
Hildegard Ferraiolo
PIV Project Lead
NIST ITL Computer Security Division
hildegard.ferraiolo@nist.gov