Digital trust for hyper-connected mobile world

by Mark Rowe

With cyber-attacks, hacks and data breaches on the rise, Intercede’s CTO Dr Chris Edwards explores new methods for securely accessing data in an increasingly mobile economy.

We all know that mobile usage has exploded, with smartphones now the UK’s most popular device for getting online. And mobile is all pervasive, well beyond our private communications: most businesses in the UK have now implemented bring-your-own-device (BYOD) policies that allow employees to reach corporate networks and data from their own devices, whether on site or working remotely. But with such openness comes risk. Policies must be robust enough to ensure that mobile access does not lower the security level required for access to organisational resources, high-value assets and critical corporate infrastructure.

Smart cards and the challenge

The smart card form factor is very convenient in many respects. It fits neatly into your wallet, can operate in contact or contactless modes, and is highly standardised, so it offers very good interoperability. The recent increase in mobility, however, has challenged the traditional smart card system. Enterprise-grade laptops typically include smart card readers, and desktop computers can be connected to external readers. Mobile devices, on the other hand, have no integrated card reader, so smart card authentication isn’t an easy option. There have been several attempts to provide external card readers for mobile phones, but battery drain and the inconvenience of carrying a second device in addition to the phone meant the technology never took off. The challenge for developers was finding a way to put the credential directly into the phone or tablet while still maintaining an acceptable level of security for the private cryptographic keys relied upon for authentication, signing and encryption. In practice that means the private key should be generated on the device, held in hardware-backed storage where the platform offers it, and never be exportable from the device.

While it is clear that in some secure organisations mobile credentials will not fully replace smart cards for some time, many of the most robust mobile solutions use ‘derived credentials’: a new credential issued to a mobile device on the strength of the identity already proven by the holder’s physical smart card. For many years, the US Federal Government’s Personal Identity Verification (PIV) programme for smart card authentication has been a cornerstone of secure physical and logical access to resources and national infrastructure. To extend this to mobile device access, the National Institute of Standards and Technology (NIST) defined the ‘derived PIV credential’ (NIST Special Publication 800-157) to provide secure access to corporate systems, services and data from smartphones, tablets and laptops. The derived credential ensures that access still meets the required level of authentication, allowing the federal workforce to become both mobile and secure. The approach of deriving digital identities from an original physical identity source such as a smart card has become more common across governments and industry, since it offers a fast, secure, cost-effective and scalable way to verify identities through an entirely digital process, across a variety of digital formats.

Mobile in use

The ability to read encrypted email away from a desktop computer has been of the utmost importance for some time, so secure email was historically the primary application considered for mobile use. However, with more and more businesses demanding that employees can work remotely, with full or partial access to secure corporate resources, complete packages of secure cloud services have emerged as the most important requirement. The Windows operating system includes a shared cryptographic service layer (CryptoAPI and its successor, Cryptography API: Next Generation), a standardised programming interface through which any app can use credentials delivered to the device. Apple iOS and Android, however, do not provide a readily accessible, device-wide cryptographic layer for apps. For example, certificates and keys installed through Safari on an iPhone land in the system keychain and cannot be used directly by your own apps, only by ‘native’ apps such as the Safari browser and the default mail app. Another challenge with iOS is that, by default, there is no secondary authentication to the keychain: once the phone is unlocked, no further authentication is needed for access. (Newer iOS versions let an app attach an access-control policy to a keychain item so that using the key requires Touch ID, Face ID or the passcode; a derived-credential app should set this rather than rely on the device unlock alone.) iOS does, however, provide ‘hardware-backed’ key storage, which brings significant advantages over purely software-based keychains.

For enhanced security on Android devices, more robust security facilities do exist but are greatly underused. ARM TrustZone is present in almost every Android device as part of the chipset design. An increasing number of handset vendors are now adding the software and tools necessary for app developers to take advantage of this secondary, isolated operating system, and Android’s own Keystore API can place keys in TEE-backed storage. The Trusted Execution Environment (TEE) offers a secure operating environment for apps dealing with sensitive data and critical user interactions. The TEE can also provide key storage together with a ‘trusted user interface’ for PIN entry, so the PIN is never seen by the main operating system. In addition to the TEE, a wide variety of other secure environments are available in phones and tablets, such as the UICC (the SIM), TPM, secure microSD and the embedded secure elements (SEs) that support NFC.

Derived credentials in use

The ‘formal’ definition of a derived PIV credential is simply a secondary authentication certificate, issued to a new key on the mobile device, that carries the identity of the original smart card into another form. The standard also allows signing and encryption (key management) certificates to be issued alongside it. However, for any of these credentials to be of real use, and to be widely adopted, they must be made available to work easily with the apps on an employee’s mobile device. With the wide range of cryptographic key storage options now available, most of which expose different programming interfaces, a readily available library for apps is needed that operates across a range of mobile devices as transparently as possible. Once you add the widely requested additional features, such as signing, encryption, physical access, and verifiable flash badges, consuming mobile credentials becomes even more challenging for app vendors.

As with any credentialing environment, a secure, policy-enforcing lifecycle management system is vital for mobile security. In the case of the US Government, the standard describes specific business processes for the two supported levels of assurance (LOA-3 and LOA-4) that must be followed by any compliant solution. Such a solution must have strong authentication for operators and full audit capabilities, while allowing rapid, secure access to administrative functions. One major advantage for users is that they are using what is effectively an ‘always on’ connected device. This means that certificate renewals and updates can be performed without attending a specific location; an authenticated connection to a trusted system is all that is required.
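The issuer-side enrolment that the two paragraphs above describe in prose (check that the card credential still chains to the trusted authority, make the holder prove possession of the card key, then certify a fresh key generated on the device under the same identity) is shown below as an added example in Go using only the standard library. It is not Intercede’s, MyID’s or NIST’s code. The function names (IssueCert, CardSign, NewAgency, DeriveCredential), the agency and holder names, the choice of P-256/ECDSA for every key, and the simplification that the derived certificate carries the same subject name as the card certificate are all assumptions for illustration; revocation checking and hardware attestation of the device key are deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewP256Key generates a fresh P-256 key pair. On a real handset this happens
// inside the TEE or Secure Enclave and the private half never leaves it.
func NewP256Key() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// IssueCert signs a certificate for pub. With parent == nil it produces a
// self-signed CA certificate; otherwise an end-entity client-authentication
// certificate signed by signer, which must be the parent's private key.
func IssueCert(subject pkix.Name, pub *ecdsa.PublicKey, parent *x509.Certificate,
	signer *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent = tmpl
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewAgency builds a constructed issuing CA (assumed name) and the trust pool
// that the issuer and relying parties use to validate card certificates.
func NewAgency() (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey, error) {
	caKey, err := NewP256Key()
	if err != nil {
		return nil, nil, nil, err
	}
	caCert, err := IssueCert(pkix.Name{CommonName: "Example Agency Issuing CA"}, &caKey.PublicKey, nil, caKey, 1)
	if err != nil {
		return nil, nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, caCert, caKey, nil
}

// CardSign emulates the smart card answering the issuer's challenge with its
// PIV Authentication private key (ECDSA over SHA-256, DER-encoded signature).
func CardSign(cardKey *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, cardKey, digest[:])
}

// DeriveCredential is the issuer-side enrolment step. It takes the card's PIV
// Authentication certificate, the card's signature over an issuer-chosen nonce
// and the public half of a key pair generated on the device, and returns a new
// certificate for the device key carrying the card holder's subject name.
func DeriveCredential(roots *x509.CertPool, ca *x509.Certificate, caKey *ecdsa.PrivateKey,
	pivCert *x509.Certificate, nonce, sig []byte, devicePub *ecdsa.PublicKey,
	serial int64) (*x509.Certificate, error) {
	// 1. The card credential must chain to a trusted root and be valid for client auth.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := pivCert.Verify(opts); err != nil {
		return nil, fmt.Errorf("PIV certificate rejected: %w", err)
	}
	// 2. Proof of possession: the requester must have signed this nonce with the card key.
	if err := pivCert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return nil, fmt.Errorf("card proof of possession failed: %w", err)
	}
	// 3. A derived credential certifies a new key; it must never re-certify the card key.
	if cardPub, ok := pivCert.PublicKey.(*ecdsa.PublicKey); ok && cardPub.Equal(devicePub) {
		return nil, errors.New("device key must be distinct from the card key")
	}
	// 4. Bind the already-proven identity to the device key under the agency CA.
	return IssueCert(pivCert.Subject, devicePub, ca, caKey, serial)
}

func main() {
	roots, ca, caKey, err := NewAgency()
	if err != nil {
		panic(err)
	}
	cardKey, _ := NewP256Key()
	card, _ := IssueCert(pkix.Name{CommonName: "Jane Doe"}, &cardKey.PublicKey, ca, caKey, 2)
	deviceKey, _ := NewP256Key()
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh issuer-chosen challenge for this enrolment attempt
	sig, _ := CardSign(cardKey, nonce)
	derived, err := DeriveCredential(roots, ca, caKey, card, nonce, sig, &deviceKey.PublicKey, 3)
	if err != nil {
		panic(err)
	}
	fmt.Printf("derived credential for %q issued by %q\n", derived.Subject.CommonName, derived.Issuer.CommonName)
}
```

The order of the checks matters: chain validation comes first so that an attacker cannot learn anything about proof-of-possession handling with a certificate the issuer does not trust, and the nonce must be generated by the issuer per attempt, otherwise a captured card signature could be replayed to enrol a second device. A production issuer would additionally consult the CA’s revocation information for the card certificate and, where the platform supports it, require an attestation that the device key lives in a TEE or secure element before issuing the LOA-4 form of the credential.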

Smarter access

The use of derived credentials presents the opportunity for greatly enhanced security, access and usability of protected resources from mobile devices. The mobile market continues to evolve rapidly, with an increasing number of options for the storage and processing of cryptographic keys. A vendor-neutral library for accessing these credentials, one that works equally well with card readers, hardware secure elements, Trusted Execution Environments and the numerous flavours of software credential store, is therefore an extremely worthwhile investment. Compared with the alternative, a workforce that is either mobile or secure but not both, it is clear that interoperability of credentials belongs at the forefront of every enterprise technology and security priority list.

About the author

Dr Chris Edwards was responsible for the initial design of Intercede’s MyID product and retains responsibility for the architecture and use of technology within it. He has over 30 years’ senior level experience within the IT industry, 15 of them within the security sector. Chris was instrumental in making MyID the first electronic personalisation system to achieve FIPS 201 accreditation as part of the US HSPD-12 PIV Approved Products Scheme, and has substantial experience of working on US and UK government security projects.


© 2024 Professional Security Magazine. All rights reserved.