Can derived credentials replace CACs? What you need to know

When the White House released Homeland Security Presidential Directive 12 in 2004, mandating the development and use of an interoperable smart ID card for government employees and contractors, government leaders never could have foreseen the mobile revolution that has overtaken the government. 

Designed to verify a users’ identity and enable access to secure facilities and networks, Personal Identity Verification (PIV) cards and Common Access Cards (CAC), are widely used throughout the government by both federal civilian and defense personnel as part of a multi-factor authentication approach. However, with the explosion of mobile computing – and the BYOD movement – many government employees are conducting business on smartphones, tablets and mobile devices that are not equipped with integrated PIV and CAC card readers. These mobility products don’t share the same level of security as desktops, laptops and even the newer 2-in-1 computers, which puts sensitive government information at risk.   

One solution to this complicated issue consists of attaching a CAC/PIV card reader directly to a mobile device. While this solution is secure – and requires the use of the physical CAC or PIV card – it is not a viable solution. It is nearly impossible to use an attached CAC/PIV card reader on a mobile device while you are walking down the street. Additionally, attached card readers are bulky, add extra weight to devices and have been known to quickly drain the mobile device battery (what good is a tablet when the battery is dead?). It goes without saying that all of these factors negatively affect the user experience. 

Another solution that has been discussed, but also has limitations, is the use of Near Field Communications (NFC). NFC, which uses radio frequency to establish communications between NFC-enabled devices, requires the user to be in close range to a contactless antenna while holding or placing the CAC/PIV card next to the mobile device. Again, this is not a great option.

As such, the National Institute of Standards and Technology (NIST) has been tasked with developing guidelines for enabling access based on secure authentication to government networks from a mobile device that doesn’t rely on a physical CAC or PIV card.

Might software be the answer? The idea is certainly picking up momentum in the form of derived credentials, which NIST asserts “greatly improves the usability of electronic authentication from mobile devices to remote IT resources, while at the same time maintaining the goals of HSPD-12 for common identification that is secure, reliable and interoperable government-wide.”

Sounds great, but derived credentials, while heavily discussed, are still highly misunderstood, with many people not even knowing what they are. Per the draft of NIST Special Publication 800-157, a derived credential is “an alternative token, which can be implemented and deployed directly on mobile devices (such as smart phones and tablets).” The tokens, which come in an alternative form factor to PIV and CAC cards, can be either hardware- or software-based. Per NIST, they “may be inserted into mobile devices, such as microSD tokens, USB tokens, Universal Integrated Circuit Cards [UICC, the new generation of SIM cards], or embedded in the mobile device.”

Derived credentials are gaining traction because, in a way, they apply virtual PIVs and CACs to mobile devices. That’s important, since the federal workforce has become increasingly mobile yet has not been able to easily, efficiently and securely authenticate for access to unclassified information and applications. Obviously, not being able to do this limits the productivity of federal employees who may be in the field or away from their desktops.

Still, like other security measures, there are potential flaws that need to be monitored. While derived credentials can provide better authenticated access to unclassified government networks, a software-based solution, even if encrypted, is not the most secure option available. If the credential simply lives on the internal storage (be it a hard drive, flash memory, etc.) it’s relatively easy for a piece of malware, which can make its way on to the device from any infected or malicious application, to get access to the token and, ultimately, put government networks at risk. 

While the Defense Information Systems Agency (DISA) has discontinued pilot programs involving UICC and microSD cards, a hardware-enhanced token or hardware root-of-trust should still be considered a preferred option to a pure software solution. Hardware is not susceptible to being compromised by rogue applications. A solution that is embedded into the device and provides identity verification alleviates the risk that is inherent with software-based solutions, thus creating a more secure mobile computing environment.

However, even in hardware, not all solutions are created equal.

There are different implementations of hardware roots-of-trust that use Hardware Security Modules (HSM), Trusted Platform Modules (TPM) and other hardware-enhanced identity protection technologies. These hardware implementations can provide secure storage, encryption, signing and key management functions. These features are used to provide the secure foundations for encrypting or digitally signing email and authenticating to virtual private networks and Secure Sockets Layer websites in addition to providing a factor for multi-factor authentication. 

To help sort through software and hardware key storage, the National Information Assurance Partnership has published the Common Criteria “Protection Profile for Mobile Device Fundamentals” that provides the functional security requirements for commercial mobile devices. Ideally, a user’s mobile devices should securely generate tamper-resistant, persistent RSA key pairs in hardware, generate public-key infrastructure certificates from hardware-protected RSA key pairs and perform RSA private key operations within an embedded protected hardware environment without increasing the costs or complexity of deployment. 

There is still a significant amount of work to be done to determine exactly how the federal government will implement derived credentials. Two things are certain, though: the need for them is real, though there are still some concerns. In any case, while NIST and DISA continue to set the course, agencies will continue to debate how best to address the growing mobile security dilemma.