搜索
MobileIdentityManagementforPublicSafetyJoshuaFranklinComputerSecurityDivisionYee-YinChoongKristenGreeneInformationAccessDivisionCyberInnovationForumSeptember9-11,2015DisclaimerAnymentionofcommercialproductsorreferencetocommercialorganizationsisforinformationonly;itdoesnotimplyrecommendationorendorsementbytheNationalInstituteofStandardsandTechnologynordoesitimplythattheproductsmentionedarenecessarilythebestavailableforthepurpose.2Agenda•Introduction•NIST’sidentitymanagementresearchefforts•Relevantstandardsandguidance•Credentialsforfirstresponders•Applyingthistopublicsafety–Fire,EMS,Lawenforcement–Usability•NextSteps3pscr.govBackground•TheMiddleClassTaxReliefandJobCreationActof2012createdtheFirstResponderNetworkAuthority(FirstNet)•PublicSafetyCommunicationsResearch(PSCR)Program(http://www.pscr.gov)–JointNTIA/NISTresearchprogrambasedinBoulder,CO–Focusingonstandards,networkmodeling/simulation,audio/videoquality,andsecurity•SponsoredinpartbyDHSOIC(http://www.dhs.gov/st-oic)4pscr.govFirstNetOperation5•FirstNetwillrunacellularnetworkforusebypublicsafety:–EMS,Fire,Lawenforcement,etc.•Basedon“4G”LTEtechnology•Modernmobiledeviceswillbeusedtoaccessthenetwork•Howdoweensurethattherightpeopleandtherightdevicesgetonthenetwork?pscr.govResearchDirections•Needtounderstandhowfirstrespondersauthenticatenow•NISTworkingtoprovideguidanceandanalysistopublicsafetyfor:–Identitymanagement–Federatedidentityandtrustframeworks–Analysisofdiscipline-specificneeds6pscr.govNIST’sCurrentStatus•NISTIR8014–ConsiderationsforIdentityManagementinPublicSafetyNetworksStatus:Complete[PDF]•UsabilityandSecurityConsiderationsforMobileAuthenticationinPublicSafetyStatus:In-progress7pscr.govNISTIR8014•NISTfirstauthoredConsiderationsforIdentityManagementinPublicSafetyNetworks•Basedonpublicsafety’sneedsandrequirementsdescribedbytheNationalPublicSafetyTelecommunicationsCouncil(NPSTC)•NISTIR8014covers:–Identitymanagementbasics–GuidanceandFrameworks–Tokenregistrationandissuance–Mobilecredentialsandtokenselection–Authenticationprocesses8pscr.govIdentityManagement(IdM)•IdMistheprocessofmanagingtheidentification,authentication,andauthorizationofentities•Identification:makinganidentityclaim•Authentication:providingevidenceforanidentityclaim•Authorization:determiningandenforcingaccess9pscr.govIdentityManagementLifecycleRevokeorSuspendRe-issueorUpdateExpireUseIssueRegister10pscr.govTokenIssuance•Credentialsbindanidentitytoatoken•Tokensareusedtoauthenticate•Howatokeniscreatedandissuedasanimpactonitsoveralllevelofassurance–Tokenscanbedistributedin-personorremotely11pscr.govExamplesofTokens12Passwordp@$$w0rdFingerprintPIVCardOneTimePasswordGeneratorpscr.govMultifactorAuthenticationSomethingyouknowSomethingyouhaveSomethingyouare13PasswordFingerprintPIVCardpscr.govAuthenticationProcess•Authenticationprotocolsprovideassuranceinasecuremanner•Uservs.device–Bothmayneedtoauthenticatetootherentities•Determiningthestrengthofauthenticationisdifficult14pscr.govAuthenticationScenarios15LocalRemotepscr.govGuidance&Frameworks•OMBM-04-04–E-AuthenticationGuidanceforFederalAgencies•HSPD-12–CommonIdentificationStandardforFederalEmployeesandContractors•NIST800-63–ElectronicauthenticationGuidelines•NPSTCHigh-levelLaunchRequirements•ATISidentitymanagementframework16pscr.govOMBM-04-04•Outlines5stepprocessforagenciestodeterminetheirassuranceneeds1.Conductariskassessment2.Mapidentifiedriskstotheappropriateassurancelevel3.Selecttechnologybasedontechnicalguidance4.Validatetheimplementedsystem5.PeriodicallyreassessthesystemNote:editedforbrevity17pscr.govOMBM-04-04LOAs•4levelsofassurancearedefined•Specifiedminimumlevelofassurance(LOA)forgivenerrors18pscr.govHSPD-12•Mandatescommonidentificationstandardforfederalgovernmentandcontractors•ThePIVcardcontainsseveralidentitycredentials-Technicalspecification:NISTSP201-2•InteroperablewithotherPIVenabledsystems•PIVcredentialscanbeusedformobiledevices–CIOcouncilcreatedPIV-I•Availabletonon-federalusers•ShouldbecompatiblewithPIVsystems19pscr.govNISTSP800-63-2•SupplementsOMBM-04-04•Providestechnicalguidanceonselectinganauthenticationsolutioninfiveareas:1.Identityproofingandregistrationofapplicants,2.Tokens(typicallyacryptographickeyorpassword)forauthentication,3.Tokenandcredentialmanagementmechanismsusedtoestablishandmaintaintokenandcredentialinformation,4.Protocolsusedtosupporttheauthenticationmechanismbetweentheclaimantandtheverifier,5.Assertionmechanismsusedtocommunicatetheresultsofaremoteauthenticationiftheseresultsaresenttootherparties.20pscr.govMobileTokensPINs,passwords,andgesturesPhysicaltokensBiometricsOne-timepassworddevicesAttachedsmartcardreadersNFCsmartcardsSoftwarecryptographictokensHardwaresecuritymodulesWearables21pscr.govNeedsoftheDisciplines22pscr.govFirstResponders•Specializedtraining•Operateinextremeenvironments•Quickdecisionsunderhighstress•ALOTofgear–Forexample,firefighterscarrybetween75to100poundsormoreofequipment23pscr.govFirstResponder:FireService24–Airtank–Gloves–Helmet–Bodysuit–Rope–Pager–RadioNote:Thisconstitutesapreliminarylistofe