NIST's new standard to bring HSPD-12 to smartphones

Thursday - 12/8/2011, 5:04am EST

Hildegard Ferraiolo, computer scientist, NIST


The excitement and inevitability of mobile computing is forcing agencies to rethink how they implement Homeland Security Presidential Directive-12.

With 5.1 million federal employees and contractors holding secure identification cards, and an impending deadline for agencies to begin using those cards to log on to their computer networks, the National Institute of Standards and Technology is updating the federal standard for implementing HSPD-12.

NIST is considering five different options for how the smartcard could be integrated with smartphones or tablet computers. The new Federal Information Processing Standard (FIPS) 201-2 is expected to be ready in the second quarter of 2012, said Hildegard Ferraiolo, a NIST computer scientist.

While NIST doesn't expect the mobile device to replace the desktop or laptop in the short term, Ferraiolo said a combination of agency demand and the need to keep up with technology is driving the updates to the federal standard.

"The update covers new technology that we think needs to be incorporated," Ferraiolo said after the Interagency Smartcard Advisory Board meeting in Washington Wednesday. "It's been five or almost six years since the first one came out. We have been doing research to figure out how do we enable the [HSPD-12] card with smartphones."

Only the Defense Department has actively tried to integrate the mobile device with the Common Access Card, its version of the HSPD-12 card. DoD has tested the use of a Bluetooth card reader to encrypt emails.

The Pentagon also is trying a second approach, using a secure app on the smartphone.

NIST's effort is meant to make that integration smoother.

Ferraiolo said the challenge the new standard will try to address is combining two pieces of hardware — the smartcard and the phone.

Pros and cons

Among the options NIST is weighing is a reader that attaches to the smartphone and into which the user inserts the secure ID card. The reader could be connected by a cable or wirelessly, over Wi-Fi or Bluetooth.

Ferraiolo said both reader approaches have advantages and disadvantages. The advantage is that they are known technologies that work and can offer strong security. The cons are that the reader is one more device for the user to keep track of and to keep charged.

"We look at all options and we weigh the positives and negatives, and a big factor into that is the usability," she said. "So we also are looking at derived credentials. You take your [HSPD-12] card and you create another type of credential that resides on the smartphone. We call it a representation of what would be on the card."

NIST is unsure just how secure the derived credential would be compared to the HSPD-12 card.

"We are thinking about introducing or having the security element be FIPS 140-2 validated to help that," Ferraiolo said. "Otherwise, new technologies are not necessarily secure environments."

Using mobile device managers

Another option is for agencies to use mobile device managers. The vendor would provision the HSPD-12 credential through a secure channel. The credential on the device would again be a representation of the secure token that is on the identity card.

"The other piece has to be the storage. Where shall the keys or credential be stored? It has to be in a secure environment," Ferraiolo said. "Maybe not software, but maybe in a security element that is a micro SD card or in another SIM card is a possibility we are looking at."
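What a "representation of what would be on the card" has to mean cryptographically, and why the storage question matters, is easier to see in code. The following Go program is an added example, not code from the article, from NIST or from FIPS 201-2 and its special publications: the phone generates its own key pair inside a stand-in for the secure element, and the issuer certifies that key under the card holder's identity only after the card proves possession of its own private key by signing a fresh, single-use challenge. The card's key is never copied to the phone, and a derived credential cannot be used to derive another. The names, the challenge protocol, and the credential format (a signed holder/kind/public-key record standing in for the X.509 certificates real PIV credentials use) are assumptions of this example, not the standard's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Credential is the issuer's signed binding of holder and kind to a public key
// (a constructed stand-in for the X.509 certificates real PIV credentials use).
type Credential struct {
	Holder, Kind string // Kind is "PIV Authentication" or "Derived PIV Authentication"
	Pub          *ecdsa.PublicKey
	Sig          []byte // issuer signature over digest(Holder, Kind, Pub)
}

// digest hashes the binding; DER is self-delimiting, so the appended text
// fields cannot be confused with key bytes.
func digest(holder, kind string, pub *ecdsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // only fails for unsupported key types
	d := sha256.Sum256(append(der, holder+"\x00"+kind...))
	return d[:]
}

// Issuer is the agency authority behind both credentials; it remembers the one
// enrollment challenge currently outstanding.
type Issuer struct {
	key       *ecdsa.PrivateKey
	Pub       *ecdsa.PublicKey // what relying parties trust
	challenge []byte
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func NewIssuer() *Issuer {
	k := newKey()
	return &Issuer{key: k, Pub: &k.PublicKey}
}

func (is *Issuer) issue(holder, kind string, pub *ecdsa.PublicKey) (Credential, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, is.key, digest(holder, kind, pub))
	return Credential{Holder: holder, Kind: kind, Pub: pub, Sig: sig}, err
}

// Verify is what a relying party does with either credential.
func Verify(issuerPub *ecdsa.PublicKey, c Credential) bool {
	return c.Pub != nil && ecdsa.VerifyASN1(issuerPub, digest(c.Holder, c.Kind, c.Pub), c.Sig)
}

// IssuePIVCard personalizes a card (identity proofing omitted). The returned
// private key stands in for the key that lives on the card and never leaves it.
func (is *Issuer) IssuePIVCard(holder string) (*ecdsa.PrivateKey, Credential, error) {
	k := newKey()
	cred, err := is.issue(holder, "PIV Authentication", &k.PublicKey)
	return k, cred, err
}

// NewChallenge hands out a fresh nonce; the card must sign exactly this value.
func (is *Issuer) NewChallenge() []byte {
	is.challenge = make([]byte, 32)
	rand.Read(is.challenge)
	return is.challenge
}

// IssueDerived binds the phone's key to the card holder's name only after a live
// proof of possession of the card key. No card key is copied, and a derived
// credential cannot itself be used to derive another.
func (is *Issuer) IssueDerived(card Credential, challenge, sig []byte, phonePub *ecdsa.PublicKey) (Credential, error) {
	if is.challenge == nil || string(challenge) != string(is.challenge) {
		return Credential{}, errors.New("stale or unknown challenge")
	}
	is.challenge = nil // single use, so a captured signature cannot be replayed
	if card.Kind != "PIV Authentication" || !Verify(is.Pub, card) {
		return Credential{}, errors.New("not a valid PIV Authentication credential")
	}
	d := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(card.Pub, d[:], sig) {
		return Credential{}, errors.New("challenge signature does not verify under the card key")
	}
	return is.issue(card.Holder, "Derived PIV Authentication", phonePub)
}

// Enroll is the phone's side: the derived key is generated in the phone's secure
// element (modelled here as ordinary memory) and only its public half is sent.
func Enroll(is *Issuer, cardKey *ecdsa.PrivateKey, card Credential) (*ecdsa.PrivateKey, Credential, error) {
	phoneKey := newKey()
	ch := is.NewChallenge()
	d := sha256.Sum256(ch)
	sig, err := ecdsa.SignASN1(rand.Reader, cardKey, d[:]) // the card signs; its key stays put
	if err != nil {
		return nil, Credential{}, err
	}
	cred, err := is.IssueDerived(card, ch, sig, &phoneKey.PublicKey)
	return phoneKey, cred, err
}
```

Two design points follow from the article. First, the derived credential is only as trustworthy as the place `phoneKey` lives: here it sits in process memory, which is exactly the case Ferraiolo's FIPS 140-2 validated security element is meant to replace, since a key that can be read out of a phone is a key that can be used without the phone. Second, the issuer must generate the challenge itself and consume it on first use; letting the phone pick the nonce, or accepting the same nonce twice, would let anyone who captured one card signature enroll a device of their own.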

She added that FIPS 201-2 will be a high-level document describing how the HSPD-12 card could be integrated with smartphones or tablet devices.

But NIST will get down to specifics of the integration in Special Publication 800-73-4.

Bill MacGregor, NIST's PIV program manager, said at the IAB meeting that completing this special publication is among the Information Technology Laboratory's highest priorities once the public comment period for the draft of FIPS 201-2 has ended.

MacGregor said the draft of 201-2 should be open to public comment for about 30 days.

SP 800-73-4 is one of several special publications NIST is updating.

He said the agency also is working on revisions for biometrics and electronic authentication publications.

Ferraiolo said the biggest challenge going forward is ensuring the smartphone credential is as secure as the one on the HSPD-12 card.
