For the past few months, there has been a buzz in the mobility, security and PIV communities concerning the new NIST standard for PIV derived credentials. As with any new technology, having a basic understanding can drastically help you decide the best way to harness the technology to improve security […]
Now that enterprises have become comfortable with cryptographically secured hardware provided by PIV-C, they are looking for ways to add convenience and agility to their mobile device landscape while maintaining the same level of security controls that the PIV card provides…but without the physical card or reader. In this blog, we describe how to create a Virtual Smart Card issuance capability with all the enterprise level management and usability features required for a scalable operation.
This blog will help you learn how to issue Virtual Smart Cards for your enterprise workforce. It describes:
- What a Virtual Smart Card Is
- Security Benefits
- Implementation Steps
What is a Virtual Smart Card (VSC)?
A virtual smart card is stored in a secured chip known as a Trusted Platform Module (TPM). This TPM provides the same security features as a PIV smart card, but the chip is on the device’s motherboard, not embedded in an ID Card. From a convenience point of view, this design is spectacular because the user can achieve the same tamperproof security controls provided by a PIV Card even if their device lacks a smart card reader. With this approach, enterprises can easily extend cryptographic multi-factor authentication features to their mobile assets to complement their PIV Card issuance capabilities.
VSC Security Features
Conceptually, the VSC is similar to taking the chip from your PIV card and permanently storing it in your mobile device. While the VSC is different from your actual PIV card, it provides the same core security features that make the PIV card so effective. This matrix provides a side by side comparison of the two.
Hardware-based security (Non-exportability)
One of the best (if not the best) security features of the VSC is that the keys cannot ever be exported. The reason this is important is that if the device is ever stolen or is impacted by malware, the keys cannot be extracted and used by an unauthorized user. This provides extraordinary protection to ensure that the user’s keys can never be compromised if a hacker steals the device or clones the hard disk.
Another benefit of using the hardware approach to storing keys is the way the hardware can protect itself against traditional brute force attacks. Using a process known as anti-hammering, the chip will be able to detect fraudulent access attempts and will lock itself using an advanced algorithm to make sure an attacker cannot gain access to the TPM, but it does not permanently lock out a valid user that accidentally entered the PIN incorrectly. This Microsoft link has a great technical explanation of the anti-hammering feature.
The VSC provides immediate MFA security features out of the box with no additional hardware or software. For enterprises that have invested in cryptographic/PKI based authentication protocols, their mobile devices can now join this trust fabric more quickly and easily.
The cost and usability nature of VSC can enable enterprises to deploy hardware-based cryptographic tokens to their workforce at scale.
While I do love traditional PIV Cards, I will be the first to admit that they can be challenging to use when I am on my mobile device. Like everyone else, when I am on the go, I just want to be able to use my PKI credentials immediately without anything getting in the way. With the VSC feature, I now always have secure access to my credentials to protect my data and logins. For enterprises, this convenience is critical as it allows IT to implement the highest cryptographic security controls without disrupting the productivity of their workforce.
Modern devices (even desktops) are being delivered with VSC capabilities built in. There is no need to purchase separate hardware for credential storage. Additionally, the virtual smart card behaves like a traditional PIV card, so there is no need to buy additional software to use its multi-factor authentication and data protection security features.
The VSC implements the most secure multi-factor authentication protocols as well as provides the basis for Windows Bitlocker data protection. Since these features are now built into the user’s device, the enterprise can eliminate other proprietary multi-factor authentication products and use the VSC exclusively.
What you will need
If you are like me, you are so excited about the security and usability features of VSC and want to get started immediately with implementation. However, before you jump right in, you will need to prepare your enterprise for some operational changes before full roll out. Additionally, you will want to think about an architecture that is scalable and ready to go for full operations so you do not waste time evaluating a solution that will need to be reworked to meet enterprise needs.
Updated Backup/Disaster Recovery Procedures
Due to the strength of TPM security controls, TPM technologies can have a dramatic impact on the way an organization manages the recovery of its IT assets. Once the TPM is turned on and configured, traditional data backup and IT management processes no longer work unless great care is also taken in backing up the TPM information. The reason is that the TPM implements hardware-based security that effectively makes the data unexportable to any other device without proper security controls. Personally, I love this feature because if I lose my laptop, someone cannot just take out the hard drive and copy it. However, it does mean enterprises must take great care in securely backing up TPM information to provide a secure recovery process for their workforce. Microsoft provides guidance here.
Updated subscriber agreement
The virtual smart card implements the same security features as the traditional PIV card…but without the PIV card and reader. Sometimes, the end user does not even realize they are using an advanced crypto device. However, they should still be informed of their PKI responsibilities to protect their keys. Therefore, do not forget to include the subscriber agreement in the VSC issuance process.
Most of the VSC implementation guidance available describes a simple architecture comprised of one laptop and a test certificate authority. While this guidance is spectacular for learning how VSC works and even for evaluation purposes, an enterprise must consider what it takes to issue and manage thousands of VSC credentials, because once security managers and users start using VSC technology, its use will only become more popular in the enterprise. The following are elements that must be factored into the architecture to ensure a successful transition into full operations:
- Initialization – how will the VSC be initialized and managed
- Post issuance – how do you update, suspend or terminate a certificate
- Credential Linkage – given users typically have multiple credentials, how can the VSC be linked to a user’s current credential list
- Certificate Trust – How will the certificates be used and trusted
In the guidance below, we will be issuing virtual smart cards using a high speed, scalable architecture that can support PIV-C and PIV-I derived credentials. Note, this architecture is for enterprises ready for full VSC deployment. If your enterprise is still in the early phases of research, I recommend this great Microsoft tutorial to get started.
The great thing is that Microsoft is requiring TPM technology to be part of the hardware stack for Windows 10. For an enterprise, this means you will already have the TPM in your infrastructure without additional costs.
VSC Management Platform
The management platform will provide centralized management for all of the VSC credentials issued within the enterprise. This platform will also enable administrators to easily manage the certificates at an enterprise level. The HID CMS product provides the features for enterprise VSC management along with advanced APIs for linking issuance and post issuance activities to automate the management of VSC credentials.
The CA will provide the certificate services for the VSC. In this example, we are using a cloud-based, managed certificate authority from IdenTrust. IdenTrust provides an entire spectrum of certificate options and has the core industry certifications that allow for immediate scale and trust for PIV-I and Direct Trusted Agent.
VSC Issuance Software
The issuance software walks the user step by step through the process of encoding their VSC and drastically streamlines the traditional virtual smart card issuance process and automates manual steps for initializing the VSC. Additionally, the issuance software provides the necessary authentication services to ensure the user has permissions to encode their VSC.
1) Configure CMS to issue Virtual Smart Cards
In the CMS Customization/Devices console, check the option for Virtual Smart Cards.
2) Connect the CMS to the Certificate Authority
Add a New Certificate Authority
3) Create the device policy
Now that the CMS has been configured for VSC and for the certificate authority, the next step is to configure the device policy. The device policy is what allows the enterprise to issue VSCs at scale as this feature allows the admin to set the PIN protection and certificate details at a global level.
4) Encode the VSC
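As an added example, not taken from the original post or from the HID CMS product, the following PowerShell checks the TPM state described earlier (presence, readiness and the anti-hammering lockout counters) and then creates a TPM virtual smart card with Microsoft's built-in tpmvscmgr.exe, the stand-alone Windows path rather than the CMS-managed flow in the steps above. The card name "Enterprise VSC" is a placeholder.

```powershell
# Added example: verify the TPM is ready and not in anti-hammering lockout,
# then create a TPM-backed virtual smart card with Microsoft's tpmvscmgr.exe.
# Run from an elevated PowerShell prompt on Windows 10/11 with a TPM.
# This is not the HID CMS issuance flow; it is the stand-alone Windows path.

#Requires -RunAsAdministrator

function Test-TpmReadyForVsc {
    # Get-Tpm (TrustedPlatformModule module) reports presence, readiness and
    # the dictionary-attack (anti-hammering) lockout state of the chip.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        throw 'No TPM found on this device; a virtual smart card cannot be created.'
    }
    if (-not $tpm.TpmReady) {
        throw 'TPM present but not ready; run Initialize-Tpm or check the UEFI/BIOS settings.'
    }
    if ($tpm.LockedOut) {
        # Anti-hammering: the TPM refuses authorizations until the heal time passes.
        throw "TPM is in anti-hammering lockout ($($tpm.LockoutCount)/$($tpm.LockoutMax) failed attempts); wait for the heal time before creating a VSC."
    }
    return $tpm
}

function New-TpmVirtualSmartCard {
    param(
        [Parameter(Mandatory)] [string] $Name
    )
    # /pin prompt      : the user chooses the PIN interactively (never embed PINs in scripts)
    # /adminkey random : an admin key is generated on the device and discarded, so
    #                    PIN unblock is not possible; at scale let the CMS hold admin keys
    # /generate        : create the card file system so it is ready for certificate enrollment
    $cliArgs = @('create', '/name', $Name, '/pin', 'prompt', '/adminkey', 'random', '/generate')
    & tpmvscmgr.exe @cliArgs
    if ($LASTEXITCODE -ne 0) {
        throw "tpmvscmgr.exe failed with exit code $LASTEXITCODE"
    }
}

# Show the TPM fields an administrator cares about, then create the card.
Test-TpmReadyForVsc | Select-Object TpmPresent, TpmReady, LockedOut, LockoutCount, LockoutMax
New-TpmVirtualSmartCard -Name 'Enterprise VSC'   # placeholder card name
```

After creation the new reader appears in certmgr.msc like a physical smart card reader, and certificate enrollment proceeds as it would for a PIV card.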
Virtual Smart Cards give enterprises another extremely useful way to equip their workforce with strong authentication and data protection tools. Similar to the PIV Card, the VSC can provide unparalleled security to withstand the latest cyber threats. If you have more questions about the architecture or want to see a demonstration, please send us an email to email@example.com.
Blockchain technology has become a major discussion topic in recent years. Rightfully so, because there is no question that Blockchain holds significant promise for the future. Many major companies are investing in this technology, such as Microsoft, IBM, Cisco, SAP, as well as others. As with any new technology, there are a lot of claims made around Blockchain, and it is very difficult to separate fact from fiction on this topic. Only time will tell whether the things that are said actually become reality or just stay as false promises.
One topic in particular has caught my attention: the implementation of Public Key Infrastructure (PKI) and Blockchain. While the outcome is yet to be determined, I believe that Blockchain technology will deeply benefit from PKI and other identity technologies, rather than replacing them.
Blockchain at its core is a shared ledger; the technology provides a mechanism for multiple participants to agree upon the contents of the ledger in a decentralized manner. These participants make up what is often called the Blockchain network. Blockchain leverages digital signatures, Elliptic-Curve Cryptography, and SHA-2 hashes as the main cryptography for all transactions. Because Blockchain uses public-key ("asymmetric") cryptography, the private key must be protected to the highest level: if you lose your private key with Bitcoin, that essentially means losing your money. With all of this information, there is no question that Blockchain has significance in certain applications. The experiments made by the banking industry are a great example of how Blockchain can secure bank transfers. However, because Blockchain is a new technology, it has lots of room to develop and improve.
In the Bitcoin Blockchain, the ledger contains transactions involving the exchange of currency, but in the more general case, the contents of the ledger can be almost anything. When it comes to Public Key Infrastructure, I believe that the basic setup will remain the same. That means that the CA will issue and manage the certificates needed for trusted digital identities to implement strong authentication, digital signatures, and data encryption. But instead of running the infrastructure on a computer, which requires a lot of maintenance, the CA would be running on the Blockchain instead. It would replace the single computer with a group of connected computers where the code is accessible to anyone, and that would make PKI even more trustworthy and robust.
In order to really understand how implementing PKI on Blockchain would benefit over traditional PKI, let's go over some apparent advantages. The certificates are not signed, resulting in them being shorter, which would reduce the time it takes to transmit a certificate backed by a CA certificate chain. Validation of a certificate and its CA certificate chain is critical. But because Blockchain is a "distributed ledger", the verifier has a local copy of the entire blockchain and is able to look up the hashes of certificates in the blockchain stores without network access; therefore no signatures need to be verified.
Lastly, in Blockchain PKI the use of certificate revocation lists (CRLs) or responses to Online Certificate Status Protocol (OCSP) queries would no longer be required. This is an advantage because these lists can consume a lot of data, resulting in a slower overall process.
The technology is very exciting, but the future is yet to be determined. Because this technology is quite new, we can expect a few bumps along the way as it matures. Blockchain will remain one of the most interesting technologies to keep an eye on in the next few years.
What an amazing summer. Personally, it was the summer of PIV-C! It was great because I spent a majority of the summer traveling around the nation helping customers implement and get the most out of their PIV-C credentials. What was so rewarding was witnessing firsthand how the NIST (PIV) interoperability standards are really helping customers save money by allowing them to streamline and consolidate their multi-factor authentication platforms. In this blog, I will share some real-world techniques that can help your organization better utilize PIV-C cards to lower costs.
PIV-C Credential Consolidation Technique Savings Table

| Technique | How it saves money |
| --- | --- |
| Use 1 PIV-C Card for both LACS and (Legacy) PACS | Eliminate credential issuance costs |
| Easily (and securely) derive credentials for mobile devices | Eliminate travel and hardware costs |
| Consolidate encryption certificates | Eliminate downtime and 3rd party certificate costs |
| Streamline remote access | Eliminate 3rd party licensing and support costs |
| Privileged and regular identities on 1 PIV-C Card | Eliminate credential issuance costs |
Use 1 Credential for both LACS and (Legacy) PACS:
New card technologies have been designed specifically to allow enterprise users to use their existing physical access control system (PACS) readers with the new PIV-C based smart cards. This means that enterprises can use their choice of Seos, iCLASS, MIFARE Classic or MIFARE DESFire physical access with optional HID or Indala Prox protocols to issue their PIV-C credentials. With this setup, users can use one credential to log in to their logical access resources and then use that same PIV-C credential to open doors and other physical access resources.
Easily (and securely) derive credentials for mobile devices:
Thanks to the NIST derived credential standards, enterprises have a clear security protocol for requesting and generating derived credentials for mobile devices. Now, a user can leverage their PIV-C card as a means to remotely identify themselves to create derived credential requests for their mobile devices. This means organizations can fully automate this process to securely deliver certificates to end user devices without any user downtime due to travel or other time-consuming processes related to manual certificate issuance.
Consolidate encryption digital certificates:
One of the great things I saw when traveling was the massive use of encryption. It was so nice to see organizations encrypting their data with PKI technology. However, a common challenge was how to manage older keys once the user got new keys (for example, sometimes they would lose their older key and then could not decrypt older messages). This is another area PIV-C starts to really pay off – encryption key history storage and consolidation. With the PIV standards, key history is automatically stored onto the user’s PIV card…even if they get a brand-new card. This means the user always has secure access to their current and older encryption keys on their PIV-C card. No longer do they have to manage different storage locations or be worried that they cannot decrypt older messages because they lost their previous encryption keys. Now all of their encryption keys are conveniently located on their PIV-C card!
Privileged and regular user identities on 1 PIV-C Card:
Privileged users represent a challenging situation. In addition to their administrative needs, privileged users also need lower-access accounts that allow the identity to whom the account belongs to perform their non-administrative business tasks. Although enterprises can address this issue by issuing multiple tokens or adjusting their domain controller to map the tokens to different accounts, both come with additional costs and administrative burdens.
Another approach is to load both the privileged and regular user account information onto one PIV-C card. This allows the privileged user to carry only 1 PIV-C card and does not require any domain or certificate changes. New card technology includes additional PKI slots built into the card for this specific purpose. Now the enterprise can issue multiple certificates for one identity on one card which can result in drastic credential savings. Also, it makes it much more convenient for the privileged user as they now only have to carry around 1 credential for their different systems.
The standardization and interoperability vision of NIST is paying off in practical and financial terms. Using both the basic and advanced PIV-C security features, enterprises can really begin to experience cost savings by issuing a credential that is standard and is extremely secure. I hope the techniques in this blog helped illustrate fundamental ways PIV-C can reduce costs. In the upcoming weeks, we are going to be publishing more on PIV-C advanced usages so make sure to subscribe to our list.
With Labor Day being on Monday, the end of summer is here. As the end of this season approaches, so does the compliance deadline for implementing multi-factor authentication controls for Department of Defense (DOD) contractors. As of the publishing date of this blog, there are only 123 days left to comply with NIST SP 800-171 security controls to meet the eligibility for defense contracts. When factoring in implementation time, weekends, and holidays, only 90 days are left.
Contract Eligibility and NIST SP 800-171
To ensure important government information stays secure, even when it is not being processed in a government system, DOD implemented a contract clause stating that all vendors doing business with DOD must have adequate security controls to even participate in the contracting process. These security controls, outlined in NIST SP 800-171, focus on Controlled Unclassified Information (CUI) and serve to provide consistency between the different corporations and to make sure the information stays secure.
Focus on multi-factor authentication
One of the foundational security controls of NIST SP 800-171 is enforcing strong authentication. This is because the most devastating hacks have been due to insecure authentication techniques that allowed unauthorized users full control of an entire infrastructure because they simply guessed a password. The new MFA controls focus on eliminating this threat by enforcing controls that focus on:
- Knowing exactly who is trying to gain access
- Ensuring the person is not able to get more information than they are privileged to
- Tracking actions within the system by privileged users
Multi-factor authentication is a necessity in order to meet the requirements. This can be done with cryptographic software, smart cards, hardware tokens, email encryption and PKI. The best way to manage all of this is with a Credential Management System (CMS). You can track and issue credentials, and it is all in one easy-to-use system.
What happens if I don’t comply?
If your organization does not comply, any existing contract becomes out of compliance resulting in a breach which consequently will disrupt payment. For new contracts, your organization will not meet the eligibility requirements to even submit a bid. In other words, your ability to transact with the DOD is eliminated. Therefore, it is in your company’s best interest to comply so you can continue bidding for government contracts.
Last minute MFA options for compliance
Recognizing time is running out, we wanted to share some last minute options to help you reach compliance as soon as possible. We strongly support the use of PIV-C to meet your MFA needs because of its interoperability and scalability properties. As such, below are the options to help you get a PIV-C MFA card fast.
- Use a cloud service: Various companies provide services that can quickly issue a PIV-C based token within hours. Please contact us at firstname.lastname@example.org and we can provide a list of recommended vendors.
- Install a PIV-C turnkey system: For enterprises desiring a long-term approach, they can install an on-premises system that is fully customizable and scalable for their needs. This system is completely turnkey, contains all of the software, smart cards, hardware tokens and digital certificates, and can be installed in 2-3 days. Once installed, you can track and issue credentials, and it is all in one easy-to-use system.
- Do it yourself PIV-C: If you just want to issue a smart card based MFA token ASAP, you can manually load a certificate using HID ActivClient and the Crescendo 144K card. This approach can enable compliance within hours.
Benefits of NIST SP 800-171 Compliance
Of course, change always presents challenges to any organization, especially when it comes to implementing new security controls. However, given the insecure nature of today's computing infrastructure, NIST SP 800-171 will provide dramatic business and security dividends. For example:
- You can save money by consolidating your MFA issuance infrastructure.
- You will have peace of mind, knowing that your company is secure from hackers
- You can see what is going on behind the scenes. By being up to these standards, you are creating a digital fingerprint.
- You will be able to see who is logged in and at what time the login occurred. This will allow you to verify if it is the person that is supposed to be logging in or not.
- This can save you money in the long run, by not having to pay costs that come associated with being hacked.
- You will also be able to save money by implementing a BYOD policy at your office. This could also increase employee happiness and productivity.
- The whole system is simple to use, yet secure.
Overall, the NIST SP 800-171 security controls were designed with the American people’s best interest in mind to ensure our defense information is kept secret. Without this protection in place consistently, our information remains at risk. We hope these options help you realize you can still become compliant within a few days.