Derived Credentials

NIST has coined the term derived credentials to refer to cryptographic credentials that are derived from those in a Personal Identity Verification (PIV) card or Common Access Card (CAC) and carried in a mobile device instead of the card. (A CAC is the PIV card issued by the Department of Defense.)

The ability to carry cryptographic government credentials in mobile devices has important implications. Today, the requirement to use PIV/CAC cards means that different IT solutions must be developed for the government and for the private sector. IT solutions specifically developed for the government are expensive, while private sector solutions too often rely on passwords instead of cryptographic credentials. Using the same solutions for the government and the private sector would lower costs and increase security.

But protecting credentials stored in mobile devices is challenging. Smartphones are frequently stolen, and many phones have no tamper-resistant storage that could readily be used to protect credentials. Mobile devices are also vulnerable to malware, and it is difficult to protect credentials and credential-activation passcodes against it.

In 2012 we proposed using as a derived credential an uncertified key pair regenerated from user-supplied secrets, such as a PIN and/or a biometric sample, together with what we now call a protocredential stored in the mobile device. An adversary who captures the device cannot mount an offline attack against the user-supplied secrets: the device stores nothing that would let the adversary check a guess locally, so the only way to test one is to regenerate the key pair from it and attempt online authentication against a back-end, which can limit the number of attempts. We also proposed a method of hiding cryptographic complexity from mobile app developers using a Prover Black Box (PBB) in the mobile device and a Verifier Black Box (VBB) in the back-end. These techniques are described in a blog post, a paper, and a presentation to the Cryptographic Key Management Workshop held at NIST in September 2012. They have the advantage of facilitating the development of new mobile apps, but the disadvantage of departing from the certificate-based authentication methodology favored by the Federal Government.

In March 2014 NIST released drafts of two documents with thoughts and guidelines on the deployment of derived credentials, Draft NISTIR 7981 and Draft NIST Special Publication 800-157, and requested comments on them. The NIST documents called for storing credentials equivalent to the user authentication and secure mail credentials carried in a PIV/CAC card in several kinds of cryptographic modules, which NIST calls tokens, including so-called software tokens. Using the same kind of credentials in mobile devices as in PIV/CAC cards leverages the existing Federal PKI infrastructure and minimizes the changes that need to be made to existing applications. However, the software-token solution seemed to call for encrypting private keys under a key with only 20 bits of entropy, which is clearly insufficient protection against an offline guessing attack by an adversary who captures the encrypted keys.

In comments sent to NIST, as well as in a blog post, we discussed the security challenge of storing credentials in a software token, and proposed a technique that provides strong security while preserving the advantages of the NIST solution. The technique consists of encrypting the credentials under a high-entropy key stored in a secure back-end that provides a key storage service. The key is retrieved by authenticating to the back-end with an uncertified key pair regenerated from a protocredential and an activation PIN, in a way that is immune to offline attack: a wrong PIN simply yields a different key pair, and only the back-end, which counts attempts, can tell the difference. In a technical report we further explained how the technique can also be used to improve the security of credentials stored in a Trusted Execution Environment (TEE) or in tamper-resistant hardware, and we provided a particular example of a derived credentials architecture that takes advantage of an existing mobile device management (MDM) infrastructure.
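As an added illustration of the technique described in the two paragraphs above (it is not code from Pomcor or from the NIST documents), the following Python sketch puts the pieces together: the device keeps only a protocredential (a random salt) and the credential encrypted under a high-entropy key-encryption key (KEK); the KEK lives in a key storage back-end; the private exponent of an uncertified key pair is regenerated from the PIN and the protocredential, and the back-end releases the KEK only after a challenge-response proof of possession, counting failures. The group (RFC 3526 group 14), the challenge-response message format, the class and function names, and the HMAC-based stand-in for an AEAD cipher are all assumptions made for illustration; a deployment would use a real AEAD such as AES-GCM and a standard signature or key agreement scheme.

```python
"""Added example, not Pomcor's code: a software token whose derived credential
is encrypted under a high-entropy KEK held by a key storage back-end.  The
back-end releases the KEK only to a device that proves possession of the
uncertified key pair regenerated from the user's PIN and the device-stored
protocredential, and it counts failed attempts.  Names, message formats and
the stdlib stand-in cipher are assumptions made for illustration."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP, generator 2): a well-known group in which
# the uncertified key pair lives.  Any standard DH or EC group would do.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
MAX_ATTEMPTS = 5  # online guessing limit, enforced by the back-end, not the device


def regenerate_private_key(pin: str, protocredential: bytes) -> int:
    """Regenerate the private exponent x from the PIN and the protocredential.
    The device stores neither x, nor g^x, nor any PIN check value, so a thief
    who captures the device has nothing to test PIN guesses against offline."""
    seed = hashlib.pbkdf2_hmac("sha256", pin.encode(), protocredential, 200_000)
    return int.from_bytes(seed, "big") | 1


def session_key(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def prove_possession(x: int, gb: int, nonce: bytes) -> bytes:
    """Device side of the challenge-response: (g^b)^x equals (g^x)^b, so only the
    holder of x derives the same session key as the back-end, which knows b."""
    return hmac.new(session_key(pow(gb, x, P)), nonce, "sha256").digest()


class KeyStorageService:
    """Back-end: enrolled public key, high-entropy KEK and failure counter per device."""

    def __init__(self):
        self._records = {}

    def enroll(self, device_id: str, pub: int) -> None:
        self._records[device_id] = {"pub": pub, "kek": secrets.token_bytes(32),
                                    "failures": 0, "pending": None}

    def challenge(self, device_id: str):
        rec = self._records[device_id]
        if rec["failures"] >= MAX_ATTEMPTS:
            raise PermissionError("device locked out after too many failed attempts")
        b, nonce = secrets.randbelow(P - 2) + 1, secrets.token_bytes(16)
        rec["pending"] = (b, nonce)
        return pow(G, b, P), nonce

    def retrieve_kek(self, device_id: str, proof: bytes) -> bytes:
        rec = self._records[device_id]
        pending, rec["pending"] = rec["pending"], None
        if pending is None:
            raise PermissionError("no outstanding challenge")
        b, nonce = pending
        expected = hmac.new(session_key(pow(rec["pub"], b, P)), nonce, "sha256").digest()
        if not hmac.compare_digest(expected, proof):
            rec["failures"] += 1  # every wrong PIN guess costs one online attempt
            raise PermissionError("authentication failed")
        rec["failures"] = 0
        return rec["kek"]


def _stream(kek: bytes, iv: bytes, length: int) -> bytes:
    blocks = (hmac.new(kek, b"enc" + iv + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def wrap(kek: bytes, credential: bytes) -> bytes:
    """Encrypt-then-MAC under the KEK; the HMAC keystream is a stdlib stand-in
    for a real AEAD such as AES-GCM, which is what a deployment should use."""
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(credential, _stream(kek, iv, len(credential))))
    return iv + ct + hmac.new(kek, b"mac" + iv + ct, "sha256").digest()


def unwrap(kek: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(kek, b"mac" + iv + ct, "sha256").digest(), tag):
        raise ValueError("credential blob tampered with or wrong KEK")
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, iv, len(ct))))


def enroll_device(service, device_id: str, pin: str, credential: bytes):
    """Returns what the device keeps: the protocredential and the wrapped credential."""
    protocredential = secrets.token_bytes(32)
    x = regenerate_private_key(pin, protocredential)
    service.enroll(device_id, pow(G, x, P))
    gb, nonce = service.challenge(device_id)
    kek = service.retrieve_kek(device_id, prove_possession(x, gb, nonce))
    return protocredential, wrap(kek, credential)


def unlock_credential(service, device_id, pin, protocredential, blob) -> bytes:
    """Use-time flow on the device: regenerate x, authenticate, fetch KEK, decrypt."""
    x = regenerate_private_key(pin, protocredential)
    gb, nonce = service.challenge(device_id)
    kek = service.retrieve_kek(device_id, prove_possession(x, gb, nonce))
    return unwrap(kek, blob)
```

The property to notice is what the device does not hold: neither the public key nor any value derived from the PIN is stored locally, so a captured device yields only the protocredential and a blob encrypted under a 256-bit key that the thief never sees. Each PIN guess has to go through `challenge`/`retrieve_kek`, where the back-end's failure counter applies, which is what makes the 20-bit-entropy PIN acceptable as an activation secret.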

Later, in a PowerPoint presentation at the 2014 GlobalPlatform TEE Conference and a pre-conference blog post, we observed that the concept of derived credentials is broadly applicable. It could be used to refer to any credentials carried in a mobile device that are derived from primary credentials carried in a smartcard and are functionally equivalent to the primary credentials, including not only authentication and email credentials but also payment credentials. We argued that a TEE is ideally suited to protect derived credentials when combined with the virtual tamper resistance provided by the above-mentioned protocredential-based technique, because the trusted user interface feature of the TEE protects the activation PIN from being intercepted or phished by malware. (It also makes it possible to securely confirm important transactions with the user via a trusted path protected from malware.) In a post-conference blog post we described an incremental improvement on the virtual tamper resistance technique that obviates the need to set up a secure channel to retrieve the high-entropy encryption key. (The technique is illustrated by an animation in the conference presentation.)

In a video interview during the TEE conference, Francisco Corella, CTO of Pomcor, explained the concept of derived credentials and virtual tamper resistance, and how a TEE can be used to implement them. The interview was conducted by Rob Peryer of iseepr and can be found on the GlobalPlatform website.

NIST has recently announced the final version of Special Publication 800-157 and released a file containing more than 400 comments on the draft publication and their dispositions by the author team. The comments reflect insightful thinking by many government and private sector organizations, but unfortunately the dispositions fail to address many serious concerns expressed by the commenters. The following series of blog posts reviews the comments, their dispositions, a follow-up NIST workshop, and related issues: