Mobile Derived PIV/CAC Credential – A Complete Solution for NIST 800-157
With the publication of FIPS 201-2, the ability to place an HSPD-12-compliant credential onto a mobile platform became permissible as defined in the draft NIST Special Publication 800-157.
This allows for greater flexibility for future PIV-enabled applications and operations, as the traditional challenges of leveraging strong public key cryptography in mobile devices can be met by derived credentials. Currently, NIST SP 800-157 only outlines PIV authentication from a mobile device to an agency’s corporate intranet.
In addition to HSPD-12 enablement of mobile devices, derived credentials provide a backup credential for an employee whose PIV badge is lost or damaged. This is helpful to remote employees, or staff who may not have easy access to a PIV enrollment center (e.g., employees deployed overseas).
The trust for the new credential is derived from the strong identity binding established by authenticating the user's PIV smartcard during enrollment. It is important to note that only the trust is derived during enrollment; the derived credential's certificates and key pairs are cryptographically distinct from those on the user's PIV card.
After issuance, the PIV smartcard could be revoked or replaced without affecting the trust of the derived credential. This is similar to how an individual applies for a passport using the trust of another government-issued credential, such as a driver's license: once issued, the passport does not require replacement if the license expires or is revoked.
This white paper explores proven deployment methods and real-world use cases for deriving a mobile identity from an existing credential.