Supporting the PIV Application in Mobile Devices with the UICC
Publication Date: June 2013
The increasing utilization of mobile devices such as smartphones and tablets has expanded the capability of employees to stay connected longer and be more active and efficient in their work. These connected devices are designed for the mass market, often with little to no security enabled in their hardware or embedded into their applications. The mobile security requirements for a corporate or government employee are quite different, especially with organizations allowing employees to bring their own device (BYOD). Securing sensitive and confidential information within email clients and enabling secure access to remote services require an underpinning of security techniques and features.
This white paper was developed to provide guidance to U.S. Government policy makers and technologists on the key technical, business and policy considerations for supporting the Personal Identity Verification (PIV) application and credentials on mobile devices using the Universal Integrated Circuit Card (UICC).
The white paper sets out a strategy for securing mobile devices using a hardware-based “secure element” in the mobile device; the secure element is used for storing protected data and applications and providing a secure execution environment for those applications. A mobile device’s secure element may be present in different form factors: the UICC, an embedded smart chip or a smart microSD card. This white paper focuses on one form factor, the UICC, which is present in most mobile devices. Although this document is specifically aimed at the U.S. Government market and PIV credentials, the approach employs techniques and technologies that can apply to any smart-card-enabled identity credential and token and any UICC-enabled smartphone or mobile device. This strategy will enable corporations, government agencies and mobile telecommunication companies to take advantage of and achieve scale for the growing need to provide secure PKI-based services on mobile devices.
The white paper includes discussion of the following topics:
- Use cases for PIV credentials on a mobile device
- Integration of the PIV application and credentials with the mobile phone and UICC
- Example provisioning and management model for the PIV applet and credentials on the UICC
- Impact on U.S. Government policies and issues to be addressed
- Efforts by industry stakeholders to support the defined approach
Incorporating the PIV credential in the UICC is a cost-effective and beneficial solution, as there are already well-deployed mechanisms to control the content of the UICC over the air. These mechanisms can ensure the secure activation of the credential functionality on the UICC along with its provisioning from the U.S. Government’s issuing authority. The UICC-based credential can then be made available through mobile PIV middleware to local mobile applications for a range of use cases (e.g., remote authentication, signature, and encryption and decryption of data in transit and at rest).
This approach effectively balances the need for flexibility by handset makers with the need for security to protect government and commercial online identities. This architecture provides an approach that is interoperable with the current PIV infrastructure, leveraging the investment that has already been made.
About this White Paper
This white paper was developed by the Smart Card Alliance Identity Council, Mobile and NFC Council and Access Control Council to provide guidance to U.S. Government policy makers and technologists on the key technical, business and policy considerations for supporting the Personal Identity Verification (PIV) application and credentials on mobile devices using the UICC.
Council members involved in the development of this white paper included: Bell Identification B.V.; Booz Allen Hamilton; CH2M HILL; Deloitte & Touche LLP; Gemalto; General Services Administration (GSA); HID Global Corporation; Identification Technology Partners; IDmachines; Intercede Ltd; IQ Devices; NXP Semiconductors; Oberthur Technologies; SAIC; SafeNet, Inc.; SecureKey Technologies; XTec, Inc.
About the Identity Council
The Smart Card Alliance Identity Council is focused on promoting best policies and practices concerning person and machine identity, including strong authentication and the appropriate authorization across different use cases. Through its activities the Council encourages the use of digital identities that provide strong authentication across assurance environments through smart credentials, e.g., smart ID cards, mobile devices, enhanced driver’s licenses, and other tokens.
The Council addresses the challenges of securing identity and develops guidance for organizations so that they can realize the benefits that secure identity delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning, and multiple organization resources to bear on addressing the challenges of securing identity information for proper use.
About the Smart Card Alliance Mobile and NFC Council
The Smart Card Alliance Mobile and NFC Council was formed to raise awareness and accelerate the adoption of payments, loyalty, marketing, promotion/coupons/offers, peer-to-peer, identity, and access control applications using NFC. The Council focuses on activities that will help to accelerate the practical application of the technology, providing a bridge between technology development/specification and the applications that can deliver business benefits to industry stakeholders.
The Council takes a broad industry view and brings together industry stakeholders in the different vertical markets that can benefit from mobile and NFC applications. The Council collaborates on: educating the market on the technology and the value of mobile and NFC applications; developing best practices for implementation; and working on identifying and overcoming issues inhibiting the industry.
About the Access Control Council
The Smart Card Alliance Access Control Council is focused on accelerating the widespread acceptance, use, and application of smart card technology for physical and logical access control. The group brings together, in an open forum, leading users and technologists from both the public and private sectors and works on activities that are important to the access control community and that will help expand smart card technology adoption in this important market.