The Defense Department is having a particularly tough time integrating mobile technology into its mission, largely because every attempt to link it to the Common Access Card has been too cumbersome. But the Defense Information Systems Agency’s Purebred program may have found a way to bypass the physical CAC altogether.
“A CAC doesn’t play well in the mobile space,” said Jeremy Corey, lead engineer for DoD’s public key infrastructure. “It’s kind of awkward, and the form factor itself — you require some type of sleeve to integrate with that mobile device. What derived credential is, is a software form of those PKI credentials that are on the CAC today being loaded into a device and stored on the device.”
The idea is similar to the concepts behind Google Wallet or Apple Pay: like CACs, credit cards can be cumbersome to use in the mobile space. Rather than inputting the information from a card every time, why not directly link the phone to an account, and turn the phone into a digital version of the card?
“Purebred in itself is just a key management server with an app that resides on a mobile device,” Corey said. “It allows you to have a credential issued to you as a user. The derived portion stems from the vetting process that occurs when the user that has a CAC, that’s what we’re deriving from. It’s that vetting process of when they were issued that CAC. So we’re deriving credentials based on those certificates that were placed on the CAC.”
Before the Purebred program, it took 22 minutes to sideload a credential into a digital device during some soft-certificate pilots. By using derived credentials, the Purebred program reduced that time to three minutes.
DISA has also managed to make Purebred available across three major phone platforms — iOS, Android and BlackBerry — as well as tablets.
But the credentials aren’t quite as trusted as CAC yet.
“With derived credentials, the devil is in the details,” Corey said. “With direct credentials in Purebred we’re issuing what we call ‘level of assurance three’ credential.”
Meanwhile, CAC delivers a level-four credential.
Corey said it would depend on the owner of a resource whether or not the Purebred credentials would be acceptable for access.
“This can depend on the resource the user is trying to access,” Corey said. “If the resource has the ability and it’s within their authority to decide what credentials they want to trust, and if a particular resource will only trust hardware certificates, or a certificate policy that asserts hardware is how we refer to it, and CACs, then derived credential users wouldn’t be able to authenticate to that resource.”
And Corey said the digital credentials are no less secure than the CAC. In the event of a stolen or compromised device, the digital credentials can actually be revoked more easily than a CAC, because revoking the credentials wouldn’t require reissuing a CAC master certificate.
Meanwhile, Corey said the Purebred credentials will have some unique benefits.
“We received great interest from app owners or app developers with how they could utilize the derived credentials are placed onto the device,” he said. “So one of our solution fundamentals originally was just to get those credentials onto the native platform so that native applications on the device, that come with the device, out of the box, would be able to use those credentials. We’re talking about your native mail that you would launch every day to look at on your phone, your native web browser that comes with your device, whichever it may be. Your native VPN client that maybe you would use to connect into your corporate or headquarters network, as well as a single sign-on perhaps that is used in some organization. That’s where we aimed.”