Agencies must use 'roots of trust' to fill mobile security gaps, says NIST


Agencies must layer baseline security components onto mobile devices because they lack much of the security built into laptops and other enterprise technologies, says the National Institute of Standards and Technology.

According to its recently released draft special publication, "Guidelines on Hardware Rooted Security in Mobile Devices," or NIST SP 800-164 (.pdf), agencies are to adopt three security mechanisms: roots of trust, an application programming interface to expose the roots of trust to the platform, and a policy enforcement engine.

Roots of trust, or ROTs, are technologies that provide trusted, security-critical functions and behave consistently, says the NIST publication. The authors prefer hardware ROTs to software ROTs because they have a smaller attack surface and tend to be more reliable.

Devices should use ROTs for storage, to provide a protected repository and interface for keying material, and for verification, to confirm the authenticity of digital signatures associated with software or firmware. The publication says ROTs should also be used to ensure the integrity of device storage, and for reporting identities and signing assertions.

"RoTs must be exposed to the device and OS in order to establish a chain of trust for user applications," say report authors.

As such, APIs ensure the security functions provided by the ROTs can be applied elsewhere on the device—providing access to cryptographic keys and authentication credentials, for example.

The publication also recommends agencies use a policy enforcement engine to make it easier to process and maintain device policies, such as storage requirements and network configurations. The tool must not only implement the correct policies on the device, but also prevent the requirements from conflicting with one another.

The NIST guidance also requires agencies to implement some more basic security measures. First, agencies should confirm device integrity and the absence of corrupted hardware, firmware or software. Agencies should also isolate systems on the device so that if one portion is contaminated, the entire device is not vulnerable. Finally, protected storage should be used to preserve the confidentiality and integrity of data at rest, while the device is in use, or once access is blocked by an administrator.

For more:
- download the publication, SP 800-164 Draft (.pdf)
