Incubator Program Yields BLE and NFC Credentialing

By Claire Swedberg

The Kantara Initiative has completed a project with Exponent in which the credentials of an emergency responder or other individual can be loaded onto a smartphone and then be accessed securely via BLE or NFC using another phone.

Technology consulting company Exponent has finished the second phase of a project for the Kantara Initiative's Identity and Privacy Incubatory (KIPI) program to provide mobile authentication and credentialing for emergency responders. The system enables the use of Bluetooth Low Energy (BLE) and Near Field Communication (NFC) with NIST's OPACITY standard so that individuals can identify themselves automatically via their smartphone.

This is the second phase of the Kantara First Responder Mobile Authentication Project, which is being undertaken by KIPI. The first phase focused on OPACITY-standard technology using NFC-enabled smartphones to provide access control. The system proved to work well, the company reports, but NFC technology solutions at this point still only work with Android-enabled phones. Phase two takes the capacity a step further, with BLE functionality between two devices, including interoperability with Android- and iOS-based devices.

The Kantara Initiative is a non-profit industry consortium and trade association aimed at providing strategic vision and real-world innovation for digital-identity and data-privacy solutions. The association drafts specifications and makes recommendations for identity management. It collaborates with Rutgers University's Command, Control and Interoperability Center for Advanced Data Analysis (CCICADA), which serves the U.S. Department of Homeland Security's Centers of Excellence. With support from CCICADA, KIPI intends to advance the development of products and services with mass adoption potential, according to Colin Wallis, the organization's executive director and project manager.

Exponent has now undertaken two projects as part of the KIPI program. The company provides engineering and scientific consulting and employs 900 workers, approximately half of whom have Ph.D. degrees in 90 different technology areas. The firm has been providing consulting and testing services for smart-card-based ID programs for the past several decades, says John Fessler, Exponent's principal engineer. "We see the writing on the wall," he explains, "that people would rather use phones than cards for credentialing. Working with a mobile device is the way people want to go."

Recently, therefore, Exponent began engineering a solution using contactless technology in smartphones to enable authorized individuals to enter a locked door. Exponent had already developed a system by which NFC ID cards could be authenticated via an NFC reader built into a mobile phone, so it went on to develop a system by which a phone could authenticate an electronic ID stored on that phone, via a reader, such as the type used for physical access or one built into another smartphone.

The firm built a system complying with the OPACITY protocol, Fessler explains, which is designed for rapid communication over a secure, encrypted channel. It operates with the ANSI 504 standard, as well as the NIST SP 800-73-4 standard used for government smart cards. With OPACITY, the company was able to set up a system that would enable a very fast transaction, such as one that would allow a person access through a turnstile at the tap of a phone or card.

As part of the KIPI project, Exponent built a system by which an app on a user's phone would leverage NFC technology to send data directly to another phone, according to Christopher Williams, Exponent's security and privacy consultant. That means a temporary controlled access point could be set up for emergency responders with nothing more than a cell phone running an app, to capture NFC data from responders' Android-based phones.

Phase one of the project began in October 2016. To load the credential on the phone, responders could utilize an NFC ID badge, which would be interrogated by the phone's reader, or they could read a bar code off a physical ID, such as a driver's license. "Once we had that credential on the phone," Fessler states, "Christopher enabled the phone to operate like a card."

If the phone is powered off, it will not respond when interrogated by another NFC device. If it is activated but locked, it will be shielded and not respond. However, if a user unlocks the phone and holds it up to a reader, the phone will sense an NFC transmission from the door reader. The reader, Williams says, will then send a request for response. The user's phone will ensure that the reader is authorized to communicate with it, then forward its credentials. "That sets up OPACITY in a third of a second," he adds.

That system still has limitations, though, since the full capabilities of NFC are only available on Android-based devices. Additionally, NFC's transmission range is short, so credentialing and authentication still require that an individual be positioned directly in front of the reader. That could slow down credentialing in an environment such as an emergency response area. Therefore, Exponent moved forward with phase two, involving a BLE-based system using the same OPACITY data, but now transmitting it via Bluetooth Low Energy.

The recent fires in California have served as an example for a use case for this kind of solution, Exponent reports. FEMA (or another agency) could set up a perimeter area in which emergency responders could be provisioned with an ID number that would allow them entrance to a secured area. That ID could then be stored on a person's phone via an NFC or BLE transmission.

If responders are using BLE technology, they could walk or drive up to an official at the gate. The official, who would have an app on his or her phone, could thus "talk" to the devices of those lined up to enter. He or she could view data such as who was in line, along with that individual's credentials, and store the data on his or her own phone, as well as identify anyone lacking the proper credentials and prevent that person from entering.

If BLE is used, the officials would already have seen the responders' credentials by the time they reached the front of the line. A picture of each individual could be stored with his or her data as well. Since Exponent serves as a consultant on the project, the company does not manufacture or sell products. "What we did was take the code we developed and make it freely available for other users," Fessler says. "It's free on GitHub right now."

The third phase of the Kantara project will involve creating a commercial product through technology partners. "We'll be undertaking pilots and making firm proposals with a commercial context," Wallis states.

In some cases, Fessler says, agencies could create NFC- or BLE-based tokens that they could very quickly hand out to authorized parties. They could then gain access quickly, even if they did not have their phones with them. The system wouldn't need to be used only by emergency responders, Fessler notes. "Any time you want to authenticate," he says, adding, "Consider a pizza man at a guard facility. You can authenticate that person, and the beauty is there's no hardware, just phones."

"The entire thing is centered around three fundamentals," Fessler says: security, interoperability and the ability to work offline. The OPACITY protocol ensures the transmission will be secure and not be made available to other parties. The platform-agnostic feature is the interoperability between Android and iOS, he adds. "The only thing you would need is a phone and an app—no additional devices, and it's all open-source."

The third fundamental is the ability to work offline, Fessler reports. The system could work anywhere, even in an environment lacking a wired infrastructure or a cellular connection. "It could be nothing more than one dude standing out in the desert and the pizza guy shows up," he states. The technology could also enable an agency to create and update a list of approved and unapproved individuals. "What we have is secure phone to phone communication," Wallis says. "We think it's transformational."