NIST challenges solvers to store credentials on a SIM card that can be accessed by a mobile app to provide simple, secure authentication for emergency responders
The National Institute of Standards and Technology (NIST) Public Safety Communications Research (PSCR) Division and its co-sponsors are requesting solvers’ assistance to explore the possibilities and show that the Universal Integrated Circuit Card (UICC), commonly known as the SIM card, can be used as a secure storage container for public safety application credentials. Solvers are encouraged to participate in the Expanding the SIM Card Use for Public Safety Challenge (the “Challenge”) for a total prize purse of up to $100,000.
Challenge Background & Goals:
Public Safety personnel utilize their mobile devices to access sensitive information during every day job requirements and emergency situations. For improved mobile communications, public safety needs a secure mechanism for storing sensitive information; current external secure storage solutions can be bulky and cumbersome to use in emergency situations. They can also be expensive for public safety organizations to acquire and manage with their limited budgets. Current best practices recommend standards-based two-factor authentication, which often requires extra hardware, such as a token or a smart card, further inflating costs and increasing time in an emergency.
Since 2002, PSCR has collaborated with first responders, stakeholders, and innovators to ensure the development of reliable, intuitive, and mission-focused technologies for the public safety community. PSCR recognizes how cybersecurity affects every aspect of public safety communication. PSCR serves to develop and enhance security solutions to current and future public safety communications. This current Challenge complements public safety-specific Federated Identity Credential and Access Management (ICAM) research conducted by PSCR with other NISTlaboratories, such as NIST’s Information Technology Laboratory and their National Cybersecurity Center of Excellence.
This Challenge will convene first responders, mobile device providers, network providers, authentication providers, researchers, and solvers in order to collaborate and advance the state of mobile device security for public safety. PSCR and their co-sponsors are requesting solvers’ assistance to explore the possibilities for using the Universal Integrated Circuit Card (UICC), commonly known as the SIM card, as a secure storage container for application credentials. By leveraging solvers’ outside-of-the-box thinking to create innovative two-factor authentication solutions while educating public safety stakeholders on the benefit of authentication standards.
The SIM card, already used in most mobile devices, has characteristics that make it a robust storage device for critical mobile network subscriber data. The SIM card is a tamper-resistant hardware storage container and, if utilized as an application credential storage container, would enable applications to use the authentication credentials provisioned to it seamlessly. The SIM card offers several usability benefits for public safety, as it would be more user friendly; allow networks to provision credentials over-the-air via a secure channel; and potentially enable device sharing by keeping sensitive information on the removable SIM card. Additionally, as the SIM card is currently used in every mobile device, it could offer cost savings for public safety units as extra hardware would not be necessary.
This Challenge includes three phases and requires contestants to: securely store a fire on a SIM card; create a mobile application that accesses a user’s credentials stored on a SIM card; and authenticates to a FIDO 2 service provider. Each contestant will be evaluated individually against the listed evaluation criteria, and successful contestants will be invited to move to the next phase. Invited contestants will be awarded cash prizes at the end of Phase 1 ($1,000) and Phase 2 ($2,000) to assist with developing a prototype for Phase 3. The scores from the final phase will be the basis for the final prize challenge awards PSCR will award up to $100,000 to the winners of the Challenge.
In addition to cash prize awards, contestants will be given the opportunity to obtain feedback from industry, such as the co-sponsoring entities, through planned webinars and other sessions, in an effort to advance both their prototypes and their connections in the public safety and communications technology communities. After the completion of this Challenge, PSCR will keep the submitted prototypes for future public safety demonstrations.
Should a contestant prove successful, their solution could provide significant time and cost savings for public safety units; for example, the solution would provide:
- Increased security of public safety data on mobile/portable devices;
- Additional credential storage container without an external, bulky device;
- Sharing of mobile devices by multiple users by exchanging SIMs;
- Spur ideas for other potential hardware authentication solutions on mobile devices;
- Increased versatility by adding the ability to provision credentials to the SIM card remotely; and
- Potential cost savings as public safety units would not need to purchase separate hardware authentication tokens.
Phase 1: $20,000
Up to 20 contestants will be awarded an invitation to participate in Phase 2, Challenge Kickoff Webinar and awarded $1,000.
Phase 2: $20,000
Up to 10 contestants will be awarded an invitation to participate in Phase 3 and $2,000.
Phase 3: $60,000
Up to 5 final awards:
- 1st: $30,000
- 2nd: $15,000
- 3rd: $7,500
- Creativity in Public Safety Award (optional): $4,000
- Most Commercially Promising Award (optional): of business technical assistance valued up to $3,500.