Delivering learning content to mobile devices has presented unique challenges not experienced in a traditional Learning Management System (LMS) environment. Identifying the student, securing student progress, presenting content offline, and reporting progress in a secure way are just some of the obstacles preventing mobile content delivery standardization.
Two technologies, when used in conjunction, can potentially solve these problems. They are Common Access Card (CAC) and Experience Application Programming Interface (xAPI). Naval Education and Training Command (NETC) conducted an experimental project intended to securely record mobile learning events to a Learning Record Store (LRS) via xAPI statements using the CAC provided to United States Defense personnel and DoD learners. This process presented three challenges, with the first being to integrate a compatible CAC reader with Microsoft Surface, iOS (iPad), and Android native applications. CACs securely identify a student and provide encryption tools to encrypt data on mobile devices so only the user with the encrypting CAC can decrypt/access the data.
The next challenge was to securely transfer verified data to the LRS. The xAPI standard provides a way to sign each statement with a cryptographic signature, allowing the LRS to independently verify the integrity of each statement at any time. We used the same cryptographic certificates from the student’s CAC to securely sign each statement. The final challenge was to provide security while sending the statements to the LRS. The LRS implemented SSL client certificate authentication to allow access to send the statements. We again used the student’s CAC certificate to gain access to the LRS endpoint to securely transmit the data.
This paper details lessons learned from each aspect of this project, from identifying the student to securely transmitting the data. We successfully brought the secure CAC infrastructure to xAPI solving the problem of secure mobile content tracking and delivery.