EDUCAUSE 2001, Indianapolis IN
Securing e-Government: Implementing the Federal PKI
David Temoshok
Federal PKI Policy Manager
GSA Office of Governmentwide Policy
October 31, 2001
e-Gov and PKI Drivers
• Government Paperwork Elimination and ESIGN Acts
• Public Expectations
• Long-term Cost Savings
• The Need for Privacy and Security
– Government is held to higher standard
• Trading Partner Practices
Business Driver: Savings by Process Type

Process                      Traditional System   Internet         Percent Savings
Bill Payment                 $2.22 - $3.32        $0.65 - $1.10    71% - 67%
Insurance Policy             $400 - $700          $200 - $350      50%
Software Distribution        $15                  $0.20 - $0.50    97% - 67%
Procurement                                                        70%
Motor Vehicle Registration   $7                   <$2              71%
Order-Filling (DOD)          $24                  $12              50%
Electronic Signatures in Global and National Commerce Act
• Signed by President Clinton on 6/30/00.
• E-SIGN addresses:
– Commercial, consumer, and business transactions affecting interstate or foreign commerce;
– Legality of electronic signatures and records;
– Preemption of inconsistent statutes/rules.
• E-SIGN does not address:
– Security, authentication, or records requirements;
– Interoperability;
– Electronic signatures based on different technologies;
– Rules for reliance/accepting different kinds of signatures.
• Federal Agency activities and requirements are generally not within the scope of this legislation; they are instead addressed by the Government Paperwork Elimination Act (GPEA).
GPEA Requirements
• Government Paperwork Elimination Act (GPEA) of 1998 addresses:
– Requirement for federal agencies to offer the public the option of electronic filings/transactions/record-keeping for agency business by October 2003;
– Legality of electronic signatures and records;
– Technology neutrality -- electronic signature alternatives.
• OMB required all agencies to report on GPEA implementation/compliance by 10/00, including:
– Information collections under the Paperwork Reduction Act;
– Use of electronic signatures;
– Risk assessment.
What is an Electronic Signature under E-SIGN?
“…means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”
Examples of electronic signatures under this definition:
• PIN or Password
• Biometric Profile
• Click through on software program’s dialog box
• Typed names
• Digitized image of a handwritten signature
• Digital Signature or other encrypted authentication system
• Knowledge-based Authentication
Security Needs Met by PKI
• Authentication: Is the originator who they really say they are? Achieved by binding the sender’s identity credentials to the message (digital signature)
• Data Integrity: Has the message/transaction been accidentally or maliciously altered? Achieved by comparing a hash of the data (digital signature)
• Confidentiality: Can the message be read only by authorized entities? Encryption protects information from unauthorized disclosure
• Non-repudiation: Can the sender or receiver dispute that the message was actually sent or received? Enabled through the digital signature process
Public Key or Digital Certificates - The Electronic ID
• A trusted third-party, the Certificate Authority (CA), issues the digital certificate, containing:
– Name, Issuer’s name, Certificateholder’s public key, other attributes.
• The Issuer (CA) must verify and bind identity to the Electronic ID.
• The Issuer (CA) digitally signs the certificate so no one can change its contents and the certificate can be verified as authentic.

Example CA Digital Certificate (as drawn on the slide):
Name: Joe College
Serial #: 123456 (unique identifier for certificate)
Issuer: CA #78901 (unique identifier for certificate issuer)
Expiration: 12/1/02 (certificate expiration date / validity period)
Public Key: 3S@*6Y76 (certificateholder’s public key)
CA’s Digital Signature (ensures certificate’s validity)
Digitized vs. Digital Signature
• A Digitized Signature is a scanned image that can be pasted on any document.
• A Digital Signature is a numeric value that is created by performing a cryptographic transformation of a message using the “signer’s” private key.
(Slide illustration: a digitized signature image beside a digital signature rendered as a block of characters such as 1BE*564(1@5GYT87^4>530^0<BG?!C64 ...)
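The following is an added example, not part of the original presentation, showing in Go what the slide's "numeric value created by a cryptographic transformation of the message with the signer's private key" is in practice, and how a relying party obtains the authentication, integrity and non-repudiation properties listed on the Security Needs slide. ECDSA on P-256 is used here (one of the algorithms the deck's crypto library list names); the record text, the key names and the function names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signRecord computes a digital signature over a record: the record is hashed
// with SHA-256 and the hash is signed with the signer's private key (ECDSA P-256).
// The result depends on both the record and the key, which is what distinguishes
// it from a digitized (scanned) signature image that can be pasted onto anything.
func signRecord(priv *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyRecord re-hashes the record as received and checks the signature against
// the signer's public key. It returns false if the record was altered after
// signing (integrity) or if it was signed under a different key (authentication;
// non-repudiation follows because only the private key holder can produce a
// signature that verifies under this public key).
func verifyRecord(pub *ecdsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// demo walks through the three outcomes a relying party can observe: a genuine
// record verifies, a tampered record fails, and a signature made with another key
// fails. It returns the three results so they can be checked.
func demo() (genuine, tampered, wrongKey bool, err error) {
	// Constructed sample keys and record. In a PKI the public key would arrive
	// inside a CA-signed certificate rather than being handed over directly.
	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	impostor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	record := []byte("Form 1040-EZ, tax year 2000, refund to account 12345678")

	sig, err := signRecord(signer, record)
	if err != nil {
		return
	}
	genuine = verifyRecord(&signer.PublicKey, record, sig)

	// One changed digit changes the hash, so the original signature no longer matches.
	altered := []byte("Form 1040-EZ, tax year 2000, refund to account 12345679")
	tampered = verifyRecord(&signer.PublicKey, altered, sig)

	// A signature produced with someone else's key does not verify under the signer's public key.
	forged, err := signRecord(impostor, record)
	if err != nil {
		return
	}
	wrongKey = verifyRecord(&signer.PublicKey, record, forged)
	return
}

func main() {
	genuine, tampered, wrongKey, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine record verifies: %v\n", genuine)
	fmt.Printf("altered record verifies: %v\n", tampered)
	fmt.Printf("other key's signature verifies: %v\n", wrongKey)
}
```

The two failing cases are the ones a relying party cares about: the altered record is the data-integrity check, and the impostor's signature is the authentication check. What the signature alone cannot tell the relying party is whose key this is; binding the public key to a name is the certificate's job, described on the next slides.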
Why build a Federal PKI?
• Statutory mandates for e-government and implementing electronic signature technology
• Business Demands for improved services at lower cost
• Leverage infrastructure costs
• Critical security need
Why not a Federal PKI?
• Privacy concerns
• Agency internal politics
• Vendor battles for market space
• Cost
Federal PKI Approach
• Determine need for PKI through risk assessment.
• Use PKI when electronic signature and document/data integrity must be assured (non-repudiation).
• Provide Federal PKI and PKI services contract for government-wide use -- ACES.
• Build Federal PKI Interoperability
– Establish Federal PKI Policy Authority (for policy interoperability).
– Implement Federal Bridge CA using COTS (for technical interoperability).
• Organize federal agency PKI use around common citizen and industry groups.
The Core Federal PKI
(Slide diagram: the Federal Bridge CA at the center, linking the DOD IECA, DOD PKI, GSA ACES and NFC PKI.)
Federal Bridge CA: Available to all Federal agencies
DOD PKI: Available to all Military personnel and dependents
DOD IECA: Available to all Government vendors and contractors
GSA ACES: Available to all U.S. citizens, businesses, government agencies
NFC PKI
PKI Interoperability
• Policy PKI interoperability involves the determination of “Trusted” PKI domains which will meet the level of assurance needed.
• Technical PKI interoperability involves the validation of certificates from a different PKI domain to determine the validity of certificates and paths.
• A small number of PKI domains makes it easier to achieve interoperability -- however it is still complex.
(Slide diagram: PKI Domain 1, PKI Domain 2 and PKI Domain 3, each pair linked by Certification Policies & Practices Statements, Validation Protocols and Bi-lateral Agreements.)
The Challenge to PKI Interoperability
PKI interoperability becomes much more complex as the number of PKI domains increase.
The Solution: The Federal Bridge CA
The Federal Bridge CA simplifies PKI interoperability:
• Common and easy way to determine “Trusted” PKI domains and assurance levels (policy mapping);
• Common and, relatively, easy way to validate certificate status through cross certification;
• Standard Bi-lateral Agreement between the Bridge and Agency CA.
(Slide diagram labels: FPKI Policy Authority; FBCA Operational Authority.)
PKI Policy Mapping -- Equivalence Example

FBCA Requirements   NFC PKI       DOD PKI   DOD IECA PKI     ACES PKI
FBCA High           NFC High      DoD4
FBCA Medium         NFC Medium    DoD3      DoD IECA (Med)   GSA ACES (Med)
FBCA Basic          NFC Basic     DoD2
FBCA Rudimentary    NFC Test
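An added example (not the presentation's material and not Federal PKI code) of the bridge idea in Go's standard crypto/x509: two agency PKIs that have never exchanged cross-certificates with each other are each cross-certified with one bridge, and a relying party that trusts only its own agency root still validates the other agency's subscriber certificate by building a path through the bridge. After the path is found, the policy mapping step from the equivalence chart is applied to the certificate's policy OID. The CA names, the subscriber name, the policy OID 1.3.6.1.4.1.99999.1.2, the mapping table and the helper functions issue, acceptedLevel, bridgeDemo and must are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Constructed policy OIDs for this example; the slide gives no real OIDs.
var (
	oidCertPolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // id-ce-certificatePolicies
	agencyAMedium   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 2}
)

// Policy mapping agreed with the FPKI Policy Authority: agency policy OID -> FBCA level.
var fbcaEquivalent = map[string]string{agencyAMedium.String(): "FBCA Medium"}
var assuranceRank = map[string]int{"FBCA Rudimentary": 1, "FBCA Basic": 2, "FBCA Medium": 3, "FBCA High": 4}

// must turns a setup failure into a panic; this demo has nothing sensible to do with one.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a certificate for subjectPub with issuerKey; issuerCert == nil makes it
// self-signed. A non-nil policy is written into the certificatePolicies extension.
func issue(subject string, subjectPub *ecdsa.PublicKey, issuerCert *x509.Certificate,
	issuerKey *ecdsa.PrivateKey, isCA bool, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if policy != nil { // certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OID }
		val, err := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{policy}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertPolicies, Value: val}}
	}
	parent := tmpl
	if issuerCert != nil {
		parent = issuerCert
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, subjectPub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptedLevel applies the policy mapping on the relying-party side: the certificate's policy
// OID is translated to an FBCA level, which must be at least the level the relying party requires.
func acceptedLevel(c *x509.Certificate, required string) string {
	for _, p := range c.PolicyIdentifiers {
		if lvl, ok := fbcaEquivalent[p.String()]; ok && assuranceRank[lvl] >= assuranceRank[required] {
			return lvl
		}
	}
	return ""
}

// bridgeDemo builds two agency PKIs joined only through the bridge, then has a relying party in
// Agency B, which trusts nothing but its own root, validate an Agency A subscriber certificate.
// It returns the length of the path found and the FBCA level the certificate maps to.
func bridgeDemo() (chainLen int, level string, err error) {
	keyBridge := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	keyA := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	keyB := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	keySub := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootB := must(issue("Agency B CA", &keyB.PublicKey, nil, keyB, true, nil))
	// Cross-certificates: B certifies the Bridge's key and the Bridge certifies A's key; A and B
	// never exchange certificates directly. Agency A's own self-signed root is omitted: the
	// cross-certificate carries the same name and key, which is all the subscriber's issuer field needs.
	bridgeByB := must(issue("Federal Bridge CA", &keyBridge.PublicKey, rootB, keyB, true, nil))
	aByBridge := must(issue("Agency A CA", &keyA.PublicKey, bridgeByB, keyBridge, true, nil))
	sub := must(issue("Joe College", &keySub.PublicKey, aByBridge, keyA, false, agencyAMedium))
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(rootB)             // the only trust anchor the relying party holds
	opts.Intermediates.AddCert(bridgeByB) // cross-certificates supplied for path building
	opts.Intermediates.AddCert(aByBridge)
	chains, err := sub.Verify(opts)
	if err != nil {
		return 0, "", err
	}
	return len(chains[0]), acceptedLevel(sub, "FBCA Medium"), nil
}

func main() {
	n, lvl, err := bridgeDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("path of %d certificates found through the bridge; mapped assurance: %q\n", n, lvl)
}
```

The path found is subscriber, Agency A cross-certificate, Bridge cross-certificate, Agency B root: four certificates. With n domains, meshing them bilaterally needs n(n-1) cross-certificates (one per pair, in each direction) and as many bilateral agreements; hanging them all off one bridge needs 2n, which is the simplification the previous slide claims. The policy check is deliberately separate from path validation: a path that verifies cryptographically but maps to a lower FBCA level than the application requires is still rejected.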
ACES Program Vision
• Common PKI solution encourages agencies to work together
• Allows equitable cost sharing among agencies
• Efficient, effective, economical due to aggregation of Federal needs
• One digital identity credential can be used by multiple Agency processes
• “Anonymous” certificate numbering for identification
• Public pays nothing for digital ID.
ACES Registration Processes
ACES Contractor Registration for Individuals
Agency Registration
Business Representative Registration
ACES Remote (On-line) Certificate Application Process
1. Public applies for certificate over the secure Web.
2. ACES vendor validates ID to multiple independent databases (Federal, State, Commercial).
3. ACES vendor registers applicant for certificate and mails one-time PIN.
4. Applicant PIN activation process (over the secure Web).
5. ACES vendor sends registered certificate.

Accessing Web-Based Applications and Services
1. Citizen connects over the secure Web to an authorized Web-based application.
2. Access authorized system with ACES authentication.
3. Validate Electronic ID (ACES) with the ACES contracted Certificate Authority through standard on-line protocol (OCSP).
4. Return personalized services/benefits/information.
CAM Architecture
Federal Agency side:
• Agency Applications, each connected to the CAM through an App API
• CAM, with an AA Interface toward the agency applications and a CA I/F toward the ACES CAs
• Crypto Library (RSA, DSA, ECDSA)
• Signature Device with CAM Private Key
• Data stores: CA Certificate List, Invalid Certificate List, Transaction Log
ACES side:
• ACES CAs (CA 1 ... CA n), each holding its Subscriber Certs
• Subscribers

Scope of CAM:
- Parse Cert
- Verify Issuer as an ACES CA
- Verify Issuer’s signature
- Verify operational period
- Check cached Invalid Cert IDs
- Get route to Issuer
- Send signed Status Request & Cert data to Issuer
- Receive signed Status Response
- Verify Status Response signature
- Pass status & cert data to App
- Log audit data
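An added example, not GSA's CAM implementation: a simplified model in Go of the status-checking part of the CAM steps listed above (cached invalid cert IDs, route to issuer, signed Status Request, signed Status Response, response signature check, audit log), which is also the OCSP step in the "Accessing Web-Based Applications and Services" flow. The messages are JSON rather than real OCSP ASN.1, the ECDSA keys stand in for the CA certificate list and the CAM signature device, and the CA name, the serial numbers and the types StatusMsg, Responder and CAM are constructed for this example. The earlier steps (parse the certificate, verify the issuer's signature and the validity period) are ordinary X.509 path validation and are not repeated here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// StatusMsg is the CAM's Status Request (Status empty) and, with Status set to "good" or
// "revoked", the CA's Status Response: a JSON stand-in for OCSP, constructed for this example.
// The Nonce is echoed back so that a captured old response cannot be replayed.
type StatusMsg struct {
	Issuer, Serial, Status string
	Nonce                  []byte
}

// sign and verify protect the JSON encoding of a message with ECDSA over SHA-256.
func sign(k *ecdsa.PrivateKey, m StatusMsg) (body, sig []byte, err error) {
	body, _ = json.Marshal(m) // three strings and a byte slice always encode
	h := sha256.Sum256(body)
	sig, err = ecdsa.SignASN1(rand.Reader, k, h[:])
	return body, sig, err
}

func verify(pub *ecdsa.PublicKey, body, sig []byte) (m StatusMsg, ok bool) {
	h := sha256.Sum256(body)
	ok = ecdsa.VerifyASN1(pub, h[:], sig) && json.Unmarshal(body, &m) == nil
	return m, ok
}

// Responder is the status service of one ACES CA; it answers only requests signed by the CAM.
type Responder struct {
	Key     *ecdsa.PrivateKey
	Revoked map[string]bool  // serials this CA has revoked
	camPub  *ecdsa.PublicKey // used to authenticate Status Requests
}

func (r *Responder) Handle(body, sig []byte) ([]byte, []byte, error) {
	req, ok := verify(r.camPub, body, sig)
	if !ok {
		return nil, nil, errors.New("responder: request signature invalid")
	}
	req.Status = "good"
	if r.Revoked[req.Serial] {
		req.Status = "revoked"
	}
	return sign(r.Key, req) // the response repeats the request's issuer, serial and nonce
}

// CAM holds its private key (the signature device), a route to each ACES CA (which here also
// stands in for the CA certificate list), the cached invalid certificate IDs and the transaction log.
type CAM struct {
	Key      *ecdsa.PrivateKey
	Routes   map[string]*Responder
	Invalid  map[string]bool // keyed "issuer/serial"
	AuditLog []string
}

// CheckStatus runs the status steps of the CAM flow for one certificate.
func (c *CAM) CheckStatus(issuer, serial string) (status string, err error) {
	id := issuer + "/" + serial
	defer func() { c.AuditLog = append(c.AuditLog, fmt.Sprintf("%s status=%q err=%v", id, status, err)) }()
	ca, ok := c.Routes[issuer] // verify the issuer is an ACES CA and get the route to it
	if !ok {
		return "", errors.New("issuer is not an ACES CA")
	}
	if c.Invalid[id] {
		return "revoked", nil // answered from the cache, no round trip needed
	}
	nonce := make([]byte, 16)
	rand.Read(nonce)
	body, sig, err := sign(c.Key, StatusMsg{Issuer: issuer, Serial: serial, Nonce: nonce})
	if err != nil {
		return "", err
	}
	respBody, respSig, err := ca.Handle(body, sig)
	if err != nil {
		return "", err
	}
	resp, ok := verify(&ca.Key.PublicKey, respBody, respSig)
	if !ok || resp.Serial != serial || string(resp.Nonce) != string(nonce) {
		return "", errors.New("status response unsigned, altered, or not for this request")
	}
	if resp.Status == "revoked" {
		c.Invalid[id] = true // cache it so later checks of this cert are refused locally
	}
	return resp.Status, nil
}

// newDemo wires one CAM to one ACES CA; serial "1002" is constructed as revoked.
func newDemo() *CAM {
	camKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &Responder{caKey, map[string]bool{"1002": true}, &camKey.PublicKey}
	return &CAM{Key: camKey, Routes: map[string]*Responder{"ACES CA 1": ca}, Invalid: map[string]bool{}}
}

func main() {
	cam := newDemo()
	fmt.Println(cam.CheckStatus("ACES CA 1", "1001")) // good <nil>
	fmt.Println(cam.CheckStatus("ACES CA 1", "1002")) // revoked <nil>
	fmt.Println(cam.CheckStatus("Unknown CA", "7"))   // error: issuer is not an ACES CA
}
```

Two details carry the security of the exchange: the response is accepted only if its signature verifies under the key the CAM already holds for that CA, so a response from anyone else is discarded, and the nonce ties the response to this request, so an old "good" answer recorded before a revocation cannot be played back. The cache of invalid IDs is a performance shortcut that only ever tightens the decision; a cached "good" would be the unsafe direction, and the model never stores one.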
Who Can Be a Member of the ACES PKI?
• Certificate Authorities
– ACES contractors
• Relying Parties
– Any Federal agency
– Non-federal entities if authorized by a Federal Agency for legitimate program purposes.
• Subscribers
– Any individual in U.S.
– Any individual as a representative of a business, organization, or governmental entity
PKI and Smart Cards
• Securely store, protect, and transport cryptographic keys (public/private keys) and digital certificates.
• Capacity to hold multiple keys/certificates.
• Provides a secure computational and processing facility without exposing sensitive information to risk.
• Provides security for: generation of digital signature, use of private key for personal authentication, portable permissions/logical access control.
• Convenience for end user.
• PKI can be one set of functions on a multi-application smart card.
Should result in trust and confidence in E-Gov applications.
For More Information
Phone: 202-208-7655
E-mail: David Temoshok [email protected]
Websites:
http://cio.gov/fpkisc
http://gsa.gov/ACES
http://ec.fed.gov