interagency advisory board (iab) meeting€¦ · •best way to protect is to generate and store on...
TRANSCRIPT
Interagency Advisory Board Meeting Agenda, Wednesday, May 23, 2012
1. Opening Remarks (Mr. Tim Baldridge, IAB Chair) 2. Revision of the Digital Signature Standard (Tim Polk, NIST)
3. Update on Content and Status of FIPS 201-2 (Hildy Ferraiolo, NIST)
4. The Importance, Expectation, and Value of FPKIMA (Chris Louden)
5. Use of PIV/CAC as a Payment Token in Transit Applications (Greg
Garback, WMATA)
6. Closing Remarks (Mr. Tim Baldridge, IAB Chair)
Chris Louden
FPKIMA Briefing May 23, 2012
Agenda
Context • PKI Enables… • What is the FPKIMA • Transaction Volume
43
Context
• Cyber security attacks commonplace • Identity Theft commonplace • Attacker sophistication increasing
• Advanced Persistent Threat • Organized Crime • Cloud based “attack for hire” • PKI elements being attacked
44
Context
• HSPD-12 Wide variations in the quality and security of forms of
identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees).
45
Context
• Cyber Security Priorities 1. Trusted Internet Connections (TIC)- 2. Continuous Monitoring of Federal Information Systems 3. Strong Authentication– Passwords alone provide little
security. Federal smartcard credentials such as PIV (Personnel Identity Verification) and CAC (Common Access Cards) cards provide multi-factor authentication and digital signature and encryption capabilities, authorizing users to access Federal information systems with a higher level of assurance.
46
PKI Enables: Background
• Public Key Infrastructure (PKI) • Refers to the infrastructure needed to make use of Public
Key Cryptography in the real world
• Public Key Cryptography • Asymmetric Cryptography
• 2 Key system • Encrypt with one key, decrypt with the other
47
PKI Enables: Background
• Public Key Cryptography (Asymmetric Cryptography) • Everyone generates 2 Keys • Anything encrypted with one key is decrypted with the
other • Publish one of the keys, call it a “Public Key” • Keep the other key safe, call it a “Private Key”
• Best way to protect is to generate and store on a smart card
48
PKI Enables
• Encryption • Alice Encrypts a file using Bob’s Public Key, Bob decrypts it
with his Private Key • In practice PK used to encrypt a session key
• Enables data privacy, ability to securely transfer files without sharing session keys
49
PKI Enables
• Digital Signature • Bob signs a file with his Private Key, Anyone can validate
the signature using Bob’s Public Key • Sign by using the private key to encrypt a hash of the document • Validation ensures Alice signed it and the document is unchanged
• Enables proof of origin to mitigate phishing, mitigates data corruption/tampering, enables paper processes to move online, etc
50
PKI Enables
• Authentication • Challenge user to “prove possession of the private key” • Use of “Signed Authenticators”
• Biometrics, CHUIDS, etc
• Enables strong LOA4 authentication to physical and logical access systems, SSL, Mutual SSL/TLS
51
PKI Enables
• Everything depends on having the right Public Key • If it’s not really Bob’s Public Key… • Is Alice using Bob’s public Key or an Attacker’s public key?
52
PKI Enables: Certificate Authorities
• Certification Authorities (CAs) • Issue signed Certificates that bind a subject to a Public Key
• Attest that this is really Bob’s Public Key
• Issue signed Certificate Revocation Lists (CRLs) • List of any certificates that shouldn’t be trusted • Updated periodically
• Operate Repositories • Contain CRLs and Certificates issued by the CA
• CAs drive alignment and interoperability by enforcing consistent standards and policies
• The Infrastructure in the Public Key Infrastructure
53
PKI Enables: Certificate Authorities
• Summary • Public Key Cryptography provides Encryption, Signature,
and Authentication • Assuming you know you have the right public key
• CAs let you know you have the right key • Issue signed certificates binding Bob to his public key
• Enable Alice and Bob to trust each other • Alice and Bob trust the CA, so they can trust each other • CAs enforce consistent standards and policies, so Alice and
Bob can interoperate • Certificate Authorities Enable PKI
54
PKI Enables: Certificate Authorities
• Why trust a CA? • Published Policies
• Certificate Policy • (A CA can have multiple policies, identified in each certificate) • Certificate Profiles
• Independent Audits • Confirms CA practices meet policies
• Local policies generally dictate which CAs to trust • Considerable diligence and expertise required to judge the
trustworthiness of a CA
55
PKI Enables: Certificate Authorities
• How do you trust a CA? • You need the CAs public key to validate their Certificates
• How do you know you have the right public key? • CAs have certificates, just like Bob
• Who certified the CA? Who signed their certificate? • CAs can sign certificates for other CAs • Ultimately some CA starts the chain of trust
• The root of trust for the other CAs • Root CAs sign their own certificates, called “Trust Anchors”
• Trust Anchors have to be “Pre-Installed” before PK operations can work
56
Agenda
Context PKI Enables What is the FPKIMA • Value • Infrastructure
57
What is the FPKI Management Authority
• Responsible for FPKI Trust Infrastructure • Operates Certification Authorities for the FPKI • Operates the Common Policy Root • Operates the Federal Bridge CA (FBCA) • Operates the SHA-1 Federal Root (SHA1 FRCA) • Operates the E-Governance CAs
• Major functions • Platform, Security, Relationship, Community, and Program
Management
58
Common Policy Root
• Common Policy establishes rules for PIV Issuers • Identity Proofing, Key Sizes/Types, Algorithms, FIPS
Validation, etc
• Common Policy CA certifies CAs that meet the requirements of the Common Policy
• In order to trust Bob’s PIV Card… • Check Bob’s certificate • See if Bob’s CA has a certificate from the Common Policy
Root
59
Common Policy Root
FIPS 201-1: Section 4.2.2, Asymmetric Signature Field in CHUID: “The public key required
to verify the digital signature shall be provided in the certificates field in an X.509 digital signature certificate issued under [COMMON]…”
Section 4.4.2, Biometric Data Representation and Protection: “The X.509 certificate containing the public key required to verify the digital signature shall be issued under [COMMON]…”
Section 5.4.2, PKI Certificate: “All certificates issued to support PIV Card authentication shall be issued under the id-CommonHW policy and the id-CommonAuth policy5 as defined in the X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework [COMMON].”
60
Common Policy Root
• Verifying that a card is a real PIV Card requires validating certificates from the Common Policy Root
• Validating certificates from Common requires: • Getting Common’s certificates from the Repository • Getting Common’s CRLs from the Repository
• Updated every 12-18 hours
• Having the Common Policy Trust Anchor installed
61
Common Policy Root: Trust Store Status
62
VENDOR APPLICATION SUBMITTED
APPLICATION ACCEPTED AS COMPLETE BY VENDOR
VENDOR PROCESSING OF APPLICATION
VENDOR APPROVED CERTIFICATE INCLUSION
DISTRIBUTION DATE
COMMENTS
Microsoft 22-Mar-11
Adobe 15-Apr-11
Mozilla Ready for public discussion beginning 10-May-12
Apple 1-Feb-12
Java All required documentation has been submitted. Awaiting a response from Java.
Opera Opera has acknowledged receipt of the supplemental application package.
Chrome Browser
N/A N/A N/A N/A N/A Chrome Browser uses the trust store of the OS rather than distributing its own.
Chrome OS N/A N/A N/A N/A N/A Chromium OS source code leverages Mozilla NSS Library; includes Mozilla Public Distribution of Root CA Certificates
Common Policy Root: Mobile Trust Store Status
63
VENDOR APPLICATION SUBMITTED
APPLICATION ACCEPTED AS COMPLETE BY VENDOR
VENDOR PROCESSING OF APPLICATION
VENDOR APPROVED CERTIFICATE INCLUSION
DISTRIBUTION DATE
COMMENTS
Android Researching
iPhone 1-Feb-12
iPad 1-Feb-12
Blackberry Researching
Windows Phone 7
Microsoft is in the process of updating their application process for Mobile platform.
PKard 3-Mar-12
App to use smart card with iPhone
FPKIMA Certification Authorities (CAs)
• Federal Bridge CA (FBCA) • FBCA was originally developed to facilitate interoperability
between Federal agency enterprise PKI implementations • FBCA‘s role expanded to include external entities • FBCA Maps CA policies to standard federal policies
• Medium, Medium Hardware, PIV-I, etc
• Mapping function enables trust across different communities of interest
64
FPKIMA Certification Authorities (CAs)
• SHA-1 Federal Root CA (SHA1 FRCA) • SHA1 FRCA has been established for organizations that are not yet capable of
implementing the SHA-256 algorithm in their environment • Starting 1 Jan 2011, the Federal Public Key Infrastructure Policy Authority
(FPKIPA) prohibits the use of the SHA-1 algorithm for CAs signing Personal Identity Verification (PIV) Cards, and strongly discourages its use for any digital signatures
• FPKIMA implemented new Trust Infrastructure CAs, which use the SHA-256 signature hashing algorithm, for transitioning the FPKI community away from SHA-1
• “PIV-like” credentials are issued and managed in the SHA1 FRCA environment, but are not true PIV
• SHA1 FRCA will expire and be decommissioned by 31 Dec 2013
65
FPKIMA Certification Authorities (CAs)
• E-Governance CAs (EGCA) • EGCA issues PKI certificates to approved Credential Service Providers (CSPs),
at assurance levels 1 or 2, and to Federal Relying Party (RP) applications to enable mutual trust through mutual authentication
• Two separate CAs support each of the two certificate types: EGCA CSP2, and EGCA Apps
• EGCA CSP2 and EGCA Apps have issued three current certificates each • A third EGCA was established in support of the newly developed E-
Governance Trust Services (EGTS) • EGTS includes new certificate types for supporting Backend Attribute
Exchange (BAE) and digitally-signed metadata
66
67
USPS
STATE
TREASURY
NASADHSSSA
EntrustMSO
Verizon
VeriSign
ORC
VeriSign
Digicert
ORC
Key Mgt
VeriSign
DEAVeriSign SSP
SHA-1Key Mgt
Illinois
EOP
VA
HHS
Dept of Ed
Naval Research
NRC
Dept of Transportation
STATE PIVSTATE High
Assurance CAOCIO
FISCAL Service
Entrust
GPOUSPTO
ENTRUST
Verizon
ORC ACES
IDENTRUST ACES
CertiPath G2 Bridge
CertiPath Common Policy
Root G2
Netherlands Defense
Citi
HID
SAFE BioPharma
Bridge
J&JTRANS SPED
TC TrustCenter
Bristol Meyer
Exostar
Key Mgt
SHA-1Key Mgt
DoD Root CA 2
DoD CA 19thru
DoD CA 30
DoD EMAIL CA 19thru
DoD EMAIL CA 30Key Mgt
SHA-1Key Mgt
CertiPathBridge
EADS
Exostar
CertiPath Common Policy Root
Lockheed
Raytheon
Northrop
Exostar FTS
Identrust
DoD ECA
ORC
VeriSign
.
SHA-1 FRCA
FBCA
Common Policy CA
.
.
DOD IRoot
Trust Relationships
Repository Services
• High-availability repository services • 99.5% availability per the Federal PKI Policies • Fault-tolerant networking and content delivery • Load balancing and redundancy • Multi-protocol support for repository access (e.g., http,
ldap, dsp)
68
Current State of The FPKIMA Program-Metrics
• Increased Usage Before Re-design: less than 100 Million monthly usage requests FPKIMA Platform Management Services monthly usage has increased 1600%
over the last three years as PIV Usage increases In Jan 2012, there were over 1.6 billion requests
• Improved Performance Before Re-design: response time was between 20 to 30 seconds As usage continues to increase, Response Time for both the Common Policy
and Federal Bridge since Aug 2011 is less than 1/3 of a second (Average government benchmarks performance 2.7 seconds)
• As usage continues to increase the FPKI Trust Infrastructure has sustained nearly 100% availability
69
Technology Refresh
70
0
100
200
300
400
500
600
700
800
900
0
5
10
15
20
25
30
03-N
ov-0
9
17-N
ov-0
9
01-D
ec-0
9
15-D
ec-0
9
29-D
ec-0
9
12-Ja
n-10
26-Ja
n-10
09-F
eb-1
0
23-F
eb-1
0
09-M
ar-1
0
23-M
ar-1
0
06-A
pr-1
0
20-A
pr-1
0
04-M
ay-1
0
18-M
ay-1
0
01-Ju
n-10
15-Ju
n-10
29-Ju
n-10
13-Ju
l-10
27-Ju
l-10
10-A
ug-1
0
24-A
ug-1
0
07-S
ep-1
0
21-S
ep-1
0
05-O
ct-10
19-O
ct-10
02-N
ov-1
0
16-N
ov-1
0
30-N
ov-1
0
14-D
ec-1
0
28-D
ec-1
0
11-Ja
n-11
25-Ja
n-11
08-F
eb-1
1
22-F
eb-1
1
08-M
ar-1
1
22-M
ar-1
1
05-A
pr-1
1
19-A
pr-1
1
03-M
ay-1
1
17-M
ay-1
1
31-M
ay-1
1
14-Ju
n-11
28-Ju
n-11
12-Ju
l-11
26-Ju
l-11
09-A
ug-1
1
23-A
ug-1
1
Usa
ge (M
illio
ns)
Perf
orm
ance
(Sec
onds
)
Monthly Usage (HTTP) Monthly Usage (Directory) Daily Common Policy CRL Performance Daily FBCA Performance
71
0
0.1
0.2
0.3
0.4
0.5
0.6
01-S
ep-1
1
08-S
ep-1
1
15-S
ep-1
1
22-S
ep-1
1
29-S
ep-1
1
06-O
ct-11
13-O
ct-11
20-O
ct-11
27-O
ct-11
03-N
ov-1
1
10-N
ov-1
1
17-N
ov-1
1
24-N
ov-1
1
01-D
ec-1
1
08-D
ec-1
1
15-D
ec-1
1
22-D
ec-1
1
29-D
ec-1
1
05-Ja
n-12
12-Ja
n-12
19-Ja
n-12
26-Ja
n-12
02-F
eb-1
2
09-F
eb-1
2
16-F
eb-1
2
23-F
eb-1
2
01-M
ar-1
2
08-M
ar-1
2
15-M
ar-1
2
22-M
ar-1
2
29-M
ar-1
2
05-A
pr-1
2
12-A
pr-1
2
19-A
pr-1
2
26-A
pr-1
2
Performance for FPKIMA Platform Management Services6 Months ending April 2012
Daily Common Policy CRL Performance Daily FBCA Performance
FPKIMA - Repository Usage
72
0
200
400
600
800
1,000
1,200
1,400
1,600
1,800O
ct-0
9N
ov-0
9D
ec-0
9Ja
n-10
Feb-
10M
ar-1
0A
pr-1
0M
ay-1
0Ju
n-10
Jul-1
0A
ug-1
0S
ep-1
0O
ct-1
0N
ov-1
0D
ec-1
0Ja
n-11
Feb-
11M
ar-1
1A
pr-1
1M
ay-1
1Ju
n-11
Jul-1
1A
ug-1
1S
ep-1
1O
ct-1
1N
ov-1
1D
ec-1
1Ja
n-12
Feb-
12M
ar-1
2A
pr-1
2
Mon
thly
Req
uest
s M
illio
ns
Monthly Usage (HTTP) Monthly Usage (LDAP) Total Monthly Usage
73
0
1,000
2,000
3,000
4,000
5,000
Q1 Q2
Mill
ions
FPKIMA Trust Infrastructure Usage Quarter over Quarter
FY10 FY11 FY12
74
0
2
4
6
8
10
12
14
16
18
FY10 FY11 FY12
Billi
ons
FPKIMA Trust Infrastructure Annual Repository Requests
Actual Estimated