Strategies for the Implementation of PIV I Secure Identity Credentials

Transcription

1 Strategies for the Implementation of PIV I Secure Identity Credentials A Smart Card Alliance Educational Institute Workshop Access Security Usage Models for PIV I Trusted Identity Credentials Roger Roehr Principle, Roehr consulting 9 th Annual Smart Cards in Government Conference Washington DC Convention Center November 16-19, 2010

2 PIV-I Usage models Government and PIV-I First responder at Government site Government want to send a encrypted document for a contract. Internal use of PIV-I A company wants secure remote access for employees PIV-I to PIV-I One aircraft company want to digitally sign test results to another

3 Two parts to Access Policy (PIV-1) What are the requirements to get the credential? What are requirements for access? Technology (PIV-2) What operation capabilities of the credential? What the operation capabilities of the system?

4 What do you get from the Credential Identity I-9 Affiliation Background Check Attributes PIV Yes Yes Yes NO PIV-I Yes Yes NO NO TWIC Yes NO Yes NO

5 What are your access requirements? Who Validates the request? Identity proofing? Background checks? What are authentication requirements? What do you need for a audit?

6 Define Your Process Visitor is sponsored PIV card holder? No Collect Biometric & Breeder Document Yes Privilege for Escorted Access Does Credential Holder know the PIN? Yes No Collect Biometric & Verify Certificate Enter PIN Verify Biometric & Verify Certificate Privilege for Unescorted Access

7 Use case of send a encrypted A government person is going to send a encrypted to a contractor. 1. Get the certificate for recipient 2. Establish trust for the certificate 3. Encrypt with public key and send

8 The PKI Certificate Root Intermediate Credential Certificate

9 Which Root do You Trust?

10 How Roots Get Trust

11 The PKI Bridges Your Organization Root Bridge Other Organization Root Your Organization Intermediate Your Organization Certificates You only need to trust your root! Other Organization Intermediate Other Organization Certificates

12 How the Bridges Connect Fedral BCA Total: 12 15M users Common Policy CA SSPs VeriSign Cybertrust ORC Treasury GPO? Exostar Entrust IdenTrusT? Serving all other Agencies DOD DHS NASA Commerce USPS USPTO HHS DOE IL State DOJ DOD/ECA GPO Treasury Wells Fargo MIT LL UTexasSx SAFE Industry PKIs Abbott Labs, AstraZeneca, Bristol-Myers Squibb, Genzyme,GlaxoSmithKline, INC Research, Johnson & Johnson Merck, Pfizer, Procter & Gamble Sanofi-Aventis CertiPath Industry PKIs Boeing Raytheon Lockheed Martin CertiPath SSP

13 Boeing digitally signs a contract for the US Government Federal Bridge CertiPath Bridge Boeing s Root Treasury Root Boeing s Intermediate #3 Joe Boeing s Signing Certificates

14 Validation Your Organization Root Bridge Other Organization Root Your Organization Intermediate Other Organization Intermediate Your Organization Certificates Other Organization Certificates

15 OCSP Validation Your Organization Root Bridge Other Organization Root OPSP Responder OPSP Responder OPSP Responder Your Organization Intermediate Other Organization Intermediate OPSP Responder OPSP Responder Your Organization Certificates Other Organization Certificates

16 SCVP Validation Your Organization Root Bridge Other Organization Root Your Organization Intermediate SCVP Responder Other Organization Intermediate Your Organization Certificates Other Organization Certificates

17 The Public Key The message now can be encrypted with the Trusted public key

18 Physical Access Use Case Government agency wants to use PIV-I in physical access control system. 1. A sponsor need to establish a need for access. 2. Vetting of attributes and back ground check 3. The credential PKI need to be validated and the credential then need to be registers into the system 4. A physical access model need to be defined

19 Attributes Currently there is no standard format for electronic exchange of attributes The Back End Attributes exchange is a current task of the CIO council Some proprietary first response models have been field tested

20 Physical access models In all model PIV authentication certificates should be escrowed and check routinely Use PIV-I GUID and PIV with GUID at the door and issue PIV holders without GUID a credential. Use PIV FASC-N and issue PIV-I a credential Build a PACS with discovery system and use PIV Not available at this time

21 Credential Numbers PIV key Sign Key Finger print CHUID CHUID FASC-N (PIV) Agency Code GUID (PIV-I) Expiration Date Organization ID Signature FASC-N Agency Code System Code Credential Number Credential Series ICI Person ID Org Cat Org ID POA

22 PIV vs. PIV-I Identifiers PIV Identifier Agency Code System Code Credential Number Expiration Date (4 BCD -14bits) (4BCD 14bits) (6BCD 20bits) (8BDC -25 bits) Total of 73bits GSA Wiegand format adds 2 bits for parity Note: DOD & TWIC need CS and ICI 1BCD -4bit ea for total 8bits extra PIV-I Identifier Agency Code = 9999 GUID (128bits)

23 Final Thoughs Define use case first! PIV and PIV-I are not the same and will require different policy and system configuration PACS that are PIV compliant might not be PIV-I compliant Security only comes from proper implementation

24 Roger Roehr Smart Card Alliance 191 Clarksville Rd. Princeton Junction, NJ (800)