(PIV-I) Trusted ID across States, Counties, Cities and Businesses in the US

Transcription

1 (PIV-I) Trusted ID across States, Counties, Cities and Businesses in the US Brian A. Kowal, cryptovision cv cryptovision GmbH T: +49 (0) F: +49 (0) info(at)cryptovision.com 1

2 Agenda Business motivation for PIV/ What is PIV, Credential Case Studies (Enterprise) 2

3 Business motivation for PIV/ President George W. Bush in August 2004 signed Homeland Security Presidential Directive 12 (HSPD-12) HSPD-12 mandates a standard for a secure and reliable form of identification to be used by all Federal employees and contractors. HSPD-12 initiated the development of a set of technical standards and issuance policies (referred to as Federal Information Processing Standard, FIPS 201 that create the Federal identity infrastructure required to deploy and support an identity credential that can be used and trusted across all Federal agencies, regardless of which agency issues the credential. Independently issued Logical (PC/Web Login) & Physical Access ID Card Interoperable ID Card Interoperable credentials (PKI, Physical Access) 3

4 What is PIV PIV-Personal Identity Verification: is a standard created by US government to establish common, Interoperable, Secure Identification mechanism for US Government employees. It covers Policy for credential issuance (ID Proofing, expiration...etc). Technical Specifications for the components in the Eco System. Testing and Validation Process. Privileges are managed by the accepting agencies. Based on PKI capable, Dual Interface Smart Card with durability of 5 years. NIST-National Institute of Standard and Technical-Technology arm of US Govt. defines technical specification for interoperability. FIPS 201 SP-800-X NIST and GSA test the cards and components to certify compliance. FIPS 201 GSA APL Unlike many other standards in the industry, PIV not only covers the cards, but also cover most of the connecting components such as Readers, Middleware, Biometric scanners, Data formats 4

5 PIV, PIV-I, PIV-C PIV standards not only define technical specifications for interoperability but also define oncard data and policy requirements. PIV Card: Can be issued ONLY by US federal government agencies to federal Govt. Employees and contractors because some elements in PIV Standard are applicable to only US Govt. Employees. PIV I (Interoperable) : Issued by non-federal Government organizations. No background checks needed. US federal government agencies may trust this Credential. Includes PIV Authentication Certificate that chains to Federal Bridge Certificate Authority via Cross- Certification. PIV C (Compatible) : Issued by NFI (Non-Federal Issuer). No background checks needed. It just means that the card is compatible at a technical level with the PIV Infrastructure elements such as reader.. Policy requirements are not applicable to this card, it is NOT trustworthy by US Govt. Agencies. 5

6 Success through interoperability and economies of scale PIV-I and PIV-C (CIV) looked to benefit form economies of scale. As PIV, PIV-I and PIV-C credentials gained marketplace traction, the card and card reader become commodities and supporting middleware is available in popular operating systems, helping reduce the cost of implementation, speed deployment and simplify use. The reality of the benefits of economies of scale, as of today, are mixed. 6

7 PIV Card Applications 7

8 NIST SP

9 Card Capability Container - CCC The Card Capability Container (CCC) is a mandatory data object whose purpose is to facilitate compatibility of Government Smart Card Interoperability Specification (GSC- IS) applications with PIV Cards. 9

10 Card Holder Unique IDentifier - CHUID The Card Holder Unique Identifier (CHUID) data object is defined in SP and includes the Federal Agency Smart Credential Number (FASC-N) and the Global Unique Identification Number (GUID), which uniquely identify each card. For PIV Cards the CHUID is common between the contact and contactless interfaces and shall be accessible from both. For dual chip implementations, the CHUID is copied in its entirety between the two chips. 10

11 Federal Agency Smart Credential Number- FASC-N The FACS-N is a unique number assigned to one PIV card and individual only. It is 25 bytes in length and constructed of the following fields: 11

12 PIV Card Containers 9a PIV Authentication Certificate 9b PIV Management Key (9b Key) 9c PIV Digital Signature Certificate 9d PIV Encryption Certificate 9e PIV Card Authentication Certificate 12

13 PIV Card Containers 9a 9a PIV Authentication Certificate: This certificate and its associated private key is used to authenticate the card and the cardholder. This slot is used for things like system login. The end user PIN is required to perform any private key operations. Once the PIN has been provided successfully, multiple private key operations may be performed without additional cardholder consent. PIV FASC-N UUID NACI Status User Principal Name (UPN) PIV-I UUID NACI Status User Principal Name (UPN) 13

14 PIV Card Containers 9b 9b PIV Management Key (9b Key): Triple-DES key for PIV management 14

15 PIV Card Containers 9c 9c PIV Digital Signature Certificate: This certificate and its associated private key is used for digital signatures for the purpose of document signing, or signing files and executables. The end user PIN is required to perform any private key operations. The PIN must be submitted every time immediately before a sign operation, to ensure cardholder participation for every digital signature generated. PIV PIV-I Governmental Enterprise PIN Policy vs Corporate Enterprise PIN Policy 15

16 PIV Card Containers 9d 9d PIV Encryption Certificate: This certificate and its associated private key is used for encryption for the purpose of confidentiality. This slot is used for things like encrypting s or files. The end user PIN is required to perform any private key operations. Once the PIN has been provided successfully, multiple private key operations may be performed without additional cardholder consent. PIV PIV-I 16

17 PIV Card Containers 9e 9e PIV Card Authentication Certificate: This certificate and its associated private key is used to support additional physical access applications, such as providing physical access to buildings via PIV-enabled door locks. The end user PIN is NOT required to perform private key operations for this slot. PIV FASC-N UUID NACI Status PIV-I UUID NACI Status 17

18 Biometric Data for PIV Card The mandatory Cardholder Fingerprint data object specifies the primary and secondary fingerprints for off-card matching in accordance with FIPS 201 and [SP800-76]. The mandatory Cardholder Facial Image data object supports visual authentication by a guard, and may also be used for automated facial authentication in operatorattended PIV issuance, reissuance, and verification data reset processes. The facial image data object shall be encoded as specified in [SP800-76]. The optional Iris Images data object specifies compact images of the cardholder s irises. The images are suitable for use in iris recognition systems for automated identity verification. The iris images data object shall be encoded as specified in [SP800-76]. 18

19 PIV Data Containers Card Capability Container Card Holder Facial Image 9A PIV Authentication Key CHUID Printed Information 9B Card Management Key Certificate for PIV Authentication Certificate for Digital Signature 9C Digital Signature key Card Holder Fingerprints Security Object Certificate for Key management Certificate for Card Authentication Discovery Object 9D Key Management Key 9E Card Authentication key Iris Image..Optional proprietary containers Retired Retired Certificates Retired Certificates (20) Retired Certificates Retired Key Management Keys...20 PIN Required Accessible over contactless interface NIST Optional Data Containers NIST Mandatory Data Containers Internal vault for secret data Asymmetric Key Symmetric Key 9B key Auth is required for Writing Reading is Free or PIN protected ISO

20 PIV Implementation Just using a card alone does not bring much benefit. Depending upon scope and scale, Implementation of PIV requires usage of multiple components indicated. PACS: Using the card for physical access control requires use of PIV compatible Door readers and compatible PACS back end. LACS: This requires use of compatible middleware and PKI Network set-up. Needs Credentialing and issuance infrastructure: CMS, IDMS, CA. Rule of thumb: In a typical PIV implementation, the cost of the PIV card is only a small fraction of the entire budget 20

21 PIV Eco System 21

22 PIV Card Life Cycle This process differs for PIV and PIV-I/ PIV-C 22

23 Terminal/PC Middleware Middleware provides Standard Interface between the card and the third party applications 23

24 Physical Access Control Readers 24

25 IDMS/CMS Background Verification Issuance Credential Lifecycle Management?? 25

26 Evolving and updated specifications Updated PIV Card specification Compliant with latest PIV Specifications (SP ) Supports On-Card Fingerprint Verification (fastest) Supports key history (up to 20 Certificates) AES based secure messaging (OT- SCP03) Supports Elliptic Curve Crypto Supports fast data access mechanism Available on various memory sizes up to 128 KB Perso is faster (Key and Certificate loading) 26

27 DERIVED CREDENTIAL - HOW IT WORKS 1. Request Derived Credential Applicant sends a formal request for a derived credential Applicant provides PIN or biometric authentication A higher level of assurance and authentication utilizes biometric information or PIN to verify that the applicant is physically present during the credentialling process. 2. Applicant presents existing trusted credential Checks that the smart card/mobile ID is a valid card from a trusted, specific secured source or authority and has not been tampered with. 4. Verify information for eligibility Checks that all policy conditions have been met and that the applicant is elegible for derived credentials. 27

28 DERIVED CREDENTIAL - HOW IT WORKS Set PIN for Derived Credential The applicant is then prompted to create a new, personalized PIN that will be used to verify their credentials from here on out. 7. Process Completed The derived credentials are now registered, allowing for the credential lifecycle to be managed fully. 6. Select Available Derived Credentials Applicants mobile device/card is checked wirelessly to ensure that the device has a FIPS validated credential store/secure element. Keys and certificates are then programed into the device/card. 8. Lifecycle Management The derived credentials are now registered, allowing for the credential lifecycle to be managed fully. 28

29 DERIVED CREDENTIAL PRESENTATION on MOBILE 29 Identity Verification Verify signature, demographic information, facial photos, fingerprints and other identity information on smart card chip. Communication Interface Contactless Interface of NFC, Contact Interface or Bluetooth. Credential Check Select any credential and perform health check so all data passes content signature Web Services Integration Connect with various applications using SOAP and REST web services. Multi-Factor Authentication Check user status (active or revoked) with flexible authentication such as PIN, Fingerprint, OTP or PKI. Additional Services Limitless services avilable at customer s request for elections, benefit programs, law enforcement, medical record management, transport security, access control, vehicle registration, driver identification. 29

30 BOOZ ALLEN HAMILTON PIV-I CASE STUDY In 2008, Booz Allen launched it s PIV-I implementation Business Drivers: improve network security by migrating to PKI-based authentication. Provide PIV consulting/services to Fed Govt. Requirements: CMS had to connect to PeopleSoft (Oracle) for human resource services and Active Directory (Microsoft) for logical access. Log on Microsoft-based network and to sign & encrypt Did not replace Physical Access door panels to support FASC- N/data container 9e PIV Card Authentication Certificate for physical access Has issued over 20,000 PIV-I Cards 30

31 BOOZ ALLEN HAMILTON PIV-I CASE STUDY: ISSUES SHA-1 vs SHA-256 Federal Bridge Certificate Policy requires that signatures on certificates generated after December 31, 2010 use the SHA-256 hash algorithm vendors slow to resolve compatibility issues and implement required changes to fully support SHA-256 on desktops and corporate information systems. Biometrics The PIV-I specification requires the capture and storage of biometric data. However, because of privacy considerations, Booz Allen does not require the capture of biometric data as a condition of employment. To address this issue, Booz Allen implemented a non-piv-i smart card that can be issued to individuals who decline to submit their fingerprints. These cards are fully functional within Booz Allen but are not enabled for Federal Government interoperability. Non-U.S. based employees. As Booz Allen issued new smart cards to their non-u.s. based employees, the different privacy laws of those countries needed to be addressed, including significant restrictions on what data can be collected, how and where it can be stored, and whether it can be exported to a U.S.-based corporate data store. Cost Will be discussed in following slide. 31

32 SAIC PIV-I CASE STUDY In 2012, SAIC launched it s PIV-I implementation Business Drivers: Improved security, streamlined operations, and increased accountability Provide PIV consulting/services to Fed Govt. Use-Cases: Strong authentication for remote and wireless access to corporate networks Encryption of messages containing sensitive and regulated information Digital signatures for official corporate correspondence Digital signatures to make internal forms and processes paperless Has issued over 41,000 PIV-I Cards 32

33 SAIC PIV-I CASE STUDY Requirements: Ensure that PIV-I does not cost significantly more than the smart card strong authentication systems currently in use. Ensure that PIV-I does not require replacing existing smart card and badge infrastructures. Enable seamless interoperability between SAIC and its vendors, teammates, and customers, including using SAIC cards on teammate s and customer s computers (and vice versa). Take advantage of widespread and rapidly growing support for PIV on Windows, Mac, Linux, and mobile devices. Take advantage of the PIV standards to drive down the costs of procurement, integration, deployment, and operation of an enterprise smart card solution. 33

34 SAIC PIV-I CASE STUDY: ISSUES Requirements: Ensure that PIV-I does not cost significantly more than the smart card strong authentication systems currently in use. Ensure that PIV-I does not require replacing existing smart card and badge infrastructures. Enable seamless interoperability between SAIC and its vendors, teammates, and customers, including using SAIC cards on teammate s and customer s computers (and vice versa). Take advantage of widespread and rapidly growing support for PIV on Windows, Mac, Linux, and mobile devices. Take advantage of the PIV standards to drive down the costs of procurement, integration, deployment, and operation of an enterprise smart card solution. 34

35 COMMONWEALTH OF VIRGINIA PIV-I CASE STUDY In 2005, Virginia launched it s PIV-I implementation Business Drivers: Enhance Virginia's response and recovery efforts Show other states providing a First Responder Authentication Credential (FRAC) no longer delays efforts in any scenario requiring the deployment of emergency responders. Use-Cases: Rapidly authenticate (electronically) the identity of a person at the scene of an incident. Electronically authenticate a first responder s key skills so that incident commanders can assign personnel to tasks quickly and appropriately. Provide a level of trust between emergency responders across multiple jurisdictions in times of critical incidents, thus enhancing cooperation and the efficiency of the response efforts between Federal, state, regional, local, and private sector emergency personnel. Has issued over 16,000 PIV-I (FRAC) Cards 35

36 COMMONWEALTH OF VIRGINIA PIV-I CASE STUDY: ISSUES The FRAC was not fully integrated with existing Physical Access Control Systems or Logical Access Control Systems so it was not widely used on a daily basis. Mobile card readers were not widely deployed, thus the cards were not utilized at their full potential. After issuance was completed, all of the equipment used to issue the FRACs was returned to the contractor, limiting the ability for areas of Virginia like Arlington and Alexandria to invest local resources in the program. 36

37 PIV-I in the Enterprise: considerations for improvement Managing certificate trust: Managing certificate trust at an enterprise level can be very challenging, especially when cross-organizational trust is involved, such as through the Federal Bridge. Alternative Authentication for Lost Card: Authentication systems have difficulty providing for alternative authentication in the case of a lost card. This situation can create computer logon problems. Multiple forms of strong auth technology can be beneficial: Smart card authentication is very powerful when it is combined with an alternative, strong authentication technology, such as a one-time password. Having both forms available makes it possible to handle more use cases gracefully. Lack of PKI support for non-windows clients: Deploying signed and encrypted systems enterprise-wide requires support for non- Windows users, mobile users, and Web access users. 37

38 PIV-I in the Enterprise: considerations for improvement Terminal vs Web/Cloud login: Users who use a smart card to logon to their computer, and then need to use a different smart card to access a Web site that does not support PIV (e.g. PIV vs CAC), will need two smart card readers in order to be able to simultaneously use both smart cards. This is problematic, as most computers are only equipped with a single reader, and removing the smart card used for computer logon causes that computer screen to lock, preventing use of the other card. Employee Training: A clear plan outlining the design, the deployment, application enablement plans, and communications to employees is critical, Legacy Credentials Transition: Transition of existing legacy credentials. Inability to login or gain access to facility. 38

39 PIV-I in the Enterprise: considerations for improvement Improved Automation Needed: Implement a solution that allows for full life-cycle management of the credential including personal identification number (PIN) management, certificate updates, revocation, and key recovery. A key focus was minimizing the need for a user to visit a specific office to accomplish a task. The solution requires functionality be pushed to the desktop, enabling end user self-service. Too many PIN Entries: PIV security policy requires PIN entry every time the PKI certificates are accessed. Everyday employees found this security policy to be irritating CMS systems need to be interoperable with each other: Cards issued by one CMS should be updateable by another CMS system. Though CMS systems support standards, they execute the standards via proprietary, locked-down middleware and agents. 39

40 Editorial: Govt System Integrator Cost to deploy PIV-I Cost (editorial) Government contractors such as Booz Allen Hamilton, SAIC, Northrop are different animals to corporate enterprises. They did not implement PIV out of function (value/return) but to demonstrate to their largest customer that "we do identity like you do". In such cases, these projects did not go through the same approval/analysis scrutiny that other IT projects do nor were they held to the same metrics for success. This, unfortunately has given a false sense of PIV penetration/success in the private sector. Northrop spent $654m over 5 years for PIV deployment internally across 200k users. By any measure that is a major expense that most enterprise couldn t entertain unless it was tied to their largest customer and demonstrating alignment - not function or security. Evolution of Cost/Benefit of eid solutions business models still need to evolve The cost of PIV-I deployed in the private sector space, at this time, remains hard to justify based on the merit of the technology/value itself.. 40

41 CONCLUSIONS: PIV-I BENEFITS FOR ENTERPRISES Over 10 Million PIV, PIV-I cards actively being used as Enterprise IDs Economies of Scale: readers and software become commoditized. Employee improved efficiency/speed: faster access to secured networks and applications Open Standards Interoperability: among vendor products and different organizations Multiple suppliers: offer products and services that support PIV-I credentials, reducing costs and providing a choice of vendors. Improved Security: The implementation of the PIV-I identity proofing process and strong authentication technologies improves security for an organization s physical facilities and information systems. 41

42 CONCLUSIONS: PIV-I BENEFITS FOR ENTERPRISES Proven Technology: All Federal agencies have now implemented PIV credentials, allowing organizations to build their infrastructure using proven technology that has industry-wide acceptance. Multi-Application eid: PIV-I cards support multiple applications, allowing an individual to have one card that can be used for physical access and for different logical access applications. A single credential per individual represents a significant cost savings in the long term. Future-proof solutions: By building on open standards and a technology platform with an open architecture, organizations can future-proof their systems and add capabilities after initial implementation. Scalable: PIV, PIV-I implementations have proven to be scalable to millions of employees, supporting the largest organization s requirements. 42

43 Extra Slides 43

44 COMPARISON OF PIV, PIV-I AND CIV Personal Identity Verification-Interoperable (PIV), Personal Identity Verification-Interoperable (PIV-I) and Commercial Identity Verification (CIV) credentials US Government s Personal Identity Verification (PIV) credential In 2004, US Federal government established HSPD-12, a policy directive for Common Identification Standard for Federal employees and contractors. The directive offers: Common, secure, reliable identification for employees and contractors Visual and electronic identity verification Government-wide technical interoperability and authentication Benefits for this standard are: Non-Proprietary, Compatible COTS solutions. Native support in products (Ex: Windows OS). Lower costs of implementation compared proprietary solutions. Field Proven and mature technologies. Policy PIV PIV-I CIV Breeder documents Follows FIPS 201 Follows FIPS 201 Follows the issuing organization s policies Background checks National Agency Check with Investigation None required, directly impacts level of suitability for access Follows the issuing organization s policies Process Application, Adjudication, Enrollment, Issuance, Activation Follows FIPS 201, including separation of roles, strong biometric binding Follows Federal Bridge crosscertification certificate policies Follows SP for Federal issuance Follows the issuing organization s policies For Federal relying parties, follows SP

45 COMPARISON OF PIV, PIV-I AND CIV PIV PIV-I CIV Technology Card data model Must follow SP Must follow SP SP (recommended) Current primary credential number FASC-N2 (requires Federal agency code) Object identifiers Federal Bridge Federal Bridge Trustworthiness Trust among organizations Trusted identity, credential and suitability Federal Bridge UUID (no Federal agency code required) Trusted basic identity and credential but not suitability Clustered through Federal Bridge UUID (no Federal agency code required) Organization Internet Assigned Number Authority (IANA) (if exists) Trusted credential only within the issuing organization. Clustered alone Origin Organization NIST Federal CIO Council SCA Access Control Council Defining documents Motivation Markets Organizations that may issue and/or use the credential FIPS 201, SP and other related NIST publications HSPD-12 Federal agencies PIV-Interoperability for Non- Federal Issuers and FICAM PIV-I organizations doing business with government & for first responders Federal agencies and contractors State and local governments First responder organizations CIV Credential Leveraging FIPS 201 and the PIV Specifications Commercial could take advantage of the PIV infrastructure Commercial organizations and Federal agencies who accept medium hardware assurance 45