Interagency Advisory Board (IAB) Meeting. August 09, 2005

Transcription

1 Interagency Advisory Board (IAB) Meeting August 09, 2005

2 Agenda National Institute of Standards and Technology (NIST) Discussion on Reference Implementation and Conformance Testing IAB Working Group Updates Training Partnership Discussion Common Handheld Requirements Status National Aeronautics and Space Administration (NASA) Status Update How to Check Authenticity of Personal Identity Verification (PIV) Other IAB Initiatives Credential Card Migration Strategy

3 NIST Discussion on Reference Implementation and Conformance Testing 3

4 SP Reference Implementation Jim Dray IAB Meeting August 2005

5 Components SP800-73/Part 3 PIV card simulator o Written in C++ for wintel platforms o Runs TLP224 protocol on a local port o Native code simulation of a PIV card o Can load JavaCard(tm) applets via Sun s kit PIV middleware o Implements the Part 3 client API

6 Purpose Provides a worked example for developers NOT a deployable commercial product No code that can be loaded onto a real card o JavaCard loader would allow this but NIST is not providing reference JavaCard applets o PIV functionality expressed in C++/Windows Supports conformance test development

7 Conformance It is not possible to conform to the reference implementation The reference implementation provides an example that conforms to the PIV specs Conformance testing proves that an implementation conforms to specifications Reference implementations are developed for clarity, not performance

8 Availability Publicly available at Will be updated on an as-needed basis o New versions will be posted along with change notices o Old versions will be archived, available on request Basis for a possible PIV software toolkit

9 PIV Middleware and PIV Card Application Conformance Testing Toolkit Ramaswamy Chandramouli (Mouli) IAB Meeting August 2005

10 Agency A Application Agency B Application Agency C Application PIV MIDDLEWARE CSP/Bio API / CSP/Bio API / CSP/Bio API / Etc. Etc. Etc. PIV Client Application Programming Interface PIV Card Command Interface Host PC Card Reader Driver Card Reader Smart Card Reader PIV CARD PIV Card Application PIV Card Command Interface PIV Data Model

11 Scope Tests & Specs Test Suite has two Broad Categories of Tests o PIV Middleware (End-Point) Tests o PIV Card Application (End-Point) Tests SP Specifications Covered o End-Point Client API Chapter 6 of SP o End-Point PIV Card Application Card Command Interface Chapter 7 of SP o PIV Data Objects & Representations (Chapter 4 & 5 of SP ) o PIV Authentication Use Cases (C.1.2 and C.1.4 of Appendix C of SP )

12 PIV Middleware Tests Configuration The Test Toolkit The vendor provided PIV middleware which is the subject of this test The contact and contactless smart card readers or a dual interface reader A dual interface FIPS 201-compliant test PIV card or a PIV card emulator.

13 PIV Middleware Tests Summary Tests all the 9 Functions in PIV Client API (Chapter 6 of SP ) Tested for Response to all Valid and Error Return Codes

14 PIV Card Application Tests Configuration The test toolkit Contact and a contactless smart card readers or a dual interface reader An PIN input device A biometric fingerprint reader A PIV card that support contact and contactless interface which is the subject of this test.

15 PIV Card Application Tests Card Command Interface Tests Tests all 8 commands in card command interface (Chapter 7 of SP ) Card interface type (contact vs. contactless) Precondition for use (PIN verified, Currently Selected Application value) Expected Response status codes Right Content and Encoding for returned data Appropriate State Variables set in the card.

16 PIV Card Application Tests Data Objects Representation & Authentication Use Cases Tests Tests all 6 Mandatory data objects and any published of the 5 Optional data objects for - Correct Tag Codes & Lengths - Overall size limits for the buffer Authentication Use Case Tests consists of - Parsing Data and Checking for values of key fields such Expiration Date in CHUID, FASC-N etc - Verifying signatures are valid

17 Toolkit Features Summary The toolkit has a Graphical User Interface Provides a configuration file to enter valid parameter values for validation of data returned in responses to function calls. Each of the two broad categories of tests PIV Middleware Tests & PIV Card Application Tests can be loaded separately.

18 IAB Working Group Updates 18

19 Foreign National Working Group Initial meeting held on Thursday, July 14th Included representatives from: Department of State Department of Energy Department of Commerce Department of Interior Department of Defense Shared information on current processes for vetting foreign nationals within respective organizations Discussed potential challenges accommodating Personal Identity Verification (PIV) Shared compiled list of challenges with Office of Management and Budget (OMB) policy working group 19

20 Aggregate Buy Working Group Initial meeting held on Monday, July 25 th Outlined lessons-learned from the DoD to help other agencies avoid known pitfalls within the issuance process Reviewed initial draft specifications for contact and contactless technologies as it pertained to mandatory and optional contract line item numbers (CLIN) Aggregate buy will provide for: Cards Printers Printing consumables Smart card middleware Contact and contact-less readers 20

21 Physical Access and Integration Working Group The PAIWG is updating the Physical Access Control System (PACS) 2.2 guidance to conform with FIPS 201 and SP Tiger Team created a gap analysis that outlines the discrepancies between the documents 21

22 Training Partnership Discussion 22

23 HSPD-12 TRAINING MODULES UPDATE

24 Introduction Developing a series of web- based training modules and assessment tools to assist management, administrators and users in complying with FIPS 201 The series will assist in the consistent implementation of FIPS 201 across the Federal Government

25 Background Training will be focused on: increasing awareness, ensuring compliance, promoting the utility and benefits, and clarifying misunderstandings relating to HSPD-12 implementation. The depth of the training content will vary from high-level overviews to details concerning roles and responsibilities; including certifications, where necessary.

26 Timelines and Modules Delivery on 10/03/2005 includes: Module 1: PIV Roles and Responsibilities Delivery on 12/31/2005 includes: Module 2: PIV Overview Module 3: Privacy Awareness Module 4: Administrator Module 5: Appropriate Uses

27 Module 1 10/3/2005 Module 1 includes: An overview of the issuance process The specific roles and responsibilities associated with PIV-1 compliance Certification of employees in the specified roles at the conclusion of the training

28 Modules /31/2005 Module 2: PIV Overview - overview of HSPD-12 for all government employees, the impact on agencies, and card issuance Module 3: Privacy Awareness Awareness explains the uses of personal identity information collected and will dispel concerns about misuse of personal data within the system

29 Modules 2-5, 2 cont. Module 4: Administrator provides a basic overview of the technologies and approaches (i.e. Smartcards, Biometrics, Card Management) Module 5: Appropriate Uses discusses how the PIV card can be used for building access (physical) and logical access (i.e. to Federally controlled information systems)

30 Common Handheld Requirements Status 30

31 DM DC Information and Technology for Better Decision Making Information and Technology for Better Decision Making Joint Program Handheld/Mobile Device Status for Government Smart Card Interagency Advisory Board Presented by Mike Butler Director, Smart Card Programs and Operations Defense Manpower Data Center August 2005 August

32 DM DC Information and Technology for Better Decision Making Plan of Action Gather Requirements from User Community Consider DBIDS Lessons Learned Contract for Handheld Expertise Support Finalize Consolidated Requirements Market Survey of Products Capable of Customization and Modularity * Industry Capabilities Briefings * Statement of Work (SOW) for Development * Request for Proposal (RFP) for Development of Custom and Modular Handheld/Mobile Device(s) August 2005 * Only if COTS does not exist to meet our needs. 32

33 DM DC Information and Technology for Better Decision Making Handheld/Mobile Device Market Place August

34 DM DC Information and Technology for Better Decision Making Questions? Mike Butler (703) August

35 National Aeronautics and Space Administration (NASA) Status Update 35

36 Common Badging and Access Control System (CBACS) People, Technology, & Information Working Together For NASA Marshall Space Flight Center August, Government Smart Card Inter-Agency Advisory Board Explore. Discover. Understand. GSC-IAB 8/10/2005 IS05: Tim Baldridge Page 36

37 CBACS Initial Scope Smart Cards MISSION: (2002/2003) The Implementation of a multi-application, multi-technology smart card program with an Agencywide user base People, Technology, & Information Working Together For NASA VISION: To issue a common credential token (physical and logical identifier) that is. Used by NASA employees, contractors, and other people approved by NASA. Who require routine access to NASA physical and information resources. An inter-agency Federal Identity Credential conforming with emerging federal policy and technical interoperability During During Site Site Surveys, Surveys, issues issues were were determined determined on on several several fronts: fronts: diversity diversity of of existing existing PACS, PACS, need need for for common common processes, processes, difficulties difficulties in in logical logical roll-out, roll-out, and and flexibility/ease flexibility/ease of of use use of of system system Explore. Discover. Understand. GSC-IAB 8/10/2005 IS05: Tim Baldridge Page 37

38 CBACS Project Re-Direction Goals: (2004) Achieve High Business Value Through a Common Badging and Access Control System That Integrates with Smart Cards Provide Physical (versus Logical) Deployment of Smart Cards Initially Provides a Common Consistent and Reliable Environment Into Which to Release the Smart Card Gives Opportunity to Develop Agencywide Consistent Processes, Practices and Policies Enables Enterprise Data Capture and Management Promotes Data Validation Prior to SC Issuance Avoids Further Investment in Current PACS Systems People, Technology, & Information Working Together For NASA Explore. Discover. Understand. GSC-IAB 8/10/2005 IS05: Tim Baldridge Page 38

39 CBACS - Description An Integrated Services and IT Security Environment That Fulfills NASA and Homeland Security Presidential Directive (HSPD-12) Requirements for: NASA Identity Management System IDMS Central Authoritative Source for Personnel Identification Warehouse for Personnel Security Investigation Determinations Warehouse for Clearance Issuance & Uniform Universal Person Identification Code (UUPIC) Enterprise Physical Access Control System E-PACS Software for Common Badging Application Area Access Management Visitor Management System (Optional) Alarm Monitoring Application Integrated Digital Video Recording and Archiving System Smart Card Physical Access SC Hybrid Smart Card Utilized with E-PACS for Physical Access Provide Logical Access to NASA Computerized Systems During Final Phase of Implementation Central Card Management System CCMS Contact and Contact-less Smart Card Encoding Provides Logical Certificates to the Smart Card from the NASA CA Smart Card Life Cycle Management People, Technology, & Information Working Together For NASA Explore. Discover. Understand. GSC-IAB 8/10/2005 IS05: Tim Baldridge Page 39

40 CBACS - Conceptual Drawing People, Technology, & Information Working Together For NASA Explore. Discover. Understand. GSC-IAB 8/10/2005 IS05: Tim Baldridge Page 40

41 CBACS - System Life Cycle People, Technology, & Information Working Together For NASA IDMS E-PACS Smart Card CCMS Initiation Complete Complete Complete Complete Development and Acquisition Complete Ongoing Ongoing Ongoing Implementation Ongoing Ongoing Lab Lab Operations and Maintenance None None None None Disposal None None None None NIST Phasing Model View Explore. Discover. Understand. GSC-IAB 8/10/2005 IS05: Tim Baldridge Page 41

42 CBACS - Planning Approach New Work Planning Documents Compliance Reason for not complying or N/A People, Technology, & Information Working Together For NASA OMB Circular A-11 Business Plan NIST Special Publication , Risk Management Guide for Information Technology Systems NIST Special Publication , Guide for Developing Security Plans for Information Technology Systems NPR C, Sections 3.2, , and NPD , Emergency Preparedness Programs NPR , Security Procedures and Guidelines NPR Security of Information Technologies NPR , NASA Software Engineering Requirements, and NASA Standard , Software Assurance Standard Complies Complies Complies Will Comply Complies Complies Complies Will Comply Evaluation underway to ensure compliance Evaluation underway to ensure compliance Explore. Discover. Understand. GSC-IAB 8/10/2005 IS05: Tim Baldridge Page 42

43 How to Check Authenticity of PIV 43

44 Other Federal Agency Visitors Checking the Authenticity of PIV Challenge: An individual from Housing and Urban Development (HUD) visits a Department of Homeland Security (DHS) facility and presents HUD PIV How will the DHS facility know that this PIV is authentic, held by the right person, and still valid? Requirement: FIPS 201 (section 6.2) requires card issuers to provide the capability for credentials to be authenticated by other Federal Agencies 44

45 What Is Currently Done Within DoD? DoD components utilize the Defense National Visitors System (DNVS) XML Simple Object Access Protocol (SOAP) Java 45

46 46

47 47

48 Proposal Propose establishing a focus group to: Scope out the different ways in which credential cross recognition could be accomplished Examine and recommend a common approach and process for all Federal Agencies Examine and recommend ways to maximize/leverage current investments 48

49 Current Environment Issuing Smart Cards for over 5 Years Issued over 8.5 million cards to DOD personnel/contractors (3.2 mil. are active) Submitted on June 27, 2005, OMB mandated plan to become PIV compliant (plan approved) Deploying a dual-interface card utilizing V2 applets and new PIV applet at issuance or post issuance Any new cards introduced must be backwards compatibility to cards previously fielded 49

50 Architecture Security Domain Access Control Applet PIN, Secure Channel, External Authority Controls Access which who Access is Controller Controller applets granted Applet are access placed Appletto the on applets Accesscard API Access Control MOC Lib Access Control Access API MOC Lib Access Control Bio Access Controller Access API Applet Secure Transport MOC Lib Access API Access Control PIV Applet MOC Lib Access Control OP Domain API PKI Applet GC Applet Other Applets Bio Action Applet C C C JavaCard Runtime 50

51 Other IAB Initiatives 51

52 DoD Key Ceremony and System Tour Who: Government and Primary Contractor Support Personnel ONLY What: DoD Key Management 101 and System Tour When: Session 1: Thu, Aug 11th (1-4pm) Session 2: TBD Where: EDS DMDC Account office (1600 N Beauregard Street, Suite 100, Alexandria, VA 22311) Why: To assist government personnel in determining individual key management policies and procedures Please send your RSVP to Winn Whaley at: winifrid.whaley.ctr@osd.pentagon.mil by Tuesday, August 9th 52

53 Located 5 min off of I-395, the DMDCB/EDS office is south of the Pentagon and north of the Springfield Mixing Bowl. Location is NOT metro accessible (15 min+ taxi from Eisenhower stop). Electronic Data Systems 1600 North Beauregard Street Alexandria, VA Front Desk: From DC: 1. Take I-395 S to Exit 4 - Seminary Road West (veers to the right). Once on Seminary Road, immediately begin moving towards the left hand lane. 2. At 2nd light turn left onto N Beauregard Street 3. At 2nd light turn right (Clyde's entrance). Sign will read 1600 EDS. 4. Continue straight and at 2 nd left, turn left until you see Bldg Please do not park in the spaces marked "Clyde's" or you may be towed. 53

54 HSPD-12 Reminders Implementation plans were due to OMB on June, Other dates: August 19, 2005: Public comment on Special Publication (SP) August 27, 2005: Additional programs identified to OMB that must be Personal Identity Verification (PIV) compliant October 27, 2005: PIV I Notional October 27, 2006: PIV II Notional SP Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations Published in July 2005 Establishes the attributes required of organizations in order to reliably perform appropriate identity proofing and issuing of cards Describes methods for determining if a PIV issuer exhibits the required attributes Provides guidance to Federal agencies in establishing or obtaining the services of an issuer whose reliability is accredited 54

55 IAB Status Report IAB status report and dashboard Provides a monthly update of IAB: Working group activities Educational opportunities Announcements Upcoming meetings 55

56 IAB Website Initial presence Next iteration scheduled for September 56

57 Credential Card Migration Strategy IAB 9 August 2005

58 Card Migration Strategy Migration to attain PIV II compliance by 10/06 but start now Card purchases starting now Movement to 10/06 Dual-Interface (DI) 64k Java Card 2.2 Current GSC applets Printed in accordance with FIPS-201 guidelines Existing GSC-IS applets 64K Chip DI 64k Java Card 2.2 Current GSC applets Printed in accordance with FIPS-201 guidelines PIV-II End State Applet: Available and FIPS certified Existing GSC-IS applets 64K Chip New PIV II applet PIV-II Compliant

59 Card Migration Strategy Migration to attain PIV II compliance by 10/06 but start now DI cards issued pre 10/06 Post-Issuance Update: all Pre 2/06 DI Cards Existing GSC-IS applets 64K Chip New PIV II applet PIV-II Compliant Issued DI cards will be post managed through a post management portal DI Cards come back to portal, load PIV II cert onto PIV II applet (contains CHUID, bio container,cert and security object) Previously Issued Dual Interface Cards: PIV-II Compliant 64K Chip October 2006 Existing GSC-IS applets New PIV II applet

60 Technical Notes PIV-II applet will be loaded aside existing GSC applet set The PIV-II certificate, CHUID, biometric containers, and security object will be loaded into the new PIV II applet ( Note: bio container only populated when SP issued Middleware will be upgraded to support the additional PIV-II applet and data Physical Access (PA) systems will be upgraded to support use cases for PA authentication over the contactless interface All other data and credentials not mandatory in FIPS- 201 and SP will remain in the GSC applet set

61 Conclusions This approach allows agencies to start issuing currently available dual interface smart card platform now Enables agencies to upgrade once PIV-II certified products are available Disagreement with this approach technically?