DHS ID & CREDENTIALING INITIATIVE IPT MEETING October 14, 2004 Part 02 of 02
IMS/CMS Functional Specification: General Issuance Requirements
- Issue a GSC-IS 2.1 compliant dual-chip hybrid ICC/DESFire v0.5 smart card capable of encoding both physical and logical access credentials in a single integrated issuance process from a single issuance station. The following cards shall be supported:
  - Axalto Cyberaccess 64K v1 SM4.1
  - GEMPLUS GEMExpresso Pro 64K v1
- Issue cards only to valid persons existing in the authoritative DHS Certificate Authority Repository data source, MS Active Directory 2003.
- Issue cards through a workflow-oriented operator portal according to the issuance flow outlined.
- Provide no allowance for cardholder data additions or modifications to source data at the time of issuance (other than the cardholder photograph). All data relevant to the card shall be available and validated prior to issuance.
- Seamlessly integrate Active Directory authoritative cardholder data with an external JDBC personnel data source for single-step card personalization (contact chip and DESFire encoding, and printing).
IMS/CMS Functional Specification: Card Topology, Photography, and Printing
- Using a Fargo HDP600LC Smart Card Printer, print the front and back of the smart card in accordance with the card topology and data elements identified.
- Generate and print PDF417 and Code 39 bar codes in accordance with the requirements.
- Capture a 300 DPI cardholder photograph using the Canon G5 camera. The photograph capture interface shall provide for photo cropping and enhancement in color, contrast and white balance. The final resulting photograph shall be stored to the enterprise MS 2003 Active Directory repository.
IMS/CMS Functional Specification: Logical Access Issuance Requirements
- Issue a Java Card 2.1 smart card in accordance with Global Platform version 2.0 standards, using Secure Channel card communications to the ICC for all key-related operations.
- Issue a card with the card data model profile as specified.
- Issue a card with three X.509 compliant PKI certificates from a MS Windows 2003 CA, using customized DHS certificate templates as detailed in Appendix E, to perform the following functions. All certificates shall be issued using 1024-bit RSA keys. The CMS and CA shall provide for escrow and recovery of the encryption certificate private key.
  - Windows PKI logon with fingerprint biometric authentication to the DHS Net domain
  - Email signing (Outlook)
  - Email encryption (Outlook)
  - Client-side Web site authentication through MS Internet Explorer 5.5, 6.0 and Netscape Navigator 6.2 for Windows
- Issue a card capable of ICC authentication using a Match On Card (MOC) fingerprint biometrics applet incorporating a BSP from Precise Biometrics. Biometric authentication shall be the default method of authentication in lieu of PIN entry.
- Provide for enrollment of 2 fingerprints during original card issuance, only one fingerprint being required for access, the other serving as an alternate backup.
- Provide for full life cycle management of smart card holders, including the following:
  - Cardholder and certificate suspension and resumption
  - Cardholder and certificate termination and card recycle for subsequent use
- Provide middleware client compatibility with the CoreStreet OCSP/CRL validation authority.
- Provide middleware compatibility with the DoD CAC card to read CAC data and certificates.
- Provide middleware compatibility (read and enrollment of fingerprint templates) for the Precise Biometrics BSP and fingerprint biometric Match on Card (MOC) functionality.
IMS/CMS Functional Specification: Physical Access Issuance Requirements
- Issue a DESFire encoded card capable of providing the physical access credentials necessary to authorize access to doors controlled by the Lenel OnGuard System. Specifically, encode the DESFire contactless chip with the following information in a free read/write access control condition:
  - A single fingerprint biometric template
  - A unique individual FASC-N for each cardholder, generated by the CMS at issuance according to the Cardholder Unique ID (CHUID) FASC-N specification
- With each card issued, automatically post cardholder and badge data/status information from the CMS to the physical access system. Only card issuance operations occurring in the CMS are currently synchronized with the physical access system; the following life cycle operations are not supported:
  - Card suspension
  - Card termination
  - Card replacement
- DESFire encoded cards shall be compatible with physical access door readers from Precise Biometrics using Match-on-Reader (MOR) fingerprint biometric authentication functionality.
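As an added worked example (not from the DHS specification, Lenel or any vendor), the Python below encodes and decodes the 200-bit FASC-N the CMS must generate at issuance: 40 five-bit BCD characters with odd parity, field separators and a trailing LRC, packed into 25 bytes. It assumes the TIG SCEPACS field layout, and the values in SAMPLE are constructed for illustration.

```python
# CHUID FASC-N (TIG SCEPACS layout): 40 BCD characters of 5 bits each, packed
# MSB-first into 25 bytes. Added example, not DHS or vendor code; SAMPLE is constructed.
from functools import reduce

SS, FS, ES = 0xB, 0xD, 0xF  # start sentinel, field separator, end sentinel
LAYOUT = [  # (field, digit count) in wire order; an FS follows each of the first five
    ("agency_code", 4), ("system_code", 4), ("credential_number", 6),
    ("credential_series", 1), ("individual_credential_issue", 1),
    ("person_identifier", 10), ("organizational_category", 1),
    ("organizational_identifier", 4), ("person_org_association", 1)]
SAMPLE = {"agency_code": "0032", "system_code": "0001", "credential_number": "092446",
          "credential_series": "1", "individual_credential_issue": "1",
          "person_identifier": "1112223333", "organizational_category": "1",
          "organizational_identifier": "1112", "person_org_association": "1"}

def _bcd(nibble):  # 4 data bits, least significant first, then an odd-parity bit
    bits = [(nibble >> i) & 1 for i in range(4)]
    return bits + [1 - sum(bits) % 2]

def fascn_encode(fields):
    """Build the 25-byte FASC-N from a dict of zero-padded digit strings."""
    chars = [SS]
    for idx, (name, width) in enumerate(LAYOUT):
        value = fields[name]
        if len(value) != width or not value.isdigit():
            raise ValueError(f"{name} must be exactly {width} digits")
        chars.extend(int(d) for d in value)
        if idx < 5:
            chars.append(FS)
    chars.append(ES)
    chars.append(reduce(lambda a, b: a ^ b, chars))  # LRC: XOR of nibbles SS through ES
    bits = [b for c in chars for b in _bcd(c)]  # 40 characters * 5 bits = 200 bits
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, 200, 8))

def fascn_decode(raw):
    """Parse 25 bytes back into fields; reject parity, sentinel or LRC errors."""
    if len(raw) != 25:
        raise ValueError("FASC-N must be 25 bytes")
    bits = [(byte >> (7 - i)) & 1 for byte in raw for i in range(8)]
    chars = []
    for i in range(0, 200, 5):
        group = bits[i:i + 5]
        if sum(group) % 2 == 0:
            raise ValueError(f"parity error in character {i // 5}")
        chars.append(sum(b << j for j, b in enumerate(group[:4])))
    if chars[0] != SS or chars[-2] != ES or chars[-1] != reduce(lambda a, b: a ^ b, chars[:-1]):
        raise ValueError("bad sentinel or LRC")
    it = iter(c for c in chars[1:-2] if c != FS)  # 32 data digits remain after dropping FS
    return {name: "".join(str(next(it)) for _ in range(width)) for name, width in LAYOUT}
```

Because the specification writes this file under a free read/write access condition, the parity and LRC checks only catch corruption; they give the PACS no assurance of origin, so the FASC-N should be treated as a lookup key, with authorization decided from the PACS database and the biometric match.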
7. Physical and Cyber Access Systems Integration
[Diagram, source Lenel: DHS Card Issuance System. Blocks shown: HR / Provisioning System (provision user, de-provision user, define access rights to logical infrastructure); DHS Physical Security (define access rights to physical infrastructure, issue badge); Cardholder Data Preparation; CMS functions (capture photo, PIN and biometrics; encode contact and contactless smart card; backward compatible badging functions); CMS Logical Security Server with CMS APIs; PACS Interface, PACS Client and PACS Security Server (users, groups, roles); and a "notify changes in card state" link between the CMS and the PACS.]
Physical and Cyber Access Systems Integration
- Physical Access Readers
  - Contactless (ISO 14443) interface
  - PIN or fingerprint biometrics
  - Compliant to PACS Tech Info Guidance from PAIIWG
  - Working with any head-end systems and controllers
- Interface between PACS Server and IMS/CMS Server
  - Push down cardholder info from IMS/CMS to PACS
  - Exchange cardholder status for card life cycle management
  - Working toward common life cycle and badging APIs
  - Working with any head-end systems suppliers
Source: Lenel
Cardholder Database Preparation
[Diagram: prototype for future data collection. Blocks shown: HQ PSAMS, HQ AD, HQ E-Dir, Cardholder Database, DAC Smart Card Issuance System.]
Cardholder Data Exchange (Enterprise View)
[Diagram: Agency A, Agency B and Agency C data feeding the DHS Master Cardholder Database, which in turn serves the DHS Card Management System.]
The Master Cardholder Database collects, verifies and transforms data from the different systems, is a centralized repository for cardholder data, and provides the mechanism to generate DHS Access Cards (DAC).
DHS I&C System Architecture
[Diagram. Sites: 1120 Vermont Ave, DIMC Lab, Forrestal Bldg., 7th & D HQ. Components: AIMS Issuance Server; AIMS Issuance Station with Fargo card printer; Microsoft 2003 Machine CA; HR AD/DC; DOE; DIMC Net and DHS Net with two PIX firewalls; DCN; Office of Security; Lenel PACS Server; Microsoft 2003 CA; Meta Connector; other DHS networks; CoreStreet OCSP Validation Authority; CRL Web Server; CoreStreet OCSP Responder.]
DHS PKI-PKE Architecture
[Diagram. PKI side: CA, RA, repository (certs, CRLs), Validation Authority/Responder. LAN side: validation responder, secure email, secure web server, database, directory/authentication database, physical access servers.]
DHS Relying Parties for DAC
- DHS Infrastructure Transformation Program (smart card logon, secure email): The DHS Consolidated IT Infrastructure will serve the majority of the 180,000 DHS employees. The goal of the IT Infrastructure Transformation is for the Department to be able to share data from any point in DHS to any decision maker. The program seeks to remove lag time and complexity in accessing data, to create a robust platform on which to quickly launch new capabilities, and to provide a cost-effective and reliable infrastructure.
- Homeland Secure Data Network (HSDN): HSDN is an enterprise-wide classified network system, and provides shared services for DHS OEs, other Federal agencies, and State and Local governments, with specific controlled interconnections to Intelligence Community and Federal Law Enforcement resources.
- emerge2: The mission of this program is to transform the business and financial management policies, processes and systems of DHS into a single solution that addresses the financial management, acquisition and asset management requirements for the department.
DHS Relying Parties for DAC
- First Responder's Portal: Web portal to coordinate all First Responder sites.
- Enterprise Web Services: The vision of this project is to consolidate existing and planned Web pages and platforms of all the DHS component organizations, including the corporate Internet and Intranet sites.
- Disaster Management (DisasterHelp.gov): Joint disaster management e-gov initiative; EP&R/DHS sponsor.
- SAFECOM: Federal umbrella program coordinating standards, policies, procedures, and research and development to enable public safety agencies across local, tribal, state, and federal organizations to improve public safety response through more effective and efficient interoperable communications.
- GeoSpatial One-Stop: Part of a multi-agency business case. Department of the Interior (DOI) is the managing partner.
DHS Relying Parties for DAC
- eTravel: Part of a multi-agency business case. GSA is the managing partner.
- Business Gateway
- eTraining (GoLearn): Part of a multi-agency business case. Office of Personnel Management (OPM) is the managing partner.
- eRecords Management: Part of a multi-agency business case. National Archives and Records Administration (NARA) is the managing partner.
- Recruitment One-Stop: Part of a multi-agency business case. OPM is the managing partner.
- Enterprise HR Integration (EHRI): Part of a multi-agency business case. OPM is the managing partner.