Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA
LANL's Multi-Factor Authentication (MFA) Initiatives
NLIT Summit 2018
Glen Lee, Network and Infrastructure Engineering Division, Infrastructure Services Group (NIE-IS)
glenleee@lanl.gov
May 22, 2018, 11:15 AM, Location: 104A
LA-UR-18-23969. Approved for public release; distribution is unlimited.
Our MFA Journey

Where we were:
- CRYPTOCard Hardware One-Time Password Device (Privileged Users, Remote Access, MIT Kerberos)
- Business Apps
- P@$$w0rd! Static Active Directory Passwords (Active Directory)

Where we are:
- CRYPTOCard Hardware One-Time Password Device (Remote Access, MIT Kerberos)
- Business Apps
- Active Directory Single-Sign-On (Federation SAML)
- PIV Card
- Static Active Directory Passwords (Active Directory, Privileged Users)
- + Temporary Password Self-Service Portal

Where we are heading (NO STATIC ACTIVE DIRECTORY PASSWORDS):
- NIST SP 800-63-3 IAL3/AAL3 Credentials
- Other IALx/AALx Credentials (Remote Access, MIT Kerberos)
- Active Directory Single-Sign-On (Federation SAML)
- Active Directory, Business Apps
- OneID
- + Temporary Password Self-Service Portal

6/13/2018 3
Technical Approach to Achieving the DOE and FISMA MFA Requirement

DOE MFA Requirement (transition state):
- Disable use of the static AD password on the user's AD account
- Map both the PIV and the CRYPTOCard to the user's AD account via a multi-value AD attribute: 1. X509: PIV Cert; 2. Kerberos: CC Identity
- Need an AD password for some reason? Temporary Password Self-service Portal -> AD Security Group -> Active Directory; MFA enforced daily

FISMA MFA Requirement:
- Disable use of the static AD password on the user's AD account
- Map only the PIV to the user's AD account via a multi-value AD attribute: 1. X509: PIV Cert (transition step: add the CC to altSecurityIdentities as 2. Kerberos: CC Identity)
- Need to use an AD password or CRYPTOCard for some reason? Temporary Password Self-service Portal -> AD Security Group -> Active Directory; PIV enforced daily

Static re-usable AD passwords are no longer an attack vector at LANL.
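The account mapping and daily re-enforcement described on this slide, as an added PowerShell illustration that is not LANL's own tooling: the PIV certificate and the CRYPTOCard Kerberos identity go into the multi-valued altSecurityIdentities attribute, the static password is disabled by requiring smart-card logon (which makes AD randomize the password), and a scheduled function re-applies that flag to everyone not currently in the temporary-password exemption group. The issuer/subject DNs, Kerberos realm and group name are placeholders.

```powershell
# Added example (not from the LANL deck). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Set-MfaAccountMapping {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $PivIssuerDn,   # placeholder, e.g. 'DC=gov,DC=example,CN=Issuing CA'
        [Parameter(Mandatory)] [string] $PivSubjectDn,  # placeholder subject DN from the PIV auth cert
        [string] $KerberosIdentity                      # transition only, e.g. 'jdoe@CC.EXAMPLE' (assumed realm)
    )
    # altSecurityIdentities is multi-valued: X509 mapping by issuer+subject,
    # plus an optional Kerberos mapping for the CRYPTOCard identity.
    $values = @("X509:<I>$PivIssuerDn<S>$PivSubjectDn")
    if ($KerberosIdentity) { $values += "Kerberos:$KerberosIdentity" }
    # -Replace keeps the call idempotent (re-running does not append duplicates).
    Set-ADUser -Identity $SamAccountName -Replace @{ altSecurityIdentities = $values }

    # "Smart card is required for interactive logon": AD randomizes the stored
    # password hash, so the static password can no longer be used anywhere.
    Set-ADUser -Identity $SamAccountName -SmartcardLogonRequired $true
}

function Invoke-DailyMfaEnforcement {
    param([string] $ExemptionGroup = 'MFA-Temporary-Password')  # placeholder group name
    # Users the self-service portal placed in the exemption group keep their
    # temporary password until this daily job runs again.
    $exempt = Get-ADGroupMember -Identity $ExemptionGroup -Recursive |
              Select-Object -ExpandProperty SamAccountName
    # LDAP bitwise-AND (1.2.840.113556.1.4.803): enabled accounts (bit 2 clear)
    # that do NOT have SMARTCARD_REQUIRED (0x40000 = 262144) set.
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=262144)))'
    Get-ADUser -LDAPFilter $filter |
        Where-Object { $exempt -notcontains $_.SamAccountName } |
        ForEach-Object {
            Write-Verbose "Re-enforcing smart-card logon for $($_.SamAccountName)"
            Set-ADUser -Identity $_ -SmartcardLogonRequired $true
        }
}
```

Run Invoke-DailyMfaEnforcement from a scheduled task under an account limited to modifying user objects; the Where-Object exclusion is what turns group membership into the daily exception window the slide describes.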
What about those who don't have a PIV?

Uncleared US citizens => PIV
- Supplemental Directive 206.2, Implementation of Personal Identity Verification For Uncleared Contractors, was signed April 14, 2018

Others (FNs, Interns, Summer Hires, etc.) => PIV-like alternative
- Identity Assurance Level 3 / Authenticator Assurance Level 3 (IAL3/AAL3) Token
- Alternatives under consideration include: LANL-issued credential (more to come on this later); GSA USAccess temporary credential (service expected in September/October timeframe)
- Work in progress

Mobile devices => Derived Credentials
- NIST SP 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials
- Alternatives under consideration include: GSA USAccess service (requirements and planning phase); LANL-issued (if an Enterprise service will not be made available)

All users will have a PIV or PIV-like credential to use for authentication.
macOS MFA Implementation

Significant number of Mac systems at LANL
- Managed by Casper, and most are not bound to a directory service (e.g., Active Directory)

MFA approach for Mac
- Disable the use of static Active Directory passwords for access to network resources
- Leverage Kerberos tickets in lieu of Active Directory passwords
- Not dependent on the Mac being bound to a directory service
- Logon to the Mac is not impacted, since device authentication is not the subject of the DOE MFA requirement

System requirements
- macOS Sierra 10.12.4 (or later); macOS 10.11 (and earlier) is not supported
- NoMAD menu application to help manage Kerberos tickets (standard on all LANL Mac systems)
- LANL MFA credential: PIV Card for those who have one, otherwise CRYPTOCard
- Smartcard reader (for PIV users)

Static Active Directory (AD) passwords are not needed on a Mac.
PIV on the Mac

PIV (smartcards) are natively supported on macOS Sierra 10.12 (and later)
- Utilizes Apple's CryptoTokenKit framework instead of the TokenD framework
- PIV logon to local accounts is supported (optional capability for LANL users)
- The PKI Certification Authority (CA) chains are centrally managed: the macOS keychain is configured via JAMF server configuration profiles

NoMAD improves the user experience with PIV
- Alert / notification when the PIV is left in the reader
- Friendly names displayed to distinguish each certificate

PIV works with Apple applications without extra configuration: Safari, Apple Mail

Applications that pose a problem
- Firefox (requires 3rd-party middleware to provide PKCS#11 support for PIV)
- Adobe (only supports TokenD)
- Outlook for Mac (will support CryptoTokenKit soon)
- Remote Desktop Client for Mac (does not support smartcards)

PIV does work natively on the Mac, but there are some challenges to overcome.
Our Approach to Alternative Credentials Compliant With NIST SP 800-63-3

Identity Assurance Level 3 (IAL3) Requirements: existing PIV processes
- Sponsorship (name, affiliation, etc.)
- Identity Proofing (who are you?)
- Enrollment (photo, bio, etc.)
These feed the Identity Data Source, which feeds the Credential Management System (CMS).

Authenticator Assurance Level 3 (AAL3) Requirements
- CMS, integrated with the Identity Data Source and the Internal PKI, verifies the person's data (Name: John Doe; Affiliation: LANL; SiteID: 123456)
- Issues NIST-approved hardware cryptographic tokens (supply chain)

Result: an IAL3/AAL3 credential that is functionally the same as PIV.
Remote Access Approach

1. 2-factor authentication to initiate the remote session: "Hey, it's me."
2. Remote Access secondary challenge: "Is this really you?"
3. 2nd authentication: "Yes it is." (Remote Access Point -> Access Granted -> LANL Network)
4. Establish the secure remote access session: "Okay, you can have access."

Two-step authentication on top of two-factor authentication: the 2-step authentication ensures a LANL user really initiated the original request for access.
Transitioning from LANL's Legacy Entrust PKI

LANL dependency on the legacy Entrust PKI, LANL's approach, and transition readiness:

Internal (local) applications
- Approach: LANL's Only Locally Trusted (OLT) PKI; OLT PKI Certificate Tool
- Readiness: full production mode and systems; full production mode

Wireless access
- Approach: LANL's Only Locally Trusted (OLT) PKI
- Readiness: testing with LANL's wireless implementation

Email encryption on the desktop
- Approach: PIV Encryption certificate (native Outlook on Windows and Mac); Energy Global Directory Service (EGDS); PIV email address corrections in GSA USAccess; Re-encryption Tool (DOD's MailCrypt)
- Readiness: ~95% of Entrust users have PIV; piloting and assessing features; production ready; participating in the DOE-wide effort to leverage OneID's connection to GSA; assessing its use at LANL

Email encryption on mobile devices
- Approach: PIV Encryption certificate sans PIV; GSA USAccess PIV Encryption Key Recovery Service; Mobile Device Management (MDM) solution integrated with the GSA / Entrust service
- Readiness: ~75% of Entrust users have mobile; collaborating with DOE and GSA USAccess for both 3rd-party and self-service models; long-term goal in collaboration with DOE and GSA USAccess

LANL's MFA implementation facilitates the long-term goal of retiring the Entrust infrastructure and desktop components.
LANL's OneID Integration

OneID components: Authentication Hub (HUB) and Attribute Exchange Service (AES). Status of each integration: Work in Progress / Production / Future.

- Federation (SAML): Ping's IdP component and the LANL Identity Provider (IdP) provide Single Sign-On (SSO) under a SAML contract
- Ping's SCIM attribute provisioning component: provision LANL person attributes to OneID; return the DUID for storage and future provisioning
- LANL source(s) of truth of people data
- Lookup interface (LDAP), used by Network/Apps and PACS: request attributes using the DUID or SiteID; return attributes for the requested DUID or SiteID

LANL anticipates leveraging OneID to streamline the management of both internal and external users' access to facilities, networks, and applications.
Our MFA Destination

- Authenticate with PIV and PIV-like credentials
- Strong authentication (including 2-step authentication)
- Federation (SAML) and Single Sign-On (SSO): LANL Network SSO; LANL Applications SSO; DOE & Other Government Agency Applications

... and reading and sending secure email is important too!
- Search & retrieve users' public encryption certificates: Energy Global Directory Service (EGDS)
- Retrieve & configure your PIV private encryption key

Are we there yet?
Questions?