Secure Lightweight Activation and Lifecycle Management

Similar documents
Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

AXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure

Leveraging HSPD-12 to Meet E-authentication E

AWARD TOP PERFORMER. Minex III FpVTE PFT II FRVT PRODUCT SHEET. Match on Card. Secure fingerprint verification directly on the card

Interagency Advisory Board Meeting Agenda, March 5, 2009

Who s Protecting Your Keys? August 2018

Single Secure Credential to Access Facilities and IT Resources

Biometric Use Case Models for Personal Identity Verification

Architecture 1 3. SecureToken. 32-bit microprocessor smart chip. Support onboard RSA key pair generation. Built-in advanced cryptographic functions

IMPLEMENTING AN HSPD-12 SOLUTION

Interagency Advisory Board Meeting Agenda, February 2, 2009

The Benefits of EPCS Beyond Compliance August 15, 2016

Interagency Advisory Board Meeting Agenda, February 2, 2009

An Overview of Draft SP Derived PIV Credentials and Draft NISTIR 7981 Mobile, PIV, and Authentication

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

How Next Generation Trusted Identities Can Help Transform Your Business

Power LogOn s Features - Check List

Indeed Card Management Smart card lifecycle management system

Sphinx Feature List. Summary. Windows Logon Features. Card-secured logon to Windows. End-user managed Windows logon data

(PIV-I) Trusted ID across States, Counties, Cities and Businesses in the US

DigitalPersona Altus. Solution Guide

Cryptologic and Cyber Systems Division

Guardium UI Login using a Smart card

Certification Authority

Interagency Advisory Board Meeting Agenda, Wednesday, February 27, 2013

Windows Smart Card Logon Use Case

CREDENTSYS CARD FAMILY

Leveraging the LincPass in USDA

Identity and Authentication PKI Portfolio

Open Mobile API The enabler of Mobile ID solutions. Alexander Summerer, Giesecke & Devrient 30th Oct. 2014

Derived Personal Identity Verification (PIV) Credentials (DPC) Proof of Concept Research

Interagency Advisory Board Meeting Agenda, Wednesday, May 23, 2012

Managing PIV Life-cycle & Converging Physical & Logical Access Control

Single Sign-On Architectures. Jan De Clercq Senior Member of Technical Staff Technology Leadership Group Hewlett-Packard

PKI Enhancements in Windows 7 and Windows Server 2008 R2

Interagency Advisory Board Meeting Agenda, Wednesday, April 24, 2013

PKI is Alive and Well: The Symantec Managed PKI Service

TWIC Reader Technology Phase

Strategies for the Implementation of PIV I Secure Identity Credentials

Securing Federal Government Facilities A Primer on the Why, What and How of PIV Systems and PACS

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA

Dissecting NIST Digital Identity Guidelines

NFC Identity and Access Control

Symantec Managed PKI Overview. v8.15

MAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013

ENTRUST DATACARD DERIVED PIV CREDENTIAL SOLUTION

FAMILY BROCHURE. Gemalto SafeNet Authenticators. Diverse Form Factors for Convenient Strong Authentication

Meeting the requirements of PCI DSS 3.2 standard to user authentication

RSA Authentication Manager 8.2

SignCloud. Remote Digital Signature System

Interagency Advisory Board Meeting Agenda, December 7, 2009

Are You Flirting with Risk?

Are You Flirting with Risk?

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

<Partner Name> <Partner Product> RSA SECURID ACCESS Authenticator Implementation Guide. Check Point SmartEndpoint Security

FIPS and Mobility (SP Derived PIV Credentials) Sal Francomacaro FIPS201/PIV Team NIST ITL Computer Security Division

XenApp 5 Security Standards and Deployment Scenarios

Enterprise Adoption Best Practices

August, Actividentity CTO Office

DHS ID & CREDENTIALING INITIATIVE IPT MEETING

Creating Trust in a Highly Mobile World

Velocity Certificate Checking Service Installation Guide & Release Notes

Entrust Technical Integration Guide for Entrust Security Manager 7.1 SP3 and SafeNet Luna CA4

Interagency Advisory Board Meeting Agenda, Tuesday, November 1, 2011

ADmitMac PKI Executive Summary. 2010, Thursby Software Systems, Inc.

Overview of cryptovision's eid Product Offering. Presentation & Demo

Mobile Devices as Identity Carriers. Pre Conference Workshop October 14 th 2013

81 -key The Power of a Touch. ID DIRECTOR for Windows. Microsoft Partner. Adress 3349 Highway 138 BLDG A STE E Wall, NJ 07719

Identiv FICAM Readers

Secure Government Computing Initiatives & SecureZIP

Strong Authentication for Physical Access using Mobile Devices

hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION

TWIC Implementation Challenges and Successes at the Port of LA. July 20, 2011

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

The Open Protocol for Access Control Identification and Ticketing with PrivacY

cryptovision s Government Solutions Adam Ross, Ben Drisch cryptovision GmbH

Certificate Enrollment- and Signing Services for the Cloud. A behind-the-scenes presentation of a successful cooperation between

Considerations for the Migration of Existing Physical Access Control Systems to Achieve FIPS 201 Compatibility

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT

IEEE Sec Dev Conference

YubiKey Smart Card Deployment Guide

Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control

The Gemalto offer for PKI market in Russia

Physical Access Control Systems and FIPS 201

Using PIV Technology Outside the US Government

BEYOND TRADITIONAL PASSWORD AUTHENTICATION: PKI & BLOCKCHAIN

FiXs - Federated and Secure Identity Management in Operation

DigitalPersona for Healthcare Organizations

TWIC Readers What to Expect

FIPS and NIST Special Publications Update. Smart Card Alliance Webinar November 6, 2013

No More Excuses: Feds Need to Lead with Strong Authentication!

Thales e-security. Security Solutions. PosAm, 06th of May 2015 Robert Rüttgen

VAM. Epic epcs Value-Added Module (VAM) Deployment Guide

Mandate. Delivery. with evolving. Management and credentials. Government Federal Identity. and. Compliance. using. pivclasss replace.

Intel and Symantec: Improving performance, security, manageability and data protection

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

Version 3.4 December 01,

BioPassport TM Enterprise Server

Securing Personal Mobile Device Access to Enterprise IT and Cloud Assets with Strong Authentication

Helping Meet the OMB Directive

Transcription:

Secure Lightweight Activation and Lifecycle Management Nick Stoner Senior Program Manager 05/07/2009

Agenda Problem Statement Secure Lightweight Activation and Lifecycle Management Conceptual Solution CMS Accessibility The Secure Token Versatile Authentication and LWA Service Sample Architecture Reduction in the Total Cost of PIV Card Deployments While Maintaining Security

Problem Statement Activation of PIV cards generally must occur at Full enrollment or activation stations Approximately 20% of Federal Employees must travel more than 25 miles to reach a full activation station Activation stations must have middleware, matching software, drivers, and the appropriate readers to support card activation A Card Management System (CMS) is generally deployed within an isolated network For standalone deployments on a single network, this is less problematic For managed services, this prevents most users from being able to access CMS Making CMS accessible outside isolated networks has large security and service availability concerns

Problem Statement (continued) The ability to perform biometric authentication as a means to begin activation is limited Biometric fingerprint as a primary means of authentication is not always supported Username / Password, Security Questions, Temporary PIN used instead Support of alternative biometrics is very limited or non-existent These issues also apply to the card s lifecycle Post-issuance updates, card unblock, certificate renewal, card renewal, suspend / resume, etc. Some lifecycle use cases can be supported via help desk calls, which carry additional costs

What is Needed to Solve These Problems? Make CMS accessible outside of isolated network Must maintain level of security Must provide serviceability A portable and secure mechanism for card activation and lifecycle events Integration of all necessary activation and lifecycle management components into a small and portable package Should not require installation of additional software on the client Devices must support standards based secure communication channels Device must be trusted and resistant to tampering Server to perform authentication and activation orchestration Fingerprint biometrics as primary means of authentication Tight integration with CMS to perform card activation and other lifecycle events Provide a pluggable framework for use of other biometric types in the future Support of standards based secure communication channels

CMS Accessibility Standalone deployments will have less accessibility issues Managed Service Offering Distributed Card Operations (DisCO) Project MSO CMS services to be publicly accessible Proof of concept complete Production deployment forthcoming Remaining Challenges Username / password still required Jumpkit portability Requires several available USB ports Software must be installed Untrusted client environment Serviceability management Existing Client USB USB USB DisCO Jumpkit

The Client and Secure Token Small, portable device with single USB interface Integrates Secure, tamper resistant activation environment (FIPS 140-2 Level 2) Biometric swipe sensor Zero installation activation and lifecycle management software resides on the token Client requires middleware and smart card reader (which would be needed to use the card anyways) Versatile Authentication Server is the only system that can access the token Tokens are pre-provisioned from server Protected by NIST SP800-56A compliant, 2048-bit PKI secure channel

Versatile Authentication Server and LWA Service A Versatile Authentication Server provides a multi-channel authentication framework capable of supporting authentication via a variety of technologies Username / password Digital Certificates One Time Passwords Biometrics (fingerprint, voiceprint, etc.) Deployed alongside CMS and includes a service that orchestrates card activation and lifecycle management Establishes a secure channel with token for passing of biometric data Biometric matching occurs on the server Prints are not stored on token or client Service leverages prints from CMS database Leverages HSM for securing of keys

Secure Lightweight Activation and Lifecycle Management Sample Architecture GSA MSO Internal Infrastructure Client w/ PIV Card and Secure Token 4T API Enrollment Services Directory Services GP SCP 01 Versatile Authentication Server Certificate Services Scheduling Services TLS LWA Service NIST SP800-56A Full Activation CMS BMS CCM API DisCO CMS CMS DB BMS DB

Reduce the Total Cost of PIV Card Deployment While Maintaining Security Reduce impacts to productivity Cardholders are not required to travel to a full activation station No need to install additional software on each client Reduce help desk calls User can authenticate with biometrics No need for out-of-band security questions or temporary PINs Leverage a single, portable device the Secure Token Provide the ability to manage serviceability Implement a pluggable authentication framework to support alternative biometric types FIPS 140-2 Level 2 secured client environment Secure communication channel for all transactions

Nick Stoner Email: nick.stoner@actividentity.com Phone: 407-927- 6695 Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback