EDUCAUSE 2001, Indianapolis IN
Securing e-Government: Implementing the Federal PKI
David Temoshok
Federal PKI Policy Manager
GSA Office of Governmentwide Policy
October 31, 2001
e-Gov and PKI Drivers
• Government Paperwork Elimination and ESIGN Acts
• Public expectations
• Long-term cost savings
• The need for privacy and security
• Government is held to a higher standard
• Trading partner practices
Business Driver: Savings by Process Type

Process type                 Traditional system   Internet         Percent savings
Bill Payment                 $2.22 - $3.32        $0.65 - $1.10    71% - 67%
Insurance Policy             $400 - $700          $200 - $350      50%
Software Distribution        $15                  $0.20 - $0.50    97% - 67%
Procurement                  --                   --               70%
Motor Vehicle Registration   $7                   <$2              71%
Order-Filling (DOD)          $24                  $12              50%
Electronic Signatures in Global and National Commerce Act (E-SIGN)
• Signed by President Clinton on 6/30/00.
• E-SIGN addresses:
  • Commercial, consumer, and business transactions affecting interstate or foreign commerce;
  • Legality of electronic signatures and records;
  • Preemption of inconsistent statutes/rules.
• E-SIGN does not address:
  • Security, authentication, or records requirements;
  • Interoperability;
  • Electronic signatures based on different technologies;
  • Rules for relying on or accepting different kinds of signatures.
• Federal agency activities and requirements are generally not within the scope of this legislation; they are instead addressed by the Government Paperwork Elimination Act (GPEA).
GPEA Requirements
• The Government Paperwork Elimination Act (GPEA) of 1998 addresses:
  • A requirement for federal agencies to offer the public the option of electronic filings/transactions/record-keeping for agency business by October 2003;
  • Legality of electronic signatures and records;
  • Technology neutrality -- electronic signature alternatives.
• OMB required all agencies to report on GPEA implementation/compliance by 10/00, including:
  • Information collections under the Paperwork Reduction Act;
  • Use of electronic signatures;
  • Risk assessment.
What is an Electronic Signature under E-SIGN?
"...means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."
Examples that fall under this definition:
• Digitized image of a handwritten signature
• Knowledge-based authentication
• Biometric profile
• PIN or password
• Digital signature or other encrypted authentication system
• Click-through on a software program's dialog box
• Typed names
Security Needs Met by PKI
• Authentication: Is the originator who they say they are?
  • Achieved by binding the sender's identity credentials to the message (digital signature, checked against the public key in the sender's certificate)
• Data Integrity: Has the message/transaction been accidentally or maliciously altered?
  • Achieved by hashing the data and signing the hash; the verifier recomputes the hash of what it received and checks it against the signature (digital signature)
• Confidentiality: Can the message be read only by authorized entities?
  • Encryption protects information from unauthorized disclosure
• Non-repudiation: Can the sender or receiver dispute that the message was actually sent or received?
  • Enabled through the digital signature process, since only the holder of the private key could have produced the signature
Public Key or Digital Certificates - The Electronic ID
• A trusted third party, the Certificate Authority (CA), issues the digital certificate, containing: name, issuer's name, certificate holder's public key, other attributes.
• The Issuer (CA) must verify the applicant's identity and bind it to the Electronic ID.
• The Issuer (CA) digitally signs the certificate so that no one can change its contents undetected and the certificate can be verified as authentic.

Sample certificate (as drawn on the slide):
  Name: Joe College
  Serial #: 123456          (unique identifier for the certificate)
  Issuer: CA #78901         (unique identifier for the certificate issuer)
  Expiration: 12/1/02       (certificate expiration date / validity period)
  Public Key: 3S@*6Y76      (certificate holder's public key)
  CA's Digital Signature    (ensures the certificate's validity)
Digitized vs. Digital Signature
• A Digitized Signature is a scanned image of a handwritten signature. It can be copied and pasted onto any document, so it proves nothing about who approved the document or whether the document has changed since.
• A Digital Signature is a numeric value created by a cryptographic transformation of (a hash of) the message using the signer's private key. It is specific to both the signer and the exact content signed.
[Figure: a scanned handwritten signature beside a block of digital-signature bytes]
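The two bullets above describe what a digital signature is; the Go program below, added here as an example and not taken from the slides, shows the sign/verify round trip they imply. The record is hashed with SHA-256, the digest is signed with an ECDSA P-256 private key, and the relying party verifies it with the matching public key. The names Alice and Mallory and the sample record are made up for the example, and the key pairs are generated on the fly rather than issued by a CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds a subscriber's key pair. Only the public half is ever handed out
// (in practice inside a certificate); the private key stays with the signer.
type Signer struct {
	priv *ecdsa.PrivateKey
}

// NewSigner generates a fresh P-256 key pair.
func NewSigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Public returns the verification key a relying party needs.
func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Sign hashes the record with SHA-256 and signs the digest with the private key.
// The result depends on both the key and every byte of the record, which is what
// distinguishes it from a scanned image that can be pasted onto any document.
func (s *Signer) Sign(record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Verify recomputes the digest of the record as received and checks the signature
// against the claimed signer's public key. It returns false if the record was
// altered (integrity), if the signature was made with a different key
// (authentication), or if the signature bytes themselves were damaged.
func Verify(pub *ecdsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	alice, _ := NewSigner()
	mallory, _ := NewSigner()
	// Constructed sample record; the account number is made up.
	record := []byte("Refund request, tax year 2001, deposit to account 123456")
	sig, _ := alice.Sign(record)
	altered := []byte("Refund request, tax year 2001, deposit to account 999999")
	fmt.Println("original record, Alice's key:  ", Verify(alice.Public(), record, sig))
	fmt.Println("altered record, Alice's key:   ", Verify(alice.Public(), altered, sig))
	fmt.Println("original record, Mallory's key:", Verify(mallory.Public(), record, sig))
}
```

The first line prints true and the other two print false: the same signature bytes cannot be reused on a changed record, and they do not verify under anyone else's key. What the program does not show is how the relying party learns that a given public key belongs to Alice; that binding is the certificate described on the previous slide.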
Why build a Federal PKI?
• Statutory mandates for e-government and implementing electronic signature technology
• Business demands for improved services at lower cost
• Leverage infrastructure costs
• Critical security need
Why not a Federal PKI?
• Privacy concerns
• Agency internal politics
• Vendor battles for market space
• Cost
Federal PKI Approach
• Determine the need for PKI through risk assessment.
• Use PKI when electronic signature and document/data integrity must be assured (non-repudiation).
• Provide a Federal PKI and a PKI services contract for government-wide use -- ACES (Access Certificates for Electronic Services).
• Build Federal PKI interoperability:
  • Establish the Federal PKI Policy Authority (for policy interoperability).
  • Implement the Federal Bridge CA (FBCA) using COTS products (for technical interoperability).
• Organize federal agency PKI use around common citizen and industry groups.
The Core Federal PKI
[Figure: the Federal Bridge CA at the center, connected to the four PKIs listed below]
• Federal Bridge CA -- the hub linking the agency PKIs
• DOD PKI -- available to all military personnel and dependents
• NFC PKI (USDA National Finance Center) -- available to all Federal agencies
• DOD IECA (Interim External Certificate Authority) -- available to all government vendors and contractors
• GSA ACES -- available to all U.S. citizens, businesses, and government agencies
PKI Interoperability
[Figure: three PKI domains linked by certificate policies and certification practice statements, validation protocols, and bilateral agreements]
• Policy PKI interoperability involves determining which "trusted" PKI domains meet the level of assurance needed.
• Technical PKI interoperability involves validating certificates from a different PKI domain to determine the validity of the certificates and of their certification paths.
• A small number of PKI domains makes interoperability easier to achieve -- however, it is still complex.
The Challenge to PKI Interoperability
PKI interoperability becomes much more complex as the number of PKI domains increases: without a common hub, every pair of domains needs its own policy mapping, cross-certification, and bilateral agreement, so the number of relationships to negotiate and maintain grows with the square of the number of domains.
The Solution: The Federal Bridge CA
[Figure: the FPKI Policy Authority governing the FBCA Operational Authority]
The Federal Bridge CA simplifies PKI interoperability:
• A common and easy way to determine "trusted" PKI domains and assurance levels (policy mapping);
• A common and relatively easy way to validate certificates from other domains through cross-certification, since each agency CA is one cross-certificate away from the Bridge rather than one away from every other agency CA;
• A standard bilateral agreement between the Bridge and each Agency CA.
PKI Policy Mapping -- Equivalence Example

FBCA requirements   NFC PKI          DOD PKI   DOD IECA PKI     ACES PKI
FBCA High           NFC PKI High     DoD 4
FBCA Medium         NFC PKI Medium   DoD 3     DoD IECA (Med)   GSA ACES (Med)
FBCA Basic          NFC PKI Basic    DoD 2
FBCA Rudimentary    NFC PKI Test
ACES Program Vision
• A common PKI solution encourages agencies to work together
• Allows equitable cost sharing among agencies
• Efficient, effective, and economical due to aggregation of Federal needs
• One digital identity credential can be used by multiple agency processes
• "Anonymous" certificate numbering for identification
• The public pays nothing for the digital ID
ACES Registration Processes
• ACES contractor registration for individuals
• Agency registration
• Business representative registration
ACES Remote (On-line) Certificate Application Process
• The applicant (a member of the public) applies for a certificate over a secure web connection.
• The ACES vendor validates the applicant's identity against multiple independent databases (Federal, State, and commercial).
• The ACES vendor registers the applicant for a certificate and mails a one-time PIN.
• The applicant activates the certificate with the PIN over a secure web connection.
• The ACES vendor sends the registered certificate.
Accessing Web-Based Applications and Services
• The citizen presents an ACES Electronic ID to the Federal agency's authorized web-based application over a secure web connection.
• The agency's authorized system, using ACES authentication, validates the Electronic ID against the ACES contracted Certificate Authority through a standard on-line protocol (OCSP).
• The agency returns personalized services, benefits, or information.
ACES Certificate Arbitrator Module (CAM) Architecture
[Figure: agency applications call the CAM through the App API; the CAM, within its scope, talks to each ACES CA over the CA interface; subscribers present certificates issued by those CAs]
Scope of the CAM:
• Agency application (AA) interface and CA interface
• Crypto library (RSA, DSA, ECDSA)
• CA certificate list, invalid certificate list, transaction log
• Signature device holding the CAM private key (used to sign status requests)
Steps the CAM performs for each presented certificate:
- Parse cert
- Verify issuer as an ACES CA
- Verify issuer's signature
- Verify operational period
- Check cached invalid cert IDs
- Get route to issuer
- Send signed status request and cert data to issuer
- Receive signed status response
- Verify status response signature
- Pass status and cert data to app
- Log audit data
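The bridge model (the "Solution: The Federal Bridge CA" slide) and the CAM step list above fit together as one path-validation routine. The Go program below is an added example, not ACES or CAM code. It uses Go's standard crypto/x509 package to build a made-up topology (the relying agency's own CA as trust anchor, a "Federal Bridge CA" cross-certified by it, an "Agency B CA" cross-certified by the bridge, and an "Outsider CA" that never joined the bridge) and then runs the CAM checks on subscriber certificates: parse, chain to a listed CA through the cross-certificates, verify every signature and the operational period, consult the cached invalid-certificate list, and otherwise consult the issuer. Because the example runs offline, the issuer's signed status request/response exchange is stood in for by an in-memory map (revokedAtIssuer); all CA names and serial numbers are invented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is a certificate holder (CA or subscriber) together with its private key.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert issues a certificate for a fresh P-256 key. parent == nil makes it self-signed (a trust
// anchor); otherwise parent signs it, which covers subscriber issuance and cross-certification.
func newCert(serial int64, cn string, isCA bool, notAfter time.Time, parent *entity) *entity {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-24 * time.Hour), NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true,
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &entity{cert: cert, key: key}
}

// cam is the relying party's Certificate Arbitrator Module state: the CA certificate list (own
// trust anchor plus the cross-certificates leading through the bridge), the cached invalid
// certificate IDs, the issuer's revocation records (standing in for OCSP) and the transaction log.
type cam struct {
	roots, inters   *x509.CertPool
	invalid         map[string]bool // keyed "issuer CN/serial"
	revokedAtIssuer map[string]bool // hypothetical stand-in for the signed status exchange
	log             []string
}

// Validate runs the CAM steps in slide order and returns the status handed to the application.
func (c *cam) Validate(der []byte, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(der) // parse cert
	if err != nil {
		return "", err
	}
	id := cert.Issuer.CommonName + "/" + cert.SerialNumber.String()
	// Issuer must chain to a listed CA, every signature on the path (cross-certificates
	// included) must verify, and the operational period must cover now; Verify does all three.
	if _, err = cert.Verify(x509.VerifyOptions{Roots: c.roots, Intermediates: c.inters,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		c.log = append(c.log, id+": path validation failed: "+err.Error())
		return "", err
	}
	status := "good"
	if c.invalid[id] { // cached invalid cert IDs: no round trip to the issuer
		status = "revoked"
	} else if c.revokedAtIssuer[id] { // the status request to the issuer came back negative
		status, c.invalid[id] = "revoked", true // cache the negative answer
	}
	c.log = append(c.log, id+": "+status)
	return status, nil
}

// buildBridgedPKI constructs the example topology: the relying agency's own CA (trust anchor), the
// Federal Bridge CA cross-certified by it, a second domain's CA cross-certified by the bridge, and
// a CA that never joined the bridge. Names and serial numbers are made up.
func buildBridgedPKI() (c *cam, bridged, outsider *entity) {
	year := time.Now().Add(365 * 24 * time.Hour)
	agencyA := newCert(1, "Agency A CA", true, year, nil)
	bridge := newCert(2, "Federal Bridge CA", true, year, agencyA)
	bridged = newCert(3, "Agency B CA", true, year, bridge)
	outsider = newCert(4, "Outsider CA", true, year, nil)
	c = &cam{roots: x509.NewCertPool(), inters: x509.NewCertPool(),
		invalid:         map[string]bool{"Agency B CA/1003": true},
		revokedAtIssuer: map[string]bool{"Agency B CA/1002": true}}
	c.roots.AddCert(agencyA.cert)
	c.inters.AddCert(bridge.cert)
	c.inters.AddCert(bridged.cert)
	return c, bridged, outsider
}

func main() {
	c, agencyB, outsider := buildBridgedPKI()
	now := time.Now()
	for _, s := range []*entity{
		newCert(1001, "Joe College", false, now.Add(time.Hour), agencyB), // path runs through the bridge
		newCert(1002, "Revoked at issuer", false, now.Add(time.Hour), agencyB),
		newCert(1004, "Expired", false, now.Add(-time.Minute), agencyB),
		newCert(1005, "Not cross-certified", false, now.Add(time.Hour), outsider),
	} {
		status, err := c.Validate(s.cert.Raw, now)
		fmt.Printf("%-20s status=%q err=%v\n", s.cert.Subject.CommonName, status, err)
	}
}
```

The point to notice is that the relying party trusts only its own CA. The Agency B subscriber validates solely because the two cross-certificates (Agency A CA signs the Bridge, the Bridge signs Agency B CA) sit in the intermediates list; the Outsider CA's subscriber fails with an unknown-authority error even though its certificate is well-formed and unexpired, and the expired certificate fails before any status check is attempted. A production CAM would additionally verify the signature on the issuer's status response and apply the policy mapping from the equivalence table rather than accepting any assurance level.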
Who Can Be a Member of the ACES PKI?
• Certificate Authorities
  • ACES contractors
• Relying Parties
  • Any Federal agency
  • Non-federal entities, if authorized by a Federal agency for legitimate program purposes
• Subscribers
  • Any individual in the U.S.
  • Any individual acting as a representative of a business, organization, or governmental entity
PKI and Smart Cards
• Securely store, protect, and transport cryptographic keys (public/private key pairs) and digital certificates.
• Capacity to hold multiple keys/certificates.
• Provide a secure computational and processing facility without exposing sensitive information to risk: the private key is used on the card and never leaves it.
• Provide security for generation of digital signatures, use of the private key for personal authentication, and portable permissions/logical access control.
• Convenience for the end user.
• PKI can be one set of functions on a multi-application smart card.
Should result in trust and confidence in e-Gov applications.
For More Information
David Temoshok
E-mail: david.temoshok@gsa.gov
Phone: 202-208-7655
Websites:
http://cio.gov/fpkisc
http://gsa.gov/ACES
http://ec.fed.gov