federal electronic identity initiatives – current status peter alterman, ph.d. chair, federal pki...
Post on 18-Dec-2015
217 views
TRANSCRIPT
Federal Electronic Identity Federal Electronic Identity Initiatives – Current StatusInitiatives – Current Status
Peter Alterman, Ph.D.Peter Alterman, Ph.D.Chair, Federal PKI Policy Authority and Chair, Federal PKI Policy Authority and
Asst. CIO for E-Authentication, NIHAsst. CIO for E-Authentication, NIH
BRIITE 2007 2
Federal InitiativesFederal Initiatives
• eAuthentication– Focus on eCommerce, services, etc.
• HSPD-12– Focus on security
BRIITE 2007 3
SecuritySecurity
BRIITE 2007 4
Homeland Security Presidential Directive 12Homeland Security Presidential Directive 12
• A Presidential Mandate for Federal Agencies to issue medium hardware assurance (or better) identity credentials for access to physical and logical government resources - inside-the-firewall contractors, too– Medium Hardware or High Assurance digital
certificates on PIV-2 cards (next generation Smartcards)
• Fast-tracked for implementation starting 10/2006• Led to new government standards for identity proofing
and vetting (FIPS 201) and for PKI hardware tokens (NIST SP 800- 7x series)
BRIITE 2007 5
Federal View of Electronic IDFederal View of Electronic ID
• A validated, proofed identity using breeder documents and databases (FIPS 201)
• A scheme for adding a name, biometrics (photo, fingerprints), numeric codes (CHUID, etc.) and substantial assurance digital certificates to a next-generation SmartCard
• Attributes are extensions not required by HSPD-12, but optionally consumed by Applications– SAML assertions and/or database entries for attribute
storage– USPerson profile being developed to standardize
attribute representation
BRIITE 2007 6
Current StatusCurrent Status
• All Federal Agencies are implementing the requirements of HSPD-12, which means 12 – 15 million high assurance digital certificates will be deployed and used by 2010.
• There are over 5.5 million high assurance digital certificates currently deployed and used in the Federal government
BRIITE 2007 7
Other Initiatives – Classified StuffOther Initiatives – Classified Stuff
• Defense, Law Enforcement, Intelligence Services
• Don’t want to know….
BRIITE 2007 8
E-Gov ServicesE-Gov Services
BRIITE 2007 9
Current State of Affairs (60 years Current State of Affairs (60 years old now)old now)
• You apply to the application owner for a password• You use the password to access the system• You forget the password• The application owner gives you a new password• You use the new password to access the system• You forget the password• <infinite do loop>• No identity proofing• No way to know who is actually on the system (Your
secretary? Your postdoc? Your dog? Osama?)
BRIITE 2007 10
eAuthentication InitiativeeAuthentication Initiative
• Provide electronic identity authentication services for online government applications
• Manage the Federal Federation – extends services to private sector credential providers and online services
• Set standards for assertion-based authentication tools
• Offers standard risk assessment tool• Standard Architecture and Policy foundations
BRIITE 2007 11
Foundational AssumptionFoundational Assumption
• Government online services shall trust externally-issued electronic identity credentials at known levels of assurance (LOA)
• Online applications shall determine required credential LOA using a standard methodology based on:1. Risk assessment using standard tool,2. OMB M-04-04 determines required authN LOA3. NIST SP 800-63 translates required LOA to
credential technology
BRIITE 2007 12
The Federal FederationThe Federal Federation
• Credential Service Providers
• Covers 4 LOA– Assertion-based identity
credentials for L 1, 2– Crypto-based identity
credentials for L 3, 4• Service Requirements
– Related to uptime, user support, etc.
• Interfederation Arrangements Encouraged
• Agency Applications
• Federal Agency Applications and Services
• Mandated by Administration• Service Requirements
– Related to uptime, user support, etc.
BRIITE 2007 13
Summary of Architecture and Summary of Architecture and Policy/Procedures Policy/Procedures
• Architecture– SAML assertions for LOA
1, 2 (encapsulate userid/passwords)
• Vendor interoperability required for addition to approved vendor list
• SAML 1.0 currently supported; SAML 2.0 specs being developed
– PKI or OTP for LOA 3– PKI for LOA 4
– Scheme translator Scheme translator availableavailable
• Policy/Procedures– Credential assessments for
all CSPs, • CAF for assertion-based
credentials; • cross certification with
Federal PKI for crypto-based credentials
– Federal PKI Policies define requirements for digital certificate trustworthiness
– Business and Legal Rules define service requirements for all LOA
BRIITE 2007 14
E-Authentication LOA and What E-Authentication LOA and What They MeanThey Mean**
• Little or no assurance of identity; assertion-based identity authentication
• Some assurance of identity; assertion-based identity authentication or policy-thin PKI
• Substantial assurance of identity; cryptographically-based identity authentication
• High assurance of identity; cryptographically-based identity authentication
Level 1
Level 2
Level 3
Level 4
* Codified in OMB Memorandum 04-04
BRIITE 2007 15
E-Authentication LOA and What E-Authentication LOA and What They Service**They Service**
• Online applications with little or no risk of harm from fraud, hacking; low risk
• Online applications with risk of some harm from fraud, hacking; some risks
• Online applications where there is risk of significant harm from fraud, hacking; significant risks
• Online applications where there is risk of substantial harm from fraud, hacking; substantial risks
Level 1
Level 2
Level 3
Level 4
** Codified in NIST SP 800-63
BRIITE 2007 16
General Considerations for Determining General Considerations for Determining LOA of an Electronic Identity CredentialLOA of an Electronic Identity Credential
• Identity Proofing – how sure are you that the person is who he or she claims to be?
• Identity Binding – how sure are you that the person proffering the EIC is the person to whom the credential was issued?
• Credential integrity – how well does the technology and its implementation resist hacking, fraud, etc.?
BRIITE 2007 17
Summary of Lower-Level Identity Summary of Lower-Level Identity CredentialsCredentials
• Level 1: UserID/Password, SAML assertion (XML text)
• Level 2: “High entropy” UserID/Password; “policy-lite” PKI, e.g., Fed PKI Citizen and Commerce Class & Federal PKI Rudimentary, TAGPMA Classic Plus (in development)
BRIITE 2007 18
Summary of Cryptographic-Summary of Cryptographic-Based Identity CredentialsBased Identity Credentials
• Level 3: One-time Password; Substantial assurance PKI at FPKI Basic, Medium
• Level 4: High assurance PKI at FPKI Medium Hardware, High
BRIITE 2007 19
A Little ComplicationA Little Complication
• The government has TWO LOA classifications:
1. Federal PKI LOA codified in the Certificate Policies of the Federal PKI Policy Authority
2. E-Authentication LOA codified in OMB M-04-04
BRIITE 2007 20
LOA Mapping E-Auth to Fed PKILOA Mapping E-Auth to Fed PKI
E-Auth Level 1
E-Auth Level 2
E-Auth Level 3
E-Auth Level 4
FPKI Rudimentary;C4
FPKI Medium/HW &Medium/HW-cbp
FPKI Basic
FPKI Medium & Medium-cbp
FPKI High (governments only)
BRIITE 2007 21
Fed PKI: View from 20,000 kmFed PKI: View from 20,000 km
FBCA
C4
eGCA (3)
Common Policy CA (HSPD-12)
CertiPath
SSPs
Industry PKIs
CertiPath SSP(HSPD-12-comparable)
SAFE
Industry PKIs
Serving all otherAgencies
BRIITE 2007 22
Fed PKI: View from 20,000 kmFed PKI: View from 20,000 km
FBCA
C4
eGCA (3)
Common Policy CA (HSPD-12)
CertiPath
SSPs
Industry PKIs
CertiPath “SSP”
DOD DHSNASA CommerceUSPS USPTOHHS DOE IL DOJ State DOD/ECAGPO DOD/Interop TreasuryWells FargoMIT LLUTexasSxCommercial “SSP-like”
Serving all otherAgencies
BoeingRaytheonLockheed Martin
VeriSignCybertrustORCTreasuryGPOExostarEntrust/CygnacomIdenTrusT?
Total: 15 – 20Musers
EAF member CSPsTLS certs
SAFE
Industry PKIsJohnson & JohnsonMerckPfizerProcter & GambleSanofi-AventisTAP Pharmaceuticals
Abbott Labs AstraZenecaBristol-Myers SquibbGenzymeGlaxoSmithKlineINC Research
(HSPD-12-comparable)State of VA first responders
~ 500k users!
BRIITE 2007 23
Interoperability InitiativesInteroperability Initiatives
• CertiPathCertiPath – Federal Bridge cross-certification complete
• SAFESAFE PKI Bridge and services – supporting digitally-signed electronic forms and document management
• inCommoninCommon –assertion-based technology, LOA 1 & 2 – demonstration projects with NSF – interfederation with NIH NOWNOW
BRIITE 2007 24
Technology ImplicationsTechnology Implications
• US Government LOA, • standardized risk assessment, • standards for PIV cards and identity proofing
and vetting
are here and INEVITABLY will migrate everywhere– Pickup already noted in aerospace contractor space,
homeland security
• Feds will have to deal with attributes eventually!
BRIITE 2007 25
Security and Online Services Security and Online Services Implications for Higher EdImplications for Higher Ed
• DHS first responders, DEA PKIs and CMS initiatives to enable online services and payments management will drive medical schools, hospitals and insurance chains to adopt Federal models for electronic identity authentication– Financial services firms under SEC regulation are already falling
in line, both within and outside the eAuthentication federation participation
– DEA issuing digital certs to pharmaceutical supply chain entities and plans to do so to service providers (MDs, PAs, NPs, etc.)
– Treasury transfers > $1B daily via PKI
• Availability of online government apps drive schools to federate to take advantage of services/apps
BRIITE 2007 26
What About Privacy?What About Privacy?
• No single database of identity credentials• No requirement for only one identity credential• The old tradeoff still exists: convenience vs. security• Are there forces out there that want to know who you are
at all times?– Of course; worry about RFID first.
BRIITE 2007 27
NIH E-Authentication Initiative GoalsNIH E-Authentication Initiative Goals
• Researchers use their institutional identity credentials to authenticate to NIH online applications and services
• Build a reliablereliable, securesecure, trustedtrusted IT infrastructure that supports e-authentication
BRIITE 2007 28
NIH E-Authentication Initiative GoalsNIH E-Authentication Initiative Goals
• Researchers use their institutional identity credentials to authenticate to NIH online applications and services
• Build a reliablereliable, securesecure, trustedtrusted IT infrastructure that supports e-authentication
BRIITE 2007 29
Current NIH InitiativesCurrent NIH Initiatives
• Interfederated with InCommon higher education Identity Management Federation at OMB LOA 1: low/no risk applications put online and consume identity credentials issued by universities that are members of InCommon;
• Extend interfederation agreement to OMB LOA 2 applications for universities that issue higher-assurance credentials under the InCommon Federation Silver program – for moderate risk applications (ETA 1/08);
• Direct trust relationship with University of Texas System Public Key Infrastructure
BRIITE 2007 30
NIH Pilot LOA 1 ApplicationsNIH Pilot LOA 1 Applications
• NLM Proxy Redirector (initial application )
• Good Clinical Practice (GCP)
• Community for Advanced Graduate Training (CAGT)
• NIH Login/ADFS/MOSS integration (general collaboration)
• More to follow
BRIITE 2007 31
NIH Pilot LOA 2 ApplicationsNIH Pilot LOA 2 Applications
• Electronic Research Administration (eRA)
• caBIG data (via Grid interoperability?)
• Firebird (FDA, SAFE, NIAID involvement)
• More to follow
BRIITE 2007 32
End State for NIHEnd State for NIH
• All NIH outward-facing, online apps risk assessed and credential LOA requirements determined
• Credential validation infrastructure and/or linkages at production operational level
• All NIH outward-facing, online apps connected to NIH Login front end with validation service enabling infrastructure (e.g., Shibboleth, etc.)
• End State achieved… ???
BRIITE 2007 33
ResourcesResources
• http://csrc.nist.gov/pki
• www.cio.gov/fpkipa
• www.cio.gov/ficc
• www.cio.gov/eauthentication
• www.smartcardalliance.org