Federal Public Key Infrastructures: John Volmer Computing and Information Systems OSG ESnet Requirements Gathering 9 November 2009 HSPD-12 and DOE Entrust

Upload: johnny-newill

Post on 14-Dec-2015


Page 1

Federal Public Key Infrastructures:

John Volmer, Computing and Information Systems

OSG ESnet Requirements Gathering, 9 November 2009

• HSPD-12 and
• DOE Entrust

Page 2

Argonne Public Key Infrastructure Participation

[Figure: diagram of the PKIs Argonne National Laboratory participates in, each labelled with its market and a FIPS 199 (confidentiality, integrity, availability) impact rating:

• US Federal PKI (www.cio.gov/fbca): Federal Bridge (FBCA) with Treasury, DoS, DHS, DoD, NASA and HQ CA; HSPD-12, market: authentication, FIPS 199 = (H, H, M).
• DOE Entrust PKI (Common Policy), market: secure email, FIPS 199 = (M, M, M); sites G2B, Y-12, SNL, RF, Pantex, PNNL, ORNL, LLNL, LANL, KCP, HQ PCA.
• DOE Grids (HQ CA; ANL auto enroll).
• Global Grid CAs (www.igtf.net), market: authentication: TAGPMA (Venezuela, Chile, Mexico, Argentina, Brasil, NCSA, FNAL, TACC, Purdue, UoV, SDSC, Dartmouth); EUGridPMA (CERN, Italy, Greece, Canada, Estonia, Germany, Netherlands, Austria, Armenia, Hungary, Portugal, Turkey, Croatia, Spain, Ireland, UK, Switzerland); APGridPMA (Australia, China, New Zealand, Philippines, India, Japan, Malaysia, Viet Nam, Thailand, Taiwan, South Korea).

The remaining ratings in the figure, FIPS 199 = (L, M, L) and FIPS 199 = (L, L, L), belong to the DOE Grids and Global Grid CA groupings, and one of these groupings is labelled with both markets (authentication and secure email); the extracted layout does not show which is which.]

Page 3

Argonne Public Key Infrastructure Participation – HSPD-12/PIV

[Figure: the same participation diagram with the HSPD-12/PIV portion of the US Federal PKI (www.cio.gov/fbca) highlighted. Market: authentication; FIPS 199 = (H, H, M). Argonne National Laboratory.]

Page 4

Federal Government HSPD-12 Initiative

• Driven by Homeland Security Presidential Directive 12 (HSPD-12)
  – Secure and reliable forms of identification
  – Physical and Logical Access
• Vetting Requirements
  – Basic background investigation (SF-85)
  – Fingerprints taken
  – Photograph
  – DOE Order 206.4
• http://www.fedidcard.gov

[Figure: the three badge-issuance roles, marked as mutually exclusive: Sponsor (recommends badge issuance), Registrar (federal; approves badge issuance), Badge Issuer (issues badge).]

Page 5

Federal Government HSPD-12 Initiative

• Card contains three certificates
  – Authentication
  – Digital Signature
  – Encryption (but no directory for certificate lookup!)
• Enables Logical Access to Windows & MacOS (Demonstration?)
• Discussion has begun on
  – PIV-Interoperable (PIV-I): trusted certificates
  – PIV-Compatible (PIV-C): untrusted certificates
  – Enable interoperability with suppliers, contractors, etc.
  – Exploit PIV standard: Windows 7 support, etc.
• Ultimately 10M card holders, 600 at Argonne

Page 6

Argonne Public Key Infrastructure Participation – DOE Entrust

[Figure: the same participation diagram with the DOE Entrust PKI highlighted: HQ CA linked to the Federal Bridge (US Federal PKI, www.cio.gov/fbca); sites G2B, Y-12, SNL, RF, Pantex, PNNL, ORNL, LLNL, LANL, KCP, HQ PCA. Market: secure email; FIPS 199 = (M, M, M). Global Grid CAs (www.igtf.net) shown alongside. Argonne National Laboratory.]

Page 7

DOE Entrust PKI

• 70,000 certificates licensed
  – 450 certificates at Argonne
• Used for secure electronic mail: encryption
  – DOE Complex
  – DOD
  – DHS
• Logical Access?
  – Version 8 uses Microsoft Certificate Store
• Enterprise Product
  – Encryption key escrow
  – Automatic certificate renewal
• http://www.cio.energy.gov/cybersecurity/pki.htm

[Figure: DOE Entrust PKI hierarchy: HQ CA with site CAs G2B, Y-12, SNL, RF, Pantex, PNNL, ORNL, LLNL, LANL, KCP, HQ PCA.]

Page 8

DOE Entrust PKI

• Vetting requirements
  – In person, either RA or Trusted Agent (TA)
  – Photo ID
• Common Policy compliance
  – Periodically externally audited

USER ACKNOWLEDGEMENT AGREEMENT For Public Key Encryption and Digital Signature Services

U. S. Department of Energy (DOE) employees, contractors, and affiliates are responsible for acknowledging this user agreement when requesting, accepting, and/or using a DOE assigned digital certificate. Employees will be bound to the terms of this user agreement upon cessation of need or employment, whichever comes first. As an Entrust user, you must agree to the following prior to using the Entrust software:

Use Restricted to Official DOE Business and Unclassified Data: The Entrust user license, software, and electronic identity that are issued to you are the property of the U. S. Department of Energy and should only be used exclusively for legal, authorized, and legitimate DOE business only. The Entrust license and software MUST NOT BE USED to protect CLASSIFIED data!

Enforcement of either the Triple-DES Encryption or AES-256 Algorithms: Ensure that the encryption algorithms stay set to Triple DES, as specified in the NIST Federal Information Processing Standards (FIPS) 140-2 series, or Advanced Encryption Standard (AES-256), specified in FIPS-197, which DOE is obligated to follow. Settings can be verified by right-clicking the yellow key, selecting Entrust Options, then selecting the Security tab.

Accuracy of Representation:

Make true representation at all times regarding information in your certificate and other identification and authentication information. Not only should you provide accurate representation initially to receive Entrust, but you should also notify your local support center if your personal information changes (name change, organization change, email address change, etc.) throughout the duration of use so the certificate information is updated in the directory.

Protection of Private Keys: Private keys and associated information must be protected. This refers to the profile files that are created during the “Create Profile” process. This includes:

o Using a locking screen saver on machines that have the Entrust software installed;
o Activating the locked screen saver anytime the machine is left unattended; and
o Protecting your Entrust password at all times by not giving it to others and preferably by not writing it down. If you must write it down, then ensure that it is stored in a locked safe or vault with restricted access only.

Additionally, inform your local Registration Authority or Trusted Agent at least one week in advance of a planned hardware swap-out. The encryption software and your personal profile credentials must be properly removed from the old system prior to releasing the system to untrusted hands.

Notification of Forgotten Password or Profile Loss, Disclosure, or Compromise:

Upon any actual or suspected loss, disclosure, or compromise of your private signing or decryption keys, activation codes, or Entrust password, you must immediately notify your local support center. Your support center will then notify your local Registration Authority or Trusted Agent.

Non-Transference of License and Cessation of Operation:

You may not transfer your Entrust user license to anyone else. If you no longer need the Entrust software, notify your local support center. The support center will then notify your local Registration Authority or Trusted Agent to revoke and archive your license.

Export of Entrust Software Prohibited: Please consult with your local Headquarters Security Officer if you have a requirement involving any foreign nationals.

Department of Energy Headquarters Certification Authority Information: Mary Ann Breland DOE PKI Program Manager For Questions or Problems regarding your Entrust account please contact your local computer support center, or 301-903-2500. AS AN ENTRUST USER, YOU AGREE TO USE DOE PKI SERVICES IN ACCORDANCE WITH THE TERMS FOUND IN THIS AGREEMENT. You demonstrate your knowledge and acceptance of the terms of this agreement by signing this user agreement form. This agreement is valid for the certificate and key lifetime or until cessation of need or employment, whichever comes first.

[Signature block: User’s First Name, MI, Last Name, User Signature; User’s Email Address, User’s Org Code, Date.]

SECRET KEYWORD: Please answer ALL of the questions listed below. The question will be asked of you if you need to call our office for any reason regarding your Entrust certificate. The most common reasons we are contacted are for forgotten passwords, departmental changes, or name/email changes.

What was the make and model of your first car?
What year did you graduate from high school?
What is/was the name of your pet?

Do not write below this line

IDENTITY PROOFING: Date; Type of identification presented; Identification Number; Person’s name as it appears on identification; Registration Authority Name; Registration Authority Signature.

Page 9

Registration Agent Desktop DOE Entrust

DOE Grids

Page 10

Which brings us to …

Questions and discussion

Page 11

Other

Page 12

RealID Act 2005

• Standardized drivers licenses
  – Desire for smartcard platform
• Standardized birth certificates

Page 13

Growth of ISO 14443 RFID

Page 14

ISO 14443 RFID Sources

[Figure: ISO 14443 (smart card protocol over RFID) sources with Answer-To-Reset (ATR) responses captured by the detection tool (Gemalto Smart Card Diagnostic Utility, Integrated Engineering ISO 14443 reader): HSPD-12/PIV badges (est. 10M holders); contactless payment cards (14M issued in 2006; chip and antenna visible through translucent card); ePassports (US + 35 nations; US issued 13M in 2006). Many devices are RFID responsive. ATR responses shown in the figure (the extracted layout does not show which card produced which):

3B 08 00 53 4F 43 53 84 90 00
3B 05 FF 72 17 E7 E2
3B 0B 80 F9 A0 00 00 03 08 00 00 10 00
3B 05 FF 29 A4 25 AD
]

Growth of Personal RFID

Stay tuned . . .
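The ATR strings on this slide follow the ISO/IEC 7816-3 layout (TS, T0, optional interface bytes, historical bytes, and a TCK check byte when a protocol other than T=0 is announced). Added example, not the presenter's detection tool: a parser that decodes such responses and rejects truncated or mis-checked ones; the PC/SC-style contactless ATR used to exercise the TCK path is a constructed sample.

```python
"""ISO/IEC 7816-3 Answer-To-Reset (ATR) parser (added example, not from the slides)."""
from dataclasses import dataclass, field
from functools import reduce
from typing import Dict, Optional, Set

@dataclass
class Atr:
    ts: int                                   # 0x3B direct or 0x3F inverse convention
    protocols: Set[int] = field(default_factory=set)
    interface: Dict[str, int] = field(default_factory=dict)  # e.g. {"TD1": 0x80}
    historical: bytes = b""
    tck: Optional[int] = None                 # present only when T=0 is not the sole protocol

def parse_atr(hex_str: str) -> Atr:
    """Decode an ATR hex string; raise ValueError on any structural defect."""
    data = bytes.fromhex(hex_str.replace(" ", ""))
    if len(data) < 2 or data[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 3B or 3F")
    atr = Atr(ts=data[0])
    y, k, i, pos = data[1] >> 4, data[1] & 0x0F, 1, 2   # Y1 presence bits, K = historical count
    while y:                                  # walk the TA/TB/TC/TD groups
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(data):
                    raise ValueError("ATR truncated inside interface bytes")
                atr.interface[f"{name}{i}"] = data[pos]
                pos += 1
        if not y & 8:
            break
        td = atr.interface[f"TD{i}"]          # TDi announces the next group and a protocol
        atr.protocols.add(td & 0x0F)
        y, i = td >> 4, i + 1
    atr.protocols = atr.protocols or {0}      # no TD1 at all: T=0 by default
    if pos + k > len(data):
        raise ValueError("ATR truncated inside historical bytes")
    atr.historical, pos = data[pos:pos + k], pos + k
    if atr.protocols != {0}:                  # TCK is mandatory here and forbidden otherwise
        if pos >= len(data):
            raise ValueError("TCK missing")
        if reduce(lambda a, b: a ^ b, data[1:pos + 1]):   # T0 through TCK must XOR to zero
            raise ValueError("TCK check failed")
        atr.tck, pos = data[pos], pos + 1
    if pos != len(data):
        raise ValueError("trailing bytes after the ATR")
    return atr
```

For the slide's first ATR the historical bytes decode to `00 "SOCS" 84 90 00` with no interface bytes and no TCK, which is why a reader that only logs raw hex cannot tell a truncated capture from a complete one.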

Page 15

http://www.fips201.com/articles/2009/11/02/iab-october-meeting-audio