![Page 1: Federal Public Key Infrastructures: John Volmer Computing and Information Systems OSG ESnet Requirements Gathering 9 November 2009 HSPD-12 and DOE Entrust](https://reader036.vdocuments.us/reader036/viewer/2022062712/56649c935503460f9494ed88/html5/thumbnails/1.jpg)
Federal Public Key Infrastructures:
• HSPD-12 and
• DOE Entrust
John Volmer, Computing and Information Systems
OSG ESnet Requirements Gathering, 9 November 2009
![Page 2](https://reader036.vdocuments.us/reader036/viewer/2022062712/56649c935503460f9494ed88/html5/thumbnails/2.jpg)
Argonne Public Key Infrastructure Participation
[Diagram: the PKIs Argonne participates in. Labels recovered from the figure:]
• US Federal PKI (www.cio.gov/fbca): Federal Bridge (FBCA) with Treas, DoS, DHS, DoD, NASA, Ill; HQ CA; Common Policy; DOE Grids; ANL (auto enroll)
• Global GRID CAs (www.igtf.net):
– TAGPMA: Venezuela, Chile, Mexico, Argentina, NCSA, Brasil, FNAL, TACC, Purdue, UoV, SDSC, Dartmouth
– EUGridPMA: CERN, Italy, Greece, Canada, Estonia, Germany, Netherlands, Austria, Armenia, Hungary, Portugal, Turkey, Croatia, Spain, Ireland, UK, Switzerland
– APGridPMA: Australia, China, New Zealand, Philippines, India, Japan, Malaysia, Viet Nam, Thailand, Taiwan, South Korea
• DOE Entrust PKI: G2B, Y-12, SNL, RFP, Pantex, PNNL, ORNL, LLNL, LANL, KCP, HQ PCA
• HSPD12
• Market labels shown: authentication; secure email
• FIPS 199 ratings shown: (L, M, L), (H, H, M), (M, M, M), (L, L, L)
Argonne National Laboratory
![Page 3](https://reader036.vdocuments.us/reader036/viewer/2022062712/56649c935503460f9494ed88/html5/thumbnails/3.jpg)
Argonne Public Key Infrastructure Participation – HSPD-12/PIV
[Diagram: same participation figure, highlighting HSPD-12/PIV. Labels recovered: US Federal PKI (www.cio.gov/fbca); Global GRID CAs (www.igtf.net); HSPD12; Market: authentication; FIPS 199 = (H, H, M)]
Argonne National Laboratory
![Page 4](https://reader036.vdocuments.us/reader036/viewer/2022062712/56649c935503460f9494ed88/html5/thumbnails/4.jpg)
Federal Government HSPD-12 Initiative
• Driven by Homeland Security Presidential Directive 12 (HSPD-12)
– Secure and reliable forms of identification
– Physical and Logical Access
• Vetting Requirements
– Basic background investigation (SF-85)
– fingerprints taken
– photograph
– DOE Order 206.4
• http://www.fedidcard.gov
[Diagram: badge issuance roles, marked "Mutually Exclusive"]
– Sponsor: recommends badge issuance
– Registrar (federal): approves badge issuance
– Badge Issuer: issues badge
![Page 5](https://reader036.vdocuments.us/reader036/viewer/2022062712/56649c935503460f9494ed88/html5/thumbnails/5.jpg)
Federal Government HSPD-12 Initiative
• Card contains three certificates
– Authentication
– Digital Signature
– Encryption (but no directory for certificate lookup!)
• Enables Logical Access to Windows & MacOS (Demonstration?)
• Discussion has begun on
– PIV-Interoperable (PIV-I): trusted certificates
– PIV-Compatible (PIV-C): untrusted certificates
– Enable interoperability with suppliers, contractors, etc.
– Exploit PIV standard: Windows 7 support, etc.
• Ultimately 10M card holders, 600 at Argonne
![Page 6](https://reader036.vdocuments.us/reader036/viewer/2022062712/56649c935503460f9494ed88/html5/thumbnails/6.jpg)
Argonne Public Key Infrastructure Participation – DOE Entrust
[Diagram: same participation figure, highlighting DOE Entrust. Labels recovered: HQ CA; Federal Bridge; US Federal PKI (www.cio.gov/fbca); Global GRID CAs (www.igtf.net); Market: secure email; DOE Entrust PKI sites G2B, Y-12, SNL, RFP, Pantex, PNNL, ORNL, LLNL, LANL, KCP, HQ PCA; FIPS 199 = (M, M, M)]
Argonne National Laboratory
![Page 7](https://reader036.vdocuments.us/reader036/viewer/2022062712/56649c935503460f9494ed88/html5/thumbnails/7.jpg)
DOE Entrust PKI
• 70,000 certificates licensed
– 450 certificates at Argonne
• Used for secure electronic mail: encryption
– DOE Complex
– DOD
– DHS
• Logical Access?
– Version 8 uses Microsoft Certificate Store
• Enterprise Product
– Encryption key escrow
– Automatic certificate renewal
• http://www.cio.energy.gov/cybersecurity/pki.htm
[Diagram: DOE Entrust PKI; labels recovered: HQ PCA, HQ CA, G2B, Y-12, SNL, RFP, Pantex, PNNL, ORNL, LLNL, LANL, KCP]
![Page 8](https://reader036.vdocuments.us/reader036/viewer/2022062712/56649c935503460f9494ed88/html5/thumbnails/8.jpg)
DOE Entrust PKI
• Vetting requirements
– In person, either RA or Trusted Agent (TA)
– Photo id
• Common Policy compliance
– Periodically externally audited
[Embedded document: DOE user acknowledgement agreement, reproduced below]
USER ACKNOWLEDGEMENT AGREEMENT For Public Key Encryption and Digital Signature Services
U. S. Department of Energy (DOE) employees, contractors, and affiliates are responsible for acknowledging this user agreement when requesting, accepting, and/or using a DOE assigned digital certificate. Employees will be bound to the terms of this user agreement upon cessation of need or employment, whichever comes first. As an Entrust user, you must agree to the following prior to using the Entrust software:
Use Restricted to Official DOE Business and Unclassified Data: The Entrust user license, software, and electronic identity that are issued to you are the property of the U. S. Department of Energy and should only be used exclusively for legal, authorized, and legitimate DOE business only. The Entrust license and software MUST NOT BE USED to protect CLASSIFIED data!
Enforcement of either the Triple-DES Encryption or AES-256 Algorithms: Ensure that the encryption algorithms stay set to Triple DES, as specified in the NIST Federal Information Processing Standards (FIPS) 140-2 series, or Advanced Encryption Standard (AES-256), specified in FIPS-197, which DOE is obligated to follow. Settings can be verified by right-clicking the yellow key, selecting Entrust Options, then selecting the Security tab.
Accuracy of Representation:
Make true representation at all times regarding information in your certificate and other identification and authentication information. Not only should you provide accurate representation initially to receive Entrust, but you should also notify your local support center if your personal information changes (name change, organization change, email address change, etc.) throughout the duration of use so the certificate information is updated in the directory.
Protection of Private Keys: Private keys and associated information must be protected. This refers to the profile files that are created during the “Create Profile” process. This includes:
o Using a locking screen saver on machines that have the Entrust software installed;
o Activating the locked screen saver anytime the machine is left unattended; and
o Protecting your Entrust password at all times by not giving it to others and preferably by not writing it down. If you must write it down, then ensure that it is stored in a locked safe or vault with restricted access only.
Additionally, inform your local Registration Authority or Trusted Agent at least one week in advance of a planned hardware swap-out. The encryption software and your personal profile credentials must be properly removed from the old system prior to releasing the system to untrusted hands.
Notification of Forgotten Password or Profile Loss, Disclosure, or Compromise:
Upon any actual or suspected loss, disclosure, or compromise of your private signing or decryption keys, activation codes, or Entrust password, you must immediately notify your local support center. Your support center will then notify your local Registration Authority or Trusted Agent.
Non-Transference of License and Cessation of Operation:
You may not transfer your Entrust user license to anyone else. If you no longer need the Entrust software, notify your local support center. The support center will then notify your local Registration Authority or Trusted Agent to revoke and archive your license.
Export of Entrust Software Prohibited: Please consult with your local Headquarters Security Officer if you have a requirement involving any foreign nationals.
Department of Energy Headquarters Certification Authority Information: Mary Ann Breland DOE PKI Program Manager For Questions or Problems regarding your Entrust account please contact your local computer support center, or 301-903-2500. AS AN ENTRUST USER, YOU AGREE TO USE DOE PKI SERVICES IN ACCORDANCE WITH THE TERMS FOUND IN THIS AGREEMENT. You demonstrate your knowledge and acceptance of the terms of this agreement by signing this user agreement form. This agreement is valid for the certificate and key lifetime or until cessation of need or employment, whichever comes first.
[Signature block: User’s First Name, MI, Last Name, User Signature; User’s Email Address, User’s Org Code, Date]
SECRET KEYWORD: Please answer ALL of the questions listed below. The question will be asked of you if you need to call our office for any reason regarding your Entrust certificate. The most common reasons we are contacted are for forgotten passwords, departmental changes, or name/email changes.
– What was the make and model of your first car?
– What year did you graduate from high school?
– What is/was the name of your pet?
Do not write below this line
IDENTITY PROOFING [form fields: Date; Type of identification presented; Identification Number; Person’s name as it appears on identification; Registration Authority Name; Registration Authority Signature]
![Page 9](https://reader036.vdocuments.us/reader036/viewer/2022062712/56649c935503460f9494ed88/html5/thumbnails/9.jpg)
Registration Agent Desktop
[Screenshots: DOE Entrust; DOE Grids]
![Page 10](https://reader036.vdocuments.us/reader036/viewer/2022062712/56649c935503460f9494ed88/html5/thumbnails/10.jpg)
Which brings us to …
Questions and discussion
![Page 11](https://reader036.vdocuments.us/reader036/viewer/2022062712/56649c935503460f9494ed88/html5/thumbnails/11.jpg)
Other
![Page 12](https://reader036.vdocuments.us/reader036/viewer/2022062712/56649c935503460f9494ed88/html5/thumbnails/12.jpg)
RealID Act 2005
• Standardized drivers licenses
– Desire for smartcard platform
• Standardized birth certificates
![Page 13](https://reader036.vdocuments.us/reader036/viewer/2022062712/56649c935503460f9494ed88/html5/thumbnails/13.jpg)
Growth of ISO 14443 RFID
![Page 14](https://reader036.vdocuments.us/reader036/viewer/2022062712/56649c935503460f9494ed88/html5/thumbnails/14.jpg)
ISO 14443 RFID Sources
[Figure: ATR responses captured from several contactless card types. Labels recovered from the slide:]
• Detection Tool: Answer-To-Reset (ATR) Responses
• Gemalto Smart Card Diagnostic Utility
• Integrated Engineering ISO 14443 Reader
• ISO 14443: smart card protocol over RFID
• Many devices are RFID responsive
• HSPD-12/PIV Badges: Est. 10M holders
• Contactless Payment Cards (14M issued in 2006)
• ePassports (US + 35 nations): US issued 13M in 2006
• Chip and antenna visible through translucent card
• ATR responses shown (which card type each ATR belongs to is not recoverable from the extracted text):
– 3B 08 00 53 4F 43 53 84 90 00
– 3B 05 FF 72 17 E7 E2
– 3B 0B 80 F9 A0 00 00 03 08 00 00 10 00
– 3B 05 FF 29 A4 25 AD
Growth of Personal RFID
Stay tuned . . .
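The slide presents raw ATR hex strings as its detection tool but does not show how to read them. The following Python is an added example, not code from the slides or from any tool named on them: it splits an ATR into its ISO/IEC 7816-3 fields (TS, T0, the TA/TB/TC/TD interface-byte chain, historical bytes and the TCK checksum) and reports whether the historical bytes carry the NIST registered application provider identifier A0 00 00 03 08, which is the prefix of the PIV card application AID. The first four ATR strings are the ones printed on the slide; the fifth ATR, the `ATR` dataclass, `parse_atr` and `describe` are constructed for this example. Note that a PC/SC reader synthesises the ATR it reports for an ISO 14443 card, so the field layout parsed here is the 7816-3 one regardless of the radio interface.

```python
"""Minimal ISO/IEC 7816-3 Answer-To-Reset (ATR) parser (added example).

Splits an ATR into TS, T0, the interface-byte chain (TA/TB/TC/TD),
historical bytes and the TCK checksum, and flags historical bytes that
contain the NIST PIV RID (A0 00 00 03 08). The first four sample ATRs are
the hex strings printed on the slide; the fifth is constructed to exercise
the interface-byte and checksum path.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# NIST RID; prefix of the PIV card application AID (SP 800-73).
PIV_RID = bytes.fromhex("A000000308")


@dataclass
class ATR:
    ts: int
    t0: int
    interface_bytes: List[Tuple[str, int]]   # e.g. [("TD1", 0x80), ("TD2", 0x01)]
    historical: bytes
    protocols: Set[int]                       # transmission protocols offered (0 = T=0)
    tck: Optional[int]                        # None when T=0 is the only protocol
    tck_ok: Optional[bool]


def parse_atr(hexstr: str) -> ATR:
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    if len(raw) < 2:
        raise ValueError("ATR needs at least TS and T0")
    ts, t0 = raw[0], raw[1]
    if ts not in (0x3B, 0x3F):              # direct / inverse convention
        raise ValueError("unexpected TS byte 0x%02X" % ts)
    k = t0 & 0x0F                           # number of historical bytes
    y = t0 >> 4                             # presence bits for TA1..TD1
    idx, i = 2, 1
    ifaces: List[Tuple[str, int]] = []
    protocols: Set[int] = set()
    while True:
        next_y = 0
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if idx >= len(raw):
                    raise ValueError("ATR truncated inside interface bytes")
                value = raw[idx]
                ifaces.append(("%s%d" % (name, i), value))
                if name == "TD":           # TD(i): high nibble = Y(i+1), low nibble = T
                    protocols.add(value & 0x0F)
                    next_y = value >> 4
                idx += 1
        if not (y & 8):                     # no TD(i) means the chain ends here
            break
        y, i = next_y, i + 1
    if not protocols:
        protocols = {0}                     # no TD1 at all means T=0 only
    historical = raw[idx:idx + k]
    if len(historical) != k:
        raise ValueError("ATR truncated inside historical bytes")
    idx += k
    tck = tck_ok = None
    if protocols != {0}:                    # TCK is present unless only T=0 is offered
        if idx >= len(raw):
            raise ValueError("TCK missing")
        tck = raw[idx]
        xor = 0
        for b in raw[1:idx + 1]:            # XOR of T0 .. TCK inclusive must be zero
            xor ^= b
        tck_ok = xor == 0
        idx += 1
    if idx != len(raw):
        raise ValueError("%d trailing byte(s) after ATR" % (len(raw) - idx))
    return ATR(ts, t0, ifaces, historical, protocols, tck, tck_ok)


def describe(atr: ATR) -> str:
    """One-line inventory label: PIV application present or not."""
    if PIV_RID in atr.historical:
        return "PIV card application (NIST RID in historical bytes)"
    return "no PIV RID; historical bytes %s" % atr.historical.hex().upper()


# Four ATR strings as printed on the slide, plus one constructed ATR that
# carries TD1/TD2 and a TCK checksum.
SAMPLE_ATRS = [
    "3B 08 00 53 4F 43 53 84 90 00",
    "3B 05 FF 72 17 E7 E2",
    "3B 0B 80 F9 A0 00 00 03 08 00 00 10 00",
    "3B 05 FF 29 A4 25 AD",
    "3B 80 80 01 01",   # constructed: TD1=0x80 (T=0, TD2 follows), TD2=0x01 (T=1), TCK=0x01
]

if __name__ == "__main__":
    for s in SAMPLE_ATRS:
        a = parse_atr(s)
        print(s, "->", "T=%s" % sorted(a.protocols), describe(a))
```

Run it against the slide's strings and the third ATR is the one whose historical bytes contain the PIV RID; the other three carry no recognisable AID, so an inventory built on ATR alone can only say "contactless card present" for them. The parser rejects truncated chains and reports a bad TCK rather than silently accepting a mangled capture.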
![Page 15](https://reader036.vdocuments.us/reader036/viewer/2022062712/56649c935503460f9494ed88/html5/thumbnails/15.jpg)
http://www.fips201.com/articles/2009/11/02/iab-october-meeting-audio