ISSA FiXs Briefing (slide transcript)
[Slide 1]
Federated Access Identity & Privacy Protection
Presented at:
Information Systems Security Association-Northern Virginia (ISSA-NOVA) Chapter Meeting
Presented by:
Daniel E. Turissini
Board Member, Federation for Identity and Cross-Credentialing Systems (FiXs)
http://www.FiXs.org
January 20, 2011
[Slide 2]
The Federation for Identity & Cross-Credentialing Systems (FiXs)
• A 501(c)6 not-for-profit trade association formed in 2004 in collaboration with the DoD to provide secure and inter-operable use of identity credentials between and among government entities & industry
• A coalition of diverse companies/organizations supporting development & implementation of inter-operable identity cross-credentialing standards and systems
• Members include: government contractors, technology companies, major financial firms, not-for-profit organizations, DoD, GSA, state governments, etc.
[Slide 3]
Federated Identity Solution
• Federated identity provides a strong, biometrically enabled electronic identity credential that can be readily validated electronically by any Federal logical/physical access point, allowing the decision maker or database to make a local, specific privilege and/or authorized ACCESS decision confident in:
  – the identity of the person attempting access;
  – the identity of the device attempting access;
  – the identity of the vetted organization that they represent;
  – that the organization and the individual have a legal relationship to do business with the federal government; and
  – that the individual has been vetted in person and has undergone a background investigation consistent with defined levels.
The credential assures you are who you say you are; Commanders confirm what the holder is permitted to access!
[Slide 4]
The Foundation
• FiXs entered into a formal Memorandum of Understanding (MOU) with the DoD that established the terms & conditions under which FiXs & DoD will use their respective systems as part of an identity suite of systems, in January 2006, updated February 2009:
  – https://www.dmdc.osd.mil/dmdcomn/owa/DMDC.FEDPIIPS
• The terms and conditions include:
  – Operational framework for inter-operability between DoD & FiXs
  – Specific operational responsibilities
  – Governance structure
• Authority To Operate granted by DMDC
• Strong Certification & Accreditation processes
Documentation available online at: http://www.fixs.org/library
[Slide 5]
Federated Access
[Diagram: three parties around the access decision: DoD Application Relying Parties (Access Rules); Trusted Third Parties [External Certificate Authorities (ECA) / PIV-I]; Subscribers (Credential Holders). Labels: Strong Access Control, Strong Identity, Local Access Decisions.]
Strong credentials with biometrics consistent with federal standards are essential to successful access control.
[Slide 6]
TESTED, SPOT – FiXs Inter-operability Pilot
• Successful assessment of the feasibility of using commercially-issued credentials that adhere to FiXs-certified standards in "feeding" the SPOT database
• Issued FiXs-certified credentials to 3,000 contractor personnel
• Credentials authenticated across a secure network against federated data stores
• Included "cleared" personnel, non-cleared personnel, first responders, and other entities that interact with Army Materiel Command
• Monitored utilization, increases in productivity, & security profile
• Provided a strategic assessment for future activities
[Slide 7]
FiXs – Chain of Trust
[Slide 8]
FiXs - Certified Credentials
[Side-by-side card images: CAC and FiXs credential. Callouts: 2D barcode, 1D barcode & mag-stripe on back; 2 RFID antenna; clear contractor markings.]
RFID, barcodes, PIV applet and certificate provide Issuer ID, Sponsor ID, Employee ID, & other data processed via network.
[Slide 9]
Robust Validation Infrastructure
[Diagram: application servers and client workstations (inside and/or outside the LAN) on a Local Area Network; clients reach the FiXs Validation Service (Site 1 ... Site N) over https, directly or through a client/WS OCSP repeater; alternative validation paths (OCSP); the validation service draws on 20+ FiXs-compliant PKI directories and 50+ FiXs-compliant CRLs over a CRL update path (ldap/ldaps, http/https).]
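The alternative validation paths of slide 9 and the split on slide 3 between "the credential assures who you are" and the commander's local access decision, worked as an added example (not code from the briefing or from FiXs). It assumes a relying party that tries OCSP first, falls back to a cached CRL only while that CRL is fresh, fails closed when neither answers, and applies the local privilege rule only to a credential that validated; issuer names, serials, sponsor names and rules are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2011, 1, 20, 9, 0, tzinfo=timezone.utc)  # constructed clock for the example

@dataclass
class Credential:
    issuer: str     # issuing CA (issuer ID carried on the card)
    serial: str
    sponsor: str    # sponsoring company (sponsor ID)
    employee: str   # employee ID
    not_after: datetime

# Constructed federation trust list: only credentials from these issuers are accepted.
TRUSTED_ISSUERS = {"ExampleECA-1", "ExampleECA-2"}
# Constructed revocation data: OCSP answers (primary path) and cached CRLs with publication time (fallback).
OCSP_RESPONSES = {("ExampleECA-1", "1001"): "good", ("ExampleECA-1", "1002"): "revoked"}
CRL_CACHE = {"ExampleECA-1": (NOW - timedelta(hours=6), {"1002"}),
             "ExampleECA-2": (NOW - timedelta(days=3), {"2001"})}
CRL_MAX_AGE = timedelta(hours=24)  # a CRL older than this is not trusted as a fallback

def revocation_status(cred, ocsp_up=True):
    """OCSP first; cached CRL only while fresh. 'unknown' must fail closed."""
    if ocsp_up and (cred.issuer, cred.serial) in OCSP_RESPONSES:
        return OCSP_RESPONSES[(cred.issuer, cred.serial)]
    entry = CRL_CACHE.get(cred.issuer)
    if entry is None or NOW - entry[0] > CRL_MAX_AGE:
        return "unknown"  # no fresh revocation data: no basis for 'good'
    return "revoked" if cred.serial in entry[1] else "good"

def validate_identity(cred, ocsp_up=True):
    """Is this a valid federated credential? (trust list, expiry, revocation)"""
    if cred.issuer not in TRUSTED_ISSUERS:
        return False, "issuer not in federation trust list"
    if cred.not_after <= NOW:
        return False, "credential expired"
    status = revocation_status(cred, ocsp_up)
    return (status == "good"), f"revocation status {status}"

# Constructed local rule: which sponsors a site's commander admits to each resource.
LOCAL_RULES = {"video-server": {"CompanyA", "CompanyB"}, "cmd-portal": {"CompanyA"}}

def access_decision(cred, resource, ocsp_up=True):
    """Identity validation first; the local rule never overrides a failed validation."""
    ok, reason = validate_identity(cred, ocsp_up)
    if not ok:
        return False, reason
    if cred.sponsor not in LOCAL_RULES.get(resource, set()):
        return False, "valid credential, but no local privilege for this resource"
    return True, "access granted"
```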
[Slide 10]
Device Credential Issuance Process
STEP 1: Apply. Administrator goes to any-CA.ORC.com & completes the online certificate registration application.
STEP 2: Submit. The device's key pair is generated in a cryptographic module and associated with the device; the device's public key is submitted to the CA along with the application.
STEP 3: Print. Administrator prints or PDFs the application form.
STEP 4: ID Proofing. Administrator digitally signs the form & sends or takes the form, with two valid forms of ID, either to the LRA or to another Trusted Agent.
STEP 5: Confirmation. RA confirms that ID proofing is complete & correct.
STEP 6: Issuance. The CA issues the certificate & provides out-of-band download instructions to the applicant.
STEP 7: Download. Administrator returns to any-CA.ORC.com, performs a proof of possession, & downloads the certificate.
STEP 8: Install. Administrator installs the SD into the device & applies tamper-evident tape.
[Slide 11]
Device Secure Access
[Diagram: client workstations (inside and/or outside the LAN), video application servers and a camera on a Local Area Network; validation paths (OCSP/SCVP) to a Credential Validation Service, optionally through a client/WS validation repeater, backed by 20+ federally compliant PKI directories and 50+ federally compliant CRLs over a CRL update path (ldap/ldaps, http/https). Flows: 1. authenticated https; 2/4. OCSP/SCVP; 3. authenticated SSL VPN.]
1. Mutual Certificate Authentication between Client & Video Server
2. Mutual Validation of Credentials; https session established
3. Mutual Certificate Authentication between Video Server & Camera
4. Validation of Credential; SSL VPN session established
[Slide 12]
FiXs Certified Credential Authenticated at DoD Location
[Diagram: issuer FiXs Domain Servers (FDS) for Company A, Company B and Companies C, D, E connect to the FiXs Trust Broker (FTB); the FTB connects to the DMDC Trusted Gateway Broker (TGB) and the DMDC Domain Server (DDS); the authentication node at the Defense National Visitor Center (DNVC) / Defense Biometric Identification System (DBIDS) and the Company F FiXs Authentication Node serve FiXs Authentication Stations/Handhelds.
Legend: Secure Connection; Transaction Path – no Fee; Transaction Path – w/ Fee.]
[Slide 13]
FiXs Certified Credential Authenticated at FiXs Location
[Diagram: issuer FDS for Company A, Company B and Companies C, D, E connect to a Hosted FTB; the FTB connects to the DMDC TGB and DMDC DDS; DNVC/DBIDS and the Company F FiXs Authentication Node serve FiXs Authentication Stations/Handhelds.
Legend: Secure Connection; Transaction Path – no Fee; Transaction Path – w/ Fee.]
[Slide 14]
CAC Authentication at FiXs Location
[Diagram: issuer FDS for Company A, Company B and Companies C, D, E connect to a Hosted FTB; the FTB connects to the DMDC TGB and DMDC DDS; DNVC/DBIDS and the Company F FiXs Authentication Node serve FiXs Authentication Stations/Handhelds.
Legend: Secure Connection; Transaction Path – no Fee; Transaction Path – w/ Fee.]
[Slide 15]
FiXs Certified Credential Enhanced Logical Access Control
[Diagram: remote client/WS reaches border servers over SSL VPN / https, then application servers; border and application servers consult validation data and the FDS.]
1. Initial Enterprise Logon
2. Validate Device Certificate
3. Authenticated SSL VPN Established
4. Initiate Application Logon
5. Validate ID Certificate
6. Access Attributes
[Slide 16]
Contact Information
Dan Turissini - CTO, WidePoint Corporation, FiXs Board
703 246 8550
Dr. Michael Mestrovich, FiXs President
703 928 3157