
EDUCAUSE 2001, Indianapolis IN

Securing e-Government:

Implementing the Federal PKI

David Temoshok
Federal PKI Policy Manager
GSA Office of Governmentwide Policy
October 31, 2001

e-Gov and PKI Drivers
  • Government Paperwork Elimination and ESIGN Acts
  • Public Expectations
  • Long-term Cost Savings
  • The Need for Privacy and Security
    • Government is held to higher standard
  • Trading Partner Practices
Business Driver: Savings by Process Type

Process                       Traditional System   Internet          Percent Savings
Bill Payment                  $2.22 - $3.32        $0.65 - $1.10     71% - 67%
Insurance Policy              $400 - $700          $200 - $350       50%
Software Distribution         $15                  $0.20 - $0.50     97% - 67%
Procurement                                                          70%
Motor Vehicle Registration    $7                   <$2               71%
Order-Filling (DOD)           $24                  $12               50%

Electronic Signatures in Global and National Commerce Act
  • Signed by President Clinton on 6/30/00.
  • E-SIGN addresses:
    • Commercial, consumer, and business transactions affecting interstate or foreign commerce;
    • Legality of electronic signatures and records;
    • Preemption of inconsistent statutes/rules.
  • E-SIGN does not address:
    • security, authentication, or records requirements;
    • interoperability;
    • Electronic signatures based on different technologies;
    • Rules for reliance/accepting different kinds of signatures.
  • Federal Agency activities and requirements are generally not within the scope of this legislation; they are instead addressed by the Government Paperwork Elimination Act (GPEA).
GPEA Requirements
  • Government Paperwork Elimination Act (GPEA) of 1998 addresses:
    • requirement for federal agencies to offer the public the option of electronic filings/transactions/record-keeping for agency business by October 2003;
    • Legality of electronic signatures and records;
    • Technology neutrality -- electronic signature alternatives.
  • OMB required all agencies to report on GPEA implementation/compliance by 10/00, including:
    • Information collections under Paperwork Reduction Act
    • Use of Electronic Signature.
    • Risk Assessment.
What is an Electronic Signature under E-SIGN?

“…means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”

  • Digitized image of a handwritten signature
  • Knowledge-based Authentication
  • Biometric Profile
  • PIN or Password
  • Digital Signature or other encrypted authentication system
  • Click through on software program’s dialog box
  • Typed names

Security Needs Met by PKI
  • Authentication: Is the originator really who they say they are?
    • Achieved by binding the sender’s identity credentials to the message (digital signature)
  • Data Integrity: Has the message/transaction been accidentally or maliciously altered?
    • Achieved via comparing hash of the data (digital signature)
  • Confidentiality: Can message be read only by authorized entities?
    • Encryption protects information from unauthorized disclosure
  • Non-repudiation: Can sender or receiver dispute that message was actually sent or received?
    • Enabled through digital signature process
Public Key or Digital Certificates - The Electronic ID

  • A trusted third-party, the Certificate Authority (CA), issues the digital certificate, containing:
    • Name, Issuer’s name, Certificateholder’s public key, other attributes.
  • The Issuer (CA) must verify and bind identity to the Electronic ID.
  • The Issuer (CA) digitally signs the certificate so no one can change its contents and the certificate can be verified as authentic.

CA Digital Certificate

  Name: Joe College
  Serial #: 123456 (unique identifier for certificate)
  Issuer: CA #78901 (unique identifier for certificate issuer)
  Expiration: 12/1/02 (certificate expiration date, validity period)
  Public Key: 3S@*6Y76 (Certificateholder’s public key)
  CA’s Digital Signature (ensures Certificate’s validity)

Digitized vs. Digital Signature

  • A Digitized Signature is a scanned image that can be pasted on any document.
  • A Digital Signature is a numeric value that is created by performing cryptographic transformation of a message using the “signer’s” private key.

[Figure: a sample Digitized Signature (image) beside a sample Digital Signature (a string of seemingly random characters)]

Why build a Federal PKI?
  • Statutory mandates for e-government and implementing electronic signature technology
  • Business Demands for improved services at lower cost
  • Leverage infrastructure costs
  • Critical security need

Why not a Federal PKI?

  • Privacy concerns
  • Agency internal politics
  • Vendor battles for market space
  • Cost
Federal PKI Approach
  • Determine need for PKI through risk assessment.
  • Use PKI when electronic signature and document/data integrity must be assured (non-repudiation).
  • Provide Federal PKI and PKI services contract for government-wide use -- ACES.
  • Build Federal PKI Interoperability
    • Establish Federal PKI Policy Authority (for policy interoperability).
    • Implement Federal Bridge CA using COTS (for technical interoperability).
  • Organize federal agency PKI use around common citizen and industry groups.
The Core Federal PKI

[Diagram: the Federal Bridge CA at the center, connected to four PKIs]

  • DOD PKI: Available to all Military personnel and dependents
  • NFC PKI: Available to all Federal agencies
  • DOD IECA: Available to all Government vendors and contractors
  • GSA ACES: Available to all U.S. citizens, businesses, government agencies

PKI Interoperability

[Diagram: PKI Domain 1, PKI Domain 2 and PKI Domain 3, each pair linked by Certification Policies & Practices Statements, Validation Protocols, and Bi-lateral Agreements]

  • Policy PKI interoperability involves the determination of “Trusted” PKI domains which will meet the level of assurance needed.
  • Technical PKI interoperability involves the validation of certificates from a different PKI domain to determine validity of certificates and paths.
  • A small number of PKI domains makes it easier to achieve interoperability -- however it is still complex.
The Challenge to PKI Interoperability

PKI interoperability becomes much more complex as the number of PKI domains increases.

The Solution: The Federal Bridge CA

[Diagram: the Federal Bridge CA, with the FPKI Policy Authority and the FBCA Operational Authority]

  • The Federal Bridge CA simplifies PKI interoperability:
    • Common and easy way to determine “Trusted” PKI domains and assurance levels (policy mapping);
    • Common and, relatively, easy way to validate certificate status through cross certification;
    • Standard Bi-lateral Agreement between the Bridge and Agency CA.
PKI Policy Mapping -- Equivalence Example

FBCA Requirements   NFC PKI   DOD PKI   DOD IECA PKI   ACES PKI
High                High      4
Medium              Medium    3         Med            Med
Basic               Basic     2
Rudimentary         Test


ACES Program Vision

  • Common PKI solution encourages agencies to work together
  • Allows equitable cost sharing among agencies
  • Efficient, effective, economical due to aggregation of Federal needs
  • One digital identity credential can be used by multiple Agency processes
  • “Anonymous” certificate numbering for identification
  • Public pays nothing for digital ID.
ACES Registration Processes

  • ACES Contractor Registration for Individuals
  • Agency Registration
  • Business Representative Registration

ACES Remote (On-line) Certificate Application Process

  • Public applies for certificate (Secure Web)
  • ACES vendor validates ID to multiple independent databases (Federal, State, Commercial)
  • ACES vendor registers applicant for certificate and mails one-time PIN
  • Applicant PIN activation process (Secure Web)
  • ACES vendor sends registered certificate

Accessing Web-Based Applications and Services

[Diagram: Citizen, Federal Agency, and ACES Contracted Certificate Authority]

  • Citizen: Access Authorized System with ACES authentication (Secure Web)
  • Federal Agency: Authorized Web-based Application
  • ACES Contracted Certificate Authority: Validate Electronic ID (ACES) through standard on-line protocol (OCSP)
  • Federal Agency: Return Personalized Services/Benefits/Information

CAM Architecture

  • Parse Cert
  • Verify Issuer as an ACES CA
  • Verify Issuer’s signature
  • Verify operational period
  • Check cached Invalid Cert IDs
  • Get route to Issuer
  • Send signed Status Request & Cert data to Issuer
  • Receive signed Status Response
  • Verify Status Response signature
  • Pass status & cert data to App
  • Log audit data

[Diagram components]

  • Subscriber
  • Agency Application, with App API
  • Scope of CAM:
    • AA Interface
    • CA I/F
    • Crypto Library (RSA, DSA, ECDSA)
    • Signature Device with CAM Private Key
    • CA Certificate List
    • Invalid Certificate List
    • Transaction Log
  • ACES CA: CAn Subscriber Certs
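
The validation steps listed on this slide, as an added example that is not part of the original presentation and is not the CAM's own code. HMAC-SHA256 stands in for the RSA/DSA/ECDSA signatures, and the function names, status strings, keys and the `not_before` field are assumptions.

```python
import hashlib, hmac, json

# Constructed sample data. HMAC-SHA256 stands in for the public-key signatures
# (RSA, DSA, ECDSA) named on the slide; keys and status strings are hypothetical.
CA_KEYS = {"CA #78901": b"constructed-ca-key"}  # CA Certificate List
CAM_KEY = b"constructed-cam-key"                # CAM signing key
INVALID_CERTS, TRANSACTION_LOG = set(), []      # Invalid Certificate List, log

def signed(key, fields):
    msg = json.dumps(fields, sort_keys=True).encode()
    return {**fields, "sig": hmac.new(key, msg, hashlib.sha256).hexdigest()}

def sig_ok(key, obj):
    body = {k: v for k, v in obj.items() if k != "sig"}
    return hmac.compare_digest(signed(key, body)["sig"], str(obj.get("sig", "")))

def make_issuer(key, revoked):
    """Constructed stand-in for the issuing CA's status responder."""
    def ask(request):
        if not sig_ok(CAM_KEY, request):
            raise OSError("unsigned status request")
        status = "revoked" if request["serial"] in revoked else "good"
        return signed(key, {"serial": request["serial"], "status": status})
    return ask

def validate(cert, today, ask_issuer):
    """Run the CAM checks in slide order; today is 'YYYY-MM-DD'."""
    def done(status):
        TRANSACTION_LOG.append((cert.get("issuer"), cert.get("serial"), status))
        return status
    key = CA_KEYS.get(cert.get("issuer"))       # issuer must be a listed CA
    if key is None:
        return done("untrusted-issuer")
    if not sig_ok(key, cert):                   # issuer's signature on the cert
        return done("bad-signature")
    if not cert["not_before"] <= today <= cert["not_after"]:
        return done("outside-operational-period")
    cert_id = (cert["issuer"], cert["serial"])
    if cert_id in INVALID_CERTS:                # cached answer, no round trip
        return done("revoked")
    try:                                        # signed status request to issuer
        resp = ask_issuer(signed(CAM_KEY, {"serial": cert["serial"]}))
    except OSError:
        return done("status-unavailable")       # fail closed
    if not sig_ok(key, resp) or resp.get("serial") != cert["serial"]:
        return done("bad-status-response")
    if resp.get("status") != "good":
        INVALID_CERTS.add(cert_id)
        return done("revoked")
    return done("valid")
```

Build a certificate with `signed(CA_KEYS["CA #78901"], {...})` and a responder with `make_issuer(...)`, then call `validate`. An unreachable issuer or a status response signed with the wrong key never yields `valid`, and a revoked answer is cached so later checks skip the round trip.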


Who Can Be a Member of the ACES PKI?

  • Certificate Authorities
    • ACES contractors
  • Relying Parties
    • Any Federal agency
    • Non-federal entities if authorized by a Federal Agency for legitimate program purposes.
  • Subscribers
    • Any individual in U.S.
    • Any individual as a representative of a business, organization, or governmental entity

PKI and Smart Cards

  • Securely store, protect, and transport cryptographic keys (public/private keys) and digital certificates.
  • Capacity to hold multiple keys/certificates.
  • Provide secure computational and processing facility without exposing sensitive information to risk.
  • Provide security for: generation of digital signature, use of private key for personal authentication, portable permissions/logical access control.
  • Convenience for end user.
  • PKI can be one set of functions on a multi-application smart card.

Should result in trust and confidence in E-Gov applications.

For More Information

David Temoshok
Phone: 202-208-7655
E-mail: david.temoshok@gsa.gov

Websites

http://cio.gov/fpkisc

http://gsa.gov/ACES

http://ec.fed.gov