
Federal Electronic Identity Initiatives – Current Status

Peter Alterman, Ph.D.

Chair, Federal PKI Policy Authority and Asst. CIO for E-Authentication, NIH

Federal Initiatives
  • eAuthentication
    • Focus on eCommerce, services, etc.
  • HSPD-12
    • Focus on security

BRIITE 2007

Security


Homeland Security Presidential Directive 12
  • A Presidential Mandate for Federal Agencies to issue medium hardware assurance (or better) identity credentials for access to physical and logical government resources - inside-the-firewall contractors, too
    • Medium Hardware or High Assurance digital certificates on PIV-2 cards (next generation Smartcards)
  • Fast-tracked for implementation starting 10/2006
  • Led to new government standards for identity proofing and vetting (FIPS 201) and for PKI hardware tokens (NIST SP 800-7x series)


Federal View of Electronic ID
  • A validated, proofed identity using breeder documents and databases (FIPS 201)
  • A scheme for adding a name, biometrics (photo, fingerprints), numeric codes (CHUID, etc.) and substantial assurance digital certificates to a next-generation SmartCard
  • Attributes are extensions not required by HSPD-12, but optionally consumed by Applications
    • SAML assertions and/or database entries for attribute storage
    • USPerson profile being developed to standardize attribute representation


Current Status
  • All Federal Agencies are implementing the requirements of HSPD-12, which means 12 – 15 million high assurance digital certificates will be deployed and used by 2010.
  • There are over 5.5 million high assurance digital certificates currently deployed and used in the Federal government


Other Initiatives – Classified Stuff
  • Defense, Law Enforcement, Intelligence Services
  • Don’t want to know….


E-Gov Services


Current State of Affairs (60 years old now)
  • You apply to the application owner for a password
  • You use the password to access the system
  • You forget the password
  • The application owner gives you a new password
  • You use the new password to access the system
  • You forget the password
  • <infinite do loop>
  • No identity proofing
  • No way to know who is actually on the system (Your secretary? Your postdoc? Your dog? Osama?)


eAuthentication Initiative
  • Provide electronic identity authentication services for online government applications
  • Manage the Federal Federation – extends services to private sector credential providers and online services
  • Set standards for assertion-based authentication tools
  • Offers standard risk assessment tool
  • Standard Architecture and Policy foundations


Foundational Assumption
  • Government online services shall trust externally-issued electronic identity credentials at known levels of assurance (LOA)
  • Online applications shall determine required credential LOA using a standard methodology based on:
    • Risk assessment using the standard tool;
    • OMB M-04-04 determines the required authN LOA;
    • NIST SP 800-63 translates the required LOA to credential technology


The Federal Federation

Credential Service Providers
  • Covers 4 LOA
    • Assertion-based identity credentials for L 1, 2
    • Crypto-based identity credentials for L 3, 4
  • Service Requirements
    • Related to uptime, user support, etc.
  • Interfederation Arrangements Encouraged

Agency Applications
  • Federal Agency Applications and Services
  • Mandated by Administration
  • Service Requirements
    • Related to uptime, user support, etc.


Summary of Architecture and Policy/Procedures

Architecture
  • SAML assertions for LOA 1, 2 (encapsulate userid/passwords)
    • Vendor interoperability required for addition to approved vendor list
    • SAML 1.0 currently supported; SAML 2.0 specs being developed
  • PKI or OTP for LOA 3
  • PKI for LOA 4
  • Scheme translator available

Policy/Procedures
  • Credential assessments for all CSPs:
    • CAF for assertion-based credentials;
    • cross certification with Federal PKI for crypto-based credentials
  • Federal PKI Policies define requirements for digital certificate trustworthiness
  • Business and Legal Rules define service requirements for all LOA


E-Authentication LOA and What They Mean*
  • Level 1: Little or no assurance of identity; assertion-based identity authentication
  • Level 2: Some assurance of identity; assertion-based identity authentication or policy-thin PKI
  • Level 3: Substantial assurance of identity; cryptographically-based identity authentication
  • Level 4: High assurance of identity; cryptographically-based identity authentication


* Codified in OMB Memorandum 04-04

E-Authentication LOA and What They Service**
  • Level 1: Online applications with little or no risk of harm from fraud, hacking; low risk
  • Level 2: Online applications with risk of some harm from fraud, hacking; some risks
  • Level 3: Online applications where there is risk of significant harm from fraud, hacking; significant risks
  • Level 4: Online applications where there is risk of substantial harm from fraud, hacking; substantial risks


** Codified in NIST SP 800-63

General Considerations for Determining LOA of an Electronic Identity Credential
  • Identity Proofing – how sure are you that the person is who he or she claims to be?
  • Identity Binding – how sure are you that the person proffering the EIC is the person to whom the credential was issued?
  • Credential integrity – how well does the technology and its implementation resist hacking, fraud, etc.?


Summary of Lower-Level Identity Credentials
  • Level 1: UserID/Password, SAML assertion (XML text)
  • Level 2: “High entropy” UserID/Password; “policy-lite” PKI, e.g., Fed PKI Citizen and Commerce Class & Federal PKI Rudimentary, TAGPMA Classic Plus (in development)


Summary of Cryptographic-Based Identity Credentials
  • Level 3: One-time Password; Substantial assurance PKI at FPKI Basic, Medium
  • Level 4: High assurance PKI at FPKI Medium Hardware, High


A Little Complication
  • The government has TWO LOA classifications:
    • Federal PKI LOA codified in the Certificate Policies of the Federal PKI Policy Authority
    • E-Authentication LOA codified in OMB M-04-04


LOA Mapping E-Auth to Fed PKI
  • E-Auth Level 1: FPKI Rudimentary; C4
  • E-Auth Level 2: FPKI Basic
  • E-Auth Level 3: FPKI Medium & Medium-cbp
  • E-Auth Level 4: FPKI Medium/HW & Medium/HW-cbp; FPKI High (governments only)
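As an added illustration (not code from the presentation or from any agency), the following Python check combines the E-Auth to Federal PKI mapping above with the deck's rule that assertion-based credentials only reach LOA 2 while OTP or PKI is needed for LOA 3 and 4, and with the risk-to-LOA ladder from the "What They Service" slide; the Credential class, the risk-category names and the policy-name strings are assumptions made for the example.

```python
from dataclasses import dataclass

# E-Auth LOA reached by each Federal PKI certificate policy, taken from the
# "LOA Mapping E-Auth to Fed PKI" slide. Policy names only; OIDs are not on the slide.
FPKI_POLICY_LOA = {
    "Rudimentary": 1, "C4": 1,
    "Basic": 2,
    "Medium": 3, "Medium-cbp": 3,
    "Medium/HW": 4, "Medium/HW-cbp": 4, "High": 4,   # High: governments only
}
# Application risk category -> required LOA ("What They Service" slide).
# Category names are constructed for this example.
RISK_TO_LOA = {"low": 1, "some": 2, "significant": 3, "substantial": 4}
MAX_ASSERTION_LOA = 2   # SAML/password assertions cover LOA 1 and 2 only


@dataclass
class Credential:              # assumed shape, not an agency data model
    kind: str                  # "assertion", "otp" or "pki"
    claimed_loa: int = 0       # LOA the CSP asserts (assertion-based only)
    fpki_policy: str = ""      # FPKI policy the certificate was issued under (pki only)


def effective_loa(cred: Credential) -> int:
    """Translate a presented credential into the E-Auth LOA it actually supports."""
    if cred.kind == "assertion":
        # An assertion that claims LOA 3 is still an assertion: cap it at 2.
        return max(0, min(cred.claimed_loa, MAX_ASSERTION_LOA))
    if cred.kind == "otp":
        return 3                                         # "PKI or OTP for LOA 3"
    if cred.kind == "pki":
        return FPKI_POLICY_LOA.get(cred.fpki_policy, 0)  # unknown policy: no assurance
    return 0


def required_loa(risk: str) -> int:
    """Application side: the risk assessment fixes the LOA the app must demand."""
    try:
        return RISK_TO_LOA[risk]
    except KeyError:
        raise ValueError(f"unknown risk category: {risk!r}") from None


def access_allowed(cred: Credential, risk: str) -> bool:
    """Decision: the credential's effective LOA must meet the application's required LOA."""
    return effective_loa(cred) >= required_loa(risk)
```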


Fed PKI: View from 20,000 km

[Diagram; labels recovered from the slide: FBCA; Common Policy CA (HSPD-12) with SSPs serving all other agencies; CertiPath SSP (HSPD-12-comparable); CertiPath; C4; SAFE; Industry PKIs; eGCA (3).]


Fed PKI: View from 20,000 km (detail)

[Diagram; labels recovered from the slide, grouped as they appear:]
  • Agencies and organizations: DOD, DHS, NASA, Commerce, USPS, USPTO, HHS, DOE, IL, DOJ, State, DOD/ECA, GPO, DOD/Interop, Treasury, Wells Fargo, MIT LL, UTexas Sx, Commercial “SSP-like”
  • Common Policy CA (HSPD-12), total 15 – 20M users; SSPs: VeriSign, Cybertrust, ORC, Treasury, GPO, Exostar, Entrust/Cygnacom, IdenTrust?; serving all other agencies
  • FBCA
  • CertiPath “SSP” (HSPD-12-comparable); State of VA first responders; CertiPath; C4
  • SAFE; Industry PKIs: Abbott Labs, AstraZeneca, Bristol-Myers Squibb, Genzyme, GlaxoSmithKline, INC Research, Johnson & Johnson, Merck, Pfizer, Procter & Gamble, Sanofi-Aventis, TAP Pharmaceuticals, Boeing, Raytheon, Lockheed Martin
  • eGCA (3), ~500k users!; EAF member CSPs; TLS certs


Interoperability Initiatives
  • CertiPath – Federal Bridge cross-certification complete
  • SAFE PKI Bridge and services – supporting digitally-signed electronic forms and document management
  • InCommon – assertion-based technology, LOA 1 & 2 – demonstration projects with NSF – interfederation with NIH NOW


Technology Implications
  • US Government LOA, standardized risk assessment, and standards for PIV cards and identity proofing and vetting are here and INEVITABLY will migrate everywhere
    • Pickup already noted in aerospace contractor space, homeland security
  • Feds will have to deal with attributes eventually!


Security and Online Services Implications for Higher Ed
  • DHS first responders, DEA PKIs and CMS initiatives to enable online services and payments management will drive medical schools, hospitals and insurance chains to adopt Federal models for electronic identity authentication
    • Financial services firms under SEC regulation are already falling in line, both within and outside the eAuthentication federation participation
    • DEA issuing digital certs to pharmaceutical supply chain entities and plans to do so to service providers (MDs, PAs, NPs, etc.)
    • Treasury transfers > $1B daily via PKI
  • Availability of online government apps drives schools to federate to take advantage of services/apps


What About Privacy?
  • No single database of identity credentials
  • No requirement for only one identity credential
  • The old tradeoff still exists: convenience vs. security
  • Are there forces out there that want to know who you are at all times?
    • Of course; worry about RFID first.


NIH E-Authentication Initiative Goals
  • Researchers use their institutional identity credentials to authenticate to NIH online applications and services
  • Build a reliable, secure, trusted IT infrastructure that supports e-authentication



Current NIH Initiatives
  • Interfederated with InCommon higher education Identity Management Federation at OMB LOA 1: low/no risk applications put online and consume identity credentials issued by universities that are members of InCommon;
  • Extend interfederation agreement to OMB LOA 2 applications for universities that issue higher-assurance credentials under the InCommon Federation Silver program – for moderate risk applications (ETA 1/08);
  • Direct trust relationship with University of Texas System Public Key Infrastructure


NIH Pilot LOA 1 Applications
  • NLM Proxy Redirector (initial application)
  • Good Clinical Practice (GCP)
  • Community for Advanced Graduate Training (CAGT)
  • NIH Login/ADFS/MOSS integration (general collaboration)
  • More to follow


NIH Pilot LOA 2 Applications
  • Electronic Research Administration (eRA)
  • caBIG data (via Grid interoperability?)
  • Firebird (FDA, SAFE, NIAID involvement)
  • More to follow


End State for NIH
  • All NIH outward-facing, online apps risk assessed and credential LOA requirements determined
  • Credential validation infrastructure and/or linkages at production operational level
  • All NIH outward-facing, online apps connected to NIH Login front end with validation service enabling infrastructure (e.g., Shibboleth, etc.)
  • End State achieved… ???


Resources
  • altermap@mail.nih.gov
  • http://csrc.nist.gov/pki
  • www.cio.gov/fpkipa
  • www.cio.gov/ficc
  • www.cio.gov/eauthentication
  • www.smartcardalliance.org
