
EPA State PKI Analysis

EPA State PKI Analysis. National Governors Association January 9, 2001 Charleston, South Carolina. Items to Discuss. Security vs Paper Process Digital Signatures Purpose of the EPA Study Items collected during the EPA Study State results to date in the EPA Study Conclusions.


Presentation Transcript


  1. EPA State PKI Analysis National Governors Association January 9, 2001 Charleston, South Carolina

  2. Items to Discuss • Security vs Paper Process • Digital Signatures • Purpose of the EPA Study • Items collected during the EPA Study • State results to date in the EPA Study • Conclusions

  3. Purpose of the EPA Study • To determine the extent of PKI usage in state government agencies • To demonstrate the use of non-ACES certificates in the ACES Certificate Arbitrator Module (CAM)

  4. Items collected during the EPA Study • General Level and scope of PKI activity in state • State EPA requirements - Does the State EPA employ the state or agency certificates for compliance report delivery? • Certificate Policy (CP) and Certificate Practice Statement (CPS) - Do these documents exist? • Requirements for Identity Proofing - individuals vs business • Access Control • Certificate Validation and Revocation • System Specifications • Key Management and Registration • Payment Model • Rollout Schedule and Future Plans • Cross certification

  5. State results to date in the EPA Study • Washington • Illinois • Pennsylvania • North Carolina • Virginia • Oregon

  6. State of Washington • Statewide PKI “portal” called Transact Washington (http://transact.wa.gov) • Each user gets a “My Transact” homepage with links to a registered application and an option to register for other applications • DST is the CA • Certificate registration, ID proofing, Renewals, Revocation, etc. are outsourced to DST • TrustID™ Individual certificates used now • Business Rep certificates being considered • Three certificate assurance levels: High, Intermediate, Standard • Current application is sponsored by Department of Labor and Industries for worker compensation claims

  7. State of Washington - cont’d • Possible future applications for 2001 • Department of Health - exchange of medical records between providers • Department of Labor and Industries - filing workers compensation forms • Department of Retirement Systems - digitally signed financial transfers, management and planning • Department of Revenue - online tax filing • Employment Security Agency - file unemployment taxes

  8. State of Illinois • Running their own CA using Entrust line of PKI products hosted by the Department of Central Management Services (CMS) • Anticipates issuing 2 million certificates beginning 2001 • Local Registration Authority (LRA) located at state agencies and Secretary of State offices • Citizens can get certificates when they get their driver’s license • In-person identity proofing done at these facilities • Subscribers (clients) use either Entrust Entelligence client side or Entrust Roaming Server Side • Root Key generation ceremony scheduled for week of Jan 15, 2001 • Current Application - Department of Public Aid • available shortly after root key ceremony • anticipated to issue 240K certificates via 60 service providers • certificates to be used to gain access to electronic business and submission forms

  9. State of Illinois - cont’d • Future applications: • State EPA to use certificates for DMR submissions using web-based forms • Expected deployment is late 2001

  10. State of Pennsylvania • Via the Pennsylvania Department of Environmental Protection (DEP) • Applicants initially fill out a registration form online at which time they download an authorization form to take to a Notary. • Identity proofing done in person by a LRA or a Notary • Certificates issued for signatures and encryption, as determined by the key usage extension field in the certificate • ORC is CA for the pilot and will serve as Certificate Manufacturing Authority (CMA) • Applications - Department of Environmental Protection (DEP) • DMR submissions • Certificates used to sign XML-based web forms • Currently 4K-6K forms submitted each month in paper • Safe Drinking Water Lab Analysis • Certificates will be used to sign monthly analyses submitted from approximately 300 labs to DEP • Pending funding, soft rollout date of March, 2001 for one or both initiatives

  11. State of North Carolina • PKI efforts headed by Department of Information Resource Management (IRM) • Certificate authorities authorized to issue certificates: Verisign and Arcanvs • Certificates used for encryption and signatures using different key pairs • Two assurance levels • Base • Strong - requires in-person identity proofing before a notary or RA • Three types of certificates • unaffiliated individual • affiliated individual • organization

  12. State of North Carolina - cont’d • Just completed PKI pilot with following agencies: • Department of Revenue • Department of Corrections • Office of the State Auditor • Department of Revenue • Use of state centralized email messaging system by encrypting emails on the centralized system in order to satisfy privacy requirements • Used Outlook Express and Netscape Mail • 20 - 25 certificates were used • Department of Corrections • Database maintenance that local, city, and county law enforcement agencies can access via PIN/password pairs. • Web-based transactions • Netscape and Microsoft browsers performed certificate management • Approximately 10 certificates used to successfully replace PIN/password

  13. State of North Carolina - cont’d • Office of the State Auditor • Certificates used to facilitate encrypted emails and files on laptop computers while on-site in the field • Pilots used Verisign On-Site software • IRM served as the LRA • Two LRAs served 3 agencies; Revenue had their own LRA • Each agency preparing an evaluation report based on pilot results • Based upon report results, statewide strategy tentatively scheduled for rollout in March, 2001 • No signatures; encryption only due to legal concerns although Secretary of State has established specific guidelines for digital certificates, including digital signatures • Certificates to be issued to individuals as business representatives • Production rollout to follow same model as pilot; CA vendor not yet selected

  14. State of Virginia • Formed the digital signature initiative in January, 2000. • Purpose was to test digital certificates from a variety of vendors with different applications. The summary of their findings, including input from DST, can be found on the web site http://www.sotech.state.va.us/cots/ • Some agencies ran CA internally, others had a service provider. • Pilots ran about 2 months with fairly minimal results. • Generally still in the formative stages • Finalizing draft Certificate Policy in preparation for the release of their RFP for PKI services http://www.itc.virginia.edu/volt/ (VOLT stands for “Virginia OnLine Transaction”) • PKI usage will be internal as well as with the general population and businesses (G2G, G2C and G2B) • Dual key pairs/certificates with NO escrow/recovery

  15. State of Virginia - cont’d • Combination of in-person and online gathering of identity information as outlined in their draft CP. • ACES and State of Washington models seem attractive to them. • Also looking at requiring hardware tokens for key generation and storage to increase the assurance levels. • Plan to procure an outsourced provider of certificates, PIN services, integration services, resale of PKI software and other services surrounding the implementation of PKI. • Release is scheduled for Jan 2001 with implementation to begin in June 2001. • Looking at the Early Adopter program as was done in State of Washington and the meetings will continue throughout 2001 as they recruit early adopters.

  16. State of Oregon • PKI still in the formative stages • Current thoughts: • Certificate authorities must be certified by the state Division of Administrative Services • Certificates will be Class 1 and are obtained directly from a commercial CA derived from the approved list • Pilots under consideration - Department of Environmental Quality (DEQ) • Used for DMR submissions • Client side software package Waste Discharge Electronic Reporting Systems (WADRS) used to help user to prepare properly formatted DMR • Certificate used to either sign the DMR as part of WADRS or to sign the entire email, including DMR attachment using COTS mail client • Determination made based upon ability to view digitally signed document post signature • Pilot - late summer 2001; Production - possibly December 2001

  17. Conclusions • Most states still in formative stages in PKI • Issues with developing PKI: • Lack of PKI knowledgeable engineers • Lack of funding • Trade-offs associated with PKI • Technical • State run CA vs Trusted Third Party (TTP) • Liability, warranty, privacy concerns • Lack of knowledge within the states of their own PKI initiatives • ACES model seems to be very appealing for states

  18. Contact Information • EPA CDX PKI lead: • Kimberly Nelson • 202.260.8152 • Nelson.Kimberly@epa.gov

  19. Supplementary Information

  20. Security vs Paper Services

  21. Digital Signatures • A Transformation of a Message Using Public Key Cryptography • Virtually Impossible to Forge • Provides a High Level of Security

  22. What is PKI? • A complex suite of hardware, software and particular cryptographic components, combined with adherence to policies and procedures that enable business applications to operate in a secure environment. • Particular cryptographic components used are those of public key, or asymmetric, cryptography used for digital signatures and, optionally, encryption • Comprised of supporting services, such as a Certificate Authority (CA) and Concept of Operations (ConOps), as well as legal support of a Certificate Policy (CP) and Certificate Practice Statement (CPS)

  23. What is ACES? • Access Certificates for Electronic Services (ACES) • Sponsored by General Services Administration (GSA) • Supports the legal frameworks of Government Paperwork Elimination Act (GPEA) and e-Signature Law

  24. ACES Assumptions Government has already determined a need for PKI security services. • GPEA • PDD-63 • Procurement Changes • Internal performance imperatives

  25. ACES Assumptions The Government needs to deal with businesses or the public on a recurring basis: monthly, quarterly, ad hoc • May be remote/unknown to the Government agency • May be Government trading partners • May be sectors of the general public, such as State EPA reporting entities (Why not government-to-government?)

  26. Encryption and Decryption • Plaintext is data that directly represents information constituting a message • Encryption transforms the plaintext data into unintelligible data called ciphertext • Decryption transforms ciphertext data back to the original plaintext data
