NASA PKI and the Federal Environment

1. NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung

2. Background • eGov Act of 2002 established 24 applications in 4 areas • Government to Citizen Government to Business • Government to Government Internal Efficiency & Effectiveness • 25th, eAuthentication Initiative, cut across all four areas • Provides a consistent means to authenticate identity of users • December 2003 - OMB 04-04 established 4 identity authentication assurance levels for eGov transactions • 1 Little or no assurance 3 High assurance • 2 Some assurance 4 Very High Assurance • April-May 2004 - NASA updated our PKI requirements • Extant requirements developed in 1997 • Need to update for changing NASA environment • June 2004 - NIST 800-63 provided technical requirements for each authentication level • 1 PINs 3 PKI software • 2. Passwords 4 PKI hardware

3. Background, cont. • August 2004 - Homeland Security Presential Directive #12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors • Mandated NIST develop a Government-wide standard for secure and reliable forms of identification to be issued by the Federal Government to its employees and contractors • September 2004- NASA decides to continue using Entrust as its PKI and outsource operations to the Department of the Treasury • December 2004 - OMB 05-05 required agencies to use a Shared Service Provider (SSP) • February 2005 - NIST Federal Information Processing Standard (FIPS) 201: Personal Identity Verification for Federal Employees and Contractors (update draft March 2006) • Required a myriad of NIST Special Publications with guidance on different aspects of FIPS-201; 800-73, 800-76, 800-78, 800-79, 800-85A, 800-85B, 800-87, 800-96 • August 2005 - OMB 05-24 required agencies to develop and submit an HSPD-12 implementation plan

4. FIPS-201 PKI Implications • Mandates a PKI authentication certificate be on PIV 2 compliant smart card • Mandates two factor authentication for logical access to all agencies computer and network resources • Mandates PKI key sizes and digital signature algorithms • Requires changes to the FPKI Common Policy Framework Certificate Policy

5. So What Does This Mean for the NASA PKI? • NASA must provide PKI credentials to all employees and on-site (behind the firewall) contractors • NASA purchased 100,000 Entrust licences in March 2005 • Treasury must become an SSP if NASA wants to outsource our PKI operations to them • Treasury agrees and submits their application in April 2005 • Treasury completes the process June 2006 • NASA must begin to provide background checks for all new employees and contractors by October 27, 2006 • NASA must begin to issue FIPS-201 PIV 2 compliant badges to all new employees and contractors by October 27, 2006 • These badges must include a PKI authentication certificate • NASA must have an approved HSPD-12 implementation plan • Submitted December 2005 • OMB is asking agencies to update their plan by August 2006 • NASA must begin using two-factor authentication for all logical access to NASA resources

6. So What Does This Mean for the Federal PKI? • FPKI Common Policy Changes • Need to include OIDs for new authentication certificate • Need to include requirements for availability of CAs • Need to include requirements for availability of CRLs • Need to change publication frequency for CRLs • Need to change encryption and digital signature key sizes • Increase from current 1024 bit RSA to 2048 bit by 1 January 2009 • Need to change digital signature algorithm • Move from current SHA-1 to SHA-224 or SHA-256 by 1 January 2011 • Common Policy and FBCA Harmonization Required • One change will be agencies cross-certified with FBCA must assert the common policy OID beginning in 2008 • Forces agencies to make changes to their PKIs to comply • Unclear whether or not an agency must be subordinate to Common Policy CP starting in 2008

7. Backup Slides

8. NIST 800 Series Related to FIPS 201 • 800-73 Interfaces for Personal Identity Verification, March 2006 (updated April 20, 2006) • 800-76 Biometric Data Specification for Personal Identity Verification,
February 2006 • 800-78 Cryptographic Algorithms and Key Sizes for Personal Identity Verification,
April 2005 • 800-79 Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations,
July 2005 • 800-85A PIV Card Application and Middleware Interface Test Guidelines (SP800-73 compliance),April 2006 • Draft 800-85B, PIV Data Model Conformance Test Guidelines,May 25, 2006 • 800-87 Codes for the Identification of Federal and Federally-Assisted Organizations, October 2005 (document updated January 17, 2006) • Draft SP800-96 PIV Card/Reader Interoperability Guidelines

9. NASA’s Relationship to the FBCA & Common Policy CA Cross Certification [mutual or two-way reference] Federal Bridge CA Treasury Root CA (TRCA) Cross Certification [mutual or two-way reference] Sub Authorized [Sub ordinate reference] Sub Authorized [Sub ordinate reference] Common Policy CA NASA Operational CA (NOCA)

10. NASA FBCA Cross Certification Documentation CA Operation Policy PKI Directory User & RA Software Testing & Distribution RA Operation Tech Support SuperRA Service Training PK Enabled Services NASA’s Original PKI Architecture

11. Treasury NASA FBCA Cross Certification Documentation CA Operation Policy PKI Directory User & RA Software Testing & Distribution RA Operation Tech Support SuperRA Service Training PK Enabled Services NASA’s SSP PKI Architecture