Federal Electronic Identity Initiatives – Current Status
Peter Alterman, Ph.D.
Chair, Federal PKI Policy Authority and
Asst. CIO for E-Authentication, NIH
Federal Initiatives
• eAuthentication
– Focus on eCommerce, services, etc.
• HSPD-12
– Focus on security
BRIITE 2007
2
Security
Homeland Security Presidential Directive 12
• A Presidential Mandate for Federal Agencies to issue medium hardware assurance (or better) identity credentials for access to physical and logical government resources – inside-the-firewall contractors, too
– Medium Hardware or High Assurance digital certificates on PIV-2 cards (next generation Smartcards)
• Fast-tracked for implementation starting 10/2006
• Led to new government standards for identity proofing and vetting (FIPS 201) and for PKI hardware tokens (NIST SP 800-7x series)
Federal View of Electronic ID
• A validated, proofed identity using breeder documents and databases (FIPS 201)
• A scheme for adding a name, biometrics (photo, fingerprints), numeric codes (CHUID, etc.) and substantial assurance digital certificates to a next-generation SmartCard
• Attributes are extensions not required by HSPD-12, but optionally consumed by Applications
– SAML assertions and/or database entries for attribute storage
– USPerson profile being developed to standardize attribute representation
Current Status
• All Federal Agencies are implementing the requirements of HSPD-12, which means 12 – 15 million high assurance digital certificates will be deployed and used by 2010.
• There are over 5.5 million high assurance digital certificates currently deployed and used in the Federal government
Other Initiatives – Classified Stuff
• Defense, Law Enforcement, Intelligence Services
• Don’t want to know….
E-Gov Services
Current State of Affairs (60 years old now)
• You apply to the application owner for a password
• You use the password to access the system
• You forget the password
• The application owner gives you a new password
• You use the new password to access the system
• You forget the password
• <infinite do loop>
• No identity proofing
• No way to know who is actually on the system (Your secretary? Your postdoc? Your dog? Osama?)
eAuthentication Initiative
• Provide electronic identity authentication services for online government applications
• Manage the Federal Federation – extends services to private sector credential providers and online services
• Set standards for assertion-based authentication tools
• Offers standard risk assessment tool
• Standard Architecture and Policy foundations
Foundational Assumption
• Government online services shall trust externally-issued electronic identity credentials at known levels of assurance (LOA)
• Online applications shall determine required credential LOA using a standard methodology based on:
1. Risk assessment using standard tool,
2. OMB M-04-04 determines required authN LOA
3. NIST SP 800-63 translates required LOA to credential technology
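The three steps above, carried through as an added example in Go (this is not code from the deck or from the E-Authentication programme): a per-category risk rating goes in, the lowest assurance level whose M-04-04 impact profile covers every rating comes out, and that level selects the acceptable credential technologies listed on the deck's credential slides. The impact-profile table is reproduced from OMB M-04-04 as recalled by the author of this example and is marked as an assumption in the code; the names `Assessment`, `RequiredLOA`, `CredentialTypes` and `Accepts` are this example's own.

```go
package main

import "fmt"

// Impact is the assessed potential impact of an authentication error in one
// category: the scale OMB M-04-04 uses to choose an assurance level.
type Impact int

const (
	None Impact = iota
	Low
	Moderate
	High
)

func (i Impact) String() string {
	return [...]string{"None", "Low", "Moderate", "High"}[i]
}

// Category is one of the six potential-impact categories of OMB M-04-04.
type Category int

const (
	Inconvenience  Category = iota // inconvenience, distress, damage to standing or reputation
	FinancialLoss                  // financial loss or agency liability
	ProgramHarm                    // harm to agency programs or public interests
	SensitiveInfo                  // unauthorized release of sensitive information
	PersonalSafety                 // personal safety
	CivilCriminal                  // civil or criminal violations
	numCategories
)

// profiles[c][l-1] is the highest impact in category c that an application may
// carry while still requiring only assurance level l.
// ASSUMPTION: reproduced from the M-04-04 impact-profile table as recalled by
// the author of this example; confirm against the memorandum before relying on it.
var profiles = [numCategories][4]Impact{
	Inconvenience:  {Low, Moderate, Moderate, High},
	FinancialLoss:  {Low, Moderate, Moderate, High},
	ProgramHarm:    {None, Low, Moderate, High},
	SensitiveInfo:  {None, Low, Moderate, High},
	PersonalSafety: {None, None, Low, High},
	CivilCriminal:  {None, Low, Moderate, High},
}

// Assessment is the output of step 1, the risk assessment: one rating per category.
type Assessment [numCategories]Impact

// RequiredLOA is step 2: the lowest assurance level whose profile covers every
// assessed impact. Level 4 permits the maximum in every category, so a level
// always exists.
func RequiredLOA(a Assessment) int {
	for level := 1; level <= 4; level++ {
		fits := true
		for c := Category(0); c < numCategories; c++ {
			if a[c] > profiles[c][level-1] {
				fits = false
				break
			}
		}
		if fits {
			return level
		}
	}
	return 4
}

// CredentialTypes is step 3: the credential technologies the deck lists as
// acceptable at each level (NIST SP 800-63 holds the detailed token rules).
func CredentialTypes(level int) []string {
	switch level {
	case 1:
		return []string{"UserID/Password", "SAML assertion"}
	case 2:
		return []string{"high-entropy UserID/Password", "policy-lite PKI"}
	case 3:
		return []string{"one-time password", "PKI at FPKI Basic or Medium"}
	case 4:
		return []string{"PKI at FPKI Medium Hardware or High"}
	}
	return nil
}

// Accepts reports whether a credential issued at credLOA may be used by an
// application requiring appLOA: the credential level must not fall below it.
func Accepts(appLOA, credLOA int) bool {
	return appLOA >= 1 && appLOA <= 4 && credLOA >= appLOA
}

func main() {
	// Constructed sample: an application whose misuse could cause moderate
	// inconvenience, low financial loss and release of low-sensitivity data.
	app := Assessment{Inconvenience: Moderate, FinancialLoss: Low, SensitiveInfo: Low}
	level := RequiredLOA(app)
	fmt.Printf("required LOA %d; acceptable credentials: %v\n", level, CredentialTypes(level))
	fmt.Println("LOA 1 password accepted:", Accepts(level, 1)) // false
	fmt.Println("LOA 3 OTP accepted:", Accepts(level, 3))      // true
}
```

The rule that falls out of the table is worth noticing: a single Low rating for personal safety forces LOA 3 on its own, whatever the other categories say, which is why the risk assessment is done per category rather than as one overall score.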
The Federal Federation
• Credential Service Providers
– Covers 4 LOA: assertion-based identity credentials for L 1, 2; crypto-based identity credentials for L 3, 4
– Service Requirements – related to uptime, user support, etc.
– Interfederation Arrangements Encouraged
• Agency Applications
– Federal Agency Applications and Services
– Mandated by Administration
– Service Requirements – related to uptime, user support, etc.
Summary of Architecture and Policy/Procedures
• Architecture
– SAML assertions for LOA 1, 2 (encapsulate userid/passwords)
  • Vendor interoperability required for addition to approved vendor list
  • SAML 1.0 currently supported; SAML 2.0 specs being developed
– PKI or OTP for LOA 3
– PKI for LOA 4
– Scheme translator available
• Policy/Procedures
– Credential assessments for all CSPs:
  • CAF for assertion-based credentials;
  • cross certification with Federal PKI for crypto-based credentials
– Federal PKI Policies define requirements for digital certificate trustworthiness
– Business and Legal Rules define service requirements for all LOA
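What an agency application does with one of those LOA 1/2 SAML assertions before trusting it, as an added Go example (not code from the deck or the federation's scheme-translator software): it refuses unsigned assertions, checks the issuer is a known CSP, enforces the validity window and audience restriction, and accepts the asserted level only within the 1–2 range that assertion-based credentials cover. The assertion is a simplified SAML 2.0 shape; `urn:example:assurance-level` is a hypothetical attribute name for the CSP's asserted level, and the issuer and audience URLs are constructed. XML-DSig verification against the CSP's published key is assumed to happen before these checks and is not implemented here.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// assuranceAttr is the attribute in which, in this example, the CSP states the
// level of assurance at which it authenticated the user.
// ASSUMPTION: hypothetical attribute name, not the federation's real profile.
const assuranceAttr = "urn:example:assurance-level"

// Assertion maps just the parts of a SAML 2.0 assertion that the checks below use.
type Assertion struct {
	XMLName   xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Issuer    string    `xml:"Issuer"`
	Signature *struct{} `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
	Subject   struct {
		NameID string `xml:"NameID"`
	} `xml:"Subject"`
	Conditions struct {
		NotBefore    string `xml:"NotBefore,attr"`
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
		Audience     string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
	Attributes []struct {
		Name  string `xml:"Name,attr"`
		Value string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}

// SampleAssertion builds a constructed assertion for the given audience and
// asserted level, valid for the five minutes starting at notBefore.
func SampleAssertion(audience string, level int, notBefore time.Time) []byte {
	return []byte(fmt.Sprintf(`<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1" Version="2.0">
  <saml:Issuer>https://idp.example.edu</saml:Issuer>
  <ds:Signature><ds:SignatureValue>c29tZXNpZw==</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>jdoe@example.edu</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="%s" NotOnOrAfter="%s">
    <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="%s"><saml:AttributeValue>%d</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`, notBefore.Format(time.RFC3339), notBefore.Add(5*time.Minute).Format(time.RFC3339), audience, assuranceAttr, level))
}

// Evaluate performs the relying-party checks on an assertion and returns the
// assurance level it may be trusted for. Signature verification (XML-DSig against
// the CSP's key) is a prerequisite this example does not implement; it only
// refuses assertions that carry no signature element at all.
func Evaluate(raw []byte, trustedIssuer, audience string, now time.Time) (int, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return 0, err
	}
	if a.Signature == nil {
		return 0, errors.New("assertion is unsigned")
	}
	if a.Issuer != trustedIssuer {
		return 0, fmt.Errorf("issuer %q is not a federation CSP", a.Issuer)
	}
	notBefore, err := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	if err != nil {
		return 0, err
	}
	notOnOrAfter, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil {
		return 0, err
	}
	if now.Before(notBefore) || !now.Before(notOnOrAfter) {
		return 0, errors.New("assertion outside its validity window")
	}
	if a.Conditions.Audience != audience {
		return 0, fmt.Errorf("assertion intended for %q, not this application", a.Conditions.Audience)
	}
	level := 0
	for _, attr := range a.Attributes {
		if attr.Name == assuranceAttr {
			level, _ = strconv.Atoi(attr.Value)
		}
	}
	// Assertion-based credentials cover LOA 1 and 2 only; LOA 3 and 4 require
	// cryptographic tokens, so a higher claim carried in an assertion is refused.
	if level < 1 || level > 2 {
		return 0, fmt.Errorf("asserted level %d is not valid for an assertion-based credential", level)
	}
	return level, nil
}

func main() {
	start := time.Date(2007, 1, 1, 0, 0, 0, 0, time.UTC)
	app := "https://app.nih.example/login"
	raw := SampleAssertion(app, 2, start)
	level, err := Evaluate(raw, "https://idp.example.edu", app, start.Add(2*time.Minute))
	fmt.Println(level, err) // 2 <nil>
	_, err = Evaluate(raw, "https://idp.example.edu", app, start.Add(10*time.Minute))
	fmt.Println(err) // assertion outside its validity window
}
```

The audience check is the one most often skipped in practice: without it an assertion issued for one agency application can be replayed to another within its validity window.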
E-Authentication LOA and What They Mean*
• Level 1: Little or no assurance of identity; assertion-based identity authentication
• Level 2: Some assurance of identity; assertion-based identity authentication or policy-thin PKI
• Level 3: Substantial assurance of identity; cryptographically-based identity authentication
• Level 4: High assurance of identity; cryptographically-based identity authentication
* Codified in OMB Memorandum 04-04
E-Authentication LOA and What They Service**
• Level 1: Online applications with little or no risk of harm from fraud, hacking; low risk
• Level 2: Online applications with risk of some harm from fraud, hacking; some risks
• Level 3: Online applications where there is risk of significant harm from fraud, hacking; significant risks
• Level 4: Online applications where there is risk of substantial harm from fraud, hacking; substantial risks
** Codified in NIST SP 800-63
General Considerations for Determining LOA of an Electronic Identity Credential
• Identity Proofing – how sure are you that the person is who he or she claims to be?
• Identity Binding – how sure are you that the person proffering the EIC is the person to whom the credential was issued?
• Credential integrity – how well does the technology and its implementation resist hacking, fraud, etc.?
Summary of Lower-Level Identity Credentials
• Level 1: UserID/Password, SAML assertion (XML text)
• Level 2: “High entropy” UserID/Password; “policy-lite” PKI, e.g., Fed PKI Citizen and Commerce Class & Federal PKI Rudimentary, TAGPMA Classic Plus (in development)
Summary of Cryptographic-Based Identity Credentials
• Level 3: One-time Password; Substantial assurance PKI at FPKI Basic, Medium
• Level 4: High assurance PKI at FPKI Medium Hardware, High
A Little Complication
• The government has TWO LOA classifications:
1. Federal PKI LOA codified in the Certificate Policies of the Federal PKI Policy Authority
2. E-Authentication LOA codified in OMB M-04-04
LOA Mapping E-Auth to Fed PKI
• E-Auth Level 1: FPKI Rudimentary; C4
• E-Auth Level 2: FPKI Basic
• E-Auth Level 3: FPKI Medium & Medium-cbp
• E-Auth Level 4: FPKI Medium/HW & Medium/HW-cbp; FPKI High (governments only)
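How the mapping above is applied to an actual credential, as an added Go example (not code from the deck or from the Federal PKI): a certificate's certificatePolicies extension carries the policy OIDs it was issued under, and the relying party maps the strongest recognised FPKI policy to an E-Auth level. The OIDs here are hypothetical stand-ins under a private arc, not the real FPKI policy OIDs, which are defined in the FPKI Policy Authority's Certificate Policies; `NewTestCert` builds a self-signed certificate as constructed input, and `CertificateLOA` is this example's own name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-ce-certificatePolicies (RFC 5280).
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// fpkiPolicies pairs each FPKI level on the mapping slide with its E-Auth level.
// ASSUMPTION: hypothetical stand-in OIDs under a private arc, not the real FPKI ones.
var fpkiPolicies = []struct {
	OID  asn1.ObjectIdentifier
	Name string
	LOA  int
}{
	{asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}, "FPKI Rudimentary", 1},
	{asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 2}, "FPKI Basic", 2},
	{asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 3}, "FPKI Medium", 3},
	{asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 4}, "FPKI Medium-cbp", 3},
	{asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 5}, "FPKI Medium/HW", 4},
	{asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 6}, "FPKI Medium/HW-cbp", 4},
	{asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 7}, "FPKI High", 4},
}

// policyInformation is RFC 5280's PolicyInformation; qualifiers are left raw.
type policyInformation struct {
	Identifier asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// CertificateLOA returns the strongest recognised FPKI policy a certificate asserts
// and its E-Auth level. It assumes the chain was already validated to the Federal
// PKI trust anchor with policy mapping applied; an unvalidated certificate can
// assert any policy OID it likes.
func CertificateLOA(cert *x509.Certificate) (name string, loa int, err error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var asserted []policyInformation
		if _, err := asn1.Unmarshal(ext.Value, &asserted); err != nil {
			return "", 0, err
		}
		for _, p := range asserted {
			for _, f := range fpkiPolicies {
				if f.OID.Equal(p.Identifier) && f.LOA > loa {
					name, loa = f.Name, f.LOA
				}
			}
		}
	}
	if loa == 0 {
		return "", 0, fmt.Errorf("no recognised Federal PKI policy in certificate")
	}
	return name, loa, nil
}

// NewTestCert self-signs a certificate asserting the given policy OIDs: constructed
// test data standing in for a credential issued under the Federal PKI.
func NewTestCert(oids ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Jane Doe (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if len(oids) > 0 { // no extension at all when nothing is asserted
		var info []struct{ Identifier asn1.ObjectIdentifier }
		for _, o := range oids {
			info = append(info, struct{ Identifier asn1.ObjectIdentifier }{o})
		}
		der, err := asn1.Marshal(info)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewTestCert(fpkiPolicies[4].OID) // FPKI Medium/HW
	if err != nil {
		panic(err)
	}
	fmt.Println(CertificateLOA(cert)) // FPKI Medium/HW 4 <nil>
}
```

The deck's "cross certification with Federal PKI" is what makes this lookup meaningful: the cross-certificates between the Federal Bridge and a partner bridge carry policy mappings that translate the partner's own policy OIDs into FPKI ones, so the relying party has to run path validation with policy processing first and only then read the mapped policies as above.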
Fed PKI: View from 20,000 km
[Diagram: Federal PKI trust topology. Nodes: Common Policy CA (HSPD-12) with SSPs serving all other Agencies; FBCA; CertiPath SSP (HSPD-12-comparable); SAFE; C4; CertiPath Industry PKIs; eGCA (3).]
Fed PKI: View from 20,000 km
[Diagram: the same topology annotated with participants; labels recovered below.]
• Common Policy CA (HSPD-12) – SSPs: VeriSign, Cybertrust, ORC, Treasury, GPO, Exostar, Entrust/Cygnacom, IdenTrusT?; serving all other Agencies; total: 15 – 20M users
• FBCA – DOD, DHS, NASA, Commerce, USPS, USPTO, HHS, DOE, IL, DOJ, State, DOD/ECA, GPO, DOD/Interop, Treasury, Wells Fargo, MIT LL, UTexasSx; Commercial “SSP-like”
• eGCA (3) – ~ 500k users!; EAF member CSPs; TLS certs
• CertiPath (HSPD-12-comparable) – Industry PKIs: Boeing, Raytheon, Lockheed Martin
• SAFE – Industry PKIs: Abbott Labs, AstraZeneca, Bristol-Myers Squibb, Genzyme, GlaxoSmithKline, INC Research (“SSP”), Johnson & Johnson, Merck, Pfizer, Procter & Gamble, Sanofi-Aventis, TAP Pharmaceuticals
• C4
• State of VA first responders
Interoperability Initiatives
• CertiPath – Federal Bridge cross-certification complete
• SAFE PKI Bridge and services – supporting digitally-signed electronic forms and document management
• InCommon – assertion-based technology, LOA 1 & 2 – demonstration projects with NSF – interfederation with NIH NOW
Technology Implications
• US Government LOA,
• standardized risk assessment,
• standards for PIV cards and identity proofing and vetting
are here and INEVITABLY will migrate everywhere
– Pickup already noted in aerospace contractor space, homeland security
• Feds will have to deal with attributes eventually!
Security and Online Services Implications for Higher Ed
• DHS first responders, DEA PKIs and CMS initiatives to enable online services and payments management will drive medical schools, hospitals and insurance chains to adopt Federal models for electronic identity authentication
– Financial services firms under SEC regulation are already falling in line, both within and outside the eAuthentication federation participation
– DEA issuing digital certs to pharmaceutical supply chain entities and plans to do so to service providers (MDs, PAs, NPs, etc.)
– Treasury transfers > $1B daily via PKI
• Availability of online government apps drives schools to federate to take advantage of services/apps
What About Privacy?
• No single database of identity credentials
• No requirement for only one identity credential
• The old tradeoff still exists: convenience vs. security
• Are there forces out there that want to know who you are at all times?
– Of course; worry about RFID first.
NIH E-Authentication Initiative Goals
• Researchers use their institutional identity credentials to authenticate to NIH online applications and services
• Build a reliable, secure, trusted IT infrastructure that supports e-authentication
Current NIH Initiatives
• Interfederated with InCommon higher education Identity Management Federation at OMB LOA 1: low/no risk applications put online and consume identity credentials issued by universities that are members of InCommon;
• Extend interfederation agreement to OMB LOA 2 applications for universities that issue higher-assurance credentials under the InCommon Federation Silver program – for moderate risk applications (ETA 1/08);
• Direct trust relationship with University of Texas System Public Key Infrastructure
NIH Pilot LOA 1 Applications
• NLM Proxy Redirector (initial application)
• Good Clinical Practice (GCP)
• Community for Advanced Graduate Training (CAGT)
• NIH Login/ADFS/MOSS integration (general collaboration)
• More to follow
NIH Pilot LOA 2 Applications
• Electronic Research Administration (eRA)
• caBIG data (via Grid interoperability?)
• Firebird (FDA, SAFE, NIAID involvement)
• More to follow
End State for NIH
• All NIH outward-facing, online apps risk assessed and credential LOA requirements determined
• Credential validation infrastructure and/or linkages at production operational level
• All NIH outward-facing, online apps connected to NIH Login front end with validation service enabling infrastructure (e.g., Shibboleth, etc.)
• End State achieved… ???
Resources
• altermap@mail.nih.gov
• http://csrc.nist.gov/pki
• www.cio.gov/fpkipa
• www.cio.gov/ficc
• www.cio.gov/eauthentication
• www.smartcardalliance.org