Public Key Infrastructure Analysis - Controlled Substances Ordering System (CSOS) / (MADI) - PKI Certificate Policy Requirements Analysis


Public Key Infrastructure Analysis
Controlled Substances Ordering System (CSOS)/(MADI)
PKI Certificate Policy Requirements Analysis

Prepared for
Drug Enforcement Administration
Office of Diversion Control
Suite 3-100
600 Army Navy Drive
Arlington, Virginia 22202

in response to Assist 5C-A-JMD-0072-DO-220

February 3, 2000

Prepared by PEC Solutions, Inc.

MADI PKI Certificate Policy Requirements

TABLE OF CONTENTS

1. INTRODUCTION ... 1
1.1 OVERVIEW AND BACKGROUND ... 1
1.2 MISSION OF THE OFFICE OF DIVERSION CONTROL ... 1
1.3 DOCUMENT ORGANIZATION ... 2
1.4 DESCRIPTION OF TASK 2.2.1 ... 3
1.5 ANALYSIS METHODOLOGY ... 4
1.5.1 Industry Stakeholder Groups Defined ... 5
2. DEFINITIONS, STANDARDS, AND INITIAL DESIGN GUIDANCE ... 6
2.1 CERTIFICATE POLICY (CP) ... 6
2.2 LEVEL OF ASSURANCE/SECURITY ... 7
2.3 INITIAL DESIGN GUIDANCE ... 10
2.4 TRUST MODEL ... 13
3. FINDINGS FROM INTERVIEWS ... 14
3.1 REQUIREMENTS FOR SECURITY SERVICES ... 14
3.2 EXISTING SECURITY STANDARDS/ENVIRONMENT ... 18
3.3 CURRENT THREAT ENVIRONMENT ... 27
4. MADI PKI CERTIFICATE REQUIREMENTS ... 31
4.1 BACKGROUND ... 31
4.2 REQUIREMENTS ... 32
APPENDIX A - LIST OF INTERVIEWS, SITE VISITS, MEETINGS AND CONFERENCES ... 36
APPENDIX B - LIST OF DOCUMENTS REVIEWED ... 40
APPENDIX C - DOCUMENT ACRONYMS ... 42

EXHIBITS AND TABLES

EXHIBIT 1-1. INTERACTION BETWEEN DEA REGISTRANTS ... 2
EXHIBIT 3-1. SECURITY SERVICES USED BY CURRENT SYSTEM ... 15
EXHIBIT 3-2. CONFIDENTIALITY USED BY STAKEHOLDERS ... 16
EXHIBIT 3-3. AUTHENTICATION USED BY STAKEHOLDERS ... 17
EXHIBIT 3-4. INTEGRITY USED BY STAKEHOLDERS ... 17
EXHIBIT 3-5. NON-REPUDIATION USED BY STAKEHOLDERS ... 18
EXHIBIT 3-6. TYPES OF SECURITY USED BY MANUFACTURERS ... 19
EXHIBIT 3-7. TYPES OF SECURITY USED BY DISTRIBUTORS ... 19
EXHIBIT 3-8. TYPES OF SECURITY USED BY CHAIN DRUG STORES ... 20
EXHIBIT 3-9. TYPES OF SECURITY USED BY PHARMACIES ... 20
EXHIBIT 3-10. TYPES OF SECURITY USED BY OTHER STAKEHOLDERS ... 21
EXHIBIT 3-11. SECURITY MANDATED TO STAKEHOLDERS BY EXTERNAL, NON-GOVERNMENT ... 21
EXHIBIT 3-12. USE OF PKI TECHNOLOGY ... 22
EXHIBIT 3-13. ASPECTS OF MADI PKI ... 23
EXHIBIT 3-14. MADI ENROLLMENT PROCESS ... 24
EXHIBIT 3-15. MADI DESIGN ... 25
EXHIBIT 3-16. MADI DESIGN ... 26
EXHIBIT 3-17. APPROACH NEEDED TO ORDER CONTROLLED SUBSTANCES ... 27
EXHIBIT 3-18. REQUIRED LEVEL OF SECURITY ... 28
EXHIBIT 3-19. REQUIRED LEVEL OF SECURITY ... 29
EXHIBIT 3-20. USING PKI TO RELIEVE INDUSTRY'S CURRENT LIABILITY ... 30
EXHIBIT 3-21. RISK MANAGEMENT ... 30
TABLE 2-1. FEDERAL PKI SEMANTIC FRAMEWORK APPROXIMATION ... 8
TABLE 2-2. DEA/INDUSTRY PRE-INTERVIEW INPUT ON MADI PROJECT ... 11
TABLE 4-1. MADI PKI REQUIREMENTS ... 32

PEC Solutions, Inc. i 2/3/2000

1. Introduction

1.1 Overview and Background

Under the authority of the Controlled Substances Act of 1970, the Drug Enforcement Administration, Office of Diversion Control (OD) regulates the manufacture and distribution of Controlled Substances in the United States. This regulatory control is designed to prevent the diversion of legitimate pharmaceutical drugs into illegal channels and also to ensure that there is a sufficient supply for legitimate medical uses. Title 21, Code of Federal Regulations, Sections 1300-1399 sets forth in detail the authority and responsibilities of DEA in this area. It is further intended that their systems prevent the introduction of contraband Controlled Substances into the legal distribution channels.

The Government Paperwork Elimination Act of 1999 (Title XXII of Public Law 105-277) mandates that Federal agencies allow for the option of electronic submission of required records and for the use of electronic signatures when practicable.

The Manufacturers and Distributors (MADI) Public Key Infrastructure (PKI) will be designed to bring to this regulatory process the advantages of PKI. MADI will (1) reduce the amount of paper in the process, (2) speed transaction times, (3) lower costs per transaction and (4) introduce security services into the process.

The security services include those inherent in any PKI: (a) confidentiality of communications: only authorized persons will be able to read encrypted communications; (b) authentication of sending party: the recipient will be able to positively identify the sender of a communication and subsequently to demonstrate to a third party, if required, that the sender was properly identified; (c) integrity of communications: it will be possible for the recipient of a message to determine if the message content was altered in transit; (d) non-repudiation: the originator of a message cannot convincingly deny to a third party that the originator sent it.

1.2 Mission of the Office of Diversion Control

The Federal Code of Regulations Title 21, Sections 1300-1399, defines the registration, record keeping, inventory, order processing, prescribing, and miscellaneous activities as they relate to Controlled Substances. Persons who wish to participate in a Controlled Substances business activity, i.e. manufacturing, distributing, dispensing, research, narcotic treatment programs, import, export, are required to register with the Office of Diversion Control unless otherwise exempted from registration as described in §1301.22. Registrants fall into two categories, A-Type registrants and B-Type registrants, as shown below.

The MADI Project focuses on both Type B registrants, Manufacturers and Distributors, and Type A registrants, Retail Pharmacies, Hospitals & HMOs. The MADI Project will review the relationships and processes as they pertain to the DEA regulatory process and these two categories of registrants. The MADI Project will determine how the regulatory process can be enhanced through the use of a PKI.

[Figure: Interaction Between DEA Registrants. Type B Registrants: Drug Manufacturers; Type B Registrants: Distributors; Type A Registrants: Retail Pharmacies, HMOs, Hospitals, and Practitioners]

EXHIBIT 1-1. INTERACTION BETWEEN DEA REGISTRANTS

1.3 Document Organization

The document is organized into the following sections:

Section 1 – The introduction provides a description of this task and an overview of the goals and objectives of the task.

Section 2 – Section 2 provides definitions and standards that pertain to the classification of Certificate Policies by levels of assurance and security.

Section 3 – Section 3 provides detail and summary data and findings produced by the interviews, meetings, seminars, document reviews and site visits.

Section 4 – Section 4 provides analysis of the data and findings to derive the requirements for the MADI PKI.

Appendix A – Listing of Interviews, Site Visits, Meetings and Conferences

Appendix B – Listing of Documents Reviewed

Appendix C – Listing of Acronyms

1.4 Description of Task 2.2.1

Certificate Policy Requirements Analysis Task 2.2.1

The objective of this task is to define the quality of the security services required by the MADI PKI. This analysis will result in a clear general understanding of Certificate Policy (CP) requirements, but will not contain the level of detail found in a CP. During Task 3 a CP and a Certificate Practice Statement (CPS) will be developed drawing from the results of the analysis.

During this task PEC and DEA will define the level of security that the MADI Proof of Concept (POC) PKI must incorporate in order to support the requirements of DEA and Industry. The trust model most appropriate to the organizations and processes involved must also be determined. The analysis will involve making critical risk management decisions and trade-offs in levels of security, cost and resource allocation, time, technical feasibility, and user acceptance. This will be an interactive process between PEC and DEA.

The analysis will result in a statement of the obligations and liabilities of the Certification Authority (CA), Registration Authorities (RA), users, and relying parties. It is based on an understanding of relevant Federal and State laws, DEA Regulations, and accepted customs and practices of the Industry.

The analysis will provide recommendations in the context of the MADI PKI regarding the assurances and guarantees that the Certification Authority must make to the users and relying parties who accept and use the Certification Authority's certificates, and the responsibilities and obligations of users and relying parties of the Certification Authority's certificates. This will include liability issues, issues of financial responsibility, interpretation and enforcement of the policy or Certification Practice Statement, and possible fees associated with the PKI.

PEC will determine the requirements of the MADI Certification Authority pertaining to operational procedures. Some of these requirements may apply to the Registration Authorities and directories/repositories. The analysis will also focus on the physical, procedural, and personnel security controls that the MADI Certification Authority will implement. In the final Certificate Policy and Certification Practice Statement the MADI Certification Authority will make representations to users and relying parties regarding these matters. A representative list of topics that must be considered includes: site location and construction; power, air conditioning; protection against fire, water, damage; media storage; background checks and clearance procedures for employees; training and certification requirements for employees; role and authority separation for employees; identification and documentation of employees.

Another type of security control requirement, technical security controls, will also be analyzed. In this part of the analysis the technical controls needed by the MADI Certification Authority to ensure the secure function of key generation, user authentication, certificate management, audit, backup and archiving are determined. Representative areas of this analysis include key pair generation, private key protection, computer security controls, network security controls, and activation data.

A final area that will be considered is the certificate profile. The X.509 standard for PKI certificates is a complex data structure that permits many versions or profiles. This part of the analysis will determine the best and most feasible profile for user certificates and CRLs.

During this phase of the analysis PEC will make a determination as to which of the trust models is most appropriate for the MADI PKI. The four models are usually described as hierarchy; network/mesh; trust list; key ring. These models each have advantages and disadvantages. A choice of trust model has implications for decisions on product selection, cost, architecture, policies and procedures, and risk management.

[Schedule chart: ID 1, Task Name "Task 2.2.1 Cert Policy Requirements Analysis (KO 29 Weeks)", timeline May '99 through Dec '99]

1.5 Analysis Methodology

The methodology used for this analysis:

(1) Interviews with selected DEA and Industry representatives
(2) Review of documents recommended by DEA and Industry
(3) Visits to sites recommended by DEA and Industry
(4) Follow-up of leads and sources developed during (1)-(3) above and
(5) Questionnaires submitted to selected Industry representatives.

Appendix A of this document contains the listing of all interviews conducted, site visits made, and conferences and meetings attended in the preparation of this analysis. Appendix B contains a listing of all documents read and reviewed in preparation for this analysis.

1.5.1 Industry Stakeholder Groups Defined

In the current DEA 222 Form process, Stakeholders that are directly involved in the process are organized and defined here into high level categories. Each of these categories of Stakeholders is distinct in terms of their:

- Position in the process flow
- Impact of the process on their operations
- Motivation/Desire to Change
- Technology Infrastructure
- Acceptance of Technology
- Sensitivity to IT Cost

Manufacturers

Representative drug manufacturers were chosen from those who manufacture Schedule 2 Controlled Substances and process varying volumes of DEA 222 Forms: three large volume manufacturers, one medium and two small volume manufacturers, for a total of six interviews. Manufacturers process and fill DEA 222 Forms sent from their customers. Some manufacturers also transfer drugs or product internally using the DEA 222 Form.

Distributors

Representative drug distributors were chosen from those who distribute Schedule 2 Controlled Substances and process varying volumes of DEA 222 Forms: four large volume distributors, two medium and one small volume distributor, for a total of seven interviews. Distributors send DEA 222 Forms to their supplier. Distributors also receive DEA 222 Forms from their customers.

Chain Drug Stores/Grocery Chain Stores with In-house Pharmacies

Representative drug store chains and grocery stores that operate in-store pharmacies were chosen from those who either use an independent distributor to provide Schedule 2 Controlled Substances to the stores or those that centrally warehouse and distribute Schedule 2 Controlled Substances to their stores. Four large volume chain drug stores (two that centrally warehouse and distribute and two that do not), one medium chain grocery store with in-store pharmacies and one small chain grocery store with in-store pharmacies were interviewed.

Those that centrally warehouse and distribute Schedule 2 Controlled Substances have a similar volume and processing as a distributor. Those that utilize the services of an independent distributor have the same volume and process as an independent pharmacy.

Pharmacies

Representative pharmacy associations were chosen from those who represent the interests of both independent pharmacists and state boards of pharmacies. Three associations were interviewed. Pharmacies process DEA 222 Forms, which are then sent to a distributor to be filled.

HMOs and Others

Other representative groups who utilize the DEA 222 Form were chosen from health maintenance organizations (HMOs) and drug treatment clinics. Two HMOs and one methadone treatment clinic were interviewed. These groups process DEA 222 Forms, which are then sent to a distributor or directly to a manufacturer to be filled.

DEA/Pharmacy Boards/State Regulators

DEA Headquarters and Field Office personnel were designated by the Office of Diversion Control to participate in the interview process. DEA provided information on the regulatory issues of State Boards of Pharmacies and State regulators.

2. Definitions, Standards, and Initial Design Guidance

2.1 Certificate Policy (CP)

The X.509 Standard defines a Certificate Policy as "a named set of rules that indicate the applicability of a certificate to a particular community and/or class of application with common security requirements."

Request For Comment (RFC) 2527 is the Internet Engineering Task Force (IETF) Standard for the format and content of a Certificate Policy. It is widely accepted as the US Government and US Industry/Commercial Standard. It is a line by line standardization of the "named set of rules". Request For Comment 2527 also defines the Certification Practice Statement. The Certification Practice Statement is a more detailed description of the practices followed by the Certification Authority to implement the Certificate Policy. The Certificate Policy is a document intended for the public, the users and the relying parties; it is normally published in the same Repository in which the Certification Authority's certificates are published. The Certification Practice Statement is not always a public document, as it may contain details of operation useful to an adversary.

It is explained in Request For Comment 2527 that when a Certification Authority issues a Public Key Certificate (PKC) to an entity, the Certification Authority cryptographically binds a public key value to a set of information that identifies that entity. The entity can be a human user, an organization, or perhaps some item of equipment. The entity is the subject of the certificate. The Certification Authority certifies that the entity holds the private key value corresponding to the public key value in the Public Key Certificate. A Public Key Certificate is used by a "certificate user" or "relying party" that needs to use, and rely on the accuracy of, the Public Key Certificate. Typically the user wants to verify a digital signature of a certificate subject or to encrypt information for the certificate subject.

It is re-stated for emphasis here that the fundamental assumption of PKI is: the subject of a Public Key Certificate does hold the corresponding private key. The Certification Authority establishes this through some Proof of Possession (POP) test/assumption. The Proof of Possession test/assumption can range from very weak to very strong.

Request For Comment 2527 further explains the degree to which the certificate user can trust the Certification Authority's binding of the public key. The trust depends on several factors. These factors include: the practices followed by the Certification Authority in authenticating the identity of the subject of the certificate; the Certification Authority's operating policy, procedures and controls; the subject's obligations, particularly those in connection with protecting the private key and reporting it lost or compromised; and the stated undertakings and legal obligations of the Certification Authority such as warranties and limitations on liabilities.

The degree to which a prudent user should trust the Certification Authority's binding of public key and subject of certificate is best measured by the Level of Assurance/Security at which the Certification Authority is operated.

2.2 Level of Assurance/Security

There is no universally agreed upon standard for the syntax or semantics to be used in describing Levels of Assurance/Security. There is a Government of Canada (GOC) standard and an evolving US Government standard, based very closely on the Government of Canada standard. The levels in both are: Rudimentary; Basic; Medium; and High.

In the Request For Comment 2527 format for a Certificate Policy there is a large set of items recommended for inclusion. The items each have relevance in determining or describing the level of assurance at which a Certification Authority operates. The items should each be at least considered by the Certificate Policy writer. The items that are relevant should be completed in detail. The items that are not relevant may be noted as "no stipulation". Set forth below is a short list of issues, derived primarily from the items of the standard. Item (13) is not drawn from the standard but is included to provide a simple threat context for the evaluation.

Determining how a Certificate Policy addresses a very similar subset (1)-(12) of these significant issues is a shorthand method under consideration by the Federal PKI (FPKI) Steering Committee for evaluating the overall level of assurance that a Certificate Policy is written to. For the purposes of this analysis we have adopted a close approximation of the Federal PKI semantic framework.

FEDERAL PKI SEMANTIC FRAMEWORK APPROXIMATION

Each item below is given for the four columns of the table: Rudimentary Level, Basic Level, Medium Level, High Level.

1. Certification Authority action if private key is lost or compromised
   Rudimentary: Certification Authority does not bother to revoke end entity certificates if private key is lost or compromised; no CRL is published
   Basic: Certification Authority does revoke end entity certificate if private key is lost or compromised, and CRLs are published at least every 24 hours; 6 hours if Certification Authority's private key is compromised
   Medium: Certification Authority does revoke end entity certificate if private key is lost or compromised, and CRLs are published at least every 12 hours; 2 hours if Certification Authority's private key is compromised
   High: Certification Authority does revoke end entity certificates if private key is lost or compromised, and CRLs are published every 4 hours; ½ hour if Certification Authority's private key is compromised

2. Division of authority/capability among Certification Authority personnel (i.e. N person integrity)
   Rudimentary: All critical Certification Authority functions can be performed by one person
   Basic: All critical Certification Authority functions must be performed by at least 2 people
   Medium: All critical Certification Authority functions must be accomplished by at least 3 people
   High: All critical Certification Authority functions must be done by at least 3 people

3. Certificate validity period
   Rudimentary: Certificate duration for signature key is up to 6 years if CRLs are published; one year with no CRLs published
   Basic: Certificate duration for signature key is up to 4 years
   Medium: Certificate duration for signature key is up to 2 years
   High: Certificate duration for signature key is up to 1 year

4. Backup of Certification Authority and end entity keys
   Rudimentary: Certification Authority and end-entity private key is not backed up; no requirement for confidentiality private key
   Basic: Certification Authority and end-entity signature keys must not be backed up; confidentiality private keys are backed up
   Medium: Certification Authority and end-entity signature private keys must not be backed up; confidentiality private keys are backed up
   High: Certification Authority and end entity signature private keys must not be backed up; confidentiality private keys must be backed up

5. Interval between request and issuance of certificate
   Rudimentary: No stipulation
   Basic: End-entity certificates issued within 5 days of request by Registration Authority
   Medium: End-entity certificates are issued within two days of request by Registration Authority
   High: End-entity certificates are issued immediately upon request by Registration Authority

6. External auditing
   Rudimentary: External audit for compliance with Certificate Policy is performed every three years
   Basic: External audit for compliance with Certificate Policy is performed every 2 years
   Medium: External audit for compliance with Certificate Policy is performed every year
   High: External audit for compliance with Certificate Policy is performed every year

7. Naming requirements
   Rudimentary: End entity certificates do not require distinguished names
   Basic: End entity certificates require distinguished names
   Medium: End entity certificates require distinguished names
   High: End entity certificates require distinguished names

8. Proof of possession protocols
   Rudimentary: End-entities do not have to prove possession of private key to obtain certificate
   Basic: End-entities do have to prove possession of private key to obtain certificate
   Medium: End entities do have to prove possession of private key to obtain certificate
   High: End entities do have to prove possession of private key to obtain certificate

9. Certification Authority standard for proof of identity from certification applicant
   Rudimentary: End entity identity proofing is not required; registration can be done in person or on line
   Basic: End entity identity proofing is required; it can be done on-line or in person to a Registration Authority, 2 forms of ID required
   Medium: End entity identity proofing for certificate issuance required; it can be done on-line or in person; it requires two IDs including at least one picture ID issued by a Government entity
   High: End entity identity proofing for certificate issuance required; requires personal appearance with two IDs including at least one picture ID issued by a government entity

10. Requirements for Certification Authority record maintenance
   Rudimentary: No requirement as to how long Certification Authority activity records must be maintained
   Basic: Certification Authority activity records must be maintained for at least 7.5 years
   Medium: Certification Authority activity records must be maintained for at least 10.5 years
   High: Certification Authority activity record must be maintained for at least 20 ½ years

11. Asymmetric key length modulus
   Rudimentary: No requirement on asymmetric key modulus
   Basic: Keys must have the security equivalent of 1024 bit RSA modulus
   Medium: Keys must have the security equivalent of 1024 bit RSA modulus
   High: Keys must have the security equivalent of 2048 bit RSA modulus

12. Certification Authority signing key and end entities private key
   Rudimentary: Certification Authority signing key and end entities private keys may be in hardware or software
   Basic: Certification Authority signing key must be in hardware; end entities private keys may be in hardware or software
   Medium: Certification Authority signing key must be in hardware; end entities private keys may be in hardware or software
   High: Certification Authority signing key and end entities private keys shall be in hardware

13. Extent of damage if the end entity private key compromised
   Rudimentary: No injury or loss accrues to enterprise from compromise of end entity private key
   Basic: Injury accrues to enterprise if the end entity private confidentiality key is compromised; it would cause only minor injury if the end entity private signing key is compromised
   Medium: Serious injury accrues to enterprise if the end entity private confidentiality key is compromised; it could cause significant financial loss or require legal action for correction if the end entity private signing key is compromised
   High: Extreme injury accrues to the enterprise if the end entity confidentiality private key is compromised; it could cause loss of life, imprisonment, or major financial loss if the end entity private signature key is compromised

Table 2-1. Federal PKI Semantic Framework Approximation

2.3 Initial Design Guidance

Prior to the initiation of the interview phase of the project, MADI project personnel received input from both DEA and Industry. Much of the early input was subsequently echoed in the interviews. The early input was very consistent among both DEA and Industry personnel. This provided PEC with sufficient guidance to allow more focus on other areas of discussion during the interviews. An example of the type of guidance is the need for high availability of the PKI infrastructure.

The input from DEA came primarily in a series of formal meetings. In these meetings DEA personnel (1) attempted to educate the MADI team in the responsibilities and
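Table 2-1 lends itself to a mechanical check of a draft Certificate Policy. The script below is an added example, not part of the PEC/DEA document: it encodes the quantitative items of the table (1-3 and 5-12; items 4 and 13 are qualitative and omitted) and reports the highest level a policy's parameters satisfy together with the items blocking the next level; the dictionary keys, the identity-proofing ranks and the sample policy are constructed for illustration.

```python
"""Classify a Certificate Policy against the Federal PKI semantic framework
approximation in Table 2-1 (items 1-3 and 5-12). Added example, not the
document's own tooling: key names, IDPROOF ranks and SAMPLE_POLICY are
constructed; the thresholds are the figures given in Table 2-1."""

LEVELS = ["Rudimentary", "Basic", "Medium", "High"]

# Rank of the item 9 identity-proofing requirement, weakest to strongest.
IDPROOF = {"none": 0, "online_two_ids": 1, "online_two_ids_gov_photo": 2,
           "in_person_two_ids_gov_photo": 3}

# One row per table item: thresholds for (Rudimentary, Basic, Medium, High)
# followed by the comparison rule. "max": the policy value must not exceed
# the threshold; "min": it must reach it. None means no stipulation.
REQUIREMENTS = {
    "crl_hours_ee":   (None, 24, 12, 4, "max"),       # item 1: CRL interval, end-entity key lost
    "crl_hours_ca":   (None, 6, 2, 0.5, "max"),       # item 1: CRL interval, CA key compromised
    "n_person":       (1, 2, 3, 3, "min"),            # item 2: N-person integrity
    # item 3: at Rudimentary, 6 years if CRLs are published, 1 year otherwise
    "validity_years": (lambda p: 6 if p.get("crl_hours_ee") is not None else 1,
                       4, 2, 1, "max"),
    "issuance_days":  (None, 5, 2, 0, "max"),         # item 5: request-to-issuance interval
    "audit_years":    (3, 2, 1, 1, "max"),            # item 6: external audit interval
    "dn_required":    (False, True, True, True, "min"),    # item 7: distinguished names
    "pop_required":   (False, True, True, True, "min"),    # item 8: proof of possession
    "id_proofing":    (0, 1, 2, 3, "min"),            # item 9: IDPROOF rank
    "record_years":   (None, 7.5, 10.5, 20.5, "min"),      # item 10: CA record retention
    "rsa_equiv_bits": (None, 1024, 1024, 2048, "min"),     # item 11: key strength
    "ca_key_hw":      (False, True, True, True, "min"),    # item 12: CA signing key in hardware
    "ee_key_hw":      (False, False, False, True, "min"),  # item 12: end-entity keys in hardware
}


def meets(policy, item, threshold, rule):
    """True if the policy's value for one item satisfies one level's threshold."""
    if callable(threshold):
        threshold = threshold(policy)
    if threshold is None:
        return True                     # no stipulation at this level
    value = policy.get(item)
    if value is None:
        return False                    # unstated or unpublished: level cannot be claimed
    return value <= threshold if rule == "max" else value >= threshold


def assurance_level(policy):
    """Return (level, shortfalls): the highest level every item satisfies and the
    items blocking the next level (empty at High). level is None when even the
    Rudimentary row is not met."""
    achieved = None
    for idx, name in enumerate(LEVELS):
        shortfalls = [item for item, (*thresholds, rule) in REQUIREMENTS.items()
                      if not meets(policy, item, thresholds[idx], rule)]
        if shortfalls:
            return achieved, shortfalls
        achieved = name
    return achieved, []


# Constructed sample: revocation with 12-hour CRLs, 3-person control, 2-year
# certificates, online proofing with a government photo ID, hardware CA key,
# software end-entity keys.
SAMPLE_POLICY = {
    "crl_hours_ee": 12, "crl_hours_ca": 2, "n_person": 3, "validity_years": 2,
    "issuance_days": 2, "audit_years": 1, "dn_required": True, "pop_required": True,
    "id_proofing": IDPROOF["online_two_ids_gov_photo"], "record_years": 10.5,
    "rsa_equiv_bits": 1024, "ca_key_hw": True, "ee_key_hw": False,
}

if __name__ == "__main__":
    level, gaps = assurance_level(SAMPLE_POLICY)
    print(f"{level}; items blocking the next level: {gaps}")
```

A policy that omits a CRL entirely is held to the one-year Rudimentary validity limit, so a two-year certificate without CRLs does not even reach Rudimentary.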

