Transcription
Strategies for the Implementation ofPIV – I Secure Identity CredentialsA Smart Card Alliance Educational Institute WorkshopAccess Security Usage Models for PIV – I Trusted IdentityCredentials Roger Roehr Principle, Roehr consulting9th Annual Smart Cards in Government ConferenceWashington DC Convention Center ― November 16-19, 2010Property of the Smart Card Alliance 2010
PIV-I Usage models Government and PIV-I First responder at Government site Government want to send a encrypteddocument for a contract. Internal use of PIV-I A company wants secure remote access foremployees PIV-I to PIV-I One aircraft company want to digitally signtest results to anotherProperty of the Smart Card Alliance 2010
Two parts to Access Policy (PIV-1) What are the requirements to get thecredential? What are requirements for access? Technology (PIV-2) What operation capabilities of thecredential? What the operation capabilities of thesystem?Property of the Smart Card Alliance 2010
What do you get from the Property of the Smart Card Alliance 2010
What are your access requirements? Who Validates the request? Identity proofing? Background checks? What are authentication requirements? What do you need for a audit?Property of the Smart Card Alliance 2010
Define Your ProcessVisitor issponsoredPIV cardholder?NoCollectBiometric &BreederDocumentPrivilege for EscortedAccessYesDoesCredentialHolder knowthe PIN?NoCollectBiometric &VerifyCertificateYesEnterPINVerify Biometric& VerifyCertificateProperty of the Smart Card Alliance 2010Privilege for UnescortedAccess
Use case of send a encrypted email A government person is going to send aencrypted email to a contractor.1. Getthe certificate for recipient2. Establish3. Encrypttrust for the certificatewith public key and sendProperty of the Smart Card Alliance 2010
The PKI CertificateRootIntermediateCredential CertificateProperty of the Smart Card Alliance 2010
Which Root do You Trust?Property of the Smart Card Alliance 2010
How Roots Get TrustProperty of the Smart Card Alliance 2010
The PKI BridgesYour OrganizationRootBridgeCRLYour OrganizationIntermediateCRLOther OrganizationRootCRLYou onlyneed to trustyour root!Your OrganizationCertificatesCRLOther OrganizationIntermediateCRLOther OrganizationCertificatesProperty of the Smart Card Alliance 2010
How the Bridges ConnectCommon Policy CATotal: 12 – USPTOHHSDOEIL State DOJDOD/ECAGPOTreasuryWells FargoMIT LLUTexasSxServing all otherAgenciesCertiPath SSPSAFECertiPathIndustry PKIsAbbott Labs , AstraZeneca,Bristol-Myers Squibb,Genzyme,GlaxoSmithKline, INCResearch, Johnson & JohnsonMerck, Pfizer, Procter & GambleSanofi-AventisProperty of the Smart Card Alliance 2010Industry PKIsBoeingRaytheonLockheed Martin
Boeing digitally signs a contractfor the US GovernmentFederal BridgeCertiPath BridgeCRLBoeing’s RootCRLCRLBoeing’s Intermediate#3Treasury RootCRLCRLJoe Boeing’sSigning CertificatesProperty of the Smart Card Alliance 2010
CRL ValidationYour OrganizationRootBridgeCRLOther OrganizationRootCRLYour OrganizationIntermediateCRLOther OrganizationIntermediateCRLCRLYour OrganizationCertificatesOther OrganizationCertificatesProperty of the Smart Card Alliance 2010
OCSP ValidationYour OrganizationRootBridgeCRLOPSPResponderOther OrganizationRootCRLOPSPResponderYour OrganizationIntermediateCRLOPSPResponderOther ponderYour OrganizationCertificatesOther OrganizationCertificatesProperty of the Smart Card Alliance 2010
SCVP ValidationYour OrganizationRootBridgeOther OrganizationRootCRLCRLSCVPYour OrganizationIntermediateResponderCRLCRLOther OrganizationIntermediateCRLYour OrganizationCertificatesOther OrganizationCertificatesProperty of the Smart Card Alliance 2010
The Public KeyThe message now can beencrypted with the Trustedpublic keyProperty of the Smart Card Alliance 2010
Physical Access Use Case Government agency wants to use PIV-I inphysical access control system.1. A sponsor need to establish a need foraccess.2. Vetting of attributes and back ground check3. The credential PKI need to be validated andthe credential then need to be registers intothe system4. A physical access model need to be definedProperty of the Smart Card Alliance 2010
Attributes Currently there is no standard format forelectronic exchange of attributes The Back End Attributes exchange is acurrent task of the CIO council Some proprietary first response models havebeen field testedProperty of the Smart Card Alliance 2010
Physical access models In all model PIV authentication certificatesshould be escrowed and check routinely Use PIV-I GUID and PIV with GUID at the doorand issue PIV holders without GUID acredential. Use PIV FASC-N and issue PIV-I a credential Build a PACS with discovery system and usePIV Not available at this timeProperty of the Smart Card Alliance 2010
Credential NumbersPIVkeyFingerprintCHUIDFASC-N (PIV)Agency CodeSignKeyCHUIDGUID (PIV-I)Expiration DateOrganization IDSignatureFASC-NAgency CodeSystem CodeCredential NumberCredential SeriesICIPerson IDOrg CatOrg IDPOAProperty of the Smart Card Alliance 2010
PIV vs. PIV-I IdentifiersPIV IdentifierAgency CodeSystem CodeCredential NumberExpiration Date(4 BCD -14bits)(4BCD – 14bits)(6BCD – 20bits)(8BDC -25 bits)Total of 73bits GSA Wiegand format adds 2 bits for parityNote: DOD & TWIC need CS and ICI 1BCD -4bit ea for total 8bits extraPIV-I IdentifierAgency Code 9999GUID (128bits)Property of the Smart Card Alliance 2010
Final Thoughs Define use case first! PIV and PIV-I are not the same and willrequire different policy and systemconfiguration PACS that are PIV compliant might not bePIV-I compliant Security only comes from properimplementationProperty of the Smart Card Alliance 2010
Roger Roehrroger.roehr@gmail.com703-407-8249 Smart Card Alliance 191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828 www.smartcardalliance.orgProperty of the Smart Card Alliance 2010
Certificate Verify Biometric & Verify Certificate No No Privilege for Unescorted Access . The PKI Certificate Root Intermediate Credential Certificate . . USPS USPTO HHS DOE IL State DOJ DOD/ECA GPO T
