EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

Presentation transcript:

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide Policy October 31, 2001

e-Gov and PKI Drivers Government Paperwork Elimination and ESIGN Acts Public Expectations Long-term Cost Savings The Need for Privacy and Security –Government is held to higher standard Trading Partner Practices

Business Driver: Savings by Process Type
Columns: Process Type, Traditional System, Internet, Percent Savings
Bill Payment $ $3.32 $ $ % - 67%
Insurance Policy $400 - $700 $200 - $350 50%
Software Distribution $15 $ $ % - 67%
Procurement 70%
Motor Vehicle Registration $7 <$2 71%
Order-Filling (DOD) $24 $12 50%

Electronic Signatures in Global and National Commerce Act Signed by President Clinton on 6/30/00. E-SIGN addresses: –Commercial, consumer, and business transactions affecting interstate or foreign commerce; –Legality of electronic signatures and records; –Preemption of inconsistent statutes/rules. E-SIGN does not address: – security, authentication, or records requirements; – interoperability; –Electronic signatures based on different technologies; –Rules for reliance/accepting different kinds of signatures. Federal Agency activities and requirements are generally not within the scope of this legislation; they are instead addressed by the Government Paperwork Elimination Act (GPEA).

GPEA Requirements The Government Paperwork Elimination Act (GPEA) of 1998 addresses: –Requirement for federal agencies to offer the public the option of electronic filings/transactions/record-keeping for agency business by October 2003; –Legality of electronic signatures and records; –Technology neutrality -- electronic signature alternatives. OMB required all agencies to report on GPEA implementation/compliance by 10/00, including: –Information collections under the Paperwork Reduction Act; –Use of electronic signature; –Risk assessment.

What is an Electronic Signature under E-SIGN? “…means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.” –PIN or password; –Biometric profile; –Click-through on a software program’s dialog box; –Typed names; –Digitized image of a handwritten signature; –Digital signature or other encrypted authentication system; –Knowledge-based authentication.

Security Needs Met by PKI Authentication: Is the originator who they say they are? –Achieved by binding the sender’s identity credentials to the message (digital signature). Data Integrity: Has the message/transaction been accidentally or maliciously altered? –Achieved by comparing a hash of the data (digital signature). Confidentiality: Can the message be read only by authorized entities? –Encryption protects information from unauthorized disclosure. Non-repudiation: Can the sender or receiver dispute that the message was actually sent or received? –Enabled through the digital signature process.

Public Key or Digital Certificates - The Electronic ID A trusted third party, the Certificate Authority (CA), issues the digital certificate, containing: name, issuer’s name, certificate holder’s public key, other attributes. The Issuer (CA) must verify and bind identity to the Electronic ID. The Issuer (CA) digitally signs the certificate so no one can change its contents and the certificate can be verified as authentic. Example digital certificate: –Name: Joe College; –Serial #: (unique identifier for certificate); –Issuer: CA #78901 (unique identifier for certificate issuer); –Expiration: 12/1/02 (certificate expiration date, validity period); –Public Key: (certificate holder’s public key); –CA’s Digital Signature (ensures certificate’s validity).

Digitized vs. Digital Signature A Digitized Signature is a scanned image that can be pasted on any document. A Digital Signature is a numeric value that is created by performing a cryptographic transformation of a message using the “signer’s” private key. [Figure: a digital signature shown beside a digitized signature]

Why build a Federal PKI? Statutory mandates for e-government and implementing electronic signature technology Business Demands for improved services at lower cost Leverage infrastructure costs Critical security need Why not a Federal PKI? Privacy concerns Agency internal politics Vendor battles for market space Cost

Federal PKI Approach Determine need for PKI through risk assessment. Use PKI when electronic signature and document/data integrity must be assured (non-repudiation). Provide Federal PKI and PKI services contract for government-wide use -- ACES. Build Federal PKI Interoperability –Establish Federal PKI Policy Authority (for policy interoperability). –Implement Federal Bridge CA using COTS (for technical interoperability). Organize federal agency PKI use around common citizen and industry groups.

The Core Federal PKI DOD IECA DOD PKI GSA ACES NFC PKI Federal Bridge CA Available to all Federal agencies Available to all Military personnel and dependents Available to all Government vendors and contractors Available to all U.S. citizens, businesses, government agencies

PKI Interoperability Policy PKI Interoperability involves the determination of “Trusted” PKI domains which will meet the level of assurance needed. Technical PKI interoperability involves the validation of certificates from a different PKI domain to determine validity of certificates and paths. A small number of PKI domains makes it easier to achieve interoperability -- however it is still complex. [Diagram: PKI Domain 1, PKI Domain 2, PKI Domain 3, linked by Certification Policies & Practices Statements, Validation Protocols, Bi-lateral Agreements]

The Challenge to PKI Interoperability PKI interoperability becomes much more complex as the number of PKI domains increases.

The Solution: The Federal Bridge CA The Federal Bridge CA simplifies PKI interoperability: Common and easy way to determine “Trusted” PKI domains and assurance levels (policy mapping); Common and relatively easy way to validate certificate status through cross certification; Standard Bi-lateral Agreement between the Bridge and Agency CA. [Diagram labels: FPKI Policy Authority; FBCA Operational Authority]

PKI Policy Mapping -- Equivalence Example [Diagram columns: FBCA Requirements, NFC PKI, DOD PKI, DOD IECA PKI, ACES PKI. Levels shown: FBCA High, FBCA Medium, FBCA Basic, FBCA Rudimentary; NFC PKI High, NFC PKI Medium, NFC PKI Basic, NFC PKI Test; DoD 2, DoD 3, DoD 4; DoD IECA (Med); GSA ACES (Med)]

ACES Program Vision –Common PKI solution encourages agencies to work together; –Allows equitable cost sharing among agencies; –Efficient, effective, economical due to aggregation of Federal needs; –One digital identity credential can be used by multiple Agency processes; –“Anonymous” certificate numbering for identification; –Public pays nothing for digital ID.

ACES Registration Processes ACES Contractor Registration for Individuals Agency Registration Business Representative Registration

ACES Remote (On-line) Certificate Application Process Public applies for certificate Secure Web Federal State Commercial ACES vendor validates ID to multiple independent databases Applicant PIN activation process ACES vendor registers applicant for certificate and mails one-time PIN ACES vendor sends registered certificate

Authorized Web-based Application Access Authorized System with ACES authentication Return Personalized Services/Benefits/ Information Validate Electronic ID (ACES) through standard on-line protocol (OCSP) Secure Web Citizen Accessing Web-Based Applications and Services ACES Contracted Certificate Authority Federal Agency

CAM Architecture [Diagram components: Agency Application, App API, CAM, AA Interface, CA I/F, Crypto Library (RSA, DSA, ECDSA), ACES CA, CA n, Subscriber Certs, Signature Device with CAM Private Key, CA Certificate List, Invalid Certificate List, Transaction Log, Subscriber]
Scope of CAM:
- Parse Cert
- Verify Issuer as an ACES CA
- Verify Issuer’s signature
- Verify operational period
- Check cached Invalid Cert IDs
- Get route to Issuer
- Send signed Status Request & Cert data to Issuer
- Receive signed Status Response
- Verify Status Response signature
- Pass status & cert data to App
- Log audit data
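The validation sequence listed on the CAM Architecture slide above, as an added Python example (not code from the presentation or the ACES program): each check runs in the slide's order and any failure rejects the certificate. Assumptions: certificates are plain dictionaries, HMAC-SHA256 under a per-CA demo key stands in for the CA's RSA/DSA/ECDSA signature, the signed status request and routing are reduced to a direct function call, and all keys, serial numbers and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo data. HMAC-SHA256 under a per-CA key stands in for the
# CA's RSA/DSA/ECDSA signature so the example needs only the standard library.
CA_KEYS = {"CA #78901": b"demo-key-for-ca-78901"}   # "CA Certificate List"
INVALID_CACHE = {("CA #78901", "1002")}             # cached "Invalid Certificate List"
REVOKED_AT_ISSUER = {"1003"}                        # state held by the simulated issuer
AUDIT_LOG = []                                      # "Transaction Log"

def sign(issuer, payload):
    return hmac.new(CA_KEYS[issuer], payload.encode(), hashlib.sha256).hexdigest()

def tbs(cert):
    """Canonical 'to be signed' string over the certificate fields."""
    return "|".join(cert[k] for k in ("name", "serial", "issuer", "not_before", "not_after"))

def make_cert(name, serial, issuer, not_before, not_after):
    cert = dict(name=name, serial=serial, issuer=issuer,
                not_before=not_before, not_after=not_after)
    cert["signature"] = sign(issuer, tbs(cert)) if issuer in CA_KEYS else ""
    return cert

def issuer_status(issuer, serial):
    """Simulated issuing CA: returns a signed status response."""
    status = "revoked" if serial in REVOKED_AT_ISSUER else "good"
    return {"serial": serial, "status": status,
            "signature": sign(issuer, f"{serial}|{status}")}

def validate(cert, today, responder=issuer_status):
    """Run the slide's checks in order; log every outcome; fail closed."""
    def done(result):
        AUDIT_LOG.append((cert["serial"], cert["issuer"], result))
        return result
    issuer = cert["issuer"]
    if issuer not in CA_KEYS:                                   # issuer is a listed CA?
        return done("untrusted-issuer")
    if not hmac.compare_digest(cert["signature"], sign(issuer, tbs(cert))):
        return done("bad-signature")
    if not cert["not_before"] <= today.isoformat() <= cert["not_after"]:
        return done("outside-validity")                         # operational period
    if (issuer, cert["serial"]) in INVALID_CACHE:
        return done("revoked-cached")
    resp = responder(issuer, cert["serial"])                    # status request to issuer
    expected = sign(issuer, f"{resp['serial']}|{resp['status']}")
    if resp["serial"] != cert["serial"] or not hmac.compare_digest(resp["signature"], expected):
        return done("bad-status-response")
    return done("valid" if resp["status"] == "good" else "revoked")
```

Dates are ISO strings (`"2002-12-01"`) and `today` is a `datetime.date`; a status response that fails signature verification is treated as a rejection rather than ignored.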

Who Can Be a Member of the ACES PKI? Certificate Authorities – ACES contractors Relying Parties – Any Federal agency – Non-federal entities if authorized by a Federal Agency for legitimate program purposes. Subscribers – Any individual in U.S. – Any individual as a representative of a business, organization, or governmental entity

PKI and Smart Cards Securely store, protect, and transport cryptographic keys (public/private keys) and digital certificates. Capacity to hold multiple keys/certificates. Provide secure computational and processing facility without exposing sensitive information to risk. Provides security for: generation of digital signature, use of private key for personal authentication, portable permissions/logical access control. Convenience for end user. PKI can be one set of functions on a multi-application smart card. Should result in trust and confidence in E-Gov applications.

For More Information Phone David Temoshok Websites