Trusted Identities That Drive Global Commerce IdenTrust: NCMS Presentation JPAS Logon changes requiring PKI credentials Richard Jensen, October 19th, 2011.

Presentation transcript:

Slide 1: Trusted Identities That Drive Global Commerce. IdenTrust: NCMS Presentation. JPAS Logon changes requiring PKI credentials. Richard Jensen, October 19th, 2011

Copyright ©2011 IdenTrust, Inc. | All Rights Reserved

Slide 2: Agenda
- Summary of PKI requirement
- What is PKI
- What are these things called Digital Certificates
- Who's behind this
- Types of Certificates
- What's the difference
- Getting a Certificate
- Where do you begin
- What's required
- Documentation and forms
- Trusted Correspondent Program
- Questions

Slide 3: So what is PKI?
- In broad terms, Public Key Infrastructure (PKI) refers to the methods, technologies and techniques that together provide a secure infrastructure enabling users of an essentially unsecured public network (the Internet) to exchange information securely and privately
- A systemic approach in which every participant agrees to abide by a specific set of rules (the Policy) regarding Identity Management
- Application owners want to ensure that the people trying to access their sites really are who they say they are
- End Users have someone verify their identity so they can be issued a Digital Certificate to use in online transactions or to access protected sites
- Certificate Authorities (like IdenTrust) issue Digital Certificates to individuals once they are certain of a person's identity, based on a set of rules (the Policy)
[Diagram: Policy, CA, Digital Certificates, Applications]

Slide 4: Who is in charge of this program?
- The DoD established the External Certificate Authority (ECA) program to accommodate the issuance of DoD-approved PKI certificates to individuals who do not have, or do not qualify for, a Common Access Card (CAC). DoD is the 'owner' of the ECA Policy
- DISA manages the ECA Program. ECA is just the name of the Certificate Policy under which the credentials are issued. DISA certifies Certificate Authorities (like IdenTrust) after the CA goes through a rigorous set of testing to meet ECA Policy requirements: Security, System Architecture, Fulfillment, Processes, Revocation, etc.
- DMDC decided to accept ECA certificates for use in the JPAS system. JPAS is simply an application that relies on the integrity of ECA certificates

Slide 5: PKI's 'product' is a Digital Certificate
A PKI Digital Certificate is a Digital Identity issued to an individual so they can:
- Authenticate your identity to an online system. For JPAS this augments the username and password currently in use
- Digitally sign documents. You can use your Digital Certificate to replace your wet ink signature; and
- Encrypt documents and transactions. Digital Certificates allow you to send encrypted email so that only the intended recipient can view your message and attachments

Slide 6: What type of certificate does JPAS require?
1. ECA Medium Hardware Assurance; or
2. ECA Medium Token Assurance
- Both certificate types are hardware-based certificates and must be stored on a FIPS Level 2 or higher Key Storage Mechanism (KSM) per DoD policy
- KSMs available are either Smart Cards (similar to CAC cards) or USB devices
- JPAS strongly recommends the KSM be in a Smart Card format. DoD facilities may not let you bring a USB token on site

Slide 7: What's the difference?
- Both ECA certificate types are hardware-based certificates
- One key difference is who performs the Identity Vetting
- The hardware devices are exactly the same
- However, there is a 'mapping' difference
- ECA Medium Hardware is a higher assurance certificate than Medium Token
- Some DoD applications require Medium Hardware
In either case, you must meet face to face with the person performing the identity vetting.

Certificate Type: ECA Medium Hardware Assurance
  Identity Vetting: IdenTrust Registration Agent; Trusted Agent
  Mapping: Medium High level of Federal Bridge
Certificate Type: ECA Medium Token Assurance
  Identity Vetting: IdenTrust Registration Agent; Trusted Agent; Notary Public; Authorized DoD Employee
  Mapping: Medium level of Federal Bridge

Slide 8: How do you get an ECA certificate?

Slide 9: Choose one of the three (you'd better choose correctly!)

Slide 10: IdenTrust has a customized approach for JPAS

Slide 11: All you have to do is click on the "buy" button

Slide 12: Go through the on-line application process

Slide 13: What is required? There are identity documents to show to the Trusted Agent or Notary

Slide 14: Then you both get to sign (this example is Medium Hardware). Once for the applicant... And once for the Trusted Correspondent...

Slide 15: Then you both get to sign (this example is Medium Token). Once for the applicant... And once for the Notary...

Slide 16: There is also a Subscribing Organization Agreement
- Requires the signature of someone within the company who can agree to the conditions of the ECA contract for the applicant
- The company is acknowledging that the associate is getting a certificate as a representative of the company and that it agrees to allow the associate to use the certificate on its behalf

Slide 17: Both forms are sent to the Registration department
- The Registration team investigates the likelihood that the claimed identity is genuine
- They assign a "confidence score" based on a comprehensive set of criteria
- Once they decide, they send an email to the applicant informing them of the decision
- If favorable, they send certificate retrieval instructions
- If unfavorable, they send information regarding the rejection

Slide 18: If successful, you'll receive...
- An email from the Registration department telling you you've been approved
- A package with a letter of retrieval instructions and your hardware
- Guidance on protecting your device
- A CD with drivers and middleware for your computer to understand your certificate
- Instructions on how to:
  - Load the drivers
  - Prepare the KSM
  - Load the private keys
  - Certificate test
- Once your certificate test is complete, go to JPAS and register your certificate

Slide 19: Who, What, Where, When, How: Trusted Correspondent
Who: Typically in HR or Security
What: Internal associate who performs identity vetting on the company's own employees
Where: In-person appointments
When: Whenever an employee needs a certificate
How: Company 'officer' signs a separate agreement accepting terms/conditions for the actions of their employee acting as a Trusted Correspondent.
- Your company becomes liable for the truthfulness of the identity
- Agrees to rules regarding documentation and identity checking
- Must follow the "letter of the law" just like we do
- No short cuts, just because they're your employees

Slide 20: Benefits of having your own Trusted Correspondent
No need to wait for an appointment with the CA
Allows 'bulk loading' for multiple users
- Eliminates the need for individual users to go through the entire application process
- Minimum of five per submission
- All supporting documents must be included together
Streamlines processing
- CA does not have to do some of the usual steps (VoE)
Reduces costs
Enhanced control
- Upon termination of an employee, a TC can immediately revoke the certificate
- New employees can be added more quickly
- May be able to resolve basic certificate issuance faster than relying on the CA
The only cost is for the certificate of the TC candidate
- The TC is required to have their own Medium Hardware certificate so they can send encrypted emails back and forth to the CA

Slide 21: TC Addendum to Subscribing Organization Agreement. Company officer signs this agreement:

Slide 22: And begin 'bulk loading' your associates. The TC sends the completed spreadsheet via signed and encrypted email to the Registration Department

Slide 23: Questions? Richard Jensen, Director of Government Sales, ECA Program Manager, Associate Member NCMS. Contact Info:

Slide 24: NCMS Members qualify for a 20% Discount