Published by Angela Richard. Modified over 9 years ago.
1
Electronic Security and PKI
Richard Guida
Chair, Federal PKI Steering Committee
Chief Information Officers Council
Richard.Guida@cio.treas.gov; 202-622-1552
http://gits-sec.treas.gov
2
Authentication and Confidentiality: Technical Approaches
Shared secrets (including “Symmetric Crypto”)
  – Personal ID Numbers
  – Passwords
  – Biometrics (including digitized signatures)
Public key technology (“Asymmetric Crypto”)
  – Key pair - no shared secrets
3
Shared-Secret Approach
Shared secret for authentication or confidentiality
  – Different for each pair of users
  – No nonrepudiation
  – Need to pre-arrange and securely transport
  – If one party fails to protect, both compromised
4
Public Key Technology Approach
Two keys, mathematically linked
One is kept private, other is made public
Private not deducible from public
For digital signature: One key signs, the other validates
For confidentiality: One key encrypts, the other decrypts
5
Public Key Technology Advantages
No shared secret - hence good foundation for nonrepudiation
  – Improved further with hardware token
Identity/signature cryptographically bound to entire document
Credential (digital certificate) is interoperable and extensible
6
Public Key (Digital) Certificate
An electronic credential which:
  – Binds an individual’s public key to his or her identity
  – Is digitally signed by a trusted third party (called Certification Authority)
Provides a trusted way to obtain an individual’s public key
  – Digital Signature on the certificate precludes undetected alteration of contents
7
Public Key Infrastructure
Registration Authorities to identity proof users
Certification Authorities to issue certificates and CRLs
Repositories (publicly available data bases) to hold certificates and CRLs
Some mechanism to recover data when encryption keys are lost/compromised
Certificate Policy and related paper
8
Federal PKI Approach
Establish Federal PKI Policy Authority (for policy interoperability)
Develop/deploy Bridge CA using COTS (for technical interoperability)
  – Prototype 2/8/00, production end of 2000
Deal with directory issues in parallel
  – Border directory concept; “White Pages”
Use ACES for public transactions
9
Federal PKI Policy Authority
Voluntary interagency group - NOT an “agency”
Governing body for interoperability through FBCA
  – Agency/FBCA certificate policy mappings
Oversees operation of FBCA, authorizes issuance of FBCA certificates
10
Federal Bridge CA
Non-hierarchical hub (“peer to peer”)
Maps levels of assurance in disparate certificate policies (“policyMapping”)
Ultimate bridge to CAs external to Federal government
Allows certificates issued by one agency to be accepted by other agencies/parties
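
Added example (not part of the original slides): a simplified Python model of how policy mappings in cross-certificates let a relying party in one agency judge a certificate issued under another agency's policy, via a bridge CA. The agency names, policy labels and OIDs (in the 2.999 example arc) are constructed assumptions, and no signatures or CRLs are checked.

```python
# Simplified model of X.509 certificate-policy processing with policyMappings,
# loosely following RFC 5280 section 6.1. No signatures or CRLs are checked.
# All OIDs use the 2.999 example arc and are constructed for illustration.
B_MEDIUM, B_HIGH = "2.999.2.1", "2.999.2.2"      # relying agency B's policies
BR_MEDIUM, BR_HIGH = "2.999.0.1", "2.999.0.2"    # bridge CA's policies
A_SOFT, A_TOKEN = "2.999.1.1", "2.999.1.2"       # issuing agency A's policies


def build_path(ee_policy):
    """Constructed path: agency B root -> bridge CA -> agency A CA -> user."""
    return [
        {"subject": "Bridge CA", "policies": {B_MEDIUM, B_HIGH},
         "policy_mappings": {B_MEDIUM: {BR_MEDIUM}, B_HIGH: {BR_HIGH}}},
        {"subject": "Agency A CA", "policies": {BR_MEDIUM, BR_HIGH},
         "policy_mappings": {BR_MEDIUM: {A_SOFT}, BR_HIGH: {A_TOKEN}}},
        {"subject": "Agency A user", "policies": {ee_policy}},
    ]


def valid_policies(path, acceptable):
    """Return the relying party's own policy OIDs under which the last
    certificate in `path` is valid; an empty set means reject."""
    # equiv: policy OID in the current CA's domain -> equivalent anchor-domain OIDs
    equiv = {p: {p} for p in acceptable}
    for cert in path:
        # Drop any policy the certificate does not assert.
        equiv = {p: a for p, a in equiv.items() if p in cert["policies"]}
        mappings = cert.get("policy_mappings", {})
        translated = {}
        for pol, anchors in equiv.items():
            # A mapped policy is replaced by its subject-domain equivalents;
            # an unmapped policy carries over unchanged.
            for target in mappings.get(pol, {pol}):
                translated.setdefault(target, set()).update(anchors)
        equiv = translated
    return set().union(*equiv.values())


if __name__ == "__main__":
    print(valid_policies(build_path(A_SOFT), {B_MEDIUM, B_HIGH}))  # B_MEDIUM only
    print(valid_policies(build_path(A_SOFT), {B_HIGH}))            # empty: reject
```

A software-key certificate from agency A satisfies agency B's medium policy through the bridge but is rejected by an application that demands B's high policy.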
11
Intra-Agency PKI Examples
DOD (>250K certs => >>4M by 2002; high assurance with smartcards)
FAA (~1K certs => 20K+ in 2000; software now, migrating to smartcards)
FDIC (~7K certs => 20K+ in 2000)
NASA (~1K certs => 25K+ in 2000)
USPTO (~1K certs => 15K+ in 2000)
12
Electronic Signatures under GPEA
Government Paperwork Elimination Act (October 1998)
Technology neutral - agencies select based on specifics of applications (e.g., risk)
Gives electronic signature full legal effect
Focus: transactions with Federal agencies
Draft OMB Guidance 3/99; final 5/00
13
Organization
14
PKI Use and Implementation Issues
Misunderstanding what it can and can’t do
Requiring legacy fixes to implement
Waiting for standards to stabilize
High cost - a yellow herring
Interoperability woes - a red herring
Legal trepidation - the brightest red herring