EDUCAUSE 2001, Indianapolis IN

Securing e-Government: Implementing the Federal PKI

David TemoshokFederal PKI Policy Manager

GSA Office of Governmentwide PolicyOctober 31, 2001

e-Gov and PKI Drivers

• Government Paperwork Elimination and ESIGN Acts

• Public Expectations

• Long-term Cost Savings

• The Need for Privacy and Security

– Government is held to higher standard

• Trading Partner Practices

Bill Payment $2.22 - $3.32 $0.65 - $1.10 71% - 67%

Insurance Policy $400 - $700 $200 - $350 50%

SoftwareDistribution $15 $0.20 - $0.50 97% - 67%

Procurement 70%

Motor VehicleRegistration $7 <$2 71%

Order-Filling (DOD) $24 $12 50%

Traditional

SystemInternet

Percent Savings

Business Driver: Savings by Process Type

Electronic Signatures in Global and National Commerce Act

• Signed by President Clinton on 6/30/00.• E-SIGN addresses:

– Commercial, consumer, and business transactions affecting interstate or foreign commerce;

– Legality of electronic signatures and records;– Preemption of inconsistent statutes/rules.

• E-SIGN does not address:– security, authentication, or records requirements;– interoperability;– Electronic signatures based on different technologies;– Rules for reliance/accepting different kinds of signatures.

• Federal Agency activities and requirements are generally not within the scope of this legislation; they are instead addressed by the Government Paperwork Elimination Act (GPEA).

GPEA Requirements

• Government Paperwork Elimination Act (GPEA) of 1998 addresses:– requirement for federal agencies to offer the public the

option of electronic filings/transactions/record-keeping for agency business by October 2003;

– Legality of electronic signatures and records; – Technology neutrality -- electronic signature alternatives.

• OMB required all agencies to report on GPEA implementation/compliance by 10/00. Including:– Information collections under Paperwork Reduction Act– Use of Electronic Signature.– Risk Assessment.

What is an Electronic Signature under E-SIGN?

“…means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”

PIN or Password

Biometric Profile

Click through on software program’s dialog box

Typed names

Digitized image of a handwritten signature

Digital Signature or other encrypted

authentication system

Knowledge-basedAuthentication

• Authentication: Is originator who they really say they are? Achieved by binding the sender’s identity credentials to the

message (digital signature)

• Data Integrity: Has message/transaction been accidentally or maliciously been altered? Achieved via comparing hash of the data (digital signature)

• Confidentiality: Can message be read only by authorized entities? Encryption protects information from unauthorized disclosure

• Non-repudiation: Can sender or receiver dispute that message was actually sent or received? Enabled through digital signature process

Security Needs Met by PKI

• A trusted third-party, the Certificate Authority (CA), issues the digital certificate, containing:

- Name, Issuers name, Certificateholder’s public key, other attributes.

• The Issuer (CA) must verify and bind identity to the Electronic ID.

• The Issuer (CA) digitally signs the certificate so no one can change its

contents and certificate can be verified as authentic.

Public Key or Digital Certificates -The Electronic ID

CA Digital Certificate

Name: Joe CollegeSerial #: 123456Issuer: CA #78901Expiration: 12/1/02Public Key: 3S@*6Y76

CA Digital Certificate

Name: Joe CollegeSerial #: 123456Issuer: CA #78901Expiration: 12/1/02Public Key: 3S@*6Y76

CA’s Digital Signature

Unique identifier for certificate

Unique identifier for certificate issuer

Certificate expiration date (validity period)

Certificateholder’s public key

Ensures Certificate’s validity

• A Digitized Signature is a scanned image that can be pasted on any document.

• A Digital Signature is a numeric value that is created by performing cryptographic transformation of a message using the “signer’s” private key.

Digitized vs. Digital Signature

1BE*564(1@5GYT87^4>530^0<BG?!C64 4> 99 MH ?!C6 Nd%2V@x4 (1@#d6^* Nd%2V@xANRT48346509(1@ 23 ?!C64 JD HD G *564 QHD736 JFHF Nd%2V@x

Digital SignatureDigitized Signature

Why build a Federal PKI?

• Statutory mandates for e-government and implementing electronic signature technology

• Business Demands for improved services at lower cost

• Leverage infrastructure costs• Critical security need

Why not a Federal PKI?• Privacy concerns• Agency internal politics• Vendor battles for market space• Cost

Federal PKI Approach

• Determine need for PKI through risk assessment.

• Use PKI when electronic signature and document/data integrity must be assured (non-repudiation).

• Provide Federal PKI and PKI services contract for government-wide use -- ACES.

• Build Federal PKI Interoperability– Establish Federal PKI Policy Authority (for policy interoperability).

– Implement Federal Bridge CA using COTS (for technical interoperability).

• Organize federal agency PKI use around common citizen and industry groups.

The Core Federal PKI

DOD IECA

DOD PKI

GSA ACES

NFC PKI

Federal Bridge CA Available to all Federal agencies

Available to all Military personnel and dependents

Available to all Government vendors

and contractorsAvailable to all U.S. citizens, businesses, government agencies

PKI Interoperability

• Policy PKI Interoperability involves the determination of “Trusted” PKI domains which will meet the level of assurance needed.• Technical PKI interoperability involves the validation of certificates form a different PKI domain to determine validity of certificates and paths.• A small number of PKI domains makes it easier to achieve interoperability -- however it is still complex.

PKI Domain 1

PKI Domain 2

PKI Domain 3

Certification Policies & Practices Statements

Validation ProtocolsBi-lateral Agreements

The Challenge to PKI Interoperability

PKI interoperability becomes much more complex as the number of PKI domains increase.

The Solution: The Federal The Solution: The Federal Bridge CABridge CA

The Federal Bridge CA simplifies PKI interoperability:• Common and easy way to determine “Trusted” PKI domains and assurance levels (policy mapping);• Common and, relatively, easy way to validate certificate status through cross certification;• Standard Bi-lateral Agreement between the Bridge and Agency CA.

FPKI Policy Authority FBCA Operational Authority

PKI Policy Mapping -- Equivalence Example

DoD2

DoD3

DoD4

NFC PKIBasic

NFC PKIMedium)

NFC PKIHigh

NFC PKITest

FBCAHigh

FBCAMedium

FBCABasic

FBCARudimentary

GSA ACES (Med)

DoD IECA (Med)

FBCA Requirements NFC PKI DOD PKI DOD IECA PKI ACES PKI

• Common PKI solution encourages agencies to work together

• Allows equitable cost sharing among agencies• Efficient, effective, economical due to aggregation

of Federal needs • One digital identity credential can be used by

multiple Agency processes• “Anonymous” certificate numbering for

identification• Public pays nothing for digital ID.

ACES Program Vision

ACES Registration Processes

ACES Contractor Registration for Individuals

Agency Registration

Business Representative Registration

ACES Remote (On-line)Certificate Application Process

Public applies for certificate

Secure Web

FederalFederal

StateState

CommercialCommercial

Secure Web

ACES vendor validates ID to multiple independent databases

Applicant PIN activation process

ACES vendor registers applicant for certificate and mails one-time PIN

ACES vendor sendsregistered certificate

Authorized Web-basedApplication

Access AuthorizedSystem with ACESauthentication

Return PersonalizedServices/Benefits/Information

Validate ElectronicID (ACES) through standard on-line protocol (OCSP)

Secure Web

Citizen

Accessing Web-Based Applications and Services

ACES ContractedCertificate Authority

Federal Agency

AgencyApplication

AppAPI

AgencyApplication

AppAPI

CAMAAInterface

CAI/F

Crypto Library(RSA, DSA, ECDSA)

ACES CA

CAn

SubscriberCerts

Signature Devicewith CAM Private

Key

• CA Certificate List• Invalid Certificate List• Transaction Log

Subscriber

Subscriber

Scope of CAM

CAn

SubscriberCerts

CAn

SubscriberCerts

CAn

SubscriberCerts

- Parse Cert- Verify Issuer as an ACES CA- Verify Issuer’s signature- Verify operational period- Check cached Invalid Cert IDs- Get route to Issuer- Send signed Status Request & Cert

data to Issuer- Receive signed Status Response- Verify Status Response signature- Pass status & cert data to App- Log audit data

CAM Architecture

Who Can Be a Member of the ACES PKI?

• Certificate Authorities– ACES contractors

• Relying Parties – Any Federal agency– Non-federal entities if authorized by a Federal Agency for legitimate program purposes.

•Subscribers– Any individual in U.S. – Any individual as a representative of a business, organization, or governmental entity

• Securely store, protect, and transport cryptographic keys (public/private keys) and digital certificates.

• Capacity to hold multiple keys/certificates.• Provide secure computational and processing facility without

exposing sensitive information to risk.• Provides security for: generation of digital signature, use of

private key for personal authentication, portable permissions/logical access control.

• Convenience for end user.• PKI can be one set of functions on a multi-application smart

card.

PKI and Smart Cards

Should result in trust and confidence in E-Gov applications.

For More Information

Phone E-mail David Temoshok david.temoshok@gsa.gov

202-208-7655

Websiteshttp://cio.gov/fpkischttp://gsa.gov/ACES

http://ec.fed.gov