Property of the Smart Card Alliance © 2010
Access Security Usage Models for PIV-I Trusted Identity Credentials
Roger Roehr, Principal, Roehr Consulting
Strategies for the Implementation of PIV-I Secure Identity Credentials: A Smart Card Alliance Educational Institute Workshop
9th Annual Smart Cards in Government Conference, Washington DC Convention Center, November 16-19, 2010
PIV-I Usage Models
Government and PIV-I: a first responder at a government site; a government agency wants to send an encrypted document for a contract.
Internal use of PIV-I: a company wants secure remote access for its employees.
PIV-I to PIV-I: one aircraft company wants to digitally sign test results sent to another.
Two Parts to Access
Policy (PIV-1, FIPS 201 Part 1): What are the requirements to get the credential? What are the requirements for access?
Technology (PIV-2, FIPS 201 Part 2): What are the operational capabilities of the credential? What are the operational capabilities of the system?
What Do You Get from the Credential?

Credential   Identity (I-9)   Affiliation   Background Check   Attributes
PIV          Yes              Yes           Yes                No
PIV-I        Yes              Yes           No                 No
TWIC         Yes              No            Yes                No
What Are Your Access Requirements?
Who validates the request?
Identity proofing?
Background checks?
What are the authentication requirements?
What do you need for an audit?
Define Your Process (flowchart)
Visitor is sponsored.
Is the visitor a PIV card holder?
  No: collect biometric and breeder document.
  Yes: does the credential holder know the PIN?
    Yes: enter PIN, then verify biometric and verify certificate.
    No: collect biometric and verify certificate.
Outcomes: privilege for unescorted access, or privilege for escorted access.
Use Case: Sending an Encrypted Email
A government person is going to send an encrypted email to a contractor.
1. Get the certificate for the recipient.
2. Establish trust for the certificate.
3. Encrypt with the public key and send.
The PKI Certificate
Root
Intermediate
Credential Certificate
Which Root do You Trust?
How Roots Get Trust
The PKI Bridges (diagram)
Your Organization: Root, Intermediate, Certificates.
Bridge: cross-certified with your root and with the other organization's root.
Other Organization: Root, Intermediate, Certificates.
CRLs are published by your root, your intermediate, the bridge, and the other organization's root and intermediate.
You only need to trust your root!
How the Bridges Connect
Federal Bridge CA (FBCA), cross-certified with:
  Common Policy CA, whose SSPs (VeriSign, Cybertrust, ORC, Treasury, GPO?, Exostar, Entrust, IdenTrust?) serve all other agencies
  Agency and other PKIs: CertiPath SSP, DOD, DHS, NASA, Commerce, USPS, USPTO, HHS, DOE, IL State, DOJ, DOD/ECA, GPO, Treasury, Wells Fargo, MIT LL, UTexasSx
  CertiPath bridge: Boeing, Raytheon, Lockheed Martin
  SAFE bridge, industry PKIs: Abbott Labs, AstraZeneca, Bristol-Myers Squibb, Genzyme, GlaxoSmithKline, INC Research, Johnson & Johnson, Merck, Pfizer, Procter & Gamble, Sanofi-Aventis
Total: 12-15M users
Boeing Digitally Signs a Contract for the US Government (diagram)
Path from the government relying party's trust anchor to the signer: Treasury Root, Federal Bridge, CertiPath Bridge, Boeing's Root, Boeing's Intermediate #3, Joe Boeing's Signing Certificates.
A CRL is published at each CA in the path (Treasury Root, Federal Bridge, CertiPath Bridge, Boeing's Root, Boeing's Intermediate #3).
CRL Validation (diagram)
Same path as the bridge diagram: your root, your intermediate, the bridge, the other organization's root and intermediate, each publishing its own CRL. The relying party must fetch and check every CRL along the path down to the other organization's certificates.
OCSP Validation (diagram)
Same path, but each CA's CRL sits behind an OCSP responder (five responders: your root, your intermediate, the bridge, the other organization's root and intermediate). The relying party queries a responder for each certificate in the path instead of downloading the CRLs.
SCVP Validation (diagram)
Same path and the same five CRLs, but a single SCVP responder builds and validates the path and consults the CRLs on the relying party's behalf; the relying party only has to trust the SCVP responder's answer.
The Public Key
The message can now be encrypted with the trusted public key.
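The three steps above (get the recipient's certificate, establish trust for it, encrypt with its public key), the bridge path from the Boeing slide and the CRL check, worked through in Go as an added example that is not part of the presentation. It builds a throwaway PKI with Go's standard crypto/x509 package using the names from the slide (Treasury Root, Federal Bridge CA, CertiPath Bridge, Boeing Root, Boeing Intermediate #3, Joe Boeing); the keys, serial numbers, validity periods, key types (ECDSA P-256 for the CAs, RSA-2048 for Joe so his key can receive encrypted mail) and the use of RSA-OAEP are the example's own choices, not anything the deck specifies.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue returns a parsed certificate binding cn to pub, signed by parentKey; a nil
// parent makes it self-signed. CAs get certSign and cRLSign so Go will chain
// through them and accept a CRL they sign.
func issue(serial int64, cn string, pub any, isCA bool, parent *x509.Certificate, parentKey crypto.Signer) *x509.Certificate {
	now, usage := time.Now(), x509.KeyUsageKeyEncipherment
	if isCA {
		usage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: usage}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

func ecKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// Federation is a throwaway PKI shaped like the Boeing slide; no real certificates are involved.
type Federation struct {
	TreasuryRoot, BoeingRoot, Joe *x509.Certificate
	Intermediates                 *x509.CertPool      // the cross-certificates plus Boeing's intermediate
	JoeKey                        *rsa.PrivateKey
	CRL                           *x509.RevocationList // signed by Boeing Intermediate #3
}

func BuildFederation(revokeJoe bool) *Federation {
	tKey, fbKey, cpKey, bKey, biKey := ecKey(), ecKey(), ecKey(), ecKey(), ecKey()
	joeKey := must(rsa.GenerateKey(rand.Reader, 2048)) // RSA so Joe's certificate can receive encrypted mail
	treasury := issue(1, "Treasury Root", tKey.Public(), true, nil, tKey)
	// Each hop is a cross-certificate: the next CA's key, certified by the previous CA.
	fbcaX := issue(2, "Federal Bridge CA", fbKey.Public(), true, treasury, tKey)
	certipathX := issue(3, "CertiPath Bridge", cpKey.Public(), true, fbcaX, fbKey)
	boeingX := issue(4, "Boeing Root", bKey.Public(), true, certipathX, cpKey)
	// Boeing's own trust anchor: same name and key as the cross-certificate, but self-signed.
	boeingRoot := issue(5, "Boeing Root", bKey.Public(), true, nil, bKey)
	boeingInt := issue(6, "Boeing Intermediate #3", biKey.Public(), true, boeingRoot, bKey)
	joe := issue(7, "Joe Boeing", joeKey.Public(), false, boeingInt, biKey)

	var revoked []pkix.RevokedCertificate
	if revokeJoe {
		revoked = []pkix.RevokedCertificate{{SerialNumber: joe.SerialNumber, RevocationTime: time.Now()}}
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(12 * time.Hour),
		RevokedCertificates: revoked}, boeingInt, biKey))))

	pool := x509.NewCertPool()
	for _, c := range []*x509.Certificate{fbcaX, certipathX, boeingX, boeingInt} {
		pool.AddCert(c)
	}
	return &Federation{TreasuryRoot: treasury, BoeingRoot: boeingRoot, Joe: joe, Intermediates: pool, JoeKey: joeKey, CRL: crl}
}

// Validate is the relying party's job before it uses Joe's key: build a path from
// Joe's certificate to the one root it trusts through the cross-certificates it
// holds (nil means none), then check the CRL signed by Joe's issuer. It returns
// the path length, leaf through root.
func Validate(leaf, anchor *x509.Certificate, intermediates *x509.CertPool, crl *x509.RevocationList) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return 0, err // no path to a root you trust
	}
	chain := chains[0]
	if err := crl.CheckSignatureFrom(chain[1]); err != nil {
		return 0, err // a CRL is only as good as the signature on it
	}
	if time.Now().After(crl.NextUpdate) {
		return 0, errors.New("CRL is stale")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return 0, errors.New("certificate is revoked")
		}
	}
	return len(chain), nil
}

// EncryptFor encrypts msg to the RSA key in a certificate that Validate accepted.
func EncryptFor(cert *x509.Certificate, msg []byte) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func Decrypt(key *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ct, nil)
}

func main() {
	f := BuildFederation(false)
	n, err := Validate(f.Joe, f.TreasuryRoot, f.Intermediates, f.CRL)
	fmt.Println("Treasury via the bridges: path length", n, "error:", err)
	_, err = Validate(f.Joe, f.TreasuryRoot, nil, f.CRL)
	fmt.Println("Treasury without the cross-certificates:", err)
}
```

Run it with go run. The path from Treasury's root to Joe is six certificates long and only exists because the relying party holds the cross-certificates; the same leaf validates against Boeing's own root in three, which is the "you only need to trust your root" point. In production the cross-certificates come from the certificates' AIA pointers or a bridge directory and the CRL from the CRL distribution point; OCSP or SCVP replace the CRL step here, with the caveat that the responder's own certificate must itself chain to a root you trust.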
Physical Access Use Case
A government agency wants to use PIV-I in a physical access control system (PACS).
1. A sponsor needs to establish a need for access.
2. Vetting of attributes and background check.
3. The credential's PKI needs to be validated, and the credential then needs to be registered in the system.
4. A physical access model needs to be defined.
Attributes
Currently there is no standard format for the electronic exchange of attributes.
Back-end attribute exchange is a current task of the CIO Council.
Some proprietary first-responder models have been field tested.
Physical Access Models
In all models, PIV authentication certificates should be escrowed and checked routinely.
Use the PIV-I GUID, and PIV with GUID, at the door; issue PIV holders without a GUID a credential.
Use the PIV FASC-N and issue PIV-I holders a credential.
Build a PACS with a discovery system and use PIV: not available at this time.
Credential Numbers (diagram)
Card objects shown: PIV key, fingerprint, CHUID, signing key.
CHUID contents: FASC-N (PIV) or GUID (PIV-I), Agency Code, Expiration Date, Organization ID, Signature.
FASC-N fields: Agency Code, System Code, Credential Number, Credential Series (CS), Individual Credential Issue (ICI), Person ID (PI), Org Cat (OC), Org ID (OI), Person/Organization Association Category (POA).
PIV vs. PIV-I Identifiers (GSA 75-bit Wiegand format)

Field               BCD digits   Bits
Expiration Date     8            25
Agency Code         4            14
System Code         4            14
Credential Number   6            20
Total                            73 (the GSA Wiegand format adds 2 parity bits, for 75)

PIV identifier: the FASC-N Agency Code, System Code and Credential Number.
PIV-I identifier: the 128-bit GUID; the PIV-I FASC-N carries Agency Code = 9999.
Note: DOD and TWIC also need CS and ICI (1 BCD digit, 4 bits each), 8 bits extra in total.
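The field widths in the table above, packed and unpacked in Go as an added example that is not from the presentation; it also applies the first model from the "Physical Access Models" slide (FASC-N fields for PIV, GUID for PIV-I). The struct, the 75-bit layout (leading parity bit, 73 data bits, trailing parity bit) and the parity convention (even over the first 37 data bits, odd over the last 36, borrowed from the common 26-bit Wiegand format) are the example's assumptions: the slide only says that two parity bits are added. Agency Code = 9999 as the PIV-I marker and the use of the GUID at the door are from the slides.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
)

// CredentialFields are the FASC-N fields the slide packs into the GSA 75-bit
// Wiegand format. Widths are from the slide: 8 BCD digits of expiration date
// (YYYYMMDD) as a 25-bit integer, 4-digit agency and system codes as 14 bits
// each, 6-digit credential number as 20 bits: 73 data bits plus 2 parity bits.
type CredentialFields struct {
	Expiration       uint32 // YYYYMMDD
	AgencyCode       uint16 // 9999 marks a PIV-I credential; use the GUID instead
	SystemCode       uint16
	CredentialNumber uint32
}

const PIVIAgencyCode = 9999

type field struct {
	value  uint64
	bits   int
	maxDec uint64 // largest value the BCD digit count on the slide allows
}

func fields(c CredentialFields) []field {
	return []field{
		{uint64(c.Expiration), 25, 99999999},
		{uint64(c.AgencyCode), 14, 9999},
		{uint64(c.SystemCode), 14, 9999},
		{uint64(c.CredentialNumber), 20, 999999},
	}
}

// parity returns the bit that gives bits plus the result the wanted parity (0 even, 1 odd).
func parity(bits []byte, want byte) byte {
	var s byte
	for _, b := range bits {
		s ^= b
	}
	return s ^ want
}

// Pack75 returns the 75 Wiegand bits as 0/1 values, MSB first: a leading parity
// bit, 73 data bits, a trailing parity bit. The parity scheme (even over the
// first 37 data bits, odd over the last 36) is an assumption borrowed from the
// 26-bit format; the slide only says two parity bits are added.
func Pack75(c CredentialFields) ([]byte, error) {
	data := make([]byte, 0, 73)
	for _, f := range fields(c) {
		// A value can fit its BCD digits yet overflow the binary width (8 digits need
		// 27 bits, not 25), so check both; silent truncation would change identities.
		if f.value > f.maxDec || f.value >= 1<<uint(f.bits) {
			return nil, fmt.Errorf("value %d does not fit %d bits / %d", f.value, f.bits, f.maxDec)
		}
		for i := f.bits - 1; i >= 0; i-- {
			data = append(data, byte(f.value>>uint(i)&1))
		}
	}
	out := append([]byte{parity(data[:37], 0)}, data...)
	return append(out, parity(data[37:], 1)), nil
}

// Unpack75 is the panel side: verify both parity bits, then recover the fields.
func Unpack75(bits []byte) (CredentialFields, error) {
	if len(bits) != 75 {
		return CredentialFields{}, errors.New("expected 75 bits")
	}
	data := bits[1:74]
	if bits[0] != parity(data[:37], 0) || bits[74] != parity(data[37:], 1) {
		return CredentialFields{}, errors.New("parity error")
	}
	read := func(n int) uint64 {
		var v uint64
		for _, b := range data[:n] {
			v = v<<1 | uint64(b)
		}
		data = data[n:]
		return v
	}
	return CredentialFields{
		Expiration:       uint32(read(25)),
		AgencyCode:       uint16(read(14)),
		SystemCode:       uint16(read(14)),
		CredentialNumber: uint32(read(20)),
	}, nil
}

// DoorIdentifier applies the first model on the "Physical Access Models" slide:
// a PIV card is known at the door by its FASC-N agency/system/credential fields,
// a PIV-I card (agency code 9999) by the 128-bit GUID from its CHUID.
func DoorIdentifier(c CredentialFields, guid [16]byte) string {
	if c.AgencyCode == PIVIAgencyCode {
		return "GUID:" + hex.EncodeToString(guid[:])
	}
	return fmt.Sprintf("FASCN:%04d-%04d-%06d", c.AgencyCode, c.SystemCode, c.CredentialNumber)
}

func main() {
	c := CredentialFields{Expiration: 20151116, AgencyCode: 7008, SystemCode: 4321, CredentialNumber: 123456}
	bits, err := Pack75(c)
	fmt.Println(len(bits), "bits, error:", err)
	back, err := Unpack75(bits)
	fmt.Printf("%+v %v\n", back, err)
	fmt.Println(DoorIdentifier(CredentialFields{AgencyCode: 9999}, [16]byte{0xde, 0xad}))
}
```

One caveat the table hides: eight BCD digits can hold 99999999 but 25 bits hold only 33554431, so Pack75 rejects any value that does not fit its binary width instead of truncating it, because a truncated identifier silently becomes a different cardholder's identifier. The extra CS and ICI digits the slide notes for DOD and TWIC are not modelled.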
Final Thoughts
Define the use case first! PIV and PIV-I are not the same and will require different policy and system configuration.
PACS that are PIV compliant might not be PIV-I compliant.
Security only comes from proper implementation.
Smart Card Alliance 191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828 www.smartcardalliance.org
Roger Roehr [email protected] 703-407-8249