330 likes | 346 Views
Explore the current status of the Federal Electronic Identity Initiatives, including eAuthentication, HSPD-12, and the implementation of high assurance digital certificates for access to government resources.
E N D
Federal Electronic Identity Initiatives – Current Status Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO for E-Authentication, NIH
Federal Initiatives • eAuthentication • Focus on eCommerce, services, etc. • HSPD-12 • Focus on security BRIITE 2007
Security BRIITE 2007
Homeland Security Presidential Directive 12 • A Presidential Mandate for Federal Agencies to issue medium hardware assurance (or better) identity credentials for access to physical and logical government resources - inside-the-firewall contractors, too • Medium Hardware or High Assurance digital certificates on PIV-2 cards (next generation Smartcards) • Fast-tracked for implementation starting 10/2006 • Led to new government standards for identity proofing and vetting (FIPS 201) and for PKI hardware tokens (NIST SP 800- 7x series) BRIITE 2007
Federal View of Electronic ID • Avalidated, proofed identity using breeder documents and databases (FIPS 201) • A scheme for adding a name, biometrics (photo, fingerprints), numeric codes (CHUID, etc.) and substantial assurance digital certificates to a next-generation SmartCard • Attributes are extensions not required by HSPD-12, but optionally consumed by Applications • SAML assertions and/or database entries for attribute storage • USPerson profile being developed to standardize attribute representation BRIITE 2007
Current Status • All Federal Agencies are implementing the requirements of HSPD-12, which means 12 – 15 million high assurance digital certificates will be deployed and used by 2010. • There are over 5.5 million high assurance digital certificates currently deployed and used in the Federal government BRIITE 2007
Other Initiatives – Classified Stuff • Defense, Law Enforcement, Intelligence Services • Don’t want to know…. BRIITE 2007
E-Gov Services BRIITE 2007
Current State of Affairs (60 years old now) • You apply to the application owner for a password • You use the password to access the system • You forget the password • The application owner gives you a new password • You use the new password to access the system • You forget the password • <infinite do loop> • No identity proofing • No way to know who is actually on the system (Your secretary? Your postdoc? Your dog? Osama?) BRIITE 2007
eAuthentication Initiative • Provide electronic identity authentication services for online government applications • Manage the Federal Federation – extends services to private sector credential providers and online services • Set standards for assertion-based authentication tools • Offers standard risk assessment tool • Standard Architecture and Policy foundations BRIITE 2007
Foundational Assumption • Government online services shall trust externally-issued electronic identity credentials at known levels of assurance (LOA) • Online applications shall determine required credential LOA using a standard methodology based on: • Risk assessment using standard tool, • OMB M-04-04 determines required authN LOA • NIST SP 800-63 translates required LOA to credential technology BRIITE 2007
Credential Service Providers Covers 4 LOA Assertion-based identity credentials for L 1, 2 Crypto-based identity credentials for L 3, 4 Service Requirements Related to uptime, user support, etc. Interfederation Arrangements Encouraged Agency Applications Federal Agency Applications and Services Mandated by Administration Service Requirements Related to uptime, user support, etc. The Federal Federation BRIITE 2007
Architecture SAML assertions for LOA 1, 2 (encapsulate userid/passwords) Vendor interoperability required for addition to approved vendor list SAML 1.0 currently supported; SAML 2.0 specs being developed PKI or OTP for LOA 3 PKI for LOA 4 Scheme translator available Policy/Procedures Credential assessments for all CSPs, CAF for assertion-based credentials; cross certification with Federal PKI for crypto-based credentials Federal PKI Policies define requirements for digital certificate trustworthiness Business and Legal Rules define service requirements for all LOA Summary of Architecture and Policy/Procedures BRIITE 2007
E-Authentication LOA and What They Mean* Level 1 • Little or no assurance of identity; assertion-based identity authentication • Some assurance of identity; assertion-based identity authentication or policy-thin PKI • Substantial assurance of identity; cryptographically-based identity authentication • High assurance of identity; cryptographically-based identity authentication Level 2 Level 3 Level 4 BRIITE 2007 * Codified in OMB Memorandum 04-04
E-Authentication LOA and What They Service** Level 1 • Online applications with little or no risk of harm from fraud, hacking; low risk • Online applications with risk of some harm from fraud, hacking; some risks • Online applications where there is risk of significant harm from fraud, hacking; significant risks • Online applications where there is risk of substantial harm from fraud, hacking; substantial risks Level 2 Level 3 Level 4 BRIITE 2007 ** Codified in NIST SP 800-63
General Considerations for Determining LOA of an Electronic Identity Credential • Identity Proofing – how sure are you that the person is who he or she claims to be? • Identity Binding – how sure are you that the person proffering the EIC is the person to whom the credential was issued? • Credential integrity – how well does the technology and its implementation resist hacking, fraud, etc.? BRIITE 2007
Summary of Lower-Level Identity Credentials • Level 1: UserID/Password, SAML assertion (XML text) • Level 2:“High entropy” UserID/Password; “policy-lite” PKI, e.g., Fed PKI Citizen and Commerce Class & Federal PKI Rudimentary, TAGPMA Classic Plus (in development) BRIITE 2007
Summary of Cryptographic-Based Identity Credentials • Level 3:One-time Password; Substantial assurance PKI at FPKI Basic, Medium • Level 4:High assurance PKI at FPKI Medium Hardware, High BRIITE 2007
A Little Complication • The government has TWO LOA classifications: • Federal PKI LOA codified in the Certificate Policies of the Federal PKI Policy Authority • E-Authentication LOA codified in OMB M-04-04 BRIITE 2007
E-Auth Level 1 FPKI Rudimentary; C4 E-Auth Level 2 FPKI Basic E-Auth Level 3 FPKI Medium & Medium-cbp E-Auth Level 4 FPKI Medium/HW & Medium/HW-cbp FPKI High (governments only) LOA Mapping E-Auth to Fed PKI BRIITE 2007
SAFE Industry PKIs Fed PKI: View from 20,000 km Common Policy CA (HSPD-12) SSPs Serving all other Agencies CertiPathSSP (HSPD-12- comparable) FBCA CertiPath C4 Industry PKIs eGCA (3) BRIITE 2007
SAFE Industry PKIs Fed PKI: View from 20,000 km DOD DHS NASA Commerce USPS USPTO HHS DOE IL DOJ State DOD/ECA GPO DOD/Interop Treasury Wells Fargo MIT LL UTexasSx Commercial “SSP-like” Common Policy CA (HSPD-12) Total: 15 – 20M users SSPs VeriSign Cybertrust ORC Treasury GPO Exostar Entrust/Cygnacom IdenTrusT? Serving all other Agencies FBCA CertiPath “SSP” (HSPD-12- comparable) State of VA first responders CertiPath C4 Industry PKIs Abbott Labs AstraZeneca Bristol-Myers Squibb Genzyme GlaxoSmithKline INC Research Johnson & Johnson Merck Pfizer Procter & Gamble Sanofi-Aventis TAP Pharmaceuticals Boeing Raytheon Lockheed Martin eGCA (3) ~ 500k users! EAF member CSPs TLS certs BRIITE 2007
Interoperability Initiatives • CertiPath – Federal Bridge cross-certification complete • SAFE PKI Bridge and services – supporting digitally-signed electronic forms and document management • inCommon –assertion-based technology, LOA 1 & 2 – demonstration projects with NSF – interfederation with NIH NOW BRIITE 2007
Technology Implications • US Government LOA, • standardized risk assessment, • standards for PIV cards and identity proofing and vetting are here and INEVITABLY will migrate everywhere • Pickup already noted in aerospace contractor space, homeland security • Feds will have to deal with attributes eventually! BRIITE 2007
Security and Online Services Implications for Higher Ed • DHS first responders, DEA PKIs and CMS initiatives to enable online services and payments management will drive medical schools, hospitals and insurance chains to adopt Federal models for electronic identity authentication • Financial services firms under SEC regulation are already falling in line, both within and outside the eAuthentication federation participation • DEA issuing digital certs to pharmaceutical supply chain entities and plans to do so to service providers (MDs, PAs, NPs, etc.) • Treasury transfers > $1B daily via PKI • Availability of online government apps drive schools to federate to take advantage of services/apps BRIITE 2007
What About Privacy? • No single database of identity credentials • No requirement for only one identity credential • The old tradeoff still exists: convenience vs. security • Are there forces out there that want to know who you are at all times? • Of course; worry about RFID first. BRIITE 2007
NIH E-Authentication Initiative Goals • Researchers use their institutional identity credentials to authenticate to NIH online applications and services • Build a reliable, secure, trusted IT infrastructure that supports e-authentication BRIITE 2007
NIH E-Authentication Initiative Goals • Researchers use their institutional identity credentials to authenticate to NIH online applications and services • Build a reliable, secure, trusted IT infrastructure that supports e-authentication BRIITE 2007
Current NIH Initiatives • Interfederated with InCommon higher education Identity Management Federation at OMB LOA 1: low/no risk applications put online and consume identity credentials issued by universities that are members of InCommon; • Extend interfederation agreement to OMB LOA 2 applications for universities that issue higher-assurance credentials under the InCommon Federation Silver program – for moderate risk applications (ETA 1/08); • Direct trust relationship with University of Texas System Public Key Infrastructure BRIITE 2007
NIH Pilot LOA 1 Applications • NLM Proxy Redirector (initial application ) • Good Clinical Practice (GCP) • Community for Advanced Graduate Training (CAGT) • NIH Login/ADFS/MOSS integration (general collaboration) • More to follow BRIITE 2007
NIH Pilot LOA 2 Applications • Electronic Research Administration (eRA) • caBIG data (via Grid interoperability?) • Firebird (FDA, SAFE, NIAID involvement) • More to follow BRIITE 2007
End State for NIH • All NIH outward-facing, online apps risk assessed and credential LOA requirements determined • Credential validation infrastructure and/or linkages at production operational level • All NIH outward-facing, online apps connected to NIH Login front end with validation service enabling infrastructure (e.g., Shibboleth, etc.) • End State achieved… ??? BRIITE 2007
Resources • altermap@mail.nih.gov • http://csrc.nist.gov/pki • www.cio.gov/fpkipa • www.cio.gov/ficc • www.cio.gov/eauthentication • www.smartcardalliance.org BRIITE 2007