Enterprise PACS Best Practices
J’son Tyson & Will Morrison, Co-Chairs, ICAMSC Modernized Physical Access Working Group (MPAWG)
June 18, 2013

Agenda
• Review Evolution of PIV and PACS
• Discuss PACS-enabled Authentication Mechanisms
• Identify the PACS in EPACS Requirements
• Review the MPAWG and get involved!
Evolution of PIV and PACS
Homeland Security Presidential Directive 12 (HSPD-12) was issued August 27, 2004 to create a common identification standard for federal employees and contractors for accessing federally-controlled facilities and federal information systems. HSPD-12 aimed to:
• Enhance security
• Increase Federal Government efficiency
• Reduce identity fraud
• Create a government-wide standard for secure and reliable forms of identification

Evolution of PIV and PACS (timeline)
• HSPD-12: August 2004
• FIPS 201: February 2005
• M-05-24: August 2005
• FIPS 201-1: March 2006
• SP 800-116: November 2008
• FICAM Roadmap & Implementation Guidance v1.0: November 2009
• M-11-11: February 2011
• FICAM Roadmap & Implementation Guidance v2.0: December 2011 (including Chapter 10: Modernized PACS)
• FIPS 201-2: anticipated 2013
• ICAMSC PIV in EPACS Guidance (update to federated PACS Guidance): anticipated 2013

Evolution of PIV and PACS
What is next for the PACS world? Federal Information Processing Standards Publication 201-2 (FIPS 201-2), anticipated:
• Nexus for updating NIST SP 800-116
• Deprecates use of CHUID as an authentication mechanism (low assurance)
• CAK becomes mandatory
• Imposes use of PKI-AUTH (PAK) or CAK for token authentication
PACS-enabled Authentication Mechanisms
• An agency PACS cannot be considered PIV-enabled if it is not leveraging the authentication mechanisms in accordance with the guidance in SP 800-116.
• Federal Agency Smart Credential Number (FASC-N): a fixed-length (75-bit) data object; the primary identifier on the PIV Card for physical access control.
• FASC-N Identifier: a subset of the FASC-N that serves as a unique identifier. For full interoperability, a PACS must at a minimum be able to distinguish fourteen digits (i.e., the combination of Agency Code, System Code, and Credential Number) when matching FASC-N-based credentials to enrolled card holders.
• Cardholder Unique Identifier (CHUID): an authentication mechanism that is implemented by transmission of the data object from the PIV Card to the PACS.
Source: NIST SP 800-116

PACS-enabled Authentication Mechanisms
• Card Authentication Key (CAK) [‘keyk’]: defined in NIST SP 800-73; an authentication mechanism that is implemented by a key challenge/response protocol.
• Public Key Infrastructure (PKI): defined in the X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA); a set of policies, processes, server platforms, software, and workstations used for administering certificates and public/private key pairs, including the ability to issue, maintain, and revoke public key certificates.
• PKI-PIV Authentication Key (PKI-AUTH or PAK): defined in FIPS 201-2; a PIV authentication mechanism that is implemented by an asymmetric key challenge/response protocol using the PIV authentication key of the PIV card and a contact reader.
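The slides name the FASC-N fields but not how a PACS reads them off the card. The example below is added here and is not from the presentation: it builds a constructed FASC-N in the 200-bit BCD form carried in the CHUID (5-bit characters with odd parity, an LRC trailer, and the field order from the SCEPACS TIG, all assumptions from outside this page) and parses it back, rejecting parity, sentinel and LRC errors before extracting the 14-digit Agency Code + System Code + Credential Number identifier used to match enrolled card holders.

```python
from functools import reduce
from operator import xor
SS, FS, ES = 0xB, 0xD, 0xF  # start sentinel, field separator, end sentinel nibbles
# (name, digit count, followed by FS?) in SCEPACS TIG order (assumption, not on the slides)
FIELDS = [("agency_code", 4, True), ("system_code", 4, True), ("credential_number", 6, True),
          ("credential_series", 1, True), ("individual_credential_issue", 1, True),
          ("person_identifier", 10, False), ("organizational_category", 1, False),
          ("organizational_identifier", 4, False), ("person_association", 1, False)]
SAMPLE = {"agency_code": "7008", "system_code": "0001",  # constructed values, not a real card
          "credential_number": "000123", "credential_series": "1", "individual_credential_issue": "1",
          "person_identifier": "0000012345", "organizational_category": "1",
          "organizational_identifier": "7008", "person_association": "1"}

def _char_bits(nibble):  # one BCD character: 4 data bits LSB first, then an odd-parity bit
    bits = [(nibble >> i) & 1 for i in range(4)]
    return bits + [1 - (sum(bits) & 1)]

def encode_fascn(fields):  # return the 25-byte FASC-N for a dict of decimal-string fields
    nibbles = [SS]
    for name, width, sep in FIELDS:
        value = fields[name].zfill(width)
        if len(value) != width or not value.isdigit():
            raise ValueError(f"{name} must be {width} decimal digits")
        nibbles += [int(d) for d in value] + ([FS] if sep else [])
    nibbles.append(ES)
    nibbles.append(reduce(xor, nibbles))  # LRC: XOR of all preceding data nibbles
    bits = [b for n in nibbles for b in _char_bits(n)]  # 40 chars x 5 bits = 200 bits
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, 200, 8))

def parse_fascn(raw):  # verify parity, sentinels and LRC; return fields plus the 14-digit identifier
    if len(raw) != 25:
        raise ValueError("FASC-N must be 200 bits")
    bits = [(byte >> (7 - i)) & 1 for byte in raw for i in range(8)]
    chars = [bits[i:i + 5] for i in range(0, 200, 5)]
    if any(sum(c) % 2 == 0 for c in chars):
        raise ValueError("parity error")
    nibbles = [sum(b << k for k, b in enumerate(c[:4])) for c in chars]
    if nibbles[0] != SS or nibbles[-2] != ES or reduce(xor, nibbles[:-1]) != nibbles[-1]:
        raise ValueError("bad sentinel or LRC")
    pos, fields = 1, {}
    for name, width, sep in FIELDS:
        digits = nibbles[pos:pos + width]
        if any(d > 9 for d in digits):
            raise ValueError(f"non-digit in {name}")
        fields[name] = "".join(map(str, digits))
        pos += width + sep  # step over the FS character where the layout has one
        if sep and nibbles[pos - 1] != FS:
            raise ValueError(f"missing separator after {name}")
    fields["pacs_identifier"] = fields["agency_code"] + fields["system_code"] + fields["credential_number"]
    return fields
```

A PACS that matches only on the 14-digit `pacs_identifier` still depends on the CHUID being authentic, which is why the later slides pair it with a CAK or PKI-AUTH challenge/response.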
Discussion Items
• How is your agency planning to accommodate potential PACS-related changes (i.e., FIPS 201-2, NIST SP 800-116-1, etc.)?
• Is your agency facing challenges around use of PKI-Auth or CAK for token authentication and, if so, what types of challenges?

PACS-enabled Authentication Mechanisms
What are the Challenge Factors?
• Something you Have, e.g., PIV or PIV-I Card (Challenge/Response)
• Something you Know, e.g., PIN (to unlock card)
• Something you Are, e.g., Biometrics (fingerprint, iris)
PACS-enabled Authentication Mechanisms Source: NIST SP 800-116
PACS-enabled Authentication Mechanisms
CL? = Authentication Mode is available on the contactless interface
INT? = Authentication Mode is interoperable across cards from other PIV issuers
PIV in EPACS
PACS will need to:
• Provision or register the PIV Authentication Key (PKI-AUTH / PAK) or Card Authentication Cert (CAK), OR
• Provision or register a PKI credential derived from PAK/CAK, AND
• Electronically validate the PKI certificate
• Validate/challenge the private key of the registered PIV/PKI certificate

Discussion Items
• What steps is your agency taking to implement an enterprise PACS?

Discussion Items
• In what areas does your agency need more guidance to support implementation of an enterprise PACS?
• What approaches or “best practices” to implementing an enterprise PACS have successfully worked for your agency?
• What advice or “lessons learned” would you give to other agencies in the initial stages of implementing an enterprise PACS?

Get Involved in the MPAWG
• Will Morrison, FAA: William.Morrison@faa.gov
• J’son Tyson, FEMA: J'son.Tyson@fema.dhs.gov

Challenge Factors
• Grayed areas do not appear in NIST SP 800-116
• Low assurance factors indicate no cryptographic verification
• The CAK may be a symmetric or asymmetric key