
NASA PKI and the Federal Environment




Presentation Transcript


  1. NASA PKI and the Federal Environment
     13th Fed-Ed PKI Meeting, 15 June ‘06
     Presenter: Tice DeYoung

  2. Background
     • eGov Act of 2002 established 24 applications in 4 areas
       • Government to Citizen
       • Government to Business
       • Government to Government
       • Internal Efficiency & Effectiveness
     • The 25th, the eAuthentication Initiative, cuts across all four areas
       • Provides a consistent means to authenticate the identity of users
     • December 2003 - OMB 04-04 established 4 identity authentication assurance levels for eGov transactions
       • 1 Little or no assurance
       • 2 Some assurance
       • 3 High assurance
       • 4 Very High Assurance
     • April-May 2004 - NASA updated our PKI requirements
       • Extant requirements developed in 1997
       • Need to update for changing NASA environment
     • June 2004 - NIST 800-63 provided technical requirements for each authentication level
       • 1 PINs
       • 2 Passwords
       • 3 PKI software
       • 4 PKI hardware

  3. Background, cont.
     • August 2004 - Homeland Security Presidential Directive #12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors
       • Mandated that NIST develop a Government-wide standard for secure and reliable forms of identification to be issued by the Federal Government to its employees and contractors
     • September 2004 - NASA decides to continue using Entrust as its PKI and to outsource operations to the Department of the Treasury
     • December 2004 - OMB 05-05 required agencies to use a Shared Service Provider (SSP)
     • February 2005 - NIST Federal Information Processing Standard (FIPS) 201: Personal Identity Verification for Federal Employees and Contractors (update draft March 2006)
       • Required a myriad of NIST Special Publications with guidance on different aspects of FIPS-201: 800-73, 800-76, 800-78, 800-79, 800-85A, 800-85B, 800-87, 800-96
     • August 2005 - OMB 05-24 required agencies to develop and submit an HSPD-12 implementation plan

  4. FIPS-201 PKI Implications
     • Mandates that a PKI authentication certificate be on a PIV 2 compliant smart card
     • Mandates two-factor authentication for logical access to all agencies' computer and network resources
     • Mandates PKI key sizes and digital signature algorithms
     • Requires changes to the FPKI Common Policy Framework Certificate Policy

  5. So What Does This Mean for the NASA PKI?
     • NASA must provide PKI credentials to all employees and on-site (behind the firewall) contractors
       • NASA purchased 100,000 Entrust licences in March 2005
     • Treasury must become an SSP if NASA wants to outsource our PKI operations to them
       • Treasury agrees and submits their application in April 2005
       • Treasury completes the process June 2006
     • NASA must begin to provide background checks for all new employees and contractors by October 27, 2006
     • NASA must begin to issue FIPS-201 PIV 2 compliant badges to all new employees and contractors by October 27, 2006
       • These badges must include a PKI authentication certificate
     • NASA must have an approved HSPD-12 implementation plan
       • Submitted December 2005
       • OMB is asking agencies to update their plan by August 2006
     • NASA must begin using two-factor authentication for all logical access to NASA resources

  6. So What Does This Mean for the Federal PKI?
     • FPKI Common Policy Changes
       • Need to include OIDs for the new authentication certificate
       • Need to include requirements for availability of CAs
       • Need to include requirements for availability of CRLs
       • Need to change publication frequency for CRLs
       • Need to change encryption and digital signature key sizes
         • Increase from current 1024-bit RSA to 2048-bit by 1 January 2009
       • Need to change digital signature algorithm
         • Move from current SHA-1 to SHA-224 or SHA-256 by 1 January 2011
     • Common Policy and FBCA Harmonization Required
       • One change will be that agencies cross-certified with the FBCA must assert the common policy OID beginning in 2008
         • Forces agencies to make changes to their PKIs to comply
       • Unclear whether or not an agency must be subordinate to the Common Policy CP starting in 2008
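The key-size, hash-algorithm and policy-OID milestones on this slide are the kind of thing an agency would want to audit across its issued certificates before each deadline. The script below is an added example, not part of the presentation or of NASA's or Treasury's tooling: it takes certificate metadata as plain values (key size, signature hash, issuance date, asserted policy OIDs), which in practice you would extract from parsed X.509, and reports which milestones each certificate fails. The reading that a milestone applies to certificates issued on or after its date, with earlier certificates flagged as legacy for re-key, is an assumption; the `COMMON_POLICY_OID` value is the id-fpki-common-policy OID as I know it from the Common Policy CP and should be confirmed against the CP version in force.

```python
"""Check certificate metadata against the FPKI Common Policy milestones on slide 6.
Added example; certificate fields are supplied as plain values, not parsed from DER."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Milestones from the slide. Assumption: a milestone applies to certificates
# issued (notBefore) on or after its date; earlier certificates are "legacy".
RSA_2048_REQUIRED_FROM = date(2009, 1, 1)
SHA2_REQUIRED_FROM = date(2011, 1, 1)
COMMON_POLICY_OID_REQUIRED_FROM = date(2008, 1, 1)
ACCEPTED_HASHES = {"sha224", "sha256"}
# id-fpki-common-policy as I know it from the Common Policy CP; confirm the
# value against the CP version in force before relying on it.
COMMON_POLICY_OID = "2.16.840.1.101.3.2.1.3.6"

# Review dates used by the sample run below (constructed).
MEETING_DATE = date(2006, 6, 15)
REVIEW_DATE = date(2012, 1, 1)


@dataclass
class CertSummary:
    """Fields a checker would pull out of a parsed X.509 certificate."""
    subject: str
    key_algorithm: str           # "rsa" or "ecdsa"
    key_bits: int
    signature_hash: str          # hash inside the signature algorithm, e.g. "sha1"
    not_before: date             # issuance date
    policy_oids: tuple = ()      # OIDs asserted in certificatePolicies


def check_cert(cert: CertSummary, as_of: date) -> list[str]:
    """Return findings for one certificate as of a review date.
    'fail:' means the certificate was issued after a milestone it does not meet;
    'legacy:' means it predates the milestone but must change at re-key."""
    issued = cert.not_before
    findings: list[str] = []

    if cert.key_algorithm.lower() == "rsa" and cert.key_bits < 2048:
        if issued >= RSA_2048_REQUIRED_FROM:
            findings.append(f"fail: {cert.key_bits}-bit RSA key issued {issued}; "
                            f"2048-bit required from {RSA_2048_REQUIRED_FROM}")
        elif as_of >= RSA_2048_REQUIRED_FROM:
            findings.append(f"legacy: {cert.key_bits}-bit RSA key; re-key at 2048 bits on renewal")

    if cert.signature_hash.lower() not in ACCEPTED_HASHES:
        if issued >= SHA2_REQUIRED_FROM:
            findings.append(f"fail: signed with {cert.signature_hash}; "
                            f"SHA-224 or SHA-256 required from {SHA2_REQUIRED_FROM}")
        elif as_of >= SHA2_REQUIRED_FROM:
            findings.append(f"legacy: signed with {cert.signature_hash}; reissue under SHA-2 on renewal")

    if issued >= COMMON_POLICY_OID_REQUIRED_FROM and COMMON_POLICY_OID not in cert.policy_oids:
        findings.append("fail: common policy OID not asserted in certificatePolicies")

    return findings


def review(certs: list[CertSummary], as_of: date) -> dict[str, list[str]]:
    """Map each subject to its findings so a whole fleet can be triaged at once."""
    return {c.subject: check_cert(c, as_of) for c in certs}


# Constructed sample certificates; not real NASA or Treasury certificates.
SAMPLE_CERTS = [
    CertSummary("legacy-2005", "rsa", 1024, "sha1", date(2005, 6, 1)),
    CertSummary("piv-auth-2009", "rsa", 2048, "sha1", date(2009, 3, 1), (COMMON_POLICY_OID,)),
    CertSummary("piv-auth-2011", "rsa", 2048, "sha256", date(2011, 2, 1), (COMMON_POLICY_OID,)),
    CertSummary("noncompliant-2011", "rsa", 1024, "sha1", date(2011, 2, 1)),
]

if __name__ == "__main__":
    for subject, findings in review(SAMPLE_CERTS, REVIEW_DATE).items():
        print(subject, "->", findings or ["ok"])
```

Run against the meeting date (June 2006) every sample certificate passes, because none of the milestones is in force yet; run against 2012 the 1024-bit SHA-1 certificate from 2005 is reported as legacy (compliant when issued, must change at re-key) while the one issued in 2011 with the same parameters fails outright. Separating the two outcomes is what lets a PKI operator distinguish a renewal backlog from an issuance-policy bug.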

  7. Backup Slides

  8. NIST 800 Series Related to FIPS 201
     • 800-73 Interfaces for Personal Identity Verification, March 2006 (updated April 20, 2006)
     • 800-76 Biometric Data Specification for Personal Identity Verification, February 2006
     • 800-78 Cryptographic Algorithms and Key Sizes for Personal Identity Verification, April 2005
     • 800-79 Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations, July 2005
     • 800-85A PIV Card Application and Middleware Interface Test Guidelines (SP800-73 compliance), April 2006
     • Draft 800-85B, PIV Data Model Conformance Test Guidelines, May 25, 2006
     • 800-87 Codes for the Identification of Federal and Federally-Assisted Organizations, October 2005 (document updated January 17, 2006)
     • Draft SP800-96 PIV Card/Reader Interoperability Guidelines

  9. NASA’s Relationship to the FBCA & Common Policy CA
     [Diagram, flattened in extraction. Nodes: Federal Bridge CA; Treasury Root CA (TRCA); Common Policy CA; NASA Operational CA (NOCA). Edge types shown: Cross Certification [mutual or two-way reference] (two instances); Sub Authorized [Subordinate reference] (two instances).]
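The distinction the diagram draws between cross-certification (mutual: each CA issues a certificate to the other) and subordination (one-way: the parent issues to the child) decides which relying parties can build a certification path to NOCA-issued certificates. The script below is an added example, not from the presentation, that models the relationships as an issuance graph and searches for a path from a relying party's trust anchor to the issuing CA. The specific edges in `ASSUMED_TOPOLOGY` are an assumed reading of the flattened diagram (FBCA cross-certified with both TRCA and the Common Policy CA, NOCA subordinate to TRCA); swap in the real topology to use it.

```python
"""Certification-path discovery over the CA relationships on slide 9.
Added example; the topology below is an assumed reading of the flattened diagram."""
from collections import deque

# Assumed topology: the slide labels the edge types but extraction lost
# which pair of CAs each label joins.
ASSUMED_TOPOLOGY = [
    ("Federal Bridge CA", "Treasury Root CA", "cross"),
    ("Federal Bridge CA", "Common Policy CA", "cross"),
    ("Treasury Root CA", "NASA Operational CA", "subordinate"),
]


def build_issuance_graph(relations):
    """Return {issuer: set(subjects)} from (a, b, kind) triples."""
    graph = {}

    def add(issuer, subject):
        graph.setdefault(issuer, set()).add(subject)
        graph.setdefault(subject, set())

    for a, b, kind in relations:
        if kind == "cross":           # each CA issues a certificate to the other
            add(a, b)
            add(b, a)
        elif kind == "subordinate":   # only the parent issues to the child
            add(a, b)
        else:
            raise ValueError(f"unknown relation kind: {kind}")
    return graph


def find_path(graph, trust_anchor, issuing_ca, max_len=None):
    """Shortest chain of CAs from the relying party's trust anchor to the CA
    that issued the end-entity certificate, or None if no chain exists.
    max_len bounds how many CA certificates the chain may contain, the way
    a path-length limit in a policy would."""
    if trust_anchor not in graph or issuing_ca not in graph:
        return None
    queue = deque([[trust_anchor]])
    seen = {trust_anchor}
    while queue:
        path = queue.popleft()
        if path[-1] == issuing_ca:
            return path
        if max_len is not None and len(path) - 1 >= max_len:
            continue                  # chain already at the limit; do not extend
        for nxt in sorted(graph[path[-1]]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


GRAPH = build_issuance_graph(ASSUMED_TOPOLOGY)

if __name__ == "__main__":
    for anchor in ("Federal Bridge CA", "Common Policy CA", "NASA Operational CA"):
        for target in ("NASA Operational CA", "Federal Bridge CA"):
            print(f"{anchor} -> {target}: {find_path(GRAPH, anchor, target)}")
```

Under the assumed topology a relying party anchored on the FBCA reaches NOCA through TRCA, and one anchored on the Common Policy CA reaches it only by crossing the bridge, so a path-length limit of two CA certificates cuts it off. A relying party anchored on NOCA itself can reach nobody: subordination gives NOCA no certificate issued to its parent, which is exactly why the harmonization question on slide 6 (cross-certified versus subordinate to Common Policy) matters to who can validate NASA certificates.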

  10. NASA’s Original PKI Architecture
      [Diagram, flattened in extraction. Components: NASA; FBCA Cross Certification; Documentation; CA Operation; Policy; PKI Directory; User & RA Software Testing & Distribution; RA Operation; Tech Support; SuperRA Service; Training; PK Enabled Services.]

  11. NASA’s SSP PKI Architecture
      [Diagram, flattened in extraction. Components: Treasury; NASA; FBCA Cross Certification; Documentation; CA Operation; Policy; PKI Directory; User & RA Software Testing & Distribution; RA Operation; Tech Support; SuperRA Service; Training; PK Enabled Services.]
