The E-Authentication Initiative PKI and the U.S. Federal e-Authentication Architecture, Peter Alterman (PowerPoint presentation)

About This Presentation
Title: The E-Authentication Initiative PKI and the U.S. Federal e-Authentication Architecture, Peter Alterman
Description: The E-Authentication Initiative PKI and the U.S. Federal e-Authentication ... To develop and promulgate policies and procedures to sustain a common identity ...
Slides: 12
Provided by: linda483
Transcript and Presenter's Notes

1
The E-Authentication Initiative PKI and the U.S. Federal e-Authentication Architecture
Peter Alterman, Ph.D.
Assistant CIO for e-Authentication, NIH, and Chair, Federal PKI Policy Authority
The E-Authentication Initiative
2
Purpose and Function of the E-Authentication Initiative
  • To provide a single source of identity
    authentication services for Federal Agency
    Applications
  • To develop and promulgate policies and procedures
    to sustain a common identity federation for the
    Federal Government in support of e-Gov and HSPD-12

3
Summary of E-Authentication Approach
  • Four Levels of Assurance of Identity (LOA) from
    Policy
  • LOA 1 and 2 are assertion-based: userid/password,
    SAML, Shibboleth, etc.
  • LOA 3 and 4 are cryptographically based: PKI,
    etc.
  • The required LOA is determined by a standard risk assessment
  • Agency Applications (AAs) autonomous for
    authorization decisions
  • AAs rely on credentials issued by external
    Credential Service Providers who submit to an
    assessment based on a Credential Assessment
    Framework
  • Principle of reusable credentials

4
Why Does PKI Fit into the e-Authentication Architecture?
  • While the bulk of the early-phase rollouts of
    e-Gov applications are web-enabled applications...
  • 2003 OASIS survey identified signed electronic
    forms as the highest priority use for PKI (1)
  • Does anybody want to estimate how many Government
    forms are in use?
  • (1) OASIS Public Key Infrastructure Technical
    Committee, Analysis of June 2003 Survey on
    Obstacles to PKI Deployment and Usage, August 8,
    2003, http://www.oasis-open.org/committees/pki/pkiobstaclesjune2003surveyreport.pdf

5
What Role Does PKI Play in the e-Authentication Architecture?
  • Reliably satisfies identity assurance levels 3
    and 4 (OMB M-04-04)
  • Reliably satisfies risk levels 3 and 4 (FIPS 199,
    SP 800-63)
  • Mandated for HSPD-12 on SmartCards
  • In Hoc Signo Vinces: PKI with Bridge
    interoperability is a great example of federated
    identity management
  • PKI integrates well with emerging technologies
    that link authentication and authorization, e.g.,
    SAML

6
Therefore...
  • PKI is the prime candidate technology for
    satisfying electronic forms signing business
    processes
  • PKI is the prime candidate for satisfying the
    authentication needs of business transactions
    that require levels 3 and 4 identity assurance
  • PKI is an excellent technology match for
    e-Authentication authentication and authorization
    implementations

7
Status of PKI in the Federal e-Authentication Architecture
  • HSPD-12 and derivative documents mandate medium
    assurance PKI for logical and physical access to
    resources for Feds and contractors
  • Operational PKIs in defense and civilian agencies
    now; DOD and State Department PKIs are
    hardware-based
  • Federal Bridge is operational and linked to all
    currently operational Federal PKIs, State of
    Illinois PKI and prototype Higher Ed Bridge;
    links to Canada, Australia, UK and EU under way
  • Other Federal Agencies rolling out PKIs in near
    future, either self-managed or acquired from
    approved service providers under ACES or Common
    Policy Shared Service Provider Program.
  • Higher Education Bridge, Pharmaceutical Industry
    Bridge, Aerospace Industry Bridge

8
How PKIs Link to the e-Authentication Architecture
  • Existing Federal Agencies cross-certify and
    interoperate through the Federal Bridge
  • New Federal Agencies use the Common Policy
    Framework and shared service providers (SSPs)
  • External PKIs (governments, corporations,
    colleges and universities, etc.) cross-certify
    and interoperate with the Federal Bridge
  • Other bridges cross-certify and interoperate with
    the Federal Bridge

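Slide 8 describes the mechanism that makes the whole architecture work: a relying party (an Agency Application) trusts only its own anchor, and certificates from another PKI become acceptable when that PKI's CA has been cross-certified by the Federal Bridge. The example below is added here and is not code from the presentation or from any Federal PKI component. It uses Go's standard library to construct a toy bridge CA, a toy agency CA, the cross-certificate the bridge issues to the agency CA, and one user certificate (all names and keys are hypothetical and generated at run time), then plays the relying party: path validation to the bridge anchor succeeds only when the cross-certificate is available as an intermediate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ToyPKI holds the constructed certificates. All names are hypothetical;
// nothing here comes from the Federal Bridge or any agency PKI.
type ToyPKI struct {
	BridgeRoot *x509.Certificate // self-signed Bridge CA: the relying party's trust anchor
	AgencyRoot *x509.Certificate // self-signed Agency CA: not trusted directly by the relying party
	CrossCert  *x509.Certificate // cross-certificate: the Bridge certifies the Agency CA's key
	EndEntity  *x509.Certificate // user certificate issued by the Agency CA
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate returns a CA certificate template. Go derives the SubjectKeyId
// from the public key, so the cross-certificate and the agency root (same key,
// same name) are recognised as the same CA during path building.
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// sign issues a certificate for pub from tmpl, signed with parentKey.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildToyPKI constructs the bridge, the agency CA, the cross-certificate
// issued by the bridge to the agency CA, and one user certificate.
func BuildToyPKI() *ToyPKI {
	bridgeKey, agencyKey, userKey := newKey(), newKey(), newKey()

	bridgeTmpl := caTemplate(1, "Toy Federal Bridge CA")
	bridgeRoot := sign(bridgeTmpl, bridgeTmpl, &bridgeKey.PublicKey, bridgeKey)

	agencyTmpl := caTemplate(2, "Toy Agency CA")
	agencyRoot := sign(agencyTmpl, agencyTmpl, &agencyKey.PublicKey, agencyKey)

	// Cross-certification: same subject name and public key as the agency
	// root, but signed by the bridge under the bridge's policy.
	crossCert := sign(caTemplate(3, "Toy Agency CA"), bridgeRoot, &agencyKey.PublicKey, bridgeKey)

	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      pkix.Name{CommonName: "Toy Agency User"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	user := sign(userTmpl, agencyRoot, &userKey.PublicKey, agencyKey)

	return &ToyPKI{BridgeRoot: bridgeRoot, AgencyRoot: agencyRoot, CrossCert: crossCert, EndEntity: user}
}

// VerifyViaBridge plays the relying party: it trusts only the bridge root and
// tries to build a path from the user certificate to it. It returns the
// length of the first valid chain (user, cross-certificate, bridge = 3).
func VerifyViaBridge(p *ToyPKI, withCrossCert bool) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(p.BridgeRoot)
	intermediates := x509.NewCertPool()
	if withCrossCert {
		intermediates.AddCert(p.CrossCert)
	}
	chains, err := p.EndEntity.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	p := BuildToyPKI()
	n, err := VerifyViaBridge(p, true)
	fmt.Printf("with cross-certificate:    chain length %d, err=%v\n", n, err)
	_, err = VerifyViaBridge(p, false)
	fmt.Printf("without cross-certificate: err=%v\n", err)
}
```

The same mechanism extends to the bridge-to-bridge links on slide 8: a second bridge's cross-certificate would simply be one more intermediate in the pool. What the toy leaves out, and what real bridge cross-certification carries, is the policy mapping and name constraints in the cross-certificate that tell the relying party which assurance level (FBCA Medium, High) the foreign CA's certificates map to.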
9
Interfederation Interoperability
  • Assertion-level trust transactions require
    federation-to-federation policy and technology
    interoperability initiatives
  • Under way with InCommon (Internet2)
  • Crypto-level trust transactions mediated by
    Federal Bridge
  • Under way with Higher Education Bridge,
    Pharmaceutical Industry Bridge, Aerospace Bridge

10
Figure FPKI: The Federal PKI / The E-Authentication Federated Approach (diagram; only its labels survive extraction)
  • Step 2: The user is passed directly to the AA.
  • Step 3: The user authenticates to the AA directly using SSL or TLS (mutual authentication of SAML/SSL certificates only).
  • Step 4: The AA uses the validation service to validate the certificate. Validation service interfaces shown: XKMS, OCSP, CAM, SOAP, others.
  • Federal PKI policies and CAs shown: FBCA Certificate Policy and FBCA Certification Authority; E-Governance Certificate Policy and E-Governance Certification Authority; FPKI Common Policy Framework (FCPF) Certificate Policy and FCPF Policy Certification Authority (trust anchor for Common Policy hierarchical PKI subscribers); Citizen and Commerce Class Common (C4) Certificate Policy and C4 Policy Certification Authority (included in browser list of CAs); ACES; Qualified Shared Service Provider; USDA/NCF; Verisign; DST.
  • Entities cross-certified with the Federal PKI: other Bridge CAs; Agencies (legacy Agency CA policy); States; Private Sector; Foreign Entities. Relationship types shown: two-way cross-certified (FBCA High, FBCA Medium); optionally two-way cross-certified; one-way cross-certified.
  • Private-sector parties named: Wells Fargo, AOL, PEPCO.
11
More PKI Information
  • peter.alterman_at_nih.gov
  • http://csrc.nist.gov/pki
  • http://www.cio.gov/fbca
  • http://pki.od.nih.gov
  • http://www.middleware.internet2.edu/pki04