Federal Conformance and Interoperability Testing EAuthentication and Homeland Security Presidential

1
Federal Conformance and Interoperability Testing
E-Authentication and Homeland Security
Presidential Directive 12David Temoshok
Director, Identity Policy and Management GSA
Office of Governmentwide Policy
Electronic Authentication Partnership August 11,
2005
2
Session Topics

• EAI SAML Interoperability Testing
• FBCA Interoperability Testing for Federal PKI
• Overview of HSPD 12 and FIPS 201 Requirements
• NIST Conformance Testing for HSPD 12
• GSA Acquisition Approach for HSPD 12

3
EAI Key Architecture Design Considerations

• No central registry of personal information,
  attributes, or authorization privileges
  decentralized approach means federation.
• Different authentication assurance levels are
  needed for different types of transactions.
• Architecture must support multiple authentication
  technologies.
• Architecture must support multiple protocols.
• Federal Government will not mandate a single
  proprietary solution, therefore, Architecture
  must support multiple COTS products.
• Federal Government will adopt prevailing industry
  standards that best meet the Governments needs.
• All architecture components must interoperate
  with ALL other components.
• Controls must protect privacy of personal
  information.

4
E-Authentication Technical Interfaces Base Case
Data/Information Flows
Step 1 User goes to Portal to select the AA
and CS
Step 1 No PII is presented to the portal, no
transaction data is recorded, no system of
records is maintained.
Policy Enforcement Point
Step 2 Users simply sign on using previously
established processes with CSP (PIN, Password).
PIN, Passwords are expressed only to CSP, not to
e-Auth Portal or AA.
Policy Enforcement Point
Step 3 CSP provides SAML assertion with users
common name assurance level (at a minimum) to
the AA.
Policy Enforcement Point
5
Federal Interoperability Lab

• Tests interoperability of products for
  participation in e-Authentication architecture.
• Conformance testing to Fed e-Authentication
  Interface Specification
• Interoperability testing among all approved
  products
• Currently 11 SAML 1.0 products on Approved
  Product List.
• See URL http//cio.gov/eauthentication
• Multiple protocol interoperability testing will
  be very complex
• 4/07/05 RFI for Certificate Path
  Discovery/Validation Service
• GSA intends to continue to test architecture
  components for interoperability and capability to
  meet governmentwide use requirements

6
Federal PKI Interoperability Testing

• The Federal PKI (FPKI) incorporates multiple
  cross-certified federal/nonfederal CAs that have
  demonstrated interoperability among each other.
• To participate in the FPKI, domain entities must
  successfully demonstrate compliance with 3 tests
  policy mapping at designated assurance levels,
  procedural compliance audit, and technical
  interoperability testing.
• The Federal Bridge Certification Authority (FBCA)
  is an information system that implements the
  Federal PKI. It is directed to solve the
  technical interoperability challenge of the
  Federal PKI to meld individual entity initiatives
  that use PKI products from a variety of
  commercial vendors into a seamless, interoperable
  Federal PKI.
• The FBCA functions as a non-hierarchical hub
  allowing entities to create a certificate trust
  path from its domain back to the domain of the
  entity that issued the certificate using
  cross-certificates, so that the levels of
  assurance honored by disparate PKIs can be
  reconciled.
• The FBCA operates a test facility for the
  following mandatory tests
• Successful exchange of PKI certificates
• Directory interoperability
• Ability of each party to validate the others CA
  certificates and cross certificates.

7
HSPD-12 Presidential Policy Driver
Home Security Presidential Directive 12
(HSPD-12) Policy for a Common Identification
Standard for Federal Employees and
Contractors Dated August 27, 2004
8
HSPD 12 Requirements

• Secure and reliable forms of personal
  identification that are
• Based on sound criteria to verify an individual
  employees identity
• Strongly resistant to fraud, tampering,
  counterfeiting, and terrorist exploitation
• Rapidly verified electronically
• Issued only by providers whose reliability has
  been established by an official accreditation
  process
• Applicable to all government organizations and
  contractors except identification associated with
  National Security Systems
• Used for access to federally-controlled
  facilities and logical access to
  federally-controlled information systems
• Flexible in selecting appropriate security level
  includes graduated criteria from least secure
  to most secure
• Implemented in a manner that protects citizens
  privacy

9
Fiscal Year 2005 FIPS 201 Schedule
10
FIPS 201 Personal Identity Verification
Requirements Phased Implementation

• Part 1 Common Identification and Security
  Requirements
• Identity proofing, registration, and issuance
  requirements
• Privacy requirements
• PIV Part 1 implementation 10/05
• Part 2 Common Interoperability Requirements
• Detailed technical specifications
• Expands and enhances functionality required by
  GSC-IS 2.1
• PIV Part 2 implementation 10/06

11
FIPS 201 PIV Requirements Identity Proofing,
Registration

• PIV Cards issued only to individuals whose true
  identity has been verified.
• Background investigation is mandatory
• 2 forms of original identity source documents are
  mandatory, at least one must be valid Federal or
  State government issued picture ID
• Applicant must appear in-person at least once
  before credentialing authority
• PIV card Issuing Organizations must be accredited
  in accordance with NIST SP 800-79 before
  performing FIPS 201 services
• PIV identity proofing, registration, and issuance
  process must provide for separation of duties
• No credential may be issued unless authorized by
  appropriate credentialing authority
• Registration process must provide for capture of
  mandatory biometrics data
• Full set of fingerprints for law enforcement
  checks
• Digital facial image used for printing on the
  card
• 2 digital fingerprints for storage on the card
• Security of the PIV card Issuing Organizations
  computer systems must be accredited in accordance
  with NIST SP 800-37.

12
FIPS 201 PIV Card Visual Data

• Mandatory
• Photograph
• Name
• Employee Affiliation
• Organizational Affiliation
• Card Expiration Date
• Card Serial Number (unique to issuer)
• Issuer Identification

• Optional
• Cardholders written signature
• Rank
• Agency Seal
• Issue Date
• Information for Returning Lost Card
• Color Codes
• Agency-specific information

13
FIPS 201 PIV Card Technical Requirements

• Mandatory
• Integrated circuit (smart card) to store/process
  data
• Contact and contact-less chips and interface
• Optional
• Magnetic stripe
• Bar code

14
FIPS 201 PIV Card Digital Credentials

• Mandatory
• PIN (used to prove identity of the cardholder to
  the card)
• Cardholder Unique Identifier (CHUID, used to
  prove identity of cardholder to external entity)
• PIV Authentication Key (used authenticate card
  and prove identity of cardholder to external
  entity)
• Two biometric fingerprints (used to prove
  identity of cardholder to external entity)

• Optional
• PIV Card Authentication Key (used to authenticate
  the card, may employ symmetric or asymmetric key
  pair)
• Digital Signature Key (used to generate digital
  signatures)
• Encryption Key
• Card Management Key (imported to card by Issuer,
  used for personalization or post-issuance
  activities)

15
FIPS 201 PIV Testing Program

• NIST Conformance Testing
• Conformance testing PIV middleware and PIV card
  application (SP 800-73 compliance)
• See NIST SP 800-85 (Draft) issued 8/5/05
• PIV 2 Product Interoperability testing
• PIV 2 Product Performance testing

16
NIST Conformance Test Suites

• NIST FIPS-201 Reference Implementation 6/25/05
• NIST Conformance Test Suites 8/05/05
• Conformance validation to the requirements of
  FIPS 201, and related technical specifications
  (NIST SP 800-73, 800-76, 800-78)
• Represents functional testing certification
• Certification testing for cryptographic module
  security requirements are conducted under FIPS
  140-2 and will be combined with FIPS 201
  functional testing
• NIST will designate one or more accredited NVLAP
  labs (for 140-2 certification) to perform FIPS
  201 conformance testing and validation
• BKP Security Labs, Santa Clara, CA 200648-
  0InfoGard Laboratories, Inc., San Luis Obispo,
  CA 100432- 0COACT Inc. CAFE Laboratory,
  Columbia, MD 200416- 0Atlan Laboratories,
  McLean, VA 200492- 0CygnaCom Solutions, Inc.,
  McLean, VA 200002- 0DOMUS Information
  Technology Security Laboratory, Ottawa Ontario
  K1G 5L2, CANADA 200017- 0EWA - Canada IT
  Security Evaluation Test Facility, Ottawa
  Ontario K1P 6L5, CANADA 200556- 0BT
  Cryptographic Module Testing Laboratory, Fleet,
  Hampshire GU51 2UZ, UNITED KINGDOM 200626-
  0LogicaCMG FIPS Laboratory, Leatherhead Surrey
  KT22 7LP, UNITED KINGDOM 200583- 0

17
GSA Acquisition Approach for HSPD 12

• Key governmentwide initiatives have established
  program, policy, and technical requirements for
  commercial products and services.
• GSA Is establishing approved products/services
  for specific business lines based on compliance
  with established requirements.
• Approved products are made available on
  governmentwide basis. Agencies are directed to
  use only the approved products/services for
  authentication/identity management, HSPD 12 needs
• GSA will establish and publish procedures for
  applying and qualifying for each BPA
• Define pre-requisite qualifying requirements,
  application procedures, evaluation procedures,
  and ongoing qualifying requirements in BPAs
• Approved products and services will be made
  available through GSA IT Multi-Award Schedule 70
• Under E-Gov Act of 2002, State and local
  Governments can acquire products/services
  directly from IT Schedule 70.

18
For More Information

• Supporting Publications
• NIST SP 800-73 Interfaces for PIV Card
  Interfaces and Commands
• NIST SP 800-76 Biometric Data Specification for
  PIV
• NIST SP 800-78 Cryptographic Algorithms and Key
  Sizes for PIV
• NIST SP 800-79 Issuing Organization
  Accreditation Guideline
• GSA Implementation Guidance Identity Management
  Handbook

• Visit our Websites
• http//www.cio.gov/eauthentication
• http//www.cio.gov/ficc
• http//www.cio.gov/fbca
• http//www.cio.gov/fpkipa
• http//csrc.nist.gov/piv-project/
• http//www.cio.gov/fpkisc
• http//www.smart.gov/
• Or contact
• David Temoshok
• Director, Identity Policy and Management
• 202-208-7655
• david.temoshok_at_gsa.gov