Title: Federal Conformance and Interoperability Testing: E-Authentication and Homeland Security Presidential Directive 12
1 Federal Conformance and Interoperability Testing
E-Authentication and Homeland Security Presidential Directive 12
David Temoshok
Director, Identity Policy and Management, GSA Office of Governmentwide Policy
Electronic Authentication Partnership, August 11, 2005
2 Session Topics
- EAI SAML Interoperability Testing
- FBCA Interoperability Testing for Federal PKI
- Overview of HSPD 12 and FIPS 201 Requirements
- NIST Conformance Testing for HSPD 12
- GSA Acquisition Approach for HSPD 12
3 EAI Key Architecture Design Considerations
- No central registry of personal information, attributes, or authorization privileges; a decentralized approach means federation.
- Different authentication assurance levels are needed for different types of transactions.
- Architecture must support multiple authentication technologies.
- Architecture must support multiple protocols.
- Federal Government will not mandate a single proprietary solution; therefore, the architecture must support multiple COTS products.
- Federal Government will adopt prevailing industry standards that best meet the Government's needs.
- All architecture components must interoperate with ALL other components.
- Controls must protect the privacy of personal information.
4 E-Authentication Technical Interfaces: Base Case Data/Information Flows
- Step 1: User goes to the Portal to select the AA (Agency Application) and CS (Credential Service). No PII is presented to the portal, no transaction data is recorded, and no system of records is maintained. (Policy Enforcement Point)
- Step 2: User signs on using previously established processes with the CSP (PIN, password). PINs and passwords are presented only to the CSP, never to the e-Auth Portal or the AA. (Policy Enforcement Point)
- Step 3: CSP provides a SAML assertion carrying the user's common name and assurance level (at a minimum) to the AA. (Policy Enforcement Point)
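The AA is the Policy Enforcement Point for Step 3: before it trusts the common name the CSP asserts, it has to decide whether the assertion came from an approved CSP, is still valid, was issued for this AA, and carries an assurance level high enough for the transaction. The following is an added example of those checks, not code from the GSA program or its interface specification. Everything in it is constructed: the attribute names and namespace, the CSP and AA URLs, the sample assertion and the clock values. It also assumes the XML Signature on the assertion has already been verified by a separate XML-DSig library (signature verification is not shown), and in production the XML would be parsed with a hardened parser rather than the stock `xml.etree`.

```python
"""Agency Application (AA) side of Step 3: evaluate the SAML 1.x assertion a
CSP returns after authenticating the user with its own PIN/password.
Added example, stdlib only. ASSUMPTIONS: the attribute names, namespace,
CSP/AA URLs and the sample assertion are constructed placeholders; the
XML Signature over the assertion is assumed to have been verified by a
separate XML-DSig library before these checks run (not shown here)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Hypothetical attribute names; the real Federal e-Authentication Interface
# Specification defines its own.
ATTR_COMMON_NAME = "CommonName"
ATTR_ASSURANCE = "AssuranceLevel"

# CSPs this AA accepts assertions from (constructed; in practice taken from
# the Approved Product List / portal metadata, never from the assertion itself).
APPROVED_CSPS = {"https://csp.example.gov"}
AUDIENCE = "https://aa.example.gov/benefits"   # this AA's own identifier

# Constructed sample assertion; the Signature element is omitted (see docstring).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    MajorVersion="1" MinorVersion="1" AssertionID="_a1b2c3"
    Issuer="https://csp.example.gov" IssueInstant="2005-08-11T14:00:00Z">
  <saml:Conditions NotBefore="2005-08-11T13:59:00Z"
                   NotOnOrAfter="2005-08-11T14:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>{AUDIENCE}</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2005-08-11T14:00:00Z">
    <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="{ATTR_COMMON_NAME}" AttributeNamespace="urn:example:eauth">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="{ATTR_ASSURANCE}" AttributeNamespace="urn:example:eauth">
      <saml:AttributeValue>2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Clock values for the worked run (constructed).
NOW = datetime(2005, 8, 11, 14, 1, tzinfo=timezone.utc)
TOO_LATE = datetime(2005, 8, 11, 14, 5, tzinfo=timezone.utc)  # equals NotOnOrAfter


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_assertion(xml_text, audience, required_level, now):
    """Policy Enforcement Point decision. Returns (accepted, reason,
    common_name, level). Rejects unless the issuer is an approved CSP, the
    assertion is inside its validity window, it was issued for this AA, it
    carries an authentication statement, and the CSP's assurance level meets
    the level this transaction requires."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML assertion", None, None
    issuer = root.get("Issuer")
    if issuer not in APPROVED_CSPS:
        return False, f"issuer {issuer!r} not on approved CSP list", None, None
    cond = root.find("saml:Conditions", NS)
    not_before = cond.get("NotBefore") if cond is not None else None
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not (not_before and not_after):
        return False, "missing validity window", None, None
    if not (_ts(not_before) <= now < _ts(not_after)):
        return False, "assertion outside validity window", None, None
    audiences = {a.text for a in cond.findall(".//saml:Audience", NS)}
    if audience not in audiences:
        return False, "assertion not issued for this AA", None, None
    if root.find("saml:AuthenticationStatement", NS) is None:
        return False, "no AuthenticationStatement", None, None
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("AttributeName")] = value.text if value is not None else None
    name = attrs.get(ATTR_COMMON_NAME)
    try:
        level = int(attrs.get(ATTR_ASSURANCE) or "")
    except ValueError:
        return False, "missing or malformed assurance level", name, None
    if level < required_level:
        return False, f"assurance level {level} below required {required_level}", name, level
    return True, "ok", name, level


if __name__ == "__main__":
    print(evaluate_assertion(SAMPLE_ASSERTION, AUDIENCE, 2, NOW))       # accepted
    print(evaluate_assertion(SAMPLE_ASSERTION, AUDIENCE, 3, NOW))       # level too low
    print(evaluate_assertion(SAMPLE_ASSERTION, AUDIENCE, 2, TOO_LATE))  # expired
```

The required level is a property of the transaction, not of the assertion: the same assertion is accepted for a level-2 transaction and refused for a level-3 one, which is how a single CSP can serve applications with different assurance needs. The issuer check is against a list the AA already holds, so a rogue service cannot vouch for itself, and the audience check stops an assertion minted for one AA from being replayed at another.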
5 Federal Interoperability Lab
- Tests interoperability of products for participation in the e-Authentication architecture.
- Conformance testing to the Federal e-Authentication Interface Specification.
- Interoperability testing among all approved products.
- Currently 11 SAML 1.0 products on the Approved Product List; see http://cio.gov/eauthentication
- Multiple-protocol interoperability testing will be very complex.
- 4/07/05: RFI for a Certificate Path Discovery/Validation Service.
- GSA intends to continue to test architecture components for interoperability and for the capability to meet governmentwide use requirements.
6 Federal PKI Interoperability Testing
- The Federal PKI (FPKI) incorporates multiple cross-certified federal and non-federal CAs that have demonstrated interoperability with each other.
- To participate in the FPKI, domain entities must successfully demonstrate compliance with 3 tests: policy mapping at designated assurance levels, a procedural compliance audit, and technical interoperability testing.
- The Federal Bridge Certification Authority (FBCA) is an information system that implements the Federal PKI. It is directed to solve the technical interoperability challenge of the Federal PKI: to meld individual entity initiatives that use PKI products from a variety of commercial vendors into a seamless, interoperable Federal PKI.
- The FBCA functions as a non-hierarchical hub, allowing an entity to create a certificate trust path from its own domain back to the domain of the entity that issued the certificate using cross-certificates, so that the levels of assurance honored by disparate PKIs can be reconciled.
- The FBCA operates a test facility for the following mandatory tests:
  - Successful exchange of PKI certificates
  - Directory interoperability
  - Ability of each party to validate the other's CA certificates and cross-certificates
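What "reconciling assurance levels through a non-hierarchical hub" means in practice is the policy-mapping step of path validation: each cross-certificate asserts the issuing domain's policies and maps them onto the subject domain's names for the equivalent level, and a relying party walks the cross-certificates from its own trust anchor to the issuing CA, carrying the set of still-acceptable policies. The following is an added illustration of that path discovery and mapping logic, and of the kind of work the Certificate Path Discovery/Validation Service RFI on slide 5 concerns; it is not FBCA or GSA code. The topology is constructed, the policy labels are hypothetical stand-ins for real certificatePolicies OIDs, and only the mapping part of validation is modelled: signatures, validity periods, name constraints, revocation and the anyPolicy special case are deliberately left out.

```python
"""Trust-path discovery through a bridge CA with policy mapping.
Added example. ASSUMPTIONS: the bridge topology below is constructed; the
policy strings are hypothetical labels standing in for certificatePolicies
OIDs; only policy mapping is modelled (no signature, validity, name
constraint, revocation or anyPolicy processing)."""
from collections import deque


class CrossCert:
    """A cross-certificate in which `issuer` certifies `subject`.
    `policies` is the certificatePolicies the issuer asserts, in the issuer's
    own terms; `mappings` is the policyMappings extension,
    issuerDomainPolicy -> subjectDomainPolicy."""

    def __init__(self, issuer, subject, policies, mappings=None):
        self.issuer, self.subject = issuer, subject
        self.policies = frozenset(policies)
        self.mappings = dict(mappings or {})


# Constructed topology: Agency A and Agency B are each cross-certified with
# the FBCA in both directions. A is mapped at medium and high, B only at medium.
BRIDGE = [
    CrossCert("AgencyA-CA", "FBCA", {"A-medium", "A-high"},
              {"A-medium": "FBCA-medium", "A-high": "FBCA-high"}),
    CrossCert("FBCA", "AgencyA-CA", {"FBCA-medium", "FBCA-high"},
              {"FBCA-medium": "A-medium", "FBCA-high": "A-high"}),
    CrossCert("AgencyB-CA", "FBCA", {"B-medium"}, {"B-medium": "FBCA-medium"}),
    CrossCert("FBCA", "AgencyB-CA", {"FBCA-medium"}, {"FBCA-medium": "B-medium"}),
]


def find_trust_paths(cross_certs, trust_anchor, target_ca, initial_policies):
    """Breadth-first search from the relying party's trust anchor to the CA
    that issued the end-entity certificate, carrying forward the set of
    policies still acceptable after each hop's policy mapping. A hop whose
    cross-certificate asserts none of the currently acceptable policies is
    pruned: the bridge can translate an assurance level, never raise it.
    Returns a list of (path, policies) pairs, shortest paths first."""
    by_issuer = {}
    for cc in cross_certs:
        by_issuer.setdefault(cc.issuer, []).append(cc)
    found = []
    queue = deque([((trust_anchor,), frozenset(initial_policies))])
    while queue:
        path, policies = queue.popleft()
        if path[-1] == target_ca:
            found.append((list(path), set(policies)))
            continue
        for cc in by_issuer.get(path[-1], []):
            if cc.subject in path:      # loop-free paths only
                continue
            # A policy survives the hop only if this cross-cert asserts it;
            # it then continues under the subject domain's name for it.
            carried = frozenset(cc.mappings.get(p, p) for p in policies if p in cc.policies)
            if carried:
                queue.append((path + (cc.subject,), carried))
    return found


def accepts(cross_certs, trust_anchor, required_policy, issuing_ca, ee_policies):
    """Decide whether an end-entity certificate issued by `issuing_ca` and
    asserting `ee_policies` satisfies `required_policy`, expressed in the
    relying party's own domain. Returns the accepted path, or None."""
    for path, policies in find_trust_paths(cross_certs, trust_anchor, issuing_ca, {required_policy}):
        if policies & set(ee_policies):
            return path
    return None


if __name__ == "__main__":
    # Agency A relying party, Agency B subscriber certificate at B's medium level
    print(accepts(BRIDGE, "AgencyA-CA", "A-medium", "AgencyB-CA", {"B-medium"}))
    # Same certificate cannot satisfy A's high level: B is only bridged at medium
    print(accepts(BRIDGE, "AgencyA-CA", "A-high", "AgencyB-CA", {"B-medium"}))
```

The second call is the important one: a path to Agency B's CA exists, but the FBCA-to-B cross-certificate asserts only FBCA-medium, so a requirement of A-high is dropped at that hop and no path survives. That is the property the mandatory "policy mapping at designated assurance levels" test protects: a relying party cannot be led, through the bridge, to accept a credential issued under a weaker policy than the one it asked for.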
7 HSPD-12 Presidential Policy Driver
Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, dated August 27, 2004.
8 HSPD-12 Requirements
- Secure and reliable forms of personal identification that are:
  - Based on sound criteria to verify an individual employee's identity
  - Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
  - Rapidly verified electronically
  - Issued only by providers whose reliability has been established by an official accreditation process
- Applicable to all government organizations and contractors, except identification associated with National Security Systems
- Used for access to federally-controlled facilities and logical access to federally-controlled information systems
- Flexible in selecting the appropriate security level: includes graduated criteria from least secure to most secure
- Implemented in a manner that protects citizens' privacy
9 Fiscal Year 2005 FIPS 201 Schedule (schedule chart not reproduced in text)
10 FIPS 201 Personal Identity Verification Requirements: Phased Implementation
- Part 1: Common Identification and Security Requirements
  - Identity proofing, registration, and issuance requirements
  - Privacy requirements
  - PIV Part 1 implementation: 10/05
- Part 2: Common Interoperability Requirements
  - Detailed technical specifications
  - Expands and enhances functionality required by GSC-IS 2.1
  - PIV Part 2 implementation: 10/06
11 FIPS 201 PIV Requirements: Identity Proofing, Registration
- PIV Cards are issued only to individuals whose true identity has been verified.
- A background investigation is mandatory.
- 2 forms of original identity source documents are mandatory; at least one must be a valid Federal or State government issued picture ID.
- The applicant must appear in person at least once before the credentialing authority.
- PIV Card Issuing Organizations must be accredited in accordance with NIST SP 800-79 before performing FIPS 201 services.
- The PIV identity proofing, registration, and issuance process must provide for separation of duties.
- No credential may be issued unless authorized by the appropriate credentialing authority.
- The registration process must provide for capture of mandatory biometric data:
  - Full set of fingerprints for law enforcement checks
  - Digital facial image used for printing on the card
  - 2 digital fingerprints for storage on the card
- Security of the PIV Card Issuing Organization's computer systems must be accredited in accordance with NIST SP 800-37.
12 FIPS 201 PIV Card Visual Data
- Mandatory
  - Photograph
  - Name
  - Employee Affiliation
  - Organizational Affiliation
  - Card Expiration Date
  - Card Serial Number (unique to issuer)
  - Issuer Identification
- Optional
  - Cardholder's written signature
  - Rank
  - Agency Seal
  - Issue Date
  - Information for Returning Lost Card
  - Color Codes
  - Agency-specific information
13 FIPS 201 PIV Card Technical Requirements
- Mandatory
  - Integrated circuit (smart card) to store/process data
  - Contact and contactless chips and interface
- Optional
  - Magnetic stripe
  - Bar code
14 FIPS 201 PIV Card Digital Credentials
- Mandatory
  - PIN (used to prove the identity of the cardholder to the card)
  - Cardholder Unique Identifier (CHUID; used to prove the identity of the cardholder to an external entity)
  - PIV Authentication Key (used to authenticate the card and prove the identity of the cardholder to an external entity)
  - Two biometric fingerprints (used to prove the identity of the cardholder to an external entity)
- Optional
  - PIV Card Authentication Key (used to authenticate the card; may employ a symmetric key or an asymmetric key pair)
  - Digital Signature Key (used to generate digital signatures)
  - Encryption Key
  - Card Management Key (imported to the card by the Issuer; used for personalization or post-issuance activities)
15 FIPS 201 PIV Testing Program
- NIST Conformance Testing
  - Conformance testing of PIV middleware and the PIV card application (SP 800-73 compliance)
  - See NIST SP 800-85 (Draft), issued 8/5/05
- PIV 2 Product Interoperability testing
- PIV 2 Product Performance testing
16 NIST Conformance Test Suites
- NIST FIPS 201 Reference Implementation: 6/25/05
- NIST Conformance Test Suites: 8/05/05
- Conformance validation to the requirements of FIPS 201 and the related technical specifications (NIST SP 800-73, 800-76, 800-78); this represents functional testing certification.
- Certification testing for cryptographic module security requirements is conducted under FIPS 140-2 and will be combined with FIPS 201 functional testing.
- NIST will designate one or more NVLAP-accredited labs (accredited for FIPS 140-2 certification) to perform FIPS 201 conformance testing and validation:
  - BKP Security Labs, Santa Clara, CA (NVLAP lab code 200648-0)
  - InfoGard Laboratories, Inc., San Luis Obispo, CA (100432-0)
  - COACT Inc. CAFE Laboratory, Columbia, MD (200416-0)
  - Atlan Laboratories, McLean, VA (200492-0)
  - CygnaCom Solutions, Inc., McLean, VA (200002-0)
  - DOMUS Information Technology Security Laboratory, Ottawa, Ontario K1G 5L2, Canada (200017-0)
  - EWA-Canada IT Security Evaluation Test Facility, Ottawa, Ontario K1P 6L5, Canada (200556-0)
  - BT Cryptographic Module Testing Laboratory, Fleet, Hampshire GU51 2UZ, United Kingdom (200626-0)
  - LogicaCMG FIPS Laboratory, Leatherhead, Surrey KT22 7LP, United Kingdom (200583-0)
17 GSA Acquisition Approach for HSPD-12
- Key governmentwide initiatives have established program, policy, and technical requirements for commercial products and services.
- GSA is establishing approved products/services for specific business lines based on compliance with the established requirements.
- Approved products are made available on a governmentwide basis. Agencies are directed to use only the approved products/services for authentication/identity management and HSPD-12 needs.
- GSA will establish and publish procedures for applying and qualifying for each BPA (Blanket Purchase Agreement).
- The BPAs define prerequisite qualifying requirements, application procedures, evaluation procedures, and ongoing qualifying requirements.
- Approved products and services will be made available through the GSA IT Multi-Award Schedule 70.
- Under the E-Gov Act of 2002, State and local governments can acquire products/services directly from IT Schedule 70.
18 For More Information
- Supporting Publications
  - NIST SP 800-73: Interfaces for PIV (card interfaces and commands)
  - NIST SP 800-76: Biometric Data Specification for PIV
  - NIST SP 800-78: Cryptographic Algorithms and Key Sizes for PIV
  - NIST SP 800-79: Issuing Organization Accreditation Guideline
  - GSA Implementation Guidance: Identity Management Handbook
- Visit our websites
  - http://www.cio.gov/eauthentication
  - http://www.cio.gov/ficc
  - http://www.cio.gov/fbca
  - http://www.cio.gov/fpkipa
  - http://csrc.nist.gov/piv-project/
  - http://www.cio.gov/fpkisc
  - http://www.smart.gov/
- Or contact
  - David Temoshok, Director, Identity Policy and Management
  - 202-208-7655
  - david.temoshok_at_gsa.gov