
Identity Assurance at Virginia Tech CSG January 13, 2010 Mary Dunker


1 Identity Assurance at Virginia Tech CSG January 13, 2010 Mary Dunker dunker@vt.edu

2 Background
The 2008 Board of Visitors Resolution on increasing administrative efficiencies through expansion of automated systems and enhanced security charged the Vice Presidents to develop a plan to continue automating the University's administrative systems, using modern information technology processes and security tools to gain process efficiencies.

3 Automating Processes Involves
Personal digital identities
Decisions on the part of sponsors of automated electronic systems and applications
Integration: secure authentication

4 Requirement
Identity Assurance: the ability to determine, with some level of certainty, that the person presenting themselves in an online transaction is who they say they are.

5 VT Enterprise Personal Digital Identities
Guest accounts: little or no assurance in identity.
Personal Identifier (PID), Active Directory account, Oracle ID: some assurance in identity.
Personal Digital Certificate (PDC) on eToken: two-factor, high assurance in identity.

6 Identity Proofing, Issuing Credentials
Guest accounts: the guest is invited via e-mail to create an ID.
PID: issued remotely; the user answers questions based on information in the university database. Identity proofing is part of the admission or hiring process.
PDC: issued in person; requires a PID and government-issued photo IDs.

7 PDC
Issued on an Aladdin eToken, certified at FIPS 140-2 Level 2: tamper-resistant, and the private key cannot be exported off the eToken.
Face-to-face identity verification: two government-issued photo IDs, which must match information in our Enterprise Directory.
Two-person issuance process (RAA and CAA).
Available to all employees.
Enabled for authentication and digital signature.
The employee signs an agreement not to share the token.

8 Standard/Guidance for Sponsors
Office of Management and Budget, M-04-04, E-Authentication Guidance for Federal Agencies; http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf
National Institute of Standards and Technology, Special Publication 800-63, Electronic Authentication Guideline; http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf

9 Process
1. Determine the potential impact of an authentication error.
2. Map the potential impact level to the LOA of the personal digital identity.
3. Select credentials.
4. Request a technical review from Identity Management Services.
5. Implement the digital credentials.
6. Validate with a security review.
7. Document; reassess annually.

10 Potential Impact Profile Levels
Impact profile levels run from 0 to 5. Each consequence category is rated N/A, Low, Moderate, High, or Very high, rising with the level:
Inconvenience, distress, or damage to standing or reputation
Financial loss or university liability
Harm to university programs or public interests
Unauthorized release of sensitive information
Personal safety (rated Moderate or High at the middle levels)
Penalties for civil, criminal, or disciplinary violations

11 Levels of Assurance of Personal Digital Identities
Columns: LOA; identity assertion; identity proofing requirements; authentication factors; digital credential examples.
LOA 0: No identity is asserted. Proofing: none. Authentication: none required. Example: site is open to the public.
LOA 1: Little or no confidence in the validity of the asserted identity. Proofing: some identity information is acquired; little or no verification is performed. Authentication: single factor with password. Example: guest accounts.
LOA 2: Some confidence that the asserted identity is valid. Proofing: some identity information is acquired, with some level of verification. Authentication: single factor with password or biometric attribute. Examples: PID and password; Active Directory ID and password; Oracle ID and password; fingerprint reader; Hokie Passport card with photo.
LOA 3: Moderate degree of confidence in the validity of the asserted identity. Proofing: matching of the collected identity information is strengthened by additional identity verification from a trusted authority; proofing may be in person or, in some circumstances, remote. Authentication: a minimum of two factors, i.e., something you know and (something you have or something you are). Examples: personal digital certificates; fingerprint readers requiring passwords or PINs.
LOA 4: High degree of confidence in the validity of the asserted identity. Proofing: in-person identity proofing is required, including referencing a biometric attribute. Authentication: a minimum of two factors, including a cryptographic key stored on a hardware token that does not allow export of authentication keys. Example: Personal Digital Certificate (PDC) on an Aladdin eToken USB device protected with a password.
LOA 5: Very high degree of confidence in the validity of the asserted identity. Proofing: in-person identity proofing is required, including recording a biometric attribute. Authentication: three factors, including a biometric attribute and a cryptographic key stored on a hardware token that meets certain technical specifications. Example: fingerprint reader with PIN, plus something you have.

12 Integration: CAS Version 3.1+
Recognizes the login credential and assigns an LOA.
Passes the LOA to the application in the SAML payload.
Supports guest accounts, PID, and PDC for login.

13 Levels of Assurance using CAS
LOA values defined by VT CAS, reflecting NIST 800-63. The CAS client must support SAML 1.1 messages.
urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:1 – Guest ID/password
urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:2 – PID/password
urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:3 – NOT USED
urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:4 – PDC on eToken
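The following is an added example, not code from the presentation or from Virginia Tech's CAS deployment. It shows what a CAS client would do with the LOA URNs on this slide: pull the asserted LOA out of a SAML 1.1 validation response, compare it against the LOA the application needs (steps 1 and 2 of the process on slide 9), and fail closed when the LOA is missing or unrecognised, including the unused value 3. Two things are assumptions rather than facts from the slides: that VT CAS carries the LOA URN in the AuthenticationMethod attribute of the saml:AuthenticationStatement, and that an application's required LOA is the highest rating in its potential impact profile. The SAML response is constructed for the example, not captured from a real server.

```python
"""Added example: enforce a minimum LOA on a CAS SAML 1.1 validation response.

Assumptions, not taken from the slides: the LOA URN is carried as the
AuthenticationMethod attribute of the saml:AuthenticationStatement, the
required LOA for an application is the highest rating in its potential-impact
profile, and every response below is constructed for the example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"   # SAML 1.1 keeps the 1.0 namespace URIs
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

LOA_PREFIX = "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:"
# LOA values defined by VT CAS (slide 13). LOA 3 is deliberately absent: it is not used.
LOA_BY_URN: Dict[str, int] = {LOA_PREFIX + "1": 1, LOA_PREFIX + "2": 2, LOA_PREFIX + "4": 4}


def required_loa(impact_profile: Dict[str, int]) -> int:
    """Steps 1-2 of the process: the LOA an application needs is the highest
    potential-impact level (0-5) across its consequence categories (assumed rule)."""
    return max(impact_profile.values(), default=0)


def loa_from_response(xml_text: str) -> Optional[int]:
    """Return the LOA asserted by CAS, or None when it cannot be established
    (non-Success status, no authentication statement, unknown method URN)."""
    root = ET.fromstring(xml_text)
    code = root.find(f".//{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        return None
    stmt = root.find(f".//{{{SAML}}}Assertion/{{{SAML}}}AuthenticationStatement")
    if stmt is None:
        return None
    return LOA_BY_URN.get(stmt.get("AuthenticationMethod", ""))


def authorize(xml_text: str, minimum_loa: int) -> bool:
    """Fail closed: an unknown or missing LOA never satisfies any minimum."""
    loa = loa_from_response(xml_text)
    return loa is not None and loa >= minimum_loa


def sample_response(auth_method: str, success: bool = True) -> str:
    """Constructed CAS 3.1 /samlValidate-style response (not a real capture)."""
    status = "samlp:Success" if success else "samlp:Responder"
    return f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP}"><SOAP-ENV:Body>
<samlp:Response xmlns:samlp="{SAMLP}" MajorVersion="1" MinorVersion="1"
    ResponseID="_r1" IssueInstant="2010-01-13T12:00:00Z">
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="1"
      AssertionID="_a1" Issuer="cas.example.edu" IssueInstant="2010-01-13T12:00:00Z">
    <saml:Conditions NotBefore="2010-01-13T12:00:00Z" NotOnOrAfter="2010-01-13T12:00:30Z">
      <saml:AudienceRestrictionCondition>
        <saml:Audience>https://app.example.edu/</saml:Audience>
      </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationInstant="2010-01-13T12:00:00Z"
        AuthenticationMethod="{auth_method}">
      <saml:Subject><saml:NameIdentifier>hokie</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>
</SOAP-ENV:Body></SOAP-ENV:Envelope>"""


if __name__ == "__main__":
    # An application that releases sensitive data rated 4 on that category needs LOA 4.
    profile = {"reputation": 2, "financial": 3, "programs": 2,
               "sensitive_information": 4, "personal_safety": 0, "penalties": 3}
    need = required_loa(profile)
    for label, urn in (("PDC on eToken", LOA_PREFIX + "4"), ("PID/password", LOA_PREFIX + "2")):
        print(label, "->", "allowed" if authorize(sample_response(urn), need) else "denied")
```

This check only covers the LOA decision; the CAS client library still has to do the ordinary SAML 1.1 validation first (ticket freshness, the Conditions window, the Audience matching the service URL, and transport security to the CAS server), since an LOA value in an assertion the application has not otherwise validated proves nothing.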

14 References
National Institute of Standards and Technology, Special Publication 800-63, Electronic Authentication Guideline; http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf
Office of Management and Budget, M-04-04, E-Authentication Guidance for Federal Agencies; http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf
University of Wisconsin-Madison, User Authentication and Levels of Assurance; http://www.cio.wisc.edu/security/initiatives/authentication.aspx
Virginia Tech, Standard for Use of Personal Digital Identities

