15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung
15June’062 NASA PKI and the Federal Environment Background eGov Act of 2002 established 24 applications in 4 areas –Government to Citizen Government to Business –Government to Government Internal Efficiency & Effectiveness –25th, eAuthentication Initiative, cut across all four areas »Provides a consistent means to authenticate identity of users December OMB established 4 identity authentication assurance levels for eGov transactions –1 Little or no assurance 3 High assurance –2 Some assurance4 Very High Assurance April-May NASA updated our PKI requirements – Extant requirements developed in 1997 –Need to update for changing NASA environment June NIST provided technical requirements for each authentication level –1 PINs3 PKI software –2. Passwords4 PKI hardware
15June’063 NASA PKI and the Federal Environment Background, cont. August Homeland Security Presential Directive #12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors –Mandated NIST develop a Government-wide standard for secure and reliable forms of identification to be issued by the Federal Government to its employees and contractors September NASA decides to continue using Entrust as its PKI and outsource operations to the Department of the Treasury December OMB required agencies to use a Shared Service Provider (SSP) February NIST Federal Information Processing Standard (FIPS) 201: Personal Identity Verification for Federal Employees and Contractors (update draft March 2006) –Required a myriad of NIST Special Publications with guidance on different aspects of FIPS-201; , , , , A, B, , August OMB required agencies to develop and submit an HSPD-12 implementation plan
15June’064 NASA PKI and the Federal Environment FIPS-201 PKI Implications Mandates a PKI authentication certificate be on PIV 2 compliant smart card Mandates two factor authentication for logical access to all agencies computer and network resources Mandates PKI key sizes and digital signature algorithms Requires changes to the FPKI Common Policy Framework Certificate Policy
15June’065 NASA PKI and the Federal Environment So What Does This Mean for the NASA PKI? NASA must provide PKI credentials to all employees and on-site (behind the firewall) contractors –NASA purchased 100,000 Entrust licences in March 2005 Treasury must become an SSP if NASA wants to outsource our PKI operations to them –Treasury agrees and submits their application in April 2005 –Treasury completes the process June 2006 NASA must begin to provide background checks for all new employees and contractors by October 27, 2006 NASA must begin to issue FIPS-201 PIV 2 compliant badges to all new employees and contractors by October 27, 2006 –These badges must include a PKI authentication certificate NASA must have an approved HSPD-12 implementation plan –Submitted December 2005 –OMB is asking agencies to update their plan by August 2006 NASA must begin using two-factor authentication for all logical access to NASA resources
15June’066 NASA PKI and the Federal Environment So What Does This Mean for the Federal PKI? FPKI Common Policy Changes –Need to include OIDs for new authentication certificate –Need to include requirements for availability of CAs –Need to include requirements for availability of CRLs –Need to change publication frequency for CRLs –Need to change encryption and digital signature key sizes »Increase from current 1024 bit RSA to 2048 bit by 1 January 2009 –Need to change digital signature algorithm »Move from current SHA-1 to SHA-224 or SHA-256 by 1 January 2011 Common Policy and FBCA Harmonization Required –One change will be agencies cross-certified with FBCA must assert the common policy OID beginning in 2008 Forces agencies to make changes to their PKIs to comply Unclear whether or not an agency must be subordinate to Common Policy CP starting in 2008
15June’067 NASA PKI and the Federal Environment Backup Slides
15June’068 NASA PKI and the Federal Environment NIST 800 Series Related to FIPS 201 Interfaces for Personal Identity Verification, March 2006 (updated April 20, 2006) Biometric Data Specification for Personal Identity Verification, February 2006 Cryptographic Algorithms and Key Sizes for Personal Identity Verification, April 2005 Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations, July 2005 A PIV Card Application and Middleware Interface Test Guidelines (SP compliance),April 2006 Draft B, PIV Data Model Conformance Test Guidelines, May 25, 2006 Codes for the Identification of Federal and Federally- Assisted Organizations, October 2005 (document updated January 17, 2006) Draft SP PIV Card/Reader Interoperability Guidelines
15June’069 NASA PKI and the Federal Environment NASA’s Relationship to the FBCA & Common Policy CA Sub Authorized [Sub ordinate reference] Sub Authorized [Sub ordinate reference] Cross Certification [mutual or two-way reference] Common Policy CA Federal Bridge CA Treasury Root CA (TRCA) NASA Operational CA (NOCA) Cross Certification [mutual or two-way reference]
15June’0610 NASA PKI and the Federal Environment NASA’s Original PKI Architecture RA Operation CA Operation PKI Directory FBCA Cross Certification Policy Tech Support User & RA Software Testing & Distribution Training Documentation SuperRA Service PK Enabled Services NASA
15June’0611 NASA PKI and the Federal Environment NASA’s SSP PKI Architecture Treasury RA Operation CA Operation PKI Directory FBCA Cross Certification Policy Tech Support User & RA Software Testing & Distribution Training Documentation SuperRA Service PK Enabled Services NASA