Presentation is loading. Please wait.

Presentation is loading. Please wait.

Government-University Identity Management Opportunities Peter Alterman, Ph.D. Chair, U.S. Federal PKI Policy Authority and Assistant CIO/E-Authentication,

Published byMiranda Manning Modified over 8 years ago

Similar presentations

Presentation on theme: "Government-University Identity Management Opportunities Peter Alterman, Ph.D. Chair, U.S. Federal PKI Policy Authority and Assistant CIO/E-Authentication,"— Presentation transcript:

1 Government-University Identity Management Opportunities Peter Alterman, Ph.D. Chair, U.S. Federal PKI Policy Authority and Assistant CIO/E-Authentication, NIH

2 2 Current State of Affairs (60 years old now) You apply to the application owner for a password You use the password to access the system You forget the password The application owner gives you a new password You use the new password to access the system You forget the password No identity proofing No way to know who is actually on the system (Your secretary? Your postdoc? Your dog? Osama?)

3 3 Foundational Assumption Government online services shall trust externally-issued electronic identity credentials at known levels of assurance (LOA) Online applications shall determine required credential LOA using a standard methodology based on: 1.Risk assessment using standard tool, 2.OMB M-04-04 determines required authN LOA 3.NIST SP 800-63 translates required LOA to credential technology

4 4 E-Authentication LOA and What They Mean Little or no assurance of identity; assertion-based identity authentication Some assurance of identity; assertion-based identity authentication or policy-thin PKI Substantial assurance of identity; cryptographically-based identity authentication High assurance of identity; cryptographically-based identity authentication Level 1 Level 2 Level 3 Level 4 * Codified in OMB Memorandum 04-04

5 5 E-Authentication LOA and What They Service** Online applications with little or no risk of harm from fraud, hacking; low risk Online applications with risk of some harm from fraud, hacking; some risks Online applications where there is risk of significant harm from fraud, hacking; significant risks Online applications where there is risk of substantial harm from fraud, hacking; substantial risks Level 1 Level 2 Level 3 Level 4 ** Codified in NIST SP 800-63

6 6 General Considerations for Determining LOA of an Electronic Identity Credential (EIC) Identity Proofing – how sure are you that the person is who he or she claims to be? Identity Binding – how sure are you that the person proffering the EIC is the person to whom the credential was issued? Credential integrity – how well does the technology and its implementation resist hacking, fraud, etc.?

7 7 Summary of Lower-Level Identity Credentials Level 1: UserID/Password, SAML assertion (XML text) Level 2: “High entropy” UserID/Password; “policy-lite” PKI, e.g., Fed PKI Citizen and Commerce Class & Federal PKI Rudimentary, TAGPMA Classic Plus (in development)

8 8 Summary of Cryptographic- Based Identity Credentials Level 3: One-time Password; Substantial assurance PKI at FPKI Basic, Medium Level 4: High assurance PKI at FPKI Medium Hardware, High

9 9 A Little Complication The government has TWO LOA classifications: 1.Federal PKI LOA codified in the Certificate Policies of the Federal PKI Policy Authority 2.E-Authentication LOA codified in OMB M- 04-04

10 10 LOA Mapping E-Auth to Fed PKI E-Auth Level 1 E-Auth Level 2 E-Auth Level 3 E-Auth Level 4 FPKI Rudimentary; C4 FPKI Medium/HW & Medium/HW-cbp FPKI Basic FPKI Medium & Medium-cbp FPKI High (governments only)

11 11 How Can A School Credential be Trusted and Used by a Government Application? Preferred path - School joins an Identity Federation that has policy and technology interoperability agreements with E-Authentication Federation Requirements – Each Federation agrees to ensure its members operate according to minimum requirements for members of the other’s Federation. –Presumes substantive policy, technology and management commonality Alternate path 1 – School becomes a member Credential Service Provider (CSP) of the E- Authentication Federation directly, signing on to the Federation’s technology, business, operating and legal requirements Alternate path 2 – One-to-one relationships (sssh!)

12 12 US Government E-Authentication Interfederation Model

13 13 E-Authentication Federation Membership Requirements Credential service providers [CSP] submit to credential assessment and evaluation of LOA Both Application providers and CSPs sign on to Federation business and operating “standards,” legal agreements.

14 14 E-Authentication – InCommon Interfederation Status Candor requires this disclaimer: they’re still trying to figure it out after two years and two tries Current status: Said to be getting close with inCommon. Policy-grounded MOA on the table and molding; technical interoperability targeted for SAML 2.0; USPerson profile analog of eduPerson profile in 2.0 version but still pretty much generic. inCommon needs to up its policy, procedures, documentation and audit requirements to play long-term E-Authentication needs to up its privacy protections

15 15 Fed PKI “Interfederation” Model

16 16 Fed PKI Cross Certification Process Application - LOA? Policy Mapping –Mapping Matrices online –Cert Policy WG mapping review –Collegial back and forth discussions Technical Interoperability Testing –Testing Protocol online –Directory and profiles tested (LDAP and/or X.500) Review of summary of independent audit results –Map CP –> CPS and CPS -> PKI Operations –Independent auditors, not FPKI auditors Whole process laid out in “Criteria & Methodology” document online

17 17 FPKI Does Interfederate Cross-certified (test) with Higher Education PKI Bridge, 01/2002 Cross-certified (production) with CertiPath – Aerospace Industry PKI Bridge at Medium Hardware (EAuth Level 4), 07/2006 Cross-certification under way with SAFE-Biopharma PKI Bridge, Medium and Medium Hardware Processes and procedures spelled out in “Criteria and Methodology” Document online

18 18 Current Model for Assertion-Based Interfederation (still a work in progress) For E-Authentication Federation and InCommon to interfederate at LOA 1 (!), E-Auth is requiring InC to: –upgrade its policy, audit and management infrastructure to comply with EAuth model, e.g., compliance with Credential Assessment Framework for LOA 1, signing Business and Operating Standards and sign Legal Agreement –Satisfy technical interoperability testing using SAML 1.0 technology, though work is proceeding to migrate to SAML 2.0 technology InCommon has designated this state of operation “InCommon Bronze” Compatibility with E-Authentication requirements for LOA 2 is called “InCommon Silver”

19 19 What about Level 3 Government Apps Today? Universities issuing PKI-based electronic credentials may cross-certify with the Federal PKI at Basic Assurance or above –Ex. MIT Lincoln Lab, University of Texas System (in process) –Usually 3 – 6 months Or acquire digital certificates from a vendor currently cross-certified with the Federal Bridge at Basic assurance or above –Many options

20 20 Seeded Questions Q: What about the recent DOD notice that PKI individual certs are required for access to their web resources. Will DOD sites ever trust university-issued certificates for access or will we have to shell out $$ to get to them? A: If you think YOU are fussing about this, imagine how furious State Dep’t. and NASA are. Imagine how furious their contractors are. A: We (Fed PKI) have been talking to DOD about this issue and we hope to see progress in 2007. Q: What the heck is “password entropy?” A: See next slide

21 21 Password Entropy (Copied From Bill Burr)* Entropy is measure of randomness in a password –Stated in bits, a password with 24 bits of entropy is as hard to guess as a 24 bit random number –The more entropy required in the password, the more trials the system can allow It’s easy to calculate the entropy of a system-generated, random password —But users can’t remember these Much harder to estimate the entropy of user-chosen passwords –Composition rules and dictionary rules may increase entropy *NIST KBA Symposium, Feb. 9, 2004

22 22 Resources www.cio.gov/eauthentication www.cio.gov/fpkipa http://csrc.nist.gov www.cio.gov/ficc

23 23 Notes 1.) How does your institution issue IDs? Is there a signature station requiring photo ID? What about non-resident scientists from Japan? 2.) What is password entropy? Complex vs. long passwords. How often must they be changed? Can they be re-used? Pass dictionary test? 3.) How secure is the authentication infrastructure? Can one person jeopardize the process? How are ID records stored? 4.) How is the process documented? Are there templates to use as a framework that will pass Federal standards?

Download ppt "Government-University Identity Management Opportunities Peter Alterman, Ph.D. Chair, U.S. Federal PKI Policy Authority and Assistant CIO/E-Authentication,"

Similar presentations

PKI and LOA Establishing a Basis for Trust David L. Wasley PKI Deployment Forum April 2008.

PKI and LOA Establishing a Basis for Trust David L. Wasley PKI Deployment Forum April 2008.
Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH.

Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH.
Levels of Assurance: An Overview Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.

Levels of Assurance: An Overview Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Federal PKI Architecture Update

Federal PKI Architecture Update
Ongoing Efforts to Build The US Federal PKI Bridge

Ongoing Efforts to Build The US Federal PKI Bridge
15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.

15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Enterprise Architecture 2014 EAAF as a vehicle for LoA Using EAAF processes to incrementally approach InCommon/UCTrust certification.

Enterprise Architecture 2014 EAAF as a vehicle for LoA Using EAAF processes to incrementally approach InCommon/UCTrust certification.
The SAFE-BioPharma Identity Proofing Process Author of Record SWG (Digital Credentials) October 3, 2012 Peter Alterman, Ph.D. Chief Operating Officer,

The SAFE-BioPharma Identity Proofing Process Author of Record SWG (Digital Credentials) October 3, 2012 Peter Alterman, Ph.D. Chief Operating Officer,
US E-authentication and the Culture of Compliance RL “Bob” Morgan University of Washington CAMP, June 2005.

US E-authentication and the Culture of Compliance RL “Bob” Morgan University of Washington CAMP, June 2005.
Federal Electronic Identity Initiatives – Current Status Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO for E-Authentication,

Federal Electronic Identity Initiatives – Current Status Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO for E-Authentication,
Update on federations, PKI, and federated PKI for US feds and higher eds Tom Barton University of Chicago.

Update on federations, PKI, and federated PKI for US feds and higher eds Tom Barton University of Chicago.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.

1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.
The U.S. Federal PKI and the Federal Bridge Certification Authority

The U.S. Federal PKI and the Federal Bridge Certification Authority
EDUCAUSE Fed/Higher ED PKI Coordination Meeting

EDUCAUSE Fed/Higher ED PKI Coordination Meeting
1 eAuthentication in Higher Education Tim Bornholtz Session #47.

1 eAuthentication in Higher Education Tim Bornholtz Session #47.
Emergence of Identity Management: A Federal Perspective Dr. Peter Alterman Chair, Federal PKI Policy Authority.

Emergence of Identity Management: A Federal Perspective Dr. Peter Alterman Chair, Federal PKI Policy Authority.

Similar presentations

Ads by Google