
Slide 1: Key & Card Management 101
Federal Agency Government Employees
Presented by Winifrid Whaley, Senior Business Services Analyst, and Jason Stenstrom, Senior Systems Engineer
Prepared for Aug 2005

Slide footer (repeated on every slide): Information and Technology for Better Decision Making, MDDC, Aug 2005

Slide 2: Overview
- Key & Cardstock Management
  - Federal Pre-Issuance Specification
  - Key Management
  - Cardstock Management
- DoD's PIV Approach
  - Architecture
  - Lessons Learned

Slide 3: A focused discussion
(Diagram of the PIV topic space: Registration, Issuance, Integration, Pre-Issuance Specifications, Card Specifications, SP 800-85, SP 800-73, MOC, Cross Certification, Certificate Management. The talk focuses on the Pre-Issuance Specifications.)

Slide 4: Today's Goals
1. Identify the differences between the card specification and the Pre-Issuance Technical Requirements documents
2. Comprehend the basic requirements for implementing key management within your infrastructure
3. Identify the required pieces for drafting an organizational card issuance process flow

Slide 5: Why can't I just issue a card?

Slide 6: Not a "K-Mart" Process
- Advance planning and coordination are required for card platform and key management
- Card products require agency-specific keys on each "batch" of cards
- Agencies need to test cardstock and ensure that it integrates within their infrastructure

Slide 7: Identity Management
- Not a building badge
- Nor an access badge
- Not just a personnel process: it is a security process because of PKI
- It is identity management

Slide 8: Create CAC
(Diagram of the CAC creation flow. Components: RAPIDS Workstation, RAPIDS Application Server, DEERS, DISA Certificate Authority, Card Content Server, two HSMs, and the card itself with Card Manager, Data Applets, and PKI Applets. Links between the workstation, application server, and content server run over SSL v3; the card is encoded over a Secure Channel. Steps: 1) Request DEERS data, 2) Print CAC, 3) Request CAC encoding, 4) Synchronize CAC.)

Slide 9: House Analogy
- The Card Specification is the blueprint for your home
- The Pre-Issuance Specification contains the building codes and additional specs for the house
- Keys grant access to your house and the rooms of your house, and Key Management is the lifecycle monitoring of those keys

Slide 10: Card and Pre-Issuance Specifications

Slide 11: What is the card specification?
- Identifies the card functionality and behaviors expected
- Outlines contractual requirements that must be fulfilled by the card
  - Industry/ISO standards
  - Physical attributes
  - Security
  - Card functionality

Slide 12: Why create a pre-issuance spec?
- Documents requirements and expectations from Card Issuer to Card Manufacturer
  - Key Management
  - Card Configuration Management
  - Cardstock Inventory Management
- Provides a consistent process across vendors, products, and agencies
- Outlines communication channels
- Details shipping requirements
- Outlines the process for automated data transfer between Card Issuer and Card Manufacturer

Slide 13: What criteria shape the spec?
- Card Usability
  - Gather requirements from end users
  - Identify long-range usage goals (both operational and technical)
- Product Availability
  - Verify availability of products that meet your end-user requirements and mid-term usage goals
- Card Management Process/System
  - The spec outlines the card issuer's business and technical process
  - The spec clearly outlines the process for sharing/storing card data between card issuer and card manufacturer

Slide 14: Key Management

Slide 15: What is Key Management?
1. The process for transmitting non-PKI keys between card issuer and card manufacturer, and
2. The internal administrative and security procedures used by the card issuer and card manufacturer to protect the keys and key components for the full lifecycle of those keys/key components

Slide 16: Why is Key Management important?
- Each agency's PIV cards will be used for asserting identity and for signing or encrypting data.
- If an agency's keys are compromised, those tokens may be compromised and the goals of HSPD-12 will not be met within that organization
(Graphic caption: "__" cards compromised)

Slide 17: How is Key Management accomplished?
- Key Management Configuration
  - Process for differentiating multiple keys across vendors, products, and customers
  - Required format and diversification algorithm for creation of keys
- Key Exchange and Storage
  - Security requirements (technical and operational) at card issuer and card manufacturer facilities
  - Process for administering key ceremonies

Slide 18: Key Management Configuration is...
- Each organization defining the schema for each non-PKI key across their vendors and/or products
- Diversification
  - One master key plus the unique card data ensures that each card has a unique key, which limits the impact of a card compromise: if someone spends a lot of resources cracking the key on one card, they have compromised only that one card and not all of them.

Slide 19: Key Exchange and Storage is...
- The basic security requirements (technical and operational) at card issuer and card manufacturer facilities
- What physical security should be implemented at the card issuer and card manufacturer facilities
- Determining the personnel involved and the process procedures:
  - How keys are transmitted between card issuer and card manufacturer
  - Who is authorized to receive keys and participate in the key management process
  - What products are managed within the infrastructure
  - When new keys are introduced into the production environment
  - Where key management activities will occur

Slide 20: What is a Key Ceremony?
- Consists of the generation or import of a transport key, composed of multiple key components (at least 3), in the Hardware Security Module (HSM); the transport key is used to unwrap the Open Platform (OP) Master Keys.
- The key is split into three components for separation of duty / shared control, so that no one person has knowledge of the complete key.
- Each component is protected by one or two officers, depending on the organization's security policy.
- Allows for cloning of transport keys in HSMs, which enables the transport of all master keys between different sites or HSMs.

Slide 21: House Analogy - Keys
- Transport Keys grant access to your house
- Master Keys grant access to various rooms within your house

Slide 22: Transport Keys
Transport keys are...
- the unique key used to transmit all "sub" keys between the card issuer and the card manufacturer
- 3DES-112 bit keys
- used to wrap/backup/export or unwrap/restore/import OP Master Keys
- permanently defined in the HSMs

Slide 23: OP Master Keys
Master Keys are...
- "subkeys" transmitted between the card issuer and card manufacturer under the transport key and used to "lock" specific batches of a card issuer's cardstock
- 3DES-112 bit keys
- groups of three master keys that correspond to the three CAC keys required to open a secure channel (MAC, ENC, KEK)
- permanently defined in the HSM
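The key ceremony on slide 20 and the wrap/unwrap role of the transport key on slides 22 and 23 can be shown end to end with a small model. The following Go program is an added example and is not code from the presentation or from any HSM product: it splits a 16-byte (3DES-112) transport key into three XOR components so that no single officer holds the key, recombines them, wraps an OP master key under the transport key with two-key 3DES in ECB mode (the common key-block transport form; the slides do not name the wrapping mode, so that is an assumption), and computes a key check value so a custodian can confirm an entered component without revealing it. The function names and the XOR split are this example's own choices.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyLen is the size of a 3DES-112 key (two 8-byte DES halves), the size the
// slides give for both transport keys and OP master keys.
const KeyLen = 16

// SplitKey splits a key into n XOR components for a key ceremony. The first n-1
// components are random and the last is chosen so that all of them XOR back to
// the key; any n-1 components together are independent of the key, so no single
// custodian learns it. (Illustrative scheme; HSM products define their own.)
func SplitKey(key [KeyLen]byte, n int) ([][KeyLen]byte, error) {
	if n < 2 {
		return nil, errors.New("a key ceremony needs at least two components")
	}
	comps := make([][KeyLen]byte, n)
	rest := key
	for i := 0; i < n-1; i++ {
		if _, err := rand.Read(comps[i][:]); err != nil {
			return nil, err
		}
		for j := range rest {
			rest[j] ^= comps[i][j]
		}
	}
	comps[n-1] = rest
	return comps, nil
}

// CombineKey XORs the components back together; in practice this happens only
// inside the HSM, with each officer entering their own component.
func CombineKey(comps [][KeyLen]byte) [KeyLen]byte {
	var key [KeyLen]byte
	for _, c := range comps {
		for j := range key {
			key[j] ^= c[j]
		}
	}
	return key
}

// tripleDES builds a two-key 3DES block cipher (EDE with K1|K2|K1) from a 16-byte key.
func tripleDES(key [KeyLen]byte) (cipher.Block, error) {
	k := make([]byte, 24)
	copy(k, key[:])
	copy(k[16:], key[:8])
	return des.NewTripleDESCipher(k)
}

// WrapKey encrypts a master key under the transport key one 8-byte block at a
// time (3DES-ECB): the form in which a master key leaves one HSM for another.
func WrapKey(transport, master [KeyLen]byte) ([KeyLen]byte, error) {
	var out [KeyLen]byte
	c, err := tripleDES(transport)
	if err != nil {
		return out, err
	}
	c.Encrypt(out[:8], master[:8])
	c.Encrypt(out[8:], master[8:])
	return out, nil
}

// UnwrapKey reverses WrapKey inside the receiving HSM.
func UnwrapKey(transport, wrapped [KeyLen]byte) ([KeyLen]byte, error) {
	var out [KeyLen]byte
	c, err := tripleDES(transport)
	if err != nil {
		return out, err
	}
	c.Decrypt(out[:8], wrapped[:8])
	c.Decrypt(out[8:], wrapped[8:])
	return out, nil
}

// KCV returns a 3-byte key check value (leading bytes of 3DES over a zero
// block), letting an officer confirm a component was entered correctly
// without the key or component ever being displayed.
func KCV(key [KeyLen]byte) ([3]byte, error) {
	var zero, block [8]byte
	var kcv [3]byte
	c, err := tripleDES(key)
	if err != nil {
		return kcv, err
	}
	c.Encrypt(block[:], zero[:])
	copy(kcv[:], block[:3])
	return kcv, nil
}

func main() {
	// Constructed values: a random transport key and a fixed master key.
	var transport, master [KeyLen]byte
	if _, err := rand.Read(transport[:]); err != nil {
		panic(err)
	}
	for i := range master {
		master[i] = byte(0xA0 + i)
	}
	comps, _ := SplitKey(transport, 3)
	for i, c := range comps {
		kcv, _ := KCV(c)
		fmt.Printf("component %d (officer %d) KCV %X\n", i+1, i+1, kcv)
	}
	wrapped, _ := WrapKey(CombineKey(comps), master)
	restored, _ := UnwrapKey(transport, wrapped)
	fmt.Printf("wrapped master key %X, unwrap restores original: %v\n", wrapped, restored == master)
}
```

The point to take from the model is the separation of duty: `CombineKey` over any two of the three components yields a value unrelated to the transport key, and the master key only ever appears in the clear inside the function that has the full transport key, which is the HSM's role on the slides.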

Slide 24: How is Key Management Implemented?
- Multiple keys during the program lifecycle
  - Lots of keys (test, production, SDK, etc.)
- Multiple vendors over the program lifecycle
  - Annually changing keys (keeps exposure to compromise small)
  - New vendor, product end of life, etc.
- Example: timeline showing how often a key could change over the course of a few years
(Timeline graphic across FY05, FY06, and FY07 with the key labels C1/P1/K1, C1/P1/K3, C2/P1/K2, C2/P1/K4, C1/P3/K10, C2/P3/K13, C1/P2/K6, C2/P2/K7, C1/P2/K5, C2/P2/K8, C1/P3/K9, C2/P2/K11, C1/P3/K12, C2/P3/K14.)

Slide 25: Key Management Summary
- Key Management is a coordinated process between the internal and external teams at the card issuer and the card manufacturer
- Key Management procedures and policies are needed to ensure compliance is met and security is maintained
- Key compromise leads to a broken trust chain and ends identity management

Slide 26: Cardstock Acceptance & Management

Slide 27: Why is acceptance testing important?
- Why you need to validate the process: products may have issues
  - The card product may not operate as advertised
  - The card provided may not meet the original agreement (card body differences, physical printing, security devices)
- Acceptance testing is verification that the products received meet the requirements

Slide 28: What is Cardstock Inventory Management?
- Cradle-to-grave tracking of card products
  - Requested by Agency and created by Card Manufacturer
  - Stored in vendor vaults
  - En route to Agency
  - Stored in Agency location(s)
  - Issued to Agency personnel
  - Lost, stolen, reissued, or damaged
  - Final destruction

Slide 29: What is Cardstock Inventory Management? (continued)
- Process for requesting orders
  - Personnel authorized to submit orders from Card Issuer to Card Manufacturer
  - Format and timeline for processing orders
- Process for packaging of orders
  - Labeling of individual stacks and cartons
  - US and international shipping requirements
  - Preferred carriers
- Process for shipping of orders
  - Authorized locations and personnel for order shipments
  - Format and timeline for processing orders

Slide 30: What is the importance of Chip Management?
- Chips may change
- Chip space
- Applets

Slide 31: DoD's PIV Approach

Slide 32: DoD Distributed Issuance
- 870 U.S. sites
- 96 European sites
- 45 Asia Pacific sites
- 394 deployable sites
- 18 shipboard sites
- 1 central issuance site
- 1,425 sites deployed worldwide as of June 2005

Slide 33: DoD's Identity Management
- Nov. 1999: Directed to implement smart card/PKI technology
- Oct. 2000: First site issuing CACs
- Now:
  - Issued over 8.5 million cards to DoD personnel/contractors
  - 3.2M of 3.5M population have active CACs
  - Over 2M readers/middleware deployed
  - Logical access: PKI
    - Single sign-on and PK-enabled websites growing
  - Physical access: not so fast
    - But with HSPD-12, momentum is growing
  - Submitted on June 27, 2005: OMB-mandated plan to become PIV compliant (plan approved)
  - Deploying a dual-interface card utilizing V2 applets and a new PIV applet, at issuance or post-issuance
  - Any new cards introduced must be backwards compatible with cards previously fielded

Slide 34: PIV roadmap, PIV I (OCT 05) and PIV II (OCT 06)
(Table with a column for each phase; the transcript does not preserve which items fall under which column.)
1. Identity Proofing: breeder documents; investigations completion and reporting; fingerprint collection and reporting; training
2. Topology: policy decisions; software changes; advertisement, internal and external
3. Authentication & Data Structure: software/hardware changes
4. PKI: two-way Federal Bridge cross certification; software/hardware changes; migration strategy
5. Calls to Card: software & middleware changes; card platform changes
6. Biometrics: fingerprints (collection, extraction, storage, and verification); facial image
7. Privacy: assessment, policy and audit; audit, including contactless
8. Certification and Accreditation: system-wide C&A; annual verification

Slide 35: PIV Technical Changes
- Card Topology
  - Alter card topology and educate the CAC community (DoD end users, Customs/Border Patrol, etc.)
- Card (Platform)
  - Pilot dual-interface 64K contactless card in Q1/Q2 2006
- Card (Applets)
  - Develop, test, and FIPS certify new PIV-compliant applets
- Document Capture/Proofing
  - Currently evaluating various vendor products
- Biometrics
  - Currently capture 2 fingerprints. Must upgrade equipment to include a 10-print capture device
- Camera
  - Seeking new equipment, as the DPI of the current camera is not PIV compliant

Slide 36: PIV Operational Changes
- Document Capture/Proofing
  - FIPS 201 requires that breeder documents used to establish identity be captured and authenticated, and that the images be available for retrieval at an issuance or physical access station. In addition, DoD has chosen to store the captured/authenticated images.
- NAC verification prior to issuance
  - Collection of 10 prints, storage of NAC results, and presenting results to Federal partners

Slide 37: Access Control Rule Changes
- Security is enhanced by centralizing ACRs under the issuer's control
- Biometrics used as an access control rule (ACR) for applets provides:
  - Flexibility to add much-needed access control rules (ACRs) to the current ones in use
  - Reuse capability through the sharing of biometrics controllers and ACRs

Slide 38: Architecture
(Card architecture diagram. Components: JavaCard Runtime; Security Domain; Access Control Applet (PIN, Secure Channel, External Authority); OP Domain API; GC Applet; Other Applets; PKI Applet; PIV Applet; Bio Action Applet; several Access Controller Applets, each with a MOC Lib and Access API, including a Bio Access Controller Applet; Secure Transport. Annotations: "Controls which applets are placed on card" and "Controls who is granted access to the applets".)

Slide 39: Three Major Components
(Same architecture diagram as slide 38, with three components numbered.)
1. Access Control Applet
2. Biometrics Controller Applet
3. Biometrics Action Applet

Slide 40: Two Phase Process
Preparatory Steps
1. Load Access Control Applet
2. Load Bio Template
3. Load Bio Action Applet
4. Register Bio Action Applet Access Control Rules
Action Steps (Bio Unlocks Door)
1. Card inserted in Bio Lock
2. Bio Lock signals for Bio Capture and transmits to the Access Control Applet (ACA)
3. Access Control Applet compares the captured bio to the stored bio on the card and sets the access control state for the bio controller
4. Bio Lock calls Bio Action Applet on the card
5. Bio Action Applet checks its access control rule in the ACA
6. ACA state is determined to be Yes and tells Bio Action Applet
7. Bio Action Applet releases the Bio Lock "Unlock Command"
8. Door opens

Slide 41: Phase One: Preparation
(Architecture diagram as on slide 38.) Preparatory steps 1-2: Load Access Control Applet; Load Bio Template

Slide 42: Phase One: Preparation
(Architecture diagram as on slide 38, with "The Rule" and "The Applet" called out; the registered rule is "Bio 1 only".) Preparatory steps 3-4: Load Bio Action Applet; Register Bio Action Applet Access Control Rules

Slide 43: Phase Two: Usage
(Architecture diagram as on slide 38, steps 1-3 marked.) Action steps (Bio Unlocks Door): 1. Card inserted in Bio Lock; 2. Bio Lock signals for Bio Capture and transmits to the Access Controller Applet (ACA); 3. Access Control Applet compares the captured bio to the stored bio on the card and sets the access control state for the bio controller

Slide 44: Phase Two: Usage
(Architecture diagram as on slide 38, steps 4-7 marked.) Action steps: 4. Bio Lock calls Bio Action Applet on the card; 5. Bio Action Applet checks its access control rule in the ACA; 6. ACA state is determined to be Yes and tells Bio Action Applet

Slide 45: Phase Two: Usage
(Architecture diagram as on slide 38, steps 4-8 marked.) Action steps: 7. Bio Action Applet releases the Bio Lock "Unlock Command"; 8. Door opens
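The two-phase process on slides 40 to 45 is easiest to reason about as a small state model of the two applets involved. The Go program below is an added example written for this page, not the CAC applet code: an `AccessControlApplet` holds the enrolled template, the registered rule ("Bio 1 only", the rule name shown on slide 42) and the per-session access state, and a `BioActionApplet` never matches biometrics itself but asks the ACA whether its rule is satisfied before releasing the unlock command. Type and function names, the use of byte-for-byte template equality in place of a real fingerprint matcher, and the reset of session state when the card is withdrawn are this example's assumptions.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// AccessControlApplet (ACA) models the on-card applet that owns the stored
// biometric template, the registered access-control rules, and the session
// access state that other applets query. Constructed model, not CAC code.
type AccessControlApplet struct {
	template []byte            // enrolled template, loaded in phase one (step 2)
	rules    map[string]string // applet name -> required rule, e.g. "Bio 1 only"
	state    map[string]bool   // controller name -> verified in this session
}

func NewACA(template []byte) *AccessControlApplet {
	return &AccessControlApplet{
		template: append([]byte(nil), template...),
		rules:    map[string]string{},
		state:    map[string]bool{},
	}
}

// RegisterRule binds an applet to a rule (phase one, step 4).
func (a *AccessControlApplet) RegisterRule(applet, rule string) {
	a.rules[applet] = rule
}

// VerifyBio compares a captured sample with the stored template and records the
// result as the "Bio 1" controller state (phase two, step 3). Matching is
// modelled as constant-time equality; a real matcher scores features against a
// threshold, but the decision still stays on the card.
func (a *AccessControlApplet) VerifyBio(captured []byte) bool {
	ok := subtle.ConstantTimeCompare(captured, a.template) == 1
	a.state["Bio 1"] = ok
	return ok
}

// IsSatisfied answers another applet's query about its rule (steps 5-6). An
// applet with no registered rule, or an unknown rule, is denied by default.
func (a *AccessControlApplet) IsSatisfied(applet string) bool {
	switch a.rules[applet] {
	case "Bio 1 only":
		return a.state["Bio 1"]
	default:
		return false
	}
}

// Reset clears session state, as happens when the card leaves the reader.
func (a *AccessControlApplet) Reset() {
	a.state = map[string]bool{}
}

// BioActionApplet never matches biometrics itself; it asks the ACA whether its
// rule is satisfied (step 5) and only then releases the unlock command (step 7).
type BioActionApplet struct {
	aca *AccessControlApplet
}

func (b BioActionApplet) Unlock() (string, error) {
	if !b.aca.IsSatisfied("BioAction") {
		return "", errors.New("access control rule not satisfied")
	}
	return "UNLOCK", nil
}

// UnlockDoor runs phase two for one card insertion and returns the command the
// Bio Action Applet sends to the lock, or an error if the ACA denied it.
func UnlockDoor(aca *AccessControlApplet, captured []byte) (string, error) {
	aca.Reset()                               // step 1: card inserted, fresh session
	aca.VerifyBio(captured)                   // steps 2-3: capture compared on card
	cmd, err := BioActionApplet{aca}.Unlock() // steps 4-7
	aca.Reset()                               // card withdrawn: state does not persist
	return cmd, err
}

func main() {
	// Constructed template standing in for an enrolled fingerprint.
	template := []byte("constructed-template-bytes")
	aca := NewACA(template)
	aca.RegisterRule("BioAction", "Bio 1 only") // phase one, steps 3-4
	fmt.Println(UnlockDoor(aca, template))
	fmt.Println(UnlockDoor(aca, []byte("someone-else")))
}
```

The model makes slide 37's point concrete: the rule lives in the ACA, so a second applet that also needs "Bio 1 only" reuses the same controller and template rather than carrying its own, and an applet that registers no rule is denied rather than allowed.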

Slide 46: Summary
(Architecture diagram as on slide 38, with the three components numbered.)
- Flexibility to add much-needed access control rules (ACRs)
- Reuse capability through the sharing of biometrics controllers and ACRs

Slide 47: Summary
- The Pre-Issuance Specification is the building block for both key and cardstock management
  - Provides guidance to the card manufacturer on what will be ordered and the accepted format for processing the order
  - Provides guidance to the card issuer implementation team and the card manufacturer team on what the key management procedures are
- Key Management is critical, as a compromised token weakens an organization's identity management architecture

Slide 48: Summary
- Meeting the requirements of HSPD-12/PIV will be a strenuous process for all involved
- Let's leverage past lessons learned and implement specifications together
- So we can all experience success together

Slide 49: Questions?

Slide 50: Backup slides

Slide 51: CAC Key Diversification (1)
(Diagram of key derivation inside the HSM. A cryptomodule (BSI) holds the 16-byte OP Master Key and the 16-byte XAUT Master Key, addressed by Master Key Label and returned as a Key Handle. The card's CPLC data supplies the 10-byte CUID, made up of the IC Fabricator, IC Type, IC Batch Identifier, and IC Serial Number fields. Steps: 1. Get CUID; 2. Diversify Keys, producing the OP Diversified Key and the XAUT Diversified Key.)

Slide 52: CAC Key Diversification (2)
(Diagram of the diversification algorithm. The CUID (10 bytes: IC Fabricator, IC Type, IC Serial Number, IC Batch ID) is split into DataL (8 bytes, CUID bytes 1 3 5 7 9 2 6 8) and DataR (8 bytes, CUID bytes 2 4 6 8 10 1 5 7), reading the byte-position labels on the diagram. Each half is passed through DES Encode with MasterKeyL (8 bytes), DES Decode with MasterKeyR (8 bytes), and DES Encode with MasterKeyL (8 bytes), giving CardKeyL (8 bytes) from DataL and CardKeyR (8 bytes) from DataR.)
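Slide 18 states the purpose of diversification (one master key, one unique key per card) and slide 52 shows the mechanism. The Go program below is an added example for this page, not the presentation's or DoD's code: it implements the slide 52 construction literally, selecting DataL and DataR from the CUID by the byte positions read from the diagram and encrypting each with two-key 3DES (encrypt under MasterKeyL, decrypt under MasterKeyR, encrypt under MasterKeyL) to give CardKeyL and CardKeyR. The CUID field lengths and order in `BuildCUID` (2+2+2+4 bytes, as in the GlobalPlatform CPLC layout) are an assumption, since the slides only name the four fields, and the function names are this example's own.

```go
package main

import (
	"crypto/des"
	"fmt"
)

// BuildCUID assembles the 10-byte CUID from CPLC fields. Field lengths and order
// (fabricator 2, type 2, batch 2, serial 4) are assumed from the GlobalPlatform
// CPLC layout; the slides only name the four fields.
func BuildCUID(fabricator, icType, batch [2]byte, serial [4]byte) [10]byte {
	var cuid [10]byte
	copy(cuid[0:], fabricator[:])
	copy(cuid[2:], icType[:])
	copy(cuid[4:], batch[:])
	copy(cuid[6:], serial[:])
	return cuid
}

// SplitCUID selects the two 8-byte diversification inputs from the CUID using
// the 1-indexed byte positions shown on slide 52.
func SplitCUID(cuid [10]byte) (dataL, dataR [8]byte) {
	left := [8]int{1, 3, 5, 7, 9, 2, 6, 8}
	right := [8]int{2, 4, 6, 8, 10, 1, 5, 7}
	for i := 0; i < 8; i++ {
		dataL[i] = cuid[left[i]-1]
		dataR[i] = cuid[right[i]-1]
	}
	return dataL, dataR
}

// DiversifyKey derives the card-unique key. The 16-byte master key (L|R) is used
// as the two-key 3DES key L|R|L (encrypt with L, decrypt with R, encrypt with L),
// and DataL and DataR are each encrypted once to give CardKeyL and CardKeyR.
func DiversifyKey(master [16]byte, cuid [10]byte) ([16]byte, error) {
	var card [16]byte
	k := make([]byte, 24)
	copy(k, master[:])       // L | R
	copy(k[16:], master[:8]) // | L
	c, err := des.NewTripleDESCipher(k)
	if err != nil {
		return card, err
	}
	dataL, dataR := SplitCUID(cuid)
	c.Encrypt(card[:8], dataL[:])
	c.Encrypt(card[8:], dataR[:])
	return card, nil
}

// DiversifiedKeySet derives the three secure-channel keys for one card from the
// three master keys that slide 23 groups together (ENC, MAC, KEK).
func DiversifiedKeySet(enc, mac, kek [16]byte, cuid [10]byte) (map[string][16]byte, error) {
	set := map[string][16]byte{}
	for name, master := range map[string][16]byte{"ENC": enc, "MAC": mac, "KEK": kek} {
		k, err := DiversifyKey(master, cuid)
		if err != nil {
			return nil, err
		}
		set[name] = k
	}
	return set, nil
}

func main() {
	// Constructed sample: one master key and two cards from the same batch.
	var master [16]byte
	for i := range master {
		master[i] = byte(0x10 + i)
	}
	cardA := BuildCUID([2]byte{0x47, 0x90}, [2]byte{0x50, 0x40}, [2]byte{0x00, 0x01}, [4]byte{0, 0, 0, 1})
	cardB := BuildCUID([2]byte{0x47, 0x90}, [2]byte{0x50, 0x40}, [2]byte{0x00, 0x01}, [4]byte{0, 0, 0, 2})
	ka, _ := DiversifyKey(master, cardA)
	kb, _ := DiversifyKey(master, cardB)
	fmt.Printf("card A key: %X\ncard B key: %X\n", ka, kb)
	fmt.Println("same batch, different card keys:", ka != kb)
}
```

Two properties worth checking when implementing this: the derivation is deterministic, so the issuer can recompute a card's keys from the master key and the CUID read from the chip, and because each half is a single block-cipher permutation of its input, two cards with different CUID bytes get different card keys, which is exactly what confines a single cracked card key to that one card. Note also that the slide 52 selection feeds CUID bytes 3 and 9 only into DataL and bytes 4 and 10 only into DataR, so a change in one of those bytes alters only one half of the derived key.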

Slide 53: Key Management System
(Diagram of the offline Key Management System. A Master HSM and an Issuance HSM, each fronted by an HSM Application, hold the OP Master Key Sets (ENC, MAC, KEK, READ, WRITE) and the XAUT Master Keys. A Root Key and a Transport Key established in the Key Ceremony move keys between HSMs; the keys are NOT extractable.)
