Interagency Advisory Board (IAB) Meeting
August 09, 2005
Agenda
• National Institute of Standards and Technology (NIST) Discussion on Reference Implementation and Conformance Testing
• IAB Working Group Updates
• Training Partnership Discussion
• Common Handheld Requirements Status
• National Aeronautics and Space Administration (NASA) Status Update
• How to Check Authenticity of Personal Identity Verification (PIV)
• Other IAB Initiatives
• Credential Card Migration Strategy
NIST Discussion on Reference Implementation and Conformance Testing
SP800-73 Reference Implementation
Jim Dray, IAB Meeting, August 2005
Components
• SP800-73/Part 3 PIV card simulator
o Written in C++ for wintel platforms
o Runs TLP224 protocol on a local port
o Native code simulation of a PIV card
o Can load JavaCard(tm) applets via Sun’s kit
• PIV middleware
o Implements the Part 3 client API
Purpose
• Provides a worked example for developers
• NOT a deployable commercial product
• No code that can be loaded onto a real card
o JavaCard loader would allow this but NIST is not providing reference JavaCard applets
o PIV functionality expressed in C++/Windows
• Supports conformance test development
Conformance
• It is not possible to ‘conform’ to the reference implementation
• The reference implementation provides an example that conforms to the PIV specs
• Conformance testing proves that an implementation conforms to specifications
• Reference implementations are developed for clarity, not performance
Availability
• Publicly available at http://csrc.nist.gov/piv-project
• Will be updated on an as-needed basis
o New versions will be posted along with change notices
o Old versions will be archived, available on request
• Basis for a possible PIV software toolkit
PIV Middleware and PIV Card Application Conformance Testing Toolkit
Ramaswamy Chandramouli (Mouli), IAB Meeting, August 2005
[Diagram: PIV architecture. On the Host PC, Agency A/B/C Applications (via CSP/Bio API, etc.) call the PIV Client Application Programming Interface of the PIV Middleware, which drives the PIV Card Command Interface through the Card Reader Driver and Card Reader (Smart Card Reader). The PIV Card carries the PIV Card Application, the PIV Data Model and the card side of the PIV Card Command Interface.]
Scope – Tests & Specs
• Test Suite has two Broad Categories of Tests
o PIV Middleware (End-Point) Tests
o PIV Card Application (End-Point) Tests
• SP 800-73 Specifications Covered
o End-Point Client API – Chapter 6 of SP 800-73.
o End-Point PIV Card Application Card Command Interface – Chapter 7 of SP800-73.
o PIV Data Objects & Representations (Chapter 4 & 5 of SP 800-73)
o PIV Authentication Use Cases (C.1.2 and C.1.4 of Appendix C of SP 800-73)
PIV Middleware Tests Configuration
• The Test Toolkit
• The vendor provided PIV middleware which is the subject of this test
• The contact and contactless smart card readers or a dual interface reader
• A dual interface FIPS 201-compliant test PIV card or a PIV card emulator.
PIV Middleware Tests Summary
• Tests all the 9 Functions in PIV Client API (Chapter 6 of SP 800-73)
• Tested for Response to all Valid and Error Return Codes
PIV Card Application Tests Configuration
• The test toolkit
• Contact and contactless smart card readers or a dual interface reader
• A PIN input device
• A biometric fingerprint reader
• A PIV card that supports the contact and contactless interfaces, which is the subject of this test.
PIV Card Application Tests – Card Command Interface Tests
• Tests all 8 commands in card command interface (Chapter 7 of SP 800-73)
• Card interface type (contact vs. contactless)
• Precondition for use (PIN verified, Currently Selected Application value)
• Expected Response status codes
• Right Content and Encoding for returned data
• Appropriate State Variables set in the card.
PIV Card Application Tests – Data Objects Representation & Authentication Use Cases Tests
• Tests all 6 Mandatory data objects and any of the 5 Optional data objects that are published for
- Correct Tag Codes & Lengths
- Overall size limits for the buffer
• Authentication Use Case Tests consist of
- Parsing Data and Checking for values of key fields such as Expiration Date in CHUID, FASC-N etc.
- Verifying signatures are valid
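As an added illustration (not the NIST toolkit's code), a minimal Python checker that performs the data-object checks listed above on a constructed CHUID body: it walks the BER-TLV elements, rejects lengths that overrun the buffer, confirms the expected tag codes and a size ceiling, and parses the Expiration Date. The tag values and CHUID layout are taken from SP 800-73 as recalled here, MAX_CHUID_LEN is an assumed figure, and signature verification is left out.

```python
# Added example, not the NIST toolkit's code: a minimal BER-TLV walk over a
# CHUID body doing the checks the slide lists (tag codes, length and buffer-
# size limits, Expiration Date). Tag values 0x30 FASC-N, 0x34 GUID, 0x35
# Expiration Date, 0x3E Issuer Asymmetric Signature, 0xFE Error Detection Code
# are from SP 800-73 as recalled here; MAX_CHUID_LEN is an assumed ceiling.
from datetime import datetime

CHUID_TAGS = {0x30: "FASC-N", 0x34: "GUID", 0x35: "Expiration Date",
              0x3E: "Issuer Asymmetric Signature", 0xFE: "Error Detection Code"}
MAX_CHUID_LEN = 2048  # assumed limit for this example, not the spec's figure


def tlv(tag, value):
    """Encode one single-byte-tag TLV (short form or 0x81 long form, <256 bytes)."""
    n = len(value)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + ln + value


def parse_tlv(buf):
    """Return [(tag, value)] for concatenated TLVs; reject malformed lengths."""
    items, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated tag/length")
        tag, first, i = buf[i], buf[i + 1], i + 2
        n = first - 0x80 if first > 0x80 else 0  # count of long-form length bytes
        if first == 0x80 or n > 2 or i + n > len(buf):
            raise ValueError(f"bad length encoding after tag 0x{tag:02x}")
        length = int.from_bytes(buf[i:i + n], "big") if n else first
        i += n
        if i + length > len(buf):
            raise ValueError(f"tag 0x{tag:02x} length {length} overruns buffer")
        items.append((tag, bytes(buf[i:i + length])))
        i += length
    return items


def ymd(s):
    """Parse a strict 8-digit YYYYMMDD value (bytes) into a date."""
    if len(s) != 8:
        raise ValueError("wrong length")
    return datetime.strptime(s.decode("ascii"), "%Y%m%d").date()


def check_chuid(buf, today):
    """Return findings for a CHUID body (today as b'YYYYMMDD'); [] means pass."""
    findings = []
    if len(buf) > MAX_CHUID_LEN:
        findings.append(f"buffer is {len(buf)} bytes, limit {MAX_CHUID_LEN}")
    try:
        seen = dict(parse_tlv(buf))
    except ValueError as e:
        return findings + [f"TLV error: {e}"]
    for tag in sorted(seen.keys() - CHUID_TAGS.keys()):
        findings.append(f"unexpected tag 0x{tag:02x}")
    for tag in sorted(CHUID_TAGS.keys() - seen.keys()):
        findings.append(f"missing mandatory element {CHUID_TAGS[tag]}")
    exp = seen.get(0x35)
    if exp is not None:
        try:
            if ymd(exp) < ymd(today):
                findings.append(f"credential expired on {exp.decode()}")
        except ValueError:
            findings.append("Expiration Date is not a valid YYYYMMDD date")
    return findings


def sample_chuid(expiry=b"20081231", with_edc=True):
    """Constructed sample CHUID body; the signature element is a zero-filled dummy."""
    body = tlv(0x30, bytes(25)) + tlv(0x34, bytes(16)) + tlv(0x35, expiry)
    body += tlv(0x3E, bytes(200))  # stands in for the CMS signature blob
    return body + (tlv(0xFE, b"") if with_edc else b"")
```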
Toolkit Features Summary
• The toolkit has a Graphical User Interface
• Provides a configuration file to enter valid parameter values for validation of data returned in responses to function calls.
• Each of the two broad categories of tests – PIV Middleware Tests & PIV Card Application Tests – can be loaded separately.
IAB Working Group Updates
Foreign National Working Group
Initial meeting held on Thursday, July 14th
Included representatives from:
− Department of State
− Department of Energy
− Department of Commerce
− Department of Interior
− Department of Defense
Shared information on current processes for vetting foreign nationals within respective organizations
Discussed potential challenges accommodating Personal Identity Verification (PIV)
Shared compiled list of challenges with Office of Management and Budget (OMB) policy working group
Aggregate Buy Working Group
Initial meeting held on Monday, July 25th
Outlined lessons-learned from the DoD to help other agencies avoid known pitfalls within the issuance process
Reviewed initial draft specifications for contact and contactless technologies as it pertained to mandatory and optional contract line item numbers (CLIN)
Aggregate buy will provide for:
− Cards
− Printers
− Printing consumables
− Smart card middleware
− Contact and contact-less readers
Physical Access and Integration Working Group
The PAIWG is updating the Physical Access Control System (PACS) 2.2 guidance to conform with FIPS 201 and SP 800-73
Tiger Team created a gap analysis that outlines the discrepancies between the documents
Training Partnership Discussion
HSPD-12 Training Modules Update
Introduction
► Developing a series of web-based training modules and assessment tools to assist management, administrators and users in complying with FIPS 201
► The series will assist in the consistent implementation of FIPS 201 across the Federal Government
Background
► Training will be focused on:
increasing awareness,
ensuring compliance,
promoting the utility and benefits, and
clarifying misunderstandings relating to HSPD-12 implementation.
► The depth of the training content will vary from high-level overviews to details concerning roles and responsibilities; including certifications, where necessary.
Timelines and Modules
► Delivery on 10/03/2005 includes:
Module 1: PIV Roles and Responsibilities
► Delivery on 12/31/2005 includes:
Module 2: PIV Overview
Module 3: Privacy Awareness
Module 4: Administrator
Module 5: Appropriate Uses
Module 1 – 10/3/2005
► Module 1 includes:
An overview of the issuance process
The specific roles and responsibilities associated with PIV-1 compliance
Certification of employees in the specified roles at the conclusion of the training
Modules 2-5 – 12/31/2005
► Module 2: PIV Overview - overview of HSPD-12 for all government employees, the impact on agencies, and card issuance
► Module 3: Privacy Awareness – explains the uses of personal identity information collected and will dispel concerns about misuse of personal data within the system
Modules 2-5, cont.
► Module 4: Administrator – provides a basic overview of the technologies and approaches (i.e. Smartcards, Biometrics, Card Management)
► Module 5: Appropriate Uses – discusses how the PIV card can be used for building access (physical) and logical access (i.e. to Federally controlled information systems)
Common Handheld Requirements Status
Information and Technology for Better Decision Making
Interagency Advisory Board
Joint Program Handheld/Mobile Device Status for Government Smart Card
Presented by Mike Butler, Director, Smart Card Programs and Operations, Defense Manpower Data Center
August 2005
Plan of Action
Gather Requirements from User Community
Consider DBIDS Lessons Learned
Contract for Handheld Expertise Support
Finalize Consolidated Requirements
Market Survey of Products Capable of Customization and Modularity
* Industry Capabilities Briefings
* Statement of Work (SOW) for Development
* Request for Proposal (RFP) for Development of Custom and Modular Handheld/Mobile Device(s)
* Only if COTS does not exist to meet our needs.
Handheld/Mobile Device Market Place
Questions?
Mike Butler (703) 696-7396
National Aeronautics and Space Administration (NASA) Status Update
GSC-IAB 8/10/2005 IS05: Tim Baldridge
Explore. Discover. Understand. People, Technology, & Information Working Together For NASA
Common Badging and Access Control System (CBACS)
Marshall Space Flight Center
August 9, 2005, Government Smart Card Inter-Agency Advisory Board
CBACS – Initial Scope – Smart Cards
MISSION (2002/2003): The Implementation of a multi-application, multi-technology smart card program with an Agencywide user base
VISION: To issue a common credential token (physical and logical identifier) that is…. Used by NASA employees, contractors, and other people approved by NASA…. Who require routine access to NASA physical and information resources. An inter-agency Federal Identity Credential conforming with emerging federal policy and technical interoperability
During Site Surveys, issues were determined on several fronts: diversity of existing PACS, need for common processes, difficulties in logical roll-out, and flexibility/ease of use of system
CBACS – Project Re-Direction
Goals (2004):
Achieve High Business Value Through a Common Badging and Access Control System That Integrates with Smart Cards
Provide Physical (versus Logical) Deployment of Smart Cards Initially
Provides a Common Consistent and Reliable Environment Into Which to Release the Smart Card
Gives Opportunity to Develop Agencywide Consistent Processes, Practices and Policies
Enables Enterprise Data Capture and Management
Promotes Data Validation Prior to SC Issuance
Avoids Further Investment in Current PACS Systems
CBACS - Description
An Integrated Services and IT Security Environment That Fulfills NASA and Homeland Security Presidential Directive (HSPD-12) Requirements for:
NASA Identity Management System – IDMS
• Central Authoritative Source for Personnel Identification
• Warehouse for Personnel Security Investigation Determinations
• Warehouse for Clearance Issuance & Uniform Universal Person Identification Code (UUPIC)
Enterprise Physical Access Control System – E-PACS
• Software for Common Badging Application
• Area Access Management
• Visitor Management System (Optional)
• Alarm Monitoring Application
• Integrated Digital Video Recording and Archiving System
Smart Card Physical Access – SC
• Hybrid Smart Card
• Utilized with E-PACS for Physical Access
• Provide Logical Access to NASA Computerized Systems During Final Phase of Implementation
Central Card Management System – CCMS
• Contact and Contact-less Smart Card Encoding
• Provides Logical Certificates to the Smart Card from the NASA CA
• Smart Card Life Cycle Management
CBACS - Conceptual Drawing
CBACS - System Life Cycle (NIST 800-18 Phasing Model View)
[Table: columns IDMS, E-PACS, Smart Card, CCMS; rows Initiation, Development and Acquisition, Implementation, Disposal, Operations and Maintenance. The extracted cell values (Complete, Complete, Ongoing, Complete, Ongoing, Ongoing, Complete, Ongoing, Complete, Ongoing, None, None, Lab, None, Lab, None) no longer carry their row/column positions; Operations and Maintenance reads None for all four systems.]
CBACS - Planning Approach
New Work Planning Documents | Compliance | Reason for not complying or N/A
OMB Circular A-11 – Business Plan | Complies |
NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems | Complies |
NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems | Complies |
NPR 7120.5C, Sections 3.2, 3.4, 3.5.2, and 3.5.3 | Will Comply | Evaluation underway to ensure compliance
NPD 8710.1, Emergency Preparedness Programs | Complies |
NPR 1620.1, Security Procedures and Guidelines | Complies |
NPR 2810.1, Security of Information Technologies | Complies |
NPR 7150.2, NASA Software Engineering Requirements, and NASA Standard 8739.8, Software Assurance Standard | Will Comply | Evaluation underway to ensure compliance
How to Check Authenticity of PIV
Other Federal Agency Visitors: Checking the Authenticity of PIV
Challenge: An individual from Housing and Urban Development (HUD) visits a Department of Homeland Security (DHS) facility and presents a HUD PIV. How will the DHS facility know that this PIV is authentic, held by the right person, and still valid?
Requirement: FIPS 201 (section 6.2) requires card issuers to provide the capability for credentials to be authenticated by other Federal Agencies
What Is Currently Done Within DoD?
DoD components utilize the Defense National Visitors System (DNVS)
− XML
− Simple Object Access Protocol (SOAP)
− Java
Proposal
Propose establishing a focus group to:
− Scope out the different ways in which credential cross recognition could be accomplished
− Examine and recommend a common approach and process for all Federal Agencies
− Examine and recommend ways to maximize/leverage current investments
Current Environment
• Issuing Smart Cards for over 5 Years
• Issued over 8.5 million cards to DOD personnel/contractors (3.2 mil. are active)
• Submitted on June 27, 2005, OMB mandated plan to become PIV compliant (plan approved)
− Deploying a dual-interface card utilizing V2 applets and new PIV applet at issuance or post issuance
− Any new cards introduced must be backwards compatible with cards previously fielded
Architecture
[Diagram: JavaCard Runtime hosting an OP Domain / Security Domain (PIN, Secure Channel, External Authority) that controls which applets are placed on the card, and an Access Control Applet that controls who is granted access to the applets. Applets shown: GC Applet, PKI Applet, CCC, BioAction Applet, PIV Applet and Other Applets, each fronted by an Access Controller Applet exposing a MOC Lib Access API; a Bio Access Controller Applet and a Secure Transport path are also shown.]
Other IAB Initiatives
DoD Key Ceremony and System Tour
Who: Government and Primary Contractor Support Personnel ONLY
What: DoD Key Management 101 and System Tour
When: Session 1: Thu, Aug 11th (1-4pm); Session 2: TBD
Where: EDS DMDC Account office (1600 N Beauregard Street, Suite 100, Alexandria, VA 22311)
Why: To assist government personnel in determining individual key management policies and procedures
Please send your RSVP to Winn Whaley at: [email protected] by Tuesday, August 9th
Located 5 min off of I-395, the DMDC/EDS office is south of the Pentagon and north of the Springfield “Mixing Bowl”.
Location is NOT metro accessible (15 min+ taxi from Eisenhower stop).
Electronic Data Systems, 1600 North Beauregard Street, Alexandria, VA 22311, Front Desk: 703-820-0200
From DC:
1. Take I-395 S to Exit 4 - Seminary Road West (veers to the right). Once on Seminary Road, immediately begin moving towards the left-hand lane.
2. At 2nd light turn left onto N Beauregard Street.
3. At 2nd light turn right (Clyde's entrance). Sign will read 1600 EDS.
4. Continue straight and at 2nd left, turn left until you see Bldg 1600.
5. Please do not park in the spaces marked "Clyde's" or you may be towed.
HSPD-12 Reminders
Implementation plans were due to OMB on June 27, 2005
Other dates:
− August 19, 2005: Public comment on Special Publication (SP) 800-85
− August 27, 2005: Additional programs identified to OMB that must be Personal Identity Verification (PIV) compliant
− October 27, 2005: PIV I Notional
− October 27, 2006: PIV II Notional
SP 800-79 - Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations
− Published in July 2005
− Establishes the attributes required of organizations in order to reliably perform appropriate identity “proofing” and issuing of cards
− Describes methods for determining if a PIV issuer exhibits the required attributes
− Provides guidance to Federal agencies in establishing or obtaining the services of an issuer whose reliability is accredited
IAB Status Report
IAB status report and dashboard
Provides a monthly update of IAB:
− Working group activities
− Educational opportunities
− Announcements
− Upcoming meetings
IAB Website
www.smart.gov/iab
Initial presence
Next iteration scheduled for September
Credential Card Migration Strategy
IAB, 9 August 2005
Card Migration Strategy: Migration to attain PIV II compliance by 10/06 but start now
Card purchases starting now:
• Dual-Interface (DI) 64k Java Card 2.2
• Current GSC applets
• Printed in accordance with FIPS-201 guidelines
[64K chip carrying the existing GSC-IS applets]
Movement to 10/06 (PIV-II Compliant):
• DI 64k Java Card 2.2
• Current GSC applets
• Printed in accordance with FIPS-201 guidelines
• PIV-II End State Applet: Available and FIPS certified
[64K chip carrying the existing GSC-IS applets plus the new PIV II applet]
Card Migration Strategy: Migration to attain PIV II compliance by 10/06 but start now
DI cards issued pre 10/06: [64K chip carrying the existing GSC-IS applets and the new PIV II applet], PIV-II Compliant
Issued DI cards will be post managed through a post management portal
DI Cards come back to portal, load PIV II cert onto PIV II applet (contains CHUID, bio container, cert and security object)
Post-Issuance Update: all Pre 2/06 DI Cards: [64K chip carrying the existing GSC-IS applets and the new PIV II applet]
Previously Issued Dual Interface Cards: PIV-II Compliant, October 2006
Technical Notes
• PIV-II applet will be loaded aside existing GSC applet set
– The PIV-II certificate, CHUID, biometric containers, and security object will be loaded into the new PIV II applet (Note: bio container only populated when SP 800-76 issued)
• Middleware will be upgraded to support the additional PIV-II applet and data
• Physical Access (PA) systems will be upgraded to support use cases for PA authentication over the contactless interface
• All other data and credentials not mandatory in FIPS-201 and SP800-73 will remain in the GSC applet set
Conclusions
• This approach allows agencies to start issuing the currently available dual interface smart card platform now
• Enables agencies to upgrade once PIV-II certified products are available
• Disagreement with this approach technically?