Strategies for the Implementation of PIV – I Secure ...€¦ · Physical Access Use Case...

Property of the Smart Card Alliance © 2010

Access Security Usage Models for PIV – I Trusted Identity Credentials   Roger Roehr   Principle, Roehr consulting

Strategies for the Implementation of PIV – I Secure Identity Credentials A Smart Card Alliance Educational Institute Workshop

9th Annual Smart Cards in Government Conference Washington DC Convention Center ― November 16-19, 2010


PIV-I Usage models

 Government and PIV-I  First responder at Government site  Government want to send a encrypted document for a contract.

 Internal use of PIV-I  A company wants secure remote access for employees

  PIV-I to PIV-I  One aircraft company want to digitally sign test results to another


Two parts to Access

 Policy (PIV-1)  What are the requirements to get the credential?

 What are requirements for access?  Technology (PIV-2)

 What operation capabilities of the credential?

 What the operation capabilities of the system?


What do you get from the Credential

Identity I-9 Affiliation Background

Check Attributes

PIV Yes Yes Yes NO

PIV-I Yes Yes NO NO

TWIC Yes NO Yes NO


What are your access requirements?

 Who Validates the request?  Identity proofing?  Background checks?  What are authentication requirements?  What do you need for a audit?


Define Your Process

Visitor is sponsored

Collect Biometric & Breeder Document

PIV card holder?

Does Credential

Holder know the PIN?

Yes

Yes

Enter PIN

Collect Biometric & Verify Certificate

Verify Biometric & Verify Certificate

No

No

Privilege for Unescorted Access

Privilege for Escorted Access


Use case of send a encrypted email

 A government person is going to send a encrypted email to a contractor.

1. Get the certificate for recipient

2. Establish trust for the certificate

3. Encrypt with public key and send


The PKI Certificate

Root

Intermediate

Credential Certificate


Which Root do You Trust?


How Roots Get Trust


The PKI Bridges

Your Organization Root

Your Organization Intermediate

Your Organization Certificates

Bridge

CRL

CRL

CRL

Other Organization Root

CRL

Other Organization Intermediate

CRL

Other Organization Certificates

You only need to trust

your root!


How the Bridges Connect

Fedral BCA

Common Policy CA

CertiPath

SSPs

Industry PKIs

CertiPath SSP DOD DHS NASA Commerce USPS USPTO HHS DOE IL State DOJ DOD/ECA GPO Treasury Wells Fargo MIT LL UTexasSx

Serving all other Agencies

Boeing Raytheon Lockheed Martin

VeriSign Cybertrust ORC Treasury GPO? Exostar Entrust IdenTrusT?

Total: 12 – 15M users

SAFE

Industry PKIs Abbott Labs , AstraZeneca, Bristol-Myers Squibb, Genzyme,GlaxoSmithKline, INC Research, Johnson & Johnson Merck, Pfizer, Procter & Gamble Sanofi-Aventis


Boeing digitally signs a contract for the US Government

Treasury Root

Federal Bridge

CRL

CRL

Boeing’s Root

CRL

Boeing’s Intermediate #3

CRL

Joe Boeing’s Signing Certificates

CertiPath Bridge

CRL


CRL Validation




Bridge

CRL

CRL

CRL


CRL


CRL



OCSP Validation




Bridge Other Organization Root



CRL

OPSP Responder

CRL

OPSP Responder

CRL

OPSP Responder

CRL

OPSP Responder

CRL

OPSP Responder


SCVP Validation




Bridge

CRL

CRL

CRL


CRL


CRL


SCVP

Responder


The Public Key

The message now can be encrypted with the Trusted public key


Physical Access Use Case

 Government agency wants to use PIV-I in physical access control system. 1. A sponsor need to establish a need for

access. 2. Vetting of attributes and back ground check 3.  The credential PKI need to be validated and

the credential then need to be registers into the system

4. A physical access model need to be defined


Attributes

 Currently there is no standard format for electronic exchange of attributes

 The Back End Attributes exchange is a current task of the CIO council

 Some proprietary first response models have been field tested


Physical access models

 In all model PIV authentication certificates should be escrowed and check routinely

 Use PIV-I GUID and PIV with GUID at the door and issue PIV holders without GUID a credential.

 Use PIV FASC-N and issue PIV-I a credential  Build a PACS with discovery system and use

PIV  Not available at this time


Credential Numbers

PIV key

Finger print

CHUID

CHUID

FASC-N (PIV)

Sign

Key

Agency Code

GUID (PIV-I)

Expiration Date

Organization ID

Signature

FASC-N

Agency Code

System Code

Credential Number

Credential Series

ICI

Person ID

Org Cat

Org ID

POA


PIV vs. PIV-I Identifiers

GUID (128bits)

Expiration Date

(8BDC -25 bits)

Agency Code

(4 BCD -14bits)

System Code

(4BCD – 14bits)

Credential Number

(6BCD – 20bits)

Agency Code = 9999

PIV Identifier

PIV-I Identifier Note: DOD & TWIC need CS and ICI 1BCD -4bit ea for total 8bits extra

Total of 73bits GSA Wiegand format adds 2 bits for parity


Final Thoughs

 Define use case first!  PIV and PIV-I are not the same and will

require different policy and system configuration

 PACS that are PIV compliant might not be PIV-I compliant

 Security only comes from proper implementation


 Smart Card Alliance  191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828  www.smartcardalliance.org

Roger Roehr [email protected] 703-407-8249

Date post:	03-Jun-2020
Category:	Documents
Upload:	others
View:	1 times
Download:	0 times

Strategies for the Implementation of PIV – I Secure ...€¦ · Physical Access Use Case...

Documents