Electronic Security and PKI

1
Electronic Security and PKI
Richard Guida Chair, Federal PKI Steering
Committee Chief Information Officers Council
Richard.Guida_at_cio.treas.gov 202-622-1552 http//g
its-sec.treas.gov
2
Authentication and Confidentiality Technical
Approaches

• Shared secrets ( including Symmetric Crypto)
• Personal ID Numbers
• Passwords
• Biometrics (including digitized signatures)
• Public key technology (Asymmetric Crypto)
• Key pair - no shared secrets

3
Shared-Secret Approach

• Shared secret for authentication or
  confidentiality
• Different for each pair of users
• No nonrepudiation
• Need to pre-arrange and securely transport
• If one party fails to protect, both compromised

4
Public Key Technology Approach

• Two keys, mathematically linked
• One is kept private, other is made public
• Private not deducible from public
• For digital signature One key signs, the other
  validates
• For confidentiality One key encrypts, the other
  decrypts

5

Public Key (Digital) Certificate

• An electronic credential which
• Binds an individuals public key to his or her
  identity
• Is digitally signed by a trusted third party
  (called Certification Authority)
• Provides a trusted way to obtain an individuals
  public key
• Digital Signature on the certificate precludes
  undetected alteration of contents

6
Public Key Infrastructure

• Registration Authorities to identity proof users
• Certification Authorities to issue certificates
  and CRLs
• Repositories (publicly available data bases) to
  hold certificates and CRLs
• Some mechanism to recover data when encryption
  keys are lost/compromised
• Certificate Policy and related paper

7
Federal PKI Approach

• Establish Federal PKI Policy Authority (for
  policy interoperability)
• Develop/deploy Bridge CA using COTS (for
  technical interoperability)
• Prototype 2/8/00, production end of 2000
• Deal with directory issues in parallel
• Border directory concept White Pages
• Use ACES for public transactions

8
Federal PKI Policy Authority

• Voluntary interagency group - NOT an agency
• Governing body for interoperability through FBCA
• Agency/FBCA certificate policy mappings
• Oversees operation of FBCA, authorizes issuance
  of FBCA certificates

9
Federal Bridge CA

• Non-hierarchical hub (peer to peer)
• Maps levels of assurance in disparate certificate
  policies (policyMapping)
• Ultimate bridge to CAs external to Federal
  government
• Allows certificates issued by one agency to be
  accepted by other agencies/parties

10
Intra-Agency PKI Examples

• DOD (250K certs 4M by 2002 high assurance
  with smartcards)
• FAA (1K certs 20K in 2000 software now,
  migrating to smartcards)
• FDIC (7K certs 20K in 2000)
• NASA (1K certs 25K in 2000)
• USPTO (1K certs 15K in 2000)

11
Access Certs for Electronic Services

• No-cost certificates for the public
• For business with Federal agencies only (but
  agencies may allow other uses on case basis)
• On-line registration, vetting with legacy data
  information protected under Privacy Act
• Regular mail one-time PIN to get certificate
• Agencies billed per-use and/or per-certificate

12
Access Certs for Electronic Services

• First award 9/99 (DST), second award 10/99 (ORC),
  third award 10/99 (ATT)
• Contract has provisions for ACES-enabling
  applications
• Potential use with state/local government
• Certificates available now
• 500K free certs

13
Electronic Signatures under GPEA

• Government Paperwork Elimination Act (October
  1998)
• Technology neutral - agencies select based on
  specifics of applications (e.g., risk)
• Gives electronic signature full legal effect
• Focus transactions with Federal agencies
• Draft OMB Guidance 3/99 final 5/00

14
Organization
15
PKI Use and Implementation Issues

• Misunderstanding what it can and cant do
• Requiring legacy fixes to implement
• Waiting for standards to stabilize
• High cost - a yellow herring
• Interoperability woes - a red herring
• Legal trepidation - the brightest red herring