EPA State PKI Analysis

Provided by: nga

1
EPA State PKI Analysis
  • National Governors Association
  • January 9, 2001
  • Charleston, South Carolina

2
Items to Discuss
  • Security vs Paper Process
  • Digital Signatures
  • Purpose of the EPA Study
  • Items collected during the EPA Study
  • State results to date in the EPA Study
  • Conclusions

3
Purpose of the EPA Study
  • To determine the extent of PKI usage in state
    government agencies
  • To demonstrate the use of non-ACES certificates
    in the ACES Certificate Arbitrator Module (CAM)

4
Items collected during the EPA Study
  • General Level and scope of PKI activity in state
  • State EPA requirements - Does the State EPA
    employ the state or agency certificates for
    compliance report delivery?
  • Certificate Policy (CP) and Certificate Practice
    Statement (CPS) - Do these documents exist?
  • Requirements for Identity Proofing - individuals
    vs business
  • Access Control
  • Certificate Validation and Revocation
  • System Specifications
  • Key Management and Registration
  • Payment Model
  • Rollout Schedule and Future Plans
  • Cross certification

5
State results to date in the EPA Study
  • Washington
  • Illinois
  • Pennsylvania
  • North Carolina
  • Virginia
  • Oregon

6
State of Washington
  • Statewide PKI portal called Transact Washington
    (http://transact.wa.gov)
  • Each user gets a My Transact homepage with
    links to a registered application and an option
    to register for other applications
  • DST is the CA
  • Certificate registration, ID proofing, Renewals,
    Revocation, etc. are outsourced to DST
  • TrustID Individual certificates used now
  • Business Rep certificates being considered
  • Three certificate assurance levels: High,
    Intermediate, Standard
  • Current application is sponsored by Department of
    Labor and Industries for worker compensation
    claims

7
State of Washington - cont'd
  • Possible future applications for 2001
      • Department of Health - exchange of medical
        records between providers
      • Department of Labor and Industries - filing
        workers' compensation forms
      • Department of Retirement Systems - digitally
        signed financial transfers, management and
        planning
      • Department of Revenue - online tax filing
      • Employment Security Agency - file unemployment
        taxes

8
State of Illinois
  • Running their own CA using Entrust line of PKI
    products hosted by the Department of Central
    Management Services (CMS)
  • Anticipate issuing 2 million certificates
    beginning 2001
  • Local Registration Authority (LRA) located at
    state agencies and Secretary of State offices
  • Citizens can get certificates when they get their
    driver's license
  • In-person identity proofing done at these
    facilities
  • Subscribers (clients) use either Entrust
    Entelligence client side or Entrust Roaming
    Server Side
  • Root Key generation ceremony scheduled for week
    of Jan 15, 2001
  • Current Application - Department of Public Aid
      • available shortly after root key ceremony
      • anticipated to issue 240K certificates via 60
        service providers
      • certificates to be used to gain access to
        electronic business and submission forms

9
State of Illinois - cont'd
  • Future applications
      • State EPA to use certificates for DMR submissions
        using web-based forms
      • Expected deployment is late 2001

10
State of Pennsylvania
  • Via the Pennsylvania Department of Environmental
    Protection (DEP)
  • Applicants initially fill out a registration form
    online at which time they download an
    authorization form to take to a Notary.
  • Identity proofing done in person by a LRA or a
    Notary
  • Certificates issued for signatures and
    encryption, as determined by the key usage
    extension field in the certificate
  • ORC is CA for the pilot and will serve as
    Certificate Manufacturing Authority (CMA)
  • Applications - Department of Environmental
    Protection (DEP)
      • DMR submissions
          • Certificates used to sign XML-based web forms
          • Currently 4K-6K forms submitted each month in
            paper
      • Safe Drinking Water Lab Analysis
          • Certificates will be used to sign monthly
            analyses submitted from approximately 300 labs to
            DEP
  • Pending funding, soft rollout date of March, 2001
    for one or both initiatives

11
State of North Carolina
  • PKI efforts headed by Department of Information
    Resource Management (IRM)
  • Certificate authorities authorized to issue
    certificates: Verisign and Arcanvs
  • Certificates used for encryption and signatures
    using different key pairs
  • Two assurance levels
      • Base
      • Strong - requires in-person identity proofing
        before a notary or RA
  • Three types of certificates
      • unaffiliated individual
      • affiliated individual
      • organization

12
State of North Carolina - cont'd
  • Just completed PKI pilot with following agencies
      • Department of Revenue
      • Department of Corrections
      • Office of the State Auditor
  • Department of Revenue
      • Use of state centralized email messaging system
        by encrypting emails on the centralized system in
        order to satisfy privacy requirements
      • Used Outlook Express and Netscape Mail
      • 20 - 25 certificates were used
  • Department of Corrections
      • Database maintenance that local, city, and county
        law enforcement agencies can access via
        PIN/password pairs.
      • Web-based transactions
      • Netscape and Microsoft browsers performed
        certificate management
      • Approximately 10 certificates used to
        successfully replace PIN/password

13
State of North Carolina - cont'd
  • Office of the State Auditor
      • Certificates used to facilitate encrypted emails
        and files on laptop computers while on-site in
        the field
  • Pilots used Verisign On-Site software
  • IRM served as the LRA
  • Two LRAs served 3 agencies; Revenue had their own
    LRA
  • Each agency preparing an evaluation report based
    on pilot results
  • Based upon report results, statewide strategy
    tentatively scheduled for rollout in March, 2001
  • No signatures, encryption only, due to legal
    concerns, although Secretary of State has
    established specific guidelines for digital
    certificates, including digital signatures
  • Certificates to be issued to individuals as
    business representatives
  • Production rollout to follow same model as pilot;
    CA vendor not yet selected

14
State of Virginia
  • Formed the digital signature initiative in
    January, 2000.
  • Purpose was to test digital certificates from a
    variety of vendors with different applications.
    The summary of their findings, including input
    from DST, can be found on the web site
    http://www.sotech.state.va.us/cots/
  • Some agencies ran CA internally, others had a
    service provider.
  • Pilots ran about 2 months with fairly minimal
    results.
  • Generally still in the formative stages
  • Finalizing draft Certificate Policy in
    preparation for the release of their RFP for PKI
    services: http://www.itc.virginia.edu/volt/ (VOLT
    stands for Virginia OnLine Transaction)
  • PKI usage will be internal as well as with the
    general population and businesses (G2G, G2C and
    G2B)
  • Dual key pairs/certificates with NO
    escrow/recovery

15
State of Virginia - cont'd
  • Combination of in-person and online gathering of
    identity information as outlined in their draft
    CP.
  • ACES and State of Washington models seem
    attractive to them.
  • Also looking at requiring hardware tokens for key
    generation and storage to increase the assurance
    levels.
  • Plan to procure an outsourced provider of
    certificates, PIN services, integration services,
    resale of PKI software and other services
    surrounding the implementation of PKI.
  • Release is scheduled for Jan 2001 with
    implementation to begin in June 2001.
  • Looking at the Early Adopter program as was done
    in State of Washington and the meetings will
    continue throughout 2001 as they recruit early
    adopters.

16
State of Oregon
  • PKI still in the formative stages
  • Current thoughts
      • Certificate authorities must be certified by the
        state Division of Administrative Services
      • Certificates will be Class 1 and are obtained
        directly from a commercial CA derived from the
        approved list
  • Pilots under consideration - Department of
    Environmental Quality (DEQ)
      • Used for DMR submissions
      • Client-side software package, Waste Discharge
        Electronic Reporting Systems (WADRS), used to help
        user prepare properly formatted DMR
      • Certificate used to either sign the DMR as part
        of WADRS or to sign the entire email, including
        DMR attachment, using COTS mail client
      • Determination made based upon ability to view
        digitally signed document post signature
  • Pilot - late summer 2001; Production - possibly
    December 2001

17
Conclusions
  • Most states still in formative stages in PKI
  • Issues with developing PKI
  • Lack of PKI knowledgeable engineers
  • Lack of funding
  • Trade-offs associated with PKI
  • Technical
  • State run CA vs Trusted Third Party (TTP)
  • Liability, warranty, privacy concerns
  • Lack of knowledge within the states of their own
    PKI initiatives
  • ACES model seems to be very appealing for states

18
Contact Information
  • EPA CDX PKI lead
  • Kimberly Nelson
  • 202.260.8152
  • Nelson.Kimberly_at_epa.gov

19
Supplementary Information

20
Security vs Paper Services

21
Digital Signatures
  • A Transformation of a Message Using Public Key
    Cryptography
  • Virtually Impossible to Forge
  • Provides a High Level of Security

22
What is PKI?
  • A complex suite of hardware, software and
    particular cryptographic components, combined
    with adherence to policies and procedures that
    enable business applications to operate in a
    secure environment.
  • Particular cryptographic components used are
    those of public key, or asymmetric, cryptography
    used for digital signatures and, optionally,
    encryption
  • Comprised of supporting services, such as a
    Certificate Authority (CA) and Concept of
    Operations (ConOps), as well as legal support of
    a Certificate Policy (CP) and Certificate
    Practice Statement (CPS)

23
What is ACES?
  • Access Certificates for Electronic Services
    (ACES)
  • Sponsored by General Services Administration
    (GSA)
  • Supports the legal frameworks of Government
    Paperwork Elimination Act (GPEA) and e-Signature
    Law

24
ACES Assumptions
  • Government has already determined a need for PKI
    security services.
      • GPEA
      • PDD-63
      • Procurement Changes
      • Internal performance imperatives

25
ACES Assumptions
  • The Government needs to deal with businesses or
    the public on a recurring basis -- monthly,
    quarterly, ad hoc
  • May be remote/unknown to the Government agency
  • May be Government trading partners
  • May be sectors of the general public, such as
    State EPA reporting entities
  • (Why not government-to-government?)

26
Encryption and Decryption
  • Plaintext is data that directly represents
    information constituting a message
  • Encryption transforms the plaintext data into
    unintelligible data called ciphertext
  • Decryption transforms ciphertext data back to the
    original plaintext data