Federal Electronic Identity Initiatives Current Status Peter

Federal Electronic Identity Initiatives – Current Status Peter Alterman, Ph. D. Chair, Federal PKI Policy Authority and Asst. CIO for E-Authentication, NIH BRIITE 2007

Federal Initiatives • e. Authentication – Focus on e. Commerce, services, etc. • HSPD-12 – Focus on security BRIITE 2007 2

Security BRIITE 2007 3

Homeland Security Presidential Directive 12 • A Presidential Mandate for Federal Agencies to issue medium hardware assurance (or better) identity credentials for access to physical and logical government resources - inside-the-firewall contractors, too – Medium Hardware or High Assurance digital certificates on PIV-2 cards (next generation Smartcards) • Fast-tracked for implementation starting 10/2006 • Led to new government standards for identity proofing and vetting (FIPS 201) and for PKI hardware tokens (NIST SP 800 - 7 x series) BRIITE 2007 4

Federal View of Electronic ID • A validated, proofed identity using breeder documents and databases (FIPS 201) • A scheme for adding a name, biometrics (photo, fingerprints), numeric codes (CHUID, etc. ) and substantial assurance digital certificates to a next -generation Smart. Card • Attributes are extensions not required by HSPD 12, but optionally consumed by Applications – SAML assertions and/or database entries for attribute storage – USPerson profile being developed to standardize attribute representation BRIITE 2007 5

Current Status • All Federal Agencies are implementing the requirements of HSPD-12, which means 12 – 15 million high assurance digital certificates will be deployed and used by 2010. • There are over 5. 5 million high assurance digital certificates currently deployed and used in the Federal government BRIITE 2007 6

Other Initiatives – Classified Stuff • Defense, Law Enforcement, Intelligence Services • Don’t want to know…. BRIITE 2007 7

E-Gov Services BRIITE 2007 8

Current State of Affairs (60 years old now) • • • You apply to the application owner for a password You use the password to access the system You forget the password The application owner gives you a new password You use the new password to access the system You forget the password No identity proofing No way to know who is actually on the system (Your secretary? Your postdoc? Your dog? Osama? ) BRIITE 2007 9

e. Authentication Initiative • Provide electronic identity authentication services for online government applications • Manage the Federal Federation – extends services to private sector credential providers and online services • Set standards for assertion-based authentication tools • Offers standard risk assessment tool • Standard Architecture and Policy foundations BRIITE 2007 10

Foundational Assumption • Government online services shall trust externally-issued electronic identity credentials at known levels of assurance (LOA) • Online applications shall determine required credential LOA using a standard methodology based on: 1. Risk assessment using standard tool, 2. OMB M-04 -04 determines required auth. N LOA 3. NIST SP 800 -63 translates required LOA to credential technology BRIITE 2007 11

The Federal Federation • Credential Service Providers • Agency Applications • Covers 4 LOA – Assertion-based identity credentials for L 1, 2 – Crypto-based identity credentials for L 3, 4 • Service Requirements – Related to uptime, user support, etc. • Interfederation Arrangements Encouraged • Federal Agency Applications and Services • Mandated by Administration • Service Requirements – Related to uptime, user support, etc. BRIITE 2007 12

Summary of Architecture and Policy/Procedures • Architecture – SAML assertions for LOA 1, 2 (encapsulate userid/passwords) • Policy/Procedures • Vendor interoperability required for addition to approved vendor list • SAML 1. 0 currently supported; SAML 2. 0 specs being developed – PKI or OTP for LOA 3 – PKI for LOA 4 – Credential assessments for all CSPs, • CAF for assertion-based credentials; • cross certification with Federal PKI for cryptobased credentials – Federal PKI Policies define requirements for digital certificate trustworthiness – Business and Legal Rules define service requirements for all LOA – Scheme translator available BRIITE 2007 13

E-Authentication LOA and What They Mean* • Little or no assurance of identity; assertion-based identity authentication • Some assurance of identity; assertion-based identity authentication or policy-thin PKI • Substantial assurance of identity; cryptographically-based identity authentication • High assurance of identity; cryptographically-based identity authentication Level 1 Level 2 Level 3 Level 4 * Codified in OMB Memorandum 04 -04 BRIITE 2007 14

E-Authentication LOA and What They Service** • Online applications with little or no risk of harm from fraud, hacking; low risk • Online applications with risk of some harm from fraud, hacking; some risks • Online applications where there is risk of significant harm from fraud, hacking; significant risks • Online applications where there is risk of substantial harm from fraud, hacking; substantial risks Level 1 Level 2 Level 3 Level 4 ** Codified in NIST SP 800 -63 BRIITE 2007 15

General Considerations for Determining LOA of an Electronic Identity Credential • Identity Proofing – how sure are you that the person is who he or she claims to be? • Identity Binding – how sure are you that the person proffering the EIC is the person to whom the credential was issued? • Credential integrity – how well does the technology and its implementation resist hacking, fraud, etc. ? BRIITE 2007 16

Summary of Lower-Level Identity Credentials • Level 1: User. ID/Password, SAML assertion (XML text) • Level 2: “High entropy” User. ID/Password; “policy-lite” PKI, e. g. , Fed PKI Citizen and Commerce Class & Federal PKI Rudimentary, TAGPMA Classic Plus (in development) BRIITE 2007 17

Summary of Cryptographic. Based Identity Credentials • Level 3: One-time Password; Substantial assurance PKI at FPKI Basic, Medium • Level 4: High assurance PKI at FPKI Medium Hardware, High BRIITE 2007 18

A Little Complication • The government has TWO LOA classifications: 1. Federal PKI LOA codified in the Certificate Policies of the Federal PKI Policy Authority 2. E-Authentication LOA codified in OMB M-0404 BRIITE 2007 19

LOA Mapping E-Auth to Fed PKI E-Auth Level 1 FPKI Rudimentary; C 4 E-Auth Level 2 FPKI Basic E-Auth Level 3 FPKI Medium & Medium-cbp E-Auth Level 4 FPKI Medium/HW & Medium/HW-cbp FPKI High (governments only) BRIITE 2007 20

Fed PKI: View from 20, 000 km Common Policy CA (HSPD-12) SSPs Serving all other Agencies FBCA Certi. Path SSP (HSPD-12 comparable) SAFE C 4 Certi. Path Industry PKIs e. GCA (3) BRIITE 2007 21

Fed PKI: View from 20, 000 km DOD DHS NASA Commerce USPS USPTO HHS DOE IL DOJ State DOD/ECA GPO DOD/Interop Treasury Wells Fargo MIT LL UTexas. Sx Commercial “SSP-like” Total: 15 – 20 M users Common Policy CA (HSPD-12) SSPs Veri. Sign Cybertrust Serving all other ORC Agencies Treasury GPO Exostar Entrust/Cygnacom Iden. Trus. T? FBCA Certi. Path (HSPD-12 comparable) SAFE C 4 e. GCA (3) ~ 500 k users! EAF member CSPs TLS certs Certi. Path Industry PKIs Abbott Labs Astra. Zeneca Bristol-Myers Squibb Genzyme Glaxo. Smith. Kline INC Research “SSP” Johnson & Johnson Merck Pfizer Procter & Gamble Sanofi-Aventis TAP Pharmaceuticals BRIITE 2007 State of VA first responders Industry PKIs Boeing Raytheon Lockheed Martin 22

Interoperability Initiatives • Certi. Path – Federal Bridge crosscertification complete • SAFE PKI Bridge and services – supporting digitally-signed electronic forms and document management • in. Common –assertion-based technology, LOA 1 & 2 – demonstration projects with NSF – interfederation with NIH NOW BRIITE 2007 23

Technology Implications • US Government LOA, • standardized risk assessment, • standards for PIV cards and identity proofing and vetting are here and INEVITABLY will migrate everywhere – Pickup already noted in aerospace contractor space, homeland security • Feds will have to deal with attributes eventually! BRIITE 2007 24

Security and Online Services Implications for Higher Ed • DHS first responders, DEA PKIs and CMS initiatives to enable online services and payments management will drive medical schools, hospitals and insurance chains to adopt Federal models for electronic identity authentication – Financial services firms under SEC regulation are already falling in line, both within and outside the e. Authentication federation participation – DEA issuing digital certs to pharmaceutical supply chain entities and plans to do so to service providers (MDs, PAs, NPs, etc. ) – Treasury transfers > $1 B daily via PKI • Availability of online government apps drive schools to federate to take advantage of services/apps BRIITE 2007 25

What About Privacy? • • No single database of identity credentials No requirement for only one identity credential The old tradeoff still exists: convenience vs. security Are there forces out there that want to know who you are at all times? – Of course; worry about RFID first. BRIITE 2007 26

NIH E-Authentication Initiative Goals • Researchers use their institutional identity credentials to authenticate to NIH online applications and services • Build a reliable, secure, trusted IT infrastructure reliable secure that supports e-authentication BRIITE 2007 27

NIH E-Authentication Initiative Goals • Researchers use their institutional identity credentials to authenticate to NIH online applications and services • Build a reliable, secure, trusted IT infrastructure reliable secure that supports e-authentication BRIITE 2007 28

Current NIH Initiatives • Interfederated with In. Common higher education Identity Management Federation at OMB LOA 1: low/no risk applications put online and consume identity credentials issued by universities that are members of In. Common; • Extend interfederation agreement to OMB LOA 2 applications for universities that issue higher-assurance credentials under the In. Common Federation Silver program – for moderate risk applications (ETA 1/08); • Direct trust relationship with University of Texas System Public Key Infrastructure BRIITE 2007 29

NIH Pilot LOA 1 Applications • NLM Proxy Redirector (initial application ) • Good Clinical Practice (GCP) • Community for Advanced Graduate Training (CAGT) • NIH Login/ADFS/MOSS integration (general collaboration) • More to follow BRIITE 2007 30

NIH Pilot LOA 2 Applications • • Electronic Research Administration (e. RA) ca. BIG data (via Grid interoperability? ) Firebird (FDA, SAFE, NIAID involvement) More to follow BRIITE 2007 31

End State for NIH • All NIH outward-facing, online apps risk assessed and credential LOA requirements determined • Credential validation infrastructure and/or linkages at production operational level • All NIH outward-facing, online apps connected to NIH Login front end with validation service enabling infrastructure (e. g. , Shibboleth, etc. ) • End State achieved… ? ? ? BRIITE 2007 32

Resources • • • altermap@mail. nih. gov http: //csrc. nist. gov/pki www. cio. gov/fpkipa www. cio. gov/ficc www. cio. gov/eauthentication www. smartcardalliance. org BRIITE 2007 33