c48f53ff94b2743c305f25a2e21ebaf4.ppt
- Количество слайдов: 33
SWIM Common PKI and policies & procedures for establishing a Trust Framework Kick-off meeting Patrick MANA Project lead 29 November 2017
Agenda § § § § Welcome - Introduction Tour de table Project scope/objective Technical content Tasks/deliverables Contribution Next steps AOB SWIM Common PKI and policies & procedures for establishing a Trust framework 2
Why this initiative? § The local deployment of a Public Key Infrastructure (PKI) at a stakeholder is a well-established technical undertaking that can rely on proven technology and best practices. Even the basic processes and policies required to operate the PKI locally are a local issue in the first place. However to establish the required trust in the other parties on a European scale, a commonly agreed set of processes and policies is required especially with the aim to ensure the interoperability of digital certificates. SWIM Common PKI and policies & procedures for establishing a Trust framework 3
The SESAR Deployment Programme and 2017 CEF Transport Calls Project objectives to cover Family 5. 1. 4 Common PKI and Cyber Security Identify business objectives ü ü Information to be exchanged and business impact if compromised Properties of information to be exchanged International data exchange (e. g. FAA) Trustworthiness on business level Develop overall architecture ü ü Define trust models/structure supporting the identified business objectives Identify minimum requirements for the technical tools and how to use the tools ü Define content of certificates Develop policies / standards / legal framework ü ü Match business objectives and policies with technical solutions Define legal and organizational framework PKI implementation supported by cyber security defenses ü Define minimum cyber security objectives and requirements for Common PKI service(s) ü Define minimum cyber security objectives and requirements for PKI clients Develop guidance material ü ü Develop guidance material to support SWIM Service Provider Develop guidance material to support SWIM Service Consumers
SWIM Common PKI (Family 5. 1. 4) Common Bridge PKI 5
Description/Scope/Objective § The project aims at developing and deploying a common framework for both integrating local PKI deployments in an interoperable manner as well as providing interoperable digital certificates to the users of SWIM. The resulting PKI and its associated trust framework, which will be part of the cyber security infrastructure of aviation systems, are required to sign, emit and maintain digital certificates and revocation lists as required in the family 5. 1. 4. The digital certificates will allow user authentication and encryption/decryption when and where needed in order to ensure that information can be securely transferred. All aviation Stakeholders (ANSPs, Airspace users, MIL, Airport, etc …) will benefit from the project. § The scope of the project includes the definition and development of a dedicated common PKI and its associated trust framework for Europe, its integration and validation with some Stakeholders. It will ensure the interoperability of digital certificates within Europe and with other regions. § The project also aims at preparing the development of the systems needed to operate a PKI and its associated trust framework in order to produce and manage digital certificates, e. g. Certification Authorities, validation services such as OCSP (Online Certificate Status Protocol) or CRL (Certificate Revocation List), user interfaces, systems supporting the Registration Authority and Policy Management Authority roles. These systems will be developed through procurement, for which the project will prepare the Call For Tenders (CFT). SWIM Common PKI and policies & procedures for establishing a Trust framework 6
Tasks for 5. 1. 4 (1/2) 1. Develop the Trust Framework policies and procedures § § § Define the Policy Management Authority (PMA) (Terms Of Reference (To. R), procedures) Develop/approve the initial Certificate Policy/Certification Practices Statement(s) Develop the Membership Agreement Ensure interoperability with others PKIs, e. g. US Federal Bridge Etc. 2. Develop Common PKI specifications (for both development and operations) § § Develop high-level architecture Functional Technical Specifications (including certificates specs) 3. Define the (SWIM) interfaces to the Common PKI § § § Define Users interface Define validation interfaces (e. g. OCSP interface (Online Certificate Status Protocol), CRL interface (Certification Revocation List)) etc. SWIM Common PKI and policies & procedures for establishing a Trust framework 7
Tasks for 5. 1. 4 (2/2) 4. Interface with SWIM Governance Project § Interaction with SWIM governance project deliverables 5. Prepare the material for the potential launch of a CFT (scope still to be defined) § Develop the draft of technical and contractual specifications 6. Prepare all necessary material for operations § § Develop guidance for SWIM service providers Develop guidance for SWIM service consumers 7. Project Management SWIM Common PKI and policies & procedures for establishing a Trust framework 8
TECHNICAL CONTENT SWIM Common PKI and policies & procedures for establishing a Trust framework 9
Common PKI § Designed for ATM and providing ATM specific services : § § Compliant with SWIM PKI requirements as set in SESAR 14. 1. 4 -D 44 -002 (Families 5. 1. 4 & 5. 2. 3) Can be the response to ICAO/AFSG need for a European PKI ATM specific services: support to safety case, DSU Able to comply with US (FAA) PKI § Recommended to have a fully dedicated PKI (producing and managing only those aviation certificates, not shared with other domains) § Governance : Liaise with SWIM governance SWIM Common PKI and policies & procedures for establishing a Trust framework 10
Common PKI and Trust Framework § Common PKI and Trust framework: … not only a PKI § § § Means to ensure interoperability Policies and procedures to establish a Trust framework Cross-certification with at least US (FAA/FBCA) Dedicated Certification Authority platform Day-to-day operations by a contractor Aspects of Service Provision under governance liaising with SWIM governance: § Policy Management Authority & Registration Authority § Root Certification Authority “key” components § Public Key Infrastructure for European ATM Stakeholders: ANSPs, AUs, AOs, … § § § Digital security keys Identification & authentication Encryption if needed Common Bridge PKI 11
Common PKI & Trust Framework: Goals § Enhances the security of ATM information. § § It ensures that the users of services are those who have been authorised. It ensures the identity of services providers. It ensures the identity of information senders. It ensures the identity of information receivers. § Ensures the interoperability of the certificates and the secured exchanges of information § Supports the secure cooperation amongst ATM Stakeholders in the framework of an increasing inter-connection of systems (e. g. AMHS, SWIM) by: § § § Providing a unique service and reference for European ATM identity and authentication management; Providing a mutual and trustworthy recognition of security certificates with other ICAO regions. Facilitates and extends the access and use of identity & authentication services to those ATM Stakeholders not yet using such services. SWIM Common PKI and policies & procedures for establishing a Trust framework 12
Why is a Cybersecurity Trust Framework Needed Cyber-security can not be effectively developed at the lower levels, it needs to start at the top: • Establishing these common and mutually agreed upon methods to protect the aviation community from its cybersecurity risk needs to be centrally established and manage. • Managed aviation cybersecurity through a federated Framework to govern aviation community as a whole through that get integrated into • The various workgroups and programs to ensure global interoperability reducing the overall burden and impacts to the community as a whole • Provide a frame of established common governance documents e. g. business, technical, legal, privacy • This project intends to develop a Trust framework related to Common Bridge PKI. SWIM Common PKI and policies & procedures for establishing a Trust framework
Specific objectives through the Cybersecurity Trust Framework SPECIFICATIONS DEVELOPMENT. Develops common specifications for secure collaboration and information exchange through federation across the aviation community. Establish common methods and solutions that align and enable global interoperability. The specifications fall into these categories: • Secure information exchange • Identity credentials/digital identities and attributes • Federated identity • Information assurance GLOBAL GOVERNANCE. Establishes policy and governance for the aviation community. • Interoperable Identity Federation Trust Framework • Common Operating Rules • Legal Framework & Allocation of Liabilities • Accreditation & Trustmark COMMON BRIDGE. Hosts a Common Bridge for Aviation only Membership that enables secure collaboration between all aviation Stakeholders. SWIM Common PKI and policies & procedures for establishing a Trust framework
Elements of Trust Framework for Common PKI Trust Framework Organization Membership Agreement Operational Trust Framework Multilateral Trust & Operating Agreement Trust Framework Governance Body Trust Framework Provider Identity Providers Common Bridge & Credential Exchange Operator Credential Service Providers Attribute Providers Governance Trust Framework Accreditation Certification & Audit Process Relying Parties Attribute Exchange Service Certificate Policy Criteria & Methodology for Cross-Certification Service Agreement Trust Framework Organization Governance Common Operating Rules Certificate Policy Certification Practice Statement Membership/Participation Governance Documents Trust Framework Governance Documents Technical Specifications
Cross-certification (1/2): What collaboration WITHOUT a cross-certification bridge looks like CA 5 CA 1 CA 4 CA 2 CA 3 SWIM Common PKI and policies & procedures for establishing a Trust framework 16
Cross-certification (2/2): What collaboration WITH a cross-certification bridge looks like Common Bridge (Trust Anchor) CA 1 CA 2 CA 3 CA 4 SWIM Common PKI and policies & procedures for establishing a Trust framework CA 5 17
Common PKI/Bridge/Trust Anchor SWIM Common PKI and policies & procedures for establishing a Trust framework 18
Common PKI: ICAO/AFSG - AMHS SWIM Common PKI and policies & procedures for establishing a Trust framework 19
SWIM Common PKI and policies & procedures for establishing a Trust framework 20
Other Bridges/CAs (e. g. FAA, ICAO in the future) Common Bridge & Root Certification Authority RA Issuing CA-1 (e. g. Non Safety Critical, Special Case) Issuing CA-2 (e. g. Safety Critical) PMA Issuing CA-3 (e. g. Reserve (Safety Critical)) … SWIM Governance Issuing CA-X Root signing Others: Local Applications/users/systems EUROCONTROL PMA: Policy Management Authority RA: Registration Authority Users/ apps/ systems Local RA Local CA Local Applications Local Applications/users/systems Local RA Subscribers: States/ Stakeholders
Deliverables § See excel SWIM Common PKI and policies & procedures for establishing a Trust framework 22
Contribution (see RACI table) SWIM Common PKI and policies & procedures for establishing a Trust framework 23
THANK YOU patrick. mana@eurocontrol. int SWIM Common PKI and policies & procedures for establishing a Trust framework 24
BACK-UP SLIDES enter your presentation title 25
X. 509 Digital certificates § Can be used for: § External exchanges: SWIM and non-SWIM § Interoperability : no more need for cross-certification § Strong authentication § Internal exchanges: § Internal Machine to Machine exchanges § Can replace a Stakeholder “own” PKI SWIM Common PKI and policies & procedures for establishing a Trust framework 26
Public Key Infrastructure SWIM Common PKI and policies & procedures for establishing a Trust framework 27
Cross-certification (1/2) SWIM Common PKI and policies & procedures for establishing a Trust framework 28
Cross-certification (2/2) SWIM Common PKI and policies & procedures for establishing a Trust framework 29
World wide PKI – ICAO trust bridge hierarchy … The dream SWIM Common PKI and policies & procedures for establishing a Trust framework 30
Trust relations in a federated trust model SWIM Common PKI and policies & procedures for establishing a Trust framework 31
World wide PKI - Regional CA's with Cross-certification … the reality to start with SWIM Common PKI and policies & procedures for establishing a Trust framework 32
Regional cross-certificate trust model SWIM Common PKI and policies & procedures for establishing a Trust framework 33