Derived credentials. NIST SP 800-63-1 ( 5.3.5) provides for long term derived credentials



Similar documents
Trust Elevation Using Risk-Based Multifactor Authentication. Cathy Tilton

The Convergence of IT Security and Physical Access Control

Biometrics in Identity as a Service

The Convergence of IT Security and Physical Access Control

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

CoSign by ARX for PIV Cards

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

Audio: This overview module contains an introduction, five lessons, and a conclusion.

solutions Biometrics integration

HSPD-12 Implementation Architecture Working Group Concept Overview. Version 1.0 March 17, 2006

Office of the Chief Information Officer Department of Energy Identity, Credential, and Access Management (ICAM)

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form. December 3, 2012

Moving to Multi-factor Authentication. Kevin Unthank

SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT

Deriving a Trusted Mobile Identity from an Existing Credential

NOAA HSPD-12 PIV-II Implementation October 23, Who is responsible for implementation of HSPD-12 PIV-II?

Justice Management Division

US Security Directive FIPS 201

Announcing Approval of Federal Information Processing Standard (FIPS) Publication 201-2,

An Operational Architecture for Federated Identity Management

NC CJIN Governing Board. 13 October, George A. White

NIST s FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Masaryk University in Brno Faculty of Informatics

Understanding the differences in PIV, PIV-I, PIV-C August 23, 2010

Smart Card Setup Guide

DEPARTMENTAL REGULATION

Strong Authentication for PIV and PIV-I using PKI and Biometrics

Required changes to Table 6 2 in FIPS 201

Identity and Access Management Initiatives in the United States Government

Executive Summary P 1. ActivIdentity

STATEMENT OF WORK. For

GOVERNMENT USE OF MOBILE TECHNOLOGY

Multi-Factor Authentication for your Analytics Implementation. Siamak Ziraknejad VP, Product Management

Information Technology Policy

WHITEPAPER SECUREAUTH AND CAC HSPD-12 AUTHENTICATION TO WEB, NETWORK, AND CLOUD RESOURCES

SAML for EPCS (Electronic Prescription of Controlled Substances)

The Government-wide Implementation of Biometrics for HSPD-12

I N F O R M A T I O N S E C U R I T Y

No additional requirements to use the PIV I card for physical facility access have been identified.

VASCO: Compliant Digital Identity Protection for Healthcare

Your privacy and the safety of your accounts and information is our top priority, which is why we ve added extra security to our mobile services.

2. APPLICABILITY AND SCOPE

U.S. Department of Agriculture HSPD 12 Program. USDA HSPD-12 Implementing PIV USDA

SecurityManager. Enterprise Personnel & Physical Security Case Management Solution for Federal Agencies

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

GSA FIPS 201 Evaluation Program

Integration of Access Security with Cloud- Based Credentialing Services

I N F O R M A T I O N S E C U R I T Y

MAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013

For Official Use Only (FOUO)

Practical Challenges in Adopting PIV/PIV-I

Smart Cards and Biometrics in Physical Access Control Systems

GAO PERSONAL ID VERIFICATION. Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards

ADDING STRONGER AUTHENTICATION for VPN Access Control

Who s There? A Methodology for Selecting Authentication Credentials. VA-SCAN October 5, 2009 Mary Dunker dunker@vt.edu

FOUR PILLARS FOR A SUCCESSFUL PIV ECOSYSTEM

1. The human guard at the access control entry point determines whether the PIV Card appears to be genuine and has not been altered in any way.

PROTECT YOUR WORLD. Identity Management Solutions and Services

HSPD-12 Homeland Security Presidential Directive #12 Overview

Ericsson Mobile digital identity

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

Exchanging Medical Records Online with Direct

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

Implementing Federal Personal Identity Verification for VMware View. By Bryan Salek, Federal Desktop Systems Engineer, VMware

Identity & Privacy Protection

Using FIPS 201 and the PIV Card for the Corporate Enterprise

Rich Furr Head, Global Regulatory Affairs and Chief Compliance Officer, SAFE-BioPharma Association. SAFE-BioPharma Association

OpenID & Strong Authentication

Government Compliance Document FIPS 201, FIPS 197, FIPS 140-2

ARC Outreach on HSPD 12 and Mandatory Use of ODIN

Authentication, Authorization, and Audit Design Pattern: Internal User Identity Authentication

Glossary of Key Terms

Federal Identity, Credential, and Access Management Trust Framework Solutions. Relying Party Guidance For Accepting Externally-Issued Credentials

SIGNIFICANT CHANGES DOCUMENT

Schlumberger PKI /Corporate Badge Deployment. Neville Pattinson Director of Business Development & Technology IT & Public Sector

Mobile Driver s License Solution

NACCU Migrating to Contactless:

Architecture for Issuing DoD Mobile Derived Credentials. David A. Sowers. Master of Science In Computer Engineering

Introduction to SAML

Department of Defense PKI Use Case/Experiences

Identity, Credential, and Access Management. Open Solutions for Open Government

2013 AWS Worldwide Public Sector Summit Washington, D.C.

Improving Online Security with Strong, Personalized User Authentication

Department of Veteran Affairs VA HANDBOOK 6510 VA IDENTITY AND ACCESS MANAGEMENT

Biometrics and National Strategy for Trusted Identities in Cyberspace Improving the Security of the Identity Ecosystem September 19

NCSU SSO. Case Study

These Frequently Asked Questions include information about both the Remote Identity Proofing (RIDP) and

Alternative authentication what does it really provide?

Status: Final. Form Date: 30-SEP-13. Question 1: OPDIV Question 1 Answer: OS

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

NIST Test Personal Identity Verification (PIV) Cards

Transcription:

Daon your trusted Identity Partner Derived Credentials A Use Case Cathy Tilton Daon 1 February 2012 Derived credentials NIST SP 800-63-1 ( 5.3.5) provides for long term derived credentials Derived credential can satisfy UP TO the level of the original credential (assuming other provisions of SP 800-63-1 are met for that level) Verification of the original credential satisfies identity proofing requirements. For Level 4, binding must be done in person + biometric validation required. Revocation status(es) may be optionally tightly bound. 2

Use Case - USDA USDA has many people out in the field. They want to use the HSPD-12 cards or a derived credential to authenticate access to USDA systems, but don t have an infrastructure in place to read the cards or fingerprints. These people are mobile (inspectors, etc.), and they would like to extend their systems to the field via mobile devices. They need a solution that doesn t require an investment in infrastructure, that would provide LOA3 access. 3 Use Case - DoD A member of the forces registers his mobile phone as a credential derived from his CAC card. The phone cannot be used to access any LoA4 or higher services, but while in the field, the member of the forces can get access to critical logistical information that ensures that his operation runs smoothly, even when he is removed from land-based internet access. In addition, there is an application that runs right on his smart phone to access this logistical information - he can access this application and authenticate using his smart phone using only the widely-available cellular telephone data connections A DOD employee is in the field in a foreign location and needs to validate the folks they are dealing with are folks they are authorized to conduct business with. Using their portable device and the derived credential from their PIV, they call to validate the terms of the transaction and the authorized recipient of the goods or services. 4

Use Case - CMS A CMS employee with a PIV card realizes that they will be travelling for the next two weeks with no access to dedicated workstations with PIV card readers. She will need access to patient record maintenance services at CMS that require some form of LoA 3 authentication. She will have her mobile phone with her, as well as access to internet cafes. She enrolls her smartphone as a derived credential for authentication purposes whenever she accesses the patient record maintenance services. 5 Use Case - CMS Although not required, she notifies CMS in advance that she will be using the derived credential, so that their centralized Identity Management system can flow down the information to the business unit in CMS responsible for the patient record maintenance service - this action automatically registers the derived credential for use as the primary authentication mechanism during the request period, for access to services requiring LoA3 or below authentication. 6

Use Case - CBP A CBP employee is in the field near the border and needs to call up an application to deal with a person suspected of trying to enter the country illegally. Using their smartphone based derived credential as an alternative, but tied to their PIV, they access the app on their portable device to obtain and enter information and deal with the individual. 7 Use Case - GSA GSA has plans to create an MVNO (Mobile Virtual Network Operator), where a contractor (or set of contractors) creates a virtual mobile network from all the carriers mobile network offerings. This MVNO would address requirements around government only access, and on-campus only access to the network and internal government systems. They want to derive a credential that uses the mobile device as an authentication device based on the employee s/contractor s PIV card to access the network and even to authenticate to systems and physical gates and doors for access. 8

Use Case - GSA How this would work The user: 1)Authenticates to the campus (MVNO) network before entering the building via their smartphone based derived credential; - This sets a short-time-use code on the NFC chip on the phone; 2)Approaches the door and/or gate and swipes the phone to gain physical access; 3)Once inside the building, requests access to a system (usually using SSO); - The system requests authentication using the same derived credential and, upon successful authentication, allows them access to the system. 9 Identity Management Challenges Security Protecting data at rest and in transit Users managing multiple identities and passwords Termination of entitlements Inconsistent policy enforcement Compliance management E Gov Act 2002, HSPD 12, FISMA, FIPS 201, HIPAA, PHI, CFATS, NERC CIP, EU DPD, JPIPL, etc. Knowing who has access to what, proving it, enforcing it, and monitoring it Segregation of duties to prevent abuses Creating and managing internal and external user identities Business enablement Need for access to information by external users Interoperability with agencies, partners, and citizens Streamlined user experience and enhanced productivity

The Future of Identity & Digital Interaction We are at the pivotal intersection of two fundamental & global paradigm shifts 1. The move to digital interactions Has been occurring since the web went mainstream Social networking leading to greater online presence Identity fraud rates are high and growing Current methods (PINs/Passphrase based) are woefully inadequate, alternatives are extremely expensive 2. The emerging ubiquity of connected mobile computing devices (e.g. smart phones) Massive consumer adoption Always connected, managed computing platform in your hands at all times Greater utility beyond handset Universal IdentityTrust! 11 For purpose of discussion only Assume the following derived credential: Identity is A unique risk-based, multi-factor authentication capability that leverages latest generation smart phones (e.g., iphone, Blackberry, Android), smart tablets (e.g., iphone/playbook) and traditional mobile devices Identity technology combines multiple authentication techniques for greatest identity confidence: Voice (Who you are) Device (What you have) Palm (Who you are) PKI (What you have) GPS (Where you are) PIN (What you know) (other as devices become enabled) Face (Who you are) Placing biometric levels of identity assurance in the hands of consumers 12

Registration process PIV Enrollment / Issuance Enrollment / Registration Derived Credential Validate Card/User Validate Phone/User Secure Store Notes: 1) Assumes user has already enrolled in ; however, such enrollment could also occur at time of binding. 2) may be performed online or in-person (attended). Derived credential binding PIV Card User Fingerprint Template Card Client PIV System CRL or OCSP Response Authority PIN Fingerprint Computer or Terminal with Card Reader/Fingerprint Device Secure Identity Store Identity Data Mobile Device Identifier Request / Response Mobile s/shared Keys SRP Mobile Device

Application binding CSSO controls access User Relying System(s) Authority PC Client, Browser, or Mobile App Request/Response Unique Identifier Request / Result SRP Cert Validity Request / Response CRL or OCSP Response PIV System Mobile Device with App Identity Data Secure Identity Store Operational usage User Access or other Transaction Request Relying System(s) Authority PC Client, Browser, or Mobile App Request / Result CRL or OCSP Response Request / Response SRP Cert Validity Request / Response (Optional) PIV System Mobile Device with App Identity Data Secure Identity Store

Configuration Secure Access Anytime Anywhere Web Workstation Mobile Transaction Validation Requests and Results CAC/HSPD-12 Card Benefits: Interoperable Agency Validation Continuous Vetting Outcomes (CRL) Card Client Facility Access Card Info Card Identifier, User Name and Access Request PIV System Card Identifier, User Name and Digital Virtual Identity Store Daon Repository CRL or OCSP Responder User Name User Name User Name Directory Services Single Sign On (SSO) EnterpriseAccessManager (EAM) Periodic Validity Check HR Mission System A Mission System B ConfidentID Mobile Biometric Store Transaction Validation Requests and Results Benefits: Significantly Reduced/Zero Infrastructure Costs Future Proofing Policy Based Levels Secure Access, Anytime, Anywhere The Key Challenge: Bridging the Gap between Security and Convenience Goal Trust, Security, Customer Service 18

User preferences are important Biometrics is the most preferred additional form of authentication for US online banking users 19 The role of risk assessment Not every problem is a Level 4 problem Level Confidence in Asserted Identity s Validity 1 Little or none 2 Some 3 High 4 Very High 20

Contact Info: Catherine Tilton VP, Stds & Tech, Daon 11955 Freedom Dr, Suite 16000 Reston, VA 20190 703-984-4080 cathy.tilton@daon.com 21

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information