HSPD-12 Implementation Architecture Working Group Concept Overview. Version 1.0 March 17, 2006



Similar documents
GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

NOAA HSPD-12 PIV-II Implementation October 23, Who is responsible for implementation of HSPD-12 PIV-II?

Issuance and use of PIV at FAA

The Implementation of Homeland Security Presidential Directive 12

NSF AuthentX Identity Management System (IDMS) Privacy Impact Assessment. Version: 1.1 Date: 12/04/2006. National Science Foundation

U.S. Department of Agriculture HSPD 12 Program. USDA HSPD-12 Implementing PIV USDA

Justice Management Division

What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form. December 3, 2012

The Convergence of IT Security and Physical Access Control

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

1. The human guard at the access control entry point determines whether the PIV Card appears to be genuine and has not been altered in any way.

Life After PIV. Authentication In Federated Spaces. Presented to. Card Tech/Secure Tech. May By Lynne Prince Defense Manpower Data Center

An Operational Architecture for Federated Identity Management

NIST s FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Masaryk University in Brno Faculty of Informatics

Audio: This overview module contains an introduction, five lessons, and a conclusion.

GSA FIPS 201 Evaluation Program

Single Sign-On. Security and comfort can be friend. Arnd Langguth. September, 2006

Announcing Approval of Federal Information Processing Standard (FIPS) Publication 201-2,

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

The Government-wide Implementation of Biometrics for HSPD-12

NEIS HELP DESK FAQS. HSPD-12 Policy/Business Process. General HSPD-12 FAQs can be found online at:

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

DEPARTMENT OF DEFENSE GUIDEBOOK FOR CAC-ELIGIBLE CONTRACTORS FOR UNCLASSIFIED NETWORK ACCESS

DEPARTMENTAL REGULATION

The Convergence of IT Security and Physical Access Control

For Official Use Only (FOUO)

Page 1. Smart Card Applications. Lecture 7: Prof. Sead Muftic Matei Ciobanu Morogan. Lecture 7 : Lecture 7 : Smart Card Applications

MAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013

U.S. Department of Housing and Urban Development

Deriving a Trusted Mobile Identity from an Existing Credential

Federal Identity Management Handbook

Privacy Impact Assessment of. Personal Identity Verification Program

U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment

Expiring Certificates on LincPass Cards

HSPD-12 Homeland Security Presidential Directive #12 Overview

Department of Defense INSTRUCTION

SecurityManager. Enterprise Personnel & Physical Security Case Management Solution for Federal Agencies

Information Technology Policy

Emergency Response Official Credentials A Smart Card Alliance White Paper. Salvatore D Agostino CEO, IDmachines LLC sal@idmachines.

DRAFT Pan Canadian Identity Management Steering Committee March 1, 2010

Derived credentials. NIST SP ( 5.3.5) provides for long term derived credentials

FOUR PILLARS FOR A SUCCESSFUL PIV ECOSYSTEM

How to Use Your LincPass Credential

solutions Biometrics integration

Executive Summary P 1. ActivIdentity

Status: Final. Form Date: 30-SEP-13. Question 1: OPDIV Question 1 Answer: OS

Understanding the differences in PIV, PIV-I, PIV-C August 23, 2010

IDaaS: Managed Credentials for Local & State Emergency Responders

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

US Security Directive FIPS 201

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

Personal Identity Verification (PIV) of Federal Employees and Contractors

Enrolling with PIV and PIV-I Velocity Enrollment Manager

GAO PERSONAL ID VERIFICATION. Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards

Reclamation Manual Directives and Standards

Personal Identity Verification

E X E C U T I V E O F F I CE O F T H E P R E S I D EN T

Personal Identity Verification (PIV) of Federal Employees and Contractors

Strong Authentication for PIV and PIV-I using PKI and Biometrics

Office of the Chief Information Officer Department of Energy Identity, Credential, and Access Management (ICAM)

Smart Cards and Biometrics in Physical Access Control Systems

I N F O R M A T I O N S E C U R I T Y

Moving to Multi-factor Authentication. Kevin Unthank

Implementing Federal Personal Identity Verification for VMware View. By Bryan Salek, Federal Desktop Systems Engineer, VMware

Deploying Smart Cards in Your Enterprise

SYMANTEC NON-FEDERAL SHARED SERVICE PROVIDER PKI SERVICE DESCRIPTION

Personal Identity Verification (PIV) of Federal Employees and Contractors DRAFT

GSI Credential Management with MyProxy

e-authentication guidelines for esign- Online Electronic Signature Service

Agency to System Infrastructure Provider Interface Specification

NASA PIV smartcards at Headquarters Frequently Asked Questions (FAQ s)

FEDERAL IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT AND PERSONAL IDENTITY VERIFICATION (PIV) SOLUTIONS

Using FICAM as a model for TSCP Best Prac:ces in Physical Iden:ty and Access Management. TSCP Symposium November 2013

Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ)

Personal Identity Verification (PIV) of Federal Employees and Contractors

intertrax Suite intertrax exchange intertrax monitor intertrax connect intertrax PIV manager User Guide Version

I N F O R M A T I O N S E C U R I T Y

Federal Identity, Credentialing, and Access Management. Personal Identity Verification Interoperable (PIV-I) Test Plan. Version 1.1.

GoldKey Software. User s Manual. Revision WideBand Corporation Copyright WideBand Corporation. All Rights Reserved.

Practical Challenges in Adopting PIV/PIV-I

Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009

Using FIPS 201 and the PIV Card for the Corporate Enterprise

Identity and Access Management Initiatives in the United States Government

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

U.S. Department of Energy Washington, D.C.

Identity, Credential, and Access Management. An information exchange For Information Security and Privacy Advisory Board

PIV Scheduler Tool. Screen Shots from May 1, :00am Eastern

Identity - Privacy - Security

Microsoft Windows Server 2003 Integration Guide

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

USAccess System- Registrar. Help Guide. Prepared for

Government Compliance Document FIPS 201, FIPS 197, FIPS 140-2

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Department of Defense MANUAL

CoSign by ARX for PIV Cards

Transcription:

HSPD-12 Implementation Architecture Working Group Concept Overview Version 1.0 March 17, 2006

Table of Contents 1 PIV Lifecycle... 3 2 High Level Component Interaction Diagram... 4 3 PIV Infrastructure Components... 5 3.1 PIV Enrollment Service Providers... 5 3.2 PIV Systems Infrastructure Providers... 5 3.3 PIV Production Service Providers... 6 3.4 PIV Finalization Service Providers... 6 3.5 FPKI SSP... 7 2

1 PIV Lifecycle Figure 1 shows the stages in the PIV lifecycle. It begins with an agency deciding to sponsor an applicant, which establishes an affiliation with the agency and the need for a credential under agency policies. Once applicant affiliation and eligibility is determined, the applicant begins enrollment, providing proof of identity to an enrollment official who takes a picture and fingerprints. After enrollment, the Office of Personnel Management (OPM) checks suitability. At a minimum, OPM checks the fingerprints against the national criminal history database (via the Federal Bureau of Investigation). Once an agency official successfully adjudicates the results, card production begins. This model divides card production into two steps to allow card instantiation and surface printing to be done by a service provider with sophisticated printers. After applicant biometric verification, card personalization is finalized. The agency then provides a ready to use card to the applicant. Once the cardholder possesses a usable card, cardholder use and maintenance cases follow. Detailed systems use cases for each stage depend on agency infrastructure choices (i.e., which shared components are used). Figure 1: Organization of Use Cases Affiliation (Sponsorship) Enrollment Agencies determine applicant should begin enrollment. Includes contractor and personnel sponsorship, and affiliation maintenance activities. Applicant provides I-9 proof of identity, fingerprints and picture are captured. Background Checks Applicant fingerprints are provided to OPM for background checks. Adjudication must complete before card production begins. Production Smart card is manufactured, printed, and pre-personalized. Finalization Final card personalization and activation is performed, and card is provided to applicant ready to use. (PIV Issuance) holder Use is used for logical and physical access to remote and local resources, and for encrypted and signed electronic messaging. PIV Maintenance Post-issuance maintenance activities such as PIN reset, certificate updates, revocation, and renewal, suspension, updates, temporary access for forgotten cards, and end of lifecycle processing. 3

2 High Level Component Interaction Diagram Figure 2 shows how the shared components interact for the affiliation, enrollment, suitability, card production, and card finalization use cases 1. The diagram depicts an agency that has outsourced all functions to shared components. However, agencies may elect to perform some functions on their own. For example, and agency with a deployed Management System (CMS) may elect not to use a PIV Systems Infrastructure Provider (SIP), but could still leverage the other shared components by using their standardized interfaces. In addition, existing agency enrollment stations could act as the PIV Enrollment Service Provider (ESP) for some locations, using the standardized interfaces to interact with the other shared components. Figure 2: Component Interaction First, the issuing agency provides affiliation (sponsorship) feeds, adjudication results, and revocation requests to the SIP. The SIP provides reports back to the agency. Adjudicator Personnel COTR Results Issuing Agency s Third, the SIP sends fingerprint data collected from the ESP to OPM for suitability checks, and results are sent to the agency. OPM FBI Second, the ESP retrieves applicant data from the SIP, enrolls the applicant, and sends enrollment data back to the SIP. Agency affiliation, adjudication, and revocation data Fourth, after agency adjudication the PSP accepts cardholder information from the SIP needed to print the card. When card printing is completed card data is returned to the SIP, including which chip ID was used for this applicant. The card is then locked with a transport key and shipped to the designated FSP. Camera Camera Document Reader Document Reader Enrollment Enrollment Service Enrollment Enrollment Service Officer Provider Officer Provider Enrollment Data Helpdesk Operations Security Helpdesk Operations Security Systems Systems Infrastructure Infrastructure IDMS CMS Provider IDMS CMS Provider Data CMS Inventory CMS Printing Inventory Printing Production Production Distribution Service Provider Distribution Service Provider PACS Agency / LACS PACS / LACS Signed Objects Printed and Pre-Personalized s Sixth, the certificate could be requested and loaded at the FSP, if desired. CRL Key Mgt. CRL Key Mgt. FPKI SSP FPKI SSP Reader Reader Finalization Finalization Officer Officer Finalization Service Finalization Service Provider Provider Fifth, the FSP matches the applicant biometric, and then uses the SIP CMS to unlock the card, load the signed objects, and finalize the configuration. The card leaves the FSP ready to use. This step is often referred to as issuance because it is the last step in issuance process. 1 Not all interactions described in section 3 are displayed for readability. 4

3 PIV Infrastructure Components The following sections provide more description for the shared components shown in Section Three. The Component descriptions below assume an agency elected to outsource all functions. Agencies may elect to perform some or all of the functions within this model on their own; however, the same functions are applicable regardless of the strategy chosen. Future stages of this effort will define interface specifications among the components, including encryption and strong authentication. 3.1 PIV Enrollment Service Providers PIV Enrollment Service Providers (ESPs) provide local presence (i.e., at agency sites) for enrollment of applicants. PIV ESPs are used after agency affiliation has been determined. PIV ESPs enroll applicants only when authorized by agencies. The PIV ESP performs the following functions: 1. Identity Proofing according to FIPS 201 standards, I-9 documentation; and 2. Capture of biometric sample, including picture and 10-slap fingerprints. 1. The PIV ESPs retrieve applicant information from the SIP, including authorization to enroll; and 2. The PIV ESPs send all enrollment data back to the SIP for further processing. 3.2 PIV Systems Infrastructure Providers PIV Systems Infrastructure Providers (SIPs) provide the software functionality required to manage PIV credentials. Specifically, PIV SIPs build, host, and operate software that provides agencies with critical Identity Management System (IDMS) and Management System (CMS) functionality. In this context, PIV SIPS act as Application Service Providers (ASPs). The PIV SIP performs the following functions on behalf of agencies: 1. All CMS functionality; 2. Tracking PIV credential state from affiliation, enrollment, suitability, production, finalization, and maintenance; 3. Interfacing with agency systems (e.g. HR, PACS and LACS) and other shared components through standard interfaces; and 4. Auditing, Logging, and Accounting of transactions. 1. The PIV SIP accepts affiliation data from agency systems (e.g., personnel systems, contractor registries); 2. The PIV SIP accepts enrollment data from agency enrollment stations and/or PIV ESPs, and transmits applicant information to the stations; 5

3. The PIV SIP sends fingerprints to OPM services for criminal history checks; 4. The PIV SIP accepts adjudication results from agency adjudicators, including authorization to begin production; 5. The PIV SIP sends cardholder information to agency card printing stations or PIV PSPs; 6. The PIV SIP accepts the chip ID used for each used for each cardholder from the PSP; and 7. The PIV SIP sends signed objects to the FSP for card insertion. 3.3 PIV Production Service Providers PIV Production Service providers (PSPs) produce and personalize PIV smart cards. Personalization is limited to surface printing and electrical pre-personalization (i.e., load and instantiate). The PIV PSP locks the cards with a transport key and ships them to an agencydesignated location for finalization. This finalization is often referred to as issuance, but it is really just the last step in the issuance process. The PIV PSP performs the following functions: 1. production; 2. surface personalization (i.e., cardholder data and agency template); and 3. Electrical pre-personalization (i.e., load and instantiate applets and containers). 1. The agency provides card print specifications, including visual security features; 2. The agency and PIV PSP share a transport key used during card shipment; 3. The FSP sends cardholder information needed to print individual cards; 4. The SIP designates a location to deliver the cards after production; 5. The PIV PSP sends the chip identifier (id) used for each cardholder to the SIP; and 6. The PIV PSP ships the card to the agency-designated location (FSP) locked with the transport key. 3.4 PIV Finalization Service Providers PIV Finalization Service Providers (PIV FSPs) provide local presence to finalize personalization of the cards and complete issuance to the applicant. In practice, FSP operations may be managed by the same organization which handles ESP operations for an agency. The FSP will perform the following functions: 1. Verify applicant biometric; 2. Unlock the card (the card is locked during shipment with a transport key); 3. Initialize the card into the Agency CMS; 4. Load signed objects onto the card; and 5. allow for PIN selection by the verified cardholder. 1. The PIV FSP is be shipped the physical card; 6

2. The PIV FSP uses the SIP CMS to unlock the card; 3. The PIV FSP uses the SIP CMS to load signed objects onto the card based on the association of the cardholder to the chip confirmed by the biometric match; and 4. The PIV FSP uses the SIP CMS to allow setting of the PIN. 3.5 FPKI SSP The Federal PKI has already established the Shared Service Provider (SSP) program for PKI related services. More information is available at http://www.cio.gov/fpkipa/. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information