Government Smart Card Interagency Advisory Board Moving to SHA-2: Overview and Treasury Activities October 27, 2010




Interagency Advisory Board Meeting Agenda, October 27, 2010
1. Opening Remarks
2. A Discussion on the Implementation of Treasury's SHA-256 (Mike Cockrell and Darren Kiel, Treasury HSPD-12 / IdAM PMO)
3. The Relationship of Fair Information Practice Principles to Identity and Credentialing Programs (Helen Foster, DHS and Naomi Lefkovitz, FTC)
4. The Impact of Identity Theft (Anne Wallace, Identity Theft Assistance Corporation)
5. A Discussion on the Improvements to FPKI Infrastructure (Judy Spencer, GSA and Chris Louden, Protiviti)
6. Closing Remarks

Moving to SHA-2: Today's Agenda
1. Introduction: Treasury HSPD-12 high-level solution architecture
2. SHA-2 overview: drivers, requirements and impact
3. Treasury activities: Treasury's SHA-2 migration plan
4. Audience engagement: participation and feedback from you

Moving to SHA-2: Introduction
Treasury HSPD-12 high-level solution architecture
- Treasury continues to work with GSA to ensure SHA-2 compliance on Treasury PIV cards
- Treasury production migration: November 7
- GSA production migration: early-mid December

Moving to SHA-2: Overview
The need to migrate to SHA-2
- Weaknesses recently discovered in SHA-1 dramatically lower its practical security strength below 80 bits, to the point where it is theoretically possible to produce a collision.
- This in turn puts trust at risk for Federal PIV-reliant applications. Examples:
  - Someone is authenticating to my network environment as me
  - Someone authored this document, but it wasn't me
  - My application trusts a PIV certificate signed by a rogue CA because it looks trustworthy

Moving to SHA-2: Overview
SHA-2 requirements and recommendations
- To mitigate this risk, the Federal community is migrating to SHA-2, which employs up to 256 bits of security and strengthens the PIV PKI trust model.
- The Federal community has published various documents reflecting the need to move to SHA-2, particularly as it pertains to digital signatures, by the end of 2010:
  - NIST SP 800-57, Recommendation for Key Management. http://csrc.nist.gov/publications/pubssps.html
  - NIST SP 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV). http://csrc.nist.gov/publications/pubssps.html
  - DRAFT NIST SP 800-131, Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes. http://csrc.nist.gov/publications/pubsdrafts.html
  - NIST's Policy on Hash Functions. http://csrc.nist.gov/groups/st/hash/policy.html
  - Federal Common Policy. http://www.idmanagement.gov/fpkipa/

Moving to SHA-2: Overview
Impact to PIV card usage
- Not all PIV-reliant solutions support SHA-2.
  - According to Microsoft, Windows Vista, Windows 7 and Server 2008/2008 R2 provide full SHA-2 support.
  - Windows XP SP3 and Server 2003 SP2, with hotfixes applied, provide limited support, though they are incapable of generating new hashes based on SHA-2. http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx
  - Other PIV-reliant solutions vary in SHA-2 capability.
- Sources for determining solution interoperability:
  - Vendor material, such as product documentation and administrator guides
  - FPKI SHA-256 Tracking Spreadsheet (via the SHA-256 WG mailing list)
  - NIST material, such as the Secure Hash Standard Validation List, a list of products that have been validated for SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. http://csrc.nist.gov/groups/stm/cavp/documents/shs/shaval.htm
  - Test results

Moving to SHA-2: Overview
Federal recommendations for SHA-256 readiness
Recommendations from the Federal PKI Policy Authority (source: FPKI SHA-256 Memorandum, October 07, 2010):
- Inventory existing PK-enabled applications that use certificates for authentication, digital signature and/or encryption.
- Determine which applications are at risk by verifying COTS SHA-256 support and minimum required versions.
- Request SHA-256 signed test CA certificates from the FICAM SHA-256 Test Infrastructure (email: wendy.brown@pgs.protiviti.com) or through the GSA/USAccess Program (email: stephen.duncan@gsa.gov).
- Create a SHA-256 test plan, testing three fundamental capabilities:
  - Capability to accept SHA-256 signed PIV certificates and CRLs
  - Capability to process SHA-256 signed data
  - Capability to produce SHA-256 signatures
- Report test results to https://www.idmanagement.gov/fpkipa/sha2 (contact FPKI.Webmaster@gsa.gov for a username/password).
- Contact FPKI.Webmaster@gsa.gov to obtain further SHA-256 information or to participate in the SHA-256 dialog.
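The inventory step above starts with knowing which certificates are still SHA-1 signed. The following is an added example, not part of the IAB deck or any Treasury or FPKI tool: a stdlib-only Python helper that reads the outer signatureAlgorithm of a DER-encoded X.509 certificate and reports whether the signature hash is SHA-1 or SHA-256. The sample certificates it builds are constructed stand-ins (empty TBSCertificate, empty signature), not real PIV certificates.

```python
import binascii

# Signature-algorithm OIDs (dotted form) and the hash family each one uses.
SIG_HASH = {
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.10045.4.1": "SHA-1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
}

def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, content, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length (content >= 128 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                # high bit clear: last octet of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_hash(der):
    """Return the hash family used by the outer signature of a DER Certificate."""
    tag, cert, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _tlv(cert)              # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)      # signatureAlgorithm (AlgorithmIdentifier)
    tag, oid, _ = _tlv(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = _oid(oid)
    return SIG_HASH.get(dotted, "unknown (" + dotted + ")")

def _der(tag, content):
    """Minimal DER encoder (short-form lengths only), used to build samples."""
    return bytes([tag, len(content)]) + content

def sample_cert(oid_hex):
    """Constructed stand-in certificate: empty TBS, the given OID, empty signature."""
    alg = _der(0x30, _der(0x06, binascii.unhexlify(oid_hex)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))
```

On a real certificate the same function reads the outer signatureAlgorithm field; for a PEM file, strip the BEGIN/END lines and base64-decode the body before calling it.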

Moving to SHA-2: Treasury Activities
Treasury PKI SHA-2 migration plan
- Phase 1 - Test Card Acquisition: Treasury Bureaus acquired test cards and device certificates issued with SHA-2.
- Phase 2 - Application Testing: Bureaus test applications against the development environment.
  - Periodic, temporary transition of the development PKI environment is necessary.
  - Bureaus have further opportunities to obtain SHA-2 PIV cards and device certificates.
- Phase 3 - Development Transition: The development PKI environment permanently transitions to SHA-2. This includes all Treasury-issued certificates and validity data.
  - Development CA certificates are also re-keyed to reflect SHA-2.
  - Treasury is currently in this phase.
- Phase 4 - Production Transition: The production PKI environment permanently transitions to SHA-2. This includes all Treasury-issued certificates and validity data.
  - Production CA certificates are also re-keyed to reflect SHA-2.
  - Other activities, such as Federal Bridge re-certification, may occur at this time.
  - Bureaus do not need to re-key cards previously issued with SHA-1.

Moving to SHA-2: Audience Engagement
- Has your organization started using SHA-2 already, and if so, what were your biggest lessons learned? Examples:
  - Issue PIV/PKI certificates and validity data with SHA-2
  - Domain authentication using a SHA-2 PIV card
  - Remote access using a SHA-2 PIV card
  - Sign and validate SHA-2 secure email
- What are some of the biggest challenges in preparing for SHA-2 that your organization has discovered?
- Does your organization have remaining SHA-2 issues to address prior to the end of the year?