Issa fi xs briefing

Transcript of Issa fi xs briefing

Page 1: Issa fi xs briefing

Federated Access Identity & Privacy Protection

Presented at:

Information Systems Security Association-Northern Virginia (ISSA-NOVA) Chapter Meeting

Presented by:

Daniel E. Turissini

Board Member, Federation for Identity and Cross-Credentialing Systems (FiXs)

http://www.FiXs.org

January 20, 2011

Page 2: Issa fi xs briefing

The Federation for Identity & Cross-Credentialing Systems (FiXs)

•  A 501(c)6 not-for-profit trade association formed in 2004 in collaboration with the DoD to provide secure and inter-operable use of identity credentials between and among government entities & industry

•  A coalition of diverse companies/organizations supporting development & implementation of inter-operable identity cross-credentialing standards and systems

•  Members include: government contractors, technology companies, major financial firms, not-for-profit organizations, DoD, GSA, state governments, etc.

Page 3: Issa fi xs briefing

Federated Identity Solution

•  Federated identity provides a strong, biometrically enabled electronic identity credential that can be readily electronically validated by any Federal logical/physical access point, allowing the decision maker or database to make a local, specific privilege and/or authorized ACCESS decision confident in:
  –  the identity of the person attempting access;
  –  the identity of the device attempting access;
  –  the identity of the vetted organization that they represent;
  –  that the organization and the individual have a legal relationship to do business with the federal government; and
  –  that the individual has been vetted in person and has undergone a background investigation consistent with defined levels.

The credential assures you are who you say you are; Commanders confirm what the holder is permitted to access!

Page 4: Issa fi xs briefing

The Foundation

•  In January 2006 (updated February 2009) FiXs entered into a formal Memorandum of Understanding (MOU) with the DoD that established the terms & conditions under which FiXs & DoD use their respective systems as part of an identity suite of systems:
  –  https://www.dmdc.osd.mil/dmdcomn/owa/DMDC.FEDPIIPS

•  The terms and conditions include:
  –  Operational framework for inter-operability between DoD & FiXs
  –  Specific operational responsibilities
  –  Governance structure

•  Authority To Operate Granted by DMDC

•  Strong Certification & Accreditation Processes

Documentation available online at: http://www.fixs.org/library

Page 5: Issa fi xs briefing

Federated Access

[Diagram: the three parties in a federated access decision]
  –  DoD Application Relying Parties (Access Rules): Strong Access Control, Local Access Decisions
  –  Trusted Third Parties [External Certificate Authorities (ECA) / PIV-I]: Strong Identity
  –  Subscribers (Credential Holders)

Strong credentials with biometrics consistent with federal standards are essential to successful access control.

Page 6: Issa fi xs briefing

TESTED, SPOT – FiXs Inter-operability Pilot

•  Successful assessment of the feasibility of using commercially issued credentials that adhere to FiXs-certified standards to “feed” the SPOT database

•  Issue FiXs-certified credentials to 3,000 contractor personnel

•  Credentials authenticated across a secure network against federated data stores

•  Included “cleared” personnel, non-cleared personnel, first responders, and other entities that interact with Army Materiel Command

•  Monitor utilization, increases in productivity, & security profile

•  Provided strategic assessment for future activities

Page 7: Issa fi xs briefing

FiXs – Chain of Trust

Page 8: Issa fi xs briefing

FiXs - Certified Credentials

[Card images: a DoD CAC beside a FiXs credential]
  –  2D barcode, 1D barcode & mag-stripe on back
  –  2 RFID antennae
  –  Clear contractor markings

RFID, barcodes, PIV applet and certificate provide Issuer ID, Sponsor ID, Employee ID & other data, processed via network

Page 9: Issa fi xs briefing

Robust Validation Infrastructure

[Diagram components]
  –  Application servers on the local area network
  –  Client/WS, inside and/or outside the LAN, connecting over https
  –  Client/WS OCSP repeater
  –  Alternative validation paths (OCSP) to the FiXs Validation Service (Site 1 … Site N)
  –  CRL update path (ldap/ldaps, http/https) from 20+ FiXs-compliant PKI directories and 50+ FiXs-compliant CRLs

Page 10: Issa fi xs briefing

Device Credential Issuance Process

STEP 1: Apply – Device Administrator goes to any-CA.ORC.com & completes the online certificate registration application.

STEP 2: Submit – The device’s key pair is generated in a cryptographic module and associated to the device; the device’s public key is submitted to the CA along with the application.

STEP 3: Print – Administrator prints or PDFs the application form.

STEP 4: ID Proofing – Administrator digitally signs the form & sends or takes the form, with two valid forms of ID, either to the LRA or another Trusted Agent.

STEP 5: Confirmation – RA confirms that ID proofing is complete & correct.

STEP 6: Issuance – The CA issues the certificate & provides out-of-band download instructions to the applicant.

STEP 7: Download – Administrator returns to any-CA.ORC.com, performs a proof of possession, & downloads the certificate.

STEP 8: Install – Administrator installs the SD into the device & applies tamper-evident tape.

Page 11: Issa fi xs briefing

Device Secure Access

[Diagram components]
  –  Video application servers on the local area network; client/WS inside and/or outside the LAN
  –  Credential Validation Service reached over validation paths (OCSP/SCVP), with an optional client/WS validation repeater
  –  CRL update path (ldap/ldaps, http/https) from 20+ federally compliant PKI directories and 50+ federally compliant CRLs
  –  Session legs: 1. authenticated https (client to video server); 2/4. OCSP/SCVP validation; 3. authenticated SSL VPN (video server to camera)

1.  Mutual certificate authentication between client & video server
2.  Mutual validation of credentials; https session established
3.  Mutual certificate authentication between video server & camera
4.  Validation of credential; SSL VPN session established

Page 12: Issa fi xs briefing

FiXs Certified Credential Authenticated at DoD Location

[Diagram components]
  –  Issuer FiXs Domain Servers (FDS): Company A FDS, Company B FDS, Companies C, D, E
  –  FiXs Trust Broker (FTB)
  –  DMDC Trusted Gateway Broker (TGB)
  –  DMDC Domain Server (DDS)
  –  Authentication Node: Defense National Visitor Center (DNVC) / Defense Biometric Identification System (DBIDS)
  –  Company F FiXs Authentication Node
  –  FiXs Authentication Stations/Handhelds

Legend: secure connection; transaction path – no fee; transaction path – with fee

Page 13: Issa fi xs briefing

FiXs Certified Credential Authenticated at FiXs Location

[Diagram components]
  –  Issuer FDS: Company A FDS, Company B FDS, Companies C, D, E
  –  Hosted FTB
  –  DMDC TGB
  –  DMDC DDS
  –  DNVC/DBIDS
  –  Company F FiXs Authentication Node
  –  FiXs Authentication Stations/Handhelds

Legend: secure connection; transaction path – no fee; transaction path – with fee

Page 14: Issa fi xs briefing

CAC Authentication at FiXs Location

[Diagram components]
  –  Issuer FDS: Company A FDS, Company B FDS, Companies C, D, E
  –  Hosted FTB
  –  DMDC TGB
  –  DMDC DDS
  –  DNVC/DBIDS
  –  Company F FiXs Authentication Node
  –  FiXs Authentication Stations/Handhelds

Legend: secure connection; transaction path – no fee; transaction path – with fee

Page 15: Issa fi xs briefing

FiXs Certified Credential Enhanced Logical Access Control

[Diagram components: Remote Client/WS; SSL VPN / https; Border Servers; Application Servers; Validation Data; FDS]

1.  Initial enterprise logon
2.  Validate device certificate
3.  Authenticated SSL VPN established
4.  Initiate application logon
5.  Validate ID certificate
6.  Access attributes

Page 16: Issa fi xs briefing

Contact Information

Dan Turissini - CTO, WidePoint Corporation, FiXs Board

[email protected]

703 246 8550

Dr. Michael Mestrovich, FiXs President

[email protected]

703 928 3157