ISSA FiXs briefing
Federated Access Identity & Privacy Protection
Presented at:
Information Systems Security Association-Northern Virginia (ISSA-NOVA) Chapter Meeting
Presented by:
Daniel E. Turissini
Board Member, Federation for Identity and Cross-Credentialing Systems (FiXs)
http://www.FiXs.org
January 20, 2011
The Federation for Identity & Cross-Credentialing Systems (FiXs)
• A 501(c)(6) not-for-profit trade association formed in 2004 in collaboration with the DoD to provide secure and inter-operable use of identity credentials between and among government entities & industry
• A coalition of diverse companies/organizations supporting development & implementation of inter-operable identity cross-credentialing standards and systems
• Members include: government contractors, technology companies, major financial firms, not-for-profit organizations, DoD, GSA, state governments, etc.
Federated Identity Solution
• Federated identity provides a strong, biometrically enabled electronic identity credential that can be readily electronically validated by any Federal logical/physical access point, allowing the decision maker or databases to make a local, specific privilege and/or authorized ACCESS decision confident in:
  – the identity of the person attempting access;
  – the identity of the device attempting access;
  – the identity of the vetted organization that they represent;
  – that the organization and the individual have a legal relationship to do business with the federal government; and,
  – that the individual has been vetted in person and has undergone a background investigation consistent with defined levels.
The credential assures you are who you say you are; Commanders confirm what the holder is permitted to access!
The Foundation
• FiXs entered into a formal Memorandum of Understanding (MOU) with the DoD that established the terms & conditions under which FiXs & DoD will use their respective systems as part of an identity suite of systems in January 2006, updated February 2009:
  – https://www.dmdc.osd.mil/dmdcomn/owa/DMDC.FEDPIIPS
• The terms and conditions include:
  – Operational framework for inter-operability between DoD & FiXs
  – Specific operational responsibilities
  – Governance structure
• Authority To Operate Granted by DMDC
• Strong Certification & Accreditation Processes
Documentation available online at: http://www.fixs.org/library
Federated Access
[Diagram: three parties, Trusted Third Parties (External Certificate Authorities (ECA) / PIV-I), Subscribers (Credential Holders), and DoD Application Relying Parties (Access Rules), labelled Strong Identity, Strong Access Control, and Local Access Decisions.]
Strong credentials with biometrics consistent with federal standards are essential to successful access control.
TESTED, SPOT – FiXs Inter-operability Pilot
• Successful assessment of the feasibility of utilizing commercially-issued credentials that adhere to FiXs-certified standards in “feeding” the SPOT database
• Issued FiXs-certified credentials to 3,000 contractor personnel
• Credentials authenticated across a secure network against federated data stores
• Included “cleared” personnel, non-cleared personnel, first responders, and other entities that interact with Army Materiel Command
• Monitor utilization, increases in productivity, & security profile
• Provided strategic assessment for future activities
FiXs – Chain of Trust
FiXs-Certified Credentials
[Figure: CAC and FiXs card images with callouts: 2D barcode, 1D barcode & mag-stripe on back; 2 RFID antennas; clear contractor markings.]
RFID, barcodes, the PIV applet and the certificate provide the Issuer ID, Sponsor ID, Employee ID, & other data processed via the network.
Robust Validation Infrastructure
[Diagram: clients/workstations (Client/WS) inside and/or outside the Local Area Network reach Application Servers; certificate status is checked over https against a FiXs Validation Service (Site 1 through Site N), optionally through a Client/WS OCSP Repeater. Alternative Validation Paths (OCSP) lead to 20+ FiXs-compliant PKI directories and 50+ FiXs-compliant CRLs; the CRL Update Path uses ldap/ldaps and http/https.]
Device Credential Issuance Process
STEP 1: Apply. Administrator goes to any-CA.ORC.com & completes the online certificate registration application.
STEP 2: Submit. The device’s key pair is generated in a cryptographic module and associated to the device; the device’s public key is submitted to the CA along with the application.
STEP 3: Print. Administrator prints or PDFs the application form.
STEP 4: ID Proofing. Administrator digitally signs the form & sends or takes the form, with two valid forms of ID, either to the LRA or to another Trusted Agent.
STEP 5: Confirmation. RA confirms that ID proofing is complete & correct.
STEP 6: Issuance. A CA issues the certificate & provides out-of-band download instructions to the applicant.
STEP 7: Download. Administrator returns to any-CA.ORC.com, performs a proof of possession, & downloads their certificate.
STEP 8: Install. Administrator installs the SD into the device & applies tamper-evident tape.
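The key-pair, proof-of-possession and issuance steps above, as an added example that is not FiXs or ORC code and does not model their enrollment site. It uses the openssl command line (assumed to be installed): the device side generates its key pair and signs a certificate signing request with it, the CA side checks that signature as proof of possession before issuing, and a relying party chains the issued certificate back to the CA. The CN values, file names and the throw-away CA are assumptions made for this example; a real device would keep its private key in a cryptographic module rather than in a file. The last function shows the failure mode a proof-of-possession check exists for: a request altered after it was signed is rejected.

```shell
#!/bin/sh
# Added example (not FiXs or ORC code): walks the issuance steps with openssl.
# CN values, file names and the self-signed CA are assumptions for this demo.
set -eu

# Step 2 analogue: the device side generates its key pair and signs a
# certificate signing request (CSR) carrying the public key and subject.
make_csr() {
  dir=$1
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/device.key" -out "$dir/device.csr" \
    -subj "/CN=example-device-01" >/dev/null 2>&1
}

# Proof of possession (step 7): the CA/RA checks that the CSR's signature
# verifies under the public key inside it, so whoever submitted it holds the
# matching private key. Exit status 0 means the proof holds.
check_pop() {
  openssl req -in "$1/device.csr" -verify -noout >/dev/null 2>&1
}

# Step 6 analogue: a CA issues the device certificate. A self-signed CA is
# created on the fly here purely for the demonstration.
issue_cert() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Example Device CA" >/dev/null 2>&1
  openssl x509 -req -in "$dir/device.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/device.crt" >/dev/null 2>&1
}

# Relying-party check: chain the issued certificate to the trusted CA. In the
# validation infrastructure shown in the slides a CRL or OCSP status check
# would follow this chain check.
verify_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/device.crt" >/dev/null 2>&1
}

# Failure case: a CSR altered after signing (here the letters on its second
# base64 line are rotated) must fail proof of possession. Returns 0 when the
# tampering is caught, i.e. when verification fails as it should.
tamper_detected() {
  dir=$1
  sed '3y/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz/BCDEFGHIJKLMNOPQRSTUVWXYZAbcdefghijklmnopqrstuvwxyza/' \
    "$dir/device.csr" > "$dir/tampered.csr"
  ! openssl req -in "$dir/tampered.csr" -verify -noout >/dev/null 2>&1
}

# Stand-alone run: issue a credential into a temporary directory and report.
work=$(mktemp -d)
make_csr "$work"
check_pop "$work" && echo "proof of possession: ok"
issue_cert "$work"
verify_cert "$work" && echo "chain validation: ok"
tamper_detected "$work" && echo "tampered CSR rejected: ok"
rm -rf "$work"
```

The proof of possession here is the CSR signature itself, which is what a CA checks at submission time; the separate proof-of-possession step at download in the process above is an additional check at retrieval that this example does not model.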
Device Secure Access
[Diagram: a Client/WS inside and/or outside the Local Area Network connects to Video Application Servers over authenticated https (1), and the Video Server reaches the camera over an authenticated SSL VPN (3); both sides validate credentials via OCSP/SCVP (2/4) against the Credential Validation Service, optionally through a Client/WS Validation Repeater, backed by 20+ federally compliant PKI directories and 50+ federally compliant CRLs; the CRL Update Path uses ldap/ldaps and http/https.]
1. Mutual certificate authentication between Client & Video Server
2. Mutual validation of credentials; https session established
3. Mutual certificate authentication between Video Server & Camera
4. Validation of credential; SSL VPN session established
FiXs Certified Credential Authenticated at DoD Location
[Diagram: Company A FiXs Domain Server (FDS), Company B FDS and an Issuer FDS (Companies C, D, E) connect through the FiXs Trust Broker (FTB) to the DMDC Trusted Gateway Broker (TGB) and DMDC Domain Server (DDS); the authentication nodes are the Defense National Visitor Center (DNVC), the Defense Biometric Identification System (DBIDS), FiXs Authentication Stations/Handhelds, and a Company F FiXs Authentication Node. Legend: Secure Connection; Transaction Path, no fee; Transaction Path, with fee (line styles are not recoverable from the transcript).]
FiXs Certified Credential Authenticated at FiXs Location
[Diagram: the same components (Company A FDS, Company B FDS, Issuer FDS for Companies C, D, E, Hosted FTB, DMDC TGB, DMDC DDS, DNVC/DBIDS, FiXs Authentication Stations/Handhelds, Company F FiXs Authentication Node), with the credential presented at a FiXs location. Same legend.]
CAC Authentication at FiXs Location
[Diagram: the same components, with a CAC presented at a FiXs location. Same legend.]
FiXs Certified Credential Enhanced Logical Access Control
[Diagram: a Remote Client/WS reaches a Border Server over SSL VPN / https and then an Application Server; both consult Validation Data and the FDS.]
1. Initial Enterprise Logon
2. Validate Device Certificate
3. Authenticated SSL VPN Established
4. Initiate Application Logon
5. Validate ID Certificate
6. Access Attributes
Contact Information
Dan Turissini - CTO, WidePoint Corporation, FiXs Board
703 246 8550
Dr. Michael Mestrovich, FiXs President
703 928 3157