Argonne-ONR Project Office Beam Physics Overview


Federal Public Key Infrastructures:
• HSPD-12 and
• DOE Entrust
John Volmer
Computing and Information Systems
OSG ESnet Requirements Gathering
9 November 2009
[Slide diagram: Argonne Public Key Infrastructure Participation. Labels as extracted, grouped by PKI: US Federal PKI (www.cio.gov/fbca) with Federal Bridge (FBCA), Common Policy, HSPD12 and member agencies DHS, Treas, DoS, NASA, DoD, Ill; market: authentication, secure email. DOE Entrust PKI with CAs HQ CA, HQ PCA, G2B ORNL, KCP, Y-12, SNL, RF, LANL, LLNL, Pantex, PNNL. Global GRID CAs (www.igtf.net) with APGridPMA and TAGPMA and member CAs including Dartmouth, FNAL, TACC, UoV, Purdue, NCSA, SDSC and national CAs for Brasil, Mexico, Argentina, Chile, Venezuela, Australia, India, Philippines, Japan, Malaysia, Thailand, New Zealand, South Korea, Viet Nam, Taiwan, China, Armenia, Estonia; market: authentication. FIPS 199 categorization shown: (H, H, M).]
Argonne Public Key Infrastructure Participation
[Slide diagram: Argonne Public Key Infrastructure Participation, HSPD-12/PIV view. Labels as extracted: EUGridPMA national CAs Greece, Italy, UK, Germany, Netherlands, CERN, Hungary, Turkey, Ireland, Croatia, Portugal, Austria, Switzerland, Canada, Spain, and DOE GRIDS, under Global GRID CAs (www.igtf.net); market: authentication. US Federal PKI (www.cio.gov/fbca) with HSPD12; market: authentication. ANL (Argonne National Laboratory); market: authentication. Market: secure email (auto enroll). FIPS 199 categorizations appear beside the labels as follows: (M, M, M) beside DOE GRIDS, (L, L, L) beside EUGridPMA, (L, M, L) beside ANL, (H, H, M) beside HSPD12.]
Argonne Public Key Infrastructure Participation – HSPD-12/PIV
Federal Government HSPD-12 Initiative
• Driven by Homeland Security Presidential Directive 12 (HSPD-12)
  – Secure and reliable forms of identification
  – Physical and Logical Access
• Vetting Requirements
  – Basic background investigation (SF-85)
  – Fingerprints taken
  – Photograph
  – DOE Order 206.4
[Diagram: badge issuance roles (http://www.fedidcard.gov). Sponsor recommends badge issuance; Registrar approves badge issuance; Badge Issuer (federal) issues badge. The roles are marked "Mutually Exclusive".]
Federal Government HSPD-12 Initiative
• Card contains three certificates
  – Authentication
  – Digital Signature
  – Encryption (but no directory for certificate lookup!)
• Enables Logical Access to Windows & MacOS (Demonstration?)
• Discussion has begun on
  – PIV-Interoperable (PIV-I) - trusted certificates
  – PIV-Compatible (PIV-C) - untrusted certificates
  – Enable interoperability with suppliers, contractors, etc.
  – Exploit PIV standard: Windows 7 support, etc.
• Ultimately 10M card holders, 600 at Argonne
[Slide diagram: Argonne Public Key Infrastructure Participation, DOE Entrust view. Labels as extracted: DOE Entrust PKI with CAs Y-12, SNL, RF, LANL, LLNL, HQ CA, HQ PCA, G2B ORNL, KCP, Pantex, PNNL; FIPS 199 = (M, M, M); market: secure email. Argonne National Laboratory. Global GRID CAs (www.igtf.net). US Federal PKI, Federal Bridge (www.cio.gov/fbca).]
Argonne Public Key Infrastructure Participation – DOE Entrust
DOE Entrust PKI
• 70,000 certificates licensed
  – 450 certificates at Argonne
• Used for secure electronic mail: encryption
  – DOE Complex
  – DOD
  – DHS
• Logical Access?
  – Version 8 uses Microsoft Certificate Store
• Enterprise Product
  – Encryption key escrow
  – Automatic certificate renewal
http://www.cio.energy.gov/cybersecurity/pki.htm
[Diagram: DOE Entrust PKI CA labels as extracted: G2B ORNL, KCP, HQ PCA, LANL, Y-12, LLNL, SNL, RF, HQ CA, Pantex, PNNL]
DOE Entrust PKI
• Vetting requirements
  – In person either RA or Trusted Agent (TA)
  – Photo id
• Common Policy compliance
  – Periodically externally audited

USER ACKNOWLEDGEMENT AGREEMENT
For Public Key Encryption and Digital Signature Services
DOE Entrust PKI
U. S. Department of Energy (DOE) employees, contractors, and affiliates are responsible for acknowledging this user
agreement when requesting, accepting, and/or using a DOE assigned digital certificate. Employees will be bound to the
terms of this user agreement upon cessation of need or employment, whichever comes first.
As an Entrust user, you must agree to the following prior to using the Entrust software:

Use Restricted to Official DOE Business and Unclassified Data:
The Entrust user license, software, and electronic identity that are issued to you are the property of the U. S.
Department of Energy and should only be used exclusively for legal, authorized, and legitimate DOE business
only. The Entrust license and software MUST NOT BE USED to protect CLASSIFIED data!

Enforcement of either the Triple-DES Encryption or AES-256 Algorithms:
Ensure that the encryption algorithms stay set to Triple DES, as specified in the NIST Federal Information
Processing Standards (FIPS) 140-2 series, or Advanced Encryption Standard (AES-256), specified in FIPS-197,
which DOE is obligated to follow. Settings can be verified by right-clicking the yellow key, selecting Entrust
Options, then selecting the Security tab.

Accuracy of Representation:
Make true representation at all times regarding information in your certificate and other identification and
authentication information. Not only should you provide accurate representation initially to receive Entrust, but
you should also notify your local support center if your personal information changes (name change, organization
change, email address change, etc.) throughout the duration of use so the certificate information is updated in the
directory.

Protection of Private Keys:
Private keys and associated information must be protected. This refers to the profile files that are created during
the “Create Profile” process. This includes:
  o Using a locking screen saver on machines that have the Entrust software installed;
  o Activating the locked screen saver anytime the machine is left unattended; and
  o Protecting your Entrust password at all times by not giving it to others and preferably by not writing it
    down. If you must write it down, then ensure that it is stored in a locked safe or vault with restricted
    access only.
Additionally, inform your local Registration Authority or Trusted Agent at least one week in advance of a planned
hardware swap-out. The encryption software and your personal profile credentials must be properly removed from
the old system prior to releasing the system to untrusted hands.
Department of Energy Headquarters Certification Authority Information:
Mary Ann Breland
DOE PKI Program Manager
For Questions or Problems regarding your Entrust account please contact your local computer
support center, or 301-903-2500.

Notification of Forgotten Password or Profile Loss, Disclosure, or Compromise:
Upon any actual or suspected loss, disclosure, or compromise of your private signing or decryption keys,
activation codes, or Entrust password, you must immediately notify your local support center. Your support center
will then notify your local Registration Authority or Trusted Agent.

Non-Transference of License and Cessation of Operation:
You may not transfer your Entrust user license to anyone else. If you no longer need the Entrust software, notify
your local support center. The support center will then notify your local Registration Authority or Trusted Agent
to revoke and archive your license.

Export of Entrust Software Prohibited:
Please consult with your local Headquarters Security Officer if you have a requirement involving any foreign
nationals.
AS AN ENTRUST USER, YOU AGREE TO USE DOE PKI SERVICES IN ACCORDANCE WITH THE TERMS
FOUND IN THIS AGREEMENT.
You demonstrate your knowledge and acceptance of the terms of this agreement by signing this user agreement form. This
agreement is valid for the certificate and key lifetime or until cessation of need or employment, whichever comes first.
[Signature block: User’s First Name / MI / Last Name / User’s Email Address / User Signature / User’s Org Code / Date]
SECRET KEYWORD
Please answer ALL of the questions listed below. The question will be asked of you if you need to call our office for any
reason regarding your Entrust certificate. The most common reasons we are contacted are for forgotten passwords,
departmental changes, or name/email changes.
What was the make and model of your first car? ________
What year did you graduate from high school? ________
What is/was the name of your pet? ________
Do not write below this line
IDENTITY PROOFING
Date: ________
Type of identification presented: ________
Identification Number: ________
Person’s name as it appears on identification: ________
Registration Authority Name: ________
Registration Authority Signature: ________
Registration Agent Desktop
[Screenshots: DOE Grids, DOE Entrust]
Which brings us to …
Questions and discussion
Other
• RealID Act 2005
• Standardized drivers licenses
  – Desire for smartcard platform
• Standardized birth certificates
• Growth of ISO 14443 RFID (ISO 14443: smart card protocol over RFID)
• Growth of Personal RFID
[Diagram: ISO 14443 RFID uses and a Detection Tool. Contactless Payment Cards (14M issued in 2006); HSPD-12/PIV Badges (est. 10M holders); ePassports (US + 35 nations, US issued 13M in 2006).]
Sources
• Integrated Engineering ISO 14443 Reader
• Gemalto Smart Card Diagnostic Utility
Answer-To-Reset (ATR) responses (many devices are RFID responsive):
3B 0B 80 F9 A0 00 00 03 08 00 00 10 00
3B 05 FF 29 A4 25 AD
3B 08 00 53 4F 43 53 84 90 00
3B 05 FF 72 17 E7 E2
(Chip and antenna visible through translucent card)
Stay tuned . . .
http://www.fips201.com/articles/2009/11/02/iab-october-meeting-audio
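As an added example (not part of the presentation), the decoder below splits the ATR strings listed above into their ISO 7816-3 fields so that an inventory or detection tool can tell what kind of card answered; it assumes the reader's PC/SC layer presents contactless (ISO 14443) cards with the usual TS/T0/interface/historical-byte ATR layout, and the constructed "3B 80 80 01 01" used in testing is not from the slide.

```python
# Added example: ISO 7816-3 Answer-To-Reset decoder run over the slide's ATRs. Not from
# the original presentation; assumes the PC/SC layer wraps ISO 14443 cards in 7816-3 ATRs.
SLIDE_ATRS = ["3B 0B 80 F9 A0 00 00 03 08 00 00 10 00", "3B 05 FF 29 A4 25 AD",
              "3B 08 00 53 4F 43 53 84 90 00", "3B 05 FF 72 17 E7 E2"]  # copied from slide


def parse_atr(hex_str):
    """Split an ATR into convention, interface bytes, protocols, historical bytes and TCK."""
    data = bytes.fromhex(hex_str.replace(" ", ""))
    if len(data) < 2 or data[0] not in (0x3B, 0x3F):
        raise ValueError("not a 7816-3 ATR (bad TS byte)")
    k = data[1] & 0x0F               # T0 low nibble: number of historical bytes
    y = data[1] >> 4                 # T0 high nibble: which of TA1..TD1 follow
    pos, i, interface, protocols = 2, 1, {}, set()
    while True:
        td = None
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(data):
                    raise ValueError("truncated interface bytes")
                interface[f"{name}{i}"] = data[pos]
                if name == "TD":
                    td = data[pos]
                pos += 1
        if td is None:
            break                    # no TDi: no further interface bytes follow
        protocols.add(td & 0x0F)     # TDi low nibble names a protocol T=x
        y, i = td >> 4, i + 1        # TDi high nibble announces TA/TB/TC/TD(i+1)
    if not protocols:
        protocols.add(0)             # no TD byte at all means T=0 only
    historical = data[pos:pos + k]
    if len(historical) != k:
        raise ValueError("truncated historical bytes")
    pos += k
    tck_ok = None                    # TCK exists only when some T!=0 is offered
    if protocols != {0}:
        if pos >= len(data):
            raise ValueError("missing TCK")
        xor = 0
        for b in data[1:pos + 1]:    # T0 .. TCK must XOR to zero
            xor ^= b
        tck_ok = xor == 0
        pos += 1
    if pos != len(data):
        raise ValueError("trailing bytes after ATR")
    return {"direct_convention": data[0] == 0x3B, "interface": interface,
            "protocols": sorted(protocols), "historical": historical.hex(),
            "ascii": "".join(chr(b) if 32 <= b < 127 else "." for b in historical),
            "tck_ok": tck_ok}
```

All four slide ATRs carry only T=0 with no interface bytes, so everything after T0 is historical data; the third one spells "SOCS" in its historical bytes, which is the kind of hint a detection tool can key on.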