VA Public Key Infrastructure Project by qza17959

VIEWS: 186 PAGES: 35

									VA Public Key Infrastructure
          Project
Co-chair - Cathie Ward OI&T
  – cathie.ward@mail.va.gov
Co-chair - Daniel Maloney VHA
  – daniel.maloney@med.va.gov
Web Sites
http://vaww.va.gov/vapki.htm or
  http://www.va.gov/vapki.htm
             PKI INFOSEC99 PRESENTATION   1
FOCUS OF THIS SESSION

  Concepts/terminology
  Importance of PKI for VA
  VA PKI project status/plans
  Federal-wide context
  ISO involvement



          PKI INFOSEC99 PRESENTATION   2
PKI INFOSEC99 PRESENTATION   3
           Business Issues (1)
 On electronic mail from the Internet, how do you
  know who sent you this message?
 Who verifies the sender is really who they say they
  are?
 How do I ensure that an electronic mail message I
  send or received has not been changed as it
  moved across the Network (VA WAN or Internet)?
 How can I make my electronic mail message
  unreadable by everyone except the individuals I
  select?
                  PKI INFOSEC99 PRESENTATION          4
           Business Issues (2)

 How can I create a standard way to control
  access to systems such as Web Servers?
 How do I know that I am communicating with the
  proper system
 How can I be assured that the programming code
  I just received came from the stated source and
  has not been modified?



                 PKI INFOSEC99 PRESENTATION         5
PKI INFOSEC99 PRESENTATION   6
           WHAT IS PKI

Public Key Infrastructure
A combination of products, services,
 policies, and agreements for secure
 interaction across “open networks” like
 the Internet



              PKI INFOSEC99 PRESENTATION   7
   PKI - BASIC PRICIPLES
A pair of related keys as opposed to a
 single key
When either key encrypts, the other key
 decrypts
The private key is closely guarded and
 never given out - PROTECT YOUR
 PRIVATE KEY
The public key and who it belongs to are
 publicly available
              PKI INFOSEC99 PRESENTATION    8
    ADVANTAGES OF PUBLIC KEY
          TECHNOLOGY

Public key is not secret, hence easier to
 distribute than private/symmetric keys
Can be used for:
  – authentication
  – non repudiation
  – data integrity
  – confidentiality
               PKI INFOSEC99 PRESENTATION    9
PKI FOR AUTHENTICATION

Assurance of identity
Both parties comfortable they are
 communicating with the party they think
 they are doing business with
Attainable through digital signatures and
 Public Key certificates


             PKI INFOSEC99 PRESENTATION    10
PKI FOR CONFIDENTIALITY


Restricts communication to the parties
 involved in the transaction
Keys encrypted for key transfer




              PKI INFOSEC99 PRESENTATION   11
PKI FOR DATA INTEGRITY


Data unchanged from its source
Data not accidentally or maliciously
 altered



            PKI INFOSEC99 PRESENTATION   12
PKI FOR NON REPUDIATON

Neither party is able to deny having
 participated in the transaction after the
 fact
Integrity and origin of the data verifiable
 by a third party (e.g. judge)



                PKI INFOSEC99 PRESENTATION     13
     DIGITAL SIGNATURE

Unique to the signer
Under the signer’s sole control
Capable of being verified by a 3rd party
Linked to the data being signed
Will detect but not prevent alteration



               PKI INFOSEC99 PRESENTATION   14
DIGITIZED SIGNATURE PROBLEMS
          (Bit Mapped)
      Example:

Not high security
Easily forged
Easily reproduced
Can cut and past anywhere
Not legal proof of anything

             PKI INFOSEC99 PRESENTATION   15
PUBLIC KEY CERTIFICATE

 Trusted third party vouches for
  someone’s public key
 Binds an entity (name, id) to a
  specific public key




            PKI INFOSEC99 PRESENTATION   16
HOW CERTIFICATES ARE ISSUED

Individual personally appears before CA
 with proof of identity - process is similar
 to applying for a passport or driver’s
 license
CA creates PKI certificate and signs it with
 CA digital signature
CA posts certificate to on-line directory

                PKI INFOSEC99 PRESENTATION     17
         KEY RECOVERY

Provides secondary means of access to
 cryptography keys used for data
 confidentiality
Solves multiple problems:
  – lost or compromised keys
  – careless, disgruntled or absent employee
  – law enforcement/surveillance


                PKI INFOSEC99 PRESENTATION     18
 KEY RECOVERY MECHANISM



Escrow with third party
Encapsulation into key recovery block
Hybrid




             PKI INFOSEC99 PRESENTATION   19
       PKI NOT A CURE-ALL

Part of comprehensive security
 package
PKI systems also use private /
 symmetric keys
  – Key generation is faster
  – Operations are faster
  – Used for encrypting data in bulk
             PKI INFOSEC99 PRESENTATION   20
 PKI ARCHITECTURAL ENTITIES

Certification authority (CA)
Registration authority(s)
Certificate archive
Directory / Repository
Certificate policies, practices, CONOPS



               PKI INFOSEC99 PRESENTATION   21
   POLICY FRAMEWORK

Follows IETF- PKIX template
General provisions
Identification and authentication
 (proofing)
Operational requirements
Security controls


              PKI INFOSEC99 PRESENTATION   22
       VA PKI PURPOSE
Integrate with VA’s overall security
 framework
Provide a common utility for VA
Work through policy and technology
 issues together
Support pilots that require one or more of
 the following: strong authentication,
 integrity, non repudiation, confidentiality

              PKI INFOSEC99 PRESENTATION   23
    WHY VA NEEDS PKI
Encrypt e-mail messages moving across
 open networks
Added exposure from open networks
 like the Internet
Protection from viruses - unauthorized
 code
Existing authentication methods not
 scalable and not as secure
Vendors’ security products depend on it
             PKI INFOSEC99 PRESENTATION    24
FEDERAL WIDE CONTEXT
Government Paperwork Elimination Act
 (GPEA)
Digital Signature Act of 1999 (proposed)
OMB GPEA guidance out for comment
GSA ACES contract - one option for
 citizen access
NIST - standards including federal X509
 certificate profile
              PKI INFOSEC99 PRESENTATION    25
     PROGRESS AT VA
CIO Council backing - broad
 participation
Funding from VHA, VBA, and O/M
Web site - vaww.va.gov/vapki.htm
Capabilities demo and pilots
 Design Decision Document (April 6)
Certificate Policy Draft

             PKI INFOSEC99 PRESENTATION   26
     WHAT COMES NEXT
Expand S-MIME secure e-mail test
Implement Web pilots
Pilot ISO role in certificate
 enrollment/revocation
Provide interim key recovery capability
Issue interim certificate policy
Integrate PKI Project with MS Windows
 2000 rollout
               PKI INFOSEC99 PRESENTATION   27
       ISO INVOLVEMENT

Understand how it works
Understand potential uses (the list is
 growing)
Use it for secure communications
Support PKI in role of local registration
 authority
Administer Certificate Policy/Accreditation
               PKI INFOSEC99 PRESENTATION    28
    WHAT YOU CAN DO
Upgrade workstation configuration
  – (Outlook 98, IE 4.0 or 5 with 128 bit
    encryption)
Enroll for Verisign Certificate
Learn how to use S-MIME for
 signature and encryption
Help develop policy/procedures
Participate in local registration pilot
              PKI INFOSEC99 PRESENTATION    29
                         Sending a message




PKI INFOSEC99 PRESENTATION            30
              Using Your Private Key




PKI INFOSEC99 PRESENTATION        31
                         Reading a message




PKI INFOSEC99 PRESENTATION             32
            Checking message Integrity




PKI INFOSEC99 PRESENTATION       33
                       Viewing a Certificate




PKI INFOSEC99 PRESENTATION             34
 FOR YOUR ADDRESS BOOK

Co-chair - Cathie Ward OI&T
  – cathie.ward@mail.va.gov
Co-chair - Daniel Maloney VHA
  – daniel.maloney@med.va.gov
Web Site - vaww.va.gov/vapki.htm



              PKI INFOSEC99 PRESENTATION   35

								
To top