EPTWG SYMM-CAK ​Requirements Draft - SIA

wanderooswarrenΤεχνίτη Νοημοσύνη και Ρομποτική

21 Νοε 2013 (πριν από 3 χρόνια και 4 μήνες)

50 εμφανίσεις




TO:


Evaluation Program Technical Working Group (EPTWG)

FROM:

Chi Hickey
, Program Manager,

FICAM Testing Program


DATE:

J
u
ly 26
, 2013

RE:


Initial Requirements for

SYMM
-
CAK


EPTWG
Members
,

The
Federal Identity, Credential
,

and Access Management (
FICAM
)

Testing Program
has
published
FICAM Testing Program Functional Requirements and Test Cases

[FRTC] to provide architecture
-
agnostic testing of Enterprise Physical Access Control System
s (E
-
PACS). [FRTC] focuses on end
-
to
-
end system testing and primarily evaluates PKI
-
based authentication methods (i.e. PKI
-
CAK, PKI
-
AUTH, PKI
-
AUTH+BIO(
-
A))
. These methods

are interoperable across all agencies.

The FICAM Testing Program does not seek to i
nfluence architectures, technology processes, procedures
and selections made by industry. The objective of the program is to ensure FICAM conformance for
listing on the GSA Approved products List (APL) for acquisition by federal agencies and departments.


The FICAM Testing Program
is
in the process of forming requirements for SYMM
-
CAK.
This
authentication method is defined by FIPS 201
-
1 as optional and its technical implementation is
described in NIST SP 800
-
73
-
3.
The
FICAM Testing Program
requirements

will subsequently be used
to update [FRTC] with detailed requirements and test cases for the evaluation of SYMM
-
CAK solutions.

SYMM
-
CAK presents many challenges
.
FICAM Personal Identity Verification (PIV) in E
-
PACS,
version 2.1, dated January 31, 2013
, [
PIV in
E
-
PACS]

discusses this topic
.
S
everal controls in [
PIV in
E
-
PACS]
Section
8

affect SYMM
-
CAK
.
[
PIV in
E
-
PACS]
Appendix A

discusses

SYMM
-
CAK and
related management issues.

The National Institute of Standards and Technology (
NIST
)

has published specif
ic guidance for FISMA
-
compliant solutions that impact the use of cryptography within an E
-
PACS. This guidance provides
insight into protection and management of keys, protocols, and security controls.

With this information in mind, the FICAM Testing Progr
am proposes the
following
requirements that
must be met by industry solutions that leverage SYMM
-
CAK:

1.

The solution proposed must be designed in accordance
with the following guidance



NIST
Special Publication
800
-
37


Certification and Accreditation for
Systems



NIST
Special Publication
800
-
57 Parts 1 thru 3


Recommendations for Key Management



NIST
Special Publication
800
-
108


Key Derivation for Symmetric Diversified Keys

2.

The specific method for diversification of keys must be non
-
proprietary and openly
published


3.

The solution proposed must provide adequate protection of keying material

a.

Symmetric
Master Keys must be protected commensurate with the controls and security for
Certificate Authority private keys as defined in Federal PKI Policy Authority “X.509

Certificate Policy For The U.S. Federal PKI Common Policy Framework”

b.

Symmetric
Diversified Keys must be protected in accord with FIPS 140
-
2 Level 2.

Please provide comments on these requirements to
GSA
-
FICAM
-
TESTING@LISTSERV.GSA.GOV

on or before close of business, Wednesday,
August

14, 2013.


Chi Hickey

Program Manager
, FICAM Testing Program

GSA OGP

Chi.H
ickey
@gsa.gov