MiY Government Credentials Quick Start Guide

Feb 23, 2014

Version 1.0
© 2014 Cogent, Inc. All rights reserved.

This document contains commercial information and trade secrets of Cogent, Inc. which are confidential and proprietary in nature and are subject to protection under law. Access to the information contained herein, howsoever acquired and of whatsoever nature, will not entitle the accessor thereof to acquire any right thereto. The data subject to this restriction are contained in all sheets of this document. Disclosure of any such information or trade secrets shall not be made without the prior written permission of Cogent, Inc.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of Cogent, Inc.

The information in this document is subject to change without notice. The software mentioned in this document is furnished under license and may only be used or copied in accordance with the terms of such license. Contact software manufacturers directly for terms of software licenses for any software mentioned in this document not originating from Cogent, Inc.

All brand or product names are the trademarks or registered trademarks of their respective holders.

Cogent Document # MiY-GOV-1.00 (1)



Document Revision History

Version   Date        Author    Comment
0.9       2/17/2012   Chris P   Initial version (CP)
1.0       2/26/2012   Chris C   Format / Review / Finalize

Contents

1 Overview
2 Settings Configuration
3 Getting Started
  3.1 Do you require a credential to be fully enrolled and verified on the central server before allowed access?
  3.2 Do you want data read from government credentials stored on the device?
  3.3 Do you want to lock out credentials from the system after repeated failed fingerprint match attempts?
  3.4 Do you require all card certificates to be validated, including container signing certificates?
4 Configuring Certificate Validation
  4.1 SCVP
    4.1.1 SCVP Test Client
  4.2 OCSP
  4.3 CRL
  What types of credentials are used in the system?
  4.4 PIV
    4.4.1 Modes
    4.4.2 Certificate Validation
  4.5 TWIC
    4.5.1 Modes
    4.5.2 TPK (TWIC Privacy Key)
    4.5.3 TWIC Cancelled Card List (Hotlist)
    4.5.4 Certificate Validation
  4.6 CAC
  4.7 Modes
    4.7.1 Certificate Validation
  4.8 Mixed Card Population
    4.8.1 Certificate Validation
1 Overview

This document is designed to help configure MiY software and devices for MiY Government solutions. It describes important settings and functionality for standard configurations depending on the types of government credentials, including PIV, TWIC and CAC.


2 Settings Configuration

All government settings are configurable from the MiY Security Manager System Settings/Govt Cred tab. General government settings are also configurable from the MiY Security Manager at the Zone and Device level from the Govt Cred tab.

In a standalone system (no server), all government settings are configurable from the device menu Device Info/Security/Settings screen.

3 Getting Started

The following questions should be considered when setting up an MiY system for use with government credentials and MiY-ID Gov devices.

3.1 Do you require a credential to be fully enrolled and verified on the central server before allowed access?

If so, then enable the Server Credential Validation Required setting. This allows full control of which credentials are allowed access to the system, similar to a white-list. If a credential is not manually set to Valid from the MiY Security Manager, then the credential will not gain access even if otherwise valid.

3.2 Do you want data read from government credentials stored on the device?

Set the Card Data Storage Mode setting as follows:

• StoreNoData: The device will not save any data read from the card. Note: in TWIC modes, enabling this setting means that the credential must be enrolled on the MiY server before the TPK can be used to access the biometric over the contactless card interface.

• StoreDataRequiredForAccessOnly (default): This is the default setting and stores a minimal amount of data, such as the FASC-N and TPK (TWIC Privacy Key). Note: in TWIC modes, this allows the device to read the TPK from a TWIC card over the contact card interface and store it for later use over the contactless card interface.

• StoreAllDataPossible: The device will read as much data as possible from containers read during access. Enabling this setting will result in longer access times to read the extra data. Anything cached this way is only as well protected as the reader it sits on, so prefer the least-storing mode that still meets the access requirement.

3.3 Do you want to lock out credentials from the system after repeated failed fingerprint match attempts?

This setting is available to meet TWIC access requirements, but may not be practical. If enabled, a credential is locked out from the system when the user fails to match their fingerprint consecutively more times than the Failed Match Retry Attempts setting on the General tab allows. The default is one (1) retry, which means that if a user fails to match 2 times in a row then they are locked out. Once locked out, the credential cannot gain access to any device until manually unlocked by an Administrator from the MiY Security Manager or the device menu Device Info/Security/Unlock Credential.
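The retry arithmetic above is easy to get wrong (one retry means the second consecutive failure locks the credential), so here is an added example that models the counter. It was written for this edit and is not MiY software; the setting name Failed Match Retry Attempts and the administrator-only unlock are from the page, while the class, its method names, the in-memory store and the sample FASC-N strings are assumptions.

```python
# Added example, not Cogent/MiY code: models the Failed Match Retry Attempts
# lockout described in section 3.3. The setting name is the page's; the class,
# method names and in-memory bookkeeping are assumptions for illustration.
from dataclasses import dataclass, field


@dataclass
class CredentialLockout:
    # Number of RETRIES allowed after the first failed match. The MiY default
    # of 1 therefore locks the credential on the second consecutive failure.
    failed_match_retry_attempts: int = 1
    _consecutive_failures: dict = field(default_factory=dict)
    _locked: set = field(default_factory=set)

    def is_locked(self, fascn: str) -> bool:
        return fascn in self._locked

    def record_match(self, fascn: str, matched: bool) -> bool:
        """Record one fingerprint match result for the credential identified by
        its FASC-N. Returns True if access may proceed, False otherwise."""
        if fascn in self._locked:
            return False  # stays locked even if this attempt matched
        if matched:
            self._consecutive_failures.pop(fascn, None)  # streak resets on success
            return True
        n = self._consecutive_failures.get(fascn, 0) + 1
        self._consecutive_failures[fascn] = n
        # Initial attempt plus the allowed retries have all failed: lock out.
        if n > self.failed_match_retry_attempts:
            self._locked.add(fascn)
            self._consecutive_failures.pop(fascn, None)
        return False

    def unlock(self, fascn: str) -> None:
        """Administrator action (MiY Security Manager or the device's
        Device Info/Security/Unlock Credential menu)."""
        self._locked.discard(fascn)
        self._consecutive_failures.pop(fascn, None)


if __name__ == "__main__":
    lk = CredentialLockout()  # default: 1 retry
    lk.record_match("FASCN-0001", False)
    lk.record_match("FASCN-0001", False)
    print("locked after two failures:", lk.is_locked("FASCN-0001"))
```

Note that a successful match after the lockout still returns False: only unlock() clears the state, which is the behaviour the page describes for the device and the Security Manager.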

3.4 Do you require all card certificates to be validated, including container signing certificates?

If so, enable Always Validate Certificates (Full Trust) to ensure that any certificate read from the card is validated. If not, only the card certificates that must be validated according to the PIV standards, such as PIVAuth and CardAuth, are checked. With Full Trust the certificate that signed a CHUID or biometric container is itself validated, so a container signed by a revoked or untrusted signer is rejected rather than accepted on its signature alone. We recommend enabling this setting.

4 Configuring Certificate Validation

The Certificate Validation Server is the server that receives requests to validate certificates from the devices. Upon receiving a certificate validation request, the server performs SCVP, OCSP or basic CRL checks as configured in the Certificate Validation Settings. The Certificate Validation Server is typically the MiY server, unless custom certificate validation by a 3rd party is necessary.

• Set the Certificate Validation Server to the IP Address or Hostname of the server machine running the MiY Security Service. This setting should be the same IP/Hostname as the Server Address in the System Settings/Network tab.

• Enable Use TLS and set the Certificate Validation Port to 6041 (default server TLS port). The Certificate Validation Port should be the same as the Server TLS Port in the System Settings/Network tab. Note: the only reason to not enable TLS is if you want to send all certificate validation requests to your own server for custom processing. Without TLS the device cannot authenticate the answer it receives, so anyone on the network path could substitute a "valid" verdict for a revoked certificate; if a custom server must be reached over an unencrypted connection, keep that link on an isolated network.

• Set the Validation Timeout in Seconds to control how long the device will wait for certificate validation.


4.1 SCVP

The MiY server performs SCVP validation by using the GSA approved SCVP Test Client v2.0.0. The SCVP Test Client is available from the GSA website and must be installed on the same machine as the MiY Security Service.

To use the GSA SCVP certificate validation server, set the SCVP Server to the IP Address of the GSA server (currently 159.142.160.236) and set the SCVP Check Mode to OnServer.

4.1.1 SCVP Test Client

When installing the SCVP Test Client, the default installation location is C:\scvp. If you install it to a location other than the default, you must update the SCVPClientToolDirectory setting in the MiY Service Console and restart the MiY security service.

To change the SCVPClientToolDirectory in MiY Security Service v1.0, edit the ServiceApp.exe.config XML file in the MiY Security Service installation folder. Set the SCVPClientToolDirectory entry to the location of the SCVP client tool application and restart the service.

    <setting name="SCVPClientToolDirectory" serializeAs="String">
        <value>D:\scvp\TestRunnerFiles\scvp</value>
    </setting>

To change the SCVPClientToolDirectory in MiY Security Service v1.5, login to the MiY Service Console and update the SCVPClientToolDirectory from the Settings tab. Simply browse to the directory where the scvpclient.exe file is located, which is typically $InstalledDrive$\scvp\TestRunnerFiles\scvp. After updating the setting, restart the service with the Stop/Start buttons on the MiY Service Console.

Because the MiY Security Service runs whatever scvpclient.exe it finds in this directory, restrict write access to the directory and to ServiceApp.exe.config to administrators; a local user who can replace either one controls the validation result.

4.2 OCSP

To use an OCSP certificate validation server, set the OCSP Server URL to the location of the OCSP server, such as http://myocsp.com or http://myocsp.com:1440. Set the OCSP Check Mode as follows:

• None: OCSP checking disabled.

• OnDevice: The device sends an OCSP request directly to the OCSP server and must have network access to the OCSP server.

• OnServer: The device sends a request to the Certificate Validation Server (typically the MiY server), which sends an OCSP request to the OCSP server and responds back to the device.

• OnDeviceIfPassThenServer: OnDevice and, if the certificate passes, then OnServer. This is not a typical configuration. The OnDevice or OnServer check should be sufficient to check the OCSP server in a single attempt.

4.3 CRL

Certificate Revocation Lists are also supported for very simple systems, but are not recommended for large systems, where OCSP or SCVP is preferred. If using SCVP or OCSP, CRL checking is not needed.

To use CRLs, you must manually upload your CRLs to the MiY server using the MiY Security Manager Government Credentials/CRLs tab. An uploaded CRL is a static snapshot: it is stale as soon as the issuer publishes its next CRL, so schedule uploads to match the issuer's publication interval. Then, configure CRL checking as follows:

• None: No CRL checking is performed.

• OnDevice: CRLs are uploaded to the devices and the device performs the CRL check.

• OnServer: CRLs are not uploaded to the devices and the device requests the server to perform the CRL check.

What types of credentials are used in the system?

PIV, TWIC, CAC or Mixed Population? The types of credentials used in the system determine the basic system configuration.

4.4 PIV

PIV credentials include any card issued with a PIV applet. Newer CACs and TWIC cards contain a PIV applet, but also contain specific CAC and TWIC applets. GSA also issues PIV cards and any 3rd party may support their own PIV issuance.

4.4.1 Modes

Set Verify Mode to the desired PIV mode:

• PIV_Chuid: Verifies the CHUID, including container signature and signing certificate based on configuration.

• PIV_Biometric: Verifies the fingerprint, including container signature and signing certificate based on configuration.

• PIV_PIVAuthKey (PKI): Validates the user PIN and verifies a challenge to the card with the PIVAuth certificate, including certificate validation based on configuration.

• PIV_CardAuthKey (CAK): Verifies a challenge to the card with the CardAuth certificate, including certificate validation based on configuration.

• PIV_PKI_BIO: Performs PIV_PIVAuthKey and PIV_Biometric.

• PIV_CAK_BIO: Performs PIV_CardAuthKey and PIV_Biometric.

4.4.2 Certificate Validation

The type of certificate validation for a PIV system depends on who is issuing the PIV cards and what certificate authority (CA) they are using.

• For GSA issued PIV cards, you should use the GSA SCVP server.

• If using PIV cards issued by a non-GSA 3rd party, then you have several options:

  o Use their OCSP server, if available.

  o Use the GSA SCVP server. This requires that the 3rd party submit a request to GSA to have their CA chain added to the GSA server.

  o Use basic CRLs, which requires the 3rd party to supply their CRLs and an Administrator must manually add them through the MiY Security Manager.


4.5 TWIC

TWIC credentials are cards issued by the Transportation Worker Identification Credential security program and contain the TWIC applet.

4.5.1 Modes

Set Verify Mode to the desired TWIC mode:

• TWIC_MARSEC1: CHUID verification

• TWIC_MARSEC2: Card Authentication Key (CAK)

• TWIC_MARSEC3: CHUID + BIO (requires TPK over contactless card interface)

• TWIC_MARSEC4: CAK + BIO (requires TPK over contactless card interface)

4.5.2 TPK (TWIC Privacy Key)

Set the TPK Lookup Mode for decrypting the biometric container over the contactless card interface.

• None: The TPK is not used to decrypt the biometric container. Biometric modes (MARSEC3 and MARSEC4) can only read the biometric container with the contact card interface.

• OnDevice (default): The TPK is retrieved from the device to decrypt the biometric container for use with the contactless card interface.

• OnServer: The TPK is retrieved from the MiY server to decrypt the biometric container for use with the contactless card interface.

• OnDeviceIfNotFoundThenServer: If the TPK is not found on the device, then the TPK is retrieved from the MiY server.

4.5.3 TWIC Cancelled Card List (Hotlist)

Unlike the PIV standards, which rely on certificate validation to reject credentials, the TWIC standards rely on use of the TWIC Cancelled Card List (CCL) (formerly hotlist) to reject cancelled cards. The MiY Security Manager can be configured to download the TWIC CCL on an interval if it has internet access, or the hotlist can be manually uploaded. Configure the TWIC CCL for automatic download or manual upload from the Government Credential/TWIC Hotlist tab in the MiY Security Manager.

Set the TWIC Hotlist Check Mode as follows:

• None: No TWIC CCL check is performed.

• OnDevice: The TWIC CCL is uploaded to all devices and checked on the device when configured for TWIC modes. This setting is recommended on poor networks where the device cannot reliably send requests to the MiY server or where the devices are routinely offline.

• OnServer: The TWIC CCL is not uploaded to the devices and the devices send a request to the MiY server to check the CCL. This setting is recommended if the devices have a good network and reliable connectivity to the MiY server. This reduces the overhead of constantly uploading the CCL to all the devices.

• OnDeviceIfNotFoundThenServer: This setting combines the OnDevice and OnServer checks. If the CCL had not been fully uploaded to a device, a cancelled card missing from the device's copy would still fail the extra server check.
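The OCSP Check Mode (4.2), CRL check mode (4.3) and TWIC Hotlist Check Mode above all have the same shape: a device-side answer, a server-side answer, or the two combined. The following added example, written for this edit and not Cogent/MiY code, models all of them in one decision function and exercises the partial-upload case this section warns about. The mode names are the page's; the Source class, its reachable flag, the sample TWIC identifiers and the fail-closed treatment of an unreachable source (the page does not say what happens once the Validation Timeout expires) are assumptions.

```python
# Added example; not Cogent/MiY code. Models the Check Mode settings for OCSP
# (section 4.2), CRL (4.3) and the TWIC CCL/hotlist (4.5.3) as one decision
# function so the difference between the modes can be exercised offline.
# Assumptions (not on the page): the Source class, its reachable flag, the
# constructed sample identifiers, and that an unreachable source denies access.
from enum import Enum


class CheckMode(Enum):
    NONE = "None"
    ON_DEVICE = "OnDevice"
    ON_SERVER = "OnServer"
    # OCSP only: device asks the responder; only if it passes does the server ask too.
    ON_DEVICE_IF_PASS_THEN_SERVER = "OnDeviceIfPassThenServer"
    # CRL / TWIC CCL: device checks its local copy; if no hit, the server checks.
    ON_DEVICE_IF_NOT_FOUND_THEN_SERVER = "OnDeviceIfNotFoundThenServer"


class Verdict(Enum):
    GOOD = "good"                # responder said good / identifier absent from list
    REVOKED = "revoked"          # responder said revoked / identifier on the list
    UNAVAILABLE = "unavailable"  # no network, or the Validation Timeout expired


class Source:
    """One place a revocation answer can come from: the device's local copy of a
    CRL or CCL, the MiY server's copy, or an OCSP responder reached directly by
    the device or through the Certificate Validation Server."""

    def __init__(self, revoked, reachable=True):
        self.revoked = set(revoked)
        self.reachable = reachable

    def lookup(self, ident):
        if not self.reachable:
            return Verdict.UNAVAILABLE
        return Verdict.REVOKED if ident in self.revoked else Verdict.GOOD


def allow(mode, device, server, ident):
    """True only if the credential passes the revocation check under `mode`.
    UNAVAILABLE never grants access (assumed fail-closed behaviour)."""
    if mode is CheckMode.NONE:
        return True  # no revocation check at all
    if mode is CheckMode.ON_DEVICE:
        return device.lookup(ident) is Verdict.GOOD
    if mode is CheckMode.ON_SERVER:
        return server.lookup(ident) is Verdict.GOOD
    # Both combined modes share one shape: a device-side hit denies at once;
    # otherwise the server must also clear the credential. "Pass" (OCSP) and
    # "not found" (CRL/CCL) describe the same outcome: no revocation seen locally.
    if mode in (CheckMode.ON_DEVICE_IF_PASS_THEN_SERVER,
                CheckMode.ON_DEVICE_IF_NOT_FOUND_THEN_SERVER):
        local = device.lookup(ident)
        if local is not Verdict.GOOD:
            return False  # revoked locally, or the device could not check
        return server.lookup(ident) is Verdict.GOOD
    raise ValueError("unknown check mode: %r" % (mode,))


# Constructed sample data: the device received only part of the CCL upload,
# while the MiY server holds the complete list.
DEVICE_CCL = Source(revoked={"TWIC-0001"})
SERVER_CCL = Source(revoked={"TWIC-0001", "TWIC-0002"})


def demo():
    """Verdict for the cancelled card missing from the device's partial copy,
    under every mode. The OnDevice result is the gap section 4.5.3 warns about."""
    return {m.value: allow(m, DEVICE_CCL, SERVER_CCL, "TWIC-0002") for m in CheckMode}


if __name__ == "__main__":
    for mode, ok in demo().items():
        print("%-32s %s" % (mode, "ALLOW" if ok else "DENY"))
```

Running demo() shows the gap: with OnDevice alone the card missing from the device's partial CCL is admitted, while OnServer and OnDeviceIfNotFoundThenServer reject it. The same function also shows why the OCSP OnDeviceIfPassThenServer mode adds little: it is the ordinary device-then-server combination with a second round trip for every good card.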


4.5.4 Certificate Validation

The TWIC standard does not rely directly on certificate validation, but CRLs can be retrieved and uploaded to the MiY server if desired. This is not required by the TWIC standard because it relies on the TWIC CCL (hotlist).

However, the TWIC standard does recommend the verification of certificate signatures on the device. This means that the TWIC CA chain must be uploaded to all devices, which currently consists of the TWIC ROOT, TWIC CA1 and TWIC CA2 certificates. The device can then verify the signature of all TWIC certificates against this CA chain. Signature verification proves that a certificate was issued by the TWIC CAs; it does not detect a cancelled card, so it complements the CCL check rather than replacing it.

Enable the Verify Certificate Signatures On-Device setting. From the Government Credential/Trusted CAs tab, upload the TWIC trusted CAs (TWIC ROOT, TWIC CA1, TWIC CA2).

4.6 CAC

All non-expired CAC cards should have a PIV applet and you can refer to the PIV standards. However, we also support legacy CAC authentication modes for backwards compatibility and additional use cases.

4.7 Modes

Set the Verify Mode to the desired CAC mode:

• CAC: Verifies CAC card expiration.

• CACPIN: Verifies CAC card expiration and PIN.

• CACPINFinger: Verifies CAC card expiration, PIN and fingerprint.

4.7.1 Certificate Validation

For CAC cards, you would typically use OCSP and specify the OCSP server as http://ocsp.disa.mil.

4.8 Mixed Card Population

Set the Verify Mode to the desired mixed mode:

• AnyCard: Verifies card expiration.

• AnyCardPIN: Verifies card expiration and PIN.

• AnyCardPINFinger: Verifies card expiration, PIN and fingerprint.

Mixed mode allows for higher flexibility in systems where various credential types are used for access, including PIV, TWIC and CAC.

4.8.1 Certificate Validation

Certificate validation is not performed in mixed mode because strict standards are not followed, to allow for flexibility with all card types. Since none of the SCVP, OCSP or CRL checks run in mixed mode, a card whose certificates have been revoked is not rejected on that basis; use mixed mode only where that risk is acceptable.