Public Key Infrastructure: What's Happening Inside and Outside VA

Description:

Direct Directory Lookup being established using LDAP. Improved Integration with VA's Exchange E-mail Directory. VA PKI at ITC 2001. 12. Aug 8, 2001 ... – PowerPoint PPT presentation

Provided by: danmal
Transcript and Presenter's Notes


1
Public Key Infrastructure: What's Happening Inside and Outside VA
  • Presented by
  • Dan Maloney, VHA OI, ES
  • Suzette Holston, VHA OI, MISS
  • and
  • Fred Catoe, VA Office of Cyber Security

2
Today you'll learn
  • Basic PKI Concepts
  • Background of VAPKI
  • Status of VAPKI
  • Identity Proofing
  • Role of Local Registration Authority
  • Federal Government PKI
  • What Some Other Agencies Are Doing
  • How VA is Using PKI
  • VA PKI Web Site http://www.va.gov/vapki.htm

3
Business Issues (1)
  • How do I ensure that an electronic mail message I
    sent or received has not been changed as it moved
    across the Network (VA WAN or Internet)?
  • When receiving electronic mail from the Internet,
    how do you know who sent this message?
  • Who verifies the sender is really who they say
    they are?
  • How can I make my electronic mail message
    unreadable by anyone other than the intended
    recipient?

4
Business Issues (2)
  • How can we strengthen the authentication process
    for access to computer systems? (something you
    know, have, are)
  • How can we create a One VA standard method to
    control access to systems such as Web Servers?
  • How do I know that I am communicating with the
    proper system?
  • How can I be assured that the programming code I
    just received came from the stated source and has
    not been modified?

5
PKI - BASIC PRINCIPLES
  • A pair of related keys as opposed to a single
    shared key
  • When either key encrypts, the other key decrypts
  • The private key is closely guarded and never
    given out - PROTECT YOUR PRIVATE KEY
  • The public key and who it belongs to are publicly
    available (Public Key Certificate)
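
An added example, not part of the original presentation: textbook RSA in Python showing the key-pair principle above, with one subscriber holding separate signature and encryption key sets. The primes, function names and sample message are constructed for illustration; unpadded RSA with these primes only demonstrates the math.

```python
import hashlib

# Constructed demo primes (Mersenne primes): fine for showing the math,
# useless for security. Textbook RSA, no padding.
E = 65537

def make_keypair(p, q):
    """Return (public, private) as ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def apply_key(key, value):
    """The single RSA operation: value^exponent mod n."""
    n, exponent = key
    return pow(value, exponent, n)

def digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private_key, message):
    # The private key transforms the digest; only the key holder can do this.
    return apply_key(private_key, digest(message))

def verify(public_key, message, signature):
    # The public key undoes the transform; anyone with the certificate can check.
    return apply_key(public_key, signature) == digest(message)

def encrypt(public_key, plaintext):
    # Plaintext must be shorter than the modulus and not start with a zero byte.
    return apply_key(public_key, int.from_bytes(plaintext, "big"))

def decrypt(private_key, ciphertext):
    m = apply_key(private_key, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Two key sets for one subscriber, mirroring the signature and encryption
# subscriber certificates the deck lists.
SIG_PUB, SIG_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
ENC_PUB, ENC_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)

if __name__ == "__main__":
    msg = b"Constructed sample: medical evidence extract"
    sig = sign(SIG_PRIV, msg)
    print("signature valid:", verify(SIG_PUB, msg, sig))
    print("tampered valid: ", verify(SIG_PUB, msg + b"!", sig))
    print("recipient reads:", decrypt(ENC_PRIV, encrypt(ENC_PUB, msg)) == msg)
```

The tampered message fails verification because its digest no longer matches the value recovered from the signature, which is the integrity check asked for under Business Issues (1).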

6
Basic PKI Concepts
  • PKI Defined
  • Combination of hardware, software, policies and
    procedures
  • Framework for Public Key Cryptography
  • Asymmetric Key Pair
  • Digital Signature
  • Authentication
  • Encryption

7
Basic PKI Concepts
  • PKI Provides
  • Strong Authentication
  • Data Integrity
  • Confidentiality
  • Non-Repudiation

8
VAPKI Background
  • Established in Fiscal Year 1999
  • Departmentally Managed and Funded
  • VA CIO Council
  • VA Cyber Security Working Group
  • VA Office of Cyber Security
  • Industry Partners
  • Cygnacom Solutions, Inc.
  • VeriSign

9
VAPKI Background
  • Outsourced Certificate Authority
  • Subscriber Certificates
  • Signature
  • Encryption
  • VA Server Certificates for Secure Socket Layer
    (SSL)
  • Service to Sign Application Packets
  • VAPKI Help Desk - vapkihelp_at_cygnacom.com
  • VAPKI Website http://www.va.gov/vapki.htm

10
VAPKI Status
  • VA Directive 6213, VA Public Key Infrastructure
    Signed 6/14/2001
  • VAPKI Certificate Policy in Departmental
    Concurrence 6/20/2001
  • VeriSign Onsite Enterprise Edition Installed
    6/11/2001 (2 key sets, simplified process,
    encryption key escrow)

11
VAPKI Status
  • VAPKI Subscriber Database Installed 6/10/2001
  • VAPKI Local Registration Authority Documentation
    and Training
  • Direct Directory Lookup being established using
    LDAP
  • Improved Integration with VA's Exchange E-mail
    Directory

12
Identity Proofing
  • Positive Identification of PKI Applicants
  • Cornerstone of PKI Integrity
  • VAPKI Requires Face-to-Face ID
  • Compromise Abolishes PKI Trust

13
Role of the Local Registration Authority (LRA)
  • Maintain Integrity of VAPKI Certificate Policy
  • Positively Identify VAPKI Applicants and Issue
    PINs
  • Maintain Subscriber Database for Facility
  • Initiate Certificate Revocation and Recovery

14
Federal Government PKI
  • Federal PKI Steering Committee (FPKISC)
  • Chaired by the General Services Administration
    (GSA)
  • Representation from Civilian and Military
    Agencies
  • Bridging Government PKI programs at the
    International, Federal and the State Level
  • VA Involved Since 1998

15
Federal Government PKI
  • FPKISC Workgroups include Health Care, Business,
    Technical and Legal and Policy
  • Federal Bridge Certificate Authority (FBCA)
  • Managed by FPKISC and GSA
  • Creates trust paths among individual Agency PKIs
  • Employs a distributed model
  • Bridges the gap among dissimilar PKI products
  • Funding received from FPKISC for VA and SSA
    project test cross certification in Healthcare
    environment

16
Federal Government PKI
  • FBCA (Continued)
  • Open and Ready for Business
  • VeriSign will Cross-Certify with FBCA
  • Federal PKI Policy Authority
  • Manage Federal Bridge Certificate Authority
    Certificate Policy
  • Chaired by Treasury
  • Voting Members are OMB, GSA, Treasury, DoD,
    Justice and State
  • VA will become voting member once cross-certified
    with FBCA

17
Federal Government PKI
  • Access Certificates for Electronic Services
    (ACES)
  • Provides signature certificates for public
    (including veterans)
  • Creates PKI for Government Paperwork Elimination
    Act (GPEA) Candidate Applications
  • Administered by GSA
  • Industry Partners are
  • AT&T
  • Digital Signature Trust (DST)
  • Operational Research Consultants (ORC)

18
What Other Agencies Are Doing with PKI
  • Department of Defense (DoD)
  • Federal Emergency Management Administration
    (FEMA)
  • Environmental Protection Agency (EPA)
  • Social Security Administration (SSA)
  • National Institute of Standards and Technology
    (NIST)

19
How VA is Using PKI
  • VAPKI for Secure Electronic Mail
  • Digitally Signed Messages
  • Encrypted for Recipient Only
  • Disaster Emergency Management Program (DEMPS)
  • First VA application PKI-enabled
  • Web-based application PKI-enabled for
    authentication and authorization
  • Currently in beta testing

20
How VA is Using PKI
  • VAPKI and VA's Computer Incident Response
    Capability (VACIRC)
  • Currently Digitally Signed Bulletins and Alerts
  • Future Testing of Encrypted Alerts
  • VA/SSA Medical Evidence Exchange
  • VA Express Smart Card for veterans

21
VA SSA Secure Exchange of Medical Evidence Project
  • Goal - Enable SSA and VA to evaluate viability of
    SSA receiving electronic medical evidence from
    VA, in a private and secure manner
  • Move towards the goal of 95% of responses that
    can be fulfilled with electronic extracts
  • Decrease overall processing time, e.g. days
    elapsed per request for completion
  • Solution in pilot to minimize paper
  • Use standardized extracts from VA Medical
    automation systems
  • Return using encrypted electronic mail messages
  • Pilot at Jackson and Biloxi Mississippi VAMCs
  • Evaluation and management review
  • Duration May 1 to September 1

22
VA/SSA Secure Email: Workstation VistA Data Extract Delivery Flow
Step 1) Create VistA Data Attachment
[Diagram labels: VistA, VistA Data Capture, Network Drive]
  1. Open VistA. Use Health Summary
  2. Initiate Data Capture in terminal emulator
     software with Incoming Data command
  3. Store the file on the network drive and close
     the data capture process
Step 2) Create Email with Data File Attachment
  4. Within Outlook, create a new email including
     the VistA data capture file as an attachment
  5. Apply encryption for message contents and
     attachments and send email to Social Security
     Administration
  6. Delete all VistA data capture files that have
     been saved to the network drive. Files will be
     automatically deleted daily by the system if not
     done so manually.

23
What Information is on the
?
  • On the front of the card is a color photo, bar
    coded SSN, name and patient ID (first letter of
    last name and last 4 digits of SSN).
  • The computer chip stores personal, military
    service, contact, insurance, eligibility,
    employer, and emergency medical information; PIN
    protected, G-8 compatible, GSA compatible
  • The computer chip also stores the digital
    certificate once veterans obtain it.

24
Enabled for PKI Certificates
  • Will allow veterans to conduct business with the
    VA through the Internet from VA Kiosk to enable
    eGovernment
  • Digital signing will allow veterans to legally
    identify themselves without a hand-written
    signature.
  • A password was mailed to veterans soon after they
    received their VA Express Card. The password will
    be used at a kiosk to request a digital
    certificate
  • Will enable veterans to access interactive VA web
    sites, complete electronic forms, digitally sign
    and submit them, when and where it is most
    convenient for veterans.
  • VA and our contractors are working with GSA ACES
    vendors to enable this capability

25
How VA is Using PKI
  • VBA Education Service
  • Considering ACES for Service to Veterans with
  • WAVE - monthly certification of enrollment status
    from veteran to authorize benefit
  • NetCert - Schools certify that veteran is
    enrolled.
  • VONAPP - On line VA educational benefits and
    Compensation and Pension Applications
  • VA Currently Researching PKI Uses With
  • DEA
  • DoD

26
Prescriptions for Controlled Substances
  • Issue - Electronic prescriptions are allowed by
    Drug Enforcement Administration (DEA) for non
    controlled substances. DEA approached VA to help
    to pilot the use of strong technical controls
    like PKI with prescriptions for controlled
    substances
  • DEA is revising existing regulations and wants to
    pilot proposed system
  • Major authentication, integrity, non repudiation,
    privacy and confidentiality requirements
  • Proposed solution to be piloted is to use PKI and
    smart cards
  • Requires major review and adaptation of existing
    VA Medical Automation Systems
  • Analysis and Lab testing stage

27
PKI Lessons Learned
  • On line submission is great for delivery of
    customer service, in addition to traditional
    methods
  • PKI Applications can be easy to use, e.g. SSL,
    secure electronic mail
  • Later versions of applications and browsers are
    more predictable, so specify versions to be used
  • For staff ID proofing, build upon your existing
    organization
  • Initial Setup can be difficult so prepare
    detailed setup documentation
  • PKI is new to many and users will need training
  • Planning and Help Desks are essential

28
Summary
  • If you have an application that needs PKI for
    staff, VA PKI certificates are available now
  • VA PKI is a Viable Component of the VA Security
    Infrastructure
  • ISOs play a Critical Role in VAPKI Integrity
  • VA is Active in Federal PKI Arena
  • VA Embraces ACES for Service to Veterans
  • PKI will Become Ubiquitous in Government

29
For Questions Contact
  • VA PKI Web Site: http://www.va.gov/vapki.htm
  • Help Desk: vapkihelp_at_cygnacom.com
  • Suzette Holston, VHA OI, MISS,
    suzette.holston_at_med.va.gov, 785-350-4546
  • Ruth Anderson, VA Office of Cyber Security,
    ruth.anderson_at_mail.va.gov, 202.273.9842
  • Fred Catoe, VA Office of Cyber Security,
    fred.catoe_at_mail.va.gov, 202.273.8122
  • Dan Maloney, VHA OI, Director of Emerging
    Technologies, daniel.maloney_at_med.va.gov,
    301.734.0107