EPA State PKI Analysis

1
EPA State PKI Analysis

• National Governors Association
• January 9, 2001
• Charleston, South Carolina

2
Items to Discuss

• Security vs Paper Process
• Digital Signatures
• Purpose of the EPA Study
• Items collected during the EPA Study
• State results to date in the EPA Study
• Conclusions

3
Purpose of the EPA Study

• To determine the extent of PKI usage in state
  government agencies
• To demonstrate the use of non-ACES certificates
  in the ACES Certificate Arbitrator Module (CAM)

4
Items collected during the EPA Study

• General Level and scope of PKI activity in state
• State EPA requirements - Does the State EPA
  employ the state or agency certificates for
  compliance report delivery?
• Certificate Policy (CP) and Certificate Practice
  Statement (CPS)- Do these documents exist?
• Requirements for Identity Proofing - individuals
  vs business
• Access Control
• Certificate Validation and Revocation
• System Specifications
• Key Management and Registration
• Payment Model
• Rollout Schedule and Future Plans
• Cross certification

5
State results to date in the EPA Study

• Washington
• Illinois
• Pennsylvania
• North Carolina
• Virginia
• Oregon

6
State of Washington

• Statewide PKI portal called Transact Washington
  (http//transact.wa.gov)
• Each user gets a My Transact homepage with
  links to a registered application and an option
  to register for other applications
• DST is the CA
• Certificate registration, ID proofing, Renewals,
  Revocation, etc are outsourced to DST
• TrustID Individual certificates used now
• Business Rep certificates being considered
• Three certificate assurance levels High,
  Intermediate, Standard
• Current application is sponsored by Department of
  Labor and Industries for worker compensation
  claims

7
State of Washington - contd

• Possible future applications for 2001
• Department of Health - exchange of medical
  records between providers
• Department of Labor and Industries - filing
  workers compensation forms
• Department of Retirement Systems - digitally
  signed financial transfers, management and
  planning
• Department of Revenue - online tax filing
• Employment Security Agency - file unemployment
  taxes

8
State of Illinois

• Running their own CA using Entrust line of PKI
  products hosted by the Department of Central
  Management Services (CMS)
• Anticipate to issue 2 million certificates
  beginning 2001
• Local Registration Authority (LRA) located at
  state agencies and Secretary of State offices
• Citizens can get certificates when they get their
  drivers license
• In-person identity proofing done at these
  facilities
• Subscribers (clients) use either Entrust
  Entelligence client side or Entrust Roaming
  Server Side
• Root Key generation ceremony scheduled for week
  of Jan 15, 2001
• Current Application - Department of Public Aid
• available shortly after root key ceremony
• anticipated to issue 240K certificates via 60
  service providers
• certificates to be used to gain access to
  electronic business and submission forms

9
State of Illinois - contd

• Future applications
• State EPA to use certificates for DMR submissions
  using web-based forms
• Expected deployment is late 2001

10
State of Pennsylvania

• Via the Pennsylvania Department of Environmental
  Protection (DEP)
• Applicants initially fill out a registration form
  online at which time they download an
  authorization form to take to a Notary.
• Identity proofing done in person by a LRA or a
  Notary
• Certificates issued for signatures and
  encryption, as determined by the key usage
  extension field in the certificate
• ORC is CA for the pilot and will serve as
  Certificate Manufacturing Authority (CMA)
• Applications - Department of Environmental
  Protection (DEP)
• DMR submissions
• Certificates used to sign XML-based web forms
• Currently 4K-6K forms submitted each month in
  paper
• Safe Drinking Water Lab Analysis
• Certificates will be used to sign monthly
  analyses submitted from approximately 300 labs to
  DEP
• Pending funding, soft rollout date of March, 2001
  for one or both initiatives

11
State of North Carolina

• PKI efforts headed by Department of Information
  Resource Management (IRM)
• Certificate authorities authorized to issue
  certificates Verisign and Arcanvs
• Certificates used for encryption and signatures
  using different key pairs
• Two assurance levels
• Base
• Strong - requires in-person identity proofing
  before a notary or RA
• Three types of certificates
• unaffiliated individual
• affiliated individual
• organization

12
State of North Carolina - contd

• Just completed PKI pilot with following agencies
• Department of Revenue
• Department of Corrections
• Office of the State Auditor
• Department of Revenue
• Use of state centralized email messaging system
  by encrypting emails on the centralized system in
  order to satisfy privacy requirements
• Used Outlook Express and Netscape Mail
• 20 - 25 certificates were used
• Department of Corrections
• Database maintenance that local, city, and county
  law enforcement agencies can access via
  PIN/password pairs.
• Web-based transactions
• Netscape and Microsoft browsers performed
  certificate management
• Approximately 10 certificates used to
  successfully replace PIN/password

13
State of North Carolina - contd

• Office of the State Auditor
• Certificates used to facilitate encrypted emails
  and files on laptop computers while on-site in
  the field
• Pilots used Verisign On-Site software
• IRM served as the LRA
• Two LRAs served 3 agencies Revenue had their own
  LRA
• Each agency preparing an evaluation report based
  on pilot results
• Based upon report results, statewide strategy
  tentatively scheduled for rollout in March, 2001
• No signatures encryption only due to legal
  concerns although Secretary of State has
  established specific guidelines for digital
  certificates, including digital signatures
• Certificates to be issued to individuals as
  business representatives
• Production rollout to follow same model as pilot
  CA vendor not yet selected

14
State of Virginia

• Formed the digital signature initiative in
  January, 2000.
• Purpose was to test digital certificates from a
  variety of vendors with different applications.
  The summary of their findings, including input
  from DST, can be found on the web site
  http//www.sotech.state.va.us/cots/
• Some agencies ran CA internally, others had a
  service provider.
• Pilots ran about 2 months with fairly minimal
  results.
• Generally still in the formative stages
• Finalizing draft Certificate Policy in
  preparation for the release of their RFP for PKI
  services http//www.itc.virginia.edu/volt/ (VOLT
  stands for Virginia OnLine Transaction)
• PKI usage will be internal as well as with the
  general population and businesses (G2G, G2C and
  G2B)
• Dual key pairs/certificates with NO
  escrow/recovery

15
State of Virginia - contd

• Combination of in-person and online gathering of
  identity information as outlined in their draft
  CP.
• ACES and State of Washington models seem
  attractive to them.
• Also looking at requiring hardware tokens for key
  generation and storage to increase the assurance
  levels.
• Plan to procure an outsourced provider of
  certificates, PIN services, integration services,
  resale of PKI software and other services
  surrounding the implementation of PKI.
• Release is scheduled for Jan2001 with
  implementation to begin in June2001.
• Looking at the Early Adopter program as was done
  in State of Washington and the meetings will
  continue throughout 2001 as they recruit early
  adopters.

16
State of Oregon

• PKI still in the formative stages
• Current thoughts
• Certificate authorities must be certified by the
  state Division of Administrative Services
• Certificates will be Class 1 and are obtained
  directly from a commercial CA derived from the
  approved list
• Pilots under consideration - Department of
  Environmental Quality (DEQ)
• Used for DMR submissions
• Client side software package Waste Discharge
  Electronic Reporting Systems (WADRS) used to help
  user to prepare properly formatted DMR
• Certificate used to either sign the DMR as part
  of WADRS or to sign the entire email, including
  DMR attachment using COTS mail client
• Determination made based upon ability to view
  digitally signed document post signature
• Pilot - late summer 2001 Production - possibly
  December 2001

17
Conclusions

• Most states still in formative stages in PKI
• Issues with developing PKI
• Lack of PKI knowledgeable engineers
• Lack of funding
• Trade-offs associated with PKI
• Technical
• State run CA vs Trusted Third Party (TTP)
• Liability, warranty, privacy concerns
• Lack of knowledge within the states of their own
  PKI initiatives
• ACES model seems to be very appealing for states

18
Contact Information

• EPA CDX PKI lead
• Kimberly Nelson
• 202.260.8152
• Nelson.Kimberly_at_epa.gov

19
Supplementary Information
20
Security vs Paper Services
21
Digital Signatures

• A Transformation of a Message Using Public Key
  Cryptography
• Virtually Impossible to Forge
• Provides a High Level of Security

22
What is PKI?

• A complex suite of hardware, software and
  particular cryptographic components, combined
  with adherence to policies and procedures that
  enable business applications to operate in a
  secure environment.
• Particular cryptographic components used are
  those of public key, or asymmetric, cryptography
  used for digital signatures and, optionally,
  encryption
• Comprised of supporting services, such as a
  Certificate Authority (CA) and Concept of
  Operations (ConOps), as well as legal support of
  a Certificate Policy (CP) and Certificate
  Practice Statement (CPS)

23
What is ACES?

• Access Certificates for Electronic Services
  (ACES)
• Sponsored by General Services Administration
  (GSA)
• Supports the legal frameworks of Government
  Paperwork Elimination Act (GPEA) and e-Signature
  Law

24
ACES Assumptions

• Government has already determined a need for PKI
  security services.
• GPEA
• PDD-63
• Procurement Changes
• Internal performance imperatives

25
ACES Assumptions

• The Government needs to deal with businesses or
  the public on a recurring basis --
• -- monthly, quarterly, ad hoc
• May be remote/unknown to the Government agency
• May be Government trading partners
• May be sectors of the general public, such as
  State EPA reporting entities
• (Why not government-to-government?)

26
Encryption and Decryption

• Plaintext is data that directly represents
  information constituting a message
• Encryption transforms the plaintext data into
  unintelligible data called ciphertext
• Decryption transforms ciphertext data back to the
  original plaintext data