piv token issuance piv token issuance
play

PIV Token Issuance PIV Token Issuance Ketan Mehta - PowerPoint PPT Presentation

Dec 21, 2023 •180 likes •324 views

PIV Token Issuance PIV Token Issuance Ketan Mehta Mehta_Ketan@bah.com October 6, 2004 1 Agenda Agenda Definition and Purpose Issuance Process Token Issuance Authority Requirements Token Personalization Requirements

  1. PIV Token Issuance PIV Token Issuance Ketan Mehta Mehta_Ketan@bah.com October 6, 2004 1

  2. Agenda Agenda • Definition and Purpose • Issuance Process • Token Issuance Authority Requirements • Token Personalization Requirements • Standards Compliance 2

  3. Definition and Purpose Definition and Purpose • Definition o The process of issuing identity credentials on a token • Purpose o Provide an identity token to the applicant o Create and maintain a directory server that reports on the status of the token 3

  4. PIV Token Issuance Process PIV Token Issuance Process Query Database for 1 Verify Identity Duplicate . 2 Verify Person Authentication Token & Data Update Update Database with a Issuance New Record 3 4 Verify/Edit Database User Data, Token Issuance Collect Authority Fingerprint & Photo 4

  5. PIV Token Issuance Process PIV Token Issuance Process Query Database for 1 Verify Identity Duplicate . 2 Verify Person Authentication Token & Data Update Update Database with a Issuance New Record 3 4 Verify/Edit Database User Data, Token Issuance Collect Authority Fingerprint & Photo 6 Generate 5 Public/Private Key Begin Token Pair Generation Process User Selects PIN Print Token Initialize Token Install Demographic Data onto Token 5

  6. PIV Token Issuance Process PIV Token Issuance Process Query Database for 1 Verify Identity Duplicate . 2 Verify Person Authentication Token & Data Update Update Database with a Issuance New Record 3 4 Verify/Edit Database User Data, Token Issuance Collect Authority Fingerprint & Photo Obtain Public Key Certs from CA 6 8 Generate 5 CERT Public/Private Key Begin Token Pair Generation Process User Selects PIN PKI Print Token Initialize Token Applets Repository Install Demographic Data onto Token CERT 7 Public Key sent to CA CA 6

  7. PIV Token Issuance Process PIV Token Issuance Process Query Database for 1 Verify Identity Duplicate . 2 Verify Person Authentication Token & Data Update Update Database with a Issuance New Record 3 4 Verify/Edit Database User Data, Token Issuance Collect Authority Fingerprint & Photo Obtain Public Key Certs from CA 6 8 Generate 5 CERT Public/Private Key Begin Token Pair Generation Process User Selects PIN PKI Print Token Initialize Token Applets Repository Install Demographic Data onto Token CERT Install Public-Key 7 Certificates and Private 9 Key on Chip CERT CA Public Key sent to CA 7

  8. PIV Token Issuance Process PIV Token Issuance Process 11 Update Registry 1 Verify Identity Query Database . 2 Verify Person Authentication Token Token & Data Update Status Issuance Update Database 3 4 Registry Verify/Edit Database User Data, Token Issuance Collect Authority Fingerprint & Photo Obtain Public Key Certs from CA 6 8 Generate 5 CERT Public/Private Key Begin Token Pairs Generation Process User Selects PIN PKI Print Token Initialize Token Applets Repository Install Demographic Data onto Token CERT 10 Issue Token Install Public-Key 7 Certificates and Private 9 Key on Chip CERT CA Public Key sent to CA 8

  9. Token Issuance Authority Requirements Token Issuance Authority Requirements Issuance authority shall assure that PIV tokens cannot be cloned, • counterfeited, modified without authorization, probed to obtain cryptographic keys, and used to gain access by anyone other than the authorized applicant. All applicants that are issued a PIV token must appear in person to obtain • credentials. The PIV token personalization shall include printing of photograph, name and • information on the token as well as loading the relevant Token applications, biometrics, Personal Identification Number (PIN), PKI certificates, and symmetric keys. Biometric characteristics captured during the PIV token personalization • include two index fingerprints and a digital photograph. Issuance authority will maintain a LDAP directory server that reports on the • status of the token and may provide additional authentication services. Issuance authority may acquire Certificate Authority services who shall • maintain and operate Certificate Revocation List and On-line Certificate Status Protocol. 9

  10. Token Issuance Authority Requirements Token Issuance Authority Requirements Access to LDAP and OCSP servers will be authenticated and access to the • status information is at the agency discretion; agencies may choose to make the certificate or token status information publicly available to unauthenticated parties. All certificates issued to support PIV token authentication shall be issued • under the id-CommonHW policy as defined in the X.509 Certificate Policy for the Common Policy Framework. This standard mandates the inclusion of a 1024-bit RSA Identity • Authentication key within a PIV token. The associated certificate and all other certificates in the verification chain including the Root trust anchor must be included on the PIV token. Digital signatures (optional feature) generated by infrastructure components • must be generated using 2048-bit RSA private keys. 10

  11. Token Personalization Requirements Token Personalization Requirements Following authentication data is required on the token: • A Token holder unique identification string (CHUID) o Personal Identification Number (PIN) o Biometric templates o Symmetric keys o Asymmetric key pairs and associated certificates o Biometric match-on-card is NOT required • The token shall support contact (ISO 7816) and contactless (ISO 14443) • interfaces. The standard does not require dual interface readers; an agency can choose contact readers for logical access application and contactless readers for physical access. The assurance levels being considered require both symmetric and asymmetric • key challenge-response protocols. In addition to these operations, the agency may require Token holder to submit PIN. The CHUID and biometric templates shall be stored in the root file system of • the Token. The CHUID must be openly readable. 11

  12. Standards Compliance Standards Compliance The format of the CHUID shall be as defined in PACS • The format of biometric templates shall be as defined in CBEFF • The public key certificates stored on the PIV token shall conform to RFC 3280 • The internal format of cryptographic keys stored on the Token is not specified • in this standard The physical access control systems where the reader is not connected to • general purpose desktop computing system, the reader-to-host system interface is not specified in this standard. The CHUID data element that contains the Token holder’s FASC-N identifier • is used for various symmetric key based challenge-response schemes that are specified within the PACS model. 12

  13. Questions Questions Comments Comments Discussion Discussion 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HOTNOW HOT Token HOTNOW l TOKEN SALE THE FIRST UTILITY TOKEN WITH REAL INTRINSIC VALUE REINVENT

HOTNOW HOT Token HOTNOW l TOKEN SALE THE FIRST UTILITY TOKEN WITH REAL INTRINSIC VALUE REINVENT

HOTNOW HOT Token HOTNOW l TOKEN SALE THE FIRST UTILITY TOKEN WITH REAL INTRINSIC VALUE REINVENT DIGITAL MARKETING BY ENABLING THE FIRST GAMIFIED ONLINE-TO-OFFLINE ECONOMY FOR EMERGING ASIA PURPOSE Make Digital Marketing Accessible For All

374 views • 14 slides
Waste Biofuel Circular Economy | Zero Emissions GREEN BOND ISSUANCE Using Blockchain Technology

Waste Biofuel Circular Economy | Zero Emissions GREEN BOND ISSUANCE Using Blockchain Technology

Waste Biofuel Circular Economy | Zero Emissions GREEN BOND ISSUANCE Using Blockchain Technology Securities and Markets Regulation according to CNMV criteria ESI Supervisor: N EAF: 212 STO (SECURITY TOKEN OFFERING) WASTE BIOFUEL WBT

545 views • 17 slides
Kidnapping's Cesar Cerrudo Revenge Argeniss Token Token Who am I? Who am I? Argeniss

Kidnapping's Cesar Cerrudo Revenge Argeniss Token Token Who am I? Who am I? Argeniss

Kidnapping's Cesar Cerrudo Revenge Argeniss Token Token Who am I? Who am I? Argeniss Founder and CEO A i F d d CEO I have been working on security for + 8 years I have found and helped to fix hundreds of

335 views • 16 slides
Token Ring Developed by IBM, adopted by IEEE as 802.5 standard Token rings latter

Token Ring Developed by IBM, adopted by IEEE as 802.5 standard Token rings latter

Token Ring Developed by IBM, adopted by IEEE as 802.5 standard Token rings latter extended to FDDI (Fiber Distributed Data Interface) and 802.17 (Resilient Packet Ring) standards Nodes connected in a ring Data always flows in

809 views • 16 slides
GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface

GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface

GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface NIIBE Yutaka <gniibe@fsij.org> FOSDEM 2018 This is a talk of my experience to have better control (by its user) of computing for privacy

610 views • 37 slides
MUNICIPAL DEBT ISSUANCE FUNDAMENTALS SESSION 1: THE PATH TO ISSUANCE SEPTEMBER 9, 2020 Jay

MUNICIPAL DEBT ISSUANCE FUNDAMENTALS SESSION 1: THE PATH TO ISSUANCE SEPTEMBER 9, 2020 Jay

MUNICIPAL DEBT ISSUANCE FUNDAMENTALS SESSION 1: THE PATH TO ISSUANCE SEPTEMBER 9, 2020 Jay Goldstone, Former Chief Operating Officer and Chief Financial Officer, City of San Diego Steve Heaney, Former Co-Head Municipal Securities Group, Stifel

744 views • 49 slides
STEPS FOR REPORTING DEBT ISSUANCE TO CDIAC: REPORT OF PROPOSED DEBT ISSUANCE (RPDI) & REPORT

STEPS FOR REPORTING DEBT ISSUANCE TO CDIAC: REPORT OF PROPOSED DEBT ISSUANCE (RPDI) & REPORT

STEPS FOR REPORTING DEBT ISSUANCE TO CDIAC: REPORT OF PROPOSED DEBT ISSUANCE (RPDI) & REPORT OF FINAL SALE (RFS) WILL BEGIN SOON Upcoming CDIAC Events MARCH 17-19, 2015 DATE AND LOCATIONTO BE ANNOUNCED Municipal Debt Essentials

486 views • 17 slides
Token to Words Expanding identified token to words numbers+type = word list

Token to Words Expanding identified token to words numbers+type = word list

Token to Words Expanding identified token to words numbers+type = word list homographs+type = words symbols broken down and pronounced unknown words: as word or letter sequence 11-752, LTI, Carnegie Mellon (define (token_to_words

836 views • 48 slides
Item 4. ESER 2010 Final Issuance and ESER 2014 2 nd Issuance 1 Earthquake Safety and Emergency

Item 4. ESER 2010 Final Issuance and ESER 2014 2 nd Issuance 1 Earthquake Safety and Emergency

Item 4. ESER 2010 Final Issuance and ESER 2014 2 nd Issuance 1 Earthquake Safety and Emergency Response (ESER) 2010 and 2014 General Obligation Bond Programs Presentation to the Capital Planning Committee February 22, 2016 PSB: West faade

234 views • 10 slides
Co-Founder, Managing Partner, SPiCE VC - Security Token Pioneers @AmiBenDavid 1 st Fully

Co-Founder, Managing Partner, SPiCE VC - Security Token Pioneers @AmiBenDavid 1 st Fully

P R E S E N T A T I O N B Y A M I B E N D A V I D Co-Founder, Managing Partner, SPiCE VC - Security Token Pioneers @AmiBenDavid 1 st Fully tokenized VC fund 4 th ever Security Token 1 st Regulation-enforcing Token (DS Protocol) Focused on

488 views • 21 slides
BEYOND THE CLOSING BEYOND THE CLOSING A Guide to Post A Guide to Post- -Issuance Issuance

BEYOND THE CLOSING BEYOND THE CLOSING A Guide to Post A Guide to Post- -Issuance Issuance

BEYOND THE CLOSING BEYOND THE CLOSING A Guide to Post A Guide to Post- -Issuance Issuance Compliance Compliance Presented by: Womble Carlyle Sandridge & Rice, PLLC Paul H Billow Paul H. Billow G. Thomas Lee Activities relating to a

655 views • 27 slides
Issuance of Taxable Wastewater Refunding Bonds Sets debt issuance limitations/requirements. 1.

Issuance of Taxable Wastewater Refunding Bonds Sets debt issuance limitations/requirements. 1.

Issuance of Taxable Wastewater Refunding Bonds Sets debt issuance limitations/requirements. 1. Provides Committee/Council with expectations for 2. sale results and staff performance. Provides staff flexibility to set/change sale date 3. and

445 views • 10 slides
Lecture 19: Dictionaries Counting Words Creating token from a text file: 1 def file to

Lecture 19: Dictionaries Counting Words Creating token from a text file: 1 def file to

Lecture 19: Dictionaries Counting Words Creating token from a text file: 1 def file to tokens(filename): 2 with open (filename) as fin: 3 return fin.read().split() Create token counts for each unique token: 1 def wc list(tokens): 2 uniq =

259 views • 7 slides
Bond Issuance 6.50% p.a. indicative rate in USD (Swap equivalent level in EUR and GBP:

Bond Issuance 6.50% p.a. indicative rate in USD (Swap equivalent level in EUR and GBP:

Bond Issuance 6.50% p.a. indicative rate in USD (Swap equivalent level in EUR and GBP: indicatively 5% p.a. in EUR and 5.50% p.a. in GBP) For a 2yr Issue from a USD500mio Note Issuance Programme Listed in Luxembourg Transaction Highlights

418 views • 13 slides
Security model for hybrid token-based networking models By Rudy Borgstede Contents

Security model for hybrid token-based networking models By Rudy Borgstede Contents

Security model for hybrid token-based networking models By Rudy Borgstede Contents Project Background Complex Resource Provisioning and Token-Based Networking Token Validation Service, the Java Aaauthreach project

504 views • 21 slides
Bond Issuance, Muni A Bond Issuance, Muni Advisor R visor Rule and le and Continuing Disclosure

Bond Issuance, Muni A Bond Issuance, Muni Advisor R visor Rule and le and Continuing Disclosure

Bond Issuance, Muni A Bond Issuance, Muni Advisor R visor Rule and le and Continuing Disclosure Continuing Disclosure Presenters: Lawrence Flynn Walter Goldsmith Topics for Discussion Continuing Disclosure - Background and post-MCDC

364 views • 20 slides
OPEN BANKING TALES FROM THE FRONTIER Anca Zaharia Jason Maude @ancaleuca @jasonmaude What is

OPEN BANKING TALES FROM THE FRONTIER Anca Zaharia Jason Maude @ancaleuca @jasonmaude What is

OPEN BANKING TALES FROM THE FRONTIER Anca Zaharia Jason Maude @ancaleuca @jasonmaude What is open banking? The legislation and associated technology that allow customers of financial institutions greater control of data that those

712 views • 43 slides
#MicroFocusCyberSummit Shifting Security Left Bringing security into continuous integration and

#MicroFocusCyberSummit Shifting Security Left Bringing security into continuous integration and

#MicroFocusCyberSummit Shifting Security Left Bringing security into continuous integration and delivery Brenton Scott Witonski <>< , Acxiom Brandon Spruth, Target Lucas von Stockhausen, Fortify #MicroFocusCyberSummit WHY ARE YOU

711 views • 44 slides
Riverwalk Transportation & Access Summit #1 April 26, 2017 AGENDA 6:00 PM Introduce

Riverwalk Transportation & Access Summit #1 April 26, 2017 AGENDA 6:00 PM Introduce

Riverwalk Transportation & Access Summit #1 April 26, 2017 AGENDA 6:00 PM Introduce project team 6:10 PM Project purpose, approach and transportation and access plan toolbox 7:00 PM Activity in groups with facilitators - challenges,

771 views • 28 slides
The Right Fit Pilot RFPP Overview Project Case Management - navigator support model

The Right Fit Pilot RFPP Overview Project Case Management - navigator support model

Overview The Right Fit Pilot RFPP Overview Project Case Management - navigator support model Presentation: Housing Central Testing systems change Understanding/addressing the affordable November 2018 accessible housing gap

198 views • 4 slides
An open protocol to allow secure authorization in a simple and standard method from web, mobile

An open protocol to allow secure authorization in a simple and standard method from web, mobile

An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. OAuth 2.0 Definition Why is this relevant for IXP operators? OAuth 2.0 Roles The resource owner is the user - you

523 views • 29 slides
A Consumer-Centric Architecture for Energy Data Analytics Rayman Preet Singh, S. Keshav, and Tim

A Consumer-Centric Architecture for Energy Data Analytics Rayman Preet Singh, S. Keshav, and Tim

A Consumer-Centric Architecture for Energy Data Analytics Rayman Preet Singh, S. Keshav, and Tim Brecht 1 Home Energy Data 2 Smart Meter Deployments Trials Water Electricity Gas 3 Projects Energy Retail Association Energy Data Use

267 views • 23 slides
NCCoE: Mobile App Single-Sign On Achieving a secure, reliable, accessible SSO solution for Public

NCCoE: Mobile App Single-Sign On Achieving a secure, reliable, accessible SSO solution for Public

NCCoE: Mobile App Single-Sign On Achieving a secure, reliable, accessible SSO solution for Public Safety & First Responders 2017 PUBLIC SAFETY BROADBAND STAKEHOLDER MEETING 1 #PSCR2017 Introductions Bill Fisher NIST, National

453 views • 29 slides
Slovak Banking API Standard. Rastislav Hudec, Marcel Laznia 01. Slovak Banking API Standard:

Slovak Banking API Standard. Rastislav Hudec, Marcel Laznia 01. Slovak Banking API Standard:

Slovak Banking API Standard. Rastislav Hudec, Marcel Laznia 01. Slovak Banking API Standard: Introduction 1.1 Why did SBA decide to prepare API standard? We knew that from January 13, 2018, banks in Slovakia had to open for the Third

368 views • 32 slides

More recommend