Federal Internet Law & Policy
An Educational Project
Crypto :: PKI & Federal Bridge
"On the Internet, no one knows you are a dog."
- Peter Steiner, New York Times Cartoon 1993
In the magnificent anti-utopian film Brazil, the hero of the movie, Sam Lowry, is promoted from the bowels of the dark bureaucracy to a new position with the Information Retrieval Office. On his first day at the new office, he is baffled at the door by "not even a pretense of a security check." Our hero declares to the door clerk, "My name is Sam Lowry."
"You're expected," says the clerk.
"Don't you want to search me?"
"No, sir," says the clerk.
"My I.D. cards?" suggests Sam.
"No need, sir."
"But I could be anybody," declares Sam.
"No you couldn't, sir," retorts the clerk.
The invasive utopian vision of Brazil is quite contrary to existence in cyberspace; you can be anybody. And this creates a bit of an issue of authenticating just who you might be. One mechanism of authenticating the identity of parties is through Public Key Infrastructure (PKI).
PKI establishes the identity of a party and then associates that identity with a cryptographic key. The US National Institute for Standards and Technology (NIST) describes PKI as follows:
A public key cryptographic system is a cryptographic system where two mathematically related keys are used to encipher and decipher information. In a public key cryptographic system, one key is used to encipher or decipher the information and other key is used to perform the reverse operation. One of the keys must be kept secret and that is known as a private key, while the other key may be distributed to anyone and is called the public key. Within a PKI, a data structure called a certificate is used to bind a specific identity to a specific public key and information on how the public key can be used... Certification Authorities (CAs) are trusted entities that issue certificates to users within a PKI and provide status information about the certificates the CA has issued.
[NIST Bridge Certificate Authorities]
The PKI can authenticate multiple aspects of transactions. It can:
- Authenticate the individual,
- Authenticate the message (the message sent is the message received),
- Establish non-repudiation (correspondents cannot deny the transaction), and
- Assure confidentiality (only the authorized parties to the transaction can read the transaction).
Here is the dance:
Step 1: Individual goes to certificate authority who
Step 2: issues a credential and
Step 3: posts the credential to certificate repository.
Step 4: Individual interacts with relying party who
Step 5: consults certificate repository which
Step 6: authenticates individual.
Step 7: Relying party responds to individual.
The NIST Computer Security Resource Center is taking a leadership role in the development of a Federal Public Key Infrastructure that supports digital signatures and other public key-enabled security services. NIST is coordinating with industry and technical groups developing PKI technology to foster interoperability of PKI products and projects. In support of digital signatures, NIST has worked with the Federal PKI Steering Committee to produce digital signature guidance. [CSRC PKI]
Federal Bridge Certificate Authority
PKI is great: a key that enables transactions. A dilemma arises, however, from the creation of multiple, incompatible public key systems. With a plethora of federal agencies and offices using multiple PKIs, any party seeking to do transactions with federal offices could face a burden. One cumbersome solution is to get a key for every system and have a key collection that looks like a high school janitor's. Another solution, which minimizes the number of keys, is to create one unified system. While some countries have adopted a national unified PKI, the US has not. A third solution is a bridge that links certificate authorities together. This is the solution of the Federal Bridge Certificate Authority.
The Federal Bridge Certificate Authority (FBCA) (not to be confused with the FCBA) makes keys from participating certificate authorities (CAs) interoperable. It is an intermediary which recognizes the credibility and authenticity of key A and key B, recognizing the keys as meeting the demands of the other. Note that the Certificate Authorities, not users, interface with the FBCA. The result is fewer keys needed in order to interoperate with more bodies. (CAs can also have direct relationships with each other instead of cooperating through a Bridge Authority.)
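The bridge arrangement described above can be modelled as path building over cross-certificates. The following is an added example, not code from the FBCA or from this page; the CA names, user names and repository contents are hypothetical, and only issuer/subject name chaining is modelled (no signatures, validity or revocation checks).

```python
from collections import deque
from typing import NamedTuple

class Cert(NamedTuple):
    issuer: str    # CA that signed this certificate
    subject: str   # party whose public key it certifies
    is_ca: bool    # True if the subject may itself issue certificates

# Constructed repository for illustration; every name here is hypothetical.
REPOSITORY = [
    Cert("Agency A CA", "Agency A CA", True),   # self-signed trust anchors
    Cert("Agency B CA", "Agency B CA", True),
    Cert("Agency A CA", "Bridge CA", True),     # A <-> bridge cross-certificates
    Cert("Bridge CA", "Agency A CA", True),
    Cert("Agency B CA", "Bridge CA", True),     # B <-> bridge cross-certificates
    Cert("Bridge CA", "Agency B CA", True),
    Cert("Agency B CA", "bob@agency-b.example", False),
    Cert("Agency C CA", "carol@agency-c.example", False),  # C is not cross-certified
]

def build_path(subject, trust_anchor, repository=REPOSITORY):
    """Return the certificate chain from trust_anchor down to subject, or None.

    Models name chaining only: signatures, validity periods, revocation
    status and policy constraints are deliberately left out.
    """
    queue = deque([c] for c in repository
                  if c.subject == subject and c.issuer != c.subject)
    seen = {subject}
    while queue:
        path = queue.popleft()
        issuer = path[0].issuer          # who vouches for the top of the chain?
        if issuer == trust_anchor:
            return path                  # reached a CA the relying party trusts
        if issuer in seen:
            continue                     # cross-certificates form cycles; skip
        seen.add(issuer)
        for c in repository:
            if c.subject == issuer and c.is_ca and c.issuer != c.subject:
                queue.append([c] + path)
    return None

def without_bridge(repository=REPOSITORY):
    """The same repository with every bridge cross-certificate removed."""
    return [c for c in repository if "Bridge CA" not in (c.issuer, c.subject)]

if __name__ == "__main__":
    for who in ("bob@agency-b.example", "carol@agency-c.example"):
        chain = build_path(who, "Agency A CA")
        print(who, "->", [f"{c.issuer} => {c.subject}" for c in chain] if chain else "no trust path")
```

A relying party that trusts only Agency A CA reaches Bob's certificate through two cross-certificates, while Carol's issuer, which never cross-certified with the bridge, stays outside the trust domain.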
The FBCA sits organizationally under the Federal CIO Council. The governing body is the Federal PKI Policy Authority. Initial participants include GSA, Department of Justice, Department of Commerce, NSA, OMB, and Department of Treasury. Contact information and the forms needed to cross-certify with the FBCA are available at the FBCA website.
Federal Government Activity
- April 21, 2005 -- Draft Special Publication 800-57, Recommendation for Key Management: Part 1 (General) and Part 2 (Best Practices for Key Management Organizations)
Drafts of NIST Special Publication 800-57 Recommendation for Key Management, Parts 1 and 2 are available for public comment. This Recommendation provides cryptographic key management guidance. Part 1 provides guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies.
Comments will be accepted on Part 1 until June 3, 2005. Please send comments to Key_mgmt@nist.gov, with "Comments on SP 800-57, Part 1" in the subject line. Comments will be accepted on Part 2 until May 18, 2005. Please send comments to Key_mgmt@nist.gov, with "Comments on SP 800-57, Part 2" in the subject line.
- Federal Public-key Infrastructure Business Working Group (FPKI-BWG): "The FPKI-BWG co-chaired by GSA and the ACES vendors, brings together agency and ACES vendor representatives in a forum designed to discuss both agency-specific and cross-cutting agency PKI needs and how those needs can be reached. The group is developing a business case analysis and having agencies present their PKI implementation 'best practices'. The group is exploring different PKI solutions suited to each agency's applications. The BWG will interact and work in cooperation with the technical, and legal and policy working groups."
- PKI Interoperability
- FBCA Federal Bridge Certificate Authority "The FBCA is a non-hierarchical “hub” that is designed to permit disparate agency public key infrastructures to interoperate seamlessly. In essence, the FBCA allows the recipient to accept with confidence the sender’s electronic credential (the certificate) and thus permits the transaction to consummate."
- US National Archives and Records Administration, Records Management Guidance for Agencies Implementing Electronic Signature Technologies.
- Department of Treasury, Electronic Authentication Policy <www.fms.treas.gov/eauth/>.
- NCS Public Key Infrastructure