Digital Trust

Emerging Technology Presentation from CTST

May 7, 2009 · 3 Comments

Earlier this week I gave a presentation on an Emerging Technology panel at Card Tech Secure Tech (CTST) in New Orleans. Much of the content was taken from the Virginia Security Summit presentation given a week prior, but I elaborated on using smart cards for strong authentication. A couple of the slides got into using digital certificates to prove someone’s “real” identity to a relying party using OpenID extensions and digital certificate path discovery & validation.

Where do we go from here? I would like to see some of the identity verification concepts that I touched on in the presentation be tested in a pilot. There are also opportunities here to evolve the OpenID specs and extensions, such as PAPE. TrustBearer would like to continue this discussion and explore some pilot ideas. Contact me if you are interested.


The TrustBearer Roadshow Moves from San Francisco to New Orleans

May 1, 2009 · Leave a Comment

Last week TrustBearer was at the RSA Conference. Next week, we will be in New Orleans, at Card Tech Secure Tech 2009: The Americas (CTST).

TrustBearer Poker Tables

We had a righteous time at RSA. We showed off our latest engineering accomplishments. We had a party, sponsoring poker tables at Verisign’s casino night. And we observed the apparent themes of this year’s conference.

Overheard here and there in the Moscone Center at the RSA conference was an adage, something like “nothing is new at such an industry conference”. You could add that a genuinely new technology and one that is repackaged to look new are hard to tell apart.

At RSAC, many product claims mirrored the world we live in. For several years now, many companies have bragged about the ‘greenness’ of their products. This year, adapting to economic realities, many businesses have marketed their products as pedestrian and cost-effective, the latter a trusted stand-by for marketers. Companies also swarmed naturally toward the health care and government verticals, owing to presidential directives, economic stimulus packages, and the admission that these are the more vibrant parts of the current economy.

Just as with economic factors, broader technological trends have found a place in the messaging of security and identity companies. There is virtualization, for one. Consider also smart phones and mobile communications. There were dozens of companies at RSA showing mobile products; several of these are singularly devoted to two-factor authentication with mobile phones. Perhaps the most pervasive marketing meme in this regard was the talk of cloud computing and services: “security in the cloud”.

You might say ‘TrustBearer is Moving PKI to the Cloud’

With anxiety, I write that we’re moving PKI to the cloud in order to improve credential management and end-user authentication. But this is a tiresome, clichéd way to say it.

A core philosophy of TrustBearer products is the simplification of using credentials with PKI. We use modern web technologies, what you might call Web 2.0 or cloud services, to achieve this. However, the principle of our approach is actually to relocate the gears of PKI from the client to a dynamic, centrally managed service. We want to free the end-user of PKI from burdensome tasks and decisions.

What’s New

Our latest products and features continue to simplify the issuance, management, usage, and renewal of identity credentials. At RSA, we showed how we’ve integrated TrustBearer technology with Verisign Managed PKI to improve the user experience:

Improved Installation
We’ve reduced the steps required to install our cross-platform browser add-on. The installation does not require administrative rights and does not require the browser to be restarted, or even refreshed.

2-Click Issuance; 0-Click Renewal
With two clicks, users are issued a PIN-protected, federally-validated certificate, which is linked to an existing account for two-factor authentication.

2-Click Enrollment

When a certificate is going to expire, it can be auto-renewed. This is managed by a policy, but in the simplest sense a user’s certificate is automatically updated, without user interaction.

Auto Certificate Renewal

The case of renewal illustrates the work we’ve been doing to make PKI easier to administer. At the server, TrustBearer provides a central place to manage policies for keys; certificate issuance and renewal; whitelisting and blacklisting authentication factors (e.g. software tokens); and delegating trust.

Newly Supported Devices
We now support Trusted Platform Modules, a built-in crypto-processor found on almost all business PCs. We’ve also developed a software token, encrypted with AES-128 or AES-256, for users who don’t have a hardware token.

If you are interested in a demo, contact us.


Presentation on OpenID, SAML and Authentication

April 29, 2009 · 1 Comment

This past Monday I gave a presentation as part of the Identity Management track at the first Virginia Security Summit in Richmond, VA. The audience here was a mixture of Virginia state & local technology decision makers (CIO / CTO) and implementers. This included local government, education and transportation representatives.

The session description was rather broad.

A comprehensive security plan has to start with user authentication. It is not an easy task when the range of users is constantly growing and shifting, as are potential threats. Using just one tactic is not enough – it takes a combination of technologies and procedures. This session looks at the latest technologies and approaches as well as their strengths and shortcomings.

So, I decided to give a primer on the Security Assertion Markup Language (SAML) and OpenID single sign-on standards. At the beginning of the presentation I took a poll of the crowd and found that about one quarter of those in attendance (~50 people) knew something about each of these standards.

In addition to comparing and contrasting SAML and OpenID, I also talked about several strong authentication options available for each of these SSO standards. I basically wanted to convey that there are better options than making users (citizens) create yet another username & password, and that various strong authentication technologies can be used with both OpenID & SAML.

One resource online that really helped me frame some ideas was the Overlap of identity technologies article published on the Google OAuth & Federated Login Research site. This is an excellent summary authored by Eric Sachs, Ashish Jain, and Paul Madsen. Thanks, guys.

I’m going to be giving a similar, but more authentication focused talk at CTST in New Orleans next Tuesday, May 5. Track D: Emerging Technology, D14: Smart Cards, Tokens & Digital Identity, 4:00 PM – 5:30 PM. Hope to catch some of you out there.


Calling all device providers: Get your own OpenID & SAML Provider

March 20, 2009 · Leave a Comment

Just over a year ago we launched the first* OpenID Provider that exclusively supported smart cards and other USB security devices. Last summer we added SAML login support for Google Apps & Salesforce.com. One of the groups of people that has been most interested in our OpenID provider has been device manufacturers: the companies that make and resell smart cards, biometric readers, and various other types of USB security devices.

TrustBearer OpenID gives these device providers a simple way to demonstrate the value of their devices to end users. It lets users login to useful online services with a very secure cryptographic hardware device. The one question that these customers might have is: Who is TrustBearer?

We are answering that question today by making it irrelevant! TrustBearer is now offering a service to create and host custom-branded OpenID & SAML Identity Providers for security device providers and resellers. This service includes:

  • A custom URL (such as https://superCard.mySmartID.com)
  • Custom graphics and theme for the site
  • Custom application settings & links for OpenID & SAML sites that are relevant to their customers

We are charging a one-time set-up fee and a monthly fee to create and host this service. Please contact us if you are interested.

Custom OpenID / SAML Identity Provider

* I believe we were the first to launch an OpenID Provider that exclusively supported smart cards. C’mon, it made Slashdot.


Recap of the March 2009 Government Smart Card IAB Meeting

March 9, 2009 · 2 Comments

It’s been a busy year so far. Last week we began our full-time presence in DC. I moved from Fort Wayne to DC and will be working in the city for the foreseeable future. Our company headquarters will stay in Fort Wayne, and will continue to be the primary site of our software engineering team. The DC office will serve as both a business development and client support location. Most of our customers are in the greater-DC area, and it makes a lot of sense for us to have full-time staff here. It is good to be back.

GSC IAB banner

Every month or so, the Government Smart Card Interagency Advisory Board (IAB) holds a public meeting to discuss the HSPD-12 State of the Union. There are several presentations given about notable smart card and related projects, and there’s plenty of time for Q&A as well as networking. The meetings are attended by both government employees & contractors as well as many vendors. Normally, we wouldn’t make a special trip from Fort Wayne to DC for these meetings, but now that I’m local I’ll be attending these meetings more often.

For this March 5th, 2009 meeting located in the GSA Auditorium we got to hear from the following speakers:

  • Tim Baldridge (NASA) gave the opening and closing remarks, as well as an update on the PAIIWG id, which is being built on the PIV GUID.
  • Judy Spencer (GSA) talked about the future of the government’s Identity Management Strategy and the creation of the Federal Identity, Credential, and Access Management (ICAM) sub-committee
  • Jarrod Frahm (Dept. of State) gave an interesting presentation on how the Dept. of State is using a separate smart card with Match-On-Card Biometrics for authentication, and mentioned the department’s plans for merging this MoC smart card with their PIV smart cards.
  • Craig Wilson (FEMA) gave a summary of the impressive Winter Chill exercise that took place earlier this year. First Responders with PIV, CAC and FRAC smart cards performed geo-location-aware, near-real-time electronic validations across the US. This exercise was used to demonstrate the capabilities of validating cardholders in the field who might be relocated during a disaster.
  • Steve Duncan (GSA) was scheduled to give an update on GSA’s Managed Service Office (MSO) Shared Service Providers, but had to cancel at the last-minute.
  • Bill MacGregor (NIST) followed-up on the Dept. of State’s match-on-card biometric project and commented on NIST’s stance of MoC support on PIV cards.

The presentations should eventually make their way up to the GSC IAB web site. FIPS201.com has posted audio from previous IAB meetings. I learned something new from all of the presentations. I’ll comment on a few items that I found especially interesting.

ICAM: The Future of the Government’s IDM strategy

  • The ICAM sub-committee is being co-chaired by Judy Spencer & Paul Grant (DoD). The fundamentals haven’t changed: The IdAM guidance will be built upon the eAuthentication’s M-04-04 and NIST SP 800-63.
  • The eAuth portal will be moving from SAML version 1 to 2. 
  • eAuth will be partnering with Liberty Alliance for levels 1 and 2.
  • Commercial digital certificates that are cross-certified with the Federal Bridge are now available from VeriSign. (See the Press Release)
  • ICAM’s next steps are to publish a PIV Interoperability for non-federal entities guide & publish an ICAM roadmap & implementation guide. Also, they plan to establish a Citizen Outreach Focus Group

BLADE / PKI – Department of State

  • BLADE: “Biometric Logical Access Development & Execution”
  • Before PIV cards were widely available, the Dept. of State started a pilot program that allows users to access applications using a smart card and match-on-card biometric applet in-place-of or in-addition-to a PIN. Due to the size & compatibility requirements of the MoC applet, DoS could not include this functionality on their official PIV cards. Precise Biometrics is providing the MoC applets and readers.
  • DoS is using the BLADE smart cards to provide PKI logon via kerberos. Their long-term goal is to provide logon to all DoS websites.
  • DoS is currently trying to create a hybrid PIV / BLADE-MoC smart card – they need more storage space on the smart card chip. Until this issue is solved, DoS cardholders will use the BLADE card for logical access and their PIV cards for physical access.
  • One of their biggest challenges is hardware and software deployment overseas.
  • The interesting part of this project is that it has re-ignited NIST’s interest in Match-On-Card biometrics support. Bill MacGregor (NIST) commented on this in a later presentation.
  • Jarrod Frahm gave the presentation and he is the BLADE PM. Mark McCloy is the PKI PM. Steven Gregory is the IIB Branch Chief.

NIST’s thoughts on Match-On-Card for PIV

  • Bill MacGregor (NIST) gave a follow-up presentation on how MoC is being considered as a PIN replacement option for PIV cards. 
  • Motivations for MoC support include improved usability and improved security & reliability
  • What’s not changing: Backwards compatibility with existing PIV card standard, the authentication model, FIPS 140-2 Level 2 requirements, metrics for biometrics testing (MINEX)
  • The NIST process for adopting new technology recommendations: 1. R&D (NIST IRs, papers, presentations), 2. Best Practice Guidelines (Special Pubs), 3. Standards (ANSI, ISO and, rarely, FIPS)
  • NIST R&D for MoC includes, so far:
  • Moving forward:
    • FY 2009: Revisit & formalize requirements
    • FY 2009: Recommend an implementation approach
      • consider ISO/IEC 24787 mapping (updated on 3/11/09 – Thanks, Bill)
      • propose modifications to 800-73, 800-76, FIPS 201
    • “Enable a direction based on merits.”

“Winter Chill” – FEMA’s electronic validation exercise

  • Craig Wilson, Senior Consultant for FEMA, gave an exciting presentation on FEMA’s latest in-the-field exercise dubbed “Winter Chill”. 
  • The exercise involved state and local Federal Emergency Response Officials (FEROs) and representatives from DoD and FEMA.
  • The exercise included moving these representatives around from one site to another and validating their identity using electronic validation of PIV, CAC and FRAC smart cards as well as state-issued Drivers Licenses.
  • In addition to the real-time validation of these credentials, the geo-location was tagged and reported in “near real-time”. (I guess they didn’t want to commit to saying “real-time”.)
  • Duane Stafford, representing the State of Virginia (VDOT?) talked about how VA provided the geospatial awareness technology.
  • The software was demo’d during the meeting. 
  • As we entered the IAB meeting there were two entrances being manned by some of the same representatives that validated credentials during Winter Chill. The high-assurance entrance scanned PIV cards. The low-assurance entrance scanned driver’s licenses. My newly-issued driver’s license passed with flying colors.

Proposal of a new PIV GUID 

  • Tim Baldridge (NASA) gave a summary of the work done to evolve the PIV FASC-N.
  • Problem: Current PIV card ID number (FASC-N) was not designed to support non-federal PIV Card Issuers (PCIs).
  • Proposal: A GUID (128-bit value, i.e. HUGE) shall be assigned to each issued PIV card according to RFC 4122.
  • Dependencies: 
    • The proposal implies a requirement to update the data model for signed objects, including certs, to include the GUID in addition to the FASC-N.
    • Development of new functionality in the PIV standard and guidance to support “Mutual Registration” by Relying Parties in co-operation with the PCI.

After the PIV GUID presentation and wrap-up there was some more Q&A. There was some more discussion around this Mutual Registration topic and Match-On-Card biometrics. The part that I found particularly interesting was the MoC Philosophy. The idea is simple:

I control access to my card with my fingerprints that I enrolled.

This really helped me grasp a new motivation for MoC. The fingerprint does not belong on the server. If a user is using it in place of a PIN, it should be treated like a PIN. Only the user should be able to enroll their MoC fingerprints. There may be an unblock function that the server provides, but the user should be in control of the enrollment process and know that their fingerprint templates are stored only on the smart card.
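The "treat it like a PIN" philosophy can be written down as an interface, which is what this added example does (my own model, not code from any card vendor, NIST or the Dept. of State). The template lives only inside the card object, the relying party receives a yes/no answer plus a retry counter, enrollment requires the cardholder's PIN, and the issuer-side unblock resets the counter without ever reading or changing the template. The template format (a 64-bit feature vector), the Hamming-distance matcher, the thresholds and all sample values are constructed stand-ins for a real vendor matcher.

```python
"""Match-on-Card modelled with PIN semantics (added example; constructed matcher)."""
import hmac

TEMPLATE_BITS = 64
MATCH_THRESHOLD = 8   # constructed: accept if at most 8 of 64 feature bits differ
MAX_RETRIES = 3       # the biometric retry counter, like a PIN retry counter


def hamming(a: int, b: int) -> int:
    """Number of differing feature bits between two templates."""
    return bin(a ^ b).count("1")


class MoCCard:
    """Holds the enrolled template; exposes only decisions and a retry counter."""

    def __init__(self, pin: str, unblock_code: str):
        self.__pin = pin                      # a real card has its own PIN retry counter; omitted here
        self.__unblock_code = unblock_code    # known to the issuer's unblock service
        self.__template = None                # never returned by any method
        self.retries_left = MAX_RETRIES

    @property
    def blocked(self) -> bool:
        return self.retries_left == 0

    def enroll(self, pin: str, template: int) -> bool:
        """Only the cardholder, proving the PIN, can set or replace the template."""
        if not hmac.compare_digest(pin, self.__pin):
            return False
        self.__template = template
        return True

    def verify(self, sample: int) -> bool:
        """Match on card: a sample comes in, a boolean goes out, the template stays put."""
        if self.blocked or self.__template is None:
            return False
        if hamming(sample, self.__template) <= MATCH_THRESHOLD:
            self.retries_left = MAX_RETRIES
            return True
        self.retries_left -= 1
        return False

    def unblock(self, code: str) -> bool:
        """Issuer-side unblock resets the counter; it neither reads nor changes the template."""
        if not hmac.compare_digest(code, self.__unblock_code):
            return False
        self.retries_left = MAX_RETRIES
        return True


def demo() -> dict:
    """Constructed walk-through: enroll, genuine match, impostor lockout, issuer unblock."""
    enrolled = 0xA5A5_F00F_1234_ABCD               # constructed enrolled template
    genuine = enrolled ^ 0b111                      # same finger: 3 feature bits differ
    impostor = enrolled ^ 0xFFFF_FFFF_0000_0000     # different finger: 32 bits differ

    card = MoCCard(pin="123456", unblock_code="issuer-secret")
    results = {}
    results["enroll_wrong_pin"] = card.enroll("000000", enrolled)
    results["enroll"] = card.enroll("123456", enrolled)
    results["genuine"] = card.verify(genuine)
    results["impostor_attempts"] = [card.verify(impostor) for _ in range(MAX_RETRIES)]
    results["blocked"] = card.blocked
    results["genuine_while_blocked"] = card.verify(genuine)
    results["unblock_wrong"] = card.unblock("guess")
    results["unblock"] = card.unblock("issuer-secret")
    results["genuine_after_unblock"] = card.verify(genuine)
    results["template_exposed"] = hasattr(card, "template")
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:24} {outcome}")
```

Notice what the server never gets: no `get_template()`, no enrollment path that bypasses the PIN, and an unblock that only touches the counter. Those three absences are the whole of the "I control access to my card with my fingerprints that I enrolled" idea.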

I hope this was helpful to those who couldn’t attend. Now that I’m around DC more often, I’d be happy to meet-up more often in-person. Also, I recently launched the company’s official Twitter feed. Send me an @TrustBearer reply on Twitter to get in-touch.
