What is SHA-256?

Download PDF
7 downloads 174 Views 351KB Size Report
Comment
Jul 28, 2010 - Are Improving Business Processes using Digital Identities (Sherry. Ansher .... SHA-256 is a stronger hash
Interagency Advisory Board Meeting Agenda, July 28, 2010 1.

Opening Remarks

2

Research Collaboration in the Cloud: How NCI and Research Partners Are Improving Business Processes using Digital Identities (Sherry Ansher, NIH/NCI and Cindy Cullen CTO Safe Bio-Pharma)

3.

Minimum Standards for Proof and Verification of Personal Identity (Graham Whitehead, NAPSO)

4.

Planned Changes to the Federal PKI (Judy Spencer, FICAM Co-Chair)

5.

The Status and Future Plans for the GSA Shared Service (Steve Duncan, MSO Director)

6.

The ICAM Return on Investment (ROI) WG (Tim Gaines, ICAM Chair)

7.

Proposed Federal Profile for SAML 2.0 for LOA 1 through 4(Tim Baldridge, FICAM AWG)

8.

TSCP Implementation Pilots to demonstrate NTSIC Goals & Objectives (Keith Ward)

9.

Closing Remarks

Federal Public Key Infrastructure

Federal PKI Authority SHA-256 Infrastructure Enhancement 28 July 2010 Judy Spencer Federal ICAM Subcommittee Co-Chair

Federal Public Key Infrastructure

Agenda  New FPKI Root and Intermediate Certificates What are root and Intermediate certificates What is changing When is it coming What do you have to do

 Use of SHA-256  What is SHA-256  How is SHA-256 used  How does it impact you  What do you have to do

 Discussion 54

Federal Public Key Infrastructure

What are Root and Intermediate Certificates?  A root certificate is a self-signed certificate issued by a Certification Authority (CA) – “Root CA”  A Relying Party (RP) “Trusts” a certificate if a valid path, which may include Intermediate Certificates, is known to a Root CA in the RP “Trust Store”.  Federal Common Policy Framework (Common Policy) CA  Root certificate used as a Public Federal PKI Trust Anchor – Included in COTS products, as are other Commercial PKI Trust Anchors

 Intermediate certificates issued only to Federal Entity CAs

 Federal Bridge CA  Cross-Certified with Common Policy CA  Cross-Certified non-Federal Entity CAs and legacy Federal CAs  Not used as a Trust Anchor; used to provide policy mapping

55

Federal Public Key Infrastructure

New FPKI Certificates – What is Changing?  New CAs for Common Policy and the Federal Bridge  New CA Directory Names (Issuer Names) – Common: cn=Federal Common Policy CA, ou=FPKI, o=U.S. Government, c=US – Bridge: cn=Federal Bridge CA, ou=FPKI, o=U.S. Government, c=US

 SHA-256 Signature Algorithm  New Root and Intermediate/Cross CA certificates issued

 New URIs to access FPKI CA certificates and CRLs  Provides real-time load balancing – fpkia.gsa.gov (current) – http.fpki.gov, ldap.fpki.gov, dsp.fpki.gov (new)

56

Federal Public Key Infrastructure

New FPKI Roots – What is Changing? (Con’t)

 Common root certificate in more COTS product trust stores  FPKI MA applying to get it into lists ASAP  e.g., Microsoft, Adobe, Java, Apple, Mozilla, Oracle

 TBD: Legacy Federal CAs moved from Bridge to Common  FPKIPA reaching out to Legacy Federal CAs  Decision by end of July 2010

57

Federal Public Key Infrastructure

New FPKI Roots – When is it coming?

 Sept 30, 2010: New Common and Bridge CAs online  Q1 FY11: Reissue certificates  The FPKI MA will issue new cross certificates from the new Common Policy CA to FBCA and all SSP CAs  The FPKI MA will issue new Federal Bridge cross-certificates to all Affiliate CAs currently cross certified with the FBCA

 During September – December Transition Period:  There will be dual Common and Bridge roots (old and new) to allow time for relying party (client workstation) transition

58

Federal Public Key Infrastructure

New FPKI Roots – What do you have to do?

 Review FDCC Guidance on managing PKI Trust Anchors  Affiliate CAs Cross Certify with new Federal Bridge CA  Push new Common Policy root and applicable Intermediate certificates to update end user trust stores  Notify FPKI MA that “push” to users is complete  FPKI MA will revoke legacy intermediate/cross-certificates

59

Federal Public Key Infrastructure

Agenda  New FPKI Roots What is a root What is changing When is it coming? What do you have to do?

 Use of SHA-256  What is SHA-256  How is SHA-256 used?  How does it impact you?  What do you have to do?

 Discussion 60

Federal Public Key Infrastructure

Use of SHA-256 – What is SHA-256?

 SHA-1 is a depreciated hash algorithm currently in use for certificate digital signatures  SHA-256 is a stronger hash algorithm for digital signature  Stronger than SHA-1 algorithm currently used in the FPKI

 NIST-Approved algorithm for certificate signature use  NIST SP 800-131 DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes

61

Federal Public Key Infrastructure

Use of SHA-256 – How is SHA-256 used?

 SHA-256 is used for digital signing  A block of data is input into the SHA-256 Hash Algorithm to obtain a fixedsized bit stream that serves as the message authentication in the digital signature for content integrity.

62

Federal Public Key Infrastructure

Use of SHA-256 – How it impacts you

 You will need to process SHA-256 based signatures  New FPKI CA certificates will be signed using SHA-256  New FPKI CA CRLs will be signed using SHA-256  Secure correspondence will be signed using SHA-256 – e.g., secure emails between FPKI MA and Affiliates

     

New PIV Authentication Certificates will be signed using SHA-256 New PIV Card Auth Certificates will be signed using SHA-256 New Digital Signature Certificates will be signed using SHA-256 New Encryption Certificates will be signed using SHA-256 New Device Certificates will be signed using SHA-256 New SSL/TLS Web Certificates will be signed using SHA-256 63

Federal Public Key Infrastructure

Use of SHA-256 – What do you have to do

 The FPKI Policy Authority recommends the following:  Review NIST SPs 800-57 Part 1, 800-78, 800-131  Inventory existing public key enabled applications within your Agency or Organization that use FPKI PIV certificates for authentication, digital signature, and or/ encryption  Evaluate your application compatibility to process SHA-256 – – – –

Verify COTS Vendor/Manufacturer support of SHA-256 Verify COTS product minimum required versions for SHA-256 support Obtain SHA-256 signed test certificates Create a Test Plan and evaluate applications that may be at risk for SHA-256 support. – Voluntarily report testing results to idmanagement.gov 64

Federal Public Key Infrastructure

Agenda  New FPKI Roots What is a root What is changing When is it coming? What do you have to do?

 Use of SHA-256  What is SHA-256  How is SHA-256 used?  How does it impact you?  What do you have to do?

 Discussion 65