
State of Maine PKI Security Policy Requirements


Abstract

This document defines the security policies required by State of Maine for the implementation of the PKI project.

Prepared by

Brian Komar, President
IdentIT Inc.

Table of Contents

Version Information
Assurance Levels
    Federal Bridge Assurance Levels
Certificate Policy Requirements
    State of Maine Rudimentary
    State of Maine Basic
    State of Maine Medium
    State of Maine High
General Security Policies
    Revocation Policy
    CRL Publication
    CRL Checking
    FIPS 140-2 Encryption Requirements
    Physical Security Requirements for Offline CAs
    Physical Security Requirements for Online CAs
    Patching and Antivirus Application
    Role Separation
    User Training
    Applications
    Responsibilities for Key Management
    Auditing
PKI Application-Specific Security Policies
    Key Archival and Recovery
    Enrollment Agents
    Wireless Networking
    Encrypting File System (EFS)

Version Information

Date | Author | Version | Change Reference
8/28/2007 | Brian Komar | 1.0 | Document created.
8/29/2007 | Brian Komar | 1.1 | Updates based on phone meeting.
11/05/2007 | Michael Pomerleau | 1.2 | Updates from CERTS team members and meetings of security staff.
11/18/2007 | Michael Pomerleau | 1.3 | Updates from reviews.

Assurance Levels

State of Maine requires the definition of five assurance levels for the initial deployment of the PKI project. Assurance levels are defined within an organization’s Certificate Policy (CP) and Certification Practice Statement (CPS). An assurance level defines the processes and measures taken to identify the subject of a certificate before the certificate is issued to the requestor. In addition, a certificate policy defines the circumstances under which a certificate may be used. This definition can include:

·         Usage of the certificate.

o        Does the certificate prove the identity of the certificate subject?

o        Does the certificate enforce non-repudiation? In other words, can the subject of the certificate deny that they signed an object with the private key of the certificate?

o        What value of purchases may be signed with the private key? The higher the assurance that the holder of the certificate’s private key is the subject of the certificate, the higher the value of purchases supported by the certificate.

·         Identification requirements.

o        Will the user be required to present photo identification? Photo identification ties the name of the requestor to a photo identifier.

o        If photo identification is required, what forms are accepted? Is a State of Maine employee badge sufficient, or is federal or state identification, such as a passport or driver’s license, required?

o        How will the enrollment agent record the identification shown? The options are:

            o        Record the identification’s unique identifier in a secured database for future verification.

            o        Record non-specific information about the identification, such as its expiry date.

            o        Rely on auditing of the issued certificate alone.


Federal Bridge Assurance Levels

The levels in the table are FIPS 140-2 cryptographic module levels required for each component.

Assurance Level | CA & CSS | Subscriber | RA
Rudimentary | Level 1 (Hardware or Software) | N/A | Level 1 (Hardware or Software)
Basic | Level 2 (Hardware or Software) | Level 1 | Level 1 (Hardware or Software)
Medium | Level 2 (Hardware) | Level 1 | Level 2 (Hardware)
Medium Hardware | Level 2 (Hardware) | Level 2 (Hardware) | Level 2 (Hardware)
High | Level 3 (Hardware) | Level 2 (Hardware) | Level 2 (Hardware)
 

Note

State of Maine CAs will be operating with FIPS 140-2 level 3 hardware, so there is no need to define a Medium Hardware assurance level in the State of Maine CPS.

 

Certificate Policy Requirements

For the initial PKI deployment, four certificate policies are required, as shown in the following table:

Table 0.1    State of Maine certificate policies

Certificate Policy | Object Identifier (OID) | Certificate Policy URL
State of Maine Rudimentary | 1.3.6.1.4.1.29494.509.2.1 | http://pki.maine.gov/Policies/rudimentary.html
State of Maine Basic | 1.3.6.1.4.1.29494.509.2.2 | http://pki.maine.gov/Policies/basic.html
State of Maine Medium | 1.3.6.1.4.1.29494.509.2.3 | http://pki.maine.gov/Policies/medium.html
State of Maine High | 1.3.6.1.4.1.29494.509.2.4 | http://pki.maine.gov/Policies/high.html

 

 

Note

The State of Maine acquired an enterprise OID arc (IANA Private Enterprise Number 29494, the arc 1.3.6.1.4.1.29494) from the IANA, and the above table was updated with the acquired arc details.
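A relying application enforces these policies by reading the certificatePolicies extension and comparing the OID it finds against the table. The following Python is an added example (not the State of Maine's or IdentIT's code): it builds a certificatePolicies value carrying one of the OIDs above with its CPS URL, parses it back, and answers whether the certificate meets a required assurance level. The minimal DER helpers are stand-ins for a full X.509 library, and the sample bytes are constructed here.

```python
# Added example (not State of Maine or IdentIT code): map a certificate's
# certificatePolicies extension to a State of Maine assurance level. The DER
# helpers are minimal stand-ins for an X.509 library; sample bytes are constructed.
# OID -> assurance level, from the certificate policy table in this document.
STATE_OF_MAINE_POLICIES = {
    "1.3.6.1.4.1.29494.509.2.1": "Rudimentary",
    "1.3.6.1.4.1.29494.509.2.2": "Basic",
    "1.3.6.1.4.1.29494.509.2.3": "Medium",
    "1.3.6.1.4.1.29494.509.2.4": "High",
}
ASSURANCE_RANK = {"Rudimentary": 1, "Basic": 2, "Medium": 3, "High": 4}


def encode_oid(dotted):  # first two arcs packed into one byte, the rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # continuation bytes carry the high bit
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def tlv(tag, body):  # DER tag-length-value; short-form length suffices for this sample
    assert len(body) < 0x80, "long-form lengths not implemented in the encoder"
    return bytes([tag, len(body)]) + body


def encode_certificate_policies(policies):  # policies: [(oid, cps_url or None)]
    infos = []
    for oid, url in policies:
        body = tlv(0x06, encode_oid(oid))
        if url:  # PolicyQualifierInfo { id-qt-cps (RFC 5280), IA5String cPSuri }
            cps = tlv(0x06, encode_oid("1.3.6.1.5.5.7.2.1")) + tlv(0x16, url.encode("ascii"))
            body += tlv(0x30, tlv(0x30, cps))
        infos.append(tlv(0x30, body))
    return tlv(0x30, b"".join(infos))


def read_tlv(data, pos):  # returns (tag, body, position after the element)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        nbytes = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
    return tag, data[pos:pos + length], pos + length


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_certificate_policies(der):  # policy OIDs only; qualifiers are skipped
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        oid_tag, oid_body, _ = read_tlv(info, 0)
        if tag == 0x30 and oid_tag == 0x06:
            oids.append(decode_oid(oid_body))
    return oids


def assurance_level(der):  # highest State of Maine level asserted, else None
    levels = [STATE_OF_MAINE_POLICIES[o] for o in parse_certificate_policies(der)
              if o in STATE_OF_MAINE_POLICIES]
    return max(levels, key=ASSURANCE_RANK.get) if levels else None


def meets_minimum(der, required):  # relying-party check against a required level
    level = assurance_level(der)
    return level is not None and ASSURANCE_RANK[level] >= ASSURANCE_RANK[required]
```

A certificate carrying only anyPolicy or a foreign OID yields no State of Maine level, so a transaction that requires Medium or High is refused rather than silently accepted.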

 


State of Maine Rudimentary

The State of Maine will not deploy certificates based on the Federal Bridge Rudimentary certificate policy. Through the use of Microsoft Certificate Services, all requests are authenticated, meeting the minimum requirements for Federal Bridge Basic assurance level.

To meet the Federal Bridge CP, the following identification requirements are specified:

No identification requirement; applicant may apply and receive a certificate by providing his or her e-mail address

Per the Federal Bridge CP, a certificate issued under the Rudimentary assurance level is intended for the following usage:

This level provides the lowest degree of assurance concerning identity of the individual. One of the primary functions of this level is to provide data integrity to the information being signed. This level is relevant to environments in which the risk of malicious activity is considered to be low. It is not suitable for transactions requiring authentication, and is generally insufficient for transactions requiring confidentiality, but may be used for the latter where certificates having higher levels of assurance are unavailable.

State of Maine Basic

To meet the State of Maine Basic assurance level, the subject of the certificate must have been vetted by an appropriate hiring authority, such as the State Bureau of Human Resources, where the subject’s name, date of birth, address and other personal information were verified as a prerequisite to the OIT account creation process. The subject’s knowledge of the associated user account and password is required for the automated issuance of a certificate. A certificate that uses the State of Maine Basic assurance level is not intended for purchases or non-repudiation. The certificate may be used to prove that the original content has not been modified, or that the user holds the private key needed to decrypt data encrypted with the certificate’s public key.

To meet the Federal Bridge CP, the following identification requirements are specified:

Identity may be established by in-person proofing before a Registration Authority or Trusted Agent; or remotely verifying information provided by applicant including ID number and account number through record checks either with the applicable agency or institution or through credit bureaus or similar databases, and confirms that: name, DoB, address and other personal information in records are consistent with the application and sufficient to identify a unique individual.

Address confirmation: a) Issue credentials in a manner that confirms the address of record supplied by the applicant; or b) Issue credentials in a manner that confirms the ability of the applicant to receive telephone communications at a number associated with the applicant in records, while recording the applicant’s voice.

Per the Federal Bridge CP, a certificate issued under the Basic assurance level is intended for the following usage:

This level provides a basic level of assurance relevant to environments where there are risks and consequences of data compromise, but they are not considered to be of major significance. This may include access to private information where the likelihood of malicious access is not high. It is assumed at this security level that users are not likely to be malicious.

State of Maine Medium

To meet the State of Maine Medium assurance level, the subject of the certificate must be identified in a face-to-face interview where the subject presents photo identification. The photo identification must be one piece of federal-issued photo identification or two non-Federal government IDs, of which one shall be photo identification.

The Registration Authority (RA) will record the identification before issuing the certificate. The database is protected to ensure that the privacy information is protected.

To meet the Federal Bridge CP, the following identification requirements are specified:

Identity shall be established by in-person proofing before the Registration Authority, Trusted Agent or an entity certified by a State or Federal Entity as being authorized to confirm identities; information provided shall be verified to ensure legitimacy. A trust relationship between the Trusted Agent and the applicant which is based on an in-person antecedent may suffice as meeting the in-person identity proofing requirement. Credentials required are either one Federal Government-issued Picture I.D., or two Non-Federal Government I.D.s, one of which shall be a photo I.D. (e.g., Drivers License)

Per the Federal Bridge CP, a certificate issued under the Medium assurance level is intended for the following usage:

This level is relevant to environments where risks and consequences of data compromise are moderate. This may include transactions having substantial monetary value or risk of fraud, or involving access to private information where the likelihood of malicious access is substantial.

State of Maine High

To meet the State of Maine High assurance level, the subject of the certificate must be identified in a face-to-face interview where the subject presents photo identification. The photo identification must be one piece of federal-issued photo identification or two non-Federal government IDs, of which one shall be photo identification.

The Registration Authority (RA) will record the identification before issuing the certificate. The database is protected to ensure that the privacy information is protected.

A State of Maine High assurance certificate and related private key are stored on a two-factor hardware device, such as a smart card. A smart card prevents export of the associated private key, and requires both access to the smart card and knowledge of the smart card’s PIN to access the private key.

To meet the Federal Bridge CP, the following identification requirements are specified:

Identity established by in-person appearance before the Registration Authority or Trusted Agent; information provided shall be checked to ensure legitimacy

Credentials required are either one Federal Government-issued Picture I.D., or two Non-Federal Government I.D.s, one of which shall be a photo I.D. (e.g., Drivers License)

Per the Federal Bridge CP, a certificate issued under the High assurance level is intended for the following usage:

This level is reserved for cross-certification with government entities and is appropriate for those environments where the threats to data are high, or the consequences of the failure of security services are high. This may include very high value transactions or high levels of fraud risk.

General Security Policies

The following general security policies are proposed for the Public Key Infrastructure design project.

Revocation Policy

Certificates issued to users will be revoked before the expiration of the certificate validity period in the following circumstances:

·         An employee voluntarily resigns. If an employee terminates their employment at State of Maine, all certificates issued to the user will be revoked. Use the revocation reason code of Change of Affiliation when revoking the certificate.

·         An employee is terminated. If an employee is terminated for any reason, the certificates issued to the user will be immediately revoked. Use the revocation reason code of Change of Affiliation when revoking the certificate.

·         Change of PKI-related administrative role. If a user’s responsibilities change so that they no longer hold a PKI-related administrative role, such as enrollment agent, the PKI administrative certificate must be immediately revoked. Use the revocation reason code of Cessation of Operation when revoking the certificate.

·         An employee retires. If an employee who received certificates from the State of Maine PKI retires, the certificates issued to the employee will be immediately revoked at the time of retirement. Use the revocation reason code of Change of Affiliation when revoking the certificate.

·         An employee is suspended. If an employee is suspended, all certificates issued to the user must be revoked. When the employee returns from their suspension, new certificates must be issued to the user. Use the revocation reason code of Change of Affiliation when revoking the certificate.

·         An employee passes away. If an employee dies, all certificates issued to the employee must be revoked. Use the revocation reason code of Change of Affiliation when revoking the certificate.

·         A computer is stolen. If a computer is stolen, all software certificates issued to the computer and to the users of the computer must be immediately revoked. Use the revocation reason code of Key Compromise when revoking the certificate.

·         A Certification Authority is compromised. If a Certification Authority (CA) computer is compromised, all certificates issued by that CA, and the CAs subordinate to that CA in the CA hierarchy are considered compromised. The CA certificate must be revoked with a revocation reason of CA compromise.

·         A smart card or other two-factor device is lost or misplaced. If a smart card is lost, the holder of the smart card must report it as missing to the IT Customer Support Center (Help Desk). When notice is received, the certificates on the smart card must be revoked with a revocation reason of Key Compromise.

·         A certificate template is updated requiring redeployment of certificates. If a certificate template is updated, all previous certificates based on the previous version must be revoked, allowing replacement by the modified certificate template. Use the revocation reason code of Superseded when revoking the certificate.

 

Note

In the cases of retirement, resignation, termination, suspension, or death, the associated user account must be disabled in the enterprise directory.

 

CRL Publication

To allow recognition of revoked certificates, the following revocation publication intervals must be used by State of Maine:

·         For offline CAs, such as root CAs and policy CAs, only base CRLs must be published. The base CRLs must be published at least every 26 weeks.

·         For online CAs, base CRLs must be published at least every three days and delta CRLs must be published at least daily to allow earlier detection of revoked certificates by client computers and applications that support delta CRLs.

 

Note

It is essential that updated CRLs are published at or before the expiration date of the previous CRL. If there is an outage, the updated CRLs must be manually published to the defined publication points.

 

CRL Checking

All applications that support CRL checking must enable strong CRL checking. Strong CRL checking ensures that whenever a certificate is presented to the application, the application will perform a revocation check on that certificate and the other certificates in the assembled certificate chain.


FIPS 140-2 Encryption Requirements

Certification Authorities in the production network must implement FIPS 140-2 level 3 Security Requirements for Cryptographic Modules to ensure the highest level of security for cryptographic functions performed by the CA.

 

Note

Details on FIPS 140-2 can be found at http://www.nist.gov/fips140-2. The actual FIPS 140-2 specification may be downloaded from http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.

 

To meet FIPS 140-2 level 3 certification, a hardware security module (HSM) must have the following attributes:

·         The HSM must be tamper evident. This may be accomplished by coating the cryptographic module with an epoxy or resin that must be broken to gain physical access to key material protected by the HSM.

·         The HSM must implement role-based authentication, to allow for role separation in management of the HSM. The authentication system determines whether an operator is authorized to perform the requested management function through cryptographic module authentication.

·         The operating system of the HSM must meet the functional requirements specified in the Common Criteria Protection Profiles and be evaluated at Common Criteria evaluation level EAL3 or higher.

·         The HSM must destroy the key material if tampering is detected. This provides the maximum level of security for the private keys protected by the HSM.

·         To maintain the security of critical security parameters (CSPs, such as the keys and PINs held by the module), all plaintext CSP management functions should be performed from ports or interfaces that are logically separated from other interfaces, or over an isolated dedicated connection. CSPs may be transferred over other interfaces only in encrypted form.

 

Note

HSMs on the test network may use FIPS 140-2 level 2 devices, rather than FIPS 140-2 level 3 devices.

 

Physical Security Requirements for Offline CAs

The following security policies were drafted for the physical security requirements for offline CAs:

·         All key material of the offline CA must be protected by a FIPS 140-2 level 3 compliant HSM.

·         The HSM must be physically protected to prevent access to the HSM by unauthorized personnel.

·         CA computer must be stored in a server room that uses card key controls to limit physical access to the server room.

·         CA computer must be stored in a five-sided server rack (top, left, right, back, and front) that is locked.

·         All access attempts to the server room must be recorded.

·         All individuals managing the CA servers must swipe for entry into the server room.

·         All individuals managing the CA servers must sign into a log book on both entry and exit. The record should include the date and time the person enters and exits the server room, and include the work performed on the CAs.

·         Backups of the HSM and the CA must be performed each time that the offline CA is accessed for PKI functions. This includes publication of a new base CRL, renewal of the root CA certificate, issuance of subordinate CA certificates, revocation of subordinate CA certificates, and renewal of subordinate CA certificates.

·         The backup must include a full backup of the HSM, backups of any HSM-related files on the local file system, a system state backup of the CA computer, a manual backup of the CA database, and manual backups of critical configuration files.

·         System controls for the HSMs such as keys or smart cards must be stored in a safe.

·         Backups must be stored both onsite in a safe location that is a different physical location than the CA computer and HSM and at an offsite location.

·         Backups must be rotated using the methods used for network-based backups performed on the State of Maine computer systems.

o        Backup procedures must include data retention requirements.

o        Backups of the CA audit logs must be kept for the lifetime of the CA so that complete histories of the audit logs are maintained.

o        Duplicates of backed up data do not need to be retained; other backups can be rotated and replaced.

o        A renewal of the CA certificates does not allow the destruction of the previous audit backup logs for that CA.

·         System controls for HSMs, backup tokens, and other HSM physical control tools must be stored in a fire resistant safe.

·         Security controls to HSMs must be stored in secure lock box to protect access to the HSM.

·         PINs for HSM system controls must never be stored with the HSM system controls.

·         All HSM access must implement KofN controls to prevent a single administrator from compromising the CA.

o        The administrator typing commands at the CA console cannot be a KofN control approver for that operation cycle.

o        The quorum required must be 3 cards.

o        The total number of cards in the key set must be at least 8.

o        For the Hardware Security Module (HSM) security world protecting the Root and Policy CAs,  administration is governed by a quorum of 3 which must represent 3 out of the 4 following branches of the State of Maine Government: Executive, Legislative, Judicial and Constitutional Offices.

o        A quorum of 3 cards must be stored off site for disaster recovery purposes. The PINs must be stored in tamper-evident envelopes at the off-site location.

o        For creation and changes to the Root and Policy CAs, the quorum of 3 must represent 3 out of the 4 following branches of the State of Maine Government: Executive, Legislative, Judicial and Constitutional Offices.

o        For operations of the Root and Policy CAs, the quorum of 3 must represent 3 operations card members with at least one from CA Administrator and Certificate Manager groups.

·         PINs are required for HSM security controls. Owners of the security controls must implement a private PIN that should not be shared.
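The K of N rules above can be checked mechanically before an HSM ceremony proceeds. The following Python is an added example (not the State of Maine's or IdentIT's code) that validates an approval record against the quorum, card-set size, console-operator exclusion, branch-of-government and operations-group rules stated in the list; the card-holder records are constructed, and "at least one approver from each of the CA Administrator and Certificate Manager groups" is the reading assumed for routine operations.

```python
# Added example (not State of Maine or IdentIT code): check an HSM operation's
# approval record against the K of N rules above. Card-holder records are
# constructed, and "one from each group" is the reading assumed for operations.
from dataclasses import dataclass

QUORUM = 3             # cards that must be presented for any HSM operation
MIN_CARDS_IN_SET = 8   # minimum size of the card set
BRANCHES = {"Executive", "Legislative", "Judicial", "Constitutional Offices"}
OPERATIONS_GROUPS = ("CA Administrator", "Certificate Manager")


@dataclass(frozen=True)
class Card:
    holder: str   # person the card was issued to
    branch: str   # branch of State government the holder represents
    group: str    # operations-card group, one of OPERATIONS_GROUPS


def check_quorum(operation, console_operator, approvers, cards_in_set):
    """Return the list of policy violations; an empty list means the operation may proceed.

    operation is "create_or_change" (creation of or changes to the Root and Policy
    CAs) or "operate" (routine operations on them). console_operator is the holder
    name of the administrator typing at the CA console.
    """
    problems = []
    if cards_in_set < MIN_CARDS_IN_SET:
        problems.append(f"key set holds {cards_in_set} cards; at least {MIN_CARDS_IN_SET} required")
    if len(approvers) < QUORUM:
        problems.append(f"{len(approvers)} cards presented; quorum is {QUORUM}")
    if len({c.holder for c in approvers}) != len(approvers):
        problems.append("one holder presented more than one card")
    if any(c.holder == console_operator for c in approvers):
        problems.append("the administrator at the CA console cannot be an approver")
    if operation == "create_or_change":
        branches = {c.branch for c in approvers}
        if not branches <= BRANCHES:
            problems.append(f"unknown branch(es): {sorted(branches - BRANCHES)}")
        if len(branches) < QUORUM:  # 3 cards must come from 3 of the 4 branches
            problems.append("approvers must represent 3 of the 4 branches of State government")
    elif operation == "operate":
        groups = {c.group for c in approvers}
        for required in OPERATIONS_GROUPS:  # assumed: at least one approver from each group
            if required not in groups:
                problems.append(f"no approver from the {required} group")
    else:
        problems.append(f"unknown operation type {operation!r}")
    return problems
```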

Physical Security Requirements for Online CAs

The following security policies were drafted for the physical security requirements for online CAs:

·         All key material of the online CA must be protected by a FIPS 140-2 level 3 compliant HSM.

·         The HSM must be physically protected to prevent access to the HSM by unauthorized personnel.

·         CA computer must be stored in a server room that uses card key controls to limit physical access to the server room.

·         CA computer must be stored in a five-sided server rack (top, left, right, back, and front) that is locked.

·         All access attempts to the server room must be recorded.

·         All individuals must swipe for entry into the server room when managing the CA servers.

·         All individuals managing the CA servers must sign into a log book on both entry and exit. The record should include the date and time the person enters and exits the server room, and include the work performed on the CAs.

·         Backups of the CA must be performed nightly as part of the network-based backup solution. Full backups of the CA database using a system state backup, backups of any HSM-related files on the local file system, and manual backups of the CA database, and critical configuration files must be included in the backup set.

·         System controls for the HSMs such as keys or smart cards must be stored in a safe.

·         Backups must be stored both onsite in a safe location that is a different physical location than the CA computer and HSM and at an offsite location.

·         Backups must be rotated using the methods used for other network-based backups performed on the State of Maine computer systems.

o        Backups must include data retention.

o        Backups of the CA audit logs must be kept for the lifetime of the CA so that complete histories of the audit logs are maintained.

o        Duplicates of backed up data do not need to be retained; other backups can be rotated and replaced.

o        A renewal of the CA certificates does not allow the destruction of the previous audit backup logs for that CA.

·         System controls for HSMs, backup tokens, and other HSM physical control tools must be stored in a fire resistant safe.

·         Security controls to HSMs must be stored in a secure lock box to protect access to the HSM.

·         PINs for HSM system controls must never be stored with the HSM system controls.

·         All HSM configuration changes must implement KofN controls to prevent a single administrator from compromising the CA.

·         Online issuing CAs must be in the same security world as their policy CA, using the same personal security controls.

Patching and Anti