The Federation for Identity and Cross-Credentialing Systems (FiXs) is a coalition of commercial companies, government contractors, and not-for-profit organizations that have established and maintain a worldwide, interoperable identity and cross-credentialing network built on security, privacy, trust, standard operating rules, policies, and technical standards. Founded and incorporated as a not-for-profit in 2004 and based in Fairfax, Virginia, FiXs was formed to pilot a federated identity transaction model.
FiXs provides a trusted mechanism for federated identity infrastructure within and between public and private sector organizations with accuracy and trust through the application of a Federated Trust Model. The FiXs network capabilities can be accessed worldwide, in remote or fixed environments, wired or wirelessly, and in real-time.
Modeled after the financial industry’s highly-secure and widely-accepted ATM (Automated Teller Machine) approach, the FiXs network is a secure, scalable system that provides trusted, interoperable identity verification and credential authentication for network users accessing a range of government and commercial facilities. The FiXs network meets federally-mandated requirements, supports physical and logical access applications and integrates with an organization’s existing personnel system, while leveraging the network’s economies of scale.
The Federation includes more than 20 members, including systems integrators, financial institutions, and organizations focused on promoting improved workforce protection and systems security for critical infrastructure. The U.S. Department of Defense (DoD) and the General Services Administration (GSA) are participating government organizations. FiXs members contribute ideas, technologies, and best practices for implementing a secure identity cross-credentialing network based on open standards, sound business processes, and proven technologies and security.
The FiXs network uses available identity credential technology in conjunction with biometric identification. FiXs can be used within and between public and private sector organizations and promotes a trusted mechanism for federated identity infrastructures. It is important to note that FiXs does not grant or deny physical or logical access for any credential bearer. Rather, it delivers a trusted infrastructure that provides participating members with an assured means to authenticate the actual identity of individuals presenting FiXs-certified credentials for access to facilities and systems.
FiXs is an open membership organization. Members join to contribute to and influence the evolution and development of the FiXs network, its capabilities, and certified applications, to learn the latest technologies and strategies for robust identity management programs, and to meet and engage in dialogue with compatible business interests.
1. Federated Access: Identity & Privacy Protection
Presented at: Information Systems Security Association-Northern Virginia (ISSA-NOVA) Chapter Meeting
Presented by: Daniel E. Turissini, Board Member, Federation for Identity and Cross-Credentialing Systems (FiXs)
http://www.FiXs.org
January 20, 2011
2. The Federation for Identity & Cross-Credentialing Systems (FiXs)
• A 501(c)6 not-for-profit trade association formed in 2004 in collaboration with the DoD to provide secure and interoperable use of identity credentials between and among government entities & industry
• A coalition of diverse companies/organizations supporting development & implementation of interoperable identity cross-credentialing standards and systems
• Members include: government contractors, technology companies, major financial firms, not-for-profit organizations, DoD, GSA, state governments, etc.
3. Federated Identity Solution
• Federated identity provides a strong, biometrically enabled electronic identity credential that can be readily validated electronically by any Federal logical/physical access point, allowing the decision maker or databases to make a local, specific privilege and/or authorized ACCESS decision confident in:
– the identity of the person attempting access;
– the identity of the device attempting access;
– the identity of the vetted organization that they represent;
– that the organization and the individual have a legal relationship to do business with the federal government; and,
– that the individual has been vetted in person and has undergone a background investigation consistent with defined levels.
The credential assures you are who you say you are; Commanders confirm what the holder is permitted to access!
4. The Foundation
• FiXs entered into a formal Memorandum of Understanding (MOU) with the DoD in January 2006, updated February 2009, that established the terms & conditions under which FiXs & DoD will use their respective systems as part of an identity suite of systems:
– https://www.dmdc.osd.mil/dmdcomn/owa/DMDC.FEDPIIPS
• The terms and conditions include:
– Operational framework for inter-operability between DoD & FiXs
– Specific operational responsibilities
– Governance structure
• Authority To Operate granted by DMDC
• Strong Certification & Accreditation processes
Documentation available online at: http://www.fixs.org/library
5. Federated Access DoD Application
[Diagram, labels only: Relying Parties (Access Rules); Trusted Third Parties (External Certificate Authorities (ECA) / PIV-I); Subscribers (Credential Holders); Strong Identity; Strong Access Control; Local Access Decisions.]
Strong credentials with biometrics consistent with federal standards are essential to successful access control.
6. TESTED, SPOT – FiXs Inter-operability Pilot
• Successful assessment of the feasibility of utilizing commercially issued credentials that adhere to FiXs-certified standards in “feeding” the SPOT database
• Issue FiXs-certified credentials to 3,000 contractor personnel
• Credentials authenticated across a secure network against federated data stores
• Included “cleared” personnel, non-cleared personnel, first responders, and other entities that interact with Army Materiel Command
• Monitor utilization, increases in productivity, & security profile
• Provided strategic assessment for future activities
8. FiXs-Certified Credentials
[Figure: a CAC shown beside a FiXs credential; callouts: 2D barcode, 1D barcode & mag-stripe on back; 2 RFID antennas; clear contractor markings.]
RFID, barcodes, PIV applet and certificate provide Issuer ID, Sponsor ID, Employee ID, & other data processed via the network.
9. Robust Validation Infrastructure
[Diagram, labels only: Application Servers on the Local Area Network; Client/WS inside and/or outside the LAN, connecting over https; FiXs Validation Service (Site 1 … Site N) with an OCSP Repeater; Alternative Validation Paths (OCSP); 20+ FiXs-compliant PKI directories and 50+ FiXs-compliant CRLs reached over the CRL Update Path (ldap/ldaps, http/https).]
10. Device Credential Issuance Process
STEP 1 (Apply): Device Administrator goes to any-CA.ORC.com & completes the online certificate registration application.
STEP 2 (Submit): The device’s key pair is generated in a cryptographic module and associated to the device, & the device’s public key is submitted to the CA along with the application.
STEP 3 (Print): Administrator prints or PDFs the application form.
STEP 4 (ID Proofing): Administrator digitally signs the form & sends or takes the form with two valid forms of ID either to the LRA or another Trusted Agent.
STEP 5 (Confirmation): RA confirms that ID proofing is complete & correct.
STEP 6 (Issuance): The CA issues the certificate & provides out-of-band download instructions to the applicant.
STEP 7 (Download): Administrator returns to any-CA.ORC.com, performs a proof of possession, & downloads the certificate.
STEP 8 (Install): Administrator installs the SD into the device & applies tamper-evident tape.
11. Device Secure Access
[Diagram, labels only: Video Application Servers on the Local Area Network; Client/WS inside and/or outside the LAN; Credential Validation Service, with an optional Client/WS Validation Repeater; Validation Paths (OCSP/SCVP); 20+ Federally compliant PKI directories and 50+ Federally compliant CRLs reached over the CRL Update Path (ldap/ldaps, http/https); numbered links: 1. Authenticated https, 2/4. OCSP/SCVP, 3. Authenticated SSL VPN.]
1. Mutual Certificate Authentication between Client & Video Server
2. Mutual Validation of Credentials; https session established
3. Mutual Certificate Authentication between Video Server & Camera
4. Validation of Credential; SSL VPN session established
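An added example, not code from the presentation, FiXs or ORC: in Go, using only the standard library, a toy version of the device credential lifecycle on slides 10 and 11, with the CA checking the CSR's signature as a stand-in for the proof-of-possession step (STEPs 2, 6 and 7) and the relying party chaining the device certificate to the trusted CA and consulting the CA's CRL before accepting the device (the CRL validation path of slides 9 and 11; OCSP/SCVP is not modelled). The CA name, device name and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must panics on error to keep the example short; every name below is constructed.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// NewCA builds a self-signed issuing CA that stands in for the CA of STEP 6.
func NewCA() (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return key, must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))))
}
// Issue (STEPs 2 and 6): the CA checks the CSR's own signature, which proves the applicant
// holds the private key matching the submitted public key, before issuing the certificate.
func Issue(caKey *ecdsa.PrivateKey, ca *x509.Certificate, csrDER []byte, serial int64) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, errors.New("proof of possession failed: " + err.Error()) }
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, t, ca, csr.PublicKey, caKey)
}

// Validate (slides 9 and 11, relying-party side): chain the device certificate to the
// trusted CA, then check the CA-signed CRL; any failure means the device is not accepted.
func Validate(certDER []byte, ca *x509.Certificate, crlDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return err }
	roots := x509.NewCertPool(); roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil { return err }
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return err }
	if err := crl.CheckSignatureFrom(ca); err != nil { return errors.New("untrusted CRL: " + err.Error()) }
	for _, r := range crl.RevokedCertificates { // serials the CA has revoked
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 { return errors.New("certificate revoked") }
	}
	return nil
}
```

A CRL that is unsigned, signed by another CA, or that lists the device's serial number is rejected, as is a CSR whose signature does not verify under the submitted public key.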
12. FiXs Certified Credential Authenticated at DoD Location
[Diagram, nodes only: Company A FiXs Domain Server (FDS); Company B FDS; Issuer FDS (Companies C, D, E); Company F FiXs Authentication Node; FiXs Trust Broker (FTB); DMDC Trusted Gateway Broker (TGB); DMDC Domain Server (DDS); Authentication Node: Defense National Visitor Center (DNVC) and Defense Biometric Identification System (DBIDS); FiXs Authentication Stations/Handhelds. Legend distinguishes secure connections, transaction paths with no fee, and transaction paths with a fee.]
13. FiXs Certified Credential Authenticated at FiXs Location
[Diagram, nodes only: Company A FDS; Company B FDS; Issuer FDS (Companies C, D, E); Company F FiXs Authentication Node; Hosted FTB; DMDC TGB; DMDC DDS; DNVC/DBIDS; FiXs Authentication Stations/Handhelds. Legend distinguishes secure connections, transaction paths with no fee, and transaction paths with a fee.]
14. CAC Authentication at FiXs Location
[Diagram, nodes only: Company A FDS; Company B FDS; Issuer FDS (Companies C, D, E); Company F FiXs Authentication Node; Hosted FTB; DMDC TGB; DMDC DDS; DNVC/DBIDS; FiXs Authentication Stations/Handhelds. Legend distinguishes secure connections, transaction paths with no fee, and transaction paths with a fee.]
15. FiXs Certified Credential Enhanced Logical Access Control
[Diagram, labels only: Remote Client/WS; Border Server; Application Server; Validation Data; FDS; links over SSL VPN and https.]
1. Initial Enterprise Logon
2. Validate Device Certificate
3. Authenticated SSL VPN Established
4. Initiate Application Logon
5. Validate ID Certificate
6. Access Attributes
16. Contact Information
Dan Turissini - CTO, WidePoint Corporation, FiXs Board
turissd@orc.com
703 246 8550
Dr. Michael Mestrovich, FiXs President
Michael.Mestrovich@fixs.org
703 928 3157