United States DoD Public Key Infrastructure: Deploying the PKI Token
R. Michael Green, Director, DoD PKI PMO, (410) 854-4900
Becky Harris, Deputy Director, DoD PKI PMO, (703) [email protected]
NIST PKI Review, 26 April 02
UNCLASSIFIED
United States DoD Public Key Infrastructure Program

The Goal: To enhance the business processes and improve the IA posture of the DoD through widespread use of PK-enabled applications.

http://iase.disa.mil (must be from .mil or .gov domain)
http://www.c3i.osd.mil/org/sio/ia/pki/index.html
4/24/02
DoD PKI Program Management and Policy
• 9 April 99 ASD (C3I) Memorandum: Assigned DoD PKI Program Management Office (PMO) responsibility to NSA with DISA Deputy PM
• 6 May 99 DEPSECDEF Memorandum: Defined DoD PKI policy objectives
• 10 Nov 99 DEPSECDEF Memorandum: Established DoD Smart Card Strategy
• 12 Aug 00 ASD (C3I) Memorandum (rewrite of 6 May DoD PKI memo)
The Challenge -- It's a hard problem
[Chart: "Event Driven Security" / "Robustness Growth": Assurance Level plotted against Time for Certification Authorities, LRAs*, Tokens, Applications and Directories, with Release 3 and Release 4 marked.]
* Local Registration Authorities
DoD Public Key Capability Requires Coordinated Convergence
PKI in Evolution
[Timeline chart: Surety (Quality of Certificate) plotted against Time, with tracks for CAC Issuance & Configuration Management, PK Infrastructure, Workstation Enablement, and PK Enablement Related Events; releases marked from Release 3 through Release 4.]
• Release 3
• Release 3.0.1: Win 2000 Smart Card logon
• Release 3.1: email cert issuance via post issuance portal
• Release 3.x: PIN unlock/reset
• Release 4.0: KMI CI-1
• Release 4.X: Upgrade to DEERS/RAPIDS
DoD PKI Registration Scenarios
[Diagram of registration components: DoD Root Certification Authority, Certification Authority, Repository/Directory, Personnel Database, RAPIDS Workstation and Verifying Official (VO), Local Registration Authority (LRA), End User, End User Application.]
# People Requiring Certs and # People Issued Certs
[Bar chart: Number Required and Number Issued (scale 0 to 1,400,000) for Army, Navy, Air Force, Marine Corps and Other.]
Total Req'd 3,109,983; Total Issued 558,659 (14 April 02)
Current Status
• DoD PKI Release 3 Operational - October 01
• Key Management Infrastructure Capability Increment-1 (KMI CI-1) awarded Nov 01; will provide Release 4.
• Established PKI Interoperability Testing capability
• Reviewing and approving DoD PKI Certificate Practice Statements
Preparing for the Future
• Collected Tactical PKI User requirements
• Working with NIST & Smart Card Senior Coordinating Group to define a process to add applets to FIPS 140 certified cards while maintaining FIPS 140 certification
• Updating the DoD PKI Certificate Policy (CP)
• Finalizing the DoD Key Recovery Policy
• Developed high-level approach to PK-Enabled applications
Future PKI Activities
• DoD Policy Rewrite/Milestone Review
• SIPRNET Plan
• MS Logon Agreement - Release 3.0.1
• Code Signing - Release 3.1
• Private Web Server Certs/Client Side Authentication
• Biometrics
Other Activities
• Directories, Directories, Directories
• DoD PKI and Allied Interoperability
• DoD PKI "versus" Federal and IC
• Vetting and piloting tactical and SIPRNET requirements
DoD PK-Enabled Applications
• PKI provides the underlying foundation for security services, but PK-enabled applications are required in order to implement them
• We must depend on industry to maintain the apps
• Evaluated applications that can process our certificates with little user involvement
DoD PK-Enabled Applications
• PK-Enabled Services/Applications:
– Medium Grade Services (MGS) - secure, interoperable e-mail
– Secure Web Services
– DoD-specific applications (e.g. Defense Travel System, Wide Area Work Flow)
DoD PKI and KMI Token Protection Profile
• Used Smart Card Security Users Group Smart Card Protection Profile as baseline document
• Information Assurance Technical Framework Forum Protection Profiles: http://www.iatf.net/protection_profiles/index.cfm
• Previous draft was released for public comment October 00 - Feb 01
• Tokens meeting this protection profile: required by mid-late 2003
Token PP FIPS 140 Requirements
• FIPS 140-2 Level 2 for Subscribers *
• FIPS 140-2 Level 3 for Registration Authorities
* If the DoD Common Access Card issuing infrastructure is not capable of issuing two different levels of cards, then all CACs will be required to meet FIPS 140-2 Level 3.
Biometrics, DMDC and CAC
• DMDC has been collecting and storing fingerprints (template & minutia) when issuing cards.
• Biometric data is not stored on the CAC
• In the event of a forgotten PIN, a biometric (fingerprint) can be provided by the user at a RAPIDS workstation for authentication and to unlock her CAC
Adding Biometrics to PKI & CAC
• Pilots under way now
• Discrete points where biometrics can be added:
– CAC task order/purchase*
– middleware upgrades*
– DMDC/RAPIDS/DEERS upgrades*
* Probably need all three of these before fully incorporating biometrics
• May impact CAC FIPS 140 certification