VA Public Key Infrastructure Project

1
VA Public Key Infrastructure Project

• Co-chair - Cathie Ward OIT
• cathie.ward_at_mail.va.gov
• Co-chair - Daniel Maloney VHA
• daniel.maloney_at_med.va.gov
• Web Sites - http//vaww.va.gov/vapki.htm or
  http//www.va.gov/vapki.htm

2
BRIEFING TOPICS

• Background of VA PKI Project
• PKI Project Direction and Status
• Pertinent Federal-wide Initiatives
• NT/Exchange Integration Issues
• Microsoft site license PKI features

3
WHAT IS PKI

• Public Key Infrastructure
• A combination of products, services, policies,
  and agreements for secure interaction across
  networks including open networks like the
  Internet

4
PKI - BASIC PRICIPLES

• A pair of related keys as opposed to a single key
• When either key encrypts, the other key decrypts
• The private key is closely guarded and never
  given out - PROTECT YOUR PRIVATE KEY
• The public key and who it belongs to are publicly
  available

5
VA PKI PURPOSE

• Integrate with VAs overall security framework
• Provide a common utility for VA
• Work through policy and technology issues
  together
• Support pilots that require one or more of the
  following strong authentication, integrity, non
  repudiation, confidentiality

6
WHY VA NEEDS PKI

• Encrypt e-mail messages moving across open
  networks
• Added exposure from open networks like the
  Internet
• Protection from viruses - unauthorized code
• Existing authentication methods not scalable and
  not as secure
• Vendors security products depend on it

7
PKI ARCHITECTURAL ENTITIES

• Certification authority (CA)
• Registration authority(s)
• Certificate archive
• Directory / Repository
• Certificate policies, practices, CONOPS

8
PKI NOT A CURE-ALL

• Part of comprehensive security package
• PKI systems also use private / symmetric keys
• Key generation is faster
• Operations are faster
• Used for encrypting data in bulk

9
PROGRESS AT VA

• CIO Council backing - broad participation
• Funding from VHA, VBA, and O/M
• Web site - vaww.va.gov/vapki.htm
• Capabilities demo and pilots
• Design Decision Document (April 6, 1999)
• Certificate Policy Draft

10
VA PKI PROJECT DECISIONS- MAY 24

• Contract for expanded CA functions
• Contract for management, help desk and RA
  application support
• Post draft Certificate Policy as interim guidance
• Continue to assess Windows 2000 PKI
  feasibility/timing

11
VERISIGN CONTRACT FOR EXPANDED CA FUNCTIONS

• Includes key recovery, local tailoring and
  expedited enrollment
• VeriSigns first offer - one year, services only
• Subsequent year - costs would escalate
• Waiting on 2nd, more detailed VeriSign proposal

12
CYGNACOM OPERATIONS SUPPORT CONTRACT

• Project management support
• Help desk
• Database to distribute RA function to ISOs
• Due to OAMM for action by July 1

13
SECURE E-MAIL PILOT - NEXT STEPS

• Expand, beginning with security/IG community
• Put help desk in place for assistance and problem
  resolution
• Pursue SSA/VA medical data exchange
• Inform users of their records management
  responsibilities
• Test key escrow

14
WEB PILOTS

• Planned
• VBA Automated Verification of Enrollment
• IG limited access database
• Distributed PKI registration application
• Discussion stage - VA/DEA Pilot and Credentialing

15
CERTIFICATE POLICY - PURPOSE

• Single policy for VA - all inclusive
• Basis for trust
• single certificate for all VA apps
• interoperability achieve via policy mapping
• Requires high assurance operating environment

16
VA CERTIFICATE POLICY- HIGHLIGHTS

• Presented according to PKIX part 4 template
• Medium assurance only (DoD has 4 levels)
• Applies to people, as well as infrastructure
  components
• PKI Work Group arbitrates (PMA)
• Specifies uniform X509 certificate content/ format

17
VA CERTIFICATE DISTINGUISHED NAME EXAMPLES

• For VA employee
• CUS, OVA, OUVA-employee, OUVHA, CNDan
  Maloney
• For Business Partner
• CUS, OVA, OUVA-partner, OUSSA, CNJane Smith

18
KEY RECOVERY OBJECTIVES

• Provides secondary means to access data
  confidentiality cryptography keys
• Solves multiple problems
• lost or compromised keys
• careless, disgruntled or absent employee
• lay enforcement/surveillance

19
KEY RECOVERY STATUS

• No stated Federal mandates
• VA e-mail policy makes each person responsible
• Both prominent technology options have drawbacks
• Key escrow requires separate key for encryption

20
KEY RECOVERY APPROACH

• Research policy mandates/options
• Test key escrow with secure e-mail

21
FEDERAL-WIDE INIATIVES

• OMB GPEA Guidance
• Make high use forms and information electronic
• Provide for optional use of electronic signatures
• Report progress to OMB
• ACES
• Now scheduled for late 99 availability
• An option for certificates issued to general
  public

22
NT/EXCHANGE INTEGRATION ISSUES

• Use of GAL with non MS certificates (e.g.
  VeriSign)
• Certificate profile/naming constraints
• Distribution of standard, pre-configured mail
  client
• Testing of released Outlook 2000

23
WINDOWS 2000 CONDITIONS TO MONITOR

• Release date
• VA roll out schedule
• VA test bed for Win 2000 PKI features
• Impact on Interoperability
• Standard compliance

24
WIN 2000 PKI ARCHITECTURE QUESTIONS

• Trust model - how many servers, CAs, roots?
• Relationship to NT domain hierarchy
• Support for non VA certificates
• Certificate format/content
• In particular rules for subject (distinguished)
  names

25
WHAT YOU CAN DO

• Upgrade workstation configuration
• (Outlook 98, IE 4.0 or 5 with 128 bit encryption)
• Enroll for Verisign Certificate
• Learn how to use S-MIME for signature and
  encryption
• Help develop policy/procedures
• Participate in local registration pilot

26
Agreements

• Microsoft to produce a white paper describing
  their vision for PKI with the VA
• Joint NT / PKI work group for testing and
  evaluation of Windows 2000 PKI
• Joint sponsorship of standardized software
  configuration for clients and servers
• Clarification of Interoperability issue of
  Certificates in the MS Exchange GAL

27
FOR YOUR ADDRESS BOOK

• Co-chair - Cathie Ward OIT
• cathie.ward_at_mail.va.gov
• Co-chair - Daniel Maloney VHA
• daniel.maloney_at_med.va.gov
• Web Sites - http//vaww.va.gov/vapki.htm or
  http//www.va.gov/vapki.htm