Title: Colleen Carboni
1 Department of Defense (DOD) Class 3 Medium Assurance Public Key Infrastructure (PKI) Status, 21 September 2000
- Gilda McKinnon, DISA D25, (703) 681-9024, mckinnog_at_ncr.disa.mil
- Colleen Carboni, DISA D25, (703) 681-6139, carbonic_at_ncr.disa.mil
2 Agenda
- DoD Class 3 PKI
- Medium Assurance Pilot, Release 1.0
- Class 3 PKI Release 2.0
- Class 3 PKI Release 3.0
- Common Access Card (CAC) Beta
- Registration
- Training
- Application Support
- External Certification Authorities and Interim External Certification Authorities
- Using the DoD PKI - An Example
- Way Ahead
3 DoD Class 3 PKI - Components and Statistics
- Operational on
- NIPRNET
- 41,402 identity
- 26,494 email
- 2,906 servers
- 646 LRAs
- 107 RAs
- SIPRNET
- 117 identity
- 51 servers
- 3 RAs
- 2 LRAs
- CA Architecture is highly centralized
- LRAs highly decentralized
(Diagram labels: NSA; Certificate Authority (CA), Root Server and Directory at DECC Detachment Chambersburg, PA and DECC Detachment Denver, CO; Registration Authority (RA); Local Registration Authority (LRA); Users)
24 X 7 Help Desk 1-800-582-4764 weblog_at_chamb.disa.mil
4 Medium Assurance PKI Pilot, Release 1.0
- Operational on
- NIPRNET since April 1998
- SIPRNET since September 1999
- Certificates are valid until their expiration date
- Interoperable with Class 3 PKI Release 2.0
- NIPRNET user registration should transition to Class 3 PKI by 31 Dec 00
- Exceptions will be made on a case by case basis by the PKI PMO
5 Class 3 PKI Release 2.0 - Enhancements
- Operational July 31, 2000
- Asserts Class 3 level of assurance
- Enhancements
- Key Escrow/Key Recovery
- FIPS 140-1 level 2 hardware signing of certificates
- Added Policy Object Identifiers to differentiate between HW/SW certificates
- FIPS 140-1 level 2 smart cards for registration personnel
- Larger capacity infrastructure
- Improved firewall protection of the enclaves
- Training
- RA/LRA training started in May 00 will continue through FY01
RAISING THE BAR
6 Transitioning Registration Authorities (RAs), Local Registration Authorities (LRAs), and Users to Class 3 PKI
- RA and LRA Workstation Requirement
- Pentium or higher, 64MB RAM
- Windows NT 4.0 OS (Service Pack 4)
- Netscape Communicator 4.73 or higher (US Version - non-export) with Personal Security Manager (PSM) 1.1
- FIPS 140-1 level 2 Hardware token
- Dedicated printer (non-networked)
- NIPRNET/INTERNET connectivity
- LRA application 2.1
- Use Windows NT lockdown procedure
- User
- Netscape Communicator 4.73 with PSM 1.1
Instructions for establishing an RA/LRA workstation are at http://iase.disa.mil/documentlib.html#PKIDOCS
7 Class 3 PKI Release 3.0 - Enhancements
- Establishes connection to Defense Enrollment Eligibility Reporting System (DEERS); DEERS provides the PKI Unique Identification Number
- Enables Real-time Automated Personnel Identification System (RAPIDS) Verification Officers (VOs) to issue PKI certificates on Common Access Card (CAC)
- Schedule
- CAC BETA 1st QTR FY01
- System Security Assessment 1st QTR FY01
- Release 3.0 2nd QTR FY01
8 Common Access Card (CAC) BETA - ID Certificate Issuance
(Diagram of ID certificate issuance; labels: VO, LRA)
9 Common Access Card (CAC) BETA - Email Certificate Issuance
- If you know your e-mail address at initial issuance of CAC
- VO/LRA will issue both identity and email certificates on your CAC
- If not, once you do know your email address
- You can return to the VO/LRA at a later date to obtain your email certificates, or
- You can go to your CINC/Service/Agency LRA for your certificates on a software token.
10 PKI Integration with CAC
- Teaming with DMDC
- PKI registration built into RAPIDS terminal
- Process is transparent
- When card issued, private key and certificate placed on card
- Floppy containing same keys may also be provided
- Applications still mostly require this (software) form of certificate
- Identification information for certificate and directory from DEERS
- For both RAPIDS registration and native PKI LRA registration
- Unique user id from DEERS
- Needed to sync directories across DoD
11 Registration Authorities and Local Registration Authorities
- Registration Authorities (RAs)
- List of RAs can be found at http://iase.disa.mil/PKI/RA/ra.html
- Local Registration Authorities (LRAs)
- List of LRAs can be found at http://iase.disa.mil/PKI/RA/lra.html
12 Training Information
- Training will be provided monthly throughout FY01
- 4 days Local Registration Authority (LRA) Training
- 1 day Registration Authority (RA) Training
- An additional 16 hours of LRA training at Defense Security Service Academy (DSSA) each quarter
- Three (3) 1 week on-site training sessions are planned for C/S/As
- Attendees must coordinate registration for RA/LRA class with their respective C/S/A PKI representative
http://iase.disa.mil/PKI/PKITrain.html
13 Application Support
- Requirement Documentation
- Department of Defense Class 3 Public Key Infrastructure Interface Specification, Version 1.2, dated August 10, 2000, draft
- Department of Defense Class 3 Public Key Infrastructure Public Key-Enabled Application Requirements, dated July 31, 2000
- Documents are available at http://iase.disa.mil/documentlib.html#PKIDOCS
- Class 3 PKI Testbed
- Mirrors DoD PKI Class 3 operational environment
- Resides at the DISA Joint Interoperability Test Command (JITC)
- Additional information at http://jitc.fhu.disa.mil
- Working with Defense Information Assurance Program on process for PK-enabling applications
14 Application Support - Some Examples
Application | App. | Status | Planned Users | Initial Capability
Army Chief of Staff | AC | Issuing Certs | 5K | Oct 98
DISA | AC | Reg. Complete | 8K | Nov 98
Electronic Document Access (EDA) | AC, IA | C/S/As Issuing Certs | 6K | Dec 98
Wide Area Workflow Prototype DD Form 250 | AC, IA, DS | C/S/As Issuing Certs | 6K | Feb 99
Navy | AC, DS | Issuing Certs | 100K | Feb 99
Defense Security Service | AC, DS | Reg. Complete | 300 to 2.5K | May 99
Defense Travel System | AC, IA, DS | C/S/As working process | 400K | 2Q FY00
Defense Message System Medium Grade Service | DS, Encryption | C/S/As Issuing Certs next 6 mos. | 5K | Sep 99
Legend: AC = Access Control; DS = Digital Signature; IA = Identification and Authentication
15 External Certificate Authority (ECA) / Interim External Certificate Authority (IECA)
- An ECA is an entity authorized to issue certificates interoperable with the DoD PKI to non-DoD personnel
- What is an IECA?
- Entity authorized to issue certificates interoperable with the DoD PKI to non-DoD personnel, for a period of one year
- Why an Interim ECA?
- Need to work out best practices, understand technical and process issues, understand and resolve legal concerns before finalizing ECA approach and processes.
- IECA Help Desk and Website
- E-mail pkieca_at_ncr.disa.mil
- Phone (703) 681-6139
- http://www.disa.mil/infosec/pkieca
16 IECA Web Site
http://www.disa.mil/infosec/pkieca
17 DOD PKI Trust Model in IECA Environment
(Diagram: Level 1 - DOD PKI Med Root CA; Level 2 - Med CA-1, Med CA-2 ... Med CA-n alongside IECA 1, IECA 2 ... IECA m; Level 3 - ...)
- Certificates signed by Commercial Root
- DOD applications will need to trust multiple roots
- Minimizes liability risks for DOD
- Separate Certification Authority for DOD
- Certificates have predetermined expiration
18 DOD PKI Trust Model in ECA Environment (DRAFT)
(Diagram: Level 1 - DOD PKI Med Root CA; Level 2 - Med CA-1, Med CA-2 ... Med CA-n alongside ECA 1, ECA 2 ... ECA m; Level 3 - ...)
- Certificates signed by Commercial CA
- ECA may be certified by DOD root
- Applications will not have to handle multiple roots
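An added example, not part of the slides or of any DoD PKI software, that builds the two trust models of slides 17 and 18 with Go's standard crypto/x509 package and checks the hardware/software policy OIDs that Release 2.0 introduced (slide 5). The CA names follow the diagrams; the OID values, the key material and the end-entity names are assumptions constructed for this example, and the cross-certificate is this example's reading of "ECA may be certified by DOD root".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Policy OID values are an assumption of this example; the slides only say that
// Release 2.0 added distinct policy OIDs for hardware and software certificates.
var (
	OIDMediumSW = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 2, 1, 11, 5}
	OIDMediumHW = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 2, 1, 11, 9}
	serial      int64 // certificate serial counter
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// policiesExtension hand-encodes certificatePolicies (2.5.29.32) as a SEQUENCE of
// PolicyInformation without qualifiers, independent of which policy field a Go release marshals.
func policiesExtension(oid asn1.ObjectIdentifier) pkix.Extension {
	der := must(asn1.Marshal([]struct{ PolicyIdentifier asn1.ObjectIdentifier }{{oid}}))
	return pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: der}
}

// template builds a CA or end-entity template; a policy is attached to end entities only.
func template(cn string, ca bool, policy asn1.ObjectIdentifier) *x509.Certificate {
	t := &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if !ca {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		t.ExtraExtensions = []pkix.Extension{policiesExtension(policy)}
	}
	return t
}

// issue signs tmpl over pub with signer; a nil parent yields a self-signed certificate.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	if parent == nil { parent = tmpl }
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

type Scenario struct {
	DoDRoot, MedCA, CommercialRoot, ECACA, CrossCert, HWLeaf, SWLeaf, ECALeaf *x509.Certificate
}

// BuildScenario issues the DoD hierarchy, an external CA under a commercial root (IECA model)
// and a DoD-root cross-certificate for that same external CA (draft ECA model).
func BuildScenario() *Scenario {
	dodKey, medKey, comKey, ecaKey := newKey(), newKey(), newKey(), newKey()
	s := &Scenario{}
	s.DoDRoot = issue(template("DoD Med Root CA", true, nil), &dodKey.PublicKey, nil, dodKey)
	s.MedCA = issue(template("Med CA-1", true, nil), &medKey.PublicKey, s.DoDRoot, dodKey)
	s.CommercialRoot = issue(template("Commercial Root", true, nil), &comKey.PublicKey, nil, comKey)
	eca := template("ECA 1", true, nil)
	s.ECACA = issue(eca, &ecaKey.PublicKey, s.CommercialRoot, comKey) // IECA: signed by the commercial root
	s.CrossCert = issue(eca, &ecaKey.PublicKey, s.DoDRoot, dodKey)    // ECA: same name and key, signed by the DoD root
	s.HWLeaf = issue(template("hw.user", false, OIDMediumHW), &newKey().PublicKey, s.MedCA, medKey)
	s.SWLeaf = issue(template("sw.user", false, OIDMediumSW), &newKey().PublicKey, s.MedCA, medKey)
	s.ECALeaf = issue(template("contractor", false, OIDMediumSW), &newKey().PublicKey, s.ECACA, ecaKey)
	return s
}

// VerifyChain reports whether leaf chains to one of roots through the given intermediates.
func VerifyChain(leaf *x509.Certificate, roots, inters []*x509.Certificate) error {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots { rp.AddCert(c) }
	for _, c := range inters { ip.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// HasPolicy reports whether c asserts oid; hardware assurance is checked here, not inferred from the issuer.
func HasPolicy(c *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, p := range c.PolicyIdentifiers { if p.Equal(oid) { return true } }
	return false
}

func main() {
	s := BuildScenario()
	dod := []*x509.Certificate{s.DoDRoot}
	fmt.Println("IECA leaf, DoD root only:", VerifyChain(s.ECALeaf, dod, []*x509.Certificate{s.ECACA}) == nil)
	fmt.Println("ECA leaf via cross-cert: ", VerifyChain(s.ECALeaf, dod, []*x509.Certificate{s.CrossCert}) == nil)
	fmt.Println("hardware policy HW, SW:  ", HasPolicy(s.HWLeaf, OIDMediumHW), HasPolicy(s.SWLeaf, OIDMediumHW))
}
```

In the IECA model the contractor's certificate only validates when the commercial root is in the application's trust store, which is the "multiple roots" point on slide 17: a second root to distribute, pin and retire. In the draft ECA model the DoD root's cross-certificate for the same ECA name and key lets the application keep a single root, with the cross-certificate supplied as an intermediate. HasPolicy matters because a card-issued key that has also been copied to a floppy (slide 10) is a software key regardless of who issued the certificate; a relying party that needs hardware assurance must check the policy OID in the certificate rather than infer it from the issuing CA.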
19 IECA Vendors
- Operational Research Consultants (ORC) - Daniel Turissini (703) 535-5301 turissd_at_orc.com
- Digital Signature Trust (DST) - Keren Cummins (301) 379-2493 kcummins_at_digsigtrust.com
- VeriSign - James Brandt (410) 691-2100 jbrandt_at_verisign.com
- General Dynamics - Sandra Wheeler (781) 455-5958 sandra.wheeler_at_gd-cs.com
20 IECA Status Update
- IECA Pilot has been extended for one more year (until September 2001)
- All four IECAs are currently signing new MOAs
- DoD contributed to four programs/organizations for the purchase of IECA certificates
- Medium Grade Services (MGS)
- Joint Electronic Commerce Program Office (JECPO)
- Defense Technical Information Center (DTIC)
- Military Traffic Management Command (MTMC)
- As demand/activity increases expect certificate cost to substantially decrease
21 Using the DoD PKI - An Example
22 The I Assure Advantage http://www.disa.mil/D4/diioss/iachar.html
- Key Points
- Contract supports up to TS / SCI security requirements
- 7 year multi-award contract
- All tasks MUST BE competed, no follow-on work from previous contracts
Solutions-based: Contractors can tailor services and products for each task order proposal
Complements Enterprise Software Initiative: I Assure vendors can provide integration services for ESI products
- Task Areas
- Policy, planning, process, program and project management support
- Standards, Architecture, Engineering and Integration support
- Solution Fielding / Implementation and operations
- Education, training, and awareness; certification and accreditation; and IA support
23 DISA I ASSURE - Employed the DoD PKI in the Paperless Pre-Award of Contract Process
(Diagram labels: DITCO; DOD CA; DISN; TDY (Evaluators); INTERNET; Vendors; Encrypted Text; IDS; PKI; FW; used IECA certificates)
24 The Way Ahead
- Provide support to Common Access Card (CAC) Beta and Release 3.0
- Expand use of SIPRNET PKI
- Continue development of application enabling guidance and enabling templates
- Continue incremental releases of DOD PKI to improve product, service, and availability
- Envision seamless transition to Target PKI
Continue Satisfying The Warfighter Requirements!
25 DOD PKI Working Groups
- DOD PKI Certificate Policy Management Working Group
- co-chair - NSA - Mr. Gary Dahlquist - gndahlq_at_missi.ncsc.mil
- co-chair - DOD GC - Ms. Shauna Russell - russels_at_osdgc.osd.mil
- DOD PKI Business Working Group (BWG)
- co-chair - NSA - Ms. Debra Grempler - DAGremp_at_missi.ncsc.mil
- co-chair - DISA - Ms. Gilda McKinnon - McKinnog_at_ncr.disa.mil
- DOD PKI Technical Working Group (TWG)
- co-chair - DISA - Mr. Adam Britt - britta_at_ncr.disa.mil
- co-chair - NSA - Mr. Dave Fillingham - dwfilli_at_missi.ncsc.mil
26 PKI Website Information
- http://iase.disa.mil
- Information Assurance Support Environment
- available to .mil and .gov
- http://www.disa.mil/infosec/pkieca
- External Certification Authorities
- http://www.disa.mil/infosec/pki-int.html
- DOD PKI Medium Assurance Interoperability
- DOD PKI Medium Assurance X.509 v3 certificate standard profiles (formats and examples)