Colleen Carboni

1
Department of Defense (DOD) Class 3 Medium
Assurance Public Key Infrastructure (PKI)
Status 21 September 2000
Gilda McKinnon DISA D25 (703) 681-9024 mckinnog_at_nc
r.disa.mil

• Colleen Carboni
• DISA D25
• (703) 681-6139
• carbonic_at_ncr.disa.mil

2
Agenda

• DoD Class 3 PKI
• Medium Assurance Pilot, Release 1.0
• Class 3 PKI Release 2.0
• Class 3 PKI Release 3.0
• Common Access Card (CAC) Beta
• Registration
• Training
• Application Support
• External Certification Authorities and Interim
  External Certification Authorities
• Using the DoD PKI - An Example
• Way Ahead

3
DoD Class 3 PKIComponents and Statistics
NSA

• Operational on
• NIPRNET
• 41,402 identity
• 26,494 email
• 2,906 servers
• 646 LRAs
• 107 RAs
• SIPRNET
• 117 identity
• 51 servers
• 3 RAs
• 2 LRAs

Certificate Authority (CA)
RootServer
Directory
DECC Detatchment Chambersburg, PA and DECC
Detatchment Denver, CO
Local RegistrationAuthority (LRA)
Registration Authority (RA)

• CA Architecture is highly centralized
• LRAs highly decentralized

24 X 7 Help Desk 1-800-582-4764 weblog_at_chamb.disa.
mil
Users
4
Medium Assurance PKI Pilot, Release 1.0

• Operational on -
• NIPRNET since April 1998
• SIPRNET since September 1999
• Certificates are valid until their expiration
  date
• Interoperable with Class 3 PKI Release 2.0
• NIPRNET user registration should transition to
  Class 3 PKI - 31 Dec 00
• Exceptions will be made on a case by case basis
  by the PKI PMO

5
Class 3 PKI Release 2.0Enhancements

• Operational July 31, 2000
• Asserts Class 3 level of assurance
• Enhancements
• Key Escrow/Key Recovery
• FIPS 140-1 level 2 hardware signing of
  certificates
• Added Policy Object Identifiers to differentiate
  between HW/SW certificates
• FIPS 140-1 level 2 smart cards for registration
  personnel
• Larger capacity infrastructure
• Improved firewall protection of the enclaves
• Training
• RA/LRA training started in May 00 will continue
  through FY01

RAISING THE BAR
6
Transitioning Registration Authorities (RAs),
Local Registration Authorities (LRAs), and
Users to Class 3 PKI

• RA and LRA Workstation Requirement
• Pentium or higher, 64MB RAM
• Windows NT 4.0 OS (Service Pack 4)
• Netscape Communicator 4.73 or higher (US Version
  - non-export) with Personal Security Manager
  (PSM) 1.1
• FIPS 140-1 level 2 Hardware token
• Dedicated printer (non-networked)
• NIPRNET/INTERNET connectivity
• LRA application 2.1
• Use Windows NT lockdown procedure
• User
• Netscape Communicator 4.73 with PSM 1.1

Instructions for establishing an RA/LRA
workstation are at
http//iase.disa.mil/documentlib.htmlPKIDOCS
7
Class 3 PKI Release 3.0Enhancements

• Establishes connection to Defense Enrollment
  Eligibility Reporting System (DEERS), DEERS
  provides the PKI Unique Identification Number
• Enables Real-time Automated Personnel
  Identification System (RAPIDS) Verification
  Officers (VOs) to issue
• PKI certificates on Common Access Card (CAC)
• Schedule
• CAC BETA 1st QTR FY01
• System Security Assessment 1st QTR FY01
• Release 3.0 2nd QTR FY01

8
Common Access Card (CAC) BETAID Certificate
Issuance
VO \ LRA
9
Common Access Card (CAC) BETAEmail Certificate
Issuance

• If you know your e-mail address at initial
  issuance of CAC
• VO/LRA will issue both identity and email
  certificates on your CAC
• If not, once you do know your email address
• You can return to the VO/LRA at a later date to
  obtain your email certificates
• or
• You can go to your CINC/Service/Agency LRA for
  your certificates on a software token.

10
PKI Integration with CAC

• Teaming with DMDC
• PKI registration built into RAPIDS terminal
• Process is transparent
• When card issued, private key and certificate
  placed on card
• Floppy containing same keys may also be provided
• Applications still mostly required this form of
  certificate
• Identification information for certificate and
  directory from DEERS
• For both RAPIDS registration and native PKI LRA
  registration
• Unique user id from DEERS
• Needed to sync directories across DoD

11
Registration Authorities and Local Registration
Authorities

• Registration Authorities (RAs)
• List of RAs can be found at
• http//iase.disa.mil/PKI/RA/ra.html

• Local Registration Authorities (LRAs)
• List of LRAs can be found at
• http//iase.disa.mil/PKI/RA/lra.html

12
Training Information

• Training will be provided monthly throughout FY01
• 4 days Local Registration Authority (LRA)
  Training
• 1 day Registration Authority (RA) Training
• An additional 16 hours of LRA training at Defense
  Security Service Academy (DSSA) each quarter
• Three (3) 1 week on-site training sessions are
  planned for C/S/As
• Attendees must coordinate registration for RA/LRA
  class with their respective C/S/A PKI
  representative

http//iase.disa.mil/PKI/PKITrain.html
13
Application Support

• Requirement Documentation
• Department of Defense Class 3 Public Key
  Infrastructure Interface Specification, Version
  1.2, dated August 10, 2000, draft
• Department of Defense CLASS 3 PKI Public
  Infrastructure Public Key-Enabled of Application
  Requirements, dated July 31, 2000
• Documents are available at http//iase.disa.mil/do
  cumentlib.htmlPKIDOCS
• Class 3 PKI Testbed
• Mirrors DoD PKI Class 3 operational environment
• Resides at the DISA Joint Interoperability Test
  Command (JITC)
• Additional information at http//jitc/fhu.disa.mil
  
• Working with Defense Information Assurance
  Program on process for PK-enabling applications

14
Application SupportSome Examples
Planned Initial App.
Status Users Capability Army Chief of Staff AC
Issuing Certs 5K Oct
98 DISA AC Reg.
Complete 8K Nov 98 Electronic Document AC, IA
C/S/As Issuing 6K Dec 98 Access (EDA)
Certs Wide Area
Workflow AC, IA C/S/As
Issuing 6K Feb 99 Prototype DDForm 250 DS
Certs Navy AC, DS
Issuing Certs 100K Feb 99 Defense Security AC, DS
Reg. Complete 300 to May
99 Service 2.5K Defense Travel AC, IA, DS
C/S/As working 400K 2Q FY00 System
process Defense Message System DS,
Encryption C/S/As Issuing 5K
Sep 99 Medium Grade Service
Certs next 6 mos.
Access Control AC
Digital Signature DS
Identification and Authentication IA
15
External Certificate Authority (ECA) Interim
External Certificate Authority (IECA)

• An ECA is an entity authorized to issue
  certificates interoperable with the DoD PKI to
  non-DoD personnel
• What is an IECA?
• Entity authorized to issue certificates
  interoperable with the DoD PKI to non-DoD
  personnel, for a period of one year
• Why an Interim ECA?
• Need to work out best practices, understand
  technical and process issues, understand and
  resolve legal concerns before finalizing ECA
  approach and processes.
• IECA Help Desk and Website
• E-mail pkieca_at_ncr.disa.mil
• Phone (703) 681-6139
• http//www.disa.mil/infosec/pkieca

16
IECA Web Site
http//www.disa.mil/infosec/pkieca
17
DOD PKI Trust Model in IECA Environment
DOD PKI
Med
Root CA
Level 1
...
IECA 1
IECA 2
IECA m
Med
CA-1
Med
CA-2
Med
CA-n
Level 2
..
Level 3

• Certificates signed by Commercial Root
• DOD applications will need to trust multiple
  roots
• Minimizes liability risks for DOD
• Separate Certification Authority for DOD
• Certificates have predetermined expiration

18
DOD PKI Trust Model in ECA Environment (DRAFT)
DOD PKI
Med
Root CA
Level 1
...
ECA 1
ECA 2
ECA m
Med
CA-1
Med
CA-2
Med
CA-n
Level 2
..
Level 3

• Certificates signed by Commercial CA
• ECA may be certified by DOD root
• Applications will not have to handle multiple
  roots

19
IECA Vendors

• Operational Research Consultants (ORC) Daniel
  Turissini (703) 535-5301 turissd_at_orc.com
• Digital Signature Trust (DST) Keren Cummins
  (301) 379-2493 kcummins_at_digsigtrust.com
• VeriSign James Brandt (410) 691-2100
  jbrandt_at_verisign.com
• General Dynamics Sandra Wheeler (781) 455-5958
  sandra.wheeler_at_gd-cs.com

20
IECA Status Update

• IECA Pilot has been extended for one more year
  (until September 2001)
• All four IECAs are currently signing new MOAs
• DoD contributed to four programs/organizations
  for the purchase of IECA certificates
• Medium Grade Services (MGS)
• Joint Electronic Commerce Program Office (JECPO)
• Defense Technical Information Center (DTIC)
• Military Traffic Management Command (MTMC)
• As demand/activity increases expect certificate
  cost to substantially decrease

21

• Using the DoD PKI
• An Example

22
The I Assure Advantage http//www.disa.mil/D4/dii
oss/iachar.html

• Key Points
• Contract supports up to TS / SCI security
  requirements
• 7 year multi-award contract
• All tasks MUST BE competed, no follow-on work
  from previous contracts

Solutions-based Contractors can tailor services
and products for each task order proposal
Complements Enterprise Software Initiative I
Assure vendors can provide integration services
for ESI products

• Task Areas
• Policy, planning, process, program and project
  management support
• Standards, Architecture, Engineering and
  Integration support
• Solution Fielding / Implementation and operations
• Education, training, and awareness certification
  and accreditation and IA support

23
DISA I ASSURE - Employed the DoD PKI in the
Paperless Pre-Award of Contract Process
DITCO
1
DOD CA
DISN
4
TDY
1-800
Skyline 6 Room 513 164.117.75.xx
4
INTERNET
x1df4MS_at_
(Evaluators)
2
x1df4MS_at_
Vendors
Encrypted Text
IDS
PKI
FW
(Used ICEA certificates)
24
The Way Ahead

• Provide support to Common Access Card (CAC) Beta
  and Release 3.0
• Expand use of SIPRNET PKI
• Continue development of application enabling
  guidance and enabling templates
• Continue incremental releases of DOD PKI to
  improve product, service, and availability
• Envision seamless transition to Target PKI

Continue Satisfying The Warfighter Requirements!
25
DOD PKI Working Groups

• DOD PKI Certificate Policy Management Working
  Group
• co-chair - NSA - Mr. Gary Dahlquist
  gndahlq_at_missi.ncsc.mil
• co-chair - DOD GC - Ms. Shauna Russell -
  russels_at_osdgc.osd.mil
• DOD PKI Business Working Group (BWG)
• co-chair - NSA - Ms. Debra Grempler -
  DAGremp_at_missi.ncsc.mil
• co-chair - DISA - Ms. Gilda McKinnon -
  McKinnog_at_ncr.disa.mil
• DOD PKI Technical Working Group (TWG)
• co-chair - DISA - Mr. Adam Britt -
  britta_at_ncr.disa.mil
• co-chair - NSA - Mr. Dave Fillingham
  dwfilli_at_missi.ncsc.mil

26
PKI Website Information

• http//iase.disa.mil
• Information Assurance Support Environment
• available to .mil and .gov
• http//www.disa.mil/infosec/pkieca
• External Certification Authorities
• http//www.disa.mil/infosec/pki-int.html
• DOD PKI Medium Assurance Interoperability
• DOD PKI Medium Assurance X.509 v3 certificate
  standard profiles (formats and examples)