United States DoD Public Key Infrastructure: Deploying the PKI Token

R. Michael Green
Director, DoD PKI PMO
(410) 854-4900
rmgree2@missi.ncsc.mil

Becky Harris
Deputy Director, DoD PKI PMO
(703) 882-1600

NIST PKI Review, 26 April 02
UNCLASSIFIED
The Goal: To enhance the business processes and improve the IA posture of the DoD through widespread use of PK-enabled applications.

United States DoD Public Key Infrastructure Program

http://iase.disa.mil (must be from .mil or .gov domain)
http://www.c3i.osd.mil/org/sio/ia/pki/index.html

4/24/02
DoD PKI Program Management and Policy
• 9 April 99 ASD (C3I) Memorandum: Assigned DoD PKI Program Management Office (PMO) Responsibility to NSA with DISA Deputy PM
• 6 May 99 DEPSECDEF Memorandum: Defined DoD PKI Policy Objectives
• 10 Nov 99 DEPSECDEF Memorandum: Established DoD Smart Card Strategy
• 12 Aug 00 ASD (C3I) Memorandum: Rewrite of 6 May DoD PKI Memo
The Challenge - It’s a hard problem

[Figure: "Event Driven Security" / "Robustness Growth". Assurance Level plotted against Time for each PKI component (Certification Authorities, LRAs*, Tokens, Applications, Directories), with Release 3 and Release 4 marked on the time axis.]

* Local Registration Authorities
DoD Public Key Capability Requires Coordinated Convergence

[Figure: converging tracks labelled CAC Issuance & Configuration Management, PK Infrastructure, Workstation Enablement, PK Enablement, and Related Events.]
PKI in Evolution

[Figure: timeline of Surety (Quality of Certificate) against Time, with the following release milestones.]
• Release 3
• Release 3.0.1: Win 2000 Smart Card logon
• Release 3.1: email cert issuance via post issuance portal
• Release 3.x: PIN unlock/reset
• Release 4.0: KMI CI-1
• 4.X: Upgrade to DEERS/RAPIDS
DoD PKI Registration Scenarios

[Figure: registration flow among the following components.]
• DoD Root Certification Authority
• Certification Authority
• Repository/Directory
• Local Registration Authority (LRA)
• RAPIDS Workstation and Verifying Official (VO)
• Personnel Database
• End User
• End User Application
# People Requiring Certs and # People Issued Certs

[Figure: bar chart of Number Required (0 to 1,400,000) by Army, Navy, Air Force, Marine Corps, Other.]
Total Req’d 3,109,983; Total Issued 558,659 (14 April 02)
Current Status
• DoD PKI Release 3 Operational - October 01
• Key Management Infrastructure Capability Increment-1 (KMI CI-1) awarded Nov 01; will provide Release 4.
• Established PKI Interoperability Testing capability
• Reviewing and approving DoD PKI Certificate Practice Statements
Preparing for the Future
• Collected Tactical PKI User requirements
• Working with NIST & Smart Card Senior Coordinating Group to define process to add applets to FIPS 140 certified cards while maintaining FIPS 140 certification
• Updating the DoD PKI Certificate Policy (CP)
• Finalizing the DoD Key Recovery Policy
• Developed high-level approach to PK-Enabled applications
Future PKI Activities
• DoD Policy Rewrite/Milestone Review
• SIPRNET Plan
• MS Logon Agreement - Release 3.0.1
• Code Signing - Release 3.1
• Private Web Server Certs/Client Side Authentication
• Biometrics
Other Activities
• Directories, Directories, Directories
• DoD PKI and Allied Interoperability
• DoD PKI “versus” Federal and IC
• Vetting and piloting tactical and SIPRNET requirements
DoD PK-Enabled Applications
• PKI provides the underlying foundation for security services, but PK-enabled applications are required in order to implement them
• We Must Depend on Industry to Maintain the Apps
• Evaluated Applications that can process our Certificates with little User Involvement
DoD PK-Enabled Applications
• PK-Enabled Services/Applications:
  – Medium Grade Services (MGS) - secure, interoperable e-mail
  – Secure Web Services
  – DoD-specific applications (e.g. Defense Travel System, Wide Area Work Flow)
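The registration-scenario slide lists the issuance chain (DoD Root CA, Certification Authority, LRA/RAPIDS registration, directory) and the two application slides say PK-enabled applications must "process our certificates", but neither shows what that processing is. The script below is an added example, not material from the brief or DoD software: it builds a constructed two-tier hierarchy with the openssl command line and runs the chain check a relying application (for instance a web server doing client-side authentication) performs on a subscriber certificate. Every name in it ("Example Root CA", "Example Issuing CA 1", "Jane Doe", jane.doe@example.com, "Unrelated Root CA") is made up for the demonstration and is not a real DoD PKI identifier. It shows three outcomes: the certificate is accepted when it chains to the trusted root through the issuing CA, rejected when the trust anchor is an unrelated root, and rejected when the issuing CA certificate is not available to the verifier, which is the practical reason the intermediate CA certificates have to be retrievable (from the directory or supplied by the client).

```shell
#!/bin/sh
# Added example, not from the DoD PKI brief. Builds a constructed two-tier
# hierarchy (Root CA -> issuing CA -> subscriber) with the openssl CLI and
# shows the chain checks a PK-enabled application performs. All CA and
# subscriber names below are made up; none are real DoD PKI identifiers.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Write a minimal req config: fixed subject plus one extension section.
# $1 = output file, $2 = CN, remaining args = lines for the [ext] section.
write_cnf() {
  file=$1; cn=$2; shift 2
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n'
    printf '[dn]\nC = US\nO = Example Government\nOU = Example PKI\nCN = %s\n' "$cn"
    printf '[ext]\n'
    for line in "$@"; do printf '%s\n' "$line"; done
  } > "$file"
}

# Issue a certificate for CSR $1 from CA cert $2 / CA key $3, applying the
# [ext] section of config $4, writing the certificate to $5.
sign_csr() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 1825 -extfile "$4" -extensions ext -out "$5" 2>/dev/null
}

# Create the constructed hierarchy plus a second, unrelated self-signed root.
build_hierarchy() {
  # Root CA: self-signed, CA:TRUE, keyCertSign (kept offline in practice).
  write_cnf root.cnf "Example Root CA" \
    "basicConstraints = critical, CA:TRUE" \
    "keyUsage = critical, keyCertSign, cRLSign" \
    "subjectKeyIdentifier = hash"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config root.cnf -keyout root.key -out root.pem 2>/dev/null

  # Issuing CA: CSR signed by the root; pathlen:0 means it may issue
  # subscriber certificates only, never another CA.
  write_cnf ca.cnf "Example Issuing CA 1" \
    "basicConstraints = critical, CA:TRUE, pathlen:0" \
    "keyUsage = critical, keyCertSign, cRLSign" \
    "subjectKeyIdentifier = hash"
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -keyout ca.key -out ca.csr 2>/dev/null
  sign_csr ca.csr root.pem root.key ca.cnf ca.pem

  # Subscriber (token holder): end-entity identity certificate usable for
  # client authentication and signed e-mail. Name and address are constructed.
  write_cnf user.cnf "Jane Doe (constructed)" \
    "basicConstraints = critical, CA:FALSE" \
    "keyUsage = critical, digitalSignature" \
    "extendedKeyUsage = clientAuth, emailProtection" \
    "subjectAltName = email:jane.doe@example.com"
  openssl req -new -newkey rsa:2048 -nodes -config user.cnf \
    -keyout user.key -out user.csr 2>/dev/null
  sign_csr user.csr ca.pem ca.key user.cnf user.pem

  # An unrelated root that must NOT be able to vouch for user.pem.
  write_cnf rogue.cnf "Unrelated Root CA" \
    "basicConstraints = critical, CA:TRUE" \
    "keyUsage = critical, keyCertSign, cRLSign"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config rogue.cnf -keyout rogue.key -out rogue.pem 2>/dev/null
}

# The relying application's check: does certificate $3 chain to trust
# anchor $1 through intermediate $2 (may be empty), and is it fit for
# client authentication (digitalSignature + clientAuth)?
# Returns openssl verify's status: 0 = accepted, non-zero = rejected.
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" -purpose sslclient "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" -purpose sslclient "$3" >/dev/null 2>&1
  fi
}

# Same check, reported as a word for logging.
chain_status() {
  if verify_chain "$1" "$2" "$3"; then echo accepted; else echo rejected; fi
}

build_hierarchy
printf 'trusted root, intermediate supplied:   %s\n' "$(chain_status root.pem ca.pem user.pem)"
printf 'unrelated root, intermediate supplied: %s\n' "$(chain_status rogue.pem ca.pem user.pem)"
printf 'trusted root, intermediate missing:    %s\n' "$(chain_status root.pem "" user.pem)"
```

The `-purpose sslclient` switch is what turns a bare signature-chain check into an application check: openssl additionally requires the subscriber certificate to carry digitalSignature key usage and the clientAuth extended key usage, and each CA in the path to be marked CA:TRUE with keyCertSign, so a CA certificate or a signing-only certificate presented as a client identity is refused even though it chains correctly. Revocation checking (CRL or OCSP) is deliberately left out of this example and would be a further condition in a real relying party.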
DoD PKI and KMI Token Protection Profile
• Used Smart Card Security Users Group Smart Card Protection Profile as baseline document
• Information Assurance Technical Framework Forum Protection Profiles: http://www.iatf.net/protection_profiles/index.cfm
• Previous draft was released for public comment October 00 - Feb 01
• Tokens meeting this protection profile: required by mid-late 2003
Token PP FIPS 140 Requirements
• FIPS 140-2 Level 2 for Subscribers *
• FIPS 140-2 Level 3 for Registration Authorities

* If the DoD Common Access Card issuing infrastructure is not capable of issuing two different levels of cards, then all CACs will be required to meet FIPS 140-2 Level 3.
Biometrics, DMDC and CAC
• DMDC has been collecting and storing fingerprints (template & minutia) when issuing cards.
• Biometric data is not stored on the CAC
• In the event of a forgotten PIN, biometric (fingerprint) can be provided by user at a RAPIDS workstation for authentication and to unlock her CAC
Adding Biometrics to PKI & CAC
• Pilots under way now
• Discrete points where biometrics can be added:
  – CAC task order/purchase*
  – middleware upgrades*
  – DMDC/RAPIDS/DEERS upgrades*
* Probably need all three of these before fully incorporating biometrics
• May impact CAC FIPS 140 certification