Department of Defense (DOD) Class 3 Medium Assurance Public Key Infrastructure (PKI) Status
21 September 2000
Gilda McKinnon, DISA D25, (703) 681-9024, mckinnog@ncr.disa.mil
Colleen Carboni, DISA D25, (703) 681-6139, carbonic@ncr.disa.mil

Agenda
• DoD Class 3 PKI
• Medium Assurance Pilot, Release 1.0
• Class 3 PKI Release 2.0
• Class 3 PKI Release 3.0 – Common Access Card (CAC) Beta
• Registration
• Training
• Application Support
• External Certification Authorities and Interim External Certification Authorities
• Using the DoD PKI - An Example
• Way Ahead

DoD Class 3 PKI Components and Statistics
• Operational on
 – NIPRNET: 41,402 identity certificates; 26,494 email certificates; 2,906 server certificates; 646 LRAs; 107 RAs
 – SIPRNET: 117 identity certificates; 51 server certificates; 3 RAs; 2 LRAs
• CA Architecture is highly centralized
• LRAs highly decentralized
• Components shown in the diagram: NSA Root; Server; Directory; Certificate Authority (CA) at DECC Detachment Chambersburg, PA and DECC Detachment Denver, CO; Registration Authority (RA); Local Registration Authority (LRA); Users
• 24 x 7 Help Desk: 1-800-582-4764, weblog@chamb.disa.mil

Medium Assurance PKI Pilot, Release 1.0
• Operational on
 – NIPRNET since April 1998
 – SIPRNET since September 1999
• Certificates are valid until their expiration date
• Interoperable with Class 3 PKI Release 2.0
• NIPRNET user registration should transition to Class 3 PKI - 31 Dec 00
 – Exceptions will be made on a case by case basis by the PKI PMO

Class 3 PKI Release 2.0 Enhancements
• Operational July 31, 2000
• Asserts Class 3 level of assurance
• Enhancements
 – Key Escrow/Key Recovery
 – FIPS 140-1 level 2 hardware signing of certificates
 – Added Policy Object Identifiers to differentiate between HW/SW certificates
 – FIPS 140-1 level 2 smart cards for registration personnel
 – Larger capacity infrastructure
 – Improved firewall protection of the enclaves
• Training
 – RA/LRA training started in May 00 and will continue through FY01

Transitioning Registration Authorities (RAs), Local Registration Authorities (LRAs), and Users to Class 3 PKI
• RA and LRA Workstation Requirement:
 – Pentium or higher, 64MB RAM
 – Windows NT 4.0 OS (Service Pack 4)
 – Netscape Communicator 4.73 or higher (US Version non-export) with Personal Security Manager (PSM) 1.1
 – FIPS 140-1 level 2 Hardware token
 – Dedicated printer (non-networked)
 – NIPRNET/INTERNET connectivity
 – LRA application 2.1
 – Use Windows NT lockdown procedure
• User
 – Netscape Communicator 4.73 with PSM 1.1
Instructions for establishing an RA/LRA workstation are at http://iase.disa.mil/documentlib.html#PKIDOCS

Class 3 PKI Release 3.0 Enhancements
• Establishes connection to Defense Enrollment Eligibility Reporting System (DEERS); DEERS provides the PKI Unique Identification Number
• Enables Real-time Automated Personnel Identification System (RAPIDS) Verification Officers (VOs) to issue PKI certificates on Common Access Card (CAC)
• Schedule:
 – CAC BETA 1st QTR FY01
 – System Security Assessment 1st QTR FY01
 – Release 3.0 2nd QTR FY01

Common Access Card (CAC) BETA ID Certificate Issuance
Flow diagram (steps numbered 1–8 on the slide) with the following participants and actions:
• VO / LRA: Person Authentication & Data Update; Establish User; Generate Keys; Obtain Certificates; Load Keys
• DEERS Data Base: inquiry for demographic and personnel information; ID card, picture and fingerprint
• Directory Services: updates to the directory from DEERS (ID and demographic information)
• Smart Card: private key generation on the card; public key sent to the Certificate Authority
• Certificate Authority: issues the CERT, which is loaded onto the smart card

Common Access Card (CAC) BETA Email Certificate Issuance
• If you know your e-mail address at initial issuance of CAC
 – VO/LRA will issue both identity and email certificates on your CAC
• If not, once you do know your email address
 – You can return to the VO/LRA at a later date to obtain your email certificates; or
 – You can go to your CINC/Service/Agency LRA for your certificates on a software token.
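Release 2.0 added policy OIDs so that a relying party can tell a hardware-token certificate (keys generated on the CAC or a FIPS 140-1 level 2 token) from a software-token one. The check that an application has to make for that distinction is to read the certificatePolicies extension and compare the asserted OIDs against the ones it accepts. The following is an added example, not DISA or DoD PKI code: a minimal DER encoder/parser for certificatePolicies and the resulting policy decision, using only the Python standard library. The two OID values are constructed placeholders, since the slides do not give the real DoD policy OIDs.

```python
"""certificatePolicies check for HW vs SW token certificates.
Added example (not DISA/DoD code).  The policy OIDs below are CONSTRUCTED
placeholders; the briefing does not list the real DoD values."""
from __future__ import annotations

# Constructed placeholder policy OIDs (assumption, not the real DoD OIDs).
POLICY_MEDIUM_SW = "2.16.840.1.101.9999.1"   # medium assurance, software token
POLICY_MEDIUM_HW = "2.16.840.1.101.9999.2"   # medium assurance, hardware token


def der(tag: int, body: bytes) -> bytes:
    """Tag/length/value with a DER definite length (short form below 128)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: arcs 0 and 1 packed into one byte, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]          # low 7 bits last, no continuation bit
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(groups))
    return der(0x06, bytes(body))


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one TLV at pos -> (tag, value, next position).
    Rejects indefinite and non-minimal lengths (forbidden in DER) and values
    that run past the buffer, so a malformed extension cannot be misread."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        if length < 0x80:
            raise ValueError("non-minimal DER length")
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(value: bytes) -> str:
    """Inverse of encode_oid (assumes a single-byte first subidentifier)."""
    if not value:
        raise ValueError("empty OID")
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc, pending = 0, False
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)       # continuation bit: more bytes follow
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def encode_certificate_policies(oids: list[str]) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID }"""
    return der(0x30, b"".join(der(0x30, encode_oid(o)) for o in oids))


def parse_certificate_policies(ext_value: bytes) -> list[str]:
    """Policy OIDs asserted in the extension value; qualifiers after the OID are ignored."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        otag, oval, _ = read_tlv(info, 0)
        if otag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oval))
    return oids


def token_assurance(ext_value: bytes) -> str:
    """'hardware', 'software' or 'unknown'; the HW policy wins if both are asserted."""
    asserted = set(parse_certificate_policies(ext_value))
    if POLICY_MEDIUM_HW in asserted:
        return "hardware"
    if POLICY_MEDIUM_SW in asserted:
        return "software"
    return "unknown"


def accept_for_signing(ext_value: bytes, require_hardware: bool) -> bool:
    """Unknown policies are never accepted; SW certs only when HW is not required."""
    level = token_assurance(ext_value)
    if level == "unknown":
        return False
    return level == "hardware" or not require_hardware
```

The decision function fails closed: a certificate that asserts no recognised policy is rejected even when hardware is not required, which is the behaviour a relying party wants when a new CA or policy appears that it has not been configured for.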
PKI Integration with CAC
• Teaming with DMDC
• PKI registration built into RAPIDS terminal
 – Process is transparent
 – When card is issued, private key and certificate are placed on the card
 – A floppy containing the same keys may also be provided
 • Applications still mostly require this form of certificate
• Identification information for certificate and directory comes from DEERS
 – For both RAPIDS registration and native PKI LRA registration
• Unique user id from DEERS
 – Needed to sync directories across DoD

Registration Authorities and Local Registration Authorities
• Registration Authorities (RAs)
 – List of RAs can be found at http://iase.disa.mil/PKI/RA/ra.html
• Local Registration Authorities (LRAs)
 – List of LRAs can be found at http://iase.disa.mil/PKI/RA/lra.html

Training Information
• Training will be provided monthly throughout FY01
 – 4 days Local Registration Authority (LRA) Training
 – 1 day Registration Authority (RA) Training
• An additional 16 hours of LRA training at Defense Security Service Academy (DSSA) each quarter
• Three (3) 1 week on-site training sessions are planned for C/S/As
• Attendees must coordinate registration for the RA/LRA class with their respective C/S/A PKI representative
http://iase.disa.mil/PKI/PKITrain.html

Application Support
• Requirement Documentation:
 – Department of Defense Class 3 Public Key Infrastructure Interface Specification, Version 1.2, dated August 10, 2000, draft
 – Department of Defense Class 3 Public Key Infrastructure Public Key-Enabled Application Requirements, dated July 31, 2000
 – Documents are available at http://iase.disa.mil/documentlib.html#PKIDOCS
• Class 3 PKI Testbed
 – Mirrors DoD PKI Class 3 operational environment
 – Resides at the DISA Joint Interoperability Test Command (JITC)
 – Additional information at http://jitc.fhu.disa.mil
• Working with Defense Information Assurance Program on process for PK-enabling applications

Application Support - Some Examples

Application | Capability | Status | Planned Users | Initial Capability
Army Chief of Staff | AC | Issuing Certs | 5K | Oct 98
DISA | AC | Reg. Complete | 8K | Nov 98
Electronic Document Access (EDA) | AC, I&A | C/S/A's Issuing Certs | 6K | Dec 98
Wide Area Workflow Prototype DD Form 250 | AC, I&A, DS | C/S/A's Issuing Certs | (see note) | (see note)
Navy | AC, DS | Issuing Certs | (see note) | (see note)
Defense Security Service | AC, DS | Reg. Complete | (see note) | (see note)
Defense Travel System | AC, I&A, DS | C/S/A's working process | 2.5K | 2Q FY00
Defense Message System Medium Grade Service | DS, Encryption | C/S/A's Issuing Certs | 400K | next 6 mos.

Note: the slide also lists the figures 6K Feb 99, 100K Feb 99, 300 to May 99 and 5K Sep 99 for the Wide Area Workflow, Navy and Defense Security Service rows; their alignment to those rows was lost in extraction.
Legend: AC = Access Control; DS = Digital Signature; I&A = Identification and Authentication

External Certificate Authority (ECA) & Interim External Certificate Authority (IECA)
• An ECA is an entity authorized to issue certificates interoperable with the DoD PKI to non-DoD personnel
• What is an IECA?
 – An entity authorized to issue certificates interoperable with the DoD PKI to non-DoD personnel, for a period of one year
• Why an Interim ECA?
 – Need to work out best practices, understand technical and process issues, and understand and resolve legal concerns before finalizing the ECA approach and processes.
• IECA Help Desk and Website
 – E-mail: pkieca@ncr.disa.mil
 – Phone: (703) 681-6139
 – http://www.disa.mil/infosec/pkieca

IECA Web Site: http://www.disa.mil/infosec/pkieca

DOD PKI Trust Model in IECA Environment
Level 1: DOD PKI Med Root CA
Level 2: Med CA-1, Med CA-2, ..., Med CA-n
Level 3: subscriber certificates, e.g. Harris 9234567890, Smith.John.C.1234567890, Jones.Alice.B.0987654321
Separate hierarchy: IECA 1, IECA 2, ..., IECA m (certificates signed by a Commercial Root), issuing subscriber certificates such as Lambert 9934567890 and Gilbert.Sally.K.6789012345
• DOD applications will need to trust multiple roots
• Minimizes liability risks for DOD
• Separate Certification Authority for DOD
• Certificates have predetermined expiration

DOD PKI Trust Model in ECA Environment (DRAFT)
Level 1: DOD PKI Med Root CA
Level 2: Med CA-1, Med CA-2, ..., Med CA-n
Level 3: subscriber certificates, e.g. Harris 9234567890, Smith.John.C.1234567890, Jones.Alice.B.0987654321
ECA 1, ECA 2, ...
..., ECA m, issuing subscriber certificates such as Lambert 9934567890 and Gilbert.Sally.K.6789012345
• Certificates signed by Commercial CA
• ECA may be certified by DOD root
• Applications will not have to handle multiple roots

IECA Vendors
• Operational Research Consultants (ORC): Daniel Turissini; (703) 535-5301; turissd@orc.com
• Digital Signature Trust (DST): Keren Cummins; (301) 379-2493; kcummins@digsigtrust.com
• VeriSign: James Brandt; (410) 691-2100; jbrandt@verisign.com
• General Dynamics: Sandra Wheeler; (781) 455-5958; sandra.wheeler@gd-cs.com

IECA Status Update
• IECA Pilot has been extended for one more year (until September 2001)
• All four IECAs are currently signing new MOAs
• DoD contributed to four programs/organizations for the purchase of IECA certificates
 – Medium Grade Services (MGS)
 – Joint Electronic Commerce Program Office (JECPO)
 – Defense Technical Information Center (DTIC)
 – Military Traffic Management Command (MTMC)
• As demand/activity increases, expect certificate cost to decrease substantially

Using the DoD PKI - An Example

The I Assure Advantage
http://www.disa.mil/D4/diioss/iachar.html
Key Points:
• Contract supports up to TS / SCI security requirements
• 7 year multi-award contract
• All tasks MUST BE competed, no follow-on work from previous contracts
Most of the work awarded under this contract will be professional services; however, the contract is structured to permit purchase of a full range of Information Assurance (IA) solutions, including the hardware, software and enabling products necessary to implement these solutions.
Solutions-based: Contractors can tailor services and products for each task order proposal
Complements Enterprise Software Initiative: I Assure vendors can provide integration services for ESI products
Task Areas:
• Policy, planning, process, program and project management support
• Standards, Architecture, Engineering and Integration support
• Solution Fielding / Implementation and operations
• Education, training, and awareness; certification and accreditation; and IA support

DISA 'I ASSURE' - Employed the DoD PKI in the Paperless "Pre-Award" of Contract Process
Diagram elements (steps numbered 1–4 on the slide): DITCO; DOD CA; DISN; TDY '1-800'; Skyline 6, Room 513 (164.117.75.xx); IDS HQ, Chantilly, VA (38.249.212.xx); INTERNET (Evaluators); IDS PKI FW; encrypted text (shown as "x1df4MS@") passing between the sites; Vendors (used IECA certificates)

The Way Ahead
• Provide support to Common Access Card (CAC) Beta and Release 3.0
• Expand use of SIPRNET PKI
• Continue development of application enabling guidance and enabling templates
• Continue incremental releases of DOD PKI to improve product, service, and availability
• Envision seamless transition to Target PKI
Continue Satisfying The Warfighter Requirements!

DOD PKI Working Groups
• DOD PKI Certificate Policy Management Working Group:
 – co-chair - NSA - Mr. Gary Dahlquist - gndahlq@missi.ncsc.mil
 – co-chair - DOD GC - Ms. Shauna Russell - russels@osdgc.osd.mil
• DOD PKI Business Working Group (BWG):
 – co-chair - NSA - Ms. Debra Grempler - DAGremp@missi.ncsc.mil
 – co-chair - DISA - Ms. Gilda McKinnon - McKinnog@ncr.disa.mil
• DOD PKI Technical Working Group (TWG):
 – co-chair - DISA - Mr. Adam Britt - britta@ncr.disa.mil
 – co-chair - NSA - Mr. Dave Fillingham - dwfilli@missi.ncsc.mil

PKI Website Information
• http://iase.disa.mil – Information Assurance Support Environment
 – available to .mil and .gov
• http://www.disa.mil/infosec/pkieca – External Certification Authorities
• http://www.disa.mil/infosec/pki-int.html – DOD PKI Medium Assurance Interoperability
 – DOD PKI Medium Assurance X.509 v3 certificate standard profiles (formats and examples)
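The two trust-model slides (IECA environment versus the draft ECA environment) differ only in where the external CA's certificate is signed, yet that decides what a DoD application has to put in its trust store: with IECAs under a commercial root the application must trust multiple roots, whereas an ECA certified by the DOD root chains to the single root the application already trusts. The following added example (not DoD or DISA code) reduces certificates to their subject/issuer links and validity dates and builds the certification path for both topologies, using the names from the slides. Signature verification is deliberately not modelled, so it shows only the trust-anchor question; the certificates, their dates and the "Commercial Root" name are constructed.

```python
"""Trust-anchor topology from the IECA / ECA trust-model slides.
Added example (not DoD/DISA code).  Certificates are name links plus a
not-after date; real path validation also verifies each signature."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date
    is_ca: bool = False


class PathError(Exception):
    """No acceptable certification path to a trust anchor."""


def build_path(leaf: Cert, pool: dict[str, Cert], trust_anchors: set[str],
               today: date, max_depth: int = 6) -> list[str]:
    """Follow issuer links from leaf until an issuer name is a trust anchor.
    pool maps CA subject -> CA certificate known to the relying party
    (intermediates and cross-certificates).  Returns subject names on the
    path, leaf first, anchor last, or raises PathError."""
    path, cur = [], leaf
    while True:
        if cur.not_after < today:            # predetermined expiration
            raise PathError(f"{cur.subject} expired on {cur.not_after}")
        if cur.subject in path:
            raise PathError("issuer loop")
        path.append(cur.subject)
        if cur.issuer in trust_anchors:
            return path + [cur.issuer]
        if len(path) >= max_depth:
            raise PathError("path too long")
        nxt = pool.get(cur.issuer)
        if nxt is None or not nxt.is_ca:
            raise PathError(f"no trusted path: {cur.issuer} is neither a "
                            "trust anchor nor a known CA")
        cur = nxt


def describe(leaf: Cert, pool: dict[str, Cert], anchors: set[str],
             today: date | None = None) -> str:
    """One-line verdict for a leaf under a given trust store."""
    try:
        return "OK: " + " -> ".join(build_path(leaf, pool, anchors, today or TODAY))
    except PathError as err:
        return f"REJECTED: {err}"


# Constructed certificates using the names on the slides (dates are assumptions).
TODAY = date(2000, 9, 21)                 # date of the briefing
AFTER_EXPIRY = date(2001, 7, 1)           # constructed later date
DOD_ROOT = "DOD PKI Med Root CA"
COMMERCIAL_ROOT = "Commercial Root"
MED_CA_1 = Cert("Med CA-1", DOD_ROOT, date(2003, 1, 1), is_ca=True)
HARRIS = Cert("Harris 9234567890", "Med CA-1", date(2001, 9, 1))
IECA_1 = Cert("IECA 1", COMMERCIAL_ROOT, date(2001, 9, 30), is_ca=True)   # IECA: commercial root signs
ECA_1_CROSS = Cert("ECA 1", DOD_ROOT, date(2002, 1, 1), is_ca=True)       # ECA: DOD root certifies it
LAMBERT_IECA = Cert("Lambert 9934567890", "IECA 1", date(2001, 6, 1))
LAMBERT_ECA = Cert("Lambert 9934567890", "ECA 1", date(2001, 6, 1))

POOL_IECA = {c.subject: c for c in (MED_CA_1, IECA_1)}
POOL_ECA = {c.subject: c for c in (MED_CA_1, ECA_1_CROSS)}

if __name__ == "__main__":
    print("DoD user, DoD root only:       ", describe(HARRIS, POOL_IECA, {DOD_ROOT}))
    print("IECA user, DoD root only:      ", describe(LAMBERT_IECA, POOL_IECA, {DOD_ROOT}))
    print("IECA user, both roots trusted: ", describe(LAMBERT_IECA, POOL_IECA, {DOD_ROOT, COMMERCIAL_ROOT}))
    print("ECA user, DoD root only:       ", describe(LAMBERT_ECA, POOL_ECA, {DOD_ROOT}))
    print("IECA user after expiry:        ", describe(LAMBERT_IECA, POOL_IECA, {DOD_ROOT, COMMERCIAL_ROOT}, AFTER_EXPIRY))
```

The same leaf for Lambert is rejected in the IECA topology until the commercial root is added as a second anchor, and accepted in the ECA topology with the DOD root alone because the cross-certificate for ECA 1 is in the pool; the expired case shows why the slide's "predetermined expiration" bullet matters to the relying party rather than only to the CA.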