Page 1

United States DoD Public Key Infrastructure: Deploying the PKI Token

R. Michael Green, Director, DoD PKI PMO, (410) 854-4900, rmgree2@missi.ncsc.mil
Becky Harris, Deputy Director, DoD PKI PMO, (703) 882-1600, [email protected]

NIST PKI Review, 26 April 02

UNCLASSIFIED

Page 2

The Goal: To enhance the business processes and improve the IA posture of the DoD through widespread use of PK-enabled applications.

United States DoD Public Key Infrastructure Program
http://iase.disa.mil (must be from .mil or .gov domain)
http://www.c3i.osd.mil/org/sio/ia/pki/index.html

4/24/02 UNCLASSIFIED

Page 3

DoD PKI Program Management and Policy

• 9 April 99 ASD (C3I) Memorandum: Assigned DoD PKI Program Management Office (PMO) Responsibility to NSA with DISA Deputy PM
• 6 May 99 DEPSECDEF Memorandum: Defined DoD PKI Policy Objectives
• 10 Nov 99 DEPSECDEF Memorandum: Established DoD Smart Card Strategy
• 12 Aug 00 ASD (C3I) Memorandum (Rewrite of 6 May DoD PKI Memo)

Page 4

The Challenge - It’s a hard problem

[Figure: assurance level plotted against time for each PKI component (Certification Authorities, LRAs*, Tokens, Applications, Directories), moving from Release 3 to Release 4; labelled Event Driven Security and Robustness Growth.]

* Local Registration Authorities

Page 5

DoD Public Key Capability Requires Coordinated Convergence

[Figure: converging elements: CAC Issuance & Configuration Management, PK Infrastructure, Workstation Enablement, PK Enablement, Related Events.]

Page 6

PKI in Evolution

[Figure: surety (quality of certificate) plotted against time across releases.]

Release 3
Release 3.0.1: Win 2000 Smart Card logon
Release 3.1: email cert issuance via post issuance portal
Release 3.x: PIN unlock/reset
Release 4.0 / 4.x: KMI CI-1; upgrade to DEERS/RAPIDS

Page 7

DoD PKI Registration Scenarios

[Figure: registration flow among the DoD Root Certification Authority, Certification Authority, Repository/Directory, Personnel Database, RAPIDS Workstation and Verifying Official (VO), Local Registration Authority (LRA), End User, and End User Application.]
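The registration diagram above ends at the end-user application, which is where the trust decision is actually made: the application must build a path from the subscriber's certificate through the issuing Certification Authority to the DoD Root CA it trusts, and check that the certificate is being used for what it was issued for. The Go program below is an added example, not code from the slides or from the DoD PKI program; it mints a toy two-tier hierarchy in memory with the standard library and performs that relying-party check, including a look-alike certificate from a rogue root that must be rejected. The CA and subscriber names, the ECDSA P-256 keys, the lifetimes and the rogue CA are all assumptions for illustration; nothing here describes the real DoD certificate profiles.

```go
package main

// Added example, not from the slide deck: a toy two-tier hierarchy in the shape of
// the registration diagram (Root CA -> CA -> subscriber), built and validated with
// Go's standard library. Names, key types and lifetimes are assumptions.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy: pinned trust anchor, issuing CA, subscriber, and a rogue pair that must fail.
type Hierarchy struct {
	Root, CA, Subscriber, RogueRoot, RogueSub *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// issue signs tmpl with signer (parent == tmpl for a self-signed root) and re-parses
// the DER so the issuer name and key identifiers are populated as in a real cert.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// caTemplate restricts a CA to signing; pathLen 0 stops a subordinate CA minting further CAs.
func caTemplate(serial int64, cn string, pathLen int, start time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"Example PKI"}, CommonName: cn},
		NotBefore:             start,
		NotAfter:              start.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0, // needed to encode pathLen 0 explicitly
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildHierarchy mints all certificates in memory (constructed test data, no DoD values).
func BuildHierarchy() *Hierarchy {
	start := time.Now().Add(-time.Hour)
	rootKey, caKey, subKey, rogueKey, rogueSubKey := newKey(), newKey(), newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Example Root CA", 1, start)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	ca := issue(caTemplate(2, "Example Issuing CA", 0, start), root, &caKey.PublicKey, rootKey)
	subTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{Organization: []string{"Example PKI"}, CommonName: "Jane Subscriber"},
		NotBefore:    start,
		NotAfter:     start.Add(3 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// Identity cert: client (logon/web) authentication and signed e-mail only.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}
	sub := issue(subTmpl, ca, &subKey.PublicKey, caKey)
	// A rogue root issues a cert with the same subject name; the relying party must reject it.
	rogueTmpl := caTemplate(100, "Rogue Root CA", 1, start)
	rogueRoot := issue(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	subTmpl.SerialNumber = big.NewInt(101)
	rogueSub := issue(subTmpl, rogueRoot, &rogueSubKey.PublicKey, rogueKey)
	return &Hierarchy{Root: root, CA: ca, Subscriber: sub, RogueRoot: rogueRoot, RogueSub: rogueSub}
}

// VerifySubscriber is the relying-party step: build a path from the leaf through the
// intermediate to the pinned anchor and require the stated extended key usage.
// Returns the chain length (3 = leaf, CA, root) or the verification error.
func VerifySubscriber(leaf, intermediate, anchor *x509.Certificate, usage x509.ExtKeyUsage) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	inters.AddCert(intermediate)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{usage}})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	h := BuildHierarchy()
	n, err := VerifySubscriber(h.Subscriber, h.CA, h.Root, x509.ExtKeyUsageClientAuth)
	fmt.Println("genuine subscriber: chain length", n, "err:", err)
	_, err = VerifySubscriber(h.RogueSub, h.RogueRoot, h.Root, x509.ExtKeyUsageClientAuth)
	fmt.Println("rogue subscriber:", err)
}
```

The pinned anchor is the point of the exercise: the rogue subscriber carries a perfectly valid signature from its own root, and only fails because that root is not in the relying party's trust store. The same call also rejects the genuine certificate when asked for an extended key usage it was not issued with (for example server authentication), which is the check a PK-enabled application should make before accepting a CAC identity certificate for a purpose other than client authentication or signed mail.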

Page 8

# People Requiring Certs and # People Issued Certs

[Figure: bar chart of number required versus number issued for Army, Navy, Air Force, Marine Corps and Other; scale 0 to 1,400,000.]

Total Req’d 3,109,983
Total Issued 558,659 (14 April 02)

Page 9

Current Status

• DoD PKI Release 3 Operational - October 01
• Key Management Infrastructure Capability Increment-1 (KMI CI-1) awarded Nov 01; will provide Release 4.
• Established PKI Interoperability Testing capability
• Reviewing and approving DoD PKI Certificate Practice Statements

Page 10

Preparing for the Future

• Collected Tactical PKI User requirements
• Working with NIST & Smart Card Senior Coordinating Group to define process to add applets to FIPS 140 certified cards while maintaining FIPS 140 certification
• Updating the DoD PKI Certificate Policy (CP)
• Finalizing the DoD Key Recovery Policy
• Developed high-level approach to PK-Enabled applications

Page 11

Future PKI Activities

• DoD Policy Rewrite/Milestone Review
• SIPRNET Plan
• MS Logon Agreement - Release 3.0.1
• Code Signing - Release 3.1
• Private Web Server Certs/Client Side Authentication
• Biometrics

Page 12

Other Activities

• Directories, Directories, Directories
• DoD PKI and Allied Interoperability
• DoD PKI “versus” Federal and IC
• Vetting and piloting tactical and SIPRNET requirements

Page 13

DoD PK-Enabled Applications

• PKI provides the underlying foundation for security services, but PK-enabled applications are required in order to implement them
• We Must Depend on Industry to Maintain the Apps
• Evaluated Applications that can process our Certificates with little User Involvement

Page 14

DoD PK-Enabled Applications

• PK-Enabled Services/Applications:
  – Medium Grade Services (MGS) - secure, interoperable e-mail
  – Secure Web Services
  – DoD-specific applications (e.g. Defense Travel System, Wide Area Work Flow)

Page 15

DoD PKI and KMI Token Protection Profile

• Used Smart Card Security Users Group Smart Card Protection Profile as baseline document
• Information Assurance Technical Framework Forum Protection Profiles: http://www.iatf.net/protection_profiles/index.cfm
• Previous draft was released for public comment October 00 - Feb 01
• Tokens meeting this protection profile: required by mid-late 2003

Page 16

Token PP FIPS 140 Requirements

• FIPS 140-2 Level 2 for Subscribers *
• FIPS 140-2 Level 3 for Registration Authorities

* If the DoD Common Access Card issuing infrastructure is not capable of issuing two different levels of cards, then all CACs will be required to meet FIPS 140-2 Level 3.

Page 17

Biometrics, DMDC and CAC

• DMDC has been collecting and storing fingerprints (template & minutiae) when issuing cards.
• Biometric data is not stored on the CAC
• In the event of a forgotten PIN, a biometric (fingerprint) can be provided by the user at a RAPIDS workstation for authentication and to unlock her CAC

Page 18

Adding Biometrics to PKI & CAC

• Pilots under way now
• Discrete points where biometrics can be added:
  – CAC task order/purchase*
  – middleware upgrades*
  – DMDC/RAPIDS/DEERS upgrades*
• May impact CAC FIPS 140 certification

* Probably need all three of these before fully incorporating biometrics
