United States DoD Public Key Infrastructure: Deploying the PKI Token

R. Michael Green
Director, DoD PKI PMO
(410) 854-4900
[email protected]

Becky Harris
Deputy Director, DoD PKI PMO
(703) 882-1600
[email protected]

NIST PKI Review, 26 April 02
UNCLASSIFIED

United States DoD Public Key Infrastructure Program

The Goal: To enhance the business processes and improve the IA posture of the DoD through widespread use of PK-enabled applications.

http://iase.disa.mil (must be from .mil or .gov domain)
http://www.c3i.osd.mil/org/sio/ia/pki/index.html

DoD PKI Program Management and Policy

• 9 April 99 ASD (C3I) Memorandum: Assigned DoD PKI Program Management Office (PMO) responsibility to NSA, with DISA as Deputy PM

• 6 May 99 DEPSECDEF Memorandum: Defined DoD PKI policy objectives

• 10 Nov 99 DEPSECDEF Memorandum: Established DoD Smart Card Strategy

• 12 Aug 00 ASD (C3I) Memorandum: Rewrite of the 6 May 99 DoD PKI memo

The Challenge -- It's a hard problem

[Figure: "Event Driven Security" / "Robustness Growth". Assurance Level (y-axis) plotted against Time (x-axis) for each component of the infrastructure: Certification Authorities, Local Registration Authorities (LRAs), Tokens, Applications and Directories, with Release 3 and Release 4 marked on the time axis.]

DoD Public Key Capability Requires Coordinated Convergence

[Figure: related events that must converge: CAC Issuance & Configuration Management, PK Infrastructure, Workstation Enablement, and PK Enablement.]

PKI in Evolution

[Figure: timeline of Surety (Quality of Certificate) against Time, by release:]

– Release 3
– Release 3.0.1: Win 2000 Smart Card logon
– Release 3.1: email cert issuance via post-issuance portal
– Release 3.x: PIN unlock/reset
– Release 4.0: KMI CI-1; upgrade to DEERS/RAPIDS
– Release 4.X

DoD PKI Registration Scenarios

[Figure: registration components and their relationships: DoD Root Certification Authority; Certification Authority; Repository/Directory; Personnel Database; RAPIDS Workstation and Verifying Official (VO); Local Registration Authority (LRA); End User; End User Application.]

# People Requiring Certs and # People Issued Certs

[Figure: bar chart of Number Required (0 to 1,400,000) for Army, Navy, Air Force, Marine Corps and Other.]

Total Req'd: 3,109,983
Total Issued: 558,659 (14 April 02)

Current Status

• DoD PKI Release 3 operational - October 01

• Key Management Infrastructure Capability Increment-1 (KMI CI-1) awarded Nov 01; will provide Release 4

• Established PKI Interoperability Testing capability

• Reviewing and approving DoD PKI Certificate Practice Statements

Preparing for the Future

• Collected Tactical PKI user requirements

• Working with NIST and the Smart Card Senior Coordinating Group to define a process for adding applets to FIPS 140 certified cards while maintaining FIPS 140 certification

• Updating the DoD PKI Certificate Policy (CP)

• Finalizing the DoD Key Recovery Policy

• Developed high-level approach to PK-enabled applications

Future PKI Activities

• DoD Policy Rewrite/Milestone Review

• SIPRNET Plan

• MS Logon Agreement - Release 3.0.1

• Code Signing - Release 3.1

• Private Web Server Certs/Client Side Authentication

• Biometrics

Other Activities

• Directories, Directories, Directories

• DoD PKI and Allied Interoperability

• DoD PKI "versus" Federal and IC

• Vetting and piloting tactical and SIPRNET requirements

DoD PK-Enabled Applications

• PKI provides the underlying foundation for security services, but PK-enabled applications are required in order to implement them

• We must depend on industry to maintain the apps

• Evaluated applications that can process our certificates with little user involvement

DoD PK-Enabled Applications (continued)

• PK-Enabled Services/Applications:
– Medium Grade Services (MGS) - secure, interoperable e-mail
– Secure Web Services
– DoD-specific applications (e.g. Defense Travel System, Wide Area Work Flow)

DoD PKI and KMI Token Protection Profile

• Used the Smart Card Security Users Group Smart Card Protection Profile as the baseline document

• Information Assurance Technical Framework Forum Protection Profiles: http://www.iatf.net/protection_profiles/index.cfm

• Previous draft was released for public comment October 00 - Feb 01

• Tokens meeting this protection profile: required by mid-late 2003

Token PP FIPS 140 Requirements

• FIPS 140-2 Level 2 for Subscribers *

• FIPS 140-2 Level 3 for Registration Authorities

* If the DoD Common Access Card issuing infrastructure is not capable of issuing two different levels of cards, then all CACs will be required to meet FIPS 140-2 Level 3.

Biometrics, DMDC and CAC

• DMDC has been collecting and storing fingerprints (template and minutiae) when issuing cards.

• Biometric data is not stored on the CAC.

• In the event of a forgotten PIN, a biometric (fingerprint) can be provided by the user at a RAPIDS workstation for authentication and to unlock her CAC.

Adding Biometrics to PKI & CAC

• Pilots under way now

• Discrete points where biometrics can be added:
– CAC task order/purchase *
– middleware upgrades *
– DMDC/RAPIDS/DEERS upgrades *

* Probably need all three of these before fully incorporating biometrics

• May impact CAC FIPS 140 certification