1
Department of Defense (DOD) Class 3 Medium
Assurance Public Key Infrastructure (PKI)
Status 21 September 2000
Gilda McKinnon, DISA D25, (703) 681-9024, mckinnog@ncr.disa.mil
  • Colleen Carboni
  • DISA D25
  • (703) 681-6139
  • carbonic@ncr.disa.mil

2
Agenda
  • DoD Class 3 PKI
  • Medium Assurance Pilot, Release 1.0
  • Class 3 PKI Release 2.0
  • Class 3 PKI Release 3.0
  • Common Access Card (CAC) Beta
  • Registration
  • Training
  • Application Support
  • External Certification Authorities and Interim
    External Certification Authorities
  • Using the DoD PKI - An Example
  • Way Ahead

3
DoD Class 3 PKI Components and Statistics
  • Components shown: NSA, Certificate Authority (CA), Root Server, Directory, Registration Authority (RA), Local Registration Authority (LRA), Users
  • Sites: DECC Detachment Chambersburg, PA and DECC Detachment Denver, CO
  • CA architecture is highly centralized
  • LRAs are highly decentralized
  • Operational on NIPRNET: 41,402 identity certificates, 26,494 email certificates, 2,906 server certificates, 646 LRAs, 107 RAs
  • Operational on SIPRNET: 117 identity certificates, 51 server certificates, 3 RAs, 2 LRAs
  • 24 X 7 Help Desk: 1-800-582-4764, weblog@chamb.disa.mil
4
Medium Assurance PKI Pilot, Release 1.0
  • Operational on NIPRNET since April 1998
  • Operational on SIPRNET since September 1999
  • Certificates are valid until their expiration date
  • Interoperable with Class 3 PKI Release 2.0
  • NIPRNET user registration should transition to Class 3 PKI by 31 Dec 00
  • Exceptions will be made on a case by case basis by the PKI PMO

5
Class 3 PKI Release 2.0 Enhancements
  • Operational July 31, 2000
  • Asserts Class 3 level of assurance
  • Enhancements
  • Key Escrow/Key Recovery
  • FIPS 140-1 level 2 hardware signing of
    certificates
  • Added Policy Object Identifiers to differentiate
    between HW/SW certificates
  • FIPS 140-1 level 2 smart cards for registration
    personnel
  • Larger capacity infrastructure
  • Improved firewall protection of the enclaves
  • Training
  • RA/LRA training started in May 00 will continue
    through FY01

RAISING THE BAR
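The Release 2.0 policy OIDs are the hook a relying application should use when it must accept only hardware-token certificates: the decision comes from the certificatePolicies extension, not from the issuer name or from how the user happens to present the key (slide 10 notes that a floppy with the same keys may also be provided). The following is an added example, not code from this briefing or from the DoD PKI: it DER-decodes a certificatePolicies extension value and classifies the certificate as hardware, software, or unrecognised. The two DoD policy OID values are assumptions (the medium and medium-hardware OIDs as published in later DoD Certificate Policies; confirm against the policy in force), and the three extension values are constructed for illustration.

```python
# ASSUMPTION: illustrative policy OIDs; check the DoD Certificate Policy in force.
HARDWARE_POLICY_OIDS = {"2.16.840.1.101.2.1.11.9"}   # assumed id-US-dod-mediumHardware
SOFTWARE_POLICY_OIDS = {"2.16.840.1.101.2.1.11.5"}   # assumed id-US-dod-medium


def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06, base-128 sub-identifiers)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(body):
    """Inverse of encode_oid for the value bytes (tag and length stripped)."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value, pending = 0, False
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def der_sequence(*items):
    """Wrap already-encoded items in a DER SEQUENCE (short or long length form)."""
    body = b"".join(items)
    if len(body) < 0x80:
        return b"\x30" + bytes([len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(lb)]) + lb + body


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 1..4 length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:end], end


def parse_certificate_policies(ext_value):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation, where
    PolicyInformation ::= SEQUENCE { policyIdentifier OID, qualifiers OPTIONAL }.
    Returns the asserted policy OIDs in order; qualifiers are ignored."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("certificatePolicies is not one SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation is not a SEQUENCE")
        tag, oid_body, _ = read_tlv(info, 0)
        if tag != 0x06:
            raise ValueError("policyIdentifier is not an OID")
        oids.append(decode_oid(oid_body))
    return oids


def token_class(policy_oids):
    """'hardware' if any hardware policy is asserted, 'software' if only a
    software policy is, None if no recognised policy (callers should reject None)."""
    asserted = set(policy_oids)
    if asserted & HARDWARE_POLICY_OIDS:
        return "hardware"
    if asserted & SOFTWARE_POLICY_OIDS:
        return "software"
    return None


def classify(ext_value):
    return token_class(parse_certificate_policies(ext_value))


# Constructed sample extension values (not taken from real certificates).
HW_EXT = der_sequence(der_sequence(encode_oid("2.16.840.1.101.2.1.11.9")))
SW_EXT = der_sequence(der_sequence(encode_oid("2.16.840.1.101.2.1.11.5")))
ANY_EXT = der_sequence(der_sequence(encode_oid("2.5.29.32.0")))  # anyPolicy only

if __name__ == "__main__":
    for name, ext in (("hardware", HW_EXT), ("software", SW_EXT), ("anyPolicy", ANY_EXT)):
        print(name, ext.hex(), parse_certificate_policies(ext), classify(ext))
```

A certificate that asserts neither DoD policy (for example only anyPolicy) classifies as None and must be rejected rather than treated as software; a certificate asserting both the hardware and software OIDs is still a hardware certificate, because the hardware policy is the stronger claim.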
6
Transitioning Registration Authorities (RAs),
Local Registration Authorities (LRAs), and
Users to Class 3 PKI
  • RA and LRA workstation requirements
  • Pentium or higher, 64MB RAM
  • Windows NT 4.0 OS (Service Pack 4)
  • Netscape Communicator 4.73 or higher (US version, non-export) with Personal Security Manager (PSM) 1.1
  • FIPS 140-1 level 2 hardware token
  • Dedicated printer (non-networked)
  • NIPRNET/Internet connectivity
  • LRA application 2.1
  • Use the Windows NT lockdown procedure
  • User workstation requirement
  • Netscape Communicator 4.73 with PSM 1.1

Instructions for establishing an RA/LRA workstation are at
http://iase.disa.mil/documentlib.html#PKIDOCS
7
Class 3 PKI Release 3.0 Enhancements
  • Establishes a connection to the Defense Enrollment Eligibility Reporting System (DEERS); DEERS provides the PKI unique identification number
  • Enables Real-time Automated Personnel Identification System (RAPIDS) Verification Officers (VOs) to issue PKI certificates on the Common Access Card (CAC)
  • Schedule
  • CAC BETA 1st QTR FY01
  • System Security Assessment 1st QTR FY01
  • Release 3.0 2nd QTR FY01

8
Common Access Card (CAC) BETA: ID Certificate Issuance
(Process diagram not recoverable from the transcript; the issuing roles shown are VO and LRA.)
9
Common Access Card (CAC) BETA: Email Certificate Issuance
  • If you know your e-mail address at initial issuance of the CAC, the VO/LRA will issue both identity and email certificates on your CAC
  • If not, once you do know your email address you can either
  • return to the VO/LRA at a later date to obtain your email certificates on the CAC, or
  • go to your CINC/Service/Agency LRA for your certificates on a software token

10
PKI Integration with CAC
  • Teaming with DMDC
  • PKI registration is built into the RAPIDS terminal; the process is transparent
  • When the card is issued, the private key and certificate are placed on the card
  • A floppy containing the same keys may also be provided, since applications still mostly require this form of certificate
  • Identification information for the certificate and the directory comes from DEERS, for both RAPIDS registration and native PKI LRA registration
  • Unique user id from DEERS, needed to sync directories across DoD

11
Registration Authorities and Local Registration
Authorities
  • Registration Authorities (RAs)
  • List of RAs can be found at http://iase.disa.mil/PKI/RA/ra.html
  • Local Registration Authorities (LRAs)
  • List of LRAs can be found at http://iase.disa.mil/PKI/RA/lra.html

12
Training Information
  • Training will be provided monthly throughout FY01
  • 4 days Local Registration Authority (LRA)
    Training
  • 1 day Registration Authority (RA) Training
  • An additional 16 hours of LRA training at Defense
    Security Service Academy (DSSA) each quarter
  • Three (3) 1 week on-site training sessions are
    planned for C/S/As
  • Attendees must coordinate registration for RA/LRA
    class with their respective C/S/A PKI
    representative

http://iase.disa.mil/PKI/PKITrain.html
13
Application Support
  • Requirement Documentation
  • Department of Defense Class 3 Public Key Infrastructure Interface Specification, Version 1.2, dated August 10, 2000, draft
  • Department of Defense Class 3 Public Key Infrastructure Public Key-Enabled Application Requirements, dated July 31, 2000
  • Documents are available at http://iase.disa.mil/documentlib.html#PKIDOCS
  • Class 3 PKI Testbed
  • Mirrors the DoD Class 3 PKI operational environment
  • Resides at the DISA Joint Interoperability Test Command (JITC)
  • Additional information at http://jitc.fhu.disa.mil
  • Working with the Defense Information Assurance Program on a process for PK-enabling applications

14
Application Support: Some Examples

Application                                  PKI Use         Status                             Users        Planned Initial Capability
Army Chief of Staff                          AC              Issuing Certs                      5K           Oct 98
DISA                                         AC              Reg. Complete                      8K           Nov 98
Electronic Document Access (EDA)             AC, IA          C/S/As Issuing Certs               6K           Dec 98
Wide Area Workflow Prototype DD Form 250     AC, IA, DS      C/S/As Issuing Certs               6K           Feb 99
Navy                                         AC, DS          Issuing Certs                      100K         Feb 99
Defense Security Service                     AC, DS          Reg. Complete                      300 to 2.5K  May 99
Defense Travel System                        AC, IA, DS      C/S/As working process             400K         2Q FY00
Defense Message System Medium Grade Service  DS, Encryption  C/S/As Issuing Certs next 6 mos.   5K           Sep 99

Legend: AC = Access Control, DS = Digital Signature, IA = Identification and Authentication
15
External Certificate Authority (ECA) / Interim External Certificate Authority (IECA)
  • An ECA is an entity authorized to issue
    certificates interoperable with the DoD PKI to
    non-DoD personnel
  • What is an IECA?
  • Entity authorized to issue certificates
    interoperable with the DoD PKI to non-DoD
    personnel, for a period of one year
  • Why an Interim ECA?
  • Need to work out best practices, understand
    technical and process issues, understand and
    resolve legal concerns before finalizing ECA
    approach and processes.
  • IECA Help Desk and Website
  • E-mail pkieca@ncr.disa.mil
  • Phone (703) 681-6139
  • http://www.disa.mil/infosec/pkieca

16
IECA Web Site
http://www.disa.mil/infosec/pkieca
17
DOD PKI Trust Model in IECA Environment
Diagram: the DOD PKI hierarchy with the Medium Root CA at Level 1, Medium CA-1 ... CA-n at Level 2 and a Level 3 below them; IECA 1 ... IECA m stand beside that hierarchy under their own commercial roots, not under the DOD root.
  • Certificates signed by Commercial Root
  • DOD applications will need to trust multiple
    roots
  • Minimizes liability risks for DOD
  • Separate Certification Authority for DOD
  • Certificates have predetermined expiration

18
DOD PKI Trust Model in ECA Environment (DRAFT)
Diagram: the same DOD PKI hierarchy (Medium Root CA at Level 1, Medium CA-1 ... CA-n at Level 2, Level 3 below), with ECA 1 ... ECA m shown at Level 2 under the DOD root alongside the Medium CAs.
  • Certificates signed by Commercial CA
  • ECA may be certified by DOD root
  • Applications will not have to handle multiple
    roots
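The difference between the two trust models on these slides is concrete for anyone writing a relying application: with IECAs, a vendor certificate chains to a commercial root, so a DoD application rejects it unless that root is added to its trust store; with a DoD-certified ECA, the vendor certificate chains to the DoD root and the existing trust store already accepts it. The following is an added example, not code from this briefing or from any DoD product: a name-chaining path builder run against constructed certificate records with hypothetical CA names. It deliberately checks only issuer/subject chaining and trust-anchor membership; real path validation also verifies signatures, validity periods, key usage and (per slide 5) policy OIDs.

```python
from collections import namedtuple

# ASSUMPTION: a certificate is reduced to (subject, issuer, is_ca).  Real path
# validation also verifies signatures, validity, key usage and policies; this
# example shows only which trust anchor, if any, a chain can terminate at.
Cert = namedtuple("Cert", "subject issuer is_ca")


def build_path(leaf, intermediates, trust_anchors, max_depth=8):
    """Chain `leaf` by issuer name through `intermediates` (subject -> Cert)
    until an issuer is found in `trust_anchors` (subject -> Cert).
    Returns [leaf, ..., anchor], or None if no anchor is reachable."""
    path, seen, current = [leaf], {leaf.subject}, leaf
    while len(path) <= max_depth:
        if current.issuer in trust_anchors:
            return path + [trust_anchors[current.issuer]]
        issuer = intermediates.get(current.issuer)
        # Stop on a missing issuer, a non-CA issuer, or a loop (for example a
        # self-signed commercial root that is not in the trust store).
        if issuer is None or not issuer.is_ca or issuer.subject in seen:
            return None
        path.append(issuer)
        seen.add(issuer.subject)
        current = issuer
    return None


def trust_store(*anchors):
    return {a.subject: a for a in anchors}


# Constructed certificates with hypothetical names (not real DoD or vendor CAs).
DOD_ROOT = Cert("DoD Class 3 Root CA", "DoD Class 3 Root CA", True)
DOD_CA1 = Cert("DoD Class 3 CA-1", "DoD Class 3 Root CA", True)
DOD_USER = Cert("DoD User", "DoD Class 3 CA-1", False)

# IECA environment: the IECA chains to its own commercial root.
IECA1_ROOT = Cert("IECA 1 Commercial Root", "IECA 1 Commercial Root", True)
IECA1_CA = Cert("IECA 1 Medium CA", "IECA 1 Commercial Root", True)
VENDOR_IECA = Cert("Vendor Contact", "IECA 1 Medium CA", False)

# ECA environment (draft model): the ECA CA is certified by the DoD root.
ECA1_CA = Cert("ECA 1 Medium CA", "DoD Class 3 Root CA", True)
VENDOR_ECA = Cert("Vendor Contact", "ECA 1 Medium CA", False)

INTERMEDIATES = {c.subject: c for c in (DOD_CA1, IECA1_CA, IECA1_ROOT, ECA1_CA)}


def scenario_results():
    """True where a DoD application with the given trust store accepts the cert."""
    dod_only = trust_store(DOD_ROOT)
    dod_plus_ieca = trust_store(DOD_ROOT, IECA1_ROOT)
    return {
        "dod_user, DoD root only": build_path(DOD_USER, INTERMEDIATES, dod_only) is not None,
        "ieca_vendor, DoD root only": build_path(VENDOR_IECA, INTERMEDIATES, dod_only) is not None,
        "ieca_vendor, DoD root + IECA root": build_path(VENDOR_IECA, INTERMEDIATES, dod_plus_ieca) is not None,
        "eca_vendor, DoD root only": build_path(VENDOR_ECA, INTERMEDIATES, dod_only) is not None,
    }


if __name__ == "__main__":
    for case, accepted in scenario_results().items():
        print(f"{case}: {'accepted' if accepted else 'no path to a trust anchor'}")
```

The IECA vendor certificate is only accepted once the IECA's commercial root is added as a second trust anchor, which is the operational cost the IECA slide calls out; the ECA vendor certificate is accepted with the DoD root alone, which is the simplification the draft ECA model promises. Note that `INTERMEDIATES` contains the IECA root as a candidate issuer, and the loop detection is what stops the builder from treating a self-signed root it does not trust as an anchor.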

19
IECA Vendors
  • Operational Research Consultants (ORC) - Daniel Turissini, (703) 535-5301, turissd@orc.com
  • Digital Signature Trust (DST) - Keren Cummins, (301) 379-2493, kcummins@digsigtrust.com
  • VeriSign - James Brandt, (410) 691-2100, jbrandt@verisign.com
  • General Dynamics - Sandra Wheeler, (781) 455-5958, sandra.wheeler@gd-cs.com

20
IECA Status Update
  • IECA Pilot has been extended for one more year
    (until September 2001)
  • All four IECAs are currently signing new MOAs
  • DoD contributed to four programs/organizations
    for the purchase of IECA certificates
  • Medium Grade Services (MGS)
  • Joint Electronic Commerce Program Office (JECPO)
  • Defense Technical Information Center (DTIC)
  • Military Traffic Management Command (MTMC)
  • As demand/activity increases, certificate cost is expected to decrease substantially

21
Using the DoD PKI - An Example

22
The I Assure Advantage
http://www.disa.mil/D4/diioss/iachar.html
  • Key Points
  • Contract supports up to TS/SCI security requirements
  • 7 year multi-award contract
  • All tasks MUST BE competed, no follow-on work from previous contracts
  • Solutions-based: contractors can tailor services and products for each task order proposal
  • Complements the Enterprise Software Initiative (ESI): I Assure vendors can provide integration services for ESI products
  • Task Areas
  • Policy, planning, process, program and project management support
  • Standards, architecture, engineering and integration support
  • Solution fielding / implementation and operations
  • Education, training, and awareness; certification and accreditation; and IA support

23
DISA I ASSURE - Employed the DoD PKI in the
Paperless Pre-Award of Contract Process
Diagram (network layout and numbered steps not recoverable from the transcript): DITCO, DOD CA, DISN, evaluators (some on TDY via a 1-800 dial-in), vendors on the Internet, encrypted text exchanged through a firewall (FW) and IDS. (Used IECA certificates.)
24
The Way Ahead
  • Provide support to Common Access Card (CAC) Beta
    and Release 3.0
  • Expand use of SIPRNET PKI
  • Continue development of application enabling
    guidance and enabling templates
  • Continue incremental releases of DOD PKI to
    improve product, service, and availability
  • Envision seamless transition to Target PKI

Continue Satisfying The Warfighter Requirements!
25
DOD PKI Working Groups
  • DOD PKI Certificate Policy Management Working Group
  • co-chair - NSA - Mr. Gary Dahlquist - gndahlq@missi.ncsc.mil
  • co-chair - DOD GC - Ms. Shauna Russell - russels@osdgc.osd.mil
  • DOD PKI Business Working Group (BWG)
  • co-chair - NSA - Ms. Debra Grempler - DAGremp@missi.ncsc.mil
  • co-chair - DISA - Ms. Gilda McKinnon - McKinnog@ncr.disa.mil
  • DOD PKI Technical Working Group (TWG)
  • co-chair - DISA - Mr. Adam Britt - britta@ncr.disa.mil
  • co-chair - NSA - Mr. Dave Fillingham - dwfilli@missi.ncsc.mil

26
PKI Website Information
  • http://iase.disa.mil - Information Assurance Support Environment, available to .mil and .gov
  • http://www.disa.mil/infosec/pkieca - External Certification Authorities
  • http://www.disa.mil/infosec/pki-int.html - DOD PKI Medium Assurance Interoperability; DOD PKI Medium Assurance X.509 v3 certificate standard profiles (formats and examples)