(Demonstration of the DoD's use of its public key infrastructure (PKI). Other participants included Col. Jay DeFrank, director, DoD Press Operations, R. Michael Green, director, PKI Program Office, Jim Degenford, DoD PKI advocate, Mike Byrne, STS International and Army Spc. Trenton Dugan.)
DeFrank: Morning. I'm Colonel Jay DeFrank. I'm the director of Press Operations here at DOD.
This morning we've got a ceremony to commemorate the 1 millionth DoD public key infrastructure certificate. It will be hosted by the Honorable John Stenbit, the assistant secretary of Defense for Command, Control, Communication and Intelligence. And also present is Mr. Robert Lentz, the DoD director of Information Assurance; Mr. R. Michael Green, from the NSA, the NSA director, DoD PKI; and Ms. Rebecca Harris, deputy director, DoD PKI.
This will be a sole-subject event, so if you have questions beyond the scope of the public key infrastructure, please either see me or Col. Ken McClellan after, and we'll get you an answer.
So with that, Mr. Stenbit.
Stenbit: Morning.
Q: Good morning.
Stenbit: Good of you to join us this morning. It's actually a notable occasion. I think this means that we're 1.34th [correction: one-third] of our way forward. The actual activity of identifying all of the members of the DoD family, both military, civilian and associated contractors, with the PKI and the certificate, is a really important move forward in our basic goals to move forward to a network-centric kind of world.
Just for a brief review, the point of all of this is to allow people to have broader access to information freely over a network that posts that information.
Now clearly, if we don't have a very strong sense of authentication of who it is that's actually accessing that, that information, we're going to sort of block it all in little stovepipes. And that's what we're trying to break down. So a absolutely key implementer to allow us to get to this more horizontal information-sharing world is an ability to know with whom we're sharing and to be able to dynamically adjust our principles of access to information as the situation requires.
So today one could characterize the system as about every five years, somebody goes out and checks whether your security clearance is appropriate, and then after that happens, you know, you get on the computers and sometimes they know who you are and sometimes they don't know who you are. It's a rather bureaucratic process.
What we're after now is firm identification of everybody, so we can understand who got on the network, what they did, what information they accessed, and then the ability to change their level of access as we move on electronically -- absolutely crucial or we cannot go to a network-centric world. That's my big vision -- is to go to a network-centric world. Those of you who have heard me talk about it know that that's my big vision. And so this is a very crucial activity, from my point of view.
Happy to be here to celebrate this 100th - 1 millionth -- excuse me -- if we were only at a hundred, we'd be in trouble - 1 millionth distribution of the certificate and the card. So with that, thank you very much.
Green: Thank you, Mr. Stenbit.
I am Michael Green. I am the director of the PKI PMO. And since the inception of this PKI program in 1999, early in '99, and since our merger with the Common Access Card program in late '99, the DoD has made great success in fielding this public key infrastructure.
Today, as you know, we're here to celebrate the issuance of certificates to the millionth DoD employee who has received his certificate. And we'll introduce him in just a minute. But I wanted to just give you a little set of statistics to show you the progress that we have made. The millionth person to receive certificates includes the issuance of about 875,000 of these Common Access Cards, which are the new military ID cards, and which have public key certificates on them, and another 125,000 software certificates, that is not on cards, for other people who cannot be issued cards so that they can use.
The program has seen about 2,500 registration personnel trained to operate systems to register personnel into them, both for use on the NIPRNet and the SIPRNET. We have over 1,000 registration workstations out there in the field at somewhere on the order of 500 sites to date. And this is about one-third of the way through our installation activities, as Mr. Stenbit mentioned.
We've also put server certificates out there on 10,000 web servers that were identified as private web servers for DoD. So we've secured that number of web servers over this time. We've purchased 750,000 card readers and middle-ware packages so that we can enable local workstations to get them ready for people to use these cards. Last year we also gained oversight over the enabling of applications to use these public key certificates. And we have a number of those applications that have enabled [PKI] already and are out there being used in the field, some of which are commercial packages. Microsoft Outlook, for example, is something that you can use right out of the box, and we can enable that with our DoD certificate. So easy to use, and we've been moving along quite nicely there.
We're working to provide interoperability with the federal sector and the commercial sectors, and we believe our activities there will extend to our allied and coalition partnerships, also. So we're taking that very seriously. These efforts are enabling us, I believe, to make great progress towards the e-business- and e-government-centric kinds of activities that were set forth for us under things like the Government Paperwork Elimination Act.
And finally, I'd just like to mention to you that I believe this is probably the best example of a partnership that I have seen in any of the DoD programs that I've worked in. Army, Navy, Air Force, Marine Corps -- we deal with 25 other DoD agencies. NSA, DISA have just worked beautifully together to make this activity come move forward.
I'd like to give kind of a special mention to the Army. General Cuviello, who is in charge of the information assurance program for the Army, has been a real leader in putting in place the Army knowledge online to make use of this technology. And he has taken the first step on making sure that all his general officers and senior executives are enabled use this technology. He's also, of course, leading the biometrics activity, which we hope will eventually be incorporated into this, and we'll be able to make use of biometrics.
We also have a wonderful partnership with the access-card program and the Defense Manpower Data Center. Mr. Scheflen here is here today. He's the director of the Defense Manpower Data Center, and we've worked very closely with him to integrate our PKI activities with the DEERS database and the RAPIDS workstations that we need to register some of these people.
So when we talk about transforming technologies in order to provide these networks with security and trust in order to meet Mr. Stenbit's goal of providing power to the edge of our DoD infrastructure, we believe that the public key infrastructure is positioned to play a large role in meeting that goal.
We're going to stop right now and take questions, if you all have any; and then we have a demo. We'll introduce our one-millionth recipient, and he's going to do a little demo for us that you'll be able to see how we use this technology. So we'd ask if you have any questions you'd like bring forward.
Yes, ma'am?
Q: Is PKI mandatory for everyone in DoD, or do the Services maybe use other existing technologies that they choose to use, instead of PKI?
Green: It is mandatory in the sense that if you decide to use public key infrastructure, you will use this one. It is THE PKI for Department of Defense. When the deputy secretary of Defense issued the original policy memorandum in May of '99, that's exactly what was put forward, that the DoD will use this technology. And if you decide you need it to provide your security services, we'll have one PKI system throughout the Department of Defense. And I say it that way because there are still situations where, when you're doing security work, you might decide to do it another way. I don't want to get into the technical differences, but there are other options available when we talk about bringing security to the communications.
Q: So the vendors have to get the direction from DoD on how to implement this?
Green: Yes. When we look at the applications that we will enable and use -- actually Mr. Stenbit has another policy that he owns called NSTISP which is a committee -- we won't tell you what that acronym stands for, but products that we purchase, including PKI applications, will be certified in accordance with the international common criteria and the NIAP program, the National Information Assurance Partnership, that NIST and NSA has. So, we're trying to only procure products that have been certified through that process.
Sir?
Q: Why did it take three years to get to this point?
Green: Anytime you build a large system like this, it takes time. But there were a few things that happened along the way that slowed us down. And I would say the primary thing was our merger with the common access card program. The original program that we had put together saw us doing software certificates only. And probably in '02 to '03, we would have talked about making the step to hardware tokens, smart cards.
What happened in late '99 was there was a separate activity that was looking at using smart cards throughout the Department of Defense. And we decided it would be wise to pull these two things together. We had funding, for example, in our program to buy tokens, and we could use that funding to support the smart card program, the access card program. So, when we merged, it caused a slight technical glitch. We had to figure out how we could incorporate our registration process into the DEERS rapid system that Mr. Scheflen already owned and operated.
Green. But it allowed us the affordability so that I no longer have to worry about it. It's my machine that has the software token; I can go anywhere.
Green: That's right.
It's a big advantage to have these two together.
Green: And it brought more security to the program. Turns out that the Defense Manpower Data Center has a big database where they have virtually all DoD employees enrolled in there, and we can take advantage of that so we have another security check to know who it was we were registering into the system. So it provided more trust.
You had a question?
Q: Yeah. Right now this seems to be primarily function oriented. Is there going to be something similar for everyone, all military, to take the place of the current ID cards
Green: No decision has been made on that yet. We've always anticipated that once we work our way through the active military contractor civilians and active reserve, that we could easily extend this to other people in the DoD -- retirees, dependents and so forth. So we could easily do that when the time comes. We're working on the active employees first.
Did that answer your question?
Q: Yeah.
Green: I think what we'd like to do now is introduce Army Specialist Trenton Dugan, who is the one-millionth person that we have registered into the PKI system. We actually -- (applause). Congratulations. Specialist Dugan works here at the Pentagon. We did actually have his card issued to him a couple of days ago -- this is not something you do on the spot -- and test it out and so forth. So we wanted to make sure that everything was proper, and that has been done. So he's going to now demonstrate a couple of the ways that the DoD is using this card today.
So I'm going to turn it over to Jim Degenford, and he's going to take it from here.
Degenford: Thank you, Mike.
As Mike mentioned, my name is Jim Degenford. I'm with the PKI office. I'd like to welcome the ladies and gentlemen of the press this morning to our little demonstration.
And I wanted to just mention that Trenton Dugan is with the 3rd U.S. Infantry, traditionally known as the Old Guard. It's the oldest active-duty infantry unit in the Army, serving our nation since 1784.
All right, Trenton, if you want to go ahead and insert your card into the laptop. (Pause.) All right. This is a demonstration, so -- (laughter). (Pause.)
Okay. This is the standard log-on screen that DoD users will see before they log onto the network. The specialist will now enter his pin into the computer to unlock the common access card that contains his PKI certificate. And he's logging into the laptop now. Okay. And he has brought up his desktop that is on the ASDPA LAN.
Trenton, if you would, open up your Microsoft Outlook mail tool. And we have prepared an e-mail for Trenton to send to our DOD press officer. Okay. And this e-mail will be signed using the millionth PKI certificate set. He goes up to the red certificate that signifies digital signature and clicks that to digitally sign the e-mail. And then, Trenton, if you would, click on the blue padlock -- that provides the encryption functioning and the application -- and go ahead and click "send." Okay.
He will then be prompted for his PIN again, to authenticate to the card. Okay. And there's his PIN again.
Okay. And the e-mail has been signed and encrypted. If you would, just open that e-mail, Trenton, and show that the blue encryption icon -- go ahead, double-click on the e-mail, open it up. Okay. There's the blue padlock that signifies that the message has been encrypted, that provides privacy to the e-mail, and the red ribbon signifies that the e-mail has been digitally signed.
Thank you, Trenton. If you would, go ahead and close that e-mail.
And the next demonstration we're going to show you is secure two- way authentication to a Web server. He's going to open his Microsoft Internet Explorer. And we have the IA -- Information Assurance -- support environment Web page up there. And he is going to use his PKI certificate to authenticate himself to the Web site. Go ahead, Trenton, and click on that link. Brings up his certificate set. Click "okay." And what's -- now there's a cryptographic process that's going on there under SSL to -- which provides the -- authenticate yourself to the card again, if you would. Enter your PIN. Okay. And the padlock signifies that this is a secure link under SSL. And what you have witnessed is security two-way authentication. Trenton not only knows the Web sites that he's going to, but he is also authenticating himself, so we know who's coming into our Web sites.
Okay. Thank you very much, Trenton. (Applause.)
And I did want to mention that we also have a demonstration of the PKI technology with biometrics. If you're interested, we would like to invite you to come up afterwards and we can do that for you off-line.
Thank you very much.
Green: Thank you for being here, and that concludes our session this morning.
Stenbit: And you can see how important this is, if we start to have people that are unknown to other people getting involved in collaborative kind of planning or other military operations, how important it is to be able to really strongly authenticate people. This is really crucial to this vision, and I'm very pleased that we're able to make this progress.
Q: How often do they have to change the numbers, the -- I mean the PIN numbers?
Green: The PINs?
Q: Yeah.
Green: I don't think there is a date on the PIN.
Stenbit: I think it's basically when the card wears out.
Green: We replace your certificate at least every three years, so you would have the opportunity to change your PIN then. We also have ways you can update your PIN or replace your PIN if it has been forgotten. So all of that's part of that process.
Stenbit: That's an extremely important part for people of my age who don't remember well! (Laughter.)
Green: Okay, well, if you want to come forward, we'll be glad to answer any other questions and we'll be glad to show you our biometric demo, too. So thank you all very much.
Green: Thank you very much.
THIS TRANSCRIPT WAS PREPARED BY THE FEDERAL NEWS SERVICE INC., WASHINGTON, D.C. FEDERAL NEWS SERVICE IS A PRIVATE COMPANY. FOR OTHER DEFENSE RELATED TRANSCRIPTS NOT AVAILABLE THROUGH THIS SITE, CONTACT FEDERAL NEWS SERVICE AT (202) 347-1400.
