DON Current and Future PKI and PKE Activities
By James Mauck - Published, May 18, 2010
The Secretary of Defense has embraced public key cryptography as a critical component of defense-in-depth and contributor to the overall Department of Defense information assurance (IA) strategy for protecting its information and networks. DoD Instruction 8520.2, "Public Key Infrastructure (PKI) and Public Key Enabling (PKE)" establishes the requirements for PK-enabling all email, private web servers and networks.
This article outlines some of the Department of the Navy's current and future activities related to implementation of DoD and DON PKI policies — specifically in the areas of public key enablement of DON networks and personal electronic devices (PEDs); DON private web servers and applications; and future PK-enablement of Secret Internet Protocol Router Network workstations using SIPRNET hardware tokens.
Public Key Enablement of DON Networks and Email
Today, approximately 85 percent of all DON enterprise network users authenticate their identity to their workstations using their Common Access Card (CAC) and its embedded PKI certificates through a process called cryptographic logon or CLO. CLO provides two-factor strong authentication and provides a higher level of assurance than traditional passwords. Multiple network defense exercises have shown that passwords are a weak link because they are easy to share, not hard to gather through social engineering efforts, and are easy to break using advanced password cracking tools. CLO mitigates many of the risks associated with passwords because to masquerade as a user, a potential attacker must physically have control of a user's CAC and know his or her personal identification number (PIN).
The Department is fielding solutions that will help reduce the number of "CLO exception" user categories like afloat users, system administrators, and Navy and Marine Corps reservists. Deployment of Real-Time Automated Personnel Identification System (RAPIDS) infrastructure to the shipboard environment will enable issuance, maintenance and replacement of damaged CACs for personnel while underway. Issuance of the "alternate token," which is a non-CAC smart card, is enabling cryptographic logon for higher privileged secondary accounts used for system administration. Also, previous technical limitations are being eliminated, which will enable all Navy and Marine Corps reservists to authenticate their identity via CLO to their reservist accounts using their reservist Common Access Card.
Use of digital signature and encryption capabilities are critical to the DON's efforts to protect sensitive information while in transit over email. Digital signature capability reduces our adversaries' ability to gather information through the use of targeted malicious email messages known as "spear phishing." By validating the digital signature associated with an email message, DON users can read and review the message and any attachments with a higher level of confidence, knowing that the email was sent by the author as indicated and that the message contents were not altered during transmission.
Through a series of PED policy messages beginning in August 2007, the DON CIO directed the migration to PED models that are PKI-compatible, like the BlackBerry. The combination of modernized PED handheld units, along with installation of smart card readers that communicate wirelessly with PEDs via an encrypted Bluetooth link, provide mobile workers with the capability to send signed and/or encrypted email while on the go. This extends email signature and encryption capabilities from the desktop environment to the edges of our enterprise networks, enabling the protection of sensitive information on mobile devices and helps prevent spear phishing attempts directed at mobile workers.
Public Key Enablement of DON Private Web Servers and Applications
In 2009, the DON CIO provided updated PKI and PK-enablement guidance via two Naval messages. The September message defined at a high level, the Department's PK-enablement waiver request process. The December message contained guidance on how to properly PK-enable DON private web servers, portals and applications. The DON Deputy CIOs (Navy and Marine Corps) will be providing service-specific guidance on PK-enabling and PKE waiver request processes.
A DoD private web server is defined as any DoD-owned, operated or controlled web server that provides access to sensitive information that has not been reviewed and approved for public release. Properly PK-enabling private web servers, portals and applications requires that user authentication be accomplished using properly validated PKI certificates instead of usernames and passwords.
In addition to certificates issued by the DoD or a DoD External Certificate Authority, recent DoD policy changes have expanded the categories of acceptable PKI certificates to include certificates issued by any DoD-approved external public key infrastructure operated by a non-DoD organization. Non-DoD organizations include U.S. federal agencies that issue Federal Information Processing Standards Publication (FIPS PUB 201-1) compliant personal identity verification (PIV) cards under direction of Homeland Security Presidential Directive 12 (HSPD 12), in addition to other DoD-approved state/local/tribal government organizations, and external DoD business partners approved by DoD.
PKI provides a mechanism for strongly authenticating identities on which authorization decisions may be made. Improper use of PKI as an access control mechanism may inadvertently allow unintended users to gain access to systems and information for which they are not authorized. In many cases web server, portal and application owners need to implement and configure access controls, as necessary, to enforce need-to-know requirements.
Examples of access control mechanisms include access control lists, mapping of users' PKI certificates to their individual account, and dynamic authorization decisions based on user attributes.
SIPRNET PKI
In early fiscal year 2011, SIPRNET users will begin seeing familiar Non-classified Internet Protocol Router Network (NIPRNET) PKI capabilities employed on the SIPRNET to enhance security. These enhancements will include issuance of SIPRNET smart cards, implementation of a SIPRNET CLO, PK-enablement of SIPRNET web servers, and signature and encryption of SIPRNET email. Although there is currently a DoD SIPRNET PKI deployed and in operation, its use is limited and most commonly associated with authentication to web servers and applications via SIPRNET software certificates or enforcement of communities of interest.
The foundation for the future SIPRNET PKI is already being laid, and key initiatives of the DoD-wide program are being led by recognized subject matter experts from within the DON and its services. The DoD is in the process of replicating the DoD authoritative identity repository, called Defense Enrollment Eligibility Reporting System (DEERS), from the NIPRNET to the SIPRNET. To ensure PKI interoperability across federal Secret level networks, the Committee on National Security Systems (CNSS) is standing up a PKI root under which all federal Secret level PKIs, including DoD's, will be subordinated. DoD's SIPRNET root and issuance certification authorities will then be deployed, enabling issuance of SIPRNET PKI certificates to web servers, portals, applications, and the SIPRNET smart card that will be used for logon.
In spring 2010, representatives across the Department will be participating in a DoD pilot that will validate SIPRNET smart card issuance processes and test SIPRNET cryptographic logon capabilities. After successfully completing the pilot under the current SIPRNET Public Key Infrastructure, SIPRNET token roll out will begin in increasingly larger phases under the newly deployed CNSS-subordinated DoD PKI.
PKI technology is key to the DON's defense-in-depth strategy and protection of DON sensitive information. It provides the foundation for robust authentication to enable accurate access control decisions made within DON networks, private web servers and applications. Increased acceptance of PKI credentials issued by federal and non-DoD external business partners is enabling secure information sharing within the DON and DoD. Deployment of the DoD SIPRNET PKI, implementation of SIPRNET CLO, and PK-enablement of SIPRNET websites and applications will transform how we control access and share sensitive information in the classified environment in the future.
James Mauck is a contractor supporting the DON CIO Cybersecurity and Critical Infrastructure Team. He is the subject matter expert on PKI and PKE.