Presentation is loading. Please wait.

Presentation is loading. Please wait.

United States DoD Public Key Infrastructure: Deploying the PKI Token

Similar presentations

Presentation on theme: "United States DoD Public Key Infrastructure: Deploying the PKI Token"— Presentation transcript:

1 United States DoD Public Key Infrastructure: Deploying the PKI Token
UNCLASSIFIED United States DoD Public Key Infrastructure: Deploying the PKI Token R. Michael Green Director, DoD PKI PMO (410) Becky Harris Deputy Director, DoD PKI PMO (703) NIST PKI Review April 02 UNCLASSIFIED 1 1

2 United States DoD Public Key Infrastructure Program
UNCLASSIFIED United States DoD Public Key Infrastructure Program The Goal: To enhance the business processes and improve the IA posture of the DoD through widespread use of PK-enabled applications. (must be from .mil or .gov domain) UNCLASSIFIED 4/24/

3 DoD PKI Program Management and Policy
UNCLASSIFIED DoD PKI Program Management and Policy 9 April 99 ASD (C3I) Memorandum Assigned DoD PKI Program Management Office (PMO) Responsibility to NSA with DISA Deputy PM 6 May 99 DEPSECDEF Memorandum Defined DoD PKI Policy Objectives 10 Nov 99 DEPSECDEF Memorandum Established DoD Smart Card Strategy 12 Aug 00 ASD (C3I) Memorandum (Rewrite of 6 May DoD PKI Memo) UNCLASSIFIED 4/24/

4 The Challenge - It’s a hard problem Event Driven Security Robustness Growth
Applications Assurance Level Assurance Level Tokens LRAs* Assurance Level Assurance Level Directories Certification Authorities Assurance Level Release 3 Release 4 Time * Local Registration Authorities UNCLASSIFIED 4/24/

5 DoD Public Key Capability Requires Coordinated Convergence
Configuration Management CAC Issuance & PK Infrastructure Workstation Enablement PK Enablement Related Events UNCLASSIFIED 4/24/

6 email cert issuance via post issuance portal
PKI in Evolution Surety (Quality of Certificate) Release 4 Release 4.0 Release 3.x Release 3.1 Release 3 Release Win 2000 Smart Card logon 3.0.1 cert issuance via post issuance portal 3.1 3.x PIN unlock/reset 4.0 KMI CI-1 Upgrade to 4.X DEERS/RAPIDS Time UNCLASSIFIED 4/24/

7 DoD PKI Registration Scenarios
DoD Root Certification Authority Certification Authority Repository/Directory Personnel Database End User End User RAPIDS Workstation and Verifying Official (VO) Local Registration Authority (LRA) End User Application End User Application UNCLASSIFIED 4/24/

8 # People Requiring Certs and # People Issued Certs
Total Req’d 3,109,983 Total Issued ,659 (14 April 02) UNCLASSIFIED 4/24/

9 Current Status DoD PKI Release 3 Operational - October 01
Key Management Infrastructure Capability Increment-1 (KMI CI-1) awarded Nov 01; will provide Release 4. Established PKI Interoperability Testing capability Reviewing and approving DoD PKI Certificate Practice Statements UNCLASSIFIED 4/24/

10 Preparing for the Future
Collected Tactical PKI User requirements Working with NIST & Smart Card Senior Coordinating Group to define process to add applets to FIPS 140 certified cards while maintaining FIPS 140 certification Updating the DoD PKI Certificate Policy (CP) Finalizing the DoD Key Recovery Policy Developed high-level approach to PK-Enabled applications UNCLASSIFIED 4/24/

11 Future PKI Activities DoD Policy Rewrite/Milestone Review SIPRNET Plan
MS Logon Agreement - Release 3.0.1 Code Signing - Release 3.1 Private Web Server Certs/Client Side Authentication Biometrics UNCLASSIFIED 4/24/

12 Other Activities Directories, Directories, Directories
DoD PKI and Allied Interoperability DoD PKI “versus” Federal and IC Vetting and piloting tactical and SIPRNET requirements UNCLASSIFIED 4/24/

13 DoD PK-Enabled Applications
PKI provides the underlying foundation for security services, but PK-enabled applications are required in order to implement them We Must Depend on Industry to Maintain the Apps Evaluated Applications that can process our Certificates with little User Involvement UNCLASSIFIED 4/24/

14 DoD PK-Enabled Applications
PK-Enabled Services/Applications: Medium Grade Services (MGS) - secure, interoperable Secure Web Services DoD-specific applications (e.g. Defense Travel System, Wide Area Work Flow) UNCLASSIFIED 4/24/

15 DoD PKI and KMI Token Protection Profile
Used Smart Card Security Users Group Smart Card Protection Profile as baseline document Information Assurance Technical Framework Forum Protection Profiles: Previous draft was released for public comment October 00 - Feb 01 Tokens meeting this protection profile: required by mid-late 2003 UNCLASSIFIED 4/24/

16 Token PP FIPS 140 Requirements
FIPS Level 2 for Subscribers * FIPS Level 3 for Registration Authorities * If the DoD Common Access Card issuing infrastructure is not capable of issuing two different levels of cards, then all CACs will be required to meet FIPS Level 3. UNCLASSIFIED 4/24/

17 Biometrics, DMDC and CAC
DMDC has been collecting and storing fingerprints (template & minutia) when issuing cards. Biometric data is not stored on the CAC In the event of a forgotten PIN, biometric (fingerprint) can be provided by user at a RAPIDS workstation for authentication and to unlock her CAC UNCLASSIFIED 4/24/

18 Adding Biometrics to PKI & CAC
Pilots under way now Discrete points where biometrics can be added: CAC task order/purchase* middleware upgrades* DMDC/RAPIDS/DEERS upgrades* * Probably need all three of these before fully incorporating biomentrics May impact CAC FIPS 140 certification UNCLASSIFIED 4/24/


Download ppt "United States DoD Public Key Infrastructure: Deploying the PKI Token"

Similar presentations

Ads by Google