Presentation is loading. Please wait.

Presentation is loading. Please wait.

United States DoD Public Key Infrastructure : Deploying the PKI Token R. Michael Green Director, DoD PKI PMO (410) 854-4900 Becky.

Similar presentations


Presentation on theme: "United States DoD Public Key Infrastructure : Deploying the PKI Token R. Michael Green Director, DoD PKI PMO (410) 854-4900 Becky."— Presentation transcript:

1 United States DoD Public Key Infrastructure : Deploying the PKI Token R. Michael Green Director, DoD PKI PMO (410) 854-4900 rmgree2@missi.ncsc.mil Becky Harris Deputy Director, DoD PKI PMO (703) 882-1600 Harris1B@ncr.disa.mil NIST PKI Review 26 April 02 UNCLASSIFIED

2 The Goal: To enhance the business processes and improve the IA posture of the DoD through widespread use of PK-enabled applications. United States DoD Public Key Infrastructure Program UNCLASSIFIED http://iase.disa.mil (must be from.mil or.gov domain) http://www.c3i.osd.mil/org/sio/ia/pki/index.html 4/24/02 2 UNCLASSIFIED

3 DoD PKI DoD PKI Program Management and Policy 9 April 99ASD (C3I) Memorandum Assigned DoD PKI Program Management Office (PMO) Responsibility to NSA with DISA Deputy PM 6 May 99 DEPSECDEF Memorandum Defined DoD PKI Policy Objectives 10 Nov 99DEPSECDEF Memorandum Established DoD Smart Card Strategy 12 Aug 00ASD (C3I) Memorandum (Rewrite of 6 May DoD PKI Memo) 4/24/02 3 UNCLASSIFIED

4 The Challenge - It’s a hard problem Event Driven Security Robustness Growth Certification Authorities LRAs* Tokens Applications Directories Time Assurance Level Release 3 Release 4 Assurance Level Assurance Level Assurance Level Assurance Level * Local Registration Authorities 4/24/02 4 UNCLASSIFIED

5 DoD Public Key Capability Requires Coordinated Convergence 4/24/02 5 UNCLASSIFIED CAC Issuance & Configuration Management PK Infrastructure Workstation Enablement PK Enablement Related Events

6 PKI in Evolution 3.x PIN unlock/reset Time Surety ( Quality of Certificate) Release 3 Release 3.0.1 Release 3.1 Release 3.x 3.1 email cert issuance via post issuance portal Release 4.0 4.0 KMI CI-1 4.X Upgrade to DEERS/RAPIDS 4/24/02 6 Release 4 UNCLASSIFIED 3.0.1 Win 2000 Smart Card logon

7 DoD PKI Registration Scenarios Repository/Directory DoD Root Certification Authority Certification Authority RAPIDS Workstation and Verifying Official (VO) End User Personnel Database End User Application Local Registration Authority (LRA) 4/24/02 7 End User Application UNCLASSIFIED

8 # People Requiring Certs and # People Issued Certs Total Req’d 3,109,983 Total Issued 558,659 (14 April 02) 4/24/02 8 UNCLASSIFIED

9 Current Status DoD PKI Release 3 Operational - October 01 Key Management Infrastructure Capability Increment-1 (KMI CI-1) awarded Nov 01; will provide Release 4. Established PKI Interoperability Testing capability Reviewing and approving DoD PKI Certificate Practice Statements 4/24/02 9 UNCLASSIFIED

10 Preparing for the Future Collected Tactical PKI User requirements Working with NIST & Smart Card Senior Coordinating Group to define process to add applets to FIPS 140 certified cards while maintaining FIPS 140 certification Updating the DoD PKI Certificate Policy (CP) Finalizing the DoD Key Recovery Policy Developed high-level approach to PK- Enabled applications 4/24/02 10 UNCLASSIFIED

11 Future PKI Activities DoD Policy Rewrite/Milestone Review SIPRNET Plan MS Logon Agreement - Release 3.0.1 Code Signing - Release 3.1 Private Web Server Certs/Client Side Authentication Biometrics 4/24/02 11 UNCLASSIFIED

12 Other Activities Directories, Directories, Directories DoD PKI and Allied Interoperability DoD PKI “versus” Federal and IC Vetting and piloting tactical and SIPRNET requirements 4/24/02 12 UNCLASSIFIED

13 DoD PK-Enabled Applications PKI provides the underlying foundation for security services, but PK-enabled applications are required in order to implement them We Must Depend on Industry to Maintain the Apps Evaluated Applications that can process our Certificates with little User Involvement 4/24/02 13 UNCLASSIFIED

14 PK-Enabled Services/Applications: –Medium Grade Services (MGS) - secure, interoperable e-mail –Secure Web Services –DoD-specific applications (e.g. Defense Travel System, Wide Area Work Flow) 4/24/02 14 UNCLASSIFIED DoD PK-Enabled Applications

15 DoD PKI and KMI Token Protection Profile Used Smart Card Security Users Group Smart Card Protection Profile as baseline document Information Assurance Technical Framework Forum Protection Profiles: http://www.iatf.net/protection_profiles/index.cfm Previous draft was released for public comment October 00 - Feb 01 Tokens meeting this protection profile: –required by mid-late 2003 4/24/02 15 UNCLASSIFIED

16 Token PP FIPS 140 Requirements FIPS 140-2 Level 2 for Subscribers * FIPS 140-2 Level 3 for Registration Authorities * If the DoD Common Access Card issuing infrastructure is not capable of issuing two different levels of cards, then all CACs will be required to meet FIPS 140-2 Level 3. 4/24/02 16 UNCLASSIFIED

17 Biometrics, DMDC and CAC DMDC has been collecting and storing fingerprints (template & minutia) when issuing cards. 4/24/02 17 Biometric data is not stored on the CAC In the event of a forgotten PIN, biometric (fingerprint) can be provided by user at a RAPIDS workstation for authentication and to unlock her CAC UNCLASSIFIED

18 Adding Biometrics to PKI & CAC Pilots under way now Discrete points where biometrics can be added: –CAC task order/purchase* –middleware upgrades* –DMDC/RAPIDS/DEERS upgrades* * Probably need all three of these before fully incorporating biomentrics May impact CAC FIPS 140 certification UNCLASSIFIED 4/24/02 18

19 3/13/02 19 UNCLASSIFIED


Download ppt "United States DoD Public Key Infrastructure : Deploying the PKI Token R. Michael Green Director, DoD PKI PMO (410) 854-4900 Becky."

Similar presentations


Ads by Google