Department of Defense SHA-256 Migration Overview

Similar documents
Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ)

Government Smart Card Interagency Advisory Board Moving to SHA-2: Overview and Treasury Activities October 27, 2010

Department of Defense PKI Use Case/Experiences

DoD CAC Middleware Requirements Release 4.0

Implementing Federal Personal Identity Verification for VMware View. By Bryan Salek, Federal Desktop Systems Engineer, VMware

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

Agenda. DoD PKI Operational Status DoD PKI SIPRNET Token. Interoperability Public Key Enablement. Dynamic Access

Test Plan for Department of Defense (DoD) Public Key Infrastructure (PKI) Interagency/Partner Interoperability. Version 1.0.3

Draft Middleware Specification. Version X.X MM/DD/YYYY

I N F O R M A T I O N S E C U R I T Y

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

2013 AWS Worldwide Public Sector Summit Washington, D.C.

Office of the Chief Information Officer Department of Energy Identity, Credential, and Access Management (ICAM)

Certification Path Processing in the Tumbleweed Validation Authority Product Line Federal Bridge CA Meeting 10/14/2004

ACTIVE MICROSOFT CERTIFICATIONS:

Secure Messaging Challenge Technical Demonstration

I N F O R M A T I O N S E C U R I T Y

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, DC

GSA FIPS 201 Evaluation Program

Spine Warranted Environment Specification

CA-DAY Michael Kranawetter, Chief Security Advisor (Tom Albertson, Security Program Manager) Microsoft

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

NOAA HSPD-12 PIV-II Implementation October 23, Who is responsible for implementation of HSPD-12 PIV-II?

Identity & Privacy Protection

Axway Validation Authority Suite

FOUR PILLARS FOR A SUCCESSFUL PIV ECOSYSTEM

Identity, Credential, and Access Management. An information exchange For Information Security and Privacy Advisory Board

NIST Test Personal Identity Verification (PIV) Cards

Understanding the differences in PIV, PIV-I, PIV-C August 23, 2010

How To Get A Certificate From Ms.Net For A Server Server

ACTIVE MICROSOFT CERTIFICATIONS:

GOVERNMENT USE OF MOBILE TECHNOLOGY

FBCA Cross-Certificate Remover 1.12 User Guide

Using PIV Smart Cards on Linux for Authentication to Windows Active Directory

Deriving a Trusted Mobile Identity from an Existing Credential

What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form. December 3, 2012

PROTECT YOUR WORLD. Identity Management Solutions and Services

DEPARTMENT OF DEFENSE ONLINE CERTIFICATE STATUS PROTOCOL RESPONDER INTEROPERABILITY MASTER TEST PLAN VERSION 1.0

AT&T Global Network Client for Windows Product Support Matrix January 29, 2015

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Is Your SSL Website and Mobile App Really Secure?

Accessing CAC-Restricted Sites From Home

Securing MFPs in a CAC Environment: Today and Tomorrow Critical Considerations

Strong Authentication for Future Web Applications

The Government-wide Implementation of Biometrics for HSPD-12

SIGNIFICANT CHANGES DOCUMENT

Standardizing PKI in Higher Education Apple PKI and Universal Hi-Ed Spec proposal

NIST s FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Masaryk University in Brno Faculty of Informatics

2014 IBM Corporation

RAPIDS Self Service User Guide

Identity, Credential, and Access Management. Open Solutions for Open Government

DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0

Cryptographic and Security Testing Laboratory. Deputy Laboratory Director, CST Laboratory Manager

Microsoft vs. Red Hat. A Comparison of PKI Vendors

Derived credentials. NIST SP ( 5.3.5) provides for long term derived credentials

EXPLORING SMARTCARDS: AN INDEPENDENT LOOK TO TECHNOLOGIES AND MARKET

Managed Portable Security Devices

STATEMENT OF WORK. For

ACTIVE MICROSOFT CERTIFICATIONS:

Overview ActivClient for Windows 6.2


NIST Cyber Security Activities

Public Key Infrastructure

Security Policy for FIPS Validation

I. Configuring Digital signature certificate in Microsoft Outlook 2003:

Use of Common Access Cards (CACs) from Home on Windows 7 without Middleware

Mobile OTPK Technology for Online Digital Signatures. Dec 15, 2015

CoSign by ARX for PIV Cards

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

Microsoft Identity Lifecycle Manager & Gemalto.NET Solutions. Jan 23 rd, 2007

Citrix MetaFrame XP Security Standards and Deployment Scenarios

Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance

The Convergence of IT Security and Physical Access Control

Essential Next Steps for the U.S. Government in the Transition to IPv6

Biometrics, Tokens, & Public Key Certificates

Analysis One Code Desc. Transaction Amount. Fiscal Period

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Tactics, Techniques, & Procedures (TTP) Dual Persona Personal Identity Verification (PIV) Authorization Certificate

Department of Defense INSTRUCTION. Public Key Infrastructure (PKI) and Public Key (PK) Enabling

DEPARTMENTAL REGULATION

Threat Model for Software Reconfigurable Communications Systems

An Operational Architecture for Federated Identity Management

DoD Root Certificate Chaining Problem

Upgrading and Improving the Trust of Microsoft Windows Certificate Authorities

Trusting the ECA Certificate Authority in Microsoft Internet Explorer

From. Medusa. Midas. Lynn Kluegel Glen Lee. Lee Neely. Melissa Nimmo LA-UR Unclassified

Protecting Your Name on the Internet The Business Benefits of Extended Validation SSL Certificates

PRIME IDENTITY MANAGEMENT CORE

Federal Identity, Credentialing, and Access Management. Identity Scheme Adoption Process

PUBLIC Secure Login for SAP Single Sign-On Implementation Guide

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

Digital Signature Application

Odyssey Access Client FIPS Edition

Windows Server 2008 R2 Boot Manager Security Policy For FIPS Validation

Transcription:

Department of Defense SHA-256 Migration Overview 18 March 2011 Tim Fong DoD-CIO/ IIA Timothy.Fong@osd.mil

General Observations This is Important INFOSEC: Algorithms can be compromised over time. Crypto algorithms constantly move to higher levels of complexity This is a Challenge Transition to SHA-256 with limited or no mission operations breakage This will be Hard Large complex DoD Network of Networks with SHA-1 implementations (workstations, applications, web services, etc ) This is just the beginning Planning takes time, DoD & vendors are not ready, impacts not fully understood 2

Directives NIST SP 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV) Eff 1 JAN 2011 Federal Agencies will migrate their PKI cert from SHA-1 to SHA-256 HSPD-12 and FIPS Pub 201-1 PIV Standard States PKI will be used for authentication All new PIV credentials will have PKI certificates w/sha-256 OMB 11-11 (3 Feb 2011) Con t Guidance HSPD-12 Full use of the PIV credentials for access to federal facilities and information systems DoD-CIO Memo (14 OCT 2010) DoD s Migration Cryptographic Algorithms Components conduct portfolio assessment and develop a POAM Improving Security by supporting stronger cryptographic keys and more robust algorithms. 3

DoD CAC/PKI today Successful Deployment and Implementation > 90% of target Population has a DoD CAC w/sha-1 certs (ID, Email, Encryption) Provides digital identities that are unique and un-forgeable Used by ~3.7 million personnel 98% of DoD servers use certificates Trusted for use in virtual network transactions: Network Logon & Web Authentication E-mail signing & encryption Digital signing Most DoD Business Systems & Applications use PKI (e.g.,dts, ATAAPS, Military Efficiency Reports) PKI is the key to Secure and Assured Information Sharing. 4

What has changed? Federal partners began issuing PKI certs with SHA-256 crypto algorithms and stopped issuing SHA-1 on 1 Jan 2011 Will impact systems & applications using PKI Most current DoD systems & applications will not be able to process the new algorithm without software upgrades Impacts already experienced at North Chicago, (DoD VA) Immediate impact to DoD Mission Assurance within the Department Secure information sharing with our external partners (Federal and Industry) DoD is committed to maintaining the assurance of PKI credentials and supports need to migrate Potential Interoperability & Secure Information Sharing Challenge 5

What DoD Knows About SHA-256 Today High level DoD assessment conducted in 4QFY10 DoD Test & Evaluation WG initial findings o SHA- 256 is not supported in older version of Microsoft OS Minimum MS OS is Windows XP SP3 Full functional support begins with MS Windows Vista/Win7 o Most widely deployed CAC middleware currently does not support SHA-256 for MS OS/applications Middleware does not implement MS mini drivers Mini drivers must be used within MS cryptography architecture to access SHA-256 algorithms DoD is aware of other application problems documented by Federal Partners 6

What we re planning to do Strategy: Transition DoD IT environment over time Provide DoD Guidance w/roadmap and Milestones Engage Vendors & Manufacturers to determine plans for product support of SHA-256 Upgrade systems & applications to handle SHA-256 as soon as possible but NLT 31 Dec 2012 PKI/CAC infrastructure can begin to issue SHA-256 as soon as IT infrastructure can support its use but NLT 1 Jan 2013 Once SHA-256 issuance begins in DoD, users will receive CACs with SHA-256 through the normal CAC 3-Year Lifecycle Goal: Implement transition plan as quickly as possible Resource Owners Develop detailed Plan of Actions & Milestones (POAM) Upgrade affected systems & applications NLT 31 Dec 2012 Follow the Guidance Supporting Operations: Internal and External Customers. Don t Break Anything 7

DoD SHA-256 Transition Major Milestones 1 JAN 2011 31 MAR 2011 1 JAN 2012 30 JUN 2012 Federal Migration Key dates 30 SEP 2012 1 JAN 2013 31 DEC 2013 New PIV credential w/sha-256 Federal Partner Interop Issues All Federal Partners CRLs & OCSP signed w/sha-256 Cease Use of SHA-1 in Federal Infrastructure DoD PK Infrastructure Cross Certify w/new SHA-1 Federal Root Begin to Upgrade PKI & RAPIDS Infrastructure CAs capable of signing w/sha-256 DoD CACs signed w/sha-256 DoD CRLs & OCSP signed w/sha-256 CC/S/A Mission System Transition Begin server and Workstations upgrades Upgrade System Portfolios to support SHA-256 Workstations email signed w/sha-256 Certs Servers AuthN w/sha256 (Bi-modal) 50% Upgraded Vendor Engagement 75% Upgraded 100% Upgraded Servers use SHA-256 Certs Workstations use SHA-256 Certs Industry Day Formal RFI RFI Responses

What we re going to do Operational Strategy: Bi-modal Operations Support Minimize operational impact Efficiently migrate systems to support use of SHA-256. o Infrastructure will support both SHA-1 and SHA-256 for a period of time o Transition AuthN to bi-modal to support DoD and external customers o Phase in DoD use of SHA-256 signed certs while phasing out SHA-1 Support basic capabilities: Crypto Logon, Email Signing, Digital Signing, Web Authentication Priorities: Operation of DoD systems, and Interoperability between DoD and approved external PKIs Major actions & milestones: o Upgrade affected Systems and Applications NLT 31 DEC 2012 Domain Controllers, AuthN servers, Web servers, Email servers Workstations, CAC middleware, Email clients Digital Signing and Certificate Validation software o Upgrade PKI and RAPIDS Infrastructure by 31 DEC 2012 o Start issuing DoD certs w/sha-256 NLT 01 JAN 2013 o Stop issuing DoD certs w/sha-1 NLT 31 DEC 2012 9

Crypto Logon What C/S/A need to do to use SHA-256 25FEB2011 1JAN2012 30JUN2012 30SEP2012 1JAN2013 Upgrade: 1) Domain Controller software w/ms Server 2003 & hotfix or w/ms Server 2008 2) Workstation O/S w/vista SP2 or WIN7 3) Card reader middleware: Active Client 6.2.0.50 4) Certificate validation: Tumbleweed DV 4.9.2.172 Upgrades 50% Upgrades 75% Crypto Logon w/ SHA256 Upgrades 31DEC2013 Email Upgrade: 1) Email software to MS Outlook 2003, 2007, or 2010 2) Workstation O/S w/vista SP2 or WIN7 2a) Workstations to MS XP SP3 w/hotfix 3) Card reader middleware: Active Client 6.2.0.50 4) Certificate validation: Tumbleweed DV 4.9.2.172 W/S reads email signed w/sha-256 Certs 50% of Email upgrades Upgrades 75% Full Email capability w/ SHA256 Upgrades Digital Signing Web AuthN w/pki Upgrade: 1) Workstation O/S w/vista SP2 or WIN7 2) Card reader middleware: Active Client 6.2.0.50 3) **Digital Signing software to support SHA256 4) Certificate validation: Tumbleweed DV 4.9.2.172 Upgrade: 1) Server O/S w/ms Server 2003 & hotfix, MS 2008, Apache 2.2.3-31-mod_ssl 2.2.3-31 or Apache 2.2.3-31 mod_nss 2.2.3-31 2) Workstation O/S w/vista SP2 or WIN7; IE 7, IE 8, Firefox 3.0.11, Firefox 3.6.6, Firefox 3.6.8 3) Card reader middleware: Active Client 6.2.0.50 4) Certificate validation: Tumbleweed DV 4.9.2.172 Digital signing is product dependent ** Critical Apps Servers Sign w/sha256 (Bi-modal) User AuthN to servers is product dependent Critical Apps Servers AuthN w/sha256 (Bi-modal) Upgrades 50% 50% of Web AuthN upgraded Upgrades 75% Upgrades 75% Web AuthN: Servers & Workstations use SHA-256 Certs Upgrades Example system applications: - DTS - ATAAPS - DoD Employee Appraisals - Army OERs

Current Migration Efforts DoD Task Force: DRAFT DoD Guidance with Roadmap and Milestones DoD Coordination Cell: meets every Tuesday @1130 Crypto Migration Team: Identify; Anecdotal Test ing Commonly-used applications supporting internal Fns Critical applications for external customers DoD PKE team post results and guidance on PKE website Vendor Engagement Contact primary application manufacturers and vendors regarding SHA-256 compliance developments Include as a requirement in all contracts 11

Next Steps Issue DoD Guidance w/roadmap Services and agencies Develop POAMs o Where are they today o Plans for upgrade o Resource requirements DoD CIO monitors progress and challenges 12

What can you do? 1. What will be the Vendor concept for support during SHA-256 transition? (Also address initial support for RSA 2048 certificates and long-term plans for ECC support.) 2. Does your current product suite support SHA-256? If so, is the support version specific -- explain. If not, what is the projected timeframe for support? Do you anticipate having beta test suites available for customers prior to general public release and configuration guides? 3. How will the Vendor address COTS product minimum required versions for SHA-256 support, with backward compatibility for SHA-1? 4. What capability will the Vendor have to conduct product testing, evaluation and acceptance procedures to ensure complete compatibility? 5. How will the Vendor transition their products from SHA-1 to SHA-256 RSA 2048 and eventually to ECC (ie., general plan and milestones)? 6. How will the Vendor address validating product claims of compatibility? (ie., certification) 7. What are the vendor s anticipated impacts to their current DoD customers? 8. How can the vendor or manufacturer s product transition minimize the impact to the DoD s transition? 9. How will system integrators address these same questions? 13

Questions? Tim Fong Deputy Director, IdA/PKI DoD-CIO/DASD IIA 703-604-3156 Timothy.Fong@osd.mil 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information