LandWarNet 2011
Army Identity Management (IdM) PKI Initiatives
Tracy Traylor, CIO/G6, Cyber Dir, IdM Div Chief
Agenda:
- SIPRNet Tokens
- Tactical PKI
- SHA-256
- Questions/POCs
2011-08-23T08:00Z // SIPRNet Token Implementation
What it is:
- Token (smart card) for strong authentication and logon to the SIPRNet, signing and encrypting email, and connecting to secure websites
- Replacement for the current logon, which requires user names and the recommended 15-character passwords, which are:
  - Lengthy and difficult to remember
  - Subject to frequent change
  - Easier for adversaries to exploit than a token plus PIN
- Initially funded by the DoD PKI PMO
- Certificates issued under the National Security System (NSS) Certificate Authority (vs. the DoD CA used for CACs)
Why it is being implemented:
- Follows Department of Defense (DoD) Instruction 8520.2 procedures to implement PKI on DoD classified networks
- Makes it more difficult for adversaries to compromise SIPRNet
- Army G3/5/7 EXORD 074-11 (14 Jan 11) tasked commands and staffs to participate in IOT&E and FOC
- USCYBERCOM Coordination Alert Message (26 Jan 11) required SIPRNet token implementation for IOT&E and preparation for full implementation
- Army Cyber Command EXORD 2011-018 (4 Mar 11) provided technical information and direction to Signal Commands
Army Initial Operational Test and Evaluation (IOT&E) Implementation Plan:
- Addresses preparation for and participation in DoD IOT&E
- Includes Army issuance of up to 2,000 SIPRNet tokens to various Army organizations and commands
- Tokens are issued with a three (3) year certificate life span and can remain in use through Full Operational Capability (FOC)
Configure the infrastructure:
- Distribute token readers provided by Army CIO/G6
- Install device certificates and Tumbleweed Enterprise on domain controllers and web servers
- Configure SIPRNet workstations with 90Meter middleware (similar in function to ActivClient for DoD CACs) and the Tumbleweed desktop validation application
Establish a chain of trust:
- Identify locations of Local Registration Authorities (LRAs) and Trusted Agents (TAs)
- Establish and train LRAs and TAs with CIO/G6 support
Get SIPRNet tokens into the hands of SIPRNet users:
- Require SIPRNet users to obtain SIPRNet tokens
- Conduct face-to-face identity verification between TAs and users
- TAs forward the completed DoD PKI Certificate of Acceptance and Acknowledgement of Responsibilities (DD Form 2842) to LRAs
Decentralized token issuance process (Army CIO/G6 RA -> decentralized LRA -> remote TA -> SIPRNet user):
1. The Army CIO/G6 Cyber CAC/PKI Division RA pre-positions formatted, inactive tokens with the LRA at decentralized issuance locations.
2. The command/SIPRNet user submits a request for a SIPRNet PKI token to the LRA, or to a remote TA for validation.
3. On a SIPRNet workstation, the LRA accesses TMS to register the user and obtain a temporary PIN. The LRA enrolls the user and places the certificates on the token.
4. The LRA sends the enrolled token to the remote TA and sends the temporary PIN separately, via NSS-encrypted email, so that the token and its PIN never travel together.
5. The TA receives the token, conducts a face-to-face validation of the user's identity, completes DD Form 2842, and issues the token to the user. The user changes the token PIN on a SIPRNet workstation in the presence of the TA and becomes a SIPRNet PKI token subscriber.
6. The TA sends the signed DD Form 2842 to the LRA.
Decentralized LRA examples: #1: Fort Belvoir, to refine the process and expand to include MDW; #2: Fort Gordon, a mix of CONUS, tactical, and MI users.
Remote TAs: attempt to leverage existing TAs distributed across Army installations at startup.
Command/Organization token issuance to users (IOT&E): CIO/G-6, USAREUR, AFRICOM, EUCOM, 106th Signal Brigade, ATEC, ATEC OTC, INSCOM/513th, DA Chief of Engineers, 335th Signal, 52nd ID, NTC, 7th SC, USARPAC, TRADOC
IOT&E token issuance requirement: 2,000
Tokens issued: 2,403 as of 12 Aug 2011
IOT&E observations:
- Senior leadership awareness and support are needed
- Network support organizations must take advantage of available accreditation and test documentation and eliminate or reduce local testing
- Users still need to update SIPRNet passwords to prevent account lockout until User Based Enforcement (UBE), using the SIPRNet token only, is implemented
- Thin client workstations were generally not included in IOT&E due to interoperability issues with token readers and middleware
IOT&E successes:
- Army Theater Network Operations and Security Centers (TNOSCs) have already configured most domain controllers needed for full implementation in several theaters
- Positive feedback received on use of token and PIN vs. user ID and password
- Weekly teleconferences support knowledge sharing and progress reporting
Post-IOT&E implementation strategy:
- SIPRNet tokens will continue to be issued to Army organizations that are prepared to accept them
- Revisions are being made to AR 25-2 (Information Assurance) and Standard Operating Procedures, based on the National Security Systems (NSS) Registration Practice Statement (RPS)
Full fielding strategy:
- Army will field up to 300,000 tokens from FY12 to FY16
- Draft Implementation Plan and EXORD for FOC, suspense 31 Aug 2011
- Initial rollout of tokens, readers, and middleware funded by the DoD PKI PMO
- Army has requested LRAs beginning in FY12
- Army organizations must plan and budget for sustainment beginning in FY14
Tactical PKI:
- The Army is leading the DoD Tactical Technical Interchange Meeting (TIM) under the direction of the DoD PKI PMO
- The Tactical TIM oversees pilot activities:
  - The pilot approach is to evaluate alternative certificate validation (CV) approaches suited to bandwidth-challenged environments, e.g., delta CRLs and mini-CRLs, which avoid pushing the full CRL to every tactical node on each refresh
  - Develop a notional joint PKI operational architecture to support planning and implementation of the Tactical PKI Pilot
  - Coordinate Service and Agency planning and participation in the DoD PKI Tactical Pilot
  - Coordinate functional requirements, test plans and policy changes for use in the Tactical Pilot
- Implementation at the tactical level presents unique challenges:
  - PKI integration with Battle Command and Warfighter's Information Network-Tactical (WIN-T) programs and systems
  - IdM is coordinating and working closely with the Program Executive Office for Command, Control and Communications-Tactical (PEO-C3T)
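To make the delta-CRL option concrete, the following is an added example (not the pilot's code or design) that applies the merge rules of RFC 5280 section 5.2.4 to constructed, dict-shaped CRLs and shows the client-side decision a bandwidth-constrained node has to make: whether its cached base CRL is recent enough to accept a delta, or whether a full refresh is unavoidable. Serials, CRL numbers and reason codes in the sample data are made up; a real client would parse DER and verify the CRL signatures before any of this.

```python
"""Delta-CRL handling as a model of the bandwidth-saving validation approach.

Added example, not Army or DoD PKI code: RFC 5280 section 5.2.4 merge rules applied
to constructed dict-shaped CRLs. Signature verification and DER parsing are out of
scope here and must happen before a real client trusts either list.
"""

# CRLReason codes from RFC 5280 section 5.3.1
KEY_COMPROMISE, CESSATION_OF_OPERATION, CERTIFICATE_HOLD, REMOVE_FROM_CRL = 1, 5, 6, 8

# Constructed sample data. A base CRL carries every revoked certificate; a delta CRL
# carries only the changes since the base identified by its BaseCRLNumber extension.
BASE_CRL = {
    "number": 100, "base_number": None,
    "entries": {0x1001: KEY_COMPROMISE, 0x1002: CERTIFICATE_HOLD, 0x1003: CESSATION_OF_OPERATION},
}
DELTA_CRL = {
    "number": 103, "base_number": 100,
    "entries": {0x1002: REMOVE_FROM_CRL,   # the hold on 0x1002 was released
                0x1004: KEY_COMPROMISE},   # newly revoked since CRL 100
}


def choose_download(cached_base_number, delta):
    """Decide what a constrained client must pull: the delta alone is usable only when the
    cached base CRL number is at least the delta's BaseCRLNumber; otherwise a full base."""
    if cached_base_number is not None and cached_base_number >= delta["base_number"]:
        return "delta"
    return "full"


def apply_delta(base, delta):
    """Merge a delta CRL into a base CRL and return the effective {serial: reason} set."""
    if delta["base_number"] is None:
        raise ValueError("not a delta CRL (no BaseCRLNumber)")
    if base["number"] < delta["base_number"]:
        raise ValueError("cached base CRL is older than this delta's BaseCRLNumber")
    if delta["number"] <= base["number"]:
        raise ValueError("delta CRL is not newer than the base CRL")
    merged = dict(base["entries"])
    for serial, reason in delta["entries"].items():
        if reason == REMOVE_FROM_CRL:
            # removeFromCRL lifts a certificateHold. Conservative choice here: an entry that
            # was revoked for any other reason stays revoked even if a delta says remove.
            if merged.get(serial) == CERTIFICATE_HOLD:
                del merged[serial]
        else:
            merged[serial] = reason   # new revocation, or updated reason (e.g. hold -> compromise)
    return merged


def is_revoked(serial, base, delta):
    """Revocation check against the combined base + delta view."""
    return serial in apply_delta(base, delta)


if __name__ == "__main__":
    print("client with CRL 100 cached pulls:", choose_download(100, DELTA_CRL))
    print("client with CRL 98 cached pulls: ", choose_download(98, DELTA_CRL))
    effective = apply_delta(BASE_CRL, DELTA_CRL)
    print("entries carried by delta vs. full refresh:",
          len(DELTA_CRL["entries"]), "vs.", len(effective))
    for serial in (0x1001, 0x1002, 0x1004, 0x1005):
        print(f"serial {serial:#06x} revoked: {serial in effective}")
```

The saving is in the size of what crosses the link: the delta carries two entries where a full refresh would carry every revoked certificate, but only a client whose cached base is at or beyond the delta's BaseCRLNumber can use it, which is why cache freshness has to be tracked per node.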
Army CIO/G6 IdM funded the TRADOC Capability Manager (TCM) Global Network Enterprise (GNE) and CERDEC to conduct testing and validation of Tactical PKI (TPKI) covering:
- SIPR token
- DEERS/RAPIDS
- SHA-256
- NPE (non-person entity) certificates
- IPv6
Validating the TPKI CONOPS on tactical systems will provide valuable information to develop Tactics, Techniques and Procedures (TTPs), identify gaps, and provide a basis for assessing Doctrine, Organization, Training, Materiel, Leadership, Personnel and Facilities (DOTMLPF).
Potential follow-on operational testing is to take place at the Network Integration Rehearsal / Network Integration Exercise (NIR/NIE) at Fort Bliss, TX.
SHA-256 transition:
The certificates on the Common Access Card (CAC) are signed using the Secure Hash Algorithm SHA-1 and are used to authenticate to networks and web applications and to digitally sign documents, providing authentication and non-repudiation. The hash binds a signature to the exact content it was made over, so tampering with that content is detected; a weak hash weakens that binding. The National Institute of Standards and Technology (NIST) has determined that SHA-1 has reached the end of its security lifecycle, and SHA-256 (a stronger algorithm from the SHA-2 family) will be its replacement. The Federal government has mandated the use of SHA-256 as of 01 JAN 11, with an exemption that allows Agencies/Departments/Services to use SHA-1 at their own risk until 31 DEC 13. Continued use of SHA-1 impacts the Army's ability to interoperate with other Federal organizations (Department of Homeland Security, Department of State, Department of Justice, Veterans Affairs, Centers for Disease Control, Federal Bureau of Investigation, ...) that use or are migrating to SHA-256. The Army will transition the NIPRNet (infrastructure, servers, web applications, workstations) from SHA-1 to SHA-256 over the next two years, with a proposed completion date of 31 DEC 13. This migration provides a standard hash algorithm across the Federal Government for interoperability.
The Army's SHA-256 Working Group is producing FRAGO 1 to the Army Data Center Consolidation Plan (ADCCP) EXORD to implement SHA-256 throughout the Army's NIPRNet. The Army's plan is to fully support SHA-256 NLT 31 DEC 13.
Transition plan for infrastructure, servers, applications and desktops: 25% by 01 FEB 13, 50% by 01 MAY 13, 75% by 01 AUG 13, and 100% complete by 01 NOV 13. The Army will conduct remediation and final verification from 01 NOV to 31 DEC 13.
- Army ceases issuing tokens with SHA-1 certificates: 31 Dec 2013
- Army starts issuing tokens with SHA-256 certificates: 1 Jan 2014
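The transition percentages above presuppose an inventory: you cannot schedule the 25%/50%/75% cut-overs without knowing which certificates on domain controllers, web servers and workstations are still SHA-1 signed. The following is an added example, not Army tooling, of a stdlib-only DER walker that reports the signature hash of an X.509 certificate and flags SHA-1, including the RFC 5280 check that the inner and outer signature-algorithm fields agree. The sample certificates are synthetic DER constructed in the script with no real keys or signatures; on a real host the same function would be fed the DER read from the certificate store.

```python
"""Signature-hash inventory for a SHA-1 to SHA-256 migration.

Added example, not Army tooling: reads the outer structure of a DER X.509 certificate
and reports which hash the issuing CA signed it with. Sample certificates below are
constructed stand-ins (no real keys or signatures).
"""

# AlgorithmIdentifier OIDs from RFC 3279 / RFC 4055 / RFC 5758 -> (name, hash used)
SIG_ALGS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption",   "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1",         "SHA-1"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256",       "SHA-256"),
}


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Base-128 OID contents -> dotted string (first byte packs the first two arcs)."""
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            if arcs:
                arcs.append(acc)
            else:
                arcs.extend((acc // 40, acc % 40) if acc < 80 else (2, acc - 80))
            acc = 0
    return ".".join(map(str, arcs))


def _alg_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid_raw, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_raw)


def signature_algorithm(cert_der):
    """Return (oid, name, hash) for Certificate.signatureAlgorithm.

    RFC 5280 4.1.1.2 requires it to equal TBSCertificate.signature; a mismatch is an
    error rather than something to silently pick one side of.
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = _read_tlv(cert, 0)                 # tbsCertificate
    outer = _alg_oid(_read_tlv(cert, pos)[1])        # signatureAlgorithm
    tag, _, p = _read_tlv(tbs, 0)                    # optional [0] version, then serialNumber
    if tag == 0xA0:
        tag, _, p = _read_tlv(tbs, p)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    inner = _alg_oid(_read_tlv(tbs, p)[1])           # TBSCertificate.signature
    if inner != outer:
        raise ValueError(f"inner/outer signature algorithm mismatch: {inner} vs {outer}")
    return (outer,) + SIG_ALGS.get(outer, ("unknown", "unknown"))


def needs_migration(cert_der):
    """True when the certificate was signed with SHA-1 (unknown algorithms are not flagged)."""
    return signature_algorithm(cert_der)[2] == "SHA-1"


# Minimal DER encoder, used only to build the constructed samples.
def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:                                     # higher groups carry the continuation bit
            chunk, a = chunk + [0x80 | (a & 0x7F)], a >> 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def synthetic_cert(sig_oid, serial=1, params=b"\x05\x00", inner_oid=None):
    """Constructed stand-in with only the fields the parser walks (NULL params for RSA,
    none for ECDSA); an empty issuer placeholder and a dummy signature BIT STRING."""
    outer = _tlv(0x30, _encode_oid(sig_oid) + params)
    inner = _tlv(0x30, _encode_oid(inner_oid or sig_oid) + params)
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial]))
               + inner + _tlv(0x30, b""))
    return _tlv(0x30, tbs + outer + _tlv(0x03, b"\x00\xaa\xaa\xaa\xaa"))


if __name__ == "__main__":
    inventory = {                                    # constructed inventory: label -> DER
        "dc01 device cert": synthetic_cert("1.2.840.113549.1.1.5"),
        "portal TLS cert":  synthetic_cert("1.2.840.113549.1.1.11", serial=2),
        "ecc test cert":    synthetic_cert("1.2.840.10045.4.3.2", serial=3, params=b""),
    }
    for label, der in inventory.items():
        oid, name, digest = signature_algorithm(der)
        print(f"{label:18s} {name:24s} {digest:8s} {'MIGRATE' if digest == 'SHA-1' else 'ok'}")
```

Note what the check does and does not tell you: the signature hash is chosen by the issuing CA, so a SHA-1 result means the certificate must be reissued from a SHA-256 CA, not merely reconfigured on the server. A server can also be SHA-1 dependent through the chain it presents or the CRLs and OCSP responses it relies on, so the inventory has to walk those artifacts with the same routine.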
Questions?
Tracy Traylor, CIO/G6 Cyber Directorate, IdM Division Chief, 703-545-1732, tracy.n.traylor.civ@mail.mil
Mark Dickson, CIO/G6 Cyber Directorate, PKI SIPR/Tactical Lead, 703-545-1736, mark.a.dickson2civ@mail.mil
Dennis Nalli, CIO/G6 Cyber Directorate, PKI SIPR/Tactical, 703-545-1746, dennis.p.nalli.ctr@mail.mil
Phil Juchem, CIO/G6 Cyber Directorate, PKI Tactical/SIPR, 703-545-1740, philip.e.juchem.ctr@mail.mil
Tim Hiligh, CIO/G6 Cyber Directorate, PKI SHA-256/Wireless, 703-545-1741, timothy.r.hiligh.ctr@mail.mil
Army SIPRNet PKI Token AKO Site: https://www.us.army.mil/suite/page/636329