Department of Defense PKI Use Case/Experiences



Similar documents
The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Test Plan for Department of Defense (DoD) Public Key Infrastructure (PKI) Interagency/Partner Interoperability. Version 1.0.3

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

Department of Defense INSTRUCTION. SUBJECT: Public Key Infrastructure (PKI) and Public Key (PK) Enabling

Certification Path Processing in the Tumbleweed Validation Authority Product Line Federal Bridge CA Meeting 10/14/2004

Department of Defense INSTRUCTION. Public Key Infrastructure (PKI) and Public Key (PK) Enabling

Department of Defense External Interoperability Plan Version 1.0

Department of Defense SHA-256 Migration Overview

Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ)

Agenda. DoD PKI Operational Status DoD PKI SIPRNET Token. Interoperability Public Key Enablement. Dynamic Access

Utilizing the DoD PKI to Provide Certificates for Unified Capabilities (UC) Components. DISA NS2 Capabilities Center November 3, 2011 Revision 1.

DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0

CERTIFICATION PRACTICE STATEMENT UPDATE

Deploying and Managing a Public Key Infrastructure

RAPIDS Self Service User Guide

An Operational Architecture for Federated Identity Management

Public Key Infrastructure

SAFE Digital Signatures in PDF

SYMANTEC NON-FEDERAL SHARED SERVICE PROVIDER PKI SERVICE DESCRIPTION

Axway Validation Authority Suite

Identity & Privacy Protection

Page 1. Smart Card Applications. Lecture 7: Prof. Sead Muftic Matei Ciobanu Morogan. Lecture 7 : Lecture 7 : Smart Card Applications

PKI Made Easy: Managing Certificates with Dogtag. Ade Lee Sr. Software Engineer Red Hat, Inc

Public Key Infrastructure for a Higher Education Environment

Government Smart Card Interagency Advisory Board Moving to SHA-2: Overview and Treasury Activities October 27, 2010

ESnet SSL CA service Certificate Policy And Certification Practice Statement Version 1.0

DEPARTMENT OF DEFENSE ONLINE CERTIFICATE STATUS PROTOCOL RESPONDER INTEROPERABILITY MASTER TEST PLAN VERSION 1.0

HIPAA Security Regulations: Assessing Vendor Capabilities and Negotiating Agreements re: PKI and Security

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Mobile OTPK Technology for Online Digital Signatures. Dec 15, 2015

Intelligence Community Public Key Infrastructure (IC PKI)

Issuance and use of PIV at FAA

Airbus Group Public Key Infrastructure. Certificate Policy. Version 4.6

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, DC

apple WWDR Certification Practice Statement Version 1.8 June 11, 2012 Apple Inc.

Implementing Federal Personal Identity Verification for VMware View. By Bryan Salek, Federal Desktop Systems Engineer, VMware

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

The Convergence of IT Security and Physical Access Control

Understanding the differences in PIV, PIV-I, PIV-C August 23, 2010

Frequently Asked Questions

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015

Part III-a. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

CoSign by ARX for PIV Cards

AD CS.

PKI NBP Certification Policy for ESCB Signature Certificates. OID: version 1.5

An introduction to EJBCA and SignServer

NOAA HSPD-12 PIV-II Implementation October 23, Who is responsible for implementation of HSPD-12 PIV-II?

CMS Illinois Department of Central Management Services

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

StartCom Certification Authority

TELSTRA RSS CA Subscriber Agreement (SA)

CCEB Publication 1010

Network Automation 9.22 Features: RIM and PKI Authentication July 31, 2013

Administration Guide ActivClient for Windows 6.2

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

Office of the Chief Information Officer Department of Energy Identity, Credential, and Access Management (ICAM)

X.509 Certificate Policy For The Federal Bridge Certification Authority (FBCA) Version 2.24

Operational Research Consultants, Inc. Non Federal Issuer. Certificate Policy. Version 1.0.1

Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory

Entrust Managed Services PKI

Certificate Policy for the United States Patent and Trademark Office November 26, 2013 Version 2.5

White Paper. The risks of authenticating with digital certificates exposed

EXPLORING SMARTCARDS: AN INDEPENDENT LOOK TO TECHNOLOGIES AND MARKET

Chapter 7 Managing Users, Authentication, and Certificates

The IDA Catalogue. of GENERIC SERVICES. Interchange of Data between Administrations

CS 356 Lecture 28 Internet Authentication. Spring 2013

Microsoft Trusted Root Certificate: Program Requirements

ENTRUST CLOUD. SSL Digital Certificates, Discovery & Management entrust@entrust.com entrust.com

NIST Test Personal Identity Verification (PIV) Cards

Certificate technology on Pulse Secure Access

Lecture VII : Public Key Infrastructure (PKI)

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Danske Bank Group Certificate Policy

Certificate technology on Junos Pulse Secure Access

Federal Identity, Credentialing, and Access Management. Personal Identity Verification Interoperable (PIV-I) Test Plan. Version 1.1.

Class 3 Registration Authority Charter

PKI NBP Certification Policy for ESCB Encryption Certificates. OID: version 1.2

CMS Operational Policy for VPN Access to 3-Zone Admin and Development /Validation Segments

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Integration of Access Security with Cloud- Based Credentialing Services

Websense Content Gateway HTTPS Configuration

Alliance Key Manager A Solution Brief for Technical Implementers

NIST ITL July 2012 CA Compromise

Smart Card Certificate Authentication with VMware View 4.5 and Above WHITE PAPER

INFORMATION TECHNOLOGY CERES DEPARTMENT

The Costs of Managed PKI:

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

Optimized Certificates A New Proposal for Efficient Electronic Document Signature Validation

Federal Public Key Infrastructure (FPKI) Compliance Audit Requirements

Citizen CA Certification Practice statement

Use of Common Access Cards (CACs) from Home on Windows 7 without Middleware

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

Schlumberger PKI /Corporate Badge Deployment. Neville Pattinson Director of Business Development & Technology IT & Public Sector

Tactics, Techniques, & Procedures (TTP) Dual Persona Personal Identity Verification (PIV) Authorization Certificate

Government CA Government AA. Certification Practice Statement

phicert Direct Certificate Policy and Certification Practices Statement

Trusting the ECA Certificate Authority in Microsoft Internet Explorer

Transcription:

UNCLASSIFIED//FOR OFFICIAL USE ONLY Department of Defense PKI Use Case/Experiences PKI IMPLEMENTATION WORKSHOP Debbie Mitchell DoD PKI PMO dmmitc3@missi.ncsc.mil UNCLASSIFIED//FOR OFFICIAL USE ONLY

Current Statistics Agenda Program Enhancements (Otherwise knows as lessons learned ) New Milestones for PK-Enabling FIPS 201 Challenges UNCLASSIFIED//FOR OFFICIAL USE ONLY 2

Current Statistics Common Access Cards (CAC) Issued 10 M More than 90% of target population has a CAC 500,000 software certificates being used 98% of DoD web servers have certificates PKI Certificates issued on NIPRNet 22M+ PKI Certificates issued on SIPRNet - 10000 All Software certificates NSA is currently working on enhancements to the CAC for its use on SIPRNET Other holders of DoD PKI Certificates Intelligence Community CCEB Nations (5-Eyes) Typical CAC issuing time with PKI Certificates 12-15 minutes As many as 20,000 in a day UNCLASSIFIED//FOR OFFICIAL USE ONLY 3

Program Enhancements UNCLASSIFIED//FOR OFFICIAL USE ONLY 4

Robust Certificate Validation Service Issue: Real-time certificate validation needed to minimize bandwidth impact Field RCVS Nodes Mechanicsburg San Antonio EUCOM PACOM CONUS (2-TBD) SIPRNet Operational Issues CRL Size Rollout of OCSP Plugins UNCLASSIFIED//FOR OFFICIAL USE ONLY 5

Non-person Entity Certificates (i.e., Device). Issue: Need to Extend PKI to support a net-centric environment by enabling recognition and authentication of those entities that operate on/within our networks. Currently Developing System Requirements Spec Concept of Operation (CONOP) Authoritative Naming Spec Develop Authoritative Naming System Develop Registration Processes & Controls Certificate Expiration Notification Determine Types of Devices To Be Supported Develop Device Certificate Profiles Implement Support for Certificate Request Protocols (HW & SW) Field CAs for NIPRNet and SIPRNet Continue To Evolve PKI to Support Future Devices UNCLASSIFIED//FOR OFFICIAL USE ONLY 6

Windows Domain Controller Certificates Issue: Need to support smart card logon (with CACs) in a Microsoft Network Environment Develop Policy Design Certificate Issuance Process and Profiles Establish Subordinate CA for Domain Controller Certificates Support for SIPRNet UNCLASSIFIED//FOR OFFICIAL USE ONLY 7

Automated PKI Monitoring Issue: Need capability to remotely monitor performance of key infrastructure components Develop Base Monitoring Functions Add Monitoring of Red Hat CMS Add Monitoring of Auto Key Recovery Auto Local Registration Authority Application Field at JITC Field at Chambersburg Field at Denver UNCLASSIFIED//FOR OFFICIAL USE ONLY 8

Government Control of PKI Applets (aka HAPKI) Issue: Need for the DoD to acquire control of the PKI Java applets that are downloaded to the CAC for performing PKI functions Develop CONOP Develop System Requirements Specification Design CAC To Support Multiple Global Platform Security Domains Design CAC To Only Accept Government Signed Applets Develop Applets Under Government Control and/or Review Establish Mechanism To Sign Government Applets and Load CACs Develop CAC Proof-of-Possession for IP Issued Certificates Relocate PKI Sensitive Functions From CAC To The PKI UNCLASSIFIED//FOR OFFICIAL USE ONLY 9

Bulk Revocation by Components Issue: DoD Components require a capability to efficiently revoke large numbers of certificates Develop Prototype Deploy in Operational Environment Develop Federated Database Deploy in SIPRNet UNCLASSIFIED//FOR OFFICIAL USE ONLY 10

Citizenship Information Issue: DoD relying parties have a requirement for citizenship information in certificates Determine Owner of Citizenship Information Determine Source of Citizenship Information Determine Usage Requirements for Citizenship Information Design System for Hosting Citizenship Information Implement Citizenship Information Develop Training for Collecting Citizenship Information UNCLASSIFIED//FOR OFFICIAL USE ONLY 11

Architecture Improvements Design and Implement Improvements To The Overall Architecture of The DoD PKI Architecture Improvements include: Second Source Certification Authorities Second Source Certification Authorities implement CA software from a second vendor to remove the dependency that the DoD currently has on a single vendor to support the DoD PKI Automated Load Balancing for Issuance Portals (IP) and LRAs Automated Load Balancing provides a load balancer between the CAs and the LRAs and CAC Issuance. By implementing a load balancing capability, LRA workstations and IPs could all be configured to access the load balancer, which would automatically route the request to an available CA UNCLASSIFIED//FOR OFFICIAL USE ONLY 12

Other Slated Enhancements Trust Relationships with External PKIs Group/role certificates Distribution of the DoD Root CA certificate to all subscribers and relying parties in a trusted manor Improvements of compliance audits Enhance archival process of DoD PKI objects Access to encrypted data Trusted Timestamp UNCLASSIFIED//FOR OFFICIAL USE ONLY 13

New Milestones for PK-Enabling UNCLASSIFIED//FOR OFFICIAL USE ONLY 14

Past PK-Enabling Guidance August 12, 2000 Updated DoD policies for development and implementation of a Department-wide PKI Aligned PKI activities and milestones with those of the DoD CAC program May 17, 2001 Provided specific guidelines for the Public Key Enabling of Applications, Web Servers, and Networks for DoD May 21, 2002 Mandated CAC as primary token platform for PKI certificates Adjusted milestone dates of two earlier memorandum UNCLASSIFIED//FOR OFFICIAL USE ONLY 15

UNCLASSIFIED//FOR OFFICIAL USE ONLY 16

New Milestones Set for PK-Enabling Within the DoD Community The DRIVING FORCE: JOINT TASK FORCE - GLOBAL NETWORK OPERATIONS (JTF-GNO) - Responsible for operation and defense of the Global Information Grid (GIG) framework for DoD JTF-GNO Actions: Issued a WARNING ORDER (WARNORD) Issued a COMMUNICATIONS TASKING ORDER (CTO) Directed compliance with specified tasks Provided dates for compliance, options for waivers, and percentages for completion within tasks by various deadlines UNCLASSIFIED//FOR OFFICIAL USE ONLY 17

All DoD Components Directed To: Provide lessons learned from CAC/PKI implementation efforts Complete PKI training for all System Admins Implement SCL to the NIPRNet Develop an initial plan for email encryption and digital signature using DoD PKI Allow only certificate-based client authentication to private DoD web-servers using certificates issued by the DoD PKI Verify CAC readers, middleware, and ensure CAC users required information and certificates are correct UNCLASSIFIED//FOR OFFICIAL USE ONLY 18

UNCLASSIFIED//FOR OFFICIAL USE ONLY 19

Comparison of CAC and PIV Certificate Usage CAC User Certificates Identity Web client authentication Document Signing Digital Signature Email signatures Smartcard Login Encryption Encrypted email PIV User Certificates PIV Authentication Web client authentication Smartcard Login Digital Signature Email signatures Document Signing Key Management Email encryption Card Authentication Physical access control Card Management Personalization Post Issuance UNCLASSIFIED//FOR OFFICIAL USE ONLY 20

Alignment with Common Policy Requirement: January 1, 2008 - Legacy PKIs cross certified with the Federal Bridge have to assert common policy oids in certs Aug 2005 - Established team to look at differences between DoD Certificate Policy and Federal Common Policy Sep 2005 - Briefed Federal Bridge Policy Authority Oct 2005 - Briefed Federal Certificate Policy Working Group Even though we are compliant with the Federal Bridge policy we aren t compliant with the Federal Common Policy There are some Significant care-abouts We re working with Judy Spencer and the federal community to harmonize policies and try to come to some mutual agreement for a way forward. Federal entities operating legacy PKIs need to perform a similar analysis UNCLASSIFIED//FOR OFFICIAL USE ONLY 21

Other PIV Challenges Certificate Profiles changes to our existing ones Issuer Signature Algorithm Phased approach for changes CRL Distribution Point Subject Public Key Information AIA Need additional certificate profile Card Issuer Certificate Foreign National Identity Proofing Within the US OCONUS Ties into our Citizenship initiative UNCLASSIFIED//FOR OFFICIAL USE ONLY 22

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information