Colleen Carboni, DISA D25, (703) 681-6139, carbonic@ncr.disa.mil

Department of Defense (DOD) Class 3 Medium Assurance Public Key Infrastructure (PKI) Status

21 September 2000

Gilda McKinnon, DISA D25, (703) 681-9024, mckinnog@ncr.disa.mil

Agenda
  • DoD Class 3 PKI
      • Medium Assurance Pilot, Release 1.0
      • Class 3 PKI Release 2.0
      • Class 3 PKI Release 3.0
        • Common Access Card (CAC) Beta
  • Registration
  • Training
  • Application Support
  • External Certification Authorities and Interim External Certification Authorities
  • Using the DoD PKI - An Example
  • Way Ahead
DoD Class 3 PKI Components and Statistics

  • Operational on
    • NIPRNET
      • 41,402 identity
      • 26,494 email
      • 2,906 servers
      • 646 LRAs
      • 107 RAs
    • SIPRNET
      • 117 identity
      • 51 servers
      • 3 RAs
      • 2 LRAs

(Component diagram: NSA; Certificate Authority (CA); Root Server; Directory; Local Registration Authority (LRA); Registration Authority (RA); Users. Hosted at DECC Detachment Chambersburg, PA and DECC Detachment Denver, CO.)

  • CA Architecture is highly centralized
  • LRAs highly decentralized

24 x 7 Help Desk: 1-800-582-4764, weblog@chamb.disa.mil

Medium Assurance PKI Pilot, Release 1.0
  • Operational on -
    • NIPRNET since April 1998
    • SIPRNET since September 1999
  • Certificates are valid until their expiration date
  • Interoperable with Class 3 PKI Release 2.0
  • NIPRNET user registration should transition to Class 3 PKI - 31 Dec 00
    • Exceptions will be made on a case-by-case basis by the PKI PMO
Class 3 PKI Release 2.0 Enhancements
  • Operational July 31, 2000
  • Asserts Class 3 level of assurance
  • Enhancements
    • Key Escrow/Key Recovery
    • FIPS 140-1 level 2 hardware signing of certificates
    • Added Policy Object Identifiers to differentiate between HW/SW certificates
    • FIPS 140-1 level 2 smart cards for registration personnel
    • Larger capacity infrastructure
    • Improved firewall protection of the enclaves
  • Training
    • RA/LRA training started in May 00 will continue through FY01

RAISING THE BAR

Transitioning Registration Authorities (RAs), Local Registration Authorities (LRAs), and Users to Class 3 PKI

RA and LRA Workstation Requirement:
  • Pentium or higher, 64MB RAM
  • Windows NT 4.0 OS (Service Pack 4)
  • Netscape Communicator 4.73 or higher (US Version - non-export) with Personal Security Manager (PSM) 1.1
  • FIPS 140-1 level 2 Hardware token
  • Dedicated printer (non-networked)
  • NIPRNET/INTERNET connectivity
  • LRA application 2.1
  • Use Windows NT lockdown procedure

User:
  • Netscape Communicator 4.73 with PSM 1.1

Instructions for establishing an RA/LRA workstation are at http://iase.disa.mil/documentlib.html#PKIDOCS

Class 3 PKI Release 3.0 Enhancements
  • Establishes a connection to the Defense Enrollment Eligibility Reporting System (DEERS); DEERS provides the PKI Unique Identification Number
  • Enables Real-time Automated Personnel Identification System (RAPIDS) Verification Officers (VOs) to issue PKI certificates on the Common Access Card (CAC)
  • Schedule:
    • CAC BETA 1st QTR FY01
    • System Security Assessment 1st QTR FY01
    • Release 3.0 2nd QTR FY01
Common Access Card (CAC) BETA ID Certificate Issuance

(Diagram: eight numbered steps among the VO/LRA, the DEERS Data Base, the Certificate Authority, Directory Services and the Smart Card. Labels: Inquiry; Person Authentication & Data Update; Demographic and Personnel information; ID Card, Picture and Fingerprint; Establish User; Generate Keys; Obtain Certificates; Load Keys; Establish Updates to Directory from DEERS; ID and Demographic Information; Public Key; Private Key generation on the card; CERT.)

Common Access Card (CAC) BETA Email Certificate Issuance
  • If you know your e-mail address at initial issuance of CAC
    • VO/LRA will issue both identity and email certificates on your CAC
  • If not, once you do know your email address
    • You can return to the VO/LRA at a later date to obtain your email certificates; or
    • You can go to your CINC/Service/Agency LRA for your certificates on a software token.
PKI Integration with CAC
  • Teaming with DMDC
  • PKI registration built into RAPIDS terminal
    • Process is transparent
    • When card issued, private key and certificate placed on card
    • Floppy containing same keys may also be provided
      • Applications still mostly require this form of certificate
  • Identification information for certificate and directory from DEERS
    • For both RAPIDS registration and native PKI LRA registration
  • Unique user id from DEERS
    • Needed to sync directories across DoD
Registration Authorities and Local Registration Authorities
  • Registration Authorities (RAs)
    • List of RAs can be found at http://iase.disa.mil/PKI/RA/ra.html
  • Local Registration Authorities (LRAs)
    • List of LRAs can be found at http://iase.disa.mil/PKI/RA/lra.html
Training Information
  • Training will be provided monthly throughout FY01
    • 4 days Local Registration Authority (LRA) Training
    • 1 day Registration Authority (RA) Training
  • An additional 16 hours of LRA training at Defense Security Service Academy (DSSA) each quarter
  • Three (3) one-week on-site training sessions are planned for C/S/As
  • Attendees must coordinate registration for RA/LRA class with their respective C/S/A PKI representative

http://iase.disa.mil/PKI/PKITrain.html

Application Support
  • Requirement Documentation:
    • Department of Defense Class 3 Public Key Infrastructure Interface Specification, Version 1.2, dated August 10, 2000, draft
    • Department of Defense Class 3 Public Key Infrastructure Public Key-Enabled Application Requirements, dated July 31, 2000
    • Documents are available at http://iase.disa.mil/documentlib.html#PKIDOCS
  • Class 3 PKI Testbed
    • Mirrors DoD PKI Class 3 operational environment
    • Resides at the DISA Joint Interoperability Test Command (JITC)
    • Additional information at http://jitc.fhu.disa.mil
  • Working with Defense Information Assurance Program on process for PK-enabling applications
Application Support: Some Examples

| App. | Function (see legend) | Status | Planned Users | Initial Capability |
|---|---|---|---|---|
| Army Chief of Staff | AC | Issuing Certs | 5K | Oct 98 |
| DISA | AC | Reg. Complete | 8K | Nov 98 |
| Electronic Document Access (EDA) | AC, I&A | C/S/A's Issuing Certs | 6K | Dec 98 |
| Wide Area Workflow Prototype DD Form 250 | AC, I&A, DS | C/S/A's Issuing Certs | 6K | Feb 99 |
| Navy | AC, DS | Issuing Certs | 100K | Feb 99 |
| Defense Security Service | AC, DS | Reg. Complete | 300 to 2.5K | May 99 |
| Defense Travel System | AC, I&A, DS | C/S/A's working process | 400K | 2Q FY00 |
| Defense Message System Medium Grade Service | DS, Encryption | C/S/A's Issuing Certs next 6 mos. | 5K | Sep 99 |

Legend: Access Control = AC; Digital Signature = DS; Identification and Authentication = I&A

External Certificate Authority (ECA) & Interim External Certificate Authority (IECA)
  • An ECA is an entity authorized to issue certificates interoperable with the DoD PKI to non-DoD personnel
  • What is an IECA?
    • Entity authorized to issue certificates interoperable with the DoD PKI to non-DoD personnel, for a period of one year
  • Why an Interim ECA?
    • Need to work out best practices, understand technical and process issues, understand and resolve legal concerns before finalizing ECA approach and processes.
  • IECA Help Desk and Website
    • E-mail: pkieca@ncr.disa.mil
    • Phone: (703) 681-6139
    • http://www.disa.mil/infosec/pkieca
IECA Web Site

http://www.disa.mil/infosec/pkieca

DOD PKI Trust Model in IECA Environment

(Diagram. Level 1: DOD PKI Med Root CA. Level 2: Med CA-1, Med CA-2 ... Med CA-n and IECA 1, IECA 2 ... IECA m. Level 3: end-entity certificates such as Harris 9234567890, Smith.John.C.1234567890, Lambert 9934567890, Jones.Alice.B.0987654321 and Gilbert.Sally.K. 6789012345.)
  • Certificates signed by Commercial Root
  • DOD applications will need to trust multiple roots
  • Minimizes liability risks for DOD
  • Separate Certification Authority for DOD
  • Certificates have predetermined expiration
DOD PKI Trust Model in ECA Environment (DRAFT)

(Diagram. Level 1: DOD PKI Med Root CA. Level 2: Med CA-1, Med CA-2 ... Med CA-n and ECA 1, ECA 2 ... ECA m. Level 3: end-entity certificates such as Harris 9234567890, Smith.John.C.1234567890, Lambert 9934567890, Jones.Alice.B.0987654321 and Gilbert.Sally.K. 6789012345.)
  • Certificates signed by Commercial CA
  • ECA may be certified by DOD root
  • Applications will not have to handle multiple roots
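The practical difference between the two trust models above (IECA subscribers chaining only to a commercial root, versus an ECA cross-certified by the DOD root) can be shown with a small certification-path builder. This is an added example, not code from the briefing or from any DoD system; the CA names, the two certificate stores and the subscriber names are constructed, and only issuer links are modelled, not signatures, validity periods or policy OIDs.

```python
"""Toy certification-path builder for the IECA and draft ECA trust models.
Added example, not from the briefing. Each entry maps a certificate subject to
the issuers that have certified it; a relying party accepts a leaf only if an
issuer chain reaches one of its trust anchors. Signatures are not modelled."""
from typing import Dict, List, Optional, Set

CertStore = Dict[str, List[str]]  # subject -> issuers that have certified it

# Constructed store for the IECA pilot: the IECA chains only to a commercial
# root, so a relying party holding just the DOD root cannot reach its subscriber.
IECA_STORE: CertStore = {
    "DOD Med Root CA": ["DOD Med Root CA"],      # self-signed DOD root
    "Med CA-1": ["DOD Med Root CA"],
    "Smith.John.C.1234567890": ["Med CA-1"],     # DOD subscriber
    "Commercial Root": ["Commercial Root"],      # self-signed commercial root
    "IECA 1": ["Commercial Root"],
    "Harris 9234567890": ["IECA 1"],             # non-DOD subscriber
}

# Constructed store for the draft ECA model: the DOD root also issues a
# cross-certificate to the ECA, so the commercial root need not be an anchor.
ECA_STORE: CertStore = {
    **IECA_STORE,
    "ECA 1": ["Commercial Root", "DOD Med Root CA"],  # two certs, one ECA
    "Harris 9234567890": ["ECA 1"],
}

def build_path(leaf: str, store: CertStore, anchors: Set[str],
               max_depth: int = 6) -> Optional[List[str]]:
    """Depth-first walk from leaf along issuer links to any trust anchor.
    Returns [leaf, ..., anchor], or None when no anchor is reachable.
    Self-issued and already-visited certificates are skipped to avoid loops."""
    def walk(subject: str, path: List[str]) -> Optional[List[str]]:
        if subject in anchors:
            return path + [subject]
        if len(path) >= max_depth:
            return None
        for issuer in store.get(subject, []):
            if issuer == subject or issuer in path:
                continue
            found = walk(issuer, path + [subject])
            if found:
                return found
        return None
    return walk(leaf, [])

if __name__ == "__main__":
    for label, store, anchors in [("IECA, DOD root only", IECA_STORE, {"DOD Med Root CA"}),
                                  ("ECA, DOD root only", ECA_STORE, {"DOD Med Root CA"})]:
        print(label, "->", build_path("Harris 9234567890", store, anchors))
```

With only the DOD root as an anchor the IECA subscriber cannot be validated, while the cross-certificate in the ECA store lets the same application validate it without adding the commercial root.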
IECA Vendors
  • Operational Research Consultants (ORC): Daniel Turissini; (703) 535-5301; turissd@orc.com
  • Digital Signature Trust (DST): Keren Cummins; (301) 379-2493; kcummins@digsigtrust.com
  • VeriSign: James Brandt; (410) 691-2100; jbrandt@verisign.com
  • General Dynamics: Sandra Wheeler; (781) 455-5958; sandra.wheeler@gd-cs.com
IECA Status Update
  • IECA Pilot has been extended for one more year (until September 2001)
  • All four IECAs are currently signing new MOAs
  • DoD contributed to four programs/organizations for the purchase of IECA certificates
    • Medium Grade Services (MGS)
    • Joint Electronic Commerce Program Office (JECPO)
    • Defense Technical Information Center (DTIC)
    • Military Traffic Management Command (MTMC)
  • As demand/activity increases, expect certificate cost to decrease substantially
The I Assure Advantage
http://www.disa.mil/D4/diioss/iachar.html

Most of the work awarded under this contract will be professional services, however, …. the contract is structured to permit purchase of a full range of Information Assurance (IA) solutions, including the hardware, software and enabling products necessary to implement these solutions.

  • Key Points:
    • Contract supports up to TS / SCI security requirements
    • 7 year multi-award contract
    • All tasks MUST BE competed, no follow-on work from previous contracts
    • Solutions-based: Contractors can tailor services and products for each task order proposal
    • Complements Enterprise Software Initiative: I Assure vendors can provide integration services for ESI products
  • Task Areas:
    • Policy, planning, process, program and project management support
    • Standards, Architecture, Engineering and Integration support
    • Solution Fielding / Implementation and operations
    • Education, training, and awareness; certification and accreditation; and IA support
DISA ‘I ASSURE’ - Employed the DoD PKI in the Paperless “Pre-Award” of Contract Process

(Diagram with four numbered steps. Labels: DITCO; DOD CA; DISN; TDY ‘1-800’; Skyline 6 Room 513; IDS HQ Chantilly, VA; INTERNET; Vendors; Evaluators; Encrypted Text; IDS; PKI; FW. Used IECA certificates.)

The Way Ahead
  • Provide support to Common Access Card (CAC) Beta and Release 3.0
  • Expand use of SIPRNET PKI
  • Continue development of application enabling guidance and enabling templates
  • Continue incremental releases of DOD PKI to improve product, service, and availability
  • Envision seamless transition to Target PKI

Continue Satisfying The Warfighter Requirements!

DOD PKI Working Groups
  • DOD PKI Certificate Policy Management Working Group:
    • co-chair - NSA - Mr. Gary Dahlquist - gndahlq@missi.ncsc.mil
    • co-chair - DOD GC - Ms. Shauna Russell - russels@osdgc.osd.mil
  • DOD PKI Business Working Group (BWG):
    • co-chair - NSA - Ms. Debra Grempler - DAGremp@missi.ncsc.mil
    • co-chair - DISA - Ms. Gilda McKinnon - McKinnog@ncr.disa.mil
  • DOD PKI Technical Working Group (TWG):
    • co-chair - DISA - Mr. Adam Britt - britta@ncr.disa.mil
    • co-chair - NSA - Mr. Dave Fillingham - dwfilli@missi.ncsc.mil
PKI Website Information
  • http://iase.disa.mil
    • Information Assurance Support Environment
      • available to .mil and .gov
  • http://www.disa.mil/infosec/pkieca
    • External Certification Authorities
  • http://www.disa.mil/infosec/pki-int.html
    • DOD PKI Medium Assurance Interoperability
      • DOD PKI Medium Assurance X.509 v3 certificate standard profiles (formats and examples)