army pki slides on cac cards
TRANSCRIPT
UNCLASSIFIED
UNCLASSIFIED Track #. Session #
LandWarNet 2009 UNCLASSIFIED // FOUO
Army Identity Protection & Management Initiatives
Session 3, August 19, 2009 / 0945-1100
Ms. Tracy Traylor, NETC-ES-IA Director, IA Programs/CAC PKI - [email protected], 703-602-7496
Track 2 – Information Assurance: The Defenders’ Challenge
• Purpose – to provide current and future initiatives of the Army’s CAC/PKI program
• Objectives: By the end of this presentation you will be able to:
– A. Know where the Army is headed in CAC/PKI
– B. Discuss logical access ID for volunteers
– C. Know the Army status of JTF-GNO CTO 07-015
– D. Discuss Army TPKI and SIPRNet Pilots
Agenda
• CAC/PKI Division Overview
• Alternate Smartcard for System Administrators
• Smartcard for “Volunteers”
• Italian Foreign Nationals
• Certificate Validation
• DoD Approved Certificate Authorities
• Army HSPD-12
• Army Pilots
– Tactical
– SIPRNET
• JTF-GNO CTO 07-015
– Accelerated PKI Implementation Phase 2
• Reporting
CAC/PKI Division Overview
• CAC/PKI Policy and Guidance
– Army
– DoD
– Other Federal Agencies
• Test and Evaluation – Public Key Enabling Technology
• Registration Authority
– SIPRNET Certificates
– Key Recovery
– Alternative Smart Card Logon Token
• Help Desk - (866) 738-3222
Alternative Smart Card Logon Token
• Alternative Smart Card Logon Token (ASCL)
– Originally developed for Systems Administrators
– Extended for Italian Foreign Nationals
• Must be Department of Army Civilian or contractor with logical access requirements
• Memorandum pending to allow email signing and encryption certificates
• Stats
– ≈ 729 ASCL Trusted Agents appointed
– ≈ 17,746 ASCL tokens processed
– ≈ 16,000 tokens in use
Logical Access ID for Volunteers
• Three-year pilot to issue logical access credentials to DoD volunteers
• Eligible population includes all volunteers as outlined in DoDI 1100.21
– Unpaid Red Cross volunteers
– Boy & Girl Scout Volunteers
– Civil Air Patrol (CAP)
– YMCA/YWCA Volunteers
– Volunteers at Military Treatment Facilities
• Issued only to U.S. citizens
• Not to be used for physical access to military installations
• Smartcard holds the 3 standard DoD PKI certificates
• Requires submission of NAC paperwork and favorable completion of automated FBI National Criminal History (fingerprint) check
– G2 is responsible for cost
Parameters for the Volunteer Smartcard
• Volunteers must be registered in DEERS via the Contractor Verification System (CVS)
• CVS Trusted Agents must re-verify volunteer sponsorship just like contractors
• AHRC will provide Army procedures/controls for issuance and lifecycle management for the Volunteer Smartcard
• Volunteers must be sponsored by a DoD military or civilian employee
– Sponsor follows the AHRC-designed process
– Sponsor collects card when volunteer is no longer eligible or associated with organization
VISUAL: Volunteer (Network Access) Card
1. Seal of sponsoring agency
2. No photograph or barcodes for physical access
3. Authorized for network access only
4. Volunteer status must be entered & verified by CVS
General Outline
In order to facilitate the operational requirement for CAC-like functionality to be provided to Local Foreign Nationals, the following process has been adjusted to create and issue ASCL tokens with three certificates.
This ASCL token will have the following certificates installed:
1. Alternate Logon Certificate
2. Digital Signing Certificate
3. Digital Encryption Certificate
The issuance process will be split into two phases.
Phase 1: Standard ASCL token issuance
Phase 2: Generation and installation of signing and encryption certificates
Phase 1
Phase 1 will be the current ASCL token issuance process:
1. Nomination of a Trusted Agent
• Europe already has Trusted Agents in place
2. Trusted Agent requests ASCL tokens
3. Army Registration Authority (RA) issues ASCL tokens and ships them to Trusted Agent
4. Trusted Agent gives ASCL tokens to their users
• DD2842s are signed and sent to the Army RA
5. Users request PINs
6. Users begin using ASCL token once PIN is received w/logon certificate
Phase 2
Phase 2 of the process will be the issuance and installation of the digital signing and encryption certificates to the ASCL token. Phase 2 can begin once the user has received their PIN.
1. User logs into workstation using ASCL token
2. User navigates to one of the following links:
• https://email-ca-17.c3pki.chamb.disa.mil/ca/emailauth.html
• https://email-ca-18.c3pki.den.disa.mil/ca/emailauth.html
3. User chooses the “Both Signing and Encryption Certificate” option on the first line
4. User types their AKO email address on the lines requesting their email address
Certificate Request Page
Phase 2 cont.
5. User then clicks “Get Certificate” and the certificates are generated and installed on the ASCL token
• User will be prompted for their PIN in order for the process to complete
6. User now has 3 certificates on their ASCL token
7. User can now digitally sign and encrypt emails as if the ASCL token was a CAC
– Important: The Army RA office has produced a guide covering this process. The guide has been sent to Trusted Agents in Europe requiring this functionality.
Army Certificate Validation
• Tumbleweed Desktop Validator (DV) OCSP client
– Army end user computers
• Distributed through the Army Golden Master
• Supports email signatures
– Army Domain Controllers
• Support CCL throughout the Army’s Enterprise
– Private Web Servers
• Authentication to private web servers as directed by JTF-GNO (Task 12)
• Defense Information Systems Agency (DISA) Robust Certificate Validation Service (RCVS)
– 4 CONUS Nodes
– 2 OCONUS (EUCOM, PAC)
• Army OCSP Responders
– National Guard, Reserve Command, Accessions Command, Corps of Engineers, MEDCOM, USAREUR, USARPAC, 8th Army Korea
– 7th Signal Command – Enterprise management of OCSP
DoD Approved PKIs
JTF-GNO CTO 07-015 states that all web servers that host sensitive information will be configured to trust only DoD PKI approved certificate authorities (CAs):
• DoD PKI
• DoD External CA (ECA)
• Federal Bridge Certificate Authority (FBCA) and members
• https://informationassurance.us.army.mil/cacpki/default.htm
Army HSPD-12 Implementation
• HSPD-12 Purpose
– Enhance security
– Reduce identity fraud
– Increase Government efficiency
– Protect personal privacy
• Army HSPD-12 Working Group
– Co-led by G-2 and G-6 (NETCOM CAC/PKI)
– Formal participation from G-1, G-2, G-3/5/7, G-4, G-6, OPMG, ASA(ALT)
– Currently developing Army HSPD-12 Implementation Plan
• CAC is the DoD’s HSPD-12 Personal Identity Verification (PIV) credential
• HSPD-12 vetting requirements apply to all PIV cardholders
– National Agency Check with Written Inquiries (NAC-I)
DoD Tactical PKI Process Action Team
• Army CAC PKI is the TPKI PAT Lead
– Review and Integrate DoD PKI/Service PKI Architecture
• Review and Integrate DoD PKI/Service Schedules
– Determine Joint and Service operational requirements
• Develop Joint Tactical Pilot Test Plan
• Develop Service-level Tactical Pilot Test Plans
– Prepare for DoD PKI Tactical PKI Pilot
• Pre-Pilot Activities Began 1ST QTR FY09
• Phase I – JITC Lab Environment 3RD QTR FY09
• Phase II – Joint Tactical Testing Facility 2ND QTR FY10
• Phase III – Limited / Controlled COCOM Operational Environment 3RD QTR FY10
SIPRNet Card Management Pilot
• Two Locations
– 200 Tokens
– Fort Meade
• Evaluating the issuance process
– Centralized
– De-centralized
– Kiosk
– FT Belvoir
• Evaluating the issuance process
• Login
• Web server authentication
• Email signing and encrypting
– RA training Sept 09
– Oct - Dec 09
PKI Phase 2 Overview
• JTF-GNO CTO 07-015, Public Key Infrastructure (PKI) Implementation, Phase 2
• Background:
– The 12 tasks in JTF-GNO CTO 07-015 address the common attack vectors used by our adversaries to include socially engineered emails, traditional username and password vulnerabilities, and improper installation of PKI software certificates.
• Goals:
– Improve overall network defense
– Limit phishing attacks
– Reduce username and password vulnerability on NIPRNet
Completed Tasks
Task 1: Implement Digital Signature Policy
Task 3: Implement Increased Password Security Measures
Task 4: Removal of Software Certificate Installation Files
Task 5: Identification of Non-PKI based Authentication Methods
Task 6: Identify Username/Password Accounts
Task 7: Execute Enhanced Security Awareness Training
Task 8: Identify Non-Windows Operating Systems in Usage
Task 11: Activate CRL web caching capabilities at Base/Post/Camp/Station Level
Task 12: Adjust Online Certificate Status Protocol (OCSP) Configurations to Increase Reliability
JTF-GNO CTO 07-015 Status
• Task 2 UBE of CAC Cryptographic Logon
– 97% Non-Privilege Accounts
– 28% System Administrator Accounts
• Retina, SMS, Hercules… require username and passwords
• Tasks 9 and 10 Public Key Enabling Web Servers
– Web Servers that host Sensitive Information
• configured to utilize ONLY certificate-based client authentication
• Trust ONLY DoD PKI approved certificates
• Validate certificates at the time of authentication
– 74% Complete
• Non CAC Holders
– Commercial, Federal, and State partners
• Legacy Systems
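The three requirements listed under Tasks 9 and 10 correspond directly to web-server TLS settings. The following is an added illustration, not from the briefing or any Army configuration: an Apache httpd 2.4 mod_ssl fragment showing the weak settings the tasks are meant to remove beside the corrected ones; the CA bundle path, CRL path and OCSP responder URL are placeholders.

```apache
# Added example, not from the briefing: Apache httpd 2.4 mod_ssl settings for a
# server hosting sensitive information under JTF-GNO CTO 07-015 Tasks 9 and 10.
# All file paths and the responder URL are placeholders for local values.

# --- Weak: the state Tasks 9/10 are meant to remove --------------------------
<VirtualHost *:443>
    SSLEngine on
    # Client certificate is optional, so a username/password fallback remains
    SSLVerifyClient optional
    # Trusts the OS default bundle (commercial CAs), not only DoD-approved PKIs
    SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    # No revocation checking at authentication time (no OCSP, no CRL)
</VirtualHost>

# --- Corrected ----------------------------------------------------------------
<VirtualHost *:443>
    SSLEngine on
    # Require a client certificate on every handshake: no password fallback
    SSLVerifyClient require
    SSLVerifyDepth 4
    # Trust ONLY DoD PKI, DoD ECA and FBCA cross-certified CAs: a bundle holding
    # just those root and intermediate certificates (placeholder path)
    SSLCACertificateFile /etc/pki/tls/certs/dod-approved-ca-bundle.pem
    # Validate at authentication time: OCSP check of every cert in the chain,
    # using the responder in each cert's AIA extension when present
    SSLOCSPEnable on
    # Placeholder responder used only when a cert carries no AIA URL
    SSLOCSPDefaultResponder http://ocsp.example.invalid/
    SSLOCSPOverrideResponder off
    # Also honour locally cached CRLs (Task 11 caching); the bundle must hold a
    # CRL for every CA in the chain when the check mode is "chain"
    SSLCARevocationFile  /etc/pki/tls/crl/dod-crl-bundle.pem
    SSLCARevocationCheck chain
</VirtualHost>
```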
Questions??
Army CAC/PKI
[email protected]: 866-738-3222
US Army Registration Authority
(703) 602-7527 (Desk)
Email: [email protected]
Backup Slides
Italian Foreign Nationals
• DoD memo, “Common Access Card (CAC) Eligibility for Foreign National Personnel”, signed by USD(P&R) on 9 MAR 2007:
– … expanding CAC eligibility to include foreign national partners who have been properly vetted and who require access to a DoD facility or network to meet a DoD mission, ...
• Fingerprints must be collected to obtain a CAC. The Italian government will not allow citizens’ biometric information to be hosted outside the EU/Italy, so no CAC for them.
• CIO/G-6 approved use of the Alternative Smart Card Logon token for Italian Foreign Nationals (FNs)
• Local Army security office responsible for ensuring that the FN
– Is not a known or suspected terrorist
– Has had his/her true identity verified
– Has undergone an appropriate background investigation that has been favorably adjudicated.
• Token allows logical access only
Army Certificate Validation Locations
• Theaters
– USAREUR operating 2 repeaters
– US Eighth Army, Korea 2 responders
– USARPAC plans to install 10 responders at strategic locations
– SWA has implemented a CRL Web Caching infrastructure
• Army Commands
– The ARNG plans to operate a repeater in each state and territory and one central responder.
– The USAR is operating 2 responders and 4 repeaters (1 responder and 2 repeaters at 2 locations).
– The US Army Accessions Command is operating OCSP responders in Indianapolis, IN and Fort Knox, KY.
– The US Army Corps of Engineers is operating OCSP responders at Vicksburg, MS and Portland, OR.
– The US Medical Command has purchased 13 OCSP responders
• Installations
– Several CONUS installations have purchased OCSP responders and/or repeaters
Tactical PKI Pilot Testing Plan
Pre-Pilot Activities – Began 1ST QTR FY09
• Develop baseline of business processes and policies
• Develop bandwidth test activities
• Develop test plan for JTRE and COCOM
• Develop Tactical Registration Authority (TRA) interface
• Coordinate with COCOMs in support of Tactical Pilot testing
Phase I – JITC Lab Environment – 3RD QTR FY09
• Testing activities using non-operational CAs and certificates
• Test the TRA in various architectural and operational environments
• Evaluate the TRA capabilities and identify any deficiencies and modifications required
• Conduct and evaluate issuance/revocation bandwidth utilization test focusing on mini-CRLs, delta CRLs, OCSP, and other potential reach back solutions
Phase II – Joint Tactical Testing Facility Environment – 2ND QTR FY10
• Testing at JITC PKI lab and in yet TBD Joint Tactical Testing Facility.
• Test proposed tactical enterprise solution over simulated strategic and tactical communication networks
• Test Token issuance and perform a revocation bandwidth utilization test focusing on Mini-CRLs, delta CRLs, OCSP, and other reach back solutions
Phase III – Limited / Controlled COCOM Operational Environment – 3RD QTR FY10
• Sub CAs deployed to COCOMs
• Controlled operational testing, with operational certificates conducted at a yet TBD OCONUS COCOM and associated DCSF
• Test tactical enterprise solution over operational strategic and tactical communication networks
• Initiate Pilot Testing – 3Qtr, FY09 Human Element