Army PKI Slides on CAC Cards

Upload: zelosss

Post on 30-Oct-2014

TRANSCRIPT

Page 1: Army PKI Slides on CAC Cards

UNCLASSIFIED // FOUO

LandWarNet 2009

Army Identity Protection & Management Initiatives

Track 2 – Information Assurance: The Defenders’ Challenge

Session 3, August 19, 2009 / 0945-1100

Ms. Tracy Traylor, NETC-ES-IA Director, IA Programs/CAC PKI - [email protected], 703-602-7496

Page 2

• Purpose – to provide current and future initiatives of the Army’s CAC/PKI program
• Objectives: by the end of this presentation you will be able to:
  – A. Know where the Army is headed in CAC/PKI
  – B. Discuss logical access ID for volunteers
  – C. Know the Army status of JTF-GNO CTO 07-015
  – D. Discuss Army TPKI and SIPRNet pilots

Page 3

Agenda

• CAC/PKI Division Overview
• Alternate Smartcard for System Administrators
• Smartcard for “Volunteers”
• Italian Foreign Nationals
• Certificate Validation
• DoD Approved Certificate Authorities
• Army HSPD-12
• Army Pilots
  – Tactical
  – SIPRNET
• JTF-GNO CTO 07-015 – Accelerated PKI Implementation Phase 2
• Reporting

Page 4

CAC/PKI Division Overview

• CAC/PKI Policy and Guidance
  – Army
  – DoD
  – Other Federal Agencies
• Test and Evaluation – Public Key Enabling Technology
• Registration Authority
  – SIPRNET Certificates
  – Key Recovery
  – Alternative Smart Card Logon Token
• Help Desk - (866) 738-3222

Page 5

Alternative Smart Card Logon Token

• Alternative Smart Card Logon Token (ASCL)
  – Originally developed for Systems Administrators
  – Extended for Italian Foreign Nationals
• Must be Department of Army Civilian or contractor with logical access requirements
• Memorandum pending to allow email signing and encryption certificates
• Stats
  – ≈ 729 ASCL Trusted Agents appointed
  – ≈ 17,746 ASCL tokens processed
  – ≈ 16,000 tokens in use

Page 6

Logical Access ID for Volunteers

• Three-year pilot to issue logical access credentials to DoD volunteers
• Eligible population includes all volunteers as outlined in DoDI 1100.21
  – Unpaid Red Cross volunteers
  – Boy & Girl Scout volunteers
  – Civil Air Patrol (CAP)
  – YMCA/YWCA volunteers
  – Volunteers at Military Treatment Facilities
• Issued only to U.S. citizens
• Not to be used for physical access to military installations
• Smartcard holds the standard 3 DoD PKI certificates
• Requires submission of NAC paperwork and favorable completion of automated FBI National Criminal History (fingerprint) check
  – G2 is responsible for cost

Page 7

Parameters for the Volunteer Smartcard

• Volunteers must be registered in DEERS via the Contractor Verification System (CVS)
• CVS Trusted Agents must re-verify volunteer sponsorship just like contractors
• AHRC will provide Army procedures/controls for issuance and lifecycle management for the Volunteer Smartcard
• Volunteers must be sponsored by a DoD military or civilian employee
  – Sponsor follows the AHRC-designed process
  – Sponsor collects the card when the volunteer is no longer eligible or associated with the organization

Page 8

VISUAL: Volunteer (Network Access) Card

1. Seal of sponsoring agency
2. No photograph or barcodes for physical access
3. Authorized for network access only
4. Volunteer status must be entered & verified by CVS

Page 9

General Outline

In order to facilitate the operational requirement for CAC-like functionality to be provided to Local Foreign Nationals, the following process has been adjusted to create and issue ASCL tokens with three certificates.

This ASCL token will have the following certificates installed:
1. Alternate Logon Certificate
2. Digital Signing Certificate
3. Digital Encryption Certificate

The issuance process will be split into two phases.
Phase 1: Standard ASCL token issuance
Phase 2: Generation and installation of signing and encryption certificates

Page 10

Phase 1

Phase 1 will be the current ASCL token issuance process:
1. Nomination of a Trusted Agent
   • Europe already has Trusted Agents in place
2. Trusted Agent requests ASCL tokens
3. Army Registration Authority (RA) issues ASCL tokens and ships them to the Trusted Agent
4. Trusted Agent gives ASCL tokens to their users
   • DD2842s are signed and sent to the Army RA
5. Users request PINs
6. Users begin using the ASCL token once the PIN is received, with the logon certificate

Page 11

Phase 2

Phase 2 of the process will be the issuance and installation of the digital signing and encryption certificates to the ASCL token. Phase 2 can begin once the user has received their PIN.

1. User logs into workstation using ASCL token
2. User navigates to one of the following links:
   • https://email-ca-17.c3pki.chamb.disa.mil/ca/emailauth.html
   • https://email-ca-18.c3pki.den.disa.mil/ca/emailauth.html
3. User chooses the “Both Signing and Encryption Certificate” option on the first line
4. User types their AKO email address on the lines requesting their email address

Page 12

Certificate Request Page

Page 13

Phase 2 cont.

5. User then clicks “Get Certificate” and the certificates are generated and installed on the ASCL token
   • User will be prompted for their PIN in order for the process to complete
6. User now has 3 certificates on their ASCL token
7. User can now digitally sign and encrypt emails as if the ASCL token were a CAC

– Important: The Army RA office has produced a guide covering this process. The guide has been sent to Trusted Agents in Europe requiring this functionality.

Page 14

Army Certificate Validation

• Tumbleweed Desktop Validator (DV) OCSP client
  – Army end user computers
    • Distributed through the Army Golden Master
    • Supports email signatures
  – Army Domain Controllers
    • Support CCL throughout the Army’s Enterprise
  – Private Web Servers
    • Authentication to private web servers as directed by JTF-GNO (Task 12)
• Defense Information Security Agency (DISA) Robust Certificate Validation Service (RCVS)
  – 4 CONUS nodes
  – 2 OCONUS (EUCOM, PAC)
• Army OCSP Responders
  – National Guard, Reserve Command, Accessions Command, Corps of Engineers, MEDCOM, USAREUR, USARPAC, 8th Army Korea
  – 7th Signal Command – Enterprise management of OCSP

Page 15

DoD Approved PKIs

JTF-GNO CTO 07-015 states all web servers that host sensitive information will be configured to only trust DoD PKI approved certificate authorities (CAs):

• DoD PKI
• DoD External CA (ECA)
• Federal Bridge Certificate Authority (FBCA) and members
• https://informationassurance.us.army.mil/cacpki/default.htm

Page 16

Army HSPD-12 Implementation

• HSPD-12 Purpose
  – Enhance security
  – Reduce identity fraud
  – Increase Government efficiency
  – Protect personal privacy
• Army HSPD-12 Working Group
  – Co-led by G-2 and G-6 (NETCOM CAC/PKI)
  – Formal participation from G-1, G-2, G-3/5/7, G-4, G-6, OPMG, ASA(ALT)
  – Currently developing Army HSPD-12 Implementation Plan
• CAC is the DoD’s HSPD-12 Personal Identity Verification (PIV) credential
• HSPD-12 vetting requirements apply to all PIV cardholders
  – National Agency Check with Written Inquiries (NAC-I)

Page 17

DoD Tactical PKI Process Action Team

• Army CAC PKI is the TPKI PAT Lead
  – Review and Integrate DoD PKI/Service PKI Architecture
    • Review and Integrate DoD PKI/Service Schedules
  – Determine Joint and Service operational requirements
    • Develop Joint Tactical Pilot Test Plan
    • Develop Service-level Tactical Pilot Test Plans
  – Prepare for DoD PKI Tactical PKI Pilot
    • Pre-Pilot Activities began 1st Qtr FY09
    • Phase I – JITC Lab Environment, 3rd Qtr FY09
    • Phase II – Joint Tactical Testing Facility, 2nd Qtr FY10
    • Phase III – Limited / Controlled COCOM Operational Environment, 3rd Qtr FY10

Page 18

SIPRNet Card Management Pilot

• Two Locations
  – 200 Tokens
• Fort Meade
  – Evaluating the issuance process
    • Centralized
    • De-centralized
    • Kiosk
• FT Belvoir
  – Evaluating the issuance process
    • Login
    • Web server authentication
    • Email signing and encrypting
• RA training Sept 09
• Oct - Dec 09

Page 19

PKI Phase 2 Overview

• JTF-GNO CTO 07-015, Public Key Infrastructure (PKI) Implementation, Phase 2
• Background:
  – The 12 tasks in JTF-GNO CTO 07-015 address the common attack vectors used by our adversaries, including socially engineered emails, traditional username and password vulnerabilities, and improper installation of PKI software certificates.
• Goals:
  – Improve overall network defense
  – Limit phishing attacks
  – Reduce username and password vulnerability on NIPRNet

Page 20

Completed Tasks

Task 1: Implement Digital Signature Policy
Task 3: Implement Increased Password Security Measures
Task 4: Removal of Software Certificate Installation Files
Task 5: Identification of Non-PKI based Authentication Methods
Task 6: Identify Username/Password Accounts
Task 7: Execute Enhanced Security Awareness Training
Task 8: Identify Non-Windows Operating Systems in Usage
Task 11: Activate CRL web caching capabilities at Base/Post/Camp/Station Level
Task 12: Adjust Online Certificate Status Protocol (OCSP) Configurations to Increase Reliability

Page 21

JTF-GNO CTO 07-015 Status

• Task 2 UBE of CAC Cryptographic Logon
  – 97% Non-Privilege Accounts
  – 28% System Administrator Accounts
    • Retina, SMS, Hercules… require usernames and passwords
• Tasks 9 and 10 Public Key Enabling Web Servers
  – Web Servers that host Sensitive Information
    • Configured to utilize ONLY certificate-based client authentication
    • Trust ONLY DoD PKI approved certificates
    • Validate certificates at the time of authentication
  – 74% Complete
    • Non CAC Holders
      – Commercial, Federal, and State partners
    • Legacy Systems

Page 22

Questions??

Army CAC/PKI
[email protected]
866-738-3222

US Army Registration Authority
(703) 602-7527 (Desk)
Email: [email protected]

Page 23

Back-up Slides

Page 24

Italian Foreign Nationals

• DoD memo, “Common Access Card (CAC) Eligibility for Foreign National Personnel”, signed by USD(P&R) on 9 MAR 2007:
  – “… expanding CAC eligibility to include foreign national partners who have been properly vetted and who require access to a DoD facility or network to meet a DoD mission, ...”
• Fingerprints must be collected to obtain a CAC. The Italian government will not allow citizens’ biometric information to be hosted outside EU/Italy, so no CAC for them.
• CIO/G-6 approved use of the Alternative Smart Card Logon token for Italian Foreign Nationals (FNs)
• Local Army security office responsible for ensuring that the FN
  – Is not a known or suspected terrorist
  – Has had his/her true identity verified
  – Has undergone an appropriate background investigation that has been favorably adjudicated
• Token allows logical access only

Page 25

Army Certificate Validation Locations

• Theaters
  – USAREUR operating 2 repeaters
  – US Eighth Army, Korea 2 responders
  – USARPAC plans to install 10 responders at strategic locations
  – SWA has implemented a CRL Web Caching infrastructure
• Army Commands
  – The ARNG plans to operate a repeater in each state and territory and one central responder
  – The USAR is operating 2 responders and 4 repeaters (1 responder and 2 repeaters at 2 locations)
  – The US Army Accessions Command is operating OCSP responders in Indianapolis, IN and Fort Knox, KY
  – The US Army Corps of Engineers is operating OCSP responders at Vicksburg, MS and Portland, OR
  – The US Medical Command has purchased 13 OCSP responders
• Installations
  – Several CONUS installations have purchased OCSP responders and/or repeaters

Page 26

Tactical PKI – Pilot Testing Plan

Pre-Pilot Activities – Began 1st Qtr FY09
• Develop baseline of business processes and policies
• Develop bandwidth test activities
• Develop test plan for JTRE and COCOM
• Develop Tactical Registration Authority (TRA) interface
• Coordinate with COCOMs in support of Tactical Pilot testing

Phase I – JITC Lab Environment, 3rd Qtr FY09
• Testing activities using non-operational CAs and certificates
• Test the TRA in various architectural and operational environments
• Evaluate the TRA capabilities and identify any deficiencies and modifications required
• Conduct and evaluate issuance/revocation bandwidth utilization test focusing on mini-CRLs, delta CRLs, OCSP, and other potential reach-back solutions

Phase II – Joint Tactical Testing Facility Environment, 2nd Qtr FY10
• Testing at JITC PKI lab and in a yet-TBD Joint Tactical Testing Facility
• Test proposed tactical enterprise solution over simulated strategic and tactical communication networks
• Test token issuance and perform a revocation bandwidth utilization test focusing on mini-CRLs, delta CRLs, OCSP, and other reach-back solutions

Phase III – Limited / Controlled COCOM Operational Environment, 3rd Qtr FY10
• Sub CAs deployed to COCOMs
• Controlled operational testing, with operational certificates, conducted at a yet-TBD OCONUS COCOM and associated DCSF
• Test tactical enterprise solution over operational strategic and tactical communication networks

• Initiate Pilot Testing – 3rd Qtr FY09 – Human Element