Public Key Mandate

THE PUSH IS ON TO DEPLOY PKI SECURITY TECHNOLOGY ON ALL OF DOD’S DESKTOPS, SERVERS AND LAPTOPS.
Defense agencies and security companies are pushing hard to prepare for looming deadlines on installation of public key infrastructure (PKI) technology.
To fight the growing number of attacks on Department of Defense networks, a mandate issued in January set deadlines that accelerate the implementation of PKI this year. The Joint Task Force-Global Network Operations (JTF-GNO) communication tasking order (CTO) requires the rapid, aggressive deployment of PKI and public key enabling for authentication, digital signatures and encryption on all of DoD’s desktops, servers and laptops. The order also establishes deadlines for training, verification, installation and progress reporting.
All of the services and agencies must install PKI, a term that covers a combination of software, encryption technologies and services that protects communications and networks. They also must establish full use of smart card or Common Access Card (CAC) cryptographic log-on to the NIPRNet. This will also comply with Homeland Security Presidential Directive 12 (HSPD 12) for identity protection.
“When the CTO put a DoD-wide timeline on implementing areas of PKI, the common security thread was the CAC. One area is CAC log-on to access the network. A second is digitally signing e-mail using the certificate on the CAC, and the third area is the encryption of e-mail using the encryption certificate on the CAC,” said Lieutenant Colonel Jerry Bastian, U.S. Strategic Command, Offutt AFB, Neb.
The certificate on the CAC is an electronic key, which will be used both to sign and encrypt e-mail digitally and to open doors in buildings.
To comply with a July 31 deadline for use of the certificate in full production PKI, the Army contracted in January with TKCIS, an Alaskan Native 8(a) corporation, to procure from Tumbleweed Communications a vendor-neutral framework called Validation Authority (VA), which checks the validity of certificates within PKI environments. The client component of the VA server is called Desktop Validator (DV).
Tumbleweed worked with the Army in February to install VA and DV. To ease the process of installing the software on 800,000 desktops and laptops, the Army used Microsoft’s System Management Server (SMS) for configuration, inventory and asset management and application installation. “They were able to roll out DV to 100,000 users in February integrated with SMS,” said Hari Nair, a Tumbleweed product manager.
While the Army requires installation of about 30 VA servers, DV will take up the lion’s share of installation activities. “To install DV on 800,000 desktops, it has to be done remotely and be non-disruptive to the users. So we use Microsoft SMS and CA Unicenter from Computer Associates for deployment monitoring and maintenance, as well as Microsoft Active Directory with group policies to manage desktop software,” said Nair.
USSTRATCOM, which includes the JTF-GNO, has been using the CAC to access the network since November 2005. “USSTRATCOM took the lead in PKI implementation with CAC log-on and the disabling of ID and password log-on features,” Bastian said. “If you move to smart card logon without disabling the user ID and password, then you have not increased security.”
INCREASED SECURITY
A user ID and password are low-level security measures since they are based solely on individual knowledge, whereas the increased security of a CAC is based both on knowledge and on a thing the individual owns. “Not only do you have to steal the knowledge, but also the smart card itself,” Bastian pointed out.
Raising security levels has required long preparation, given the massive scale of the DoD and the fact that readiness often takes longer than deployment when it comes to big platform changes. USSTRATCOM is one of nine combatant commands within the DoD, which has about five million desktops and laptops.
In addition, PKI technology took time to mature. “Great strides have been made in the past 10 years in smart card technology, making it much more secure and flexible. As the amount of chip memory on the smart card has risen, so has the number of things that can be stored on the card, such as biometrics,” said Annie Smith, vice president of federal sales at Tumbleweed Communications.
In recent years, DoD has grappled with numerous challenges while laying the groundwork for PKI. One of the most significant was capturing the resources to execute details. “It takes time and money to buy and install a CAC reader on every single desktop. And you need software, or middleware, that goes along with it to read the smart card once you insert the CAC into the reader,” Bastian said.
“One challenge was the middleware. Before last year, the middleware was cumbersome, not user friendly and difficult for common users to use. But about a year ago, we upgraded to the next version of middleware and that solved most of the complicated procedures the users had to go through to log onto the network. That is when USSTRATCOM grabbed hold of it and said it was user friendly enough to implement smart card logon and develop policy for signing and encrypting e-mail. That was probably the biggest hurdle before we could implement it,” he said.
Vendors who make smart card readers also tend to make the middleware that goes with them. The Army uses ActivCard Middleware version 3.0 or greater, developed by ActivIdentity (formerly ActivCard), and Litronic NetSign Version 5.5, developed by Saflink Corp.
To address a perceived lack of user friendliness, recent releases of these vendors’ middleware have focused on enhancing usability both for users and administrators. ActivIdentity is one example. “ActivClient extended the user’s computing look and feel paradigm to their PKI usage, providing a common look and feel to the products. We also extended the user console features, which simplified the viewing of contents on the CAC,” said Bill Morrow, federal account manager at ActivIdentity.
Additionally, the company enabled PKI login features for applications that are not yet PKI-enabled. This is possible through the Secure Login single sign-on products. “The key is to add security to the access of data without adding complexity to the user experience,” Morrow said.
CERTIFICATION AUTHORITY
Another DoD scalability hurdle has focused on giving desktop and network administrators the ability to configure validation on a certification authority (CA), which is the label on the software used to mint PKI credentials installed on the smart card. “In the DoD, there is not a single issuer. There are 24 different CAs issuing CACs and services,” said John Thielens, Tumbleweed’s chief technology officer.
A certificate revocation list (CRL) is similar to a telephone directory listing all those whose digital certificates have been revoked due to lost or stolen CACs. To provide real-time validation of certificates in an online automated check (much like checking for credit card validation), DoD must use Online Certificate Status Protocol (OCSP), an Internet Engineering Task Force-approved standard for certificate validation and a recent addition to standard PKI suites.
Prior to OCSP, PKI used a CRL in a slow publication model that required downloading a list to check to see if an access card was no longer valid. “The revocation lag time could be days,” said Tom Gilbert, CTO of Blue Ridge Networks.
With its ability to speed the logon authentication process, OCSP is a vital improvement to PKI technology. “When you’re a warfighter in a tactical situation, you can’t wait even for 10 minutes to have your CAC logon authenticated,” Smith said.
Blue Ridge provides virtual private networks (VPN) that are PKI-ready out of the box to the intelligence community and other government agencies. “Given the new threats like dictionary attacks, passwords are useless and now obsolete for authentication, but unfortunately, passwords represent the largest market share of authentication,” Gilbert said. “A password of eight to 10 characters can easily be attacked via a common computer program called a dictionary attack.”
Using a dictionary of likely passwords, hackers can discover passwords with mixed alphanumerics in only 10 seconds using a home PC. Complex passwords with more than 10 characters are slightly more secure.
By contrast, PKI is a major security improvement. “Mutual public key authentication is the strongest authentication out there,” said Gilbert. “When I look at the DoD’s PKI initiative from an information security point of view, I see nothing but the upside. This means that every government employee and contractor who has to access the government infrastructure will have a unique public key identity and smart cards. It’s not just about the digital certificate but also about the smart card on which the digital certificate is stored, which means it’s portable,” he said.
USSTRATCOM concurs. “Any time you can do away with user IDs and passwords and go with a hard token like CAC for authentication, you’ve increased security,” Bastian said. Tumbleweed’s Smith also feels more secure with the new technology. “PKI does not contain anything that can be stolen or sold to anybody else, unlike driver’s licenses, Social Security numbers or even tax information,” she said.
SMART CARDS
To use PKI and the CAC, users first insert the CAC into a smart card reader. Typing in a PIN unlocks the smart card, which then performs the authentication handshake with the other end of the network, where public key authentication takes place. “It’s just as important that they prove their authenticity to me as I prove it to them,” Gilbert explained.
With PKI and the CAC, the private key is on the smart card, while the public key is in the certificate. There is a mutual exchange, with both parties proving that they each possess the one and only copy of their private key, using their public key to do that with the third-party CA. “Passwords rely on shared secret authentication, whereas in the case of PKI authentication, you do not share the secret,” Gilbert pointed out. “Both have to complete successfully or the connection will not be made,” he noted.
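As an added illustration that is not from the article or from any vendor named in it, the following Go program models the handshake just described (PIN unlocks the card, each side proves possession of its private key, the other side checks the certificate against the trusted CA) together with the revocation lookup from the CRL discussion. It stands in Ed25519 for the CAC's RSA keys, a signed public key for an X.509 certificate and a plain map for a CRL or OCSP responder; the names Cert, Card, Issue, Verify and MutualAuth are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Cert is a toy certificate: the trusted CA's signature over the holder's public key.
type Cert struct {
	Pub   ed25519.PublicKey
	CASig []byte
}
// Card stands in for the CAC: the private key never leaves it, and it signs only after the PIN.
type Card struct {
	priv ed25519.PrivateKey
	pin  string
	Cert Cert
}
// Issue generates the key pair on the card and has the CA sign its certificate.
func Issue(caPriv ed25519.PrivateKey, pin string) Card {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Card{priv: priv, pin: pin, Cert: Cert{Pub: pub, CASig: ed25519.Sign(caPriv, pub)}}
}
// Verify is one direction: CA signature on the cert, CRL-style revocation lookup, proof of possession.
func Verify(caPub ed25519.PublicKey, revoked map[string]bool, peer Cert, nonce, sig []byte) error {
	switch {
	case !ed25519.Verify(caPub, peer.Pub, peer.CASig):
		return errors.New("certificate not issued by the trusted CA")
	case revoked[string(peer.Pub)]:
		return errors.New("certificate revoked (lost or stolen card)")
	case !ed25519.Verify(peer.Pub, nonce, sig):
		return errors.New("bad challenge signature: no proof of private key")
	}
	return nil
}
// MutualAuth has each side challenge the other; the connection is made only if both succeed.
func MutualAuth(caPub ed25519.PublicKey, revoked map[string]bool, cards [2]Card, pins [2]string) error {
	for i, prover := range cards {
		if pins[i] != prover.pin {
			return errors.New("wrong PIN: card stays locked")
		}
		nonce := make([]byte, 32) // fresh verifier challenge, so a captured signature cannot be replayed
		rand.Read(nonce)
		// The card signs the challenge internally; the private key itself is never exported.
		if err := Verify(caPub, revoked, prover.Cert, nonce, ed25519.Sign(prover.priv, nonce)); err != nil {
			return err
		}
	}
	return nil
}
```

Note that no secret crosses the wire: each side sends only its certificate and a signature over the other side's nonce, which is the contrast with password authentication the text draws.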
Blue Ridge has made a business out of providing a secure solution to demanding customers such as the DoD Intelligence Information System. Gilbert says Blue Ridge has the most secure VPN in the world, partly because it utilizes hardware-based random number generation for security rather than software, which can be cracked more easily.
“In 10 years, we have had zero reported vulnerabilities in the National Vulnerability database run by NIST and DHS, which catalogs security vulnerabilities in information technology products,” he said. By comparison, the majority of security companies have three to five high-risk vulnerabilities per year, Gilbert indicated.
Another challenge for USSTRATCOM was training at the user level, which was time consuming. “We were teaching them a new way to log onto the network,” Bastian said.
But PKI also clearly delivers benefits to the user. “If I access 10 different Web sites, then I have to remember 10 different user IDs and 10 different passwords. With PKI, you have one token (smart card) and one PIN to access all 10 Web sites,” Bastian said.
Mobilizing the PKI environment to meet the needs of DoD users on the go is perhaps one of the greatest challenges, said Scott Totzke, director of the Global Security Group at BlackBerry maker Research In Motion.
“Ensuring that the DoD customer can work with a BlackBerry and still maintain the PKI paradigm that exists at the desktop has been something that we have invested in heavily over the last six years,” Totzke said. “Supporting standards such as the Common Access Card, S/MIME, OCSP, LDAP and CRLs in a user-friendly mobile environment is critical. Customers don’t want to compromise their security model for the sake of mobility.”
As PKI grows, the software will accommodate it. “The next versions of software will be PKI-enabling,” said Chris Voice, CTO of Entrust, whose products include toolkits that let users PKI-enable their legacy applications. Thirteen of 15 cabinet-level departments and more than 70 government agencies use the company’s products, including the Department of State and the intelligence community, Voice said.
PKI will be assigned not only to people but also to things. “More and more, PKI will be used by devices as network routers authenticate to other routers and boxes and hardware protect information that they pass to each other,” Voice said.
Analysts expect PKI to grow by leaps and bounds in the upcoming years. “PKI is in its infancy right now. There are only a few sites that are PK-enabled, but we’re going to PK-enable more Web sites and programs,” Bastian said. ♦