
NASA PKI for PKI FORUM Presenters: Paul Ma, NASA-Ames Research Center



Presentation Transcript


  1. NASA PKI for PKI FORUM Presenters: Paul Ma, NASA-Ames Research Center pma@mail.arc.nasa.gov 650-604-3586

  2. Outline
     • Background Information on Information Technology Security Development Group (ITSDG)
     • NASA PKI Deployment Plan
       • Objectives and Scope
     • NASA Public Key Infrastructure (PKI)
       • PKI Components
       • NASA PKI Components and Architecture
     • NASA Issues
     • Issues for the PKI Forum

  3. NASA
     • NASA has 11 major Centers distributed all over the United States:
       • Ames Research Center (ARC) at Moffett Field, CA
       • Dryden Flight Research Center (DFRC) at Southern CA
       • Glenn Space Flight Center (GRC) at Cleveland, OH
       • Goddard Space Flight Center (GSFC) at Greenbelt, MD
       • Jet Propulsion Laboratory (JPL) at Pasadena, CA
       • Johnson Space Center (JSC) at Houston, TX
       • Kennedy Space Center (KSC) at Cape Canaveral, FL
       • Langley Research Center (LaRC) at Hampton, VA
       • Marshall Space Flight Center (MSFC) at Huntsville, AL
       • Stennis Space Center (SSC) at Bay St. Louis, MI

  4. [Organization chart: Principal Center for IT Security and its Expert Centers]
     • Expert Centers: IT Security Notifications, Incident Coordination & Response Expert Center; IT Security Training and Awareness; IT Security Networks & Communications Expert Center; IT Security Systems & Applications Expert Center; IT Security Development Expert Center (ITSDG)
     • Centers shown: GSFC, GRC, MSFC, JPL, ARC
     • Activities listed: Incident(s) Identification; Curriculum Requirements; Network Audit Tools; Audit Tools; Architecture Planning; Intrusion Tracking; IT Security Workshops; Firewalls; Application Security; Enabling Applications; Response Teams; IT Security Awareness; Internet Security Req.; Virus Detection; Secure Video Conferences; Threat Evaluate; On-Line Courses; Incident Tracking Tools; WWW Secure Applications; Crypto-Technology Demonstrations; Threat Resolution; Secure O/S Configurations; ITS Technical Training; Monitoring & Testing; IT Security Tools; WorkFlow Secure Processes; Liaison; System Testing Tools

  5. NASA PKI Deployment Plan
     • Objectives
       • To implement a public key infrastructure that contains the following components:
         • A common NASA directory or repository for certificates
         • A certificate authority (CA)
         • Agents of the CA, registration authorities (RA)
         • Policies to guide the operation of the PKI

  6. PKI Deployment Plan
     • Scope
       • Establishing one central CA located at ARC and an RA at ARC
       • Assisting with the setup of RAs at other Centers
       • Providing PKI services to secure sensitive but unclassified electronic information
       • Creating documents for CA operation: Certificate Policy Statement, Certificate Practice Statement, and Security Plan
       • Implementing security mechanisms and procedures for secure CA operation
       • Establishing a disaster recovery plan
       • Establishing a technical support service

  7. NASA PKI Components
     • The NASA PKI services are provided by:
       • Certification Authority (CA)
         • Ames manages the NASA CA. The software used is Entrust Technologies’ Entrust Infrastructure version 4.0.
       • Registration Authority (RA)
         • Each NASA Center manages its own RA operation using Entrust Technologies’ Administration Software.
       • Certificate Repository
         • Certificates are stored in the existing NASA X.500 infrastructure.
       • Policy
         • NASA’s policies are defined in the X.509 Certificate Policy for NASA PKI and the NASA Certification Authority Certification Practice Statement.

  8. NASA PKI Architecture [diagram]
     • Entrust Authority (Entrust CA) Main System: Ames
     • Entrust Authority (Entrust CA) Backup System: MSFC (backup data)
     • X500: certificates are stored here
     • Center RA: NASA Center RAs send requests for certificates to the CA
     • Certificates are managed by the CA

  9. User Access [diagram]
     • Entrust Authority (Entrust CA) Main System: Ames
     • X500 directory labels: NASA, ARC, MSFC, DFRC, JSC, GSC, GSFC, KSC, JPL, LaRC, HQ, SSC
     • User community: end users retrieve certificates from the distributed directories for use by their PKI-enabled applications.
     • End users access the CA during certificate creation/recovery/update operations.

  10. PKI Status
     • The secure CA at ARC and the backup CA at MSFC have been tested and are operational.
     • Seven Centers have passed the ORR Audit.
     • 2 Centers need more documentation before the final ORR approval.
     • 2 more Centers are preparing for the ORR.
     • Currently we are hoping to finish the ORR by the end of March, provided the Centers are ready.

  11. NASA Applications [diagram: NASA PKI at the center, supporting the following applications]
     • Secure Web
     • Secure Desktop
     • Secure E-Mail
     • Secure E-Grant
     • Secure E-Forms
     • Secure Remote Access
     • Secure Networking
     • Secure File Transfer

  12. Information Integrity: Key To A Safe Free-Flight Airspace System

  13. NASA Issues
     • Interoperability between CAs and e-mail applications (Eudora and MS Exchange/Outlook)
     • Directory Service was a major problem internally
     • Policy issues gave us as much trouble as technical issues, or more
       • export, auditing, archiving, license tracking, etc.
       • how to deal with external partners

  14. Issues for PKI Forum
     • PKI Forum needs to deal with scalability issues as well as interoperability issues
     • Heavy client
     • Directory lookup
     • CRL distribution
     • How is PKI going to deal with all the millions of IPSec devices that are coming that require security?
