1 / 16

LandWarNet 2008

UNCLASSIFIED. . PURPOSE: To present and discuss: Road Ahead of the Army's Identity Protection

oriole
Download Presentation

LandWarNet 2008

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


    1. LandWarNet 2008

    2. PURPOSE: To present and discuss: Road Ahead of the Army’s Identity Protection & Management OBJECTIVES: By the end of this presentation you will be able to learn about the: Roles and responsibilities of the Army’s CAC-PKI program Current and future initiatives Next generation CAC and other alternate smart card technology

    3. 3 Agenda CAC/PKI Division Overview Army HSPD-12 Alternate Smartcard for System Administrators Smartcard for “Volunteers” Next Generation CAC Take your CAC with you JTF-GNO CTO 07-015 Accelerated PKI Implementation Phase 2 Army ALARACT Reporting

    4. 4 Overview Policy and Guidance Test and Evaluation Public Key Enabling Technology Registration Authority SIPRNET Certificates Key Recovery Alternative Smart Card Logon Token Training CAC PIN Reset Help Desk (866) 738-3222 Policy, Guidance, and Programmatic Support Engineering, Testing, and Technical Support Army HSPD-12/FIPS 201 Implementation Represent Army at DoD PKI and OSD Defense Manpower Data Center working groups Public Key Enabling Desktop Computers JTF-GNO Accelerated PKI Phase 2 Army Alternative Smart Card Logon Token CAC Enabling Two-Way Wireless Email Devices Army CAC PIN Reset (CPR) Tier 2 CAC PKI Technical Support Policy, Guidance, and Programmatic Support Engineering, Testing, and Technical Support Army HSPD-12/FIPS 201 Implementation Represent Army at DoD PKI and OSD Defense Manpower Data Center working groups Public Key Enabling Desktop Computers JTF-GNO Accelerated PKI Phase 2 Army Alternative Smart Card Logon Token CAC Enabling Two-Way Wireless Email Devices Army CAC PIN Reset (CPR) Tier 2 CAC PKI Technical Support

    5. 5 Army Implementation of HSPD-12 HSPD-12 (Aug 2004) — Purpose Enhance security Increase Government efficiency Reduce identity fraud Protect personal privacy -by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractor employees Leading the Army HSPD-12 Implementation Working Group Formal participation from G-1, G-2, G-3/5/7, G-4, G-6, OPMG, ASA(ALT) CAC is transitioning to HSPD-12 Personal Identity Verification (PIV) credential HSPD-12 vetting requirements apply to all PIV cardholders National Agency Check with Written Inquiries (NAC-I)

    6. 6 Alternative Smart Card Logon Token System Administrators CAC used for user accounts Alternative Smart Card Logon Token (ASCL) for SA account Smartcard: Has printed serial number and nothing else Contains DoD PKI ID cert with a variant User Principal Name (UPN) to circumvent name-uniqueness within AD forest Stats ˜ 700 ASCL Trusted Agents appointed ˜ 15,000 ASCL tokens processed ˜ 11,000 tokens in use

    7. 7 Next Generation CAC USD(P&R) Directive Memo 08-003 out for comment Army HSPD-12 Implementation WG prepared and staffed the Army comments CAC has to converge to PIV credential Transitional PIV ? Endpoint PIV RAPIDS currently issuing PIV-like CACs Look just like a PIV card Has the ISO 14443 contactless antenna ICC holds 2 fingerprint minutia templates + digital photo Contains the standard 3 DoD PKI certs Does not yet contain a PIV authentication cert http://www.cac.mil/

    8. 8 JTF-GNO CTO 07-015 Accelerated PKI Implementation Phase 2 Digital Signature Policy Sign any email containing attachment or live URL link Do not sign to recipients outside DoD Do not use automated solution that always applies digital signature CCL User Based Enforcement (UBE) Smart card w/certs required for interactive logon Public Key Enable Private Web Servers All web servers hosting sensitive information End user’s certificate must be validated Task 1: Implement Digital Signature policy Task 2: Implement UBE Task 3: Implement Increased Password Security Measures Task 4: Removal of Software Certificate Installation Files Task 5: Identification of Non-PKI Based Authentication Methods Task 6: Identify Username/Password Accounts Task 7: Execute Enhanced Security Awareness Training Task 8: Conduct data call on non-Windows OS's Task 9: Validate Configurations of All DoD Private Web Servers Task 10: Implement PKI-based Client Authentication for all DoD Private Web Servers Task 11: Activate CRL web caching capabilities at Base/Post/Camp/Station Task 12: Adjust Online Certificate Status Protocol (OCSP) configurations to increase reliability Task 13: Implement Machine-Based Enforcement (Army requirement only) Task 1: Implement Digital Signature policy Task 2: Implement UBE Task 3: Implement Increased Password Security Measures Task 4: Removal of Software Certificate Installation Files Task 5: Identification of Non-PKI Based Authentication Methods Task 6: Identify Username/Password Accounts Task 7: Execute Enhanced Security Awareness Training Task 8: Conduct data call on non-Windows OS's Task 9: Validate Configurations of All DoD Private Web Servers Task 10: Implement PKI-based Client Authentication for all DoD Private Web Servers Task 11: Activate CRL web caching capabilities at Base/Post/Camp/Station Task 12: Adjust Online Certificate Status Protocol (OCSP) configurations to increase reliability Task 13: Implement Machine-Based Enforcement (Army requirement only)

    9. Initiatives SIPRNET Token Prototype 3rd Q 2009 Multi Domain Single CAC 3rd Q 2012 Non Person Entity (NPE) Certificates Challenges Validated Requirements? Infrastructure Requirements Integrated Service CA’s vs Proxy NPE Registry Personnel Requirements 9

    10. 10 Questions? Contact Information: Jude A. Roeger NETCOM/ESTA Information Assurance CAC/PKI Division jude.roeger1@us.army.mil Phone: 703-602-7525 DSN: 332-7525 Fax: 703-602-7235 https://informationassurance.us.army.mil/cacpki/

    11. 11 Back up Slides

    12. 12 PKI Implementation Phase 2 Tasks Task 1: Implement Digital Signature policy Task 2: Implement UBE Task 3: Implement Increased Password Security Measures Task 4: Removal of Software Certificate Installation Files Task 5: Identification of Non-PKI Based Authentication Methods Task 6: Identify Username/Password Accounts Task 7: Execute Enhanced Security Awareness Training Task 8: Conduct data call on non-Windows OS's Task 9: Validate Configurations of All DoD Private Web Servers Task 10: Implement PKI-based Client Authentication for all DoD Private Web Servers Task 11: Activate CRL web caching capabilities at Base/Post/Camp/Station Task 12: Adjust Online Certificate Status Protocol (OCSP) configurations to increase reliability Task 13: Implement Machine-Based Enforcement (Army requirement only)

    13. 13 Overview of HSPD-12 PIV Process & Credential Is issued based on sound criteria for verifying an employee’s identity Is strongly resistant to identity, fraud, tampering, counterfeiting, and terrorist exploitation; Can be rapidly authenticated electronically; and Is issued only by providers whose reliability has been established by an official accreditation process.

    14. 14 PIV Credential Inspired by CAC Governed by FIPS 201-1 and NIST SP800-xx docs Has contact ICC (ISO 7816) and contactless antenna (ISO 14443) To be used for physical and logical access across Executive Branch ICC contains PIV PKI authentication cert 2 fingerprint minutia templates Digital photo Freely readable Cardholder Unique ID (CHUID)

    15. 15 HSPD-12 Issues So Far Reciprocity for suitability determinations Faster, cheaper NAC-I or equivalent Who needs a new investigation? Status unknown for 100,000s of DoD personnel Integrated business process Sponsoring of military, civil servants, contractors Automated query of NAC, NAC-I status Adjudication standards Adjudication notification ? sponsor ? applicant Appeals process Adjudication outcome checked before issuance Requirements for middleware & applications to perform fingerprint match

    16. 16 Influencing the Future of Army IA HSPD-12 Next Generation CAC Biometrics Who gets which token following what background check?

    17. 17 Digital Signing of Email Policy and BBP coming soon. Major points: Emails from an Army-owned system or account containing an attachment or active URL hyperlink must be digitally signed. Do not digitally sign personal or routine email messages. Do not digitally sign emails sent to non .mil addresses. Pure text references to URLs or email addresses do not require digital signature. A v-card is transmitted as an email attachment, which necessitates using a digital signature. Senders: determine case-by-case whether worthwhile. System administrators cannot use an Active Directory group policy to automate 100% enforcement for digitally signing email. This does not preclude the use of Group Policy Object (GPO) or third party software (e.g., CAC middleware) to set the default policy to digitally sign all email, provided the user has the ability to send an unsigned email on a per email basis. Assess the attached digital signature's level of assurance. Validate unexpected unsigned email contents: place the mouse pointer over an embedded URL to display the actual link. Do not use the link to access the site; navigate to the correct site manually. As stated in reference E, local Army digital signature policy requires all emails sent from an Army-owned system or account that contain an active (embedded) hyperlink (Uniform Resource Locator [URL] web address or email address) and/or attachment must be digitally signed with an approved DoD PKI certificate. Users should not use digital signatures for personal or routine email messages which contain office announcements and generic administrative messages. The addition of a digital signature can significantly increase the file size of an email message. Also, users should not digitally sign emails sent to non .mil addresses. Pure text references to web addresses, URLs, or email addresses do not require digital signature, only those with active content. Some email editors automatically generate an active hyperlink when a user types in a web address or email address. For example, if the user’s email editor is Microsoft Word, typing an email address or web site address will cause an active hyperlink to be generated automatically even if the default email message format is “Plain Text”. The user would need to remove the hyperlink manually if they want to send the email unsigned. Users should remove all active hyperlinks within their e-mail signatures that are automatically added to the end of an outgoing email message. This can be done by changing the email signature from HyperText Markup Language (HTML) format to a pure text format or use an HTML editor and remove the hyperlink manually. By doing this, the user will not have to sign the email solely on the basis of the hyperlink(s) in their email signature. A v-card (containing the sender's contact information) will be transmitted as an email attachment, which necessitates using a digital signature. Senders should determine case-by-case whether it is worthwhile to include a v-card. In accordance with (IAW) reference D, system administrators cannot use an Active Directory (AD) group policy to automate 100% enforcement for digitally signing email. This does not preclude the use of Group Policy Object (GPO), or third party software (e.g., Common Access Card (CAC) middleware) to set the default policy to digitally sign all email, provided the user has the ability to send an unsigned email on a per email basis. Users should contact their system administrators or Information Technology staff prior to changing any policy or software settings. Army email users should assess the attached digital signature's level of assurance. Due to the implementation of Suppression of Name Checking (SNC) on Microsoft Outlook email clients, per reference F, the email address in the sender’s certificate will not necessarily match the sender’s default return address. Emails signed using revoked certificates should be treated as not having originated from the indicated sender. However, users should not be overly concerned when opening an archived signed email that was previously opened without issue (certificates good) and now gets a “revoked certificates” warning because it is likely that the originating sender has received new certificates (expired/lost CAC) which causes the messages signed with old certificates to show up as “revoked certificates”. The signature was valid at the time the email was sent. Valid PKI digital signatures originating outside DoD PKI domains must be generated by a DoD approved PKI certificate source (e.g., Federal Bridge Certification Authority [FBCA], External Certificate Authority [ECA]). Emails that are digitally signed by unapproved sources or with revoked certificates should be opened, read, and acted upon with caution. Army email users should validate unexpected unsigned email contents. Validation of embedded links in HTML or Rich Text format emails can be done by placing the mouse pointer over the embedded URL to display the actual link. Emails in plain text format can be checked by manual entry into the user’s web browser. All attachments should be scanned for malware and viruses prior to being opened as directed in reference G. Automated email implementations such as list servers and notification systems through which current configuration/architecture does not allow for immediate implementation of digital signatures are not required to use digital signature. If an Army user receives an unexpected unsigned notification email from an external site requiring log in to the site, the user should not use the links in the email to access the site. The user should open their web browser, go to the web site and log in using their credentials. Then, the user can check to determine if the notification email actually originated from the site. It is important to remember that financial institutions, payment services and other organizations do not place links in emails requesting a user to update their account information. As stated in reference E, local Army digital signature policy requires all emails sent from an Army-owned system or account that contain an active (embedded) hyperlink (Uniform Resource Locator [URL] web address or email address) and/or attachment must be digitally signed with an approved DoD PKI certificate. Users should not use digital signatures for personal or routine email messages which contain office announcements and generic administrative messages. The addition of a digital signature can significantly increase the file size of an email message. Also, users should not digitally sign emails sent to non .mil addresses. Pure text references to web addresses, URLs, or email addresses do not require digital signature, only those with active content. Some email editors automatically generate an active hyperlink when a user types in a web address or email address. For example, if the user’s email editor is Microsoft Word, typing an email address or web site address will cause an active hyperlink to be generated automatically even if the default email message format is “Plain Text”. The user would need to remove the hyperlink manually if they want to send the email unsigned. Users should remove all active hyperlinks within their e-mail signatures that are automatically added to the end of an outgoing email message. This can be done by changing the email signature from HyperText Markup Language (HTML) format to a pure text format or use an HTML editor and remove the hyperlink manually. By doing this, the user will not have to sign the email solely on the basis of the hyperlink(s) in their email signature. A v-card (containing the sender's contact information) will be transmitted as an email attachment, which necessitates using a digital signature. Senders should determine case-by-case whether it is worthwhile to include a v-card. In accordance with (IAW) reference D, system administrators cannot use an Active Directory (AD) group policy to automate 100% enforcement for digitally signing email. This does not preclude the use of Group Policy Object (GPO), or third party software (e.g., Common Access Card (CAC) middleware) to set the default policy to digitally sign all email, provided the user has the ability to send an unsigned email on a per email basis. Users should contact their system administrators or Information Technology staff prior to changing any policy or software settings. Army email users should assess the attached digital signature's level of assurance. Due to the implementation of Suppression of Name Checking (SNC) on Microsoft Outlook email clients, per reference F, the email address in the sender’s certificate will not necessarily match the sender’s default return address. Emails signed using revoked certificates should be treated as not having originated from the indicated sender. However, users should not be overly concerned when opening an archived signed email that was previously opened without issue (certificates good) and now gets a “revoked certificates” warning because it is likely that the originating sender has received new certificates (expired/lost CAC) which causes the messages signed with old certificates to show up as “revoked certificates”. The signature was valid at the time the email was sent. Valid PKI digital signatures originating outside DoD PKI domains must be generated by a DoD approved PKI certificate source (e.g., Federal Bridge Certification Authority [FBCA], External Certificate Authority [ECA]). Emails that are digitally signed by unapproved sources or with revoked certificates should be opened, read, and acted upon with caution. Army email users should validate unexpected unsigned email contents. Validation of embedded links in HTML or Rich Text format emails can be done by placing the mouse pointer over the embedded URL to display the actual link. Emails in plain text format can be checked by manual entry into the user’s web browser. All attachments should be scanned for malware and viruses prior to being opened as directed in reference G. Automated email implementations such as list servers and notification systems through which current configuration/architecture does not allow for immediate implementation of digital signatures are not required to use digital signature. If an Army user receives an unexpected unsigned notification email from an external site requiring log in to the site, the user should not use the links in the email to access the site. The user should open their web browser, go to the web site and log in using their credentials. Then, the user can check to determine if the notification email actually originated from the site. It is important to remember that financial institutions, payment services and other organizations do not place links in emails requesting a user to update their account information.

More Related