UNCLASSIFIED
1. LandWarNet 2008
2. PURPOSE: To present and discuss: Road Ahead of the Army’s Identity Protection & Management
OBJECTIVES: By the end of this presentation you will be familiar with the:
Roles and responsibilities of the Army’s CAC-PKI program
Current and future initiatives
Next generation CAC and other alternate smart card technology
3. Agenda
CAC/PKI Division Overview
Army HSPD-12
Alternate Smartcard for System Administrators
Smartcard for “Volunteers”
Next Generation CAC
Take your CAC with you
JTF-GNO CTO 07-015
Accelerated PKI Implementation Phase 2
Army ALARACT
Reporting
4. Overview
Policy and Guidance
Test and Evaluation
Public Key Enabling Technology
Registration Authority
SIPRNET Certificates
Key Recovery
Alternative Smart Card Logon Token
Training
CAC PIN Reset
Help Desk (866) 738-3222
Policy, Guidance, and Programmatic Support
Engineering, Testing, and Technical Support
Army HSPD-12/FIPS 201 Implementation
Represent Army at DoD PKI and OSD Defense Manpower Data Center working groups
Public Key Enabling Desktop Computers
JTF-GNO Accelerated PKI Phase 2
Army Alternative Smart Card Logon Token
CAC Enabling Two-Way Wireless Email Devices
Army CAC PIN Reset (CPR)
Tier 2 CAC PKI Technical Support
5. Army Implementation of HSPD-12
HSPD-12 (Aug 2004) — Purpose
Enhance security
Increase Government efficiency
Reduce identity fraud
Protect personal privacy
HSPD-12 does this by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractor employees
Leading the Army HSPD-12 Implementation Working Group
Formal participation from G-1, G-2, G-3/5/7, G-4, G-6, OPMG, ASA(ALT)
CAC is transitioning to HSPD-12 Personal Identity Verification (PIV) credential
HSPD-12 vetting requirements apply to all PIV cardholders
National Agency Check with Written Inquiries (NAC-I)
6. Alternative Smart Card Logon Token
System Administrators
CAC used for user accounts
Alternative Smart Card Logon Token (ASCL) for SA account
Smartcard:
Has printed serial number and nothing else
Contains a DoD PKI identity cert with a variant User Principal Name (UPN), so the SA account's UPN does not collide with the user's CAC UPN (UPNs must be unique within the AD forest)
Stats
~700 ASCL Trusted Agents appointed
~15,000 ASCL tokens processed
~11,000 tokens in use
7. Next Generation CAC
USD(P&R) Directive Memo 08-003 out for comment
Army HSPD-12 Implementation WG prepared and staffed the Army comments
CAC has to converge to PIV credential
Transitional PIV → Endpoint PIV
RAPIDS currently issuing PIV-like CACs
Look just like a PIV card
Has the ISO 14443 contactless antenna
ICC holds 2 fingerprint minutiae templates + digital photo
Contains the standard 3 DoD PKI certs
Does not yet contain a PIV authentication cert
http://www.cac.mil/
8. JTF-GNO CTO 07-015 Accelerated PKI Implementation Phase 2
Digital Signature Policy
Sign any email containing attachment or live URL link
Do not sign to recipients outside DoD
Do not use automated solution that always applies digital signature
CCL User Based Enforcement (UBE)
Smart card w/certs required for interactive logon
Public Key Enable Private Web Servers
All web servers hosting sensitive information
End user’s certificate must be validated
Task 1: Implement Digital Signature policy
Task 2: Implement UBE
Task 3: Implement Increased Password Security Measures
Task 4: Removal of Software Certificate Installation Files
Task 5: Identification of Non-PKI Based Authentication Methods
Task 6: Identify Username/Password Accounts
Task 7: Execute Enhanced Security Awareness Training
Task 8: Conduct data call on non-Windows OS's
Task 9: Validate Configurations of All DoD Private Web Servers
Task 10: Implement PKI-based Client Authentication for all DoD Private Web Servers
Task 11: Activate CRL web caching capabilities at Base/Post/Camp/Station
Task 12: Adjust Online Certificate Status Protocol (OCSP) configurations to increase reliability
Task 13: Implement Machine-Based Enforcement (Army requirement only)
9. Initiatives
SIPRNET Token
Prototype 3rd Q 2009
Multi Domain Single CAC 3rd Q 2012
Non Person Entity (NPE) Certificates
Challenges
Validated Requirements?
Infrastructure Requirements
Integrated Service CA’s vs Proxy
NPE Registry
Personnel Requirements
10. Questions? Contact Information:
Jude A. Roeger
NETCOM/ESTA Information Assurance CAC/PKI Division
jude.roeger1@us.army.mil
Phone: 703-602-7525
DSN: 332-7525
Fax: 703-602-7235
https://informationassurance.us.army.mil/cacpki/
11. Backup Slides
12. PKI Implementation Phase 2 Tasks
Task 1: Implement Digital Signature policy
Task 2: Implement UBE
Task 3: Implement Increased Password Security Measures
Task 4: Removal of Software Certificate Installation Files
Task 5: Identification of Non-PKI Based Authentication Methods
Task 6: Identify Username/Password Accounts
Task 7: Execute Enhanced Security Awareness Training
Task 8: Conduct data call on non-Windows OS's
Task 9: Validate Configurations of All DoD Private Web Servers
Task 10: Implement PKI-based Client Authentication for all DoD Private Web Servers
Task 11: Activate CRL web caching capabilities at Base/Post/Camp/Station
Task 12: Adjust Online Certificate Status Protocol (OCSP) configurations to increase reliability
Task 13: Implement Machine-Based Enforcement (Army requirement only)
13. Overview of HSPD-12
PIV Process & Credential:
Is issued based on sound criteria for verifying an employee’s identity;
Is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation;
Can be rapidly authenticated electronically; and
Is issued only by providers whose reliability has been established by an official accreditation process.
14. PIV Credential
Inspired by CAC
Governed by FIPS 201-1 and NIST SP800-xx docs
Has contact ICC (ISO 7816) and contactless antenna (ISO 14443)
To be used for physical and logical access across Executive Branch
ICC contains
PIV PKI authentication cert
2 fingerprint minutiae templates
Digital photo
Freely readable Cardholder Unique ID (CHUID)
15. HSPD-12 Issues So Far
Reciprocity for suitability determinations
Faster, cheaper NAC-I or equivalent
Who needs a new investigation?
Status unknown for 100,000s of DoD personnel
Integrated business process
Sponsoring of military, civil servants, contractors
Automated query of NAC, NAC-I status
Adjudication standards
Adjudication notification → sponsor → applicant
Appeals process
Adjudication outcome checked before issuance
Requirements for middleware & applications to perform fingerprint match
16. Influencing the Future of Army IA
HSPD-12
Next Generation CAC
Biometrics
Who gets which token following what background check?
17. Digital Signing of Email
Policy and BBP coming soon. Major points:
Emails from an Army-owned system or account containing an attachment or active URL hyperlink must be digitally signed.
Do not digitally sign personal or routine email messages.
Do not digitally sign emails sent to non .mil addresses.
Pure text references to URLs or email addresses do not require digital signature.
A v-card is transmitted as an email attachment, which necessitates using a digital signature. Senders: determine case-by-case whether worthwhile.
System administrators cannot use an Active Directory group policy to automate 100% enforcement for digitally signing email. This does not preclude the use of Group Policy Object (GPO) or third party software (e.g., CAC middleware) to set the default policy to digitally sign all email, provided the user has the ability to send an unsigned email on a per email basis.
Assess the attached digital signature's level of assurance.
Validate unexpected unsigned email contents: place the mouse pointer over an embedded URL to display the actual link. Do not use the link to access the site; navigate to the correct site manually.
As stated in reference E, local Army digital signature policy requires that all emails sent from an Army-owned system or account that contain an active (embedded) hyperlink (Uniform Resource Locator [URL] web address or email address) and/or attachment be digitally signed with an approved DoD PKI certificate.
Users should not use digital signatures for personal or routine email messages which contain office announcements and generic administrative messages. The addition of a digital signature can significantly increase the file size of an email message. Also, users should not digitally sign emails sent to non .mil addresses.
Pure text references to web addresses, URLs, or email addresses do not require digital signature, only those with active content. Some email editors automatically generate an active hyperlink when a user types in a web address or email address. For example, if the user’s email editor is Microsoft Word, typing an email address or web site address will cause an active hyperlink to be generated automatically even if the default email message format is “Plain Text”. The user would need to remove the hyperlink manually if they want to send the email unsigned.
Users should remove all active hyperlinks within their e-mail signatures that are automatically added to the end of an outgoing email message. This can be done by changing the email signature from HyperText Markup Language (HTML) format to a pure text format, or by using an HTML editor and removing the hyperlink manually. By doing this, the user will not have to sign the email solely on the basis of the hyperlink(s) in their email signature.
A v-card (containing the sender's contact information) will be transmitted as an email attachment, which necessitates using a digital signature. Senders should determine case-by-case whether it is worthwhile to include a v-card.
In accordance with (IAW) reference D, system administrators cannot use an Active Directory (AD) group policy to automate 100% enforcement for digitally signing email. This does not preclude the use of Group Policy Object (GPO), or third party software (e.g., Common Access Card (CAC) middleware) to set the default policy to digitally sign all email, provided the user has the ability to send an unsigned email on a per email basis. Users should contact their system administrators or Information Technology staff prior to changing any policy or software settings.
Army email users should assess the attached digital signature's level of assurance.
Due to the implementation of Suppression of Name Checking (SNC) on Microsoft Outlook email clients, per reference F, the email address in the sender’s certificate will not necessarily match the sender’s default return address.
Emails signed using revoked certificates should be treated as not having originated from the indicated sender. However, users need not be overly concerned when an archived signed email that previously opened without issue (certificates good) now shows a “revoked certificates” warning: the sender has most likely received new certificates (expired or lost CAC), which causes messages signed with the old certificates to show up as “revoked certificates”. The signature was valid at the time the email was sent.
Valid PKI digital signatures originating outside DoD PKI domains must be generated by a DoD approved PKI certificate source (e.g., Federal Bridge Certification Authority [FBCA], External Certificate Authority [ECA]). Emails that are digitally signed by unapproved sources or with revoked certificates should be opened, read, and acted upon with caution.
Army email users should validate unexpected unsigned email contents. Validation of embedded links in HTML or Rich Text format emails can be done by placing the mouse pointer over the embedded URL to display the actual link. Emails in plain text format can be checked by manual entry into the user’s web browser. All attachments should be scanned for malware and viruses prior to being opened as directed in reference G.
Automated email implementations such as list servers and notification systems whose current configuration/architecture does not allow for immediate implementation of digital signatures are not required to use digital signature.
If an Army user receives an unexpected unsigned notification email from an external site requiring log in to the site, the user should not use the links in the email to access the site. The user should open their web browser, go to the web site and log in using their credentials. Then, the user can check to determine if the notification email actually originated from the site. It is important to remember that financial institutions, payment services and other organizations do not place links in emails requesting a user to update their account information.
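Checking an outgoing message against the signing rules described above (sign when an attachment or active hyperlink is present, plain-text URL mentions are exempt, do not sign to non-.mil recipients), as an added example that is not part of the original deck or of any Army tool. The three sample messages are constructed, and the "review" outcome for a message that carries a signing trigger but also has a recipient outside .mil is this example's own convention for handing the conflict back to the sender.

```python
from email.message import EmailMessage
from email.utils import getaddresses
from html.parser import HTMLParser

class _AnchorFinder(HTMLParser):  # collects <a href> targets: the policy's "active" links
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def active_links(msg):
    """href targets across text/html parts; a URL typed in text/plain never counts."""
    finder = _AnchorFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.hrefs

def external_recipients(msg):
    """Recipients outside .mil (the policy says not to sign to these)."""
    fields = [str(h) for f in ("To", "Cc", "Bcc") for h in msg.get_all(f, [])]
    return [a for _, a in getaddresses(fields)
            if not a.rsplit("@", 1)[-1].lower().endswith(".mil")]

def signing_verdict(msg):
    """'sign' (trigger present, all recipients .mil), 'no_signature' (no trigger),
    or 'review' (trigger but an outside recipient: this example's own convention)."""
    v = {"attachments": [p.get_filename() for p in msg.iter_attachments()],
         "active_links": active_links(msg),
         "external_recipients": external_recipients(msg)}
    if not (v["attachments"] or v["active_links"]):
        v["action"] = "no_signature"
    elif v["external_recipients"]:
        v["action"] = "review"
    else:
        v["action"] = "sign"
    return v

def _sample(to, text, html=None, vcard=False):  # constructed sample, not real mail
    msg = EmailMessage()
    msg["To"] = to
    msg.set_content(text)
    if html:
        msg.add_alternative(html, subtype="html")
    if vcard:  # a v-card rides as an attachment, so it triggers signing too
        msg.add_attachment(b"BEGIN:VCARD\r\nEND:VCARD\r\n", maintype="text",
                           subtype="vcard", filename="sender.vcf")
    return msg

# Plain-text URL mention, HTML body with an active link, v-card sent partly outside .mil.
SAMPLE_PLAIN = _sample("alice@us.army.mil", "Portal: https://portal.example/login")
SAMPLE_HTML_LINK = _sample("alice@us.army.mil", "See portal.", '<a href="https://portal.example/login">portal</a>')
SAMPLE_VCARD_EXTERNAL = _sample("alice@us.army.mil, bob@example.com", "Card.", vcard=True)
```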