
Page 1

LANDWARNET 2011 UNCLASSIFIED

LandWarNet 2011 Army Identity Management (IdM) PKI Initiatives

Tracy Traylor, CIO/G6, Cyber Dir, IdM Div Chief

Page 2

• SIPRNet Tokens

• Tactical PKI

• SHA-256

• Questions/POCs

LANDWARNET 2011 2011-08-23T08:00Z // SIPRNet Token Implementation

Page 3

What it is:

• Token (smart card) for strong authentication and logon to the SIPRNet, signing and encrypting email, and connecting to secure websites

• Replacement for the current logon, which requires user names and recommended 15-character passwords that are:

  Lengthy and difficult to remember

  Changed frequently

  Easier for adversaries to exploit

• Initially funded by DoD PKI PMO

• National Security System (NSS) Certificate Authority (vs. DoD)

Why it is being implemented:

• Follows Department of Defense (DoD) Instruction 8520.2 procedures to implement PKI on DoD classified networks

• Makes it more difficult for adversaries to compromise SIPRNet

Page 4

Army G3/5/7 EXORD 074-11 (14 Jan 11) tasked commands and staffs to participate in IOT&E and FOC

USCYBERCOM Coordination Alert Message (26 Jan 11) required SIPRNet token implementation for IOT&E and preparation for full implementation

Army Cyber Command EXORD 2011-018 (4 Mar 11) provided technical information and direction to Signal Commands

Army Initial Operational Test and Evaluation (IOT&E) Implementation Plan

• Addresses preparation for and participation in DoD IOT&E

• Includes Army issuance of up to 2000 SIPRNet tokens to various Army organizations and commands; tokens are issued with a three (3) year certificate life span and can remain in use through Full Operational Capability (FOC)

Page 5

Configure the Infrastructure

• Distribute token readers provided by Army CIO/G6

• Install device certificates and Tumbleweed Enterprise on domain controllers and web servers

• Configure SIPRNet workstations with 90Meter middleware (similar in function to ActivClient for DoD CACs) and the Tumbleweed desktop validation application

Establish a Chain of Trust

• Identify locations of Local Registration Authorities (LRAs) and Trusted Agents (TAs)

• Establish and train LRAs and TAs with CIO/G6 support

Get SIPRNet tokens into the hands of SIPRNet users

• Require SIPRNet users to obtain SIPRNet tokens

• TAs forward completed DoD PKI Certificate of Acceptance and Acknowledgement of Responsibilities (DD Form 2842) to LRAs

• Conduct face-to-face identity verification between TAs and users

Page 6

1. Army CIO/G6 Cyber CAC/PKI Division RA prepositions formatted, inactive tokens with the LRA at decentralized issuance locations.

2. Command/SIPRNet user submits a request for a SIPRNet PKI token to the LRA or remote TA to validate.

3. On a SIPRNet workstation, the LRA accesses TMS to register the user and get a temporary PIN. The LRA enrolls the user and places certs on the token.

4. The LRA sends the enrolled token to remote TA1 and sends the temporary PIN to remote TA2 via NSS-encrypted email.

5. The TA receives the token, conducts a face-to-face validation of the user's identity, completes DD Form 2842, and issues the token to the user. The user changes the token PIN on a SIPRNet workstation in the presence of the TA and becomes a SIPRNet PKI token subscriber.

6. The TA sends the signed DD Form 2842 to the LRA.

[Diagram: SIPRNet token issuance flow. Actors: Army CIO/G6 RA, Decentralized LRA, Remote TA, SIPRNet User. Labelled arrows: 1: RA sends formatted tokens to LRA; 5: TA/User validation and token issuance to user; 6: Signed DD Form 2842 to LRA.]

For example: #1: Ft Belvoir - refine process and expand to include MDW; #2: Ft Gordon - mix of CONUS, tactical, and MI users

Remote TA and user: attempt to leverage existing TAs distributed across Army installations at start-up

Page 7

Command/Organization Token Issuance to Users

IOT&E token issuance requirement: 2,000

Tokens issued: 2,403 as of 12 Aug 2011

Commands/organizations in the issuance chart (per-organization counts not recoverable):

• CIO/G-6

• USAREUR

• AFRICOM

• EUCOM

• 106th Signal Brigade

• ATEC

• ATEC OTC

• INSCOM/513th

• DA Chief of Engineers

• 335th Signal

• 52nd ID NTC

• 7th SC

• USARPAC

• TRADOC

Page 8

IOT&E Observations

• Senior leadership awareness and support are needed

• Network support organizations must take advantage of available accreditation and test documentation and eliminate or reduce local testing

• Users still need to update SIPRNet passwords to prevent account lockout until User Based Enforcement (UBE), using the SIPRNet token only, is implemented

• Thin client workstations were generally not included in IOT&E due to interoperability issues with token readers and middleware

IOT&E Successes

• Army Theater Network Operations and Security Centers (TNOSCs) have already configured most domain controllers needed for full implementation in several theaters

• Positive feedback received on use of token and PIN vs. user ID and password

• Weekly teleconferences support knowledge sharing and progress reporting

Page 9

Post-IOT&E Implementation Strategy

• SIPRNet tokens will continue to be issued to Army organizations that are prepared to accept them

• Revisions are being made to AR 25-2 (Information Assurance) and Standard Operating Procedures, based on the National Security Systems (NSS) Registration Practice Statement (RPS)

Full Fielding Strategy

• Army will field up to 300,000 tokens from FY12 to FY16

• Draft Implementation and EXORD for FOC, suspense 31 Aug 2011

• Initial rollout of tokens, readers, and middleware funded by DoD PKI PMO

• Army has requested LRAs beginning in FY12

• Army organizations must plan and budget for sustainment beginning in FY14

Page 10

The Army is leading the DoD Tactical Technical Interchange Meeting (TIM) under the direction of the DoD PKI PMO.

Tactical TIM oversees Pilot Activities

• The pilot approach is to evaluate alternative certificate validation (CV) approaches suited to bandwidth-challenged environments, e.g., delta CRL, mini-CRL

• Develop a notional joint PKI operational architecture to support planning and implementation of the Tactical PKI Pilot

• Coordinates Service and Agency planning and participation in the DoD PKI Tactical Pilot

• Coordinates functional requirements, test plans and policy changes for use in the Tactical Pilot
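Delta CRLs are the standardized way (RFC 5280, section 5.2.4) to cut revocation traffic on a constrained link: the relying party keeps a large complete CRL and fetches only the changes since that base. The following is an added example, not code from this deck or from the DoD PKI pilot. It models the combination rule with constructed serial numbers and a constructed, rough size estimate, and enforces the checks a relying party must make before trusting a delta: matching issuer, a base indicator no newer than the complete CRL it holds, a delta newer than that CRL, and removeFromCRL used only to lift a certificateHold. Mini-CRL has no single standard form and is not modelled.

```python
"""
Base CRL + delta CRL combination, modelled on RFC 5280 section 5.2.4.

Added example, not code from the LandWarNet 2011 deck or the DoD PKI PMO.
All serial numbers, CRL numbers and size figures are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# CRLReason codes from RFC 5280 section 5.3.1 (only the ones used here)
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6
REMOVE_FROM_CRL = 8   # permitted only in delta CRLs: lifts a certificateHold


@dataclass
class RevokedEntry:
    serial: int
    reason: int


@dataclass
class CRL:
    issuer: str
    crl_number: int
    entries: List[RevokedEntry]
    # Delta CRL Indicator extension: present only on a delta CRL; names the
    # CRL number of the oldest complete CRL this delta may be combined with.
    base_crl_number: Optional[int] = None

    def is_delta(self) -> bool:
        return self.base_crl_number is not None


def approx_size_bytes(crl: CRL, header: int = 400, per_entry: int = 24) -> int:
    """Rough wire-size estimate (constructed figures): fixed overhead for issuer,
    validity times, extensions and signature, plus one encoded revoked-certificate
    entry (serial, revocationDate, reason) per item."""
    return header + per_entry * len(crl.entries)


def combine(complete: CRL, delta: CRL) -> Dict[int, int]:
    """Effective revocation state {serial: reason} after applying `delta`
    to the complete CRL `complete`, with the relying-party checks applied."""
    if not delta.is_delta():
        raise ValueError("second argument is not a delta CRL")
    if complete.is_delta():
        raise ValueError("first argument must be a complete CRL")
    if complete.issuer != delta.issuer:
        raise ValueError("issuer mismatch")
    if complete.crl_number < delta.base_crl_number:
        raise ValueError("complete CRL %d is older than delta base %d"
                         % (complete.crl_number, delta.base_crl_number))
    if delta.crl_number <= complete.crl_number:
        raise ValueError("delta CRL is not newer than the complete CRL")

    state = {e.serial: e.reason for e in complete.entries}
    for e in delta.entries:
        if e.reason == REMOVE_FROM_CRL:
            # Only a certificateHold may be lifted; other reasons are permanent.
            if state.get(e.serial) != CERTIFICATE_HOLD:
                raise ValueError("removeFromCRL for serial %d not on hold" % e.serial)
            del state[e.serial]
        else:
            state[e.serial] = e.reason
    return state


def is_revoked(state: Dict[int, int], serial: int) -> bool:
    return serial in state


def bandwidth_ratio(base: CRL, delta: CRL) -> float:
    """How much smaller the delta is than the complete CRL it updates."""
    return approx_size_bytes(delta) / approx_size_bytes(base)


def build_sample():
    """Constructed data: a 10,000-entry complete CRL and a 3-entry delta."""
    issuer = "CN=Example NSS CA (constructed)"
    base_entries = [RevokedEntry(s, KEY_COMPROMISE) for s in range(1, 10_000)]
    base_entries.append(RevokedEntry(20_001, CERTIFICATE_HOLD))
    base = CRL(issuer, crl_number=57, entries=base_entries)
    delta = CRL(issuer, crl_number=60, base_crl_number=55, entries=[
        RevokedEntry(30_001, KEY_COMPROMISE),     # newly revoked since the base
        RevokedEntry(30_002, CERTIFICATE_HOLD),   # newly placed on hold
        RevokedEntry(20_001, REMOVE_FROM_CRL),    # hold carried in the base, lifted
    ])
    return base, delta


if __name__ == "__main__":
    base, delta = build_sample()
    state = combine(base, delta)
    print("entries after combine:", len(state))
    print("30001 revoked:", is_revoked(state, 30_001))
    print("20001 revoked:", is_revoked(state, 20_001))
    print("delta/base size ratio: %.4f" % bandwidth_ratio(base, delta))
```

The size ratio is the whole point for a tactical link: the client downloads the complete CRL rarely and the small delta often. The stale-base check matters just as much; a delta whose base indicator is newer than the complete CRL on hand must be refused rather than applied, or a revocation that landed between the two complete CRLs is silently missed.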

Implementation at the tactical level presents unique challenges

• PKI integration with Battle Command and Warfighter's Information Network-Tactical (WIN-T) programs and systems

• IdM is coordinating and working closely with the Program Executive Office for Command, Control and Communications-Tactical (PEO-C3T)

Page 11

Army CIO/G6 IdM funded the TRADOC Capability Manager (TCM) Global Network Enterprise (GNE) and CERDEC to conduct testing and validation of Tactical PKI (TPKI):

• SIPR Token

• DEERS RAPIDS

• SHA-256

• NPE

• IPv6

Validating the TPKI CONOPS on tactical systems will provide valuable information to develop Tactics, Techniques and Procedures (TTPs), identify gaps, and provide a basis for assessing doctrine, organization, training, materiel, leadership, personnel and facilities (DOTMLPF).

Potential follow-on operational testing to take place at the Network Integration Rehearsal / Network Integration Exercise (NIR/NIE) at Fort Bliss, TX.

Page 12

The Common Access Card (CAC) uses the Secure Hash Algorithm SHA-1 to authenticate users and grant access to networks and web applications, and to digitally sign documents, which provides authentication and non-repudiation. The hash protects information by detecting data tampering.

The National Institute of Standards and Technology (NIST) determined that SHA-1 has reached the end of its security lifecycle and that SHA-256 (a stronger algorithm allowing for better security) will be its replacement.

The Federal government has mandated the use of SHA-256 as of 01 JAN 11, with an exemption that allows Agencies/Departments/Services to use SHA-1 at their own risk until 31 DEC 13.

Continued use of SHA-1 impacts the Army's capability to interoperate with other Federal organizations (Department of Homeland Security, Department of State, Department of Justice, Veterans Affairs, Centers for Disease Control, Federal Bureau of Investigation, ...) that use or are migrating to SHA-256.

The Army will transition the NIPRNet (infrastructure, servers, web applications, workstations) from SHA-1 to SHA-256 over the next two years, with a proposed completion date of 31 DEC 13. This migration provides a standard SHA across the Federal Government for interoperability.
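A migration like the one described above starts with an inventory: which certificates on the infrastructure, servers and web applications are still signed with a SHA-1 algorithm. The signature algorithm is an OID in the outer signatureAlgorithm field of the DER-encoded certificate, so it can be read without a full X.509 parser. The block below is an added example, not code from this deck or from any Army tool; the host names are constructed, and the sample certificates are constructed, unsigned shells (empty tbsCertificate and signatureValue) built by the small DER writer at the bottom, which is enough for the outer structure the classifier reads. The OID table covers the RSA and ECDSA algorithms from RFC 3279, RFC 4055 and RFC 5758.

```python
"""
Inventory of X.509 signature algorithms (SHA-1 vs SHA-256 family) read from DER.
Added example, not from the LandWarNet deck or any Army tool. Sample certificates
are constructed, unsigned shells: empty tbsCertificate, empty signatureValue.
"""
from typing import Dict, List, Tuple

# signatureAlgorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (name, hash family)
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Minimal DER reader: (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content: bytes) -> str:
    """Decode OID content octets (first-octet split only covers first arcs 0 and 1)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip the TBS and return the OID inside the signatureAlgorithm AlgorithmIdentifier."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)                 # tbsCertificate, skipped
    tag, alg_id, _ = _read_tlv(body, pos)          # signatureAlgorithm
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(oid)


def classify(cert_der: bytes) -> str:
    """'SHA-1', 'SHA-256' or 'unknown' for the certificate's signature algorithm."""
    return SIG_ALG_OIDS.get(signature_algorithm_oid(cert_der), ("", "unknown"))[1]


def inventory(certs: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group host names by the hash family of their certificate signature."""
    out: Dict[str, List[str]] = {}
    for host, der in certs.items():
        out.setdefault(classify(der), []).append(host)
    return out


# --- minimal DER writer, used only to construct the sample certificates -------

def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def placeholder_cert(sig_oid: str) -> bytes:
    """Constructed certificate shell carrying only the signature algorithm OID."""
    tbs = _tlv(0x30, b"")                                 # empty tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)))    # AlgorithmIdentifier
    sig = _tlv(0x03, b"\x00")                             # empty BIT STRING
    return _tlv(0x30, tbs + alg + sig)


SAMPLE_CERTS = {                                          # constructed host names
    "dc01.example.mil": placeholder_cert("1.2.840.113549.1.1.5"),
    "web01.example.mil": placeholder_cert("1.2.840.113549.1.1.11"),
    "web02.example.mil": placeholder_cert("1.2.840.10045.4.3.2"),
}

if __name__ == "__main__":
    for family, hosts in sorted(inventory(SAMPLE_CERTS).items()):
        print(family, "->", ", ".join(sorted(hosts)))
```

Against real certificates, feed `inventory` the DER bytes read from each server (PEM files need the base64 body decoded first). Any host that lands in the "unknown" bucket needs a human look, since an OID missing from the table is not evidence that the certificate is SHA-256. Note that the field read here is the outer signatureAlgorithm; in a conforming certificate it must equal the signature field inside the tbsCertificate, and a full parser would check both.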

Page 13

The Army's SHA-256 Working Group is producing FRAGO 1 to the Army Data Center Consolidation Plan (ADCCP) EXORD to implement SHA-256 throughout the Army's NIPRNet.

The Army's plan is to fully support SHA-256 NLT 31 DEC 13.

• Transition plan for infrastructure, servers, applications and desktops:

  25% by 01 FEB 13

  50% by 1 MAY 13

  75% by 1 AUG 13

  100% completed by 01 NOV 13

The Army will conduct remediation and final verification from 1 NOV to 31 DEC 13.

Army ceases issuing tokens with SHA-1: 31 Dec 2013

Army starts issuing tokens with SHA-256: 1 Jan 2014

Page 14

Questions?

Tracy Traylor, CIO/G6 Cyber Directorate, IdM Division Chief, 703-545-1732,

[email protected]

Mark Dickson, CIO/G6 Cyber Directorate, PKI SIPR/Tactical Lead, 703-545-1736,

[email protected]

Dennis Nalli, CIO/G6 Cyber Directorate, PKI SIPR/Tactical, 703-545-1746,

[email protected]

Phil Juchem, CIO/G6 Cyber Directorate, PKI Tactical/SIPR, 703-545-1740,

[email protected]

Tim Hiligh, CIO/G6 Cyber Directorate, PKI SHA-256/Wireless, 703-545-1741,

[email protected]

Army SIPRNet PKI Token AKO Site: https://www.us.army.mil/suite/page/636329