Tactical public key infrastructure concept of operations published.
The CONOPS outlines the Army's concept for employing PKI in tactical environments, including the Secret Internet Protocol Router Network and the Non-classified Internet Protocol Router Network, for tactical elements operating at any location from home station to deployment in support of Combatant Commands. The TPKI CONOPS documents the concept for TPKI as an extension of the existing Department of Defense and Federal PKI services to meet Army operating forces' cryptographic security needs.
The extension of these services provides the Warfighter with the ability to securely authenticate to and securely communicate with tactical resources as well as other resources across the Department of Defense Information Networks. TPKI will support registration of tactical subscribers (i.e. users), issuance of NIPRNet Common Access Cards, SIPRNet Tokens and Non-Person Entity or "device" certificates.
In conjunction with directory services, tokens and PK-enabled applications, TPKI will provide the framework and systems required to perform cryptographically based data integrity, authentication for network access control, data confidentiality and non-repudiation services. The TPKI CONOPS, which you can download at https://tiny.army.mil/R/VQMS/, describes the roles, responsibilities and relationships of systems and personnel and how the Army plans to implement PKI in tactical units.
The DoD Chief Information Officer has mandated the use of a PKI hardware token on both the NIPRNet and SIPRNet to eliminate anonymity and improve the security of these networks.
This provides greater security over username and password. With network access based on a PKI hardware token, it will be much harder for adversaries to access the DoDIN and the information and resources contained on it.
NIPRNet Common Access Card
As you probably know, the DoD-issued CAC is the primary identification card for Army Soldiers, Department of the Army Civilians, and contractors, and is the primary DoD PKI hardware token used on the NIPRNet.
The principal mechanism for CAC issuance is the deployable Real-time Automated Personnel Identification System workstation, which queries the Defense Enrollment Eligibility Reporting System database to verify the intended cardholder's identity. The tactical NIPRNet token (i.e. CAC) issuance process is managed by G-1/S-1 sections. Soldiers assigned to the Corps G-1, Division G-1, and Brigade Combat Team or Multifunctional Brigade S-1, serving as Verifying Officials, manage CAC issuance utilizing the RAPIDS Workstation to issue, reissue, and revoke NIPRNet CACs and perform Personal Identification Number resets. None of these functions can be performed in a disconnected environment--they require connection to the NIPRNet.
While in Garrison, the deployable RAPIDS workstation located at the Brigade S1 connects to the installation NIPRNet to access the Certificate Authorities in the Contiguous United States. While deployed, it typically connects over a "stove pipe" commercial Very Small Aperture Terminal satellite terminal issued with each deployable RAPIDS workstation. This system carries with it a huge monetary burden for lease of the equipment, satellite airtime, maintenance and customer support. SIGCoE TRADOC Capability Manager for the Global Network Enterprise, along with the Communications-Electronics Research, Development and Engineering Center, and the 35th Signal Brigade's 63rd Expeditionary Signal Battalion, have conducted DEERS/RAPIDS CAC PKI operations testing over a NIPRNet connection provided by a WIN-T tactical network. The results of this testing showed that the DEERS/ RAPIDS tasks and activities worked successfully over WIN-T. We were able to issue CACs and reset CAC PINs via the tactical network connection over the course of several test events. With these positive results, current budget constraints, and the Army's "Single Network Concept," removing the VSAT system from the Brigade S1 is being considered.
The primary DoD PKI hardware token used on the SIPRNet is the SIPRNet Token. Similar to the CAC, the SIPRNet Token contains certificates used only for logical network access, digitally signing, and encryption.
Unlike the multi-purpose CAC, the SIPRNet Token is not an identification card; it does not bear a photo of the subscriber, fingerprint or other personal information. Because the SIPRNet Token is not an ID card, the issuance process will be different from that for the CAC. The issuance procedures for SIPRNet Tokens are performed on a Certificate Issuance Workstation, also called a Local Registration Authority workstation, and managed by the Corps G6, Division G6, and the Brigade S6, not the G-1/S-1.
Signal Soldiers assigned to the BCT or Multifunctional Brigade S-6, serving as LRAs, Trusted Agents, or Enhanced Trusted Agents, will manage SIPRNet Token issuance utilizing the LRA workstation. TCM GNE, along with the Communications-Electronics Research, Development and Engineering Center Space & Terrestrial Communications Directorate Cyber Security Information Assurance Division, has tested the ability to issue SIPRNet Tokens on a tactical, bandwidth-constrained WIN-T network and successfully issued SIPRNet hardware tokens without any significant issues.
The CIW communicates with the Web-based Token Management System in CONUS, which manages the SIPRNet Token issuance process. The CIW is used to perform the following functions:
1) Formatting "new" cards for first-time use
2) Reformatting a used card for a new user
3) Resetting PINs when forgotten and/or blocked after too many PIN entry attempts
4) Re-enrolling the card when changing users
5) Displaying information about the card and the certificates on the card
Similar in many ways to Communications Security key management, Signal Soldiers assigned to the Brigade S-6 Information Assurance/Computer Network Defense Section will likely manage certificate issuance at the BCT brigade and battalion level. At the company level, where there is only one Signal Soldier currently authorized, the Signal Support Systems Specialist will perform TA duties. Note: The use of a TA or ETA at the battalion and company level are dependent upon the type of unit, the unit's staffing and the corresponding density of Soldiers that require use of a SIPRNet Token. Some units may elect to not use either position at the company level and only conduct SIPRNet Token issuance and sustainment operations from the brigade or battalion level.
Tactical SIPRNet Token Issuance
A user (i.e. Soldier) in a deployed BCT who needs a SIPRNet Token issued will go to their local company or battalion ETA/TA, or an LRA at brigade, division, or corps, and submit a request for SIPRNet access. As shown by the dotted arrows between the S6/G6 and the S2/G2 in the above figure, the company or battalion ETA/TA will submit the request to the brigade S6 LRA or ETA, who will submit it to the brigade S2 or commander for approval. The TPKI CONOPS provides more detail.
In addition to enabling secure authentication for person entities, TPKI will provide software certificates for authentication of Non-Person Entities. NPEs are non-humans, such as computers, operating systems, applications, services and devices like routers and switches. The Corps G6, Division G6, and Brigade S6 will be responsible for NPE certificate management. Signal Soldiers assigned to the BCT or Multifunctional Brigade S-6, serving as NPE Sponsors and NPE Verifying Officials, will manage NPE certificate issuance at the brigade utilizing a forthcoming NPE management solution.
Since the NPE Sponsor acts on behalf of the NPE in order to obtain a PKI certificate, this role should probably be filled by the S-6 Soldier(s) responsible for the administration, configuration, and operation of the NPE devices, services or applications. The DoD is currently working to select an NPE management solution for DoD Services and Agencies that will support auto-enrollment and auto-renewal to make the management of these certificates easier.
In order to provide software certificates to NPEs, two independent TPKIs will be established. The first is a Medium Assurance NPE, which utilizes the DoD PKI root with strict policy requirements and, therefore, a higher trust between devices, but is more difficult to implement in a tactical environment.
The second will be the Less Than Medium Assurance NPE, which will utilize a Service-oriented (Army) root to establish a Deployed CA. The LTMANPE is less secure, but easier to implement (i.e. fewer restrictions), and will allow computers, applications and devices to be dynamically issued credentials that enable secure connections to the tactical network and between tactical entities in the unit, creating a secure Network Operations environment.
This allows the NPE to auto-enroll or obtain its own certificates, which helps reduce the manual labor needed to manage the millions of devices within the Army.
TPKI and the Network
A critical component of PKI is checking whether a certificate has been revoked. A Certificate Revocation List is a file, published by the CAs, that contains the list of revoked certificates. DoD CRLs are hosted on the Global Directory Service and are available on NIPRNet and SIPRNet. A complete CRL contains the entire list of revoked certificates among all certificates issued by that CA. In tactical, bandwidth-constrained environments, a full CRL can take an excessive amount of time to download. Distributing CRLs throughout the DoD environment is increasingly challenging because the size of the CRL limits the ability of relying parties (persons or NPEs that rely on a certificate) to download it, typically because the download consumes the available bandwidth. Implementation of TPKI over WIN-T therefore introduces technical challenges for PKI certificate validation, since WIN-T has lower bandwidth and higher latency than strategic networks.
To overcome these challenges, CERDEC S&TCD CSIAD engineers have been testing possible solutions for increasing performance of PKI certificate validation services over WIN-T at the brigade and battalion level. These solutions include using alternate formats for the revocation lists and placing PKI infrastructure, such as OCSP repeaters and responders, at the brigade level. Testing results influenced development of the TPKI CONOPS and will help identify an optimal solution for distributing certificate revocation information to tactical systems, as well as to inform Army policy, requirements, Tactics, Techniques and Procedures, and configuration Best Business Practices for the implementation and deployment of PKI validation services within the Army tactical environment.
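The following is an added illustration of the relying-party side of this problem; it is not code from the article or from the Army's TPKI CONOPS. It contrasts the options the article names: downloading a complete CRL, using a smaller revocation-list format (here an RFC 5280 delta CRL, chosen as an assumption since the article does not say which alternate formats CERDEC tested), and querying an OCSP responder placed near the relying party. The issuer name, CRL numbers, serial numbers and timestamps are constructed, and the byte counts are of the toy text encoding used here, not of real DER-encoded CRLs. The check fails closed ("undetermined") when no fresh revocation data can be obtained.

```python
"""Relying-party revocation check under bandwidth constraints (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed "current time" for the scenario below.
NOW = datetime(2013, 1, 1, 12, 0, tzinfo=timezone.utc)


class Crl:
    """A complete or delta CRL: issuer, CRL number, validity window, serials."""

    def __init__(self, issuer, number, this_update, next_update, revoked,
                 base_number=None, unrevoked=()):
        self.issuer = issuer
        self.number = number
        self.this_update = this_update
        self.next_update = next_update
        self.revoked = frozenset(revoked)
        # Delta-CRL fields: the minimum base CRL number this delta applies to,
        # and serials to drop from the base (RFC 5280 reason removeFromCRL).
        self.base_number = base_number
        self.unrevoked = frozenset(unrevoked)

    def is_fresh(self, now):
        """A relying party must not trust a CRL outside its validity window."""
        return self.this_update <= now < self.next_update

    def encode(self):
        """Toy line-based encoding, used only to compare transfer sizes."""
        lines = [f"issuer={self.issuer}", f"number={self.number}"]
        lines += [f"R:{s}" for s in sorted(self.revoked)]
        lines += [f"U:{s}" for s in sorted(self.unrevoked)]
        return "\n".join(lines).encode()


def apply_delta(base, delta):
    """Combine a cached base CRL with a delta CRL into a new complete CRL."""
    if delta.issuer != base.issuer or delta.base_number is None:
        raise ValueError("delta CRL does not belong to this base CRL")
    if base.number < delta.base_number or delta.number <= base.number:
        raise ValueError("delta CRL number does not supersede the cached base")
    revoked = (base.revoked | delta.revoked) - delta.unrevoked
    # The combination is current as of the delta's own validity window.
    return Crl(base.issuer, delta.number, delta.this_update,
               delta.next_update, revoked)


def ocsp_answer(serial, responder_crl, now):
    """What a forward-placed OCSP responder returns from its own CRL copy."""
    if not responder_crl.is_fresh(now):
        status = "unknown"            # responder has no current data either
    elif serial in responder_crl.revoked:
        status = "revoked"
    else:
        status = "good"
    return f"serial={serial} status={status} producedAt={now.isoformat()}".encode()


def check_status(serial, now, cached_crl=None, ocsp=None, fetch=None):
    """Decide revocation status from the cheapest source that is fresh.

    Returns (status, source, bytes_transferred). 'ocsp' and 'fetch' are
    callables standing in for network access; None means unreachable.
    """
    if ocsp is not None:                       # one small response per cert
        resp = ocsp(serial)
        status = resp.decode().split("status=")[1].split()[0]
        if status != "unknown":
            return status, "ocsp", len(resp)
    if cached_crl is not None and cached_crl.is_fresh(now):
        status = "revoked" if serial in cached_crl.revoked else "good"
        return status, "cache", 0              # no bytes moved
    if fetch is not None:                      # full or delta download
        fetched = fetch()
        cost = len(fetched.encode())
        if fetched.base_number is not None:    # a delta needs a base to apply to
            if cached_crl is None:
                return "undetermined", "delta-without-base", cost
            fetched = apply_delta(cached_crl, fetched)
        if fetched.is_fresh(now):
            status = "revoked" if serial in fetched.revoked else "good"
            return status, "download", cost
    return "undetermined", "none", 0           # fail closed


def build_scenario(now):
    """Constructed CA data: a large base CRL (now expired) and a small delta."""
    issuer = "CN=Deployed CA (placeholder)"
    base = Crl(issuer, 41, now - timedelta(days=2), now - timedelta(hours=1),
               revoked=range(1000, 6000))             # 5000 constructed serials
    delta = Crl(issuer, 42, now - timedelta(hours=1), now + timedelta(days=1),
                revoked=[7001, 7002, 7003], base_number=41,
                unrevoked=[1500])                     # 1500 released from hold
    return base, delta


BASE, DELTA = build_scenario(NOW)
CURRENT = apply_delta(BASE, DELTA)   # what the CA and its OCSP responder hold

if __name__ == "__main__":
    print("full CRL bytes:", len(CURRENT.encode()), "delta bytes:", len(DELTA.encode()))
    print("OCSP:", check_status(7002, NOW, ocsp=lambda s: ocsp_answer(s, CURRENT, NOW)))
    print("stale cache, no link:", check_status(7002, NOW, cached_crl=BASE))
    print("stale cache + delta:", check_status(1500, NOW, cached_crl=BASE, fetch=lambda: DELTA))
    print("no cache + full CRL:", check_status(1500, NOW, fetch=lambda: CURRENT))
```

Running the script shows the trade-off the article describes: the full CRL costs tens of kilobytes in this toy encoding, the delta a few dozen bytes, and the OCSP answer is a single short message per certificate, but both the delta and the OCSP path depend on infrastructure (a cached base, a responder within the brigade's reach) that must itself be kept fresh.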
Looking ahead, TCM GNE, along with our SIGCoE and Army partners, will continue capabilities development and planning efforts towards implementation of TPKI.
Analysis is ongoing to determine potential impacts and actions necessary in the areas of doctrine, organization, training, materiel, leadership, personnel, and facilities. This analysis will address some details of TPKI implementation that were outside the scope of the CONOPS.
Testing of TPKI certificate validation alternatives is ongoing and the results will help determine the solution chosen for implementation.
Regardless of the specific solution chosen, one thing is certain: TPKI will enhance the security and safety of Army computer networks by establishing an integrated capability that provides network access control, minimizes insider threats, and audits user activities across the cyber domains.
BCT--Brigade Combat Team
CAC--Common Access Card
CERDEC--Communications-Electronics Research, Development and Engineering Center
CIO--Chief Information Officer
CIW--Certificate Issuance Workstation
CONOPS--Concept of Operations
CONUS--Contiguous United States
CRL--Certificate Revocation List
CSIAD--Cyber Security Information Assurance Division
DAC--Department of the Army Civilians
DEERS--Defense Enrollment Eligibility Reporting System
DoD--Department of Defense
DoDIN--Department of Defense Information Networks
DOTMLPF--Doctrine, Organization, Training, Materiel, Leadership, Personnel, and Facilities
ETA--Enhanced Trusted Agent
IA/CND--Information Assurance/Computer Network Defense
LRA--Local Registration Authority
LTMANPE--Less Than Medium Assurance NPE
NIPRNet--Non-classified Internet Protocol Router Network
NSA--National Security Agency
OCSP--Online Certificate Status Protocol
PIN--Personal Identification Number
PKI--Public Key Infrastructure
RAPIDS--Real-time Automated Personnel Identification System
S&TCD--Space & Terrestrial Communications Directorate
SIGCoE--Signal Center of Excellence
SIPRNet--Secret Internet Protocol Router Network
TCM GNE--TRADOC Capability Manager for the Global Network Enterprise
TMS--Token Management System
TPKI--Tactical Public Key Infrastructure
VSAT--Very Small Aperture Terminal
WIN-T--Warfighter Information Network-Tactical
Michael A. Jones presently works as an Army contractor in support of the TCM GNE Network Assurance Section, U.S. Army Signal Center of Excellence at Fort Gordon, Ga. He is a retired Information Technology Specialist (MOS 25B) Signal Soldier with five years' experience as an Army Network Assurance capabilities developer.
Jimmy L. Kilgore presently works as an Army contractor in support of the TCM GNE Network Assurance Section, U.S. Army Signal Center of Excellence at Fort Gordon. He is a retired Signal Support Systems Specialist (MOS 25U) Signal Soldier with three years' experience as an Army Network Assurance capabilities developer.
Authors: Michael Jones; Jimmy Kilgore
Date: Jan 1, 2013