11 May 1999. Thanks to Dan Dupont.

Inside the Army, 10 May 1999

Hamre pushes ahead with infosec effort


By Jeremy Singer

Copyright Inside the Army

A new public key infrastructure policy signed by Deputy Defense Secretary John Hamre last week will have a "huge impact" on the way the Army and other services conduct military and business affairs, a service official told Inside the Army last week.

"As far as electronic commerce goes, this is a watershed event," he said.

In many cases, the new policy will reduce the number of intermediaries handling documents and greatly expedite processes such as the approval of travel orders, he said.

PKI is one element of the layered strategy information assurance officials are working on this year. A department-wide PKI will allow DOD to communicate securely and help eliminate paper from the military's operations, two major priorities for Hamre. Public key cryptography involves two related keys, one public and one private. An infrastructure of people and systems is required to manage the keys and the services they provide, which include data integrity, user identification and authentication, encryption and digital signature.

"The DOD PKI, in the context of the Defense-in-Depth strategy, will provide a solid foundation for IA capabilities across the Department," Hamre wrote in the memo, obtained by Inside the Army.

"The goal of this DOD-wide infrastructure is to provide general-purpose PKI services (e.g. issuance and management of certificates and revocation lists in support of digital signature and encryption services) to a broad range of applications, at levels of assurance consistent with operational imperatives," he continued.

"Implementation of these policies will ensure that DOD components are using the infrastructure, and that future uses of public key cryptography as part of the Department's Defense-in-Depth strategy are consistent with threat and risk tolerance," Hamre concluded.

Hamre first outlined his plans for a defense-wide PKI in August 1997. The going has been slow, however, due to the complexities involved in implementing such an intricate system in such a large community. Just a few weeks ago, DOD released its PKI Roadmap, which begins to spell out in detail how the department will establish a PKI.

Key elements of the PKI are the issuance and revocation of digital certificates, which are electronic proofs of identity. According to Hamre's memo, Class 5 assurance certificates should be used for sending classified information over unencrypted networks. Class 4 certificates will be used for sending unclassified, mission-critical information over unencrypted networks, and for protecting information crossing classification boundaries.

Category one mission-critical systems, which the Clinger-Cohen Act says must be related to command and control of military forces, integral to a weapon or weapons system or critical to direct fulfillment of military or intelligence missions, must begin migrating to Class 4 certificates and tokens and achieve full implementation by June 2000, the memo states.

When operating over unencrypted networks, category two systems, which operate in direct support of systems identified by commanders-in-chief as mission critical, and category three systems, which are required to perform department-level and component-level core functions, must use Class 3 certificates. "These systems, that employ public key cryptography, must migrate to the use of Class 4 certificates and tokens by December 31, 2002," the memo states. "All other applications that employ public key technology (e.g. mission critical information on encrypted networks using [National Security Agency] Type 1 approved encryption, and mission support/administrative information on any networks) must use Class 3 certificates. All DOD users, at a minimum, will be issued a Class 3 certificate by October 2001."

The Defense Department plans to leverage two ongoing PKI efforts for the target PKI defined in the DOD road map: Fortezza (the near-term solution for Class 4) and Class 3, formerly known as medium assurance PKI. The memo directs DOD organizations to deploy trained personnel and installed software and hardware for registration operations for the efforts, as well as infrastructure with the capability to issue certificates from the Class 3 PKI to each member of the organization, by October 2000.

All certificates will evolve to Class 4 certificates with the target PKI, the memo states. As hardware token technology becomes more mature and ubiquitous, DOD will move from Class 3 to Class 4 certificates for all applications, the memo states. Components will begin to issue the Class 4 certificates by January 2002. The planned architecture for the Class 4 certificate will draw on the features of an identification card, building access token and workstation access token, on a single token.

Issuing a memo to get all DOD components on the same page will make the overall effort more cost-effective, the service source told ITA. "You need to engage the buying power of DOD," he said. "When you're talking about buying cards in the tens of thousands, it's very expensive, but when you start talking about ordering in the hundreds of thousands, the price begins to look quite reasonable."

The memo is also intended to make sure the services are on the same page to ensure interoperability, he continued, and difficulties could result if any of the components are lagging behind.

DOD plans to use external certificate authorities to ensure secure interoperability between the department and its vendors and contractors, according to the memo. "ECAs will operate under a process that delivers the level of assurance that is required to meet business and legal requirements," the document states.

By June 2000, DOD web servers that are not publicly accessible will need to have a minimum of Class 3 certificates, and will use these certificates for server authentication via the Secure Sockets Layer protocol or higher, the memo states; by October 2001, all private DOD and DOD-interest web servers will require client identification and authentication using Class 3 user certificates.

Incorporating the PKI policy in the tactical arena may present difficulties, the source said. Officials will need to decide "who has the authority to do what," he said. If an intelligence officer with access to restricted information is killed or otherwise incapacitated, the person stepping into his position must have the same attributes on his electronic identification to be able to access the same information, he said, and it is difficult to plan ahead for that type of contingency.