Are you ready to PK-enable?

CHIPS, Winter, 2004 by Rebecca Nielsen, Kenya Spinks

Wouldn't it be so much simpler if Department of Defense (DoD) personnel had to remember only one Personal Identification Number (PIN) to carry out their daily responsibilities, no matter where they worked or traveled in an official capacity? This possibility will soon become a reality: all DoD members will rely on digital credentials to authenticate (i.e., prove their identity) to DoD Web servers and applications, in lieu of conventional usernames and passwords.

Two memos from the Assistant Secretary of Defense (ASD), dated May 17, 2001 (1) and May 21, 2002 (2), set forth the importance of Public Key Infrastructure (PKI) in the DoD Information Assurance (IA) technical strategy. The earlier memo, "Public Key Enabling (PKE) of Applications, Web Servers, and Networks for the DoD," states, "e-mail in all operating environments and Web applications in unclassified environments shall be PK-enabled." The later memo, "Public Key Infrastructure (PKI) Policy Update," set an implementation date of October 2003. However, the Department of the Navy Chief Information Officer (DON CIO) is aware that not all Navy Marine Corps Intranet (NMCI) eligible sites will have transitioned by the October 2003 deadline, and released a Naval message (3) granting the Department a six-month grace period. The Department's new implementation date for meeting the three PKE milestones identified in the May 21, 2002 memo is April 1, 2004, as shown in the chart below.

The plan is to meet the milestones via enterprise solutions within the DON. For example, the rollout of the NMCI includes the public key-enabled Microsoft Outlook e-mail client and Microsoft Windows 2000, which are capable of certificate-based logon. Sites that have already transitioned to NMCI should be on their way toward meeting the first two milestones.

The Navy Marine Corps Portal (NMCP) will support applications requiring PK-enabling. If the application requires only authentication, then integrating the application with the NMCP single sign on (SSO) solution meets the PK-enabling requirement. This article focuses on how to meet the third milestone, PK-enabling Web applications in unclassified environments.

What Is PK-Enabling?

PK-enabling is the process of using Public Key Infrastructure to provide solutions for some IA requirements. PKI itself is a framework established to issue, maintain and revoke public key certificates. (4) A certificate is a digital representation of information that at least:

* identifies the certification authority issuing it
* identifies or names its subscriber
* contains the subscriber's public key
* identifies its operational period
* is digitally signed by the certification authority issuing it (5)

The DoD has established a PKI to issue certificates to all DoD military and civilian employees and to other individuals who work fulltime on-site at DoD facilities. DoD PKI certificates are issued primarily on Common Access Cards (CAC). Eligible personnel, known as subscribers to the PKI, who receive their CAC, hold three digital credentials: an identity certificate, an e-mail signing certificate and an e-mail encryption certificate.

PK-enabling provides applications with the capability to rely on digital certificates, either in lieu of existing technologies such as usernames and passwords or to enhance functionality such as incorporating digital signatures. Because PKI is based on cryptography, PK-enabling can also provide encryption services such as creating an encrypted channel through an untrusted network or encrypting a file or message so that only the intended recipient can read it.

PK-enabling not only enhances the overall security of the application, but also benefits users and administrators by reducing the need for both individual and application password management. Users will no longer be required to remember usernames and passwords for each system they are authorized to access. Instead, users need only remember the single PIN that unlocks the private keys on their CAC. Administrators, while still required to manage who is authorized to access system resources, can map access rights to certificate identities and do not have to develop methods for transmitting initial passwords or managing password reset requests. Note that a certificate establishes who the user is, not what the user may do; the authorization decision remains the application's responsibility.

How to PK-Enable Web Applications

The primary requirement for PK-enabling Web-based applications is to authenticate users based on their digital certificate and associated private key. Certificate-based authentication consists of three steps: (1) establishing an encrypted communication channel, (2) validating the subscriber's certificate, and (3) performing a challenge-response between the server and the client to ensure that the user is the subscriber named in the certificate.

* Step 1: Establishing an encrypted communication channel. This step uses a protocol known as Secure Sockets Layer (SSL), or its successor, Transport Layer Security (TLS). The protocol requires the application server to send its public key certificate to the client. In the RSA key exchange used by SSL and early TLS, the client generates a random pre-master secret, encrypts it with the public key in the server's certificate and sends it to the server. Only the server's private key can decrypt it, so client and server now share a secret from which both derive the session keys used to encrypt all further communications. (TLS 1.3 replaced this key transport with an ephemeral Diffie-Hellman agreement, so the server's private key signs the handshake instead of decrypting the secret; the result for the application is the same: an encrypted channel to a server whose certificate has been checked.) Step 1 proves only the server's identity to the client; the subscriber's certificate enters in Steps 2 and 3.
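The certificate fields listed under "What Is PK-Enabling?", the mapping of access rights to certificate identities described above, and the server-side requirement that the client present a certificate can be shown together in one short example. The following Python is added here as an illustration; it is not code from the article or from the NMCI/NMCP rollout. It assumes Python's standard ssl module, and the issuer name (DOD CA-EXAMPLE), the subscriber names and the access-control list are constructed for the example. With verify_mode set to CERT_REQUIRED the TLS stack performs the signature check against the CA bundle and the challenge-response that proves possession of the private key (Steps 2 and 3); the application then re-checks issuer and operational period on the certificate it is handed and maps the subject to its rights.

```python
"""Certificate-based authorization for a PK-enabled Web application (added example)."""
import ssl
import time

# Constructed for this example: the expected issuer of subscriber certificates and
# an access-control list keyed by certificate subject commonName.  Neither is a
# real DoD value.
TRUSTED_ISSUER_CN = "DOD CA-EXAMPLE"
ACL = {
    "NIELSEN.REBECCA.1234567890": {"read", "write"},
    "SPINKS.KENYA.0987654321": {"read"},
}


def make_server_context(ca_bundle, server_cert, server_key, crl=None):
    """Server-side TLS context that requires and validates a client certificate.

    Paths are hypothetical.  The TLS stack checks the CA signature on the
    subscriber's certificate and verifies the client's signed handshake message,
    so application code only ever sees certificates that passed both checks.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED            # no client certificate, no session
    ctx.load_verify_locations(cafile=ca_bundle)    # trust anchors for subscriber certs
    if crl is not None:
        ctx.load_verify_locations(cafile=crl)      # a PEM CRL is loaded the same way
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    return ctx


def _rdn_value(name, attr):
    """Pull one attribute (e.g. 'commonName') out of the RDN tuples getpeercert() returns."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def authorize(peercert, now=None):
    """Map a validated peer certificate (ssl.SSLSocket.getpeercert() dict) to rights.

    Re-checks the fields every certificate must carry: operational period,
    issuer and subject.  Returns the subscriber's set of rights, or None to deny.
    """
    if not peercert:                               # nothing presented, or CERT_NONE
        return None
    now = time.time() if now is None else now
    try:                                           # operational period
        not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
        not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    except (KeyError, ValueError):
        return None
    if not (not_before <= now <= not_after):
        return None
    # TLS already chained the cert to a trusted CA; pin the expected issuer anyway so a
    # certificate from some other CA in the bundle cannot map onto this application's ACL.
    if _rdn_value(peercert["issuer"], "commonName") != TRUSTED_ISSUER_CN:
        return None
    subject_cn = _rdn_value(peercert["subject"], "commonName")
    return ACL.get(subject_cn)                     # unknown subscriber -> None


# Constructed sample in the shape getpeercert() returns for a subscriber's identity cert.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "U.S. Government"),),
                (("organizationalUnitName", "DoD"),),
                (("commonName", "NIELSEN.REBECCA.1234567890"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "U.S. Government"),),
               (("commonName", "DOD CA-EXAMPLE"),)),
    "version": 3,
    "serialNumber": "0A1B2C",
    "notBefore": "Jan 15 00:00:00 2004 GMT",
    "notAfter": "Dec 31 23:59:59 2006 GMT",
}

if __name__ == "__main__":
    during = ssl.cert_time_to_seconds("Jun 15 12:00:00 2005 GMT")
    print(authorize(SAMPLE_PEERCERT, now=during))   # {'read', 'write'}
```

In a real deployment getpeercert() is called on the accepted socket after the handshake and its result passed to authorize(); the expected issuer and the ACL would come from configuration rather than module constants. Revocation, the one function of a PKI the definition above names that this snippet only touches on, needs the CRL supplied through the crl argument so that a revoked subscriber certificate fails the handshake rather than reaching authorize().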

Content provided in partnership with Thompson Gale