DOD hands over PKI responsibility to NSA

The Defense Department this month officially transferred to the National Security Agency responsibility for the department's program overseeing the use of public-key encryption technology to secure internal and external DOD communications.

DOD plans to release April 19 two documents that lay out the department's public-key infrastructure (PKI) road map as well as the departmentwide use of digital certificates, said Richard Schaeffer Jr., director of information assurance within the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence. The documents will be released to DOD organizations and industry for feedback, which DOD will use to develop a final PKI road map. NSA must complete a plan to install PKI by mid-June, Schaeffer said.

"This will be the last opportunity for everyone involved to comment and [suggest changes]" to the documents, he said. The road map will provide the "ultimate vision" of DOD's PKI initiative, while NSA is responsible for drafting a plan for how "we will get there," Schaeffer said.

Gen. David J. Kelley, director of the Defense Information Systems Agency, said DISA will be involved in the development, procurement and operational aspects of carrying out the DOD PKI initiative.

"Some of these responsibilities include leading integration and operations of the centralized certificate management and directory services and developing [with NSA] the acquisition strategy," he said. "Our focus is on integrating PKI into the overall Information Assurance Defense-in-Depth strategy."

Government agencies are using PKI technology in pilot projects combining encryption, digital certificates and other technologies to authenticate a user's identity and to ensure that data and transactions are not tampered with during transmission over the Internet. PKI is considered one of the keys to the digital government of the future.

According to Schaeffer, who outlined DOD's PKI plan at the symposium "Information Assurance in the Information Age," the road map calls for the availability of a final external certificate authority, which will be used to secure electronic commerce transactions between DOD and industry, by June.

The road map also calls for the use of medium-assurance certificates, known as Class 3 certificates, on all DOD World Wide Web servers by June 2000. DOD has set the departmentwide encryption standard at Class 3 certificates, which are used to encrypt unclassified information, such as organizational e-mail transmitted over public unencrypted networks, and which provide what Schaeffer described as "face to face" authentication of users.

Class 2 certificates are used to encrypt unclassified information, but DOD does not plan to use them, Schaeffer said. Class 4 certificates - which are harder to break because they are contained in a hardware token, such as Fortezza PC Cards or smart cards - are used to encrypt what

Schaeffer called "mission critical" information on public networks. Class 5 certificates also use hardware tokens but are used to encrypt classified information transmitted on public networks.

In addition, DOD organizations have until October 2000 to install the infrastructure to support Class 3 medium-assurance certificates, which DOD will require all users to employ starting October 2001, Schaeffer said. DOD currently plans to begin migrating to Class 4 certificates by December 2002, he said; however, DOD still must work out the legal and liability issues of relying on a private-sector or DOD-developed digital signature for the external certificate authority, Schaeffer said.

"The department's [plan] is based on a very sound road map," Schaeffer said. "Every element of the [DOD] network will have a certificate."

DOD also may have a new hardware token available this summer, which Schaeffer called the "token of the future." It will provide all of the functionality of a Fortezza card without requiring a special reader device. The Fortezza PC Card is a credit card-size security device that authenticates users and encrypts e-mail; it has been one of the core components of NSA's Multilevel Information Systems Security Initiative. MISSI is an NSA-managed program designed to identify a broad range of security products and standards capable of providing security to systems across DOD - systems that require various levels of protection.

"The Fortezza cards give us a capability today to secure e-mail and organizational messages," Kelley said. "As new technologies evolve, they will be considered for integration into the program."

However, the new product, in development by a number of commercial companies, including Rainbow Technologies Inc., uses a Universal Serial Bus port interface, which makes it compatible with all modern desktop computers. Because the new USB-based token will be compatible with and available on all standard desktop systems purchased by DOD, it "has a tremendous amount of promise" to help DOD meet the security requirements for all of its users, according to Schaeffer.

Victor Wheatman, vice president of the Information Security Strategy Group at Gartner Group, San Jose, Calif., said that although not all DOD desktop computers currently have USB ports, the use of USB-capable hardware certificates provides a "better form factor for information security than smart cards and Fortezza cards." According to Wheatman, the form factor, or the shape and size of the device, is such that it can be worn around the neck and provides a "constant presence" in the minds of users.

Schaeffer also said DOD must develop an acquisition strategy that spurs industry to develop the products that DOD needs to make the PKI initiative work.

Richard Guida, chairman of the Federal PKI Steering Committee, said DOD continues to set the standard in PKI. "There's no question that DOD is ahead of all other agencies in thinking through PKI issues," he said. "What you see happening is a very large organization trying to bring an ordered approach to a very complex problem. But they're ahead of the power curve."