24 October 2016

Improvements to public key infrastructure help soldiers at the tactical edge

By: Adam Stone, October 12, 2016
The Army says it’s moving closer to implementing new technologies that would make its baseline network security infrastructure easier to operate on the tactical edge. 
Public key infrastructure (PKI) enables human users as well as devices to verify each other’s identity and securely exchange data over networks. But implementing PKI in tactical settings remains a challenge. 
Given recent progress in Public Key Infrastructure in a Tactical Environment (PKITE) Army planners said soldiers could see improvements in usability starting sometime in 2017. PKITE saw major progress this spring, when it transitioned from the U.S. Army Materiel Command’s Communications-Electronics Research, Development and Engineering Center (CERDEC) into Program Executive Office Command, Control, Communications-Tactical (PEO C3T). This marked a new level of field readiness. 
“We feel the R&D solution has been matured enough to now begin transitioning over for actual fielding to the soldier,” said Bob Fedorchak, CERDEC Space and Terrestrial Communications Directorate (S&TCD) tactical public key infrastructure technical lead. 

 
The Defense Department has lined up behind PKI as its go-to implementation in matters of identity and user authentication. In March, DoD CIO Terry Halvorsen told a House Armed Services subcommittee that by migrating from weak password-based authentication to PKI, DoD would “reduce the ability of adversaries to use stolen credentials to obtain access to DoD networks and systems.” 
CERDEC officials say the equation becomes somewhat more complex when PKI is implemented in a tactical environment, largely because soldiers must keep PKI certificates timely. This is something that is relatively easy to achieve for an individual’s credentials, but it gets more complicated when it comes to validating devices. 
Virtually anyone within the DoD enterprise has a PKI credential attached to a Common Access Card, or CAC, which allows access to DoD’s unclassified networks and information-sharing capabilities. In the case of a CAC, a printed expiration date makes it clear when the time is drawing near to renew the PKI, noted Rocio Bauer, chief of the Tactical Network Protection Branch in the CERDEC S&TCD Cyber Security/Information Assurance Division. 

Because networking devices don’t come with any such visible reminder, it can be hard for a user to know when a refresh is coming due, Bauer noted. The end result can be a sudden loss of functionality, which could be catastrophic in a tactical situation. 

Tactical PKI is further complicated by the vast array of devices, networks and applications that make up the military communications landscape. The disconnected nature of many military networks compounds the problem. 

“PKI was created with an always-connected network in mind,” Fedorchak said. “With Army networks, they may be deployed to locations that don’t have an infrastructure, where things are not as robust as what you might encounter on the commercial side. ” 

PKITE addresses these challenges through automated reminders, giving network administrators an early heads-up when certificates are coming due to expire. Fedorchak envisions this becoming a critical systems management capability across the Army. 

“There are tens of thousands of systems out there and a very small staff of people who have to maintain those, and they are mostly just worried about keeping those systems up and running every day,” he said. “By automating this and by issuing that notification before that certificate expires, we can get to that soldier early and hopefully prevent that system from breaking in the future.” 

No comments: