Sample U S Government Cryptography and Key Management

Sample U. S. Government Cryptography and Key Management Methods and Policies Information Security Management Spring 2005 Presented by Ling Wang

Presentation Agenda n Crypto & Key Management Overview n n Do. D/NSA Cryptography Policy n n Evolving Direction Current Status Caveat Do. D/NSA Approved Cryptography Do. D PKI Roadmap 2000 CAW & Fortezza® Card Usage Policy X. 509 Certificate Policy for Federal PKI

Direction of Government Cryptography & Key Management Policies n n n Evolving, particularly for classified information Trying to move from all expensive custom equipment to leverage off COTS products and standards where feasible Trying to move from point to point encrypted links to more modern and dynamic environments (e. g. Secure. XML) Complicated by new types of foreign military coalitions Complicated by new types of domestic “coalitions” (local law enforcement, fire departments. , etc. ) in homeland security

Status of Government Cryptography & Key Management Policies n n n Changes still being made Recent “roadmaps” are being changed Major problems still unsolved, especially for coalitions n n Patriot Act supposedly removed the “coalition” data sharing issue between FBI law enforcement and intelligence But lots of very expensive old crypto gear is still used by military and intelligence (legacy problem)

CAVEAT n n This talk has the most recent information released on the web (and even pre-web info) Some of it is already out of date for new deployments But a most of is still currently in use in places When you start your federal job, find out what is in place for your organization

Do. D/NSA Approved Cryptography - 1. Certified Components & Policies n An NSA-approved cryptography consists of 3 certified components: n n An approved algorithm An implementation that as been approved for the protection of classified information in a particular environment; nearly always a dedicated device A supporting key management infrastructure Plus: Appropriate Cryptography Policies!!!

Do. D/NSA Approved Cryptography - 2. Background Documents n n Privacy Act (1974): requires government to safeguard personal data on government systems Do. D Directive C-5200. 5 (1982) (revised 1990) defined basic crypto for classified data National Security Decision Directive 145 (1984): Mandates protection of both classified and sensitive (SBU) data. Guidance to come from NSA. (Revised by NSD 42, 1996) OMB Circular A-130 (1985) “Management of Federal Information Resources”: All federal IT systems required to provide a level of security against unauthorized access, commensurate with sensitivity, risk, and harm that could result from such access.

Do. D/NSA Approved Cryptography - 3. Background Documents (continued) n n n Computer Security Act of 1987 (1988): updates the Privacy Act of 1974. Standards and guidance for “non Warner Amendment” unclassified intelligence related data to come from NIST (then called the National Bureau of Standards) National Security Directive 42 (1990): Limits NSA involvement to classified and Warner Amendment unclassified data … Note that these relate primarily to confidentiality. NSA, Do. D, NIST all have policies based on these and other basic laws/directives.

Do. D/NSA Approved Cryptography - 4. Four (4) Encryption Levels n n Type 1 - U. S. Classified Type 2 - U. S. Federal Inter-Agency n n Type 3 - Interoperable Inter-Agency (Federal, State and Local) & Commercial Use n n For Sensitive but Unclassified (SBU) government communications; “Warner Amendment” unclassified data NIST-approved data encryption standards (DES, AES, etc. ) Type 4 - Proprietary n n Not a federal standard, not used for federal info Exportable, for Commercial & International use NSA is responsible for Type I, II; NIST for Type III standards

Do. D/NSA Approved Cryptography - 5. Type I devices n Algorithms n n Last 2 decades: Baton (crypto), Skipjack (crypto), Firefly (Key exchange) originally classified; now declassified Since 2003, AES is also allowed n n n 128 bit and higher for Secret 192 bit and higher for TS and above Keys n n n True random numbers needed Generation based on physical phenomena Historic: centrally generated and tested by NSA n n n Difficult distribution problem Now used for special purpose keys Session keys generated by NSA approved embedded hardware (e. g. , leaky resistor for random noise generation)

Do. D/NSA Approved Cryptography - 6. Type I devices (continued) n n n Hardware design approved by NSA Usually a separate hardware device (box, card) is required Careful attention to “red-black” separation n n Orange Book B 2 equivalent or better Check for covert channels, “sneak circuits” Check for cross-talk (EMSEC) Failure modes cannot allow for red to black link to open

Do. D/NSA Approved Cryptography - 7. Sample Type I devices n Historic: link encryptors; e. g. KG-84, KG-192, KIV… n n n Recent n n n Still lots in use New technology used to emulate old devices for compatibility KG 175 Taclane “classic” IP (7 Mb/sec) and ATM KG 75 Fastlane Asynchronous Transfer Mode (ATM) virtual circuit encryptor KG 189 SONET backbone encryptor STE encrypting phone Current and projected n High Assurance IP Encryption (HAIPE) program n n Multiple products now and in development NSA adaptation of IPSEC protocol for session setup, mutual authentication, key exchange, and headers

Do. D/NSA Approved Cryptography - 8. 2003 Type I High Speed Products

Secure Terminal Equipment (STE) n n n Key materials on Fortezza Smart Card/Crypto Engine Approved for Classified use Phone not classified when card is removed

Do. D/NSA Approved Cryptography - 9. Classification & Crypto Usage Class User Token Identification Algorithms 2 (Basic) Not in person Software Type 2 3 (Medium) In person Software Type 2 4 (High) In person 5 (Classified) In person Hardware (Smart. Cards/ Fortezza) Hardware (STE Fortezza Plus card ) Type 2 Type 1

Do. D/NSA Approved Cryptography - 10. Cryptography Usage Policies n n For Encryption: key & device must have classification & assurance level not lower than contents encrypted For Key Management: key issuer must have classification & assurance level not lower than key user; issuer may invalidate keys n n For PKI: PKI & CA must have classification & assurance level not lower than certificates it issues Two communication endpoints must have same classification & assurance level

Do. D/NSA Approved Cryptography - 11. Government AES Usage Policy n n NIST/FIPS approved for protecting sensitive (SBU) electronic data Reviewed & analyzed by NSA for classified data n n Algorithm allowed for classified, unclassified, & commercial use Crypto device needs NSA approval for classified Government agencies may send system specification to NSA for an NSA-developed implementation NSA approves AES for classified info: n n 128 -bit key & above are suitable for SECRET info TOP SECRET info requires 192 or 256 bits

Key Management - 1. Keys for Classified Information n Keys and “key material” (e. g. , hardware tokens) have a classification level (S, TS, SBU, etc. ) n n Key classification level must be >= information classification Keys are handled the same as any other information at that level n n n Identify and labels Access control, with storage in approved containers Inventory Possible compromises reported to ISSO Approved destruction When a secure communication link is set up using PKI, endpoints make sure that the other end is using a key of the right classification level.

Key Management - 2. Key Transfer n Key material: n n Paper (not used any more) Physical data storage examples n n DS 101 Fill Device CIK--Crypto Ignition Key Fortezza PCMCIA card OTAR (Over the Air Rekeying) n Sending new keys to a remote device over the communications link (keys are encrypted) & automatically loading the crypto devices

NSA KMI/PKI Today DISA Root Physical Root EKMS KMI PRSN Pilot Commercial Operations Current Do. D Class 3 PKI Current Class 4 PKI (DMS) Manual Systems High Grade Electronic Applications X. 509 Certificate Based Applications Class 3 and below PKI

Do. D PKI Roadmap 2000 - 1. Overview n Part of Do. D Key Management Infrastructure (KMI) n n A framework for generation, production, distribution, control, revocation, recovery, & tracking of public keys (certificates) & their corresponding private keys n n Uses CAW & Fortezza® cards for a X. 509 -based PKI Specially designed to suit Do. D needs, maintained by Do. D n n being a Critical Defense in Depth (Do. D multi-layer defense system) Layer Has a modular design, conforms to federal standards, being an integral component of Do. D KMI, focuses on a single (Class 4) assurance level, evolves in phases Implemented in phases: n n Existing: Class 3 PKI: Releases 1. 0, 2. 0, 3. 0 (Do. D PKI 1999) Underway: Class 4 PKI: Releases 4. 0, 5. 0, 6. 0 (Do. D PKI 2000)

Do. D PKI Roadmap 2000 - 2. PKI System Context in Do. D

Do. D PKI Roadmap 2000 - 3. PKI System Elements

Do. D PKI Roadmap 2000 - 4. PKI Functional Units (Elements) n The Users: Subscribers (direct users) & Relying Parties (indirect users) n n Registration (by Registration Authorities, RAs) n n n Uses the certificates (encryption & signing) Binds user to public key pair Level of trust determined by level of info verification Certificate Management (by Certificate Authorities, CAs; hierarchical & centralized) n generate, produce, distribute, control, track & destroy public/private key pairs & associated PK certificates

Do. D PKI Roadmap 2000 - 5. Do. D PKI Architecture

Do. D PKI Roadmap 2000 - 6. Do. D PKI Deployment

Do. D PKI Roadmap 2000 - 7. Do. D PKI Risk Management n n Funding/Resources (managed by NSA/DISA & relevant agencies) Scheduling (uses project management strategies) Application Development Risks (availability & interoperability of PKI implementations) Technical Risks (managed by technical strategies) n Scalability, interoperability, transparency, security. Directories, transition, support for tactical operations, support to OCONUS/Theater Operations, communication capabilities, etc.

Do. D PKI Roadmap 2000 - 8. Do. D PKI Roles User Registration Local Registration Authority Password LRA 2 Web-based 1 Public Key 3 ey K Web-Based Cert Auth (CA) Cert d se -ba b 4 Auto We Cert Private Key User 5 Relying Party Pull DOD Directory Services DOD PKI

Certificate Authority Workstation (CAW) & Fortezza® Cards n n CAW is a trusted hardware platform used to create certificates & place X. 509 certificates on Fortezza® cards CAW is operated by a certificate authoring team n n n Certificate Authority (CA): certification work System Security Officer/System Administrator (ISSO/SA): hardware operator Fortezza® cards are tamper-resistant PCMCIAcompliant devices (“portable hardware tokens”) used to store Do. D-issued X. 509 certificates & private keys, trademarked by NSA

Fortezza® Cards n n PCMCIA (“card bus”)-compliant hardware Implements NSA/NIST-compliant crypto standards for network security Used by Do. D organizations & individuals “tamper-resistant” = destroy key on malicious attempts

Fortezza® Card Usage Policies n Classifications & Labeling: n n n PIN-protected: n n SECRET Classified: Fortezza for Classified (FFC) [Red label] Unclassified: Sensitive but Unclassified (SBU) [White label] Unclassified when locked with owner’s PIN Classified as same level as its highest-level certificate (if multiple certificates present) 3 consecutive failed PIN checks disables card; only CAW can re -enable card and/or change PIN Security breaches & policy violations associated with a Fortezza® card must be reported n E. g. card loss/misuse/tampering/duplication, PIN compromise, user info changes/user leaves, certificate misuse, unattended terminals, etc.

user must sign & return the User Advisory Statement (UAS) within (up to) 60 days of delivery or the certificate will be considered compromised

X. 509 Certificate Policy for the U. S. Federal PKI Common Policy Framework n 3 certificate policies for different entities: n n n n Users w/ software crypto modules (class 2/3) Users w/ hardware crypto modules (class 4/5) Policy for devices Mandates 2048 -bit RSA or 224 -bit elliptic curves & SHA 224 or SHA-256 hashing Consistent with RFC-2527 X. 509 certificate format, with only the certificate management policies, identity verification methods, various certificate field formats (unique name formats, revocation list formats, etc. ), and key archival policies being specified for usage in governmental programs / Do. D Includes a guideline for operational security (physical / procedural / personnel) & technical security controls Used in the civilian side of the government

References n n n Public Key Infrastructure Roadmap for the Department of Defense, Version 5. 0, 18 December 2000 X. 509 Certificate Policy for the U. S. Federal PKI Common Policy Framework, Version 2. 2, 29 March 2005 The Certificate Authority Workstation white paper CNSS 15 FS – CNSS Policy No. 15, Fact Sheet No. 1, National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information, June 2003 Do. D Public Key Infrastructure Tutorial http: //www. e-publishing. af. mil/contentmgmt/PKI%20 Tutorial. ppt