INTERVIEW: R. Michael Green, Defense PKI chief
DOD tackles PKI challenges head-on
As director of the Defense Department's Public-Key Infrastructure Program Management Office, R. Michael Green helps set and implement PKI policy for use across Defense.
Previously, Green was chief of the Customer Support Services Office with the National Security Agency's Information Systems Security Organization. In that job, he assisted with information security within NSA and supported military and national security organizations throughout DOD.
Green also served as chief of the agency's National Information Infrastructure Program Management Office, which supported the Clinton administration's information technology initiatives.
In previous management positions, Green has directed the development of technology and standards for automated, secure electronic-key management techniques; led development of new digital secure voice applications; and led teams fielding microwave protection methods for commercial switched networks.
He also assisted research and development groups in creating special mathematical tools.
Green represents NSA on the Council of Representatives to the National Communications System, the Security Working Group of the Chief Information Officers Council and the State Department's Overseas Security Advisory Council.
Green, a Washington native, received a bachelor's degree in mathematics from the University of Maryland.
GCN: What's the status of deploying Class 4 certificates for the transmission of unclassified, mission-critical but high-level information over unencrypted lines? Will Class 4 certificates be used as the baseline for sensitive-but-unclassified messaging, or will you stick with Class 3 certificates, a slightly less-secure level?
GREEN: We plan to initiate the acquisition for the Defense Department's target Class 4 architecture early in the first quarter of fiscal 2001. The implementation strategy for the DOD Public-Key Infrastructure is practical and based on an evolution toward higher levels of assurance.
The Class 3 PKI, employing some of the best currently available commercial PKI standards and technology, will transition over time to the next generation of PKI represented by the Class 4 architecture. The objective baseline certificate level for DOD sensitive-but-unclassified messaging will be at the Class 4 level of assurance. That is not to say that there won't be some unique DOD requirements that will continue to best be met by the Class 3 PKI. I'm thinking of possibly the tactical user.
GCN: Explain the difference between hardware and software encryption.
GREEN: Simply put, the difference between a hardware-based solution and a software-based solution comes down to a question of assurance. Hardware can be more readily verified than software, can be made more resistant to tampering and can afford greater protection to the PKI users' private keys.
GCN: Some vendors have complained that the department is too reliant on Netscape Communications Corp. through Defense Information Systems Agency site licensing agreements. What's your view?
GREEN: There have been some misconceptions floating around about DOD's use of the Netscape components. First, DOD is not issuing Netscape certificates. The DOD certificates are completely standards-compliant and can move between a variety of applications from a variety of vendors.
There is nothing unique about the certificates that would prohibit other vendors from creating compatible certificates. In fact, we have already approved four interim external certificate authorities (Digital Signature Trust Co. of Salt Lake City, General Dynamics Corp., Operational Research Consultants Inc. of Alexandria, Va., and VeriSign Inc. of Mountain View, Calif.) that have produced DOD-compliant certificates. DOD trading partners and vendors use these certificates today.
DOD's objective is to field a PKI that is based on standards and employs appropriate commercial components. Unfortunately, in some cases there is no widely accepted industry standard. A prime example is the registration interface between the end entity and the certificate authority. No matter which certificate authority products are chosen, some number of vendor-specific or de facto standards must be selected.
During the inception of the DOD PKI, the Netscape Certificate Authority was a component that DOD already had in place and that we had tested. An existing licensing agreement that DOD had with Netscape gave us the ability to provide Netscape clients at no additional cost to DOD.
The Netscape products address a number of DOD requirements, namely the crypto-module meets the Federal Information Processing Standard 140-1. They provided a recovery mechanism for the confidentiality key. And, the Netscape client provided a native capability for subscriber-to-certificate-authority registration.
Although it is currently fielded, we are in no way tied to or committed to it in the future. It is fully our intent to use other vendors and products in future DOD PKI implementations. Keep in mind that until July, the DOD PKI was still in the pilot phase.
- Family: Wife, Marjory; three sons
- Car: Toyota Camry
- Last movie seen: "The Green Mile"
- Favorite Web site: www.iatf.net
- Motto: "Be on time, play hard, play smart, have fun."
- Dream job: Professional golfer
GCN: What are some of the technical challenges you are facing in making certificates available? What are some of the early adopters saying about how the technology is working?
GREEN: I'd say that the DOD PKI faces challenges in the areas of ensuring interoperability between vendor components and establishing DOD's directory infrastructure.
With respect to interoperability, we have established an effort with DISA to test PKI components at the Joint Interoperability Test Command at Fort Huachuca, Ariz. Initially our focus at JITC will be on testing cards and readers to support the fielding of smart cards as PKI tokens. Using smart cards as an example, our vision for interoperability would be for DOD users to be able to use their access card with PKI credentials installed across any number of off-the-shelf smart-card readers. Today a lack of standardization does not make this a given.
The DOD directories will perform a critical role in certificate validation and distribution of public-key certificates. Our identification of the PKI-specific directory requirements and their integration in the larger DOD directory structure is a significant challenge.
GCN: What are some of the lessons DOD learned from the Defense Message System deployment?
GREEN: Our experience with DMS has given us some very valuable lessons. Primary among them is that there is a great risk venturing out too far in front of the pack with a new technology.
When DMS development began in the early 1990s, the commercial PKI industry was not yet in its infancy, so DOD, by necessity, developed its own. When the marketplace realized the huge commercial potential of electronic commerce and PKI, and developed a commercial PKI and chose different algorithms, protocols, standards and architecture in their PKIs than did DOD, we could not keep up with the pace of innovation. Commercial industry is good at determining the business case, and they picked up quickly on the schism between what DOD was doing and what was going on in the marketplace.
The DOD PKI Program Management Office has a commitment to minimize the use of custom products as we migrate away from the current Class 4 PKI. For example, we have deployed the current Class 3 DOD PKI using mostly commercial, off-the-shelf technology. As I mentioned earlier, we have established a test center at JITC to test commercial PKI applications and products to see if they are interoperable with the DOD PKI, what we call public-key enabled or PKE.
We've also learned some valuable lessons about our technological architecture choices. Decentralizing the certificate authority function proved to be too expensive to support. While it does offer the user community some degree of flexibility, the difficulty in maintaining several hundred (or thousands in the original architecture) certificate authorities at an adequate security level is too resource-intensive.
Similarly, the use of a relatively expensive end-user token became unsupportable. We've learned that it is not practical to go for the armor-plated Rolls-Royce solution for every application. Our new philosophy is to gain widespread use of PKE applications by first fielding technology that is easy to use while providing tangible security benefits.