Although PIV cards are intended to be a standard source for PKI certificates, legacy hardware and software and the emergence of mobile devices have led DOE to adopt a gateway encryption appliance for secure e-mail.
Public-key infrastructure, or PKI, has emerged as a common tool for encrypting communications, and government has developed a federated infrastructure to create chains of trust to verify credentials, enabling the exchange of encrypted data between organizations.
“DOE has been doing PKI for more than a decade,” said Michele J. Thomas, the Energy Department’s PKI program manager.
The primary uses have been securing websites using Secure Sockets Layer and for exchanging unclassified e-mails. Over the years these needs have grown, particularly the need to communicate outside the department, she said. “We needed to be able to do it with our business partners.
Initially, DOE handled its own infrastructure. “We started out running our own PKI,” Thomas said. But issuing and managing the digital certificates used for encryption can be complex and expensive. “We decided that offering PKI services with a [General Services Administration]-approved cloud-based provider would be more cost-effective.”
The department is adopting the Entelligence Messaging Server from Entrust, an appliance that sits with the e-mail server and encrypts outgoing e-mail at the edge of the enterprise. “It gives us the ability to invoke PKI to encrypt and sign messages at the border rather than the desktop,” Thomas explained. “The increased demand for mobility is part of what is driving this.”
Moving computationally intensive cryptography off the desktop simplifies the process for the end user — encryption happens transparently — and for administrators because there is no additional desktop software to manage. It also accommodates the growing use of mobile devices and remote connections without jeopardizing security, because mobile and remote users typically already have a secure connection to the cloud, Thomas said. “It’s not in the clear,” she said. “You have a secure connection between the device and the mail server, and the mail server works with EMS to meet encryption policy.”
One tool in the encryption process is the Personal Identity Verification card, the interoperable electronic card mandated in Homeland Security Presidential Directive 12 that contains biometric data and digital certificates for authentication and for digital signatures and cryptography. The intent of the PIV card — and its Defense Department equivalent, the Common Access Card — is to provide a standard system for ID and access management for both logical and physical resources. But the card is not yet ready to support all of the department’s needs.
To enable secure communications “we use a combination of certificates on the PIV card and soft certs on the end devices,” Thomas said.
Although the cards have been issued and the standards and specification for using them are in place, implementing them in the real world is complicated by legacy technology that remains in place longer than expected and emerging technologies that are adopted more quickly than anticipated.
At the front end, “there are still a ton of one-time tokens sitting around government,” that are being used for authentication, said Bill Conner, Entrust president and CEO. They still work and are unlikely to be replaced with new schemes until the systems supporting them are upgraded.
On the back end, applications also have to be enabled to use PIV credentials for authentication and authorization. “There are a lot of legacy systems out there” that have not been upgraded, said Isadore Schoen, Entrust’s vice president of federal services. “Many agencies are not in a hurry to replace them.”
PIV cards require smart-card readers for authentication and access control. They are being put into use for desktop computers and laptops in the government workplace, but are less likely to be found on home PCs used for remote access and are comparatively rare on mobile devices such as BlackBerrys, iPhones, Android phones and others that are being used for e-mail and other tasks.
“The cost of the reader is pretty high,” Conner said. “You’ve got to overcome that bottleneck.”
Until the bottleneck is overcome there are some ways around it. The National Institute of Standards and Technology is updating Federal Information Processing Standard 201, which contains PIV card specifications. Proposed changes allow the use of electronic credentials derived from PIV cards in a variety of form factors for use with mobile devices, although the PIV card itself would continue to be in the standard smart-card format.
The requirements for PIV-derived credentials are specified in NIST Special Publication 800-157, Guidelines for Personal Identity Verification Derived Credentials.
Putting electronic credentials on the devices allow them to be used for virtual private networks and other connections that can establish secure links with the agency enterprise. Once in the enterprise, tools such as Entrust’s EMS can encrypt communications throughout the enterprise and with other organizations.
Adoption of virtual certificates along with technologies such as Near Field Communication to exchange the certificates is coming slowly in North America, and even more slowly in government, said Entrust’s Conner. “We’re seeing more of it in the private side rather than in the public side.” But he sees the adoption as inevitable and says it will help to drive down both the cost and the need for hardware readers for PIV cards.
Whatever means are used to log onto a government system, the EMS appliance is “becoming very popular with our federal customers,” Schoen said.
The EMS appliance can be set in the agency network or in a cloud and is transparent to the sender. It supports a variety of delivery options, including S/MIME, OpenPGP, AdobePDF and secure webmail standards, with a variety of encryption algorithms. An important feature for government users is the ability to do content scanning on encrypted outbound e-mails, either in the EMS appliance itself or through third-party scanners.
Encryption schemes on the desktop can enable outbound e-mails to pass without being scanned, creating a hole in data security. “That made a lot of agencies nervous,” Schoen said. Using the EMS appliance allows e-mails to be decrypted for scanning as well as for archiving in the clear if needed.
Although DOE began using EMS boundary encryption more than a year ago, it has not yet been adopted throughout the department. To date, four national labs and headquarters are using it, Thomas said. “We have some others that are considering it.”
The PIV card is a key component of the Federal CIO Council’s Identity, Credential and Access Management framework. And although the basic elements of a standards-based system are in place, the technology still is evolving and not yet ready for blanket implementation for all types of access and use of digital certificates, Thomas said.
“The PIV card needs to mature before it can be used for these things,” she said. “If you are going to use the certs on the PIV card to encrypt e-mail, it has to support key history,” which the most recent generations of the card now do.
And many of the systems the cards interface with must also change before they can be used as intended, she added. “Agencies are working diligently to redesign these. We are all in transition on this.”