Energy adapts its PKI to handle old and new technologies

Although PIV cards are intended to be a standard source for PKI certificates, legacy hardware and software and the emergence of mobile devices have led DOE to adopt a gateway encryption appliance for secure e-mail.

Public-key infrastructure, or PKI, has emerged as a common tool for encrypting communications, and government has developed a federated infrastructure to create chains of trust to verify credentials, enabling the exchange of encrypted data between organizations.

“DOE has been doing PKI for more than a decade,” said Michele J. Thomas, the Energy Department’s PKI program manager.

The primary uses have been securing websites using Secure Sockets Layer and for exchanging unclassified e-mails. Over the years these needs have grown, particularly the need to communicate outside the department, she said. “We needed to be able to do it with our business partners.

Initially, DOE handled its own infrastructure. “We started out running our own PKI,” Thomas said. But issuing and managing the digital certificates used for encryption can be complex and expensive. “We decided that offering PKI services with a [General Services Administration]-approved cloud-based provider would be more cost-effective.”

The department is adopting the Entelligence Messaging Server from Entrust, an appliance that sits with the e-mail server and encrypts outgoing e-mail at the edge of the enterprise. “It gives us the ability to invoke PKI to encrypt and sign messages at the border rather than the desktop,” Thomas explained. “The increased demand for mobility is part of what is driving this.”

Moving computationally intensive cryptography off the desktop simplifies the process for the end user — encryption happens transparently — and for administrators because there is no additional desktop software to manage. It also accommodates the growing use of mobile devices and remote connections without jeopardizing security, because mobile and remote users typically already have a secure connection to the cloud, Thomas said. “It’s not in the clear,” she said. “You have a secure connection between the device and the mail server, and the mail server works with EMS to meet encryption policy.”

One tool in the encryption process is the Personal Identity Verification card, the interoperable electronic card mandated in Homeland Security Presidential Directive 12 that contains biometric data and digital certificates for authentication and for digital signatures and cryptography. The intent of the PIV card — and its Defense Department equivalent, the Common Access Card — is to provide a standard system for ID and access management for both logical and physical resources. But the card is not yet ready to support all of the department’s needs.

To enable secure communications “we use a combination of certificates on the PIV card and soft certs on the end devices,” Thomas said.

Although the cards have been issued and the standards and specification for using them are in place, implementing them in the real world is complicated by legacy technology that remains in place longer than expected and emerging technologies that are adopted more quickly than anticipated.

At the front end, “there are still a ton of one-time tokens sitting around government,” that are being used for authentication, said Bill Conner, Entrust president and CEO. They still work and are unlikely to be replaced with new schemes until the systems supporting them are upgraded.

On the back end, applications also have to be enabled to use PIV credentials for authentication and authorization. “There are a lot of legacy systems out there” that have not been upgraded, said Isadore Schoen, Entrust’s vice president of federal services. “Many agencies are not in a hurry to replace them.”

PIV cards require smart-card readers for authentication and access control. They are being put into use for desktop computers and laptops in the government workplace, but are less likely to be found on home PCs used for remote access and are comparatively rare on mobile devices such as BlackBerrys, iPhones, Android phones and others that are being used for e-mail and other tasks.

“The cost of the reader is pretty high,” Conner said. “You’ve got to overcome that bottleneck.”

Until the bottleneck is overcome there are some ways around it. The National Institute of Standards and Technology is updating Federal Information Processing Standard 201, which contains PIV card specifications. Proposed changes allow the use of electronic credentials derived from PIV cards in a variety of form factors for use with mobile devices, although the PIV card itself would continue to be in the standard smart-card format.

The requirements for PIV-derived credentials are specified in NIST Special Publication 800-157, Guidelines for Personal Identity Verification Derived Credentials.

Putting electronic credentials on the devices allow them to be used for virtual private networks and other connections that can establish secure links with the agency enterprise. Once in the enterprise, tools such as Entrust’s EMS can encrypt communications throughout the enterprise and with other organizations.

Adoption of virtual certificates along with technologies such as Near Field Communication to exchange the certificates is coming slowly in North America, and even more slowly in government, said Entrust’s Conner. “We’re seeing more of it in the private side rather than in the public side.” But he sees the adoption as inevitable and says it will help to drive down both the cost and the need for hardware readers for PIV cards.

Whatever means are used to log onto a government system, the EMS appliance is “becoming very popular with our federal customers,” Schoen said.

The EMS appliance can be set in the agency network or in a cloud and is transparent to the sender. It supports a variety of delivery options, including S/MIME, OpenPGP, AdobePDF and secure webmail standards, with a variety of encryption algorithms. An important feature for government users is the ability to do content scanning on encrypted outbound e-mails, either in the EMS appliance itself or through third-party scanners.

Encryption schemes on the desktop can enable outbound e-mails to pass without being scanned, creating a hole in data security. “That made a lot of agencies nervous,” Schoen said. Using the EMS appliance allows e-mails to be decrypted for scanning as well as for archiving in the clear if needed.

Although DOE began using EMS boundary encryption more than a year ago, it has not yet been adopted throughout the department. To date, four national labs and headquarters are using it, Thomas said. “We have some others that are considering it.”

The PIV card is a key component of the Federal CIO Council’s Identity, Credential and Access Management framework. And although the basic elements of a standards-based system are in place, the technology still is evolving and not yet ready for blanket implementation for all types of access and use of digital certificates, Thomas said.

“The PIV card needs to mature before it can be used for these things,” she said. “If you are going to use the certs on the PIV card to encrypt e-mail, it has to support key history,” which the most recent generations of the card now do.

And many of the systems the cards interface with must also change before they can be used as intended, she added. “Agencies are working diligently to redesign these. We are all in transition on this.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.