AgendaAgenda

The ThreatThe Threat

The AnswerThe Answer

What is PKIWhat is PKI

What is PKEWhat is PKE

PKE ServicesPKE Services

WhoWho Needs PKE Services Needs PKE Services

WhatWhat can be PK Enabled can be PK Enabled

WhenWhen do you PK Enable an Application do you PK Enable an Application

WhyWhy Implement PKE Implement PKE

WhereWhere can I find more PKE Information can I find more PKE Information

HowHow do you PK Enable an Application do you PK Enable an Application

CostCost of PK Enabling an Application of PK Enabling an Application

ROI ROI for PK Enablingfor PK Enabling

ConclusionConclusion

The ThreatThe Threat

The Spread of the Code-Red Worm (CRv2) An analysis by David Moore (dmoore@caida.org) on the spread of the Code-Red (CRv2) Worm.

Source: Computer Security Institute/FBI Computer Intrusion Squad, Washington; survey of 538 IT security professionals

Analysis By Incident2001 Economic Impact of Malicious Code Attacks

YearCode  Name

Worldwide Economic Impact 

($ U.S.)

Cyber  Attack Index

2001 Nimda $635 Million 0.73

2001 Code Red(s) $2.62 Billion 2.99

2001 SirCam $1.15 Billion 1.31

2000 Love Bug $8.75 Billion 10.00

1999 Melissa $1.10 Billion 1.26

1999 Explorer $1.02 Billion 1.17

Michael Erbschloe, vice president of research at Computer Economics and author of Information Warfare: How to Survive Cyber Attacks.

359,000 servers in less than 14 hours

The AnswerThe Answer

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Virus

Laptop Theft

Unauthorized Access by Insider

Denial of Service

Unauthorized Access by Outsider

Theft of Proprietary Info

Sabotage of Data/Network

Financial Fraud

2001 2000

1999 1998

Source: CSI/FBI Computer Crime and Security Survey, 1998-2001)

Non-Repudiation

Authentication

Integrity

Confidentiality

Encryption

Digital Signature

Audit trail

Security in Depth

Key Escrow

Validation

High & Medium Assurance

Code Signing

Public Key Enabling (PKE)

Public Key Infrastructure (PKI)

CAPABILITIES

What is PKI ?What is PKI ?

PKI is the PKI is the frameworkframework and and services that provide the services that provide the following:following:

Digital Key Generation

Digital Key Distribution

Digital Key Revocation

Digital Key archiving

Digital Key tracking

Digital Key Destruction

Digital Key Certificate policyPublic Key Infrastructure Roadmap for the Department of Defense, 29 October 1999 Version 3.0

CERTIFICATE MANAGEMENT

POLICy

PEOPLEHouse without Furniture

Plane without an Engine

Car without Wheels

FACILIT

IES PROCEDURES

What is PKE ?What is PKE ?

Public Key Infrastructure (PKI) Public Key Infrastructure (PKI) alone is not sufficient to meet alone is not sufficient to meet DoD mission requirementsDoD mission requirements

A Public Key Enabled A Public Key Enabled application, Server or Network application, Server or Network is one that can accept and is one that can accept and process a DoD X.509 certificate process a DoD X.509 certificate to support one or more specific to support one or more specific functions:functions:

Digital SignatureDigital Signature

Data EncryptionData Encryption

User AuthenticationUser Authentication

Date IntegrityDate Integrity

Non-RepudiationNon-Repudiation

PKE ServicesPKE Services

AuthenticationAuthentication

Access control Access control

Data confidentialityData confidentiality

Data integrityData integrity

Non-repudiation:Non-repudiation:

Ascertaining that an entity is who Ascertaining that an entity is who or what he/she/it claims to beor what he/she/it claims to be

Authorization determining what Authorization determining what resources an authenticated resources an authenticated identity can access and what identity can access and what actions he/she/it can performactions he/she/it can perform

Preventing data interception by Preventing data interception by using encryptionusing encryption

Ensuring that the information has Ensuring that the information has not been changed or tampered not been changed or tampered with in any waywith in any way

Ensuring that authenticated Ensuring that authenticated identities cannot deny performing identities cannot deny performing actions that he/she/it performedactions that he/she/it performed

33728Alice

TO: BOB

FROM:ALICE

TO: BOB

999081Bob

TO:BOB

Dear Bob,

Please use PKI next time.

Love, Alice

Who Needs PKE Services ?Who Needs PKE Services ?

Application Developers and AnalystsApplication Developers and Analysts

Web MastersWeb Masters

Systems AdministratorsSystems Administrators

Security ManagersSecurity Managers

CommandersCommanders

Senior StaffSenior Staff

Crisis Action TeamsCrisis Action Teams

Network ManagersNetwork Managers

Systems integratorsSystems integrators

Application program ManagersApplication program Managers

End users of End users of Command and Control applicationsCommand and Control applications

Sensitive applicationsSensitive applications

Financial or high dollar applicationsFinancial or high dollar applications

Sensitive or privacy informationSensitive or privacy information

• Encrypt web traffic over the Encrypt web traffic over the InternetInternet

• Sign and encrypt electronic Sign and encrypt electronic mailmail

• Authenticate users for access Authenticate users for access managementmanagement

• Digitally sign documents for Digitally sign documents for non-repudiationnon-repudiation

• Manage network accessManage network access

• Virtual Private Network (VPN)Virtual Private Network (VPN)

RequirementRequirement What do You NeedWhat do You Need

What can be PK Enabled ?What can be PK Enabled ?

• 128-Bit web browser128-Bit web browser

• S/MIME compatible email S/MIME compatible email clientclient

• PKE client tool (such as PKE client tool (such as web browser)web browser)

• PKE signature client toolPKE signature client tool

• PKE networkPKE network

• PKE firewall or VPN toolPKE firewall or VPN tool

           

When do you PK Enable an Application?When do you PK Enable an Application?

1. All DoD unclassified networks that authenticate users

2. Unclassified DoD networks hosting Mission Category I systems

3. All unclassified private DoD Web Servers4. E-mail in all operating environments5. Web applications in unclassified

environments6. Legacy, Mission Category I applications

that use or require the use of public key cryptography shall be PK enabled to interoperate with the DoD PKI.

7. Sensitive unclassified systems handling high value (both dollar and mission value)

8. Applications processing classified information in a high-risk environment (over an unprotected network)

Why Implement PKE ?Why Implement PKE ?

• AuthenticationAuthentication

• Access control Access control

• Data confidentialityData confidentiality

• Data integrityData integrity

• Non-repudiationNon-repudiation

• Digital EncryptionDigital Encryption

• Digital SignatureDigital Signature

Risk Management

Risk Avoidance

New Technology

Online banking

Online payment of bills

E-Signing law

Legally, binding mechanism

Verify identity of customer

Sign online transactions

Promotes the electronic delivery of services

Secure infrastructure

Federal and StateInteroperability

43 countries have Digital Certificate laws

DoD MandateEase of use

Increase SecurityCost Reduction

Espionage

Privacy

NATO & Coalition Partners

WhereWhere can I find more can I find more PKEPKE Information?Information?

https://itac.lackland.af.mil/product.asp?prod=58

                 

http://jitc.fhu.disa.mil/pki/index.html

http://www.digsigtrust.com/

http://www.verisign.com/

http://csrc.nist.gov/encryption/kms/

http://web.mit.edu/network/ietf/sa/

  U.S. Department of Health and Human Services

http://aspe.os.dhhs.gov/admnsimp/https://warlord.spawar.navy.mil/PKI/

http://eca.orc.com/

http://iase.disa.mil/

Defense Information Systems Agency

http://www.c3i.osd.mil/org/sio/ia/pki/index.html

http://www.defenselink.mil/acq/ebusiness/projects/proj_pki.htm

https://afpki.lackland.af.mil/

https://www.noc.usmc.mil/secure/PKI/default.htm

       

HowHow do you PK Enable an Application? do you PK Enable an Application?

There are many approaches to PKI enabling an There are many approaches to PKI enabling an application; which one is best?application; which one is best?

– Direct modification of applicationDirect modification of application

– MiddlewareMiddleware

• Web-based front endWeb-based front end

• Proxy type applicationProxy type application

– EncapsulationEncapsulation

• VPNVPN

• IPSecIPSec             

PK Enabling ImplementationsPK Enabling Implementations

– Single sign onSingle sign on

– Wireless applicationsWireless applications

– Virtual private networksVirtual private networks

– Web authenticationWeb authentication

– Content managementContent management

– Intrusion detectionIntrusion detection

– Network managementNetwork management

– Secure e-mail (S/MIME)Secure e-mail (S/MIME)

– Database Access ControlDatabase Access Control

Native APIs (OS- or Product-Specific)

NewPKI-EnabledApplications

Shims

LegacyApplications

Plug-Ins

PKI-AwareApplications

Best practices

• Requirements Analysis• Mission Linkage• Cost Analysis• Risk Analysis• Pilot Testing• Program Evaluation• Implementation• Re-Evaluation

The principle factors that must be considered when Cost Estimating the PK Enabling of an application are as follows:

• The present Architecture of the system

• Method of PK Enabling

• Hardware

• Software

• Training

• Manpower

• Travel

• Testing

CostCost of PK Enabling an Application? of PK Enabling an Application?

The first step in Public Key Enabling an application is to perform a requirements assessment. Generally, this involves understanding exactly what functions the application is required to accomplish.

ProcessImprovement

Costs

ComplianceRisk

Total Cost of InvestmentTCO

Return on InvestmentROI

ROI ROI for PK Enabling?for PK Enabling?

ROI Factors

– Compliance with Policy

– Risk Reduction

– Process improvements

– Overall Cost reduction

– Less errors, downtime, or lost productivity

Option-Based Pricing

Treats the outcome of investing one stage/phase of a project as a pre-requisite for the next

Valuation is more complex

Useful for justifying pilot projects

Pay-Back Analysis

Looks at the time required to recoup investment (also called breakeven time)

Helps to quantify risk exposure

Undercounts upside project benefits

6-9 month payback is a good rule of thumb

Purchase Justification: Calculations

TCO = Total Costs of Ownership

NPV = PV (Benefits) – PV (Costs)

Payback Time = T where Σ(Benefits)t = Σ(Costs)t

ROI = Benefits - Costs

Costs

ROO = Benefits to Business Growth - Costs

Costs

Different MethodologiesDifferent Factors

Different Cost basis

ConclusionConclusion

Call us (210) 925-2562, DSN Prefix 945

Fax us (210) 925-2641/2644, DSN Prefix 945

Visit us on the Web https://afpki.lackland.af.mil/

Visit us 4241 E. Piedras Dr., Suite 210, San Antonio, TX

Write us 4241 E. Piedras Dr., Suite 210, San Antonio, TX

Benefits of PKI/PKE Stronger authentication than userid/password

Easier management and administration of

devices

Investment in secure infrastructure can be

leveraged for additional applications Reduced risk of data loss / theft Privacy and integrity of data Authentication of user User accountability to data Centralized control of trust policies and

parameters Provable chain of evidence as to the authenticity

of documents Authorization to access documents based on

user authentication