PKI familiarization continues at Combined Endeavor 2008

Story by U.S. Army National Guard Spc. Melissa Shaw, Combined Endeavor 2008 Public Affairs

BAUMHOLDER, Germany (May 11, 2008) - Nations participating in Combined Endeavor 2008 continue their efforts to master Coalition Public Key Infrastructure (PKI) with the countries participating jumping from 16 in 2007 to 30 this year.

More than 40 participating nations use CE 08 to plan, prepare and practice a full range of communications, equipment, policies and procedures prior to deploying for NATO missions and emerging real-world crises.

The expedient set up of secure, electronic communications is a key component to success of these missions. To address this, CE  coalition nations have been working at CE and throughout the year to develop coalition PKI, making further strides toward success with each year.

"There is a delicate balance between sharing information and protecting sensitive material when coalition forces come together in times of need. CE training missions are the perfect environment for increasing familiarity with the PKI process to reduce the amount of time it can take to establish and maintain interoperability," said Dan Jeffers, a civilian PKI network engineer with Booz Allen Hamilton, an IT consultation group working with the Department of Defense.

PI cryptography, also known as asymmetric cryptography, is a form of cryptography in which a user has a pair of cryptographic keys-a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key.

Public key encryption is where a message encrypted with a recipient's public key cannot be decrypted by anyone except the recipient possessing the corresponding private key. This is used to ensure confidentiality.

A digital signature is where a message signed with a sender's private key can be verified by anyone who has access to the sender's public key, proving that the sender signed it and that the message has not been tampered with. This is used to ensure authenticity.

A central problem for public-key cryptography is proving that a public key is authentic, has not been tampered with nor replaced by a malicious third party. The usual approach to this problem is to use a public-key infrastructure (PKI), in which one or more third parties, known as certificate authorities, certify ownership of key pairs, said Jeffers.

Public key techniques are much more complex than purely symmetric algorithms. For encryption, the sender encrypts the message with a secret-key algorithm using a randomly generated key, and that random key is then encrypted with the recipient's public key.

The public key infrastructure provides for digital certificates that can identify an individual or an organization and allow signing and encrypting of email as well as directory services to allow the sharing of individuals and organizations public keys as well as certificate revocation lists.  The PKI infrastructure also supports the revocation of certificates as needed and their inclusion in regular published certificate revocation lists.

"Although the components of a PKI are standard, each nation can have its own implementation making testing sessions a slow process for the PKI team members" said Patricia Janssen, PKI deputy program manager.

Irish PKI manager, Staff Sgt. Sean Hennessey, said personnel training is the most important aspect of the preparation prior to CE 08. Several nations have individuals heading up their PKI task forces who have never worked with Internet development or certification authorities before.

During last year's training mission, Ireland had the opportunity to fill in as the leaders for its regions' PKI training, said Hennessey.

Often, the PKI managers are starting from scratch and spend considerable personal time developing their skill levels.           

"When we returned home, I and the other four members of my team continued our education on our own time and have developed training slides specifically addressing the needs of those in Region A, on top of our full time jobs," said Henessey.

Additionally, "the U.S. Department of Defense is working on a generic training module for PKI so that all nations involved in coalition operations will hopefully be on the same level of skill," said Janssen.

While technical difficulties can slow progress at the CE training mission down to a snail's pace, often it is the training an individual is willing to put after hours in that makes the difference between successful communication and frustration.

To help countries wishing to use PKI understand it better, the network team puts in many hours talking with each nation's Internet specialist.

"PKI consists of four things. First, a certificate authority issues the certificate and maintains the revocation lists used to verify digital certificates," said Kit Howell, infrastructure engineer and team member. "A certificate includes the public key or information about the public key. Second, a registration authority acts as the verifier for the individual and/or organization requesting a certificate before a digital certificate is issued to a requestor. Third, one or more directories are needed where the public keys of the certificates are held. And last, there is a certificate management system."

Howell works with MITRE, a federally funded research and development corporation supporting the Air Force PKI development and the Defense Information Sytems Agency.

In public key cryptography, a public and private key are created simultaneously using the same algorithm by a certificate authority. The private key is given only to the requesting party and the public key is made publicly available via a directory that all parties can access.

The public and private key pairs are used to protect e-mail messages.  A user signs the message using their private, which the recipients verify using the public key.  The reverse is true for encryption where the sender uses the recipient's public key to encrypt the messages and the recipient then uses their private key to decrypt the message.

There are three aspects of PKI that include the certificate authority, website set up and the use of certificates by the end user.

This PKI certificate authority set up can be complicated and the individuals involved in the development, training and end user explanations are the life blood that keeps PKI going through its many evolutions.

The opportunity for face time with the team members during CE is invaluable when it comes to trouble shooting a system that many are unfamiliar with, especially as much of the equipment is brand new and unknown to many, said Hennessey.

"The training for the end user is not hard, but it is important to revisit many of the concepts often before they become familiar enough to be comfortable," said Ukrainian army Maj. Oleksandr Korkin, Region B PKI certification head.

Testing for PKI stability includes each regional CA or countries with their national PKI issue certificates for the end users to add to their trusted list. Then "coalition" certificates are requested and issued by end users.  They are then tested by exchanging signed and encrypted email and by visiting secure web sites using both server-side and client-side authentication. They also test using the certificates that are revoked and entrusted to ensure access is denied in the last to test, said Janssen.

The lesson's learned at CE 08 include the need for stable network, that training is critical-basic understanding of PKI, network design exchange and Web-site establishment and times must be agreed upon. The expected end result for the intensive two weeks spent testing, training and networking during CE 08 a more efficient set up of secure electronic communications where a swift response can save lives.

- CE 08 -

Location(s)

• email this page
• login to post comments