Scale is Everything for Pentagon’s Digital Security

The Department of Defense adopts new certification verification processes

When it comes to digital certificates, scale is everything. At least, that’s what the U.S. Department of Defense found when it attempted to roll out secure e-mail and document signing.

The DoD maintains digital certificate validation for about 13.5 million users worldwide as part of the Common Access Card program. The card not only authenticates users to government networks, but also digitally signs documents and e-mail.

Except there was a wrinkle: users had to download a Certificate Revocation List (CRL) before they could send e-mail. The CRL helps guarantee the sender’s identity, and that messages aren’t tampered with in transit. So far so good, except for the CRL file’s size: 30 MB and growing. Downloading the file could take an hour.

“People waited so long for CRLs to download that it cost us tremendously in productivity and drove people to circumvent the security built into our systems,” says Gil Nolte, director of the DoD’s PKI Program Management Office, part of the Identity Protection and Management Program, which manages access to both physical and IT resources.

As a public key infrastructure (PKI) FAQ on the DoD’s Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics Web site says, “the magnitude of the DoD PKI has presented some challenges.” For example, common, off-the-shelf technology wouldn’t always accept PKI certificates—even those based on accepted standards. In addition, it notes the CRL “has grown to a massive unusable size,” thus driving the DoD to implement new ways of verifying and revoking digital certificates.

To lower the cost of using certificates, and to improve performance and availability, the DoD recently conducted a global pilot program with next-generation certificate technology from nine vendors, using it to issue over 13.5 million certificates. It then selected two pieces of technology to help: Real Time Credential Validation Authority from CoreStreet Ltd. in Cambridge, Mass., and Valicert Validation Authority from Tumbleweed Communications Corp. in Redwood City, Calif.

The technology will be used to secure about 1.3 million users—validating digital certificates in real time—as part of the DoD’s Identity Protection and Management Program, which also includes the well-known Common Access Card. The DoD has the world’s largest PKI deployment, with over 3.5 million PKI users.

To reduce validation time, CoreStreet created a new architecture, Distributed Online Certificate Status Protocol, which cuts the validation file’s size to about 300 bytes, versus 30 MB, and thus shortens the time needed for validation to about 65 milliseconds. The approach also keeps implementation costs down because, unlike many other PKI approaches, it doesn’t require secured responders to verify digital-certificate authenticity. In addition, these non-secured responders can be placed at various points in the network to improve response time. The DoD notably used Akamai to push responders to the edge of the network, improving response time.

In other words, PKI is overcoming the noticeable failures of its over-promised beginning. “The year-long DoD pilot was the most demanding test of an advanced credential-validation program ever completed,” says Phil Libin, president of CoreStreet. “For the entire duration of the pilot, CoreStreet validated all 13.5 million issued certificates in real time, proving that the limitations digital certificates faced in the past have been overcome.”

The key, of course, is working in real time. Users don’t want to know there’s a digital certificate system in place. Indeed, using this new technology, “the process is so quick that it is transparent to the user, and we’re now able to ensure the security and validity of digitally signed communications,” says Nolte.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.