Public Key Infrastructure (PKI) is a framework of systems, processes and people established to issue, maintain, and revoke public key certificates. Public key certificates provide digital signature and encryption capabilities, which can be used to implement the following security services:
- Identification and Authentication: PKI provides for identification and authentication through digital signature. If the signature is valid, then the Relying Party (the person or system relying on the presented certificate for authentication or other security services) has assurance that the entity participating in the transaction is the Subscriber (the identity asserted by the certificate).
- Data Integrity: PKI provides for data integrity through digital signature of information. If the recipient of digitally signed information is able to verify the signature on the information using the public key of the certificate used to generate the signature, then the recipient knows that the content has not changed since it was signed.
- Confidentiality: PKI provides confidentiality through encryption. If the public key in a certificate is used to encrypt information, only the associated private key, held (and kept secret) by the entity named in the certificate, can decrypt that information.
- Technical Non-Repudiation: PKI assists with technical non-repudiation through digital signatures. Technical non-repudiation can be considered a form of attribution, namely that the digitally signed information can be attributed to the entity identified in the certificate used to generate the signature.
Public Key Enablement (PKE) is the process of ensuring that applications can use certificates issued by a PKI to support identification and authentication, data integrity, confidentiality and/or technical non-repudiation. Common use cases include enabling:
- Smart card logon to DoD networks and certificate-based authentication to systems
- Secure connections (SSL/TLS) to DoD servers
- Digital signature and encryption of emails from desktop, web, and mobile clients
- Digital signature of forms
The DoD issues certificates to people and non-person entities (e.g., web servers, network devices, routers, applications) to support DoD missions and business operations. On the Sensitive but Unclassified Internet Protocol Network (NIPRNet), the DoD PKI is a hierarchical system with a Root Certification Authority (CA) at the top of the hierarchy, and a number of issuing CAs that support scalability and provide disaster recovery capabilities. This PKI issues certificates on Common Access Cards (CACs) as well as software certificates to support application needs.
On the Secret Internet Protocol Network (SIPRNet), the DoD operates CAs under the National Security System (NSS) PKI Root CA, which supports all federal agencies that have users or systems on secret networks. The NSS PKI issues certificates on the SIPRNet hardware token as well as software certificates to support application needs.
The DoD PKI and DoD portion of the NSS PKI are centralized infrastructures for the management of keys and certificates throughout their lifecycle (issuance through certificate revocation or expiration). These infrastructures support directory services which provide CA certificates, certificate revocation information, and user encryption certificates.
External Certification Authority (ECA) PKI
The DoD has established the External Certification Authority (ECA) program to support the issuance of DoD-approved certificates to industry partners and other external entities and organizations who do not otherwise have access to DoD-approved PKI credentials. PKI certificates issued under the ECA program provide a mechanism for these entities to securely communicate with the DoD and authenticate to DoD Information Systems. The ECA PKI consists of a root CA maintained at the same facility that operates the DoD PKI Root CA, and subordinate CAs maintained by authorized vendors. More information on the ECA program can be found on the ECA Program page.
DoD-Approved External PKIs
Current policy requires that all federal agencies issue Personal Identity Verification (PIV) cards to their employees and affiliates. Some of DoD’s industry partners have implemented internal PKIs, and others have obtained certificates from commercial PKIs. In addition, some of DoD’s international allied and coalition partners have established PKIs to issue certificates to their personnel. As a result, the DoD has implemented an external interoperability strategy for leveraging certificates issued by external PKIs that meet DoD’s requirements to support secure information sharing with external partners.
On the NIPRNet, DoD-approved external PKIs include the following:
- DoD-sponsored External Certification Authority (ECA)
- Federal agency PIV certificate issuers
- Commercial PKIs that have been certified by the Federal PKI Policy Authority as meeting their Medium Hardware requirements, that have been tested for interoperability by the DoD Joint Interoperability Test Command (JITC), and whose operating organizations have signed Memorandums of Agreement with the DoD
- Other partner PKIs, such as Combined Communications Electronics Board (CCEB) member nation PKIs, that have been specifically approved by the DoD
On the SIPRNet, DoD-approved external PKIs include the following:
- Federal agency CAs that are operated under the NSS PKI Root CA as part of the NSS PKI
- Other partner PKIs, such as CCEB member nation PKIs, that have been specifically approved by the DoD for interoperability on secret level networks
All NIPRNet DoD-approved external PKIs can be found on the IASE site on the External and Federal PKI Interoperability page. There you can find additional information for each external PKI including certificate trust chains, acceptable certificate assurance levels, and other useful information.
For an overview of the Federal PKI/Bridge and to learn more about the usage of External PKIs within the DoD, please read our Working with External PKIs slick sheet.
DoD Instruction 8520.02, Public Key Infrastructure (PKI) and Public Key (PK) Enabling, provides the overarching policy requirements for the implementation and use of PKI for the DoD, including processes for approving external PKIs. Requirements for using PKI to authenticate for accessing DoD resources can be found in DoD Instruction 8520.03, Identity Authentication for Information Systems. More specific guidance on requirements for the operations of the DoD PKI are described in the United States Department of Defense X.509 Certificate Policy.
PKI also addresses a number of policies external to the DoD. For unclassified systems on the NIPRNet, CACs are issued in accordance with Homeland Security Presidential Directive (HSPD) 12 and Federal Information Processing Standard (FIPS) 201, which is published by the National Institute of Standards and Technology (NIST). PKI interoperability is an essential component of secure information sharing between DoD and its partners within the federal government and industry, and DoD requirements align with larger federal government initiatives around the implementation and use of federated credentials including Office of Management and Budget (OMB) M-04-04 and M-11-11. Leveraging approved externally issued credentials can reduce overall cost to the DoD and increase information assurance by limiting the number and scope of Common Access Cards issued and managed by the Department.
For SIPRNet systems, specific requirements for the implementation and use of PKI can be found in Committee on National Security Systems (CNSS) Policy 25, National Policy For Public Key Infrastructure in National Security Systems; CNSS Directive 506, National Directive to Implement Public Key Infrastructure for the Protection of Systems Operating on Secret Level Networks; and CNSS Instruction 1300, National Instruction On Public Key Infrastructure X.509 Certificate Policy, Under CNSS Policy No. 25.
More information on PKI-related policies can be found on the Policies page.
Other PKI Services
The Global Directory Service (GDS)
The Global Directory Service (GDS) is an enterprise directory service available on both NIPRNet and SIPRNet that supports the DoD PKI Program. GDS is responsible for hosting DoD PKI and ECA certificate revocation lists (CRLs) and intermediate Certification Authority (CA) certificates. All DoD PKI certificates point to the GDS in their certificate revocation list distribution point (CRLDP) extension. GDS also provides an enterprise user directory called DoD 411 where users may search and download contact records that include the contact’s public encryption certificate. This allows users to encrypt email to DoD recipients who do not exist in their local email directory. DoD 411 is available via both HTTP (web browser) and LDAP interfaces and can be configured as an address book within Microsoft Outlook.
Robust Certificate Validation Service (RCVS)
The Robust Certificate Validation Service (RCVS) is the DoD PKI’s Online Certificate Status Protocol (OCSP) responder infrastructure. OCSP is a mechanism for determining the revocation status of X.509 certificates. OCSP, as defined by RFC 2560 and 5019, uses a request-response paradigm in which an OCSP client submits a certificate status request to an OCSP responder and the responder, in turn, returns an OCSP response indicating whether the certificate status is good, revoked or unknown. DoD OCSP responses are generated from data contained within DoD PKI certificate revocation lists (CRLs); however, since an OCSP response contains status for only one or a small number of certificates, it is a much lighter-weight way to obtain certificate status than downloading a full CRL. For more information on OCSP including OCSP trust models, please read our slick sheet on OCSP. For more information on when to use OCSP versus CRLs, please read our Certificate Revocation Checking slick sheet. Both slick sheets can be found in the PKE Downloads Library under the Slick Sheets and White Papers category.
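The request-response flow described above, as an added example (not DoD or RCVS code): a constructed test CA publishes a CRL, a responder derives a single-certificate status from it, and a relying party verifies the signed response. It assumes the Python `cryptography` package; every name, key and serial is made up, and the CA signs responses directly for brevity.

```python
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None, microsecond=0)
DAY = datetime.timedelta(days=1)

def issue(cn, serial, issuer_cn, signing_key):
    """Build a constructed test certificate; every name and serial here is made up."""
    subj, iss = (x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)]) for s in (cn, issuer_cn))
    key = signing_key if cn == issuer_cn else ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder().subject_name(subj).issuer_name(iss)
            .public_key(key.public_key()).serial_number(serial).not_valid_before(NOW - DAY)
            .not_valid_after(NOW + 30 * DAY).sign(signing_key, hashes.SHA256()))

CA_KEY, OTHER_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
CA = issue("Example Test CA", 1, "Example Test CA", CA_KEY)
GOOD = issue("good.example.test", 1001, "Example Test CA", CA_KEY)
REVOKED = issue("revoked.example.test", 1002, "Example Test CA", CA_KEY)
FOREIGN = issue("other.example.test", 1003, "Some Other CA", OTHER_KEY)  # not from this CA

CRL = (x509.CertificateRevocationListBuilder().issuer_name(CA.subject)
       .last_update(NOW).next_update(NOW + DAY)
       .add_revoked_certificate(x509.RevokedCertificateBuilder()
                                .serial_number(1002).revocation_date(NOW).build())
       .sign(CA_KEY, hashes.SHA256()))  # the CA's CRL lists serial 1002 as revoked

def respond(request, cert):
    """Responder: status comes from the CRL; revocation time is the constructed CRL date."""
    S = ocsp.OCSPCertStatus
    entry = CRL.get_revoked_certificate_by_serial_number(request.serial_number)
    status = S.UNKNOWN if cert.issuer != CA.subject else S.REVOKED if entry is not None else S.GOOD
    return (ocsp.OCSPResponseBuilder().add_response(
                cert=cert, issuer=CA, algorithm=hashes.SHA1(), cert_status=status,
                this_update=NOW, next_update=NOW + DAY, revocation_reason=None,
                revocation_time=NOW if status is S.REVOKED else None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, CA)
            .sign(CA_KEY, hashes.SHA256()))

def check(cert):
    """Relying party: query one certificate, verify the CA's signature, return the status."""
    request = ocsp.OCSPRequestBuilder().add_certificate(cert, CA, hashes.SHA1()).build()
    resp = respond(request, cert)
    # verify() raises InvalidSignature unless the response was signed with the CA's key.
    CA.public_key().verify(resp.signature, resp.tbs_response_bytes,
                           ec.ECDSA(resp.signature_hash_algorithm))
    return resp.certificate_status.name
```

A relying party should treat anything other than a verified `GOOD` answer as a reason not to accept the certificate.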
NSS PKI Common Service Provider (CSP)
The Committee on National Security Systems (CNSS) Policy No. 25 laid the foundation for a Public Key Infrastructure (PKI) to support National Security Systems (NSS) on Secret networks across the Federal Government. The CNSS Directive #506 establishes the requirement for all federal agencies to implement the NSS-PKI to promote interoperability and secure information sharing and to use PKI to provide strong authentication on Secret level networks. The DoD PKI PMO, using previous NIPRNet and SIPRNet PKI experience, responded and built an NSS PKI infrastructure for the DoD. The DoD is currently issuing SIPRNet hardware tokens from this infrastructure to personnel throughout the department.
The CNSS recognized that it was not cost-effective for each Federal Agency to establish and operate a separate PKI. As a result, CNSS Policy No. 25 created a Common Service Provider (CSP), which would operate the NSS PKI and provide certificate management services for Participating Agencies (PAs). The DoD PKI PMO was chosen to build and operate the NSS PKI CSP. The DoD PKI PMO, under the guidance of the CNSS and primary management of DISA, has been working with the CNSS PKI Member Governing Body (MGB) to incorporate the capabilities needed by the CSP into the NSS PKI. The CSP began issuing certificates on hardware tokens in June 2013. DISA manages the certificate life cycle for Participating Agencies. In general, DoD Registration Authorities (RAs) and Trusted Agents (TAs) will not be affected by the implementation of the NSS PKI CSP.
Non-Person Entity (NPE) Certificates
The NPE system provides more streamlined issuance of PKI certificates to devices (e.g., workstations, web servers, network equipment) and services on both the NIPRNet and SIPRNet. Certificates for NPEs increase security by strengthening the identification and authentication of devices to DoD networks, as well as supporting SSL/TLS encryption to maintain data confidentiality.
The Purebred system provides a secure, scalable method of distributing software certificates for DoD PKI subscribers' use on commercial mobile devices. The system first establishes trust in device certificates used to encrypt configuration data bound for a device and then permits a subscriber to demonstrate possession and usage of their CAC to generate two new derived credentials and recover existing email encryption keys.
NIPRNet Enterprise Alternate Token System (NEATS)
NEATS is a centralized token management system for medium assurance DoD PKI certificates on NEATS tokens, also known as Alternate Logon Tokens (ALTs), for use cases including administrators, groups, roles, code signing and individuals not authorized to receive a CAC.