With the advent of the Trusted Platform Module (TPM), Medium Hardware Assurance authentication to the workstation can be built on standard, mature Commercial Off-The-Shelf (COTS) components already proven in the marketplace. By applying fully programmable Application-Specific Integrated Circuit (ASIC) technology, developed for use in peripherals such as smart card readers and keyboards for authentication to trusted systems or applications, a "smart reader" can perform mutual authentication and validation between a Medium Hardware Assurance identity certificate and a device certificate protected by the TPM.
Today the TPM is managed through the WAVE Cryptographic Service Provider (CSP), and Government-approved smart cards, such as the Common Access Card (CAC) and the Personal Identity Verification (PIV) card, are accessed through the Microsoft Cryptographic Application Programming Interface (MSCAPI). Currently the Microsoft operating system supports digital certificate logon only against a Microsoft domain controller; off-line workstation digital certificate logon is not supported.
To support off-line workstation digital certificate logon, the WAVE CSP will be extended to act as a workstation authentication device. The first step in this process has been accomplished: the WAVE CSP has been updated to generate a Federally compliant key pair and digital certificate request. ORC proposes to update the WAVE CSP to perform the mutual authentication function between the workstation certificate (protected by the TPM) and the user identity certificate (protected by a Government-approved smart card).
The TPM can also protect multiple attribute certificates assigned to a single user (as when one user requires separate access identities for separate domain controllers). A user authenticating to the workstation with a Government-approved digital certificate (on a smart card) gains access to a key store protected by the TPM, holding the private keys for the various certificates whose attributes grant access to particular domain controllers. When the user attempts to administer a domain controller, the user presents the certificate carrying the attributes required for that controller.
To support multiple attribute certificates, the WAVE CSP will be extended to act as a hardware security module accessible through standard MSCAPI functionality. Since certain TPM devices hold FIPS 140-2 Level 2 or higher certification, attribute certificates protected by the TPM could be evaluated as meeting the DoD Medium Hardware Assurance level and/or E-Authentication Level 4, equivalent to the assurance levels of CAC- and PIV-protected certificates.
The digital certificates used to accomplish this can be issued from any DoD-compliant PKI (the DoD PKI or an External Certificate Authority, ECA) or other Federal PKI, maintaining interoperability with any other agency or organization that accepts the Federal Root Certificates, within an established risk-sharing environment that enforces accountability through the following obligations:
- Each Trusted Third Party (CA) attests that its procedures are implemented in accordance with a Government-approved Certificate Policy and Certification Practice Statement, and that any certificates asserting the policy OIDs, and the associated CRLs, are issued in accordance with the stipulations of those documents.
- Each Subscriber, and the Subscriber's sponsoring organization, accurately represents itself in all communications with the PKI and properly handles and protects the certificates issued to it.
- Each relying party determines that the level of assurance provided by the certificate is adequate to protect the application, based on its intended use, and checks for certificate revocation before relying on the certificate.
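The mutual authentication proposed above (the TPM-protected workstation certificate against the smart-card-protected user identity certificate), together with the relying party's duty to check revocation before reliance, as an added example in Go. This is illustrative code written for this page, not ORC's or the WAVE CSP's code, and it assumes: an in-process CA standing in for a DoD or ECA issuer, ECDSA keys held in memory where a deployment would hold them non-exportably in the TPM and the smart card, and a constructed revoked-serial set in place of a fetched CRL. The names newParty, verifyPeer, MutualAuth and Run and the subject names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Party is one side of the exchange. In deployment the workstation key lives in
// the TPM and the user key in the CAC/PIV card; here both are in-memory ECDSA
// keys (an assumption of this example).
type Party struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// must panics on PKI bootstrap errors (entropy, encoding) to keep setup short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newParty generates a key pair and certificate: a self-signed CA when signer
// is nil (stand-in for a DoD or ECA CA), else an authentication cert from signer.
func newParty(cn string, serial int64, signer *Party) *Party {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	parent, signKey := tmpl, key // self-signed unless a signer is given
	if signer != nil {
		parent, signKey = signer.Cert, signer.key
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey))
	return &Party{Cert: must(x509.ParseCertificate(der)), key: key}
}

// verifyPeer is the relying-party check: chain the peer certificate to a
// trusted root, refuse revoked serials (the map stands in for a fetched CRL; a
// real check keys on issuer plus serial), then verify the challenge signature.
func verifyPeer(peer *x509.Certificate, roots *x509.CertPool, revoked map[string]bool, nonce, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := peer.Verify(opts); err != nil {
		return fmt.Errorf("chain validation: %w", err)
	}
	if revoked[peer.SerialNumber.String()] {
		return fmt.Errorf("certificate serial %s is revoked", peer.SerialNumber)
	}
	pub, ok := peer.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("challenge signature invalid")
	}
	return nil
}

// MutualAuth runs challenge-response both ways with fresh nonces (no replay):
// the user proves possession of the smart-card key, then the workstation the TPM key.
func MutualAuth(workstation, user *Party, roots *x509.CertPool, revoked map[string]bool) error {
	for _, prover := range []*Party{user, workstation} {
		nonce := make([]byte, 32) // verifier's challenge
		must(rand.Read(nonce))
		h := sha256.Sum256(nonce) // prover's response: signature over the challenge
		sig := must(ecdsa.SignASN1(rand.Reader, prover.key, h[:]))
		if err := verifyPeer(prover.Cert, roots, revoked, nonce, sig); err != nil {
			return fmt.Errorf("%s authentication: %w", prover.Cert.Subject.CommonName, err)
		}
	}
	return nil
}

// Run builds a one-CA PKI, issues the workstation and user certificates, and
// runs the exchange; revokeUser puts the user certificate on the CRL first.
func Run(revokeUser bool) error {
	ca := newParty("Example Medium Assurance CA", 1, nil)
	ws := newParty("workstation-01", 2, ca)
	user := newParty("JANE.DOE.1234567890", 3, ca)
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	revoked := map[string]bool{user.Cert.SerialNumber.String(): revokeUser}
	return MutualAuth(ws, user, roots, revoked)
}

func main() {
	fmt.Println("valid:", Run(false), "| user revoked:", Run(true))
}
```

Each direction is a separate challenge: the verifier issues a fresh random nonce, the prover signs it with the key it cannot export, and the verifier accepts only after chain validation to the configured root, the revocation check, and signature verification, in that order. Run(true) shows the relying-party obligation above in action: a revoked user certificate is rejected even though its signature over the challenge is valid, and a workstation certificate from a CA that is not in the root pool fails at chain validation. Adding further roots to the pool is the mechanism by which a workstation would trust more than one PKI.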
By hosting the PKI-authenticated workstations in a network-level Common IA Enabling Infrastructure (CIEI) that includes a directory and a validator, each workstation can be configured to trust multiple PKIs.
To deploy digital certificates, ORC can assist with the processes required to issue DoD PKI certificates to internal DoD employees and External Certificate Authority (ECA) certificates to contractors and trading partners. With either the DoD or ECA PKI, ORC can assist you with establishing your own internal registration capability, leveraging an existing capability, or, in the case of ECA, providing a temporary on-site registration capability.