Tech Success: SRA gets to core of PKI challenges
- By Brad Grimes
- Jun 18, 2004
Authentication technology speeds verification
Bob Dulude, CoreStreet's chief security officer: "Revocation lists are one barrier to PKI that will now be solved."
Lost in the hoopla over the Defense Department issuing 4 million common access cards is the fact that the cards can be difficult to use, especially when cardholders access secure applications.
Besides personal identification, common access cards hold a digital authentication token for use in the department's public key infrastructure. Through PKI, personnel can digitally sign and encrypt documents and e-mail to secure them as they travel across defense networks.
But because the database of current and revoked PKI certificates is so big -- the Defense Department's PKI system is considered the largest in the world --verifying a certificate can take as long as 14 minutes.
Paring this verification time is one of the Defense Department's highest IT priorities, said Kevin Heald, technical lead at SRA International Inc. of Fairfax, Va. Failure to do so would put the agency at risk of opening holes in its secure networks because users will avoid validating certificates.
"Most of the DOD is not checking revocation on signed e-mail," Heald said. This means users don't know for sure if messages are moving to and from other trusted users.
Last October, under a contract with the Defense Information Systems Agency, SRA launched a pilot using technology from CoreStreet Ltd. of Cambridge, Mass., to speed the process of checking common access card users against the Defense Department's certificate revocation list.
The list has grown to about 30 megabytes of certificate information. In the system, that 30-megabyte list must be downloaded from a central server to as many as 4 million computing devices, depending on how many common access card users are logged on.
Factor in the slow network connections at many Defense Department locations -- as low as 56 Kbps on the Defense Information System Network's two main IP networks -- and you have the 14-minute waits that many users endure to access the PKI system.
"If you're rolling out a PKI-enabled application of any kind, you must focus on end-user experience. At the DOD, doing certificate validation was hindering that experience," said Bob Dulude, CoreStreet's chief security officer.
"Until the DOD has everyone attached to a fast pipe, there needs to be an alternative" for handling revocation lists.
CoreStreet's technology is based on the Online Certificate Status Protocol (OCSP), an industry standard for distributing the certificate revocation list to many servers and allowing clients to authenticate without downloading the entire list.
The potential problem with typical OCSP implementations is that the distributed servers, or responders, must be secure, which can be an expensive proposition.
CoreStreet's Real Time Credentials Validation Authority uses distributed OCSP, a technology significantly more scalable and less expensive than OCSP.
With distributed OCSP, a validation authority server takes the certificate revocation list from the organization's certificate authority and computes responses for every certificate on the list. The responses are pushed out to servers that, because they contain no secret information, don't have to be secure.
For the pilot, 20 servers from Akamai Technologies Inc.'s global network act as OCSP responders. The responses, which are small and require little bandwidth, are the only data that must travel to the common access card client.
To use the CoreStreet validation system, client software must be installed on any device that will be using the PKI network. Microsoft Windows, for instance, does not support OCSP.
Heald said SRA provided a variety of OCSP clients to Defense Department users, including CoreStreet's, a client SRA wrote itself and a third-party OCSP client from Ottawa-based Alacris Inc. There is even OCSP client software for BlackBerry wireless handheld devices.
Through the client software, common access card users direct their network connection to a URL on Akamai's network, and the certificate is validated automatically.
According to Dulude, the average response time in the DISA pilot is 65 milliseconds. Each responder can handle more than 1,000 validation requests per second.
The pilot spans 29 defense organizations in 11 countries, including the United States. Heald said the project was to end this month but has been extended to allow more users to use the system.
Carl Saenz, information systems manager with Information Operations Directorate at White Sands Missile Range, N.M., said he tried the CoreStreet solution and will likely join the program. "It's incredible how fast it works," he said.
For now, it is not known what solution the Defense Department might ultimately adopt to handle certificate validation, but Heald said he expects it to be a multivendor solution that might eventually bring CoreStreet technology inside the department's firewall and integrate it into NIPRNet and SIPRNet, the Defense Department's unclassified and classified networks.
CoreStreet is piloting its technology at other government agencies, including the Homeland Security Department.
"Revocation lists are one barrier to PKI that will now be solved," Dulude said.
If you have an innovative solution that you recently installed in a government agency, contact Staff Writer Brad Grimes at firstname.lastname@example.org.