ABERDEEN PROVING GROUND, Md. (Aug. 10, 2016) -- The U.S. Army's tactical cyber defense research and development organization transitioned a tool to simplify digital certificate monitoring by Soldiers in the field to a funded program of record June 1.
The U.S. Army Materiel Command's Communications-Electronics Research, Development and Engineering Center, or CERDEC, transitioned a tool called Public Key Infrastructure in a Tactical Environment, or PKITE, to Program Executive Office Command, Control, Communications-Tactical, or PEO C3T, as a program of record for the Warfighter Information Network -- Tactical, or WIN-T, Increment 3.
The Army uses digital Public Key Infrastructure, or PKI, certificates to ensure authentication, non-repudiation, data integrity and confidentiality of digital information.
"The authentication proves you are who you say you are. Non-repudiation is when you digitally sign a document, we can prove you signed it, and data integrity ensures it hasn't been modified since then. Confidentiality creates an encrypted session between the user and the browser," said Bob Fedorchak, CERDEC Space and Terrestrial Communications Directorate, or S&TCD, tactical public key infrastructure technical lead.
The Army's increased use of digital technology has led to multiple certificate-enabled communications devices per Soldier, and PKITE version 1.0 is a solution to monitoring certificates for these devices.
"One of the major challenges the Army has faced as we start to put certificates on devices is that it is a very manual process for the Soldier to go to each device, look at the certificate, and say 'Oh, it's going to expire in six months.' Right now, it's completely manual, but we have automated that process by providing Soldiers with a web service that allows them to monitor the certificates automatically," Fedorchak said.
PKITE automatically gathers information about specified devices on the system and organizes that data into a dashboard.
"The reason monitoring device certificates is important is because if a certificate expires, the web server or the device that is using it will fail. You can no longer access the server or the function that is using the PKI piece," Fedorchak said.
PKITE alerts the Soldier monitoring certificates when a certificate will expire within a prescribed number of days, so he or she has enough time to obtain new certificates and prevent a system or device failure.
"It's a similar concept to your CAC [Common Access Card]. When your CAC expires, you usually get a little pop-up that says you are going to need a new CAC within X number of days," said Rocio Bauer, chief of the Tactical Network Protection Branch in the CERDEC S&TCD Cyber Security/Information Assurance Division.
The difference between a CAC and a certificate-enabled device is that the CAC certificate expiration date is printed on the card, where the person can see it and take the appropriate actions before it expires. The device certificate is not visible on the hardware, decreasing the likelihood the user will know action needs to be taken to prevent expiration.
"The first time the user often finds out is when a problem occurs, and they track down the problem to an expired certificate," Fedorchak said.
Soldiers experienced this expired certificate scenario in April during CERDEC's Cyber Blitz, an event that looked at the role cyber plays in a tactical operations center.
Though Cyber Blitz focused on more than PKITE, CERDEC used the event as an opportunity to start familiarizing Soldiers with PKITE on WIN-T Inc. 3.
"During Cyber Blitz, there were two PKI-related threads executed - one with PKITE certificate monitoring and one without," Fedorchak said. "When executed without PKITE certificate monitoring, the Soldiers encountered two separate failures related to an expired certificate. The first was easy to identify and work around, but the second took much longer to identify the root cause. When executed with PKITE Certificate Monitoring, the automations officer was informed that a certificate was about to expire within the next two weeks, giving the automations officer time to replace the certificate prior to it expiring and preventing any failures from occurring."
CERDEC will continue to work additional upgrades and maintenance as required, Bauer said.
-----
The U.S. Army Communications-Electronics Research, Development and Engineering Center is part of the U.S. Army Research, Development and Engineering Command, which has the mission to ensure decisive overmatch for unified land operations to empower the Army, the joint warfighter and our nation. RDECOM is a major subordinate command of the U.S. Army Materiel Command.