“Public Key Infrastructure (PKI) has emerged as the foundation to provide secure data transmission and internet security,” said Donald Parker, chief of the Defense Information Systems Agency’s (DISA) Public Key Infrastructure Branch, during the 2019 AFCEA TechNet Cyber in Baltimore May 16.
“Identification and authentication, data integrity, confidentiality, and technical non-repudiation combined are elements that provide a secure, non-breakable environment for any type of electronic transaction,” he said.
Adversaries, regardless of their origin, are going after credentials, which give them access to key information. Protecting networks largely rests on who is allowed inside the network.
“Whether they gain entry through a phishing attempt, or as an insider, the credentials are the literal key,” said Parker. “Once in, they will move laterally through the networks to seek out stronger credentials for further access.”
DISA is defending against this threat by providing secure credentials not only for the traditional, computer-based network environment, but also for the rapidly growing mobile environment.
Evolving PKI for the mobile environment
“The phone now serves as a computer. We check email on it, we do our homework, we do research, pay our bills, and there is a lot of PII tied into that platform. So when we talk about mobile credentialing, this is an important piece, and DISA ensures that these devices are adequately secure,” said Parker.
“[PKI] capabilities that will get a lot of attention in the upcoming months and throughout the remainder of the year are non-person-entities and mobile credentialing,” said Parker.
Non-person entities are devices with PKI certificates. Purebred is the program DISA uses to provide credentialing for its mobile capabilities.
Purebred enables signed and encrypted email and secure web browsing without continuous need for a smart card reader and user Common Access Card (CAC). Additionally, it supports key issuance and recovery for all DoD CAC holders under DoD PKI through a supervised initial device enrollment.
Devices currently supported by Purebred
“Purebred is doing really well as a capability to support mobile credentialing,” said Parker. “To date, DISA has provided Purebred over-the-air derived credentials to more than 100,000 Department of Defense (DoD) -issued commercial mobile devices and certified more than 4,000 Purebred agents.”
Purebred agents are the individuals authorized to initiate device credentialing.
Currently supported DoD devices include:
• Apple iOS devices (all latest iPhone and iPad models). There are currently 98,537 supported devices.
• Android devices (Android 6/ Marshmallow and above). There are currently 11,133 supported devices.
- Samsung Knox.
- Android for Work.
• Windows 10 tablets with validated TPM 2.0 chipsets. There are currently 57 supported devices.
• Yubikey 4+ security tokens. There are currently 47 devices supported.
Start using Purebred today
DMUC customers should contact to the Tier I service desk to acquire Purebred.
Individuals in DoD interested in using the service should contact their service desk or mobility management service provider to determine if Purebred is offered.
Individuals who manage mobile devices for their DoD organization and do not currently offer Purebred to users can contact the PKI Team to onboard the organization. For more information, email firstname.lastname@example.org or visit the DoD Mobility Purebred Derived Credentials website.
A copy of Parker’s presentation is available at DISA.mil.