IATS-2 Token and Certificate Standards


Overview

Identification and authentication is accomplished using the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product.

MAC / CONF: MACI, MACII
Impact: Medium
Subject Area: Identification and Authentication

Details

Threat
DoD PKI hardware tokens will be used to support automation and enhance security without jeopardizing user mobility. DoD PKI hardware tokens will provide a “medium” level of robustness and security strength applicable to “unclassified mission critical” operations. There are a number of potential threats and vulnerabilities to the Token, including the following:
 
  · Physical attacks
  · Logical attacks
  · Attacks associated with control of access to the Token
  · Attacks associated with unanticipated interactions with the Token
  · Attacks associated with the Token’s Cryptographic Functions
  · Attacks associated with monitoring information of the Token
  · Attacks associated with miscellaneous threats to the Token
  · Attacks associated with the operating environment of the Token
 
The DoD PKI hardware token should be an enhanced COTS product, based on token standards, and interoperable with any commercial and DoD PKI applications.

Guidance
1. The DoD will provide for a certificate management infrastructure yielding a capability to verify the identity, authority and integrity involved in each transaction.
2. The system administrators shall protect the workstations and the cryptographic module from unauthorized access or modification via the following at a minimum:
  · Access control list
  · Configuration management
  · Physical protection
3. The system administrators shall ensure that all applications are Common Criteria evaluated and Joint Interoperability Test Command (JITC) certified.
4. The system administrators shall configure workstations with the appropriate security technical implementation guidance and implement the IAVA process into configuration management practices in accordance with the security policy.

References

  • Department of Defense (DoD) Public Key Infrastructure (PKI) Token Protection Profile (Medium Robustness), Version 2, Release 1 of the “Common Criteria” International Standard 15408
  • Smart Card Security User Group Smart Card Protection Profile (SCSUG-SCPP) Draft Version 2.0
  • DISA IAVA Process Handbook, Version 2, Release 1, 11 June 2002
  • FIPS 140-2 Level 2, FIPS 140-2 Level 3