Halt, Who Goes There?

Feb. 25, 2019

Today’s Common Access Card won’t disappear anytime soon—but the search for a better way to prove your digital identity is underway. Graphic: SrA. Ericha Vuyota

“On the Internet, no one knows you’re a dog!” Twenty-five years ago, when The New Yorker published its iconic cartoon depicting a dog seated at a screen using a keyboard and mouse, it was good for a chuckle. Now that the entire economy, not to mention command and control of the nation’s armed forces, has moved online, it’s not so funny anymore.

The challenges of proving identity in a digital world have been weaponized by America’s enemies, used to worm into military and contractor networks, and to siphon out secrets by the truckload, threaten vital infrastructure such as the power grid, and spread fake news on social networks.

Like a lot of large, global enterprises, the Air Force has been grappling with how to enable the on-the-go access people want and need while protecting the confidentiality, security, and integrity of its data.

USAF Chief Technology Officer Frank Konieczny described a recent technology pilot program where officials sought to tackle complicated and sensitive issues of network and data access by working with lawyers in the military justice system.

It was one of the “more difficult” test cases, Konieczny said. “That’s why we did it there.” Lawyers move on or off cases on short notice—and who is entitled to access files also changes depending on the case’s disposition.

The program successfully demonstrated the transformative power of a new, more agile, and automated approach to identity management, he said. Later this year, when the DOD’s chief information office publishes its long-awaited, departmentwide Identity Credentialing and Access Management (ICAM) strategy, observers hope such approaches will propagate through the entire department, allowing the military to play catch-up.

“It’s a matter of how fast you can incorporate new technologies,” said Konieczny.

Traditionally, computer network security operates like a castle and moat. Data is protected behind a firewall (or moat), and users are admitted over a “drawbridge” only after proving their identities. But as The New Yorker cartoon highlights, that last part is the weak link. Spoofing identity by co-opting someone else’s credentials turns out to be relatively easy, especially when identity is defined by a username and password combination that can often be stolen using malware hidden in carefully crafted emails. Almost all the major breaches suffered by the US government and military began with a phishing attack designed to fool users into giving up their digital identity credentials.

But the Air Force, like the other military services and, indeed, the whole federal government, has access to a very strong identity credential—the Common Access Card. The CACs are issued only after a rigorous in-person identity-proving session. They use a system of encryption that can be traced back to the origins of online security.

To make online computer communications secure, they must be encrypted, which means using a special mathematical code to scramble the message. In classical encryption, the code to scramble the message is the same as the one that unscrambles it. Here’s the problem: To send you an encrypted message, I need your key, and anyone who holds that key can also unscramble, and therefore eavesdrop on, all your communications.

Ron Rivest, Adi Shamir, and Leonard Adleman—the three scientists who gave their initials (RSA) to global corporate security—solved this problem in 1977 using something called asymmetric encryption, in which messages are scrambled using a public key that anyone can access, but requiring a private key that the receiver alone possesses to unscramble the message at the other end.

In the CAC, the private key is stored on a secure chip that never leaves the card. Validated by a PIN, the CAC is as secure a cryptographic credential as we can make. Because the card has to be physically present in the reader to present the key, it renders credential theft attacks using stolen usernames and passwords useless.


“It’s as close to the gold standard as I’ve seen out there,” said Dan Conrad, Federal Chief Technology Officer of One Identity. His company, which has contracts with many DOD agencies, including Air Force elements, has spent a lot of time researching emerging new cryptographic technology such as the open-standard Fast Identity Online (FIDO), but has yet to find anything as secure as the CAC. “Its assurance level has yet to be beaten,” he said.

Even so, Chinese hackers were still able to steal the Office of Personnel Management database just by acquiring a username and password. Even though federal policy required the use of personal identity verification cards for system administrators and other privileged users, that policy wasn’t strictly enforced.

“Leaders simply hadn’t enforced the policy,” said retired USAF Brig. Gen. Greg J. Touhill, who helped lead the Obama administration’s cybersecurity sprint after the massive OPM hack in 2015 and became the nation’s first federal chief information security officer, or CISO, in 2016. Information security is “a leadership and management issue, as much as it is a technology issue,” said Touhill, now president of cybersecurity contractor Cyxtera Federal Group.

According to agencies’ self-reporting in 2015, fewer than 40 percent of privileged users were using CAC/PIV cards to log on, Touhill said. By the end of 2016, that number was above 90 percent, thanks to leadership buy-in at the White House. “We got top cover all the way up,” he explained.

Yet even today, such problems persist. The Air Force enforces CAC log-on for 96 percent of privileged users, according to Konieczny, and has a plan to reach 100 percent. The holdup? Some network equipment isn’t designed to work with a CAC or other cryptographic credentials.

Longer term, however, there’s a bigger problem with the CAC as an identity credential. To go back to the castle analogy, the drawbridge has become more like a highway toll plaza with a dozen lanes of traffic whizzing through at high speed than a one-lane gateway where each user must prove himself to the guard. The growing use of mobile and wireless devices, whether on the flight line or out in the field, is changing the requirement for identifying technologies.

“Traditional identity technologies don’t scale well across a mobile environment,” said Touhill. “The technology has overrun the policy.”

There’s no way for a typical smartphone or tablet to read a CAC. Hardware solutions, similar to a built-in card reader, are impractically bulky and expensive—not to mention annoyingly slow.

Software alternatives, dubbed derived credentials, leverage the security features in modern smartphones. Users enroll their devices at a terminal where they can use their CAC to log on, deriving a cryptographic certificate from the private key stored on the CAC. Validated by a PIN or a biometric identifier, such as a fingerprint or iris scan, a derived credential is theoretically as secure as the CAC itself.

But derived credentials haven’t taken off. “Managing those credentials isn’t easy,” Touhill said, and there are still only a few applications that accept them. DOD’s solution is called Purebred. It’s a management system that issues derived credentials and manages the cryptographic infrastructure they need.

Konieczny said DOD was aiming to increase its use throughout the military services. “There’s a big push to get more Purebred out there,” he said.

Meanwhile, any notion that the CAC will disappear in the foreseeable future is probably sheer fantasy. CAC infrastructure investment was $154.7 million in DOD’s FY18 IT budget, roughly comparable to prior years’ spending, according to Stephanie Meloni, manager of market intelligence for IT consultancy immixGroup. That’s a “significant investment, both in time and money,” and is more than 500 times as much as the $300,000 DOD invested researching alternatives.

“There are a lot of alternative solutions being talked about, piloted, and prototyped,” she said. But the “CAC is not going anywhere anytime soon—these new solutions will be in addition to CAC, for the near-term, at least.”

TSgt. Kyle Hanslovan, a cyber warrior with the Maryland ANG, works at Warfield ANGB, Middle River, Md. Photo: J.M. Eddins Jr./USAF

Meanwhile, the moat-and-drawbridge model of security is rapidly going the way of, well, castles and moats. In the emerging era of cloud computing, the concept of a perimeter protecting all your vital data is disappearing.

Increasingly, vital data is stored on someone else’s computers.

“The perimeter as we knew it is gone,” said Touhill. In its place is a model where the moat is only one security layer of many. In this model, every room in the castle is locked. When users gain permission to cross the drawbridge, they are given keys to only those rooms to which they need access.

As Konieczny puts it, “You need to separate authentication from authorization.” Authentication is proving you are who you claim to be; authorization determines what access you get on the network.

“The CAC tells me who you are,” Konieczny said. It lets you over the drawbridge. But it doesn’t define what data or applications you need to do your job; it doesn’t entitle you to keys for any particular rooms. That’s the authorization piece.

“I have to map—within my system—what access you should have, based on your role,” Konieczny said. This Role-Based Access Control, or RBAC, ties your identity to your job.

Today, most military systems rely on a manual process to define those roles.

It’s a time-consuming, paper-based, and inherently inefficient process, sometimes taking days to grant access to the necessary files and systems.

Removing someone can take just as long—raising potentially serious insider-threat concerns when access for an individual should be quickly denied, such as when they are fired or disciplined.

The pilot program the Air Force ran for military lawyers sought to automate that whole process, Konieczny said. “To automatically assign authorization to particular people dynamically … based on a data or application owner coming in and saying, ‘Yes, this person needs access to that.’” Based, in other words, on attributes associated with identity that would be discoverable, in an automated fashion, from a range of authoritative databases.

Rather than based on a role or job, this approach is based on attributes identified in the system. The advantage: “If those attributes change, the system automatically deletes their system access” right away, Konieczny said.

“The goal is to do that [authorization piece] faster and eliminate the [system administrator] piece of it and eliminate the paper-based aspect,” he said.

That pilot program successfully dealt with a dynamic environment where access requirements change quickly. Documents had to be tagged so that access could be authorized correctly.

Now follow-up research is focused on automating the tagging process, so when documents are created, it’s already clear who is entitled to see them.
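The attribute-based model Konieczny describes, written out as an added example (not Air Force, DOD or Purebred code): documents are tagged at creation, every decision is recomputed from the current attributes in an authoritative source, and taking a lawyer off a case revokes access on the next request with no deprovisioning ticket. The user names, case ids and clearance labels are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Ordered clearance levels; constructed for this example.
CLEARANCE_RANK = {"NONE": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass
class Document:
    """A file tagged at creation with who may read it (the tagging step)."""
    doc_id: str
    tags: dict


@dataclass
class AuthoritativeSource:
    """Stand-in for the personnel and case databases the pilot would query."""
    attrs: dict = field(default_factory=dict)

    def assign(self, user: str, **changes) -> None:
        self.attrs.setdefault(user, {}).update(changes)

    def lookup(self, user: str) -> Optional[dict]:
        return self.attrs.get(user)


def authorize(user: str, doc: Document, source: AuthoritativeSource) -> bool:
    """Authorization only: `user` was already authenticated (e.g. by CAC).
    Nothing is cached, so an attribute change takes effect immediately.
    Unknown users and untagged or mistagged documents fail closed."""
    attrs = source.lookup(user)
    if attrs is None or attrs.get("status") != "active":
        return False
    try:
        case, needed = doc.tags["case"], CLEARANCE_RANK[doc.tags["min_clearance"]]
    except KeyError:
        return False  # missing tag: deny rather than guess
    if case not in attrs.get("cases", set()):
        return False
    return CLEARANCE_RANK.get(attrs.get("clearance", "NONE"), 0) >= needed


def demo() -> list:
    """Walk a lawyer onto a case, off it again, and then into suspension."""
    src = AuthoritativeSource()
    brief = Document("brief-7", {"case": "C-1001", "min_clearance": "SECRET"})
    src.assign("capt.doe", status="active", clearance="SECRET", cases={"C-1001"})
    on_case = authorize("capt.doe", brief, src)        # assigned: allowed
    src.assign("capt.doe", cases=set())                # moved off the case
    off_case = authorize("capt.doe", brief, src)       # denied on next request
    src.assign("capt.doe", cases={"C-1001"}, status="suspended")
    suspended = authorize("capt.doe", brief, src)      # disciplined: denied
    return [on_case, off_case, suspended]
```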

But wider implementation must wait on the new, DOD-wide ICAM strategy. Konieczny pointed out that the new strategy is replacing a 2014 document titled Identity and Access Management. Bringing credentialing into the title emphasizes the PKI, he said. “It’s brought [cryptographic] certification into a higher level of visibility.”

Touhill said he hoped the new strategy would be prescriptive only about capabilities. Prescribing specific technologies, he said, was a recipe for being “outdated by the time the policy is out.”