PKI Validation in Large Scale Web Applications — A Case Study

Executive Summary

Over the past decade, technology has enabled government agencies to provide more immediate services to citizens and greater flexibility in meeting their mission objectives. As a result, these agencies have become increasingly dependent on the integrity of their information systems. In recent years, attacks on these systems have grown in size and sophistication, with the Department of Defense (DOD) now suffering more than 5,000 attacks a day on its servers. (1)

Security breaches have plagued nearly every agency, whether through malicious code, stolen data, or compromised IDs and passwords. The government is now fighting back with a renewed focus on cyber security and access control. Chief among these tasks is the move towards a Public Key Infrastructure (PKI) for application and network security. Unlike traditional security models that rely on usernames and passwords, PKI is based on the issuance of public keys that bind digital certificates to a user’s identity and credentials.

Major advantages of PKI include:

  • Centralized X.509 certification – Specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm across government agencies.
  • Elimination of username and password management – Cryptographic public keys preclude problems associated with forgotten or shared login credentials.
  • Revocation of compromised certificates – Certificate Authorities (CA) help agencies to immediately identify and revoke compromised or invalid certificates.

As PKI has matured, so has the application of digital identification cards, known as smart cards. Smart cards store an encrypted digital certificate issued from the CA along with any other relevant information about the card holder. Smart cards are quickly replacing traditional ID badges. A primary mission of PKI is to check whether a user’s digital certificate has been revoked. The certificate-revocation status is what determines whether an application or network grants or denies user access.

Per Joint Task Force Global Network Operations (JTF-GNO), the #1 method of attack on the DoD information network is compromised user IDs and passwords. Homeland Security Presidential Directive (HSPD 1), implemented in the wake of September 11, 2001, mandates a federal standard for secure and reliable forms of identification.

Validating a user’s identity is at the heart of PKI’s effectiveness. Certificate validation software is currently available off-the-shelf from a variety of private companies. These products typically employ a desktop application that transmits HTTP requests to corresponding certificate-status servers whenever a smart card (or other public key) is presented. The server verifies the smart card’s digital certificate against a Certificate Revocation List (CRL)—provided by a principal Certifying Authority—and determines whether the user’s access is granted or denied.

Within a PKI, it is particularly important to ensure certificate validation is performed efficiently to minimize impact to users, networks, and system applications. And while standard off-the-shelf products have proven effective when deployed to smaller systems with relatively limited user volume, larger, more sophisticated systems typically require a more robust solution.

Many large-scale, high-volume systems use sophisticated load-balanced and clustered architectures that deploy applications redundantly across multiple nodes—optimizing availability and failover, while operating as a single virtual machine.

Traditional COTS products, however, require a one-to-one connection between the local application and the externally-hosted CRLs, which load-balanced architectures prevent. As a result, traditional COTS solutions cannot be properly configured for most large-scale systems without negatively impacting availability and performance. While sufficient for small systems and applications, these COTS solutions are not well suited for the high volume demands of large-scale web applications.

Partnet eValidate™ is an ideal solution for large-scale web applications with a large number of users and transactions. eValidate protects government enterprises from potential security breaches by verifying the revocation status of digital certificates within a PKI. eValidate provides enterprises with the flexibility of using CRL and Online Certificate Status Protocol (OCSP) for validation as illustrated in this graphic.

OCSP is a fast, lightweight alternative to traditional CRLs that allows applications to query external certificate-status servers, or OCSP responders, for the status of a single certificate. OCSP responds much faster than CRL downloads—quickly returning a small, signed message stating the certificate’s revocation status. For large-scale systems, Partnet eValidate provides enterprises with faster, more efficient certificate validation processing and greater security protection.

Partnet eValidate Benefits

  • Safeguards applications and networks against potential security breaches from expired or revoked digital certificates.
  • Robust design provides support for backup, load balancing, and failover.
  • Provides agencies with the flexibility to use CRL- or OCSP-based validation, depending on the particular need.
  • Cost Effective. Designed to efficiently plug in and scale to meet a wide range of deployment requirements.
  • eValidate has been proven in one of the government’s largest and most challenging e-commerce transaction environments.

DOD EMALL is the largest eCommerce site built for the U.S. government. It is a highly available system that employs best-in-class practices and utilizes a variety of complex network gear, systems hardware, and software-based clustering to enable redundancy, scaling, and load balancing.

Around the globe, DOD EMALL provides a single-entry point for more than 40,000 registered users to search and purchase from a virtual catalog of over 25 million items. For all of the Department of Defense, system performance and IT security have long been at odds. Large-scale web applications must efficiently deliver products, services, and information to end users, while at the same time, restricting unauthorized access. Faced with this dilemma, the Defense Logistics Agency (DLA) turned to Partnet for a PKI validation solution for the DOD EMALL.

Background

The Federal Bridge Certificate Authority (FBCA) was established to help federal agencies better share information and resources through a more secure, interoperable PKI framework. The Federal Bridge enables department-issued public keys to be cross-certified and accepted throughout the community.

This figure illustrates the FBCA trust model:

In response to the FBCA, the DOD developed Instruction 8520.2, mandating a department-wide PKI to enhance security through authentication, digital signatures, and encryption. The first line of defense was the Common Access Card (CAC), a smart card provided to every user in order to access DOD systems, networks, or facilities.

The CAC—a hard-token public key—carries a non-replicable digital certificate providing:

  • Data integrity and confidentiality
  • User identification and authentication.
  • User non-repudiation

The Challenge

Like every other DOD agency, the DOD EMALL Program Office was directed to provide DOD users access through the CAC, but because DOD EMALL also served a robust audience of users from federal agencies and commercial suppliers, the Program Office was faced with a new PKI challenge. DOD EMALL needed a way to verify access both through the CAC and other FBCA-approved public keys.

Faced with the high-performance security demands of its global user base, the DLA selected Partnet eValidate™ as the solution best able to meet this unique challenge. Partnet solved this complex PKI challenge and has successfully bridged the gap between the DOD and Federal Bridge users on DOD EMALL.

Powered by Partnet eValidate, DOD EMALL is now fully CAC-enabled, and public key access is configured for all Federal Bridge customers. This was accomplished with zero impact to system performance and availability, and in accordance with the strict DOD operating standards.

eValidate’s internal CRL application was implemented to validate regular DOD Common Access Cards. The application automatically retrieves, compiles, and indexes CRLs from a host of trusted CAs into a dedicated file system within the DOD EMALL login module. The file system is available throughout the load balanced cluster, allowing user CACs to be checked against the indexed file system from any node within the system. eValidate’s internal server-side CRL application provides virtually seamless login and certificate-revocation processing—transparent to users and without impact to system performance and availability.

While an efficient certificate revocation method for regular DOD users, the internal CRL application was not a practical solution for validating the external certificates (i.e., VeriSign, IdenTrust, etc.) used by DOD’s Federal and commercial partners. Instead, eValidate’s OCSP web service was enabled for these user groups.

Using standard HTTP, the login module transmits an encoded OCSP query to a corresponding OCSP responder for each external public key presented (i.e., LincPass, HSPD-12 cards). The OCSP responder checks the public key’s digital certificate and returns the revocation status to DOD EMALL in real-time. The Federal Bridge user is then granted or denied access, as appropriate.

Too many simultaneous OCSP queries can undermine network performance, however, which is why Partnet configured this solution for Federal Bridge users—representing only a small fraction of the DOD EMALL user base. As use of PKI broadens and more external partners are brought into DOD EMALL’s user base, eValidate’s OCSP implementation can be scaled using client-side plug-ins (e.g., Tumbleweed) already approved by the Joint Interoperability Test Command (JITC), or by locally caching certification-revocation data.
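The two validation paths described above (a CRL index on a file system shared by every cluster node, and per-certificate OCSP queries with local caching) can be sketched as follows. This is an added example, not Partnet's code or part of the original paper; the issuer IDs, hex serial strings, JSON index layout, and the `query` callable standing in for a real OCSP client are all assumptions, and denying on an "unknown" status is this example's policy choice.

```python
import json
import os
import tempfile

def publish_index(shared_dir, issuer_id, revoked_serials, next_update):
    """Write one issuer's CRL index atomically so no node reads a partial file."""
    body = {"next_update": next_update, "revoked": sorted(revoked_serials)}
    fd, tmp = tempfile.mkstemp(dir=shared_dir)
    with os.fdopen(fd, "w") as fh:
        json.dump(body, fh)
    os.replace(tmp, os.path.join(shared_dir, issuer_id + ".json"))

def crl_status(shared_dir, issuer_id, serial, now):
    """Return 'good', 'revoked' or 'unknown' (no index, or index past nextUpdate)."""
    try:
        with open(os.path.join(shared_dir, issuer_id + ".json")) as fh:
            idx = json.load(fh)
    except FileNotFoundError:
        return "unknown"
    if now >= idx["next_update"]:
        return "unknown"  # stale CRL: absence from the list proves nothing
    return "revoked" if serial in idx["revoked"] else "good"

class OcspCache:
    """Caches responder answers until their nextUpdate (hypothetical helper)."""
    def __init__(self, query):
        self.query, self.entries, self.lookups = query, {}, 0

    def status(self, issuer_id, serial, now):
        hit = self.entries.get((issuer_id, serial))
        if hit and now < hit[1]:
            return hit[0]  # still fresh: no network round trip
        self.lookups += 1
        try:
            status, next_update = self.query(issuer_id, serial)
        except OSError:
            return "unknown"  # responder unreachable: never cache a failure
        self.entries[(issuer_id, serial)] = (status, next_update)
        return status

def allow_login(shared_dir, ocsp, internal_issuers, issuer_id, serial, now):
    """Internal issuers use the shared CRL index, others OCSP; only 'good' passes."""
    if issuer_id in internal_issuers:
        status = crl_status(shared_dir, issuer_id, serial, now)
    else:
        status = ocsp.status(issuer_id, serial, now)
    return status == "good"
```

Caching trades responder load for a revocation-latency window: a certificate revoked after its status was cached remains accepted until the cached response's nextUpdate passes.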

Partnet eValidate can be applied to any large-scale system using a load-balanced, clustered architecture. eValidate is also highly configurable to meet the unique system requirements and operating conditions of diverse applications and network environments.

As PKI continues to expand within federal, DOD, and commercial enterprises, the need for large-scale, high-volume web applications to balance the complex security/performance equation will become more acute. eValidate picks up where standard, commercial products fall short—providing optimized performance and networking, while ensuring the robust security environment that federal and DOD agencies depend on to meet their day-to-day needs and fulfill mission objectives.

Simply put, eValidate is the smart PKI-solution for the federal government.

1 Source: “Cyber Insecurity: U.S. Struggles to Confront Threat” by Tom Gjelten, NPR News, April 6, 2010