PKI Security in Large Scale Web Applications – Part 5: The Solution and the Result

This final part of our series on PKI security in large scale web applications looks at how eValidate was able to accommodate the unique, high performance demands of the DOD EMALL.

Powered by Partnet eValidate, DOD EMALL is now fully CAC-enabled, and public key access is configured for all Federal Bridge customers. This was accomplished with zero impact to system performance and availability, and in accordance with the strict DOD operating standards.

eValidate’s internal CRL application was implemented to validate regular DOD Common Access Cards. The application automatically retrieves, compiles, and indexes CRLs from a host of trusted CAs into a dedicated file system within the DOD EMALL login module. The file system is available throughout the load-balanced cluster, allowing user CACs to be checked against the indexed file system from any node within the system. eValidate’s internal server-side CRL application provides virtually seamless login and certificate-revocation processing, transparent to users and without impact to system performance and availability.
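An added example (not Partnet or eValidate code) of the pattern this paragraph describes: a CRL is fetched, its signature is verified against the issuing CA, and its revoked serials are indexed so that a presented certificate can be checked with a single lookup on any node. The CA, CRL and leaf certificate are constructed in-process so the check runs offline; in a real deployment the CRL bytes would come from the CA's distribution point and the index would live on the shared file system.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CRLIndex holds an "issuer DN|serial" key for every revoked entry; an in-memory
// stand-in for the indexed CRL file system described above (added example).
type CRLIndex map[string]bool

func key(issuer pkix.Name, serial *big.Int) string { return issuer.String() + "|" + serial.String() }

// AddCRL parses a DER CRL and verifies its signature against the issuing CA before
// indexing it: a tampered or unsigned list must never populate the index.
func (idx CRLIndex) AddCRL(der []byte, issuer *x509.Certificate) error {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		idx[key(issuer.Subject, rc.SerialNumber)] = true
	}
	return nil
}

// Revoked is the per-login check: is the presented certificate listed by its issuer?
func (idx CRLIndex) Revoked(cert *x509.Certificate) bool { return idx[key(cert.Issuer, cert.SerialNumber)] }

// demoIndex builds a constructed CA, a CRL revoking serial 42 and a leaf certificate
// with the given serial; intermediate errors are ignored for brevity.
func demoIndex(leafSerial int64) (CRLIndex, *x509.Certificate, error) {
	now := time.Now()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, pub, priv)
	ca, _ := x509.ParseCertificate(caDER) // parsed copy carries the SubjectKeyId the CRL signer needs
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}}}, ca, priv)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(leafSerial), Subject: pkix.Name{CommonName: "user"}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, pub, priv)
	leaf, _ := x509.ParseCertificate(leafDER)
	idx := CRLIndex{}
	return idx, leaf, idx.AddCRL(crlDER, ca)
}
```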

While an efficient certificate-revocation method for regular DOD users, the internal CRL application was not a practical solution for validating the external certificates (i.e., VeriSign, IdenTrust, etc.) used by DOD’s Federal and commercial partners. Instead, eValidate’s OCSP web service was enabled for these user groups.

Using standard HTTP, the login module transmits an encoded OCSP query to a corresponding OCSP responder for each external public key presented (i.e., LincPass, HSPD-12 cards). The OCSP responder checks the public key’s digital certificate and returns the revocation status to DOD EMALL in real time. The Federal Bridge user is then granted or denied access, as appropriate.

Too many simultaneous OCSP queries can undermine network performance, however, which is why Partnet configured this solution for Federal Bridge users—representing only a small fraction of the DOD […]

PKI Security in Large Scale Web Applications – Part 4: Case Study of DOD EMALL

This part of our series on PKI security in large scale web applications examines the challenge the DOD EMALL faced in implementing PKI.

DOD EMALL is the largest eCommerce site operating within the US Government. It is a highly available system that employs best-in-class practices and utilizes a variety of sophisticated networking and systems hardware, alongside software-based clustering to enable redundancy, scaling, and load balancing.

Around the globe, DOD EMALL provides a single-entry point for more than 30,000 registered users to search and purchase from a virtual catalog of over 66 million items.

Within the Department of Defense, system performance and IT security have long been at odds. Large-scale web applications must efficiently deliver products, services, and information to end users, while at the same time, restricting unauthorized access. Faced with this dilemma, the Defense Logistics Agency (DLA) turned to Partnet for a PKI security solution for the DOD EMALL.

Background

The Federal Bridge Certificate Authority (FBCA) was established to help federal agencies better share information and resources through a more secure, interoperable PKI framework. The Federal Bridge enables department-issued public keys to be cross-certified and accepted throughout the community. The following diagram helps illustrate the FBCA trust model.

In response to the FBCA, the DOD developed Instruction 8520.2, mandating a Department-wide PKI policy to enhance security through authentication, digital signatures, and encryption. The first line of defense was the Common Access Card (CAC) — a smart card provided to DOD service members, civilians, and contractors in order to access restricted systems, networks, and facilities.

The CAC—a hard-token public key—carries a non-replicable digital certificate providing:

Data integrity and confidentiality
User identification and authentication
User non-repudiation

The Challenge

Like every other DOD agency, the DOD EMALL Program Office was directed to provide DOD users access through the CAC, but […]

PKI Security in Large Scale Web Applications – Part 3: Partnet eValidate

This part of our series on PKI security in large scale web applications examines how the new Partnet eValidate solution effectively satisfies the unique PKI demands of large scale web applications.

Partnet eValidate™ is an ideal solution for large-scale web applications with a large number of users and transactions. eValidate protects government enterprises from potential security breaches by verifying the revocation status of digital certificates within a PKI. eValidate provides enterprises with the flexibility of using CRL and Online Certificate Status Protocol (OCSP) for validation as illustrated in this graphic.

OCSP is a fast, lightweight alternative to traditional CRLs that allows applications to query external certificate-status servers, or OCSP responders, for the status of a single certificate. OCSP responds much faster than CRL downloads—quickly returning a small, signed message stating the certificate’s revocation status. For large-scale systems, Partnet eValidate provides enterprises with faster, more efficient certificate validation processing and greater security protection.

Partnet eValidate Benefits

Security. Safeguards applications and networks against potential security breaches from expired or revoked digital certificates.
Reliability. Robust design provides support for backup, load balancing, and failover.
Versatility. Provides agencies with the flexibility to use CRL- or OCSP-based validation according to the particular need.
Cost Effective. Designed to efficiently plug in and scale to meet a wide range of deployment requirements.
Proven. eValidate has been proven in one of the government’s largest and most challenging e-commerce transaction environments.

The next installment in this series will look at how Partnet eValidate was able to solve the PKI security challenges faced by the DOD EMALL, one of the largest Government eCommerce sites.
