With the advent of the Trusted Platform Module (TPM) we can now leverage standard mature Commercial Off-The-Shelf (COTS) components that have been proven in the technology market place that will drive the Medium Hardware Assurance authentication to the workstation. By applying fully programmable Application-Specific Integrated Circuit (ASIC) technology (developed for use in peripherals, such as smart card readers and/or keyboards, for authentication to trusted systems or applications) a “smart reader” can be used to perform dual authentication and validation between a Medium Hardware Assurance identity certificate and a device’s certificate protected by the TPM.
The TPM can also be used to protect multiple attribute certificates assigned to a single user (as may be the case where a single user requires multiple access identities for separate domain controller servers). The user authenticating to the workstation with a Government approved digital certificate (on a smart card) would gain access to their key store protected by the TPM – the private keys associated with various certificates containing the attributes required to access particular domain controllers. When the user attempts to access the administration of a domain controller, the user presents the certificate with the appropriate attributes for access to that particular controller.
Since certain TPM devices have a FIPS 140-2 Level 2 or higher certification the attribute certificates protected by the TPM could be evaluated to meet the DoD Medium Hardware Assurance level and/or E-Authentication Level 4 assurance equivalent to the CAC and PIV protected certificates levels of assurance.
The digital certificates used to accomplish this can be issued from any DoD compliant PKI (the DoD PKI or ECA) or other Federal PKI, maintaining interoperability with any other agency or organization choosing to accept the Federal Root Certificates, within an established risk sharing environment that enforces accountability, providing the following advantages:
With each Trusted Third Party (“CAs”) that its procedures are implemented in accordance with a Government approved Certificate Policy and Certificate Practice Statement, and that any issued certificates that assert the policy OIDs and associated CRLs, are issued in accordance with the stipulations of these documents.
With each Subscriber and the Subscriber’s sponsoring organization to accurately represent themselves in all communications with the PKI and to properly handle and protect the certificates issued to them.
With each relying party to determine that the level of assurance provided by the certificate is adequate to protect the application based upon the intended use and to check for certificate revocation prior to reliance.
By hosting the PKI authenticated workstations in a network-level Common IA Enabling Infrastructure (CIEI), that includes a directory and a validator, each workstation can be configured to trust multiple PKIs.
To deploy digital certificates, WidePoint can assist with the processes required to issue DoD PKI to internal DoD employees and External Certificate Authority certificates to contractors and trading partners. With either the DoD or ECA PKIs, WidePoint can assist you with establishing your own internal registration capability, leveraging an existing capability, or in the case of ECA, provide a temporary, onsite registration capability.