What is Public Keying Infrastructure?
One of the key components to any of the CSfC capability programs is the use of Public Keying Infrastructure (PKI). You have undoubtedly experienced this when using the web and seeing a ‘pop-up’ about a certificate. Normal government encryption uses symmetric keys, i.e. the same key is used on both sides using a single key for government ‘type’ encryptors. With PKI, an asymmetric key is used with a public key and private keys used. The PKI architecture that a government customer must develop includes root certificate authority which is maintained but is offline from the network and enterprise certificate authorities which provides the keys for servers and clients. Within the government sector, customers use their Common Access Cards (CAC) to access their NIPRnet. The CAC has a ‘certificate’ embedded which is authenticated through enterprise servers on the NIPR network. Within the CSfC capability packages using the dual tunnel architecture, the government customer needs to understand the nuances of a PKI architecture for both tunnels.
Within the CSfC architecture there are always three networks referenced – Black, Gray, and Red. The Red network is the classified network being supported which means it has no encryption, the Black network is the transport which requires both encrypted tunnels, and the Gray network terminates one of the encryption tunnels, therefore only having a single encryption for the data. The take away point is that a customer needs to be away of the additional network ‘Gray’ that must be created and consider the additional management/manpower that may be involved. MAG has identified this and worked with the CSfC on the ‘Enterprise Gray Network’ concept in part working on the overall management of this new network.