The Department of Defense (DoD) may have overcome a major barrier to implementing a secure, government-wide credential for physical and logical access: Validating transactions conducted through a secure public key infrastructure (PKI).

In February, the DoD selected CoreStreet, Cambridge, Mass., and Tumbleweed Communications Corp., Redwood City, Calif., to provide technology to validate digital certificates issued in the PKI component of the DoD's Identity Protection and Management Program, which includes the Common Access Card (CAC) program. The selection capped a 12-month pilot program testing validation technology supplied by 11 vendors.

“DoD has selected these two vendors as part of a Robust Certificate Validation Service, applying to all public key-enabled information transactions,” says Gilbert C. Nolte, director of the DoD-PKI Program Management Office.

Access control systems, whether physical or logical, require authentication and validation. Authentication proves that a credential belongs to the person presenting it. Validation proves that a credential's owner has permission to do something.

In a conventional access control system, a cardholder might authenticate by presenting a card to a reader and tapping in a personal identification number or PIN. The card reader can then check with a local database to validate or prove that the cardholder has permission to enter a department or to use a computer.

As organizations grow larger and security requirements grow stricter, however, conventional systems break down. The DoD, for example, employs 3.5 million people and has extremely sensitive security needs. It might take minutes for a system to search servers containing data on millions of people to authenticate a card swipe and a PIN. Minutes are too much time when an individual simply wants to go through a door or send e-mail. Validation adds more time to these transactions.

The DoD CAC card has adopted public key infrastructure (PKI) to streamline the authentication and validation processes.

PKI systems assign digital certificates to cardholders. Certificates contain two unique, but related, numbers called keys. One number is a public key. The other is a private key. Both reside on a smart card. When an individual presents a card to a reader, the system reads the public key. The private key, embedded in a chip on the credential, remains secret.

Next, the reader generates a random number and encrypts it with the public key. If the card is authentic, the relationship between the public and private keys allows the chip on the card to use the private key to decrypt the number. This is called one-factor authentication. PINs and biometrics can enhance PKI authentication. Because the reader need not access a database to authenticate a card, the process moves swiftly.

“Authorization proves an individual's identity, but that's not good enough,” says Phil Libin, president of CoreStreet. “A PKI system must also validate that a credential holder hasn't been fired or had his or her permission to do something revoked.”

According to Nolte, DoD has been relying on a Certificate Revocation List (CRL) for validation. Under this plan, the access system downloads the CRL and checks it against the credential. Currently, DoD requires that e-mail be digitally signed in order to validate the authenticity of a message. With 3.5 million employees sending e-mail, the CRL has grown to more than 30 megabytes of data stored on a single central secure server. Downloading the CRL can take an hour — too long to send e-mail.

“DoD considered installing hundreds of local secure servers around the world to solve this problem,” Libin says. “But that would have cost over $100 million per year in infrastructure, and no one could guarantee security.”

CoreStreet and Tumbleweed have designed an elegant solution to the problem called Distributed Online Certificate Status Protocol (D-OCSP). Essentially, the system asks a local server connected to the secure CRL server to validate a transaction. The local server queries the main secured server and obtains a simple yes or no. The process takes 65 milliseconds. And since no sensitive data is stored on a local server, expensive security is unnecessary. According to Libin, the cost of D-OCSP is only a few million dollars per year.