DoD PKI Automatic Key Recovery - MilitaryCAC


DoD PKI Automatic Key Recovery
Philip Noble, (520) 538-7608 or DSN 879-7608, philip.noble@us.army.mil
U.S. Army Information Systems Engineering Command, Fort Huachuca, AZ 85613-5300
ISEC: Excellence in Engineering

The Problem
One problem in the past with the DoD PKI infrastructure was the inability to recover Common Access Card (CAC) private encryption keys and certificates that were either expired or revoked. This becomes necessary when a CAC is lost and its certificates are revoked, or when a CAC and the certificates it contains simply expire and the card is surrendered to DEERS/RAPIDS before the user's encrypted emails have been decrypted.
An Auto Key Recovery capability has been fielded by DISA to permit holders of new CACs to retrieve encryption keys/certificates from previous cards to permit decryption of old email.

The Solution: Steps to Recover Private Encryption Keys
The following slides identify steps to recover private encryption keys, escrowed by DISA, from CACs that do not have the "Auto Key Recovery" functionality.

URL for Key Recovery
https://ara-2.c3pki.den.disa.mil/ara/Key
This is the Automatic Key Recovery URL.
Note: The URL address shown above is case sensitive. When you go to this link, you must identify yourself with PKI credentials. Use ONLY your identity certificate!

At this time, open the URL https://ara-2.c3pki.den.disa.mil/ara/Key

Choose Your CAC Identity Certificate
You will be prompted to identify yourself. Highlight your Identification Certificate from your CAC. Select it by clicking "OK".
Note: Do NOT choose any that contain the word "EMAIL" in the Issuer column.

Warning Banner
Dismiss the warning by clicking "OK".

Processing Your Request
The Automated Key Recovery Agent will compile a list of Recoverable Keys. Please wait.

Key Selection
Browse through the list and locate the appropriate key you want to recover. When located, click the adjacent "Recover" button.

Acknowledgement of DoD Subscriber
Select "OK".

Processing Request
The Automated Key Recovery Agent is processing your request. Please wait.

One-time PIN
This is your one-time PIN to access your Private Encryption Key if it's saved as a separate file. Also, you will find instructions for both Netscape and Internet Explorer web browsers.

Installing the Certificate
You will be given the opportunity to install the certificate; click "Open".

Installing the Certificate (Cont'd)
Click "Next".

Installing the Certificate (Cont'd)
Click "Next".

Installing the Certificate (Cont'd)
Leave the check blocks unchecked, enter your Password, and click "Next".

Installing the Certificate (Cont'd)
Ensure that "Automatically select the certificate store based on the type of certificate" is selected (as shown above) and click "Next".

Installing the Certificate (Cont'd)
Click "Finish".

Installing the Certificate (Cont'd)
Click "Set Security Level".

Installing the Certificate (Cont'd)
Select "High" and "Next".

Installing the Certificate (Cont'd)
Enter your CAC PIN as a Password and click "Finish".
Note: Vista requires a 14 character password for this step.

Installing the Certificate (Cont'd)
Click "OK".

Installing the Certificate (Cont'd)
Click "OK".

Verifying the Download
You can verify the successful download of your recovered Private Encryption Key by performing the following: launch Internet Explorer, select "Tools" from the menu, and then "Internet Options".

Verifying the Download (Cont'd)
Click the "Content" tab. Now, click "Certificates".

Verifying the Download (Cont'd)
Select the "Personal" tab and you will see a list of your currently registered certificates, including the recovered new key certificate.

Verifying the Download (Cont'd)
Double-click on the certificate and you can view the specifics of your recovered key (or other current keys) as illustrated above.

Success
Close the open window; you may now use the recovered key to access your encrypted email.
Last Step: Delete the .P12 file from your computer, as this is a security vulnerability and will be detected in a Qtip scan.
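
The last step above, deleting the downloaded .P12 file, is exactly what a periodic scan looks for. The Python below is an added example, not part of the original slides or of any DISA/ISEC tool: it walks a directory tree for leftover PKCS#12 bundles (the .p12/.pfx suffix list is this example's assumption; the slides only mention ".P12"), confirms each candidate begins with the DER SEQUENCE tag that a PFX file starts with, deletes only those, and reports anything else carrying the suffix. The demo() function builds a constructed temporary folder so the whole thing runs offline.

```python
import tempfile
from pathlib import Path

# Suffixes under which the exported private-key bundle is typically saved.
# Assumption of this example: the slides only mention ".P12".
PKCS12_SUFFIXES = {".p12", ".pfx"}


def looks_like_der(path: Path) -> bool:
    """A PKCS#12 (PFX) bundle is DER encoded, so its first byte is the ASN.1 SEQUENCE tag 0x30."""
    with path.open("rb") as fh:
        return fh.read(1) == b"\x30"


def find_leftover_bundles(root) -> list[Path]:
    """Walk root and return every file whose suffix marks a PKCS#12 bundle, sorted by path."""
    return sorted(
        p for p in Path(root).rglob("*")
        if p.is_file() and p.suffix.lower() in PKCS12_SUFFIXES
    )


def remove_leftover_bundles(root, dry_run: bool = True) -> dict[str, list[str]]:
    """Report (and, unless dry_run, delete) leftover bundles.

    Files that carry a .p12/.pfx suffix but do not start with a DER SEQUENCE tag are
    listed under "suspicious_suffix" instead of being deleted blindly.
    """
    report: dict[str, list[str]] = {"removed": [], "would_remove": [], "suspicious_suffix": []}
    for p in find_leftover_bundles(root):
        if not looks_like_der(p):
            report["suspicious_suffix"].append(str(p))
            continue
        if dry_run:
            report["would_remove"].append(str(p))
        else:
            p.unlink()
            report["removed"].append(str(p))
    return report


def demo() -> dict:
    """Build a constructed user-profile tree with a leftover bundle and run the cleanup on it."""
    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp) / "Downloads"
        downloads.mkdir()
        # Constructed stand-in for the recovered key bundle: a DER SEQUENCE header, not a real key.
        (downloads / "recovered_key.P12").write_bytes(b"\x30\x82\x01\x00" + b"\x00" * 16)
        # A text file someone renamed to .pfx: suffix matches but it is not DER, so it is only reported.
        (downloads / "notes.pfx").write_text("not a key bundle")
        # Unrelated file that must be left alone.
        (downloads / "readme.txt").write_text("keep me")

        before = [p.name for p in find_leftover_bundles(tmp)]
        report = remove_leftover_bundles(tmp, dry_run=False)
        after = [p.name for p in find_leftover_bundles(tmp)]
        return {
            "before": before,
            "removed": [Path(p).name for p in report["removed"]],
            "suspicious": [Path(p).name for p in report["suspicious_suffix"]],
            "after": after,
            "readme_kept": (downloads / "readme.txt").exists(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it with dry_run=True first against a real profile directory to see what would be removed; the DER check keeps the script from deleting a file that merely carries the suffix.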

Recovery Notification Example
A user has attempted to recover a key using the Automated Key Recovery Agent. The ID Certificate used for Authentication was: CN NOBLE.PHILIP.EUGENE.1184204718,OU USA,OU PKI,OU DOD,O U.S. GOVERNMENT,C US, Serial: 0x0B5643, Issuer: DOD CLASS 3 CA-5. The key that was recovered was: CN NOBLE.PHILIP.EUGENE.1184204718,OU USA,OU PKI,OU DOD,O U.S. GOVERNMENT,C US, Serial: 0x0C8747, Issuer: DOD CLASS 3 EMAIL CA-3.
If you did not perform this operation, please contact your local key recovery agent and ask that they check the logs for the key recovery at Fri Jul 01 16:48:12 GMT 2005 with session ID b9727.
You will receive an email from PKI ChambersburgProcessingElement@csd.disa.mil with a subject "ALERT! Key Recovery Attempt Using Automated Key Recovery Agent", similar to the above Recovery Notification example, notifying you of your recovery action.
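
Two checks the slides describe can be automated from the notification text above: the rule on the "Choose Your CAC Identity Certificate" slide (authenticate only with the certificate whose Issuer does not contain "EMAIL") and a first triage of the alert email itself. The Python below is an added example, not from the original slides or from DISA's Automated Key Recovery Agent; it parses the notification exactly as printed on the slide (embedded as sample input), extracts both certificate references, the session ID and the timestamp, and reports anything that does not match the expected pattern. The field layout it assumes is the one shown; the CN-mismatch check is this example's own heuristic, not something the slides state.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# The recovery-notification text as printed on the slide, used here as sample input.
SAMPLE_NOTIFICATION = """A user has attempted to recover a key using the Automated Key
Recovery Agent. The ID Certificate used for Authentication was:
CN NOBLE.PHILIP.EUGENE.1184204718,OU USA,OU PKI,OU DOD,O U.S. GOVERNMENT,C US, Serial: 0x0B5643, Issuer: DOD CLASS 3 CA-5. The key that was recovered was:
CN NOBLE.PHILIP.EUGENE.1184204718,OU USA,OU PKI,OU DOD,O U.S. GOVERNMENT,C US, Serial: 0x0C8747, Issuer: DOD CLASS 3 EMAIL CA-3.
If you did not perform this operation, please contact your local key
recovery agent and ask that they check the logs for the key recovery at
Fri Jul 01 16:48:12 GMT 2005 with session ID b9727."""

# Field layout assumed from the slide: "<DN>, Serial: 0x..., Issuer: <CA name>."
CERT_RE = re.compile(r"(CN .+?), Serial: (0x[0-9A-Fa-f]+), Issuer: ([^.]+)\.")
WHEN_RE = re.compile(r"key recovery at\s+(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} GMT \d{4})")
SESSION_RE = re.compile(r"session ID (\w+)")


def is_identity_cert_issuer(issuer: str) -> bool:
    """Slide rule for the certificate prompt: the identity certificate is the one
    whose Issuer column does NOT contain the word EMAIL."""
    return "EMAIL" not in issuer.upper()


@dataclass(frozen=True)
class CertRef:
    subject: str   # DN as rendered in the notification, e.g. "CN ...,OU USA,...,C US"
    serial: int    # certificate serial number (hex in the text)
    issuer: str    # issuing CA name

    @property
    def cn(self) -> str:
        # The first RDN in the notification's rendering is "CN <value>".
        return self.subject.split(",", 1)[0].removeprefix("CN ").strip()


@dataclass(frozen=True)
class RecoveryEvent:
    auth_cert: CertRef      # certificate used to authenticate to the agent
    recovered_key: CertRef  # encryption certificate whose private key was released
    when: datetime
    session_id: str


def parse_notification(text: str) -> RecoveryEvent:
    """Extract the two certificate references, timestamp and session ID from an alert."""
    certs = [
        CertRef(m.group(1).strip(), int(m.group(2), 16), m.group(3).strip())
        for m in CERT_RE.finditer(text)
    ]
    if len(certs) != 2:
        raise ValueError(f"expected 2 certificate references, found {len(certs)}")
    when_m, sess_m = WHEN_RE.search(text), SESSION_RE.search(text)
    if when_m is None or sess_m is None:
        raise ValueError("notification is missing the timestamp or session ID")
    when = datetime.strptime(when_m.group(1), "%a %b %d %H:%M:%S GMT %Y")
    return RecoveryEvent(certs[0], certs[1], when.replace(tzinfo=timezone.utc), sess_m.group(1))


def triage(event: RecoveryEvent) -> list[str]:
    """Return findings a user or key recovery agent should look at; an empty list means routine."""
    findings = []
    if not is_identity_cert_issuer(event.auth_cert.issuer):
        findings.append("authenticated with an EMAIL certificate instead of the identity certificate")
    if is_identity_cert_issuer(event.recovered_key.issuer):
        findings.append("recovered certificate was not issued by an EMAIL CA, so it is not an encryption key")
    # Heuristic of this example only: the slides describe recovering one's own previous keys.
    if event.auth_cert.cn != event.recovered_key.cn:
        findings.append("subject CN of the recovered key differs from the authenticating identity")
    return findings


if __name__ == "__main__":
    ev = parse_notification(SAMPLE_NOTIFICATION)
    print(f"session {ev.session_id} at {ev.when.isoformat()}")
    print(f"auth: {ev.auth_cert.cn} serial {ev.auth_cert.serial:#x} issuer {ev.auth_cert.issuer}")
    print(f"recovered: serial {ev.recovered_key.serial:#x} issuer {ev.recovered_key.issuer}")
    print("findings:", triage(ev) or "none")
```

For the slide's own notification the triage returns no findings: the authenticating certificate comes from DOD CLASS 3 CA-5 (no "EMAIL"), the recovered key from DOD CLASS 3 EMAIL CA-3, and both carry the same CN. The session ID and GMT timestamp are what the local key recovery agent needs to pull the matching log entry.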

POC for Additional Information
Philip E. Noble, USAISEC, Information Assurance and Security Engineering Directorate (IASED)
DSN 879-7608, CML 520-538-7608, FAX DSN 879-8709
CML noble@conus.ds.army.smil.mil
