What is NATO PKI and what does it do?
A Public Key Infrastructure is a combination of policies, procedures, and computer hardware and software products that provides a controlled framework for managing private and public key pairs. An effective Public Key Infrastructure is primarily a matter of management rather than technology alone. A PKI also issues and distributes Public-Key Certificates.
A Public-Key Certificate is an electronic data structure that binds an entity (e.g. a user or a server) to a public key, under the signature of a Certification Authority (CA). Public keys must be published and highly available, but unauthorised changes to a published public key must be prevented: otherwise an attacker could replace a recipient's public key with their own, and the sender would then mistakenly encrypt the message for the attacker instead of for the intended recipient. Many of the regulations, means, and infrastructure installations of a PKI exist to protect the authenticity and integrity of the public keys, so that a relying party can check the CA's signature over a certificate and detect such a substitution.
(The lack of approved) Smart Cards
Since the start of the NATO PKI, NATO has had to use non-approved tokens / smart cards for the storage of digital certificates, because no smart card or token has yet been approved for use within NATO.
Presently there are several large ongoing projects which require smart cards for the storage of digital certificates. Smart cards will be used for both physical and logical access.
NCIA NIATC has compiled a list of smart cards which meet the requirements set in NATO and NPKI documents. The NATO C3 Board has sent a letter, with the list of smart cards attached, to the 28 NATO Nations, requesting that the nations approve one or more smart cards from the list for NATO use. More information is available upon request.
Purpose of NATO PKI
To support Intra-NATO and NATO-to-Nations communications, NATO is developing a Public Key Infrastructure (PKI) called NATO PKI (NPKI). The NPKI is a framework of services for the management of public-key certificates, which in turn enable secure communications based on integrity and authenticity/authentication among NATO organisations and between NATO and other organisations and countries.
NATO PKI Security Audit
The NATO PKI systems (NU/NR and NS) were audited in October 2013. All shortcomings identified have been resolved by the NCIA Cyber Security Service Line. The compliance audit was carried out by the NCI Agency on behalf of the NPMA.
NATO PKI History
The first NATO PKI Ad-hoc Working Group met in April 1998. The PKI for the NU/NR network has been operational since Q4 2006. NCIA has hosted the NPKI for the NS network since 2010.
In 2012 - 2013 NCIA will host the NPKI for the NATO Messaging System (NMS); this specific PKI is dedicated to the NMS and will only provide PKI services during NMS phase 1. All present NPKI systems are considered an interim solution; NCIA is developing a Type B Cost Estimate (TBCE) for the definitive NPKI. Phase two of the NMS will make use of the new NATO Public Key Infrastructure.
Microsoft Root CA Program
Currently NATO is working on the inclusion of the NATO Root CA certificate in the Microsoft Root CA program. Once accepted, Windows distributes the NATO Root CA certificate automatically to the Trusted Root Certification Authorities store on end-user terminals, so that browsers trust NATO web sites (which are secured with a NATO Secure Socket Layer (SSL) certificate) without any manual installation.
What is SSL?
SSL (and its successor, TLS) provides an encrypted, server-authenticated connection between the end-user's terminal and the web server: the server presents its certificate, and the browser checks that the certificate chains to a root in the terminal's certificate store and that it was issued for the host name being visited. If the NATO Root CA certificate is not in that store, the browser cannot distinguish a genuine NATO web site from an impostor and will show a certificate warning. To provide secure communication with NATO secured web sites before the Microsoft Root CA program is effective, NCIA has an interim solution: click on the "Installing NATO ROOT CA Certificate" button and follow the instructions. Note that installing a root certificate by hand means trusting every certificate it issues, so confirm the certificate's fingerprint through a channel you already trust before installing it.
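Worked example, added here and not part of the original page or of NCIA's own tooling, covering both the key-substitution attack described under "What is NATO PKI" and the root-installation question above. The Go program below plays the Root CA: it self-signs a hypothetical root ("Demo Root CA") and issues a server certificate for a made-up host (www.demo.example); the names and the use of ECDSA P-256 keys are assumptions, not NATO values. It then verifies the server certificate the way a browser does, three times: with the root installed in the trust store, with no root installed (the situation before the Microsoft Root CA program or the interim manual installation takes effect), and with the root installed but the server's public key overwritten inside the certificate by an attacker's key (the substitution simulated by patching the DER bytes). Only the first verification succeeds; the other two fail with an unknown-authority error, because no trusted root vouches for the certificate or the CA's signature no longer covers the presented key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names for the demo; they are assumptions, not real NATO identifiers or hosts.
const demoRootName, demoServerName = "Demo Root CA", "www.demo.example"

func must[T any](v T, err error) T { // panics on err: the constructed inputs below cannot legitimately fail
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with signer (the private key of parent) and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// newDemoPKI plays the Root CA: self-sign a root, then sign a server certificate binding demoServerName to the server's key.
func newDemoPKI() (root, server *x509.Certificate, serverKey *ecdsa.PrivateKey) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serverKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: demoRootName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	serverTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: demoServerName},
		DNSNames:     []string{demoServerName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return root, issue(serverTmpl, root, &serverKey.PublicKey, rootKey), serverKey
}

// trustStore mimics the certificate store of a terminal on which the given roots are installed.
func trustStore(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return pool
}

// verifyServer does what a browser does for an SSL/TLS site: chain the presented certificate to a trusted root for the expected host name.
func verifyServer(cert *x509.Certificate, store *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: store, DNSName: demoServerName})
	return err
}

// substitutedKeyCert models the attack in the text: the attacker overwrites the server's public key inside the certificate with their own.
func substitutedKeyCert(server *x509.Certificate, serverKey *ecdsa.PrivateKey) *x509.Certificate {
	attacker := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	genuine := must(x509.MarshalPKIXPublicKey(&serverKey.PublicKey))
	forged := must(x509.MarshalPKIXPublicKey(&attacker.PublicKey))
	at := bytes.Index(server.Raw, genuine)
	if at < 0 || len(forged) != len(genuine) {
		panic("public key not found in certificate DER")
	}
	tampered := append([]byte(nil), server.Raw...)
	copy(tampered[at:], forged)
	return must(x509.ParseCertificate(tampered)) // parses fine; only the CA signature no longer matches
}

// isUnknownAuthority reports whether verification failed because no trusted root vouches for the certificate.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	root, server, serverKey := newDemoPKI()
	fmt.Println("root installed, genuine certificate:    ", verifyServer(server, trustStore(root)))
	fmt.Println("root not installed, genuine certificate:", verifyServer(server, trustStore()))
	fmt.Println("root installed, public key substituted: ", verifyServer(substitutedKeyCert(server, serverKey), trustStore(root)))
}
```

Run it with go run; it uses only Go's standard crypto/x509 and needs Go 1.18 or later for the generic must helper. The second case is the operational point of the root-distribution effort: until the root certificate is in the terminal's store, a genuine certificate produces the same warning as a forged one, which trains users to click through warnings that, in the third case, are the only thing standing between them and the attacker.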
Logical and Physical Access Proof of Concept – Pilot
NCIA NIATC is conducting a relatively small (20 users) PoC – Pilot to showcase the use of a single smart card to access buildings / rooms (physical access), to access network carriers (Wi-Fi, with access controlled on the basis of digital certificates), to authenticate to a Virtual Private Network, and to use the credentials stored on the smart card for access to the workstation (Windows logon) and for S/MIME (Secure / Multi-Purpose Internet Mail Extensions).