DISA makes strides toward next generation of authentication

The Defense Information Systems Agency’s (DISA) assured identity initiatives seek to establish and continuously validate a digital identity, enabling the Department of Defense to better identify individuals and devices attempting to gain access to its information systems, and to support the move toward a mobile-centric environment.

Jeremy Corey, chief of the agency’s of Cyber Innovation Division, provided an overview of the initiatives during a presentation at the 2018 Armed Forces Communications and Electronics Association’s Defensive Cyber Operations Symposium in Baltimore May 16.

Assured identity assigns strongly associated attributes to an individual or trusted device.

Currently, the Common Access Card (CAC), instituted throughout DOD in 2000, is the primary means to verify an individual’s identity. In recent years, the department determined the CAC may not provide the most optimal performance for authentication and access, particularly in mobile environments.

“Keeping our overall objective in mind, we know that CAC as a form factor doesn’t perform well in the mobile environment,” said Corey. “We want to ensure that we retain the equivalent assurances of the secure elements that are on the card as we begin to potentially use mobile devices for authentication and access.”

Hardware attestation

As a precursor to replacing or augmenting the CAC, DISA began exploring several secured identity initiatives that could ultimately allow users to gain access to DOD networks.

Hardware attestation is a mechanism for providing cryptographically signed and encrypted data that describes the security state of a device that is about to receive security credentials.

“A mechanism in the form of a token will assert various information about the device, whether it’s hardware, firmware, or operations system versions; unique device identifiers; or hashed verification boot keys and trusted location,’ said Corey.

DISA’s Purebred solution replaces the need for smart card readers to send digitally signed and encrypted email, decrypt email, and authenticate to DOD websites when using a DOD mobile device. The solution currently supports iOS, Android, BlackBerry, and Universal Windows Platform devices.

Purebred provides a secure, over-the-air credentialing process through a series of one-time passwords and user demonstrated possession and use of a CAC.

“Instead of relying on the human to validate the serial number, an attestation token will provide verifiable knowledge that the device is genuine and in a secure state to be enrolled,” he said.

DOD currently has more than 32,000 devices enrolled in Purebred.

Continuous multifactor authentication

Another initiative DISA is exploring is mobile and desktop continuous multifactor authentication (CMFA), which uses an algorithm to analyze three biometric factors: face, voice, and gait.

Mobile CMFA can help identify users by utilizing the sensors and resources already present on most modern mobile devices, such as cameras, microphones, accelerometers, gyroscopes, and GPS.

“One of the main reasons we went after gait was (to support) the warfighter in the field who may have gloves on, who may have goggles on, who can’t do fingerprint authentication, who can’t do a face recognition to authenticate. So we said: let’s experiment with users’ gait to make a determination,” said Corey.

To increase assured identity in the office environment, DISA is piloting a solution for desktop CMFA that can prevent, detect, and respond to misuse of a user’s credentials. The solution builds pattern-based user profiles, coupled with machine learning - through an installed software agent - to capture user interaction.

“The CMFA score is checked to ensure it meets the desired threshold. This threshold is predetermined by the organization we are piloting our prototype with,” said Corey. “This could be configured by the application owner, so long as it is within the authorizing official's accepted level of risk.”

Corey emphasized DOD’s intention to augment or replace the CAC as part of the vision for creating a mobile-centric environment.

“We aim to achieve sufficient authentication assurance to facilitate a single platform for use in day-to-day operations, and potentially provide a capability to utilize one device for multiple networks,” Corey said.

Corey’s briefing slides are available for download on www.DISA.mil.

Posted May 31, 2018