Copier User, Please Identify Yourself
A staggering amount of sensitive information, from personnel reviews to contracts and medical records, traverses the federal government’s computer network. Integral to this information-sharing process is a common network on-ramp, the connected digital copier. No longer the slow analog machine of yesteryear, digital copiers are versatile imaging systems that support stand-alone copying and network-based scanning, faxing and printing. Also referred to as multifunctional products (MFPs), digital copiers use network resources to enhance workflow and productivity. At the same time, an MFP poses a unique security challenge.
One solution is the Common Access Card (CAC). Developed as an insider threat prevention tool, CAC authentication solutions are marketed by major office equipment manufacturers, including Canon, eCopy, Hewlett-Packard, Lexmark, Ricoh and Xerox. Starting in 2001, the U.S. Defense Department began issuing CACs to all active-duty personnel, civilian employees and eligible contractors. With 3.5 million in circulation today, the credit-card-size CAC is a primary form of identification, allowing physical access to Defense Department buildings as well as logical access to the department’s desktop and laptop computers.
The functions of a CAC-enabled MFP can be unlocked only when users insert their government-issued CAC into a card reader attached to the device. Aboard that card is a wealth of information, such as name, gender, card issue/expiration dates and, most importantly, public key infrastructure (PKI) digital certificates.
“The Department of Defense is focused on using PKI technology,” says Rebecca Nielsen, senior associate for Booz Allen Hamilton, a strategy and technology consulting firm. Nielsen explains that the digital copier with CAC capabilities has a protected area in the firmware where the cryptographic keys can be generated, used and stored. So, the device itself is issued a certificate, which means there are two processes at work. The user must authenticate to the machine, and the machine must authenticate to the network.
During user authentication, cardholders enter their personal identification number (PIN) to unlock the PKI cryptographic functions. The PIN is never sent over the network. The Defense Department’s Online Certificate Status Protocol (OCSP) server validates that a certificate has not been revoked. This enables the department to verify that all connected devices—and the people using those devices—are authorized, preventing adversaries from walking in a door and plugging a device into the network.
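As an added illustration (not code from the article or from any vendor named in it), the following Python example models the gate described above: the PIN result comes from the card itself, and both the device certificate and the user certificate must have a fresh OCSP status of "good" before the MFP unlocks. The status values and the thisUpdate/nextUpdate fields follow RFC 6960; the fail-closed policy, the five-minute clock tolerance and all names and sample data are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SKEW = timedelta(minutes=5)  # assumed tolerance for clock drift on the device

@dataclass
class OcspResponse:
    """Fields of one SingleResponse in an OCSP reply (RFC 6960)."""
    cert_status: str                # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]
    signature_valid: bool           # responder signature already checked by the caller

def ocsp_acceptable(resp, now):
    """Return (ok, reason); anything but a fresh, signed 'good' fails closed."""
    if resp is None:
        return False, "responder unreachable"
    if not resp.signature_valid:
        return False, "bad responder signature"
    if resp.this_update > now + SKEW:
        return False, "response not yet valid"
    if resp.next_update is not None and resp.next_update < now - SKEW:
        return False, "response stale"
    if resp.cert_status != "good":
        return False, "certificate " + resp.cert_status
    return True, "good"

def unlock_mfp(pin_verified_on_card, user_resp, device_resp, now):
    """Gate MFP functions on both checks: the device's and the user's certificate."""
    if not pin_verified_on_card:    # the card checks the PIN; it never crosses the network
        return False, "PIN rejected by card"
    for label, resp in (("device", device_resp), ("user", user_resp)):
        ok, reason = ocsp_acceptable(resp, now)
        if not ok:
            return False, f"{label}: {reason}"
    return True, "unlocked"

# Constructed sample data (not taken from any real responder).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)

def sample(status, age_hours=1, valid_hours=24, signed=True):
    """Build a constructed OCSP response issued age_hours before NOW."""
    start = NOW - timedelta(hours=age_hours)
    return OcspResponse(status, start, start + timedelta(hours=valid_hours), signed)
```

A replayed or cached response that is older than its nextUpdate is rejected the same way as an unreachable responder, which is the case a revoked card relies on if the device fails open.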
After the Defense Department established CAC as the required form of identification, the rest of the federal government followed suit. Homeland Security Presidential Directive-12 (HSPD-12), issued in August 2004, mandated that government employees and contractors must use a common identification credential for physical access to government facilities and logical access to information systems.
According to Frank Jones, director of the Personnel Identity Protection Solutions Division at the Pentagon’s Defense Manpower Data Center, “If a person is a federal civil servant or a member of the military, they have to have the Defense Department Common Access Card as a condition of their employment.”
Working on the CAC front line for Lexmark International Incorporated is Brian Henderson, industry director, federal government. “The Defense Department recognized that our MFPs, being network devices, required information assurance due to the device’s ability to scan data into network-based applications,”
eCopy Incorporated is another provider of CAC solutions, though it takes a different implementation approach. An independent software manufacturer, eCopy specializes in applications that drive scanning operations on capture devices, such as MFPs made by Canon, HP, Konica-Minolta, Océ, Ricoh, Sharp, Toshiba and Xerox. Bill DeStefanis, senior director, business development for eCopy, explains that the company’s eCopy ScanStation is essentially a Windows PC attached to the networked copier. “This enables a seamless integration with the Defense Department’s authentication scheme, essentially replacing the MFP’s out-of-the-box user name and password authentication method with CAC authentication.”
Enrique Barkey, director of worldwide public sector and education for Hewlett-Packard, notes that the important point from a customer perspective is strengthening security around a network’s weakest link, the Scan-to-Email and Scan-to-Folder feature. “Our CAC solution uses PKI encryption and Kerberos authentication to provide users with access to digitally signed e-mail and Scan-to-Folder sessions. After the user enters the PIN, Defense Department certificate validation and Kerberos authentication to the Defense Department network take place. This provides access to Active Directory using LDAP [Lightweight Directory Access Protocol] to obtain the user’s e-mail attributes and folder permissions. If configured properly, the CAC certificate is used to digitally sign outgoing e-mail,” Barkey says.
A digital signature, which authenticates the identity of an e-mail sender and makes online transactions legally binding, is a feature the Defense Department will require for all future MFP/CAC solutions. “Most of the agencies are telling us that digital signature will make it into the requirements, so you better start planning for it,” says Canon’s director and general manager, Dennis Amorosano. “In all likelihood, it will be mandatory in the next 12 to 18 months,” he shares.
Lexmark engineers are currently integrating Microsoft SharePoint capabilities into their CAC solution. “SharePoint is a very popular application within the military,”
eCopy also is staying abreast of Defense Department directives as they add more specifications. DeStefanis says the company is working on a more secure encryption algorithm. “Right now, we have 128-bit encryption, which is sufficient for commercial use. The government, however, is moving toward 256-bit encryption. The concern is people sniffing on the network and intercepting sensitive communications,” he notes.
Booz Allen Hamilton’s Nielsen notes that the Defense Department has expressed a desire to migrate from the RSA-2048 encryption algorithm to Elliptic Curve Cryptography (ECC). “It has some promise in reducing processing time. Today, it’s largely used in mobile devices. The issue surrounding this migration is that the patent on the RSA bit key has expired; ECC is a newer, patented technology. So, there has been some push back with adoption because you have to manage intellectual property rights when integrating these algorithms,” she explains.
One of the most significant trends in CAC technology as a result of HSPD-12 is the move to Personal Identity Verification (PIV) cards. “The Defense Department is migrating CAC to fully comply with the PIV standard, or the Federal Information Processing Standard 201,” Nielsen says. “The PIV card is slightly different than the CAC, as some printed images have different formats and are in different places, but the PKI technology functions for the CAC are essentially the same as for the PIV. In addition, interoperability is across all federal agencies. For example, Defense Department users can use their CAC/PIV to authenticate to a physical access door to the State Department; State Department users can use their PIV to authenticate to a Defense Department network.”
John Thiessen, product manager, secure products for Ricoh Americas Corporation, notes that as centralized document processing hubs, it is critical that network-connected MFPs are capable of supporting security enhancements like CAC authentication. “This ensures that these devices do not become unauthorized entry points to our customers’ network. So, we now have a tool to help safeguard MFP resources and increase accountability across an entire enterprise,” he states.
Denine Phillips of Tech-Write LLC is a freelance writer who serves the digital imaging industry.