Presentation is loading. Please wait.

Presentation is loading. Please wait.

DoD PKI Automatic Key Recovery

Published byArabella Fields Modified over 9 years ago

Similar presentations

Presentation on theme: "DoD PKI Automatic Key Recovery"— Presentation transcript:

1 DoD PKI Automatic Key Recovery
Philip Noble (520) or DSN , U.S. Army Information Systems Engineering Command Fort Huachuca, AZ 16 January 2015 Mike Danberry last reviewed on 13 April 2015 The most current version of this guide can be downloaded from:

2 The Problem: One problem in the past with the DoD PKI infrastructure was the inability to recover Common Access Card (CAC) private encryption keys and certificates that were either expired or revoked. This becomes necessary when a CAC is lost and its certificates are revoked or when a CAC and the certificates it contains simply expires and is surrendered to DEERS/RAPIDS before the user’s encrypted s / files have been decrypted. An Auto Key Recovery capability has been fielded by DISA to permit holders of new CACs to retrieve encryption keys/certificates from previous cards to permit decryption of old and files. NOTE: Please know that in April 2014, DISA changed the links for recovery to ONLY be available from the unclassified Government network. This means home users will have to the address on slide 7.

3 Steps to Recover Private Encryption Keys
The Solution: Steps to Recover Private Encryption Keys The following slides identify steps to recover private encryption keys, escrowed by DISA, from former CACs

4 URLs for Key Recovery The links listed below are ONLY available from the Government UnClassified network, NOT from a personal computer at home Or Note: The links shown above ARE case sensitive. When you go to these links, you must identify yourself with PKI credentials. Use ONLY your IDentity certificate, NOT , or PIV certificate!

5 Choose Your CAC Identity Certificate
You will be prompted to identify yourself. Highlight your Identification Certificate from your CAC. Select it, then click OK. Note: Do NOT choose any that contain the word from the Issuer column.

6 Read the warning message, then click OK
Warning Banner Read the warning message, then click OK

7 Processing Your Request
The Automated Key Recovery Agent will compile a list of Recoverable Keys. If the recovery fails or if the key is unable to be downloaded automatically, contact the Army Key Recovery Agent by sending a digitally signed to: requesting recovery of your private encryption Key. Please Wait…

8 Key Selection Hint: Look for the dates that correspond with your former CAC. They may not be listed in order. Browse through the list and locate the appropriate key you want to recover. When located, click the adjacent associated Recover button.

9 Acknowledgement of DoD Subscriber
Select OK

10 Processing Request The Automated Key Recovery Agent is processing your request Do NOT be tempted to click the Logout button, you Must Wait

11 One-time Password This is your one-time password needed to access your Private Encryption Key

12 Installing the Certificate
Select Open

13 Installing the Certificate (Cont’d)
Click Next

14 Installing the Certificate (Cont’d)
Click Next

15 Installing the Certificate (Cont’d)
Leave the check blocks unchecked, enter the Password shown on your screen, click Next

16 Installing the Certificate (Cont’d)
Leave “Automatically select the certificate store based on the type of certificate” selected (as shown above) click Next

17 Installing the Certificate (Cont’d)
Click Finish

18 Installing the Certificate (Cont’d)
Click OK

19 Installing the Certificate (Cont’d)
Click OK

20 Medium Security is Not a Choice
If Medium Security is blocked and High Security is default, refer to: Use gpedit.msc: - Local computer policy - Windows settings - Security settings - Local policies - Security options Temporarily set - System Cryptography: Force Strong Protection for User Keys Stored on the Computer to User Input is Not Required When New Keys are Stored and Used After the key is imported, change the setting to – User Must Enter a Password Each Time They Use a Key

21 Importing The Recovered Key
From MEPCOM: During the process of importing the certificate, the user receives the following Password Error no matter what password is entered : ‘The password supplied does not meet the minimum complexity requirements’. Almost simultaneously the following error appears: ‘Windows has encountered a critical problem and will restart automatically in one minute’. The error condition has also been encountered during the process of attempting to recover certificates. In many cases, local security policies may not allow the use of ‘Medium Security’ from the previous page.

22 Importing The Recovered Key
Solution: The enpasflt.dll is in use and must be unloaded to correct the issue. Log into the computer using an account with administrative rights to complete the following: Click Start | Type regedit | Press Enter Navigate to HKLM\System\CurrentControlSet\Control\LSA | Navigate to Notification Packages in the right pane Remove the enpasflt entry | Ensure that the scecli entry remains Restart the computer Note: After the certificates have been loaded or recovered, you will need to re-install the EnPasFlt Navigate to C:\Windows\AGMSupport\EnPasFIt Double Click Installer.exe Note: This install is silent and applies immediately Open regedit Navigate to HKLM\System\CurrentControlSet\Control\LSA\Notification Packages Ensure that the enpasflt entry is present Close regedit

23 Verifying the Download
You can verify the successful download of your recovered Private Encryption Key by: Launching Internet Explorer, selecting Tools from the menu, and then Internet Options

24 Verifying the Download (Cont’d)
Click the Content (tab) then Certificates

25 Verifying the Download (Cont’d)
Select the Personal (tab) you’ll see a list of your currently registered certificates, including the recovered key certificate(s).

26 Verifying the Download (Cont’d)
Double-click on the certificate so you can view the specifics of your recovered key (or other current keys) as illustrated above.

27 requesting recovery of your private email encryption key
Success Close the open window, you may now use the recovered key to access your encrypted . Last Step: If you chose to save the recovered key to a file instead of directly installing the key, delete the saved .P12 file from your computer as this is a security vulnerability and will be detected in a Q-tip Scan. Disregard if you did not save the key to a file Should recovery fail, contact the Army Key Recovery Agent by sending a signed to: requesting recovery of your private encryption key

28 Other Services SPAWAR Integrated Support Center Helpdesk
Phone: DSN USMC RA Operations Helpdesk Phone: Air Force PKI Help Desk Phone: (this site is accessible from .mil domains only) Additional Air Force PKI support is available from the Air Force PKI help desk: DISA PKI Help Desk Oklahoma City, OK Support: Phone (Commercial): Phone (DSN):

29 Recovery Notification Example
A user has attempted to recover a key using the Automated Key Recovery Agent. The ID Certificate used for Authentication was: CN=NOBLE.PHILIP.EUGENE ,OU=USA,OU=PKI,OU=DOD,O=U.S. GOVERNMENT,C=US, Serial: 0x0B5643, Issuer: DOD CLASS 3 CA-5. The key that was recovered was: CN=NOBLE.PHILIP.EUGENE ,OU=USA,OU=PKI,OU=DOD,O=U.S. GOVERNMENT,C=US, Serial: 0x0C8747, Issuer: DOD CLASS 3 CA-3. If you did not perform this operation, please contact your local key recovery agent and ask that they check the logs for the key recovery at Fri Jul 01 16:48:12 GMT 2005 with session ID 1.c3pki.chamb.disa.mil-23f%3A42c57335%3A68e46e9395fb9727. You will receive an from with a subject “ALERT! Key Recovery Attempt Using Automated Key Recovery Agent” similar to the above Recovery Notification example notifying you of your recovery action.

30 POC for Additional Information
Philip E. Noble USAISEC Information Assurance and Security Engineering Directorate (IASED) DSN CML FAX DSN CML

Download ppt "DoD PKI Automatic Key Recovery"

Similar presentations

11/2/2013 2:02:38 AM 5864_ER_FED 1 Importing Certificates into Lotus Notes R6.

11/2/2013 2:02:38 AM 5864_ER_FED 1 Importing Certificates into Lotus Notes R6.
ISEC: Excellence in Engineering Encrypted File System Key Recovery Philip Noble (520) 538-7608 or DSN 879-7608, U.S. Army Information.

ISEC: Excellence in Engineering Encrypted File System Key Recovery Philip Noble (520) or DSN , U.S. Army Information.
ISEC: Excellence in Engineering DoD PKI Automatic Key Recovery Philip Noble (520) 538-7608 or DSN 879-7608, U.S. Army Information.

ISEC: Excellence in Engineering DoD PKI Automatic Key Recovery Philip Noble (520) or DSN , U.S. Army Information.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide

Installation & User Guide
Welcome to WebCRD.

Welcome to WebCRD.
Web Shift Booking System

Web Shift Booking System
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Student Getting Started Guide *Updated December 2011 to include information on Integrated Digital Book/MindTap Reader.

Student Getting Started Guide *Updated December 2011 to include information on Integrated Digital Book/MindTap Reader.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Student Getting Started Guide Updated June 2011. 1. Ensure that you are connected to the Internet. 2. Launch your web browser (Internet Explorer, Firefox,

Student Getting Started Guide Updated June Ensure that you are connected to the Internet. 2. Launch your web browser (Internet Explorer, Firefox,
Steps to Recover Private Encryption Keys

Steps to Recover Private Encryption Keys
Members Only & Login Modules Members Only works with the Login module to provide password protection to Web pages and files. Login Groups may be created.

Members Only & Login Modules Members Only works with the Login module to provide password protection to Web pages and files. Login Groups may be created.
Login to University Web Site www.tnmgrmu.ac.in. Enter in to login in which click Institution login.

Login to University Web Site Enter in to login in which click Institution login.
NetAcumen ActiveX Download Instructions

NetAcumen ActiveX Download Instructions
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
1 of 6 Parts of Your Notebook Below is a graphic overview of the different parts of a OneNote 2007 notebook. Microsoft ® OneNote ® 2007 notebooks are digital.

1 of 6 Parts of Your Notebook Below is a graphic overview of the different parts of a OneNote 2007 notebook. Microsoft ® OneNote ® 2007 notebooks are digital.
DoD PKI Automatic Key Recovery

DoD PKI Automatic Key Recovery
Start the slide show by clicking on the Slide Show option in the above menu and choose View Show”. or – hit the F5 Key.

Start the slide show by clicking on the "Slide Show" option in the above menu and choose "View Show”. or – hit the F5 Key.
Private Encryption Keys

Private Encryption Keys

Similar presentations

Ads by Google