<?xml version="1.0" ?>
<Module>
	<ModuleName>overview</ModuleName>
	<AU>overview</AU>
	<Title>PKI Overview</Title>
	<Subtitle></Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Label>Glossary</Label>
			<RMAText>Glossary</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>courseMapBtn</ID>
			<Label>Course Map</Label>
			<RMAText>Course map</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<!--NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn-->
		<NavBtn>
			<ID>mainMenuBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn previousPgBtn="true">
			<ID>previousPgBtn</ID>
			<Label>Previous</Label>
			<RMAText>Previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn h="19.1" nextBtn="true" toggleOffSilent="false" w="67.6">
			<ID>nextPgBtn</ID>
			<Label>Next</Label>
			<RMAText>Next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>

	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction and Objectives</Title>
			<Subtitle />
			<Pages>
				<Page>
					<Title>Objectives</Title>
					<Filename>pkiuseb_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the Public Key Infrastructure Overview lesson. When you have completed this lesson, you will be able to identify why Public Key Infrastructure, or PKI, is important to the Department of Defense, or DoD, and which guidance documents mandate the use of PKI. You will be able to identify the components that comprise PKI and how the DoD is implementing PKI. Next, you will be able to identify what the Common Access Card, or CAC, is, what the CAC can be used for, and what information is stored on your CAC. You will also be able to identify how to obtain a CAC and when to return your CAC. Finally, you will be able to identify what you need to use your CAC, including what a CAC personal identification number, or PIN, is and what to do if you forget your CAC PIN. There are seven topics in this lesson. After you have completed this introduction, you will learn why PKI is necessary to protect our national security and to ensure the success of our DoD missions. Next, you will learn about the Federal Government and DoD guidance that require you to use PKI. Then you will learn what comprises PKI, and how the DoD uses PKI to thwart threats against our information systems, networks, and applications. Next, you will learn what the CAC is and why we use it, how to obtain one, and when to return it. Finally, you will learn what you need to use the CAC to ensure our national security by protecting your digital identity, as well as the information and data on the DoD unclassified systems and networks. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">For each screen you will hear a description. The description is cued by an audio tone. Complex screens are divided into several descriptions. Listen to the description and then select the play audio narration button to continue. Use your arrow keys to cycle through a list of options. Screen 1 of 24. Topic Title: Introduction and Objectives. Screen Title: Objectives. The P K Eye Overview title displays. Bulleted text displays in support of audio. Titles of the topics display.  Topics are Introduction and Objectives, Importance of P K Eye, P K Eye Guidance, What is P K Eye, the D O D P K Eye, Common Access Card, and Conclusion.</ContentDescription>
					</Sec508Data>
				</Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Importance of PKI</Title>
			<Subtitle />
			<Pages>
				<Page>
					<Title>Why Is PKI Important?</Title>
					<Filename>pkiuseb_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">In today's military, gathering, moving, and manipulating information electronically is fundamental to almost everything we do. This electronic information exchange and networking facilitates our ability to carry out our missions and makes our lives easier. It also poses many threats to the security of our information. Information sent through a network is not just available to the designated recipient. It is available to anyone who is looking in while the information is en route. Sending and accessing information over networks makes us vulnerable to hostile exploitation, data theft, viruses, and other malicious code, which can compromise user names and passwords. These threats degrade the inherent "trust" we place in networked computers. PKI provides us each with an additional way to secure our networks and regain "trust" in the electronic exchange of data and access of information. Despite countermeasures that are already in place, such as antivirus software, firewalls, and intrusion detection technologies, we all must take greater security measures to protect our networks and data. PKI allows us to take advantage of the speed and immediacy of the Internet while assuring that we will be alerted if sensitive information has been tampered with and preventing unauthorized disclosure. Information security is mission critical and is everyone's responsibility. PKI provides every user with a way to protect DoD information, thereby improving information security and enabling the success of our missions. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 2 of 24. Topic Title: Importance of P K Eye. Screen title: Why is P K Eye important?  Images display of military man and woman sitting at their desks in front of their computers.   Animated line and an email icon scroll between the two computers to represent their communication flow.  Text box displays with bullets cued to audio.  Image of a hacker in front of another computer displays.  Animated line scrolls from first soldiers computer to hackers computer.  Intrusion detection warnings flash on the first soldiers computer screen.  P K Eye becomes a rollover which states that P K Eye is the framework and services that provide for the generation, production, distribution, control, and accounting and destruction of public key certificates.  Source: D O D Eye eighty five twenty dot two, P K Eye and P K E, 1 April 2004.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>PKI Assurances</Title>
					<Filename>pkiuseb_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Imagine sending a postcard written in pencil through the U.S. Postal Service. Anyone can intercept, read, and even change the postcard without the sender's knowledge or, potentially, detection by the recipient. In a way, that is how we send information through the Internet today... with little protection. PKI, on the other hand, provides significant protection assurances that you are transmitting information securely. These assurances are identification and authentication, integrity, non-repudiation, and confidentiality. Identification and authentication provides verification to systems and other users that you are who you say you are. It is like signing your postcard in ink. It cannot be easily changed without detection, and the recipient has confidence that he or she knows who sent it. Integrity allows recipients to discover if information has been modified during transmission. It is like writing your postcard in ink so that its contents cannot be changed. Non-repudiation assures that a person cannot later deny having conducted the transaction. This is equivalent to you providing a handwriting sample that matches the signature on your postcard. Confidentiality assures that only authorized persons can view the data or e-mail. This is equivalent to sending your postcard in an envelope via certified mail so that it is delivered directly to the recipient. No one can easily intercept or read your postcard during transmission. PKI offers all of these data protection assurances when you use the PKI tools provided to you! For example, when you use your CAC to authenticate yourself to access certain DoD unclassified systems and restricted web sites, those systems and web sites are able to identify and authenticate that you are who you say you are. Similarly, when you apply your digital signature to an e-mail or e-form, you are providing identification, authentication, and non-repudiation that the recipient can trust. When you encrypt your e-mail during transmission, you are ensuring confidentiality of the message. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 3 of 24. Screen title: P K Eye Assurances. The following images display: a postcard written in pencil, a postal worker reading a postcard, and a P C with intruder alert flashing on the screen. Bulleted text displays in support of audio. The following images display: a postcard signed in ink, a postcard written in ink, a handwriting sample next to a postcard, a postcard protruding from an envelope with a certified mail label, a common access card or cack, a digitally signed email on a computer screen, image of an encrypted email on a computer screen, image of two computer screens side by side with email icon flowing from one to the other. Digital signature becomes a rollover which states: A digital signature is a cryptographic process used to assure message originator authenticity, integrity, and nonrepudiation.  Encryption becomes a rollover which states: Encryption is the process of converting plain text into cipher text by means of a code or cryptographic system.  Decryption becomes a rollover which states: Decryption is the process of converting cipher text into plain text by means of a code or cryptographic system. Source: C N S S Instruction Number 4009, Revised June 2006.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Filename>pkiuseb_04</Filename>
					<PageNbr>4</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>2</AttemptCountLimit>
					<DfltQuestionWidth>600</DfltQuestionWidth>
					<DfltFBWidth>650</DfltFBWidth>
					<Questions>
						<Question qType="MR">
							<Txt>Why is PKI important? Select all that apply. When you have finished, select Done.</Txt>
							<Response valid="true">
								<Txt>PKI provides all users with a way to protect DoD information</Txt>
							</Response>
							<Response valid="true">
								<Txt>PKI prevents the unauthorized disclosure of information</Txt>
							</Response>
							<Response valid="true">
								<Txt>PKI protects DoD information from tampering</Txt>
							</Response>
							<Response valid="true">
								<Txt>PKI increases information security, facilitating mission success</Txt>
							</Response>
							<Response valid="true">
								<Txt>The DoD PKI establishes your digital identity</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. All of these are the reasons why PKI is important.</DfltCorrect>
								<Incorrect>Incorrect. Some of the reasons you selected may be correct, but you do not yet have all the right choices. Please try again. </Incorrect>
								<Incorrect>Incorrect. Some of the reasons you selected may be correct, but you do not yet have all the right choices. Here are the reasons why PKI is important.</Incorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Check your understanding of why PKI is important. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 4 of 24. Screen title: Knowledge Check. This is a multiple choice question. Use your keyboard to cycle through the list of options.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Filename>pkiuseb_05</Filename>
					<PageNbr>5</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>600</DfltQuestionWidth>
					<DfltFBWidth>680</DfltFBWidth>
					<Instructions>Select the best response; then select Done to submit your answer. </Instructions>
					<Questions>
						<Question qType="MC">
							<Txt>Which of the following examples best depicts the PKI assurance of identification and authentication?</Txt>
							<Response>
								<Txt>E-mail was verified not to have been modified during transmission</Txt>
							</Response>
							<Response>
								<Txt>Only intended recipient or sender can view the e-mail</Txt>
							</Response>
							<Response>
								<Txt>Sender cannot deny performing transaction</Txt>
							</Response>
							<Response valid="true">
								<Txt>System validated user's identity</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Identification and authentication assures system validation of a user's identity.</DfltCorrect>
								<DfltIncorrect>Incorrect. Identification and authentication assures system validation of a user's identity.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which of the following examples best depicts the PKI assurance of confidentiality?</Txt>
							<Response>
								<Txt>E-mail was verified not to have been modified during transmission</Txt>
							</Response>
							<Response valid="true">
								<Txt>Only intended recipient or sender can view the e-mail</Txt>
							</Response>
							<Response>
								<Txt>Sender cannot deny performing transaction</Txt>
							</Response>
							<Response>
								<Txt>System validated user's identity</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Confidentiality assures that only the intended recipient or sender can view the e-mail.</DfltCorrect>
								<DfltIncorrect>Incorrect. Confidentiality assures that only the intended recipient or sender can view the e-mail.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which of the following examples best depicts the PKI assurance of integrity?</Txt>
							<Response valid="true">
								<Txt>E-mail was verified not to have been modified during transmission</Txt>
							</Response>
							<Response>
								<Txt>Only intended recipient or sender can view the e-mail</Txt>
							</Response>
							<Response>
								<Txt>Sender cannot deny performing transaction</Txt>
							</Response>
							<Response>
								<Txt>System validated user's identity</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Integrity allows recipients to discover if information has been modified during transmission.</DfltCorrect>
								<DfltIncorrect>Incorrect. Integrity allows recipients to discover if information has been modified during transmission.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which of the following examples best depicts the PKI assurance of non-repudiation?</Txt>
							<Response>
								<Txt>E-mail was verified not to have been modified during transmission</Txt>
							</Response>
							<Response>
								<Txt>Only intended recipient or sender can view the e-mail</Txt>
							</Response>
							<Response valid="true">
								<Txt>Sender cannot deny performing transaction</Txt>
							</Response>
							<Response>
								<Txt>System validated user's identity</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Non-repudiation assures that a sender cannot later deny having conducted a transaction.</DfltCorrect>
								<DfltIncorrect>Incorrect. Non-repudiation assures that a sender cannot later deny having conducted a transaction.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now, check your knowledge about the assurances PKI provides. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 5 of 24. Screen title: Knowledge Check. This is a series of multiple choice questions. Use your keyboard to cycle through the list of options.</ContentDescription>
					</Sec508Data>
				</Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>PKI Guidance</Title>
			<Subtitle />
			<Pages>
				<Page>
					<Title>Guidance Overview</Title>
					<Filename>pkiuseb_06</Filename>
					<PageNbr>6</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Let's look at a brief overview of the policies that guide your actions as a user of DoD information systems. All policies start at the broad base of our Constitution and public law, which is developed by Congress and issued in Congressional acts. The Executive Branch issues policy that guides the entire Federal Government. Government agencies create guidelines, publications, and standards. Some of the guidance, such as the Federal Information Processing Standards, or FIPS, authored by the National Institute of Standards and Technology, or NIST, were formerly considered best practices, but have been made mandatory for Federal agencies by the Federal Information Security Management Act of 2002, or FISMA. Under FISMA, the Secretary of Defense and Director of National Intelligence may make separate, but equally stringent, standards for information systems under their authority. While the DoD issues department-wide guidance, the Army, Navy, Marine Corps, and Air Force issue specific implementation guidance for their individual service branches. Other DoD components and associated organizations, such as the Defense Agencies and Coast Guard, may issue specific implementation guidance. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 6 of 24. Topic Title: P K Eye Guidance. Screen title: Guidance Overview. The following images display:  the Capitol, the White House, the National Institute of Standards and Technology office building and the NIST logo, and the Pentagon.  Images of seals display for the Army, Navy, Marine Corps and Air Force.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>Congressional Guidance</Title>
					<Filename>pkiuseb_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congress has enacted a series of laws providing guidance to ensure the security of the information resources that support Federal Government operations and assets. Signed into law in December 2002, FISMA provides overarching requirements for the protection of Federal information and information systems. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 7 of 24. Screen title: Congressional Guidance. An image of the Capitol displays. An image of a document displays with the title fizzma and a brief summary of this law.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>Federal Guidance</Title>
					<Filename>pkiuseb_08</Filename>
					<PageNbr>8</PageNbr>
					<ShowText>
						<Txt frameNbr="1">In August 2004, the Executive Branch of the Federal Government issued Homeland Security Presidential Directive - 12, or HSPD-12. HSPD-12 mandated a common identification standard for Federal employees and contractors to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy. In the DoD, this common identification standard is currently implemented by the CAC. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 8 of 24. Screen title: Federal Guidance. An image of the White House displays. An image of a document displays with the title Homeland Security Presidential Directive twelve and a brief summary of this directive.  An image of the cack displays.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>Government Agency Guidance</Title>
					<Filename>pkiuseb_09</Filename>
					<PageNbr>9</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Next, let's look at the Government agency guidance that mandates the use of Personal Identity Verification, or PIV. In response to HSPD-12, NIST issued FIPS Publication 201-1, Personal Identity Verification of Federal Employees and Contractors, in March 2006. This publication outlines a standard procedure for PIV that all Federal Departments and Agencies must follow to confirm the identities of their employees and contractors before issuing a credential or identification badge. The PIV process was divided into two phases. The first PIV phase standardized the processes used by Federal Departments and Agencies in issuing existing ID badges to their employees and contractors, but allowed issuing existing credentials using existing methods. The process requires sponsorship of an applicant, separation of duties for those sponsoring from those issuing the ID cards, and a standardized list of acceptable documents an applicant can provide as proof of identity. Applicants must also undergo or already possess a successfully adjudicated minimal background investigation. Departments and Agencies began using this new process to issue ID badges on October 27, 2005. The second PIV phase requires issuance of a common identification card, generically referred to as a PIV card, using the process developed in PIV Phase I and requires a significant technology infrastructure to support issuing the new cards. NIST also developed the standards for the systems. Departments and Agencies were required to have their own operational HSPD-12 systems, or to sign up with an HSPD-12 Shared Service Provider by October 27, 2006. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 9 of 24. Screen title: Government Agency Guidance. An image of the NIST building displays.  An image of a document displays with the title FIPS Pub two o one dash one and a brief summary of this publication.  PIV card becomes a rollover which states that PIV card is the generic name for a common identification card that is produced by an H S P D twelve system.  Other generic terms that are interchangeable with PIV card include credential or smart card.  Departments and agencies have the option to further brand the PIV card to make it more relevant and recognizable to employees and contractors.  An example of PIV card branding will be the D O Deez next generation common access card or cack once it is PIV compliant.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>DoD Guidance</Title>
					<Filename>pkiuseb_10</Filename>
					<PageNbr>10</PageNbr>
					<Popups>
						<Popup>
							<Filename>pkiuseb_10_01</Filename>
							<Sec508TriggerName>DoDD 8190.3</Sec508TriggerName>
							<ShowText>
								<Txt frameNbr="1">DoDD 8190.3, Smart Card Technology, issued in August 2002, states that smart card technology be implemented throughout the DoD in the form of a department-wide CAC. The CAC is to be: the standard ID card for active duty uniformed services personnel, selected reserve personnel, DoD civilian employees, eligible contractor personnel, and eligible foreign nationals. The guidance also requires that the CAC be the DoD's primary platform for the PKI authentication token used to authenticate identity access to DoD unclassified computer systems and networks. In addition, the guidance states that the CAC is to be the principal card enabling physical access to buildings, facilities, installations, and controlled spaces. </Txt>
								<Txt frameNbr="1" />
							</ShowText>
							<Sec508Data>
								<ContentDescription frameNbr="1">Popup 1 of 5: Popup title: D O D D eighty one ninety dot three. An image of a document displays with the title D O D D eighty one ninety dot three Smart Card Technology and a brief summary of this directive. An image of a cack displays.  Smart Card becomes a rollover which states a credit card size device normally for carrying and use by personnel that contains one or more integrated circuit chips or Eye C C and may also employ one or more of the following technologies: magnetic stripe, linear or two dimensional bar codes, non contact and radio frequency transmitters, biometric information, encryption, and authentication, or photo identification.  Source: D O D D eighty one ninety dot three Smart Card Technology, 31 August 2002.</ContentDescription>
							</Sec508Data>
						</Popup>
						<Popup>
							<Filename>pkiuseb_10_02</Filename>
							<Sec508TriggerName>DoDD 8500.01E</Sec508TriggerName>
							<ShowText>
								<Txt frameNbr="1">In October of 2002, the DoD issued DoDD 8500.01E, Information Assurance, which mandated that all DoD information systems maintain an appropriate level of confidentiality, integrity, authentication, and non-repudiation. These are the assurances that PKI provides. DoDD 8500.01E also mandated the use of PKI certificates and biometrics for positive authentication. In February 2003, the DoD issued DoDI 8500.2.  This instruction sets forth the procedures for implementing PKI in accordance with DoDD 8500.01E. </Txt>
								<Txt frameNbr="1" />
							</ShowText>
							<Sec508Data>
								<ContentDescription frameNbr="1">Popup 2 of 5: Popup title: D O D D eighty five hundred dot o one e. An image of a document displays with the title D O D D eighty five hundred dot o one e Information Assurance and a brief summary of this directive. An image of a computer displays with the words confidentiality, integrity, authentication and non repudiation bulleted on the computer screen.  An image of a document displays with the title D O D Eye eighty five hundred dot two Information Assurance Implementation and a brief summary of this instruction. An image of a checklist displays on the computer screen.</ContentDescription>
							</Sec508Data>
						</Popup>
						<Popup>
							<Filename>pkiuseb_10_03</Filename>
							<Sec508TriggerName>DoDI 8520.2</Sec508TriggerName>
							<ShowText>
								<Txt frameNbr="1">In April 2004, the DoD issued DoDI 8520.2, Public Key Infrastructure and Public Key Enabling, which implements policy and procedures for developing and implementing a department-wide PKI. This guidance provided instructions for enhancing DoD information systems by enabling these systems to use PKI for authentication, digital signatures, and encryption. In addition, this guidance implemented policy and procedures for aligning DoD PKI and public key enabling, or PKE, activities with DoDD 8500.01E, as implemented by DoDI 8500.2 and with the DoD CAC program. </Txt>
								<Txt frameNbr="1" />
							</ShowText>
							<Sec508Data>
								<ContentDescription frameNbr="1">Popup 3 of 5: Popup title: D O D eye eighty five twenty dot two. An image of a document displays with the title D O D eye eighty five twenty dot two P K eye and P K E and a brief summary of this instruction. An image of a cack displays.  An image of a digitally signed and encrypted email displays on a computer screen. Images of three other related policy documents display.  P K E becomes rollover text which states Public Key Enabling or P K E is the incorporation of the use of certificates for security services such as authentication, confidentiality, data integrity, and non repudiation.  Source: D O D eye eighty five twenty dot two, P K eye and P K E, 1 April 2004.</ContentDescription>
							</Sec508Data>
						</Popup>
						<Popup>
							<Filename>pkiuseb_10_04</Filename>
							<Sec508TriggerName>JTF-GNO CTO 06-02</Sec508TriggerName>
							<ShowText>
								<Txt frameNbr="1">In January 2006, the Joint Task Force, Global Network Operations, or JTF-GNO, issued the Communications Tasking Order, or CTO, 06-02, Tasks for Phase 1 of PKI Implementation. CTO 06-02 assigned the tasks for Phase 1 of PKI implementation and provided new security requirements for DoD information technology systems. This Tasking Order required that all DoD Combatant Commands, Services, and Agencies, except personnel conducting wartime operations, implement a smart card secure log-on to all non-classified DoD networks. The CAC and the Alternate Token with their PKI certificates are the solutions to satisfy the requirements on the Non-Secure Internet Protocol Router Network, or NIPRNet. </Txt>
								<Txt frameNbr="1" />
							</ShowText>
							<Sec508Data>
								<ContentDescription frameNbr="1">Popup 4 of 5: Popup title: J T F G N O C T O zero six dash zero two. An image of a document displays with the title J T F G N O C T O zero six dash zero two Tasks for Phase 1 of P K eye implementation and a brief summary of this communications tasking order. An image of a computer displays. The word Unclassified appears above the computer.  An image of a cack displays on the computer screen.</ContentDescription>
							</Sec508Data>
						</Popup>
						<Popup>
							<Filename>pkiuseb_10_05</Filename>
							<Sec508TriggerName>JTF-GNO CTO 07-15</Sec508TriggerName>
							<ShowText>
								<Txt frameNbr="1">In December 2007, the Joint Task Force, Global Network Operations, or JTF-GNO, issued CTO 07-15, Public Key Infrastructure, or PKI, Implementation, Phase 2. CTO 07-15 followed CTO 06-02 and assigned 12 measurable tasks to implement the next phase of DoD PKI required in DoDI 8520.2, Public Key Infrastructure, or PKI, and Public Key, or PK, Enabling. </Txt>
								<Txt frameNbr="1" />
							</ShowText>
							<Sec508Data>
								<ContentDescription frameNbr="1">Popup 5 of 5: Popup title: J T F G N O C T O zero seven dash fifteen. An image of a document displays with the title J T F G N O C T O zero seven dash fifteen Public Key Infrastructure or P K eye implementation phase 2 and a brief summary of this communications tasking order. An image of a checklist displays.</ContentDescription>
							</Sec508Data>
						</Popup>
					</Popups>
					<ShowText>
						<Txt frameNbr="1">The DoD has issued several PKI guidance documents. There are three DoD policy documents that mandate the use of PKI. In addition, there are two communication tasking orders, or CTOs, that implement these policies. Select each document to learn its purpose. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 10 of 24. Screen title: D O D Guidance.  An image of the Pentagon displays. Five D O D policy documents display on each of the five corners of the Pentagon. The five policy documents are D O D D eighty five hundred dot o one e, D O D eye eighty five twenty dot two, D o D D eighty one ninety dot three, J T F G N O C T O zero six dash zero two and J T F G N O C T O zero seven dash fifteen. Each document becomes selectable as a pop-up.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Filename>pkiuseb_11</Filename>
					<PageNbr>11</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>600</DfltQuestionWidth>
					<DfltFBWidth>680</DfltFBWidth>
					<Instructions>Select the best response; then select Done to submit your answer. </Instructions>
					<Questions>
						<Question qType="MC">
							<Txt>Which of the following best describes JTF-GNO CTO 06-02?</Txt>
							<Response>
								<Txt>Mandates Federal ID card for all Federal employees</Txt>
							</Response>
							<Response valid="true">
								<Txt>All CC/S/As implement a smart card secure log-on to non-classified DoD networks</Txt>
							</Response>
							<Response>
								<Txt>Information systems must maintain confidentiality, integrity, authentication, and non-repudiation</Txt>
							</Response>
							<Response>
								<Txt>Mandates DoD systems be enabled to use PKI for authentication, digital signatures, and encryption</Txt>
							</Response>
							<Response>
								<Txt>Assigns tasks to implement Phase 2 of DoD PKI implementation required in DoDI 8520.2</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. JTF-GNO CTO 06-02 mandated that all CC/S/As implement a smart card secure log-on to non-classified DoD systems.</DfltCorrect>
								<DfltIncorrect>Incorrect. JTF-GNO CTO 06-02 mandated that all CC/S/As implement a smart card secure log-on to non-classified DoD systems.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which of the following best describes JTF-GNO CTO 07-15?</Txt>
							<Response>
								<Txt>Mandates Federal ID card for all Federal employees</Txt>
							</Response>
							<Response>
								<Txt>All CC/S/As implement a smart card secure log-on to non-classified DoD networks</Txt>
							</Response>
							<Response>
								<Txt>Information systems must maintain confidentiality, integrity, authentication, and non-repudiation</Txt>
							</Response>
							<Response>
								<Txt>Mandates DoD systems be enabled to use PKI for authentication, digital signatures, and encryption</Txt>
							</Response>
							<Response valid="true">
								<Txt>Assigns tasks to implement Phase 2 of DoD PKI implementation required in DoDI 8520.2</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. JTF-GNO CTO 07-15 assigns tasks to implement the next phase of DoD PKI implementation required in DoDI 8520.2. </DfltCorrect>
								<DfltIncorrect>Incorrect. JTF-GNO CTO 07-15 assigns tasks to implement the next phase of DoD PKI implementation required in DoDI 8520.2. </DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which of the following best describes HSPD-12?</Txt>
							<Response valid="true">
								<Txt>Mandates Federal ID card for all Federal employees</Txt>
							</Response>
							<Response>
								<Txt>All CC/S/As implement a smart card secure log-on to non-classified DoD networks</Txt>
							</Response>
							<Response>
								<Txt>Information systems must maintain confidentiality, integrity, authentication, and non-repudiation</Txt>
							</Response>
							<Response>
								<Txt>Mandates DoD systems be enabled to use PKI for authentication, digital signatures, and encryption</Txt>
							</Response>
							<Response>
								<Txt>Assigns tasks to implement Phase 2 of DoD PKI implementation required in DoDI 8520.2</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. HSPD-12 mandates a Federal ID card for all Federal employees.</DfltCorrect>
								<DfltIncorrect>Incorrect. HSPD-12 mandates a Federal ID card for all Federal employees.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which of the following best describes DoDD 8500.01E?</Txt>
							<Response>
								<Txt>Mandates Federal ID card for all Federal employees</Txt>
							</Response>
							<Response>
								<Txt>All CC/S/As implement a smart card secure log-on to non-classified DoD networks</Txt>
							</Response>
							<Response valid="true">
								<Txt>Information systems must maintain confidentiality, integrity, authentication, and non-repudiation</Txt>
							</Response>
							<Response>
								<Txt>Mandates DoD systems be enabled to use PKI for authentication, digital signatures, and encryption</Txt>
							</Response>
							<Response>
								<Txt>Assigns tasks to implement Phase 2 of DoD PKI implementation required in DoDI 8520.2</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. DoDD 8500.01E mandates that information systems must maintain confidentiality, integrity, authentication, and non-repudiation.</DfltCorrect>
								<DfltIncorrect>Incorrect. DoDD 8500.01E mandates that information systems must maintain confidentiality, integrity, authentication, and non-repudiation.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which of the following best describes DoDI 8520.2?</Txt>
							<Response>
								<Txt>Mandates Federal ID card for all Federal employees</Txt>
							</Response>
							<Response>
								<Txt>All CC/S/As implement a smart card secure log-on to non-classified DoD networks</Txt>
							</Response>
							<Response>
								<Txt>Information systems must maintain confidentiality, integrity, authentication, and non-repudiation</Txt>
							</Response>
							<Response valid="true">
								<Txt>Mandates DoD systems be enabled to use PKI for authentication, digital signatures, and encryption</Txt>
							</Response>
							<Response>
								<Txt>Assigns tasks to implement Phase 2 of DoD PKI implementation required in DoDI 8520.2</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. DoDI 8520.2 mandates that DoD systems be enabled to use PKI for authentication, digital signatures, and encryption.</DfltCorrect>
								<DfltIncorrect>Incorrect. DoDI 8520.2 mandates that DoD systems be enabled to use PKI for authentication, digital signatures, and encryption.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your understanding of PKI guidance. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 11 of 24. Screen title: Knowledge Check. This is a series of multiple choice questions. Use your keyboard to cycle through the list of options.</ContentDescription>
					</Sec508Data>
				</Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>What is PKI?</Title>
			<Subtitle />
			<Pages>
				<Page>
					<Title>PKI Components</Title>
					<Filename>pkiuseb_12</Filename>
					<PageNbr>12</PageNbr>
					<Popups>
						<Popup>
							<Filename>pkiuseb_12_01</Filename>
							<Sec508TriggerName>Tokens</Sec508TriggerName>
							<ShowText>
								<Txt frameNbr="1">The DoD uses tokens as the means for issuing PKI credentials, or certificates, to individuals. There are Hardware tokens and Software tokens. Hardware tokens are physical, portable devices on which PKI credentials are stored and may not be copied. Two examples of hardware tokens, in use by the DoD, are the Common Access Card and Alternate Tokens. The CAC is used by DoD members to authenticate their identity to access unclassified DoD systems, as well as digitally sign and encrypt e-mail. In addition, a goal of the smart card program is to use the CAC to provide physical and electronic access to DoD installations and facilities. Implementation of this goal is currently in process. Note the Integrated Circuit Chip, or ICC, on the front of the CAC. The ICC is the piece that appears to be metallic. Alternate Tokens are PKI credentials also stored in an ICC and issued on a smart card. Alternate Tokens allow users to authenticate their identity to log on to accounts other than their primary account on an unclassified network, to which they already have access. For example, system administrators requiring network access via an account other than their personal account and personnel who are not eligible for a CAC, such as volunteer workers, may use Alternate Tokens. However, unlike the CAC, Alternate Tokens may not be used for e-mail signing or e-mail encryption. Software tokens are general purpose electronic devices used to store and secure personal PKI credentials. Examples of software tokens are desktop computers, laptops, thumb drives, and floppy diskettes. In the DoD, PKI credentials are created using Firefox in the form of P12 files and are stored on software tokens. P12 files may not be stored on hard drives or any other online storage devices. For use, PKI credentials are installed from the software token to a certificate store, for example, the Microsoft Certificate Store, also known as MS CAPI. 
Software tokens may be used to allow individuals to authenticate their identity to access classified systems, and, when appropriate, unclassified systems, as well as to digitally sign and encrypt e-mail. </Txt>
								<Txt frameNbr="1" />
							</ShowText>
							<Sec508Data>
								<ContentDescription frameNbr="1">Popup 1 of 3: Popup title: Tokens. Bulleted text displays in support of audio. An image of a cack displays. The integrated circuit chip or eye c c on the cack is enlarged and then brought back to its original size. An image of an alternate token displays.  An alternate token looks similar to a cack but it does not contain a photograph of the owner. Images of a laptop, a thumb drive and a diskette display. An image of the Firefox logo displays. P K eye credentials becomes rollover text which states that a P K eye credential is a private key paired with a certificate that can be used for digital signatures and encryption and for outbound Secure Socket Layer or S S L authentication. Hardware tokens becomes rollover text which states that hardware tokens are physical portable devices on which P K eye credentials are stored and may not be copied. The cack is an example of a hardware token. Integrated Circuit Chip or eye C C becomes rollover text which states that an integrated circuit chip or eye C C stores and protects your P K eye credentials on a hardware token. Alternate tokens becomes rollover text which states that alternate tokens are P K eye credentials stored in an eye C C and issued on a smart card. Alternate tokens allow users to authenticate their identity to log on to accounts other than their primary account on an unclassified network to which they already have access. Alternate tokens may not be used for email signing and email encryption. Software tokens becomes rollover text which states that software tokens are general purpose electronic devices used to store and secure personal P K eye credentials. Examples of software tokens are desktop computers, laptops, thumb drives, and floppy diskettes. Certificate store becomes rollover text which states a certificate store is a storage location for certificates stored locally on a computer or device that the user used to request it. 
A certificate store will often have numerous certificates, possibly issued from a number of different certification authorities. P twelve files becomes rollover text which states that in the D O D Firefox is the approved browser used to create user software certificates and their corresponding keys into P twelve files and stored on software tokens. P twelve files are portable password protected files with dot p twelve extensions. For example, software certificates must be installed into the Microsoft Certificate Store so that the user's certificates will be available for use with Microsoft products such as Internet Explorer and Outlook.</ContentDescription>
							</Sec508Data>
						</Popup>
						<Popup>
							<Filename>pkiuseb_12_02</Filename>
							<Sec508TriggerName>Certificates</Sec508TriggerName>
							<ShowText>
								<Txt frameNbr="1">PKI certificates are electronic documents issued by a trusted entity. This trusted entity is known as a Certification Authority, or CA. PKI certificates are the mechanism for binding a public key to a user and are the standard means for delivering the user's public key to people and applications. The DoD, through the National Security Agency, or NSA, and the Defense Information Systems Agency, or DISA, creates, authorizes, and maintains its own PKI, which provides certificate services for its authorized users. NSA maintains the PKI roots and DISA operates the certification authorities. For users of DoD information systems, the DoD issues end-user certificates. Each end-user certificate contains your personal identity information and a public key. The public key on each certificate is unique. There are three types of end user certificates, also referred to as PKI certificates or PKI credentials. These PKI certificates are called the identity certificate, the e-mail signing certificate, and the e-mail encryption certificate. The identity certificate allows you to apply your digital signature to e-forms and documents. It also authenticates your identity when accessing DoD PK-enabled web servers or portals. The e-mail signing certificate allows you to digitally sign e-mail and to authenticate your identity to access DoD information systems. The e-mail encryption certificate allows you to decrypt encrypted e-mail messages other people have sent to you. These three PKI certificates are stored in your CAC. External trusted users of DoD systems, who otherwise do not qualify to receive certificates issued by the DoD PKI, such as DoD contractors, may be issued a certificate by an External Certification Authority, or ECA. This certificate is called an ECA certificate. An ECA certificate is issued based on required evidence of identity and nationality presented to an agent trusted by the ECA. 
An ECA certificate is like an end user certificate in that it identifies trusted users of DoD systems and networks. Possession or use of an ECA certificate does not, however, provide any warranty as to the existence of an ECA user's security clearance or completeness of an ECA user's background investigation. Currently, there are two other types of certificates being issued in the DoD environment: server certificates and code signing certificates. The DoD issues server certificates to identify machines or websites on a network, which may allow the machines or websites to be trusted, and code signing certificates to identify software, which may allow that software to be trusted. </Txt>
								<Txt frameNbr="1" />
							</ShowText>
							<Sec508Data>
								<ContentDescription frameNbr="1">Popup 2 of 3: Popup title: Certificates. Bulleted text displays in support of audio. The D O D logo displays.  Under this logo a computer labeled certification authority displays. A paper certificate labeled end user certificate displays.  On this certificate there is an image of a soldier, a key and the words personal information. An arrow points from the certification authority computer to the end user certificate and then more arrows point from this certificate to 3 text boxes labeled identity certificate, email signing certificate and email encryption certificate.  Each box displays bulleted text in support of audio. An image of another computer labeled external certification authority displays with an arrow pointing to another paper certificate labeled E C Ay certificate.  Two more certificates display with arrows pointing from the original certification authority and they are labeled server certificates and code signing certificates. Certification authority becomes rollover text which states that a certification authority creates, signs, issues and revokes public key certificates. Server certificate becomes rollover text which states that server certificates identify machines or websites on a network which may allow the machines or websites to be trusted. Code signing certificates become rollover text which states that code signing certificates identify software which may allow that software to be trusted. End user certificates become rollover text which states that end user certificates identify users on a network which may allow the users to be trusted. External certification authority becomes rollover text which states that the E C Ay is a program sponsored by the D O D P K Eye.  It consists of a Root Certification Authority or Root C Ay maintained at the same facility that operates the D O D P K Eye Root C A, and Subordinate C Ays maintained by vendors. 
Vendors wishing to become E C Ays must pass a rigorous process that ensures their certificates are interoperable with the D O D P K eye and that the policies and procedures they use to issue certificates are sufficient to meet requirements specified in the E C Ay Certificate Policy or C P which has been approved by the D O D Certificate Policy Management Working Group or C P M W G.  Once a vendor has been approved to operate as an E C Ay the vendor is issued a Subordinate C Ay certificate from the E C Ay Root C Ay.  If an E C Ay vendor leaves the E C Ay program, the subordinate C Ay certificate for that vendor is revoked.  E C Ay vendors recoup the cost of managing their E C Ays by charging fees to issue certificates. Source: I Ay S E Website. E C Ay certificate becomes a rollover which states that E C Ay certificates identify trusted external users of D O D networks and systems.</ContentDescription>
							</Sec508Data>
						</Popup>
						<Popup>
							<Filename>pkiuseb_12_03</Filename>
							<Sec508TriggerName>Keys</Sec508TriggerName>
							<ShowText>
								<Txt frameNbr="1">PKI is technology based on public key cryptography, also known as asymmetric cryptography. In public key cryptography, each user gets two keys on each of their PKI certificates: a private key that is kept secret and secured by the user, and a public key that the user can make available on the public directory or by sending a digitally signed e-mail. Two primary e-mail uses of PKI are for digital signature and for encryption. A digital signature is applied using the sender's private key and is verified with the sender's corresponding public key. A message is encrypted using the recipient's public key. This message can only be decrypted with the recipient's corresponding private key. Let's look at an example of how this works when Alice sends a digitally signed e-mail to Bob. First, Alice uses her Private Key to digitally sign her e-mail. Then Bob uses Alice's Public Key to verify that the e-mail is really from Alice. Now let's look at an example of how the process works when Alice sends an encrypted e-mail to Bob. Alice uses Bob's e-mail encryption Public Key to encrypt her e-mail to Bob. Then Bob uses his own e-mail encryption Private Key to decrypt the e-mail from Alice. </Txt>
								<Txt frameNbr="1" />
							</ShowText>
							<Sec508Data>
								<ContentDescription frameNbr="1">Popup 3 of 3: Popup title: Keys. The words asymmetric cryptography display and remain on the screen throughout. An image of a soldier displays. A key labeled private displays on one side of the soldier and another key labeled public displays on the other side.  The public key shrinks and fades onto the screen of a computer that displays with several keys on its screen.  This computer image with the keys on its screen represents the public directory. These images fade from the screen.</ContentDescription>
								<ContentDescription frameNbr="590">The words digital signature and encryption display.  Under digital signature a certificate displays with two keys on top labeled Uses sender’s keys. Under Encryption an email message displays inside a circle with a key on top to represent encryption.  Characters that represent an encrypted message flow from the circle on the left to a circle on the right.  Another key displays on top of the right circle. The two keys join together to represent decryption and then the same message appears in the right circle. A label displays under the joined keys that says Uses recipient’s keys. All images on screen fade from the screen.</ContentDescription>
								<ContentDescription frameNbr="1122">The words digital signature appear. An image of a woman displays.  An email icon flows across from the woman at her computer and to a man at his computer. A brown key labeled Alice’s private key displays next to the image of the woman at her computer and an image of a digitally signed email displays. An image of a computer screen filled with keys displays and then a brown key moves from that computer next to the image of the man working at his computer and that key is labeled Alice’s public key.  A message appears on top of the image of the man that says this email is signed by Alice.  These images shrink and gray out but remain on the screen.  The word Encryption displays and the images of the man and the woman working at their computers reappear underneath.  The computer with the keys on its screen also reappears and a purple key labeled Bob’s public key displays next to the image of the woman.  An image of an encrypted email displays and the email icon flows from the woman’s computer to the man’s computer.  A purple key labeled Bob’s private key displays next to the image of the man. An image of a decrypted email displays.</ContentDescription>
							</Sec508Data>
						</Popup>
					</Popups>
					<ShowText>
						<Txt frameNbr="1">PKI consists of five components that work together to ensure information security. These components are systems, software, tokens, certificates, and keys. Systems must be public key enabled to interface with PKI. This involves replacing existing authentication systems or creating new user authentication systems using PKI certificates, instead of previous technologies, such as user ID and password. For example, applications such as the one you use to log your working and leave time may have controlled access through PKI, which would require you to use your PKI certificates on your CAC and your CAC PIN to authenticate your identity to access those applications. Software, too, must be public key enabled to realize the security that PKI provides. For example, Microsoft Outlook is public key enabled so that you may digitally sign and encrypt e-mail and attached documents. As a user, though, you will be most concerned with the last three components of PKI because that is where your personal information for PKI resides. These components are tokens, certificates, and keys. Select each of these three components to learn more. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 12 of 24. Topic Title: What is P K Eye? Screen title: PKI Components. An image of a spinning globe displays with two computers communicating with each other on top of it and the whole image is labeled Systems.  An image of a box of software and a C D displays and is labeled software.  An image of a cack displays and is labeled tokens.  An image of a paper certificate displays and is labeled certificates.  An image of two keys displays. The images of the tokens, certificates and keys become selectable as pop ups for more information on each of these three components.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Filename>pkiuseb_13</Filename>
					<PageNbr>13</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>600</DfltQuestionWidth>
					<DfltFBWidth>680</DfltFBWidth>
					<Instructions>Select True or False for each statement. Select Done when you have finished.
With PKI a user can:</Instructions>
					<DfltInstructionWidth>570</DfltInstructionWidth>
					<Questions>
						<DfltInstructionWidth>570</DfltInstructionWidth>
						<Question qType="MC">
							<DfltInstructionWidth>570</DfltInstructionWidth>

							<Txt>Intercept another user's e-mail</Txt>
							<Response>
								<Txt>True for Intercept another user's e-mail</Txt>
							</Response>
							<Response valid="true">
								<Txt>False for Intercept another user's e-mail</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. A user cannot use PKI to intercept e-mail encrypted to another user.</DfltCorrect>
								<DfltIncorrect>Incorrect. A user cannot use PKI to intercept e-mail encrypted to another user.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<DfltInstructionWidth>570</DfltInstructionWidth>

							<Txt>Digitally sign e-mail</Txt>
							<Response valid="true">
								<Txt>True for Digitally sign e-mail</Txt>
							</Response>
							<Response>
								<Txt>False for Digitally sign e-mail</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. With PKI, a user can digitally sign e-mail.</DfltCorrect>
								<DfltIncorrect>Incorrect. With PKI, a user can digitally sign e-mail.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<DfltInstructionWidth>570</DfltInstructionWidth>

							<Txt>Access unclassified networks</Txt>
							<Response valid="true">
								<Txt>True for Access unclassified networks</Txt>
							</Response>
							<Response>
								<Txt>False for Access unclassified networks</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. With PKI, a user can authenticate their identity to access unclassified networks.</DfltCorrect>
								<DfltIncorrect>Incorrect. With PKI, a user can authenticate their identity to access unclassified networks.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<DfltInstructionWidth>570</DfltInstructionWidth>

							<Txt>Send postcards from abroad on the Internet</Txt>
							<Response>
								<Txt>True for Send postcards from abroad on the Internet</Txt>
							</Response>
							<Response valid="true">
								<Txt>False for Send postcards from abroad on the Internet</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. A user cannot use PKI to send postcards on the Internet.</DfltCorrect>
								<DfltIncorrect>Incorrect. A user cannot use PKI to send postcards on the Internet.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<DfltInstructionWidth>570</DfltInstructionWidth>

							<Txt>Encrypt e-mail</Txt>
							<Response valid="true">
								<Txt>True for Encrypt e-mail</Txt>
							</Response>
							<Response>
								<Txt>False for Encrypt e-mail</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. With PKI, a user can encrypt e-mail.</DfltCorrect>
								<DfltIncorrect>Incorrect. With PKI, a user can encrypt e-mail.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 13 of 24. Screen title: Knowledge Check. This is a series of true or false questions. Use your keyboard to cycle through the list of options.</ContentDescription>
					</Sec508Data>
				</Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>The DoD PKI</Title>
			<Subtitle />
			<Pages>
				<Page>
					<Title>Chain of Trust</Title>
					<Filename>pkiuseb_14</Filename>
					<PageNbr>14</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The fundamental principle of PKI is the concept of the "Chain of Trust". For PKI to be a viable enabler of increased information security, the DoD must maintain the "Chain of Trust". The three components that comprise the "Chain of Trust" are Certificate Lifecycle Management, the Registration Process, and PK-Enabled Applications. Certificate Lifecycle Management is responsible for issuing, maintaining, and revoking all of the DoD PKI Certificates. This also includes regularly publishing a certificate revocation list, or CRL, of all certificates that have been revoked. CRLs are used by Public Key enabled applications to verify if a certificate is still valid. The Registration Process must verify the user's identity prior to allowing the user to obtain a DoD PKI Certificate. Applications should be configured to use DoD PKI Certificates. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 14 of 24. Topic Title: The D O D P K Eye. Screen title: Chain of Trust. Three links of a chain display connected together and labeled the P K Eye Chain of Trust.  The three links are labeled Certificate Lifecycle Management, registration process, P K enabled applications. In the first link an image of a computer, a paper certificate and a piece of paper labeled C R L display. In the second link an image of a man working at his desk in front of his computer with a line of people at his desk displays. In the third link a list of software applications displays.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>Certificate Lifecycle Management</Title>
					<Filename>pkiuseb_15</Filename>
					<PageNbr>15</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Certificate Lifecycle Management, which issues, maintains, and revokes all DoD PKI certificates, consists of Certification Authorities, or CAs, and Directories that are maintained by the National Security Agency, or NSA, and the Defense Information Systems Agency, or DISA. CAs are trusted computers that are authorized to create, sign, issue, and revoke public key certificates to individuals or other devices, such as servers and routers. When a CA digitally signs each certificate it issues, the user's identity is certified, and the association of the certified identity with a public key is validated. There are two types of CAs: the DoD Root CA and the Intermediate, or Subordinate, CAs. The DoD Root CA issues certificates to the Intermediate CAs; then, in turn, Intermediate CAs, also known as "issuers", issue certificates to DoD members through the registration process. Directories are repositories for all E-mail Encryption Certificates issued by the DoD CAs. The principal directory for DoD PKI is called Global Directory Service, or GDS. GDS includes both the public e-mail encryption keys and the latest certificate revocation lists.</Txt>
						<Txt frameNbr="2" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 15 of 24. Screen title: Certificate Lifecycle Management. All of the images in the links in the chain from the previous screen display. The images inside the links fade from the screen and the first link in the chain is highlighted. Images of three paper certificates display. A computer hard drive labeled D O D Root C Ay displays. Images of two computer hard drives each labeled Intermediate C Ay display. Another computer hard drive displays labeled Global Directory Service. Logos from DISA, the D O D, and N S Ay display with arrows pointing to the Global Directory Service computer.  Bullets display in support of audio.  The paper certificates flow from the D O D Root C Ay through the Intermediate C Ays and an arrow forms from there to a paper labeled Registration Process and on to a group of people. The certificates then follow the arrow through the registration process to the people.  An arrow forms from the Intermediate C Ays to the Global Directory Service.  A paper labeled email encryption and another paper labeled C R L move from the Intermediate C Ay to the Global Directory Service. D O D Root C Ay becomes rollover text which states that a Root C Ay or a Trusted Root is a certification authority that signs its own certificates. Source: The D O D Public Key Infrastructure and Public Key Enabled Frequently Asked Questions, 3 May 2004. Intermediate C Ay becomes rollover text which states that an intermediate C Ay or subordinate C Ay is a certification authority that has certificates issued by a root C Ay. Source: The D O D Public Key Infrastructure and Public Key Enabled Frequently Asked Questions, 3 May 2004. Global Directory Service becomes rollover text which states that the global directory service or G D S is an enterprise wide directory service that supports the D O D P K Eye program.  
G D S currently provides a D O D wide search capability for information such as names, email addresses and public keys regarding D O D personnel with a D O D P K Eye certificate on the nippernet and the sippernet.  G D S includes both the public email encryption keys and the certificate revocation lists.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>Registration Process</Title>
					<Filename>pkiuseb_16</Filename>
					<PageNbr>16</PageNbr>
					<Popups>
						<Popup>
							<Filename>pkiuseb_16_01</Filename>
							<Sec508TriggerName>Registration Authority</Sec508TriggerName>
							<ShowText>
								<Txt frameNbr="1">The primary responsibilities for the DoD PKI RA are approving DoD Server PKI Certificates, revoking DoD PKI Certificates and managing Local Registration Authorities. </Txt>
								<Txt frameNbr="1" />
							</ShowText>
							<Sec508Data>
								<ContentDescription frameNbr="1">Popup 1 of 4: Popup title: Registration Authority. Bullets display in support of audio.</ContentDescription>
							</Sec508Data>
						</Popup>
						<Popup>
							<Filename>pkiuseb_16_02</Filename>
							<Sec508TriggerName>Local Registration Authority</Sec508TriggerName>
							<ShowText>
								<Txt frameNbr="1">The primary responsibilities for the DoD PKI LRA are registering users for DoD PKI Software Certificates and assisting the RA. </Txt>
								<Txt frameNbr="1" />
							</ShowText>
							<Sec508Data>
								<ContentDescription frameNbr="1">Popup 2 of 4: Popup title: Local Registration Authority. Bullets display in support of audio.</ContentDescription>
							</Sec508Data>
						</Popup>
						<Popup>
							<Filename>pkiuseb_16_03</Filename>
							<Sec508TriggerName>Trusted Agent</Sec508TriggerName>
							<ShowText>
								<Txt frameNbr="1">The primary responsibilities for the Trusted Agent are assisting users with obtaining certificates and verifying users' identities in a face-to-face environment for the RA or the LRA. </Txt>
								<Txt frameNbr="1" />
							</ShowText>
							<Sec508Data>
								<ContentDescription frameNbr="1">Popup 3 of 4: Popup title: Trusted Agent. Bullets display in support of audio.</ContentDescription>
							</Sec508Data>
						</Popup>
						<Popup>
							<Filename>pkiuseb_16_04</Filename>
							<Sec508TriggerName>Verifying Official</Sec508TriggerName>
							<ShowText>
								<Txt frameNbr="1">The primary responsibility for the VO is issuing CACs to DoD members using DEERS/RAPIDS workstations at DoD posts and installations. </Txt>
								<Txt frameNbr="1" />
							</ShowText>
							<Sec508Data>
								<ContentDescription frameNbr="1">Popup 4 of 4: Popup title: Verifying Official. Bullets display in support of audio.</ContentDescription>
							</Sec508Data>
						</Popup>
					</Popups>
					<ShowText>
						<Txt frameNbr="1">In the Registration Process, the DoD PKI relies on key Trusted Roles within the Services and Agencies to verify a user's identity prior to allowing a user to obtain a DoD PKI Certificate. DoD PKI Certificates are issued after an individual's identity has been verified in a face-to-face meeting with a DoD PKI Registration Authority, or RA, a Local Registration Authority, or LRA, a Trusted Agent, or TA, or a Verifying Official, or VO. Select each of these roles to learn their primary responsibilities. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 16 of 24. Screen title: Registration Process. All of the images in the links in the chain from the previous screen display. The images inside the links fade from the screen and the second link in the chain is highlighted. Bullets display in support of audio. In the second link an image of a man working at his desk in front of his computer with a line of people at his desk displays. The four trusted roles become selectable as pop-ups for more information on each role.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>PK-Enabled Applications</Title>
					<Filename>pkiuseb_17</Filename>
					<PageNbr>17</PageNbr>
					<ShowText>
						<Txt frameNbr="1">An additional component of the PKI Chain of trust is the use of applications that are PK-enabled. Some examples of applications that are PK-enabled are Microsoft Outlook, web browsers such as Internet Explorer and Firefox, and Defense Travel System, or DTS. Microsoft Outlook is enabled with the functionality that allows you to digitally sign and encrypt or decrypt e-mail. You will also need to install your certificates in your web browsers to authenticate your identity to be able to access certain web sites. The approved DoD web browsers are Internet Explorer, or IE, and Mozilla Firefox. Firefox has replaced Netscape as the major alternative browser to IE in the DoD. DTS is an example of a DoD application that contains personally identifiable information and is PK-enabled. DTS will recognize your CAC and prompt you for your CAC PIN to authenticate you and digitally sign travel documents. In addition to these examples, you may encounter other DoD applications and websites that are PK-enabled that will require you to use your authorized PKI credentials and PIN for authentication, once access is granted. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 17 of 24. Screen title: P K Enabled Applications. All of the images in the links in the chain from the previous screen display. The images inside the links fade from the screen and the third link in the chain is highlighted. Bullets display in support of audio. The Microsoft Outlook logo displays.  The logos for Firefox and Internet Explorer display.  The logo for Defense Travel System displays. P K enabled becomes rollover text which states that Public Key Enabling or P K E is the incorporation of the use of certificates for security services such as authentication, confidentiality, data integrity and non repudiation. Source: D O D Eye eighty five twenty dot two, P K Eye and P K E, 1 April 2004.</ContentDescription>
					</Sec508Data>
				</Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Common Access Card</Title>
			<Subtitle />
			<Pages>
				<Page>
					<Title>What is the CAC?</Title>
					<Filename>pkiuseb_18</Filename>
					<PageNbr>18</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The Common Access Card, commonly referred to as the CAC, is a smart card which is the standard ID card for DoD military, civilian, and eligible contractor personnel. It is also considered the DoD PIV card for compliance with HSPD-12. The CAC is the token that contains your PKI certificates which establish your digital identity. Your digital identity is stored in the Integrated Circuit Chip on your CAC. With the CAC, you can authenticate your identity in order to access the DoD's unclassified computer networks, applications, and restricted Web sites, as well as to digitally sign, encrypt, and decrypt unclassified e-mail messages and forms. While your CAC may allow you to access DoD installations and facilities, those that require physical access may require an additional badge. It is a goal of the smart card program to allow wider physical and logical access to DoD installations and facilities using the CAC. It is important for you to note that the CAC for unclassified systems may only be used to authenticate your identity in order to access the NIPRNet and may not be used to access the Secret Internet Protocol Router Network, or SIPRNet. In addition, you may NOT use your CAC to encrypt classified data and then transmit or store that data on the NIPRNet. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 18 of 24. Topic Title: Common Access Card. Screen title: What is the cack? Bullets display in support of audio. An image of the cack displays. A callout box displays which points to the Eye C C on the cack.  An image of a cack being inserted into a cack reader displays. An image of someone entering their pin on a keypad displays. A computer displays.  Three messages flash on the computer screen.  The first message says nippernet only. The second message says no sippernet. The third message says no classified data. Digital identity becomes rollover text which states that when combined the P K Eye certificate, public key and private key become your digital identity. Your digital identity proves to web sites and applications that you are who you say you are. Nippernet becomes rollover text which states that the non secure internet protocol router network or nippernet is a global long haul internet protocol or Eye P based network to support unclassified Eye P data communications services for combat support applications to the Department of Defense. Sippernet becomes rollover text which states that the secret Eye P router network or sippernet is the D O Deez largest interoperable command and control data network supporting the Global Command and Control System or G C C S, the Defense Message System or D M S, collaborative planning, and numerous other classified war fighter applications.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>Elements of the CAC</Title>
					<Filename>pkiuseb_19</Filename>
					<PageNbr>19</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Your CAC contains your digital identity and sensitive information. The CAC should not be treated solely as a picture ID, and should not be used in temporary badge exchanges. You must protect your CAC and keep it in your possession at all times. You should not leave your CAC unattended, not even in your workstation. There are five categories of elements that may be encoded on your CAC, depending on your status as a DoD military or civilian member or contractor. The potential categories of elements are identification elements, organization elements, card management elements, benefit elements, and PKI elements. Roll over each type to see a list of elements that may be included in each. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 19 of 24. Screen title: Elements of the cack. An image of the cack displays. A message displays on top of the cack that says protect your cack! Bullets display in support of audio. Identification elements becomes rollover text which states that identification elements may include first, middle and last name, gender, person identifier and other privacy data. Organization elements becomes rollover text which states that organization elements may include service branch, personnel category, government and non government agency, rank, pay grade and pay category. Card management elements becomes rollover text which states that card management elements may include card issue date, card expiration date and other card management data. Benefits elements becomes rollover text which states that on military and or overseas personnel cards only benefit elements may include birth date, contractor code, meal entitlement code, commissary or exchange code, M W R code, entitlement code, entitlement condition, medical benefits end date and type code. P K Eye elements becomes rollover text which states that P K eye elements may include an identity certificate, an email signing certificate, an email encryption certificate or a piv certificate on newer cards.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>Obtaining/Returning a CAC</Title>
					<Filename>pkiuseb_20</Filename>
					<PageNbr>20</PageNbr>
					<Popups>
						<Popup>
							<Filename>pkiuseb_20_01</Filename>
							<Sec508TriggerName>Forms of Identification</Sec508TriggerName>
							<ShowText>
								<Txt frameNbr="1" />
								<Txt frameNbr="1" />
							</ShowText>
							<Sec508Data>
								<ContentDescription frameNbr="1">Popup 1 of 1: Popup title: Forms of identification. The following bullets display after the bullet stem forms of identification.  Bullet one says you must present two forms of identification. Bullet two says at least one of your forms of eye d must contain your picture. Bullet three says one eye d must be from list ay or list b. Bullet four says one eye d must be from list c. List ay becomes rollover text which states that List ay contains documents that establish both identity and employment eligibility. These documents are an unexpired or expired u s passport, a permanent resident card or alien registration receipt card which is form eye five fifty one, an unexpired foreign passport with a temporary eye five fifty one stamp, and an unexpired employment authorization document that contains a photograph which is form eye seven sixty six, form eye six eighty eight, form eye six eighty eight ay, and form eye six eighty eight b. List b becomes rollover text which states that list b contains documents that establish identity. They are a drivers license or eye d card issued by a state or outlying possession of the United States provided it contains a photograph or information such as name, date of birth, gender, height, eye color and address, an eye d card issued by federal, state or local government agencies or entities, provided it contains a photograph or information such as name, date of birth, gender, height, eye color and address, a school eye d with a photograph, a voters registration card, a u s military card or draft record, a military dependents eye d card, a u s coast guard merchant mariner card, a native American tribunal document, and a drivers license issued by a Canadian government authority. 
For persons under age 18 who are unable to present one of the preceding documents from list ay or list b, they can provide a school record or report card, a clinic, doctor or hospital record, or a day care or nursery school record. List c becomes rollover text which states that list c contains documents that establish employment eligibility. These documents are a u s social security card issued by the social security administration other than a card stating it is not valid for employment, a certification of birth abroad issued by the Department of State which is form f s five forty five or form d s thirteen fifty, an original or certified copy of a birth certificate issued by a state, county, municipal authority or outlying possession of the United States bearing an official seal, a Native American tribunal document, a u s citizen eye d card which is form eye one ninety seven, an eye d card for use of Resident Citizen in the United States which is form eye one seventy nine or an unexpired employment authorization document issued by D H S other than those listed under list ay.</ContentDescription>
							</Sec508Data>
						</Popup>
					</Popups>
					<ShowText>
						<Txt frameNbr="1">You can obtain your CAC at any DoD card issuance office equipped with a RAPIDS workstation. You can locate where to obtain your CAC by using the RAPIDS Site Locator, or RSL, at the web address provided on the screen. RAPIDS workstations interface with the DEERS repository, which is the DoD personnel database. Once at the card issuance office, you must present two forms of identification from specific authorized lists.  At least one of your forms of identification must be a picture ID. Note that a government sponsor must first authorize contractors in the Contractor Verification System, or CVS, before a CAC can be issued to them. After verifying your identity, you will have your fingerprint taken. It will be stored in your DEERS record for future use. Also, your photo will be taken and printed on your CAC. In addition, you will input a Personal Identification Number, or PIN, that you will use to protect your CAC. Finally, you will sign a form acknowledging your receipt of the CAC with DoD PKI certificates and your understanding of your obligations. The whole process normally takes about 15 to 20 minutes. At one or more points in your career, you will need to return your CAC. The guidelines for when to do this are different based on what type of DoD member you are. If you are military, you must renew your CAC prior to the expiration date of the card or return it to your Security Officer when you leave or retire from your Branch of Service. You will also receive a new CAC each time your rank changes. If you are civilian, you must renew your CAC prior to the expiration date of the card or return it to your Security Officer upon leaving your Agency or the DoD. If you are transferring to a new Agency, you will obtain a new CAC at that Agency. 
If you are a contractor, you must return your CAC to your Security Officer or your DoD Contracting Officer Technical Representative, or COTR, upon termination of your contract or upon leaving the Agency or DoD. Select "forms of identification" to view the lists of  acceptable forms of ID.</Txt>
						<Txt frameNbr="2" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 20 of 24. Screen title: Obtaining and returning a cack. A computer screen displays. Bullets display in support of audio. The rapidz site locator welcome screen displays on the computer. The u r l address of the rapidz site locator displays on the computer screen. A drivers license and a social security card display. A computer displays with C V S on the screen. An image of a fingerprint displays.  An image of a camera on a tripod displays. An image displays of someone pressing buttons on keypad. An image displays of someone signing a form. A cack redisplays. Forms of identification becomes selectable as a pop up so that you can learn more about the acceptable forms of identification.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>What You Need to Use Your CAC</Title>
					<Filename>pkiuseb_21</Filename>
					<PageNbr>21</PageNbr>
					<ShowText>
						<Txt frameNbr="1">To use your CAC to log on to the DoD unclassified systems and networks, you will need hardware and software on your workstation and you will need your CAC Personal Identification Number, or PIN. First, you must ensure that a Smart Card reader is attached to your workstation. A Smart Card reader is the device that reads the information on your CAC. If you do not have a Smart Card reader on your workstation, contact your Help Desk. Second, your workstation should be configured with Smart Card Middleware, certificate validation software, the Smart Card Reader driver, and DoD authorized PKI Trusted Root CA certificates and Intermediate, or Subordinate, certificates. If you are missing any of these items, please contact your Help Desk. Smart Card Middleware is software that is required for applications to interface with the CAC. In the DoD, the most common Smart Card Middleware is ActivClient. Certificate validation software confirms that a certificate is valid and has neither expired nor been revoked. The Smart Card reader driver software is necessary for your workstation to recognize and interface with your Smart Card reader. The DoD-authorized Trusted Roots and Intermediate Certificates are installed on the workstation so that applications can validate that a PKI certificate they use or encounter is a valid DoD certificate. Your system administrator will continue to provide regular updates for these components, as necessary. Lastly, you will need your CAC PIN. Your CAC PIN is the 6 to 8 digit PIN you create at the time you receive your CAC. The CAC PIN protects data that is on the CAC, including your PKI certificates. It is important to safeguard your CAC and keep your CAC PIN private. If someone has your CAC and knows your CAC PIN, they can impersonate you and transact official DoD business as though they are you. 
If you forget your CAC PIN or if you lock your CAC because you had 3 consecutive unsuccessful attempts at entering your PIN, you can reset your CAC PIN at a CAC PIN Reset, or CPR, workstation or at a RAPIDS workstation. To locate a CPR workstation near you, contact your Help Desk. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 21 of 24. Screen title: What you need to use your cack. Bullets display in support of audio. An image of a cack inserted into a smart card reader displays. Eight digits of a cack pin display. An image of a woman displays with an image of her cack next to her.  An image of another woman displays in the first womans place as the identity thief with the first womans cack next to her. An image of the first woman replaces the image of the identity thief. An image of a computer displays with the words smart card locked and a picture of a lock on the computer screen.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Filename>pkiuseb_22</Filename>
					<PageNbr>22</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>425</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>If you need to leave your workstation to get a cup of coffee down the hall, what should you do with your CAC?  Select the best response and then select Done.</Txt>
							<Response>
								<Txt>Leave the CAC in your workstation since you will be back in a few minutes.</Txt>
							</Response>
							<Response valid="true">
								<Txt>Remove your CAC from your workstation and take it with you.</Txt>
							</Response>
							<Response>
								<Txt>Leave your CAC in your workstation, but ask a co-worker to keep an eye on your workstation while you are gone.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. You must keep your CAC in your possession at all times. </DfltCorrect>
								<DfltIncorrect>Incorrect. You must keep your CAC in your possession at all times.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now, check your understanding. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 22 of 24. Screen title: Knowledge check. This is a multiple choice question. Use your keyboard to cycle through the list of options.</ContentDescription>
					</Sec508Data>
				</Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Filename>pkiuseb_23</Filename>
					<PageNbr>23</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>2</AttemptCountLimit>
					<DfltQuestionWidth>600</DfltQuestionWidth>
					<DfltFBWidth>650</DfltFBWidth>
					<Questions>
						<Question qType="MR">
							<Txt>Select the functions from the list that you can perform with your CAC. Select all that apply.  When you have finished, select Done.</Txt>
							<Response valid="true">
								<Txt>Encrypt e-mail</Txt>
							</Response>
							<Response>
								<Txt>Authenticate to DoD classified systems</Txt>
							</Response>
							<Response valid="true">
								<Txt>Digitally sign e-mail</Txt>
							</Response>
							<Response valid="true">
								<Txt>Authenticate your digital identity to the recipient of your email</Txt>
							</Response>
							<Response valid="true">
								<Txt>Authenticate to DoD unclassified systems</Txt>
							</Response>
							<Response valid="true">
								<Txt>Access DoD buildings</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct.  These are the functions you can perform with your CAC. </DfltCorrect>
								<Incorrect>Incorrect.  Some of the functions you selected may be correct, but you do not yet have all the right choices in combination. Please try again. </Incorrect>
								<Incorrect>Incorrect.  Some of the functions you selected may be correct, but you do not yet have all the right choices in combination. Here are the functions from the list that you can perform with your CAC.</Incorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now, check your knowledge of the functions you can perform with your CAC.</Txt>
						<Txt frameNbr="2" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 23 of 24. Screen title: Knowledge check. This is a multiple choice question. Use your keyboard to cycle through the list of options.</ContentDescription>
					</Sec508Data>
				</Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle />
			<Pages>
				<Page>
					<Title>Conclusion</Title>
					<Filename>pkiuseb_24</Filename>
					<PageNbr>24</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations!  You have completed the PKI Overview lesson. You should now be able to identify why PKI is important to the Department of Defense and which pieces of guidance mandate the use of PKI. You should be able to identify the components that comprise PKI and how the DoD implements PKI to protect our networks, systems, and applications, thereby enhancing our national security. In addition, you should now be able to identify what the CAC is, what it can be used for, and what pieces of information are stored on your CAC. You should also be able to identify how to obtain a CAC and when to return your CAC. Finally, you should be able to identify what you need to use your CAC, including what a CAC PIN is and what to do if you forget your CAC PIN. </Txt>
						<Txt frameNbr="1" />
					</ShowText>
					<Sec508Data>
						<ContentDescription frameNbr="1">Screen 24 of 24. Topic Title: Conclusion. Screen title: Conclusion. The word Congratulations displays then fades and is replaced by a list of the objectives for the lesson. Each objective is checked off as it is reviewed.</ContentDescription>
					</Sec508Data>
				</Page>
			</Pages>
		</Topic>
	</Topics>
</Module>