Product Manager, Keon PKI ecarboni@rsasecurity Mobile Credentials Ennio J. Carboni Product Manager, Keon PKI 781-301-5323 ecarboni@rsasecurity
RSA Keon® Robust, flexible Certification Authority Enhanced PKI Services Interoperable across multiple certificate authorities, directory servers and applications Powerful desktop with common credential store, two-factor authentication and file encryption Security server providing policy management, trust management and credential mobility Application Integration RSA BSAFE® Cert tools natively PKI-enabling applications RSA Keon Agent toolkit for integrating existing non-PKI applications (SSO)
RSA Keon Enhanced Services RSA Keon Advanced PKI Web App RSA SecurID Authenticator RSA Keon Security Server RSA Keon Desktop RSA Keon Agent Application server (e.g.SAP) E-mail RSA Keon Certificate Server RSA BSAFE PKI-enabled app.
RSA Keon Security Server Extend the use of digital certificates across organizations and applications Keon Credential Store management and delivery for mobile users Focal point for CA interoperability within Keon Automated certificate validation Centralized management for private key access policy Centralized logging depot for Keon components Replication for scalability Simplified Administration
RSA Keon Desktop Providing the critical requirements for desktop e-Security File Encryption Protection of Credentials PKI Credential Interoperability Smart Card Support Reduced Logon Ease of Deployment
Security Non-repudiation requires trust in certificates Certificates & Cryptography bind digital identities to the data and transactions they manipulate Authenticators bind people to their digital identities
How Secure is the Private Key? Password Hard Drive Where is it stored? How user authenticates to the store? Virtual Smart Card Crypto Operation Smart Card PIN
Local PKI Credential Storage Password Password PKCS #12 export
PKCS #12 Issues PKCS #12 implementations hard to use Requires manual intervention No life cycle support Inconsistent update of credentials Limited security for private key Password based Allows replication of identity
Smart Cards and Authentication Smart Cards are ideal for PPK Authentication The Private Key lives in secure tamper resistant storage “2 factor” authentication is re-introduced since you need both the Smart Card and a PIN to unlock it The crypto happens on the Smart Card with the help of a crypto accelerator They fit into your wallet, and they scrape frost off car windows nicely!
The Benefits of Smart Cards They are secure They are portable They can perform operations other than authentication signatures, encryption They can support other applications E-cash, Loyalty, ... They can be used as Employee badges
RSA SecurID 3100 Smart Card Highest security On-card digital signatures Supports latest application features Dual keys and certificates Mobility Credential store on-card with keys, certificates, login information and RSA SecurID seed Versatile Supports RSA Keon Desktop for PKI applications and classic RSA SecurID-protected systems
RSA SecurID 3100 Smart Card Smart Card Readers Smart Cards PC/SC Setec SetCad 203N Philips PE112/PE122 Smart Cards Philips DX Setec 8k Setec 16k GemPlus GPK8000
Smart Card-Reader Interface There are actually two standardization issues to be dealt with The electrical interface between the reader hardware and the PC Fortunately standards exist here RS232 and USB More problematic is the interface between the reader hardware and the smart card Two classes of interface were needed here: Electrical Interface Standards Command Interface Standards ISO 7816 addresses these issues
Smart Card Reader Interface The next level of problem is the API between the smart card reader, and the host PC software Until recently, each reader manufacturer had a proprietary API which was used to talk to the reader driver This was an effort by the smart card reader manufacturers to lock applications into a particular reader Several years ago a consortia headed by Microsoft defined the PC/SC interface It was intended to be use by systems other than Windows (Unix, PDAs, …) In reality, it is primarily a Microsoft Windows standard
Smart Card Formatting There are two major ways of dealing with this formatting problem: One solution is to develop a standardized way to layout the card directory, and name the files PKCS15 developed by RSA Labs is an example The other solution is to abstract the interface to the card so that you no longer deal with directories and files JavaCard is an example
PKI Credential Interoperability Sharing credentials across multiple applications Netscape Communicator Microsoft apps CAPI/CSP PKCS#11 RSA Keon Credential Store
The Barriers to Smart Cards They need a reader This will be an issue until these become embedded in keyboards and notebooks They cost money But prices are getting pretty reasonable Not all applications support PPK and Smart Cards But many of today’s applications are Web based, and the browsers do support them Industry compatibility PC/SC Readers now available PKCS #15 from RSA Labs
PKCS15 What is it? People frequently confuse PKCS11 and PKCS15 It is a specification for organizing cryptographic data onto an authentication objects (e.g. card, other devices) Allows multiple PKCS15 applications to live on same card People frequently confuse PKCS11 and PKCS15 PKCS11 is a standard which defines how to plug cryptographic tokens into a crypto solution These tokens could be smart cards or crypto accelerators for example PKSC15 is a standard which defines the layout of a smart card format, and the naming standard for common files The application developers who use smart cards are focusing on PKCS15
RC4 128-bit Private Area Key Encryption Private Key RSA Keon Advanced PKI Credential Store Format Keon Credential Store Private Area Public Area Symmetric File Encryption Key NT/NetWare Credentials RC4 128-bit Private Area Key User’s Encryption X.509 Certificate Public Key User’s Signing Signing Private Key Encryption Private Key Virtual Smart & Physical Smart Card
Unique PKI Issues for B2B & Extended Enterprises Partners wishing to use PKI to protect transactions over the Internet. Must support the “Big 2” web browsers and mail clients Must be secure over a public network Must be unobtrusive to partners’ PCs Must be easy to use Solution must be secure, scalable, and manageable Users credentials must be mobile
Unique PKI Issues for B2B & Extended Enterprises Large enterprise deployments wanting to use PKI for a variety of functions Browser, S/MIME, IPSec The enterprise requires unobtrusive software Must be easy to use The solution must be secure and be run over a public network
RSA Keon Advanced PKI Ease of Use: Credential Mobility Security Server RSA Keon Advanced PKI takes the concept of the Credential Store one step further, by providing user credential mobility. A user can move from RSA Keon Desktop to Desktop with confidence their credentials will follow them to each secured work environment. Today’s PKI deployments offer mobility with physical smart cards only. If an organization deploys a software-based PKI implementation, end users are tied to a physical device, their workstation. RSA Keon Advanced PKI supports physical and virtual smart cards to provide customers the flexibility needed for secure e-business. RSA Keon Advanced PKI, with the concept of a virtual smart card offers organizations the benefits of a physical smart card without the additional costs associated with readers and deployment of hardware.
Downloadable Desktop Architecture PKCS #11 Browsers and Mail Clients Microsoft Browsers and Mail Clients IPSec and Other Applications PKCS #11 CSP PKCS #11 or CSP RSA Security Cryptographic Services Logoff Service COM server Local Security Service
Downloadable Desktop Credential mobility Multiple user credentials Certificate auto-enrollment Keon Certificate Server Support Optional SecurID authentication Standards-based repository
Downloadable Desktop Unobtrusive software Reduced sign-on/web SSO Small footprint No device drivers Installed by a normal user No reboot Reduced sign-on/web SSO Interoperability with client PKI applications Microsoft Internet Explorer, Outlook Express, Outlook 2000 Netscape Navigator, Messenger Other “CSP” Applications Compatibility with authorization products Public APIs and CLIs for integration and customization
Authentication Options Physical Smart Card Virtual Smart Card PKCS #5 Password Enhancement SecurID
The Most Trusted Name in e-Security WWW.RSASECURITY.COM