Enterprise Key Management Infrastructure (EKMI) Arshad Noor CTO, StrongAuth, Inc. Chair, EKMI TC – OASIS

Business Challenge
● Regulatory Compliance – PCI-DSS, PCSA, HIPAA, FISMA, EU Directive
● Avoiding Fines – ChoicePoint ($15M), Nationwide Building Society ($2M), University of California – LLNL ($4M)
● Avoiding Lawsuits – TJX (multiple), Bank of America
● Avoiding costs due to security breaches – TJX ($150M)

The Encryption Problem Every application repeats the same key lifecycle on its own: ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ... and on and on, once per application.

Key Management Silos

What is an EKMI? An Enterprise Key Management Infrastructure is: “A collection of technology, policies and procedures for managing all cryptographic keys in the enterprise.”

Characteristics of an EKMI ● A single place to define EKM policy ● A single place to manage all keys ● Standard protocols for EKM services ● Platform and Application-independent ● Scalable to service millions of clients ● Available even when network fails ● Extremely secure

EKMI Harmony

The Encryption Solution (diagram) Over the WAN, one SKS Server performs Generate, Protect, Escrow, Authorize, Recover and Destroy for all symmetric keys; a PKI Server issues and manages credentials; each application only Encrypts and Decrypts.

EKMI Components
● Public Key Infrastructure – for digital certificate management; used for strong authentication, and secure storage & transport of symmetric encryption keys
● Symmetric Key Management System – SKS Server for symmetric key management; SKCL for client interactions with the SKS Server
● EKMI = PKI + SKMS

SKMS – SKS Server Contains all symmetric encryption keys
– Generates, escrows and retrieves keys
– ACLs authorizing access to encryption keys
– Central policy for symmetric keys: key-size, key-type, key-lifetime, etc.
– Accepts SKSML protocol requests
– Functions like a DNS server

SKMS - SKCL Symmetric Key Client Library
– Communicates with the SKS Server
– Requests (new or old) symmetric keys
– Caches keys locally (KeyCachePolicy)
– Encrypts & decrypts data (KeyUsePolicy); supports 3DES, AES-128, AES-192 & AES-256
– Makes SKSML requests
– Functions like a DNS client library
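The local key cache and its policy are what make the "available even when the network fails" characteristic possible, and also what make it dangerous if the policy is loose. The following is an added example in Go, not the SKCL's own code: a client-side cache whose policy fields (MaxKeys, TTL, MaxOffline) are assumed names, with the signed SKSML round-trip reduced to a Fetcher callback and a constructed stand-in for the SKS that can be taken offline.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var ErrUnreachable = errors.New("SKS unreachable")

// CachePolicy is an assumed shape for what the slides call the KeyCachePolicy.
type CachePolicy struct {
	MaxKeys    int           // keys the client may hold locally
	TTL        time.Duration // age after which a cached key is re-fetched from the SKS
	MaxOffline time.Duration // ceiling on age while the SKS is unreachable (0 = no offline use)
}

// Fetcher performs the signed SKSML round-trip for one key ID (not modelled here).
type Fetcher func(id uint32) ([]byte, error)

type entry struct { key []byte; fetched time.Time }

// KeyCache: now is an injectable clock; order is fetch order, oldest first, for eviction.
type KeyCache struct { policy CachePolicy; fetch Fetcher; now func() time.Time; keys map[uint32]entry; order []uint32 }

func NewKeyCache(p CachePolicy, f Fetcher, now func() time.Time) *KeyCache {
	return &KeyCache{policy: p, fetch: f, now: now, keys: map[uint32]entry{}}
}

func dup(b []byte) []byte { return append([]byte(nil), b...) } // callers get copies; Forget zeroes the original

// Get: fresh hits are served locally; stale entries are refreshed from the SKS; if the SKS
// is down, a stale entry is served only within MaxOffline, and a never-cached key not at all.
func (c *KeyCache) Get(id uint32) ([]byte, error) {
	e, cached := c.keys[id]
	var age time.Duration
	if cached { age = c.now().Sub(e.fetched) }
	if cached && age < c.policy.TTL {
		return dup(e.key), nil
	}
	key, err := c.fetch(id)
	switch {
	case err == nil:
		c.store(id, key)
		return dup(key), nil
	case errors.Is(err, ErrUnreachable) && cached && age < c.policy.MaxOffline:
		return dup(e.key), nil // degraded mode, still inside policy
	case errors.Is(err, ErrUnreachable) && cached:
		c.Forget(id) // past MaxOffline: the key must not be used any longer
		return nil, fmt.Errorf("key %d: offline grace period exceeded: %w", id, err)
	default:
		return nil, fmt.Errorf("key %d: %w", id, err)
	}
}

func (c *KeyCache) store(id uint32, key []byte) {
	c.Forget(id) // drop (and zero) any older copy
	c.keys[id] = entry{key: dup(key), fetched: c.now()}
	c.order = append(c.order, id)
	for len(c.order) > c.policy.MaxKeys { // evict oldest
		c.Forget(c.order[0])
	}
}

// Forget zeroes and removes a cached key (the client side of "Destroy").
func (c *KeyCache) Forget(id uint32) {
	if e, ok := c.keys[id]; ok {
		for i := range e.key { e.key[i] = 0 }
		delete(c.keys, id)
	}
	for i, v := range c.order {
		if v == id { c.order = append(c.order[:i], c.order[i+1:]...); break }
	}
}

// Scenario drives the cache with a fake clock and a constructed SKS stand-in that can be taken
// offline. Returns SKS round-trips, whether a stale key was served during the outage, and the
// errors once policy is exhausted.
func Scenario() (fetches int, offlineServed bool, expiredErr, uncachedErr error) {
	clock := time.Date(2007, 10, 1, 9, 0, 0, 0, time.UTC)
	online := true
	fake := func(id uint32) ([]byte, error) {
		if !online { return nil, ErrUnreachable }
		fetches++
		return []byte(fmt.Sprintf("constructed-key-%d", id)), nil
	}
	c := NewKeyCache(CachePolicy{MaxKeys: 2, TTL: time.Hour, MaxOffline: 24 * time.Hour}, fake, func() time.Time { return clock })
	c.Get(1); c.Get(1)               // miss, then fresh hit: 1 round-trip
	clock = clock.Add(2 * time.Hour)
	c.Get(1)                         // stale, SKS up: refreshed (2)
	c.Get(2); c.Get(3)               // 3, 4; MaxKeys=2 evicts key 1
	c.Get(1)                         // evicted, so fetched again (5)
	online = false
	clock = clock.Add(2 * time.Hour)
	k, err := c.Get(1)               // stale, SKS down, inside MaxOffline: served
	offlineServed = err == nil && len(k) > 0
	clock = clock.Add(48 * time.Hour)
	_, expiredErr = c.Get(1)         // past MaxOffline: refused and purged
	_, uncachedErr = c.Get(9)        // never cached, SKS down: refused
	return
}

func main() { n, s, e1, e2 := Scenario(); fmt.Println(n, s, e1, e2) }
```

The design point is the asymmetry: a network outage degrades to cached keys, but only keys already authorised and fetched, and only for as long as the central policy allows. A cache that kept keys indefinitely would quietly turn the SKS's ACLs and key-lifetime policy into advice.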

SKMS - SKSML Symmetric Key Services Markup Language
– Request new symmetric key(s) from the SKS server, when encrypting new information or rotating symmetric keys
– Request existing symmetric key(s) from the SKS server for decrypting previously encrypted ciphertext
– Request key-cache-policy information for the client

SKMS Big Picture (diagram) Server side: SKS with a Crypto Module (HSM), DB Server with a Crypto Module, Application Server. Client side: C/C++, RPG and Java applications, a Key Cache and the SKCL; native applications reach the SKCL through JNI.
1. Client Application makes a request for a symmetric key
2. SKCL makes a digitally signed request to the SKS
3. SKS verifies the SKCL request, generates, encrypts, digitally signs & escrows the key in the DB
4. Crypto HSM provides security for the RSA signing & encryption keys of the SKS
5. SKS responds to the SKCL with the signed and encrypted symmetric key
6. SKCL verifies the response, decrypts the key and hands it to the Client Application
7. Native (non-Java) applications make requests through the Java Native Interface

SKMS Security
● Symmetric keys are encrypted with the SKS server's RSA public key for secure storage
● Client requests are digitally signed (RSA)
● Server responses are digitally signed (RSA) and encrypted (RSA)
● All database records are digitally signed (RSA) when stored and verified when accessed – including history logs – for integrity
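The seven steps of the Big Picture slide and the signing and encryption rules above, as an added example in Go standard-library crypto. This is not StrongKey's SKS or SKCL code: the choice of RSA-PSS for signatures and RSA-OAEP for wrapping the key, the request, escrow-row and response layouts, the per-key `Owner` ACL, and the client names are assumptions; a map of enrolled public keys stands in for certificates issued by the PKI, and SKSML (XML) and the HSM are not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Primitive choices (assumed): RSA-PSS for signatures, RSA-OAEP for wrapping the symmetric key.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
func sign(k *rsa.PrivateKey, m string) []byte { return must(rsa.SignPSS(rand.Reader, k, crypto.SHA256, digest(m), nil)) }
func verify(k *rsa.PublicKey, m string, sig []byte) error { return rsa.VerifyPSS(k, crypto.SHA256, digest(m), sig, nil) }
func wrap(k *rsa.PublicKey, b []byte) []byte { return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, k, b, nil)) }
func unwrap(k *rsa.PrivateKey, b []byte) ([]byte, error) { return rsa.DecryptOAEP(sha256.New(), rand.Reader, k, b, nil) }

// Escrow row (key wrapped under the SKS's own public key, row signed by the SKS), the
// client's signed request (KeyID 0 = issue a new key), and the signed, wrapped response.
type KeyRecord struct { ID uint32; Owner string; Wrapped, Sig []byte }
type Request struct { Client string; KeyID uint32; Sig []byte }
type Response struct { KeyID uint32; EncKey, Sig []byte }
func (r KeyRecord) body() string { return fmt.Sprintf("rec|%d|%s|%x", r.ID, r.Owner, r.Wrapped) }
func (q Request) body() string { return fmt.Sprintf("req|%s|%d", q.Client, q.KeyID) }
func (p Response) body() string { return fmt.Sprintf("resp|%d|%x", p.KeyID, p.EncKey) }
// SKS: clients stands in for the certificates a PKI would issue; db for the escrow database.
type SKS struct { priv *rsa.PrivateKey; clients map[string]*rsa.PublicKey; db map[uint32]KeyRecord; nextID uint32 }
type Client struct { Name string; priv *rsa.PrivateKey; sksPub *rsa.PublicKey }

func NewSKS() *SKS {
	return &SKS{priv: must(rsa.GenerateKey(rand.Reader, 2048)), clients: map[string]*rsa.PublicKey{}, db: map[uint32]KeyRecord{}}
}

func NewClient(name string, s *SKS) *Client { // enrolment: the SKS learns the client's public key
	k := must(rsa.GenerateKey(rand.Reader, 2048))
	s.clients[name] = &k.PublicKey
	return &Client{name, k, &s.priv.PublicKey}
}

func (c *Client) Request(keyID uint32) Request { // step 2: the SKCL signs its request
	q := Request{Client: c.Name, KeyID: keyID}
	q.Sig = sign(c.priv, q.body())
	return q
}

func (s *SKS) Handle(q Request) (Response, error) { // steps 3 and 5
	pub, ok := s.clients[q.Client]
	if !ok { return Response{}, errors.New("unknown client") }
	if err := verify(pub, q.body(), q.Sig); err != nil { return Response{}, fmt.Errorf("request signature: %w", err) }
	var key []byte
	var rec KeyRecord
	if q.KeyID == 0 { // generate (AES-256 size, per central policy), wrap, sign the row, escrow
		key = make([]byte, 32)
		must(rand.Read(key))
		s.nextID++
		rec = KeyRecord{ID: s.nextID, Owner: q.Client, Wrapped: wrap(&s.priv.PublicKey, key)}
		rec.Sig = sign(s.priv, rec.body())
		s.db[rec.ID] = rec
	} else { // retrieve: verify the stored row before trusting it, enforce the ACL, unwrap
		if rec, ok = s.db[q.KeyID]; !ok { return Response{}, errors.New("no such key") }
		if err := verify(&s.priv.PublicKey, rec.body(), rec.Sig); err != nil { return Response{}, fmt.Errorf("escrow row tampered: %w", err) }
		if rec.Owner != q.Client { return Response{}, fmt.Errorf("ACL: %s may not read key %d", q.Client, q.KeyID) }
		var err error
		if key, err = unwrap(s.priv, rec.Wrapped); err != nil { return Response{}, err }
	}
	p := Response{KeyID: rec.ID, EncKey: wrap(pub, key)}
	p.Sig = sign(s.priv, p.body())
	return p, nil
}

func (c *Client) Open(p Response) (uint32, []byte, error) { // step 6: verify first, then unwrap
	if err := verify(c.sksPub, p.body(), p.Sig); err != nil { return 0, nil, fmt.Errorf("response signature: %w", err) }
	key, err := unwrap(c.priv, p.EncKey)
	return p.KeyID, key, err
}

// Demo: issue a key, fetch it again by ID (as a client would before decrypting old ciphertext),
// let another application ask for it, then alter the escrow row at the DB and ask again.
func Demo() (keysMatch bool, aclErr, tamperErr error) {
	sks := NewSKS()
	app, other := NewClient("payments-app", sks), NewClient("reporting-app", sks)
	fetch := func(c *Client, id uint32) (uint32, []byte, error) { // one signed SKSML round-trip
		resp, err := sks.Handle(c.Request(id))
		if err != nil { return 0, nil, err }
		return c.Open(resp)
	}
	id, key, err := fetch(app, 0)
	if err != nil { panic(err) }
	_, again, err := fetch(app, id)
	if err != nil { panic(err) }
	_, _, aclErr = fetch(other, id)
	row := sks.db[id]; row.Owner = other.Name; sks.db[id] = row // DBA-level attempt to grant access
	_, _, tamperErr = fetch(other, id)
	return string(key) == string(again), aclErr, tamperErr
}

func main() { m, a, t := Demo(); fmt.Println("re-fetched key matches:", m, "|", a, "|", t) }
```

Two things worth noticing. The client verifies the server's signature before it unwraps anything, and the server verifies the stored row's signature before it acts on the row's ACL, so someone with write access to the escrow database but not to the SKS's private key (which the slide puts in an HSM) cannot grant themselves a key by editing the Owner column. The wrapped key never leaves the SKS except under the requesting client's own public key, which is why the PKI and the SKMS are inseparable here.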

Common KM Problems
● Using a proprietary encryption algorithm
● "Hiding" the encryption key on the machine
● Embedding the encryption key in software
● Encrypting a symmetric key with another key (and stopping there)
● Using a single key across the enterprise
● Backing up the key with the data on the same tape
● Using weak passwords for Password-Based Encryption (PBE)
● No key-rotation or key-compromise plan

OASIS IDtrust Member Section Identity and Trusted Infrastructure components; identity & trust policies; enforcement, education and outreach; identifying barriers and emerging issues. Current Technical Committees:
– Enterprise Key Management Infrastructure TC
– Public Key Infrastructure Adoption TC
– Digital Signature Services TC

OASIS EKMI TC Four (4) objectives & Sub-Committees: – Standardize on Symmetric Key Services Markup Language (SKSML) – Create Implementation & Operations Guidelines – Create Audit Guidelines – Create Interoperability Test-Suite

Burton Group on EKMI "The life cycle of encryption keys is incredibly important. As enterprises deploy ever-increasing numbers of encryption solutions, they often find themselves managing silos with inconsistent policies, availability, and strength of protection. Enterprises need to maintain keys in a consistent way across various applications and business units," said Trent Henry, senior analyst, Burton Group. "EKMI will be an important step in addressing this problem in an open, cross-vendor manner."

Current EKMI TC Members FundServ (Canada); MISMO (USA); NuParadigm Government Systems, Inc. (USA); PA Consulting (UK); PrimeKey (Sweden); Red Hat (USA); StrongAuth (USA); US Department of Defense (USA); Visa International (USA); Wave Systems (USA); Wells Fargo (USA); many security- and audit-focused individuals

Current EKMI TC Observers 3 global security companies (Canada, US); a global software company (US); a global database company (US); 2 large consulting companies (US); a government agency (New Zealand)

ISACA & OASIS Many ISACA members from San Francisco are EKMI TC (AGSC) members. Planning underway for a full-day workshop in October-November 2007 in SFO:
– Setting up an SKMS
– Operating an SKMS
– Auditing an SKMS
– Attacking an SKMS
Potential for many ISACA workshops

Conclusion "Securing the Core" should have been Plan A from the beginning, but it's not too late to remediate. The OASIS EKMI TC is driving new standards in key management that cut across platforms, applications and industries. Building, securing and auditing an EKMI requires new levels of knowledge and understanding. Get involved!

EKMI Resources Policy template, Use Cases, SKSML Schema, Presentations, White Papers, Implementation Guidelines, etc.
– Open-source SKMS: www.strongkey.org
– Article on SKMS in the February 2007 issue: www.issa.org