Enterprise Key Management Infrastructure: Understanding them before auditing them Arshad Noor CTO, StrongAuth, Inc. Chair, OASIS EKMI-TC.

Slides:



Advertisements
Similar presentations
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Advertisements

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Mutual OATH HOTP Variants 65th IETF - Dallas, TX March 2006.
SPD1 Improving Security and Access to Network with Smart Badge Eril Pasaribu CISA,CISSP Security Consultant.
The Hardware Security Module. Agenda MAHOhard members To give background Project details Design and implementation.
1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.
Authentication & Kerberos
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
The OASIS IDtrust (I M The OASIS IDtrust (Identity and Trusted Infrastructure ) Member Section For more information please see:
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.
Enterprise Key Management Infrastructures: Understanding them before auditing them Arshad Noor CTO, StrongAuth, Inc. Chair, OASIS EKMI-TC.
An In-Depth Examination of PKI Strengths, Weaknesses and Recommendations.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Enterprise Key Management Infrastructure (EKMI) Arshad Noor CTO, StrongAuth, Inc. Chair, EKMI TC – OASIS
Core Web Service Security Patterns
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Security and Policy Enforcement Mark Gibson Dave Northey
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Web services security I
TrustPort Public Key Infrastructure. Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.
Copyright © 2015 Pearson Education, Inc. Confidentiality and Privacy Controls Chapter
Public Key Infrastructure from the Most Trusted Name in e-Security.
Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Best Practices in Deploying a PKI Solution BIEN Nguyen Thanh Product Consultant – M.Tech Vietnam
Secure Online USB Login System. Everything is going online Social Interactions Banking Transactions Meetings Businesses... including all sorts of crimes.
Data Center Infrastructure
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.
Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)
Enterprise Key Management Infrastructure: Understanding them before auditing them Arshad Noor, CTO, StrongAuth, Inc. Chair,
Cryptography Chapter 14. Learning Objectives Understand the basics of algorithms and how they are used in modern cryptography Identify the differences.
© Oxford University Press 2011 DISTRIBUTED COMPUTING Sunita Mahajan Sunita Mahajan, Principal, Institute of Computer Science, MET League of Colleges, Mumbai.
Chapter 18: Doing Business on the Internet Business Data Communications, 4e.
What is EKMI? Enterprise Key Management Infrastructure Take the tour.
Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Securing Data in Transit and Storage Sanjay Beri Co-Founder & Senior Director of Product Management Ingrian Networks.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
IEEE P Architecture Subcommittee Model Update and Discussion November 1, 2007.
Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.
KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys Saikat Saha & Denis Pochuev Feb 2012.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
Security Policy and Key Management Centrally Manage Encryption Keys - Oracle TDE, SQL Server TDE and Vormetric. Tina Stewart, Vice President.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
1© Copyright 2012 EMC Corporation. All rights reserved. Next Generation Authentication Bring Your Own security impact Tim Dumas – Technology Consultant.
OASIS IDtrust Member Section June Leung Chair, OASIS IDtrust Member Section Steering Committee
Enterprise Key Management Infrastructure (EKMI) Securing data for e-Business and e-Government Arshad Noor, Co-Chair, EKMI-TC
Enterprise Key Management Infrastructure (EKMI) Arshad Noor, Chair, EKMI TC OASIS IDtrust Workshop Barcelona, Spain October.
CS691 M2009 Semester Project PHILIP HUYNH
KMIP Key Management with Vormetric Data Security Manager
Enterprise Key Management with OASIS KMIP
CompTIA Security+ Study Guide (SY0-501)
Enabling Encryption for Data at Rest
Enabling Encryption for Data at Rest
CS691 M2009 Semester Project PHILIP HUYNH
Organization for the Advancement of Structured Information Standards
Public Key Infrastructure from the Most Trusted Name in e-Security
RSA Digital Certificate Solutions RSA Solutions for PKI David Mateju RSA Sales Consultant
Presentation transcript:

Enterprise Key Management Infrastructure: Understanding them before auditing them Arshad Noor CTO, StrongAuth, Inc. Chair, OASIS EKMI-TC

Agenda What is an EKMI? Components of an EKMI Auditing an EKMI ISACA members at OASIS EKMI Summary

Business Challenges Regulatory compliance – PCI-DSS, FISMA, HIPAA, SB-1386, etc. Avoiding fines – ChoicePoint: $15M, Nationwide: $2M Avoiding lawsuits – TJX (multiple), Bank of America Avoiding negative publicity to the brand – TJ Maxx, Ralph Lauren, Citibank, Wells Fargo, IBM, Ernst & Young, Fidelity, etc.

The Encryption Problem ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy....and so on

Key-management silos

What is an EKMI? ● An Enterprise Key Management Infrastructure is: “A collection of technology, policies and procedures for managing all cryptographic keys in the enterprise.”

EKMI Characteristics ● A single place to define EKM policy ● A single place to manage all keys ● Standard protocols for EKM services ● Platform and Application-independent ● Scalable to service millions of clients ● Available even when network fails ● Extremely secure

EKM Harmony

The Encryption Solution WAN SKS Server Generate Protect Escrow Authorize Recover Destroy Encrypt Decrypt SKS Server Encrypt Decrypt Encrypt Decrypt Encrypt Decrypt Encrypt Decrypt Encrypt Decrypt

EKMI Components ● Public Key Infrastructure ● For digital certificate management; for strong-authentication, secure storage & transport of symmetric encryption keys ● Symmetric Key Management System ● SKS Server for symmetric key management ● SKCL for client interaction with SKS Server ● SKSML for SKCL-SKS communication ● EKMI = PKI + SKMS

PKI Well known, but not well understood Reputation for being costly and complex BUT – Used in every e-commerce solution – Used by DOD of most democratic nations – Citizen cards, e-Passports – Corporate Access Cards – US Personal Identity Verification (PIV) – IETF PKIX standards

SKMS: SKS Server Symmetric Key Services Server – Contains all symmetric encryption keys – Generates, escrows and retrieves keys – ACLs authorizing access to encryption keys – Central policy for symmetric keys: Key-size, key-type, key-lifetime, etc. – Accepts SKSML protocol requests – Functions like a DNS-server

SKMS: SKCL Symmetric Key Client Library – Communicates with SKS Server – Requests (new or old) symmetric keys – Caches keys locally (KeyCachePolicy) – Encrypts & Decrypts data (KeyUsePolicy) Currently supports 3DES, AES-128, AES-192 & AES-256 – Makes SKSML requests – Functions like DNS-client library

SKMS: SKSML Symmetric Key Services Markup Language – Request new symmetric key(s) from SKS server, when Encrypting new information, or Rotating symmetric keys – Request existing symmetric key(s) from SKS server for decrypting previously encrypted ciphertext – Request key-cache-policy information for client

The Big Picture DB Server Crypto Module Application Server Crypto Module SKCL C/C++ Application RPG Application Java Application Key Cache JNIRPGNI Server Client Network Client Application makes a request for a symmetric key 2. SKCL makes a digitally signed request to the SKS 3. SKS verifies SKCL request, generates, encrypts, digitally signs & escrows key in DB 4. Crypto HSM provides security for RSA Signing & Encryption keys of SKS 5. SKS responds to SKCL with signed and encrypted symmetric key 6. SKCL verifies response, decrypts key and hands it to the Client Application 7. Native (non-Java) applications make requests through Java Native Interface 77

Security in an SKMS Symmetric keys are encrypted with SKS server's RSA public-key for secure storage Client requests are digitally signed (RSA) Server responses are digitally signed (RSA) and encrypted (RSA) All database records are digitally signed (RSA) when stored, and verified when accessed – including history logs – for message integrity

Common KM problems Using proprietary encryption algorithm “Hiding” encryption key on the machine Embedding encryption key in software Encrypting symmetric key with another Using a single key across the enterprise Backing up key with data on the same tape Using weak passwords for Password-Based- Encryption (PBE) No key-rotation or key-compromise plan

Auditing an EKMI Key-management policy Prerequisite controls: – Physical access control to EKMI machines – Logical & network access control to EKMI – Standard security controls Firewall Minimal attack-surface (minimal services) Security patches Security logging

Auditing an SKMS Client Is a hardware token being used? How many people are required to log into the token to activate it? How many people have access to token? How often is the token PIN changed? How much data is encrypted with 1 key? SHA-1 hash of client library? Is the token backed up and how is it protected?

Auditing an SKMS Server Is a hardware token being used? How many people are required to log into the token to activate it? How many people have access to token? How often is token PIN changed? SHA-1 hashes of server jar files? Is the token backed up and how is it protected?

OASIS IDTrust Member Section ● Identity & Trusted infrastructure components ● Identity & Trust Policies, Enforcement, Education & Outreach ● Identify barriers and emerging issues ● Current Technical Committees: – Enterprise Key Management Infrastructure TC – Public Key Infrastructure Adoption TC

OASIS EKMI-TC ● Four (4) objectives & Sub-Committees: – Standardize on Symmetric Key Services Markup Language (SKSML) – Create Implementation & Operations Guidelines – Create Audit Guidelines – Create Interoperability Test-Suite

Current EKMI-TC Members ● FundServ (Canada) ● PA Consulting (UK) ● PrimeKey (Sweden) ● Red Hat (USA) ● StrongAuth (USA) ● US Department of Defense (USA) ● Visa International (USA) ● Wave Systems (USA) ● Many security/audit focused individuals

ISACA – OASIS Many ISACA members from San Francisco are EKMI-TC (AGSC) members Full-day workshop scheduled for October- November 2007 – Setting up an SKMS – Operating an SKMS – Auditing an SKMS – Attacking an SKMS

Conclusion ● “Securing the Core” should have been Plan A from the beginning... but its not too late to remediate. ● OASIS EKMI-TC is driving new key- management standards that cuts across platforms, applications and industries. ● Auditing EKMIs requires new levels of knowledge and understanding. ● Get involved!

Thank you!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.