Certification Path Processing in the Tumbleweed Validation Authority Product Line Federal Bridge CA Meeting 10/14/2004 Stefan Kotes, Engineering Manager.

Slides:



Advertisements
Similar presentations
Chapter 14 – Authentication Applications
Advertisements

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
Deploying and Managing Active Directory Certificate Services
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
SAFE BioPharma Association CONFIDENTIAL1 SAFE Public Key Infrastructure (PKI) 2005 EDUCAUSE/Dartmouth PKI Deployment Summit.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Lecture 23 Internet Authentication Applications
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer Sept 2000 Margie Cashwell Senior Sales Engineer
Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
EDUCAUSE Fed/Higher ED PKI Coordination Meeting
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Understanding Active Directory
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Chapter 11: Active Directory Certificate Services
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 15: Internet Explorer and Remote Connectivity Tools.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Configuring Active Directory Certificate Services Lesson 13.
14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.
1 Lecture 11 Public Key Infrastructure (PKI) CIS CIS 5357 Network Security.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
The Windows NT ® 5.0 Public Key Infrastructure Charlie Chase Program Manager Windows NT Security Microsoft Corporation.
NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.
Registration Processing for the Wireless Internet Ian Gordon Director, Market Development Entrust Technologies.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Configuring Directory Certificate Services Lesson 13.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
OFC290 Information Rights Management in Microsoft Office 2003 Lauren Antonoff Group Program Manager.
Certificate revocation list
1 June Richard Guida Stephanie Evans Johnson & Johnson Director, WWIS WWIS SAFE Infrastructure Overview.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
Bridge Certification Architecture A Brief Demo by Tim Sigmon and Yuji Shinozaki June, 2000.
Digital Signatures A Brief Overview by Tim Sigmon April, 2001.
HEPKI-PAG Policy Activities Group David L. Wasley University of California.
Module 9: Fundamentals of Securing Network Communication.
Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.
1 Vigil : Enforcing Security in Ubiquitous Environments Authors : Lalana Kagal, Jeffrey Undercoffer, Anupam Joshi, Tim Finin Presented by : Amit Choudhri.
Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.
Module 9: Designing Public Key Infrastructure in Windows Server 2008.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.
Security in ebXML Messaging CPP/CPA Elements. Elements of Security P rivacy –Protect against information being disclosed or revealed to any entity not.
Module 7 Planning and Deploying Messaging Compliance.
© 2003 The MITRE Corporation. All rights reserved For Internal MITRE Use Addressing ISO-RTO e-MARC Concerns: Clarifications and Ramifications Response.
Building trust on the internet Extending Attribute Protocols for Status Management and “Other Things” Patrick Richard, Xcert International.
PKI Future Directions 29 November 2001 Russ Housley RSA Laboratories CS – Class of 1981.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Creating and Managing Digital Certificates Chapter Eleven.
Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000.
Maintaining Network Health Lesson 10. Active Directory Certificates Services 2 A component of Microsoft Identity Lifecycle Management (ILM) ILM allow.
Cryptography and Network Security
Security in ebXML Messaging
RSA Digital Certificate Solutions RSA Solutions for PKI David Mateju RSA Sales Consultant
Presentation transcript:

Certification Path Processing in the Tumbleweed Validation Authority Product Line Federal Bridge CA Meeting 10/14/2004 Stefan Kotes, Engineering Manager

Agenda Tumbleweed company overview Certification path processing Basics PKI Structures Path Processing – Tumbleweed Client PKI Applications Desktop Validator, Server Validator Path Processing – Tumbleweed Validation Authority Overview, VA Distributed Model Delegated Path Validation, Delegated Path Discovery Case Study – Bridge VA Bridge VA Properties, Central & Distributed Model, Bridge VA Benefits Tumbleweed Solutions Recap Questions ?

Company Overview Founded in 1993 Headquartered in Redwood City, CA Currently over 250 employees worldwide IPO in 1999 (NASDAQ:TMWD) Tumbleweed and Valicert merged in June 2003 Global Presence 700+ Commercial and Federal Customers Technology innovators Identity Management Solution (Valicert Validation Authority) Secure, Automated, Guaranteed Data Transfers (SecureTransport) Secure Messaging & Content Filtering (MMS & SecureRedirect)

Tumbleweed Enterprise Solutions Tumbleweed Offers PKI Validation Authority Secure Transport Secure Transport Secure/Automated Data Exchange E-Mail Firewall Tumbleweed eliminates complexity, risk, & cost associated with multiple point solutions. Org Policy Based Protection A user via PC goes to the Internet (cloud). Behind the internet is a firewall (brick wall) that protects an organizations’ internal network (PCs and Server). Spam Protection In-Depth Reporting

Certification Path Processing Basics: Digital Certificates – securely binding the identity of a person/device to a public key. Core responsibility of an application - verify the authenticity and validity of certificate. Certification Path Processing Functions Step 1: Creating chain of trust (establishing a certification path) Step 2: Validating the created certification path

Hierarchical Structure Hierarchical PKI: Relying parties trust single “root” CA Root CA certifies public keys of intermediate CAs Certificates are issued only in one direction ( a CA never certifies superior CA ) Certification path building – simple typically forward build direction is used Compromise of trust root may compromise entire system Root CA and underneath it is intermediate CA’s that contain CA certificates and user certificate.

Bi-lateral Cross-Certified Structure Cross-Certification: Root CA is issuing a certificate for the other PKI’s root CA Relying parties of each PKIs can verify and accept certificates issued by other PKI Multiple cross-certified PKIs create mesh PKI Number of relationships grows exponentially with number of PKIs Mesh PKI - creation of unintended certification paths Lack of commercial adoption Cross certification between two root CA’s that contain CA certificates and user certificate.

Cross-Certification with a Bridge CA Role of Bridge CA: Bridge multiple existing PKIs Reduce number of trust relationships between CAs Equate different PKI policies How it works: Bridge CA cross-certifies with “principal” CA in each participating PKI. Each participating CA needs to cross-certify with only one other CA Number of certified relationships grows linearly Bridge CA Deployment Issues: Complex certification path building traversing multiple PKI directories following AIA extension supporting multiple validation mechanisms (CRLs, CRLdp, OCSP) building paths in forward and reverse directions Cross certification of Root CA with multiple CA’s that contain CA certificates and user certificate. Source: NIST Recommendation for X.509 Path Validation Version 0.5 May 3, 2004 and Internet X.509 Public Key Infrastructure Certification Path Building (DRAFT RFC)

Desktop Validator Architecture Desktop Validator (Standard) is used to enable certificate status checking for Windows client applications, such as Microsoft IE, Outlook, Outlook Express, Office (for signed word and Excel documents), and other client applications that use CAPI. Microsoft Outlook, Microsoft IE 4.X + Browser, Microsoft Outlook Express, Adobe Acrobat Reader 7.x, and PureEdge Viewer make calls to Crypto API (CAPI). CAPI makes call to CAPI Trust provider (Tumbleweed Desktop Validator 4.x Standard Edition). Tumbleweed DV makes calls to Tumbleweed Valicert Validation Authority 4.x and LDAP directory.

Desktop Validator Architecture Desktop Validator (Enterprise) is used to enable certificate status checking for Windows server applications, such as IIS, Exchange 2003 (for OWA), Domain Controllers (for smart card login), IAS (for wireless authentication), and other evolving secure servers using CAPI (e.g. Voice-over-IP) Microsoft IIS, Microsoft Exchange Server 2003, Microsoft Domain Controller, VoIP Servers, Microsoft IAS, and Microsoft Windows VPN make calls to Crypto API (CAPI). CAPI makes call to CAPI Trust provider (Tumbleweed Desktop Validator 4.x Enterprise Edition). Tumbleweed DV makes calls to Tumbleweed Valicert Validation Authority 4.x and LDAP directory.

Server Validator Architecture Server Validator (SV) is used to enable certificate status checking for secure web servers. Server Validator is invoked during the SSL/TLS handshake when a client authenticates to a web server using an X509v3 certificate. SV is responsible for ensuring that the certificates in the certificate chain are valid (not revoked) Tumbleweed Server Validator (SV) 4.x works with the following: Oracle App. Server, Redhat Stronghold, Mac OS X, Apache, Netscape/Sun, Microsoft ISA, IBM Lotus Domino, BEA Weblogic, modSSL, NSAPI, ISAPI, DSAPI, Identity Asserter. Tumbleweed Valicert Validation Authority 4.x works with PKC#11 2.01 and CAPI. Server Validator works with a wide range of secure servers, and runs on Windows 2000/2003 and UNIX/Linux

DV/SV Path Processing Path Building in MS CAPI and Web Servers MS CAPI and Web Servers currently do not allow path building to be delegated to trust providers or web server APIs Default path discovery must succeed before validation plugins are executed Path Validation in MS CAPI and Web Servers Not complete Default process differs among different Windows system (NT, 2000, XP, 2003) No certificate policy processing in Windows 2000 DV/SV Path Validation Follows RFC 3280 Provides the same functionality across al supported platforms Can refine and enforce stricter validation rules Based on C/C++ and Java Valicert Validator Toolkit

DV/SV Path Validation Steps Completeness of mandatory Certificate Information Certificate Time Validity Name Chaining (Subject Name, Issuer Name) Key Identifier Chaining (Authority Key Identifier, Subject Key Identifier (SKID)) Certificate Integrity Check (valid signature) Critical Extensions Check Basic Constraints Validation Is certificate a CA or end-entity Certificate Chain Length (path length = 0 allows only end entity certificates) Name Constraints Validation Certificate Policy Validation (policy oid assertions)

Path Processing Standards Desktop Validator and Server Validator have been tested by DoD Joint Interoperability Test Command (JITC) using the NIST test suite. http://jitc.fhu.disa.mil/pki/ - For DOD JITC site http://www.tumbleweed.com/products/validationauthority/compliance.html -- includes DoD JITC issued certificates of compliance Testing of DV/SV in 2003 utilized the ‘Conformance Testing of Relying Party Client Certificate Path Processing Logic 1.07 documents, which is the basis for the JITC application testing suite. Public Key Interoperability Test Suite (PKITS) Certification Path Validation Version 1.0 9/2/04 will be the basis of our future testing efforts for DV/SV. See http://csrc.nist.gov/pki/testing/PKITS.pdf for latest PKITS

VA Server Architecture VA aggregates revocation data (CRLs) from multiple certification authorities (CA). VA-to-VA mirroring allows for efficient revocation data transfer between VA’s (especially useful for low bandwidth environments) VA can integrate with a variety of hardware signing module (HSM) vendors for secure signing of the OCSP response VA supports direct, VA delegated, and CA delegated trust models CA Vendor (AOL CMS, Baltimore Unicert, VeriSign Onsite, Netscape CMS, Microsoft CA, Entrust PKI, Sun CMS, Computer Associates, Cylink, RSA Security Keon, Open CA) publishes CRL on LDAP Server (Netscape Directory Server, Microsoft Active Directory, Critical Path Directory), pushes CRL over HTTPS via Tumbleweed Validation Authority 4.x and fetches CRL from Tumbleweed Publisher 4.x For VA white papers, see http://www.tumbleweed.com/products/validationauthority.html

VA Repeater Architecture “Distributed” HTTP Client interfaces with the Validation Authority Repeater, the VA Repeater interfaces with the Internet, the Internet interfaces with a Validation Authority Repeater, the VA Repeater interfaces with the Validation Authority Responder (OCSP Server) via firewall or air gap. VA Responder interfaces with an LDAP Server (for CRL), a CA (for CRL), and a Hardware Signing Module (for signing). HTTP proxy caching is described in RFC 2616 (and the earlier RFC 1945) Online Certificate Status Protocol (OCSP) (RFC 2560) is used to check status of a certificate issued by a CA without requiring a client to obtain the CRL issued by that CA. OCSP uses HTTP as its transport protocol. By excluding the nonce from OCSP requests, OCSP queries over HTTP are cacheable. A Responder can pre-produce signed OCSP responses (section 2.5 of RFC 2560) A Repeater can accept pre-produced OCSP responses published by a Responder. A Repeater can forward OCSP queries to a Responder on-demand or a repeater can mirror pre-computed OCSP caches periodically from the responder.

Path Processing in Validation Authority VA Path Processing Path Processing in Validation Authority All previous examples show "fat" PKI client application What about "thin" clients like phones, PDAs working in constrained execution environments ? Solution is the Simple Certificate Validation Protocol (SCVP) which offers server assisted path discovery and validation. Clients have two options: Delegated Path Validation (DPV) DOD’s DMS using SCVP CAM (http://cam.mitretek.org/cam/) use of SCVP Delegated Path Discovery (DPD)

Delegated Path Processing Delegated Path Discovery (DPD): Getting certificate chain and revocation information (CRLs, OCSP responses) in single request Client performs path validation Authenticated DPD response is optional Certificate Sources for Delegated Path Discovery: Local certificate stores (files, CAPI stores) LDAPv3 Directory Authority Information Access extension Validation Authority Server

Delegated Path Processing Delegated Path Validation: Verifies is requested certificate is valid according to specified validation policy DPV response must be authenticated Revocation Info Sources for Delegated Path Validation: CRLs from Certification Authorities OCSP responses from Tumbleweed Validation Authority, or other OCSP responder Real-Time or Pre-Computed

Bridge VA Bridge Bridge CA VA Phone Wireless Gateway 3. Chain Building, Policy Processing, Status Checking Bridge CA Bridge VA 0. Load Local Policies 2. Certificate Validation Request (using SCVP) 4. Certificate Validity (after applying the Bridge CA’s policies) Bridge CA interfaces with the Bridge VA. Bridge VA interfaces with the Wireless Gateway (Relying Party). Phone (Cert Holder) interfaces with the Wireless Gateway. Wireless Gateway (Relying Party) Phone (Cert Holder) 1. Send Data with Certificate 5. Accept/Reject Transaction

Properties of Good Bridge VA Bridge VA Requirements Ability to deal with multiple CAs and Directories Flexible search mechanisms (when looking for certificates) Support for multiple certificate validation mechanisms: OCSP (Real-Time, Pre-Computed, Identrus model, …) CRL, CRLdp Ability to enforce Bridge CA Policies Flexibility in its ability to handle local policies High performance with high security

Deployment Model: Central Bridge VA A single Bridge VA running next to Bridge CA Implements Bridge CA policies Common service for all relying party applications Bridge CA CA1 Domain Bridge CA CA1 Root 2. Validation Request (Root = CA1) Bridge VA Relying Party 3. Validation Response 1. Transaction + Certificates CA2 Domain CA2 Root CA1 Domain contains the CA1 Root, and the Relying Party (trust path between the Bridge CA and the Bridge VA). Bridge CA contains the Bridge CA and the Bridge VA (trust path between the Relying Party and the CA2 Root). CA2 Domain contains the CA2 Root and the Client Application (trust path between the Relying Party). Client Application 0. Issues Certificate Trust Path

Deployment Model: Distributed Bridge VA An organization can decide to run its own Bridge VA to overwrite the rules and policies of the Bridge CA Local Bridge VA can trust other CAs, not trust some central ones Domains that follow Bridge CA policies completely do not need their own Bridge VA Bridge CA CA1 Domain CA1 Root Bridge CA CA1 Bridge VA Bridge VA 2a. Consultation 3. Validation Response 2. Validation Request (Root Unspecified) CA2 Domain CA2 Root Client Application 1. Transaction + Certificates 0. Issues Cert. CA1 Domain contains the CA1 Bridge VA, the CA1 Root, and the Client Application (trust path with the Bridge CA & the Bridge VA). Bridge CA contains the Bridge CA and the Bridge VA. CA2 Domain contains the CA2 Root and the Client Application (trust path with the CA1 Domain). Client Application Trust Path

Easier interoperability across CAs Benefits of a Bridge VA Simplifies client application path processing Gives more control over path discovery and path validation through centralized policy enforcement Easier interoperability across CAs Performance benefits for client applications Future-proofing of applications

Tumbleweed Validation Solution Recap Our Validation Authority solution offers a variety of validation protocols (OCSP, SCVP, CRL, CRL DP, CMP, etc.) to choose from, allowing maximum flexibility in customer deployments Open standards based (IETF RFC 2560, 3280, NIST FIPS 140-1) Desktop Validator and Server Validator available for multiple platforms and applications Validator Toolkit available for Win32, Solaris, HP-UX, AIX, MacOS, Linux DOD JITC Tested & FIPS 140-1 Certified NIAP Common Criteria (EAL3) underway

Resources Contact information: Stefan Kotes Validation Authority, Client Applications - Engineering Manager 650-216-2082 stefan.kotes@tumbleweed.com Product Information and White Papers http://www.tumbleweed.com/products/validationauthority.html – Main Product web page http://www.tumbleweed.com/products/validationauthority/compliance.html - Security Compliance Information

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.