Mobile Credentials
Ennio J. Carboni, Product Manager, Keon PKI
781-301-5323, ecarboni@rsasecurity
RSA Keon
Robust, flexible Certification Authority
Enhanced PKI Services
– Interoperable across multiple certificate authorities, directory servers and applications
– Powerful desktop with common credential store, two-factor authentication and file encryption
– Security server providing policy management, trust management and credential mobility
Application Integration
– RSA BSAFE Cert tools natively PKI-enabling applications
– RSA Keon Agent toolkit for integrating existing non-PKI applications (SSO)
[Diagram: RSA Keon component stack. Server layers: RSA Keon Agent, RSA Keon Enhanced Services, RSA Keon Advanced PKI, RSA Keon Certificate Server. Attached components: web app, e-mail, application server (e.g. SAP), RSA BSAFE PKI-enabled app, RSA Keon Security Server, RSA SecurID Authenticator, RSA Keon Desktop.]
RSA Keon Security Server
Keon Credential Store management and delivery for mobile users
Focal point for CA interoperability within Keon
Automated certificate validation
Centralized management for private key access policy
Centralized logging depot for Keon components
Replication for scalability
Simplified administration
Extends the use of digital certificates across organizations and applications
RSA Keon Desktop
File encryption
Protection of credentials
PKI credential interoperability
Smart card support
Reduced logon
Ease of deployment
Providing the critical requirements for desktop e-security
Security
Certificates and cryptography bind digital identities to the data and transactions they manipulate
Authenticators bind people to their digital identities
Non-repudiation requires trust in certificates, and in the holder's sole control of the corresponding private key
How Secure is the Private Key?
Where is the key stored, and where does the crypto operation run?
– Hard drive (software credential store)
– Virtual smart card (software store that behaves like a card)
– Smart card
How does the user authenticate to the store?
Local PKI Credential Storage
[Diagram: the local credential store is unlocked with a password; a PKCS #12 export of it is protected by a second password.]
PKCS #12 Issues
PKCS #12 implementations are hard to use
Require manual intervention
No life-cycle support
Inconsistent update of credentials
Limited security for the private key
– Password-based only: protection is as strong as the password, and a copy of the file can be attacked offline
Allows replication of identity
– Any copy of the file plus its password is a complete copy of the user's keys
Smart Cards and Authentication
Smart cards are ideal for public/private key (PPK) authentication
– The private key lives in secure, tamper-resistant storage and never leaves the card
– Two-factor authentication is re-introduced: you need both the smart card and a PIN to unlock it
– The crypto happens on the smart card, with the help of an on-card crypto accelerator
– They fit into your wallet, and they scrape frost off car windows nicely!
The Benefits of Smart Cards
They are secure
They are portable
They can perform operations other than authentication
– signatures, encryption
They can support other applications
– e-cash, loyalty, ...
They can be used as employee badges
RSA SecurID 3100 Smart Card
Highest security
– On-card digital signatures
Supports latest application features
– Dual keys and certificates (separate signing and encryption key pairs)
Mobility
– Credential store on-card with keys, certificates, login information and RSA SecurID seed
Versatile
– Supports RSA Keon Desktop for PKI applications and classic RSA SecurID-protected systems
RSA SecurID 3100 Smart Card: supported hardware
Smart card readers
– PC/SC
– Setec SetCad 203N
– Philips PE112/PE122
Smart cards
– Philips DX
– Setec 8k
– Setec 16k
– GemPlus GPK8000
Smart Card-Reader Interface
There are actually two standardization issues to be dealt with
– The electrical interface between the reader hardware and the PC: fortunately standards exist here (RS-232 and USB)
– More problematic is the interface between the reader hardware and the smart card; two classes of interface were needed here:
  Electrical interface standards
  Command interface standards (the APDU command/response format)
ISO 7816 addresses these issues
Smart Card Reader Interface
The next level of problem is the API between the smart card reader and the host PC software
– Until recently, each reader manufacturer had a proprietary API which was used to talk to the reader driver
  This was an effort by the smart card reader manufacturers to lock applications into a particular reader
Several years ago a consortium headed by Microsoft defined the PC/SC interface
– It was intended to be used by systems other than Windows (Unix, PDAs, ...)
– In reality, it is primarily a Microsoft Windows standard
Smart Card Formatting
There are two major ways of dealing with this formatting problem (how files are laid out on the card so that every application can find the keys and certificates):
– One solution is to develop a standardized way to lay out the card directory and name the files
  PKCS #15, developed by RSA Labs, is an example
– The other solution is to abstract the interface to the card so that you no longer deal with directories and files
  JavaCard is an example
PKI Credential Interoperability
Sharing credentials across multiple applications
[Diagram: one RSA Keon Credential Store serving Netscape Communicator through PKCS #11 and Microsoft applications through CAPI/CSP.]
The Barriers to Smart Cards
They need a reader
– This will be an issue until these become embedded in keyboards and notebooks
They cost money
– But prices are getting pretty reasonable
Not all applications support PPK and smart cards
– But many of today's applications are Web based, and the browsers do support them
Industry compatibility
– PC/SC readers now available
– PKCS #15 from RSA Labs
PKCS #15
What is it?
– A specification for organizing cryptographic data on an authentication object (e.g. a card or another device)
– Allows multiple PKCS #15 applications to live on the same card
People frequently confuse PKCS #11 and PKCS #15
– PKCS #11 is a standard which defines how to plug cryptographic tokens into a crypto solution: the API (Cryptoki) that the application calls
  These tokens could be smart cards or crypto accelerators, for example
– PKCS #15 is a standard which defines the layout of a smart card format and the naming standard for common files: what is actually on the card
The application developers who use smart cards are focusing on PKCS #15
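The slides on smart card properties, the ISO 7816 command interface, PC/SC, card formatting and PKCS #15 versus PKCS #11 describe three layers that are easiest to see in code. The following Python is an added example, not RSA's code and not any real card's file system: an ISO 7816-4 APDU encoder/decoder (the command interface), a constructed card with a PKCS #15 directory layout, a PIN retry counter and on-card signing, and a PKCS #11-shaped API on top of it. The DF identifier 5015, the 44xx directory-file identifiers, the three-try limit and HMAC-SHA256 standing in for the card's RSA signature are assumptions made for the example; 3F00, 2F00, 5031, 5032, the VERIFY/SELECT/READ BINARY/PSO instruction bytes and the 63Cx/6982/6983 status words are ISO 7816 values.

```python
import hashlib
import hmac

# ISO 7816-4 status words and the instruction bytes used below
SW_OK, SW_NOT_SATISFIED, SW_BLOCKED = 0x9000, 0x6982, 0x6983
SW_FILE_NOT_FOUND, SW_INS_NOT_SUPPORTED = 0x6A82, 0x6D00
INS_VERIFY, INS_PSO, INS_SELECT, INS_READ_BINARY = 0x20, 0x2A, 0xA4, 0xB0


def build_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Encode a short-form command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le & 0xFF])
    return apdu


def parse_apdu(apdu):
    """Inverse of build_apdu for the four short-length APDU cases."""
    cla, ins, p1, p2 = apdu[:4]
    body = apdu[4:]
    if len(body) <= 1:  # case 1 (no body) or case 2 (Le only)
        return cla, ins, p1, p2, b"", (body[0] if body else None)
    lc = body[0]
    data, rest = body[1:1 + lc], body[1 + lc:]
    return cla, ins, p1, p2, data, (rest[0] if rest else None)


class SimCard:
    """Constructed card: PKCS#15 file layout, PIN retry counter, signing done on-card.
    The key is an attribute rather than a file, so no APDU can read it out; HMAC-SHA256
    stands in for the card's RSA signature operation."""
    MAX_PIN_TRIES = 3  # assumed limit for this example

    def __init__(self, pin):
        self._pin, self._tries, self._verified = pin, self.MAX_PIN_TRIES, False
        self._signing_key = hashlib.sha256(b"constructed on-card key").digest()
        # MF 3F00, EF(DIR) 2F00, EF(ODF) 5031 and EF(TokenInfo) 5032 are the ISO 7816 / PKCS#15
        # defaults; DF 5015 and the 44xx directory-file IDs are assumed for this example.
        self.files = {
            (0x3F00,): b"",
            (0x3F00, 0x2F00): b"EF(DIR): PKCS#15 application in DF 5015",
            (0x3F00, 0x5015): b"",
            (0x3F00, 0x5015, 0x5031): b"EF(ODF): PrKDF=4401 CDF=4402 AODF=4403",
            (0x3F00, 0x5015, 0x5032): b"EF(TokenInfo): label=SimCard",
            (0x3F00, 0x5015, 0x4401): b"EF(PrKDF): key 01 'sign', private, non-extractable",
            (0x3F00, 0x5015, 0x4402): b"EF(CDF): cert 01 for key 01",
            (0x3F00, 0x5015, 0x4403): b"EF(AODF): PIN ref 01, 4-8 digits",
        }
        self._selected = (0x3F00,)

    def transmit(self, apdu):
        """Handle one command APDU and return (response data, status word)."""
        _cla, ins, p1, _p2, data, _le = parse_apdu(apdu)
        if ins == INS_SELECT:  # P1=08: select by path below the MF
            path = tuple(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
            path = (0x3F00,) + path if p1 == 0x08 else path
            if path not in self.files:
                return b"", SW_FILE_NOT_FOUND
            self._selected = path
            return b"", SW_OK
        if ins == INS_READ_BINARY:  # directory files are public; the key is not among them
            return self.files[self._selected], SW_OK
        if ins == INS_VERIFY:
            if self._tries == 0:
                return b"", SW_BLOCKED  # retry counter exhausted, PIN is blocked
            if hmac.compare_digest(data, self._pin):
                self._tries, self._verified = self.MAX_PIN_TRIES, True
                return b"", SW_OK
            self._tries -= 1
            return b"", 0x63C0 | self._tries  # 63Cx: wrong PIN, x tries remaining
        if ins == INS_PSO:  # PERFORM SECURITY OPERATION: compute digital signature
            if not self._verified:
                return b"", SW_NOT_SATISFIED
            return hmac.new(self._signing_key, data, hashlib.sha256).digest(), SW_OK
        return b"", SW_INS_NOT_SUPPORTED


class Pkcs11Token:
    """PKCS#11-shaped calls (C_FindObjects, C_Login, C_Sign) over the card's APDUs: the API
    the application sees, with PKCS#15 describing what is on the card underneath it."""
    def __init__(self, card):
        self.card = card
    def _cmd(self, ins, p1, p2, data=b""):
        return self.card.transmit(build_apdu(0x00, ins, p1, p2, data))
    def find_objects(self):
        _, sw = self._cmd(INS_SELECT, 0x08, 0x00, b"\x50\x15\x50\x31")  # DF(PKCS#15)/EF(ODF)
        if sw != SW_OK:
            raise RuntimeError("no PKCS#15 object directory: %04X" % sw)
        odf, _ = self._cmd(INS_READ_BINARY, 0x00, 0x00)
        return odf.decode()
    def login(self, pin):
        _, sw = self._cmd(INS_VERIFY, 0x00, 0x01, pin)  # P2=01: PIN reference from the AODF
        return sw
    def sign(self, message):
        sig, sw = self._cmd(INS_PSO, 0x9E, 0x9A, message)  # P1P2=9E9A: compute digital signature
        if sw != SW_OK:
            raise PermissionError("card refused to sign: %04X" % sw)
        return sig
```

Driving the token from an application, `find_objects()` reads the directory files without any PIN, `sign()` before `login()` gets 6982 back, three wrong PINs walk the retry counter down through 63C2, 63C1, 63C0 and then every further VERIFY answers 6983, and nothing in the command set returns the signing key. On a real system the PC/SC layer sits between `Pkcs11Token._cmd` and `SimCard.transmit`: it carries the same APDU bytes over the reader, which is why the reader API and the card command set are separate standardization problems.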
Virtual Smart Card and Physical Smart Card
RSA Keon Advanced PKI credential store format
[Diagram: the Keon Credential Store is split into a public area and a private area.]
Public area (readable without unlocking)
– User's encryption X.509 certificate and public key
– User's signing X.509 certificate and public key
Private area (wrapped under an RC4 128-bit private area key)
– Signing private key
– Encryption private key
– Symmetric file encryption key
– NT/NetWare credentials
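The two-area store above, and the PKCS #12 issues slide, both come down to the same design: private keys wrapped under a key that is derived from the user's password (the PKCS #5 method named on the authentication options slide). The following Python is an added example, not the Keon store's real format: the public area is kept in the clear, the private area is encrypted under a 128-bit PBKDF2-derived key, and `guess_password` shows what "password-based" and "allows replication of identity" mean in practice, since whoever copies the file can try passwords offline with no retry counter. RC4 appears only because the slide names it; it is broken and an HMAC tag is added because RC4 gives no integrity and something must tell a wrong password from a right one. Field names, the iteration count and the sample credentials are constructed for the example.

```python
import hashlib
import hmac
import json
import os


def rc4(key, data):
    """RC4 key scheduling plus keystream XOR, the cipher the slide names.
    Kept only to mirror the slide: RC4 is broken and unauthenticated, use AES-GCM today."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_area_key(password, salt, iterations):
    """PKCS #5 v2 PBKDF2 (HMAC-SHA256) with a 128-bit output, like the slide's private area key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=16)


def seal_store(password, public_area, private_area, iterations=2000):
    """Build the store: public area in the clear, private area wrapped under the derived key.
    The iteration count is a constructed value; real deployments use far more."""
    salt = os.urandom(16)
    pak = derive_area_key(password, salt, iterations)
    ciphertext = rc4(pak, json.dumps(private_area).encode())
    tag = hmac.new(pak, ciphertext, hashlib.sha256).digest()  # integrity and password check
    return {"public": public_area, "salt": salt.hex(), "iter": iterations,
            "private": ciphertext.hex(), "tag": tag.hex()}


def open_store(store, password):
    """Unlock the private area; raises ValueError on a wrong password or a modified file."""
    pak = derive_area_key(password, bytes.fromhex(store["salt"]), store["iter"])
    ciphertext = bytes.fromhex(store["private"])
    expected = hmac.new(pak, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(store["tag"])):
        raise ValueError("wrong password or tampered store")
    return json.loads(rc4(pak, ciphertext))


def guess_password(store, candidates):
    """Offline attack on a copied store: no lockout, no rate limit, only the KDF cost per guess."""
    for candidate in candidates:
        try:
            open_store(store, candidate)
            return candidate
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    # Constructed stand-ins for the certificates, keys and NT/NetWare credentials on the slide
    store = seal_store(
        "winter2000",
        {"encryption_cert": "CN=alice (constructed)", "signing_cert": "CN=alice (constructed)"},
        {"signing_key": "<private key bytes>", "encryption_key": "<private key bytes>",
         "file_encryption_key": "<symmetric key>", "nt_password": "Passw0rd"},
    )
    print("public area, readable without a password:", store["public"])
    print("offline guess found:", guess_password(store, ["password", "letmein", "winter2000"]))
```

The only thing slowing `guess_password` down is the PBKDF2 iteration count, and the attacker chooses the hardware. A physical smart card changes the model rather than the cost: the PIN is checked on the card, the retry counter blocks it after a few failures, and there is no file to copy.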
Unique PKI Issues for B2B and Extended Enterprises
Partners wishing to use PKI to protect transactions over the Internet:
– Must support the "Big 2" web browsers and mail clients
– Must be secure over a public network
– Must be unobtrusive to partners' PCs
– Must be easy to use
– Solution must be secure, scalable, and manageable
– Users' credentials must be mobile
Unique PKI Issues for B2B and Extended Enterprises (continued)
Large enterprise deployments wanting to use PKI for a variety of functions:
– Browser, S/MIME, IPSec
– The enterprise requires unobtrusive software
– Must be easy to use
– The solution must be secure and be run over a public network
RSA Keon Advanced PKI
Ease of use: credential mobility
[Diagram: credentials delivered to the user from the RSA Keon Security Server.]
Downloadable Desktop Architecture
[Diagram: a COM server and a Local Security Service on the desktop sit above RSA Security Cryptographic Services. PKCS #11 browsers and mail clients attach through PKCS #11, Microsoft browsers and mail clients through a CSP, and IPSec and other applications through PKCS #11 or a CSP. A Logoff Service is also part of the desktop.]
Downloadable Desktop
Credential mobility
Multiple user credentials
Certificate auto-enrollment
– Keon Certificate Server support
Optional SecurID authentication
Standards-based repository
Downloadable Desktop
Unobtrusive software
– Small footprint
– No device drivers
– Installed by a normal user
– No reboot
Reduced sign-on / web SSO
Interoperability with client PKI applications
– Microsoft Internet Explorer, Outlook Express, Outlook 2000
– Netscape Navigator, Messenger
– Other "CSP" applications
Compatibility with authorization products
Public APIs and CLIs for integration and customization
Authentication Options
Physical smart card
Virtual smart card
– PKCS #5 password enhancement (password-based key derivation protecting the software store)
– SecurID
The Most Trusted Name in e-Security
WWW.RSASECURITY.COM