Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKI Technology & Interoperability Lisa Pretty Executive Director.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "PKI Technology & Interoperability Lisa Pretty Executive Director."— Presentation transcript:

1 PKI Technology & Interoperability Lisa Pretty Executive Director

2 Speakers u Overview & Interoperability – Lisa Pretty, PKI Forum u Hardware Security Modules – Bill Franklin, nCipher u Tokens – Bill Wehrmacher, DataKey

3 CA RA End Entity Directory Services Verification of Applicant Certificate Archiving Certificate Expiration Certificate Revocation Certificate Publication Certificate Generation Certificate Lifecycle

4 PKI Interoperability u Three different aspects to PKI interoperability –Component interoperability –Enterprise interoperability –Application interoperability

5 PKI Component Interoperability u Ability to mix and match COTS PKI products u Depends upon specification-based messages exchanged between components to support: –Certificate requests –Certificate renewal –Certificate revocation CA RA Client Repository

6 Factors For Component Interoperability u Algorithm suite u Certificate management protocols –Certificate issuance –Certificate revocation u Transport mechanisms

7 Enterprise Interoperability u The ability to connect two enterprise PKIs into a larger functional PKI –More than just cross- certification –Clients must be able to find and validate meaningful certification paths Enterprise A PKI CARA Client Repository A Enterprise B PKI CARA Client Repository B

8 Factors for Enterprise Interoperability u Algorithm suite u Certificate format and extension set u Certificate policies u Certificate status information formats u Path building and validation across PKIs

9 Application Interoperability u The ability of PKI-aware applications to: –Share PKI certificates, key-pairs, and processing modules –Rely on different PKI environments to implement security services Enterprise A PKI CARA Client Repository A Enterprise B PKI CARA Client Repository B

10 Factors for Application Interoperability u Ability to share cryptographic modules OR export/import cryptographic materials –Cryptographic application programming interfaces (APIs) u Access to path validation and path building utilities u Consistency of processing u Feature sets

11 Hardware Security Modules (HSM) and PKI Bill Franklin Dir. of Technology, nCipher

12 Hardware Security Modules  Hardware security modules (HSM) perform cryptographic operations, protected by hardware (PCI boards, SCSI boxes, smart cards, etc.)  These operations include: –Random number generation –Key generation (asymmetric and symmetric) –Private key hiding (security) from attack (no unencrypted private keys in software or memory) Private keys used for signing and decryption Private keys used in PKI for storing Root Keys

13 About Public Key, ---? u We assume you understand something about public key technology: –Public-private key pairs; generation and life cycle –Asymmetric encryption –Symmetric encryption –Use of asymmetric encryption to establish keys for subsequent symmetric encryption –Criticality of private keys (and root keys)

14 Why Use HSMs?  A number of public key operations require the use of private keys as part of various processes: –Cryptographically or digitally signing an object, a file, etc. –Decrypting an encrypted object or file u These processes happen in active memory, which is vulnerable to attack and copying of a private key in open use, unencrypted

15 HSM – Immediate Needs  SSL predominates in e-commerce: –Allows secure electronic transactions  Effect on servers: –SSL negotiation (asymmetric) creates heavy overhead – increasingly a bottleneck –Private keys have to be brought into decryption and signing processes, interactively  So, SSL can drive: –Insecurity if private keys not protected fully –Bottlenecks in processing, even bringing servers down

16 HSM Basics u HSMs generally hook directly to the server, providing a protected area for the private key to be generated and reside, as well as to participate in a protected manner in critical processes, such as signing and decryption -- such that the private key is never in active memory or software in an unencrypted state.

17 PKI Implications  If you have just spent $15M implementing a global PKI – and your root is compromised, or some other important signing key…  What will it cost you to refit all new certificates – as well as inspecting and changing all the operations associate with the compromised key(s)?  It will be more than you spent setting up initially!  Or, transactions are suddenly 8000% over design expectations – how will you scale?

18 Desirable Characteristics  HSMs should: –Resist physical and programming attacks of all types (our catechism is: NO Private keys unencrypted in software or memory – any time); generate random numbers and keys in HSM –Make private keys securely available to transaction processes in real time, securely – particularly CAs –Allow “k of n” security for access to HSMs with security “in depth” –Accelerate cryptographic processing –Be scalable and support failover –Operate with load balancing schemas –Work with PKCS#11, MS CAPI and other APIs

19 Need Further Information u Check with the PKI Forum site for members which have HSMs (www.pkiforum.org) u Work with your integrator or consultants to identify the best solutions for your implementations and operations u Work with your PKI vendor concerning solutions for HSM u But: Use HSM to assure your security!

20 slide 20 HSM Example: nCipher HW PCI SCSI

21 Example: nCipher Hardware Each CPU can perform - 37 1/2 1024 bit decryptions per second RISC Processor Array Secure Memory

22 Example: nCipher Hardware slide 22 The master processor performs crypto operations and parsing to other chips “Master” Processor Other CPU’s perform only crypto operations

23 The smart token’s role in PKI interoperability. W.H.(Bill) Wehrmacher Datakey, Inc.

24 1st: Do no harm! Then help if you can!

25 Just what is a Smart Token? u Physical Device –Potential for two Factor Authentication –Potential for secure portable Credentials u Computing Device –Potential for Strong Authentication –Potential for Non Repudiation u Convenient Form Factors –Potential for regular use

26 What do you mean by interoperate? u The definitions for tokens are the same definitions about PKI in general. –I want my PKI trust system interoperate with others’ PKI trust systems –I want my PKI credentials to work across applications u There is more with Tokens –“OK, now I have have keys and Certificates on my token, I should be able to plug it into any PKI enabled application, in any workstation and have it just work.”

27 What does the user mean by interoperate? u “OK, you’ve convinced me, I need tokens. –Now I can work anywhere, –any time, –on any computer, –with any application, –and on and on and on…” “OK, now I have have keys and Certificates on my token, I should be able to plug it into any PKI enabled application, in any workstation and just have it work… Right?”

28 Define where you want interoperability u At card edge... u At Card Operating System... u At card terminal... u At connection API... u At Cryptographic API... u Across desktop platforms... u Across PKI Systems...

29 Token Interoperability Stack Applications: Secure and non-secure Security Mechanisms and protocols Security Support Services Crypto Modules and Algorithms Token Connectivity APIs Token Connectivity hardware PKI functions: Key & Certificate Management Auditing etc. CAPI/CSP, Cryptoki PC/SC, OCF etc. ISO 7816 Tokens

30 At Card Edge with ISO 7816? A little like saying RS232 Compatible –Card will fit in slot –Contacts will line up –Power and signals will go to right place –Card will identify itself with Answer To Reset –Many low level commands will work –Most functional commands won’t Probably not core definition of interoperability, but will be part of the equation

31 Token Interoperability Stack Applications: Secure and non-secure Security Mechanisms and protocols Security Support Services Crypto Modules and Algorithms Token Connectivity APIs Token Connectivity hardware PKI functions: Key & Certificate Management Auditing etc. CAPI/CSP, Cryptoki PC/SC, OCF etc. ISO 7816 Tokens

32 At Card Edge Operating System: u CARDOS u DKCCOS u EMV u JavaCard u Multos u SEIS u SpyCOS u Windows for Smart Cards Not really practical to interoperate here…

33 At Operating System Algorithm Suite: u RSA u DSA u ECC u PGP u Others, new and old u DES and derivatives u RCx u IDEA u CAST u Others, new and old Necessary to support wide range of applications

34 Token Interoperability Stack Applications: Secure and non-secure Security Mechanisms and protocols Security Support Services Crypto Modules and Algorithms Token Connectivity APIs Token Connectivity hardware PKI functions: Key & Certificate Management Auditing etc. CAPI/CSP, Cryptoki PC/SC, OCF etc. ISO 7816 Tokens

35 At Token Terminal u Platform Dependent –PC/SC WinTel 32 Platforms only Limited performance with Cryptographic Smart Cards –OpenCardFramework Java oriented

36 Token Interoperability Stack Applications: Secure and non-secure Security Mechanisms and protocols Security Support Services Crypto Modules and Algorithms Token Connectivity APIs Token Connectivity hardware PKI functions: Key & Certificate Management Auditing etc. CAPI/CSP, Cryptoki PC/SC, OCF etc. ISO 7816 Tokens

37 At Cryptographic or other API u Cryptoki (PKCS#11): Lowest Level of popular APIs u CAPI (Microsoft Cryptographic API) u Both supported by existing products ActivCard: ActivCard GoldLitronic: NetSign Datakey: SignaSURE CIPSchlumberger GemPLUS: GemSafeOthers u Both Supported by PKI products For a list, see the PKI Forum Member list and there are others

38 Token Interoperability Stack Applications: Secure and non-secure Security Mechanisms and protocols Security Support Services Crypto Modules and Algorithms Token Connectivity APIs Token Connectivity hardware PKI functions: Key & Certificate Management Auditing etc. CAPI/CSP, Cryptoki PC/SC, OCF etc. ISO 7816 Tokens

39 Perhaps now you have token hooked up. What next? u Share PKI data across platforms –If PKI can operate in multiple environments, a smart token should not prevent it u All Cryptoki applications are not created equal –Cryptoki recommends, does not specify. –Applications can store data on tokens in incompatible formats. –PKI data can be PKI specific or PKI general Rule #1: Do no harm

40 Token Vendors u Smart Card tokens –ActivCard –Bull –Datakey –GemPlus –Giesecke & Devrient –Litronic –Oberthur –Schlumberger –Many others u Other Smart Tokens –ActivCard –CryptoCard –Security Dynamics –Many others These are not “recommended” vendors, just those who came to mind. There are many others and you should search out the ones that best fit your needs.

41 Please feel free to contact me W.H.(Bill) Wehrmacher Director of Technical Services Datakey, Inc. bill.wehrmacher@datakey.com +1 952 808-2337 407 West travelers Trail Burnsville Minnesota 55337

42 www.PKIForum.org

Download ppt "PKI Technology & Interoperability Lisa Pretty Executive Director."

Similar presentations

Public Key Infrastructure and Applications

Public Key Infrastructure and Applications
Gareth Ellis Senior Solutions Consultant Session 5a Key and PIN Management.

Gareth Ellis Senior Solutions Consultant Session 5a Key and PIN Management.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
A l a d d i n. c o m eToken NG-OTP Combined PKI - OTP Authentication Solution November, 2008.

A l a d d i n. c o m eToken NG-OTP Combined PKI - OTP Authentication Solution November, 2008.
SPD1 Improving Security and Access to Network with Smart Badge Eril Pasaribu CISA,CISSP Security Consultant.

SPD1 Improving Security and Access to Network with Smart Badge Eril Pasaribu CISA,CISSP Security Consultant.
1 PK-Enabling Toolkits August 27, 2001. 2 CSOS Interfaces STATUS CHECKING Network Interface: HTTP Port 80 PKI Interface: PKCS 10 Request PKCS 7 Response.

1 PK-Enabling Toolkits August 27, CSOS Interfaces STATUS CHECKING Network Interface: HTTP Port 80 PKI Interface: PKCS 10 Request PKCS 7 Response.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
SafeNet Luna XML Hardware Security Module

SafeNet Luna XML Hardware Security Module
PKI -An Industry Perspective Lisa Pretty Executive Director.

PKI -An Industry Perspective Lisa Pretty Executive Director.
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation 23-25 May 2012, Kish Island, I.R.IRAN.

1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Mobile Credentials Ennio J. Carboni Product Manager, Keon PKI

Mobile Credentials Ennio J. Carboni Product Manager, Keon PKI

Similar presentations

Ads by Google