Presentation is loading. Please wait.

Presentation is loading. Please wait.

Key Management with the Voltage Data Protection Server Luther Martin IEEE P1619.3 May 7, 2007.

Published byPatrick Freeman Modified over 9 years ago

Similar presentations

Presentation on theme: "Key Management with the Voltage Data Protection Server Luther Martin IEEE P1619.3 May 7, 2007."— Presentation transcript:

1 Key Management with the Voltage Data Protection Server Luther Martin IEEE P1619.3 May 7, 2007

2 2 Overview  Key management with the Voltage Data Protection Server is motivated by the typical customer uses  An administrator defines policies at a central management console that pushes configuration and policy data to individual key servers  Management of symmetric keys is integrated with management of asymmetric keys (identity-based encryption)  Not really an API  Data is either Base64-encoded PKCS#7 or XML and is transported over HTTPS

3 3 Typical use of the Voltage Data Protection System - 1  Used to encrypt sensitive information in a database  Typically for PCI DSS compliance  In this case, encryption and decryption are both automated

4 4 Typical use of the Voltage Data Protection System - 2  Encrypting unstructured data in storage according to a security policy  Documents  Spreadsheets  Etc.  In this case, encryption may be automated but a human user may decrypt the data  May even be in a different security domain  “Federation”

5 5 Design goals  Must support multiple cryptographic algorithms  Must support multiple authentication methods for each algorithm  Must work across multiple security domains  May require user interaction  Could be an application

6 6 Components  Management console  Creates policies and pushes to key servers  Creates configuration data and pushes to key servers  Logs events and allows an authorized admin to review logs  Pulls logs from key servers  Key servers  Create and grant keys  Enforce policy  Log events  Users  Request keys  Request policy  Authenticate as needed

7 7 The world according to Voltage (simplified)

8 8 Downloading policy  Clients download policy from key server over HTTPS  A policy URL  Policy defines what keys a key server can create  Stored in a Base64-encoded PKCS#7 on the key server  Gives URL of where to request keys  Other administrative information Validity period of the policy How often clients should check for new policy Etc.  Knowing the policy URL is all that a client needs to start encrypting

9 9 Example policy – not very enlightening  -----BEGIN PKCS7-----  MIIKKgYJKoZIhvcNAQcCoIIKGzCCChcCAQExCzAJBgUrDgMCGgUAMIIGfgYJKoZI hvcNAQcBoIIGbwSCBmswggZnAgEBBEECjrk1vLeEyC1gbZBiII8GpSNU7hVZeGEA aCwkaTUA8e6G3Rtynz2GFiHrrrLTu6h9IKeaM1ZhuShK+CTMdiVrEjCCAT8CAQEw TAYHKoZIzj0BAQJBAJ8H1gR9xlCYucz2uTzLayuTJi7AILgeRz4Lp6rEpy0j9eGO wBieiN8DvimMxmoEtNs4FfZRAxbHx7VVIcwKoPMwgZEGC2CGSAGG/R4BAQEBBEAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBEECAmm7c2jAousQfwT1 myPOGhnHopYNvmRjaXs13efxL08k79KfSX/IEgcoRsnvbhRkfQDW30x85Om701UG W8vGjwIVAP/////////////v////////////MVIwUAYLYIZIAYb9HgEDAQIEQQKX 4RZI3e9oC3X/iuSx5i1NnbTW2Kq4yQ+jW9h7XtTGTfZ4rMlytgSsl1VpaWUXT7m4 Yhd7EgQtBP4SvELey3U4MB4XDTA0MDQyMjE4MDYwN1oXDTI5MDQxNjE4MDYwN1ox ggRmMBIGC2CGSAGG/R4BAwIKBAMCAQMwIAYLYIZIAYb9HgEDAgEBAf8EDhMMMDQw MjAzMjExNjE2MCAGC2CGSAGG/R4BAwIFAQH/BA4wDAYKYIZIAYb9HgIBATAsBgtg hkgBhv0eAQMCBgEB/wQaDBh2b2x0YWdlLmNvbSMwNDAyMDMyMTE2MTYwLwYLYIZI AYb9HgEDAgIBAf8EHRMbdm9sdGFnZS1wcy0wMDAwLnZvbHRhZ2UuY29tMC8GC2CG SAGG/R4BAwIHAQH/BB0MG3ZvbHRhZ2UtcHMtMDAwMC52b2x0YWdlLmNvbTBVBgtg hkgBhv0eAQMCAwEB/wRDE0FodHRwczovL3ZvbHRhZ2UtcHMtMDAwMC52b2x0YWdl LmNvbS9mb3JtcG9zdGRpci9zYWZlZm9ybXBvc3QuYXNweDBVBgtghkgBhv0eAQMC CAEB/wRDDEFodHRwczovL3ZvbHRhZ2UtcHMtMDAwMC52b2x0YWdlLmNvbS9mb3Jt cG9zdGRpci9zYWZlZm9ybXBvc3QuYXNweDCCAswGC2CGSAGG/R4BAwIEAQH/BIIC uDCCArQwggKwMIICcKADAgECAgEBMAkGByqGSM44BAMwFjEUMBIGA1UEAxMLdm9s dGFnZS5jb20wHhcNMDQwNDIyMTgwNjA1WhcNMjkwNDE2MTgwNjA1WjAlMSMwIQYD VQQDFBp2b2x0YWdlLmNvbSMwNDAyMDMyMTE2MTY6UzCCAbYwggErBgcqhkjOOAQB MIIBHgKBgQD2N0O2t9OUCRm+APvgYO1tEAPD1+heyLVFp5TgVABryChuhhtWdqXv cUCT6uA7+8pth2KWB6zvMR1FsBHHFb0Du2S3HvgaBqqhNRr+t1GvvP1/hfXyqhdL sAXKJNRntnbA4Srkkl4TfiGMWEidE+67k2aFLeTggTDn90hEqHHitQIVAO6MTSFm MJ777vg9hR76QUuHPqcjAoGAf+DTTEL/iLZwPHg2dAW7NQmHoEuaJZgVCtXVzrI6 C8axkSSEjgfxI0QPhnjgfAiPgnsWmJooxHvB62/kARCX6zFt5jjcr2gM7EnlYcwA Bw+PH8dWrQuGMQohwvUML2k/hEzhU+78p6J9h1hdWsoIR7yewuxiBWD+NpPn9UU2 3dQDgYQAAoGAG8tLodfqJNcquJfjpvXu7X/3hf7cnz+xNHEdEqMqTJOO5PVk9Ere nu0Aj50l84z+rJiGQvoXXtdeRVTxgqAgzlGXs/7FluF8cK2lpwBj5m1vQ3cAHzDA 8B1Rjr3qYGDdd8PkkOpxrJsNwArlKQidZZ2pRs+54ySwXRF9oVzKNUejQjBAMA8G A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRDGs9zRYnj 2a4128+czLGaCsi3aDAJBgcqhkjOOAQDAy8AMCwCFDJB6Vsqx1HxT6CzXWxCPMJA SEfhAhQ3BIm2DH2m8MrGiNl4JMlB66hwNKCCArYwggKyMIICcaADAgECAgEBMAkG ByqGSM44BAMwFjEUMBIGA1UEAxMLdm9sdGFnZS5jb20wHhcNMDQwNDIyMTgwNjA3 WhcNMjkwNDE2MTgwNjA3WjAlMSMwIQYDVQQDFBp2b2x0YWdlLmNvbSMwNDAyMDMy MTE2MTY6UDCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQCcmUTb9u179pw8RQn27eEi 4Mc1RY2JWl/wRwYE+F3ruAmBmo4m6gMmI5pvj4MtGfU+3ipPbugOAOB3DLu5w9R5 ejY+xpys0RK4iFfJ7NLZz7eAMQwbkidzBGBibWNQsxdmsvvSJLc+26g54pa8Crj8 gNO6H4LkgtHE4rpUO63Z5wIVAITwIvRyibeCMuBHjdsL6C7g9Jy/AoGBAJnU/8K+ NipTQ0TX+1Dx9+mWdHhjMLfTessLdC47kFmwYepxBz/ZKu4ZG9+wtpqu5Rod0340 Q3Jd4YcmtTKtMTiLp/Pm6QQn6bKchxJqjS27wVe7Ig4G3Z4zXc0Yie18vTPDpD1l oNy1KML+n8kTAJp1elpT/0CySeph7KVjgutHA4GEAAKBgBvVSd19wQhGwXGr7zvb jLi8wKRFvveo8PPlfSfHJgzNZrMvBK4HlcK/KsTx/6BxSlLf8E2Uaax8JGArhPuW K+RoTFURqe82/1bfE1tnNnVE1jUEcFJodEpN1zQRQ6i1TOMV+0nVpJlb9ylOp9E1 3kVY5+huCZM4MqbQQvDd/ExIo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB /wQEAwIBBjAdBgNVHQ4EFgQU160Me2kzzl3w1cvJhf81RERMGVgwCQYHKoZIzjgE AwMwADAtAhUAgfWYot9R24alb8wuPD/2oWpA6ogCFEv9xddpdK78OLyOjHdMtFBl 8ipxMYHIMIHFAgEBMBswFjEUMBIGA1UEAxMLdm9sdGFnZS5jb20CAQEwCQYFKw4D AhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8X DTA2MTIwODAyMTYzM1owIwYJKoZIhvcNAQkEMRYEFBtovu1emwW496eAicS53o+Z dFXbMAkGByqGSM44BAEELjAsAhQoLURHiNst/mwFz7Fm+q31GDopDgIUXOGILtqM  YG2ajZgKJ/AGFeYkG7s=  -----END PKCS7-----

10 10 Getting keys  Clients request keys from key server and use to encrypt/decrypt data  Key identifier can be stored as an Attribute in a PKCS#7 encrypted- data content type  As defined in RFC 3852/CMS  Identifier includes information about key  OID of algorithm  Key length  URL of policy  Application (can’t enforce, but useful for licensing)  Recipient identifier (device, user, etc.)  Identifier is a Base64-encoded DER-encoded block that can be used for multiple purposes

11 11 Authentication  Authentication data can be passed with a key request  Optional  If a valid auth token is not present in a key request, the key server performs whatever auth is required by the security policy  May query user  May also query other data sources  Returns auth token to user upon success  User then requests the key using the valid auth token

12 12 Key request MHIwDAYKYIZIAYb9HgIBAQwgZGV2ZWxvcGVyLnZvbHRhZ2UuY29 tIzEwODjQwQDAaS6XQmLnZvbHRhZ2UuY29tNC26BBEAhzRCZWZv cmUEDL5lquI0eALv8A1JsnC4BOpwDAlub3RCZWZvcmUEDTA1MDg wODAwMDAwMFowIgwCaWQEHHNlbmRlckBkZjb20=

13 13 Server response  Response from server includes the key plus an identifier for the key  Identifier includes information about key  OID of algorithm  Key length  URL of policy  Application (can’t enforce, but useful for licensing)  Recipient identifier (device, user, etc.)

14 14 Key server response <vs:response xmlns:vs="http://www.voltage.com/xmlns/vspv1" code="100" message="Symmetric Key Follows"> kMDkxODM0OWNudmtpdzR1MDkxdTJwdTE5OC0xOC0xMjc4MGhkeX b3VpeXNoMW5scmgxbmw0cnUxZm40ZjFucmo0bjRpdTs1aXUxNGk S1vNHU5MzQ4c3UxMDNqNC5kMWo0LmozNGtqMTNsazRqMWwzNGpo NHAxdTRwMWk0cGQxaXUzNHAxaXUzNHAxaXUzcDQxaXVwNG91MXA Gl1MXAzNHUxcDM0dXAxb3U0cDFpdTM0cDF1MzQxdTNwNDF1cDR1 A0dTFwMzR1MXAzNGl1cDEzaTR1cDF1NHAxdTM0cG8xdXA0dXA4d waWMxLmpsajE0cmxsY2kxdW5wMWNyaTFqcmkxamMuag==

15 15 User authentication  User identifier and key identifier are in the key request  Key server requires authentication per its security policy before granting keys  Configurable per user/device or group of users/devices  Shared secret  Active Directory  E-mail answerback  Q&A  X.509 client certificates  SecureID  Others

16 16 Summary  The key management capabilities of the Voltage Data Protection Server includes features that make it useful in a wide range of applications  Encryption and decryption may be automated but it is also easy for a human user to perform the same operations  Users/devices may even be in a different security domain  Wide range of authentication options  Same framework applies to asymmetric key management

Download ppt "Key Management with the Voltage Data Protection Server Luther Martin IEEE P1619.3 May 7, 2007."

Similar presentations

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Secure Sockets Layer eXtended (SSLX) Next Generation Internet Security Overview Presentation April 2011.

Secure Sockets Layer eXtended (SSLX) Next Generation Internet Security Overview Presentation April 2011.
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.

Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Product and Technology News Georg Bommer, Inter-Networking AG (Switzerland)

Product and Technology News Georg Bommer, Inter-Networking AG (Switzerland)
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)

Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey
Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.

Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.
Key Management in Cryptography

Key Management in Cryptography
Public Key Infrastructure from the Most Trusted Name in e-Security.

Public Key Infrastructure from the Most Trusted Name in e-Security.
Virtual techdays INDIA │ 18-20 august 2010 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS)

Virtual techdays INDIA │ august 2010 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS)
Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.

Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.
Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.

Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.
Clinton Ho Program Manager Microsoft Corporation SESSION CODE: SIA311.

Clinton Ho Program Manager Microsoft Corporation SESSION CODE: SIA311.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Similar presentations

Ads by Google