Enterprise Key Management Infrastructure: Understanding them before auditing them
Arshad Noor
CTO, StrongAuth, Inc.
Chair, OASIS EKMI-TC

Agenda
• What is an EKMI?
• Components of an EKMI
• Auditing an EKMI
• ISACA members at OASIS EKMI
• Summary
Business Challenges
• Regulatory compliance
  – PCI-DSS, FISMA, HIPAA, SB-1386, etc.
• Avoiding fines
  – ChoicePoint: $15M, Nationwide: $2M
• Avoiding lawsuits
  – TJX (multiple), Bank of America
• Avoiding negative publicity to the brand
  – TJ Maxx, Ralph Lauren, Citibank, Wells Fargo, IBM, Ernst & Young, Fidelity, etc.
The Encryption Problem
[Diagram: the same key lifecycle is repeated separately by every application, ....and so on]
● Generate
● Encrypt
● Decrypt
● Escrow
● Authorize
● Recover
● Destroy
Key-management silos
[Diagram: every Application, every Database or DB Driver and every OS or its Drivers carries its own KM (key management); the only shared elements are the Network, the Key Management Connections and the PKI]
What is an EKMI?
● An Enterprise Key Management Infrastructure is:
“A collection of technology, policies and procedures for managing all cryptographic keys in the enterprise.”

EKMI Characteristics
● A single place to define EKM policy
● A single place to manage all keys
● Standard protocols for EKM services
● Platform and Application-independent
● Scalable to service millions of clients
● Available even when network fails
● Extremely secure
EKM Harmony
[Diagram: a single EKMI, made up of the PKI and the SKMS, serves every Application, Database or DB Driver and OS or its Drivers over the Network and the Key Management Connections; there is no per-component KM]
The Encryption Solution
[Diagram: one SKS Server reached over the WAN, with the clients around it]
• SKS Server: Generate, Protect, Escrow, Authorize, Recover, Destroy
• Each client: Encrypt, Decrypt
EKMI Components
● Public Key Infrastructure
  ● For digital certificate management; for strong-authentication, secure storage & transport of symmetric encryption keys
● Symmetric Key Management System
  ● SKS Server for symmetric key management
  ● SKCL for client interaction with SKS Server
  ● SKSML for SKCL-SKS communication
● EKMI = PKI + SKMS
PKI
• Well known, but not well understood
• Reputation for being costly and complex
• BUT.......
  – Used in every e-commerce solution
  – Used by DOD of most democratic nations
  – Citizen cards, e-Passports
  – Corporate Access Cards
  – US Personal Identity Verification (PIV)
  – IETF PKIX standards
SKMS: SKS Server
• Symmetric Key Services Server
  – Contains all symmetric encryption keys
  – Generates, escrows and retrieves keys
  – ACLs authorizing access to encryption keys
  – Central policy for symmetric keys:
    • Key-size, key-type, key-lifetime, etc.
  – Accepts SKSML protocol requests
  – Functions like a DNS-server
SKMS: SKCL
• Symmetric Key Client Library
  – Communicates with SKS Server
  – Requests (new or old) symmetric keys
  – Caches keys locally (KeyCachePolicy)
  – Encrypts & Decrypts data (KeyUsePolicy)
    • Currently supports 3DES, AES-128, AES-192 & AES-256
  – Makes SKSML requests
  – Functions like DNS-client library
SKMS: SKSML
• Symmetric Key Services Markup Language
  – Request new symmetric key(s) from SKS server, when
    • Encrypting new information, or
    • Rotating symmetric keys
  – Request existing symmetric key(s) from SKS server for decrypting previously encrypted ciphertext
  – Request key-cache-policy information for client
The Big Picture
[Diagram: on the client side, C/C++, RPG and Java applications call the SKCL (native applications via JNI and RPGNI), which keeps a Key Cache; on the server side, the Application Server and the DB Server each have a Crypto Module; steps 1 to 7 below are numbered across the Network between client and server]
1. Client Application makes a request for a symmetric key
2. SKCL makes a digitally signed request to the SKS
3. SKS verifies SKCL request, generates, encrypts, digitally signs & escrows key in DB
4. Crypto HSM provides security for RSA Signing & Encryption keys of SKS
5. SKS responds to SKCL with signed and encrypted symmetric key
6. SKCL verifies response, decrypts key and hands it to the Client Application
7. Native (non-Java) applications make requests through Java Native Interface
Security in an SKMS
• Symmetric keys are encrypted with SKS server's RSA public-key for secure storage
• Client requests are digitally signed (RSA)
• Server responses are digitally signed (RSA) and encrypted (RSA)
• All database records are digitally signed (RSA) when stored, and verified when accessed – including history logs – for message integrity
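As an added example (not StrongAuth code and not the OASIS SKSML wire format), the signed-request and signed-and-encrypted-response exchange of steps 2 to 6 in the Big Picture, together with the RSA escrow property listed above, modelled in Go with RSA-PSS signatures and RSA-OAEP encryption. The Request/Response structs, the request body text and the 2048-bit key size are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// Constructed model of steps 2 to 6 on the slide (added example, not StrongAuth code):
// signed SKCL request, key generation and RSA escrow at the SKS, signed+encrypted response.
type Request struct{ Body, Sig []byte }
type Response struct{ EncKey, Sig []byte }

func sign(k *rsa.PrivateKey, m []byte) ([]byte, error) {
	h := sha256.Sum256(m)
	return rsa.SignPSS(rand.Reader, k, crypto.SHA256, h[:], nil)
}

func verify(p *rsa.PublicKey, m, sig []byte) error {
	h := sha256.Sum256(m)
	return rsa.VerifyPSS(p, crypto.SHA256, h[:], sig, nil)
}

// Step 2: the SKCL digitally signs its key request.
func ClientRequest(client *rsa.PrivateKey, body string) (Request, error) {
	sig, err := sign(client, []byte(body))
	return Request{[]byte(body), sig}, err
}

// Steps 3 and 5: the SKS verifies the request, generates an AES-256 key, escrows it under its
// own RSA public key (HSM-protected on the slide) and returns it RSA-encrypted for the client, signed.
func SKSServe(sks *rsa.PrivateKey, clientPub *rsa.PublicKey, req Request) (Response, []byte, error) {
	if err := verify(clientPub, req.Body, req.Sig); err != nil {
		return Response{}, nil, err // forged or tampered request: no key is issued
	}
	aesKey := make([]byte, 32)
	rand.Read(aesKey)
	escrow, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &sks.PublicKey, aesKey, nil) // 32 bytes always fits
	enc, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, clientPub, aesKey, nil)
	sig, err := sign(sks, enc)
	return Response{enc, sig}, escrow, err // the escrow record would be stored, signed, in the SKS DB
}

// Step 6: the SKCL verifies the SKS signature before it decrypts the key.
func ClientReceive(client *rsa.PrivateKey, sksPub *rsa.PublicKey, r Response) ([]byte, error) {
	if err := verify(sksPub, r.EncKey, r.Sig); err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, client, r.EncKey, nil)
}
```

Only the SKS private key can open the escrow record, which is why the slide puts that key in an HSM.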
Common KM problems
• Using proprietary encryption algorithm
• “Hiding” encryption key on the machine
• Embedding encryption key in software
• Encrypting symmetric key with another
• Using a single key across the enterprise
• Backing up key with data on the same tape
• Using weak passwords for Password-Based-Encryption (PBE)
• No key-rotation or key-compromise plan
Auditing an EKMI
• Key-management policy
• Prerequisite controls:
  – Physical access control to EKMI machines
  – Logical & network access control to EKMI
  – Standard security controls
    • Firewall
    • Minimal attack-surface (minimal services)
    • Security patches
    • Security logging
Auditing an SKMS Client
• Is a hardware token being used?
• How many people are required to log into the token to activate it?
• How many people have access to token?
• How often is the token PIN changed?
• How much data is encrypted with 1 key?
• SHA-1 hash of client library?
• Is the token backed up and how is it protected?
Auditing an SKMS Server
• Is a hardware token being used?
• How many people are required to log into the token to activate it?
• How many people have access to token?
• How often is token PIN changed?
• SHA-1 hashes of server jar files?
• Is the token backed up and how is it protected?
OASIS IDTrust Member Section
● Identity & Trusted infrastructure components
● Identity & Trust Policies, Enforcement, Education & Outreach
● Identify barriers and emerging issues
● Current Technical Committees:
  – Enterprise Key Management Infrastructure TC
  – Public Key Infrastructure Adoption TC
OASIS EKMI-TC
● Four (4) objectives & Sub-Committees:
  – Standardize on Symmetric Key Services Markup Language (SKSML)
  – Create Implementation & Operations Guidelines
  – Create Audit Guidelines
  – Create Interoperability Test-Suite
Current EKMI-TC Members
● FundServ (Canada)
● PA Consulting (UK)
● PrimeKey (Sweden)
● Red Hat (USA)
● StrongAuth (USA)
● US Department of Defense (USA)
● Visa International (USA)
● Wave Systems (USA)
● Many security/audit focused individuals

ISACA – OASIS
• Many ISACA members from San Francisco are EKMI-TC (AGSC) members
• Full-day workshop scheduled for October-November 2007
  – Setting up an SKMS
  – Operating an SKMS
  – Auditing an SKMS
  – Attacking an SKMS
Conclusion
● “Securing the Core” should have been Plan A from the beginning ... but it's not too late to remediate.
● OASIS EKMI-TC is driving new key-management standards that cut across platforms, applications and industries.
● Auditing EKMIs requires new levels of knowledge and understanding.
● Get involved!
Thank you!