© 2014 Entrust Datacard Corporation. All rights reserved.
Entrust DataCard Securing Digital Transactions and Identities
Presenter: Debs F Debs, VP Professional Services Americas
AGENDA
• About Entrust DataCard
• Digital Transactions
• Role of PKI in securing Digital Transactions
• PKI Integrations
• PKI and Internet of Things (IoT)
• Crypto
• Summary
Entrust DataCard Overview
Driving innovation in issuance, authentication, PKI and SSL technologies
$600M+ in annual revenue
2,000+ employees in 34 worldwide locations
Sales, service and support covering 150+ countries
Headquartered in Minneapolis, Minnesota USA
Privately held, founded in 1969
SOLUTION AREAS
• Financial Instant Issuance
• Authentication
• Bureau Services
• PKI
• Basic Access Control
• SSL Certificates
Digital Transactions
DIGITAL TRANSACTIONS
We transact daily when we generate, post, search and retrieve data:
• Websites and Forms (Gov employee, ministries, public, partners)
• Emails, Files (classified content, judicial, PII, etc.)
• Sensitive changes (changes to our system, processes, IT & security notifications)
• Financial data and transactions
• Access to Resources (SharePoint, VPN, Wireless, building access, record access, ...)
VALUE OF TRANSACTED DATA
The value of transacted data is not just monetary!
• Advantage
• Access to personal records, espionage
• May be used to breach
• Ransom
• Reputation and brand tarnish
• Other
ATTACK VECTORS
Attack vectors vary depending on how the transactions are carried out:
• Masquerading
• Phishing and spear-phishing
• Unprotected websites (non-SSL enabled, DNS poisoning)
• Malware (downloaded or installed; key loggers; scripts as part of forms, Adobe; unsigned drivers, applications, etc.)
• Password-less and password-only access to resources (Wireless, VPN)
• Unauthorized devices (BYOD, laptops, tablets) gaining access
Too many forms to list; however, all of these attacks are after your identity. Once the identity is stolen, the data follows.
Public Key Infrastructure Role
In securing the Digital World
TRANSACTIONS – THINGS TO CONSIDER
WHAT IS THE END GAME?
• Connect – Anyone or Anything, ANYWHERE
• ...and Trust – it is, or they are, who they say they are
• ...and Enable them to transact securely
(Diagram: Company X PKI connected to Company Y PKI)
THE ACTUAL END GAME..
• Encryption: Document Encryption, Secure Email, Secure File Transfer, Custom Applications
• Digital Signature: Document Signatures, B2B Data Exchange, Web Form Signatures, Credential Integrity
• Authentication: Auth to PC & Apps, VPN Auth, Device Auth, Website Auth & Apps, ID Cards
• Credential: Smart Card, Mobile Smart Credential, USB Token, Desktop ID, Device Certificates
• Enablement
ENABLING PKI SIGNATURES
• Digital Signature use cases: Document Signatures, B2B Data Exchange, Web Form Signatures, Credential Integrity
• Credential: Smart Card, Mobile Smart Credential, USB Token, Desktop ID, Device Certificates
• Enablement:
– Leveraging built-in capability
– Right-click files in folders
– Interoperable
– Inside the enterprise
– Transaction integrity
– Standards compliant
– Toolkits
– Transparent
– Provable, signs & stores whole page
– Signed data on RFID chip
STRONG AUTHENTICATION
• Authentication use cases: Auth to PC & Apps, VPN Auth, Device Auth, Website Auth & Apps, ID Cards
• Credential: Smart Card, Mobile Smart Credential, USB Token, Desktop ID, Device Certificates
• Enablement:
– Windows Smart Card Login
– IPsec VPN
– SSL VPN
– Domain controller certificates for smart card login
– 802.1x
– Server Authentication
– Automated Teller Machines
– SSL Server Certificates
– SSL EV
– SSL client certificates
– Enterprise portal authentication
– Consumer/Citizen Web Auth (+ Sign)
– Citizen Identity Card
– Employee ID
– Physical & Logical Access
ENABLING PKI ENCRYPTION
• Credential: Smart Card, Mobile Smart Credential, USB Token, Desktop ID, Device Certificates
• Encryption use cases: Document Encryption, Secure Email, Secure File Transfer, Custom Applications
• Enablement:
– Right-click files in folders
– Adobe Acrobat
– Windows EFS
– End to End Email
– Complementary to EMS
– Packaged Tools
– Custom Apps
– WebMethods
– Tibco
– Axway/Cyclone
– Standards-based
– Standards compliant
– Java or C++ Toolkits
HOW IS IT DONE?
A digital certificate is an object that contains:
• Holder's Identity/Name
• Valid from date
• Valid to date
• Issuer (Organization/Issuer Name)
• Public key used to communicate with you
• Private key the owner keeps to themselves
6/17/2016
Example certificate summary:
Name: Mike Hathaway
Issued By: Entrust
Expires: 31 Jan 2018
Usage: Digital Signature
WHAT DOES A PKI LOOK LIKE
(Diagram of PKI components)
• Root CA, with Directory and HSM
• Issuing CA, with Directory and HSM
• Administration Services (Administration)
• End-entities: Smart Cards, Desktops & Users, USB Tokens, Devices
• Email Notification
• Browser Credentials
© 2016 Entrust Datacard Corporation. All rights reserved.
Using PKI
Uniqueness of PKI
Leverage Trusted Identities for Multiple Purposes:
• Authentication – Authenticity
• Encryption – Secrecy & confidentiality
• Digital Signatures – Accuracy & Integrity
PKI End-Entities
Trusted Identities for: Servers, People, Machines, Devices, Apps
ENABLING TRANSACTIONS
Secure Transactions:
• Infrastructure Control
• Building Access
• Border Crossing
• Network Access
• Financial Transactions
ENTERPRISE APPLICATIONS
Enterprise Use Cases:
• Web Form Signatures
• VPN Auth
• Network Auth
• Secure Email
• Auth to PC & Apps
PKI FOR ENTERPRISE AND BEYOND
PKI Integrations
ENTELLIGENCE AUTO-ENROLLMENT
• Entrust Auto-Enrollment Service – supports auto-enrolment for:
– Entrust Entelligence for Windows
– Entrust Entelligence Secure Desktop for Mac (coming in SDM 8.1 SP1)
(Diagram) Desktop or Server with ESP/SDM installed → Admin Services Auto-Enrollment Service → Admin Services configured to talk to Managed CA.
ENTELLIGENCE AUTO-ENROLLMENT
1. User boots up computer and logs onto the network.
2. ESP for Windows authenticates user to Administration Services Auto-Enrollment Server. Users will be prompted to enter a PIN or password if the private keys are configured to be stored on smart cards/tokens or in an Entrust EPF file.
3. User entry is automatically generated in the CA.
4. Activation Codes transparently transmitted to ESP.
5. User is automatically enrolled for an Entrust Digital ID.
WINDOWS NATIVE ENROLLMENT
• Entrust Windows Network Enrollment Service
– Provides client-less PKI enrolment for the Windows OS
– Single Admin Services install can support multiple WNES / AD Domains
• Supports:
– Self-Enrollment
– Queued Enrollment
– Renewals
– Enroll On Behalf Of
– Self Enrollment with Key Archive
– Enroll On Behalf Of with Key Archive
(Diagram) Microsoft Desktop or Server → Microsoft Domain with Entrust WNES component installed → Admin Services configured to talk to Managed CA.
MDM INTEGRATION
WEB SERVICES API
• Allows MDMs to issue Entrust digital IDs to mobile devices
• Unified WS Interface to both IDG and Admin Services
• IdentityGuard SSM has native capability to enroll Mobile Devices for certificates without MDM
(Diagram) MDM → Entrust IdentityGuard Self-Service Module → Entrust IdentityGuard → Administration Services
CSR ENROLLMENT
• Web Application for submission and approval of PKCS#10 CSRs
• Supports:
– Client Auth / AD auth of submitters and approvers
– Queued Operations
– CSR rules / validation
– Multiple Managed CAs
(Diagram) CSR Submitters and Approvers → CSR validated against rules in Digital ID Configuration → Admin Services sends P10 CSR to managed CA.
SCEP ENROLLMENT
• Entrust SCEP Implementation offers RSA and ECC enrollment
• Static SCEP Password defined for enrollment / renewal operations
1. Device contacts Entrust SCEP Server.
2. Entrust SCEP Server validates SCEP password and CSR against Digital ID Configuration.
3. Device added to Managed CA and certificate issued.
CMPV2 ENROLLMENT
• Entrust CMPv2 Implementation offers RSA and ECC enrollment
• Static Password or Vendor Certificate authentication for enrollment / renewal operations
• IP Address or DNS whitelist validation
1. Device contacts Entrust CMPv2 Server.
2. Entrust CMPv2 Server validates password/vendor cert and CSR against Digital ID Configuration.
3. Device added to Managed CA and certificate issued.
EST ENROLLMENT
• Entrust EST Implementation offers RSA and ECC enrollment
• Vendor Certificate authentication for enrollment / renewal operations
1. Device contacts Entrust EST Server.
2. Entrust EST Server validates vendor cert and CSR against Digital ID Configuration.
3. Device added to Managed CA and certificate issued.
PKI And
Internet of Things (IoT)
PKI MARKET TRENDS
• Internet of Things
– Wearables
– Smart Traffic Systems
– Automotive
– Appliances
– Smart Meters
– Audio Visual Set-top Boxes
– Vending machines
– Toys
• IoT Challenges
– Speed
– Scale
– Device heterogeneity, issuance and attributes
– Assurance requirements and transaction types: closed usage model; revocation and validation; life cycle and renewal
“The installed base of ‘things,’ excluding PCs, tablets and smartphones, will grow to 26 billion units in 2020, which is almost a 30-fold increase from 0.9 billion units in 2009.” – “Forecast: The Internet of Things, Worldwide, 2013”, Gartner
Latest Crypto
Summary
• RSA, ECC are still the crypto of choice
• Winternitz One Time Signature (WOTS), Merkle Hash Tree (MHT), eXtended Merkle Signature Scheme (XMSS)
• Quantum computers
– Not just massively-parallel classical computers
– Large-scale quantum computers are coming
– This will result in the need for new cipher suites
– But not for several years: 2025 minus the algorithm security lifetime
– It can take several years to roll out a new cipher suite, even if the new cipher suite has similar characteristics to those of the old one
– How long will it take if the new cipher suite has different characteristics? Such as:
– An upper limit on the number of signatures per key
– The need to maintain state
• Not too early to be thinking about this
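The two "different characteristics" the summary calls out for hash-based schemes, a hard cap on signatures per key and state that must be persisted, are easiest to see in code. The following is an added example, not code from the deck or from Entrust: a simplified Winternitz OTS (w=16, SHA-256, checksum, no XMSS bitmasks) under a Merkle tree of height h, giving exactly 2^h signatures, with the next-unused-index state advanced before a signature is released. Parameters and the seed are illustrative assumptions, not the XMSS draft's.

```python
import hashlib

# Constructed, simplified WOTS + Merkle tree; not XMSS-exact (no bitmasks, no PRF keying).
W, N_CHAINS = 16, 64 + 3  # base-16 digits: 64 from a SHA-256 digest + 3 checksum digits

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def chain(x, steps):  # apply H `steps` times
    for _ in range(steps):
        x = H(x)
    return x

def base_w(digest):  # message digits plus a checksum that blocks "walking chains forward"
    digits = [d for b in digest for d in (b >> 4, b & 15)]
    csum = sum(W - 1 - d for d in digits)  # at most 960, so 3 base-16 digits suffice
    return digits + [(csum >> 8) & 15, (csum >> 4) & 15, csum & 15]

def wots_keygen(seed):
    sk = [H(seed, bytes([i])) for i in range(N_CHAINS)]
    return sk, [chain(s, W - 1) for s in sk]  # public key = end of every chain
def wots_sign(sk, msg):
    return [chain(s, d) for s, d in zip(sk, base_w(H(msg)))]
def wots_pk_from_sig(sig, msg):  # finish each chain; equals the pk iff the sig is genuine
    return [chain(s, W - 1 - d) for s, d in zip(sig, base_w(H(msg)))]

class MerkleSigner:  # stateful: 2**height one-time keys, one index consumed per signature
    def __init__(self, seed, height):
        self.height, self.used = height, 0  # `used` is the state that must survive restarts
        self.keys = [wots_keygen(H(seed, i.to_bytes(4, "big"))) for i in range(2 ** height)]
        self.layers = [[H(*pk) for _, pk in self.keys]]  # leaves = hashed WOTS public keys
        while len(self.layers[-1]) > 1:
            prev = self.layers[-1]
            self.layers.append([H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
        self.root = self.layers[-1][0]  # the long-term public key

    def sign(self, msg):
        if self.used >= 2 ** self.height:
            raise RuntimeError("key exhausted: every one-time key has been used")
        idx, self.used = self.used, self.used + 1  # advance state before releasing the sig
        auth = [self.layers[lv][(idx >> lv) ^ 1] for lv in range(self.height)]
        return idx, wots_sign(self.keys[idx][0], msg), auth

def verify(root, msg, signature):
    idx, sig, auth = signature
    node = H(*wots_pk_from_sig(sig, msg))
    for lv, sibling in enumerate(auth):  # rebuild the path to the root from the auth nodes
        node = H(sibling, node) if (idx >> lv) & 1 else H(node, sibling)
    return node == root
```

Reusing an index (for example after restoring `used` from a stale backup) releases two chain positions for the same one-time key, which is why the state update must be durable before the signature leaves the signer.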
BIBLIOGRAPHY
Quantum computers:
• "The quest for the quantum computer", Julian Brown, Touchstone, 2001
• "Quantum Computing Lecture Notes", Ronald de Wolf, 2011, http://homepages.cwi.nl/~rdewolf/qcnotes.pdf
Post-Quantum Cryptography:
• "NSA Suite B Cryptography", NSA, 2015-08-19, https://www.nsa.gov/ia/programs/suiteb_cryptography/
• "Commercial National Security Algorithm Suite and Quantum Computing", NSA, Jan 2016, https://www.iad.gov/iad/customcf/openAttachment.cfm?FilePath=/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/assets/public/upload/Commercial-National-Security-Algorithm-CNSA-Suite-Factsheet.pdf&WpKes=aF6woL7fQp3dJirQ4SVyNDqjbSJ9a88xZcnLAL
• "A riddle wrapped in an enigma", Koblitz, Menezes, 2015-12-03, http://eprint.iacr.org/2015/1018.pdf
• "Post-Quantum Cryptography for Long-Term Security", PQCrypto, September 2015, http://pqcrypto.eu.org/docs/initial-recommendations.pdf
Hash-based signatures:
• "Hash based signatures", Imperial Violet, 18 Jul 2013, https://www.imperialviolet.org/2013/07/18/hashsig.html
• "XMSS – A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions", Buchmann et al., November 2011, https://eprint.iacr.org/2011/484.pdf
• "XMSS: Extended Hash-Based Signatures", draft-irtf-cfrg-xmss-hash-based-signatures-03, Huelsing et al., Feb 2016, https://www.ietf.org/id/draft-irtf-cfrg-xmss-hash-based-signatures-03.pdf
Lattice-based cryptography:
• "Lattice-based Cryptography", Daniele Micciancio, Oded Regev, July 22, 2008, http://www.cims.nyu.edu/~regev/papers/pqc.pdf
Code-based cryptography:
• "McBits: fast constant-time code-based cryptography", Bernstein et al., 2013, http://binary.cr.yp.to/mcbits-20130616.pdf
• Wikipedia article on the McEliece Cryptosystem
Questions?