global e-security
www.baltimore.com

Slide 1: Baltimore Presents: ABN AMRO Bank’s Corporate Cryptographic Infrastructure
Slide 2: Baltimore Technologies
• 20 years experience in cryptography and PKI
• 20 years experience in design and deployment of e-security solutions
• World class PKI technology
• Breadth of product offering
  - Certificate Authority
  - Toolkits
• Commitment to open standards
Market-leading innovation, features and flexibility
Slide 3: ABN AMRO Bank
• One of the leading universal network banks
• Headquartered in the Netherlands
• Locations in 76 different countries and territories
• More than 3,500 offices
• Total assets exceed 464 billion Euro
• Ranked the world’s sixth largest bank (based on total assets)
• Over 105,000 full time employees
Slide 4: ABN AMRO IT Infrastructure
• Global and distributed infrastructure
• Great variety in platforms
• Multi-vendor environment
• Complex systems
• Growing integration
• External connections
• Use of public networks
• High value payment transactions
Slide 5: What Is The CCI Project?
• Corporate Cryptographic Infrastructure
• Security system based on secret and public key cryptography that provides security to ABN AMRO banking activities around the world
• Objective of CCI is to deliver cryptographic services to any user of an ABN AMRO application that needs them, on any platform, anywhere in the world, in a common and consistent way
• Project delivers a full operational PKI combined with a standard set of cryptographic services
• Partnership with Baltimore and IBM (Solution Provider)
Slide 6: Why Does ABN AMRO Need CCI?
• Need for secure storage and transport of data within the bank’s infrastructure
• Need for secure communications with customers, partners, and other banks
• Cryptography can make security independent of the complexity of the bank’s IT infrastructure
• Cryptography is the only known practical method for delivering end to end security
Slide 7: Banking Costs Per Transaction
[Bar chart: cost per transaction in US$ (axis from 0 to 1.2) for the Branch, Phone, PC Banking and Internet channels]
Slide 8: Situation Before CCI
• Different security solutions for basically the same security requirements
• Security solutions integrated into the applications, which makes re-use of solutions a problem
• Variety of different tools is inefficient to manage
• Integration of partial solutions is difficult and parts of the infrastructure are not protected
Slide 9: CCI – Security Services
• Peer Entity Authentication
• Data Integrity
• Origin Authentication
• Data Confidentiality
• Software Integrity
• Message Sequence Integrity
• Non-repudiation with proof of Origin
• Non-repudiation with proof of Delivery
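The slide names these services as outcomes without saying how a deployment obtains them. As an added example (not code from the deck, from CCI or from Baltimore's toolkits), the Go program below shows how four of them fall out of one mechanism: the sender signs each message over its payload together with a sequence number, so a single signature check yields data integrity, origin authentication and message sequence integrity, and the receiver's own signed receipt yields non-repudiation with proof of delivery. The message format, the domain labels, the P-256 ECDSA keys (the slides mention RSA) and the payment instruction are constructed assumptions; in CCI the receiver would take the peer's public key from its X.509 certificate rather than from the sender object. Data confidentiality and peer-entity authentication are not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope is the constructed message format: sequence number, payload and the sender's
// ECDSA signature over SHA-256(label || seq || payload), so one signature covers position too.
type Envelope struct {
	Seq     uint64
	Payload []byte
	Sig     []byte // ASN.1-encoded ECDSA signature
}

// digest binds a domain label, the sequence number and the payload into one hash, so that a
// message signature can never be passed off as a receipt or the other way round.
func digest(label string, seq uint64, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(label))
	var seqBytes [8]byte
	binary.BigEndian.PutUint64(seqBytes[:], seq)
	h.Write(seqBytes[:])
	h.Write(payload)
	return h.Sum(nil)
}

// newKey panics on failure: an unusable RNG is an environment fault, not a protocol outcome.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// Sender numbers and signs every message it originates.
type Sender struct {
	key  *ecdsa.PrivateKey
	next uint64
}

func NewSender() *Sender { return &Sender{key: newKey(), next: 1} }

// PublicKey is what a CCI peer would take from the sender's X.509 certificate.
func (s *Sender) PublicKey() *ecdsa.PublicKey { return &s.key.PublicKey }

func (s *Sender) Send(payload []byte) (Envelope, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest("msg", s.next, payload))
	if err != nil {
		return Envelope{}, err
	}
	env := Envelope{Seq: s.next, Payload: payload, Sig: sig}
	s.next++
	return env, nil
}

var (
	ErrIntegrity = errors.New("signature invalid: data integrity or origin authentication failed")
	ErrSequence  = errors.New("sequence number not above the last accepted: replayed or out-of-order message")
)

// Receiver checks origin, integrity and sequence for one peer and signs receipts with its own key.
type Receiver struct {
	peer *ecdsa.PublicKey
	key  *ecdsa.PrivateKey
	last uint64
}

func NewReceiver(peer *ecdsa.PublicKey) *Receiver { return &Receiver{peer: peer, key: newKey()} }

func (r *Receiver) PublicKey() *ecdsa.PublicKey { return &r.key.PublicKey }

// Accept verifies the envelope and, on success, returns a signed receipt the sender can keep as
// proof of delivery. The signature is checked before the sequence number, so an unauthenticated
// message can never move the receiver's window.
func (r *Receiver) Accept(env Envelope) ([]byte, error) {
	if !ecdsa.VerifyASN1(r.peer, digest("msg", env.Seq, env.Payload), env.Sig) {
		return nil, ErrIntegrity
	}
	if env.Seq <= r.last {
		return nil, ErrSequence
	}
	r.last = env.Seq
	return ecdsa.SignASN1(rand.Reader, r.key, digest("receipt", env.Seq, env.Payload))
}

// ProofOfDelivery lets the sender (or an arbiter) check a receipt against the receiver's public key.
func ProofOfDelivery(receiverPub *ecdsa.PublicKey, env Envelope, receipt []byte) bool {
	return ecdsa.VerifyASN1(receiverPub, digest("receipt", env.Seq, env.Payload), receipt)
}

func main() {
	s := NewSender()
	r := NewReceiver(s.PublicKey())
	env, _ := s.Send([]byte("PAY 100 EUR TO ACCOUNT 42")) // constructed payment instruction
	receipt, err := r.Accept(env)
	fmt.Println("accepted:", err == nil, "delivery proven:", ProofOfDelivery(r.PublicKey(), env, receipt))
	_, err = r.Accept(env) // the same envelope presented again
	fmt.Println("replay:", err)
}
```

Run it with `go run`. The design point is the order of the two checks in Accept and the fact that the sequence number sits under the signature: a tampered message fails on integrity without touching the receiver's window, and a replayed or reordered genuine message fails on sequence even though its signature is valid. Strictly increasing numbers are the simplest window; a deployment that tolerates reordering would keep a bitmap of recently seen numbers instead.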
Slide 10: CCI – Requirements
• Secure implementation
• Standards based / Interoperability
• Multi-platform support
• Performance scalability
• Hardware independent
• Highly automated key management
• Proven technology
• Selectable level of security
• Ease of use
• High availability
Slide 11: CCI – Architectural Overview
[Diagram: the ABN AMRO Corporate Network connecting CCI Servers; CCI Clients on AS/400, Unix and the CCI Desktop; an OS/390 Parallel Sysplex running CCI Servers and the CCI Client CM OS; Certification Authorities; Registration Authorities with their RAO; CCI NT Application Servers; a Policy Manager; User Workstations; and Directory Services]
Slide 12: CCI – Components
• Smart Cards as personalized tokens for user authentication and for generation of digital signatures
• PC-software modules for workstations
• Cryptographic Adapters (IBM 4758, nCipher) for servers and critical workstations
• Security servers and CMOS technology (on-board crypto) on IBM mainframes
Slide 13: CCI Security Architecture
[Diagram: a layered stack of Application, Security API, Security Services and Security Processors]
A range of options for the security processor:
• Software only
• SmartCard
• SmartCard Reader
• PCMCIA
• PC Cryptoboard
• Host Security Module
• Smart Disk
Slide 14: The Extended Network
[Diagram: the corporate network of slide 11 (CCI Servers, CCI Clients on AS/400, Unix and the CCI Desktop, OS/390 Parallel Sysplex, Certification and Registration Authorities with RAO, CCI NT Application Servers, Policy Manager, User Workstations, Directory Services) extended through a Firewall and Information Servers to the Internet, where it reaches Corporate Clients, Partners, Suppliers, Offices, Registration Authorities and Users]
Slide 15: Summary of Standards
• Cryptographic algorithms (DES, triple-DES, RSA, SHA-1, ANSI X9.9, etc.)
• ISO 9796 format (SHA-1 and RSA) digital signatures
• ISO/IEC CD 11770-3 key management mechanisms using asymmetric techniques
• ISO/IEC 9798-3 entity authentication using a public key algorithm
• X.509 v3 Public Key Certificates with extensions
• CRL v2 Revocation Lists
• X.500 Directory Services
• PKIX standards (RA/CA & CA/CA)
• GSS-API, IDUP GSS-API, LDAP v2, PKCS, OCSP
Slide 16: CCI PKI Architecture
[Diagram: End Entities enrol face-to-face with Registration Authority Operators (RAO); each Registration Authority (RA) and Certification Authority (CA) runs with an HSM and a database (D/B); a Certification Authority Operator (CAO) operates the CAs, which cross-certify with an external CA; Directory Services are reached over LDAP and DAP; the End User Domain holds PKI-enabled applications (E-mail, Browser, VPN) and Gateways, which use LDAP]
Slide 17: Who is IDENTRUS?
[Diagram: IDENTRUS member banks, situation early 1999; bank names recoverable from the slide: Sanwa Bank, CIBC]
Slide 18: Strategy Of IDENTRUS
• Facilitate electronic commerce through the establishment of trusted certificate authorities owned and operated by leading global banks
• Bank certificate authorities to be independent but interoperable
• Standards-based, vendor neutral, global scope, legal framework
Slide 19: IDENTRUS Four Corner Model
[Diagram: the four corners Buyer, Buyer’s Bank, Seller and Seller’s Bank; TRUST is marked on the relationships with the banks, and NO Trust directly between Buyer and Seller]
Slide 20: Trust enables E-Commerce
[Diagram: the Buyer, holding a smart card with certificates, sends a signed purchase order (Signed Data) to the Seller over the INTERNET; the Seller’s Bank Certificate Authority sends an On-Line Certificate Validation / Warranty Request to the Buyer’s Bank Certificate Authority, with request and reply passing under the IDENTRUS Root CA; the two banks are labelled ABN AMRO and Other Bank; Identrus Legal/Contract Framework: define standard operating and liability rules for corporations]
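Slides 19 and 20 describe the trust topology and the on-line validation step, and slide 15 lists X.509 v3 certificates with extensions and CRL v2 among the standards CCI relies on. The Go program below is an added example, not code from the deck, from CCI, from UniCERT or from Identrus: it builds that topology with the standard library's crypto/x509 package (a shared root, two bank CAs certified by it, one end entity per bank) and then performs the check a seller's bank would run on a buyer's certificate: a trust path to the shared root through the issuing bank, followed by a revocation check against a CRL that the issuing bank itself signed. The names, serial numbers, P-256 ECDSA keys (the slides mention RSA) and the one-entry CRL are constructed assumptions; the warranty and liability side of the Identrus model is not represented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Corner is one participant: its X.509 v3 certificate and private key (for a bank, its CA key).
type Corner struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// keyUsage extension values: a CA signs certificates and CRLs; an end entity signs data,
// with ContentCommitment (the non-repudiation bit) set.
const (
	caUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	eeUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment
)

// newCorner makes a P-256 key pair and has issuer certify it (nil issuer: self-signed root).
// Failures here mean a broken environment, so they panic instead of looking like a validation result.
func newCorner(cn string, serial int64, ku x509.KeyUsage, issuer *Corner) *Corner {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{ // BasicConstraints and KeyUsage are v3 extensions
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku,
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &Corner{Cert: cert, Key: key}
}

// FourCorner is the constructed hierarchy: one shared root, two bank CAs, two end entities.
type FourCorner struct{ Root, BuyerBank, SellerBank, Buyer, Seller *Corner }

func BuildFourCorner() *FourCorner {
	root := newCorner("IDENTRUS Root CA", 1, caUsage, nil)
	bb := newCorner("Buyer's Bank CA", 2, caUsage, root)
	sb := newCorner("Seller's Bank CA", 3, caUsage, root)
	return &FourCorner{Root: root, BuyerBank: bb, SellerBank: sb,
		Buyer: newCorner("Buyer", 4, eeUsage, bb), Seller: newCorner("Seller", 5, eeUsage, sb)}
}

// IssueCRL has a bank CA sign a CRL v2 listing one serial number as revoked.
func IssueCRL(bank *Corner, revokedSerial int64) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: time.Now()}}}
	return x509.CreateRevocationList(rand.Reader, tmpl, bank.Cert, bank.Key)
}

// Validate is the relying bank's check: ee must chain to anchor through issuer (the CA that signed
// ee), and the supplied CRL must carry a valid signature from issuer and not list ee's serial number.
func Validate(ee, issuer, anchor *x509.Certificate, crlDER []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	inters.AddCert(issuer)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := ee.Verify(opts); err != nil {
		return fmt.Errorf("no trust path: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil { // an unsigned or foreign CRL proves nothing
		return fmt.Errorf("CRL not signed by the issuing bank: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(ee.SerialNumber) == 0 {
			return fmt.Errorf("serial %s is revoked", ee.SerialNumber)
		}
	}
	return nil
}

func main() {
	fc := BuildFourCorner()
	crl, _ := IssueCRL(fc.BuyerBank, 4) // the buyer's bank revokes serial 4, the buyer's certificate
	fmt.Println(Validate(fc.Buyer.Cert, fc.BuyerBank.Cert, fc.Root.Cert, crl))
}
```

Run it with `go run`. Two points matter for a relying party: Verify in crypto/x509 builds the chain but never consults revocation data, so the CRL (or, per slide 15, an OCSP responder) has to be fetched and checked separately; and a CRL is only evidence when its signature verifies against the CA that issued the certificate, which is why Validate rejects a CRL from the other bank before reading its entries. In the four corner model the buyer's bank is the only party that can publish that CRL, and the seller's bank reaches it through the shared root rather than through any direct arrangement with the buyer.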
Slide 21: Value Throughout The Transaction Life Cycle
[Diagram: trading party identification (Buyer ID, Seller ID) provided by Identrus member banks at each step of the transaction. Buyer purchasing process: Source Suppliers, Select Supplier, Negotiate Sales Terms, Create & Send Purchase Order, Receive Goods & Invoice, Make Payment, Cash & Accounting. Seller selling process: Source Customers, Credit Application, Quotation / Credit Rating, Negotiate Terms, Receive PO / Order Entry & Allocate Inventory, Ship Goods & Send Invoice, Receive Payment, Cash & Accounting]
Slide 22: CCI Public Key Infrastructure
• PKI will be based on UNICERT (Baltimore)
• PKI supports all ABN AMRO public key based solutions
• Key generation is responsibility of applications
• Secure transport of public key certificate requests via public networks using smart cards
• Generation of smart card keys during personalisation
Slide 23: CCI Future Directions
• More focus on Internet/Intranet
• Automatic certificate renewal
• Bulk certificate issuing
• Encryption of stored data
• Key recovery
• Attribute certificates
• Time stamping
• Secure Single Sign-on
• New algorithms and Protocols
• More use of products on the market (instead of own developments)
Slide 24: PKI At The Heart Of ABN AMRO Security
Slide 25: ABN AMRO and Baltimore
Eric Koop, VP, IT Solutions Division - ABN AMRO Bank:
“We selected Baltimore because of their understanding of the security needs of the banking sector. We expect their PKI and their systems integration capability will give us exactly the solution we require.”