mobilepki

  • 8/2/2019 mobilepki

    1/48

    The World Internet Security Company

    Practical Experiences of PKI-enabled Applications and Implications for Mass Deployment of e-IDs

    Conference on Cryptology and digital Content Security

    An activity of MATHESS, a NEST coordination activity of the EC

    CRM, Bellaterra, 15 May 2007

    Victor Canivell, CEO, Wisekey ELA

  • 8/2/2019 mobilepki

    2/48

    Agenda

    On Wisekey

    PKI today:
    - challenges
    - PKI & PKO
    - DNI-e

    Mass deployment tools:
    - Wisekey CertifyID Blackbox

    Wisekey references

    Conclusions

  • 8/2/2019 mobilepki

    3/48

    Wisekey's development

    [Timeline figure, axis: 1999, 2001, 2003, 2005, 2007]

    - Intelligent cities: DestiNY USA. Biometrics, PKI, DRM, physical & logical security
    - e-Voting: first ever binding Internet vote; biometric-enabled PKI e-voting for the blind
    - Developing countries: deploying infrastructures with the ITU
    - Digital TV apps protection: securing the Digital Video Broadcasting infrastructure
    - Object eIDs: securing objects (silicon, luxury goods, materials)
    - NIS partnership: Microsoft, HP, WISeKey. ID cards, drivers' permits, passports...

    Technology Platform

    - Unicert Gold CA Platform (HP)
    - Bronze Box (RA System)
    - eVoting Solutions
    - Customised Identity & Security Solutions
    - Birth of CertifyID Platform
    - Trust Service
    - Blackbox for Enterprise
    - Validation Solutions
    - Signing Solutions
    - Trust EcoSystem
    - Device & Content Protection
    - Secure Video Processor Alliance

  • 8/2/2019 mobilepki

    4/48

    Wisekey SA

    Geneva, Switzerland, 1999

    e-ID specialization

    Our vision is to enable the volume deployment of e-IDs in a way that is cost effective and easy to integrate with existing IT backbones

    From supplier of digital certificates to supplier of certificate-enabled solutions and services

    On site, hosted, managed and/or ASP models

    Signs a strategic e-ID partnership with Microsoft (Brussels, June 2006)

    M. DeSmedt, ex Sr VP MSFT EMEA, becomes an investor and Board Member in 2007

  • 8/2/2019 mobilepki

    5/48

    Wisekey ELA

    Joint venture of Wisekey SA and Veliba-Sectec for the development of the business model in Spain and Latin America

    Initiates operations as of 2007 in Madrid, Barcelona, Bilbao

    Secure facility under construction in Bilbao

    2008: Initiates operations in Latin America for local joint ventures

  • 8/2/2019 mobilepki

    7/48

    Internet: (great) success with (some) challenges

    Internet has scaled over four decades
    - showing exponential growth
    - and becoming mission critical

    Internet continues to augment its bandwidth
    - Internet2
    - IPv6

    But Internet suffers from architecture constraints related to some of its founding assumptions:
    - principle of trust
    - computers always in fixed locations and always connected

  • 8/2/2019 mobilepki

    8/48

    An old problem

    The New Yorker, 1993: "On the Internet, nobody knows you're a dog!"

  • 8/2/2019 mobilepki

    9/48

    Exponential growth in e-IDs

    [Figure: No. of e-IDs over time (pre-1980s, 1980s, 1990s, 2000s). Labels: Mainframe, Client Server, Internet, Business Automation, Company (B2E), Partners (B2B), Customers (B2C), Mobility, plus all devices to be tracked!!]

  • 8/2/2019 mobilepki

    10/48

    Employees

    Suppliers

    Partners

    Remote employees

    Customers

    Customer satisfaction & customer intimacy
    Cost competitiveness
    Reach, personalization

    Collaboration
    Outsourcing
    Faster business cycles; process automation
    Value chain

    M&A
    Mobile/global workforce
    Flexible/temp workforce

    Supply chain openness = more e-IDs

  • 8/2/2019 mobilepki

    11/48

    Demand vectors

    27.000 phishing sites (RSA Jan. 07)

    Malware in 40% of systems (Panda)

  • 8/2/2019 mobilepki

    12/48

    The best antidote

  • 8/2/2019 mobilepki

    13/48

    Note to The best antidote

    Yes, PKI, but we must not forget* that security

    (1) is a chain; it's only as secure as its weakest link

    (2) is a process, not a product

    * Bruce Schneier

  • 8/2/2019 mobilepki

    14/48

    Usage

    Data Encryption

    Intranet/Extranet Access Management

    Mobile Data Encryption

    Digital Identity

    Digital Signature

    Email encryption and signature

    Access Control

    User management

    Applicability

  • 8/2/2019 mobilepki

    15/48

    The PKI components

    Technology platform

    Policies and procedures

    Trust model

  • 8/2/2019 mobilepki

    16/48

    The perception of PKI success

    No and/or limited volume PKI deployments

    but

    In fact they now exist (DNI-e et al.)

    The above refers to authenticating individuals; in the meantime there is an explosion of authentication requirements for servers, devices, digital content, etc.

    And, in fact, PKI-enabled solutions for addressing individuals are now becoming economically attractive

    The first issue to recognize is that we are dealing with an infrastructure element, and its attractiveness is a function of the ROI for the first solution it supports (e-invoicing, email encryption, SSO, etc.)

  • 8/2/2019 mobilepki

    17/48

    The classical barriers to PKI

    Complexity

    Cost

    Lack of applications

    Lack of integration

  • 8/2/2019 mobilepki

    18/48

    PKI technology acceptance

    PKI's ROI
    - Tangible & intangible
    - Current and future (perceptions)
    - Comparative to alternatives (incl. do-nothing)
    - Direct economic returns
    - Legislative drivers related to traceability

    McKinsey-Gartner's new technology acceptance curve:
    - PKI is emerging embedded in many apps

  • 8/2/2019 mobilepki

    19/48

    PKI & PKO

    Open PKI (Public Key Infrastructure)
    Integrated use of certificates to authenticate individuals across disparate public- and private-sector applications

    Closed PKI (Public Key Infrastructure)
    Use of broader PKI services but limited to use by one enterprise or a closed community of business partners, users or devices

    PKO (Public Key Operations)
    Integrated use of certificates within one application or service for limited key management uses

  • 8/2/2019 mobilepki

    20/48

    Uses of PKI technologies today

                 DRIVERS               SCOPE        SIZE        NO. IN EU   EXAMPLES
    OPEN PKI     e-GOVERNMENT G2C      RECOGNIZED   Millions    Tens        DNI-e
    CLOSED PKI   B2B, B2C              ADVANCED     Thousands   Thousands   SSO
    PKO          INTERNAL OPERATIONS   STANDARD     Tens        Millions    email encryption

  • 8/2/2019 mobilepki

    21/48

  • 8/2/2019 mobilepki

    22/48

    DNI-e impact

    Infrastructures (keyboards et al.), public transactions and both individual and private sector awareness

    DNI-e as the registration facilitator for obtaining other credentials

    Immediate complementary needs to surface:
    - other CAs
    - signature platforms
    - identity management across systems

  • 8/2/2019 mobilepki

    23/48

    What is now required

    Solutions to issue certificates and manage their lifecycles
    - in an economic manner
    - and easy to integrate (SOA)

    Value added services
    - time stamping
    - OCSP
    - secure vault
    - etc.

    International interoperability schemes

  • 8/2/2019 mobilepki

    25/48

  • 8/2/2019 mobilepki

    26/48

    Vision: Mass Deployment

    Microsoft Platform provides:
    - Commercially widespread platform
    - Globally available support and training
    - Certifications and accreditations (CC EAL4)
    - Widespread knowledgeable & technical resources
    - Strong security program & update/patch cycle
    - Certificate support in base engineering specs
    - Common interface and usage across product families

    WISeKey:
    - Trust model international, neutral, commercially acceptable, policy and governance structure
    - Full technology stack with tested and certified components
    - Secure infrastructure hosting, and operations
    - Affiliate and partner network support

    Delivery through:
    - Local partners
    - Affiliates

  • 8/2/2019 mobilepki

    27/48

    CertifyID Platform

    [Figure: Microsoft platform stack. Labels: Consistent Interfaces, Single Sign-On, Windows Server, MSMQ, .NET Framework, Windows Media Services, Common Mgmt Infra, SQL Server, RMS, Distributed File Service, VPN, RAS, Active Directory, Transaction Service, ASP.NET, IIS, PKI, SmartCard, WMI, Kerberos, Windows Kernel, Visual Studio .NET, Exchange, SPS, MMS, ISA, AD, BizTalk, CS2002, Office 2003, Mobile Info Server, 3rd Party Product, SMS 2003, MOM]

    Microsoft Platform provides:
    - CC EAL4 certification
    - Industrial class, millions of certificates
    - Strong security program & update/patch cycle
    - Common interface and usage across product families
    - Long term platform base

    [Figure: CertifyID components. Labels: Trust Service, MS CA Web Svc API, Guardian, Timestamp, Universal RA (URA), OCSP, ARM, CRL, Directory Svcs]

  • 8/2/2019 mobilepki

    28/48

    OISTE Trust Service

    Trust Service:

    WISeKey verifies and certifies your organisation's identity so that your users' and devices' electronic identities can be trusted and recognised globally.

    - Self or 3rd party audit depending on Trust Class
    - Global multilateral and commercial acceptability of eIDs
    - Microsoft Root Certificate Program
    - Apple Leopard OS X 10.5
    - Mozilla, Nokia, etc. pending

  • 8/2/2019 mobilepki

    29/48

    CA Web Service SOA

    CertifyID MS CA Web Services API (C#, C++):

    - SOAP/XML Layer
    - Enterprise SOA integration
    - Default interface for URA, ARM etc.

    [Figure labels: ESB - SOA, Other Apps, CA, Guardian]

  • 8/2/2019 mobilepki

    30/48

    Guardian CA Disaster Recovery / BC

    Guardian (C++):

    Guardian XM provides professional grade database redundancy and data persistency services for Certification Authorities on the Microsoft Windows Server platform.

    - Certificate Service Exit Module
    - Saves all certificates, status, history to MS SQL DB
    - Disaster recovery from MS SQL DB to MS SQL DB

    [Figure labels: CA, MS SQL DB, Recovery console]

  • 8/2/2019 mobilepki

    31/48

    CRL Manager

    CRL Manager (C#):

    Reliably publish and monitor certificate revocation lists.

    - Monitor and replicate revocation information
    - Detect fault conditions and alert operators

    [Figure labels: CA, Public Web, CRL Manager (Replicate/Int. Monitor), CRL Manager (Ext. Monitor)]

  • 8/2/2019 mobilepki

    32/48

    OCSP Server (C/C++):

    Provides real time validation of certificates. Can interface directly with the Certificate Services DB, or via Guardian SQL DB for more efficient performance. Supports pre-built responses and distributed OCSP for large scale scenarios.

    - IETF RFC 2560 compliant
    - Uses CRLs, or provides real time responses
    - Pre-built responses for distributed OCSP, using SQL 2005 DB replication
    - Integrated with IIS ISAPI extension

    [Figure labels: CA, OCSP Server, Clients, OCSP DB]

  • 8/2/2019 mobilepki

    33/48

    Directory Service / Publishing

    Directory Server (ADAM) / Certificate Publisher (C++/C#):

    Provides a highly available and reliable directory service (LDAP), with flexible certificate publishing whose schema can conform to the ISIS-MTT PKI management specification and other government specifications.

    - Publish to WISeKey Global Directory Service (GDS) for universal accessibility
    - Reliably publish certificates to local and/or external Directory instances
    - Multi-master replication and directory scaling
    - Optionally remove revoked and/or expired certificates
    - Schema conformance to ISIS-MTT, Federal Govt, and others on demand

    [Figure labels: CA, CID Services, Publisher Module, Directory Srv (ADAM)]

  • 8/2/2019 mobilepki

    34/48

    URA

    Universal Registration Authority (C++/C#):

    Provides a registration authority interface and certificate lifecycle manager that interfaces with multiple load balanced CAs in the backend, designed for scalability to millions of users and certificates. ASP.NET application that is network load balanced across several servers using MS SQL 2005 as data store. Configuration data, user account, authentication, templates, certificates, requests etc. are stored in SQL 2005 database. Authentication can be done against LDAP.

    Used in CertifyID Trust Center Managed PKI services, and with stand-alone CAs at customer sites.

    [Figure labels: CA, URA Web, Clients, URA DB, CertifyID Black Box]

  • 8/2/2019 mobilepki

    35/48

    CertifyID Black Box Enterprise Offering

    The CertifyID Blackbox offers a complete and affordable out-of-the-box solution for establishing a Trusted Identity Infrastructure dedicated to your organization.

  • 8/2/2019 mobilepki

    36/48

    Partners

    Athena SCS
    Aladdin
    Gemalto
    HP (http://welcome.hp.com/country/us/en/welcome.html)
    IBM
    idQuantique
    MCI
    Microsoft
    NCP
    NDS
    Novell
    OASIS (http://www.oasis-open.org/home/index.php)
    Omnikey
    Precise Biometrics
    SafeNet
    Secure Video Processor Alliance

  • 8/2/2019 mobilepki

    38/48

    Executive Summary / Business Challenge / Value Delivered & Benefit for the client

    To move to a secure, interoperable web based system that enforces mandatory strong authentication access control and encryption of information and data.

    Customization of CPS and policy sets, lightly to meet client needs.

    Reviewing the entire certificate lifecycle, system design, auditability, security in conjunction with KPMG as a trusted neutral party.

    Hosting of a custom portal solution based on the WISeKey Universal Registration Authority.

    Delivered a neutral Swiss Trust Root PKI system, specific custom development, application and PKI hosting, for the certificate issuance and management of certificates that protect the client's information systems end-to-end, which include sensitive financial and consumer data.

    Support of a Swiss based company compliant with the strict Swiss Banking regulation on outsourcing.

    The client was able to incorporate a highly secure logical access control system protecting sensitive business information on time and on budget.

    Finance: Organisation of cooperating Financial Institutions. Switzerland

    References

  • 8/2/2019 mobilepki

    39/48

    Executive Summary / Business Challenge / Value Delivered & Benefit for the client

    The financial sector of this retail company needed to use digital certificates for their internal financial system and for email exchange.

    Implementation of a dedicated CA for our client, for the usage of certificates within their financial system, defined the type of certificates to be issued.

    Dedicated CA managed by WISeKey staff and client certificates issued by WISeKey staff

    Customization of CPS and policy sets, lightly to meet client needs.

    Reviewing the entire certificate lifecycle, system design.

    Hosting of the CA

    Benefit
    - Greater data confidentiality
    - No technical knowledge for the client
    - No cost for technical maintenance
    - Low cost

    Retail: Privately-held, international, low-cost home products retailer. Switzerland, Sweden and Belgium

    References

  • 8/2/2019 mobilepki

    40/48

    Executive Summary / Business Challenge / Value Delivered & Benefit for the client

    The Client PKI is designed to ensure secure communications and system access to protect confidential information between departments within the organizations and most importantly from external parties.

    The Client chose WISeKey's CertifyID Solution as the basis of their PKI, because of its Trust Framework, its tight integration with the Microsoft Windows Platform and the essential enhancing elements that it adds to Windows Certificate Services.

    Implementation of the core infrastructure used to protect the Client's systems and data. This core infrastructure is based on WISeKey's CertifyID Solution and Trust Infrastructure.

    Customization of operational procedures; technical design, implementation; legal documents and agreements; and service operation.

    Project Management.

    Implementation of Client PKI, legal, technical, security and operational infrastructure.

    Legal consulting including organization structure, production certificate practice statement, certificate policies, and end user agreements.

    The customer can safely rely on WISeKey expertise and experience to provide the delivery of a world class certification service that ensures the security and availability of its core PKI infrastructure that is essential to the safety and security of its internal community and collaborators.

    International Organization: IO dedicated to pursuing justice and prosecuting international crimes that fall within their mandate, namely genocide, war crimes, and crimes against humanity.

    References

  • 8/2/2019 mobilepki

    41/48

    Executive Summary / Business Challenge / Value Delivered & Benefit for the client

    The DVB Multimedia Home Platform (MHP) is the software interface between interactive digital TV applications and the terminals on which those applications execute. Such terminals are typically set-top-boxes or integrated digital TVs, both of which are also known as MHP receivers, platforms, hosts or clients.

    The DVB Project Office chose WISeKey to design, implement, host and manage the Public Key Infrastructure that is used to secure MHP applications.

    WISeKey is the designated Certificate Services Provider and Operator for the DVB MHP PKI.

    Multimedia Home Platform is the open standard platform for interactive TV and multimedia services. MHP is based on Internet and web standards, so it offers compatibility and convergence between TV and the Internet.

    DVB thus needed to implement an MHP security mechanism that defines the security requirements for the consumer, the service provider and the broadcaster, using a security mechanism that provides confidentiality, integrity, availability, privacy and non-repudiation.

    WISeKey implemented the core infrastructure that is used to protect the MHP security mechanism and thus implement the security for the consumer, the service provider and the broadcaster. This core infrastructure is the DVB MHP Public Key Infrastructure, including the operational procedures; technical design, implementation; legal documents and agreements; and service operation.

    Project Management.

    Implementation of DVB MHP PKI, legal, technical, security and operational infrastructure.

    Provide DVB MHP Operator functions and services.

    Legal consulting including organization structure, production certificate practice statement, certificate policies, and end user agreements.

    Outsourced service operation.

    DVB: The Digital Video Broadcasting (DVB) industry consortium dedicated to authoring international DTV standards. Switzerland

    References

  • 8/2/2019 mobilepki

    42/48

    Executive Summary / Business Challenge / Value Delivered & Benefit for the client

    SVP is an open technology specification for protecting digital video content. Applying the SVP specification to any standard video processor turns it into an SVP-compliant video processor that can protect digital content end-to-end.

    To move to a secure, interoperable web based system that enforces mandatory strong authentication access control and encryption of information and data.

    The SVP Alliance Licensing Authority chose WISeKey to securely host Trusted SVP Roots that are at the heart of the SVP Security Infrastructure, based on a WISeKey designed secure SVP Root software and hardware security platform.

    Solution delivers an extremely low total cost of ownership for the client, and also provides extremely increased security via the Hardware Security Module, and use of key shares for role segregation.

    The advantages of using WISeKey professional services:
    - Leverage on expertise of PKI leaders
    - Lower total cost of ownership
    - Less effort for planning and design
    - Much more cost effective for a small enterprise; the business with the external partner can be extended as need for crypto-enabled applications grows
    - Requires less in-house expertise
    - Leverage liability rules, policies and procedures of WISeKey
    - Can be operational in a short period of time using the WISeKey Key Step deployment approach

    SVP: The Secure Video Processor Alliance is a group of media and technology leaders promoting the broad adoption of SVP content protection technology in digital home networks and portable devices. USA

    References

  • 8/2/2019 mobilepki

    43/48

    Executive Summary / Business Challenge / Value Delivered & Benefit for the client

    The Client wanted to implement an extranet portal communication system, featuring knowledge bases, electronic mail and correspondence tools to provide better service and support to their partners, including their very important dealer community.

    Because of the sensitive nature of the information stored on the portal, the client needed to implement a highly secure access solution, and after extensive analysis decided to use Digital Certificates and secure devices provided by a highly trusted provider.

    The Client chose WISeKey to provide and host a managed dedicated Public Key Infrastructure to provide digital identity services for their extranet portal, with strict confidentiality and quality of service requirements.

    As part of the project WISeKey delivered a turnkey system for the certificate issuance and management, integrating custom CA development with the Client's backend systems.

    There is a Development, Quality and Production environment. WISeKey maintains a Quality MPKI CA for testing and the Production MPKI CA.

    Access is controlled via two-factor authentication control (certificate based SSL client authentication and a password).

    Industry: Leading Swiss Watch Maker. Switzerland

    References

  • 8/2/2019 mobilepki

    44/48

    Executive Summary / Business Challenge / Value Delivered & Benefit for the client

    The canton of Geneva was chosen by the Confederation for a pilot experiment in voting by Internet, with a view to its introduction at the national level as an additional way to vote alongside the current methods, voting by correspondence and at the polling station. At its official introduction, voting by Internet will have to guarantee a level of safety similar to, or even higher than, these two modes of polling.

    WISeKey has taken part in the concept drafting. WISeKey has taken care of the system security, the server side development, the physical architecture, the installation, and the solution presentation and promotion.

    The system was developed and subjected to thorough testing and controlled hacking by the University of Geneva and CERN. It underwent significant load testing, and was utilized by over 20,000 voters over the course of several alpha and beta tests.

    Since its outset the e-Voting system has been subjected to various tests and security reviews, to collect the observations of the users on the user-friendliness, the ease of use and the safety of the system.

    Various trials were run throughout the pilot project, including a test involving over 20,000 students across the Swiss educational system, generating enthusiasm and constructive feedback from the voters of tomorrow.

    State of Geneva: e-Voting initiative. Switzerland

    References

  • 8/2/2019 mobilepki

    45/48

    Executive Summary / Business Challenge / Value Delivered & Benefit for the client

    Gemini Observatory needed to increase their network, systems and communication security.

    Assisting the Gemini technical administrator to implement the BB and configuring the PKI infrastructure.

    - Fast PKI implementation
    - Greater data confidentiality
    - Ease of use

    Gemini Observatory: Gemini is an international partnership managed by the Association of Universities for Research in Astronomy under a cooperative agreement with the National Science Foundation. USA - Hawaii

    References

  • 8/2/2019 mobilepki

    47/48

    Conclusions

    Both PKO and classical PKI solutions will become prevalent in our communications and computing infrastructures

    Tools such as Wisekey CertifyID Blackbox will contribute to this deployment by offering economical and easy-to-integrate PKI based solutions

    What's next?

    Watch out for quantum computing schemes!

    And very interested in learning from advances at forums such as this Conference!!

  • 8/2/2019 mobilepki

    48/48

    WISeKey S.A.

    WISeKey S.A. - World Trade Center II - 29, route de Pré-Bois, CP 885, 1215 Geneva, Switzerland

    Tel: +41 22 594 30 00

    WISeKey ELA S.L.

    Avda. Txorierri, 9, 48160 Derio & Pº Castellana 135, 28046 Madrid

    Tel: +34 944 545 071 & +34 917 906 868

    e-mail: [email protected] - www.wisekey.com