Technology OverviewTechnology Overviewforfor

FPKI TWGFPKI TWGMay 2, 2002May 2, 2002

2NOVOMODO Inc.

AgendaAgenda Company Introduction

NOVOMODO Basics

Advanced Features

Application Examples

Summary

3NOVOMODO Inc.

About NOVOMODOAbout NOVOMODO

Software product company focused on validation

security and privilege management

Founded by Dr. Silvio Micali in 2001 to bring

about a “new way” of approaching business

problems associated with validation & privileges

Validation technology in production use at MIT –

160,000 certs issued over 18 months

“Alpha” product release available for evaluation

4NOVOMODO Inc.

NOVOMODONOVOMODO Executive Team

Silvio Micali – Founder and Chief ScientistProfessor of Computer Science at MIT

Peter Hussey – CEOFormer President of CyberTrust and Baltimore Americas

Robert Dulude – SVP and Chief Security OfficerFormer VP at CyberTrust and Baltimore

William Ang – VP EngineeringPartner at TechSquare, Inc.

TBA – CFOCo-founder of two successful financial services firms, COO and EVP of several firms

TBA - VP Sales and MarketingVP sales positions at Lotus and others

5NOVOMODO Inc.

NOVOMODO AdvisorsNOVOMODO AdvisorsAllan Borodin, University of Toronto

Manuel Blum, Carnegie Mellon University

Mihir Bellare, University of California - San Diego

David Campbell, Director, Innovation Advisors

Steve Cohn, COO Nevo Technologies

Shafi Goldwasser, MIT

Mike Kaplan, CTO SafeNet

Charles Rackoff, University of Toronto

Ronald Rivest, MIT

Phil Rogaway, University of California – Davis

Jeff Schiller, MIT & IETF

6NOVOMODO Inc.

NOVOMODO Missionbecome the global leader in

Certificate Validationand

Dynamic Privilege Management

7NOVOMODO Inc.

Some DefinitionsSome Definitions

Authentication is proving your claimed identity

The picture on your driver’s license

Authorization is granting privileges (user/process)

Privilege to drive

Validation is verifying your privileges and attributes

Your privilege to drive has not been revoked

Your address on your license is current

8NOVOMODO Inc.

eSecurity SolutioneSecurity Solution

NOVOMODO technology provides:

Validation that is simple, secure, cost effective and truly scales Scalable = no degradation in performance or cost

effectiveness as move to 10s millions

Two-party validation for off-line situations Dynamic privilege management

Multiple privileges using a single certificate

Expires7/31/2002

Sally Student

909090909VALID4.26.02

20-byte

Validation

Token• Unforgeable

– Works only with proper document and date• Simple

– 20 bytes• Fast

– A few hashes (10,000 times faster than one digital signature)• Public

– Can post on the Web!

PROOF

NOVOMODO Validation

NOVOMODO Validation

Expires7/31/2002

Sally Student

909090909VALID4.26.02

20-byte

Validation

Token PROOF

Validation Authority

909090909VALID4.27.02

day 2 909090909VALID4.28.02

day 3909090909REVOKED

day 4 909090909VALID4.26.02

day 1

Basics

NOVOMODO Basics

ValidationAuthority

Single Vault

NO Vaults!

Validation Responders

*** PCCell phoneSmartcardPDALaptop

Web MerchantFinancial Service ProviderCorporate NetworkHealth Care Data RecordsGovernmental IDs/Access802.11 “hot-spots”

SubscriberRelying Party

OKS #

OCSP

SecureScalableCost effectiveEasily managed

NOVOMODO Basics

ValidationAuthority

Single Vault

NO Vaults!

Validation Responders

*** PCCell phoneSmartcardPDALaptop

Web MerchantFinancial Service ProviderCorporate NetworkHealth Care Data RecordsGovernmental IDs/Access802.11 “hot-spots”

SubscriberRelying Party

OKS #

SecureScalableCost effectiveEasily managed

No connecting infrastructure required!

NOVOMODO 2-PARTY Validation

Network Gateway & Responder

ValidationAuthority

Cell PhonePDABluetooth deviceSmartcardSubway ticketsTollbooth

Wireless Platform

Val. Token “Push”(e.g., silent SMS)

OKOK

Wireless,

Physical Access Control,

…

Offline Validation!NO 3rd Party Call!

Unique to NOVOMODO Relying PartyLogical or Physical Access

Dynamic Privilege Management

NOVOMODO

Low-levelclearance

Medium-levelclearance

High-levelclearance

PurchasingPower

Database Access

Dynamic Privilege Management: Example

909090909VALID4.26.02

909090909VALID4.26.02

On The CertOn The Cert

PKI EnabledApplication

Access

Low-levelclearance

Medium-levelclearance

High-levelclearance

PurchasingPower

Database Access

PKI EnabledApplication

Access

Dynamic Privilege Management

909090909VALID4.26.02

909090909VALID4.26.02

On The CertOn The Cert

Low-levelclearance

Medium-levelclearance

High-levelclearance

PurchasingPower

Database Access

Dynamic Privilege Management

On The CertOn The Cert

909090909VALID4.27.02

909090909VALID4.27.02

PKI EnabledApplication

Access

Low-levelclearance

Medium-levelclearance

High-levelclearance

PurchasingPower

Database Access

Dynamic Privilege Management

On The CertOn The Cert

909090909VALID4.27.02

909090909VALID4.27.02

PKI EnabledApplication

Access

Low-levelclearance

Medium-levelclearance

High-levelclearance

PurchasingPower

Database Access

Dynamic Privilege Management

On The CertOn The Cert

909090909VALID4.28.02

909090909VALID4.28.02

909090909VALID4.28.02

PKI EnabledApplication

Access

Dynamic Privilege Management

Unique ToUnique ToNOVOMODO !NOVOMODO !

• Revocation + Reissuance

• Same Certificate, multiple privileges, multiple authorities

• Low-cost independent control

Tenants

Dynamic Privilege Management

Unique ToUnique ToNOVOMODO !NOVOMODO !

• Revocation + Reissuance

• Same Certificate, multiple privileges, multiple authorities

• Low-cost independent control

Smart Access Card

Validation Responders

***

IndependentValidation Authorities

Smart Card with Single Certificate but

Dynamic Cert Management

Share Card, Cert, Infrastructure, …

RETAIN CONTROL !

NAVY

ROOSEVELT

NAVY

Department of Defense

RSVT

OK

OK

Donald Rumsfeld

Secretary of Defense

Pentagon

Washington, DC

#1234567

Department of Defense

NAVY

Department of Defense

RSVT

24

Simple DeploymentFunctional Block Diagram

NovomodoValidationAuthority

SUBSCRIBER

NovomodoResponders

CA

RADPM

Relying PartyApplication

LDAP

25NOVOMODO Inc.

Enabling FlexibilityEnabling FlexibilityArchitecture OptionsArchitecture Options

VA VA VA

CA

Rsp Rsp

Rsp Rsp

CA

VA

CA CA

Rsp Rsp

Rsp Rsp

VA VA VA

CA

Rsp Rsp

Rsp Rsp

CA CA

26NOVOMODO Inc.

SummarySummary Technology is simple, secure and scales

Attractive alternative to OCSP Near real time off-line validation

Ideal for wireless platforms Ideal for physical access via smartcards & biometrics

Dynamic privilege management – for 1st time: Multiple privileges on single certificate Multiple privileges independently controlled Privileges can be pre-positioned for future use Replaces unworkable attribute certificates

Unique to Novomodo

Bob Dulude

Chief Security Officer

bob@novomodo.com

28

Background on one-way hashing• H is easy to compute (10,000 times faster than signature)• H is hard to invert (e.g., SHA-1)

• If X is 20 bytes = 160 bits, then there are 2160 possible X’s– even at 1 trillion hashes/sec, it takes 1028 years to try them all

>> than the lifetime of the universe

X H(X)

EASY

HARD

29

NOVOMODO Validation

VA generates a secret random 20-byte value X0

VA computes X1 = H(X0) X1

H

X364

X365

VA computes X364 = H(X363)H

H

VA computes X365 = H(X364)

...

VA computes X363 = H(X362) X363

H

H...

30X0

X1

X364

...

X365

X363

H

H

H

H

H

secr

et

added to certificate

NOVOMODO Validation

31X0

X1

...

X365

X363

H

H

H

H

H

X364

C =SIGCA(serial number,PKU, U, issue date, exp. date, , ...)

if C is valid the next day, VA reveals X364

if C is valid 1 day after next, VA reveals X363

if C is valid D days before expiration,VA reveals XD

Cost of validity proof to VA: table lookup

Cost of verification: a few hashes

X364

X363

C is valid on issue dateNOVOMODO Validation

32

NOVOMODO Revocation

C =SIGCA(serial number,PKU, U, issue date, exp. date,

VA generates a secret random 20-byte value Y0

VA computes Y1 = H(Y0) H

To prove that C is revoked: reveal Y0

,.)

NOVOMODO: definitive, fast proofs of either validity or revocation!

Token

X0

X1

...

X363

H

H

H

H

H

X364X364

X363Y0

Y0

Y0

Y1X365 ,

33

Separation of CA from VAC =SIGCA

, ...)

CA

Makes Cert

VA Manages the Cert

VA

(serial number,PKU, , issue date, exp. date,

X0

X1

X364

...

X363

H

H

H

H

H

X365

Authenticates User

RA

Only VA can release tokens! X100

Signs Cert

U

34

(sn, PKU, U, i.d., e.d., , ,…, )

Multiple Privileges in One Cert

C =SIGCA

Z1

HA1

H

B1

H

...H

...H

...H

Z365

H

A365

H

B365

HZ364

HA364

H

B364

HZ363

HA363

H

B363

H

Z0B0A0 …

CA

VASecLev 1 SecLev 2 SecLev n

RA

A364

A362

B363

Validator releases the 20-byte proof for the right Sec Lev for that day KEEP SAME CERT!!

35

(sn, PKU, U, i.d., e.d., , ,…, )

NOVOMODO: Independent Validators

C =SIGCAZ365A365 B365

Z1

Z364

...

Z363

H

H

H

H

H

A1

A364

...

A363

H

H

H

H

H

B1

B364

...

B363

H

H

H

H

H

Z0B0A0 …VA VB

VZ

CA

“Landlord” CA

Independent VAs:

Each VA manages

“own privileges”!

A364

Return

B363

Z364

Z271

OCSPOCSP

serial #

SubscriberE-BusinessRelying Party

Dig. Sig.

yes/noSK

***

SK

Secure Vaults(to protect secret signing key SK)

digital signature

costly to compute

costly to check

OC

SP

Single privilege

Doesn’t scale

Vaults vulnerable

Costly deployment

Return