Diagram labels (PKI services): Time/Date Stamp; Authorization; Secure Non-repudiation; Key Recovery; Message Confidentiality (S/MIME); Session Confidence (SSL); Access Control (SSO/CSO); Non-repudiation (SET); Integrity (Signature)
1. Certificate Granting Agent
2. Trusted Third Party
3. Security Servers and Agents
4. Certified Delivery System
5. Digital Notary Server
6. Digital Signature Generation
7. Digital Signature Verification
8. Confidentiality Key Exchange
9. Key Pair Generation
PKI Certificate Management (diagram labels): Policy Approval; Certificate Revocation; Certification Archiving; Repository; Naming and Recognition
E-Business Information Security Vulnerabilities (diagram labels)
Parties and stores: Supplier; Customer; Data Archives
Activity and the asset it exposes: Collaborative Commerce / Intellectual Property; Search, Discovery, Offering / Reputation; EFT / Value; Logistics/SCM / Theft; Trusted Transactions / Integrity; CRM — Intimate Knowledge / Privacy
Process labels: Marketing; Selling; Shipping; Service and Support; Design; Receivables; Shopping; Purchasing; Using, Maintaining; Development; Payables; Receiving
Prioritizing PKI Applications
Application / Priority
• Secure VPN, Secure Web Access, Secure E-mail: High (Overall Risk Reduction: High; New Business Opportunity: High)
• Digital Signature, Server IDs, Desk/Laptop Encryption: Medium
• Consolidated Sign-On, SET: Low
SSL - A No Brainer
Diagram: Cyber-browser visits a secure site; Web Server; Server's public key
The Web server submits its site/server public key certificate to the browser. The channel is encrypted, the Web server identified.
The Primary PKI App today
Signing and Sealing the E-Mail Envelope
Diagram labels: X.400; PEM; PGP; MOSS; S/MIME V.3; OpenPGP; Signature DMS/MSP (axis: Being Deployed / Not Being Deployed)
Web Access: Portals Through the Firewall
Public Web site; Customer extranet; Supplier extranet; Employee intranet; Channels extranet
EDI Transactions Require Digital Signatures and Encryption
Transaction Type                  Digital Signature Required   Encryption Capability Needed
Invoice                           Yes                          No
Application Advice                No                           No
Price Sales Catalog               No                           No
Contract Award Summary            No                           No
Trading Partner Profile           Yes                          No
Request for Quote                 Yes                          No
Response to Request for Quote     Yes                          Yes
Purchase Order, Delivery Order    Yes                          Yes
Purchase Simple Contracts         Yes                          Yes
Purchase Order Change             Yes                          No
Text Message                      No                           No
Order Status Report               No                           No
Functional Acknowledgment         No                           No
California Independent Systems Operator PKI Architecture (diagram labels)
Master Directory Server (LDAP/X.500); Network; Policy Creation Authority; Policy Approval Authority; CA Signing Certificates
CAs by assurance level: Basic Assurance - Basic CA; Medium Assurance - Medium CA; High Assurance - High CA
Registration Authority Workstation: Register Users, Revoke Certs
Client Applications; PKI Mail Server
ACES Architecture (diagram labels)
Subscriber: Browser; Subscriber Private Key, Subscriber Cert (HW Token Opt'l)
Agency: App1 with CAM (App API, CA API); App1 Private Key, App1 Cert (FIPS 140-1); cached CA1 Cert, CA2 Cert, CAN Cert; List of Invalid Cert IDs; Audit Log
ACES CAs: ACES CA1, ACES CA2, ..., ACES CAN, each holding its CA Private Key (FIPS 140-1), its Subscriber Certs and the CA1/CA2/CAN Certs
Crypto API: RSA, DSA, ECDSA
CA API returns cert status + cert fields
CAM steps:
- Parse Cert
- Verify Subscriber Cert Issuer as an ACES CA
- Verify Subscriber Cert Issuer's signature
- Verify Subscriber Cert's operational period
- Check cached Invalid Cert IDs
- Get route to Issuer
- Send signed Status Request & Cert data to Issuer
- Receive signed Status Response
- Verify Status Response signature
- Pass status & cert data to App
- Log audit data
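The CAM checks listed above, modelled in Python as an added example (not code from the ACES program or from this deck). The subscriber certificate, CA trust store, cached invalid-ID list and issuer status responder are all constructed inline; HMAC-SHA256 keyed per CA stands in for the CA's RSA/DSA signature, and the status request itself is left unsigned.

```python
import hashlib, hmac, json
# Constructed trust store: ACES CA name -> signing key. HMAC-SHA256 keyed per CA
# stands in for the RSA/DSA signature a real ACES CA would put on a certificate.
ACES_CA_KEYS = {"ACES-CA1": b"ca1-demo-key", "ACES-CA2": b"ca2-demo-key"}
CACHED_INVALID_IDS = {"ACES-CA1:1042"}  # constructed cache of invalid cert IDs
AUDIT_LOG = []                          # CAM audit data, one record per validation

def _sign(key, payload):
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()
def _verify(key, payload, sig):
    return hmac.compare_digest(_sign(key, payload), sig)

def make_cert(issuer, serial, subject, not_before, not_after):
    """Issue a constructed subscriber cert (ISO dates, so string comparison orders them)."""
    tbs = {"issuer": issuer, "serial": serial, "subject": subject,
           "not_before": not_before, "not_after": not_after}
    return {"tbs": tbs, "sig": _sign(ACES_CA_KEYS[issuer], tbs)}

def issuer_responder(issuer, status_by_cert_id):
    """Model the issuing CA answering a status request with a signed status response."""
    def respond(request):
        body = {"cert_id": request["cert_id"],
                "status": status_by_cert_id.get(request["cert_id"], "good")}
        return {"body": body, "sig": _sign(ACES_CA_KEYS[issuer], body)}
    return respond

def cam_validate(cert, now, route_to_issuer):
    """Run the CAM checks in the figure's order; return (status, reason) for the app."""
    def done(status, reason):                                   # pass result up and log audit data
        AUDIT_LOG.append({"cert": (cert.get("tbs") or {}).get("serial"), "status": status, "reason": reason})
        return status, reason
    tbs = cert.get("tbs")                                       # 1. parse cert
    if not isinstance(tbs, dict) or any(k not in tbs for k in ("issuer", "serial", "not_before", "not_after")):
        return done("invalid", "unparseable certificate")
    key = ACES_CA_KEYS.get(tbs["issuer"])                       # 2. issuer must be an ACES CA
    if key is None:
        return done("invalid", "issuer is not an ACES CA")
    if not _verify(key, tbs, cert.get("sig", "")):              # 3. issuer's signature on the cert
        return done("invalid", "issuer signature does not verify")
    if not tbs["not_before"] <= now <= tbs["not_after"]:        # 4. operational period
        return done("invalid", "outside operational period")
    cert_id = f'{tbs["issuer"]}:{tbs["serial"]}'
    if cert_id in CACHED_INVALID_IDS:                           # 5. cached invalid cert IDs
        return done("revoked", "cert ID in cached invalid list")
    resp = route_to_issuer(tbs["issuer"])({"cert_id": cert_id}) # 6-8. route, status request/response
    if not _verify(key, resp["body"], resp["sig"]) or resp["body"]["cert_id"] != cert_id:
        return done("invalid", "status response not verifiable")  # 9. response signature
    status = "valid" if resp["body"]["status"] == "good" else "revoked"
    return done(status, "issuer reports " + resp["body"]["status"])  # 10-11. pass status, log
```

Note that the cached invalid-ID check short-circuits before any round trip to the issuer, which is why a stale cache can only ever reject a good certificate, never accept a revoked one that the issuer would report.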
"Four Corner Transaction"
Diagram labels: Manufacturer (Place Order); Trading Partner (Receive Order); Bank A; Bank B; "Brand A" CA; "Brand B" CA; each corner holds a Private Key Token Digital ID
Digital Order, Digitally Signed: 10 18975BBE E41675DE 6F4593D8 71D2BDA720 D519E511 6B7824C5 0B70E1E7 40C1BC3630 C2AD5ACD 80CB4616 419D066A E707418C40 C08BACF5 1A172119 ED2BF17 2E55DBF250 F657EE32 27A84F70 51A2FB63
• Provides verification of identities & signatures and assurance ("TRUST")
• Facilitate interbank certificate checking
• Utilize tools to allow interoperability across CA's and supplies software developers toolkit with standard functionality to member banks
Source: Entegrity Solutions
European Private Banking (Anon)
• Private, personal, retail banking & brokerage services
• Operation in fiscal haven with strict bank secrecy laws
• Worldwide customer base
• Smartcards with certificate client credentials
• SSL, User ID, password model was not appropriate
• Transparent certificate management
• Initial smartcard/certificate issuance
Bolero (diagram labels)
Parties: exporter; carrier; bank; exchange of EDI messages
Components: registration authority; certification authority; registry; directory services
Flows: identification; sends public key; certification of public key; private key sent by registration authority
PKI Case Studies
Organization                             PKI Application
Nuclear Waste Facility                   Document Management, Digital Signatures
Law Enforcement Consortium               Secure Email
Retail Bank                              Consumer E-Banking
State Government                         Funds Transfer Authorization, EForms
Utility Independent Systems Operator     Secure Communications, Controls, Business Services
Insurance Company                        Browser based field agent access; encrypted files
PKI Integration Scorecard
Application                  Grade   Comments
Web Browsers                 A       SSL --> TLS and Wireless
E-Mail                       A       S/MIME; PGP --> OpenPGP
VPNs                         B+      IPSec, IPv6
E-Forms                      B+      Signing, Encrypting
Packaged Applications        D       Driven by Webification, ASPs
Legacy/Custom Applications   F       Bridging RACF, DCE/Kerberos