Enabling Trusted B2B Transactions with PKI - PowerPoint PPT Presentation

Slides: 30
Provided by: timmc

Transcript and Presenter's Notes

1
Enabling Trusted B2B Transactions with PKI
BONUS OFFER: a look at some commercial solutions
Tim McLaren
McMaster University, Hamilton University, Canada
2
Agenda
  • The nature of B2B
  • How PKI can help
  • Trust
  • Working with Certificates
  • Evaluating commercial PKI software

3
E-biz Security Requirements
  • access control
  • authentication
  • confidentiality
  • integrity
  • non-repudiation

4
Why B2B is different
  • ongoing trusted relationships critical
  • identification (not just authentication)
  • many-to-many relationships
  • high volume, low margin

5
B2B Requirements
  • trusting identity of party very important
  • keys need to be validated
  • key identification certificate
  • many-to-many relationships result in plethora of
    certificates

6
How PKI can help
  • authentication of both parties
  • encryption
  • digital receipts (timestamped, notarized) for
    audit
  • management of certificates
  • trusted transactions independent of platform,
    application

7
Trust Models
  • hierarchical
  • top-down
  • distributed
  • web of trust
  • all use third-party trust

8
Third-party Trust
[Diagram: CA, Bill and Bob, with two links labelled "TRUSTS". Therefore Bob trusts Bill.]

9
Cross Certification
[Diagram: two CAs, Bob and Jane, with three links labelled "TRUSTS". Therefore Bob trusts Jane.]

10
Direct Trust
[Diagram: two CAs, Bob and Guido, with two links labelled "TRUSTS" and an in-person key exchange. Bob directly trusts Guido.]

11
Another Solution
[Diagram: three CAs, Bob and Guido, with two links labelled "TRUSTS". Now Bob can trust Guido thru the 3rd party.]

12
Trust is Communicated with Certificates
[Diagram: three CAs, Bob and Guido, with four links labelled "CERTS" and a "Key Identification Certificate".]

13
Certificate Example
14
Certificate
15
Details
16
Trust Path
17
Inherited Trust
18
Certificate Tampering
19
Email Warning
20
Checking Revocation List
21
Sample Revocation List
22
Changing Trust
23
PKI Requirements
  • certificate repository
  • certificate revocation
  • key backup, recovery, and history
  • automatic update of certificates
  • cross certification
  • non-repudiation of signatures
  • application integration

24
Evaluating a PKI solution
  • vendor reliability / references
  • open, accepted standards and certification
  • certificate management
  • trust models supported
  • trusted time stamping
  • transparent integration with applications

25
PKI Creates a Transparent Security Layer
26
RSA's Keon PKI
27
Entrust's PKI
28
Summary of PKI Benefits
  • authentication of both parties
  • encryption
  • digital receipts (timestamped, notarized) for
    audit
  • management of certificates
  • trusted transactions independent of platform,
    application

29
Acceptance of PKI
  • PKI use has more than doubled from 6 to 13 in a
    year - PriceWaterhouseCoopers, 2000
  • "A central services approach where the PKI
    provides keys and key management for multiple
    applications is expensive, complicated, and if
    not done well, career limiting," - Gartner Group,
    2000
  • Windows 2000 includes PKI
  • and costs are coming down 40 in few years - Meta
    Group, 2000