VeriSign Security Solutions Authentication and Encryption

1
VeriSign Security SolutionsAuthentication and
Encryption

• May 2004

2
MPKI Security Solutions Levels of
Authentication Demonstration QA
3
VeriSign Overview
Provide the critical infrastructure services that
make the Internet and telecommunications networks
more reliable, intelligent and secure
Naming Directory
Security
Telecom
Payment
Atlas

• Presence in 45 countries
• 5,000 enterprises and carriers
• 400,000 e-commerce sites
• 100,000 merchants
• 2,500 employees

• 15 data centers and NOCs
• Largest ind. SS7 network - 2B messages
• Exclusive registry for .com, .net 10B
  resolutions
• 28 of N. America e-commerce

4
MPKI Security Solutions

• Government Security Solutions
• MPKI for Email/eForms
• MPKI for SSL (servers)
• Secure VPN for Checkpoint/Nortel/Cisco
• Secure Web Applications
• Security Consulting Services
• Value to Customers
• Comply with Security Regulation requirements (ex
  HIPAA)
• Highest level of authentication, plus
  cryptography
• Full control over issuance and management of
  certificates
• 40-60 lower cost than in-house implementation
• Easy to manage large deployments
• Easy integration with enterprise and partner
  applications (e.g, smart cards)

5
Levels of Authentication
Various levels of customer authentication
Certificate Class Structure

• Class 1
• Based on email address with no cross-reference to
  any external databases
• Retail only not business or government
• Class 2
• Authenticates identify based on third party
  database information
• For commercial business and government
• Certificates are issued only to persons
  identified by Registration Authority (RA) ex
  known employee of company
• Optional Name, Email, Department, Phone number
• Password or better authentication required
• Class 3
• Personal presence or rigorous manual
  authentication
• For Defense and high-security customers

Rudimentary
High Assurance
6
MPKI Digital CertificatesPublic or Private
Hierarchies
VeriSigns Public Model is compliant with Federal
Bridge allows States to do business with
Federal Govt securely online.

• Public Model
• Open community
• Secure Email
• VeriSign root keys embedded in applications
• Must meet minimal VeriSign CPS/CP
• Private Model
• Self-Signed CA
• Closed community
• Network Access/VPN
• Not dependant on VeriSign CPS/CP

7
State of California PKI Structure

• Public Structure use VeriSigns FBCA compliant
  Certificate Policy Practice Statement (CP/CPS)
• Leverages Enterprise pricing for all customers of
  state
• MSA is with State of CA
• Each customer (counties, cities and state
  agencies) sign a sales order with State Data
  Center and provide PO to buy certificates
• Business Partners (Accenture, IBM, Kaiser, etc.)
  of state or counties can also buy certificates at
  same Enterprise price through State Data Center

VeriSign Public Class 2 Root CA
State of California Intermediate CA
County of LA Public RA
Business Partners Public RA
County of Ventura Public RA
State Agency Public RA
Company 1 Public LRA
Company 2 Public LRA
Dept of Health Public LRA
8
MPKI Digital CertificatesSecure Email

• Signs and Encrypts
• Validates Signature and Encryption
• Encrypts email message and attachments
• Key Management and Storage
• NO SCARY WARNINGS!

Sign
Encrypt
9
Secure Forms using Digital Certificate

• DEMO

10
Todays Demonstration Architecture - Smartcard
Email
Nevada CA
Registration Pages Key Management Service Auto
Administrator
End User registers for Smartcard and Certificates
OCSP/CRL Check
Application Server w/client auth and email
11
MPKI for SSL
Nevada is currently a VeriSign SSL customer

• MPKI for SSL provides customers with the
  ability to manage the lifecycle of SSL digital
  certificates. This includes issue, revoke, renew
  and audit certificates.
• Proof of Identity IDs enable web site
  authentication (Amazon.com or Amazan.com?)
• Strong Security allow communications to be
  encrypted
• Compatibility Recognized by all major browsers,
  and supported by all SSL-capable server software
• Customers control the speed of issuing new SSL
  certificates, renewing and billing.
• Significant discount versus buying retail
  certificates.

12
MPKI Digital Certificates Secure VPN

• Provides customers with the ability managed
  digital certificates to enable strong VPN
  authentication.
• Supports Checkpoint, Nortel and Cisco VPN.
  (supports all VPNs)
• Requires the customer has PKI enabled version of
  their VPN client.
• VeriSign offers VPN Architecture and Design
• Recommend Online Certificate Status Protocol

13
Todays Demonstration Architecture VPN,
Authentication
Nevada CA
OCSP/CRL Check
Nevada Internal Resources
Checkpoint Firewall Cisco Concentrator
VPN User Authenticates
14
MPKI Digital Certificates Secure Web
Transactions

• Secure Web Transactions provides customers with
  the ability managed digital certificates to
  enable strong authentication or digital signing
  of HTML, plain text and XML.
• The following tools are offered for Secure Web
  Transactions
• Personal Trust Agent (client and server
  components)
• Digital Signature Platform
• Certificate Parsing Module
• Certificate Validation Module
• File Encryption Tool
• PKI Toolkits
• Customers who deploy Secure Web solutions are not
  required to implement all above components.
• Recommend Online Certificate Status Protocol
  (OCSP)
• Optional Roaming

15
MPKI - Digital CertificatesWeb Services/Access

• Common user interface for both Netscape Navigator
  and Microsoft IE
• Brand-able uses membership card metaphor can
  be localized
• PTA operations are scriptable from web pages
• Easy Select Automatically search through certs
  for application/company identifiers
• Configure a certificate for an application
  (select only once)
• Supports mandatory password criteria and can
  integrate with other forms of authenticaiton

16
Web Access using Digital Certificate

• DEMO

17
Network Security MSS
Service Offerings and Key Features

• Managed Security Services
• Managed/monitored Firewall, Intrusion Detection
  Systems, Vulnerability Management
• Network Security Consulting services
• 24x7 Security Operations Centers staffed with
  security experts
• Early warning system leveraging VeriSigns
  Internet security intelligence
• Vendor-neutral support for all best-of-breed
  security platforms

Value to Customers

• Minimize security intrusions/breaches through
  proactive, 24x7 management
• Cost reduction of up to 60 by leveraging
  VeriSigns infrastructure
• Reallocate resources to higher value-added
  activities and business priorities
• Achieve compliance with government regulations
  and audit requirements

18
Security Consulting Services

• All VeriSign Core MPKI and complimenting
  solutions include Security Consulting Service
  during install.
• PKI Design and Analysis
• CPS and CP Development Services
• PKI Enablement Services
• Archival Services
• Disaster Recovery
• Network Optimization
• Security Assessments
• Vulnerability Testing
• Audit Services

19
Sample Public Sector Customers

• Veterans Affairs
• Center for Disease Control
• US Dept. of Labor
• Securities Exchange Comm.
• US Dept. of Interior
• US Office of the Courts
• Department of Energy
• Multi-State Tax Comm.
• Department of Defense - SERVE

• State of PA J-Net
• State of PA Education
• State of New Jersey
• Kern County, CA
• Federal Home Loan Banks of
• Pittsburg, Dallas, Chicago
• Exostar (DoD Exchange)
• State of Kansas
• County of Los Angeles, CA
• County of San Mateo, CA
• State of California

20
Government Scaling to Millions of Users
We chose VeriSign managed security services
because of reliability and capacity to scale to
millions of users.
21
Creating a Connected, Secure Government
We wouldn't be able to put a service like this
online and have the levels of security necessary
without VeriSign. It is extremely important to
us that our digital certificates have the
inherent trust that comes with using the VeriSign
solutions
22
Government Efficiency at Department of Interior
VeriSign delivered a performance-based
implementation we couldnt have afforded it
without that kind of approach. A VeriSign
solution is kind of like a Piece of a Rock
scenario.
23
State of Pennsylvania