PKI - PowerPoint PPT Presentation

1 / 13

About This Presentation

Title:

PKI

Description:

LDAP, DAP. End User. Domain. LDAP. UniCert. Certificate Authority. Registration authority ... Supports many different Directories (DAP/LDAP) Policy Driven System ... – PowerPoint PPT presentation

Number of Views:318

Avg rating:3.0/5.0

Slides: 14

Provided by: rado53

Category:

Tags: pki | dap

more less

Transcript and Presenter's Notes

Title: PKI

1
(No Transcript)
2

hp PKI
Radostin Stoyanov April 17th 2001
3

pki is a combination of technology and processes
that
permits users who do not know each other to
communicate securely.
provides the level of trust required by
business to rely on electronic transactions.

4

examples

customer files
employee/patient records
contracts agreements
intellectual property

business need transmit highly confidential
information
5

examples

customer files
employee/patient records
contracts agreements
intellectual property

business need transmit highly confidential
information
protection needed

strong authentication
confidentiality
data integrity

6

examples

ordering systems
inventory systems
procurement
customer data bases

business need allow web access to
business-critical applications
protection needed

strong authentication
single sign-on
non-repudiation

7

examples

ordering systems
inventory systems
procurement
customer data bases

business need allow web access to
business-critical applications
protection needed

strong authentication
single sign-on
non-repudiation

8

examples

purchases
payments
fund transfers
contract signing

business need supporthigh-value transactions
protection needed

strong authentication
digital signatures
non-repudiation
time stamping

Source Frans Hesp ABN-AMRO 11/99e
9

examples

purchases
payments
fund transfers
contract signing

business need supporthigh-value transactions
protection needed

strong authentication
digital signatures
non-repudiation
time stamping

pki technology ensures that
data is not manipulated (integrity)
information is kept private (confidentiality)
a transaction was accepted (non-repudiation)
pki policies, procedures, and organization
ensure that
a certificate is associated with a unique
physical entity

technology and processes

11
the basic idea
Mike Graves keys
Public key
Private key
Certificate
12
digital certificates
CERTIFICATE

Issuer (CA) Distinguished Name (DN) e.g.CDE,
OUTest CA, OXXXX Corp.
Serial number (allocated by CA)
Validity period (typically a year)
User (Subject) Distinguished Name
User Public Key parameters e.g. RSA
User Public Key
Extensions e.g.
Alternative user name (e.g. e-mail address)
Key usage e.g. digital signature, key
encipherment
Signing algorithm parameters e.g. SHA-1, RSA
CA Signature

13
lifecycle of certificates
CA - Certification Authority Controls
policy Generates certificate Manages revocation
lists Updates directory Protects issuer (CA) keys
RA - Registration Authority Identifies end
entity Allocates to roles Interface to end
entities
DS - Directory Services Publishes end entity
information
End Entities (users, apps, etc.)
14

leading technology
strong consulting and integration services
integration with virtualvault and webenforcer
will provide highest level of pki server security
integration with openview vantagepoint operations
for 24x7 pki service offering

hp PKI solution
15
what technology do you need to implement PKI
Baltimore
UniCert Certificate Authority Registration
authority Advanced Technology Attribute
Certificate Server Timestamp Server PKI enabled
applications PKI Implementation Prepackages
HP value add
16
(No Transcript)
17
UniCert - Certificate Management System
Baltimore

FEATURES
Modular hierarchical CA structures with multiple
RA systems - highly scalable
Flexible Security Policy Editor
Hardware Security Modules (HSMs) smart cards
Standards-based issuance management of X.509
certificates
Supports multiple Keys/Certificates for each user
Supports many different Directories (DAP/LDAP)

Flexibility
Multiple registration methods
Face to face
Gateway for web, email VPN requests
Optional Registration Engine for custom
integration or bulk-loading
Multiple certificate distribution methods
Algorithm flexibility
Policies
Choice of directory
Choice of cryptographic hardware

Scalability
Scales from the smallest PKI to large Trusted
Third Party systems
Modular design
Hierarchical CA structures
Up to 255 RAs per CA
Unlimited RAOs
Unlimited certificate registration policies
Theoretically no limits

Policy Driven System
Multi-purpose Certificate Authority (CA)
Issues and manages certificates for the web,
e-mail, payments and virtual private networks
(VPN)
Highly flexible and scaleable deployment
configuration options
Ideal for intranet, extranet and Internet
applications

Open Standards Based 1. Implementation of all
relevant industry standards 2. Implementation of
commercially viable company-specific protocols
(Netscape Ciscos SCEP) 3. Support of
commercially prevalent applications 4. Provides
wide open interface to third party products

Security
Supports wide range of HSMs smartcards
Use of PKIX for inter-module communications
Full strength encryption digital signing
Unique tracking number attached to each message
message log
All data digitally signed
Optional key archival of encryption keys
Accepted for certification to ITSEC E3

UniCert Certificate Authority Registration
Authority Key Archive Server Attribute
Certificate Server Timestamp Server Certificate
revocation Secure key storage PKI enabled
applications Validation Authority KeySteps Directo
ry services Secure administration Operational
management
HP value add
18
UniCert - SCALABILITY
19
Core products CA/CAO
Baltimore

The Certificate Authority (CA) signs and
publishes certificates and Certificate Revocation
Lists (CRLs)
The CA operates according to its own flexible
policy, which is controlled by the Certification
Authority Operator (CAO)

UniCert Certificate Authority Registration
Authority Key Archive Server Attribute
Certificate Server Timestamp Server Certificate
revocation Secure key storage PKI enabled
applications Validation Authority KeySteps Direct
ory services Secure administration Operational
management

The security officer of the PKI
Controls all administration functions
Grants privileges to other UniCERT modules and
operators
There can be several CAOs, with reduced rights if
required

HP value add
20
Core products RA/RAO/WebRAO
Baltimore

Router between Registration Authority Operators
(RAOs), Gateways and the CA
Divide the PKI into operational domains
Each operational domain is a separate structure
Intra-domain confidentiality maintained
Obeys its own operational policy, centrally
maintained

Approves certificate requests to be certified by
the CA
Rights directed by policies pushed out by the CAO
Receives certificate requests from remote devices
and distributes certificates
Gateways Web Gateway Email Gateway VPN
Gateway

Allows operators to approve requests using a
standard Web browser
Can communicate with the WebRAO Server securely
over the Internet

HP value add
21
Advanced Technology
Baltimore

Key Archive Server
Securely backs up and recovers end-user private
encryption keys
Does not impact upon non-repudiation

Advanced Registration Module
Enables automated, integrated, and high-volume
branded certificate issuance, providing
enforcement of centrally-generated security
policies

WebRAO
Enables simple, secure approval of certificates
using a standard Web browser

WebRAO Server
Enables registration operators to connect to a
remote Registration Authority using the Internet

HP value add
22
Extended Technology Attribute Certificate Server
Baltimore

Allows for roles and privileges to be
cryptographically linked to any standard
certificate
Potential to substantially increase the power,
sophistication and flexibility of a PKI.

Supplies non-repudiation services
Cryptographically links an imprint of a document
with a timestamp

UniCert Certificate Authority Registration
authority Key Archive Server Attribute
Certificate Server Timestamp Server Certificate
revocation Secure key storage PKI enabled
applications Validation Authority KeySteps Directo
ry services Secure administration Operational
management
HP value add
24
Enabled Applications
Baltimore
UniCert Certificate Authority Registration
authority Key Archive Server Attribute
Certificate Server Timestamp Server Certificate
revocation Secure key storage PKI enabled
applications Validation Authority KeySteps Directo
ry services Secure administration Operational
management
hp trust centre
HP PKI Certificate Authority/ Registration
Authority
Web server MailSecure FormSecure
High availability configurations
OpenView VantagePoint Operations
Virtualvault components
HP value add
25
KeySteps
Baltimore
Months
UniCert Certificate Authority Registration
authority Key Archive Server Attribute
Certificate Server Timestamp Server Certificate
revocation Secure key storage PKI enabled
applications Validation Authority KeySteps Directo
ry services Secure administration Operational
management
Awareness
2
1- Requirements
Business case
3
Technical evaluation
2 - Architecture
Blueprint
5
3 - Operations
CONOPS, Policies
4
Prototype
4 - Security review
Move forward
6
5 - Integration
Pilot system
8
Limited deployment
10
6 - Deployment
16
Full scale, operational system
7 - Post-deployment
HP value add
26
Overview HP PKI Differentiation