PKI - PowerPoint PPT Presentation

About This Presentation
Title: PKI
Description: LDAP, DAP. End User. Domain. LDAP. UniCert. Certificate Authority. Registration authority ... Supports many different Directories (DAP/LDAP) Policy Driven System ... (PowerPoint PPT presentation)

Slides: 14
Provided by: rado53

Transcript and Presenter's Notes

2

hp PKI
Radostin Stoyanov, April 17th 2001
3
  • pki is a combination of technology and processes that
    • permits users who do not know each other to communicate securely.
    • provides the level of trust required by business to rely on electronic transactions.

5

examples
  • customer files
  • employee/patient records
  • contracts agreements
  • intellectual property

business need: transmit highly confidential information
protection needed
  • strong authentication
  • confidentiality
  • data integrity

6

examples
  • ordering systems
  • inventory systems
  • procurement
  • customer data bases

business need: allow web access to business-critical applications
protection needed
  • strong authentication
  • single sign-on
  • non-repudiation

8

examples
  • purchases
  • payments
  • fund transfers
  • contract signing

business need: support high-value transactions
protection needed
  • strong authentication
  • digital signatures
  • non-repudiation
  • time stamping

Source: Frans Hesp, ABN-AMRO, 11/99
10
  • pki technology ensures that
    • data is not manipulated (integrity)
    • information is kept private (confidentiality)
    • a transaction was accepted (non-repudiation)
  • pki policies, procedures, and organization ensure that
    • a certificate is associated with a unique physical entity
  • technology and processes

11
the basic idea
(Diagram: Mike Graves' key pair, public key and private key, and his certificate)
12
digital certificates
CERTIFICATE (X.509 fields)
  • Issuer (CA) Distinguished Name (DN), e.g. C=DE, OU=Test CA, O=XXXX Corp.
  • Serial number (allocated by the CA)
  • Validity period (typically a year)
  • User (Subject) Distinguished Name
  • User public key parameters, e.g. RSA
  • User public key
  • Extensions, e.g.
    • Alternative user name (e.g. e-mail address)
    • Key usage, e.g. digital signature, key encipherment
  • Signing algorithm parameters, e.g. SHA-1 with RSA (SHA-1 is no longer accepted for certificate signatures; current CAs sign with SHA-256 or stronger)
  • CA Signature

13
lifecycle of certificates
CA - Certification Authority
  • Controls policy
  • Generates certificates
  • Manages revocation lists
  • Updates directory
  • Protects issuer (CA) keys
RA - Registration Authority
  • Identifies end entity
  • Allocates to roles
  • Interface to end entities
DS - Directory Services
  • Publishes end entity information
End Entities (users, apps, etc.)
14
hp PKI solution
  • leading technology
  • strong consulting and integration services
  • integration with virtualvault and webenforcer will provide the highest level of pki server security
  • integration with openview vantagepoint operations for a 24x7 pki service offering
15
what technology do you need to implement PKI
(Diagram) Baltimore UniCert: Certificate Authority, Registration Authority, Advanced Technology, Attribute Certificate Server, Timestamp Server, PKI enabled applications, PKI Implementation Prepackages
HP value add
17
UniCert - Certificate Management System
  • FEATURES
    • Modular hierarchical CA structures with multiple RA systems - highly scalable
    • Flexible Security Policy Editor
    • Hardware Security Modules (HSMs) and smart cards
    • Standards-based issuance and management of X.509 certificates
    • Supports multiple keys/certificates for each user
    • Supports many different directories (DAP/LDAP)
  • Flexibility
    • Multiple registration methods
      • Face to face
      • Gateway for web, email and VPN requests
      • Optional Registration Engine for custom integration or bulk-loading
    • Multiple certificate distribution methods
    • Algorithm flexibility
    • Policies
    • Choice of directory
    • Choice of cryptographic hardware
  • Scalability
    • Scales from the smallest PKI to large Trusted Third Party systems
    • Modular design
    • Hierarchical CA structures
    • Up to 255 RAs per CA
    • Unlimited RAOs
    • Unlimited certificate registration policies
    • Theoretically no limits
  • Policy Driven System
    • Multi-purpose Certificate Authority (CA)
    • Issues and manages certificates for the web, e-mail, payments and virtual private networks (VPN)
    • Highly flexible and scalable deployment configuration options
    • Ideal for intranet, extranet and Internet applications
  • Open Standards Based
    1. Implementation of all relevant industry standards
    2. Implementation of commercially viable company-specific protocols (Netscape, Cisco's SCEP)
    3. Support of commercially prevalent applications
    4. Provides a wide open interface to third party products
  • Security
    • Supports a wide range of HSMs and smartcards
    • Use of PKIX for inter-module communications
    • Full-strength encryption and digital signing
    • Unique tracking number attached to each message; message log
    • All data digitally signed
    • Optional key archival of encryption keys
    • Accepted for certification to ITSEC E3

(Diagram of the solution stack: UniCert Certificate Authority, Registration Authority, Key Archive Server, Attribute Certificate Server, Timestamp Server, Certificate revocation, Secure key storage, PKI enabled applications, Validation Authority, KeySteps, Directory services, Secure administration, Operational management; HP value add)
18
UniCert - SCALABILITY
19
Core products CA/CAO
CA - Certificate Authority
  • The Certificate Authority (CA) signs and publishes certificates and Certificate Revocation Lists (CRLs)
  • The CA operates according to its own flexible policy, which is controlled by the Certification Authority Operator (CAO)
CAO - Certification Authority Operator
  • The security officer of the PKI
  • Controls all administration functions
  • Grants privileges to other UniCERT modules and operators
  • There can be several CAOs, with reduced rights if required
20
Core products RA/RAO/WebRAO
RA - Registration Authority
  • Router between Registration Authority Operators (RAOs), Gateways and the CA
  • Divides the PKI into operational domains
    • Each operational domain is a separate structure
    • Intra-domain confidentiality maintained
  • Obeys its own operational policy, centrally maintained
RAO - Registration Authority Operator
  • Approves certificate requests to be certified by the CA
  • Rights directed by policies pushed out by the CAO
Gateways (Web Gateway, Email Gateway, VPN Gateway)
  • Receive certificate requests from remote devices and distribute certificates
WebRAO
  • Allows operators to approve requests using a standard Web browser
  • Can communicate with the WebRAO Server securely over the Internet
21
Advanced Technology
  • Key Archive Server
    • Securely backs up and recovers end-user private encryption keys
    • Does not impact upon non-repudiation (only encryption keys are archived; signing keys are never escrowed, so a signature can still only have been produced by its holder)
  • Advanced Registration Module
    • Enables automated, integrated, and high-volume branded certificate issuance, providing enforcement of centrally-generated security policies
  • WebRAO
    • Enables simple, secure approval of certificates using a standard Web browser
  • WebRAO Server
    • Enables registration operators to connect to a remote Registration Authority using the Internet
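The lifecycle from the "lifecycle of certificates" and "Core products CA/CAO" slides, together with the key-archive point above (a user holding a separate signing key and encryption key), as an added example that is not part of the original presentation and is not UniCERT code: a throwaway CA driven with the OpenSSL command line (assumed to be OpenSSL 1.1.1 or newer on PATH). The CA's policy lives in a config file; one user, Mike Graves (the name from the "basic idea" slide; the organisation XXXX Corp and the e-mail address are illustrative), gets a signing certificate and a separate encryption certificate; the encryption certificate is then revoked and the CRL reissued, and a chain-plus-CRL check rejects it while the signing certificate stays valid. Directory publication is not shown.

```shell
#!/bin/sh
# Added example, not from the original presentation and not UniCERT code: a
# throwaway CA driven with the OpenSSL CLI (assumed: OpenSSL >= 1.1.1 on PATH).
# The CA policy lives in ca.cnf; one user gets a signing certificate and a
# separate encryption certificate; the encryption certificate is then revoked.
# Names (XXXX Corp, Mike Graves, example.com) are illustrative only.
set -e

PKI_DIR=""   # working directory, created by setup_pki

write_ca_config() {
    cat > "$PKI_DIR/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
# one subject may hold several certificates (signing key + encryption key)
unique_subject   = no
policy           = policy_any
[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ee_signing ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, nonRepudiation
subjectAltName         = email:mike.graves@example.com
authorityKeyIdentifier = keyid
[ ee_encryption ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, keyEncipherment
subjectAltName         = email:mike.graves@example.com
authorityKeyIdentifier = keyid
EOF
}

# setup_pki: fresh working directory, CA database files, a self-signed root CA
# whose key may only sign certificates and CRLs, and an initial (empty) CRL.
setup_pki() {
    PKI_DIR=$(mktemp -d)
    write_ca_config
    ( cd "$PKI_DIR"
      mkdir newcerts; touch index.txt; echo 1000 > serial; echo 01 > crlnumber
      openssl req -config ca.cnf -x509 -new -newkey rsa:2048 -nodes \
          -keyout ca.key -out ca.crt -days 3650 -extensions v3_ca \
          -subj "/C=DE/O=XXXX Corp/OU=Test CA/CN=Test CA" 2>/dev/null
      openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null )
}

# issue_cert NAME EXT_SECTION: the RA step (end-entity key pair and request)
# followed by the CA step (policy-driven signing, recorded in index.txt).
issue_cert() {
    ( cd "$PKI_DIR"
      openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
          -keyout "$1.key" -out "$1.csr" \
          -subj "/C=DE/O=XXXX Corp/CN=Mike Graves" 2>/dev/null
      openssl ca -config ca.cnf -batch -notext -extensions "$2" \
          -in "$1.csr" -out "$1.crt" 2>/dev/null )
}

# revoke_cert NAME REASON: mark the certificate revoked and publish a new CRL.
revoke_cert() {
    ( cd "$PKI_DIR"
      openssl ca -config ca.cnf -revoke "$1.crt" -crl_reason "$2" 2>/dev/null
      openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null )
}

# verify_cert NAME: chain check plus CRL check; status 0 only if still valid.
verify_cert() {
    ( cd "$PKI_DIR"
      openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl "$1.crt" >/dev/null 2>&1 )
}

# key_usage NAME: the Key Usage extension value as OpenSSL prints it.
key_usage() {
    openssl x509 -in "$PKI_DIR/$1.crt" -noout -ext keyUsage | tail -n 1 | sed 's/^ *//'
}

# run_lifecycle: root CA, two certificates for one user, revoke the encryption one.
run_lifecycle() {
    setup_pki
    issue_cert mike_sig ee_signing
    issue_cert mike_enc ee_encryption
    revoke_cert mike_enc keyCompromise
}

run_lifecycle
openssl x509 -in "$PKI_DIR/mike_sig.crt" -noout -issuer -subject -serial -dates
echo "signing cert key usage:    $(key_usage mike_sig)"
echo "encryption cert key usage: $(key_usage mike_enc)"
verify_cert mike_sig && echo "mike_sig: valid (chain OK, not on CRL)"
verify_cert mike_enc || echo "mike_enc: rejected (listed on CRL)"
```

The two extension sections are the policy the CA enforces: whatever the requester asks for, the signing certificate only ever carries digitalSignature and nonRepudiation and the encryption certificate only keyEncipherment, so the encryption key is the only one that could go to a key archive. Revocation is a two-step act, marking the entry in the CA database and then publishing a fresh CRL; a verifier that is not given the new CRL will keep accepting the revoked certificate.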
22
Extended Technology Attribute Certificate Server
  • Allows for roles and privileges to be
    cryptographically linked to any standard
    certificate
  • Potential to substantially increase the power,
    sophistication and flexibility of a PKI.

23
Extended Technology Timestamp Server
  • Supplies non-repudiation services
  • Cryptographically links an imprint of a document
    with a timestamp

24
Enabled Applications
(Diagram: hp trust centre; HP PKI Certificate Authority/Registration Authority; Web server, MailSecure, FormSecure; High availability configurations; OpenView VantagePoint Operations; Virtualvault components; HP value add)
25
KeySteps
(Baltimore KeySteps: timeline diagram, scale in months)
Phases:
  • 1 - Requirements
  • 2 - Architecture
  • 3 - Operations
  • 4 - Security review
  • 5 - Integration
  • 6 - Deployment
  • 7 - Post-deployment
Milestones and deliverables along the timeline: Awareness, Business case, Technical evaluation, Blueprint, CONOPS, Policies, Prototype, Move forward, Pilot system, Limited deployment, Full scale operational system
Month marks on the timeline: 2, 3, 4, 5, 6, 8, 10, 16
HP value add
26
Overview HP PKI Differentiation
  • Worldwide coverage
  • Pre-integrated solutions: PKI Protection, PKI Management, PKI Availability