Title: PKI
2 hp PKI
Radostin Stoyanov April 17th 2001
3 PKI is a combination of technology and processes that:
- permits users who do not know each other to communicate securely;
- provides the level of trust required by business to rely on electronic transactions.
5 Business need: transmit highly confidential information
Examples:
- customer files
- employee/patient records
- contracts, agreements
- intellectual property
Protection needed:
- strong authentication
- confidentiality
- data integrity
7 Business need: allow web access to business-critical applications
Examples:
- ordering systems
- inventory systems
- procurement
- customer databases
Protection needed:
- strong authentication
- single sign-on
- non-repudiation
8 Business need: support high-value transactions
Examples:
- purchases
- payments
- fund transfers
- contract signing
Protection needed:
- strong authentication
- digital signatures
- non-repudiation
- time stamping
Source: Frans Hesp, ABN-AMRO, 11/99
10 PKI technology ensures that:
- data is not manipulated (integrity)
- information is kept private (confidentiality)
- a party cannot later deny a transaction it accepted (non-repudiation)
PKI policies, procedures and organization ensure that:
- a certificate is associated with a unique physical entity (the cryptography only delivers the three properties above if this binding between key and identity is correct)
11 The basic idea
[Diagram: Mike Graves's keys: public key, private key, certificate]
12 Digital certificates
CERTIFICATE
- Issuer (CA) Distinguished Name (DN), e.g. C=DE, OU=Test CA, O=XXXX Corp.
- Serial number (allocated by the CA; unique per issuer)
- Validity period (typically a year)
- User (Subject) Distinguished Name
- User public key parameters, e.g. RSA
- User public key
- Extensions, e.g.:
  - alternative user name (e.g. e-mail address)
  - key usage, e.g. digital signature, key encipherment
- Signing algorithm parameters, e.g. SHA-1 with RSA (SHA-1 is no longer acceptable for certificate signatures; SHA-256 or stronger is used today)
- CA signature
13 Lifecycle of certificates
CA - Certification Authority: controls policy, generates certificates, manages revocation lists, updates the directory, protects the issuer (CA) keys
RA - Registration Authority: identifies the end entity, allocates it to roles, interface to end entities
DS - Directory Services: publishes end entity information
End Entities (users, applications, etc.)
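The certificate fields from the "digital certificates" slide and two of the CA duties from the lifecycle slide (issuing certificates, managing revocation lists) carried through in Go, as an added example written for this page; it is not hp's or Baltimore's UniCert code. It uses Go's standard crypto/x509 (Go 1.19 or later), which signs with SHA-256 rather than the slide's SHA-1. The DN fragment C=DE, OU=Test CA, O=XXXX Corp. and the user name "Mike Graves" come from the slides; the serial numbers and the e-mail address are assumed values. The relying-party side is shown too: chain verification at a point in time, and a CRL lookup that refuses to trust a CRL whose signature does not verify.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// must keeps the CA set-up readable; any failure there is a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildPKI plays the CA: it generates the issuer key pair, self-signs the issuer certificate,
// then issues a one-year end-entity certificate carrying the slide's fields (assumed values marked inline).
func BuildPKI(now time.Time) (caKey *rsa.PrivateKey, caCert, eeCert *x509.Certificate) {
	caKey = must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{"DE"}, Organization: []string{"XXXX Corp."}, OrganizationalUnit: []string{"Test CA"}},
		NotBefore:    now, NotAfter: now.AddDate(10, 0, 0),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign lets the same key sign CRLs
	}
	caCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	eeKey := must(rsa.GenerateKey(rand.Reader, 2048)) // in practice generated on the end entity's side
	eeTmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1001), // allocated by the CA, unique per issuer (assumed value)
		Subject:        pkix.Name{Country: []string{"DE"}, Organization: []string{"XXXX Corp."}, CommonName: "Mike Graves"},
		NotBefore:      now, NotAfter: now.AddDate(1, 0, 0), // "typically a year"
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		EmailAddresses: []string{"mike.graves@example.invalid"}, // subjectAltName; assumed address
	}
	eeCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, eeTmpl, caCert, &eeKey.PublicKey, caKey))))
	return caKey, caCert, eeCert
}

// Describe pulls the slide's fields back out of a parsed certificate.
func Describe(c *x509.Certificate) map[string]string {
	return map[string]string{
		"issuer":        c.Issuer.String(),
		"serial":        c.SerialNumber.String(),
		"validity":      c.NotBefore.UTC().Format(time.RFC3339) + " to " + c.NotAfter.UTC().Format(time.RFC3339),
		"subject":       c.Subject.String(),
		"key_algorithm": c.PublicKeyAlgorithm.String(),
		"email":         strings.Join(c.EmailAddresses, ","),
		"signature_alg": c.SignatureAlgorithm.String(),
	}
}

// VerifyChain is the relying party's check: CA signature, validity period at `at`, basic constraints.
func VerifyChain(ee, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := ee.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// IssueCRL is the CA's "manages revocation lists" duty: a signed list of revoked serial numbers.
func IssueCRL(caCert *x509.Certificate, caKey *rsa.PrivateKey, revoked []*big.Int, now time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey)
}

// IsRevoked verifies the CRL's own signature against the CA before trusting its contents.
func IsRevoked(crlDER []byte, ca, ee *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca)
	}
	if err != nil {
		return false, err // malformed or not signed by our CA: never answer "not revoked"
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(ee.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	now := time.Now()
	caKey, caCert, eeCert := BuildPKI(now)
	fmt.Println(Describe(eeCert), "chain:", VerifyChain(eeCert, caCert, now.Add(time.Hour)))
	fmt.Println(IsRevoked(must(IssueCRL(caCert, caKey, []*big.Int{eeCert.SerialNumber}, now)), caCert, eeCert))
}
```

Two design points worth noticing: the CA certificate carries the crlSign key usage, without which CreateRevocationList refuses to sign, and IsRevoked returns an error rather than "not revoked" when the CRL is malformed or not signed by the CA, because a relying party that fails open on a bad CRL has no revocation checking at all.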
14 hp PKI solution
- leading technology
- strong consulting and integration services
- integration with VirtualVault and WebEnforcer will provide the highest level of PKI server security
- integration with OpenView VantagePoint Operations for a 24x7 PKI service offering
15 What technology do you need to implement PKI
Baltimore UniCert: Certificate Authority, Registration Authority, Key Archive Server, Attribute Certificate Server, Timestamp Server, certificate revocation, secure key storage, Validation Authority, KeySteps, directory services, secure administration, operational management
PKI enabled applications
PKI Implementation Prepackages
HP value add
17 UniCert - Certificate Management System (Baltimore)
FEATURES
- Modular hierarchical CA structures with multiple RA systems; highly scalable
- Flexible Security Policy Editor
- Hardware Security Modules (HSMs), smart cards
- Standards-based issuance and management of X.509 certificates
- Supports multiple keys/certificates for each user
- Supports many different directories (DAP/LDAP)
Flexibility
- Multiple registration methods:
  - face to face
  - gateway for web, email and VPN requests
  - optional Registration Engine for custom integration or bulk-loading
- Multiple certificate distribution methods
- Algorithm flexibility
- Policies
- Choice of directory
- Choice of cryptographic hardware
Scalability
- Scales from the smallest PKI to large Trusted Third Party systems
- Modular design
- Hierarchical CA structures
- Up to 255 RAs per CA
- Unlimited RAOs
- Unlimited certificate registration policies
- Theoretically no limits
Policy Driven System
- Multi-purpose Certificate Authority (CA)
- Issues and manages certificates for the web, e-mail, payments and virtual private networks (VPN)
- Highly flexible and scalable deployment configuration options
- Ideal for intranet, extranet and Internet applications
Open Standards Based
1. Implementation of all relevant industry standards
2. Implementation of commercially viable company-specific protocols (Netscape, Cisco's SCEP)
3. Support of commercially prevalent applications
4. Provides a wide open interface to third party products
Security
- Supports a wide range of HSMs and smartcards
- Use of PKIX for inter-module communications
- Full-strength encryption and digital signing
- Unique tracking number attached to each message; message log
- All data digitally signed
- Optional key archival of encryption keys
- Accepted for certification to ITSEC E3
18 UniCert - Scalability (diagram only)
19 Core products: CA/CAO (Baltimore)
CA:
- The Certificate Authority (CA) signs and publishes certificates and Certificate Revocation Lists (CRLs)
- The CA operates according to its own flexible policy, which is controlled by the Certification Authority Operator (CAO)
CAO:
- the security officer of the PKI
- controls all administration functions
- grants privileges to other UniCERT modules and operators
- there can be several CAOs, with reduced rights if required
20 Core products: RA/RAO/WebRAO (Baltimore)
RA:
- router between Registration Authority Operators (RAOs), gateways and the CA
- divides the PKI into operational domains
- each operational domain is a separate structure
- intra-domain confidentiality maintained
- obeys its own operational policy, centrally maintained
RAO:
- approves certificate requests to be certified by the CA
- rights directed by policies pushed out by the CAO
Gateways (Web Gateway, Email Gateway, VPN Gateway):
- receive certificate requests from remote devices and distribute certificates
WebRAO:
- allows operators to approve requests using a standard web browser
- can communicate with the WebRAO Server securely over the Internet
21 Advanced Technology (Baltimore)
- Key Archive Server
  - securely backs up and recovers end-user private encryption keys
  - does not impact upon non-repudiation, since only encryption keys are archived and signing keys stay solely with the user
- Advanced Registration Module
  - enables automated, integrated, high-volume branded certificate issuance, enforcing centrally-generated security policies
- WebRAO
  - enables simple, secure approval of certificates using a standard web browser
- WebRAO Server
  - enables registration operators to connect to a remote Registration Authority over the Internet
22 Extended Technology: Attribute Certificate Server (Baltimore)
- Allows roles and privileges to be cryptographically linked to any standard certificate
- Potential to substantially increase the power, sophistication and flexibility of a PKI
23 Extended Technology: Timestamp Server (Baltimore)
- Supplies non-repudiation services
- Cryptographically links an imprint (hash) of a document with a timestamp, so that the document's existence at that time can be proven later without the timestamp server ever having seen the document itself
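The timestamp server's mechanism in code, as an added example written for this page; it is neither Baltimore's product nor the RFC 3161 TimeStampToken format (which is CMS/ASN.1), but it shows the same three steps: the requester sends only the SHA-256 imprint of the document, the server signs imprint plus time with its own key, and a verifier later checks both. The contract text is constructed sample input; the TSA key is generated on the fly and would, in a real PKI, be certified by the CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Token is the timestamp server's reply: the imprint it was handed, the time it
// attached and its signature binding the two (simplified stand-in for an RFC 3161 token).
type Token struct {
	Imprint   [sha256.Size]byte
	Time      time.Time
	Signature []byte
}

// TSA is the timestamp server; its public key would be certified by the CA in a real PKI.
type TSA struct{ key *ecdsa.PrivateKey }

func NewTSA() *TSA {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &TSA{key: k}
}

func (t *TSA) PublicKey() *ecdsa.PublicKey { return &t.key.PublicKey }

// toBeSigned is the fixed-layout byte string the TSA signs: imprint || time as
// big-endian Unix nanoseconds. Fixed widths leave no ambiguity between the fields.
func toBeSigned(imprint [sha256.Size]byte, at time.Time) []byte {
	buf := make([]byte, sha256.Size+8)
	copy(buf, imprint[:])
	binary.BigEndian.PutUint64(buf[sha256.Size:], uint64(at.UnixNano()))
	return buf
}

// Stamp receives only the imprint, never the document, so the requester keeps the
// content confidential yet obtains proof that the document existed at `now`.
func (t *TSA) Stamp(imprint [sha256.Size]byte, now time.Time) (Token, error) {
	at := now.UTC()
	digest := sha256.Sum256(toBeSigned(imprint, at))
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, digest[:])
	if err != nil {
		return Token{}, err
	}
	return Token{Imprint: imprint, Time: at, Signature: sig}, nil
}

// Verify is the relying party's later check: recompute the imprint of the document
// it was handed, compare with the token, then verify the TSA's signature over
// (imprint, time). A changed document, a swapped imprint or an edited time all fail.
func Verify(pub *ecdsa.PublicKey, doc []byte, tok Token) error {
	if sha256.Sum256(doc) != tok.Imprint {
		return errors.New("document does not match the time-stamped imprint")
	}
	digest := sha256.Sum256(toBeSigned(tok.Imprint, tok.Time))
	if !ecdsa.VerifyASN1(pub, digest[:], tok.Signature) {
		return errors.New("timestamp signature does not verify")
	}
	return nil
}

func main() {
	// Constructed sample document; any byte string works.
	contract := []byte("Supply agreement: 10,000 units at 4.20 EUR, delivery Q3")
	tsa := NewTSA()
	tok, err := tsa.Stamp(sha256.Sum256(contract), time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("original:", Verify(tsa.PublicKey(), contract, tok))
	fmt.Println("edited doc:", Verify(tsa.PublicKey(), []byte(string(contract)+"!"), tok))
	tok.Time = tok.Time.Add(-24 * time.Hour) // backdating attempt
	fmt.Println("backdated:", Verify(tsa.PublicKey(), contract, tok))
}
```

The non-repudiation value comes from the time being inside the signed bytes: the document owner cannot later claim an earlier date, and the server cannot be accused of having seen the contents, since it only ever handled the imprint.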
24 Enabled Applications (Baltimore)
hp trust centre:
- HP PKI Certificate Authority / Registration Authority
- Web server, MailSecure, FormSecure
- High availability configurations
- OpenView VantagePoint Operations
- VirtualVault components
25 KeySteps (Baltimore)
[Timeline chart, x-axis in months; phases in order:]
Awareness
1 - Requirements: business case, technical evaluation
2 - Architecture: blueprint
3 - Operations: CONOPS, policies
Prototype
4 - Security review: move forward
5 - Integration: pilot system, limited deployment
6 - Deployment: full scale, operational system
7 - Post-deployment
[Month ticks recovered from the chart: 2, 3, 4, 5, 6, 8, 10, 16]
26 Overview: HP PKI differentiation
- Worldwide coverage
- Pre-integrated solutions: PKI Protection, PKI Management, PKI Availability