Title: PKI
1PKI Mobile Commerce
- Lisa Pretty, PKI Forum
- Philip Berton, Baltimore
2Overview
- m-Commerce needs for security
- PKI Tutorial
- Current Advancements in PKI
- QA
3Intro to PKI Forum
- The PKI Forum is an international,
not-for-profit, multi-vendor and end-user
alliance whose purpose is to accelerate the
adoption and use of Public-Key Infrastructure
(PKI). The PKI Forum advocates industry
cooperation and market awareness to enable
organizations to understand and exploit the value
of PKI in their e-business applications.
4State of Digital Mobile Telephony
- Global System for Mobile Communications (GSM)
has over 215 million subscribers - GSM alone has more subscribers than the Internet
has users (210)
5Examples of Wireless Applications
- Top three uses of Internet enabled mobile phones
- Travel related uses
- Online banking
- Email
6Trust in The Wireless World
Who are you?
Can you pay?
Can you prove it?
Authentication
Payment
Validation
7What is Public Key Infrastructure
- Public Key Infrastructure (PKI) is a combination
of enabling technologies and practices which
offer organizations and individual users ways to
significantly enhance their security as well as
protecting, identities, transactions and privacy
on internal and public networks - It is essential for successfully deploying
- e-business applications
8PKI lets applications use public key cryptography
9What PKI Provides
- Authentication to ensure parties are who they
say they are - Confidentiality to protect sensitive information
- Integrity to guarantee a transaction is not
altered - Non-repudiation to prove the transaction
occurred to prevent any of the parties from
reneging on a transaction
10Business
11Technology
- PKI technologically rests on
- Cryptographysymmetric, asymmetric and hash
- Directories and data bases
- IT security protocols (SSL, SMIME, IPSEC, etc.)
- Communications/network substrate (TCP/IP,
networking, telephony, etc.) - Certificate interoperability, management
- V509 V3, DCE, etc.
- CRL, OCSP, ASN1
12Cryptography Is THE Basis for PKI
- There are three types of Cryptosystems
- Symmetric Key (sometimes called Secret Key)
- Asymmetric Key (Public Private Key Pairs)
- Message digests
- The best systems use all 3 cryptosystems
13Symmetric Key
The same key is used to encrypt and decrypt the
data. DES is one example, RC4 is another.
14Symmetric Key
- The Advantages
- Secure
- Widely Used
- The encrypted text is compact
- Fast
- The Disadvantages
- Complex Admin
- Requires Secret Key Sharing
- Large Number of Keys
- No non-repudiation
- Subject to interception
15Asymmetric or Public/Private Key
What is encrypted with one key, can only be
decrypted with the other key. RSA is one example,
Elliptic Curve is another.
16Asymmetric or Public/Private Key
- The Advantages
- Secure
- No secret sharing
- No prior relationship
- Easier Admin
- Many fewer keys
- Supports non-repudiation
- The Disadvantages
- Slower than symmetric key
- The encrypted text is larger than a symmetric
version
17Message Digest Algorithms
- Hashes are also widely used in cryptography, but
crypto hashes have some special properties - They cannot be run backwards to learn something
about the original plain text - The resulting hash does not tell you anything
about the original plain text - You cannot easily identify a plain text which
will hash to a specific hash value - SHA1 and MD5 are examples of crypto hashes
18One Way Hash Function
- Cryptographic function that receives a variable
length message as input and generates a fixed
size message-digest (or hash) - Easy to compute and irreversible
- Also used for providing data integrity
MD5
5d41402abc4b2a76b9719d911017c592
9bcfacf49c4636ee69e6ca22aae984c6
HashingAlgorithm
19Digital Signatures
20Digital Signatures
21Cryptosystems
22PKI Components
- Public/private key pair
- Digital certificate
- Certificate authority
- Repository
- PKI Enabled Client
- POLICY
23Digital Certificates
- X.509 Standard Digital Certificate
- - generally used in ASN1 format in binary
- - can be represented in ASCII text
- (add a sample digital certificate)
24Trusting the Public Key
X.509 Digital Certificate I officially
notarize the association between this
particular user and this particular Public
Key
25X.509 What????
The International Telecommunications Union,
ITU-T (formerly know as CCITT), is a
multinational union that provides standards for
telecommunication equipment and systems. ITU-T
possesses a particular fashion for naming an
ITU-T X.500 directory CCI88b, X.509
certificates and Distinguished Names.
Distinguished names are the standard form of
naming ITU-T Recommendation X.509 CCI88c
specifies the authentication service for X.500
directories, as well as the widely adopted X.509
certificate syntax. in other words, a
standards body
26Standards
27Public Key Cryptography Standards (PKCS)-1
PKCS1 - Encrypting and signing using RSA
public-key cryptosystems PKCS3 - Key agreement
with Diffie-Hellman key exchange PKCS5 -
Encrypting with a secret key derived from a
password PKCS7 - Syntax for messages with
digital signatures and encryption PKCS8 - Format
for private key information PKCS9 - Attribute
types for use in other PKCS standards
28Public Key Cryptography Standards (PKCS)-2
PKCS10 - Syntax for certification
requests PKCS11 - Defines the Cryptoki
programming interface PKCS12 - Portable format
for storing or transporting private keys PKCS13
- Encrypting and signing data using elliptic
curve cryptography PKCS14 - Gives a standard for
pseudo-random number generation PKCS15 - This
standard is under development it proposes a
standardized way of storing credentials on tokens
(smart cards)
29PKIX
- A working group of the IETF
- RFC 2459 Certificate and CRL profile
- RFC 2510 CMP Operational Protocols
- RFC 2527 Cert Policy and Certification
Practices Framework - RFC 2559 LDAP
- RFC 2560 OCSP
- PKIX documents and related RFCs can be found at
the following URLhttp//www.ietf.org/html.chart
ers/pkix-charter.html
30Certification Authority (CA)
- An Entity Whose Public Key You Trust
- Can be a Trusted Third Party
- The CA Issues Credentials
- Digital certificates is a form of credential
- Types of Digital Certificates
- Identity
- Attribute
- Role
- Permission
31What is a Registration Authority?
- Definition
- Entity that typically operates locally to
collect validated subject information and perform
subject/key binding for a certification
authority. - Functions
- Validate subjects identity
- Generate and submit validated certification
request to CA - Provide local certificate life-cycle management
support - Optionally supports distribution of certificate
to subject
32What is a Directory/Repository?
- Definition
- Data structure associated with a Certification
Authority(s) which hosts public key certificates
for use by PKI population. - Functions
- Support publication of certificates from CA(s)
- Support publication of certificate revocation
lists from CA(s) - Service subscriber/relying party requests for
cert and CRL info - High availability application transactional
services - Trusted operations, high integrity
33Security Policies
- Corporate/business practices
- General security policies and practices
- Security policies and practices
- Specific IT security policies
- Cryptographic policies and practices
- Uses of cryptography for authentication,
authorization, signing, non-repudiation, etc. - Certificates policies and practices
- Certification Practices Statement (CPS
- Characteristics of policies
- Pertinent
- Actionable
- Enforceable
- Auditable
34Legal Considerations
- US
- Electronic Signatures in Global and National
Commerce (E-SIGN) US law, June 2000 - National Conference of Commissioners on Uniform
State Laws (NCUSL)Uniform Commercial Code - Government Paperwork Elimination Act 1998(GPEA)
Title XVII of Public Law 105-2 - EU
- EU Directive on Electronic Signature
- Directs all member states to establish laws
following EU Directive by end of 2001. - Member states previous and current positions on
cryptography, privacy and electronic signatures - Asia and Others In development
35Practical Steps for PKI Implementation
- A PKI solution should consist of
- A Security Policy
- Certificate Practice Statement (CPS)
- Certificate Authority (CA)
- Registration Authority (RA)
- Certificate Distribution System
- PKI-enabled Applications
36Practical Steps for PKI Implementation
- There are several questions that need to be asked
before starting - What are you using PKI for?
- There are a rush of people wanting to use PKI
- People just dont understand PKI...
- Most people who don't fully understand the
technology, will not understand why major,
complex issues still exist
37Practical Steps for PKI Implementation
- What goals do you hope to achieve with it?
- Focus on defining the business requirements and
the value that PKI will add to your business. - One of the largest issues in implementing PKI
It is how PKI affects the business practice and
models in use today at their firms.
38Practical Steps for PKI Implementation
- Does scalability matter to you?
- If you are only going to issue a small number of
certificates - no problems - If you want to do tens of millions then you need
to thoroughly investigate the options - Think about manageability, security and policies
issues.
39Practical Steps for PKI Implementation
- Basic Steps for Implementing a Secure Application
- in an Internet Environment
- Identify the issues
- Define your requirements - short and longer term!
- Evaluate the security of your current application
- Establish security policies and procedures
- Define your Certification Practice Statement
- Select your security officers and administrators
- PKI-enable your applications
- Integrate your Directory
- Set up a Certification Authority
- Secure your CA facilities
- Run a preliminary test
- Launch your solution
40Practical Steps for PKI Implementation
- Areas to think about
- I) Primary functional components
- Certificate application requests
- Identity verification
- Certificate issuance
- Revocation and renewal
- Interfaces
- Standards support
41Practical Steps for PKI Implementation
- Areas to think about
- II) Certificate management support
- Certificate Revocation Lists (CRL) vs
OnlineCertificate Status Protocol (OCSP) - Key escrow/recovery
- Archiving
- Logging
- Directory services
42Practical Steps for PKI Implementation
- Areas to think about
- III) Operational considerations
- Availability
- Performance and capacity
- Security policies and procedures
- Insurance and bonding
- Reporting and alarms
- Customer service
- Product service and support
- Training and documentation
- Cross-certification and interoperability
43Public Key Lifecycle
44M-Commerce Needs for Security
- Intra-domain and end-to-end
- Authentication
- Data integrity
- Data confidentiality
- Wireless Networking Constraints
- Handheld device size and processing power
- Carrier network bandwidth
- Carrier network reliability
- Network discontinuities
- Between different wireless carriers
- Between wireless and wired networks
45Current Advancements in PKI
- Philip Berton
- Director Market Development
- Baltimore Technologies
46Agenda
- Whos Baltimore
- PKI Uptake Integral for E/commerce
- Catalysts
- Example Applications
- Seamless Security Integration
- Wireless
- Advancements
- Smartcards Over The Air Registration
- Roaming Enterprise Solutions
- Hybrid PKI/Biometric Models
- Embedded PKI technology
47Baltimore Technologies
- Global Company based in Dublin Ireland
- Over 1100 employees in 40 countries
- FY 2000 revenue 106M
- Philosophy Open protocols, standards based,
create a foundation for widespread E/commerce - What Baltimore Does
- PKI Unicert-- Hardware/Software, Hosting,
Consulting - Content Security-- MIME/Sweeper product family
- Access Control and Authorization -- Select
Access announced best in class by E-Week -
48PKI Uptake
- 98 of Global 2000 Enterprises using PKI by
2003 - Data monitor 1999. - 280M in 99 and Expected to be 3B by 2004
- Australian Taxation Office (ATO)
- More digital certificates in 6 months than the
entire existing certificate industry - Being found in most Industries and applications
Banking, Govt, Enterprise, Technology,
Communications, HealthCare, B2B, etc.
49Catalysts
- Growing Acceptance (Digital Signature laws)
- Analysts Technologists
- Large Scale Business Deployments
- Internet
- Business Philosophy Shift (share vs. concealment)
- Business Opportunities (HIPPA, E-Tax, E-Vote,
etc.) - Revolutionary
- Increased Efficiency
- Technology (Applications)
50Legally Binding Digital Signatures
- 50 US States now have enacted laws regarding the
scope of digital signatures - http//www.mbc.com/ecommerce/legis/table01.html
- Germany, Italy, UK, EU and US Governments have
enacted legislation - Security continues to enable, more
sophisticated, more valuable, more channels of
electronic commerce
51Change in Corporate Thinking
Identity/Signatures
Managing Business Relationships Online
- Secure Documents
- Personal Records
- Business trading distribution
- Affinity
- Information Access
Integration
Offense
Certificates
Smart Cards
Access
Assessment/Policy
Treating Large Groups Internally
Intrusion/Anti Virus
Password/PIN
Defense
- Email
- File access/share
- Directory lookup
Yellow Stickies
Firewalls
52Todays Tomorrows PKI Incorporates
53PKI Enabling
- Developer tools used to enable and create all
kinds of - Applications.
- XML (sign or verify)
- SSL (secure http, ftp, telnet)
- IP/Sec (VPN)
- WAP (authenticating and digital signing)
- S/MIME (email, EDI, legacy systems, storage)
- Java
- PKI enabled E/commerce w/o client via applets
54The Identrus System
- An International trust infrastructure
- Identrus provides a technology and legal
infrastructure to enable secure business to
business e-commerce for member bank clients on a
global basis by providing strong authentication
and real time validation services. - Business processes
- Legal Policies
- Risk Management
- Standards-based PKI
- Applications
55Business Applications
Electronic Commerce
Financial Services
- Online Auction Markets
- Electronic Content Delivery
- Insurance Sales Contract
- Securities Trading
- Government Filings, Procurement, etc.
- ACH Payments
- Corporate Purchasing
- International Trade
- Letter of Credit
- Bill Presentation
- Statement Delivery
Identrus Certificate
7
56Global Legal Framework
57Seamless Security Integration
58Defining policy based esecurity
POLICY
PKI
ACCESSCONTROL
CONTENTSECURITY
PKI as high security authentication
Content Policy Rules for Access Control
Authorization
59Securing Wireless World
Wireless esecurity will extend Public Key
Infrastructures to mobile users
users
60WTLS Authentication Levels
- All have privacy and integrity
- Class I- Anonymous (No authentication)
- Class II (Server authentication only)
- Class III (Client and server authentication)
X.509
X.509
WTLS
WAP Gateway
Web Server
Mobile User
61Wireless Application Protocol (WAP)and WPKI
- WIM (Wireless Identity Module)
- Certificate IDs A reference URL pointing
- to the actual certificate
- It is a simple string requiring minimal
- bandwidth/storage
- No problem sending over the air
- Can store multiple certificates
- But most existing applications dont
- understand CertIDs
URL1
URL2
URL3
URL4
URL5
URLn
62Enterprise - sample model
WTLS CLASS 3
63PDA Market Forecasts
- Within 2-3 years 20-25 of corporate knowledge
workers will obtain a companion computing device
(e.g., PDA)...- META Group Feb, 2000 - Almost a quarter of desktop management spending
in 2003 will be allocated to the control of
mobile and remote PCs and other handheld devices
within the enterprise... - IDC 9/01/99 - Researchers predict global sales of hand-held
computers hitting 7.2B in 2003, with unit sales
increasing to 32.5M from the current 8.2M -
Wall Street Journal April, 2000
64Embedded PKI
- Devices (phones, PDAs, appliances, satellites,
cars, network devices, cable modems, etc. - Increasing Intelligence in these devices
- Looking to include basic crypto and security
functions like PKI which continues to build the
foundation. - TCPA (Trusted Computing Platform Alliance)
- Looking to complement standards such as VPN, IKE,
PKI, SSL, IPSec, S/MIME, etc. by creating basic
security functions into platform hardware, BIOS,
system and operating software. - Moores Law For Another Decade Speed Doubles
Every 18 Months
65SmartCards PKI
- Expand the boundaries of what you can do
- Bulk and Over the Air Registration
- Multiple factor authentication
- Increased Security (secure device)
- Feasibly integrated into any application with
readers - Allows for mobility a personal take it with you
device - Makes a roaming solution for Enterprise
Road-Warriors obsolete the use of kiosks, public
or 3rd party devices.
66Hybrid Models PKI/Biometrics
- Biometrics identifying something unique to the
individual finger print, iris, retina, hand
geometry, voice, handwriting, etc. - Biometrics being used in authentication into
physical areas, onto networks, and onto
personal/work devices. - Many Biometric (Service Providers) companies are
looking to have PKI back-ends and use biometrics
for 2nd/3rd factor authentication. Device or
Server Centric. - There are issues in having the biometric data
being communicated and compatible with PKI
standards.
67Conclusion Where Are We?
Crossing The Chasm by Geoffrey Moore
68Conclusion
- The critical question-- What Needs to Happen for
True - PKI enabled E/Commerce?
-
- The continued convergence of technologies in
communications, affiliated technologies and
simple useful applications to make security easy
invisible. - Continued proof of efficiencies associated with
the technology and the digital revolution.
69Additional Information
- Website www.pkiforum.org
- Email info_at_pkiforum.org
- Phone 781-876-8810