Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hardware Security Modules and Kerberos Asanka Herath Secure Endpoints Inc.

Published byAlonzo Pender Modified over 10 years ago

Similar presentations

Presentation on theme: "Hardware Security Modules and Kerberos Asanka Herath Secure Endpoints Inc."— Presentation transcript:

1 Hardware Security Modules and Kerberos Asanka Herath Secure Endpoints Inc.

2 WHY HSMS? Advantages of integrating HSMs into the Kerberos infrastructure

3 Why HSMs? Compromise containment Reliable Auditing Performance Compliance (FIPS 140)

4 KEY MANAGEMENT WITH AN HSM Changes to key management when integrating an HSM

5 For example…

6 nCipher nShield

7 NCIPHER SECURITY WORLDS

8 Properties of a Security World Key management Managed key usage Key encapsulation Keys generated and live inside the security world and (ideally) never leave Secure code execution Secure Execution Environment (SEE)

9 A Security World Consists of … Hardware modules Administrator card set Operator card sets and/or softcards Encrypted key data or certificate data

10 The Security World Key Contained in … The administrator card set Protects … Key recovery information

11 Module Key Contained in … The hardware module Protects … Application keys

12 Operator Keys Contained in … Operator card sets Protects … Application keys

13 Application Keys Contained in … Key blobs Protects … Other applications keys Data

14 A Security World Consists of … Keys that protect other keys

15 A Hierarchy of Keys Application Key AOperator Key A Operator Card Set Application Key B Data

16 A Hierarchy of Keys Application Key A Module Key Application Key B Data

17 Privilege Separation Ability to use a key gives the ability to use child keys But not vice-versa Facilitates privilege separation

18 Key Tickets Can be issued for any loaded key Can be redeemed for the use of a specific key Necessary for delegating use of keys across application boundaries Transient Per session

19 Working With Key Tickets Application Key AApplication Key B Application Key B Ticket Application Key B Application Key B Ticket Data Process 1Process 2

20 HEIMDAL Integrating HSMs with Kerberos infrastructure

21 Key Usage Model in Heimdal Application has access to plaintext key

22 New Key Usage Model Separate key usage from key material An application doesnt need the plaintext key in order to use it Ability to specify a key without knowing the plaintext key Key tickets Key blobs Key identifiers Ability to load and unload keys Using already loaded keys

23 KERBEROS API AND LIBRARY Whats involved in integrating the use of HSMs into code

24 Key Encoding Current … Assumes knowledge of the physical key Key length is fixed No need to prepare/clean up keys. Stateless. (exceptions: derived keys, key schedules) Need … Backwards compatibility Support key references Key tokens Key blobs Key identifiers

25 Key Blob Contains (encrypted with parent key) Key Access control list Usage constraints Time limits Use limits Issuance certificate Security world and module information Timestamps

26 Key Types and Encryption Types A new Key Type? A new Encryption Type? Must distinguish between a plaintext key and a key reference

27 Something like … Plain text (fixed) Heade r Key blob (variable) Heade r Key reference (variable)

28 Key Lifetimes Loading a key requires a parent/authorization key to be already loaded Lifetime refers to the time between loading and unloading a key

29 Connection to Hardware Devices Connections must be established first Can be somewhat expensive Lazy connections Connections should be avoided if unnecessary Specially for client libraries where we may or may not have access to the security world and access to security world is not necessary

30 Privilege Separated Processes Break into privilege separates processes Move privileged code into SEE

31 Q&S asanka@secure-endpoints.com

Download ppt "Hardware Security Modules and Kerberos Asanka Herath Secure Endpoints Inc."

Similar presentations

PKCS-11 Protocol for Enterprise Key Management

PKCS-11 Protocol for Enterprise Key Management
Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
NETWORK SECURITY.

NETWORK SECURITY.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
SafeNet Luna XML Hardware Security Module

SafeNet Luna XML Hardware Security Module
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.

1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Web Services, SOA and Security May 11, 2009 Michael Burnett.

Web Services, SOA and Security May 11, 2009 Michael Burnett.
Doc.: IEEE 802.11-04/0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.

Doc.: IEEE /0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.
Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

Similar presentations

Ads by Google