1 SPOCK Demonstration of Entrust PKI
MAJ Michael W. Davis, 410-859-6318, mdavis@gibraltar.ncsc.mil
13 August 1998
Participating organizations: NSA, Army, IRS, Air Force, Navy

2 AGENDA
- What's the SPOCK Program
- Past Accomplishments
- Who's in SPOCK
- What does the SPOCK team do
- Demonstration Process
- SPOCK PKI Architecture
- PKI Claims and Results
- Lessons Learned
- Return on Investment
- Summary

3 What's SPOCK?
"A Consortium of Product Developers and Government System Integrators interested in exploring INFOSEC commercial solutions and Enabling Technologies"

4 PAST ACCOMPLISHMENTS 1995-1998
- 32 Consortium Meetings, over 1500 attendees
- 96 Emerging Topic Areas briefed
- 8 diverse solutions demonstrated
- Established Zones of Cooperation: over 40 Government System Integration Communities, over 100 Solution Developers
- Input for the President's Quality Award
- Nominated for SECDEF's Team Excellence Award

5 Who's in SPOCK
- Army: BCBL-G, LIWA, DISC4
- Navy: SPAWAR, NAVSEA, NIA FIWC, NIWA, NRL
- Air Force: AFIWC, 609 IWS, AFOSI, CPSG
- Joint: J6, DISA
- Non-DoD: NASA, DoJ
- NSA: V, Y, X, C

6 What does the SPOCK Team do?
- Attend monthly briefings on Warfighter Architectures and Solutions
- Demonstrate Security Claims in Warfighter Architectures
- Write SPOCK Demonstration Reports
- Develop Draft Security Targets and Protection Profiles

7 DEMONSTRATION PROCESS
1. Solution/Developer identified.
2. Developer briefs the Solution during a meeting.
3. Developer presents Security Claims, Architecture, and Equipment Requirements.
4. SPOCK prepares Scripts to demonstrate the Claims.
5. SPOCK demonstrates the Security Claims in Government Architectures.
6. SPOCK writes the Demonstration Report, signed by Chief, NSA V2.

8 ENTRUST CA ARCHITECTURE
(Diagram: the Certificate Authority, running Entrust/Authority and Entrust/Admin, connected to the Directory, to Users, and to Other CAs.)

9 SPOCK PKI COMPONENTS
- CA: Entrust/Manager & Entrust/Admin
- Directory: ICL i500 X.500 Directory
- User: Entrust/Clients

10 SPOCK PKI Directory Schema
c=US
  o=US Gov
    ou=Navy
    ou=Air Force
    ou=ITRLab
    ou=NSA
    ou=Army
  o=IITRI
Entries under each ou and under o=IITRI: cn=user1, cn=user2, cn=user3, cn=user4; one site also holds cn=webserver.
KEY: c=country, o=organization, ou=organizational unit, cn=common name
- Each site contains ICL's i500 X.500 Directory
- Each site contains 3,000 user entries
- Each site is "chained" to all of the others to browse and retrieve certificates

11 SPOCK PKI ARCHITECTURE
Five sites (CA1 through CA5), each with its own Users, a cross-certified Certificate Authority (Entrust/Manager) and a CA X.500 Directory (Entrust/Directory), linked by LDAP connectivity:
- NSA DECIN Lab, Linthicum, MD
- IRS, IITRI, Lanham, MD
- Army DISC4, J.G. Van Dyke, Alexandria, VA
- Air Force CPSG, San Antonio, TX
- Navy NIWA, COACT, Columbia, MD
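The directory lookup that slides 10 and 11 describe, as an added example that is not part of the presentation nor of Entrust's or ICL's software: it parses string DNs from the SPOCK schema, routes each one to the chained site directory whose naming context is the longest suffix of the DN, and shows why an IRS entry under o=IITRI is missed by a search base of o=US Gov,c=US, the kind of "search base" problem the team reports. The site names and naming contexts are assumed from the two slides; the CA-number-to-site mapping is not recoverable from the transcript and is not used.

```go
package main

import (
	"fmt"
	"strings"
)

// RDN is one relative distinguished name, e.g. {Type: "ou", Value: "Army"}.
type RDN struct{ Type, Value string }

// Site is one SPOCK site directory and the naming context (subtree) it holds.
type Site struct{ Name, Context string }

// SpockSites is constructed from slides 10 and 11 (assumed, not from the deck).
// o=IITRI sits directly under c=US rather than under o=US Gov, so a client
// whose search base is "o=US Gov,c=US" can never retrieve an IRS certificate.
var SpockSites = []Site{
	{"NSA DECIN Lab - Linthicum, MD", "ou=NSA,o=US Gov,c=US"},
	{"IRS IITRI - Lanham, MD", "o=IITRI,c=US"},
	{"Army DISC4 - Alexandria, VA", "ou=Army,o=US Gov,c=US"},
	{"Air Force CPSG - San Antonio, TX", "ou=Air Force,o=US Gov,c=US"},
	{"Navy NIWA - Columbia, MD", "ou=Navy,o=US Gov,c=US"},
}

// ParseDN splits an RFC 4514 string DN (least significant RDN first) into RDNs.
// Backslash escapes are honoured, so "cn=Smith\, John" keeps its comma;
// multi-valued RDNs joined with '+' are not handled.
func ParseDN(s string) ([]RDN, error) {
	var out []RDN
	var cur strings.Builder
	flush := func() error {
		t, v, ok := strings.Cut(cur.String(), "=")
		cur.Reset()
		t, v = strings.TrimSpace(t), strings.TrimSpace(v)
		if !ok || t == "" {
			return fmt.Errorf("malformed RDN %q", t)
		}
		out = append(out, RDN{strings.ToLower(t), v}) // attribute types are case-insensitive
		return nil
	}
	escaped := false
	for _, r := range s {
		switch {
		case escaped:
			cur.WriteRune(r)
			escaped = false
		case r == '\\':
			escaped = true
		case r == ',':
			if err := flush(); err != nil {
				return nil, err
			}
		default:
			cur.WriteRune(r)
		}
	}
	if escaped {
		return nil, fmt.Errorf("dangling escape in %q", s)
	}
	if err := flush(); err != nil {
		return nil, err
	}
	return out, nil
}

// UnderContext reports whether dn lies in the subtree rooted at ctx. The schema's
// c/o/ou/cn values use caseIgnoreMatch, hence the case-insensitive comparison.
func UnderContext(dn, ctx []RDN) bool {
	if len(ctx) > len(dn) {
		return false
	}
	for i := 1; i <= len(ctx); i++ {
		a, b := dn[len(dn)-i], ctx[len(ctx)-i]
		if a.Type != b.Type || !strings.EqualFold(a.Value, b.Value) {
			return false
		}
	}
	return true
}

// RouteLookup picks the chained site directory whose naming context is the longest
// suffix of dn. An entry outside every context cannot be reached by chaining at all.
func RouteLookup(sites []Site, dnStr string) (string, error) {
	dn, err := ParseDN(dnStr)
	if err != nil {
		return "", err
	}
	best, bestLen := "", 0
	for _, s := range sites {
		ctx, err := ParseDN(s.Context)
		if err != nil {
			return "", err
		}
		if UnderContext(dn, ctx) && len(ctx) > bestLen {
			best, bestLen = s.Name, len(ctx)
		}
	}
	if best == "" {
		return "", fmt.Errorf("%s: no chained directory holds this entry; check the search base", dnStr)
	}
	return best, nil
}

func main() {
	for _, dn := range []string{
		"cn=user2,ou=Navy,o=US Gov,c=US",
		"cn=user1,o=IITRI,c=US",
		"cn=Smith\\, John,ou=Army,o=US Gov,c=US",
		"cn=user1,ou=Marines,o=US Gov,c=US", // no such subtree in the schema
	} {
		if site, err := RouteLookup(SpockSites, dn); err != nil {
			fmt.Println("ERROR:", err)
		} else {
			fmt.Printf("%-42s -> %s\n", dn, site)
		}
	}
}
```

The longest-suffix rule matters because the five contexts are not disjoint prefixes of one tree: a client that takes the first match for "o=US Gov,c=US" would route every service's users to one site. Run it and the Marines DN fails with the same symptom the team saw, a lookup that silently finds nothing until the search base is corrected.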

12 DECIN Lab ARCHITECTURE
(Diagram only.)

13 ENTRUST PKI CLAIMS
1.1 Key Management Transparency
1.2 Secure Key Recovery
1.3 Auto Key Update
1.4 Client Key Initialization
1.5 Certificate Revocation
1.6 Support Cross-certification
1.7 Entrust Scalability
1.8 Hardware Tokens Option
1.9 Support Multiple Algorithms
1.10 Support Multiple Applications

14 Key Management Transparency
Claim: Users should be able to use the security product without understanding cryptography or key management.
Method: E-Mail, signed and encrypted (Entrust/Express); Desktop File Encryption (Entrust/ICE).
Result:
1. Claim verified. The management of keys is transparent to users.
2. Searching the Directory is NOT transparent.

15 Secure Backup & Key Recovery
Claim: Entrust provides the ability to recover keys in cases where a valid user has forgotten their password or an employee has left the company. There are three general cases for "key recovery".
Method: Send the Authentication Code and Reference Number "out of band" to the authorized individual.
Result:
1. Claim verified. Recovered files and email.
2. The Entrust Key Recovery solution is best suited to an authorized user who has forgotten their password.

16 Automatic Key Update
Claim: Certificates are updated without user involvement.
Method: Set the Encryption and Verification period to 2 months. Set Signing Private to 10 percent.
Result:
1. Claim verified. User informed by message box.
2. If the renewal period is missed, key recovery is required.

17 Client Key Initialization
Claim: Clients are initialized using a secure "pipe". Clients can be set up remotely over a network.
Method: Run the installation program over the network. Requires: Authentication Code, Reference Number, and access to the install program and entrust.ini file.
Result: Claim verified. Remote install in 20 minutes. SEP was not verified.

18 Certificate Revocation
Claim: Entrust provides the ability to revoke certificates.
Method: Revoke a user. Attempt to send and receive email. Attempt to access the web server. Attempt to use ICE.
Result:
1. Claim verified after modifications.
2. Express does not verify the certificate prior to sending.

19 Support Cross-Certification
Claim: Certificate Authorities are able to cross-certify.
Method: Establish the search base by "chaining" directories. Use Entrust Managers to cross-certify. Send encrypted mail/files to another domain.
Result:
1. Claim verified.
2. Problems searching the Directory.
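An added example, not the presentation's or Entrust's code, covering the revocation test on slide 18 and the cross-certification test on slide 19 with Go's crypto/x509 (Go 1.21 or later, for RevocationListEntry): two constructed CAs, CA1 (ou=Army) and CA2 (ou=Navy), cross-certify; a Navy client that trusts only CA2 builds a path to an Army user's certificate through the cross-certificate, and, unlike Entrust/Express as observed on slide 18, consults the issuer's CRL before encrypting. Names, serial numbers, key types and lifetimes are hypothetical, and the CRL stands in for the one a client would fetch from the X.500 Directory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is a Certificate Authority's signing key and self-signed certificate (all constructed).
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func dn(ou, cn string) pkix.Name { // mirrors the SPOCK schema c=US, o=US Gov, ou=..., cn=...
	return pkix.Name{Country: []string{"US"}, Organization: []string{"US Gov"},
		OrganizationalUnit: []string{ou}, CommonName: cn}
}

func caTemplate(ou string, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: dn(ou, ""),
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue signs tmpl (carrying pub) with signer's key under parent's name; parent == tmpl self-signs.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// IssueCRL publishes the CA's current revocation list, valid for one day.
func (c *CA) IssueCRL(revoked []*big.Int, now time.Time) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, c.Cert, c.Key)
	if err != nil {
		panic(err)
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		panic(err)
	}
	return crl
}

// Demo: two cross-certified domains and one Army user a Navy client wants to encrypt to.
type Demo struct {
	CA1, CA2 *CA
	Cross    *x509.Certificate // CA1's public key certified by CA2 under CA1's name
	User     *x509.Certificate // cn=user1,ou=Army, issued by CA1
}

func BuildDemo(now time.Time) *Demo {
	k1, k2, ku := newKey(), newKey(), newKey()
	t1, t2 := caTemplate("Army", 1, now), caTemplate("Navy", 2, now)
	ca1 := &CA{k1, issue(t1, t1, &k1.PublicKey, k1)}
	ca2 := &CA{k2, issue(t2, t2, &k2.PublicKey, k2)}
	// Cross-certification: CA2 vouches for CA1's key, so a client trusting only CA2
	// can build a path Navy root -> cross-certificate -> Army user.
	cross := issue(caTemplate("Army", 100, now), ca2.Cert, &k1.PublicKey, k2)
	ut := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: dn("Army", "user1"),
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(60 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	return &Demo{ca1, ca2, cross, issue(ut, ca1.Cert, &ku.PublicKey, k1)}
}

// CheckBeforeEncrypt is the step the demonstration found Express skipped: build a trust
// path from the local anchor, then check the issuer's current CRL before encrypting.
func CheckBeforeEncrypt(recipient *x509.Certificate, roots, intermediates *x509.CertPool,
	crl *x509.RevocationList, now time.Time) error {
	chains, err := recipient.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	if err != nil {
		return fmt.Errorf("no trust path: %w", err)
	}
	issuer := chains[0][1] // the certificate that signed the recipient's (here the cross-certificate)
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by recipient's issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale; fetch a fresh one from the Directory")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(recipient.SerialNumber) == 0 {
			return fmt.Errorf("certificate %s revoked at %s", recipient.SerialNumber, e.RevocationTime.Format(time.RFC3339))
		}
	}
	return nil
}

func main() {
	now := time.Now()
	d := BuildDemo(now)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(d.CA2.Cert) // the Navy client trusts only its own CA ...
	inters.AddCert(d.Cross)   // ... plus the cross-certificates retrieved from the Directory
	fmt.Println("before revocation:", CheckBeforeEncrypt(d.User, roots, inters, d.CA1.IssueCRL(nil, now), now))
	fmt.Println("after revocation: ", CheckBeforeEncrypt(d.User, roots, inters,
		d.CA1.IssueCRL([]*big.Int{d.User.SerialNumber}, now), now))
}
```

Two design points follow from the slides. The CRL must be signed by the key that issued the recipient's certificate, which after cross-certification is reachable only through the cross-certificate, so the check uses the verified chain rather than a name lookup; and a CRL past its NextUpdate is treated as missing, since the Directory is the only place a client learns that a user was revoked.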

20 Scalability
Claim: Quickly add 3,000 users within each domain.
Method: "Bulk Load" using a disk loaded with 3,000 names and serial numbers. Real users were loaded individually.
Result: Claim verified.

21 Hardware Tokens / Biometrics
Claim: Support tokens for storing profiles and biometrics for authentication of users.
Method: Use a Datakey smart card to store the user's profile. Use a biometrics device instead of a password to authenticate users.
Result: Hardware Token claim verified. The biometrics device vendor could not provide correct drivers.

22 Multiple Algorithms
Claim: Entrust supports multiple algorithms for hashing, encryption and digital signature.
Method: Use Entrust Manager to select hashing and digital signature algorithms. Use Entrust Client and Applications to select different encryption algorithms. Send email and files to other users.
Result: 1. Claim verified within the abilities of the SPOCK Team.

23 Single Password, Many Applications
Claim: Entrust uses the single password for a user's certificate to log on to secure applications.
Method: Start Client, enter password. Start ICE, enter the same password. Start Express, enter the same password. Start Entrust-Ready Netscape, enter the same password.
Result: Claim verified. Automatic logoff time is set for each application.

24 LESSONS LEARNED
- The significance of the X.500 Directory.
- "Open" Security Policy.
- Key Recovery.
- Significant Firewall configuration issues.

25 RETURN ON INVESTMENT
SYSTEM INTEGRATOR
- Quick look at emerging technology
- Solution strengths and weaknesses are demonstrated in THEIR warfighter configurations
GOVERNMENT
- Learn about and influence emerging solutions
- Insight into future architectures (requirements)
INDUSTRY
- Better understands the Warfighter's needs
- Rapid exposure of the solution in a Warfighter Architecture

26 SUMMARY
- SPOCK focuses on commercial INFOSEC solutions and emerging technologies
- SPOCK demonstrates security in legacy and contemporary architectures
- SPOCK "teams" to demonstrate security in operational architectures
- SPOCK supports development of Protection Profiles and Security Targets

27 QUESTIONS & COMMENTS

28 SPOCK CONTACTS
SPOCK Chairman: Louis Giles, Chief V2, (410) 859-6281
SPOCK Program Manager: Terry Losonsky, terryus@aol.com, (410) 859-6318, FAX (410) 859-6897
SPOCK Deputy Program Manager: MAJ Michael Davis, mdavis@gibraltar.ncsc.mil, (410) 859-6318, FAX (410) 859-6897
http://spock.v.nsa:12080/
SPOCK Contract Support: Larry McGinness, spock@coact.com, (301) 498-0150, FAX (301) 498-0855, www.coact.com/spock.html

29 SECURE E-MAIL
(Diagram: at each site the E-mail application runs over the Entrust Client and OS, with a Mail Server, the Entrust CA and the Directory; remote sites are connected over the Internet. Operations shown: Encrypt/Decrypt, Sign/Verify Signature.)

30 SECURE WEB BROWSER
(Diagram: at each site the Browser runs over the Entrust Client and OS, with a Web Server, the Entrust CA and the Directory; remote sites are connected over the Internet. Operations shown: Encrypt/Decrypt, Sign/Verify Signature.)

