Presentation is loading. Please wait.

Presentation is loading. Please wait.

NetHSM Dhiva Muruganantham DOEGrids CA ESnet/LBNL.

Published byMonica Clark Modified over 8 years ago

Similar presentations

Presentation on theme: "NetHSM Dhiva Muruganantham DOEGrids CA ESnet/LBNL."— Presentation transcript:

1 netHSM Dhiva Muruganantham DOEGrids CA ESnet/LBNL

2 Agenda Hardware Security Module Overview –nShield –nToken & netHSM –Security World netHSM Transition

3 HSM: nCipher Security World How the nCipher Security World Works From nCipher Security World whitepaper

4 Hardware Security Modules: Overview Purpose: Defend CA private keys from theft 2001-2002 evaluation: selected nCipher nCipher Security World concept –Ciphertext keys in file system –Plain text keys only in nCipher FIPS-140-3 nShield hardware –Key activities controlled by nCipher OPERATOR card set (eg enabling CA signing activity) –Key management and Security World manged by Administrative card set (ACS) –Operation: Key material is downloaded from file system to device OCS smart card enables key material – plain text signing key is available for operations in device PKCS#12 library calls cause plaintext key to be use Private key in plaintext form never leaves device (PKCS#12 function disabled) 2 Distinct Security Worlds: –Root CA (private) – own ACS, own OCS –All current online CAs – one ACS set, multiple OCS sets, one set for each CA Key – splitting for cards: m of n configuration (eg 3 cards req’d out of 9 total) All ACS sets are m of n configuration OCS cards are single use – Iplanet/SunONE CMS inflexiblity limits our ability to use this technique. (That is, 1 of n).

5 netHSM A Hardware Security Module attached to a network as a shared resource –Remote Operation possible –Can be offline, when it is not in use netHSM components –netHSM –Remote File System –nToken device

6 netHSM objective Transfer the current DOEGrids CA security world in to “netHSM” architecture. Experiment netHSM offerings:- –Multiple netHSM with load balancing –Multiple Remote File System ( RFS) –CA service using netHSM with nTOKEN device –CA service using netHSM but without nTOKEN device –CA service using netHSM with old nShield device

7 Present and Future Present –nShield per CA –Single security world ( 1 set of ACS) for all the online CAs; Root CA excluded –Multiple Operator Card set ( 1 set per CA) Future with netHSM –Multiple netHSM (at least 2 to with stand failure) –Multiple Remote File Server( at least 2 rfs) –Transfer the current Security world into netHSM –Exercise ‘netHSM’ Remote Operation feature –Clone all the online CAs

8 Configuration 1 RFS Client 1 netHSM

9 Configuration 2 RFS Client 1 netHSM

10 Configuration 2 … RFS Client 1 netHSM Client 2

11 Client 2 netHSM with multiple clients RFS Client 1 netHSM Client “n”

12 Client 2 Multiple netHSM RFS 1 Client 1 netHSM 1 Client “n” netHSM 2 RFS 2

13 Findings 1 RFS per netHSM Security world can exists without having an nToken device; i.e client machine can be configured with or without nToken and still can communicate with netHSM Client machine enrollment (mutual authentication) –ipaddress needs to be notified to netHSM before hand –then the client initiates the enrollment request to netHSM After the initial setup netHSM works with out Remote File System Every Client can also act as RFS? Testing in progress

14 Questions? netHSM – RFS – client : Is it necessary to do file system sync between ‘rfs’ and ‘client’? Looks like Yes. Can the client be configured to have multiple HSMs? Multiple netHSM per RFS Multiple netHSM configuration for a client Multiple RFS configuration for a client

Download ppt "NetHSM Dhiva Muruganantham DOEGrids CA ESnet/LBNL."

Similar presentations

Gareth Ellis Senior Solutions Consultant Session 5a Key and PIN Management.

Gareth Ellis Senior Solutions Consultant Session 5a Key and PIN Management.
Hardware Security Modules and Kerberos Asanka Herath Secure Endpoints Inc.

Hardware Security Modules and Kerberos Asanka Herath Secure Endpoints Inc.
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.

CONFIDENTIAL © Copyright Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.
SPEKE S imple Password-authenticated Exponential Key Exchange Robert Mol Phoenix Technologies.

SPEKE S imple Password-authenticated Exponential Key Exchange Robert Mol Phoenix Technologies.
Deploying and Managing Active Directory Certificate Services

Deploying and Managing Active Directory Certificate Services
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer Sept 2000 Margie Cashwell Senior Sales Engineer

Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer Sept 2000 Margie Cashwell Senior Sales Engineer
Citrix ® Secure Gateway Phil Montgomery Senior Product Manager Citrix Products and Services October 2001.

Citrix ® Secure Gateway Phil Montgomery Senior Product Manager Citrix Products and Services October 2001.
Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.

Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.

Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.
IGEL Security Product Marketing Manager October 2011 Florian Spatz Thin computing secures your data.

IGEL Security Product Marketing Manager October 2011 Florian Spatz Thin computing secures your data.
Chapter 11: Active Directory Certificate Services

Chapter 11: Active Directory Certificate Services
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Chapter 12 Reading assignment n From “Running Linux”, on reserve at PSU Main library (2-hour checkout) Chapter 1 (pages 1 through 41)Chapter 1 (pages 1.

Chapter 12 Reading assignment n From “Running Linux”, on reserve at PSU Main library (2-hour checkout) Chapter 1 (pages 1 through 41)Chapter 1 (pages 1.

Similar presentations

Ads by Google