PKI Implementation in the Real World

PKI Implementation in the Real World Lessons Learned

Client CA Implementation
One of our current Government clients has implemented a Certificate Authority to issue PKI certificates for Federal Employees at participating Agencies. Recently, they asked us to help them document and update their processes, and help to expand their business. We can use their example to understand a real world implementation and gather some lessons learned. We will call this client “US Certificate Authority,” or USCA.

Glossary
- Public Key Crypto – key pairs used to encrypt/decrypt or sign/verify
- Certificate – a digital method of binding a key pair or pairs to a specific identity
- Certificate Authority – the system that securely creates the certificates
- Public Key Infrastructure – the whole system of creating, issuing, managing, utilizing and revoking certificates

USCA’s CA
USCA has implemented a private Certificate Authority based on Entrust software. It was built and is operated by USCA employees, at a local datacenter with remote failover.
The Certificate Authority’s primary responsibility is to ensure the validity of each certificate and key pair that is issued.
- Secure architecture to generate keys and certificates
- Secure, enforceable processes to verify the users or systems to whom it issues the certificates
Unlike the Verisign model, each private Certificate Authority is part of a closed system that is not automatically trusted by other systems or external users. In order to trust the Certificates issued by the USCA, the end user has to explicitly import and trust the Public Key of the CA, or the system or application has to trust the Public Key.

USCA’s Certificates
Each USCA User Certificate is issued with 2 key pairs and can be used for:
- Authentication
- Cryptography: Encryption / Decryption
- Digital Signatures
The certificates enable Virtual Private Network using Checkpoint Firewalls, Encrypted/Digital Signature E-Mail, Encrypted E-Mail, Application Encryption and/or Digital Signature (non Web), and Desktop Encryption.
There have been about 5000 user certificates issued so far. In addition, USCA can issue SSL certificates.

Overall Certificate Issuance Process

Lessons Learned from this Implementation
The technology is NOT the problem. Once the technologies are successfully implemented, the biggest problems are user issues and process issues.
- User registration
- LRA identity proofing
- User training
- Use of certificates within applications

Identity Proofing
Once a new client group has been added to the closed Certificate Authority, the CA is set up to issue certificates for authorized members of the new group. The first step is to validate who is requesting the new certificate by identity-proofing. This is performed by a Local Registration Authority from the client group.
- Need to verify the identity of the new user. This is hard!
- Must be in person, which is hard for distributed organizations.
- What documents can a user present to prove they are John Doe?
- How much trust can you place in a State Driver’s License and other “breeder” documents?

User Registration
The next step is to collect information about the user and verify that they have the approval of the client group to receive a certificate. The user information must match the information given to the Local Registration Authority – this means that you can’t just ask the user to type in their information, you have to build in a process to double-check it.
The user registration process is also typically used to help deliver the actual certificate, often by giving the user one of multiple “tokens” that they will need to download the certificate.
Since the certificates cost the client group $$$, the approval is important. How is this verified?
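An added example, not part of the original presentation and not USCA's or Entrust's code: one way to build the double-check described above, comparing what the user typed against the record the Local Registration Authority captured, confirming group approval, and requiring every token before the certificate is released. The field names, token names, digest storage and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import unicodedata

MATCH_FIELDS = ("full_name", "agency", "email")  # hypothetical field names


def norm(value):
    """Fold Unicode form, case and whitespace so cosmetic differences do not cause a mismatch."""
    return " ".join(unicodedata.normalize("NFKC", value).casefold().split())


def digest(token):
    """Tokens are kept only as SHA-256 digests, never in the clear (an assumption of this sketch)."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def check_registration(lra_record, submitted, tokens):
    """Return the reasons to refuse issuance; an empty list means the certificate may be released."""
    problems = []
    for field in MATCH_FIELDS:
        if norm(submitted.get(field, "")) != norm(lra_record[field]):
            problems.append("mismatch:" + field)
    if not lra_record["group_approved"]:
        problems.append("no-group-approval")
    # Every token must be presented; digests are compared in constant time.
    for name, stored in lra_record["token_digests"].items():
        if not hmac.compare_digest(digest(tokens.get(name, "")), stored):
            problems.append("bad-token:" + name)
    return problems


# Constructed sample record, as an LRA might capture it during in-person proofing.
# Real tokens should be long random values; these short ones are for readability only.
LRA_RECORD = {
    "full_name": "John Doe",
    "agency": "Example Agency",
    "email": "john.doe@agency.example",
    "group_approved": True,
    "token_digests": {"registration": digest("REG-4821"), "out_of_band": digest("OOB-7730")},
}

if __name__ == "__main__":
    form = {"full_name": "  john  DOE ", "agency": "Example Agency", "email": "John.Doe@agency.example"}
    both = {"registration": "REG-4821", "out_of_band": "OOB-7730"}
    print(check_registration(LRA_RECORD, form, both))
    print(check_registration(LRA_RECORD, dict(form, full_name="Jon Doe"), {"registration": "REG-4821"}))
```

The returned reasons are meant for the RA's audit trail; the user-facing message should stay generic so a failed attempt does not reveal which field or token was wrong.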

User Training
Another big problem is training the end user on how to use their certificate.
Training is needed for end users, LRAs, RAs and Help Desk; generally the people who actually run the system know how things work, but using the PKI system interfaces is usually confusing.
Users also need help actually using their certificate within their PKI-enabled applications.

PKI Integration
Clients need to decide what certificates are used for within the organization prior to purchasing services: often they get sold on the idea of PKI without a clear business reason.
Applications must be modified in order to use certificates for signing, encryption, etc. Or, if the PKI system client is used, the client must be embedded into the standard desktop build.

Contact Info
Dan Mellen, Daniel.W.Mellen@accenture.com, 703 947 2226
Jennifer Combs, Jennifer.L.Combs@accenture.com, 703 947 4093
Treb Farrales, Treb.S.Farrales@accenture.com, 703 947 1942