Sentry: A Scalable Solution
Margie Cashwell, Senior Sales Engineer, Sept 2000
Overview
– State of Digital Mobile Telephony
– Examples of Wireless Applications
– PKI Architecture
– Scalability
– Extensibility
– Scalable Solutions
– Sample Architectures
State of Digital Mobile Telephony
– Global System for Mobile Communications (GSM) has over 215 million subscribers
– GSM alone has more subscribers than the Internet has users (210)
– Paradigm shift in mobile telephony: 3G
– Sprint is the 1st cellular provider to offer service in the US
Examples of Wireless Applications
Top three uses of Internet-enabled mobile phones:
– Travel-related uses
– Online banking
Wireless scale = Internet scale x 100 = Enterprise scale x 1,000
PKI Architecture
Requirements:
– Multi-functional
– Extensible
– Support mass-market network devices embedded in: mobile phones, pagers, PDAs, “smart phones”
Extensibility
– Ratio of device size to certificate size
– X.509 certificate format too complex
– Elliptic curve keys in certificates
– WTLS certificate format
– Ability to support new certificate formats
Proven Scalable Solutions
– 8 million certificates on a single server
– Individual and batch certificate issuance and revocation
– Remote publishing of user certificates
– Locating and retrieving user certificates
– Concurrent signing operations
– Concurrent real-time online certificate status checking
Xcert Sample Architecture
Trust Model with External CAs
WebSentry
Sentry Product Suite
Unique ‘rapid deploy’ PKI platform for Internet and e-commerce applications that scales to a million users and manages security for corporations that use the Internet to conduct business.
Sentry Product Suite
– Sentry CA - Issue and manage certificates
– WebSentry - PKI-enable your servers
– Sentry RA - Provide remote enrollment
– Xcert Development Kit - PKI-enable your applications
– Professional Services & Training - Achieving ROI
– Support - Reliable customer service
Xcert PKI Overview
Internet-based, customizable, simple, scalable, lightweight, secure, non-proprietary
PKI enables the application service:
– User authorization
– Non-repudiation of transactions (digital signatures)
– Remote user enrollment, which minimizes enrollment bottlenecks
Industrial-strength CA:
– Issues certificates
– Manages certificates
– Manages Access Control Lists
– Supports PKI-enabled applications
Sentry CA Specifications
Platforms
– NT & Solaris
Certificates & CRLs
– X.509 v3 (all standard extensions)
Application Support
– Web
– VPN
– ERP
– SSO
– Document security
Directories
– LDAP, X.500
Protocols
– HTTP, SSL, LDAP, SMTP, PKCS
Crypto
– DSA, RSA, ECC
Crypto Hardware
– All PKCS #11
High Assurance
– FIPS 140 level 3 hardware
– Real-time revocation
Sentry CA Architecture
Basic Components:
– Directory Server
– Signing Engine
– Administration Server
– Enrollment Server
– Logging Server
Sentry CA Architecture
Add-on Components:
– Publishing Backend
– Alternate SQL data stores
Sentry CA Features: Certificate lifecycle management
Enrollment
– Interfaces
Vetting
– Notification
– Examination
– Auto vetting
Extensions
– Profiles
Storage
– Interfaces
Suspension & revocation
– Status checking
Renewal
Sentry CA Features: CA lifecycle management
Creating CAs
Managing CAs
– User maintenance
CA security & practices
Exporting CAs
Importing CAs
Cloning
Subordination
CRLs
External CAs
External CAs
Sentry CA Features: System administration
– Work benches
– ACL management: admin, vetters, end users
– Logging
– Backing up
– Upgrading
Extending the back-end
– Publishing
– Data stores
Sentry RA
Industrial-strength enrollment solution
– Accepts certificate requests
– Verifies credentials
– Supports the CA signing process
– Revokes certificates
Streamlined configuration
– Auto notification
– Auto enrollment
– Auto renewal
– Application-specific profiles
Distributed component / stand-alone server
– Offloads enrollment bottlenecks from the CA
– Flexible scalability
Sentry RA
WebSentry
High-assurance PKI for web servers
– Plugs into standard web servers
– User authorization
– Controls access to web pages
– Queries Sentry CA certificate status
– ACL rules
– Zero-tolerance security
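The access decision the WebSentry slide outlines (trusted issuer and validity checked, certificate status queried from the CA in real time, then ACL rules applied) as an added, constructed Python example; it is illustrative code written for this page, not Xcert's product code. The Cert and AclRule classes, the STATUS_DB table, the path-prefix rule format and the "Sentry CA (demo)" name are assumptions, and "zero tolerance" is read here as fail-closed: any check that cannot be completed denies access.

```python
from dataclasses import dataclass
from datetime import datetime
# Constructed stand-ins for an end-entity certificate and an ACL rule (hypothetical).
@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str          # name of the issuing CA
    subject: dict        # e.g. {"CN": "alice", "OU": "finance"}
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class AclRule:
    path_prefix: str     # protected URL prefix
    attr: str            # subject attribute the rule tests
    allowed: frozenset   # accepted values for that attribute

# Constructed status table standing in for the CA's real-time status query.
STATUS_DB = {1001: "good", 1002: "revoked", 1003: "suspended"}

def query_status(serial):
    return STATUS_DB.get(serial, "unknown")  # never-issued serial -> unknown

def authorize(cert, path, now, rules, trusted_issuer, status_query=query_status):
    """Fail-closed decision: every check must pass; any failure or error denies."""
    if cert.issuer != trusted_issuer:
        return False, "untrusted issuer"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity period"
    try:
        status = status_query(cert.serial)
    except Exception:
        return False, "status query failed"  # no answer is treated as no access
    if status != "good":
        return False, f"certificate status {status}"
    matching = [r for r in rules if path.startswith(r.path_prefix)]
    if not matching:
        return False, "no ACL rule covers path"
    rule = max(matching, key=lambda r: len(r.path_prefix))  # most specific wins
    if cert.subject.get(rule.attr) not in rule.allowed:
        return False, f"ACL rule for {rule.path_prefix} not satisfied"
    return True, "allowed"

# Constructed sample data so the block runs stand-alone.
CA, NOW = "Sentry CA (demo)", datetime(2000, 9, 15)
RULES = [AclRule("/", "OU", frozenset({"finance", "hr"})),
         AclRule("/payroll", "OU", frozenset({"finance"}))]
def demo_cert(serial, ou, issuer=CA):
    return Cert(serial, issuer, {"CN": f"user{serial}", "OU": ou},
                datetime(2000, 1, 1), datetime(2001, 1, 1))
```

A suspended or revoked certificate, an unknown serial, and an unreachable status service all produce a denial, so an outage of the status check cannot silently turn into open access.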
Wrap Up
– Wireless devices will be a large part of the future.
– The best way to bring these devices into the network in a secure fashion is with certificates.
– We expect to see significant PKI and WAP development over the next 18 months.