1.  1997 Entrust Technologies Orchestrating Enterprise Security Entrust Public Key Infrastructure Erik Schetina Chief Technology Officer IFsec, LLC eriks@ifsec.com www.ifsec.com

2.  1997 Entrust Technologies Agenda F Introduction to Entrust F What is a PKI F Entrust Product Line F Piloting and Rolling out a PKI F Questions

3. Certification Authority Certificate Repository Certificate Revocation Key Backup & Recovery Support for non-repudiation Automatic Key Update Key Histories Cross-certification What is a PKI? Timestamping

4.  1997 Entrust Technologies p. 4 PKI Requirements F Certification Authority F Certificate repository F Revocation system F Key backup and recovery system F Support for non-repudiation F Automatic key update F Management of key histories F Cross-certification F Timestamping services F Client-side software

5.  1997 Entrust Technologies PKI with Entrust F Consistent security and trust F Single password and keys secure all applications F Automated key management Key backup/recovery Certificate issuance, storage and revocation Key distribution, rollover and expiry F Low administrative cost/burden

6.  1997 Entrust Technologies PKI without Entrust F Inconsistent security and trust Fragmented or non-existent policies and key management functions F Security “silos” Each application performs its own security Multiple key pairs and certificates Multiple passwords Costly, burdensome administration

7.  1997 Entrust Technologies p. 7 Entrust Components F Certificate Authority F Directory F Client Software (Certificate Store) E-Mail Web VPN Any Entrust-Ready Application F Applications

8.  1997 Entrust Technologies p. 8 What is Key Management? F Issues: generating keys keeping backup keys dealing with compromised keys changing keys restoring keys F Key and certificate management is difficult

9.  1997 Entrust Technologies p. 9 Why is Key Management Important? F User Enrollment F Key Renewal F Restoration of Lost Keys F Automated functionality

10.  1997 Entrust Technologies p. 10 Certificate-Issuing Services (CA) F What they provide:  Issue certificates for a fee (per cert/per year) F What you don’t get:  Little control over certificate issuance policies  No key recovery (forgotten password = lost data)  No key history (what happens when certificates expire?)  Liability issues  No control over trust model and root keys  No automatic and transparent certificate revocation checking  No client capabilities

11. Entrust Architecture Security Officers Entrust Administrators Directory Administrators Entrust-Ready  applications and Entrust/Engine desktop crypto software Entrust Users Entrust/Manager Entrust/Admin …… …… Directory

12.  1997 Entrust Technologies The Directory F Stores certificates, CRLs, cross- certificates,... F Interoperates with numerous LDAP- compliant directories ICL, Control Data, Digital, Netscape, Unisys,... supports Directory distribution F Supports redundancy

13.  1997 Entrust Technologies p. 13 Entrust Products F Entrust/Entelligence Stores and Manages Certificates F Entrust/Express - Email plug-in F Entrust/Direct - Web, Extranet F Entrust/Unity - SSL & S/MIME F Entrust/Access - VPN F Entrust/Toolkit - Enable applications F Entrust/TimeStamp

14.  1997 Entrust Technologies Entelligence on the Desktop F Tight integration into Entrust-Ready applications F Secure key storage options smart cards, PC cards, biometric devices, and secure software profiles F Secure single log on F Consistent, trustworthy key lifecycle management across applications minimizes administrative costs

15. ‘Entrust-Ready’ Desktop Architecture to Entrust/Manager and Directory Entrust User... “Entrust-Ready” applications Entrust/Engine Communications Services Tokens... Security Kernel User profile Personal address book PKCS #11

16.  1997 Entrust Technologies p. 16

17. Secure e-mail made easy

18. What is Entrust/Express? F Secure e-mail plug-in for users of Microsoft Exchange and Microsoft Outlook F Encrypt and/or digitally sign message text and attachments F Provides message confidentiality and integrity F For Windows 95 and Windows-NT 4.0

19.  1997 Entrust Technologies Orchestrating Enterprise Security Secure VPNs/Remote Access Entrust/Access

20.  1997 Entrust Technologies Virtual Private Networks F What is a VPN? A private and secure network carved out of a public or insecure network F Relevant Standards IPSec - interoperable packet-layer encryption ISAKMP Oakley - users are authenticated with digital signatures and X.509 certificates

21.  1997 Entrust Technologies VPN Partners F Remote Access, Firewall, VPN Gateways u Milkyway -SecurIT u Raptor - EagleMobile Pro u Timestep- PERMIT Product Suite u Stac - ReachOut u Sagus - Defensor u KyberPASS u Check Point - FireWall-1

22.  1997 Entrust Technologies Secure Remote Access F provides significant cost savings over dial-up (phone lines, maintenance, ID cards) F scalable - able to grow as the demand for remote access increases. Internet VPN Gateway Entrust Manager Human Resources Server Finance Server Mobile User

23.  1997 Entrust Technologies Orchestrating Enterprise Security Secure Extranet Applications TM

24.  1997 Entrust Technologies Intra/Extra Net Solution Target Solution Provides Entrust Enterprise Solution PKI capabilities to off- the-shelf Web browsers and servers Thin client software on user desktop Extranet applications Internet, Intranet, or Extranet Web Browser

25. Security you set and forget

26. F Desktop/laptop encryption software F Easy-to-use F Works with any desktop application F Automatic encryption F Security on-line or off-line F Windows 95 and Windows-NT 4.0 Entrust/ICE Orchestrating Enterprise Security  1997 Entrust Technologies p. 26

27. Entrust-Ready Applications F Web Browser F Email F Workgroup F Smart Cards and Biometrics F VPN F Forms F Human Resources

28.  1997 Entrust Technologies p. 28 Deploying a PKI F Begin with a pilot Pick a single application Evaluate the technology Prove the utility F Currently piloting Entrust CA, X.500, Secure E-Mail Lotus Notes Short time to deploy (weeks)

29.  1997 Entrust Technologies p. 29 Deploying a PKI (cont.) F Rolling out an Operational PKI Planning and Goals Acceptable Usage (CPS) Disaster Recovery Applications  Access to records  E-commerce with State contractors  Remote access to internal resources

30.  1997 Entrust Technologies p. 30 Summary F Automates user administration F Integration across many applications (single sign-on) F Enables trustworthy business over the web F Growing collection of Entrust-enabled applications