Entrust Public Key Infrastructure. Erik Schetina, Chief Technology Officer, IFsec, LLC. eriks@ifsec.com, www.ifsec.com. Orchestrating Enterprise Security
Agenda • Introduction to Entrust • What is a PKI • Entrust Product Line • Piloting and Rolling out a PKI • Questions
What is a PKI? (diagram of components) • Certification Authority • Cross-certification • Key Histories • Key Backup & Recovery • Support for non-repudiation • Certificate Repository • Certificate Revocation • Automatic Key Update • Timestamping
PKI Requirements • Certification Authority • Certificate repository • Revocation system • Key backup and recovery system • Support for non-repudiation • Automatic key update • Management of key histories • Cross-certification • Timestamping services • Client-side software
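Added example, not Entrust code: how client-side software can use the certificate repository and revocation system listed above before trusting a certificate. It checks the validity window, then consults a CRL, and fails closed when the CRL itself is stale instead of silently skipping the revocation check. The repository, CRL, serials, names and dates are constructed for illustration; the function names are my own.

```python
"""Validity-window and CRL check against a toy certificate repository.

Added example, not Entrust code.  REPOSITORY and CRL are constructed
dicts standing in for X.509 fields; every serial, name and date is
made up for illustration.
"""
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed certificate repository: serial -> certificate record.
REPOSITORY = {
    "1001": {"subject": "alice@example.test", "issuer": "Example Root CA",
             "not_before": datetime(2024, 1, 1, tzinfo=UTC),
             "not_after": datetime(2025, 1, 1, tzinfo=UTC)},
    "1002": {"subject": "bob@example.test", "issuer": "Example Root CA",
             "not_before": datetime(2024, 1, 1, tzinfo=UTC),
             "not_after": datetime(2025, 1, 1, tzinfo=UTC)},
    "1003": {"subject": "carol@example.test", "issuer": "Example Root CA",
             "not_before": datetime(2023, 1, 1, tzinfo=UTC),
             "not_after": datetime(2024, 1, 1, tzinfo=UTC)},
}

# Constructed CRL: the CA's list of revoked serials plus its own freshness
# window.  In a real PKI the client fetches this from the directory and
# verifies the CA's signature on it before relying on it.
CRL = {
    "issuer": "Example Root CA",
    "this_update": datetime(2024, 5, 1, tzinfo=UTC),
    "next_update": datetime(2024, 7, 1, tzinfo=UTC),
    "revoked": {"1002": {"date": datetime(2024, 5, 15, tzinfo=UTC),
                         "reason": "keyCompromise"}},
}

# Two constructed evaluation times: inside and after the CRL's window.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=UTC)
STALE_NOW = datetime(2024, 8, 1, tzinfo=UTC)


def crl_is_fresh(crl: dict, now: datetime) -> bool:
    """A CRL is only usable inside its own this_update/next_update window."""
    return crl["this_update"] <= now < crl["next_update"]


def check_certificate(serial: str, repository: dict, crl: dict,
                      now: datetime) -> tuple[bool, str]:
    """Return (usable, reason) for the certificate with this serial.

    Order matters: an expired certificate is rejected before the CRL is
    consulted (a CRL need not list expired certificates), and a stale CRL
    causes a fail-closed rejection rather than a skipped revocation check.
    """
    cert = repository.get(serial)
    if cert is None:
        return False, "unknown serial"
    if now < cert["not_before"]:
        return False, "not yet valid"
    if now > cert["not_after"]:
        return False, "expired"
    if crl["issuer"] != cert["issuer"]:
        return False, "CRL issuer does not match certificate issuer"
    if not crl_is_fresh(crl, now):
        return False, "stale CRL: refuse rather than skip revocation check"
    entry = crl["revoked"].get(serial)
    if entry is not None:
        return False, f"revoked ({entry['reason']})"
    return True, "valid"


if __name__ == "__main__":
    for serial in ("1001", "1002", "1003", "9999"):
        print(serial, check_certificate(serial, REPOSITORY, CRL, SAMPLE_NOW))
    print("1001 with stale CRL:",
          check_certificate("1001", REPOSITORY, CRL, STALE_NOW))
```

The "automatic and transparent" revocation checking the deck asks for is this function run on every certificate use, with the CRL refreshed before its next_update passes; the stale-CRL branch is what keeps a missed refresh from turning into an unchecked trust decision.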
PKI with Entrust • Consistent security and trust • Single password and keys secure all applications • Automated key management • Key backup/recovery • Certificate issuance, storage and revocation • Key distribution, rollover and expiry • Low administrative cost/burden
PKI without Entrust • Inconsistent security and trust • Fragmented or non-existent policies and key management functions • Security “silos” • Each application performs its own security • Multiple key pairs and certificates • Multiple passwords • Costly, burdensome administration
Entrust Components • Certificate Authority • Directory • Client Software (Certificate Store) • E-Mail • Web • VPN • Any Entrust-Ready Application • Applications
What is Key Management? • Issues: • generating keys • keeping backup keys • dealing with compromised keys • changing keys • restoring keys • Key and certificate management is difficult
Why is Key Management Important? • User Enrollment • Key Renewal • Restoration of Lost Keys • Automated functionality
Certificate-Issuing Services (CA) • What they provide: • Issue certificates for a fee (per cert/per year) • What you don’t get: • Little control over certificate issuance policies • No key recovery (forgotten password = lost data) • No key history (what happens when certificates expire?) • Liability issues • No control over trust model and root keys • No automatic and transparent certificate revocation checking • No client capabilities
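Added example, not Entrust code, illustrating the "no key recovery (forgotten password = lost data)" and "no key history" points above and the key backup/recovery and automatic key update features on the earlier slides. A user profile keeps the history of its decryption keys while the CA escrows each key generation; with history disabled, data encrypted under an old key becomes unreadable after a key update, and only the CA's backup brings it back. The cipher is a toy HMAC-SHA256 keystream so the example runs on the standard library alone; UserProfile, KeyBackup, lifecycle_demo and the user name are invented for this illustration.

```python
"""Key history and key backup/recovery for encrypted stored data.

Added example, not Entrust code.  The cipher is a toy keystream built from
HMAC-SHA256 in counter mode so only the standard library is needed; the
lesson is in the key lifecycle, not the cipher.  All names are invented.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-in-counter-mode keystream standing in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class StoredObject:
    key_id: int        # generation of the key that encrypted this object
    nonce: bytes
    ciphertext: bytes


class UserProfile:
    """Client-side profile: the current encryption key plus, optionally,
    the history of every earlier decryption key."""

    def __init__(self, keep_history: bool = True):
        self.keep_history = keep_history
        self.keys: dict[int, bytes] = {}   # key_id -> key
        self.current = 0

    def rotate(self, new_key: bytes) -> None:
        """Automatic key update: new data goes under the new key.
        Without key history the old decryption keys are discarded here."""
        self.current += 1
        if not self.keep_history:
            self.keys.clear()
        self.keys[self.current] = new_key

    def encrypt(self, plaintext: bytes) -> StoredObject:
        nonce = secrets.token_bytes(12)
        stream = keystream(self.keys[self.current], nonce, len(plaintext))
        return StoredObject(self.current, nonce, xor_bytes(plaintext, stream))

    def decrypt(self, obj: StoredObject) -> bytes:
        key = self.keys.get(obj.key_id)
        if key is None:
            raise KeyError(f"no key for generation {obj.key_id}: data unrecoverable")
        return xor_bytes(obj.ciphertext, keystream(key, obj.nonce, len(obj.ciphertext)))


class KeyBackup:
    """CA-side escrow of every generation of a user's decryption key."""

    def __init__(self):
        self.store: dict[tuple, bytes] = {}   # (user, key_id) -> key

    def backup(self, user: str, key_id: int, key: bytes) -> None:
        self.store[(user, key_id)] = key

    def recover(self, user: str) -> dict:
        """Rebuild the full key history for a user who lost their profile."""
        return {kid: k for (u, kid), k in self.store.items() if u == user}


def lifecycle_demo(keep_history: bool) -> dict:
    """Encrypt under generation 1, update to generation 2, then read the old
    object (a) from the live profile and (b) from a profile rebuilt out of
    the CA backup after the user 'forgot their password'."""
    secret = b"quarterly report"
    backup, profile = KeyBackup(), UserProfile(keep_history)

    k1 = secrets.token_bytes(32)            # enrolment: generation 1
    profile.rotate(k1)
    backup.backup("alice", 1, k1)
    obj = profile.encrypt(secret)

    k2 = secrets.token_bytes(32)            # automatic key update: generation 2
    profile.rotate(k2)
    backup.backup("alice", 2, k2)

    try:
        live_ok = profile.decrypt(obj) == secret
    except KeyError:
        live_ok = False

    recovered = UserProfile(keep_history=True)   # fresh profile from escrow
    recovered.keys = backup.recover("alice")
    recovered.current = max(recovered.keys)
    return {"old_data_readable_after_update": live_ok,
            "old_data_readable_after_recovery": recovered.decrypt(obj) == secret}


if __name__ == "__main__":
    print("with key history:   ", lifecycle_demo(True))
    print("without key history:", lifecycle_demo(False))
```

Running lifecycle_demo(False) is the "certificate-issuing service only" situation the slide describes: the key update succeeds, but the data written before it can no longer be read from the desktop, and only because the CA escrowed every generation does recovery succeed at all.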
Entrust Architecture (diagram) • Roles: Security Officers, Entrust Administrators, Directory Administrators • Components: Entrust/Admin, Directory, Entrust/Manager • Entrust Users with Entrust-Ready™ applications and Entrust/Engine desktop crypto software
The Directory • Stores certificates, CRLs, cross-certificates, ... • Interoperates with numerous LDAP-compliant directories • ICL, Control Data, Digital, Netscape, Unisys, ... • supports Directory distribution • Supports redundancy
Entrust Products • Entrust/Entelligence • Stores and Manages Certificates • Entrust/Express - Email plug-in • Entrust/Direct - Web, Extranet • Entrust/Unity - SSL & S/MIME • Entrust/Access - VPN • Entrust/Toolkit - Enable applications • Entrust/TimeStamp
Entelligence on the Desktop • Tight integration into Entrust-Ready applications • Secure key storage options • smart cards, PC cards, biometric devices, and secure software profiles • Secure single log on • Consistent, trustworthy key lifecycle management across applications • minimizes administrative costs
‘Entrust-Ready’ Desktop Architecture (diagram) • Entrust User • User profile • Personal address book • “Entrust-Ready” applications • Entrust/Engine: Security Kernel, Communications Services • PKCS #11 tokens • Connections to Entrust/Manager and Directory
What is Entrust/Express? • Secure e-mail plug-in for users of Microsoft Exchange and Microsoft Outlook • Encrypt and/or digitally sign message text and attachments • Provides message confidentiality and integrity • For Windows 95 and Windows NT 4.0
Secure VPNs/Remote Access: Entrust/Access
Virtual Private Networks • What is a VPN? • A private and secure network carved out of a public or insecure network • Relevant Standards • IPSec - interoperable packet-layer encryption • ISAKMP/Oakley - users are authenticated with digital signatures and X.509 certificates
VPN Partners • Remote Access, Firewall, VPN Gateways • Milkyway - SecurIT • Raptor - EagleMobile Pro • TimeStep - PERMIT Product Suite • Stac - ReachOut • Sagus - Defensor • KyberPASS • Check Point - FireWall-1
Secure Remote Access • Provides significant cost savings over dial-up (phone lines, maintenance, ID cards) • Scalable: able to grow as the demand for remote access increases (diagram: Mobile User, Internet, VPN Gateway, Entrust Manager, Human Resources Server, Finance Server)
Secure Extranet Applications
Intra/Extranet Solution (diagram: Web Browser; Internet, Intranet, or Extranet; Target Solution) • Provides Entrust Enterprise Solution PKI capabilities to off-the-shelf Web browsers and servers • Thin client software on user desktop • Extranet applications
Entrust/ICE • Desktop/laptop encryption software • Easy-to-use • Works with any desktop application • Automatic encryption • Security on-line or off-line • Windows 95 and Windows NT 4.0 ©1997 Entrust Technologies
Entrust-Ready Applications • Web Browser • Email • Workgroup • Smart Cards and Biometrics • VPN • Forms • Human Resources
Deploying a PKI • Begin with a pilot • Pick a single application • Evaluate the technology • Prove the utility • Currently piloting Entrust • CA, X.500, Secure E-Mail • Lotus Notes • Short time to deploy (weeks)
Deploying a PKI (cont.) • Rolling out an Operational PKI • Planning and Goals • Acceptable Usage (CPS) • Disaster Recovery • Applications • Access to records • E-commerce with State contractors • Remote access to internal resources
Summary • Automates user administration • Integration across many applications (single sign-on) • Enables trustworthy business over the web • Growing collection of Entrust-enabled applications