1 / 30

SPOCK Demonstration of Entrust PKI

SPOCK Demonstration of Entrust PKI. NSA. NAVY. ARMY. SPOCK. AIR FORCE. IRS. AGENDA. What’s the SPOCK Program Past Accomplishments Who’s in SPOCK What does the SPOCK team do Demonstration Process SPOCK PKI Architecture PKI Claims and Results Lessons Learned

libra
Download Presentation

SPOCK Demonstration of Entrust PKI

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SPOCK Demonstration of Entrust PKI NSA NAVY ARMY SPOCK AIR FORCE IRS

  2. AGENDA • What’s the SPOCK Program • Past Accomplishments • Who’s in SPOCK • What does the SPOCK team do • Demonstration Process • SPOCK PKI Architecture • PKI Claims and Results • Lessons Learned • Return on Investment • Summary

  3. What’s SPOCK ? “A Consortium of Product Developers and Government System Integrators interested in exploring INFOSEC commercial solutions and Enabling Technologies”

  4. PAST ACCOMPLISHMENTS 1995-1998 • 32 Consortium Meetings - Over 1500 Attendees • 96 Emerging Topic Areas Briefed • 8 Diverse Solutions Demonstrated • Established Zones of Cooperation • Over 40 Government System Integration Communities • Over 100 Solution Developers • Input for the President’s Quality Award • Nominated for SECDEF’s Team Excellence Award

  5. Who’s in SPOCK • Army - BCBL-G, LIWA, DISC4 • Navy - SPAWAR, NAVSEA, NIA • FIWC, NIWA, NRL • Air Force - AFIWC, 609 IWS, AFOSI • CPSG • Joint - J6, DISA • Non DoD - NASA, DoJ • NSA - V, Y, X, C

  6. What’s the SPOCK Team do ? • Attend monthly briefings on Warfighter • Architectures and Solutions • Demonstrate Security Claims in • Warfighter Architectures • Write SPOCK Demonstration Reports • Develop Draft Security Targets and • Protection Profiles

  7. DEMONSTRATION PROCESS 1. Solution/Developer Identified. 2. Developer briefs the Solution during meeting. 3. Developer presents Security Claims, Architecture, and Equipment Requirements. 4. SPOCK prepares Scripts to demonstrate Claims. 5. SPOCK demonstrates Security Claims in Government Architectures. 6. SPOCK writes the Demonstration Report, signed by Chief, NSA V2.

  8. ENTRUST CA ARCHITECTURE Directory Users Entrust/Admin Entrust/Authority CERTIFICATE AUTHORITY Other CAs

  9. SPOCK PKI COMPONENTS Entrust/Manager & Entrust/Admin CA iCL i500, X.500 Directory Directory User User Entrust/Clients

  10. ou=ITRLab ou=NSA SPOCK PKI Directory Schema c=US • Each Site Contains iCL’s i500, X.500 • Directory • Each Site Contains 3,000 User Entries • Each Site “chained” to all of the others • to browse and retrieve certificates o=US Gov o=IITRI cn=user1 cn=user2 cn=user3 cn=user4 cn=webserver ou=Army ou=Navy ou=Air Force cn=user1 cn=user2 cn=user3 cn=user4 cn=user1 cn=user2 cn=user3 cn=user4 cn=user1 cn=user2 cn=user3 cn=user4 cn=user1 cn=user2 cn=user3 cn=user4 KEY c=country o=organization ou=organizational unit cn=common name

  11. SPOCK PKI ARCHITECTURE NSA DECIN Lab - Linthicum, MD CA1 Directory User User Air Force CPSG - San Antonio, TX Army - DISC4 J.G. Van Dyke - Alexandria, VA CA2 CA5 Cross-certified Directory Directory User User User User Navy - NIWA COACT - Columbia, MD IRS IITRI - Lanham, MD CA4 CA3 Certificate Authority (Entrust/Manger) CA X.500 Directory (Entrust/Directory) Directory Directory User User User User LDAP Connectivity

  12. DECIN Lab ARCHITECTURE

  13. ENTRUST PKI CLAIMS 1.6 Support Cross-certification 1.7 Entrust Scalability 1.8 Hardware Tokens Option 1.9 Support Multiple Algorithms 1.10 Support Multiple Applications 1.1 Key Management Transparency 1.2 Secure Key Recovery 1.3 Auto Key Update 1.4 Client Key Initialization 1.5 Certificate Revocation

  14. Users should be able to use security product without understanding cryptography or key management Claim: Method: Result: Key Management Transparency E-Mail - Signed and Encrypted E/Express Desktop File Encryption E/ICE 1. Claim verified. The management of keys is transparent to users. 2. Searching the Directory, is NOT transparent.

  15. Claim: Method: Result: Secure Backup & Key Recovery Entrust provides the ability to recover keys in cases where a valid user has forgotten their password or an employee has left the company There are three general cases for “key recovery”. Send Authentication Code, Reference Number “out of band” to authorized individual. 1. Claim verified. Recovered files and email. 2. Entrust Key Recovery solution is best suited for Authorized user that has forgotten their password.

  16. Claim: Method: Result: Automatic Key Update Certificates are updated without user involvement. Set Encryption and Verification period to 2 months Set Signing Private to 10 percent. 1. Claim verified. User informed by message box. 2. If renewal period is missed, key recovery is required.

  17. Claim: Method: Result: Client Key Initialization Clients are initialized using a secure “pipe”. Clients can be set up remotely over a network. Run installation program over the network. Requires: Authentication Code, Reference Number and access to install program and entrust.ini file. SEP was not verified. Claim verified. Remote install in 20 minutes.

  18. Claim: Method: Result: Certificate Revocation Entrust provides the ability to revoke certificates. Revoke user. Attempt to send and receive email. Attempt to access web server. Attempt to use ICE. 1. Claim verified after modifications. 2. Express does not verify certificate prior to sending.

  19. Claim: Method: Result: Support Cross-Certification Certificate Authorities are able to cross-certify. Establish Search base by “chaining” directories Use Entrust Managers to Cross Certify Send encrypted mail/files to another domain. 1. Claim verified. 2. Problems searching the Directory

  20. Claim: Method: Result: Scalability Quickly add 3,000 users within each domain. “Bulk Load” using a disk loaded with 3,000 names and serial numbers. Real users were loaded individually. Claim verified.

  21. Claim: Method: Result: Hardware Tokens Biometrics Support Tokens for storing profiles and Biometrics for authentication of users. Use DateKey smart card to store user’s profile. Use Biometrics device instead of a password to authenticate users Hardware Token claim verified. Biometrics device vendor could not provide correct drivers.

  22. Claim: Method: Result: Multiple Algorithms Entrust supports multiple algorithms for hashing encryption and digital signature. Use Entrust Manager to select hashing and digital signature algorithms. Use Entrust Client and Applications to select different encryption algorithms. Send email and files to other users. 1. Claim verified within the abilities of the SPOCK Team.

  23. Claim: Method: Result: Single Password Many Applications Entrust uses the single password for a user’s certificate to logon to secure applications. Start Client, enter password. Start ICE, enter same password. Start Express, enter same password. Start Entrust-Ready Netscape, enter same password. Claim verified. Automatic logoff time is set for each application.

  24. LESSONS LEARNED • The significance of the X.500 Directory. • “Open” Security Policy. • Key Recovery. • Significant Firewall configuration issues.

  25. RETURN ON INVESTMENT • SYSTEM INTEGRATOR • Quick look at emerging technology • Solution strengths and weaknesses are demonstrated • in THEIR warfighter configurations • GOVERNMENT • Learn about and influence emerging solutions • Insight into future architectures (requirements) • INDUSTRY • Better understands Warfighter’s needs • Rapid exposure of solution in Warfighter Architecture

  26. SUMMARY • SPOCK focuses on commercial INFOSEC • solutions and emerging technologies • SPOCK demonstrates security in legacy and • contemporary architectures • SPOCK “teams” to demonstrate security in • operational architectures • SPOCK supports development of Protection • Profiles and Security Targets

  27. QUESTIONS & COMMENTS

  28. SPOCK CONTACTS • SPOCK Chairman • Louis Giles, Chief V2 • (410) 859-6281 • SPOCK Program Manager • Terry Losonsky terryus@aol.com • (410) 859-6318 FAX: (410) 859-6897 • SPOCK Deputy Program Manager • MAJ Michael Davis mdavis@gibraltar.ncsc.mil • (410) 859-6318 FAX: (410) 859-6897 • http://spock.v.nsa:12080/ • SPOCK Contract Support • Larry McGinness spock@coact.com • (301) 498-0150 FAX: (301) 498-0855 • www.coact.com/spock.html

  29. SECURE E-MAIL Directory Mail Server CA Directory Entrust CA Mail Server OS Client E-mail Entrust Remote Sites Internet OS Directory Mail Server CA Encrypt/Decrypt Sign/Verify Signature Client E-mail Entrust OS Client E-mail Entrust

  30. SECURE WEB BROWZER Directory Web Server CA Directory Entrust CA Web Server OS Client Browser Entrust Internet Remote Sites OS Directory Web Server CA Encrypt/Decrypt Sign/Verify Signature Client Browser Entrust OS Client Browser Entrust

More Related