Why use PKI? Effective security has become crucial to extend electronic communication and business processes beyond the current state of the art. Legislative mandates.
Direct Trust Infrastructure : The Technical Details Presented by: Scott Rea 02/23/2012DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.
ContentsSlide Title 3 Direct Trust Framework 4 Public Key Infrastructure (PKI) 7 Public & Private Keys 9 Digital Certificates 10 Encryption 11 Digital Signatures 12 Authentication 13 Certification Authority 14 Registration Authority 15 Issuance Process 16 CA – RA Relationship 17 Transactions
Direct Trust Framework• The Direct Trust Framework is built on a set of standards that combines technology with policies on how and when the technology is utilized/applied, who the participants are, and what their roles and responsibilities are in the system• Technology by itself is not sufficient to solve “Trust” issues• The technology utilized in this case is Public Key Infrastructure (PKI)
What is PKI?• Public Key Infrastructure• Comprehensive security technology and policies using cryptography and standards to enable users to: – Identify (authenticate) themselves to network services, access policies, and each other to prove source of origin and destination. – Digitally sign electronic documents, email and other data to provide authorization and prove integrity. – Encrypt email, data, and other documents to prevent unauthorized access.
Why PKI?• Uniform way to address securing many different types of applications• Enables reliable authentication, digital signing and encryption• Overcomes many weaknesses of using password based protocols on open networks• Facilitates easy setup of shared secrets between previously unknown parties• Strong and proven underlying security technology• Widely included in technology products
Underlying Key Technology• A pair of asymmetric keys is used, one to encrypt, the other to decrypt.• Each key can only decrypt data encrypted with the other. • Invented in 1976 by Whit Diffie and Martin Hellman • Commercialized by RSA Security • Recently other more efficient schemes emerging e.g. ECC Encrypt (anyone with public key) Plain Text Encrypted Text Decrypt (possessor of private key only)
Public and Private Keys• PKI is based on the use of a pair of related numbers called “keys”• They are generated in such a way that knowing one, does not give you any knowledge of the other, but using one requires the other to complete a transaction• The "public" key is placed into a certificate which published far and wide for all to use.• The "private" key is only used by its owner and MUST be kept a secret.• No need to exchange a secret "key" ahead of time by some other channel.
Applications of PKI• Authentication and Authorization of end points in an internet transaction – e.g. users and servers, server to server, user to user – This is the basis for the SSL protocol used to secure web connections using https.• Secure Messaging – e-mail (signed and encrypted) – Secure instant messaging• Electronic signatures – Documents, data, agreements – Prescriptions, Insurance authorizations, case notes• Data encryption – Medical records, Diagnostic datasets, Business documents, Financial data, databases, executable code• Network data protection (VPN, wireless)
What is a certificate?• Signed data structure (x.509 standard) binds some information to a public key.• Trusted entity, called a Certification Authority (CA) asserts validity of information in the certificate, enforces policies for issuing certificates.• Certificate information is usually a personal identity, a server name, or a service identifier, with authorizations for how the keys should be used.• Think of a certificate with its keys as an electronic: – ID card, – encoder/decoder device, and – official seal or notary-style stamp.
Encryption• Asymmetric encryption prevents need for shared secrets.• Anyone encrypts with public key of recipient.• Requires some mechanism for discovering intended recipient’s public key• Only the recipient can decrypt with their private key.• Private key is secret, so “bad guys” can’t read encrypted data. Encrypt (anyone with public key) Plain Text Encrypted Text Decrypt (possessor of private key only)
Digital Signatures• Compute message digest, encrypt with your private key.• Reader decrypts with your public key.• Re-compute the digest and verify match with original – guarantees no one has modified signed data.• Only signer has private key, so no one else can spoof their digital signature. Compute digest, sign & date, encrypt (possessor of private key only) Plain Text Encrypted Text Verify signature, check digest (anyone with public key)
Authentication• A CA - Certification Authority, signs a certificate attesting that the public key belongs to the entity named in the certificate• Certificate Policy indicates what steps are taken to verify identity and how the CA systems operate to ensure security and integrity• CA is a Trusted Third Party providing a seal of authenticity• Use of certificate provides reliability and non-repudiation in the identity of the source or destination of a transaction public p u bl ic
What is a certificate authority?• An organization that creates, publishes, and revokes certificates.• Verifies the information in the certificate.• Protects general security and policies of the system and its records.• Allows you to check certificates so you can decide whether to use them in business transactions.• Has one or more trusted Roots, called a trust anchor embedded in applications
What is a Registration Authority?• An organization that collects and verifies the identity information that will be used in a certificate based on published standards.• Represents a Certification Authority for any face- to-face validation of identity• Must be authorized by the relevant Certification Authority for this purpose – Audit of processes required – Archival of evidence data required
Issuance Process Certificate Authority (CA) Identity/Trust Certificate Verification Validation Service Certificate Signing Revocation Services Services The CA and RA enforce 6. Certificate Signing 7. Direct Organization Request Certificate the policies specified in the DirectTrust.org and FBCA 2. Request Direct Certificate Policies (CPs). Organization Assume hasDigital Identity Certificate Registration Authority (RA) Certificate 3. Credentials and Documentation Compile/Validate Identity and Trust HCO Documentation Representative Representative FBCA Credentials Representative Healthcare AuthorizationOrganization (HCO) Legal Entity 4. Direct 8. Direct Organization Documents Organization 5. Public Domain Key Certificate Membership/Trust Agreement HIPAA status Domain Name System (DNS) 1. Enroll with HISP 9. Direct Address/ Org Certificate Health Information Service Provider (HISP) LDAP Name System Source: DirectTrust.org February, 2012
CA – RA Relationship DirectTrust.org FBCA Certificate Policy Certificate PolicyCertificate Authority (CA) Audit Identity/Trust Certificate Verification Validation Service Certification Practices StatementCertificate Signing Revocation Services Services Audit Registration Practices Audit Statement RA Agreement Registration Authority (RA) Compile/Validate Identity and Trust Documentation Source: DirectTrust.org February, 2012
TransactionsCertificates vetted to FBCA HIPAA Covered Entity Medium LoA standard Assertion governed byensures strongest binding DirectTrust CP between PKI keys and identity listed in the cert PKI Encryption ensures confidentiality in messages PKI Digital Signatures ensures integrity and reliability of messages PKI Authentication provides authenticity and trust of message reaching intended recipients
Questions?• Scott Rea, CISSP VP GOV/EDU Relations and Sr. PKI Architect DigiCert, Inc. Lindon UT 84042• Scott@DigiCert.com• (801) 701-9636• http://www.digicert.com/news/bios-scott-rea.htm• http://www.directtrust.wikispaces.com• http://www.DigiCert.com/