FIST Conference September/Madrid 2005     PKI Interoperability            Raúl Guerra Jiménez
  1. FIST Conference, September 2005, Madrid. PKI Interoperability. Raúl Guerra Jiménez.
  2. About the Author. Raúl Guerra Jiménez, CISSP, CISA. Technical consultant, Grupo SIA 1989. www.siainternational.com
  3. Index: Cryptography; Public Key Infrastructure (PKI); Applications; Integration; e-DNI.
  4. Security Requirements
     • Confidentiality. Ensure confidentiality of data.
     • Integrity. The original data has not been changed.
     • Authentication. Proof of identity.
     • Non-repudiation. Prevent denial of a transaction: the originator cannot deny it.
  5. Paradigm Solution (layered diagram). Confidentiality, Integrity, Authentication, Non-repudiation are provided by Hash, Encryption and Digital Signature; these rest on Public Key Encryption; which rests on the Digital Certificate; which rests on the Certification Authority; which rests on the Public Key Infrastructure (PKI).
  6. PKIs are not CAs…
     • CA: issue certificates; revoke certificates.
     • PKI: issue certificates; revoke certificates; key management (creation, storage, update, backup/recovery); cross-certification; certificate repository (directory); application software; RA (Registration Authority); client; etc.
  7. Third-party trust (diagram). Raúl and Raquel each trust the Certification Authority, so they can trust each other: “third-party trust”.
  8. Cross-Certification (diagram). Certification Authority “A” (users Alicia and Juan) and Certification Authority “B” (users Elena and Pedro) cross-certify each other, extending third-party trust across the two domains.
  9. Subordinate CA (diagram). CA1 (“Root”) has subordinate CAs CA2 to CA7, which issue to users U1 to U9. Classical trust model has no end root.
  10. The certificate
     • Version: 3
     • Serial Number: 8391037
     • Signature: RSA
     • Issuer: o=SIA, c=ES
     • Validity: 1/5/97 1:02 - 7/5/98 1:02
     • Subject: cn=Raúl Guerra, o=SIA, c=ES
     • Subject Public Key Info
     • Extensions: SubjectAltName: rguerra@sia.es; CRL DP: cn=CRL2, o=SIA, c=ES
     • The CA signs the certificate.
  11. Certificate Revocation List
     • Unique name of the CRL. DN: cn=CRL2, o=SIA, c=ES
     • Period of validity. Start: 1/5/97 1:02. End: 1/6/97 1:02
     • Revoked certificates (serial number, date, reason): 191231, 4/24/96 10:20, Cessation of Operation; 123832, 4/25/ 16:20, Key Compromise; 923756, 4/25 16:30, Affiliation Change
     • CA DN: o=SIA, c=ES
     • CA’s digital signature on the CRL.
  12. Keys in the client (lifecycle): key generation; issue certificates; certificate validation; key usage; expired; key update.
  13. PKI integration layers (diagram)
     • Applications: Web, E-mail, ERPs, Legacy, SSO, ...
     • An application without a PKI-enabled module is PKI-enabled through a PKI-enable module built with toolkits (GSS-API, CAPI, ...); a PKI-enabled application uses the PKI client directly.
     • PKI client: PKCS#11 to the credential store (ID on disk .epf, memory cards, smart cards via PC/SC); BAPI to biometric devices; LDAP to the PKI Directory; PKIX-CMP to the PKI.
  14. Architecture: Example (diagram). Client to CA over PKIX-CMP through a Firewall; RA; LDAP Directory.
  15. Applications: Internet; e-Commerce; Remote Access; EDI; VPN (Virtual Private Network); ERPs; Security in the Intranet; Secure Single Sign-On.
  16. Internet Application
     • Secure Web Communications: Netscape/Microsoft browsers; Netscape/Microsoft servers; many more ...
     • Secure e-mail: Novell GroupWise; Lotus Notes; Netscape Messenger; Microsoft Outlook; cc:Mail
  17. Secure Remote Access
     • Remote Access Authentication: Security Dynamics; LeeMah DataComm; CryptoCard; Secure Computing (SafeWord); Digital Pathways (Defendor); application-specific implementations.
     • Firewalls & Routers: CheckPoint (Firewall-1); Raptor Systems (Eagle); MilkyWay (Blackhole); TIS (Gauntlet); ANS (Interlock); Secure Computing (Sidewinder); Border Network (Borderware); IBM (NetSP); Harris Systems (CyberGuard); Sagus Security (Defensor).
     • Routers: Cisco; Ascend; Bay Networks; BBN.
     • Diagram: remote user connecting through remote access authentication and firewalls/routers.
  18. VPNs. Virtual Private Networks (Intranet, Extranet, End Users): Firewall vendors (e.g. FW-1); Link encryptors; Security Dynamics SecurVPN; Entrust/Access; KyberPass.
  19. Security in the Intranet
     • Network Security: McAfee Network Security Suite; NetLock; Cygnus (KerbNet); other (via RSA toolkits). Goals: encrypt the traffic; secure access to resources.
     • Application Specific Security: RACF, ACF2, TopSecret; application-level passwords; proprietary data security (Notes). Targets: databases (Oracle…); heritage applications (Mainframe...); GroupWare (Notes…).
  20. Desktop security
     • File Security: Norton Your Eyes Only; PGP for Personal Privacy; Querisoft SecureFILE; McAfee VirusScan Security Suite; RSA SecurPC; AT&T SecretAgent; Entrust ICE; Entrust Entelligence.
     • Covers: Email; Files; Client/Server apps; E-forms; Browsers; and more...
  21. Enterprise Resource Planning (ERPs). ERP: SAP/R3; PeopleSoft; Oracle; ... Business-to-Business; Client/Server; client-to-server security; Web services.
  22. PKI: Homogeneous solution (diagram, PKI at the centre)
     • Specific systems: Databases (Oracle, ...); Mainframe; GroupWare.
     • Web Server Security: E-Commerce; Internet Banking; Secure Web Sites.
     • Network Security: traffic ciphering; secure access; Firewalls & Routers.
     • Remote Authentication: VPNs.
     • ERP: SAP/R3; PeopleSoft; Oracle; ...
     • Internet Users: Secure Web; Secure Mail; E-Commerce (SET).
     • Desktop Security: Email; Files; Client/Server apps; E-forms; Browsers; and more...
  23. PKIs Success (I)
     • Integration with the software applications.
     • Practical solutions --> bye, bye SET.
     • User recognition.
     • Trust. Do you trust the CA?
     • What or who used my private key? Is my PC safe? Security issues in the OS or the browser (crypto software). Is your private key in a smart card?
  24. PKIs Success (II)
     • Are the certification practices secure (CPS)? The CA must guarantee that the signed data (certificate) is correct.
     • There is a risk if you trust the user. Do you verify the certificate from the web server in an SSL connection?
     • To learn more: “Ten risks of PKIs: What you’re not being told about Public Key Infrastructure” by Bruce Schneier and Carl Ellison.
  25. e-DNI
     • Smart Card: polycarbonate card with high security from FNMT.
     • Certificates: identity (authentication) and signature (non-repudiation) certificates. No encryption certificate.
     • PKI providers: Entrust, Safelayer.
     • Hierarchy of CAs (root and subordinate CAs).
  26. e-DNI. Questions (I): Are other certificates necessary? Certificate status validation methods. Cross-certification with commercial CAs?
  27. e-DNI. Questions (II). Other certificates? YES, because:
     • No encryption certificate. So, to support business protection where there is encrypted data, a backed-up decryption (private) key is necessary ---> encryption certificate.
     • Physical identity. What about legal entities?
     • Use of the certificate with other information, for example medical data (medical smartcard).
     • Use in the private sector: home banking, corporate enterprise smartcard, etc.
  28. e-DNI. Questions (III). Certificate status validation methods: the system should ensure that the verification certificate is valid (and not on the CRL). If an entity would like technical interoperability with the e-DNI system, it is necessary to know the certificate status.
  29. e-DNI. Questions (IV). Certificate status validation methods: different validation entities. Public: relations of citizens with the Administration ---> free?? Private sector: bank, insurance, etc. Money, money... $$?? Cost of the validation: free, by price (and how much?)
  30. e-DNI. Questions (V). Cross-certification with other CAs? NO, because: the same as the traditional national DNI (ID card). Issued by DGP (Ministry of Interior). It is a legal document in Spain. If you just accept it, it will happen. Do you give state and private organization sectors the same level of trust?
  31. Creative Commons Attribution-NoDerivs 2.0. You are free: to copy, distribute, display, and perform this work; to make commercial use of this work. Under the following conditions: Attribution. You must give the original author credit. No Derivative Works. You may not alter, transform, or build upon this work. For any reuse or distribution, you must make the license terms of this work clear to others. Any of these conditions can be waived if you get permission from the author. Your fair use and other rights are in no way affected by the above. This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
  32. @FIST Conference. Raúl Guerra. Madrid, September 2005. www.fistconference.org
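As an added worked example (not code from the deck or from Grupo SIA), the following models the certificate fields of slide 10 and the CRL fields of slide 11 and runs the status check slide 28 asks for: the certificate must be inside its validity period and must not appear on a current CRL issued by its own CA. The sample data is constructed from the slide values, with the slide's dates read as day/month/year; signature verification of the certificate and of the CRL is assumed to be done by the caller and is not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Certificate:          # the fields slide 10 lists (no key material here)
    serial: int
    issuer: str
    subject: str
    not_before: datetime
    not_after: datetime
    crl_dp: str             # CRL Distribution Point extension: DN of the CRL

@dataclass
class CRL:                  # the fields slide 11 lists
    name: str               # unique name of the CRL
    issuer: str             # CA DN that signs the CRL
    start: datetime         # period of validity of the CRL itself
    end: datetime
    revoked: dict = field(default_factory=dict)   # serial -> reason

def certificate_status(cert, crl, now):
    """Return 'good', 'expired', 'revoked:<reason>' or 'error:...'.
    Signature checks are assumed done by the caller (not modelled here)."""
    if not cert.not_before <= now <= cert.not_after:
        return "expired"
    if crl.name != cert.crl_dp or crl.issuer != cert.issuer:
        return "error:wrong-crl"       # not the CRL the certificate points to
    if not crl.start <= now <= crl.end:
        return "error:stale-crl"       # an out-of-date CRL proves nothing
    if cert.serial in crl.revoked:
        return "revoked:" + crl.revoked[cert.serial]
    return "good"

def check_at(cert, crl, when):
    """Same check with the evaluation time given as 'YYYY-MM-DD HH:MM'."""
    return certificate_status(cert, crl, datetime.strptime(when, "%Y-%m-%d %H:%M"))

# Constructed sample data modelled on slides 10 and 11.
SIA = "o=SIA, c=ES"
CERT = Certificate(8391037, SIA, "cn=Raúl Guerra, o=SIA, c=ES",
                   datetime(1997, 5, 1, 1, 2), datetime(1998, 5, 7, 1, 2),
                   "cn=CRL2, o=SIA, c=ES")
REVOKED = Certificate(123832, SIA, "cn=(constructed subject), o=SIA, c=ES",
                      datetime(1997, 5, 1, 1, 2), datetime(1998, 5, 7, 1, 2),
                      "cn=CRL2, o=SIA, c=ES")
CRL2 = CRL("cn=CRL2, o=SIA, c=ES", SIA,
           datetime(1997, 5, 1, 1, 2), datetime(1997, 6, 1, 1, 2),
           {191231: "Cessation of Operation", 123832: "Key Compromise",
            923756: "Affiliation Change"})
```

Calling `check_at(CERT, CRL2, "1997-07-01 12:00")` returns `error:stale-crl` rather than `good`: once the CRL's own validity period has passed, a relying party has no current information about the certificate's status, which is the point slide 28 makes about interoperability with the e-DNI system.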