Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
 Developing your corporate PKI
Strategy
 Gil Mulin, Airbus
 Julien Holstein, Aerospace Vision on behalf of Airbus
May 2010 Page 2
Prologue
With cyber security as one of the top priorities of the President, the federal government has
ini...
May 2010 Page 3
Agenda
Introduction
A reminder
Companies’ needs
Possible implementations
Conclusion
1
3
4
2
5
May 2010 Page 4
1 - Introduction
 Information security is a key topic in the industry
Deals with confidentiality, integr...
May 2010 Page 5
Agenda
Introduction
Reminders
Companies’ needs
Possible implementation
Conclusion
1
3
4
2
5
May 2010 Page 6
 What are digital certificates ?
Digital certificates are the digital keys which allow to encrypt data (...
May 2010 Page 7
 What is a Public Key Infrastructure (PKI) ?
A PKI is the addition of physical Information System means ...
May 2010 Page 8
 What is a cross certification bridge ?
A cross certification bridge is a set of rules PKI can fulfill t...
May 2010 Page 9
 What is a cross certification bridge ?
A cross certification bridge is a set of rules PKI can fulfill t...
May 2010 Page 10
 What is a cross certification bridge ?
A cross certification bridge is a set of rules PKI can fulfill ...
May 2010 Page 11
 What collaboration WITHOUT a cross certification bridge looks like
2 - Reminders
May 2010 Page 12
2 - Reminders
 What collaboration WITH a cross certification bridge looks like
PKI Bridge
May 2010 Page 13
2 - Reminders
 Trust fabric
CertiPath Bridge CA
(CBCA)
Federal Bridge CA
(FBCA)
Boeing CA
CertiPath Root...
May 2010 Page 14
Agenda
Introduction
Reminders
Companies’ needs
Possible implementation
Conclusion
1
3
4
2
5
May 2010 Page 15
 Aeronautical functional needs
Loadable software parts code signing
FAA form 8130-3 and EASA form1 dig...
May 2010 Page 16
 Interoperability
Maybe I will have to digitally sign a piece of software which will be loaded in an ai...
May 2010 Page 17
Agenda
Introduction
Reminders
Companies’ needs
Possible implementation
Conclusion
1
3
4
2
5
May 2010 Page 18
What are your choices in terms of use?
To consolidate on as few digital certificates as possible, all i...
May 2010 Page 19
What are your drivers?
Cost (implementing your own PKI is very expensive)
Economies of scale
Availabi...
May 2010 Page 20
4 - Possible implementation
Federal
Bridge
(FBCA)
Raytheon
The Boeing Company
Citibank
Northrop Grumman
L...
May 2010 Page 21
Epilogue
With cyber security as one of the top priorities of the President, the federal government has
in...
May 2010 Page 22
Agenda
Introduction
Reminders
Companies’ needs
Possible implementation
Conclusion
1
3
4
2
5
May 2010 Page 23
What do I need to implement?
Should I make or should I buy?
In order to help you in front of those two...
May 2010 Page 24
Any questions?
Gil Mulin, Airbus
gil.mulin@airbus.com
Julien Holstein, Aerospace Vision on behalf of Ai...
Upcoming SlideShare
Loading in …5
×

Mulin Holstein PKI-strategy

536 views

Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Mulin Holstein PKI-strategy

  1. 1.  Developing your corporate PKI Strategy  Gil Mulin, Airbus  Julien Holstein, Aerospace Vision on behalf of Airbus
  2. 2. May 2010 Page 2 Prologue With cyber security as one of the top priorities of the President, the federal government has initiated a significant overhaul of its information security standards, guidance, and risk management activities. The National Institute of Standards and Technology (NIST) in partnership with the Department of Defense and the Intelligence Community, is developing a unified information security and risk management framework for federal agencies and their support contractors including those organizations in the A&D industries. Many state and local governments as well as private sector entities are adopting the security standards and guidelines on a voluntary basis. Applying information security best practices and effectively managing risk associated with the operation and use of information systems will help ensure that the operations, assets, and individuals within the United States critical infrastructure are well protected against an increasingly sophisticated and dangerous set of cyber threats. Dr. Ronald Ross, Project Lead for FISMA Implementation Project, National Institute of Standards and Technology (NIST)
  3. 3. May 2010 Page 3 Agenda Introduction A reminder Companies’ needs Possible implementations Conclusion 1 3 4 2 5
  4. 4. May 2010 Page 4 1 - Introduction  Information security is a key topic in the industry Deals with confidentiality, integrity (and non repudiation) and availability of data Data digital security is widely handled with digital certificates Aeronautical actors have to implement information security all over their activities In domains where aircrafts are impacted In all their other domains (finance, strategy, HR, technical design…) DSWG sets the standard concerning the usage of digital certificates around the aircrafts  Impact various contributors (manufacturers, system providers, airlines, airports…)  Defines processes and technical requirements around digital certificates in order to provide a good level of trust
  5. 5. May 2010 Page 5 Agenda Introduction Reminders Companies’ needs Possible implementation Conclusion 1 3 4 2 5
  6. 6. May 2010 Page 6  What are digital certificates ? Digital certificates are the digital keys which allow to encrypt data (protect the confidentiality) and to digitally sign data (provide assurance on integrity, identity and non repudiation). They are provided by Certificates Authorities (CA) 2 - Reminders Mr Blue signs a document with his certificate And send it to Mr Green Mr Green recognizes Mr Blue signature This provides assurance on : •The identity of the sender •The integrity of the data since it has been signed •The fact the message has been sent (non repudiation) Mr Blue encrypt a document for Mr green And send it to Mr Green Mr Green decrypt the document with his certificate This provides assurance on : •The confidentiality of the data
  7. 7. May 2010 Page 7  What is a Public Key Infrastructure (PKI) ? A PKI is the addition of physical Information System means (servers, specialized software,…) and processes in order to manage digital certificates lifecycle (certificates generation, revocation, renewal, user registration, revocation lists managements, public information publication, trust anchor…) It is important to notice that a PKI is split in 20% of technology and 80% of processes and management 2 - Reminders PKI publication of public information and trust anchor
  8. 8. May 2010 Page 8  What is a cross certification bridge ? A cross certification bridge is a set of rules PKI can fulfill to enlarge their circle of trust. All the PKI cross certified toward the same bridge trust and are trusted by all the others 2 - Reminders PKI publication of public information and trust anchor Company B PKI publication of public information and trust anchor Company A
  9. 9. May 2010 Page 9  What is a cross certification bridge ? A cross certification bridge is a set of rules PKI can fulfill to enlarge their circle of trust. All the PKI cross certified toward the same bridge trust and are trusted by all the others 2 - Reminders PKI publication of public information and trust anchor Company B PKI publication of public information and trust anchor Company A Cross certification bridge
  10. 10. May 2010 Page 10  What is a cross certification bridge ? A cross certification bridge is a set of rules PKI can fulfill to enlarge their circle of trust. All the PKI cross certified toward the same bridge trust and are trusted by all the others A cross certification bridge requires a Trust anchor. A Trust anchor is the foundation upon which the trust chain rests. A trust anchor is an unequivocal authority, usually governmental. For example , in the case of Certipath (jointly owned by ARINC,SITA and Exostar) the trust anchor is the U.S Federal PKI Authority. The trust anchor determines the criteria for cross-certification as well as the governance regime. 2 - Reminders
  11. 11. May 2010 Page 11  What collaboration WITHOUT a cross certification bridge looks like 2 - Reminders
  12. 12. May 2010 Page 12 2 - Reminders  What collaboration WITH a cross certification bridge looks like PKI Bridge
  13. 13. May 2010 Page 13 2 - Reminders  Trust fabric CertiPath Bridge CA (CBCA) Federal Bridge CA (FBCA) Boeing CA CertiPath Root CA (CBCA) Exostar FIS CA (Subordinate) ARINC CA (Subordinate) Lockheed Martin CA Federal Shared Service Provider CAs (Subordinate) Raytheon CA Northrop Grumman CA Exostar CA SITA CA Federal Agency CAs CertiPath Operational Authority (OA) Federal Agency CAs Federal Agency CAs Federal Agency CAs Federal Shared Service Provider CAs (Subordinate) Cross-Cert Cross-Cert Cross-Cert Subordinates (SSP) Subordinates (SSP) EADS CA
  14. 14. May 2010 Page 14 Agenda Introduction Reminders Companies’ needs Possible implementation Conclusion 1 3 4 2 5
  15. 15. May 2010 Page 15  Aeronautical functional needs Loadable software parts code signing FAA form 8130-3 and EASA form1 digital signature XML crate digital signature ACARS messages encryption Industrial “ground” functional needs Encryption of sensitive data (files, e-mails, laptops hard drive) Digital signature of files and e-mails “Qualified” digital signature Strong authentication 3 – Companies’ needs
  16. 16. May 2010 Page 16  Interoperability Maybe I will have to digitally sign a piece of software which will be loaded in an aircraft? (DSWG guidelines) Maybe I will have to digitally sign some official documents (DSWG-spec 2000 guidelines)? Maybe I will have to implement an “Extended Enterprise” business model which is going to require identity federation? (the foundation of which should rely on PKI) Practical Operations Minimal variation Fit within existing responsibilities Predictable Re-usable Economy Minimum new investment as operations evolve 3 – Companies’ needs
  17. 17. May 2010 Page 17 Agenda Introduction Reminders Companies’ needs Possible implementation Conclusion 1 3 4 2 5
  18. 18. May 2010 Page 18 What are your choices in terms of use? To consolidate on as few digital certificates as possible, all issued from a single PKI or to use different digital certificates for each activity, possibly issued by different PKI What are your choices in terms of implementation? You can choose to buy your certificates Why would you choose to buy your certificates? You have a choice of providers You can choose to implement your own PKI You will need external expertise to provide specialist knowledge Why would you choose to implement your own PKI? Why would you want to have certificates that are cross-certified? 4 - Possible implementation
  19. 19. May 2010 Page 19 What are your drivers? Cost (implementing your own PKI is very expensive) Economies of scale Availability of resources Management focus Strategy : do you want to wait for regulation to enforce you or do you want to or to anticipate the best you can? Why would you wait for regulation? Why would you anticipate? In either case (make or buy) it is fundamental that the company has processes in place that provide a unique identity for each employee together with the respective vetting actions which the law of the country allows. ( for example is should be based on FIPS 201 /HSPD 12 in the US ) There are certain roles that have to be created e.g. the Registration Authorities. These RAs register the future subscriber. There are also the Trusted Agents. They are responsible for issuing the certificates and therefore for ensuring the binding of the identity of the subscriber to the certificate itself 4 - Possible implementation
  20. 20. May 2010 Page 20 4 - Possible implementation Federal Bridge (FBCA) Raytheon The Boeing Company Citibank Northrop Grumman Lockheed Martin Cybertrust Entrust Exostar ORC Treasury VeriSign USPTO NASAGPODOJDOS Other Federal Agency Sponsored DoD Sponsored DoD Other Federal Agency Commercial State Government Shared Service Provider DHS EADS SITA Exostar CertiPath Root ORC VeriSign IdentTrust DoD ECA Root 1 DoD iRoot UK CCEB RootDoD Root 2 DoD Root 1 DoD Subordinate CA’s UK MOD CCEB Root Common Policy Root CertiPath Bridge ORC VeriSign IdentTrust DoD ECA Root 2 USPS DEA CSOS GSA ACES IdentTrust GSA ACES VeriSign DOEDOE
  21. 21. May 2010 Page 21 Epilogue With cyber security as one of the top priorities of the President, the federal government has initiated a significant overhaul of its information security standards, guidance, and risk management activities. The National Institute of Standards and Technology (NIST) in partnership with the Department of Defense and the Intelligence Community, is developing a unified information security and risk management framework for federal agencies and their support contractors including those organizations in the A&D industries. Many state and local governments as well as private sector entities are adopting the security standards and guidelines on a voluntary basis. Applying information security best practices and effectively managing risk associated with the operation and use of information systems will help ensure that the operations, assets, and individuals within the United States critical infrastructure are well protected against an increasingly sophisticated and dangerous set of cyber threats. Dr. Ronald Ross, Project Lead for FISMA Implementation Project, National Institute of Standards and Technology (NIST)
  22. 22. May 2010 Page 22 Agenda Introduction Reminders Companies’ needs Possible implementation Conclusion 1 3 4 2 5
  23. 23. May 2010 Page 23 What do I need to implement? Should I make or should I buy? In order to help you in front of those two questions, we advise you have a clear vision on your immediate and midterm needs through several axis : Identity and non repudiation, integrity and confidentiality needs Regulated needs versus “free” corporate needs Pure internal needs versus shared needs with partners/customers/suppliers Strategy of my company towards the Extended Enterprise model The interoperability you expect between all these needs The agility you expect your solution to have 5 - Conclusion
  24. 24. May 2010 Page 24 Any questions? Gil Mulin, Airbus gil.mulin@airbus.com Julien Holstein, Aerospace Vision on behalf of Airbus julien.holstein@aerospace-vision.com 5 - Conclusion

×