PKI Interoperability

FIST Conference September/Madrid 2005

PKI Interoperability
Raúl Guerra Jiménez

About the Author

Raúl Guerra Jiménez
CISSP, CISA
Technical consultant
Grupo SIA
1989
www.siainternational.com

2

Index

Cryptography
Public Key Infrastructure (PKI)
Applications
Integration
e-DNI

3

Security Requirements

Confidentiality.
Ensure confidentiality of data.
Integrity.
The original data has not been changed.
Authentication.
Proof of identity.
Non Repudiation.
Prevent denial of transaction. The
originator cannot deny it.

4

Paradigm Solution

CONFIDENTIALITY INTEGRITY AUTHENTICATION NON-REPUDIATION

HASH
ENCRYPTION DIGITAL SIGNATURE

PUBLIC KEY ENCRIPTION

DIGITAL CERTIFICATE

CERTIFICATION AUTHORITY

PUBLIC KEY INFRASTRUCTURE (PKI)

5

PKIs are not CAs…

PKI:
• Issue certificates
• Revoke certificates
• Key management
– Creation
CA:
– store
• Issue certificates – Update
• Revoke certificate – backup/recovery
• Cross-certification
• Certificate Repository (Directory)
• Application software
• RA (Registration Authority)
• Client
• etc

Third-party trust

Certification Authority
Trust Trust

Raúl Raquel
“third-party trust”

7

Cross-Certification

Cross-Certification

Certificaction Authority Certification Authority

third-party trust
Alicia Juan Elena Pedro

AC “A” AC “B”

8

Subordinate CA

CA1 (“Root”)

CA2 CA3

CA4 CA5 CA6 CA7

U1 U2 U3 U4 U5 U6 U7 U8 U9

Classical trust-model has no end root

The certificate

Version: 3
Serial Number: 8391037
Signature: RSA
Issuer: o=SIA, c=ES
Validity: 1/5/97 1:02 - 7/5/98 1:02
Subject: cn=Raúl Guerra, o=SIA, c=ES
Subject Public Key Info:
----------------------------------------------------
Extensions SubjectAltName: rguerra@sia.es
CRL DP:cn=CRL2, o=SIA, c=ES

The CA signs the certificate
10

Certificate Revocation List
Unique name of CRL
DN: cn=CRL2, o=SIA, c=ES
Period of validity
Start: 1/5/97 1:02
End: 1/6/97 1:02
Revoked:
Serial number 191231 4/24/96 10:20 Cessation of
of Operation
Revoked 123832 4/25/ 16:20 Key Compromise
certificates 923756 4/25 16:30 Affiliation Change
and reason CA DN: o=SIA, c=ES

CA’s digital signature on the CRL
11

Keys in the client

Key generation

Issue certificates
o

Certificate validation
Key usage
Expired

Key update

12

PKI

Web
E-mail
Applicati
Applicati ERP’s,
ERP’s, Legacy
Legacy Application
Application
on
on SSO, ...
SSO, ... app.
app. without PKI-
without PKI-
PKI-enabled
PKI-enabled GSS-API,
GSS-API, Enabled module
Enabled module
Application CAPI, ... Toolkits
Toolkits PKI-Enable
PKI-Enable
Application CAPI, ...
PKI
PKI module
module

PKI client
PKCS#11 BAPI
ID in
disk
(MemoryCard (Biometric LDAP PKIX-CMP
s, API)
SmartCards,
SmartCards,
.ep PC/SC) Biometric
Biometric
f devices
devices
Directorio PKI
13

Architecture: Example

Client CA

PKIX-CMP

Firewall
LDAP

RA Directory

14

Application

Internet
e-Commerce
Remote Access
EDI
VPN (Virtual Private Network)
ERPs
Security in Intranet
Secure Single-Sign On
15

Internet Application
Secure Web
Communications
•Netscape/Microsoft Browsers
Netscape/Microsoft
•Netscape/Microsoft Servers
Netscape/Microsoft
•muchos mas ...

Secure e-mail
•Novel GroupWise
•Lotus Notes
•Netscape Messenger
•Microsoft Outlook
•cc:Mail

16

Secure Remote Acess
Remote Access
Authentication
•Security Dynamics
•LeeMah DataComm
•CryptoCard
•Secure Computing (SafeWord)
SafeWord) Remote Access
•Digital Pathways (Defendor)
Defendor) Authentication
Firewalls •Application specific
CheckPoint (Firewall-1)
Firewall- implementations
Raptor Systems (Eagle)
Eagle)
MilkyWay (Blackhole)
Blackhole)
TIS (Gauntlet)
(Gauntlet)
ANS (Interlock)
(Interlock)
Secure Computing
FireWalls
(Sidewinder)
Sidewinder) & Routers
Border Network
(Borderware)
Borderware)
IBM (NetSP)
(NetSP)
Harris Systems'
Systems'
(CyberGuard)
CyberGuard) Remote user
Sagus Security (Defensor)

Routers
•Cisco
•Ascend
•Bay Networks
•BBN
17

VPNs

Intranet

Virtual Private Networks Extranet
•Firewall Vendors (Ej. FW-1)
FW-
•Link Encryptors
•Security Dynamics SecurVPN
•Entrust/Access
Entrust/Access
•KyberPass

End Users
18

Security in the Intranet
Application Specific
Network Security Security
•McAfee Network Security Suite •RACF, ACF2, TopSecret
•NetLock •Application level passwords
•Cygnus (KerbNet)
KerbNet) •Proprietary data security (Notes)
•Other (via RSA toolkits)
toolkits)

Network Security
•Encrypt the traffic
•Secure access to resources

Application Specific Security
•Databases (Oracle…)
Oracle…
•Heritage applications (Mainframe...)
Mainframe...)
•GroupWare (Notes…)
(Notes…

19

Desktop security

File Security
•Norton Your Eyes Only
•PGP for Personal Privacy
•Querisoft SecureFILE
•McAfee VirusScan Security Suite
•RSA SecurPC
•AT&T SecretAgent

•Entrust ICE
•Email •Entrust Entelligence
•Files
•Client/Server
Client/Server
apps
•E-forms
•Browsers
Y más...
má

Enterprise Resource Planning (ERPs)
Business-to-Business

ERP
•SAP/R3
•PeopleSoft Client/Server
•Oracle services
•...

Client to server security

Web services

21

PKI: Homogeneous solution

Specific systems Web Server Security
•E-Commerce
especifica •Internet Banking
•Databases (Oracle, ...)
Oracle, •Secure Web Sites s
•Mainframe
•GroupWare
Network Security
•Traffic cyphering
•Secure Access
Firewalls & Routers
Remote

PKI
ERP Authentication
•SAP/R3 VPN’s
VPN’
•PeopleSoft
•Oracle
•...
Internet Users Desktop Security
•Secure Web •Email
•Secure Mail •Files
•E-Commerce (SET) •Client/Server apps
Client/Server
•E-forms
•Browsers
And more...

PKIs Success (I)

Integration with the software
applications.
Practical solutions--> Bye, bye SET.
Users recognition.
Trust. Do you trust CA?
What or who used my private key? Is
my PC safe? Security issues in the
OS or the browser (crypto Software)
Is your private key in a smart card?
23

PKIs Success (II)

Are the certification practices
secure(CPS)?
The CA must guarantee that the signed
data (certificate) is correct.
There is a risk if you trust the user. Do you
verify the certificate from the web server in
a SSL connection?
To learn more: “Ten risks of PKIs: What
you´re not being told about Public key
Infrastructure” by Bruce Schneier and Carl
Ellison

24

e-DNI

Smart Card
Polycarbonate card with high security
from FNMT
Certificates
Identity (authentication) and signature
(non-repudiation) certificates
No encryption certificate
PKI Providers: Entrust, Safelayer
Hierarchy of CAs (root and
Subordinate CAs)
25

e-DNI. Questions (I)

Are other certificates necessary?

Certificate status validation methods.

Cross-Certification with commercial
CAs?

26

e-DNI. Questions (II)

Other certificates? YES, because
No encryption certificate. So, to support
business protection, where there is encrypted
data, a decryption is necessary(private) key
backed up---> Encryption certificate
Physical identity. What about legal entities?
Use of certificate with other information. For
example, medical data (medical smartacard)
Use in private sector: home-banking, corporate
Enterprise smartcard, etc

27

e-DNI. Questions (III)

Certificate status validation
methods
The system should ensure that the
verification certificate is valid (and not
on CRL)
If an entity would like technical
interoperability with e-DNI system, it is
necessary to know the certificate status.

28

e-DNI. Questions (IV)

Certificate status validation
methods
Different validation entities
Public: relations of citizens with the
Administration ---> free??
Private sector: Bank, insurance, etc. Money,
money...$$??
Cost of the validation: free, by price
(and how much?)

29

e-DNI. Questions (V)

Cross-Certification with other
CAs? NO, because
The same as the traditional national
DNI.(ID Card)
Issued by DGP (Ministry of Interior). It is
a legal document in Spain
If you just accept it will happen. Do you
give state and private organization
sectors the same level of trust?

30

Creative Commons
Attribution-NoDerivs 2.0
You are free:
•to copy, distribute, display, and perform this work
•to make commercial use of this work
Under the following conditions:

Attribution. You must give the original author
credit.

No Derivative Works. You may not alter, transform, or
build upon this work.

For any reuse or distribution, you must make the license terms of this work
clear to others.
Any of these conditions can be waived if you get permission from the author.

Your fair use and other rights are in no way affected by the above.

This work is licensed under the Creative Commons Attribution-NoDerivs
License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative
Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
31

@

FIST Conference
Raúl Guerra
Madrid, September 2005
www.fistconference.org

PKI Interoperability

More Related Content

What's hot

Similar to PKI Interoperability

More from Conferencias FIST

Recently uploaded

PKI Interoperability