Entrust - CT.gov Portal
Entrust Public Key Infrastructure
Erik Schetina
Chief Technology Officer
IFsec, LLC
[email protected] www.ifsec.com
Orchestrating Enterprise Security
1997 Entrust Technologies
Agenda
Introduction to Entrust
What is a PKI
Entrust Product Line
Piloting and Rolling out a PKI
Questions
What is a PKI?
[Diagram: PKI components arranged around a Certification Authority: Cross-certification, Key Histories, Key Backup & Recovery, Support for non-repudiation, Certificate Repository, Automatic Key Update, Timestamping, Certificate Revocation]
PKI Requirements
Certification Authority
Certificate repository
Revocation system
Key backup and recovery system
Support for non-repudiation
Automatic key update
Management of key histories
Cross-certification
Timestamping services
Client-side software
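The "revocation system" and "certificate repository" requirements above only pay off if every relying client actually consults the revocation list and refuses to trust a certificate when it cannot. The following is an added example, not code from the presentation or from Entrust: a minimal Python model of a client-side CRL check. The Certificate and CRL classes are constructed stand-ins for X.509 structures, and the issuer name, serial numbers and dates are made up for the demonstration.

```python
# Added example: a minimal model of client-side revocation checking against a
# Certificate Revocation List (CRL). Certificate and CRL are constructed
# stand-ins for X.509 objects; the serials, names and dates below are made up.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    """Issuer-signed list of revoked serials, current from this_update until next_update."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)  # serial -> revocation time

    def revoke(self, serial: int, when: datetime) -> None:
        # Keep the earliest revocation time if a serial is reported twice.
        self.revoked.setdefault(serial, when)


def check_certificate(cert: Certificate, crl: CRL, now: datetime):
    """Return (accepted, reason). Fails closed: a stale or wrong-issuer CRL rejects."""
    if now < cert.not_before or now > cert.not_after:
        return False, "certificate outside its validity period"
    if crl.issuer != cert.issuer:
        return False, "CRL not issued by the certificate's CA"
    if now < crl.this_update or now > crl.next_update:
        # A CRL past nextUpdate may be missing recent revocations; do not trust it.
        return False, "CRL is not current"
    if cert.serial in crl.revoked:
        return False, f"revoked at {crl.revoked[cert.serial].isoformat()}"
    return True, "accepted"


# Constructed sample data (hypothetical issuer, subjects and serials).
T0 = datetime(1997, 6, 1, tzinfo=timezone.utc)
ISSUER = "CN=Example State CA"
ALICE = Certificate(1001, "CN=Alice", ISSUER, T0, T0 + timedelta(days=365))
BOB = Certificate(1002, "CN=Bob", ISSUER, T0, T0 + timedelta(days=365))

# One weekly CRL published 30 days after issuance; Bob's key was reported compromised.
CRL_V1 = CRL(ISSUER, this_update=T0 + timedelta(days=30), next_update=T0 + timedelta(days=37))
CRL_V1.revoke(BOB.serial, T0 + timedelta(days=29))


def demo(days_after_issue: int = 31):
    """Check both certificates `days_after_issue` days after T0; results keyed by subject."""
    now = T0 + timedelta(days=days_after_issue)
    return {c.subject: check_certificate(c, CRL_V1, now) for c in (ALICE, BOB)}


if __name__ == "__main__":
    for subject, (ok, why) in demo().items():
        print(f"{subject}: {'OK' if ok else 'REJECT'} ({why})")
```

The order of the checks is the point: validity period, then issuer match, then CRL freshness, and only then the serial lookup. Treating a CRL past its nextUpdate as "not current" rather than "no revocations known" is what makes the check fail closed; an application that skips the freshness test will keep accepting a revoked certificate for as long as the stale list is cached.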
PKI with Entrust
Consistent security and trust
Single password and keys secure all applications
Automated key management
• Key backup/recovery
• Certificate issuance, storage and revocation
• Key distribution, rollover and expiry
Low administrative cost/burden
PKI without Entrust
Inconsistent security and trust
• Fragmented or non-existent policies and key management functions
Security “silos”
• Each application performs its own security
• Multiple key pairs and certificates
• Multiple passwords
• Costly, burdensome administration
Entrust Components
Certificate Authority
Directory
Client Software (Certificate Store)
Applications
• E-Mail
• Web
• VPN
• Any Entrust-Ready Application
What is Key Management?
Issues:
• generating keys
• keeping backup keys
• dealing with compromised keys
• changing keys
• restoring keys
Key and certificate management is difficult
Why is Key Management Important?
User Enrollment
Key Renewal
Restoration of Lost Keys
Automated functionality
Certificate-Issuing Services (CA)
What they provide:
Issue certificates for a fee (per cert/per year)
What you don’t get:
Little control over certificate issuance policies
No key recovery (forgotten password = lost data)
No key history (what happens when certificates expire?)
Liability issues
No control over trust model and root keys
No automatic and transparent certificate revocation checking
No client capabilities
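Two of the gaps listed above, "no key recovery" and "no key history", are really the same lifecycle problem seen from two sides: once a user's encryption key is rolled over or their profile is lost, anything encrypted under the earlier key is unreadable unless someone kept that key. As an added example, not code from the presentation or from Entrust, the Python below models a per-user key history, automatic key update and CA-side key backup/recovery so the three behaviours can be observed together. The "cipher" is a SHA-256 counter-mode keystream chosen only so the example runs on the standard library; it is a placeholder, not something to deploy. The user name, sequential key ids and document contents are constructed.

```python
# Added example: a toy model of key history, automatic key update and key
# backup/recovery. The "cipher" is a SHA-256 counter-mode keystream used only
# so that the example runs on the standard library; it is a placeholder, not a
# cipher to deploy. User names and key ids are constructed. Not Entrust code.
import hashlib
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric transform: XOR data with SHA-256(key || nonce || counter) blocks."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyHistory:
    """Client-side store of every decryption key a user has ever held, by key id.

    New data is always encrypted under the current key, but decryption looks the
    key up by the id stored with the ciphertext, so documents encrypted before a
    key update stay readable after it.
    """

    def __init__(self):
        self.keys = {}          # key_id -> key bytes
        self.current_id = None

    def update_key(self) -> int:
        """Automatic key update: mint a new current key and keep the old ones."""
        key_id = len(self.keys) + 1   # sequential id; a real PKI would use a key/cert identifier
        self.keys[key_id] = secrets.token_bytes(32)
        self.current_id = key_id
        return key_id

    def encrypt(self, plaintext: bytes):
        nonce = secrets.token_bytes(16)
        key = self.keys[self.current_id]
        return (self.current_id, nonce, _keystream_xor(key, nonce, plaintext))

    def decrypt(self, blob) -> bytes:
        key_id, nonce, ciphertext = blob
        if key_id not in self.keys:
            raise KeyError(f"key id {key_id} is not in this history; data is unreadable")
        return _keystream_xor(self.keys[key_id], nonce, ciphertext)


class KeyBackup:
    """CA-side escrow of users' decryption keys, released only by a security officer.

    Only decryption keys belong here: a backed-up signing key would let someone
    other than the user sign, which defeats non-repudiation.
    """

    def __init__(self):
        self._escrow = {}  # (user, key_id) -> key bytes

    def deposit(self, user: str, key_id: int, key: bytes) -> None:
        self._escrow[(user, key_id)] = key

    def recover(self, user: str) -> KeyHistory:
        """Rebuild the full history for a user who lost their profile or password."""
        history = KeyHistory()
        for (owner, key_id), key in sorted(self._escrow.items()):
            if owner == user:
                history.keys[key_id] = key
                history.current_id = key_id   # ids ascend, so the last one seen is newest
        return history


def lifecycle_demo():
    """Walk one user through enrolment, key update and recovery; return what was observed."""
    backup = KeyBackup()
    history = KeyHistory()

    first_id = history.update_key()                     # enrolment: first key
    backup.deposit("alice", first_id, history.keys[first_id])
    old_doc = history.encrypt(b"budget 1997")           # encrypted under key 1

    second_id = history.update_key()                    # automatic key update
    backup.deposit("alice", second_id, history.keys[second_id])
    new_doc = history.encrypt(b"budget 1998")           # encrypted under key 2

    # A client that keeps only its current key (no history) loses the old document.
    current_only = KeyHistory()
    current_only.keys = {second_id: history.keys[second_id]}
    current_only.current_id = second_id
    try:
        current_only.decrypt(old_doc)
        old_doc_lost_without_history = False
    except KeyError:
        old_doc_lost_without_history = True

    recovered = backup.recover("alice")                 # lost profile, rebuilt from escrow
    return {
        "key_ids": (first_id, second_id),
        "old_doc_key_id": old_doc[0],
        "new_doc_key_id": new_doc[0],
        "old_doc_readable_after_update": history.decrypt(old_doc) == b"budget 1997",
        "old_doc_lost_without_history": old_doc_lost_without_history,
        "recovered_reads_both": recovered.decrypt(old_doc) == b"budget 1997"
        and recovered.decrypt(new_doc) == b"budget 1998",
        "recovered_current_id": recovered.current_id,
    }


if __name__ == "__main__":
    for name, value in lifecycle_demo().items():
        print(f"{name}: {value}")
```

The design choice worth noticing is that the key id travels with the ciphertext and the history is append-only: key update never deletes, it only changes which key is current. Backup is then just a second copy of that same history held by the CA, which is why it can restore a user after a forgotten password without any data loss, and why it must be restricted to decryption keys.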
Entrust Architecture
[Diagram: Security Officers, Entrust Administrators and Directory Administrators use Entrust/Admin, which connects to Entrust/Manager and the Directory; Entrust Users run Entrust-Ready applications and Entrust/Engine desktop crypto software]
The Directory
Stores certificates, CRLs, cross-certificates, ...
Interoperates with numerous LDAP-compliant directories
• ICL, Control Data, Digital, Netscape, Unisys, ...
• supports Directory distribution
Supports redundancy
Entrust Products
Entrust/Entelligence
• Stores and Manages Certificates
Entrust/Express - Email plug-in
Entrust/Direct - Web, Extranet
Entrust/Unity - SSL & S/MIME
Entrust/Access - VPN
Entrust/Toolkit - Enable applications
Entrust/TimeStamp
Entelligence on the Desktop
Tight integration into Entrust-Ready applications
Secure key storage options
• smart cards, PC cards, biometric devices, and secure software profiles
Secure single log on
Consistent, trustworthy key lifecycle management across applications
• minimizes administrative costs
‘Entrust-Ready’ Desktop Architecture
[Diagram: “Entrust-Ready” applications and the Entrust User on top of Entrust/Engine, which contains the Security Kernel, Communications Services (to Entrust/Manager and the Directory), a PKCS #11 interface to tokens, the personal address book and the user profile]
Entrust/Toolkit Integration
Entrust becomes the security management point for all Entrust-Ready applications and services
[Diagram: Entrust/Toolkit linking Entrust-Ready Remote Access, Entrust-Ready E-mail, Entrust-Ready E-forms and Entrust-Ready Browser]
Secure e-mail made easy
What is Entrust/Express?
Secure e-mail plug-in for users of Microsoft Exchange and Microsoft Outlook
Encrypt and/or digitally sign message text and attachments
Provides message confidentiality and integrity
For Windows 95 and Windows-NT 4.0
Secure VPNs/Remote Access
Entrust/Access
Virtual Private Networks
What is a VPN?
• A private and secure network carved out of a public or insecure network
Relevant Standards
• IPSec - interoperable packet-layer encryption
• ISAKMP/Oakley - users are authenticated with digital signatures and X.509 certificates
VPN Partners
Remote Access, Firewall, VPN Gateways
Milkyway - SecurIT
Raptor - EagleMobile Pro
Timestep - PERMIT Product Suite
Stac - ReachOut
Sagus - Defensor
KyberPASS
Check Point - FireWall-1
Secure Remote Access
Provides significant cost savings over dial-up (phone lines, maintenance, ID cards)
Scalable - able to grow as the demand for remote access increases
[Diagram: Mobile User, Internet, VPN Gateway, Entrust Manager, Human Resources Server, Finance Server]
Secure Extranet Applications
Intra/Extra Net Solution
[Diagram (Target Solution): Web Browser to Server across the Internet, Intranet, or Extranet]
• Provides Entrust Enterprise Solution PKI capabilities to off-the-shelf Web browsers and servers
• Thin client software on user desktop
• Extranet applications
Security you set and forget
Entrust/ICE
Desktop/laptop encryption software
Easy-to-use
Works with any desktop application
Automatic encryption
Security on-line or off-line
Windows 95 and Windows-NT 4.0
Entrust-Ready Applications
Web Browser
Email
Workgroup
Smart Cards and Biometrics
VPN
Forms
Human Resources
Deploying a PKI
Begin with a pilot
• Pick a single application
• Evaluate the technology
• Prove the utility
Currently piloting Entrust
• CA, X.500, Secure E-Mail
• Lotus Notes
• Short time to deploy (weeks)
Deploying a PKI (cont.)
Rolling out an Operational PKI
• Planning and Goals
• Acceptable Usage (CPS)
• Disaster Recovery
• Applications
Access to records
E-commerce with State contractors
Remote access to internal resources
Summary
Automates user administration
Integration across many applications (single sign-on)
Enables trustworthy business over the web
Growing collection of Entrust-enabled applications