Entrust - CT.gov Portal

Transcript: Entrust - CT.gov Portal

Entrust Public Key Infrastructure
Erik Schetina
Chief Technology Officer
IFsec, LLC
[email protected] www.ifsec.com
Orchestrating Enterprise Security
1997 Entrust Technologies
Agenda
Introduction to Entrust
What is a PKI
Entrust Product Line
Piloting and Rolling out a PKI
Questions
1997 Entrust Technologies
What is a PKI?
[Diagram: PKI components arranged around the Certification Authority: Certificate Repository, Certificate Revocation, Key Backup & Recovery, Key Histories, Automatic Key Update, Cross-certification, Timestamping, Support for non-repudiation]

PKI Requirements
• Certification Authority
• Certificate repository
• Revocation system
• Key backup and recovery system
• Support for non-repudiation
• Automatic key update
• Management of key histories
• Cross-certification
• Timestamping services
• Client-side software
1997 Entrust Technologies
p. 4
PKI with Entrust
• Consistent security and trust
• Single password and keys secure all applications
• Automated key management
  • Key backup/recovery
  • Certificate issuance, storage and revocation
  • Key distribution, rollover and expiry
• Low administrative cost/burden
1997 Entrust Technologies
PKI without Entrust
• Inconsistent security and trust
  • Fragmented or non-existent policies and key management functions
• Security “silos”
  • Each application performs its own security
  • Multiple key pairs and certificates
  • Multiple passwords
  • Costly, burdensome administration
1997 Entrust Technologies
Entrust Components
• Certificate Authority
• Directory
• Client Software (Certificate Store)
• Applications
  • E-Mail
  • Web
  • VPN
  • Any Entrust-Ready Application
1997 Entrust Technologies
p. 7
What is Key Management?
Issues:
• generating keys
• keeping backup keys
• dealing with compromised keys
• changing keys
• restoring keys
Key and certificate management is difficult
1997 Entrust Technologies
p. 8
Why is Key Management Important?
• User Enrollment
• Key Renewal
• Restoration of Lost Keys
• Automated functionality
1997 Entrust Technologies
p. 9
Certificate-Issuing Services (CA)
What they provide:
• Issue certificates for a fee (per cert/per year)
What you don’t get:
• Little control over certificate issuance policies
• No key recovery (forgotten password = lost data)
• No key history (what happens when certificates expire?)
• Liability issues
• No control over trust model and root keys
• No automatic and transparent certificate revocation checking
• No client capabilities
1997 Entrust Technologies
p. 10
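Three of the gaps listed above, no revocation checking, no key history and no control over the root, are concrete enough to show in code. The following is an added example written for this transcript; it is not Entrust's software and not from the original deck. It is a toy certification authority on Go's standard crypto/x509: it issues a user certificate, publishes a signed CRL, and a relying-party check refuses a certificate unless the chain verifies to the root and a fresh CRL signed by that root does not list it. A client-side key history keeps every earlier decryption key across a key update so records encrypted before the update stay readable. The names (ca, history, validate, encryptTo), the 8-byte key identifier and the one-hour CRL lifetime are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demo inputs are all under our control
	if err != nil {
		panic(err)
	}
	return v
}

// ca is a minimal certification authority: a self-signed root plus the serials it has revoked.
type ca struct {
	cert    *x509.Certificate
	key     *rsa.PrivateKey
	revoked []pkix.RevokedCertificate
}

// sign has signer certify tmpl; the SubjectKeyId is how ciphertext later names its key generation.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	id := sha256.Sum256(x509.MarshalPKCS1PublicKey(pub))
	tmpl.SubjectKeyId = id[:8]
	tmpl.SerialNumber = must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

func newCA(name string) *ca {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return &ca{cert: sign(tmpl, tmpl, &key.PublicKey, key), key: key}
}

// issue makes a fresh encryption key pair for user and certifies it (enrollment and key update alike).
func (c *ca) issue(user string) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: user}, KeyUsage: x509.KeyUsageKeyEncipherment}
	return sign(tmpl, c.cert, &key.PublicKey, c.key), key
}

func (c *ca) revoke(cert *x509.Certificate) {
	c.revoked = append(c.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
}

// crl signs the current revocation list; relying parties would fetch it from the directory.
func (c *ca) crl() *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(time.Now().UnixNano()), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: c.revoked}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, c.cert, c.key))))
}

// validate is the relying party's check: chain to the trusted root, then consult a CRL that the
// root signed and that is not past NextUpdate. Skipping the CRL is how revoked keys keep working.
func validate(root, cert *x509.Certificate, crl *x509.RevocationList) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return err
	}
	if crl.CheckSignatureFrom(root) != nil || time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is not signed by the root or is stale")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}

// history is the client-side key store: every private key the user has held, by key id.
// Keeping old keys across a key update is what keeps earlier ciphertext readable.
type history map[string]*rsa.PrivateKey

func (h history) update(cert *x509.Certificate, key *rsa.PrivateKey) { h[string(cert.SubjectKeyId)] = key }

// encryptTo seals msg to one certificate generation and returns the key id it used.
func encryptTo(cert *x509.Certificate, msg []byte) (string, []byte) {
	return string(cert.SubjectKeyId), must(rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), msg, nil))
}

func (h history) open(keyID string, ct []byte) ([]byte, error) {
	if key, ok := h[keyID]; ok {
		return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ct, nil)
	}
	return nil, errors.New("no key in history for this key id")
}
```

The sequence to run is: issue a certificate to a user, encrypt a record to it, issue again for the same user (key update), then revoke the first certificate. validate now rejects the first certificate and still accepts the second; history.open still decrypts the old record because the first private key was retained, while a profile holding only the new key cannot. The two halves of validate are deliberately separate: a chain that verifies to the root says nothing about revocation, and a CRL that is unsigned or past NextUpdate says nothing reliable either.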
Entrust Architecture
[Diagram: Security Officers, Entrust Administrators and Directory Administrators work through Entrust/Admin; Entrust/Manager and the Directory serve Entrust Users running Entrust-Ready applications and Entrust/Engine desktop crypto software]

The Directory
• Stores certificates, CRLs, cross-certificates, ...
• Interoperates with numerous LDAP-compliant directories
  • ICL, Control Data, Digital, Netscape, Unisys, ...
  • supports Directory distribution
• Supports redundancy
1997 Entrust Technologies
Entrust Products
• Entrust/Entelligence
  • Stores and Manages Certificates
• Entrust/Express - Email plug-in
• Entrust/Direct - Web, Extranet
• Entrust/Unity - SSL & S/MIME
• Entrust/Access - VPN
• Entrust/Toolkit - Enable applications
• Entrust/TimeStamp
1997 Entrust Technologies
p. 13
Entelligence on the Desktop
• Tight integration into Entrust-Ready applications
• Secure key storage options
  • smart cards, PC cards, biometric devices, and secure software profiles
• Secure single log on
• Consistent, trustworthy key lifecycle management across applications
  • minimizes administrative costs
1997 Entrust Technologies
‘Entrust-Ready’ Desktop Architecture
[Diagram: “Entrust-Ready” applications run on Entrust/Engine, whose Security Kernel and Communications Services talk to Entrust/Manager and the Directory; the Engine holds the user profile, the personal address book and PKCS #11 tokens]

Entrust/Toolkit Integration
Entrust becomes the security management point for all Entrust-Ready applications and services
[Diagram: Entrust/Toolkit linking Entrust-Ready Remote Access, Entrust-Ready E-mail, Entrust-Ready E-forms and an Entrust-Ready Browser]
1998
Entrust
Technologies
1997
Entrust
Technologiesp.
1p. 16
Secure e-mail made easy
What is Entrust/Express?
• Secure e-mail plug-in for users of Microsoft Exchange and Microsoft Outlook
• Encrypt and/or digitally sign message text and attachments
• Provides message confidentiality and integrity
• For Windows 95 and Windows-NT 4.0
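The two properties claimed above, confidentiality and integrity of message text and attachments, come from a sign-then-encrypt construction. The code below is an added example for this transcript, not Entrust's or Microsoft's code: an S/MIME-style envelope built from Go's standard library, using Ed25519 for the sender's signature and RSA-OAEP plus AES-256-GCM to encrypt to the recipient. The deck does not say which algorithms Entrust/Express used; those choices and the names Seal, Open, Envelope and demoKeys are this example's assumptions, and demoKeys stands in for the keys that would come from each user's profile and certificate.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Message is what a mail plug-in takes from the client: headers, body and named attachments.
type Attachment struct {
	Name string
	Data []byte
}

type Message struct {
	From, To, Subject, Body string
	Attachments             []Attachment
}

// Envelope is what travels through the mail system; nothing in it is readable in transit.
type Envelope struct {
	WrappedKey []byte   // AES-256 content key, RSA-OAEP wrapped to the recipient's certificate key
	Nonce      [12]byte // AES-GCM nonce; a fixed-size array so a bad length can never reach GCM
	Ciphertext []byte   // GCM ciphertext of signature || serialized message
}

const wrapLabel = "mail-content-key" // OAEP label: ties the wrapped key to this use only

func gcm(key []byte) cipher.AEAD { // neither constructor can fail for a 32-byte key
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Seal serializes the message, signs those exact bytes (headers, body and attachments together)
// with the sender's key, then encrypts signature and message under a fresh content key that only
// the recipient's RSA private key can unwrap. Because the To header is under the signature, a
// recipient cannot re-encrypt the message to a third party and pass it off as sent to them.
func Seal(m *Message, sender ed25519.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	plain, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	signed := append(ed25519.Sign(sender, plain), plain...)
	buf := make([]byte, 44) // 32-byte content key followed by the 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, buf[:32], []byte(wrapLabel))
	if err != nil {
		return nil, err
	}
	e := &Envelope{WrappedKey: wrapped, Ciphertext: gcm(buf[:32]).Seal(nil, buf[32:], signed, nil)}
	copy(e.Nonce[:], buf[32:])
	return e, nil
}

// Open rejects an envelope that is not addressed to this recipient, was modified in transit,
// or was not signed by the claimed sender, in that order, and only then parses the message.
func Open(e *Envelope, recipient *rsa.PrivateKey, sender ed25519.PublicKey) (*Message, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, e.WrappedKey, []byte(wrapLabel))
	if err != nil {
		return nil, errors.New("envelope is not addressed to this key")
	}
	signed, err := gcm(key).Open(nil, e.Nonce[:], e.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("envelope was modified in transit")
	}
	n := ed25519.SignatureSize
	if len(signed) < n || !ed25519.Verify(sender, signed[n:], signed[:n]) {
		return nil, errors.New("signature does not verify for the claimed sender")
	}
	m := new(Message)
	if err := json.Unmarshal(signed[n:], m); err != nil {
		return nil, err
	}
	return m, nil
}

// demoKeys makes throwaway keys; in a deployment they come from each user's profile and certificate.
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey, *rsa.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rk, _ := rsa.GenerateKey(rand.Reader, 2048)
	return pub, priv, rk
}
```

Open peels the layers in reverse order and fails closed at each one: a wrong recipient key cannot unwrap the content key, any change to the ciphertext fails GCM authentication, and a message signed by anyone other than the claimed sender fails the Ed25519 check before the content is even parsed. Signing the serialized bytes and carrying those same bytes inside the envelope is what makes the signature cover attachments and headers exactly as the sender saw them.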
Secure VPNs/Remote Access
Entrust/Access
Virtual Private Networks
What is a VPN?
• A private and secure network carved out of a public or insecure network
Relevant Standards
• IPSec - interoperable packet-layer encryption
• ISAKMP/Oakley (the key exchange later standardized as IKE) - users are authenticated with digital signatures and X.509 certificates
1997 Entrust Technologies
VPN Partners
Remote Access, Firewall, VPN Gateways
• Milkyway - SecurIT
• Raptor - EagleMobile Pro
• TimeStep - PERMIT Product Suite
• Stac - ReachOut
• Sagus - Defensor
• KyberPASS
• Check Point - FireWall-1
1997 Entrust Technologies
Secure Remote Access
• provides significant cost savings over dial-up (phone lines, maintenance, ID cards)
• scalable - able to grow as the demand for remote access increases
[Diagram: Mobile User, Internet, VPN Gateway, Human Resources Server, Finance Server, Entrust Manager]
1997 Entrust Technologies
TM
Secure Extranet Applications
Intra/Extra Net Solution
Target Solution
[Diagram: Web Browser connected over the Internet, Intranet, or Extranet to a Server]
• Provides Entrust Enterprise Solution PKI capabilities to off-the-shelf Web browsers and servers
• Thin client software on user desktop
• Extranet applications
1997 Entrust Technologies
Security you set and forget
Entrust/ICE
• Desktop/laptop encryption software
• Easy-to-use
• Works with any desktop application
• Automatic encryption
• Security on-line or off-line
• Windows 95 and Windows-NT 4.0
Entrust-Ready Applications
[Diagram of application categories: Web Browser, Email, Workgroup, Smart Cards and Biometrics, VPN, Forms, Human Resources]
Deploying a PKI
Begin with a pilot
• Pick a single application
• Evaluate the technology
• Prove the utility
Currently piloting Entrust
• CA, X.500, Secure E-Mail
• Lotus Notes
• Short time to deploy (weeks)
1997 Entrust Technologies
p. 28
Deploying a PKI (cont.)
Rolling out an Operational PKI
• Planning and Goals
• Acceptable Usage (CPS)
• Disaster Recovery
• Applications
  • Access to records
  • E-commerce with State contractors
  • Remote access to internal resources
1997 Entrust Technologies
p. 29
Summary
• Automates user administration
• Integration across many applications (single sign-on)
• Enables trustworthy business over the web
• Growing collection of Entrust-enabled applications
1997 Entrust Technologies
p. 30