Symantec Corporate Template

PKI Services
for CYPRUS STOCK EXCHANGE
Kostas Nousias
AGENDA
• ADACOM Profile
• Introduction to PKI
• Certificate and Key Storage
ADACOM Profile
• Founded in 1999
• 80 employees (Commercial, Engineering, R&D, Consultants)
• 12 million USD turnover
• Subsidiaries in Israel, Germany, Greece, Bulgaria.
• Activities in 28 countries through own operations and through partners.
• ISO 27001:2005 & ISO 9001:2008
• Active in IT Security and Enterprise Software
• Operating the only two Symantec (ex. VeriSign) PKI Data Centers (main & DR) covering Eastern Europe (16 countries)
• Symantec Affiliate & Platinum Security partner
• CheckPoint Platinum Partner
ADACOM IT Security Partnerships
ADACOM IT Security Portfolio
Network
Application
E-Commerce
Regulatory Compliance
PKI & Authentication
Information Security Solutions
CA & RA services
Client Certificates
SSL Certificates
Qualified Certificates
Timestamping
E-Invoices
Data Loss Prevention Solutions
Control Compliance Solutions
Vulnerability Solutions
Online Anti-Fraud Solutions
Network & Endpoint Security Solutions
Intrusion Prevention Solutions
Card Management System
HSM & SSCD
Consulting Services
Compliance
Vulnerability Assessment / Penetration Testing
Managed Security Services
CP & CPS Consulting
Online Brand Management
gTLD
VIP
PKI
E-Invoices
Government
Financial
MSS
Security as a Service
Carriers
MDM Solutions
Asset Management
Device/Network
Information
Security & Compliance
OTA Configuration
In-premise / cloud
TimeStamping
ADACOM IT Security References
Introduction to PKI
What is PKI?
• A community of interest with a defined set of policy rules (“Certificate Policy”) and a set of operating procedures (“Certificate Practices Statement”) for the management of user identities and public keys.
• A PKI provides digital certificates that can identify an individual, organization or device and directory services that can store the certificates.
• A combination of standards, protocols and software that creates, edits and revokes digital public key certificates.
• A PKI enables trust between two or more parties without prior knowledge of each other.
• A PKI binds public keys to entities (“Subscribers”), enables other entities (“Relying Parties”) to verify public key bindings, and provides the services needed for ongoing management of keys in a distributed system.
FSI Event, May 24th, 2012, Athens
What does PKI provide?
• Authentication: to ensure parties are who they say they are. Verification that the people with whom we are corresponding actually are who they claim to be.
• Integrity: to guarantee the transaction is not altered. Verification that the information contained in the message is not tampered with, accidentally or deliberately, during transmission.
• Confidentiality: to protect sensitive information. Means that the information contained in the message is kept private and only the sender and the intended recipient will be able to read it.
• Authorization: to ensure parties can access specific information.
• Non-repudiation: to prove the transaction occurred. There can be no denial on the part of the sender of having sent a message that is digitally signed.
How does PKI accomplish all of these things?
Data Encryption
• Encryption refers to the conversion of a message into an unintelligible form of data, with the aim of ensuring confidentiality.
• Decryption is the reversal of encryption; it is the process of transforming encrypted data back into an intelligible message.
• In public key cryptography, encryption and decryption are performed with the use of a pair of public and private keys.
Digital Signature
• Addresses the issues of authenticity, integrity and non-repudiation. Like its hand-written counterpart, a digital signature proves authorship of a particular message. Technically, a digital signature is derived from the content of the sender's message in combination with his private key, and can be verified by the recipient using the sender's public key to perform a verification operation.
Digital Certificates
• A digital certificate is a digital document that proves the relationship between the identity of the holder of the digital certificate and the public key contained in the digital certificate. It is issued by a trusted third party called a Certificate Authority (CA). Our digital certificate contains our public key and other attributes that can identify us.
Hash Functions
• Input 1: “It was the best of times, it was the worst of times”
• Input 2: “It was the best of thymes, it was the worst of times”
• Small difference between the inputs
• Each input is passed through the hash function
• Large difference between the outputs: 3au8 e43j jm8x g84w and b6hy 8dhy w72k 5pqd
Public Key – Signature & Verification
Sender (Alice): Hashing + Encryption = Signature Creation
• Message → Hash Function → Digest → Encrypt → Signature
• Transmitted Message: Message + Signature
Receiver (Bob): Hashing + Decryption = Signature Verification
• Signature → Decrypt → Expected Digest
• Message → Hash Function → Digest
• If these are the same, then the message has not changed
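The hash and signature slides above, worked through as an added example that is not part of the original presentation: SHA-256 stands in for the hash function, and textbook RSA without padding, using a toy key constructed from two Mersenne primes, stands in for the encrypt and decrypt boxes. All names are assumptions, and the key and scheme are for illustration only; production signing uses a padded scheme from a vetted library.

```python
import hashlib

# Constructed toy key: two Mersenne primes, textbook RSA without padding.
# Insecure by design; it only mirrors the data flow drawn on the slide.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)

def digest(message: bytes) -> int:
    """Hash Function box: SHA-256 digest of the message as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Sender (Alice): hash the message, then transform the digest with D."""
    return pow(digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Receiver (Bob): recover the expected digest with E, compare with own hash."""
    expected = pow(signature, E, N)
    return expected == digest(message)

def differing_bits(a: bytes, b: bytes) -> int:
    """Number of digest bits (out of 256) that differ between two messages."""
    return bin(digest(a) ^ digest(b)).count("1")

# The two inputs from the Hash Functions slide.
ORIGINAL = b"It was the best of times, it was the worst of times"
ALTERED = b"It was the best of thymes, it was the worst of times"

if __name__ == "__main__":
    sig = sign(ORIGINAL)
    print("untouched message verifies:", verify(ORIGINAL, sig))
    print("altered message verifies:  ", verify(ALTERED, sig))
    print("digest bits changed by one word:", differing_bits(ORIGINAL, ALTERED))
```
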
Where can I use it?
• Applications/protocols enabled for digital signature/encryption and compatible with X.509 v3 digital certificates:
– Secure Mail (S/MIME), Web Access (SSL)
– Virtual Private Networking, E-Forms, File/Media Encryption
• Electronic Commerce:
– On-line banking
– On-line purchasing
– On-line payments
• E-Government:
– On-line benefits
– On-line taxes
– On-line licenses
– On-line filings
• Most paper-based applications can be securely transitioned to on-line using PKI
PKI – Basic Components
“Provider” Side
• Certificate Authority (CA)
• Registration Authority (RA)
• Certificate Distribution System
“Consumer” Side
• PKI enabled applications
Certificate Authority (CA)
• Key Generation
• Digital Certificate Generation
• Certificate Issuance and Distribution
• Revocation
• Key Backup and Recovery System
• Cross-Certification
Registration Authority (RA)
• Registration of Certificate Information
• Face-to-Face Registration
• Remote Registration
• Automatic Registration
• Revocation procedures
Certificate Distribution System
Repository for
• Digital Certificates
• Certificate Revocation Lists (CRLs)
• Online Certificate Status Protocol
PKI-enabled Applications – Required functionality
• Cryptographic functionality
• Secure storage of Personal Information
• Digital Certificate Handling
• Directory Access
• Communication Facilities
PKI Trust and Legal Issues
• Why should I trust a certificate?
– Certificate Hierarchies, Cross-Certification
• How can I determine the liability of a CA?
– Certificate Policies (CP)
  • A document that sets out the rights, duties and obligations of each party in a Public Key Infrastructure
  • The Certificate Policy (CP) is a document which usually has legal effect
  • A CP is usually publicly exposed by CAs, for example on a Web Site (VeriSign, etc.)
– Certificate Practice Statement (CPS)
  • A document that sets out what happens in practice to support the policy statements made in the CP in a PKI
  • The Certificate Practice Statement (CPS) is a document which may have legal effect
PKI Standards
• X.509 Certificate and CRL Profiles
• PKI Management Protocols
• Certificate Request Formats
• CP/CPS Framework
• LDAP, OCSP, etc.
Public or Private CA Hierarchy?
• “Public” vs. “Private” Certification Authority
– Has nothing to do with public vs. private keys
– Refers to where the chain of trust terminates for certificates you will be issuing
• Hierarchy chain = chain of Certificate Authorities from a root CA down through X number of intermediate CAs, to the CA that issued your certificate
– Root: Adacom Class 2 Primary CA
– MPKI: Adacom Class 2 MPKI Individual CA
– Client: Alice B. Toklas
• If you trust a given root CA, you should also trust all subsidiary CAs, and therefore all certificates issued by any of the CAs, in the hierarchy.
• A compromise at one “link” of the chain compromises everything below it in the hierarchy.
• All certificates in a given hierarchy must reference the same Certification Policies.
Public or Private CA Hierarchy?
• Public Hierarchy – certificate parentage can be traced back to a public root certificate, such as a VeriSign public root key embedded in most browsers.
• Private Hierarchy – certificate parentage belongs to a private organization that has complete control over the Certification Practices Statement for every certificate in that hierarchy. To use certificates in a private hierarchy, you must install the root certificate of that hierarchy into the browsers of all users.
• Public Model
– Open community
– Secure Email
– VeriSign root keys embedded in applications
– Must meet minimal Root CA CPS/CP
• Private Model
– Self-Signed CA
– Closed community
– Network Access/VPN
– Not dependent on Root CA CPS/CP
[Diagram, public hierarchy: VeriSign Public Class 2; Company Public Root; Company Public CA A, Company Public CA B, Company Public CA C]
[Diagram, private hierarchy: Company Private Root; Company Private CA A, Company Private CA B, Company Private CA C]
X.509 Certificate
• X.509 version 3 certificate standard
• A certificate is a digitally signed document issued by a Certification Authority
• Because it is cryptographically signed, a certificate cannot be altered after it is issued
• Certificate filename extensions
– CER - CER encoded certificate
– DER - DER encoded certificate
– PEM - (Privacy Enhanced Mail) Base64 encoded DER certificate
– P7B / P7C - PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
– PFX / P12 - PKCS#12, contains certificate(s), public and private keys (password protected)
X.509 Certificate Profile
The X.509 certificate format has the following fields:
• Required fields
– Version
– Serial Number
– Algorithm ID
– Certificate Signature
– Certificate Signature Algorithm
– Issuer
– Validity
  • Not Before
  • Not After
– Subject
– Subject Public key info
  • Public Key Algorithm
  • Subject Public Key
• Optional Fields
– issuerUniqueIdentifier
– subjectUniqueIdentifier
– Extensions
Issuer and subject unique identifiers were introduced in Version 2, Extensions in Version 3.
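How the PEM and DER encodings and the first profile fields look at the byte level, as an added example that is not part of the original presentation: the code strips PEM armor to DER, then reads the Version, the Serial Number and the three top-level parts of a certificate. The sample is a constructed, unsigned skeleton rather than a real certificate, and all function names are assumptions.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (only used to build the sample below)."""
    n = len(content)
    head = bytes([n]) if n < 0x80 else bytes([0x81, n])  # sample stays under 256 bytes
    return bytes([tag]) + head + content

def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV starting at pos; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                          # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated DER content")
    return tag, buf[pos:pos + n], pos + n

def to_der(blob: bytes) -> bytes:
    """PEM is Base64-encoded DER between armor lines; raw DER passes through."""
    m = PEM_RE.search(blob)
    return base64.b64decode(m.group(1)) if m else blob

def summarize(blob: bytes) -> dict:
    """Read version, serial number and the tags of the three top-level parts."""
    tag, cert, _ = read_tlv(to_der(blob))
    if tag != 0x30:
        raise ValueError("certificate must start with a DER SEQUENCE")
    t1, tbs, pos = read_tlv(cert)         # to-be-signed part: version .. extensions
    t2, _, pos = read_tlv(cert, pos)      # certificate signature algorithm
    t3, _, pos = read_tlv(cert, pos)      # certificate signature (BIT STRING)
    _, ver, p = read_tlv(tbs)             # [0] wrapper around the version INTEGER
    _, serial, _ = read_tlv(tbs, p)       # serial number INTEGER
    return {"version": read_tlv(ver)[1][0] + 1,   # encoded 2 means X.509 v3
            "serial": int.from_bytes(serial, "big"),
            "top_level_tags": [t1, t2, t3]}

# Constructed sample: version v3, serial 123456, sha256WithRSAEncryption OID, dummy signature.
_TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01\xe2\x40"))
_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
SAMPLE_DER = tlv(0x30, _TBS + _ALG + tlv(0x03, b"\x00" + b"\xab" * 8))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```
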
X.509 Subject DN Fields
• The Subject DN has the following fields:
– Common Name
– Given Name
– Surname
– Country
– Pseudonym
– Organization Name
– Organizational Unit Name
– State
– Locality
– Email
– Title
– Address
– ….
X.509 Optional Fields
• Basic Constraints
– NULL
• Key Usage
– digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
• Certificate Policies
– id-vtn-cp-class2 - 2.16.840.1.113733.1.7.23.2
– qcp-public-with-sscd - 0.4.0.1456.1.1
– EDSP DL 2 - 2.16.840.1.113733.1.7.44.2
• Authority Key Identifier
– keyIdentifier value (hash of the authority's key)
– Note: Issuing CA must have SKI for this option
• Subject Key Identifier
– keyIdentifier
• Subject Alt Name
– directoryString, rfc822Name, domainName, registeredID, ipAddress, otherName
• CRL Distribution Points
– URL, LDAP
• Authority Info Access
– OCSP
• Extended Key Usage
– clientAuth, emailProtection, fileRecovery, smartCardLogon, encryptedFileSystem, ipsecUser
• QC Statement
– id-etsi-qcs-QcCompliance (0.4.0.1862.1.1)
– id-etsi-qcs-QcLimitValue (0.4.0.1862.1.2)
Digital Certificates in Use
• Secure e-mail
• Virtual Private Network (VPN)
• Wireless (Wi-Fi)
• Web Servers (SSL/TLS)
• Network Authentication
• Code Signing
• Server to Server
Certificate and Key Storage
Key Storage Considerations
• Many different ways to store a certificate and private key.
• Application will usually dictate the appropriate method.
• Concerns include:
– Security
– Portability
– Functionality
– Usability
– Manageability
– Expense
Software-Based Certificates
• Several different software stores
– Microsoft CAPI
– Netscape certificate database
– Macintosh keyring
– Java keystores
– Vendor specific
  • VeriSign Personal Trust Agent
• Pros
– Browser based, so easy to use
– Inexpensive
  • no new infrastructure
  • easy distribution
• Cons
– Locks user to desktop
– Desktop management
– Cannot control password use
PKI Smart Cards / USB Tokens
Generally provide greater security than software certificates
• Can require PINs or passwords, even biometric authentication
• Keys usually cannot be exported
• Tokens can be locked in a safe when not in use
• FIPS (Federal Information Protection Standard) 140 rated
Provide better portability than software certificates
• Can be used on multiple machines while maintaining only one copy of the private key
• Have the capacity to hold multiple keys and certificates
Challenges
• Typically require installation of drivers
• May require a separate reader
• End user acceptance
• Token lifecycle management: distribution, forgotten/lost/broken tokens
• Cost
QA