1997 Entrust Technologies Orchestrating Enterprise Security
Entrust Public Key Infrastructure
Erik Schetina, Chief Technology Officer
IFsec, [email protected], www.ifsec.com
Agenda
• Introduction to Entrust
• What is a PKI
• Entrust Product Line
• Piloting and Rolling out a PKI
• Questions
What is a PKI?
Components shown in the slide's diagram:
• Certification Authority
• Certificate Repository
• Certificate Revocation
• Key Backup & Recovery
• Support for non-repudiation
• Automatic Key Update
• Key Histories
• Cross-certification
• Timestamping
PKI Requirements
• Certification Authority
• Certificate repository
• Revocation system
• Key backup and recovery system
• Support for non-repudiation
• Automatic key update
• Management of key histories
• Cross-certification
• Timestamping services
• Client-side software
PKI with Entrust
• Consistent security and trust
• Single password and keys secure all applications
• Automated key management: key backup/recovery; certificate issuance, storage and revocation; key distribution, rollover and expiry
• Low administrative cost/burden
PKI without Entrust
• Inconsistent security and trust: fragmented or non-existent policies and key management functions
• Security "silos": each application performs its own security
• Multiple key pairs and certificates
• Multiple passwords
• Costly, burdensome administration
Entrust Components
• Certificate Authority
• Directory
• Client Software (Certificate Store)
• Applications: e-mail, Web, VPN, any Entrust-Ready application
What is Key Management?
Key and certificate management is difficult. Issues:
• generating keys
• keeping backup keys
• dealing with compromised keys
• changing keys
• restoring keys
Why is Key Management Important?
• User enrollment
• Key renewal
• Restoration of lost keys
• Automated functionality
Certificate-Issuing Services (CA)
What they provide: issue certificates for a fee (per cert/per year).
What you don't get:
• Little control over certificate issuance policies
• No key recovery (forgotten password = lost data)
• No key history (what happens when certificates expire?)
• Liability issues
• No control over trust model and root keys
• No automatic and transparent certificate revocation checking
• No client capabilities
Entrust Architecture
Roles: Security Officers, Entrust Administrators, Directory Administrators, Entrust Users.
Components: Entrust/Manager, Entrust/Admin, the Directory, and Entrust-Ready applications with the Entrust/Engine desktop crypto software.
The Directory
• Stores certificates, CRLs, cross-certificates, ...
• Interoperates with numerous LDAP-compliant directories (ICL, Control Data, Digital, Netscape, Unisys, ...)
• Supports Directory distribution
• Supports redundancy
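The PKI requirements list and the directory slide name the moving parts; the Go program below is an added example, written for this page and not Entrust's code, that wires a minimal version of them together with only the standard library's crypto/x509: a CA that issues user certificates, publishes them and a signed CRL to a directory structure, and a relying-party check that chains a certificate to the published root and then consults the CRL, refusing to decide if the CRL is stale. The Directory and CA types, the name Example Root CA and the user alice are this example's own constructions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must turns any error into a panic: in this demonstration every failure is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Directory stands in for the LDAP directory (hypothetical type). Nothing in it is
// secret: its objects are trusted because the CA signed them, not because of where they sit.
type Directory struct {
	Root, CRL []byte            // DER root certificate; DER CRL, replaced on every publish
	Users     map[string][]byte // common name -> DER user certificate
}

// CA is a minimal certification authority: a signing key, a serial counter and the revoked list.
type CA struct {
	key            *ecdsa.PrivateKey
	cert           *x509.Certificate
	serial, crlNum int64
	revoked        []pkix.RevokedCertificate
}

// NewCA creates a self-signed root and publishes it together with an empty first CRL.
func NewCA(dir *Directory) *CA {
	key, now := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}, // constructed name
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // without CRLSign the root may not sign CRLs
		SubjectKeyId: []byte{1, 2, 3, 4},                           // a CRL issuer must carry one
	}
	dir.Root = must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	ca := &CA{key: key, cert: must(x509.ParseCertificate(dir.Root)), serial: 1}
	ca.PublishCRL(dir) // a root with no CRL is a root whose users can never be revoked
	return ca
}

// Issue enrols a user: the CA signs the user's public key (the private key never
// leaves the user) and publishes the certificate in the directory.
func (ca *CA) Issue(dir *Directory, cn string, pub *ecdsa.PublicKey) {
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	dir.Users[cn] = must(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key))
}

// Revoke adds the user's serial to the revoked list and publishes a new CRL.
func (ca *CA) Revoke(dir *Directory, cn string) {
	cert := must(x509.ParseCertificate(dir.Users[cn]))
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
	ca.PublishCRL(dir)
}

// PublishCRL signs the whole revoked list under a new CRL number with a short
// lifetime, so clients must refresh it instead of caching an old copy for ever.
func (ca *CA) PublishCRL(dir *Directory) {
	ca.crlNum++
	tmpl := &x509.RevocationList{
		Number: big.NewInt(ca.crlNum), RevokedCertificates: ca.revoked,
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour),
	}
	dir.CRL = must(x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key))
}

// Status is the check a relying party runs before trusting a peer: chain the
// certificate to the published root, then consult the CRL, accepting it only if
// the root signed it and it has not passed NextUpdate. A stale CRL is an error,
// not a pass. Results: "unknown", "untrusted", "revoked" or "valid".
func Status(dir *Directory, cn string) (string, error) {
	der, ok := dir.Users[cn]
	if !ok {
		return "unknown", nil
	}
	cert, root := must(x509.ParseCertificate(der)), must(x509.ParseCertificate(dir.Root))
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "untrusted", nil
	}
	crl := must(x509.ParseRevocationList(dir.CRL))
	if err := crl.CheckSignatureFrom(root); err != nil {
		return "", fmt.Errorf("CRL not signed by the root: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return "", fmt.Errorf("CRL expired at %v; refusing to decide", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "valid", nil
}

func main() {
	dir := &Directory{Users: map[string][]byte{}}
	ca, alice := NewCA(dir), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // constructed user
	ca.Issue(dir, "alice", &alice.PublicKey)
	fmt.Println(Status(dir, "alice")) // valid <nil>
	ca.Revoke(dir, "alice")
	fmt.Println(Status(dir, "alice")) // revoked <nil>
}
```

Two details matter in practice and are easy to get wrong: the CRL is only as good as the client's willingness to fetch a fresh copy, which is why Status treats a CRL past NextUpdate as an error rather than silently accepting it, and the chain check comes before the CRL lookup, since a serial number in a CRL means nothing for a certificate that was not issued by the root that signed the CRL.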
Entrust Products
• Entrust/Entelligence - stores and manages certificates
• Entrust/Express - e-mail plug-in
• Entrust/Direct - Web, extranet
• Entrust/Unity - SSL & S/MIME
• Entrust/Access - VPN
• Entrust/Toolkit - enable applications
• Entrust/TimeStamp
Entelligence on the Desktop
• Tight integration into Entrust-Ready applications
• Secure key storage options: smart cards, PC cards, biometric devices, and secure software profiles
• Secure single log on
• Consistent, trustworthy key lifecycle management across applications (minimizes administrative costs)

'Entrust-Ready' Desktop Architecture
Diagram: the Entrust user works through "Entrust-Ready" applications, which call Entrust/Engine. The Engine comprises a Security Kernel, Communications Services (to Entrust/Manager and the Directory), the user profile, a personal address book, and tokens accessed through PKCS #11.
Entrust/Toolkit Integration
• Entrust-Ready Remote Access
• Entrust-Ready E-mail
• Entrust-Ready E-forms
• Entrust-Ready Browser
Entrust becomes the security management point for all Entrust-Ready applications and services.
Secure e-mail made easy
What is Entrust/Express?
• Secure e-mail plug-in for users of Microsoft Exchange and Microsoft Outlook
• Encrypt and/or digitally sign message text and attachments
• Provides message confidentiality and integrity
• For Windows 95 and Windows NT 4.0
Secure VPNs/Remote Access
Entrust/Access
Virtual Private Networks
What is a VPN? A private and secure network carved out of a public or insecure network.
Relevant standards:
• IPSec - interoperable packet-layer encryption
• ISAKMP/Oakley - users are authenticated with digital signatures and X.509 certificates
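The slide's second bullet is the reason a VPN needs the PKI at all: a Diffie-Hellman exchange on its own cannot tell a gateway from an attacker sitting in the path. The Go program below is an added example, not from the deck and not Entrust's code: a stripped-down signature-authenticated Diffie-Hellman exchange in the spirit of the Oakley signature method, showing both sides' messages, the transcript each side signs, and the session-key derivation. It is not the ISAKMP/IKE wire format. Where the real protocol would validate the peer's X.509 certificate, this example assumes the peers' long-term public signing keys are already trusted (the `trusted` map), and alice and bob are constructed names. It uses only Go's standard crypto/ecdh and crypto/ecdsa.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must turns any error into a panic: in this demonstration every failure is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Hello is what each side sends in the clear: identity, fresh nonce, ephemeral DH value.
type Hello struct {
	Name  string
	Nonce []byte
	DH    []byte // uncompressed P-256 point
}

// Party is one VPN endpoint: a long-term ECDSA key (the key its X.509 certificate
// would certify) and the ephemeral DH key of the exchange in progress.
type Party struct {
	Name string
	Sign *ecdsa.PrivateKey
	eph  *ecdh.PrivateKey
}

// transcript binds both identities, nonces and DH values (initiator's hello ih,
// responder's hello rh) into the hash that gets signed: anything changed on the wire
// breaks the other side's signature check.
func transcript(ih, rh Hello) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(ih.Name), ih.Nonce, ih.DH, []byte(rh.Name), rh.Nonce, rh.DH} {
		h.Write(part)
	}
	return h.Sum(nil)
}

// Hello starts (or answers) an exchange with a fresh nonce and DH key pair.
func (p *Party) Hello() Hello {
	p.eph = must(ecdh.P256().GenerateKey(rand.Reader))
	nonce := make([]byte, 16)
	must(rand.Read(nonce))
	return Hello{Name: p.Name, Nonce: nonce, DH: p.eph.PublicKey().Bytes()}
}

// Authenticate is the signature authentication method in miniature: the long-term
// key signs the whole transcript, not just the sender's own DH value.
func (p *Party) Authenticate(ih, rh Hello) []byte {
	return must(ecdsa.SignASN1(rand.Reader, p.Sign, transcript(ih, rh)))
}

// SessionKey verifies the peer's signature against the peer's trusted public key and
// only then derives the session key from the DH secret and both nonces. The order
// matters: a DH value that the trusted key did not sign is never used.
func (p *Party) SessionKey(ih, rh Hello, peerSig []byte, trusted map[string]*ecdsa.PublicKey) ([]byte, error) {
	peer := ih
	if ih.Name == p.Name {
		peer = rh
	}
	pub, ok := trusted[peer.Name]
	if !ok {
		return nil, fmt.Errorf("no trusted key for %q", peer.Name)
	}
	if !ecdsa.VerifyASN1(pub, transcript(ih, rh), peerSig) {
		return nil, errors.New("peer signature does not cover this transcript: aborting")
	}
	peerDH, err := ecdh.P256().NewPublicKey(peer.DH) // rejects points that are not on the curve
	if err != nil {
		return nil, err
	}
	shared := must(p.eph.ECDH(peerDH))
	k := sha256.Sum256(append(append(append([]byte("vpn-session-key"), shared...), ih.Nonce...), rh.Nonce...))
	return k[:], nil
}

// Run performs the exchange between alice (initiator) and bob (responder). With mitm
// set, someone on the path swaps bob's DH value for their own before alice sees it,
// which is exactly what unauthenticated Diffie-Hellman cannot detect.
func Run(mitm bool) (aliceKey, bobKey []byte, err error) {
	alice := &Party{Name: "alice", Sign: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
	bob := &Party{Name: "bob", Sign: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
	trusted := map[string]*ecdsa.PublicKey{"alice": &alice.Sign.PublicKey, "bob": &bob.Sign.PublicKey}
	m1 := alice.Hello()              // 1: alice -> bob: IDa, Na, g^a
	m2 := bob.Hello()                // 2: bob -> alice: IDb, Nb, g^b, Sig_b(transcript)
	sigB := bob.Authenticate(m1, m2)
	seen := m2
	if mitm {
		seen.DH = must(ecdh.P256().GenerateKey(rand.Reader)).PublicKey().Bytes()
	}
	if aliceKey, err = alice.SessionKey(m1, seen, sigB, trusted); err != nil {
		return nil, nil, err
	}
	sigA := alice.Authenticate(m1, seen) // 3: alice -> bob: Sig_a(transcript)
	bobKey, err = bob.SessionKey(m1, m2, sigA, trusted)
	return aliceKey, bobKey, err
}

func main() {
	a, b, err := Run(false)
	fmt.Println(err, string(a) == string(b)) // <nil> true
	_, _, err = Run(true)
	fmt.Println(err) // peer signature does not cover this transcript: aborting
}
```

In the deployed system the `trusted` lookup is where the certificate machinery goes: the gateway pulls the user's certificate, chains it to the enterprise root and checks revocation before the signature is even examined, which is what lets a VPN gateway authenticate a mobile user it has never seen before.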
VPN Partners
Remote access, firewall and VPN gateways:
• Milkyway - SecurIT
• Raptor - EagleMobile Pro
• Timestep - PERMIT Product Suite
• Stac - ReachOut
• Sagus - Defensor
• KyberPASS
• Check Point - FireWall-1
Secure Remote Access
• Provides significant cost savings over dial-up (phone lines, maintenance, ID cards)
• Scalable: able to grow as the demand for remote access increases
Diagram: a mobile user reaches the Human Resources and Finance servers across the Internet through a VPN gateway, with keys and certificates managed by Entrust/Manager.
Secure Extranet Applications
Intra/Extra Net Solution
Target solution:
• Provides Entrust Enterprise Solution PKI capabilities to off-the-shelf Web browsers and servers
• Thin client software on user desktop
• Extranet applications
Diagram: Web browsers on the Internet, intranet or extranet reach the Web server through Entrust connectors (Web, Enterprise, SET, VPN).
Entrust/ICE: security you set and forget
• Desktop/laptop encryption software
• Easy to use; works with any desktop application
• Automatic encryption
• Security on-line or off-line
• Windows 95 and Windows NT 4.0
Entrust-Ready Applications
Web browser, e-mail, workgroup, smart cards and biometrics, VPN, forms, human resources
Deploying a PKI
Begin with a pilot:
• Pick a single application
• Evaluate the technology
• Prove the utility
Currently piloting Entrust:
• CA, X.500, secure e-mail
• Lotus Notes
• Short time to deploy (weeks)
Deploying a PKI (cont.)
Rolling out an operational PKI:
• Planning and goals
• Acceptable usage (CPS)
• Disaster recovery
• Applications: access to records; e-commerce with State contractors; remote access to internal resources
Summary
• Automates user administration
• Integration across many applications (single sign-on)
• Enables trustworthy business over the web
• Growing collection of Entrust-enabled applications