Raúl Guerra Jiménez

FIST Conference September/Madrid 2005

PKI Interoperability

2

About the Author

Raúl Guerra JiménezCISSP, CISATechnical consultant

Grupo SIA1989www.siainternational.com

3

Index

CryptographyPublic Key Infrastructure (PKI)ApplicationsIntegratione-DNI

4

Security Requirements

Confidentiality.Ensure confidentiality of data.

Integrity.The original data has not been changed.

Authentication.Proof of identity.

Non Repudiation.Prevent denial of transaction. The originator cannot deny it.

5

ENCRYPTIONENCRYPTION

CONFIDENTIALITY NON-REPUDIATIONAUTHENTICATIONINTEGRITY

DIGITAL SIGNATUREDIGITAL SIGNATURE

PUBLIC KEY ENCRIPTIONPUBLIC KEY ENCRIPTION

DIGITAL CERTIFICATEDIGITAL CERTIFICATE

PUBLIC KEY INFRASTRUCTURE (PKI)PUBLIC KEY INFRASTRUCTURE (PKI)

CERTIFICATION AUTHORITYCERTIFICATION AUTHORITY

HASHHASH

Paradigm Solution

PKIs are not CAs…

• Issue certificates• Revoke certificate

CA:

• Issue certificates• Revoke certificates• Key management

– Creation– store– Update– backup/recovery

• Cross-certification• Certificate Repository (Directory)• Application software• RA (Registration Authority)• Client• etc

PKI:

7

Third-party trust

CertificationCertification AuthorityAuthorityTrustTrustTrustTrust

RaRaúúll RaquelRaquel““thirdthird--party party trusttrust””

8

Cross-Certification

CrossCross--CertificationCertification

AC AC ““AA”” AC AC ““BB””

CertificactionCertificaction AuthorityAuthority

AliciaAlicia JuanJuan

CertificationCertification AuthorityAuthority

ElenaElena PedroPedrothirdthird--party party trusttrust

ClassicalClassical trusttrust--modelmodel has no has no endend rootroot

CA1 (CA1 (““RootRoot””))

CA2CA2 CA3CA3

CA5CA5CA4CA4 CA6CA6 CA7CA7

U1U1 U2U2 U3U3 U4U4 U5U5 U6U6 U7U7 U8U8 U9U9

Subordinate CA

10

The certificate

Version: 3Serial Number: 8391037Signature: RSAIssuer: o=SIA, c=ESValidity: 1/5/97 1:02 - 7/5/98 1:02Subject: cn=Raúl Guerra, o=SIA, c=ESSubject Public Key Info:----------------------------------------------------SubjectAltName: rguerra@sia.esCRL DP:cn=CRL2, o=SIA, c=ES

TheThe CA CA signssigns thethe certificatecertificate

Extensions

11

Certificate Revocation List

DN: cn=CRL2, o=SIA, c=ESStart: 1/5/97 1:02End: 1/6/97 1:02Revoked:191231 4/24/96 10:20 Cessation of Operation123832 4/25/ 16:20 Key Compromise923756 4/25 16:30 Affiliation ChangeCA DN: o=SIA, c=ES

CA’s digital signature on the CRL

Unique name of CRL

Period of validity

Serial numberofRevokedcertificatesand reason

12

Keys in the client

Key generation

Issue certificates

Key usage

o

Certificate validation

Expired

Key update

13

PKI

Application

GSS-API, CAPI, ...

Application

GSS-API, CAPI, ...

PKI-enabledApplication

PKI-enabledApplication

E-mail

PKI clientPKI client

Applicationwithout PKI-

Enabled module

Applicationwithout PKI-

Enabled module

Web

ERP’s, SSO, ...ERP’s, SSO, ...

PKI-Enablemodule

PKI-Enablemodule

Legacyapp.

Legacyapp.

ToolkitsPKI

ToolkitsPKI

.epf

ID in disk

PKCS#11 (MemoryCardMemoryCardss, , SmartCardsSmartCards, , PC/SC)PC/SC)

BAPI (Biometric

API)

Biometricdevices

Biometricdevices

LDAP PKIX-CMP

Directorio PKI

14

Architecture: Example

Directory

Fire

wal

l

Client CA

RA

PKIX-CMP

LDAP

15

Application

Internete-CommerceRemote AccessEDIVPN (Virtual Private Network)ERPsSecurity in IntranetSecure Single-Sign On

16

SecureSecure ee--mailmail••Novel Novel GroupWiseGroupWise••LotusLotus NotesNotes••NetscapeNetscape MessengerMessenger••Microsoft OutlookMicrosoft Outlook••cc:Mailcc:Mail

SecureSecure Web Web CommunicationsCommunications••NetscapeNetscape/Microsoft /Microsoft BrowsersBrowsers••NetscapeNetscape/Microsoft /Microsoft ServersServers••muchos mas ...muchos mas ...

Internet Application

17

FireWallsFireWalls& & RoutersRouters

Remote Access Remote Access AuthenticationAuthenticationFirewallsFirewalls

CheckPointCheckPoint ((FirewallFirewall--1)1)Raptor Raptor SystemsSystems ((EagleEagle))MilkyWayMilkyWay ((BlackholeBlackhole))TIS (TIS (GauntletGauntlet))ANS (ANS (InterlockInterlock))SecureSecure ComputingComputing((SidewinderSidewinder))BorderBorder NetworkNetwork((BorderwareBorderware))IBM (IBM (NetSPNetSP))HarrisHarris SystemsSystems' ' ((CyberGuardCyberGuard))SagusSagus SecuritySecurity (Defensor)(Defensor)

RoutersRouters••CiscoCisco••AscendAscend••Bay Bay NetworksNetworks••BBNBBN

Remote Access Remote Access AuthenticationAuthentication••SecuritySecurity DynamicsDynamics••LeeMahLeeMah DataCommDataComm••CryptoCardCryptoCard••SecureSecure ComputingComputing ((SafeWordSafeWord))••Digital Digital PathwaysPathways ((DefendorDefendor))••ApplicationApplication specificspecificimplementationsimplementations

Remote Remote useruser

Secure Remote Acess

18

Virtual Virtual PrivatePrivate NetworksNetworks••FirewallFirewall VendorsVendors (Ej. FW(Ej. FW--1)1)••Link Link EncryptorsEncryptors••SecuritySecurity DynamicsDynamics SecurVPNSecurVPN••EntrustEntrust/Access/Access••KyberPassKyberPass

ExtranetExtranet

EndEnd UsersUsers

IntranetIntranet

VPNs

19

NetworkNetwork SecuritySecurity••EncryptEncrypt thethe traffictraffic••SecureSecure accessaccess toto resourcesresources

NetworkNetwork SecuritySecurity••McAfeeMcAfee NetworkNetwork SecuritySecurity SuiteSuite••NetLockNetLock••CygnusCygnus ((KerbNetKerbNet))

ApplicationApplication SpecificSpecific SecuritySecurity••DatabasesDatabases ((OracleOracle……))••HeritageHeritage applicationsapplications ((MainframeMainframe...)...)••GroupWareGroupWare (Notes(Notes……))

ApplicationApplication SpecificSpecificSecuritySecurity••RACF, ACF2, RACF, ACF2, TopSecretTopSecret••ApplicationApplication levellevel passwordspasswords••ProprietaryProprietary data data securitysecurity (Notes)(Notes)••OtherOther ((viavia RSA RSA toolkitstoolkits))

Security in the Intranet

••EmailEmail••FilesFiles••ClientClient/Server /Server appsapps••EE--formsforms••BrowsersBrowsersY mY máás...s...

File File SecuritySecurity••NortonNorton YourYour EyesEyes OnlyOnly••PGP PGP forfor Personal Personal PrivacyPrivacy••QuerisoftQuerisoft SecureFILESecureFILE••McAfeeMcAfee VirusScanVirusScan SecuritySecurity SuiteSuite••RSA RSA SecurPCSecurPC••AT&T AT&T SecretAgentSecretAgent

••EntrustEntrust ICEICE••EntrustEntrust EntelligenceEntelligence

Desktop security

21

ERPERP••SAP/R3SAP/R3••PeopleSoftPeopleSoft••OracleOracle••......

ClientClient toto serverserver securitysecurity

Web Web servicesservices

ClientClient/Server /Server servicesservices

BusinessBusiness--toto--BusinessBusiness

Enterprise Resource Planning (ERPs)

SpecificSpecific systemssystemsespecifica especifica ••DatabasesDatabases ((OracleOracle, ...), ...)••MainframeMainframe••GroupWareGroupWare

NetworkNetwork SecuritySecurity••TrafficTraffic cypheringcyphering••SecureSecure AccessAccess

DesktopDesktop SecuritySecurity••EmailEmail••FilesFiles••ClientClient/Server /Server appsapps••EE--formsforms••BrowsersBrowsersAndAnd more...more...

Internet Internet UsersUsers••SecureSecure WebWeb••SecureSecure MailMail••EE--CommerceCommerce (SET)(SET)

FirewallsFirewalls & & RoutersRoutersRemote Remote AuthenticationAuthenticationVPNVPN’’ss

Web Server Web Server SecuritySecurity••EE--CommerceCommerce••Internet Internet BankingBanking••SecureSecure Web Web SitesSites ss

PKIPKIERPERP••SAP/R3SAP/R3••PeopleSoftPeopleSoft••OracleOracle••......

PKI: Homogeneous solution

23

PKIs Success (I)

Integration with the software applications.Practical solutions--> Bye, bye SET.Users recognition.Trust. Do you trust CA?What or who used my private key? Is my PC safe? Security issues in the OS or the browser (crypto Software) Is your private key in a smart card?

24

PKIs Success (II)

Are the certification practices secure(CPS)? The CA must guarantee that the signed data (certificate) is correct.There is a risk if you trust the user. Do you verify the certificate from the web server in a SSL connection?To learn more: “Ten risks of PKIs: What you´re not being told about Public key Infrastructure” by Bruce Schneier and Carl Ellison

25

e-DNI

Smart CardPolycarbonate card with high securityfrom FNMT

CertificatesIdentity (authentication) and signature (non-repudiation) certificatesNo encryption certificate

PKI Providers: Entrust, SafelayerHierarchy of CAs (root and Subordinate CAs)

26

e-DNI. Questions (I)

Are other certificates necessary?

Certificate status validation methods.

Cross-Certification with commercial CAs?

27

e-DNI. Questions (II)

Other certificates? YES, becauseNo encryption certificate. So, to support business protection, where there is encrypted data, a decryption is necessary(private) key backed up---> Encryption certificatePhysical identity. What about legal entities?Use of certificate with other information. For example, medical data (medical smartacard)Use in private sector: home-banking, corporate Enterprise smartcard, etc

28

e-DNI. Questions (III)

Certificate status validation methods

The system should ensure that the verification certificate is valid (and not on CRL)If an entity would like technical interoperability with e-DNI system, it is necessary to know the certificate status.

29

e-DNI. Questions (IV)

Certificate status validation methods

Different validation entitiesPublic: relations of citizens with the Administration ---> free??Private sector: Bank, insurance, etc. Money, money...$$??

Cost of the validation: free, by price (and how much?)

30

e-DNI. Questions (V)

Cross-Certification with other CAs? NO, because

The same as the traditional national DNI.(ID Card)Issued by DGP (Ministry of Interior). It is a legal document in SpainIf you just accept it will happen. Do you give state and private organization sectors the same level of trust?

31

Attribution. You must give the original author credit.

For any reuse or distribution, you must make the license terms of this workclear to others.

Any of these conditions can be waived if you get permission from the author.

Your fair use and other rights are in no way affected by the above.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Creative CommonsAttribution-NoDerivs 2.0

You are free:

•to copy, distribute, display, and perform this work

•to make commercial use of this work

Under the following conditions:

No Derivative Works. You may not alter, transform, or build upon this work.

Raúl GuerraMadrid, September 2005

FIST Conference

www.fistconference.org

@