Page 1: PKI ASSESSMENT
The process of evaluating, verifying, and certifying your PKI

Presented by: Randy V. Sabett
Vanguard Enterprise Security Expo 2001
June 5, 2001

© Cooley Godward 2001

Page 2: Introduction
- Dichotomy
- Challenges
- Models
- Mechanisms and criteria
- Path forward

Page 3: Dichotomy
- “UBIQUITOUS PKI!!!!!” …but many barriers
- Need: common recognition mechanism

Page 4: Challenges - traditional technology vs. PKI
[Diagram: "Traditional" technology projects, shown as three overlapping areas: Business, Technology, Legal]

Page 5: Challenges - traditional technology vs. PKI
- Public key infrastructure: CP and CPS
- Complicated by varied requirements of particular sectors (verticals)
[Diagram: the same three areas - Business, Legal, Technology - with CP and CPS added for PKI]

Page 6: Challenges - recognition
- No universally acceptable mechanism for recognizing the sufficiency of a PKI deployment
- Uncharted legal waters
- Several efforts and proposals - most focus on technical and business
- General model

Page 7: Models - Simple assessment model
[Diagram: three elements - Assessment Criteria, Assessor, PKI System or Component - connected by the relationships "assesses", "develops" and "influences". Key: Subject, Object]

Page 8: Mechanisms and criteria
- PAG
- RFC 2527
- WebTrust
- Common Criteria
- BS7799
- FIPS 140-2
- Gatekeeper
- Others

Page 9: PKI Assessment Guidelines (PAG)
- Five-year project of the Information Security Committee of the American Bar Association
- Follow-up work to the Digital Signature Guidelines (1996)
- Participation by over 400 legal, technical, and business people

Page 10: PAG (cont’d)

D.2.1.4.1 The Effect of Contractual Privity Upon Relying Party’s Responsibilities Expressed as Covenants or Imposed by Law

Issue Summary. This section discusses the issue of whether the relying party is in privity of contract with the other PKI participants…

Relevant Considerations. Threshold question is whether the PKI attempts to create contractual privity between the CA and the relying party…

Appropriate Requirements and Practices. It is necessary for the PKI to decide how to present relying party covenants; unlike other participants, however, relying party covenants tend to be small enough in number to make it feasible to list in this section, or perhaps cross reference.

Page 11: Detailed model
Note Vanguard advice: “avoid complicated charts…”
[Diagram of the detailed assessment model. Participants: Policy Adopting Body, Assessor Accreditation Body, PKI Accreditation Body, Assessor, Subscriber, Relying Party. Documents and outputs: Assessment Criteria, PKI Standards, Certificate Policy, CPS, SA, RPA, Assessment Process, Assessment Report. PKI elements: CA System, Information Technology, Procedures & Operations, Trustworthy System. Relationships: adopts, accredits, influences, assesses, produces, approves, may approve, may specify. Key: Subject, Object]

Page 12: RFC 2527
- Framework for PKI policy documents
- Certificate Policies
- Certification Practice Statements

Page 13: RFC 2527 (cont’d)
1. INTRODUCTION
2. GENERAL PROVISIONS
3. IDENTIFICATION AND AUTHENTICATION
4. OPERATIONAL REQUIREMENTS
5. PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS
6. TECHNICAL SECURITY CONTROLS
7. CERTIFICATE AND CRL PROFILES
8. SPECIFICATION ADMINISTRATION

Page 14: WebTrust
- Framework to assess adequacy and effectiveness of controls employed by CAs
- Designed specifically for the examinations of CA business activities
- Builds on X9.79 work of the American Bankers Association

Page 15: WebTrust (cont’d)

2.1.1 CA Key Generation

The Certification Authority maintains controls to provide reasonable assurance that CA key pairs are generated in accordance with industry standards. Such controls generally include but are not limited to the following:

1. CA key generation occurs within a secure cryptographic device meeting the appropriate ISO 15782-1/FIPS 140-1/ANSI X9.66 level requirement as disclosed in the CA’s business practices (See Principle 1, item 18).
2. CA key generation by the CA requires dual control by properly authorized personnel.
3. The CA generates its own key pair in the same cryptographic device in which it will be used or the key pair is injected directly from the device where it was generated into the device in which it will be used.
4. Key generation uses a random number generator (RNG) or pseudo random number generator (PRNG) as specified in an ANSI X9 or ISO standard.
5. Key generation uses a prime number generator as specified in an ANSI X9 or ISO standard.
6. Key generation uses a key generation algorithm as specified in an ANSI X9 or ISO standard as disclosed in the CA’s business practices (Principle 1, item 18).

Page 16: X9.79 - CA Control Objectives
- National standard - approved by ABA (the other ABA - American Bankers Association) and ANSI
- Being proposed to ISO TC68 as an international work item

Page 17: X9.79 (cont’d)

Page 18: Common Criteria
- Some view as replacement for the Orange Book, ITSEC, etc.
- International acceptance
- Focus on protection profile

Page 19: BS7799 - Code of Practice for Information Security Management
- British Standard being used in several other European countries
- General Information Security standard, not focussed on PKI
- Certification scheme called c:cure similar to ISO 9000
- Now ISO/IEC 17799:2000

Page 20: FIPS 140-2
- Security requirements of a cryptographic module utilized for protecting sensitive information
- Four increasing levels of security
- Covers areas such as roles and authentication; physical security; OS security; cryptographic key management; EMI/EMC; self-tests; design assurance; and mitigation of other attacks

Page 21: FIPS 140-2 (cont’d)

4.5.2 Single-Chip Cryptographic Modules

SECURITY LEVEL 2 - All Level 1 requirements plus:
- chip covered with tamper-evident coating or contained in a tamper-evident enclosure
- coating or enclosure shall be opaque within the visible spectrum.

SECURITY LEVEL 3 - All Level 2 requirements plus:
- Either: chip covered with hard opaque tamper-evident coating, or the chip shall be contained within a strong enclosure. The enclosure shall be such that attempts at removal or penetration shall have a high probability of causing serious damage to the cryptographic module (i.e., the module will not function).

Page 22: Gatekeeper
- Australian PKI strategy and enabler for the delivery of Government online
- Accreditation Criteria published
- Covers procurement, security policy/planning, physical security, technology evaluation, personnel vetting, legal issues, and privacy considerations

Page 23: Path forward
- Development of internationally acceptable suite of criteria, NOT development of an international approach to PKI
- Common Criteria, WebTrust, & PAG promising
  - Common Criteria: industry specific protection profiles; global recognition
  - WebTrust: PKI-specific set of criteria

Page 24: Ongoing activities
- Update to RFC 2527
- Industry specific protection profiles
- Other industry and governmental activities
- PAG out for public comment
- X9.79 into ISO

Page 25: Resources for more info
- ABA - http://www.abanet.org/scitech/ec/isc/
- RFC 2527 - http://www.ietf.org/rfc.html
- WebTrust - http://www.aicpa.org/webtrust/princrit.htm
- X9.79 - http://webstore.ansi.org/ansidocstore/
- Common Criteria - http://www.commoncriteria.org/
- FIPS 140 - http://csrc.nist.gov/cryptval/140-1.htm
- Gatekeeper - http://www.govonline.gov.au/projects/publickey/

Page 26: Questions?

Page 27: PKI ASSESSMENT
The process of evaluating, verifying, and certifying your PKI

Presented by: Randy V. Sabett
Cooley Godward LLP
703.456.8137 (phone) - 703.456.8100 (fax)
[email protected]
www.cooley.com