Entrust DataCard - British Columbia

© 2014 Entrust Datacard Corporation. All rights reserved.

Entrust DataCard: Securing Digital Transactions and Identities

Presenter: Debs F Debs, VP Professional Services, Americas


AGENDA

• About Entrust DataCard
• Digital Transactions
• Role of PKI in securing Digital Transactions
• PKI Integrations
• PKI and Internet of Things (IoT)
• Crypto
• Summary


Entrust DataCard Overview



Driving innovation in issuance, authentication, PKI and SSL technologies

$600M+ in annual revenue

2,000+ employees in 34 worldwide locations

Sales, service and support covering 150+ countries

Headquartered in Minneapolis, Minnesota USA

Privately held, founded in 1969

SOLUTION AREAS

Financial Instant Issuance

Authentication Bureau Services

PKI Basic Access Control

SSL Certificates


Digital Transactions



DIGITAL TRANSACTIONS


We transact daily when we generate, post, search and retrieve data:
• Websites and forms (government employees, ministries, the public, partners)
• Emails and files (classified content, judicial material, PII, etc.)
• Sensitive changes (changes to our systems and processes, IT and security notifications)
• Financial data and transactions
• Access to resources (SharePoint, VPN, wireless, building access, record access, ...)


VALUE OF TRANSACTED DATA


The value of transacted data is not just monetary!
• Advantage
• Access to personal records, espionage
• May be used to breach further systems
• Ransom
• Reputation and brand tarnish
• Other


ATTACK VECTORS


Attack vectors vary depending on how the transactions are carried out:
• Masquerading
• Phishing and spear phishing
• Unprotected websites (non-SSL-enabled sites, DNS poisoning)
• Malware (downloaded or installed: key loggers, scripts embedded in forms, Adobe files, unsigned drivers, applications, etc.)
• Password-less and password-only access to resources (wireless, VPN)
• Unauthorized devices (BYOD, laptops, tablets) gaining access

There are many more, but all of these attacks are after your identity. Once the identity is stolen, the data follows.


Public Key Infrastructure Role in Securing the Digital World


TRANSACTIONS – THINGS TO CONSIDER



WHAT IS THE END GAME?

• Connect – anyone or anything, anywhere
• …and Trust – that it is, or they are, who they say they are
• …and Enable them to transact securely

[Diagram: Company X PKI and Company Y PKI]


THE ACTUAL END GAME..

Encryption: Document Encryption, Secure Email, Secure File Transfer, Custom Applications

Digital Signature: Document Signatures, B2B Data Exchange, Web Form Signatures, Credential Integrity

Authentication: Auth to PC & Apps, VPN Auth, Device Auth, Website Auth & Apps, ID Cards

Credential Enablement: Smart Card, Mobile Smart Credential, USB Token, Desktop ID, Device Certificates


ENABLING PKI SIGNATURES


Digital Signature use cases: Document Signatures, B2B Data Exchange, Web Form Signatures, Credential Integrity

Credential Enablement: Smart Card, Mobile Smart Credential, USB Token, Desktop ID, Device Certificates

Characteristics:
• Leveraging built-in capability
• Right-click files in folders
• Interoperable
• Inside the enterprise
• Transaction integrity
• Standards compliant
• Toolkits
• Transparent
• Provable: signs and stores the whole page
• Signed data on RFID chip


STRONG AUTHENTICATION


Authentication use cases: Auth to PC & Apps, VPN Auth, Device Auth, Website Auth & Apps, ID Cards

Credential Enablement: Smart Card, Mobile Smart Credential, USB Token, Desktop ID, Device Certificates

Examples:
• Windows smart card login
• IPsec VPN
• SSL VPN
• Domain controller certificates for smart card login
• 802.1x
• Server authentication
• Automated teller machines
• SSL server certificates
• SSL EV
• SSL client certificates
• Enterprise portal authentication
• Consumer/citizen web authentication (+ signing)
• Citizen identity card
• Employee ID
• Physical & logical access


ENABLING PKI ENCRYPTION


Credential Enablement: Smart Card, Mobile Smart Credential, USB Token, Desktop ID, Device Certificates

Encryption use cases: Document Encryption, Secure Email, Secure File Transfer, Custom Applications

Examples:
• Right-click files in folders
• Adobe Acrobat
• Windows EFS
• End-to-end email
• Complementary to EMS
• Packaged tools
• Custom apps
• WebMethods
• Tibco
• Axway/Cyclone
• Standards-based
• Standards compliant
• Java or C++ toolkits


HOW IS IT DONE?

A digital certificate is a signed object that contains:
• Holder's identity/name
• Valid-from date
• Valid-to date
• Issuer (organization/issuer name)
• The holder's public key, which others use to communicate with the holder

The matching private key is not in the certificate: the holder keeps it to themselves (for example on a smart card or token), and only its public half is embedded.

Example (slide dated 6/17/2016): Name: Mike Hathaway; Issued By: Entrust; Expires: 31 Jan 2018; Usage: Digital Signature


WHAT DOES A PKI LOOK LIKE

• Root CA, with its directory and HSM
• Issuing CA, with its directory and HSM
• Administration Services (administration, email notification)
• End entities: smart cards, desktops & users, USB tokens, devices, browser credentials
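The two slides above describe the objects a PKI is made of: a root CA, an issuing CA under it, and end-entity certificates carrying a name, a validity window, an issuer and a public key. The Go program below is an added example, not code from the presentation or from any Entrust product, that builds exactly that hierarchy in memory, issues a user certificate with those fields, performs the chain check a relying party does, and verifies a signature using nothing but the public key in the certificate. It also shows the "Company X PKI / Company Y PKI" point: a certificate from one PKI is rejected by the other until its root is imported as trusted. The organization names, the Ed25519 key type, the validity periods and the serial numbers are assumptions of this example; real CA keys would sit in the HSMs shown in the diagram.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is the two-tier hierarchy on the slide: an offline root CA and an online issuing
// CA. Real CA keys live in an HSM; here they are in-memory Ed25519 keys (an assumption).
type PKI struct {
	Root, Issuing       *x509.Certificate
	rootKey, issuingKey ed25519.PrivateKey
	nextSerial          int64
}

func newKey() ed25519.PrivateKey {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return key
}

// sign issues tmpl for pub under parent (self-signed when parent is nil), using key.
func sign(tmpl, parent *x509.Certificate, pub any, key ed25519.PrivateKey) *x509.Certificate {
	if parent == nil { parent = tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

func caTemplate(org, cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// NewPKI builds "<org> Root CA" and an "<org> Issuing CA" whose certificate the root signs.
func NewPKI(org string) *PKI {
	p := &PKI{rootKey: newKey(), issuingKey: newKey(), nextSerial: 1000}
	p.Root = sign(caTemplate(org, org+" Root CA", 1), nil, p.rootKey.Public(), p.rootKey)
	p.Issuing = sign(caTemplate(org, org+" Issuing CA", 2), p.Root, p.issuingKey.Public(), p.rootKey)
	return p
}

// IssueUser is the end-entity certificate from the "How is it done?" slide: holder name,
// validity window, issuer name and the holder's PUBLIC key; the private key stays with the holder.
func (p *PKI) IssueUser(name string, pub any) *x509.Certificate {
	p.nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(p.nextSerial),
		Subject:      pkix.Name{Organization: p.Root.Subject.Organization, CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, p.Issuing, pub, p.issuingKey)
}

// Verify is the relying-party check: chain the certificate through the issuing CA up to a
// root this PKI trusts. Another organization's certificate fails until its root is imported.
func (p *PKI) Verify(cert *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inter.AddCert(p.Issuing)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// SignMessage uses the holder's private key; VerifyMessage needs only the certificate's public key.
func SignMessage(key ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(key, msg) }
func VerifyMessage(cert *x509.Certificate, msg, sig []byte) bool {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg, sig)
}

func main() {
	x, y := NewPKI("Company X"), NewPKI("Company Y")
	userKey := newKey() // generated and kept by the user, e.g. on a smart card or token
	cert := x.IssueUser("Mike Hathaway", userKey.Public())
	fmt.Println("Name:", cert.Subject.CommonName, " Issued by:", cert.Issuer.CommonName, " Expires:", cert.NotAfter.Format("02 Jan 2006"))
	fmt.Println("trusted by Company X:", x.Verify(cert) == nil, " trusted by Company Y:", y.Verify(cert) == nil)
	msg := []byte("approve purchase order 4711")
	sig := SignMessage(userKey, msg)
	fmt.Println("signature valid:", VerifyMessage(cert, msg, sig), " after tampering:", VerifyMessage(cert, []byte("approve purchase order 4712"), sig))
}
```

Running it prints the certificate summary in the same shape as the slide's example, then `true`/`false` for the two trust checks and for the intact versus tampered message. Adding Company X's root to Company Y's `roots` pool is the minimal form of the trust relationship the "Company X PKI / Company Y PKI" diagram hints at.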


Using PKI


Uniqueness of PKI

Leverage trusted identities for multiple purposes:
• Authentication: authenticity
• Encryption: secrecy & confidentiality
• Digital Signatures: accuracy & integrity


PKI End-Entities

Trusted identities for servers, people, machines, devices and apps.


ENABLING TRANSACTIONS

Secure Transactions:
• Infrastructure control
• Building access
• Border crossing
• Network access
• Financial transactions


ENTERPRISE APPLICATIONS

Enterprise use cases:
• Web form signatures
• VPN authentication
• Network authentication
• Secure email
• Authentication to PC & apps


PKI FOR ENTERPRISE AND BEYOND


PKI Integrations



ENTELLIGENCE AUTO-ENROLLMENT


• Entrust Auto-Enrollment Service – supports auto-enrollment for:
  • Entrust Entelligence for Windows
  • Entrust Entelligence Secure Desktop for Mac (coming in SDM 8.1 SP1)

[Diagram: desktop or server with ESP/SDM installed; Admin Services Auto-Enrollment Service; Admin Services configured to talk to the managed CA.]


ENTELLIGENCE AUTO-ENROLLMENT


1. The user boots up the computer and logs onto the network.
2. ESP for Windows authenticates the user to the Administration Services Auto-Enrollment Server. (Users are prompted for a PIN or password if the private keys are configured to be stored on smart cards/tokens or in an Entrust EPF file.)
3. The user entry is automatically generated in the CA.
4. Activation codes are transparently transmitted to ESP.
5. The user is automatically enrolled for an Entrust Digital ID.


WINDOWS NATIVE ENROLLMENT


• Entrust Windows Network Enrollment Service (WNES)
  – Provides client-less PKI enrollment for the Windows OS
  – A single Admin Services install can support multiple WNES / AD domains
• Supports:
  • Self-enrollment
  • Queued enrollment
  • Renewals
  • Enroll on behalf of
  • Self-enrollment with key archive
  • Enroll on behalf of with key archive

[Diagram: Microsoft desktop or server; Microsoft domain with the Entrust WNES component installed; Admin Services configured to talk to the managed CA.]


MDM INTEGRATION


Web Services API
• Allows MDMs to issue Entrust digital IDs to mobile devices
• Unified web services interface to both IdentityGuard (IDG) and Admin Services
• The IdentityGuard Self-Service Module (SSM) has native capability to enroll mobile devices for certificates without an MDM

[Diagram: MDM – Web Services API – Entrust IdentityGuard Self-Service Module / Entrust IdentityGuard / Administration Services]


CSR ENROLLMENT


• Web application for submission and approval of PKCS#10 CSRs
• Supports:
  • Client-certificate or AD authentication of submitters and approvers
  • Queued operations
  • CSR rules / validation
  • Multiple managed CAs

[Diagram: CSR submitters and approvers submit a CSR; the CSR is validated against the rules in the Digital ID Configuration; Admin Services sends the PKCS#10 CSR to the managed CA.]


SCEP ENROLLMENT


• The Entrust SCEP implementation offers RSA and ECC enrollment
• A static SCEP password is defined for enrollment / renewal operations (it is a shared secret: anyone who obtains it can enroll a device, so it needs to be protected and rotated)

1. The device contacts the Entrust SCEP server.
2. The Entrust SCEP server validates the SCEP password and the CSR against the Digital ID Configuration.
3. The device is added to the managed CA and the certificate is issued.


CMPV2 ENROLLMENT


• The Entrust CMPv2 implementation offers RSA and ECC enrollment
• Static password or vendor-certificate authentication for enrollment / renewal operations
• IP address or DNS whitelist validation

1. The device contacts the Entrust CMPv2 server.
2. The Entrust CMPv2 server validates the password or vendor certificate and the CSR against the Digital ID Configuration.
3. The device is added to the managed CA and the certificate is issued.


EST ENROLLMENT


• The Entrust EST implementation offers RSA and ECC enrollment
• Vendor-certificate authentication for enrollment / renewal operations

1. The device contacts the Entrust EST server.
2. The Entrust EST server validates the vendor certificate and the CSR against the Digital ID Configuration.
3. The device is added to the managed CA and the certificate is issued.
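The CSR enrollment slide and each of the SCEP, CMPv2 and EST flows above contain the same step: the request is "validated against the Digital ID Configuration" before anything is sent to the managed CA. The Go program below is an added example, not code from the presentation or from Entrust's products, of what that step looks like on the approver side for a PKCS#10 request: proof of possession via the self-signature, a key-strength rule for RSA and ECC, a subject and subject-alternative-name rule, and a restriction on SAN types. The `Policy` type, the organization "Example Ministry", the ".gov.example" domain suffix and the specific rules are assumptions of this example; a real configuration would carry its own profile.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// Policy stands in for the "Digital ID Configuration" a CSR is checked against
// (fields and DefaultPolicy values are assumptions of this example).
type Policy struct {
	Organization  string // subject O must equal this exactly
	DomainSuffix  string // the CN and every DNS SAN must end with this
	MinRSABits    int
	AllowedCurves []elliptic.Curve
}

var DefaultPolicy = Policy{Organization: "Example Ministry", DomainSuffix: ".gov.example",
	MinRSABits: 2048, AllowedCurves: []elliptic.Curve{elliptic.P256(), elliptic.P384()}}

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

func P256Key() *ecdsa.PrivateKey  { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func RSAKey(bits int) *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, bits)) }

// MakeCSR is the submitter side: a DER-encoded PKCS#10 request for the given
// names, self-signed with a private key that never leaves the submitter.
func MakeCSR(key crypto.Signer, org, cn string, dns []string) []byte {
	return must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{Organization: []string{org}, CommonName: cn},
		DNSNames: dns,
	}, key))
}

// ValidateCSR is the approver/RA side: it returns the parsed request only if
// every rule passes, otherwise an error naming the rule that failed.
func ValidateCSR(der []byte, pol Policy) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	// Rule 1, proof of possession: the request must verify under its own public key.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	// Rule 2, key policy: no weak RSA moduli, no curves outside the allowed set.
	switch pub := csr.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < pol.MinRSABits {
			return nil, fmt.Errorf("RSA key of %d bits is below the %d-bit minimum", pub.N.BitLen(), pol.MinRSABits)
		}
	case *ecdsa.PublicKey:
		allowed := false
		for _, c := range pol.AllowedCurves { allowed = allowed || pub.Curve == c }
		if !allowed {
			return nil, fmt.Errorf("curve %s is not allowed", pub.Curve.Params().Name)
		}
	default:
		return nil, fmt.Errorf("unsupported public key type %T", pub)
	}
	// Rule 3, naming: fixed organization, and every name inside the permitted domain.
	if len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != pol.Organization {
		return nil, fmt.Errorf("organization %v is not %q", csr.Subject.Organization, pol.Organization)
	}
	for _, name := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		if !strings.HasSuffix(strings.ToLower(name), pol.DomainSuffix) {
			return nil, fmt.Errorf("name %q is outside %s", name, pol.DomainSuffix)
		}
	}
	// Rule 4, SAN types: this profile issues for DNS names only.
	if len(csr.IPAddresses)+len(csr.EmailAddresses)+len(csr.URIs) > 0 {
		return nil, fmt.Errorf("only DNS subject alternative names are permitted")
	}
	return csr, nil
}

func main() {
	pol := DefaultPolicy
	for _, der := range [][]byte{
		MakeCSR(P256Key(), pol.Organization, "vpn1.gov.example", []string{"vpn.gov.example"}),
		MakeCSR(P256Key(), pol.Organization, "vpn1.gov.example", []string{"login.bank.example"}),
		MakeCSR(RSAKey(1024), pol.Organization, "mail.gov.example", nil),
	} {
		if csr, err := ValidateCSR(der, pol); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("approved:", csr.Subject.CommonName, csr.DNSNames)
		}
	}
}
```

The first request is approved; the second is rejected because a SAN outside the permitted domain would let a VPN gateway present itself as another site; the third is rejected for its 1024-bit key. In the SCEP, CMPv2 and EST flows the same function would run after the password or vendor-certificate check and before the request is forwarded to the managed CA.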


PKI and Internet of Things (IoT)


PKI MARKET TRENDS

• Internet of Things: wearables, smart traffic systems, automotive, appliances, smart meters, audio-visual set-top boxes, vending machines, toys

• IoT challenges:
  – Speed
  – Scale
  – Device heterogeneity, issuance and attributes
  – Assurance requirements and transaction types:
    – Closed usage model
    – Revocation and validation
    – Life cycle and renewal

"Forecast: The Internet of Things, Worldwide, 2013" - Gartner: the installed base of "things," excluding PCs, tablets and smartphones, will grow to 26 billion units in 2020, an almost 30-fold increase from 0.9 billion units in 2009.


Latest Crypto



Summary
• RSA and ECC are still the crypto of choice
• Hash-based alternatives: Winternitz One-Time Signature (WOTS), Merkle Hash Tree (MHT), eXtended Merkle Signature Scheme (XMSS)
• Quantum computers
  • Not just massively parallel classical computers
  • Large-scale quantum computers are coming
  • This will result in the need for new cipher suites
  • But not for several years: 2025 minus the algorithm security lifetime
• It can take several years to roll out a new cipher suite
  • Even if the new cipher suite has similar characteristics to those of the old one
  • How long will it take if the new cipher suite has different characteristics, such as:
    • An upper limit on the number of signatures per key
    • The need to maintain state
• It is not too early to be thinking about this
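The WOTS, Merkle-tree and XMSS bullets above, and the two "different characteristics" at the end, describe a stateful hash-based signature: a hard cap on signatures per key pair, and a counter that must never be reused. The Go program below is an added illustration, not code from the presentation or from any Entrust product, of a toy version: a Winternitz one-time signature over SHA-256 (w = 16, 67 hash chains including a 3-digit checksum) whose compressed one-time public keys are the leaves of a height-3 Merkle tree, so one public key (the root) covers exactly eight signatures. It is a simplified WOTS and tree, not the WOTS+ and address scheme of the XMSS draft cited in the bibliography; the parameter choices, names and the master-seed key derivation are this example's assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// w=16: each hash chain encodes one 4-bit digit of the SHA-256 digest (64 digits) plus a
// 3-digit checksum (at most 64*15 = 960 < 16^3). h=3: the Merkle tree has 2^3 = 8 leaves,
// one per one-time key, so this key pair can sign at most 8 messages.
const w, l, h = 16, 64 + 3, 3

func hash(parts ...[]byte) []byte {
	d := sha256.New()
	for _, p := range parts { d.Write(p) }
	return d.Sum(nil)
}

// chain hashes x `steps` times: going forward is cheap, going back needs a preimage.
func chain(x []byte, steps int) []byte {
	for ; steps > 0; steps-- { x = hash(x) }
	return x
}

// digits splits a digest into base-16 digits plus a checksum of (w-1-d), so that a forger
// cannot raise any digit (extend a chain) without having to lower another.
func digits(digest []byte) []int {
	d, sum := make([]int, 0, l), 0
	for _, b := range digest {
		d = append(d, int(b>>4), int(b&15))
		sum += 2*(w-1) - int(b>>4) - int(b&15)
	}
	return append(d, sum>>8&15, sum>>4&15, sum&15)
}

// secret derives the start of chain j of one-time key i from the master seed.
func secret(master []byte, i, j int) []byte { return hash(master, []byte{byte(i), byte(j)}) }

// Signature: index of the one-time key used (reuse leaks it), l chain values, h auth nodes.
type Signature struct{ Index int; OTS, Auth [][]byte }

// Signer is the stateful private key. next is the state the slide warns about: it must be
// persisted before a signature is released, or a crash can make the same index sign twice.
type Signer struct {
	master []byte
	tree   [][][]byte // tree[level][i]; level 0 holds the 2^h leaves, level h the root
	next   int
}

func NewSigner() *Signer {
	s := &Signer{master: make([]byte, 32), tree: make([][][]byte, h+1)}
	if _, err := rand.Read(s.master); err != nil { panic(err) }
	s.tree[0] = make([][]byte, 1<<h)
	for i := range s.tree[0] { // leaf = compressed one-time public key = hash of all chain ends
		var ends []byte
		for j := 0; j < l; j++ { ends = append(ends, chain(secret(s.master, i, j), w-1)...) }
		s.tree[0][i] = hash(ends)
	}
	for lvl := 1; lvl <= h; lvl++ { // each inner node is the hash of its two children
		s.tree[lvl] = make([][]byte, 1<<(h-lvl))
		for i := range s.tree[lvl] { s.tree[lvl][i] = hash(s.tree[lvl-1][2*i], s.tree[lvl-1][2*i+1]) }
	}
	return s
}

func (s *Signer) PublicKey() []byte { return s.tree[h][0] }

func (s *Signer) Sign(msg []byte) (*Signature, error) {
	if s.next >= 1<<h {
		return nil, fmt.Errorf("all %d one-time keys used: this key pair can sign no more", 1<<h)
	}
	idx := s.next
	s.next++ // advance the state before the signature exists, never after
	sig := &Signature{Index: idx, OTS: make([][]byte, l), Auth: make([][]byte, h)}
	for i, d := range digits(hash(msg)) { sig.OTS[i] = chain(secret(s.master, idx, i), d) }
	for lvl, node := 0, idx; lvl < h; lvl, node = lvl+1, node/2 {
		sig.Auth[lvl] = s.tree[lvl][node^1] // sibling on the path from the leaf to the root
	}
	return sig, nil
}

// Verify completes every chain to recover the leaf, then climbs the auth path to the root.
func Verify(pub, msg []byte, sig *Signature) bool {
	if sig == nil || len(sig.OTS) != l || len(sig.Auth) != h || sig.Index < 0 || sig.Index >= 1<<h {
		return false
	}
	var ends []byte
	for i, d := range digits(hash(msg)) { ends = append(ends, chain(sig.OTS[i], w-1-d)...) }
	node := hash(ends)
	for lvl, i := 0, sig.Index; lvl < h; lvl, i = lvl+1, i/2 {
		if i%2 == 0 { node = hash(node, sig.Auth[lvl]) } else { node = hash(sig.Auth[lvl], node) }
	}
	return string(node) == string(pub)
}

func main() {
	s, msg := NewSigner(), []byte("firmware image v1.2")
	sig, _ := s.Sign(msg)
	fmt.Println("valid:", Verify(s.PublicKey(), msg, sig), "forged:", Verify(s.PublicKey(), []byte("v1.3"), sig))
	for i := 1; i < 1<<h; i++ { s.Sign(msg) } // spend the remaining seven one-time keys
	_, err := s.Sign(msg)
	fmt.Println("ninth signature:", err)
}
```

The ninth call to `Sign` fails: that is the "upper limit on the number of signatures per key" made concrete, and it is why deployments size the tree (or a hypertree, as in XMSS^MT) for the expected signature count. The `next` counter is the state the second bullet refers to; in a real signer it is written to non-volatile storage before the signature leaves the device, because signing two different messages with the same index exposes enough chain values to forge a third.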


BIBLIOGRAPHY

Quantum computers:
• "The quest for the quantum computer", Julian Brown, Touchstone, 2001
• "Quantum Computing Lecture Notes", Ronald de Wolf, 2011, http://homepages.cwi.nl/~rdewolf/qcnotes.pdf

Post-quantum cryptography:
• "NSA Suite B Cryptography", NSA, 2015-08-19, https://www.nsa.gov/ia/programs/suiteb_cryptography/
• "Commercial National Security Algorithm Suite and Quantum Computing", NSA, Jan 2016, https://www.iad.gov/iad/customcf/openAttachment.cfm?FilePath=/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/assets/public/upload/Commercial-National-Security-Algorithm-CNSA-Suite-Factsheet.pdf&WpKes=aF6woL7fQp3dJirQ4SVyNDqjbSJ9a88xZcnLAL
• "A riddle wrapped in an enigma", Koblitz, Menezes, 2015-12-03, http://eprint.iacr.org/2015/1018.pdf
• "Post-Quantum Cryptography for Long-Term Security", PQCrypto, September 2015, http://pqcrypto.eu.org/docs/initial-recommendations.pdf

Hash-based signatures:
• "Hash based signatures", Imperial Violet, 18 Jul 2013, https://www.imperialviolet.org/2013/07/18/hashsig.html
• "XMSS – A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions", Buchmann et al, November 2011, https://eprint.iacr.org/2011/484.pdf
• "XMSS: Extended Hash-Based Signatures", draft-irtf-cfrg-xmss-hash-based-signatures-03, Huelsing et al, Feb 2016, https://www.ietf.org/id/draft-irtf-cfrg-xmss-hash-based-signatures-03.pdf

Lattice-based cryptography:
• "Lattice-based Cryptography", Daniele Micciancio, Oded Regev, July 22, 2008, http://www.cims.nyu.edu/~regev/papers/pqc.pdf

Code-based cryptography:
• "McBits: fast constant-time code-based cryptography", Bernstein et al, 2013, http://binary.cr.yp.to/mcbits-20130616.pdf
• Wikipedia article on the McEliece cryptosystem



Questions?
