Root and Issuing CA Technical Operations Overview

As adoption of computers and the Internet has matured, so have users' expectations for security. New regulations and changing attitudes towards corporate responsibility and data protection are driving most organizations to devote considerable attention to computer security. HydrantID provides digital identity and advanced authentication services to help organizations secure data and systems as well as ecommerce transactions. HydrantID services assist organizations to achieve industry best practices related to encryption and authentication while reducing operating complexity and costs.

In today's world of everything-as-a-service it's easy to forget that PKI solutions were among the first 'cloud' services available in the market, well before the term Cloud existed in the context of computer services. Organizations all over the world have been buying trusted SSL certificates online since the mid-nineties. Arguably this PKI-based solution was the first security product to be widely sold and adopted globally by organizations of all sizes.

A significant contributor to this success is the nature of PKI itself. As the name Public Key Infrastructure suggests, every digital certificate has a 'public' and a 'private' component. When utilizing cloud-based PKI solutions to protect servers and other corporate assets, the only information that is sent to and stored by our servers is the 'public' data contained in the certificate. Our customers retain the 'private' key and associated sensitive data within their own environments. PKI security was designed to only carry 'public' information and is the bedrock of the secure internet (HTTPS) used to protect millions of financial transactions every day.

The HydrantID cloud based, commercial Certificate Authority (CA) provides managed PKI services to the enterprise and public sector in the Americas and Europe. Through our affiliate partner QuoVadis LTD., the company has operations in Switzerland, Holland, the UK, Germany and Bermuda. Secure PKI hosting facilities are located in the United States, Switzerland and Bermuda.

HydrantID offers two Managed PKI models: a Private PKI (Private Root) for organizations that need full control over certificate policies and root key distribution; and the Dedicated Issuing CA (Shared Root) that provides a low-cost alternative for organizations that just need digital certificates to secure internal servers and other resources.
Figure 1: Private PKI Hierarchy
Figure 2: Dedicated ICA Hierarchy
HydrantID also delivers Enterprise Trusted Certificate Services for providing SSL, SMIME and other pre-trusted certificates. You can find out more about each of these services at https://www.hydrantid.com. All our PKI solutions provide the necessary documentation, set-up and on-going CA operations to free your staff to focus on your core business. We provide scalable, secure and geographically-distributed implementations for Managed PKIs and leverage highly secure and audited technical facilities and expertise to deliver all our services. HydrantID provides a fixed annual subscription fee for the operation of our PKI solutions, with each subscription tailored to customer requirements. All of our services can be included in a single subscription and new services can be added at any time.
Functionality, Security and Usability

Both the Dedicated Issuing CA and Private PKI offerings share a common set of functionality that one would expect from our world-class service:
• All Issuing CA private keys are generated and maintained in FIPS 140-2 certified Hardware Security Modules
• All Issuing CA private keys are replicated to a geographically-diverse backup site
• CRL publishing
• OCSP responder service using software-based signing keys
• Trust/Link certificate management web portal
• Optional Trust/Link Enterprise Web Service API for automation
• Built-in support for third-party key and certificate management solutions such as Venafi and Secardeo
• Includes 20 SANs per certificate, more available on request
• Supports multiple certificate policies/types for securing internal hosts (SSL/TLS, wildcard, device, etc.)
• Supports multiple Administrators and rights delegation
• No limit on organizations/departments
• No limit on sub-domains
• Ongoing Service and Industry Updates
• 6-month Internal Program Assessment
• Annual support and maintenance
Our service uses Policy Templates to control the types of certificates issued to your account. We provide pre-configured templates that cover the more popular types of certificates. These can be used as a starting point for further customization to meet your business needs.

Moving up to our Private PKI offering adds the features necessary for organizations that want full control over branding, policies and certificate hierarchy:
• Offline private root key(s) and certificate(s)
• Scripted, recorded key generation ceremony
• Offline root storage: HSM, Security World and card sets, in safes at two geographically-diverse locations
• Custom Certificate Policy and Certificate Practice Statement (optional)
• Existing Certificate Policy and Certificate Practice Statement review and mapping
• OCSP responder service using software signing keys (hardware-based keys are optional)

We work closely with our customers to determine the best PKI architecture for their needs. As part of our Private PKI service we offer a workshop that is used to determine:
• CA Naming
• Certificate Policy requirements
• Scope of certificate usage
• Web Services Configuration
• User acceptance testing criteria
• Internal audit and reporting requirements
The results of the Workshop are used to create a customized Private Root Hierarchy document that covers the PKI hierarchy design, branding, policy identifiers and certificate types required to deliver a fully-functional PKI service. This becomes the blueprint for generating the private keys and associated certificates.

Private PKI Service Key Generation and Storage

The Private PKI Root CA keys are created during a CA WebTrust-compliant key generation ceremony attended by a business and a technical representative of your company. Using non-networked dedicated equipment, the key ceremony is performed in a maximum security digital records and microfilm storage vault located in a solid granite mountain. This vault, built to Department of Defense specifications, is used to secure dedicated Customer and HydrantID safes containing the Hardware Security Modules and associated activation data. On-going storage and maintenance activities like Key and Certificate Rollover, CRL generation and OCSP Signing certificate renewal are included in our service offering.

Root and Issuing Key Portability

The Private PKI Root CA will be generated on a Windows Server virtual machine and a dedicated Thales Edge HSM. Upon termination of the contract, these components and any "k-of-n" smart cards and activation data will be provided to the Customer in a secure manner agreed upon by both parties.
The Issuing CA private keys will be hosted on shared HSMs. Upon termination of the contract, these key blobs will be merged into a migration Security World and the "k-of-n" smart cards and activation data will be provided to the Customer in a secure manner agreed upon by both parties.

Key Sizes and Algorithm Support

Although our Dedicated ICA and Private PKI offerings are not governed by an industry group, we do encourage our customers to follow best practices for key size and hashing algorithm choices. This currently is a baseline of 2048-bit keys for device and user certificates and 4096-bit keys for Issuing and Root CAs. We have the ability to issue a wide range of key sizes and hash algorithms for cases where your organization needs a custom solution. Our standard Cryptographic provider is RSA#nCipher Security World Key Storage Provider, which is compatible with SHA-256, SHA-384 and SHA-512. We also support:

Asymmetric (public key) algorithms: RSA (1024, 2048, 4096), Diffie-Hellman, DSA, El-Gamal, KCDSA, ECDSA, ECDH
Symmetric algorithms: AES, ARIA, Camellia, CAST, DES, RIPEMD160 HMAC, SEED, Triple DES
Hash/message digest: SHA-1, SHA-2 (224, 256, 384, 512 bit)
Full Suite B implementation with fully licensed Elliptic Curve Cryptography (ECC) including Brainpool and custom curves

Both Private and Dedicated PKI root keys will be generated on a Thales Edge FIPS 140-2 Level 3 validated Hardware Security Module (HSM). This HSM helps to enforce multi-person control for sensitive processes, such as configuring a new HSM module or activating a key for use. This is commonly known as "k of n", or having a "quorum." The basic premise of k of n is to divide the interactions needed to access information among multiple entities. In the case of an HSM connected to a CA, multiple smart cards need to be presented to the HSM to generate or activate the use of the CA private key. The cards or tokens can then be separated, distributed, and securely stored to help enforce these processes.

The Thales Security World allows for physically splitting key management responsibilities. Split responsibility is a widely accepted control within most security policies. Through its multi-party "k-of-n" control functionality, important key functions, procedures or operations can mandate that more than one person is required to perform these tasks. No single console operator can carry them out alone; a quorum of key holders (the "k" in the "k-of-n") must authorize the actions of the console operator.
Figure 2: Private Key Protection and Access Control
The Security World construct also supports scalability by providing a secure and tightly managed process for provisioning identical Issuing CA keys to additional Thales HSMs. Backups are accomplished by making copies of the Issuing CA application "key blob" and moving them to physically and geographically-diverse locations. The Security World construct ensures that the "key blob" is worthless without the "k-of-n" smart cards and a properly-initialized HSM. The following was provided by the vendor for reference:

Key Access and Storage

An application "key blob" consists of the key material, the key's Access Control List (ACL), and a cryptographically strong checksum, all encrypted with a 3DES or AES key. In the case of a cardset-protected application key, the 3DES or AES wrapper key used is stored via secret-sharing across the Operator Card Set and is known as a Logical Token. In the case of a module-protected application key, the 3DES or AES key used is the Security World Module Key, stored in the HSM's nonvolatile memory.
Figure 3: Key Storage
The Security World Module Key is itself stored in a blob on the host file system; the key data, ACL and checksum are encrypted with a 3DES or AES Logical Token stored on the ACS. This allows the Administrator Card Holders to load the Security World Module Key into additional HSMs. The Security World Module Key can be loaded on both dedicated Thales nShield HSMs and on Thales netHSMs. A Logical Token remains in the HSM and on the smart cards and is never passed to the host, even in encrypted form. Additional encryption of the Shares of a Logical Token ensures that the passphrases (if set) are required to assemble the Shares into the original 3DES or AES key, and in the case of Operator Cards, ensures that the card set is used only in HSMs possessing the Security World Module Key.

OCS-protected application keys with Recovery enabled are also stored in a Recovery Blob alongside the main working blob. The Recovery Blob is encrypted using an RSA key pair known as the Recovery Encryption Key. The private half of the Recovery Encryption Key is again stored as a blob protected by a Logical Token stored on the ACS. This allows the Administrator Card Holders to perform the recovery from lost or unusable Operator Card Sets as shown below.
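To make the "k-of-n" quorum and the key blob construction described above concrete, here is an added Python illustration. It is not Thales or HydrantID code: the wrapper key (playing the role of the Logical Token) is split across n cards with Shamir's secret sharing, and the blob (key material, ACL and checksum) is encrypted under it. A constructed HMAC-SHA256 keystream stands in for the HSM's 3DES/AES wrapping purely for demonstration; the function names, the ACL string and the 2-of-3 scenario are assumptions.

```python
"""Added illustration of k-of-n protection of an application key blob.
Not Thales/HydrantID code; the blob cipher is a constructed HMAC-SHA256
keystream standing in for the 3DES/AES wrapping an HSM would perform."""
import hmac
import secrets
from hashlib import sha256

PRIME = 2**521 - 1  # Mersenne prime: a field large enough for a 32-byte secret


def split_secret(secret, k, n):
    """Shamir k-of-n split: evaluate a random degree-(k-1) polynomial whose
    constant term is the secret at x = 1..n. Each (x, y) pair is one card's share."""
    s = int.from_bytes(secret, "big")
    if not (1 <= k <= n and s < PRIME):
        raise ValueError("bad parameters")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation modulo PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares, length):
    """Lagrange interpolation at x = 0. With fewer than k shares this still
    returns a value, but not the secret: a short quorum yields a useless key."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        s = (s + yi * num * pow(den, -1, PRIME)) % PRIME
    return s.to_bytes(max(length, (s.bit_length() + 7) // 8), "big")


def _keystream(token, length):
    """Constructed PRF keystream (HMAC-SHA256 in counter mode); demo only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(token, counter.to_bytes(4, "big"), sha256).digest()
        counter += 1
    return out[:length]


def wrap_key_blob(token, key_material, acl):
    """Blob layout: [2-byte ACL length][ACL][key material][32-byte checksum],
    all encrypted under the token, mirroring the three components named above."""
    body = len(acl).to_bytes(2, "big") + acl + key_material
    checksum = hmac.new(token, body, sha256).digest()
    plain = body + checksum
    return bytes(p ^ k for p, k in zip(plain, _keystream(token, len(plain))))


def unwrap_key_blob(token, blob):
    """Decrypt and verify; returns (acl, key_material), or None if the checksum fails."""
    plain = bytes(b ^ k for b, k in zip(blob, _keystream(token, len(blob))))
    body, checksum = plain[:-32], plain[-32:]
    if not hmac.compare_digest(hmac.new(token, body, sha256).digest(), checksum):
        return None
    acl_len = int.from_bytes(body[:2], "big")
    return body[2:2 + acl_len], body[2 + acl_len:]


def demo(k=2, n=3):
    """Constructed scenario: a k-of-n Operator Card Set protecting one signing key."""
    token = secrets.token_bytes(32)         # Logical Token (wrapper key)
    key_material = secrets.token_bytes(32)  # stand-in for the CA private key
    acl = b"sign-only;no-export"            # assumed ACL encoding
    cards = split_secret(token, k, n)
    blob = wrap_key_blob(token, key_material, acl)
    with_quorum = unwrap_key_blob(recover_secret(cards[:k], 32), blob)
    short_quorum = unwrap_key_blob(recover_secret(cards[:k - 1], 32), blob)
    return {
        "quorum_ok": with_quorum == (acl, key_material),
        "short_quorum_rejected": short_quorum is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point the code makes is the one the vendor text makes: the blob on disk reveals nothing on its own. Any k cards reconstruct the token and the checksum verifies; k-1 cards produce a wrong token, the checksum fails, and the caller gets None rather than key material.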
Figure 4: Access to cryptographic keys
Accessing Your PKI Services

We provide two primary ways to consume our PKI offerings:
o Trust/Link Enterprise Certificate Portal - We provide an easy-to-use web-based certificate portal that provides a single interface for your account setup, management and reporting needs for both Managed PKI and Trusted SSL certificates in one place. The portal is accessed using any standard web browser and does not require any additional client-side software. This also gives customers the ability to distribute the administration of certificate lifecycles across their organization with customizable administrator roles. We provide an Administrator guide that explains the account settings and the ability to delegate specific permissions to other Administrators.
o Certificate API - This is a RESTful Web Services API for automating the request, issuance and revocation of digital certificates. The web service consists of:
ACTION URI DESCRIPTION
POST /api/v1/certs Creates a new request, returning transactionId
PATCH /api/v1/certs/{transactionId} Revokes a given certificate
GET /api/v1/certs/{transactionId} Returns the certificate request details
GET /api/v1/certs/{transactionId}/status Returns the certificate status - Valid/Revoked
GET /api/v1/certs/{transactionId}/certificate Returns the issued certificate
GET /api/v1/certs/{transactionId}/info Returns detailed information about the issued certificate
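The following added Python example walks the six routes in the table through the request, poll, download and revoke cycle that API users and third-party integrations perform (the polling model is described under Signed Certificate Return below). It is not HydrantID's client or server code. FakeCertificateApi is a constructed in-memory stand-in for the service so the flow runs offline; its JSON body fields ("subject", "csr", "pem"), its HTTP result codes, its authentication (none) and the intermediate "Pending" status are assumptions, since the page documents only the routes and the Valid/Revoked statuses.

```python
"""Added example: request / poll / download / revoke over the documented
Certificate API routes, against a constructed in-memory stand-in service."""
import re
import uuid

# Route shape taken from the table: /api/v1/certs[/{transactionId}[/status|certificate|info]]
ROUTE = re.compile(
    r"/api/v1/certs(?:/(?P<tid>[0-9a-f-]+)(?:/(?P<sub>status|certificate|info))?)?"
)


class FakeCertificateApi:
    """Constructed stand-in for the service; body fields and codes are assumptions."""

    def __init__(self):
        self._reqs = {}

    def handle(self, method, path, body=None):
        """Transport callable: (method, path, body) -> (http_code, json_dict)."""
        m = ROUTE.fullmatch(path)
        if not m:
            return 404, {"error": "unknown route"}
        tid, sub = m.group("tid"), m.group("sub")
        if method == "POST" and tid is None:                 # POST /api/v1/certs
            tid = str(uuid.uuid4())
            self._reqs[tid] = {"subject": body["subject"], "status": "Pending", "pem": None}
            return 201, {"transactionId": tid}
        rec = self._reqs.get(tid)
        if rec is None:
            return 404, {"error": "unknown transactionId"}
        if method == "PATCH" and sub is None:                # PATCH .../{tid} revokes
            if rec["pem"] is None:
                return 409, {"error": "certificate not issued yet"}
            rec["status"] = "Revoked"
            return 200, {"status": "Revoked"}
        if method == "GET":
            if sub is None:                                  # request details
                return 200, {"transactionId": tid, "subject": rec["subject"], "status": rec["status"]}
            if sub == "status":                              # Valid / Revoked (Pending assumed)
                return 200, {"status": rec["status"]}
            if sub == "certificate":                         # issued certificate
                return (200, {"pem": rec["pem"]}) if rec["pem"] else (404, {"error": "not issued"})
            if sub == "info":                                # detailed information
                return 200, {"subject": rec["subject"], "status": rec["status"]}
        return 405, {"error": "method not allowed"}

    def issue_pending(self):
        """Play the CA: sign every pending request (constructed PEM placeholder)."""
        for rec in self._reqs.values():
            if rec["status"] == "Pending":
                rec["pem"] = "-----BEGIN CERTIFICATE-----\n<constructed>\n-----END CERTIFICATE-----"
                rec["status"] = "Valid"


class CertificateClient:
    """Thin client over any transport with the handle() signature above."""

    def __init__(self, transport, max_polls=5, sleep=lambda seconds: None):
        self._t, self._max_polls, self._sleep = transport, max_polls, sleep

    def request(self, body):
        code, data = self._t("POST", "/api/v1/certs", body)
        if code != 201:
            raise RuntimeError("request rejected: %r" % (data,))
        return data["transactionId"]

    def status(self, tid):
        return self._t("GET", "/api/v1/certs/%s/status" % tid)[1]["status"]

    def wait_for_certificate(self, tid, interval=2.0):
        """Poll GET .../certificate until issued; give up after max_polls attempts."""
        for _ in range(self._max_polls):
            code, data = self._t("GET", "/api/v1/certs/%s/certificate" % tid)
            if code == 200:
                return data["pem"]
            self._sleep(interval)
        return None

    def revoke(self, tid):
        return self._t("PATCH", "/api/v1/certs/%s" % tid)[1]["status"]


def demo_flow():
    """Full lifecycle against the stand-in; returns the observations a caller sees."""
    api = FakeCertificateApi()
    client = CertificateClient(api.handle, max_polls=3)
    tid = client.request({"subject": "CN=intranet.example.test", "csr": "<constructed CSR PEM>"})
    before = client.wait_for_certificate(tid)   # None: still pending after 3 polls
    api.issue_pending()
    pem = client.wait_for_certificate(tid)
    status_after_issue = client.status(tid)
    status_after_revoke = client.revoke(tid)
    return {
        "pending_returned_none": before is None,
        "issued": pem is not None,
        "status_after_issue": status_after_issue,
        "status_after_revoke": status_after_revoke,
        "final_status": client.status(tid),
    }


if __name__ == "__main__":
    print(demo_flow())
```

Against the real service the transport would be an HTTPS call carrying the account's credentials; the client bounds its polling with max_polls so an integration that never sees a certificate fails visibly instead of looping forever.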
The HydrantID Certificate API has also been integrated by other security product vendors. This enables their customers to access HydrantID services without any additional development work. Two featured solutions are:

Venafi TrustForce - https://www.venafi.com/products/trust-force/trust-force-overview

Venafi, as the Immune System for the Internet™, uses Venafi TrustForce™ to automate the entire key and certificate lifecycle, determining which keys and certificates are self and trusted, protecting those that should be trusted, and fixing or blocking those that are not by blacklisting or automatically replacing vulnerable keys or certificates. In addition, organizations can eliminate blind spots from encrypted threats by automating the delivery of trusted keys for SSL/TLS decryption and threat protection. TrustForce also extends its automated certificate management and security capabilities to a wide range of Enterprise Mobility use cases, including email encryption, email signing, WiFi, VPN, browser, and device authentication.

Secardeo certEP - https://www.secardeo.com/products/certep
The Secardeo certEP Certificate Enrollment Proxy supports manual or autoenrollment of certificates to computers and users in a Windows Domain from a non-Microsoft CA. certPush enables the automated distribution of user keys to all mobile devices in an enterprise. certEP offers you the following benefits:
• usage of a CA software or SaaS of your choice – independence from Microsoft
• isolation of CA from production network – protect your PKI from advanced threats
• high degree of automation – minimize PKI operational costs
• use established Managed PKI Services – perform PKI deployment within hours
• many CAs supported with customizable interfaces – keep flexibility for a future migration to another CA
• local key archival and recovery by KRAs – keep full control and privacy for your private encryption keys
• autoenrollment from a public CA – globally accepted S/MIME certificates for your users

We also support a number of certificate-specific protocols for specialized integration and automation support. These are outlined in the diagram below. Please contact your representative for availability and additional information.
Performance, Availability and Scalability

Customers of our PKI offerings rely on two primary services for day-to-day operations: Certificate Issuance and Certificate Validation. Certificate issuance is a multithreaded service with three primary stages:
• Request submittal: Incoming certificate requests from our portal or API are accepted by a request queue. This provides an auto-scaling method to handle highly-variable peaks in certificate request volumes. The request queue can accept in excess of 300 certificate requests per second.
• Request processing: Requests may be subject to a variety of rules processing before being signed by the CA (Certificate Authority). Examples are name constraints, policy enforcement and external dependencies that must be verified prior to the certificate being issued and returned to the requesting customer. The complexity of the certificate to be generated (e.g. key size, number of SAN (Subject Alternative Name) fields, etc.) can also increase the issuance time. In practice, the majority of this processing occurs within seconds and the request is then signed by the appropriate CA.
• Signed Certificate Return: How the signed certificate is returned depends on the request method. For portal users, an email is generated by our system and sent to the Requestor and other account administrators. A status indicator is also set in the portal. The certificate may now be downloaded in both PEM and DER formats, with or without the full certificate chain. For API users, a polling mechanism is used for API-generated requests and third-party integrations. These services poll at frequent intervals and download the certificate as soon as it is available.
Certificate validation information is provided by Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP) servers. All Dedicated ICAs and Private PKIs are configured to publish a CRL each time a certificate is revoked and at a specified interval. They are published to a hosted location and can be downloaded as needed. OCSP services provide near real-time revocation status information and are included in both our service offerings. We also support OCSP Stapling, which allows a server protected by a certificate to request status information and pass it on to connecting clients. This greatly reduces WAN traffic for busy sites and reduces page load times.

Both CRL and OCSP information may be served out of the United States, Bermuda and/or Swiss data centers on a round-robin DNS basis with multiple servers in each location. This load balancing method ensures that any interruption at any location is covered by another data center. As of December 2015 our average OCSP response times (in seconds) are:

• From Pennsylvania - 0.095
• From London - 0.050
• From Amsterdam - 0.056
• From San Jose, CA - 0.165
• From Phoenix, AZ - 0.173
• From New York - 0.095
• From Aruba/Italy - 0.088
• From Zurich, Switzerland - 0.078

Incoming connections to these services are a shared resource and are sized to provide ample bandwidth for all customers on our platform. Capacity is managed by HydrantID and will be added as necessary without our customers incurring additional bandwidth charges. We maintain Service Level Agreements with all our customers to ensure that our Issuance and Validation systems are available and responsive when you need them.

HydrantID operates a multi-location Support desk to provide 24 hour/7 days a week support for solving outages and other high-priority issues. A customer-specific support group is established in our ticketing system, and key HydrantID contacts for support issues and escalation are provided at service initiation. We support the use of S/MIME for authenticated and encrypted communications, and maintain a list of authorized customer representatives to authenticate service requests and confirmations.
For more information contact questions@hydrantid.com or visit www.hydrantid.com