Intel s Common Data Security Architecture
|
|
- Thomas Richards
- 6 years ago
- Views:
Transcription
1 Intel s Common Data Security Architecture Draft Release 2.0 version 1.0 Presented at TOG Members Meeting PKI-TG Session June 26, 1997 Denise Ecklund, Intel Architecture Labs
2 Today s Agenda History of CDSA and TOG, PKI-TG Certificate and Key Life Cycle Management Key Recovery as an Elective Service Category Portable Credentials CSSM Enhancements Status Update Group Questions and Answers 2
3 History of CDSA, TOG, PKI-WG Intel presented CDSA at PKI Mtg, Dec-96 PKI-TG requested response to PKI Requirements Intel presented PKI-Reqs response, Mar-97 PKI-TG recommended 3 specific extension areas:» Certificate and Key Life Cycle Management» Key Recovery Services» Portable Credentials Support Close review by other TOG members Intel presenting these results today, anticipating PKI-TG recommendation to Technical Managers July-97 TM recommendation to begin Fast Track 3
4 Acknowledgements Intel acknowledges the thorough review and the active contributions of the following companies in evolving CDSA 2.0 Entrust Technologies IBM Netscape Communications Trusted Information Systems Additional, appreciated feedback from Intel Product Groups building appls on CSSM United States NSA 4
5 CDSA - a four layer architecture Supports varied degrees of security-awareness in applications Applications in C++ Applications in C Applications in Java Layered Security Services and Tools Method Wrapper Defines a common API CSSM Security API Common Security Services Manager Service Provider Interfaces Extensible for all types of security services Security Service Add-in Modules 5
6 Summary of Enhancements - 1 Certificate and Key Life Cycle Follows an extended PKIX model» RA, CA, local & remote services New APIs for Trust Policy and Certificate Library operations» create, verify, renew, recover, multisign Supports asynchronous operation completion 6
7 Summary of Enhancements - 2 Key Recovery Defines a secure model for individuals, corporations, and governments to recover encryption keys using a broad range of recovery mechanisms» encapsulation, escrow, hybrid schemes New, independent category of security service Uses new dynamic service manager binding mechanism New APIs and new SPIs Works with any add-in Cryptographic Service Provider 7
8 Summary of Enhancements - 3 Portable Credentials No a priori detailed model from PKI-TG No detailed model defined by working team Intel view includes at least HW tokens Latest evolution of CSSM APIs provide complete support for PKCS#11 and other HW token interfaces 8
9 Summary of Enhancements - 4 Smoothing it out and putting it all together Infrastructure Enhancements Horizontal Extensibility» Dynamic addition of security service categories Multi-service Add-in Modules» Allow add-in vendors to provide any subset of SPIs Support for TOG s PKI Model» Use stronger integrity checks among components» In the specs - clarify required vs optional parameters & behavior 9
10 A Quick Refresher on CDSA Applications in C Applications in C++ Applications in Java System Security Services Layered Services Tools Method Wrapper Middleware Language Interface Adapter CSSM Security API EM-API Common Security Services Manager CSP Manager SPI Integrity Services TP Module Manager TPI CL Module Manager CLI Security Contexts DL Module Manager DLI Elective Module Mgr EMI Security Add-in Modules Cryptographic Service Provider Trust Model Library Certificate Library Data Storage Library New Category of Service Data store 10
11 CSSM Module Managers Define the CSSM APIs and SPIs for a category of security services Base Service Module Managers are always present certificate, trust policy, data store, cryptography Elective Module Managers are transparently loaded on demand key recovery, audit/logging, future services Provide a subset of the CSSM services dispatch APIs to zero, one or more SPIs pre and/or post-process dispatched API calls 11
12 CSSM Core Services Implement architectural extensibility Dynamic attaching of add-in modules (mechanism implementations) Transparent attaching of elective module managers (categories of security service) Standard component management install, register-services, query-registry, etc. Integrity Services Security Context Management parameters required for cryptographic operations 12
13 Certificate and Key Life Cycle Management
14 Supporting Certificate and Key Life Cycle The model is based on PKIX-* and compatible with the PGP keyring model Basic Entities Certification Authority, Client, Registration Authority remote or co-located Basic Services over the life cycle Certificate delivery, verification & mgmt asynchronous operation completion possible 14
15 Certificate and Key Life Cycle Phases Registration of Certificate Bearer Key Generation (and other CA-provided services) Certificate Generation Cert Update Cert Recovery Cert Revocation Active Phase Cert Retrieval Cert Cert Verification MultiSign 15
16 Supporting Certificate Life Cycle in CSSM New APIs for Trust Policy Modules Verification of trust to perform an action (based on certificates) New APIs for Certificate Library Modules Certificate create, renew, recover, multisign 16
17 Trust Policy API - Review Access to certificate-based trust models semantics of trust Generic API supports different trust models from hierarchical to introducer Basic categories of operations: verify application-specific action operates on groups of semantically-related certificates 17
18 TP_CertVerify ( ) Verification is based on chain of certificates a set of trusted certificates (cross-certified) a set of specified policies the action to be performed (if the cert verifies) Outputs Yes or No list of evidence from the verification process automatic initiation of specified action 18
19 Cert Management API - Overview Defines memory-based manipulation of certificates and certificate revocation lists (CRL) Generic API so libraries can support different certificate types CSSM_OIDs name cert and CRL fields CSSM_OID structure holds a generic object identifier Examples: ASCII string, enum value, X.509 OID, S-expression Basic categories of operations: create, sign, verify view, get_field_values life cycle mgmt, type_translations 19
20 APIs support Asynchronous Completion of Operations Some operations invoke remote services that may not complete for days Examples: certificate enrollment Two APIs per asynchronous operation initiator function» returns: estimated time to completion, transactionid result retrieval function» returns: result or new estimated time to completion 20
21 Certificate Creation and Certificate Renewal Set-up and initialize» CL_RegistrationFormRequest; CL_CertCreateTemplate CL_CertRequest keypair generation by client or by CA/RA submit request to CA entity» include authorization info and certificate template request additional CA backend services» key backup, cert renewal notice, white pages listing, etc. CL_CertRetrieve retrieve certificate ( and remote keypair ) RA CA CA 21
22 Certificate Recovery - setup CL_CertRecoveryRequest requires authorization data can request a subset of your certificate history CL_CertRecoveryRetrieve cache retrieves a set of certificates and their associated private keys into a local cache certificates and keys in the cache are protected and ready to be recovered also outputs the number of cached items CA CA 22
23 Certificate Recovery - completion CL_Recover Cert recover/look at each cached certificate determine which keys to recover CL_RecoverCertKey recover the I-th private key into a local CSP provide new passphrase to secure recovered key CL_CertAbortRecovery {cert1, key1} {cert2, key2} {cert3, key3} {cert1, key1} {cert2, key2} {cert3, key3} empty cache scrubs the cache and ends the recovery process CSP secured storage 23
24 Certificate MultiSign CL_CertMultiSignRequest request additional signature on a certificate uses a selectable signing scope does not invalidate earlier signature(s) supports notary public functionality CL_CertMultiSignRetrieve retrieve the multiply-signed certificate CA CA 24
25 Key Recovery
26 The Purpose of Key Recovery The primary purpose of a Key Recovery is to recover a key that has been used to ensure the confidentiality of some data Corporations and governments recover a key to decrypt intercepted, cipher data Individuals and corporations recover a key to decrypt stored, cipher data Encrypted Data Data Source Data to Send Interception Point Data Destination Data Received Other Local, Encrypted Data 26
27 Using Key Recovery Key Recovery is useful when a key is lost, corrupted or unavailable Using KR is voluntary or directed by policy Provided as an explicit service if selected, it must be invoked by an application or a layered service 27
28 The Model for Key Recovery (KR) Participants and their Roles in Key Recovery Recovery Agents: a set of trusted, independent systems that work together to recover keys on demand Participating Parties: users or systems that enable key recovery by generating the key recovery information that is required by their recovery agents Authorized Parties: users or systems that are authorized to recover their keys or someone else s keys from a set of recovery agents 28
29 Key Recovery Concepts (KR) Objects and their Purpose in Key Recovery Key Recovery Fields: information that enables specified key recovery agends to recover a referenced key Key Recovery Policy: a statement defining who must use key recovery, when it must be used, what mechanism must be used, and what KR agents can be used Key Recovery Mechanism: a set of functions that generate and process key recovery fields and recover keys on request 29
30 Phases of the KR Process 0) KR Policy Definition Policy: Encrypt:.. 1) Key Recovery Registration (optional) KR Registration Application Registration Messages Key Recovery Agent(s)/Server 2) Key Recovery Enablement KR-enabled Cryptographic Application A Key_Exch, KRFields, CipherText KR-enabled Cryptographic Application B 3) Key Recovery Request KR Request Application Authorization data, KRFields Key Recovery Server KR Agent-1 KR Agent-2 Decryption Key KR Agent-N 30
31 Key Recovery In CDSA Applications in C Applications in C++ Applications in Java Layered Security Services SSL Method Wrapper Protocol Handlers EDI SMIME IPSEC Common Security Services Manager TPM Mgr CSSM Security API Integrity Context Mgmt CSP Mgr DLM Mgr CLM Mgr KR-API KRM Mgr TPI SPI DLI CLI KR-SPI Security Add-in Modules TP Lib CSP Lib DL Lib CL Lib Key Recovery Service Provider 31
32 Attaching Add-in Modules and Elective Module Managers CSSM Core Service Actions: If cateory is Elective then (1) transparently load module manager (2) perform the attach operation for the add-in module CSP MMgr TP MMgr CSSM CL MMgr Application Hdl = attach( KeyRecov1 ); DL MMgr Mgr for Elective KR Module 1 Mgr for Elective KR Module Installed CSP Modules Installed TP Modules CSP1 TP2 CL1 DL1 Installed CL Modules Installed DL Modules KR Module 2 Installed KR Modules 32
33 Key Recovery APIs - categories Registration - optinal register with KR agents/server Context - create security context for KR enablement Enablement - create KR fields Request - request a recovery by a set of KR agents 33
34 KR and CSP Module Managers Work Together All Module Managers can share state and work together KR Module Manager (KRMM) is a sophisticated module manager understands CSSM security context structure shares state with the Cryptographic MM makes policy decisions 34
35 Portable Credentials One Piece of the Puzzle: PKCS#11 and other HW Tokens
36 Cryptographic Services API APIs appropriate for hardware tokens, software modules, & hybrids CSSM Cryptographic APIs subsume legacy APIs» GCS-API, PKCS#11, Fortezza Cryptoki, etc. Basic Categories of Operations sign/verify digest/hash encrypt/decrypt key operations random number generation GCS-API CSSM API PKCS#11 Help manage parameters and their state 36
37 Enhancements to Fully Support PKCS#11 Service Model New APIs for login/logout, sessions, optional password/pin Extended structures for key formats: reference, wrapped, raw each device slot is one subservice Features Dynamic description of capabilities A-Card B-Card Multi-service add-ins for (CSP + DL) APIs Reader 37
38 Multi-Service Add-in Modules Application Actions: Attach one service module Receive one Handle Use the handle for CSP ops and for DL ops Add-in Module: (1) Implements functions from multiple service categories (2) Registers multiple sets of functions with CSSM TP MMgr Common Security Services Manager TP2 Application: Hdl = CSSM_Attach(pkcs11_guid) CSSM_Encrypt(Hdl, ) CSSM_DL_DataGetFirst(Hdl, ) CSP MMgr CSP1 DL MMgr DL1 CL MMgr CL1 Elective MMgr New Service PKCS#11 Add-in Module 38
39 Adaptation Layers in CDSA CSSM API CSP Manager TPM Mgr CLM Mgr DLM Mgr SPI TPI CLI DLI SPI to SPI Adaptation Layer Native CSP TP Lib C Lib D Lib Legacy Cryptographic Service Provider Example legacy CSPs: BSAFE PKCS#11 HW tokens Fortezza token Data store 39
40 Intel s PKCS#11 Adaptation Layer One implementation of PKCS#11 adapter Inter-operating devices in Intel Labs (today) Rainbow (CryptoSwift, add-in card) DataKey (Smart card) Litronic (ME2000, CryptOS) Fischer (Smart disk) Chrysalis (Luna) New devices under test GemPlus Sign Data S-Card Data Reader A Verify Data Signature S-Card Data Reader B 40
41 CSSM Enhancements Putting it all together, with integrity
42 Integrity Requirements In a dynamic environment, components must authenticate themselves prove identity prove integrity Components must have signed credentials certificate manifest CSSM Module Mgr Attach Who are you? Module Are you the CSSM? Component object modules must be signed 42
43 The Model for Credentials Certificate chain represents trust in a vendor used to prove identity supported by real world licenses Manifest describes the integrity of the module s functional capabilities the module s object code (this is the module) Acknowledgements to Netscape and Javasoft for early work on Manifests (W3C effort w/ Intel) review of Intel s Enhanced Manifests 43
44 An Add-in Module s Certificate A hierarchical chain of three certificates CSSM vendor owns the root certificate Add-in module vendor owns the middle certificate The module owns the leaf certificate Certificate File CSSM Vendor s Certificate (self-signed) Add-in Module Vendor s Certificate (signed by CSSM Vendor) Product Certificate (signed by Add-in Module Vendor) 44
45 A Manifest Manifest File Manifest Sections SectionName: MD5-Digest: Capabilities Object Reference SectionName: MD5-Digest: Capabilities Object Reference 45
46 CSSM Integrity Services Built on an Embedded Integrity Services Library (EISL) EISL Use self_check to establish a trust perimeter CSSM base Use credential-based bilateral authentication procedure to extend trust perimeter to dynamically CSSM base EISL attaching components EISL Module EISL 46
47 Status and Summary
48 Summary of our Response to PKI-TG Evolution new APIs for Cert Life Cycle and Key Recovery modified CSSM APIs based on experience Future enhancements - layered technologies continued work on Object-oriented i/f: e.g., Java, support high level APIs, e.g., GSS, SSPI, etc. provide packagable protocols, e.g., PKCS#12 Documents/Specifications available 13 documents: Arch, APIs, SPIs, Special Srvs 48
49 Categorization of CDSA Documentation Normative Informative Apps Developers CSSM-API, EISL, KR-API 3 CDSA, Signed-Mfests CSSM Developers Add-in Module Developers CSSM-API, EISL, CSSM-EMMI, CSSM-AMmgmt (1 of) {TPI, CLI, DLI, SPI, KRI } CSSM-AMmgmt, EISL 4 3+ CDSA,API, Signed-Mfests CSSM Policy CDSA, Signed-Mfests 49
50 Status of CDSA Reference Implementation Release 1.1.a on the Intel Web site ( for Windows* 95 and Windows NT* statically linked, exportable CSP used in two Intel applications Release 1.2 will be on web site Sept-97 same as release 2.0 minus some APIs Release 2.0 before Dec-97 50
51 Status of CDSA for TOG Fast Track Process Intel is a specification member of the TOG PKI-TG has signed TOG Fast Track Agreement is prepared to present specs for TOG Technical Managers Review in July 1997 is preparing for the normal Fast Track process during August and September 1997 is committed to carefully consider all feedback resulting from Fast Track review 51
52 CDSA Questions for the Panel
53 Example - Limited Strength Encryption or Failure without KR 1. Create Key Handle (side A) Communication Protocol 2. Context Handle HA1 CSSM 3. EncryptData (HA1, msg) KeyExch, Enc(msg) 4. Obtain Key Handle (side B) Communication Protocol 5. Context Handle HB1 CSSM 6. DecryptData (HB1, Enc(msg)) Policy: Encrypt: <= 56 bits or >56 bits + KR Short key encryption or the EncryptData call fails 53
54 Example - KR-enabled Communication 3. Generate Recovery Fields 4. Handle HA2, KRFields 1. Create Key Handle (side A) Communication Protocol 2. Key Handle HA1 CSSM-KRMM 5. EncryptData (HA2, msg) KeyExch KRFields, Enc(msg) Intercept Point 6. Obtain Key Handle (side B) Communication Protocol 7. Key Handle HB1 10. DecryptData (HB2, Enc(msg)) CSSM-KRMM 8. Process Recovery Fields 9. Handle HB2 KR and CSPs are separate, but they work together via the KRMM and the CSP MM Policy: Encrypt: <= 56 bits or >56 bits + KR 54
55 MS CAPI 2.0 as a Multi-Service Add-in Module MS CAPI 2.0 is a multi-service provider cryptographic operations certificate store certificate encode/decode CSSM API CSP Manager DLM Mgr CLM Mgr TPM Mgr SPI DLI CLI TPI Adaptation Layer TP Lib MS CAPI 2.0 Implementation Data store 55
56 A Signed Manifest All signing is performed using the module s certificate Manifest File Signer Information File Signature Block File Manifest Sections SectionName: Name: MD5-Digest: Capabilities SectionName: Name: MD5-Digest: Capabilities Relative File Name Digest of object refenced by Name URL Digest of object refenced by Name Signer Info File SectionName: Name: MD5-Digest: Capabilities Manifest Section Identifier Hash of Manifest Section Hash of Signature Info File PKCS#7 Signature Block SectionName: Name: MD5-Digest: Capabilities In Memory Digest of object refenced by Name Digest value Signature Block Encrypted Hash Value 56
57 System-wide Policy Compliance A system-wide policy can be defined constrains the use of security services» restrict certificate creation or cryptographic opers specified by a certificate and signed manifest CSSM can provide generic mechanisms to record and test for policy compliance record and protect system-wide policy at CSSM install check service provider s capabilities at service provider install and attach check function calls against system-wide contraints 57
58 Credential Verification Procedure A six step procedure packaged as two functions in the EISL 1. Verify the certificate chain 2. Verify the signature on the manifest 3. Verify the digest values for each of the manifest sections 4. For each manifest section, verify the digest value on each referenced object code file 5. Verify secure linkage» verified object code is the code you are about to invoke» or the code that invoked you 58
59 Bilateral Authentication Performed as the first phase of ModuleAttach processing Six step procedure 1. CSSM performed a self integrity check 2. CSSM performs an integrity check of the attaching module 3. CSSM verifies secure linkage by checking that the initiation point is within the verified module 4. The add-in module performs a self integrity check CSSM Module Mgr Attach 5. The add-in module performs an integrity check of CSSM Who are you? Module Are you the CSSM? 6. The add-in module verifies secure linkage by checking that the function call originated from the verified CSSM Use EISL functions 59
CDSA Technology. Intel Corporation Denise Ecklund July 1998
CDSA Technology Intel Corporation Denise Ecklund July 1998 Agenda Problem of Protecting Applications The CDSA Solution What is CDSA? Intel s Technology Role CDSA Today CDSA Tomorrow 2 Protecting an Application
More informationIBM KeyWorks Accelerate Development of your Secure e-business Solutions Sekar Chandersekaran IBM
IBM KeyWorks Accelerate Development of your Secure e-business Solutions Sekar Chandersekaran IBM chanders@us.ibm.com IBM KeyWorks Market Needs History KeyWorks KeyWorks KeyWorks KeyWorks KeyWorks Suite
More informationSecurity Training Seminars An integral part of The Open Group Security Programme
Security Training Seminars An integral part of The Open Group Security Programme Dean Adams Director, Security & Electronic Commerce Agenda Check! M Brief Overview of Security Program Key Projects Introduction
More informationGeneric Support for PKIX Certificate Management in CDSA
Generic Support for PKIX Certificate Management in CDSA Shabnam Erfani WatchGuard Technologies serfani@watchguard.com Sekar Chandersekaran Microsoft Corporation sekarcha@microsoft.com Abstract The Common
More informationOpenVMS Security Update 1M01
OpenVMS Update M0 Helmut Ammer TCSC München Agenda Ratings ITSEC E C & E B update on V6. TCSEC C Ramp -> > Common Criteria COE DII Current Projects: Enterprise Features & Projects History Per- Profiles
More informationDigital Certificates Demystified
Digital Certificates Demystified Ross Cooper, CISSP IBM Corporation RACF/PKI Development Poughkeepsie, NY Email: rdc@us.ibm.com August 9 th, 2012 Session 11622 Agenda Cryptography What are Digital Certificates
More informationIBM KeyWorks Toolkit. Trust Policy Interface (TPI) Specification
IBM KeyWorks Toolkit Trust Policy Interface (TPI) Specification June 11, 1999 Copyright 1999 International Business Machines Corporation. All rights reserved. Note to U.S. Government Users Documentation
More informationIBM i Version 7.2. Security Digital Certificate Manager IBM
IBM i Version 7.2 Security Digital Certificate Manager IBM IBM i Version 7.2 Security Digital Certificate Manager IBM Note Before using this information and the product it supports, read the information
More informationPKI is Alive and Well: The Symantec Managed PKI Service
PKI is Alive and Well: The Symantec Managed PKI Service Marty Jost Product Marketing, User Authentication Lance Handorf Technical Enablement, PKI Solutions 1 Agenda 1 2 3 PKI Background: Problems and Solutions
More informationApple Product Security
Apple Product Security Meeting IT Security Needs Fed/Ed XIV Washington,DC - December 14, 2006 Shawn Geddis Enterprise Security Consulting Engineer geddis@apple.com December 2006 Certificates and Keys Everywhere
More informationMavenir Systems Inc. SSX-3000 Security Gateway
Secured by RSA Implementation Guide for 3rd Party PKI Applications Partner Information Last Modified: June 16, 2015 Product Information Partner Name Web Site Product Name Version & Platform Product Description
More informationSecurity Digital Certificate Manager
System i Security Digital Certificate Manager Version 6 Release 1 System i Security Digital Certificate Manager Version 6 Release 1 Note Before using this information and the product it supports, be sure
More informationIBM. Security Digital Certificate Manager. IBM i 7.1
IBM IBM i Security Digital Certificate Manager 7.1 IBM IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in
More informationConfiguring Certificate Authorities and Digital Certificates
CHAPTER 43 Configuring Certificate Authorities and Digital Certificates Public Key Infrastructure (PKI) support provides the means for the Cisco MDS 9000 Family switches to obtain and use digital certificates
More informationSend documentation comments to
CHAPTER 6 Configuring Certificate Authorities and Digital Certificates This chapter includes the following topics: Information About Certificate Authorities and Digital Certificates, page 6-1 Default Settings,
More informationAn Application Developers Guide Proposal and Feedback Session. Phil Holmes. How to with CDSA
1 "How-to" with CDSA An Application Developers Guide Proposal and Feedback Session Phil Holmes How to with CSDA - Agenda 2 Overall Objectives The conventional approach Collaboration - How to Book & CD-ROM
More informationSSH Communications Tectia SSH
Secured by RSA Implementation Guide for 3rd Party PKI Applications Last Modified: December 8, 2014 Partner Information Product Information Partner Name Web Site Product Name Version & Platform Product
More informationSSL Certificates Certificate Policy (CP)
SSL Certificates Last Revision Date: February 26, 2015 Version 1.0 Revisions Version Date Description of changes Author s Name Draft 17 Jan 2011 Initial Release (Draft) Ivo Vitorino 1.0 26 Feb 2015 Full
More informationPrincess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)
Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536) Prepared by Dr. Samia Chelloug E-mail: samia_chelloug@yahoo.fr Content
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 11: Public Key Infrastructure Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Public key infrastructure Certificates Trust
More informationDirectTrust Governmental Trust Anchor Bundle Standard Operating Procedure
DirectTrust Governmental Trust Anchor Bundle Standard Operating Procedure Change Control Date Version Description of changes 15-December- 2016 1-December- 2016 17-March- 2016 4-February- 2016 3-February-
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationIBM Systems and Technology Group
IBM Systems and Technology Group Encryption Facility for z/os Update Steven R. Hart srhart@us.ibm.com 2013 IBM Corporation Topics Encryption Facility for z/os EF OpenPGP Support X.509 vs. OpenPGP Certificates
More informationSecureDoc Disk Encryption Cryptographic Engine
SecureDoc Disk Encryption Cryptographic Engine Security Policy Abstract: This document specifies Security Policy enforced by the SecureDoc Cryptographic Engine compliant with the requirements of FIPS 140-2
More informationTLS. RFC2246: The TLS Protocol. (c) A. Mariën -
TLS RFC2246: The TLS Protocol What does it achieve? Confidentiality and integrity of the communication Server authentication Eventually: client authentication What is does not do Protect the server Protect
More informationEntrust Connector (econnector) Venafi Trust Protection Platform
Entrust Connector (econnector) For Venafi Trust Protection Platform Installation and Configuration Guide Version 1.0.5 DATE: 17 November 2017 VERSION: 1.0.5 Copyright 2017. All rights reserved Table of
More informationUser s Guide. PolicyAgent and Key Recovery for SecretAgent 5.9 and SpyProof! 1.3
User s Guide PolicyAgent and Key Recovery for SecretAgent 5.9 and SpyProof! 1.3 Information in this document is subject to change without notice and does not represent a commitment on the part of Information
More informationSharing Secrets using Encryption Facility - Handson
Sharing Secrets using Encryption Facility - Handson Lab Steven R. Hart IBM March 12, 2014 Session Number 14963 Encryption Facility for z/os Encryption Facility for z/os is a host based software solution
More informationThe SafeNet Security System Version 3 Overview
The SafeNet Security System Version 3 Overview Version 3 Overview Abstract This document provides a description of Information Resource Engineering s SafeNet version 3 products. SafeNet version 3 products
More informationXenApp 5 Security Standards and Deployment Scenarios
XenApp 5 Security Standards and Deployment Scenarios 2015-03-04 20:22:07 UTC 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents XenApp 5 Security Standards
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
More informationPKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006
PKI-An Operational Perspective NANOG 38 ARIN XVIII October 10, 2006 Briefing Contents PKI Usage Benefits Constituency Acceptance Specific Discussion of Requirements Certificate Policy Certificate Policy
More informationCryptography and Network Security. Sixth Edition by William Stallings
Cryptography and Network Security Sixth Edition by William Stallings Chapter 19 Electronic Mail Security Despite the refusal of VADM Poindexter and LtCol North to appear, the Board's access to other sources
More informationPublic Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman
Public Key Infrastructure PKI National Digital Certification Center Information Technology Authority Sultanate of Oman Agenda Objectives PKI Features etrust Components Government eservices Oman National
More informationCertification Authority
Certification Authority Overview Identifying CA Hierarchy Design Requirements Common CA Hierarchy Designs Documenting Legal Requirements Analyzing Design Requirements Designing a Hierarchy Structure Identifying
More informationUser s Guide. PolicyAgent and Key Recovery for SecretAgent 5.8 and SpyProof! 1.2
User s Guide PolicyAgent and Key Recovery for SecretAgent 5.8 and SpyProof! 1.2 Information in this document is subject to change without notice and does not represent a commitment on the part of Information
More informationEncryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls
Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls Overview Cryptography functions Secret key (e.g., DES) Public key (e.g., RSA) Message
More informationBackground. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33
Background Network Security - Certificates, Keys and Signatures - Dr. John Keeney 3BA33 Slides Sources: Karl Quinn, Donal O Mahoney, Henric Johnson, Charlie Kaufman, Wikipedia, Google, Brian Raiter. Recommended
More informationPKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures
Public Key Infrastructures Public Key Infrastructure Definition and Description Functions Components Certificates 1 2 PKI Services Security Between Strangers Encryption Integrity Non-repudiation Key establishment
More informationKey Management and Distribution
Key Management and Distribution Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/
More informationFederated Web Services with Mobile Devices
Federated Web Services with Mobile Devices Rajeev Angal Architect Sun Microsystems Pat Patterson Architect Sun Microsystems Session TS-6673 Copyright 2006, Sun Microsystems, Inc., All rights reserved.
More informationPKI Configuration Examples
PKI Configuration Examples Keywords: PKI, CA, RA, IKE, IPsec, SSL Abstract: The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security through public key
More informationDigital signatures: How it s done in PDF
Digital signatures: How it s done in PDF Agenda Why do we need digital signatures? Basic concepts applied to PDF Digital signatures and document workflow Long term validation Why do we need digital signatures?
More informationForensics Challenges. Windows Encrypted Content John Howie CISA CISM CISSP Director, Security Community, Microsoft Corporation
Forensics Challenges Windows Encrypted Content John Howie CISA CISM CISSP Director, Security Community, Microsoft Corporation Introduction Encrypted content is a challenge for investigators Makes it difficult
More informationServer-based Certificate Validation Protocol
Server-based Certificate Validation Protocol Digital Certificate and PKI a public-key certificate is a digital certificate that binds a system entity's identity to a public key value, and possibly to additional
More informationCDSA Program Update SECURITY. Graham Bird. opengroup.org (650)
CDSA Program Update SECURITY Graham Bird g.bird@opengroup opengroup.org (650) 323 7992 Agenda Product Standards The Open Brand program Diffusion Schedules Q&A Product Standards Product Standards Real World
More informationPublic Key Infrastructure. What can it do for you?
Public Key Infrastructure What can it do for you? What is PKI? Centrally-managed cryptography, for: Encryption Authentication Automatic negotiation Native support in most modern Operating Systems Allows
More informationThis Security Policy describes how this module complies with the eleven sections of the Standard:
Vormetric, Inc Vormetric Data Security Server Module Firmware Version 4.4.1 Hardware Version 1.0 FIPS 140-2 Non-Proprietary Security Policy Level 2 Validation May 24 th, 2012 2011 Vormetric Inc. All rights
More informationCertificateless Public Key Cryptography
Certificateless Public Key Cryptography Mohsen Toorani Department of Informatics University of Bergen Norsk Kryptoseminar November 9, 2011 1 Public Key Cryptography (PKC) Also known as asymmetric cryptography.
More informationUser Authentication Principles and Methods
User Authentication Principles and Methods David Groep, NIKHEF User Authentication - Principles and Methods 1 Principles and Methods Authorization factors Cryptographic methods Authentication for login
More informationCryptography and Network Security
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown Chapter 15 Electronic Mail Security Despite the refusal of VADM Poindexter and LtCol North to appear,
More informationConfiguring SSL CHAPTER
7 CHAPTER This chapter describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section
More informationENTRUST CONNECTOR Installation and Configuration Guide Version April 21, 2017
ENTRUST CONNECTOR Installation and Configuration Guide Version 0.5.1 April 21, 2017 2017 CygnaCom Solutions, Inc. All rights reserved. Contents What is Entrust Connector... 4 Installation... 5 Prerequisites...
More informationPublic Key Infrastructure
Public Key Infrastructure Ed Crowley Summer 11 1 Topics Public Key Infrastructure Defined PKI Overview PKI Architecture Trust Models Components X.509 Certificates X.500 LDAP 2 Public Key Infrastructure
More informationAxway Validation Authority Suite
Axway Validation Authority Suite PKI safeguards for secure applications Around the world, banks, healthcare organizations, governments, and defense agencies rely on public key infrastructures (PKIs) to
More informationTFS WorkstationControl White Paper
White Paper Intelligent Public Key Credential Distribution and Workstation Access Control TFS Technology www.tfstech.com Table of Contents Overview 3 Introduction 3 Important Concepts 4 Logon Modes 4 Password
More informationOverview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation
Overview Key exchange Session vs. interchange keys Classical, public key methods Key generation Cryptographic key infrastructure Certificates Key storage Key escrow Key revocation Digital signatures May
More informationCoSign Hardware version 7.0 Firmware version 5.2
CoSign Hardware version 7.0 Firmware version 5.2 FIPS 140-2 Non-Proprietary Security Policy Level 3 Validation July 2010 Copyright 2009 AR This document may be freely reproduced and distributed whole and
More informationIntroduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution
Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution Egemen K. Çetinkaya Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University
More informationCryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea
Cryptography SSL/TLS Network Security Workshop 3-5 October 2017 Port Moresby, Papua New Guinea 1 History Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent
More informationETSI TS V1.2.2 ( )
TS 101 733 V1.2.2 (2000-12) Technical Specification Electronic signature formats 2 TS 101 733 V1.2.2 (2000-12) Reference DTS/SEC-004001 Keywords IP, electronic signature, security 650 Route des Lucioles
More informationConfiguring SSL. SSL Overview CHAPTER
CHAPTER 8 Date: 4/23/09 This topic describes the steps required to configure your ACE (both the ACE module and the ACE appliance) as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination.
More informationManaging Certificates
CHAPTER 12 The Cisco Identity Services Engine (Cisco ISE) relies on public key infrastructure (PKI) to provide secure communication for the following: Client and server authentication for Transport Layer
More informationChapter 9: Key Management
Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange
More informationCertification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure
Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure 1.0 INTRODUCTION 1.1 Overview The Federal Reserve Banks operate a public key infrastructure (PKI) that manages
More informationCryptography and Network Security Chapter 14
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 14 Key Management and Distribution No Singhalese, whether man or woman, would venture
More informationConfiguring SSL. SSL Overview CHAPTER
7 CHAPTER This topic describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section are:
More informationQUANTUM SAFE PKI TRANSITIONS
QUANTUM SAFE PKI TRANSITIONS Quantum Valley Investments Headquarters We offer quantum readiness assessments to help you identify your organization s quantum risks, develop an upgrade path, and deliver
More informationBut where'd that extra "s" come from, and what does it mean?
SSL/TLS While browsing Internet, some URLs start with "http://" while others start with "https://"? Perhaps the extra "s" when browsing websites that require giving over sensitive information, like paying
More informationCertificate Enrollment for the Atlas Platform
Certificate Enrollment for the Atlas Platform Certificate Distribution Challenges Digital certificates can provide a secure second factor for authenticating connections from MAP-wrapped enterprise apps
More informationX.509. CPSC 457/557 10/17/13 Jeffrey Zhu
X.509 CPSC 457/557 10/17/13 Jeffrey Zhu 2 3 X.509 Outline X.509 Overview Certificate Lifecycle Alternative Certification Models 4 What is X.509? The most commonly used Public Key Infrastructure (PKI) on
More informationFIPS Non-Proprietary Security Policy
Quantum Corporation Scalar Key Manager Software Version 2.0.1 FIPS 140-2 Non-Proprietary Security Policy Document Version 1.4 Last Update: 2010-11-03 8:43:00 AM 2010 Quantum Corporation. May be freely
More informationCS 356 Internet Security Protocols. Fall 2013
CS 356 Internet Security Protocols Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5
More informationHP Instant Support Enterprise Edition (ISEE) Security overview
HP Instant Support Enterprise Edition (ISEE) Security overview Advanced Configuration A.03.50 Mike Brandon Interex 03 / 30, 2004 2003 Hewlett-Packard Development Company, L.P. The information contained
More informationeidas Interoperability Architecture Version November 2015
eidas Interoperability Architecture Version 1.00 6. November 2015 1 Introduction This document specifies the interoperability components of the eidas-network, i.e. the components necessary to achieve interoperability
More informationUELMA Exploring Authentication Options Nov 4, 2011
UELMA Exploring Authentication Options Nov 4, 2011 A U T H E N T I C A T I O N M E T H O D S P R E L I M I N A R Y R E P O R T B R A D L E E C H A N G X C E N T I A L G R O U P B R A D @ X C E N T I A
More informationTrusted Computing Group
Trusted Computing Group Backgrounder May 2003 Copyright 2003 Trusted Computing Group (www.trustedcomputinggroup.org.) All Rights Reserved Trusted Computing Group Enabling the Industry to Make Computing
More informationHow to Configure S/MIME for WorxMail
How to Configure S/MIME for WorxMail Windows Phone 8.1 This article describes how to configure S/MIME (Secure/Multipurpose Internet Mail Extensions) for WorxMail Windows Phone 8.1. Note: This feature works
More informationAdding value to your MS customers
Securing Microsoft Adding value to your MS customers Authentication - Identity Protection Hardware Security Modules DataSecure - Encryption and Control Disc Encryption Offering the broadest range of authentication,
More informationThe Match On Card Technology
Precise Biometrics White Paper The Match On Card Technology Magnus Pettersson Precise Biometrics AB, Dag Hammarskjölds väg 2, SE 224 67 Lund, Sweden 22nd August 2001 Abstract To make biometric verification
More informationElliptic Curve Cryptography (ECC) based. Public Key Infrastructure (PKI) Kunal Abhishek Society for Electronic Transactions & Security (SETS), Chennai
Elliptic Curve Cryptography (ECC) based Public Key Infrastructure (PKI) Kunal Abhishek Society for Electronic Transactions & Security (SETS), Chennai 14th November, 2017 Focus of this talk What should
More informationCS530 Authentication
CS530 Authentication Bill Cheng http://merlot.usc.edu/cs530-s10 1 Identification vs. Authentication Identification associating an identity (or a claimed identity) with an individual, process, or request
More informationPublic Key Technology in Windows 2000
01 pp. 001-182.qxd 2/6/01 9:38 AM Page 105 Chapter 4 Public Key Technology in Windows 2000 The Windows 2000 operating system has a built-in public key infrastructure (PKI) to address the business needs
More informationETSI ES V1.1.3 ( )
ES 201 733 V1.1.3 (2000-05) Standard Electronic Signature Formats 2 ES 201 733 V1.1.3 (2000-05) Reference DES/SEC-003007-1 Keywords IP, electronic signature, security 650 Route des Lucioles F-06921 Sophia
More informationDigi-CPS. Certificate Practice Statement v3.6. Certificate Practice Statement from Digi-Sign Limited.
Certificate Practice Statement v3.6 Certificate Practice Statement from Digi-Sign Limited. Digi-CPS Version 3.6. Produced by the Legal & Technical Departments For further information, please contact: CONTACT:
More informationDisplaying SSL Configuration Information and Statistics
CHAPTER 7 Displaying SSL Configuration Information and Statistics This chapter describes the show commands available for displaying CSS SSL configuration information and statistics and an explanation of
More informationAn Introduction to Trusted Platform Technology
An Introduction to Trusted Platform Technology Siani Pearson Hewlett Packard Laboratories, UK Siani_Pearson@hp.com Content What is Trusted Platform technology and TCPA? Why is Trusted Platform technology
More informationKeyA3 Certificate Manager
3 PKI. .........KeyA3 Certificate Manager... -... --... --... User PIN --... SO PIN --... -... --... User PIN...... -- -- --... --... --... -- ... --... --... --... E-mail...Mozilla Thunderbird -...K3PKCS
More informationLecture 9a: Secure Sockets Layer (SSL) March, 2004
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu Security Achieved by
More informationCredential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003
Credential Management in the Grid Security Infrastructure GlobusWorld Security Workshop January 16, 2003 Jim Basney jbasney@ncsa.uiuc.edu http://www.ncsa.uiuc.edu/~jbasney/ Credential Management Enrollment:
More informationSymantec Managed PKI Overview. v8.15
Symantec Managed PKI Overview v8.15 Legal Notice Copyright 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks of
More informationLecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005
Lecture 30 Security April 11, 2005 Cryptography K A ciphertext Figure 7.3 goes here K B symmetric-key crypto: sender, receiver keys identical public-key crypto: encrypt key public, decrypt key secret Symmetric
More informationParticipant User Guide, Version 2.6
Developers Integration Lab (DIL) Participant User Guide, Version 2.6 3/17/2013 REVISION HISTORY Author Date Description of Change 0.1 Laura Edens Mario Hyland 9/19/2011 Initial Release 1.0 Michael Brown
More informationApple Inc. Certification Authority Certification Practice Statement
Apple Inc. Certification Authority Certification Practice Statement Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA Apple Application Integration - G3 Sub-CA Version 6.2 Effective
More informationEXBO e-signing Automated for scanned invoices
EXBO e-signing Automated for scanned invoices Signature Policy Document OID: 0.3.2062.7.2.1.12.1.0 Approval Status: Approved Version: 1.0 Page #: 1 of 13 1. Introduction 1.1. Scope This document covers
More informationCT30A8800 Secured communications
CT30A8800 Secured communications Pekka Jäppinen October 31, 2007 Pekka Jäppinen, Lappeenranta University of Technology: October 31, 2007 Secured Communications: Key exchange Schneier, Applied Cryptography:
More informationECA Trusted Agent Handbook
Revision 8.0 September 4, 2015 Introduction This Trusted Agent Handbook provides instructions for individuals authorized to perform personal presence identity verification of subscribers enrolling for
More informationIBM Education Assistance for z/os V2R1
IBM Education Assistance for z/os V2R1 Items: TLS V1.2 Suite B RFC 5280 Certificate Validation Element/Component: Cryptographic Services - System SSL Material is current as of June 2013 Agenda Trademarks
More informationDigital Certificate Operation in a Complex Environment PKI ARCHITECTURE QUESTIONNAIRE
Digital Certificate Operation in a Complex Environment A project within the Joint Information Systems Committee s Authentication, Authorisation and Accounting middleware programme PKI ARCHITECTURE QUESTIONNAIRE
More informationTrusted Computing in Drives and Other Peripherals Michael Willett TCG and Seagate 12 Sept TCG Track: SEC 502 1
Trusted Computing in Drives and Other Peripherals Michael Willett TCG and Seagate 12 Sept 2005 TCG Track: SEC 502 1 The Need for Trusted Computing 2 The Real World Innovation is needed: Client software
More information