cryptovision s Enterprise Solutions Brian Kowal, Guido Ringel cryptovision Mindshare 2017

Size: px

Start display at page:

Download "cryptovision s Enterprise Solutions Brian Kowal, Guido Ringel cryptovision Mindshare 2017"

Gervais Washington
6 years ago
Views:

1 cryptovision s Enterprise Solutions Brian Kowal, Guido Ringel cryptovision Mindshare 2017 cv cryptovision GmbH T: +49 (0) F: +49 (0) info(at)cryptovision.com 1

2 cryptovision Gelsenkirchen Office Vienna Office Silicon Valley Office Mexico City Subsidiary New York City 2

Developing elementary cryptographic applications cryptovision is adult Long history in customer projects Studying cryptographic basic algorithms

3 Developing elementary cryptographic applications cryptovision is adult Long history in customer projects Studying cryptographic basic algorithms Learning about customer needs Huge expirience in cryptographic product development Providing consulting service in many projects all over the world 3

4 What did we learn in 18 years? Solutions that work in practice! Simple administration Helpdesk support Simple deployment Include incident handling Scalable solutions Support work groups Process automation User self service 4

5 cryptovision's cryptographic solutions Flexible and scalable Comfortable and highly secure Based on almost two decades of experience 5

Result of almost two decades of customer projects:

6 cryptovision's solutions Result of almost two decades of experience: Four lines of high quality security products Result of almost two decades of customer projects: Convergence Convenience Convergence and Convinience that s covfefe. They get it! 6

7 Smallia small company up to 50 or 100 employees; manual managed administration Customers Mediumia Ltd medium company up to 1,000 employees; integrated services Largia Group large enterprise with several premises; highly automated services 7

8 Scenario definitions Smallia certificates to authenticate user beginning to secure infrastructure components Mediumia Ltd extend use cases by encryption use cases looking for a solution to combine logical and physical access Largia Group extend use cases by canteen payment add user self services and comparable easy 3rd party PKI administration 8

9 Smallia User Client Login directory 9

10 Smallia Certificate Authority (CA) Smart card sc/interface User Client Login directory 10

11 Smallia CA epasslet Suite Smart card sc/interface User Client Login directory 11

12 Smallia CA epasslet Suite! Smart card sc/interface User Client Login directory 12

13 Smallia CA Smart card sc/interface User Client Login directory Web application 13

14 Smallia CA Smart card sc/interface User Client Login directory workstation/cic WIFI Web application 14

15 Mediumia Ltd CA Smart card sc/interface scep/responder User Client Login directory workstation/cic WIFI Web application 15

16 Mediumia Ltd Card Management CA epasslet Suite Smart card sc/interface scep/responder User Client Login directory workstation/cic WIFI Web application 16

17 Mediumia Ltd Card Management CA epasslet Suite Smart card sc/interface scep/responder s/mail User Client Login directory workstation/cic WIFI Web application 17

18 Mediumia Ltd Card Management CA epasslet Suite s/mail! Smart card sc/interface scep/responder User Client Login directory workstation/cic WIFI Web application 18

19 Mediumia Ltd Card Management CA epasslet Suite Smart card HSM scep/responder sc/interface s/mail User Client Login directory workstation/cic WIFI Web application 19

20 Mediumia Ltd Card Management CA ocsp/responder epasslet Suite Smart card HSM scep/responder sc/interface s/mail User Client Login directory workstation/cic WIFI Web application 20

21 Mediumia Ltd Card Management CA ocsp/responder epasslet Suite Smart card HSM scep/responder sc/interface s/mail User Client Login directory workstation/cic WIFI Physical access Web application 21

22 Largia Group Card Management CA ocsp/responder epasslet Suite Smart card HSM scep/responder sc/interface s/mail User Client Credential cache Login directory workstation/cic WIFI Physical access Web application 22

23 Largia Group Card Management CA ocsp/responder epasslet Suite Smart card HSM scep/responder sc/interface s/mail User Client Credential cache Login directory workstation/cic Biometrics WIFI Physical access Web application 23

24 Largia Group Card Management CA ocsp/responder epasslet Suite Smart card sc/interface RA Shalott workflow HSM scep/responder s/mail User Client Credential cache Login directory workstation/cic Biometry PKI Client: Pendragon Physical access WIFI Web application 24

25 Largia Group Card Management CA ocsp/responder epasslet Suite Smart card sc/interface RA! Shalott workflow HSM scep/responder s/mail User Client Credential cache Login directory workstation/cic Biometry PKI Client: Pendragon Physical access WIFI Web application 25

26 Largia Group Card Management CA ocsp/responder epasslet Suite Smart card sc/interface RA! Shalott workflow Key Storage HSM Key Recovery Remote Key scep/responder s/mail User Client Credential cache Login directory workstation/cic Biometry PKI Client: Pendragon Physical access WIFI Web application 26

27 Largia Group External CA Card Management CA ocsp/responder epasslet Suite Smart card sc/interface RA Shalott workflow Key Storage HSM Key Recovery Remote Key scep/responder s/mail User Client Credential cache Login directory workstation/cic Biometry PKI Client: Pendragon Physical access WIFI Web application 27

28 Largia Group External CA! Card Management CA ocsp/responder epasslet Suite Smart card sc/interface RA Shalott workflow Key Storage HSM Key Recovery Remote Key scep/responder s/mail User Client Credential cache Login directory workstation/cic Biometry PKI Client: Pendragon Physical access WIFI Web application 28

29 Largia Group External CA Card Management CA ocsp/responder epasslet Suite Smart card sc/interface RA Shalott workflow Key Storage HSM Key Recovery Remote Key scep/responder s/mail User Client Credential cache Login directory workstation/cic Biometry PKI Client: Pendragon Physical access Payment WIFI Web application 29

30 Largia Group External CA Card Management CA ocsp/responder epasslet Suite Smart card sc/interface RA Shalott workflow Key Storage HSM Key Recovery Remote Key scep/responder s/mail User Client Credential cache Login directory workstation/cic Biometry PKI Client: Pendragon Physical access Payment WIFI Web application 30

31 Largia Group epasslet Suite s/mail!! Smart card sc/interface External CA! RA! Shalott workflow Card Management CA Key Storage HSM Key Recovery Remote Key ocsp/responder scep/responder User Client Credential cache Login directory workstation/cic Biometry PKI Client: Pendragon Physical access Payment WIFI Web application 31

32 Local registration authority HSMs card management system user PKI issuing and renewal use case Manual administration processes Centralized user services Card management without key management Token based key storage employee batch certificate authority LDAP IDM system 32

33 1 How to import a trust anchor 2 How to import a certificate What a PKI user needs to know 3 How to protect your private keys 4 How to apply for a certificate 5 Why you shouldn't ignore PKI warnings 10 How to export a certificate 6 How to interpret PKI error messages 11 Risks of changing encryption keys 7 How to turn on digital signing 12 Difference between signature and.signature file 8 How to install someone's public key 13 How to turn on encryption 9 How to get someone's public key 14 How to interpret security icons 15 What happens if a key is revoked 16 What does the padlock really mean 17 Why check the three boxes in Netscape/ Mozilla 18 What does "untrusted CA' mean 19 How to move and install certificates and private keys Source: Prof. Angela Sasse 33

34 Market trends Next Generation Key Management Easy administration User self service Centralized Secure Key Management Secure Key Roaming IT administration has to provide numerous different applications has to ensure application and data security is looking for lean security management is looking for services that can be easily integrated in environment 34

35 Market trends Next Generation Key Management Easy administration User self service Centralized Secure Key Management Secure Key Roaming cryptovision: Digital transformation is going on IT environments will become more and more complex (due to mobile devices and IoT) so it is important to offer automated and integrated solutions customer must have full control over the security infrastructure security management must be easy to administrate 35

36 Enrolment: signature certificate Local RA Generate certificate Public key Certificate Workflow powered by Shalott LDAP user Key generation Next Generation Key Management Easy administration User self service Centralized Secure Key Management Secure Key Roaming Smart card PKI client: Pendragon Registration authority (CAmelot) Remote Key Key server Key Recovery Certificate authority 36

37 Enrolment: encryption certificate Local RA Workflow powered by Shalott LDAP User Smart card Registration authority (CAmelot) Key pair certificate Next Generation Key Management Easy administration User self service Centralized PKI client: Secure Pendragon Key Management Key Secure Key Roaming generation Private key Remote Key Key server Key Recovery Certificate authority 37

38 1 How to import a trust anchor 2 How to import a certificate What a PKI user needs to know 3 How to protect your private keys 4 How to apply for a certificate 5 Why you shouldn't ignore PKI warnings 10 How to export a certificate 6 How to interpret PKI error messages 11 Risks of changing encryption keys 7 How to turn on digital signing 12 Difference between signature and.signature file 8 How to install someone's public key 13 How to turn on encryption 9 How to get someone's public key 14 How to interpret security icons 15 What happens if a key is revoked 16 What does the padlock really mean 17 Why check the three boxes in Netscape/ Mozilla 18 What does "untrusted CA' mean 19 How to move and install certificates and private keys Source: Prof. Angela Sasse 38

39 Gateways Server Smart card login Mail encryption Smart card Signing User Authentication Smart Card Middleware and CMS Multi token support Card management Partial BYOD support Full application support Physical Access Payment Enterprise Auth 39

40 Market trends Smart Cards and Mobility Multi Credential support Secure Credential Management Full BYOD support Full application support Cryptographic token Are far better than passwords to secure data and devices Have to be handy Are more and more replaced by other ways of authentication 40

41 Market trends Smart Cards and Mobility Multi Credential support Secure Credential Management Full BYOD support Full application support cryptovision: It security has to be used Token don t have to be misused, e.g. broken cards in readers so it security has to support handy authentication objects all these ways to authenticate must be supported 41

42 Credential orchestration system Smartcard Reader Device Reader Driver (PCSC) Smartcard Middleware Application Extension to support additional virtual token (Intel SGX, ios, Android, etc.) offer seamless integration for existing infrastructure TPM Intel SGX Remote Server (HSM) Smartcard Simulation Service Token Enclave Service Remote Connection Service Virtual Reader Driver (PCSC) Virtual Reader Driver (PCSC) Virtual Reader Driver (PCSC) Smartcard Middleware Smartcard Middleware Smartcard Middleware Application Application Application Security Level Smart Cards and Mobility Multi Credential support Secure Credential Management Full BYOD support Full application support Mobile Phone (ios, Android) PFX file Mobile Connection Service PFX File Service Virtual Reader Driver (PCSC) Virtual Reader Driver (PCSC) Smartcard Middleware Smartcard Middleware Application Application 42

Module TPM SGX Remote Mobile Phone Hardware Token Virtual Token Virtual Token Virtual Token

43 Credential orchestration system Use of existing smart card based applications No modification of existing use cases Virtual Token Module: Configuration of different token Virtual Token Module TPM SGX Remote Mobile Phone Hardware Token Virtual Token Virtual Token Virtual Token Virtual Token Virtual Token sc/interface Minidriver PKCS#11 Smartcard Logon SSL/TLS VPN CMS 43

44 client File system mail server Encrypt data We need usable encryption No encrypted Communication No encrypted Documents No encrypted Assets Only network protection User Key exchange User 44

45 Market trends We need usable encryption Encrypted Communication Encrypted Documents Encrypted Assets End-To-End-Encryption Snowden-Case and other cases have shown we have to think of new aspects to secure networks and information often internal stuff deals with confidential information it is not enough to secure the network interfaces specific assets have to be secured 45

46 Market trends We need usable encryption Encrypted Communication Encrypted Documents Encrypted Assets End-To-End-Encryption cryptovision: More and more customers ask for mechanisms to secure their confidential information That means that they want to encrypt files and storage and even s Some customers think about end-to-end encryption in communication 46

47 client client File system mail server mail server We need usable encryption Encrypted Communication Encrypted Documents Encrypted Assets End-to-End-Encryption s/mail User PKI Client: Pendragon s/mail User other s/mime client 47

48 User User We need a transnational guideline for the use of digital signatures No regulation for electronic business processes No transnational acceptance for digital signatures No defined delivery and archive services Certificate authority Certificate authority 48

49 Content of the eidas regulation: Electronical Identification We need a transnational guideline for the use of digital signatures No regulation for electronic business processes No transnational acceptance for digital signatures No defined delivery and archive services Electronic trusted services Electronic signatures Electronic seals Electronic time stamps Website-Authentication Electronical delivery services Electronical archive services 49

50 Market trends We need a transnational guideline for the use of digital signatures Common legal basis for electronic business processes Transnational accepted digital signatures Also accepted delivery and archive services eidas regulation Provides an europeanwide standardized basis for trustworthy and continuously verifyable digital business processes Allows the digital implementation of business processes in one of the biggest economic areas Will accelerate the correspondence of the companies and reduce their administration 50

51 Market trends We need a transnational guideline for the use of digital signatures Common legal basis for electronic business processes Transnational accepted digital signatures Also accepted delivery and archive services cryptovision: We believe in smart and lean and strongly secured electronic workflows We highly appreciate the new initiative to establish qualified electronic signatures without bureauctratic overhead We think the eidas regulation has the potential to revolutionize the transnational business correspondence in Europe 51

52 User User We need a transnational guideline for the use of digital signatures Common legal basis for electronic business processes Transnational accepted digital signatures Also accepted delivery and archive services Certificate authority Certificate authority 52

53 Public LDAP Workflow powered by Shalott User Smart card Registration authority (CAmelot) External CA Internal CA (Camelot) PKI client: Pendragon Remote Key Key server Key Recovery LDAP 53

54 4.0 Mar June Feb June Jan 2019 More Camelot: Shalott workflow engine Pendragon PKI client CAmelot Roadmap 54

55 4.0 Mar June Feb June Jan 2019 More CAmelot Keyp: Secure Key Storage Key Recovery / Escrow Remote Key CAmelot Roadmap 55

56 4.0 Mar June Feb June Jan 2019 More Mini-CMS Full integrated workflow with LDAP connectivity CAmelot Roadmap 56

57 4.0 Mar June Feb June Jan 2019 More CV-Certificates according to TR V2.2 CV (CHAT extension) Single Point of Contact (SPOC according točsn ) National PKD CAmelot Roadmap 57

58 4.0 Mar June Feb June Jan 2019 More CV-Certificates according to TR V2.2 CV (CHAT extension) Single Point of Contact (SPOC according točsn ) National PKD CAmelot Roadmap 58

x Module extensions Apple crypto token kit PKCS#11 ios PKCS#11 V2.

59 Version 7.0 (6.xx) MS VSC PACE with GoID Signature profile with CardOS 5.3 Biometrie with Neuro Technology Version 7.x Module extensions Apple crypto token kit PKCS#11 ios PKCS#11 V2.40 Bio SourceAFIS epasslet 3.0 support More smart cards / profiles (IDClassic, D-Trust 3.1,..) Cryptovision ID-Card Credential Cache 2.0 SGX sc/interface Roadmap

PIV Edition 2.0 Version 7.x PACE / SM mit CardOS 5.

Virtual Token (cryptovision) TPM connection SGX GUI Enhancements (4K) Version 8.

60 PIV Edition 2.0 Version 7.x PACE / SM mit CardOS 5.3 Credential Orchestration System Phase I Virtual Token Module MS VSC / TPM Virtual Token Manager Version (7.xx) Credential Orchestration System Phase II Virtual PC/SC STI Minidriver Virtual Token (cryptovision) TPM connection SGX GUI Enhancements (4K) Version 8.0 (7.xx) Credential Orchestration System mobile Android ios Windows Mobile GUI Enhancements (4K) sc/interface Roadmap

61 5.0 Sep Jan Aug 2018 More Token Support Certificate Verification Certificate Management S/MIME File Encryption s/mail Roadmap 61

62 5.0 Sep Jan Aug 2018 More Outlook Integration Message Recovery PKI-Client Integration PGP Support (X.509) Full Crypto Support s/mail Roadmap 62

63 5.0 Sep Jan Aug 2018 More Notes Integration Full CRL Support PIN Cache Mobile Client s/mail Roadmap 63

64 More S/MIME Library Mail Gateway Full PGP Support Alternative Clients Great technology, great company. They re going to make cryptography great again. s/mail Roadmap 64

65 Contact cv cryptovision cv cryptovision GmbH Munscheidstr Gelsenkirchen Germany Tel: +49 (0) 2 09 / Fax: +49 (0) 2 09 / info@cryptovision.com Public Relations Klaus Schmeh Marketing Guido Ringel Product Management Benjamin Drisch, Ralf König, Guido Ringel Sales Brian Kowal, Adam Ross, Marco Smeja, Uwe Skrzypczak, Sascha Wester, Fermin Vasquez Thank You for your attention! 65

The Top Four Trends in eid Technology Marco Smeja, cryptovision Mindshare 2017

The Top Four Trends in eid Technology Marco Smeja, cryptovision Mindshare 2017 cv cryptovision GmbH T: +49 (0) 209.167-24 50 F: +49 (0) 209.167-24 61 info(at)cryptovision.com 1 2 The Smart Card Evolution