Enterprise Key Management Infrastructure: Understanding them before auditing them. Arshad Noor CTO, StrongAuth, Inc. Chair, OASIS EKMI-TC

Transcription

1 Enterprise Key Management Infrastructure: Understanding them before auditing them Arshad Noor CTO, StrongAuth, Inc. Chair, OASIS EI-TC

2 Agenda What is an EI? Components of an EI Auditing an EI ISACA members at OASIS EI Summary

3 Business Challenges Regulatory compliance PCI-DSS, FISMA, HIPAA, SB-1386, etc. Avoiding fines ChoicePoint: $15M, Nationwide: $2M Avoiding lawsuits TJX (multiple), Bank of America Avoiding negative publicity to the brand TJ Maxx, Ralph Lauren, Citibank, Wells Fargo, IBM, Ernst & Young, Fidelity, etc.

4 The Encryption Problem Generate Encrypt Decrypt Escrow Authorize Recover Destroy Generate Encrypt Decrypt Escrow Authorize Recover Destroy Generate Encrypt Decrypt Escrow Authorize Recover Destroy Generate Encrypt Decrypt Escrow Authorize Recover Destroy Generate Encrypt Decrypt Escrow Authorize Recover Destroy Generate Encrypt Decrypt Escrow Authorize Recover Destroy...and so on

5 Key-management silos Application Application Application Application Application Application Key Management Connections Network PKI Database or DB Driver OS or its Drivers Database or DB Driver Database or DB Driver Database or DB Driver OS or its Drivers OS or its Drivers Database or DB Driver Database or DB Driver Database or DB Driver OS or its Drivers OS or its Drivers OS or its Drivers Database or DB Driver Database or DB Driver Database or DB Driver OS or its Drivers OS or its Drivers OS or its Drivers

6 What is an EI? An Enterprise Key Management Infrastructure is: A collection of technology, policies and procedures for managing all cryptographic keys in the enterprise.

7 EI Characteristics A single place to define E policy A single place to manage all keys Standard protocols for E services Platform and Application-independent Scalable to service millions of clients Available even when network fails Extremely secure

8 E Harmony Application Application Application Application Application Application Network Key Management Connections EI Database or DB Driver Database or DB Driver Database or DB Driver PKI SS OS or its Drivers OS or its Drivers OS or its Drivers

9 The Encryption Solution Encrypt Decrypt Encrypt Decrypt SKS Server Encrypt Decrypt Encrypt Decrypt WAN Generate Protect Escrow Authorize Recover Destroy SKS Server Encrypt Decrypt Encrypt Decrypt

10 EI Components Public Key Infrastructure For digital certificate management; for strong-authentication, secure storage & transport of symmetric encryption keys Symmetric Key Management System SKS Server for symmetric key management SKCL for client interaction with SKS Server SKSML for SKCL-SKS communication EI = PKI + SS

11 PKI Well known, but not well understood Reputation for being costly and complex BUT... Used in every e-commerce solution Used by DOD of most democratic nations Citizen cards, e-passports Corporate Access Cards US Personal Identity Verification (PIV) IETF PKIX standards

12 SS: SKS Server Symmetric Key Services Server Contains all symmetric encryption keys Generates, escrows and retrieves keys ACLs authorizing access to encryption keys Central policy for symmetric keys: Key-size, key-type, key-lifetime, etc. Accepts SKSML protocol requests Functions like a DNS-server

13 SS: SKCL Symmetric Key Client Library Communicates with SKS Server Requests (new or old) symmetric keys Caches keys locally (KeyCachePolicy) Encrypts & Decrypts data (KeyUsePolicy) Currently supports 3DES, AES-128, AES-192 & AES-256 Makes SKSML requests Functions like DNS-client library

14 SS: SKSML Symmetric Key Services Markup Language Request new symmetric key(s) from SKS server, when Encrypting new information, or Rotating symmetric keys Request existing symmetric key(s) from SKS server for decrypting previously encrypted ciphertext Request key-cache-policy information for client

15 The Big Picture Java Application RPG Application C/C++ Application RPGNI JNI SKCL Crypto Module Key Cache 5 Network Application Server 4 DB Server Crypto Module Client Server 1. Client Application makes a request for a symmetric key 2. SKCL makes a digitally signed request to the SKS 3. SKS verifies SKCL request, generates, encrypts, digitally signs & escrows key in DB 4. Crypto HSM provides security for RSA Signing & Encryption keys of SKS 5. SKS responds to SKCL with signed and encrypted symmetric key 6. SKCL verifies response, decrypts key and hands it to the Client Application 7. Native (non-java) applications make requests through Java Native Interface

16 Security in an SS Symmetric keys are encrypted with SKS server's RSA public-key for secure storage Client requests are digitally signed (RSA) Server responses are digitally signed (RSA) and encrypted (RSA) All database records are digitally signed (RSA) when stored, and verified when accessed including history logs for message integrity

17 Common problems Using proprietary encryption algorithm Hiding encryption key on the machine Embedding encryption key in software Encrypting symmetric key with another Using a single key across the enterprise Backing up key with data on the same tape Using weak passwords for Password-Based- Encryption (PBE) No key-rotation or key-compromise plan

18 Auditing an EI Key-management policy Prerequisite controls: Physical access control to EI machines Logical & network access control to EI Standard security controls Firewall Minimal attack-surface (minimal services) Security patches Security logging

19 Auditing an SS Client Is a hardware token being used? How many people are required to log into the token to activate it? How many people have access to token? How often is the token PIN changed? How much data is encrypted with 1 key? SHA-1 hash of client library? Is the token backed up and how is it protected?

20 Auditing an SS Server Is a hardware token being used? How many people are required to log into the token to activate it? How many people have access to token? How often is token PIN changed? SHA-1 hashes of server jar files? Is the token backed up and how is it protected?

21 OASIS IDTrust Member Section Identity & Trusted infrastructure components Identity & Trust Policies, Enforcement, Education & Outreach Identify barriers and emerging issues Current Technical Committees: Enterprise Key Management Infrastructure TC Public Key Infrastructure Adoption TC

22 OASIS EI-TC Four (4) objectives & Sub-Committees: Standardize on Symmetric Key Services Markup Language (SKSML) Create Implementation & Operations Guidelines Create Audit Guidelines Create Interoperability Test-Suite

23 Current EI-TC Members FundServ (Canada) PA Consulting (UK) PrimeKey (Sweden) Red Hat (USA) StrongAuth (USA) US Department of Defense (USA) Visa International (USA) Wave Systems (USA) Many security/audit focused individuals

24 ISACA OASIS Many ISACA members from San Francisco are EI-TC (AGSC) members Full-day workshop scheduled for October- November 2007 Setting up an SS Operating an SS Auditing an SS Attacking an SS

25 Conclusion Securing the Core should have been Plan A from the beginning... but its not too late to remediate. OASIS EI-TC is driving new keymanagement standards that cuts across platforms, applications and industries. Auditing EIs requires new levels of knowledge and understanding. Get involved!

26 Thank you!