Mindshare 2018 The Nine Steps to Your Company ID:

Transcription

1 Mindshare 2018 : An IT Hero s Quest to Get Smart Adam Ross cv cryptovision GmbH T: +49 (0) F: +49 (0) info(at)cryptovision.com 1

2 Hooray! Your company has won a lucrative contract! Your company had been awarded a contract to supply widgets to a NATO member defense organization. Only a few tender requirements are standing between your company and a dragon s hoard of treasure. And so our journey begins 2

3 On our journey we use an IT project as an allegorical quest Your Company ID Project We don t tell the whole epic saga We just pick out some typical challenges, pitfalls, traps, and other surprises that are encountered during different project phases 3

4 And so our journey begins... Digital transformation More and more business processes are transferred from the analog world to the digital world In the digital world spying, counterfeiting, tampering is easy security is crucial Analog identities need to be transferred to digital identities 4

5 We will need to exchange restricted info with widget using Army We use this secure project as our quest for digital identities Requirements: security must be NATO-restricted compliant (comparable to VS-NfD in Germany) Administrator smart token use is extended to a full Company ID Card Strong authentication extended (including smart tokens, middleware, PKI, encryption) 5

6 We will need to exchange restricted info with widget using Army We use this secure project as our quest for digital identities Other important challenges: Connection to a 3rd party CA Lean CA management Compliance (e.g. separation of duties) Upgrade to company card possible Maybe add physical access 6

7 1. Analysis 2. Design 3. Implementation 4. Test 5. Pilot 6. Modification 7. Acceptance 8. Going Live 9. Extension 7

8 Analysis: Our first discovery... Some infrastructure is already existing. Is the existing environment NATO-restricted compliant? How much does my company already use security tokens? Do we already have a security token middleware that we can reuse? At least we already use some PKI (Microsoft) Analysis is made to find out whether customer could continue to use existing PKI 8

9 Analysis uncovers: GAPS! Analysis Certificates used not sufficient for NATO-restricted (Separation of ENC & SIGN Certs is needed) Algorithms used not sufficient for NATO-restricted Smart cards use pseudorandom generation and not sufficient for NATOrestricted (true random number generation on card required) smart card middleware not sufficient for NATOrestricted 9

10 Analysis uncovers: GAPS! Analysis results Certificates used not sufficient for NATO-restricted (Separation of ENC & SIGN Certs is needed) Algorithms used not sufficient for NATO-restricted Smart cards use pseudorandom generation and not sufficient for NATOrestricted (true random number generation on card required) smart card middleware not sufficient for NATOrestricted 10

11 Analysis: Propose applications that can close these gaps 11

12 1. Analysis 2. Design 3. Implementation 4. Test 5. Pilot 6. Modification 7. Acceptance 8. Going live 9. Extension 12

13 Design: How can we address this new challenge? Analysis shows: Beside software, we have to modify processes which is the next challenge. Company identifies that different groups of people will require different certificate types and business processes. How can we effectively build processes that support this information security model? 13

14 Design: The answer to our prayers... More managers! Different Enrolment processes required Machine certificates Person Typical User People Organizational Groups Person Priviliged Account Router, Gateways Employees Working groups Management Automated Enrolment via SCEP Approved by one just one additional employee External certificates (V-PKI) Reviewed and vetted before Approved by two managers It has been declared that different workflows are necessary... 14

15 Design: Build your own certificate processes Powerful Workflow engine: cryptovision s CAmelot Shalott Graphical Editor based on BPMN Workflow designer Editable form designer Simple to use 15

16 1. Analysis 2. Design 3. Implementation 4. Test 5. Pilot 6. Modification 7. Acceptance 8. Going Live 9. Extension 16

17 Implementation: Let s put this together and see if it works Now, let s get the infrastructure set up. Analysis shown: Need to migrate to different tokens NATO-restricted requirements are mandatory Need to implement PKI workflow (as already seen) 17

18 Implementation: How to effectively use what we ve got? Having support for old and new cards means we now support our company wide target. Start producing new certificates Migrate to new token Evaluate different authenticators: Mobile phones, TPM, or even Remote Token rather than smart tokens 18

19 Implementation: We need a token middleware that PKI-Applications Signature Browser SSO-Client Admin Tool User Tool Register Tool supports all major OS and token form factors ACTK Apple Crypto Token Driver PKCS#11 CSP Mini Driver Secure Token Interface Operating Systems Security Token 19

20 Implementation: We need sc/interface that supports multiple Card OS and a huge range of applications Cards ATOS CardOS: M4.01a / V4.2 / V4.2B / V4.2C / V4.3 / V4.3B / V4.4 / V5.0 / V5.3 AustriaCard JCOP: 21 V2.2 / 21 V2.3.1 / 31 V2.2 / 31 V2.2 contactless / 31 V2.3.1 / 31 V2.3.1 contactless / 31/72 V2.3.1 / 31 / 72 V2.3.1 contactless / 41 V2.2.1 / 41 V2.2.1 contactless / 41 V2.3.1 / 41 V2.3.1 contactless / 41 V2.4 / 41 V2.4 contactless Bundesdruckerei: GoID card v1, v2 D-Trust: D-Trust Card 3.0, 3.1, 3.2 epasslet-suite 1.1/1.2: on JCOP V2.4.1R3, on JCOP V2.4.1R3 with PACE Profile epasslet-suite 2.0: on JCOP V2.4.2R3, on JCOP V2.4.2R3 with PACE Profile Gemalto: TOP IM GX4 G&D Sm@rtCafé Expert: 3.1 / 3.1 contactless / 3.2 / 4.0 / 5.0 / 6.0 / 6.0 SCP 03 / 7 G&D STARCOS: 3.0 / 3.2 / 3.4 (Swiss Health Card egk) / 3.5 HID Crescendo: C700 / C700 contactless Infineon: JCLX80 jtop / JCLX80 jtop contactless NXP JCOP: V 2.1 / V2.2 / V2.2 Contactless / V2.2 / V2.3.1 / V2.4 / V2.4.1 / V2.4.2 / V2.4.2 R3 / V2.4.2 R3 SCP03 SwissSign: suisseid (CardOS M4.3B / M4.4) TCOS: Signature Card 2.0 Tokens Certgate microsd (NXP JCOP) G&D Sm@rtCafé Expert 3.2 USB token NXP JCOP: V2.2.1 IDptoken 200 SwissSign SwissID (CardOS M4.3B) Swissbit (SCT3512) Windows, OS X, Linux, edirectory IE, Firefox, Safari, Chrome Secure SAP R/3, SSH Windows, NCP, OpenVPN CryptWare, Secude, WinMagic s/mail, Outlook, Notes, PGP, GroupWise, Secude Novell, Secude, IBM Tivoli Access Manager Adobe Reader, suisseid Citrix, IGEL 20

21 Implementation: Choose your own adventure (or credential) Smartcard Reader Device Reader Driver (PCSC) Smartcard Middleware Applications TPM Smartcard Simulation Service Virtual Reader Driver (PCSC) Smartcard Middleware Applications Intel SGX Remote Server (HSM) Token Enclave Service Remote Connection Service Virtual Reader Driver (PCSC) Virtual Reader Driver (PCSC) Smartcard Middleware Smartcard Middleware Applications Applications Security Level Mobile Phone (ios, Android) Mobile Connection Service Virtual Reader Driver (PCSC) Smartcard Middleware Applications PFX-Datei PFX File Service Virtual Reader Driver (PCSC) Smartcard Middleware Applications lets tokens play a minor role 21

22 Implementation: Focus on our main quest for secure Implement the key to project: BSI approved solution Sign and encrypt s transparent using Microsoft Outlook and IBM Notes Free from backdoors Use it also without a PKI (with manual key exchange) 22

23 Implementation: We implement the solution cryptovision s GreenShield Mail Supports current crypto algorithms S/MIME capabilities Interoperable S/MIME solution Supports many tokens / profiles Usability functions (message recovery, group mailboxes) Optimized workflows Smart user concepts Supports Military Messaging Label 23

24 1. Analysis 2. Design 3. Implementation 4. Test 5. Pilot 6. Modification 7. Acceptance 8. Going Live 9. Extension 24

25 Test: How can this mail to a shared inbox be read by all? During the test phase, we check that the implementation will run as designed. Group mailboxes are tested and we learn Certain mails shall be answered from any member of a certain working group This requirement means that new group processes shall be supported 25

26 Test: Add KeyServer with remote keys and HSM Group mailboxes with CAmelot Keyp personal authentication based on users auth cert private working group key Sender Mail encrypted for working group Working Group symmetric key CAmelot Keyp decrypt mail with symmetric key Private key does not leave the securitycritical environment 26

27 Test: An effective solution Benefits of cryptovision s CAmelot Keyp Audit-compliant logging function Key generation on Key Server Keys can be stored on an HSM CAmelot Keyp can act as a key server routing access to group keys CAmelot Keyp can act as a key box providing keys for access to security critical components CAmelot Keyp can provide keys for remote authentication 27

28 1. Analysis 2. Design 3. Implementation 4. Test 5. Pilot 6. Modification 7. Acceptance 8. Going Productive 9. More 28

29 Pilot: POC was great for expert users, but what about Bob? User-friendliness is essential. We discovered that in particular, simple enrollment necessary. Otherwise users won't accept the system. Can normal users handle things like selfenrollment? This can be achieved with a little bit of magic and PKI client 29

30 Pilot: A wizard is never late, nor is he early, he arrives precisely when he means to. cryptovision s Pendragon PKI Client Administrators can pre-configure clients for certificate generation PKI Client reminds user to renew or to get new certificates User authenticates with his PIN against the PKI Client Process will run magically 30

31 1. Analysis 2. Design 3. Implementation 4. Test 5. Pilot 6. Modification 7. Acceptance 8. Going Live 9. Extension 31

32 Modification: Oops, we forgot about QES (eidas) Because of European vendors who require qualified signatures, the pilot has to be changed to implement QES. Some (but not all) users need qualified certificates Qualified signatures (legally binding) require the use of an additional CA (operated by a third party) Third party CA needs to be integrated 32

33 Modification: We are getting very meta... As in a Meta PKI Integrating a Third Party CA for qualified signatures User Local RA CAmelot Shalott Workflow Meta-PKI Certification Authority (CAmelot) CMP protocol (supported by many V-PKI CA) will be used Internal PKI workflow can be used for enrollment of 3rd party certificates For administrators choice of CA (internal or external) is transparent PKI Client Pendragon Remote Key Key Key Recovery Server HSM Company PKI serves as Meta-PKI connecting external PKI(s) Customer has complete control over certificates 33

34 Modification: Camelot RA and external CMS are the heart Local Registration Authority (RA) Meta-PKI to easily control and manage all certificates of your company whether internal certificate or routed to a 3rd party Local Registration Authority with Interface to a resource directory to get access to user data, user roles, user rights, and user certificates 34

35 Modification: Camelot RA and external CMS are the heart Card Management System (CMS) CMS integration to easily control and manage all security tokens Security Token Middleware supports virtually all available CMS with universal modules (CSP, Minidriver, PKCS#11 and Apple CTDK) 35

36 1. Analysis 2. Design 3. Implementation 4. Test 5. Pilot 6. Modification 7. Acceptance 8. Going Live 9. Extension 36

37 Acceptance: Getting everyone on board Acceptence is the most important challenge. Do we fulfil the requirements? NATO-restricted compliant solution installed Certified smart token Connection to V-PKI Manageable Meta-PKI Automated PKI workflows Satisfaction for the allpower auditors Universal smart token for strong authentication introduced First steps towards a full Company ID Card Introduced employee badge for logical access 37

38 Acceptance: Getting everyone on board Acceptence is the most important challenge. Did we face the other important challenges? V-PKI is connected via Meta-PKI Lean CA management is implemented using automated workflows Compliance is established using auditing together with central key services Used smart token can be upgraded to Company ID Card Physical access can also be added to token 38

39 Acceptance: Did putting it all together cover everything? Important concepts Separation of Duties Key Recovery Message Recovery Information protection Remote Key Usage User Self Service Automated processing 39

40 1. Analysis 2. Design 3. Implementation 4. Test 5. Pilot 6. Modification 7. Acceptance 8. Going Live 9. Extension 40

41 Going live After a successful acceptance test, we roll it out to everyone. What has been tested in the pilot now needs to work for a much larger amount of users. Some users are reluctant to embrace the system as it means a lot of repetitive PIN entry. 41

42 Going live: Adding extra value via improved user experience cryptovision s sc/interface cache sc/interface cache Single-Sign-On for 2-factor authentication Supports any application using a PIN Cross-platform capable of using multiple cryptointerfaces simultaneously Universal Windows Plattform (UWP) support Support for VDI environments Future-proof validated by Microsoft Caching configurable per process Interprocess exchange of PIN (e.g. PKCS11, Minidriver) Using your token as a key: lock and unlock your computer with it and use cached credentials by entering your PIN only once. Magic! 42

43 Going live: Adding sc/interface cache Within a company with 50,000 users (5 uses -> 5 times a day -> 5 sec per PIN entry) Pure working hours per day: 1,389 hrs Pure working time per day: 174 days Costs at 200 gross wage per day: 34,722.- Costs per month: 694,

44 1. Analysis 2. Design 3. Implementation 4. Test 5. Pilot 6. Extension 7. Acceptance 8. Going Live 9. Extension 44

45 Extension: Great success!!! Our Smart Token used for encryption becomes a multi-function Company ID card Employees love their company card and want to use it for things like: IT authentication, file encryption, signature Time recording Payment Physical access 45

46 Extension: File encryption to add protection for your assets Extend protection by using GreenShield File: Protect your assets Sign and encrypt files using Windows Explorer Also free from backdoors Use it also without a PKI (with manual key exchange) 46

47 Extension: File encryption to add protection for your assets cryptovision s GreenShield File Supports current crypto algorithms Interoperable S/MIME solution JAVA Technology, ready-to-use also on mobile platform Secure information exchange with non S/MIME mail clients and vice versa 47

48 Extension: Add more goodies, +ROI The infrastructure deployed can do even more. Additional concepts that can be realized with card deployed: Physical access Payment 48

49 Extension: One Card to do it All Physical access Different technologies are used for IT login and physical access PKI-based authentication Symmetric authentication Both can be implemented on the same card 49

50 Extension: It s all about the treasure (or money) Payment epasslet Suite 3.0 Virtually any kind of card payment scheme is possbile with cryptovision's epasslet Suite

51 Summary: One big picture PKI Smart card User Client Login directory 51

52 Summary: One big picture CAmelot Smart card HSM User Client Login directory 52

53 Summary: One big picture Card Management CAmelot Smart card sc/interface HSM User Client Login directory Web application 53

54 Summary: One big picture Card Management CAmelot epasslet Suite Smart card sc/interface HSM User Client Login directory Web application 54

55 Summary: One big picture Card Management CAmelot epasslet Suite Smart card sc/interface Shalott workflow HSM scep/responder Router User Client Login directory Router Web application 55

56 Summary: One big picture Card Management CAmelot epasslet Suite Smart card sc/interface Shalott workflow HSM scep/responder Router Green Shield Mail User Client Login directory Router Web application 56

57 Summary: One big picture Card Management CAmelot epasslet Suite Smart card sc/interface Shalott workflow CAmelot Keyp Key Recovery Remote Key HSM scep/responder Router Green Shield Mail User Client Login directory Router Web application 57

58 Summary: One big picture Card Management CAmelot External CA epasslet Suite Smart card sc/interface Local RA Shalott workflow CAmelot Keyp Key Recovery Remote Key HSM scep/responder Router Green Shield Mail User Client Login directory Router PKI Client: Pendragon Web application 58

59 Summary: One big picture Card Management CAmelot External CA epasslet Suite Smart card sc/interface Local RA Shalott workflow CAmelot Keyp Key Recovery Remote Key HSM scep/responder Router Green Shield Mail User Client sc/interface cache Login directory Router PKI Client: Pendragon Web application 59

60 Summary: One big picture Card Management CAmelot External CA epasslet Suite Smart card sc/interface Local RA Shalott workflow CAmelot Keyp Key Recovery Remote Key HSM scep/responder Router Green Shield Mail User Client sc/interface cache Login directory Router Green Shield File PKI Client: Pendragon Physical access Payment Web application 60

61 Summary: What a long strange quest it s been All projects have lots of unintended discoveries and may lead the need for changes of products and also business processes. During the project, additional challenges will also present themselves. Having a flexible strategy enables companies to deal with these unexpected new hurdles And it never hurts to have a bit of magic on your side 61

62 Thanks! cv cryptovision GmbH Munscheidstr Gelsenkirchen Germany Tel: +49 (0) 2 09 / Fax: +49 (0) 2 09 / info(at)cryptovision.com 62