Certification (KeyOne CA)

Description

KeyOne CA is the public key infrastructure (PKI) solution component that provides certification authority (CA) functions. KeyOne CA provides:

- Public key infrastructure deployment for governments, certification service providers and corporate environments.
- Management of user digital certificates in mobile devices, centralized servers and smart cards.
- Digital certificate provision for servers, applications and communication devices that require authentication, e-signing and data encryption.
- Maximum security guarantees and CA compliance with CEN and ETSI recommendations.
- Reduced integration and maintenance costs through support for integration standards, including JSON/REST and XML/SOAP interfaces.

Benefits

Complete and scalable
KeyOne CA is optimized for managing large volumes of certificates. It can handle CRLs with multiple distribution points, which makes it suitable for government and large infrastructures. The KeyOne solution includes components that provide advanced functions to the PKI, including registration (KeyOne XRA), certificate validation (KeyOne VA) and time-stamping (KeyOne TSA).

Standard support and mobility
KeyOne CA supports X.509 digital certificates interoperable with Windows, Mac and Linux desktop environments and with mobile devices running Google Android and Apple iOS. KeyOne provides PKI authentication, e-signing and data encryption without requiring proprietary applications. It is adaptable to the security mechanisms of a wide range of PKI-compatible applications and platforms.

Greater PKI control and management
KeyOne automatically manages the CA keys, providing greater ease of management and control of the PKI. You can define the events executed when keys are renewed, incorporate mechanisms to adjust the maximum lifetime of the digital certificates, and manage the coexistence of expired CA keys (used to transparently revoke certificates generated with these keys).

Integration and reduced maintenance costs
KeyOne CA operates as a network-accessible specialized service component. The system can be operated from the GUI or via the JSON/REST and XML/SOAP interfaces it incorporates. This reduces the cost of integrating and maintaining the digital certificate management functions. It supports standard protocols for security information and event management and monitoring, facilitating integration with SIEM and corporate monitoring systems.

Maximum security and trust
KeyOne CA is designed to facilitate compliance with the security requirements for trustworthy systems managing certificates for electronic signatures (CEN CWA 14167-1) in terms of roles and events. It facilitates adaptation to the ETSI TS 101 456 recommendations for the policies of certification authorities that issue recognized digital certificates. The system supports FIPS 140-2 Level 3 HSMs and is currently undergoing ISO/IEC 15408 EAL4+ (ALC_FLR.2) certification.

Safelayer Secure Communications S.A. is a leading provider of security software for public key infrastructure (PKI), multi-factor authentication, electronic signature, data encryption and the protection of electronic transactions.

Architecture

The following figure illustrates a Certification Authority (CA) operated by KeyOne CA and how it interacts with KeyOne (or third-party) products to provide registration and publishing options for the status of the certificates. The registration system can be implemented with KeyOne XRA or with a corporate application that acts as the RA. A directory, a Web server (not shown in the figure) or KeyOne VA can be used to publish the status of the certificates (using CRLs or OCSP). The HSM (network or internal) used for protecting the private keys of the CA is also shown in the figure.

Specifications subject to change without notice. All brand names are registered trademarks of their respective owners. Updated September 2014.

Functions

KeyOne CA can act as a Root CA, Subordinate CA, Cross CA or Bridge CA. Depending on how it is used, the CA operates in conjunction with the Safelayer KeyOne XRA product or with an application that assumes the entity registration functions. KeyOne CA can also operate in conjunction with the KeyOne VA product to provide the digital certificate validation service. The main functions of KeyOne CA are to:

- Generate and protect the private keys using cryptographic devices (HSM).
- Automatically manage the life-cycle and the coexistence of the private keys of the CA.
- Manage recognized RAs and assign them certification policies.
- Generate the ITU-T X.509v3 digital certificates (for users and applications) requested by the RAs.
- Generate and publish lists of revoked and suspended certificates (CRLs).
- Report on the status of the digital certificates so the validation service (VA) can publish it via OCSP.
- Allow the secure protection and retrieval of encryption keys (if they become lost).
- Guarantee the secure auditing of the events and actions carried out in the system.

Technical Specifications

- Certificate format: ITU-T X.509v3, IETF RFC 5280.
- Certification profiles: All standard extensions defined by ITU-T X.509v3, ETSI TS 101 862, IETF RFC 5280, RFC 6818 and RFC 3739.
- Revocation information: Single and multiple ITU-T X.509v2 CRL distribution points. OCSP via the optional KeyOne VA component.
- Certificate generation: RSA PKCS#10/PKCS#7. Support for Certificate Transparency (IETF RFC 6962).
- Key archiving: RSA PKCS#8 and PKCS#12 via the optional KeyOne Archive component.
- Connectivity: SQL, LDAP/SLDAP, Microsoft Active Directory, HTTP/HTTPS, REST/JSON Web Services and SOAP/XML, POP3 and SMTP.
- Cryptographic devices: RSA PKCS #11 with M-out-of-N secret sharing schemes.
- Event monitoring: SNMP v1, v2c and v3.
- SIEM integration and audit: Syslog protocol or Windows Event Log.
- Certification: CC EAL4+ (*).

System Requirements

- Operating systems: Windows or Solaris SPARC.
- Database systems: Oracle or Microsoft SQL Server.
- Optional HSM: Thales nCipher and SafeNet. Contact Safelayer to find out which models are homologated.
- LDAP server: Recommended for publishing certificates and CRLs to a directory.

(*) KeyOne CA has achieved the ISO/IEC 15408 EAL4+ (ALC_FLR.2) assurance level (http://www.oc.ccn.cni.es/) and complies with the CIMC Security Level 3 Protection Profile (Certificate Issuing and Management Component, NIST, 31 October 2001).

Safelayer Secure Communications S.A.
Basauri, 17, Edif. Valrealty, Edif. B, Pl. Baja Izquierda, Ofi. B, 28023 Madrid (Spain). Tel. +34 917 080 480. Fax +34 913 076 652. www.safelayer.com
World Trade Center (Edif. Sud, 4ª Planta), Moll de Barcelona s/n, 08039 Barcelona (Spain). Tel. +34 935 088 090. Fax +34 935 088 091
Validation (KeyOne VA)

Description

KeyOne VA is suitable for critical electronic signature validation processes, since it provides evidential value and greater efficiency in verifying the status of digital certificates (in contrast to conventional mechanisms based on revocation lists). KeyOne VA is designed to:

- Provide reliable information on the status of a digital certificate.
- Facilitate integration with corporate information systems.
- Reduce installation and maintenance costs.

Benefits

Maximum security
KeyOne products support defining the roles and events required to operate in compliance with the Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures (CWA 14167-1). KeyOne VA supports the roles of security operator, system administrator and system auditor.

Reliability and control
The event system guarantees the integrity of the registered data and that no information is lost. This is possible thanks to an emergency mechanism that is activated when the connection to the database is lost. KeyOne also supports selecting automatic events (which are assigned different levels of severity) and defining manual events (for registering actions that occur outside the application).

Efficiency for large infrastructures
KeyOne VA facilitates managing large volumes of certificates via the KeyOne CertStatus Server publication service. Because certificate status updating is optimized, response efficiency is guaranteed. KeyOne VA supports high-availability and scalable architectures.

Easy integration and accounting
KeyOne VA includes an interpreted programming language to define the interaction with information systems. It is possible to customize the system, incorporate new functions, connect to access-control systems and access internal information systems (to complement the information generated).

Updated September 2014.

Functions

The main functions of KeyOne VA are to:

- Store information on the status of the certificates generated by one or more Certification Authorities. The status of a digital certificate is updated by downloading the revocation lists or the information provided by Certification Authorities (CA) that have the KeyOne publication service (KeyOne CertStatus Server) installed. In both cases, updating is performed remotely.
- Receive user or service-provider requests on the status of the digital certificates used in the signing of electronic transactions.
- Guarantee the non-repudiation of the responses. These responses are digitally signed by the Validation Authority and specify the date and status (valid, revoked, cancelled or unknown) of a certificate.
- Route requests to other VAs that can provide an authoritative answer for certain digital certificates, as defined in RFC 2560.
- Generate event logs so operators can monitor the system status, its security and to what extent the corporate specifications are being met.
- Customize the system to tailor response delivery and content to the identity of the requester.

Architecture

The following figure illustrates the general architecture of KeyOne VA and how it interacts with network components (applications or users) under the IETF OCSP standard. KeyOne VA can operate with an HSM (network or internal) and requires access to a database and a network time source (not shown in the figure). Depending on the configuration of the certificate status update system, KeyOne VA connects regularly to a CA or to an LDAP directory. If it connects to a CA, the information on the status of the digital certificates comes from the KeyOne CA databases (which are accessed via the CertStatus service and Safelayer's NDCCP protocol). If it connects to an LDAP directory, the CRL published in the directory (or in a Web server not shown in the figure) is downloaded.

Technical Specifications

- Online validation protocol: IETF RFC 2560.
- Cryptographic devices: RSA PKCS #11.
- Connectivity: SQL, LDAP/SLDAP, Microsoft Active Directory, HTTP/HTTPS, REST and SOAP Web Services, POP3, SMTP and standard I/O.
- Update mechanism: ITU-T X.509v3 CRL and/or the KeyOne CertStatus Server module. Supports multiple CAs.
- Event monitoring: SNMP v1, v2c and v3.
- SIEM integration and audit: Syslog protocol or Windows Event Log.
- Certification: CC EAL4+ (*).

System Requirements

- Operating systems: Windows or Solaris SPARC.
- SMTP mail server: Recommended for implementing customized event notification.
- Database systems: Oracle or Microsoft SQL Server.
- Optional HSM: Thales nCipher and SafeNet. Contact Safelayer to find out which models are homologated.
- Time source: Operating system time synchronized with an external source.

(*) KeyOne VA has achieved the ISO/IEC 15408 EAL4+ (ALC_FLR.2) assurance level (http://www.oc.ccn.cni.es/) and complies with the CIMC Security Level 3 Protection Profile (Certificate Issuing and Management Component, NIST, 31 October 2001).
Registration (KeyOne XRA)

Description

KeyOne XRA is part of the Safelayer Public Key Infrastructure (PKI) solution. It provides the Registration Authority (RA) functions and is designed to provide:

- User registration and digital certificate life-cycle management through interaction with KeyOne CA.
- Certificate life-cycle management for PKI services and applications that require authentication, signature and data encryption.
- Digital certificate management for a wide range of user platforms and devices.
- Simplified PKI deployment thanks to a complete range of face-to-face and remote registration mechanisms.
- Registration system integration in corporate processes using the JSON/REST and XML/SOAP standard interfaces.

Benefits

User and mobility environments
KeyOne XRA's user management is independent of the user's environment. This enables deploying PKI authentication, e-signing and encryption for a wide range of PKI-compatible applications and platforms: Windows, Mac and Linux desktop environments and mobile devices with Google Android and Apple iOS operating systems are supported.

Certificates for applications
KeyOne XRA also manages applications that require digital certificates. It interacts with KeyOne CA to provide digital certificates for different purposes, including SSL, SSL EV and VPN certificates, and certificates for PKI services requiring authentication, e-signature and data encryption based on X.509 digital certificates.

Workflows and registration
KeyOne XRA is highly adaptable to business needs, both for user registration processes and for the delivery of digital certificates to users. Its workflow manager provides simple and reliable system configuration for defining which data processing actions are included in the registration process and which data the system exchanges with users, operators and applications.

Integration and cost saving
KeyOne XRA is ideal for integrating PKI registration in corporate processes. System functions can be used as Web services via the product's JSON and XML interfaces. The workflow management system supports easily defining which functions are provided as Web services and which are accessible from the GUI.

Maximum security and control
KeyOne XRA includes the role management, auditing and reporting mechanisms recommended by CEN CWA 14167-1 for digital certificate management systems for e-signatures. It facilitates adaptation to the ETSI TS 101 456 recommendations for the policies of certification authorities that issue recognized digital certificates.

Updated September 2014.

Functions

KeyOne XRA operates as a user/application registration service (RA) for requesting the issuing and revocation of digital certificates (in conjunction with KeyOne CA). The system can combine the following registration procedures:

- Face-to-face. Requesters verify their identity face-to-face to obtain their digital certificates. Once the registration agent approves the request, the keys are generated on the user's cryptographic card, mobile device or PC, depending on the registration policy. For deploying the registration station close to requesters, the agent can use KeyOne LXRA, the KeyOne XRA client application.
- Remote. Entirely remote certificate request and delivery processes are executed via the Web or in combination with other protocols, such as SCEP and Windows Enrollment. Requests can be pre-authorized (in this case, the requester usually authenticates by password), or the registration agent can approve them after validating the registration details provided by the requester.
- Automatic. Supports loading requester details from a trusted source, e.g., an HRM database or directory provided by a corporate application that interacts with KeyOne XRA. The connection with KeyOne XRA is made using XRA's JSON/REST or XML/SOAP interfaces for remotely invoking the registration system's digital certificate approval, renewal and revocation functions. The RA can also connect directly to the corporate database or directory to obtain requester details.

Architecture

The following figure illustrates a Registration Authority (RA) operated by KeyOne XRA and how it interacts with the different components of the architecture and other KeyOne products (KeyOne CA and KeyOne LXRA) to provide the types of registration supported. Optionally, depending on the registration procedure, the RA agent can have the KeyOne LXRA client application connected to a smart card printer (not shown in the figure). Requesters either have PCs for software certificates or for certificates on cryptographic cards, or mobile devices for certificates and keys for mobile operating systems. Application certificates for servers and HSMs are also requested via the Web or in combination with SCEP (Simple Certificate Enrollment Protocol), depending on the device.

Technical Specifications

- Certification request formats: RSA PKCS #10, ITU-T X.509v3 and Firefox.
- Certificate delivery and certification chain formats: RSA PKCS #7, PKCS #12 and ITU-T X.509v3.
- Certificate enrollment protocols: REST/JSON, SOAP/XML, SCEP, Windows Enrollment and Apple OTA Enrollment.
- Certification profiles: All the standard extensions defined by ITU-T X.509v3, Firefox and Microsoft.
- Revocation information: Single and multiple ITU-T X.509v2 CRL distribution points. OCSP via the optional KeyOne VA component.
- Connectivity: SQL, LDAP/SLDAP, Microsoft Active Directory, HTTP/HTTPS, REST and SOAP Web Services, POP3, SMTP and standard I/O.
- Cryptographic devices: RSA PKCS #11.
- Event monitoring: SNMP v1, v2c and v3.
- SIEM integration and audit: Syslog protocol or Windows Event Log.
- Certification: CC EAL4+ (*).

System Requirements

- Operating systems: Windows or Solaris SPARC.
- Database systems: Oracle or Microsoft SQL Server.
- Optional HSM: Thales nCipher and SafeNet. Contact Safelayer to find out which models are homologated.
- LDAP server: Recommended for publishing certificates and CRLs in a directory.
- SMTP mail server: Recommended for the generation of automatic notifications.
- Smart card printers: Datacard. Contact Safelayer to find out which models are homologated.
- Smart cards: G&D or Gemalto. Contact Safelayer to find out which models are homologated.

(*) KeyOne XRA has achieved the ISO/IEC 15408 EAL4+ (ALC_FLR.2) assurance level (http://www.oc.ccn.cni.es/) and complies with the CIMC Security Level 3 Protection Profile (Certificate Issuing and Management Component, NIST, 31 October 2001).
Time Stamping (KeyOne TSA)

Description

Electronic time-stamping is the only way to guarantee that a transaction occurred or that an electronic document was signed at a given time. KeyOne TSA, the Safelayer secure time-stamping service, is designed to:

- Guarantee, objectively and precisely, the registering of the moment a transaction occurs.
- Protect the time-stamp records.
- Allow easy and secure connection with the corporate control systems, minimizing installation and maintenance costs.

Benefits

Maximum security
KeyOne products support defining the roles and events required to operate in compliance with the Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures (CWA 14167-1). KeyOne TSA supports the roles of security operator, system administrator and system auditor.

Reliability and control
The reliability of a Time Stamping Authority (TSA) registration system is vital for ensuring the traceability of the issued time-stamps and for auditing their operation. The KeyOne registration mechanism incorporates a data protection system and an emergency system that ensures logs cannot be lost. KeyOne also supports selecting automatic events (with different levels of severity) and defining manual events (for registering actions that occur outside the application).

Maximum performance and scalability
Connected to cryptographic accelerators, KeyOne CA meets the highest load requirements, can be integrated in high-availability architectures and guarantees the fastest possible transactional response times.

Easy integration and accounting
KeyOne TSA includes an interpreted programming language to define the interaction with information systems. It is possible to customize the system, incorporate new functions, connect to access-control systems and access internal information systems (to complement the information generated).

Architecture

The following figure illustrates the general architecture of KeyOne TSA and how it interrelates with the network components (under the IETF time-stamp protocol). KeyOne TSA can operate with an HSM (network or internal) and requires access to a database and a network time source (e.g., via NTP).

Updated July 2016.

Functions

The main functions of KeyOne TSA are to:

- Receive time-stamp requests via the Internet from users and service providers that want to add time-stamps to electronic documents or transactions.
- Generate a digitally signed time-stamp that includes the time of the request, the information that securely binds the stamp to the electronic document, and a unique registration number for auditing purposes.
- Generate audit logs so operators can monitor the status of the system, its security and to what extent the corporate specifications are being met.

Technical Specifications

- Time-stamp protocols: IETF RFC 3161 and RFC 5816.
- Time-stamp profile and policies: ETSI EN 319 421 (replaces TS 102 023) and ETSI TS 319 422 (replaces TS 119 422 and TS 101 861).
- Cryptographic devices: RSA PKCS #11.
- Connectivity: SQL, LDAP/SLDAP, Microsoft Active Directory, HTTP/HTTPS, REST and SOAP Web Services, POP3, SMTP and standard I/O.
- Event monitoring: SNMP v1, v2c and v3.
- SIEM integration and audit: Syslog protocol or Windows Event Log.

System Requirements

- Operating systems: Windows or Solaris SPARC.
- SMTP mail server: Recommended for implementing customized event notification.
- Database systems: Oracle or Microsoft SQL Server.
- Optional HSM: Thales nCipher and SafeNet. Contact Safelayer to find out which models are homologated.
- Time source: Operating system time synchronized with an external source.