IBM KeyWorks Accelerate Development of your Secure e-business Solutions Sekar Chandersekaran IBM

IBM KeyWorks Accelerate Development of your Secure e-business Solutions Sekar Chandersekaran IBM chanders@us.ibm.com

IBM KeyWorks
- Market Needs
- History
- KeyWorks Suite
- KeyWorks Components
- KeyWorks Functionality
- KeyWorks And Key Recovery
- KeyWorks Platform Coverage
- Futures

Market Needs
- Provide developers with a rich set of PKI services to build e-business applications or middleware components for a variety of industries
  - Examples: finance, health, and insurance industries
- Insulate developers from implementation details of PKI services
  - Cryptographic services (variety of algorithms, hardware or software implementations)
  - Certificate management services (validation, parsing, etc.)

Market Needs
- Promote ubiquity of the infrastructure
  - Availability on a large number of OS platforms
- Enable use of strong crypto in distributed applications operating across multiple jurisdictions

History
- 4Q96: Evaluated a variety of framework options and selected Intel CDSA 1.0 as desired specification
- 1997: Worked closely with Intel / others to address IBM requirements and standardization at
  - Key Recovery, Scalability, e-commerce Function, Portability
- 3Q97: Delivered IBM KeyWorks Release 1.0
- 1Q98: Delivered IBM KeyWorks Release 1.1

What is KeyWorks?
- Product Suite
  - KeyWorks Toolkit (Framework and Add Ins)
  - Key Recovery Service Provider
  - Key Recovery Server
- KMI Approval For Export since Sep 1997
  - Application Review Minimized Significantly

KeyWorks Toolkit Components
[Architecture diagram; toolkit contents are shown in red in the original. Recoverable labels:]
- Application Domains: E-COMMERCE, GLOBAL SIGNON, REGISTRY, DOMINO, VPN, FIREWALL
- Framework Enabled Protocol Handlers, Based on CDSA V 1.2 +: SSL, IPSEC, SEC DNS, S-MIME, DCE RPC, IIOP, MQ
- CSSM Security API (CSSM API): REG. / MGMT SERVICES, INTEGRITY SERVICES, JURISDICTION POLICY TABLE
- CSSM MGRS.: KRMM MGR., CRYPTO MGR., TRUST MGR., CERT. MGR., DATALIB MGR.
- Interfaces: KMI, SPI, TPI, CLI, DLI
- ADD IN: IBM KRSP (KRA CONFIG. FILE; ANCHOR, KRA CERTS.); PKCS, BSAFE, CCA 4758; X.509, DSA, Verisign, Entrust; IBM Registry; FILE, H/W, Directory, Cert Store (Validation, Store, Retrieve)
- Additional SPs for IBM VAULT REGISTRY, OTHERS
- NO CRL GENERATION

Trust Issues
- Need for Trust - FWK and SPs need to be trusted since they:
  - handle critical information (e.g. cryptographic keys)
  - make policy and access control decisions
  - establish trust in public key certificates
  - generate and process key recovery fields
- Trust Perimeter - FWK and SPs are within a perimeter of trust
  - This trust is established through a chain of trust. (Protocol Handlers will be within trust perimeter in a future release.)
- Chain of Trust - The chain of trust is established as follows:
  - FWK verifies self-integrity
  - FWK verifies SP
  - SP verifies self-integrity
  - SP verifies FWK

KeyWorks Bilateral Authentication
Integrity Steps in FWK
1. self-check
2. checks SP on disk
3. loads SP
4. initiates SP Integrity Checks
Integrity Steps in SP
1. self-check
2. checks FWK
3. passes up SP call table to FWK
[Diagram labels: FWK, SP1, SP2]

KeyWorks 1.1 + FEATURES
- APPLICATION PRIVILEGES SUPPORTED
- TRACE AND DEBUG CAPABILITIES
- PORTABILITY (LANGUAGE, ISOLATION)
- CONTEXT MANAGEMENT SERVICES
- MULTI THREADING
- PORTABLE KEY SUPPORT
- APPLICATION SPECIFIC SERVICES
- PERFORMANCE AND ROBUSTNESS
- KEY RECOVERY BLOCK (KRA COMPLIANT)
- KEY REC SERVER ADDITIONS

Key Recovery Service Provider
- Builds key recovery blocks to enable recovery of encryption keys
  - Implements IBM SKR algorithm
- Variable number of Key Recovery Agents
- Allows Customers to select their own PKI and
- No single point of security compromise
- Can use any approved CA for agent certificates
- Plugs into KeyWorks Toolkit
  - KR modifications to each CSP no longer needed

Recovering a Key
[Diagram. Recoverable labels: Key Recovery Officer; Authentication Info, Key Recovery Block; Decryption Key; Key Recovery Coordinator; Key Recovery Agent 1, Key Recovery Agent 2, Key Recovery Agent N]

OVERVIEW OF FRAMEWORKS & KEY RECOVERY
[Diagram. Recoverable labels: CERTIFICATE ISSUERS; CERTIFICATES ISSUED; ANCHOR CERT; KEY REC OFFICER; CERTIFICATES / PRIV. KEYS DIST. TO KRAs; KEY REC COORD.; KGINFO FROM KRB; RETURN KK INFO; KEY REC SERVER; KEY REC AGENT; KRA CERT AND PRIVATE KEY; KRA CERT; CERTIFICATES PUT IN CONFIG FILE BY IBM; AUTH CREDS; PROVIDE KRB, AUTH. INFO; RECEIVE ENC. KEY; ENC. DATA, KEY REC BLOCK; ENTERPRISE; LAW ENF; FWK PACK 1; KRSP PACK 2; CONFIG. FILES; KRSP 4758 PACK 3]

Key Recovery Server
- Recovers keys from blocks generated by Key Recovery Service Provider
- Stand-alone application with multiple roles
  - Key Recovery Officer, Key Recovery Coordinator, Key Recovery Agents
- Key recovery service may be offered by
  - Enterprise for in-house use
  - Independent service companies
- Available on NT since October 1997

IBM CommercePOINT Payment Exploitation
[Architecture diagram. Recoverable labels:]
- EXPLOITERS: IBM Registry for SET, CommercePOINT Payment eTill, CommercePOINT Payment Gateway, OTHERS
- APPROPRIATE MIDDLEWARE
- CSSM Security API (CSSM API): REG. / MGMT SERVICES, INTEGRITY SERVICES, JURISDICTION POLICY TABLE
- CSSM MGRS.: KRMM MGR., CRYPTO MGR., TRUST MGR., CERT. MGR., DATALIB MGR.
- Interfaces: KMI, SPI, TPI, CLI, DLI
- ADD INS: KRSP (KRA CONFIG. FILE; ANCHOR, KRA CERTS.); PKCS, BSAFE, 4758 HARDWARE; Cert Store, Retrieve; FILE, HARDWARE, Directory

Certificate Authority Suite - Building Blocks
[Layered diagram. Recoverable labels:]
- Applications: Collaboration Applications, Trusted e-business Applications, Web Server Applications, System Management Applications
- CAs: Notes CA, Vault Registry CA, Domino GO CA, Other CA
- Administrative User Interfaces: Notes, Vault Registry, Domino GO, Other
- Middleware, Specific Policies: Notes, Vault Registry, Domino GO, OTHER CA; IBM PKI
- Key Recovery: TIS Key Recovery, IBM Key Recovery
- Common Security Framework
- Cryptographic Services: PKCS11, BSAFE
- Trust Policy: Entrust, SET, Verisign
- Certificate Manager: Notes, BSAFE
- Data Library: GENERAL LDAP DL, Notes Data Library, CMS/CRT Data Srvcs. Library
- Common Infrastructure
Differentiation is based on the product's purpose and applications - not the CA

KEYWORKS FUTURES
- TOG VERSION 2.0 FULL COMPLIANCE
- FULL NLS SUPPORT
- FULL PKI SUPPORT (CERT. GENERATION AND CERT. LIFECYCLE SUPPORT)
- ADDITIONAL SUPPORT FOR KEY LIFECYCLE MANAGEMENT
- EXPLOITATION OF W BY NEW APPS IBM REGISTRY, NOTES, IPSEC, SSL..
  - E-COMMERCE APPS (PAYMENT etc.)
  - JAVA CSSM SUPPORT
- SPECIAL PROJECTS

KeyWorks Data Library Functions
- Provides persistent storage for certificates and CRLs (custom hardware devices, PKCS 11)
- LDAP V3 in 4Q 98
- IBM 4758 and Other Devices
- IBM Smart Card and Other Vendors also via Browsers

Encryption with Key Recovery
[Sequence diagram between Communication Protocol (side A) and Communication Protocol (side B), each above a KM Framework and a Cryptographic Framework, with an Intercept Point. Numbered steps:]
1. Create Symmetric Context
2. context handle HA1 rec. fields
3. Generate Recovery Fields
4. handle HA2 rec. fields
5. EncryptData (HA2, message)
6. Create Symmetric Context
7. context handle HB1
8. Recovery Fields (HB1, rec. fields)
9. handle HB2
10. DecryptData (HA2, enc(message))

KeyWorks Signed Manifests
Manifest File: CSP1.mf
  Name: CSP1.dll
  Section: CSP1
  SHA-1 Digest: [18 e3 ]
  Name:
  Section:
  SHA-1 Hash:
Signer's Info File: CSP1.sf
  Section: CSP1
  SHA-1 Digest: [2b a9 ]
  Section:
  SHA-1 Hash:
Signature Block File: CSP1.dsa
  Hash value
  PKCS #7 Signature Block
  Encrypted Hash value

FWK Chain of Trust (I)
Self-Integrity Verification by FWK
[Diagram. Recoverable labels: Application Layer code; LoadLibrary(CSSM); CSSM_Init( ); EISL; KpubIBMRoot; FWK DLL; Manifest of FWK; Signer's Info of FWK; Signature Block; KprivIBMFWK]

FWK Chain of Trust (II)
Verification of Service Providers by FWK
[Diagram. Recoverable labels: Application Layer code; CSSM_ModuleAttach(CSPi); EISL; KpubIBMRoot; FWK DLL; Verify Signature of CSPi; CSPi DLL; Manifest of CSPi; Signer's Info of CSPi; Signature Block; KprivIBMCSP]

FWK Chain of Trust (IV)
Reverse Verification of FWK by Service Providers
[Diagram. Recoverable labels: Application Layer code; FWK DLL; CSSM_AddInAuthenticate (CSSM_path); CSSM_RegisterServices (CSPi_EntryTable); EISL; KpubIBMRoot; CSPi DLL; CSPi verifies FWK integrity; Manifest of FWK; Signer's Info of FWK; Signature Block; KprivIBMFWK]
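
An added example (not IBM KeyWorks code) of the three-part credential from the Signed Manifests slide, checked the way each chain-of-trust step checks a module: module digest in the manifest, manifest digest in the signer's info, signature over the signer's info. The file layout is simplified, HMAC-SHA256 under a constructed key stands in for the PKCS #7 signature block verified with KpubIBMRoot, and all function names are hypothetical.

```python
import hashlib
import hmac

# Constructed stand-in key. The slides verify a PKCS #7 signature block with
# KpubIBMRoot; HMAC-SHA256 is swapped in so the example runs offline.
DEMO_KEY = b"constructed-demo-key"


def sha1_hex(data: bytes) -> str:
    # SHA-1 because the slide's manifest and signer's info carry SHA-1 digests.
    return hashlib.sha1(data).hexdigest()


def sign_module(name: str, image: bytes, key: bytes = DEMO_KEY) -> dict:
    """Build simplified .mf / .sf / signature parts for one module image."""
    section = name.rsplit(".", 1)[0]
    mf = f"Name: {name}\nSection: {section}\nSHA-1 Digest: {sha1_hex(image)}\n".encode()
    sf = f"Section: {section}\nSHA-1 Digest: {sha1_hex(mf)}\n".encode()
    return {"mf": mf, "sf": sf, "sig": hmac.new(key, sf, hashlib.sha256).digest()}


def field(blob: bytes, label: str) -> str:
    """Return the value of the first 'label: value' line in a credential part."""
    for line in blob.decode().splitlines():
        if line.startswith(label + ": "):
            return line[len(label) + 2:]
    raise ValueError(f"missing field: {label}")


def verify_module(image: bytes, cred: dict, key: bytes = DEMO_KEY) -> str:
    """Walk the chain from the signature inward; name the first broken link."""
    expected = hmac.new(key, cred["sf"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return "signer's info does not match signature block"
    if field(cred["sf"], "SHA-1 Digest") != sha1_hex(cred["mf"]):
        return "manifest does not match signer's info"
    if field(cred["mf"], "SHA-1 Digest") != sha1_hex(image):
        return "module does not match manifest"
    return "ok"


if __name__ == "__main__":
    image = b"constructed bytes standing in for CSP1.dll"
    cred = sign_module("CSP1.dll", image)
    print(verify_module(image, cred))
    print(verify_module(image + b"\x00", cred))
```

Checking from the signature inward means an altered manifest or module is only ever compared against digests that the signature already covers.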

FWK Noncircumventability
- CSP DLL has no exported service entry points
- entry points are registered dynamically at DLL Attach time after attaching application has been authenticated
1. LoadLibrary( CSP DLL ) - No exported interfaces
2. CSP verifies FWK
3. CSSM_RegisterServices ( ) - registration of CSP entry points
[Diagram labels: FWK DLL, Rogue Application, CSP DLL]

KEY RECOVERY DEPLOYMENT STEPS
- Obtain Approval to Export Developed Application
  - Export Approval From BXA (ONLY ONCE)
    - Description of Application
    - Description of CRYPTO and KRB Usage -- IS IT EXEMPT ETC.
    - DESCRIPTION OF MANUFACTURING JURISDICTION POLICY TABLE
    - APPROVED CA WITH ANCHOR CERTIFICATE AND APPROVED KEY RECOVERY AGENTS IN KR LE MAN TABLE
- OBTAIN IMPORT Approval for Application Deployment FROM EACH JURISDICTION
  - APPROVED LOCAL JURISDICTION POLICY TABLE
  - APPROVED CA, ANCHOR KEY, KRA CERTS. IN KR USE CONFIG. TABLE
- DISTRIBUTE APPLICATION AND INSTALL WITH PROPER LOCAL JURISDICTION FILE