IBM KeyWorks Accelerate Development of your Secure e-business Solutions Sekar Chandersekaran IBM chanders@us.ibm.com
IBM KeyWorks Market Needs History KeyWorks KeyWorks KeyWorks KeyWorks KeyWorks Suite Components Functionality And Key Recovery Platform Coverage Futures
Market Needs Provide developers with a rich set of PKI services to build e-business applications or middleware components for a variety of industries! Examples: finance, health, and insurance industries Insulate developers from implementation details of PKI services! Cryptographic services (variety of algorithms, hardware or software implementations)! Certificate management services (validation, parsing, etc.)
Market Needs Promote ubiquity of the infrastructure! Availability on a large number of OS platforms Enable use of strong crypto in distributed applications operating across multiple jurisdictions
History 4Q96: Evaluated a variety of framework options and selected Intel CDSA 1.0 as desired specification 1997: Worked closely with Intel / others to address IBM requirements and standardization at! Key Recovery, Scalability, e-commerce Function, Portability 3Q97: Delivered IBM KeyWorks Release 1.0 1Q98: Delivered IBM KeyWorks Release 1.1
What is KeyWorks? Product Suite! KeyWorks Toolkit (Framework and Add Ins)! Key Recovery Service Provider! Key Recovery Server KMI Approval For Export since Sep 1997! Application Review Minimized Significantly
KeyWorks Toolkit Components Application E-COMMERCE, GLOBAL SIGNON, REGISTRY,DOMINO, VPN, FIREWALL Domains Framework Enabled Protocol Handlers Based on CDSA V 1.2 + SSL, IPSEC, SEC DNS, S-MIME, DCE RPC, IIOP,MQ REG. / MGMT SERVICES CSSM Security API CSSM API INTEGRITYSERVICES CSSM MGRS. JURISDICTION POLICY TABLE Toolkit contents in RED ADD IN KRA CONFIG. FILE ANCHOR, KRA CERTS. NO CRL GENERATION+9 KRMM MGR. IBM KRSP CRYPTO MGR. PKCS BSAFE CCA 4758 TRUST MGR. CERT. MGR. X.509 DSA Verisign Entrust DATALIB MGR. KMI SPI TPI CLI DLI X.509 IBMRegistry DSA ENTRUST Verisign Validation Store Retrieve in FILE H/W Directory Cert Store Additional SPs for IBM VAULT REGISTRY,OTHERS
Trust Issues Need for Trust - FWK and SPs need to be trusted since they:! handle critical information (e.g... cryptographic keys)! make policy and access control decisions! establish trust in public key certificates! generate and process key recovery fields Trust Perimeter - FWK and SPs are within a perimeter of trust! This trust is established through a chain of trust. (Protocol Handlers will be within trust perimeter in a future release.) Chain of Trust - The chain of trust is established as follows:! FWK verifies self-integrity! FWK verifies SP! SP verifies self-integrity! SP verifies FWK
KeyWorks Bilateral Authentication Integrity Steps in FWK 1. self-check 2. checks SP on disk 3. loads SP SP1 4. initiates SP Integrity Checks Integrity Steps in SP 1. self-check 2. checks FWK 3. passes up SP call table to FWK FWK SP2
KeyWorks 1.1 + FEATURES APPLICATION PRIVILEGES SUPPORTED TRACE AND DEBUG CAPABILITIES PORTABILITY (LANGUAGE, ISOLATION) CONTEXT MANAGEMENT SERVICES MULTI THREADING PORTABLE KEY SUPPORT APPLICATION SPECIFIC SERVICES PERFORMANCE AND ROBUSTNESS KEY RECOVERY BLOCK (KRA COMPLIANT) KEY REC SERVER ADDITIONS
Key Recovery Service Provider Builds key recovery blocks to enable recovery of encryption keys! Implements IBM SKR algorithm Variable number of Key Recovery Agents Allows Customers to select their own PKI and No single point of security compromise Can use any approved CA for agent certificates Plugs into KeyWorks Toolkit KR modifications to each CSP no longer needed
Recovering a Key Key Recovery Officer Authentication Info, Key Recovery Block Decryption Key Key Recovery Coordinator Key Recovery Agent 1 Key Recovery Agent 2 Key Recovery Agent N
OVERVIEW OF FRAMEWORKS & KEY RECOVERY CERTIFICATE CERTIFICATE ISSUERS ISSUERS CERTIFICATE ISSUERS CERTIFICATES ISSUED ANCHOR CERT KEY REC OFFICER CERTIFICATES/ PRIV. KEYS DIST. TO KRAs KEY REC COORD. KGINFO FROM KRB RETURN KK INFO KEY REC SERVER KEY REC AGENT KRA CERT AND PRIVATE KEY ANCHOR CERT KRA CERT KRA CERT CERTIFICATES PUT IN CONFIG FILE BY IBM AUTH CREDS PROVIDE KRB, AUTH. INFO RECEIVE ENC.KEY CONFIG. ENC.DATA, KEY REC BLOCK ENTERPRISE FWK PACK 1 FWK PACK 1 CONFIG. LAW ENF KRSP PACK 2 CONFIG. FILES KRSP 4758 PACK 3
Key Recovery Server Recovers keys from blocks generated by Key Recovery Service Provider Stand-alone application with multiple roles! Key Recovery Officer, Key Recovery Coordinator, Key Recovery Agents Key recovery service may be offered by! Enterprise for in-house use! Independent service companies Available on NT since October 1997
IBM CommercePOINT Payment Exploitation EXPLOITERS IBM Registry for SET CommercePOINT Payment etill CommercePOINT PaymentGateway OTHERS APPROPRIATE MIDDLEWEARE REG. / MGMT SERVICES CSSM Security API CSSM API INTEGRITY SERVICES JURISDICTION POLICY TABLE KRMM MGR. CRYPTO MGR. TRUST MGR. CERT. MGR. DATALIB MGR. KMI SPI TPI CLI DLI CSSM MGRS. KRA CONFIG. FILE ANCHOR, KRA CERTS. KRSP PKCS BSAFE 4758 HARDWARE Cert Store Retrieve FILE HARDWARE Directory ADD IN S Cert Store
Certificate Authority Suite - Building Blocks Collaboration Applications Trusted ebusiness Applications Web Server Applications System Management Applications Applications Notes C A Vault Registry CA Domino GO CA Other CA Notes Administrative User Interface Vault Registry Administrative User Interface Domino GO Administrative User Interface Other Administrative User Interface Middleware Notes Specific Policies Vault Registry Specific Policies IBM PKI Domino GO Specific Policies OTHER CA Specific Policies TIS Key Recovery IBM Key Recovery Common Security Framework PKCS11 Cryptographic Services BSAFE Cryptographic Services Entrust Trust Policy SET Trust Policy Verisign Trust Policy Notes Certificate BSAFE Manager Certificate Manager GENERAL LDAP DL Notes Data CMS/CRT Library Data Srvcs. Library Common Infrastructure Differentiation is based on the product's purpose and applications - not the CA
KEYWORKS FUTURES TOG VERSION 2.0 FULL COMPLIANCE FULL NLS SUPPORT FULL PKI SUPPORT (CERT. GENERATION AND CERT. LIFECYCLE SUPPORT ) ADDITIONAL SUPPORT FOR KEY LIFECYCLE MANAGEMENT EXPLOITATION OF W BY NEW APPS IBM REGISTRY, NOTES, IPSEC, SSL..! E-COMMERCE APPS ( PAYMENT etc.)! JAVA CSSM SUPPORT SPECIAL PROJECTS
KeyWorks Data Library Functions Provides persistent storage for certificates and CRLs (custom hardware devices, PKCS 11) LDAP V3 in 4Q 98 IBM 4758 and Other Devices IBM Smart Card and Other Vendors also via Browsers
Encryption with Key Recovery 3. Generate Recovery Fields 4. handle HA2 rec. fields 1. Create Symmetric Context Communication Protocol (side A) 2. context handle HA1 rec. fields 5. EncryptData (HA2, message) 6. Create Symmetric Context Communication Protocol (side B) 7. context handle HB1 Recovery Fields (HB1, rec. fields) 9. handle HB2 10. DecryptData (HA2, enc(message)) KM Framework Cryptographic Framework Cryptographic Framework KM Framework Intercept Point
KeyWorks Signed Manifests Manifest File: CSP1.mf Name: CSP1.dll Section: CSP1 SHA-1 Digest: [18 e3 ] Name: Section: SHA-1 Hash: Signer s Info File: CSP1.sf Section : CSP1 SHA-1 Digest: [2b a9 ] Section : SHA-1 Hash: Signature Block File: CSP1.dsa Hash value PKCS #7 Signature Block Encrypted Hash value
FWK Chain of Trust (I) Self-Integrity Verification by FWK Application Layer code LoadLibrary(CSSM) CSSM_Init( ) EISL KpubIBMRoot FWK DLL Manifest of FWK Signer s Info of FWK Signature Block KprivIBMFWK
FWK Chain of Trust (II) Verification of Service Providers by FWK Application Layer code CSSM_ModuleAttach(CSPi ) EISL KpubIBMRoot FWK DLL Verify Signature of CSPi CSPi DLL Manifest of CSPi Signer s Info of CSPi Signature Block K privibmcsp
FWK Chain of Trust (IV) Reverse Verification of FWK by Service Providers Application Layer code FWK DLL CSSM_AddInAuthenticate ( CSSM_path ) CSSM_RegisterServices (CSPi_EntryTable ) EISL KpubIBMRoot CSPi DLL CSPi verifies FWK integrity Manifest of FWK Signer s Info of FWK Signature Block KprivIBMFWK
FWK Noncircumventability - CSP DLL has no exported service entry points - entry points are registered dynamically at DLL Attach time after attaching application has been authenticated FWK DLL Rogue Application 1 2 3 1 2 CSP DLL CSP DLL 1. LoadLibrary( CSP DLL ) - No exported interfaces 2. CSP verifies FWK 3. CSSM_RegisterServices ( ) - registration of CSP entry points
KEY RECOVERY DEPLOYMENT STEPS Obtain Approval to Export Developed Application! Export Approval From BXA (ONLY ONCE) Description of Application Description of CRYPTO and KRB Usage -- IS IT EXEMPT ETC. DESCRIPTION OF MANUFACTURING JURISDICTION POLICY TABLE APPROVED CA WITH ANCHOR CERTIFICATE AND APPROVED KEYRECOVERY AGENTS IN KR LE MAN TABLE OBTAIN IMPORT Approval for Application Deployment FROM EACH JURISDICTION! APPROVED LOCAL JURISDICTION POLICY TABLE! APPROVED CA, ANCHOR KEY, KRA CERTS. IN KR USE CONFIG. TABLE DISTRIBUTE APPLICATION AND INSTALL WITH PROPER LOCAL JURISDICTION FILE