PKI Credentialing Handbook

Contents

Introduction
Dissecting PKI
Components of PKI
  Digital certificates
  Public and private keys
  Smart cards
  Certificate Authority (CA)
  Key security (HSM)
  Management tools
PKI use cases
  Logical and physical access
  Digital signature
  Email encryption
  Endpoint protection
The bigger picture
Wrapping up

An introduction to PKI and Credential Management

Public Key Infrastructure, or PKI, is a well-known security ecosystem used by top enterprises, defense departments and governments around the world. Regulations, increased use of cloud-based services and the Internet of Things (IoT) are prompting a surge in PKI adoption. Many well-known organizations, such as the Department of Defense, the FBI, and Microsoft, depend on Gemalto PKI solutions for user authentication and physical access. PKI also offers additional security functionalities. With PKI, you can encrypt data, hard disks, and email, as well as digitally sign. These functions are becoming increasingly important as companies need to protect digital file exchange and encrypt content to prevent hackers from intercepting communications. Even though PKI has been around for many years, it's still a vital, top security protocol offering military-grade security and the highest assurance level. This handbook will provide an overview of PKI and its many use cases to protect users, networks and devices.

Dissecting PKI for identity and credential management

A PKI supports the distribution and identification of public digital certificates. It is a collection of hardware, software, and processes that support the use of public key cryptography and the means to verify the authenticity of public keys. PKI enables users and computers to verify the identity of the parties they're communicating with, and to securely exchange data over private networks as well as public networks such as the Internet.

With the assurance of identities, the concept is similar to a secret handshake. Users may exchange an envelope with a message written in code; but with PKI, both parties can be certain that the person they're exchanging with is truly who they say they are. That assurance of identity comes in the form of a digital certificate from a certificate authority (CA). A pair of cryptographic keys, one public and one private, is used to encrypt, sign and decrypt data. The private key is maintained by the end user and remains secure. The public key is available as part of a digital certificate within a directory that can be freely accessed. The digital certificate links the personal details of an individual to their public key. The CA that issues the digital certificate signs it using its own private key. Some entity must be trusted in the entire chain, and that boils down to the certificate authority.

Components of PKI

Digital certificates

A digital certificate is a form of identification, much like a driver's license or passport, only in electronic form. X.509 is the standard certificate format for PKI and defines the information you can find on a certificate, such as information about the identity of the owner, as well as other data such as the serial number, issuer name, validity period, public key algorithm, and much more. A digital certificate must be issued by a certificate authority that ultimately guarantees the validity of the information in the certificate. The digital certificate is what pairs the key to a person's identity and what guarantees you can trust that the sender is who he claims to be.

Sample certificate information:
- Version (X.509 v2, v3)
- Serial Number
- Algorithm ID (signature algorithm)
- Issuer (CA) (X.500 name*)
- Validity (Not Before..., Not After...)
- Owner (X.500 name*)
- Owner's Public Key Information
  - Public Key Algorithm: e.g. RSA
  - Owner Public Key: 1f 0a 01 15 96 9a 5a 1c cc ab 1b f1 13 e8
- Issuer/Owner Unique Identifiers (Optional)
- Extensions (Optional)
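The fields listed above, and the point made earlier that the CA signs each certificate with its own private key, can be seen end to end with Go's standard library. This is an added illustration, not code from the handbook or from Gemalto: it builds a self-signed root CA, issues a user certificate under it, and then shows that a certificate which merely copies the CA's name but was signed with a different key is rejected. The names "Example Root CA" and "jack@example.com" are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue fills the X.509 fields the handbook lists (serial, issuer, validity,
// owner, owner public key) and has the signer's private key sign them;
// parent == nil yields a self-signed root CA certificate.
func Issue(cn string, serial int64, pub *ecdsa.PublicKey,
	parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyChain accepts user only if it chains to root: the issuer name must
// match and, decisively, the signature must check under the root's public key.
func VerifyChain(user, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := user.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// ChainDemo returns (genuine chain verifies, look-alike chain verifies): the
// look-alike copies the trusted CA's name but is signed with another key.
func ChainDemo() (bool, bool, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root, err := Issue("Example Root CA", 1, &caKey.PublicKey, nil, caKey)
	user, err2 := Issue("jack@example.com", 2, &userKey.PublicKey, root, caKey)
	if err != nil || err2 != nil {
		return false, false, fmt.Errorf("issuing failed: %v %v", err, err2)
	}
	lookalike, _ := Issue("Example Root CA", 1, &otherKey.PublicKey, nil, otherKey)
	forged, _ := Issue("jack@example.com", 2, &userKey.PublicKey, lookalike, otherKey)
	return VerifyChain(user, root) == nil, VerifyChain(forged, root) == nil, nil
}

func main() { fmt.Println(ChainDemo()) }
```

The relying party never compares names alone: trust flows from the root's public key through the signature on each certificate, which is why protecting the CA's private key (see Key security below) matters so much.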

Public and private keys

Public and private keys are each composed of a long string of random numbers and alphabetic characters. The public key can be shared, but the private key is known only to the owner. The public and private key pair is mathematically related, so data encrypted with a public key may only be decrypted by its corresponding private key, and vice versa.

Smart cards

The private key is the most sensitive data in computer security. It must be stored in a place where no one else will have access, and in such a way that if someone tries to steal or use our private key without our consent we'll know about it (tamper proof and tamper evident). A smart card is an electronic integrated circuit, a microprocessor (a chip), that is designed to store cryptographic keys and perform cryptographic mathematical operations in a secure and efficient way. There are a couple of differences between a regular microprocessor and a smart card. The smart card usually has a cryptographic co-processor, which makes cryptographic operations very fast. More importantly, a smart card has physical attributes and electrical components that make breaking into the card almost impossible.

Smart cards, often referred to as secure elements, can be found in many forms, which enables different communication methods. The most common form factors are smart cards, SIMs, USB tokens, virtual smart cards, chip form factors that can be placed on the PC's motherboard (TPM), micro SD cards and more. Smart cards should hold an industry certification, such as FIPS or Common Criteria.

Certificate Authority (CA)

In a typical PKI, the trusted party is a CA. The CA is a trusted entity that generates digital certificates. We must trust the CA to verify the person's identity before issuing a digital certificate. In many ways, this is similar to a passport or driver's license (used as ID), but the trusted party there is the government.

The CA responsibilities include:
- Issuing certificates for intended, identified owners.
- Including attributes in a certificate and verifying them.
- Managing which certificates were issued, when they were issued, and who holds them.
- Policies that ensure every certificate applicant goes through a known procedure that verifies his/her identity.
- Policies that enable clients of the CA to evaluate the amount of trust that can be given to a digital certificate.
- Policies that control and monitor how the CA and certificate publishers issue and publish certificates and CRLs.
- Issuing and publishing the certificate revocation lists (CRLs), to which revoked certificates are added.

Key security (HSM)

The private keys of the CAs are the heart of the security of the PKI. In a multi-tier environment, each CA, including the root CA, has its own unique private key. It's critical to guard these keys, as a compromise means revoking all the certificates issued by the compromised CA and re-issuing all of them. The best security practice is to store the keys of CAs in a hardware security module (HSM). An HSM is a FIPS-certified dedicated hardware device, which is separately managed and stored outside of the operating system software. It comes with multiple tamper-resistant and self-destructing features in case there's evidence of continuous attacks. HSMs can be partitioned to store different keys for each client.

Management tools

Credential Management Systems (CMS) are critical for the day-to-day operations of a PKI environment. CMS software automates much of the manual work, such as issuing certificates for users, helping users unblock their device PIN, etc.

PKI use cases

Logical and physical access

Adding PKI using smart cards can significantly improve client logon security by requiring multi-factor authentication. Adding multiple factors ensures secure login to workstations and enterprise networks, eliminates complex and costly passwords and significantly reduces helpdesk calls. Along with the permissions needed for logical access (such as Windows logon), many organizations have the need to protect physical locations, including doors, parking facilities and secure zones. A converged badge solution combines logical access and physical access. Adding a converged badge solution has clear benefits for the office user, who only needs to carry one credential and remember a single PIN code or a short password to use in conjunction with their badge.

Digital signature

PKI provides additional security features to digitally sign documents, files, forms, and transactions anywhere using SafeNet eTokens or IDPrime smart cards as the Secure Signature Creation Device (SSCD) or Qualified Secure Signature Creation Device (QSCD), ensuring compliance with regulatory requirements and a seamless transition towards a paperless office environment. Code signing and online tender/bid signing are the most notable uses of digital signature.

Digitally signed documents and transactions are sealed electronically, providing evidence of signer and document authenticity and guaranteeing document integrity, and thus are resistant to fraud and tampering. This is known as non-repudiation. With PKI-based trusted credentials, the level of assurance is typically higher than that of electronic signatures protected only by a password. Standards-based Gemalto PKI solutions enable compliance with security and privacy standards.

[Figure: Using PKI for Digital Signature. Jack runs the document through a hash algorithm and encrypts the hash with his private key, producing the digitally signed document, which travels over the network. Jill runs the received document through the same hash algorithm, decrypts the signature to recover Jack's hash, and when the two hash values are equal the signature is valid.]
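The Jack-and-Jill exchange in the figure, carried out in code as an added example (not part of the handbook): the document is hashed, the hash is signed with Jack's private key, and Jill recomputes the hash over what she received and checks it against the signature with Jack's public key. The document text is a constructed sample; the signing step uses ECDSA over a SHA-256 digest, which is what the figure's "encryption" of the hash amounts to in practice.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignDocument is Jack's side of the diagram: hash the document, then apply
// the private key to the hash (an ECDSA signature over the SHA-256 digest).
func SignDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyDocument is Jill's side: recompute the hash of what arrived and check
// the signature against it with Jack's public key; equal hashes mean valid.
func VerifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// SignDemo signs a constructed document and returns whether the untouched
// copy verifies and whether a copy altered in transit still verifies.
func SignDemo() (bool, bool, error) {
	jack, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	doc := []byte("Pay Jill 100 EUR. Signed, Jack") // constructed sample document
	sig, err := SignDocument(jack, doc)
	if err != nil {
		return false, false, err
	}
	altered := []byte("Pay Jill 900 EUR. Signed, Jack") // one digit changed in transit
	return VerifyDocument(&jack.PublicKey, doc, sig), VerifyDocument(&jack.PublicKey, altered, sig), nil
}

func main() { fmt.Println(SignDemo()) }
```

Changing a single character of the document changes its hash, so the signature no longer matches; this is the integrity guarantee the text describes, and binding Jack's public key to his identity through a CA-issued certificate is what turns it into non-repudiation.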

Email encryption

A PKI can be configured to include a cryptographic process that provides email encryption which can only be decrypted by the intended recipient. Email encryption with PKI smart cards and USB tokens uses Secure/Multipurpose Internet Mail Extensions (S/MIME), a system for sending email securely using encryption and digital signatures. Gemalto smart cards and USB tokens all support the symmetric (secret) key algorithms Data Encryption Standard (DES) and Advanced Encryption Standard (AES), as well as the asymmetric (public/private) key algorithms RSA and Elliptic Curve Cryptography (ECC). Implementing email security is easy, as most users already have Outlook and email security built into their ecosystem.

Endpoint protection

Other advanced security features supported by PKI include pre-boot authentication and full-disk encryption. Gemalto credential management solutions provide a crypto framework that integrates with many applications that provide these security processes. Implementing pre-boot authentication and disk encryption helps ensure the security of hard drive data. For example, if a device is lost or stolen, requiring authentication before the operating system boots makes it nearly impossible for thieves to get to the data: it remains secure and encrypted.

The bigger picture: Moving to the cloud

Most organizations today are moving to the cloud, seeking quick time to value, minimal maintenance overhead and superior scalability. Security, however, continues to be a source of concern, especially to the many organizations that want to maintain high-assurance PKI authentication schemes. These organizations would like to extend PKI authentication to cloud applications and, in some cases, combine PKI with other authentication methods to create a more nuanced approach that allows them to fit an appropriate assurance level to a business scenario or regulatory need.

Gemalto's access management and authentication solutions give organizations the means to rationalize their existing PKI authentication scheme and integrate it into a broader policy configuration framework. By extending PKI credentials to the cloud and combining them with other methods of authentication within access policies that provide centralized risk management and SSO, organizations can ultimately retain optimal security and improve users' login experience.

[Figure: Extending PKI Credentials to the Cloud. Existing use cases (Winlogon with username/password, PKI-compatible apps) sit alongside SafeNet Trusted Access, which extends PKI to cloud apps.]

Wrapping up

In addition to providing peace of mind that your data, users and systems are protected, PKI provides many business advantages such as:
- Military-grade security: PKI provides the highest protection of your sensitive documents and authentication of your users.
- Additional security functionalities: With PKI, you can encrypt data, disks, and email, as well as digitally sign.
- Optimized authentication and cost savings: Password management is costly. PKI eliminates the need for users to remember long, complex passwords that they need to change frequently. A single credential gives users access to multiple applications.
- Improved business processes: Eliminating password protocols reduces helpdesk calls and overall IT overhead.

The bottom line

PKI authentication provides the highest level of security. It is ideal for high-assurance multi-factor authentication and when there is a need to comply with security regulations, as well as for other use cases including converged physical/logical access, email encryption and digital signing.

Through its acquisition of SafeNet, Gemalto offers one of the most complete portfolios of enterprise security solutions in the world, enabling its customers to enjoy industry-leading protection of digital identities, transactions, payments and data from the edge to the core. Gemalto's newly expanded portfolio of SafeNet Identity and Data Protection solutions enables enterprises across many verticals, including major financial institutions and governments, to take a data-centric approach to security by utilizing innovative encryption methods, best-in-class crypto management techniques, and strong authentication and identity management solutions to protect what matters, where it matters. Through these solutions, Gemalto helps organizations achieve compliance with stringent data privacy regulations and ensure that sensitive corporate assets, customer information, and digital transactions are safe from exposure and manipulation, in order to protect customer trust in an increasingly digital world.

Contact Us: For all office locations and contact information, please visit safenet.gemalto.com/contact-us
Follow Us: blog.gemalto.com/security
GEMALTO.COM
Gemalto 2018. eB (EN)-Jan.15.2018 - Design: ELC