PKI Credentialing Handbook
Contents Introduction...3 Dissecting PKI...4 Components of PKI...6 Digital certificates... 6 Public and private keys... 7 Smart cards... 8 Certificate Authority (CA)... 10 Key security (HSM)... 12 Management tools... 13 PKI use cases...14 Logical and physical access... 14 Digital signature... 15 Email encryption... 17 Endpoint protection... 18 The bigger picture...20 Wrapping up...23
An introduction to PKI and Credential Management Public Key Infrastructure or PKI is a well-known security ecosystem used by top enterprises, defense departments and governments around the world. Regulations, increased use of cloud-based services and the Internet of Things (IoT) are prompting a surge in PKI adoption. Many well-known organizations, such as the Department of Defense, the FBI, and Microsoft depend on Gemalto PKI solutions for user authentication and physical access. PKI also offers additional security functionalities. With PKI, you can encrypt data, hard disks, and email, as well as digitally sign. These functions are becoming increasingly important as companies need to protect digital file exchange and encrypt content to prevent hackers from intercepting communications. Even though PKI has been around for many years, it s still a vital, top security protocol offering military-grade security and the highest assurance level. This handbook will provide an overview of PKI and its many use cases to protect users, networks and devices.
Dissecting PKI for identity and credential management A PKI supports the distribution and identification of public digital certificates. It is a collection of hardware, software, and processes that support the use of public key cryptography and the means to verify the authenticity of public keys. PKI enables users and computers to verify the identity of parties they re communicating with, and securely exchange data over private networks as well as public networks such as the Internet.
With the assurance of identities, the concept is similar to a secret handshake. Users may exchange an envelope with a message written in code; but with PKI, both parties can be certain the person they re exchanging with is truly who they say they are. That assurance of identity comes in the form of a digital certificate from a certificate authority (CA). A pair of cryptographic keys one public and one private are used to encrypt, sign and decrypt data. The private key is maintained by the end user and remains secure. The public key is available as part of a digital certificate within a directory that can be freely accessed. The digital certificate links the personal details of an individual to their public key. The CA that issues the digital certificate signs it using its own private key. Some entity must be trusted in the entire chain, and that boils down to the certificate authority.
Components of PKI Digital certificates A digital certificate is a form of identification, much like a driver s license or passport, only in electronic form. X.509 is a standard certificate for PKI and defines the different information you could find on the certificate, such as information about the identity of the owner, SAMPLE CERTIFICATE INFORMATION Version (X.509 v2, v3) Serial Number Algorithm ID (signature algorithm) Issuer (CA) (X.500 name*) Validity (Not Before..., Not After...) Owner (X.500 name*) Owner s Public Key Information Public Key Algorithm: e.g. RSA Owner Public Key: 1f 0a 01 15 96 9a 5a 1c cc ab 1b f1 13 e8 Issuer/owner Unique Identifiers (Optional) Extensions (Optional) as well as other data such as serial number, issuer name, validity period, public key algorithms, and much more. A digital certificate must be issued by a certificate authority that ultimately guarantees the validity of the information in the certificate. The digital certificate is what pairs the key to a person s identity and what guarantees you can trust the sender is who he claims to be.
Public and private keys Public and private keys are each comprised of a long string of random numbers and alphabetic characters. The public key can be shared, but the private key is known only to the owner. The public and private key pair is mathematically related, so data encrypted with a public key may only be decrypted by its corresponding private key and vice versa.
Smart cards The private key is the most sensitive data in computer security. It must be stored in a place where no one will have access, and in such way that if someone tries to steal or use our private key without our consent we ll know about it (tamper proof and tamper evident). A smart card is an electronic integrated circuit, a microprocessor (a chip) that is designed to store cryptographic keys and preform cryptographic mathematical operations in a secure and efficient way. There are a couple of differences between a regular microprocessor and a smart card. The smart card usually has a cryptographic co-processor, which makes cryptographic operations very fast. More importantly, a smart card has physical attributes and electrical components that make breaking in to the card and almost impossible.
Smart cards, often referred to as secure elements, can be found in many forms, which enables different communications methods. The most common form factors are smart cards, SIMs, USB tokens, virtual smart cards, chip form factors that can be placed on the PCs mother board (TPM), micro SD cards and more. Smart cards should hold an industry certification, such as FIPS or Common Criteria.
Certificate Authority (CA) In a typical PKI, the trusted party is a CA. The CA is a trusted entity that generates digital certificates. We must trust the CA to verify the person s identity before issuing a digital certificate. In many ways, this is similar to a passport or driver s license (used as ID), but the trusted party there is the government.
The CA responsibilities include: > > Issuing certificates for intended identified owners. > > Including attributes in a certificate and verifying them. > > Managing which certificates were issued, when they were issued, and who holds them. > > Policies ensure every certificate applicant goes through a known procedure that verifies his/her identity > > Policies enable clients of the CA to evaluate the amount of trust that can be given to a digital certificate > > Policies control and monitor how the CA and certificate publishers are issuing and publishing certificates and CRLs > > Issuing and publishing the certificate revocation lists (CRLs), to which revoked certificates are added.
Key security (HSM) The private keys of the CAs are the heart of the security of the PKI. In a multi-tier environment, each CA, including a root CA, has its own unique private key. It s critical to guard these keys, as a compromise means revoking all the certificates issued by a compromised CA and re-issuing all the certificates. The best security practice is to store the keys of CAs in a hardware security module (HSM). An HSM is a FIPS certified dedicated hardware device, which is separately managed and stored outside of the operating system software. It comes with multiple tamper-resistant and self-destructing features in case there s evidence of continuous attacks. HSMs can be partitioned to store different keys for each client.
Management tools Credential Management Systems (CMS) are critical for the day-to-day operations of a PKI environment. CMS software automates much of the manual work, such as issuing certificates for users, helping user unblock their device PIN, etc.
PKI use cases Logical and physical access Adding PKI using smart cards can significantly improve client logon security by requiring multi-factor authentication. Adding multiple factors ensures secure login to workstations and enterprise networks, eliminates complex and costly passwords and significantly reduces helpdesk calls. Along with permission needed for logical access (such as Windows logon), many organizations have the need to protect physical locations, including doors, parking facilities and secure zones. A converged badge solution combines logical access and physical access. Adding a converged badge solution has clear benefits for the office user who only needs to carry one credential and remember a single PIN code or a short password to use in conjunction with their badge.
Digital signature PKI provides additional security features to digitally sign documents, files, forms, and transactions anywhere using SafeNet etokens or IDPrime smart cards as the Secure Signature Creation Device (SSCD) or Qualified Secure Signature Creation Device (QSCD), ensuring compliance with regulatory requirements, and a seamless transition towards a paperless office environment. Code signing and online tender/bid signing are the most notable uses of digital signature.
Digitally signed documents and transactions are sealed electronically, providing evidence of signer and document authenticity and guaranteeing document integrity and thus are resistant to fraud and tampering. This is known as nonrepudiation. With PKI-based trusted credentials, the level of assurance is typically higher than that of electronic signatures protected only by a password. Standards-based Gemalto PKI solutions enable compliance with security and privacy standards. Using PKI for Digital Signature THIS IS JACK Hash Algorithm Encryption Digitally Signed Document Network Hash Algorithm Dencryption Hash When hash values are equal, signature is valid Digitally Signed Document Hash THIS IS JILL
Email encryption A PKI can be configured to include a cryptographic process to provide email encryption that can only be decrypted by the intended recipient. Email encryption with PKI smart cards and USB tokens use Multi-Purpose Internet Mail Extensions (S/MIME), a system for sending email securely using encryption and digital signatures. Gemalto smart cards and USB tokes all support symmetric (secret) key algorithms Data Encryption Standard (DES) and Advanced Encryption Standard (AES), as well as asymmetric (public/private) key algorithms RSA and Elliptical Curve Cryptography (ECC). Implementing email security is easy, as most users already have Outlook and email security built into their ecosystem.
Endpoint protection Other advanced security features supported by PKI include pre-boot authentication and full-disk encryption. Gemalto credential management solutions provide a crypto framework that integrates with many applications that provide these security processes. Implementing pre-boot authentication and disk encryption helps ensure security of hard drive data. For example, if a device is lost or stolen, requiring authentication before the operating system boots makes it nearly impossible for thieves to get to the data it remains secure and encrypted.
The bigger picture: Moving to the cloud Most organizations today are moving to the cloud, seeking quick time to value, minimal maintenance overhead and superior scalability. Security, however, continues to be a source of concern especially to many organization that want to maintain high assurance PKI authentication schemes. These organizations would like to extend PKI authentication to cloud applications, and in some cases, combine PKI with other authentication methods to create a more nuanced approach that allows them to fit an appropriate assurance level to a business scenario or regulatory need.
Gemalto s access management and authentication solutions give organizations the means to rationalize their existing PKI authentication scheme and integrate it into a broader policy configuration framework. By extending PKI credentials to the cloud and combining them with other methods of authentication within access policies that provide centralized risk management and SSO, organizations can ultimately retain optimal security and improve users login experience. Extending PKI Credentials to the Cloud PKI compatible App Existing use cases Winlogon U: P: SafeNet Trusted Access Extend PKI to cloud apps
Wrapping up In addition to providing peace of mind that your data, users and systems are protected, PKI provides many business advantages such as: > > Military-grade security: PKI provides the highest protection of your sensitive documents and authentication of your users. > > Additional security functionalities: With PKI, you can encrypt data, disk, and email, as well as digitally sign. > > Optimized authentication and cost savings: Password management is costly. PKI eliminates the need for users to remember long, complex passwords that they will need to change frequently. A single credential will give users access to multiple applications. > > Improved business processes: Eliminating password protocols will reduce helpdesk calls and an overall IT overhead. The bottom line PKI authentication provides the highest level of security. It is ideal for high assurance multi-factor authentication and when there is a need to comply with security regulations, as well other use cases including converged physical / logical access, email encryption and digital signing.
Through its acquisition of SafeNet, Gemalto offers one of the most complete portfolios of enterprise security solutions in the world, enabling its customers to enjoy industryleading protection of digital identities, transactions, payments and data from the edge to the core. Gemalto s newly expanded portfolio of SafeNet Identity and Data Protection solutions enable enterprises across many verticals, including major financial institutions and governments, to take a data-centric approach to security by utilizing innovative encryption methods, best-in-class crypto management techniques, and strong authentication and identity management solutions to protect what matters, where it matters. Through these solutions, Gemalto helps organizations achieve compliance with stringent data privacy regulations and ensure that sensitive corporate assets, customer information, and digital transactions are safe from exposure and manipulation in order to protect customer trust in an increasingly digital world. Contact Us: For all office locations and contact information, please visit safenet.gemalto.com/contact-us Follow Us: blog.gemalto.com/security GEMALTO.COM Gemalto 2018.eB (EN)-Jan.15.2018 - Design: ELC