IdenTrust Partner WebSummit March 19, 2008

Transcription

1 Authenticating Identities to Empower Global ecommerce IdenTrust Partner WebSummit March 19, 2008

2 Welcome and Opening Comments Andrea Klein Chief Marketing Officer Copyright 2008 IdenTrust, Inc. All Rights Reserved. 2

3 Agenda IdenTrust Root Rollover Vish Patel Taking the Pain Out of a Root Rollover Hari Nair, Tumbleweed Communications A Comprehensive Approach to Access Phil Pavay, Aladdin Knowledge Systems IdenTrust hosted mixer during the RSA Conference Christy Q&A Closing Comments - Christy Copyright 2008 IdenTrust, Inc. All Rights Reserved. 3

4 Authenticating Identities to Empower Global ecommerce IdenTrust Partner Update Product Enhancements Vishvas Patel March 2008

5 Agenda Dual Trust Anchors Architecture Changes Impact on Partners and Operating Rules Implementation Status Copyright 2008 IdenTrust, Inc. All Rights Reserved. 5

6 IdenTrust Root CA Key Rollover Current TN Root CA expires March Generate new 15 year Root CA and propagate through the system. Generate the New TN Root CA in March Start working with OCSP and DSMS vendors to ensure they can handle multiple Trust Anchors. Complete migration of all participants to updated DSMS and OCSP software by Dec 31, Copyright 2008 IdenTrust, Inc. All Rights Reserved. 6

7 Dual Trust Anchor Validation Flow 1. Signed message Existing Trust Network Root (Existing TN Root) New Trust Network Root (New TN Root) 2. RC requests SC validation 3. RP forwards Request to IP 4. IP validates RP at New TN Root 4 5 8, 16 7, New TN Root responds with status of RP 6. IP responds to IG with status of SC 7. RP validates IP at Existing TN Root 6 8. Existing TN Root responds with status of IP 9. RP forwards SC status to RC Issuing Participant (IP) 3 Relying Participant (RP) 10. RC requests validation of RP 11. RP forwards RP validation request to New TN Root 2, 10, 14 9, 12, New TN Root responds with status of RP 13. RP forwards response to RC Subscribing Customer (SC) 18 1 Relying Customer (RC) 14. RC request IP validation 15. RP forwards IP validation request to Existing TN Root 16. Existing TN Root responds status of IP 17. RP forwards Root response to RC 18. Return Status of Message to SC Copyright 2008 IdenTrust, Inc. All Rights Reserved. 7

8 Impact on IdenTrust Partners All applications must recognize both existing and new Root CA. DSMS software providers will need be able to accept digital signatures from both existing and Root CA concurrently. All OCSP Responders must be capable of making OCSP requests to both existing and new Root CA OCSP Responders. All OCSP and DSMS software must be capable of accepting OCSP Responses from both existing and new Root CA concurrently. Copyright 2008 IdenTrust, Inc. All Rights Reserved. 8

9 Impact on Operating Rules IT-OCSPCR Root Responder Requirement Each root responder will trust both IdenTrust root certificates. Each root shall respond to requests signed by OCSP responder certificates issued by either IdenTrust root CA. Each root responder shall provide status of certificates issued by the CA it represents and sign these responses with a certificate signed by the root CA that issued the certificate being validated. Prior to responding, the root responder will validate the OCSP requester s signing certificate. For this purpose each root responder shall have status (CRL/directory) information for both Root CAs. Participant\L1 OCSP Responder Requirement All Participant L1 responders will trust both roots. L1 responders will send requests to the appropriate peer or root responder by following the AIA in the certificate being checked. This means that: When validating root issued certificates the L1 responder will query the root that issued the Sub-CA or OCSP peer responder s signing certificate. When validating an end entity certificates the L1 responder will query the issuer s responder. L1 responder will provide responses to requests signed by peer OCSP responders issued by either root. Copyright 2008 IdenTrust, Inc. All Rights Reserved. 9

10 Impact on Operating Rules (cont d.) IT-DSMSSP All DSMS/DSVR applications will trust both roots. Applications must trust signatures created with certificates issued under either hierarchy. When validating certificates, applications must send OCSP requests to their own OCSP Responder (RP OCSP Responder) for certificates issued under either IdenTrust root hierarchy. When processing OCSP responses applications must trust proxied responses signed by both root responders. The response will be signed by the root that issued the certificates being validated. Copyright 2008 IdenTrust, Inc. All Rights Reserved. 10

11 Sample Test Case using POC Environment Copyright 2008 IdenTrust, Inc. All Rights Reserved. 11

12 Dual Trust Anchor Target Dates Root Cert Expires Generate New Root Stand up New Root Responders Issue Internal Test L1 CA, L1 OCSP & EE Issue External Test Certs to Participants/ Partners Infrastructure Ready Production 3/31/2015 5/2/2008 5/30/2008 N/A 6/30/2008 6/30/2008 PTE 12/11/2014 3/7/2008 3/21/2008 3/28/2008 4/25/2007 4/25/2008 Partner (Proof of Concept) 2/5/2015 1/18/2008 1/18/2008 1/25/2008 3/7/2007 3/7/2008 Copyright 2008 IdenTrust, Inc. All Rights Reserved. 12

13 Taking the Pain out of a Root Rollover (with the Validation Authority) Hari Nair Product Manager

14 Customers Trust Tumbleweed» 50% of Fortune 100 Multi-Nationals Government» 7 of 10 top Worldwide Banks» 8 of 10 top US Banks» 50% of Blue Cross/ Blue Shield» 300+ law firms» 7 of 10 top US brokerages» All 4 arms of the US Military» 8 of 10 top pharma companies» World s largest central banks Financial Services Insurance Manufacturing Healthcare Retail Technology Energy Telecommunications 14

15 Validation Authority Delivers Trust Government Public Consortia Private Credential Issuer Relying Party Subscriber

16 Validation Authority Suite

17 IdenTrust Validation Workflow Authentication to Root VA to validate peer VAs and self identity IdenTrust Root IdenTrust Root IdenTrust Root (new) Root CA Root 1 CA Root CA 2 Root VA Root 1 VA Root 1 VA 2 Authentication to Root VA to validate peer VAs and self identity Issuing Participant Relying Participant IPCA 1 IPCA IPVA IPVA 1 IPCA 2 IPVA 2 Clients communicate With local banks only Subscribing Client Req / Resp proxy RPVA 1 RPCA 1 RPCA RPVA 1 RPVA 2 RPCA 2 Relying Client Clients communicate With local banks only DSMS Client-side transactions Desktop Validator Microsoft IIS Server

18

19 etoken Strong Authentication Solution Complimenting IdenTrust and the PLOT Framework Philip Pavay, Vice President Global Business Development March 19, 2008 a l a d d I n. c o m

20 Legal Notice Copyright 2008 Aladdin Knowledge Systems Ltd. All rights reserved. Aladdin, Aladdin Knowledge Systems, HASP, etoken TM and esafe are only a few of Aladdin Knowledge Systems Ltd s ( Aladdin ) proprietary trademarks. The Aladdin Knowledge Systems logo is also proprietary to Aladdin. The information contained in this presentation is protected by international copyright laws. The copyrights are owned by Aladdin or the original creator of the material. The information contained herein is provided to you for informational purposes only, and except and to the extent specifically permitted, no portion of this presentation may be copied, reproduced (or the like), distributed or used in any way whatsoever whether directly or indirectly. In addition to Aladdin s trademarks, logos, content and information, this presentation may contain references to trademarks and/or logos owned by other entities. Aladdin expressly disclaims any proprietary interest in trademarks and/or logos owned by other entities and makes no representation of any association, sponsorship, affiliation, or endorsement with or by the owners of such trademarks and/or logos. This presentation may contain references and use of third party web sites for purposes of providing examples relevant to this course. Aladdin assumes no responsibility and/or liability for any content and/or information contained in such third party web sites. Aladdin further does not endorse the companies or contents of any referenced sites. Aladdin does not assume any responsibility or liability for the accuracy of the information contained in this presentation. The information contained in this presentation is provided "as is" and does not constitute a warranty of any kind, either express or implied. Aladdin disclaims all warranties, expressed or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement. a l a d d I n. c o m

21 Agenda: Aladdin Company Overview Market Changes in Strong Authentication/PKI etoken Family of Products and Services Aladdin and IdenTrust Solution a l a d d I n. c o m

22 Founded: 1985, publicly traded since 1993 Global Presence: Innovative Technology Growth Momentum: Sample Customers Partners: US, Germany, UK, France, Russia, Italy, China, India, Japan, Israel - DRM (HASP), - Enterprise Security (etoken, esafe) 460 employees, $105.9M (20% ANGR) Strong Financial Position Disney, Hertz, Canadian DOD, Dartmouth, U.TX, Unisys, India CITIE, NFL, United, Continental Unisys, HP, Cisco, IBM, SAP, Chosen Security, RSA, CA, IdenTrust, Oracle, Check Point, PGP, HID Controls what users can do Identifies who users are Ensures safe access to content a l a d d I n. c o m

23 Growing Enterprise Usage PKI is changing from complex to practical Increasing usage of certificate-based applications SSL VPN Smart card logon Digital signing Data encryption The original public-key infrastructure (PKI) vision is changing, moving key management functions... to be close to applications that use the keys and to apply PKI technology to Web services security. - Gartner, June 2007 a l a d d I n. c o m

24 Strong Authentication Technologies A wide set of technologies are available to choose from USB tokens OTP tokens Hybrid tokens Smart Cards Biometrics And more Which is the best for you? a l a d d I n. c o m

25 PKI Enables Business Today 24x7 secure access to sensitive business information Compliance with regulations Enhanced online services Digital signing of transactions Secure PCs and laptops a l a d d I n. c o m

26 Aladdin etoken An Overview etoken enables secure and simple PKI implementation with: A variety of smart card tokens Complimentary Security Solutions PKI supporting software Robust token life-cycle management system Services a l a d d I n. c o m

27 etoken Smart-card-based Devices etoken PRO USB, reader-less smart card High level of security for strong user authentication and credential storage etoken PRO Smartcard etoken PRO in smart card form factor etoken NG-OTP Award winning USB smart card token with One-Time Password generation capabilities etoken NG-FLASH USB smart card token with encrypted flash memory a l a d d I n. c o m

28 etoken Supported PKI Solutions Secure Network Access VPN Access Certificate-based authentication to VPN any VPN client that supports PKI authentication and smartcards Including Check Point, Cisco, MS-VPN, Nortel and others Web Access Secure web access using certificates for SSL authentication Smart Card Logon Network logon using certificates Enteprise Single Sign-On SSO for network logon, desktop and web applications a l a d d I n. c o m

29 etoken Supported PKI Solutions Data Security Signing & Encryption Support for any mail application that supports PKI authentication and smartcards Including Outlook, Netscape, Mozilla, Lotus Notes and more Data Security PC/boot protection, file & data encryption Secure Digital signing Including PGP, CheckPoint (PointSec), McAfee (SafeBoot), Utimaco, etc. Digital Signing Signing of sensitive transactions, documents, and s using certificates Provides non-repudiation a l a d d I n. c o m

30 etoken PKI Client etoken middleware Links applications and etoken devices Facilitates authentication using securely stored credentials Enables etoken usage for PKI based authentication, encryption, and digital signing Provides full local administration of etoken devices a l a d d I n. c o m

31 etoken Product Offering (Management System) a l a d d I n. c o m

32 etoken Service and Support 24X7 Customer Support Custom Branding (Color, Logo s, Engraving, etc.) Logistics (Versions, Serial Numbers, etc.) Initialization (Admin passwords, Key length, FIPS, etc.) RFID a l a d d I n. c o m

33 Aladdin and IdenTrust Partnership was signed In March 2008 Global alliance to provide secure trusted access for on-line banking; Certificate base strong authentication; Global joint marketing, sales and support a l a d d I n. c o m

34 Solution Scenario Architecture with IdenTrust CA Bank a l a d d I n. c o m

35 Thank you! For more info, please contact: or a l a d d I n. c o m

36 Q&A Copyright 2008 IdenTrust, Inc. All Rights Reserved. 36

37 Closing Comments Christy Serrato Director, Global Partner Delivery Thank you for participating in the IdenTrust Partner WebSummit! For more information: Copyright 2008 IdenTrust, Inc. All Rights Reserved. 37