Kristen Noakes-Fry
Product Report
1 August 2003

RSA Security RSA Keon Certificate Authority PKI

Product Summary

RSA Keon Certificate Authority, a PKI platform for Internet and e-commerce applications, serves as root certification authority for multiple PKIs and allows rapid deployment of Internet applications.

Note: In June 2003, RSA Security announced that RSA Keon PKI software had been chosen as one of two certification authorities selected by the U.S. Department of Defense (DOD) to support its Common Access Card deployment.

Table of Contents
Overview
Analysis
Pricing
Competitors
Strengths
Limitations
Insight

List of Tables
Table 1: Enhancements: RSA Keon CA 6.5, December 2002
Table 2: Overview: RSA Keon CA
Table 3: RSA Keon CA Architecture Basic Components
Table 4: RSA Keon Certificate Management Solution
Table 5: Features and Functions: RSA Keon CA
Table 6: Standards Supported by RSA Keon CA
Table 7: Price List: RSA Keon CA
Table 8: RSA Keon Competitors

Gartner
Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.
Corporate Headquarters
RSA Security Inc.
174 Middlesex Turnpike
Bedford, MA 01730, U.S.A.
Tel: +1 781 515 5000

Overview

The RSA Keon Certificate Authority (RSA Keon CA) issues, manages and validates digital certificates for use in a wide range of public key infrastructure (PKI)-enabled applications. Such applications include Web access via Secure Sockets Layer (SSL), virtual private network (VPN) access using Internet Protocol Security (IPsec), secure e-mail through Secure Multipurpose Internet Mail Extensions (S/MIME) and custom enterprise applications. A single system can provide certificate-based security for multiple enterprise applications and devices. RSA Keon CA software was the first digital certificate management solution to be Common Criteria EAL 4+ certified.

RSA Keon

The RSA Keon Certificate Management product line consists of three main components with a number of supporting modules, components and solutions.

RSA Keon Certificate Management Product Line
- RSA Keon CA
- RSA Keon Registration Authority (RA)
- RSA Keon Key Recovery Module
- RSA Keon WebSentry
- RSA Keon Web PassPort
- RSA Keon Root Signing Service

RSA Keon Certificate Management Solution Focus Areas
- RSA Keon Web Server SSL
- RSA Keon Secure VPN
- RSA Secure e-mail
- RSA Secure e-forms Signing

Supporting RSA Security Products or Modules
- RSA BSAFE Development Components
- RSA SecurID time-synchronous tokens, smart cards and Universal Serial Bus (USB) token
Table 1: Enhancements: RSA Keon CA 6.5, December 2002

GOST Public Key Digital Signature Algorithm: RSA Keon CA software supports GOST 28147-89, Standard Cryptographic Protection for Data Processing Systems. A Russian algorithm originally published in 1990, GOST became the standard for Russian-based organizations to create trusted e-business processes.
European Qualified Certificate: RSA Keon CA is in full compliance with all mandatory requirements as defined by the European Directive on Electronic Signatures.
Common Criteria EAL4+ Certification

Table 2: Overview: RSA Keon CA

Version: 6.5
Date Announced: RSA Keon CA 6.5 shipped in December 2002.
Platforms Supported: Windows 2000, Windows NT, Sun Solaris.
Standards: RSA Keon CA is based on open standards. It delivers certificates that interoperate with PKI solutions from any vendor that follows current PKI standards, such as Lightweight Directory Access Protocol (LDAP), Public Key Cryptography Standards (PKCS), X.509 v.3 and Public Key Infrastructure X.509 (PKIX).
Certification: Common Criteria Evaluation Assurance Level 4 Augmented (EAL4+), the level that specifies that a product has been methodically designed, tested and reviewed.
Identrus: Fully compliant with all mandatory requirements as defined by the European Union (EU) Directive on Electronic Signatures and GOST, the Russian standard.

Table 3: RSA Keon CA Architecture Basic Components

RSA Keon CA: RSA Keon CA creates, authorizes and manages digital certificates, allowing organizations to define and self-administer their own security procedures, trust relationships, certificate formats and rules for certificate life cycles.
RSA Keon OneStep: A component of the RSA Keon CA, RSA Keon OneStep provides a customizable mechanism to authenticate, approve, issue and install digital certificates automatically through existing authentication technologies and other data sources. Thus, the certificate enrollment process can be hidden from users and reduced to one simple step.
LDAP Certificate Repository: Repository in which certificates and certificate revocation lists (CRLs) are stored securely for later retrieval by systems and users. RSA Keon CA includes a built-in Secure Directory Server and can also publish certificates and CRLs to any standards-compliant LDAP directory.
RSA Keon RA: Works with RSA Keon CA to streamline the enrollment process for handling large volumes of end-user certificate requests. The RSA Keon RA software enables organizations to set up either remote or local stand-alone enrollment centers for large-user implementations at distributed geographic locations.
RSA Keon Key Recovery Module (KRM): RSA Keon KRM securely archives and recovers private encryption keys of users. It combines reliable and secure long-term encryption key-pair storage with straightforward, secure user enrollment. RSA Keon KRM is an add-on module and is not a required module for RSA Keon CA.
RSA Keon WebSentry: RSA Keon WebSentry is an optional security plug-in solution that works with the RSA Keon CA to provide real-time status checking of client certificates for leading Web servers.
RSA e-sign: RSA e-sign is a zero-footprint, downloadable, Web-browser plug-in designed to digitally sign HTML Web-based forms, enabling organizations to realize trusted and secure end-to-end electronic processes. RSA e-sign is an add-on module and is not a required module for RSA Keon CA.

Table 4: RSA Keon Certificate Management Solution

RSA Keon Web Server SSL Solution: RSA Keon Web Server SSL Solution enables organizations to issue and manage their own trusted SSL certificates. It includes RSA Keon CA and the RSA Keon Root Signing Service to allow an organization's CA to be signed by the trusted RSA Keon CA. It also includes a Quick Start Package with a set of service-based delivery items in support of implementation planning, software installation and training.
RSA Keon Secure VPN: RSA Keon Secure VPN enables strong authentication of users, devices and transactions within a VPN. Digital-certificate-protected IP-VPNs offer anytime, anywhere secure remote access for users. It is interoperable with leading VPN vendors, such as Nortel, Cisco, Check Point and NetScreen.
RSA Secure e-mail: RSA Secure e-mail allows end users to encrypt and digitally sign important e-mail communications, including any type of attachment, so that only intended recipients can access the message. RSA Keon digital certificate management software is integrated with Microsoft Exchange and Microsoft Outlook for confidentiality and data integrity.
RSA Secure e-forms Signing: RSA Secure e-forms Signing provides digital signatures to enable a trusted and secure end-to-end electronic process.
It is targeted at organizations looking to improve business efficiencies by replacing paper-based forms or extending existing e-business processes with Web-based, electronically signed forms.

Table 5: Features and Functions: RSA Keon CA

Digital Certificate Technology

Certificate Validation: The RSA Keon CA relies on the Online Certificate Status Protocol (OCSP) to check the validity of a certificate with the certification authority in real time by pulling fresh status information from the CA repository. RSA Keon CA can also generate and publish CRLs to an LDAP directory, allowing for certificate validation through standard CRL checking. RSA Keon CA's real-time implementation of OCSP pulls fresh status information from the CA repository rather than from a pre-published CRL that may be out of date.
Certificate Revocation: Full certificate revocation support with CRL v.2.
Non-Repudiation: RSA Keon CA supports dual keys, one for signing and another for encrypting. Configurable domains for delegating administration authority support both dual-key and single-key systems, since several products, such as Web browsers and secure e-mail packages, use only a single key for both signing and encryption.
Support for Dual Keys: Single certificate for combined signing and encryption keys. Dual certificates for separate signing and encryption keys to facilitate non-repudiation.
Creation of Multiple Certificates: Administrators can approve large numbers of user certificate requests with the batch driver, or RSA Keon OneStep can be used to approve large user populations automatically.
Encryption: RSA Keon CA provides the highest possible root-key assurance by bundling hardware security modules certified to be Federal Information Processing Standard (FIPS) 140-compliant. The root keys are generated securely and stored in tamper-resistant hardware.
Cross-Certification: The RSA Keon CA supports a hierarchical, peer-to-peer or hybrid trust model, allowing it to be chained in a certificate hierarchy. This permits an organization to set up a trust model that maps its worldwide organizational structure, allowing control at regional or divisional levels. In addition, for an organization requiring cross-organizational trust, the RSA Keon CA root certificate can be signed by another vendor's certification authority root certificate. RSA Keon CA also supports PKIX-compliant cross-certificates used for projects such as the Federal Bridge CA.
Customized Certificates: RSA Keon CA offers certificate formats for the applications that customers are deploying: SSL for Web applications, S/MIME for secure e-mail, IPsec for VPNs and customized certificates through the use of certificate extensions.

Administration

Certificate Renewal: Certificate/key renewal is configurable by an organization; the end user may renew his or her certificate without administrator intervention.
Certificate Administration: The RSA Keon OneStep feature reduces administrative effort by combining request, verification, user authentication, certificate population and approval into one automatic process.
PKI Administration: The roles of certificate administrator and system administrator are highly differentiated: certificate administrators handle registration, enrollment and certificate revocation across the enterprise, while the system administrator maintains the entire RSA Keon CA. Larger organizations may have one system administrator and several certificate administrators; smaller enterprises can manage with one individual handling both system and certificate administration tasks.

Integration

Integration Toolkit: RSA BSAFE Cert-C and Cert-J software includes the application programming interfaces (APIs), documentation, source code examples and cryptographic libraries that developers need to create, test and deploy components for secure applications in a variety of PKI vendor environments.
Algorithms Supported: The supported algorithms are the Digital Signature Algorithm (DSA), Elliptic Curve Digital Signature Algorithm (ECDSA), GOST, Message-Digest Algorithm 5 (MD5), Rivest-Shamir-Adleman (RSA) and Secure Hash Algorithm 1 (SHA-1).
Application Support: Compatible with a wide variety of firewalls, VPNs, routers and directory services or applications, such as Netscape Navigator and Microsoft Internet Explorer. Also works with Web servers and popular e-mail packages such as Microsoft Outlook.
VPN Readiness: Supports the Simple Certificate Enrollment Protocol (SCEP) for VPN certificate enrollment. Generates certificates that are usable by VPN-enabled systems out of the box.

Security Features

Security Policy: The organization determines its own security procedures, trust relationships, certificate formats and rules for certificate life cycles.
High Root Key Assurance: RSA Keon CA bundles hardware security modules that protect keys in secure, tamper-resistant hardware.

Installation and Support

Installation: Designed to be installed right out of the box into established networks or used in custom enterprise applications, third-party directory services, routers, firewalls and other network applications and systems products. Can be used across a range of PKI-enabled applications, including Web access using SSL, VPNs using IPsec and secure e-mail using S/MIME.
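The Cross-Certification, Certificate Revocation and Certificate Validation rows of Table 5 describe three things a relying party depends on: a chain from an end-entity certificate up to a trusted root, a CRL v.2 published by the issuing CA, and status information that is not out of date. The Go program below is an added example written for this report; it is not RSA code and not part of the original document. It uses only Go's standard crypto/x509 package to build a root that signs a subordinate CA, which in turn issues an end-entity certificate, publishes a CRL, and then performs the relying-party checks: chain verification to the root, CRL signature by the leaf's issuer, CRL freshness via NextUpdate, and a lookup of the leaf's serial number. The stale-CRL rejection is the weakness the Certificate Validation row attributes to pre-published CRLs and that a real-time OCSP responder addresses; the Go standard library has no OCSP client, so that path is not shown. All names (Example Root CA, Example Issuing CA, www.example.test) and serial numbers are invented for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is the constructed chain root -> issuing CA -> end entity; every name here is invented.
type Hierarchy struct {
	Root, Inter, Leaf *x509.Certificate
	RootKey, InterKey *ecdsa.PrivateKey
}

// issue is a fixture helper: it generates a P-256 key and signs a certificate for it under parent
// (self-signed when parent is nil), then re-parses the DER so the SubjectKeyId that Go adds to CA
// certificates is available when that CA later signs a CRL. It panics because setup cannot recover.
func issue(serial int64, cn string, usage x509.KeyUsage, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: usage&x509.KeyUsageCertSign != 0, KeyUsage: usage,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildHierarchy chains an issuing CA under the root and has the issuing CA sign one end entity.
// Both CAs get CertSign|CRLSign so they may sign certificates and the CRLs that revoke them.
func buildHierarchy() *Hierarchy {
	root, rootKey := issue(1, "Example Root CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil)
	inter, interKey := issue(2, "Example Issuing CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, root, rootKey)
	leaf, _ := issue(1001, "www.example.test", x509.KeyUsageDigitalSignature, inter, interKey)
	return &Hierarchy{Root: root, Inter: inter, Leaf: leaf, RootKey: rootKey, InterKey: interKey}
}

// issueCRL publishes a CRL v2 signed by issuer that lists the given certificates as revoked.
func issueCRL(issuer *x509.Certificate, issuerKey crypto.Signer, number int64, revoked ...*x509.Certificate) ([]byte, error) {
	now := time.Now()
	var entries []pkix.RevokedCertificate
	for _, c := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: entries}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, issuerKey)
}

// validate is the relying-party side of a CRL-based PKI: verify the chain up to the trusted root,
// then check the leaf against a CRL that is signed by the leaf's issuer and has not passed its
// NextUpdate. A CRL past NextUpdate is exactly the staleness gap that real-time OCSP closes.
func validate(h *Hierarchy, crlDER []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Inter)
	if _, err := h.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(h.Inter); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("crl stale since %s", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(h.Leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", rc.SerialNumber, rc.RevocationTime.Format(time.RFC3339))
		}
	}
	return nil
}

func main() {
	h := buildHierarchy()
	clean, _ := issueCRL(h.Inter, h.InterKey, 1)
	revoking, _ := issueCRL(h.Inter, h.InterKey, 2, h.Leaf)
	fmt.Println("fresh CRL:", validate(h, clean), "| after revocation:", validate(h, revoking))
}
```

Run with `go run`: validate returns nil while the CRL lists nothing and an error once the leaf's serial is added. The CheckSignatureFrom step matters as much as the serial lookup: a CRL signed by any CA other than the leaf's issuer (even one higher in the same hierarchy) carries no information about that leaf and is rejected.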
Table 6: Standards Supported by RSA Keon CA

Algorithms
RSA (512-2048): Asymmetric algorithm; certificates, key generation and internal messaging
DSA (512-1024): Digital Signature Algorithm
ECDSA: Elliptic Curve Digital Signature Algorithm
MD5: Hash algorithm; certificates
SHA-1: Hash algorithm; certificates and internal messaging
3-Data Encryption Standard (3-DES): Symmetric algorithm; encryption of private keys

Standards
X.509 v.3: Certificate standard
CRL v.2: Certificate revocation list standard
Request for Comments (RFC) 2459: Profile for X.509 v.3 certificates
RFC 2510 (Certificate Management Protocol [CMP]): Certificate Management Protocols
RFC 2511: Certificate Request Message Format
PKCS#1: Certificate creation, verification and internal messaging
PKCS#5: Password-based encryption
PKCS#7: Certificate reply, internal messaging
PKCS#10: Certificate request syntax, including cross-certification
PKCS#11: Communication with external cryptographic modules
PKCS#12: Vault to store private keys and certificates
LDAP: Communication with LDAP and X.500 directories
SSL-LDAP: Secure LDAP over SSL for internal communication and communication with external LDAP and X.500 directories
TCP/IP: Internal/external communication
HTTP over SSL (HTTPS): Secure HTTP over SSL
RFC 2560 (OCSP): Supported natively by RSA Keon PKI
SCEP: Simple Certificate Enrollment Protocol
CRS: Certificate Request Syntax
FIPS 140-1 level 3: Supported through third-party hardware
FIPS 180-1: Standard for SHA-1
FIPS 186-2: Digital Signature Standard (DSA, RSA, ECDSA algorithms)
FIPS 46-3: Standard for 3-DES
FIPS 81 Cipher Block Chaining (CBC): Standard for DES in CBC mode

RSA SecurID Products

RSA Security has augmented the PKI product with a token business including SecurID and smart card solutions. RSA Keon's relationship with the RSA SecurID products provides smart cards and USB tokens to support multiple security applications based on public-key cryptography. RSA Security products include:

- RSA SecurID Key Fob (SD600), RSA SecurID Card (SD200), RSA SecurID PINPad Card (SD520): SK, proprietary time synchronous
- RSA SecurID Software Token for Windows Workstations: SK, proprietary time synchronous
- RSA SecurID for Windows Pocket PC, RSA SecurID for the Palm Handhelds, RSA SecurID for the Nokia 9210 Communicator, RSA SecurID for the Ericsson R380s: SK, proprietary time synchronous
- RSA SecurID 5100: SK, proprietary time synchronous; PK, certificate-based
- RSA SecurID 6100 USB Token: SK, proprietary time synchronous; PK, certificate-based
- RSA Mobile: server sends a one-time password (OTP) to the user's mobile device via SMS or text messaging

Analysis

The flexibility of the Keon modules allows organizations to define and administer their own security procedures and trust relationships, as well as their own certificate formats and rules for certificate life cycles. A signing engine makes it possible to sign end-user certificates and system events digitally. RSA Keon CA includes secure administration, enrollment, directory and logging servers. The SCEP server provides automatic enrollment for issuing certificates to SCEP-compliant VPN devices. Certificates, system data and certificate status are stored in Keon's integrated data repository.

RSA Security is a founding member of the PKI Forum, along with IBM, Microsoft, Baltimore Technologies and Entrust Technologies. Established in December 1999, the PKI Forum is a multivendor organization promoting PKI interoperability and dedicated to speeding the adoption of the technology. The PKI Forum operates as an autonomous, unincorporated entity under The Open Group. RSA Keon CA software was the first digital-certificate management solution to be Common Criteria EAL 4+ certified.

Modular Design

RSA Keon CA's modular design makes it customizable both in appearance and function. RSA Keon is modular and flexible, interoperable with other certification authorities and server-based, requiring no proprietary client software: Web interfaces allow system administrators to modify the look of the server to match the organization's style. In addition, the task of registering users can be scaled to the needs of the enterprise through browser-accessible wizards. Web-browser interfaces allow the enterprise to take advantage of the scaling and customization already in place in established Web server and firewall technologies.
A jurisdictions concept permits a central system administrator to designate multiple certificate administrators, each with permissions to operate different sections of the PKI. As users generate requests, they are routed automatically to the appropriate certificate administrators.

The OCSP Interoperability Initiative is a cooperative endeavor to advance this emerging Internet standard by establishing criteria and performing interoperability testing of third-party, OCSP-enabled products to ensure they will work together.

Identity Management Systems

RSA Security's products and solutions are built around a standards-based identity management system, integrating, over time, all enterprise products of RSA ClearTrust, RSA Mobile, RSA SecurID and RSA Keon with a common set of services. These services include:

- User Management Services provide ease of administration, enabling organizations to leverage a single solution to manage their user and access policies.
- Identity Authority Services validate the authenticity of digital identities via multiple authentication methods, ensuring trust in online transactions even across federated communities based on standards such as Liberty.
- Access Authority Services enforce consistent business policies across the entire e-business infrastructure, controlling access while facilitating single sign-on (SSO).
- System Services use a single architectural foundation for the integration of technology (security, performance, audit and others), for faster deployment and enhanced scalability.
- Network and Application Integration Services ensure integration across a heterogeneous e-business infrastructure for less complexity in deployment and improved return on investment, and extend the infrastructure beyond users to include support for Web services with secure Extensible Markup Language (XML) and certificate integration tools.

Web Services

RSA Security's strategy also involves software development kits (SDKs) to secure the Web services that ultimately leverage an identity management infrastructure:

- BSAFE SDKs enable applications to integrate with an identity management infrastructure.
- Web services SDKs enable Web services to protect transactions intelligently and perform security functions in accordance with defined organizational policies.

Training Programs

RSA Security offers PKI-related courses for customers at various locations throughout North America and Europe. Among these courses are:

- RSA Keon Core PKI Administration reviews the features and functions of the RSA Keon Core PKI product line, prepares the student to administer certificates and works with both local and external certification authorities.
- RSA Keon Core PKI Installation and Configuration provides the in-depth instruction necessary to plan, install and configure the RSA Keon Core PKI product line.

RSA Authorized Training Partners deliver additional courses.
RSA Certification

RSA certification requires that the participant complete the designated RSA Security course (or courses) and pass a supervised test with a grade of 80 percent or higher, after which the participant is awarded a diploma and permission to use the designated certification on his or her business card. Designations include the following:

- Certified RSA SecurID Administrator
- Certified RSA SecurID Systems Engineer
- Certified RSA SecurID Instructor
- Certified RSA Keon Systems Engineer

Support

RSA Security's Customer Services organization offers a number of choices ranging from Web site information to renewable maintenance agreements. (Resellers can partner with RSA Security to offer these services as well.) All service offerings include technical telephone support, all software releases, documentation updates and a subscription to RSA SecurCare Online. Customers can also purchase technical telephone or on-site support on a per-incident basis.
Pricing

The RSA Keon CA is sold on a user-based pricing model. Customers can issue any type and number of certificates to the licensed users over the lifetime of the product without an extra fee.

Table 7: Price List: RSA Keon CA

Minimum Users   Maximum Users   Keon Certificate Authority ($ per licensed user)
1               500             30.00
501             1,000           26.05
1,001           5,000           16.28
5,001           10,000          14.16
10,001          25,000          11.56
25,001          50,000          10.06
50,001          100,000         8.74
100,001         200,000         7.00
200,001         300,000         6.22
300,001         400,000         5.74
400,001         500,000         5.40
500,001         600,000         5.15
600,001         700,000         4.94
700,001         800,000         4.77
800,001         900,000         4.62
900,001         1,000,000       4.50
1,000,001       Unlimited       4.39

GSA Pricing: No.

Competitors

Table 8: RSA Keon Competitors

Baltimore Technologies UniCERT: UniCERT had its beginning as an international product and can be used with many languages and character sets, an advantage for international e-business. It has a flexible modular infrastructure, which allows the product to grow and change along with the organization.
Computer Associates International (CA) eTrust PKI: eTrust PKI has the strength of being part of CA's eTrust family of integrated, extensible security solutions. eTrust PKI is shipped with its own directory and OCSP responder; thus, rollout of the PKI does not involve extensive integration. CA's vision is of invisible PKI built into enterprise solutions, such as SSO, e-mail, Web access and other CA products.
Microsoft Enterprise PKI: Part of the Windows server systems from Windows 2000 onwards, Enterprise PKI deploys and manages certificates in support of existing Windows domain trust-and-authentication mechanisms. These mechanisms are based on the domain controller (DC) and Kerberos Key Distribution Center (KDC). It is integrated with the Windows base platform without replacing existing Windows security, and integration with the operating system allows the public key to be integrated with policy administration.
VeriSign On-site: VeriSign offers the major hosted service in the market, a service to secure intranet, extranet, VPN and e-commerce applications. The client organization controls certificate issuance and management, while VeriSign provides the technical infrastructure for certificate processing services.

Strengths

Open Standards Ensure Compatibility

RSA Keon CA supports digital certificates from any standards-based certification authority, making it suitable for participation in industry business models like the Identrus financial industry consortium.

Modular Design Eases Implementation

The modular components allow customers to build a PKI a piece at a time, in the same way that they built their networks, adding components and integrating additional solutions as needed.

Certificate Validation

Cross-validation allows the enterprise to run the product as an arbiter of trust, accepting outside users with certificates from other suppliers. Use of OCSP permits certificates to be validated in real time, so users will never trust invalid certificates. In addition, the burden of validation is removed from the applications themselves.

Total Cost of Ownership

Keon takes advantage of established technology investments: any information available in any way on the Web can be introduced into the certificate generation and verification process.
Requires No Proprietary Client Software

Keon does not require proprietary upgrades or plug-ins and therefore avoids the need for expensive retrofitting of desktop applications.

Limitations

Certificate/Key Renewal

The current release of the RSA Keon CA lacks fully automatic certificate/key renewal. As a result, a renewal requires some user interaction.

Good Product in a Declining Market
According to Gartner Dataquest, the PKI market as a whole declined 32 percent from 2001 to 2002. To survive, RSA must retain its strong products and continue diversifying from tokens and PKI into identity management.

Insight

RSA Keon, like the competing products, faces the challenge of a declining PKI market, which has lasted several quarters. RSA Keon, however, has the advantage that, although RSA Security has always been focused on security, the company does not rely solely on the PKI product, actively pursuing its token and smart card identity management solutions.

As a PKI platform for the Internet, RSA Keon CA permits rapid deployment of Internet applications, serving up to eight million users per server (independently tested) and acting as an arbiter of trust for e-commerce communications networks. Because RSA Keon CA operates as a root certification authority system for multiple PKIs, corporations can interoperate with certificates from any certification authority. Through cross-validation, it allows the acceptance of users with certificates from other suppliers. In addition, the product can access and use information stored anywhere on the Web in the certificate generation and verification process and integrates with an organization's established applications, making RSA Keon a robust choice for finance, real estate, government and other networked organizations needing strong security.