Public Key Infrastructure (PKI) protects business-critical information, communication and IT processes against threats like unauthorized access, data leakage, espionage, identity theft and fraud, and denial of service. PKI technology leader nexus provides world-class solutions for the issuing, validation and delegated lifecycle management of PKI-based identities for internal, Internet and cloud users, and for technical components; for all industries, critical infrastructures and service providers; on any scale.

Public Key Infrastructure

Public Key Infrastructure (PKI) is the world's most generic, most scalable and most interoperable security technology. It provides digital identities (certificates) for the users, people and devices, of information and communication systems. Users can use their digital identities for various purposes, such as authentication, digital signature and encryption.

In a PKI, each user is assigned a key pair and a certificate. A key is a piece of digital data used for cryptographic operations, like signing or encrypting. The user's unique key pair consists of a private key and a public key. The private key is secret and is stored only on the user's device (smart card, computer, phone or other). It is computationally infeasible to derive the private key from the public key, so the public key can be made publicly known. The public key is combined with the user's identity data and validity information in a certificate, which serves as the user's digital identity card. The Certificate Authority (CA) digitally signs and publishes the certificate. The CA signature attests the user's ownership of the public key and the corresponding private key.

What is a digital certificate?
A digital certificate comprises:
- the certificate owner's identity data,
- the certificate owner's unique public key,
- the certificate validity period, and
- the digital signature of the Certificate Authority.

Security services supported by PKI:
- User authentication
- Data origin authentication
- Data integrity protection
- Non-repudiation
- Confidentiality

User authentication

For user authentication, the validating or relying party (e.g. a device or service that the user wants to log in to) sends a piece of random challenge data to the user. In turn, the user's device digitally signs the challenge, i.e. combines it with the private key according to a signature algorithm. The signature is unique with respect to the private key, so only the user can create the signature for the challenge. With the help of the public key in the user's certificate, the relying party can verify whether the challenge was indeed signed with the corresponding private key. If so, the user is successfully authenticated. The challenge is changed for every authentication operation to prevent replay attacks.

Digital signatures

A digital signature provides evidence that the signed data originates from the certificate owner. The digital signature is created and verified in the same way as for authentication, except that useful data is signed in place of a random challenge. Since signing is a one-way function, it is not feasible to find other data that result in the same signature. Therefore, it is practically impossible to falsify the signed data, and so the integrity of the data is protected. The uniqueness of the signature with respect to the user and the integrity of the signed data are the basis for legally
valid non-repudiation electronic signatures.

Encryption

Encryption of data is performed with the help of the public key in a user's certificate according to an encryption algorithm. Encrypted data can be decrypted only with the help of the corresponding private key, which is under the control of the certificate owner. Without knowing the private key, it is infeasible to recover the data. In this way, the confidentiality of the data is protected.

Meeting the needs of modern ID management

Scalability

Scalability is the biggest advantage of PKI compared to other authentication techniques. It rests on the following characteristics:

Only a piece of public information (the public key) is needed for validation. This makes it possible to decouple identity issuing from identity validation without secure processes for distributing secret system information, and without the residual risk of such secrets being shared across many systems. Validation can therefore be delegated to any organization other than the CA, and even to the end users, while the security of the credentials (i.e. of the private keys) remains unaffected.

The CA signs the user certificates so that their authenticity can be verified by the relying party. Therefore, the user certificates can be stored in or transferred over unsafe facilities, typically X.500/LDAP compliant directory servers. To verify the authenticity of user certificates, the validating party only needs an authentic copy of the CA's certificate, also called the trust anchor. In this way, one CA certificate can provide trust in the certificates of an arbitrary and constantly changing number of users. CA certificates themselves can be signed by another CA to build a trust hierarchy and further increase scalability. CAs can cross-certify CAs in other hierarchies, establishing trust in this way among different CA hierarchies, so-called PKI islands.

Security

The security of PKI is based on public key cryptography, one of the greatest inventions of 20th-century mathematical research. Public key algorithms and protocols are analysed by a broad research community, and this is the best possible security guarantee. PKI's key feature is that no system secret needs to be shared among validation authorities and end user devices for the sake of mutual validation of the credentials. This makes it not only practically but theoretically safe against key compromise attacks on production or validation systems, which have caused large
damages in recent times to customers and vendors of symmetric key based RFID and OTP authentication tokens. Compared to symmetric key based systems, updating system keys (system key roll-over) is simpler: only the authenticity, not the secrecy, of the system key (i.e. of the public key) has to be ensured in the distribution process. This can be achieved in many different ways, including out-of-band mechanisms like the official publication of fingerprints.

Lifecycle information

Lifecycle information is a built-in feature of PKI. Each certificate has a validity period encoded in the certificate, which is checked by the validating party. In addition, certificates can be revoked if the private key is compromised or is no longer needed for other reasons. There are standardized ways for the relying party to ascertain the revocation status of a certificate: either via a certificate revocation list (CRL) that is typically published in a directory, or via an OCSP (Online Certificate Status Protocol) service.

A Certificate Revocation List contains:
- the name of the issuing CA,
- the CRL serial number,
- the CRL validity period,
- the time of the next CRL publication,
- a list of revoked certificates, each entry including the certificate serial number, the revocation reason (compromise or other) and the revocation time, and
- the digital signature of the CA.

Identity federation

Identity federation is the capability of systems to exchange and combine user identity data across systems and organizations. Certificates hold user identity data in the standardized form of X.501 directory attributes (the user data representation in LDAP-type directories) and can in this way carry user information across systems in an interoperable form.

Typical PKI use cases

Device infrastructures

PKI is traditionally used for SSL/TLS and IPsec security in virtual private networks (VPNs), firewalls, routers and other networking products. The new LTE standard for broadband mobile Internet services mandates PKI-secured communication along the landline connections of the mobile network. PKI secures communication in many other types of technical infrastructure, for example between electronic travel documents and trusted document readers (ePass, eID) or in smart metering systems.

Enterprise PKI

PKI is broadly used in standard applications that most organizations use: smart card desktop login, enterprise single sign-on (SSO), client-server SSL/TLS communication, email and document signing and encryption, machine authentication in the corporate network, and VPN security.

Secure (online) banking

Smart cards provide strong two-factor authentication in applications that carry out high-value transactions and/or are exposed to the Internet, and are therefore in the focus of cyber-crime. Many other public online services are protected with strong PKI-based authentication when the high value or the legal relevance of the transactions requires it.

Electronic identity

Several countries, large banks and telecom operators have introduced electronic identities (eIDs) for their end customers. These eIDs can be used for user authentication and legal non-repudiation signatures, and are widely recognized in various application contexts (e.g. citizen services, online banking, Internet retail), even across country borders.
Legal signatures and long-term validation

Electronic signatures accelerate legal procedures, enable paperless processes without media breaks, and improve user comfort and business economy. In European countries, electronic signatures are recognized by legislation as legally valid provided that the corresponding eID is a qualified certificate, i.e. provides the highest level of assurance of the user identity. Signed legal documents must remain verifiable over a long period of time (10 to 30 years). To allow long-term validation, so-called advanced signatures have to be created, which contain, in addition to the signer's electronic signature, the corresponding certificate chain, revocation information and a timestamp referring to the signing time. These allow validation of the signature even if the eID meanwhile expires or the eID issuer no longer provides revocation information. Legal signatures need to be archived in a secure long-term archive with regular timestamping of all signature content.

Trust center

Trust Service Providers (or Trust Centers) are high-security computer centers that implement a Certificate Authority (or several of them for different business clients). Trust Centers offer high-assurance user registration, certification, revocation and revocation status information services to business clients or to private customers. To make it easy for applications to use PKI-based identities, advanced Trust Centers are gradually introducing services for validation, authentication, signatures and timestamping, which are consumed by business clients over APIs.

New challenges

Besides the traditional use cases, we can observe emerging new application areas and scenarios for PKI technology, as described below.
Open organisations require safe identities

IT services are increasingly consumed from the cloud (e.g. SalesForce), and end users use devices (PCs, tablets, phones) and personal cloud applications (like Google) of their own choice during their daily work. At the same time, consumers expect fast, non-bureaucratic registration processes and easy access to all resources across various application contexts. These tendencies confront organisations with the challenge that firewalls and VPNs no longer define the borders of the security domain; instead, the security domain extends beyond the organization's network domain and beyond the pool of in-house applications and computers. Such open organisations therefore need a new security strategy. Safe identification of users and devices with a risk-appropriate assurance level is fundamental in such a strategy.

The Internet of things

More and more wide-area applications rely on mobile machine-to-machine (M2M) Internet communication: facility and fleet management, transportation, traffic control, patient care. Using mobile communication, mobile units like vehicles, containers and goods can exchange information not only with a central server, but also among each other, creating a new paradigm for mobile applications. It is anticipated that by 2020 more than 200 billion devices will be connected to the Internet, generating the majority of data traffic. Safe identification and secure communication are fundamental for the security, reliability and eventual success of M2M applications.

Critical infrastructures

Critical infrastructures comprise organisations and facilities in defence, finance and healthcare as well as communication, industry, transportation and supply that are indispensable for national security, i.e. for the fulfilment of basic human needs and the continuity of the national economy. Critical infrastructures must be protected from manipulation, internal sabotage and denial-of-service attacks from the Internet in an age of commercial and state-organized cyber-crime and feasible cyber war scenarios. High-assurance identities and strong access control measures are relevant parts of an effective defence strategy.

Economy of PKI services

The value of a security technology is related either to the risk and the damage that related security breaches may cause, or to the business value that it directly produces (e.g. by replacing paper-based processes or shortening the sales process). The cost of any applied security technology must be in balance with those business risks and values. Cost-efficient PKI authentication methods such as software tokens on PCs or mobile devices can increase the security of low-risk online transactions significantly at tolerable cost. At the same time, legally relevant signatures or defence applications require high-security smart cards, smart microSD cards or SIM cards as the authentication and signing device. A trust service provider has to serve different risk levels at appropriate costs.
One-time private key (OTPK)

OTPK technology offers an economical option for PKI-based digital signatures without an expensive signing device, thus making digital signatures affordable for casual usage, such as an annual tax declaration or closing an insurance contract. In this approach, a private key (an OTPK) is generated at a central signing service and applied for one single digital signature. Prior to signing, the user is identified with an appropriate assurance level, which may be established by presenting an eID or by referring to a valid contract with a telecom provider. After proper authentication the user can use the signing service.

Privacy on the Internet

Internet communities attract billions of people. A typical Internet user is a member of a few communities and a consumer of 50-100 commercial or free-of-charge services (like Google, Amazon or eBay). Besides direct attacks on users and credential data (Trojans, phishing, social engineering etc.) and related fraud, identity information can be misused on the Internet in various other ways too: unwanted profiling of users, commercial use of identity or profile information without the explicit agreement of the consumer, or uncontrolled access to identity data and private information over Internet services by unauthorized or unintended users. Due to frequent misuse, Internet users and national authorities are becoming more and more conscious of these security aspects. Accordingly, demand is emerging for appropriate technologies which help Internet users to protect their identity and private data, ideally without limiting the quality of the services and user comfort.

Anonymity

One possible countermeasure against revealing identity data to untrusted services is anonymity. An electronic identity can carry a unique and random pseudonym in place of real identity data and thus decouple the user's real identity from the context-specific digital identity used in an application context. At the same time, the anonymous identity assures the business party (e.g. an online shop) of the existence of the user as a legal entity. The real identity of the user can be recovered by a trusted payment service or by a court in a legal dispute. Different pseudonyms can be used in different sessions and in different application contexts, so that the user cannot be recognized as the same user across contexts, preventing profiling or identity data collection in this way.

User-centric identity management

With user-centric identity management the user has a means to control which pieces of identity data are forwarded to an application. Here, PKI may help by issuing, on the user's demand, an attribute certificate with (partial) user identity information or a statement of majority, profession or procuration, which can be used in a specific business context. Furthermore, the user can decide against publishing his certificates.

The platform

PKI expert nexus provides best-of-breed products for the issuing, validation and delegated lifecycle management of PKI identities and credentials, which safely identify the user and support a broad range of security services, like user authentication, data origin authentication and integrity protection, data encryption and electronic signatures.

Figure: Nexus PKI Platform. Identity issuing and lifecycle management: Self-Service Portal, Management Portal, Certificate Mgmt APIs. Core PKI functions: Certificate Authority, Key and PIN Management, Smart card production. Validation of identity claims: OCSP Responder, Validation Server, Timestamp Server. Served parties: internal and external users (Security Client), IT and telecommunication systems and devices, industrial facilities and critical infrastructure, Internet of things and M2M.

The comprehensive and flexible platform provides:
- a central, high-security certificate authority and key management,
- web-based, delegated credential issuing and lifecycle management processes,
- validation and timestamping services,
- various APIs for certificate management and validation, and
- a PKI security client that enables the use of smart cards and software-based tokens on all computer and browser platforms.

The platform can retrieve end user identity data from the corporate directory or other user data sources. PKI credentials can be issued for registered users and devices in assisted or automated mode of operation. Various PKI credentials are supported: smart cards, smart USB tokens, credential files and software tokens in the host system's trust store.

The platform is designed for multi-tenancy: the same service platform can be used for multiple business clients with separation of user and management domains. Our systems are often used with 10-50 CAs and respective management domains.

The nexus PKI platform is scalable to any practical size and is platform-agnostic. It has been proven to be high-performing and reliable in large-scale deployments with millions of credential holders. Its certified security is trusted by national trust centres and financial institutions in security-critical infrastructures worldwide.

Your benefits with nexus

Availability

The platform makes security services and relying applications available to users in a user-friendly and time-efficient way, so that high security can be implemented with no loss of working efficiency.
Self-services, multilingual support and notifications enable end users to manage their own credentials anytime, anywhere. Credential management tasks can be delegated to any roles and locations in the organisation and to business clients. Quick PIN reset, card unblocking and replacement scenarios help users in all real-life emergency situations: when a smart card is lost, left at home, defective or blocked, or when the PIN is forgotten. Versatile authentication methods can be used to enter the management and self-service portals.

Usability

Decades of PKI experience have been distilled into safe, simple and user-friendly credential delivery and management processes that hide the technical depth of PKI from the users. Simplicity is the primary principle in designing credential management portals, use cases and processes. The intuitive UI is designed so that users without technical expertise can quickly learn the system and perform their tasks in a convenient and safe way. Reminders and notifications with URL contents and one-time credentials help users to quickly perform the required actions in the systems.

Manageability, economy

Delegated and self-service credential management relieves IT resources. Multi-tenancy saves costs: one system can serve multiple business clients with safe separation of user and management domains. Web technology eliminates the need for client installations and upgrades. nexus offers own-developed standard software with shared maintenance costs and a long-term product lifecycle.
The products are available as on-premises software with a license or rental agreement, or as Software as a Service.

Application support

The products come with out-of-the-box interoperability with broadly used security applications, like desktop login, web authentication, secure email, VPN security, document signing and encryption. Interoperability is compliant with international technology standards wherever applicable. Various APIs and a large degree of configuration flexibility enable integration into any identity solution and relying application. Our PKI products are platform-agnostic and come with out-of-the-box support for the operating system, database, directory, HSM and smart card products of major vendors.

Compliance

Common Criteria EAL3+ certified security. Security architecture, strong two-factor authentication, role-based access control and auditability contribute to policy compliance. Flexible role definitions and configurable authentication levels help adapt the security policy to the organisational structures and risks.

User experience

nexus puts the users in focus. Usability and simplicity are our leading design principles. All credential forms are delivered in a convenient way to various user devices. Notifications remind users about due lifecycle management tasks. They can use versatile authentication methods to enter the self-service portal. The intuitive and appealing UI hides the complexity of the background processes and makes PKI manageable without expertise. In an emergency, quick help is available at the nearest location or in the self-service portal.

Why nexus

nexus, PKI pioneer and technology leader with prominent customers in government, defence, banking and industry, and among certified trust service providers (trust centres), and with several million end users, has decades of PKI experience and mature, reliable technology. The nexus PKI Suite covers all components for the issuing, validation and lifecycle management of PKI-based credentials. High security, cost-efficient processes, user-friendliness and simplicity are our key design principles. Through a high degree of flexibility in integration and in configuration, our systems can adapt to customer requirements in various environments and scenarios.
The Suite

nexus Certificate Manager
Implements the high-security PKI core functions of the Certificate Authority, PIN and key management and central smart card production. Various certificate formats are supported, e.g. X.509 public key and attribute certificates and card-verifiable (CV) certificates.

nexus Credential Manager
The central tool for implementing efficient and user-friendly credential issuing and lifecycle management processes in an organisation, with delegation and self-service capabilities. Certificates and keys can be delivered on smart cards or in software tokens.

nexus OCSP Responder
An online service that lets validating parties check the revocation status of certificates, with quick response times, zero latency and high service capacity.

nexus Personal Security Client
A brandable, multi-card, multi-platform smart card middleware that enables PKI security in client applications, such as desktop smart card logon, email and document encryption and signing, and SSL/TLS authentication. Browser plug-ins make it easy to implement online security applications with safe authentication and document signing.

nexus Timestamp Server
A standards-compliant time stamping service for applications that rely on trusted evidence of the existence of a document, such as a legal signature or a tender application, at a certain time.

PortWise Validation Server
A service for validating identity claims and digital signatures, so that relying applications need not implement these functions but can rely on a central trusted service. PortWise Validation Server supports various national and bank eIDs, PKCS#7, XML and PDF signature formats, and the creation of advanced signatures for long-term archiving and validation.