Microsoft Identity Lifecycle Manager & Gemalto.NET Solutions. Jan 23 rd, 2007



Similar documents
Application Note Gemalto.NET 2.0 Smart Card Certificate Enrollment using Microsoft Certificate Services on Windows 2008

Global eid Developments. Detlef Eckert Chief Security Advisor Microsoft Europe, Middle East, and Africa

Managed Portable Security Devices

MAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013

Enhancing Organizational Security Through the Use of Virtual Smart Cards

CRESCENDO SERIES Smart Cards. Smart Card Solutions

Introducing etoken. What is etoken?

The Convergence of IT Security and Physical Access Control

Schlumberger PKI /Corporate Badge Deployment. Neville Pattinson Director of Business Development & Technology IT & Public Sector

Longmai Mobile PKI Solution

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

How To Use A Smart Card With A Fingerprint On A Card On A Pc Or A Smartcard On A Microsoft Gina (Smart Card) On A Powerbook (Smartcard) On Windows Xp (Windows Xp) On An Iphone

The Convergence of IT Security and Physical Access Control

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

Enhancing Web Application Security

Authentication Solutions. Versatile And Innovative Authentication Solutions To Secure And Enable Your Business

Executive Summary P 1. ActivIdentity

etoken TMS (Token Management System) Frequently Asked Questions

Converged Smart Card for Identity Assurance Solutions. Crescendo Series Smart Cards

Using Entrust certificates with VPN

INTEGRATION GUIDE MS OUTLOOK 2003 VERSION 2.0

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Application Note. Gemalto Smart Cards with Citrix XenApp 5.0

CS 356 Lecture 28 Internet Authentication. Spring 2013

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

Deriving a Trusted Mobile Identity from an Existing Credential

Secure Web Access Solution

Authentication Solutions VERSATILE AND INNOVATIVE AUTHENTICATION SOLUTIONS TO SECURE AND ENABLE YOUR BUSINESS

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

PRIME IDENTITY MANAGEMENT CORE

Gemalto Mifare 1K Datasheet

Securing Cloud Computing. Szabolcs Gyorfi Sales manager CEE, CIS & MEA

Smart Card Technology Capabilities

Security Considerations for DirectAccess Deployments. Whitepaper

Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions. July, Developed by: Smart Card Alliance Identity Council

Symantec Client Management Suite 8.0

EXPLORING SMARTCARDS: AN INDEPENDENT LOOK TO TECHNOLOGIES AND MARKET

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

Ensuring the security of your mobile business intelligence

Implementing Federal Personal Identity Verification for VMware View. By Bryan Salek, Federal Desktop Systems Engineer, VMware

STRONGER AUTHENTICATION for CA SiteMinder

Single Sign-On. Security and comfort can be friend. Arnd Langguth. September, 2006

NIST s FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Masaryk University in Brno Faculty of Informatics

TrustKey Tool User Manual

Apache Milagro (incubating) An Introduction ApacheCon North America

Entrust IdentityGuard Versatile Authentication Platform for Enterprise Deployments. Sam Linford Senior Technical Consultant

PrivateServer HSM Integration with Microsoft IIS

CoSign by ARX for PIV Cards

Managing SSL Security in Multi-Server Environments

CryptoNET: Security Management Protocols

Deploying Smart Cards in Your Enterprise

RSA SecurID Two-factor Authentication

Entrust Smartcard & USB Authentication

Entrust IdentityGuard

PKI Uncovered. Cisco Press. Andre Karamanian Srinivas Tenneti Francois Dessart. 800 East 96th Street. Indianapolis, IN 46240

ADDING STRONGER AUTHENTICATION for VPN Access Control

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

Smart Card Deployment in the Data Center: Best Practices for Integrating Smart Card Authentication in a Secure KVM Environment

Issues in Smart Card Development

SAFEAPP TECHNOLOGY PROGRAM

MyKey is the digital signature software governed by Malaysia s Digital Signature Act 1997 & is accepted by the courts of law in Malaysia.

Chapter 1: Introduction

Secure Data Exchange Solution

Entrust Managed Services PKI

ViSolve Open Source Solutions

Using BroadSAFE TM Technology 07/18/05

Microsoft Azure Multi-Factor authentication. (Concept Overview Part 1)

Secure Network Communications FIPS Non Proprietary Security Policy

Symantec Managed PKI Service Deployment Options

Why it s Time to Make the Change Analysis of Current Technologies for Multi-Factor Authentication in Active Directory

RSA SecurID Software Token 1.0 for Android Administrator s Guide

PrivyLink Cryptographic Key Server *

Integration Guide. SafeNet Authentication Client. Using SAC CBA for Check Point Security Gateway

Microsoft Windows Server 2003 Integration Guide

Information Security Basic Concepts

Smart Card Certificate Authentication with VMware View 4.5 and Above WHITE PAPER

Securing Administrator Access to Internal Windows Servers

Moving to Multi-factor Authentication. Kevin Unthank

Deploying and Managing a Public Key Infrastructure

WHITE PAPER Usher Mobile Identity Platform

Symantec Mobile Management 7.2

Enterprise SSL FEATURES & BENEFITS

DigitalPersona Pro Enterprise

DigitalPersona, Inc. Altus AUTH SDK. Version 1.1. Developer Guide

How To Encrypt Data On A Network With Cisco Storage Media Encryption (Sme) For Disk And Tape (Smine)

ipad in Business Security

Identity and Access Management

CardOS API V3.2. Standard cryptographic interface for using applications with CardOS smart cards

CipherShare Features and Benefits

Transcription:

Microsoft Identity Lifecycle Manager & Gemalto.NET Solutions Jan 23 rd, 2007

Microsoft ILM is a comprehensive, integrated, identity and access solution within the Microsoft system architecture. It includes a complete solution for centrally managing a certificate-based infrastructure and strong authentication credentials, including smart cards. ILM provides a policy and workflow driven solution that helps organizations manage the lifecycle of digital certificates and smart cards. ILM lowers the costs associated with digital certificates and smart cards by enabling organizations to more efficiently deploy, manage, and maintain a certificate-based infrastructure. ILM streamlines the provisioning, deprovisioning, configuration, and auditing of digital certificates and smart cards, while increasing security through strong, multi-factor authentication technology. October 2006 2

Architecture October 2006 3

Certificate Management Single administration point for digital certificates and smart cards Configurable policy-based workflows for common tasks Enroll/renew/update Recover/card replacement Revoke Retire/disable smart card Issue temporary/duplicate smart card Personalize smart card Detailed auditing and reporting Support for both centralized and self-service scenarios Integration with existing infrastructure investments Windows Active Directory; Windows Certificate Services October 2006 4

Certificates & Smart Cards ILM features related to Certificate & Smart Card management include: A complete and integrated management solution for deploying smart cards and digital certificates Delegated request and approval capabilities for distributed environments In-person authentication and self-service management features Closely integrated with Active Directory and Microsoft certification authorities (CAs) Policy support for workflow, registration data collection, and document printing Smart card lifecycle management, including smart card printing Complete Personal Identification Number (PIN) management features for activating and unblocking PINs. This can be managed either in a self-service method or by an administrator. Smart card inventory system that is updated upon smart card activation, simplifying distribution Sophisticated, complete reporting and audit tracking of all smart card lifecycle activities Bulk Smart Card Issuance Tool to facilitate enrollment and smart card issuance for hundreds of users October 2006 5

Gemalto.NET & Microsoft ILM Architecture October 2006 6

Gemalto.NET Card: Main Benefits Provides strong two-factor authentication to secure a company s assets and identities on a network Integrates quickly and seamlessly within the Microsoft world Is easy to deploy and manage, resulting in lower implementation cost Implements.NET framework to enable development of comprehensive on card / off card security solutions.net Smart Card Framework October 2006 7

Gemalto.NET card: Main Characteristics Microsoft Mini Driver Assembly onboard.net Smart Card Framework PKI Crypto RSA 2048 Protiva OTP Assembly onboard 75KB available for additional assemblies Mini Driver assembly compatible with 32 bit and 64 bit Windows platforms Available memory for assemblies and certificates can be extended to 85 KBytes by removing the Protiva OTP assembly Protiva OTP is Gemalto s OATH One Time Password Key Generator assembly, compatible with Protiva OTP Server Solution. For more information visit www.protiva.gemalto.com October 2006 8

Technical details I Silicon features Chip Infineon SLE88CFX4000P (400 KB Flashmask) 32-bit micro-controller in advanced CMOS technology Cryptographic co-processor for faster RSA and 3-DES True random number generator Cryptographic capabilities RSA signature and verification up to 2048-bit keys DES, 3-DES (CBC, EBC), AES, HMAC, SHA1,SHA2 and MD5 Customizable authentication framework and secure channel capabilities Standards ISO 7816-1-2-3-4 (partial) ECMA 335 / ISO/IEC 23271 Common Language Interface File system Secure data storage Role-based access control Enables assembly and data separation Enables Assembly update with data preservation October 2006 9

Technical Details II Application development.net compatible and programming language independent (CLI) 75KB expandable to 90KB memory available for applications Legacy compatible application development On-card XML parser Support for int-64 Security Off-card application verification integrated in tool chain On-card verifier to check type structural integrity and type safety of applications Only strong-name signed assembles can be loaded ensuring integrity and authenticity Communications Standard I/O transfer speed up to 223 Kbps Negotiable PPS T=0 protocol SConnect.NET Remoting October 2006 10

Why.NET on a Smart Card? Seamlessly integrates the application developer language and tools for both on and off-card application development Web Services enable the smart card to communicate as a peer computing device The.NET CLR and Remoting provides a consistent security model between applications on and off-card Makes smart cards available to a wider audience which will lead to more smart card integrated applications in the future October 2006 11

Microsoft Crypto Architecture Framework enabling smart cards for strong authentication Manages access to readers and smart cards Standard model for interfacing smart cards and readers with computers Microsoft Crypto Next Generation Architecture Microsoft Smart Card Tools Microsoft Base Smart Card CSP Smart Card Vendor Mini Driver MS Smart Card Resource Manager PC/SC Identity Lifecycle Manager & PIN Tool Plug-in to the MS Base CSP to perform the cryptographic algorithms using vendor card October 2006 12

Gemalto.NET Crypto Architecture Gemalto.NET Crypto architecture Microsoft Smart Card Tools Microsoft Base Smart Card CSP leveraging Microsoft s new security architecture Proxy plug-in to the MS Base CSP to forward calls to the Mini Driver on the Gemalto.NET card.net Mini Driver Proxy MS Smart Card Resource Manager PC/SC Gemalto.NET Mini Driver October 2006 13

Gemalto.NET in the Microsoft ecosystem.net card built into Windows Vista.NET card built into Microsoft Base CSP Package (available via Windows Update) for Windows 2000, XP & Server 2003 CMS of reference: Microsoft ILM.NET SDK integrated in Microsoft Visual Studio.NET Gemalto.NET Card is used by Microsoft s as its own Corporate Badge October 2006 14

Case Study: Microsoft security solution with Gemalto.NET Smart Cards Complex Situation Despite strong password policies, Microsoft determined that additional forms of authentication were required, especially for remote access to their corporate network. Clarifying Solution To counter the threat of unauthorized access to the Microsoft corporate network, Microsoft chose to deploy smart cards because of the cumulative sum of the products reliability, performance, cost, security features, convenience and portability benefits. The logical access control is provided by a microprocessor contact smart card with specialized security features and large memory for application storage. A contactless feature embedded in the card will provide physical access to buildings and offices. The Gemalto.NET smart card runs a small footprint version of the.net framework and provides customizable two-factor authentication, in addition to full cryptographic capabilities. Better Performance This approach to logical access security, completed worldwide in 2002 for Microsoft s 61,000 employees, has substantially increased the overall security of enterprise network assets and data at Microsoft. October September 2006 2006 15

Case Study: Microsoft security solution with Gemalto.NET Smart Cards Corporate-wide deployment Issued to 60K+ employees worldwide Protects network access and other corporate intellectual property Logical and physical access Badge Remote access (VPN) Web authentication Encryption Digital signatures Password replacement Microsoft partner Gemalto "has done a super job on this", said Gates. "We will be using their smartcards internally - each employee will use those to get in and out of the buildings as we used to connect to our machines. We're requiring them. We will completely replace passwords. October 2006 16