How To Use Pki On A Pc (For A Non-Profit)



Similar documents
Pointsec Enterprise Encryption and Access Control for Laptops and Workstations

Enova X-Wall LX Frequently Asked Questions

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

Management of Hardware Passwords in Think PCs.

DriveLock and Windows 7

Innovative Secure Boot System (SBS) with a smartcard.

Using Entrust certificates with VPN

Check Point FDE integration with Digipass Key devices

Mobile OTPK Technology for Online Digital Signatures. Dec 15, 2015

Using BitLocker As Part Of A Customer Data Protection Program: Part 1

CRYPTAS it-security GmbH

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

An Introduction to Cryptography and Digital Signatures

DriveLock and Windows 8

Security Considerations for DirectAccess Deployments. Whitepaper

Concept of Electronic Approvals

Security Architecture Whitepaper

Do "standard tools" meet your needs when it comes to providing security for mobile PCs and data media?

Online Backup by Mozy. Common Questions

Securing your Online Data Transfer with SSL

Secure cloud access system using JAR ABSTRACT:

Encrypting with BitLocker for disk volumes under Windows 7

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features


Securing Corporate Data and Making Life Easier for the IT Admin Benefits of Pre Boot Network Authentication Technology

Presentation on Black Hat Europe 2003 Conference. Security Analysis of Microsoft Encrypting File System (EFS)

Pulse Secure, LLC. January 9, 2015

Digital Signatures on iqmis User Access Request Form

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

MyKey is the digital signature software governed by Malaysia s Digital Signature Act 1997 & is accepted by the courts of law in Malaysia.

Self-Service, Anywhere

A Maturity Model for Enterprise Key Management. Lessons Learned

Factory-Installed, Standards-Based Hardware Security. Steven K. Sprague President & CEO, Wave Systems Corp.

How Drive Encryption Works

Windows Client/Server Local Area Network (LAN) System Security Lab 2 Time allocation 3 hours

Secure web transactions system

Public Key Infrastructure for a Higher Education Environment

Understanding Digital Signature And Public Key Infrastructure

Virtual Desktop Infrastructure

High Security Online Backup. A Cyphertite White Paper February, Cloud-Based Backup Storage Threat Models

Apptix Online Backup by Mozy

Secure Storage. Lost Laptops

WHITE PAPER AUGUST Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

How To Encrypt Data With Encryption

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Data Security 2. Implement Network Controls

State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008

How to Encrypt your Windows 7 SDS Machine with Bitlocker

Enterprise effectiveness of digital certificates: Are they ready for prime-time?

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Recipe for Mobile Data Security: TPM, Bitlocker, Windows Vista and Active Directory

Navigating Endpoint Encryption Technologies

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken

Two Factor Authentication for VPN Access

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Introduction to BitLocker FVE

Defense In-Depth to Achieve Unbreakable Database Security

Dashlane Security Whitepaper

Data Protection: From PKI to Virtualization & Cloud

Transparent Data Encryption: New Technologies and Best Practices for Database Encryption

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

EMC DATA DOMAIN ENCRYPTION A Detailed Review

Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure. Addressing the Concerns of the IT Professional Rob Weber February 2015

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

Cloudifile Getting Started

User Guide. Digital Signature

Encrypted File Systems. Don Porter CSE 506

PLUS PACK

Two factor strong authentication. Complex solution for two factor strong authentication

FileCloud Security FAQ

Deploying EFS: Part 1

The Use of the Simple Certificate Enrollment Protocol (SCEP) and Untrusted Devices

Managing Remote Access

SecureAuth Authentication: How SecureAuth performs what was previously impossible using X.509 certificates

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Key & Data Storage on Mobile Devices

HP ProtectTools Embedded Security Guide

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Public Key Infrastructure. A Brief Overview by Tim Sigmon

Case Study: Leveraging TPM for Authentication and Key Security

Sync Security and Privacy Brief

Concepts of Database Management Seventh Edition. Chapter 7 DBMS Functions

The Encryption Anywhere Data Protection Platform

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

Secure any data, anywhere. The Vera security architecture

Security Overview for Windows Vista. Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation

Chapter 17. Transport-Level Security

Transcription:

Using PKI for PC Security Public Key Infrastructure (PKI) is an important foundation for network and information security. In essence, PKI provides an enterprise infrastructure for managing the keys necessary to operate a variety of familiar security applications such as Virtual Private Networks and secure email. PC security products can also be integrated with PKI, although there are some unique architectural and performance issues to be considered. Properly viewed, PKI is a useful, but not the only, means of integrating existing PC security products with an enterprise security architecture. PKI does not itself secure PCs. However, it can be used facilitate the administration of both types of PC security - file encryption or full disk encryption. Consequently the issue is not whether to use PKI, but rather to make a deliberate choice between file or disk encryption products. Given the considerable expense required to implement PKI, it is not cost effective to implement PKI for the sole purpose of central administration of PC security. This integration should be deferred until the enterprise can spread the cost of PKI across several PKI-enabled security applications. Meanwhile, some advanced PC security products provide effective proprietary means of central administration. 1

Because PKI is proposed as a universal security architecture, it is often erroneously believed that all security problems are resolved with the introduction of PKI. While PKI certainly makes a major contribution by providing scalable, central key management for multiple security applications, there remains the considerable task of creating those applications. PC security products are attractive targets for PKI implementation precisely because it has always been difficult to assimilate PCs into the enterprise security architecture. However, PKI is not the only way to centrally manage PC security. Some advanced products such as Pointsec have proprietary management tools that accomplish the same tasks. As the diagram below illustrates, PKI simply provides an alternative way to manage and secure the symmetric key that is actually used to encrypt or decrypt data. Symmetric keys are almost always used for bulk data encryption because they are an order of magnitude faster in operation than public-private key pairs. Since the symmetric key must be used to unlock the data, its own security is of paramount importance. In a PKI system, the symmetric key is encrypted with the public key and decrypted by the corresponding private key when needed. For extra security, the private key can be stored in a secure device such as a smart card. While smart cards definitely enhance security, the difficulty in establishing card standards coupled with the cost and compatibility issues surrounding card readers and drivers have made this option impractical for most organizations at present. Consequently, the private key is often stored on the disk in company with the symmetric key that it decrypts. In a proprietary system, the symmetric key can be encrypted and decrypted using a oneway hash of a password known to the user. Provided the password is never stored on the PC, this is also effective security. Both PKI and proprietary administration systems rely on a central authority to manage access to the symmetric key. Consequently, both systems lose control when the PC is not connected to the network. Even if user authorization has been revoked, the PC security software will not take appropriate action until communication with the central authority is re-established. 2

Protecting the Symmetric Key with encryption via one-way hash of user password Protecting the Symmetric Key with encryption via PKI 3

Overview File encryption products allow individuals in organizations to encrypt specific files on Windows based PCs. The files, once encrypted, are stored with and treated like any other file; thus users can copy, delete, or rename these files as security permissions permit. Except for those specifically encrypted files, access to the PC itself, the operating system, and system files remains uncontrolled. Issues High overhead degrades performance. In contrast with disk encryption where PKI is only utilized once per user session, file encryption products must use PKI each time a file is opened or closed. Since the entire file must be decrypted before it is displayed, long files can require a substantial wait. Inability to enforce security policy. Since users cannot be forced to use a file encryption system, it is not feasible to have a uniform application of security policy within the organization. File encryption technology requires users to be cognizant of security policies and procedures and to use this knowledge to determine which data files should be secured. To maintain security, each user must act conscientiously to manually encrypt files or to store sensitive information in specific encrypted directories. Incomplete security. File encryption does not control access to the PC, the operating system, system files or temp files. It also leaves directories and file structures visible to attackers. 4

Overview Full hard disk encryption is attractive because it is automatic and transparent to the users. Every sector of the hard drive is encrypted at all times. Security is therefore not dependent on user knowledge and compliance with security standards. Full disk encryption is invariably linked to boot protection. Before the user can access the PC, he must authenticate himself to the security product. Requiring user authentication before the operating system can be started greatly improves overall security because it prevents the use of many widely available Windows cracking utilities that compromise passwords. One clear advantage of full disk encryption is that PKI certificates, which contain the key pair, are fully encrypted with everything else on the hard drive. This process hides all directory structures making it virtually impossible to determine if a certificate is present or where it resides. Issues Boot level authentication cannot use PKI directly. PKI certificates cannot be used without the PC operating system. However, this can be remedied by creating a linkage between the boot authentication and the process that starts the certificates. Essentially the authentication to the PC security system also triggers a check of the certificate once the operating system is available. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information