Entrust by wuyunyi


Entrust Public Key Infrastructure

Erik Schetina
Chief Technology Officer
IFsec, LLC
eriks@ifsec.com www.ifsec.com

Orchestrating Enterprise Security   1997 Entrust Technologies
Agenda
Introduction to Entrust
What is a PKI
Entrust Product Line
Piloting and Rolling out a PKI
Questions




What is a PKI?
[Diagram: a Certification Authority at the centre, surrounded by Cross-certification, Key Histories, Key Backup & Recovery, Support for non-repudiation, Certificate Repository, Certificate Revocation, Automatic Key Update and Timestamping]

PKI Requirements
     Certification Authority
     Certificate repository
     Revocation system
     Key backup and recovery system
     Support for non-repudiation
     Automatic key update
     Management of key histories
     Cross-certification
     Timestamping services
     Client-side software
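To make the requirements above concrete, here is an added Python model (constructed for this page, not Entrust's code) of a certification authority, a certificate repository holding cross-certificates and CRLs, and a relying party that validates a certificate by checking expiry, signature and revocation status before walking cross-certificates up to its trust anchor. A keyed hash stands in for the CA's asymmetric signature so the logic runs offline; the CA names, serials and dates are sample values.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

# Constructed sample PKI: two CA domains that cross-certify each other. A keyed hash
# over the to-be-signed fields stands in for the CA's (asymmetric) signature.
NOW = datetime(1997, 6, 1, tzinfo=timezone.utc)
CA_KEYS = {"CA-A": b"signing-key-of-ca-a", "CA-B": b"signing-key-of-ca-b"}

def tbs(cert):  # canonical to-be-signed encoding (everything but 'sig')
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()

def issue(issuer, subject, serial, days, ca=False):
    cert = {"subject": subject, "issuer": issuer, "serial": serial, "ca": ca,
            "not_after": (NOW + timedelta(days=days)).isoformat()}
    cert["sig"] = hmac.new(CA_KEYS[issuer], tbs(cert), hashlib.sha256).hexdigest()
    return cert

# The Directory (certificate repository): end-entity certs, cross-certificates and CRLs.
REPO = [issue("CA-A", "CA-B", 1, 365, ca=True),   # cross-certificate: CA-A vouches for CA-B
        issue("CA-B", "CA-A", 1, 365, ca=True),   # cross-certificate: CA-B vouches for CA-A
        issue("CA-B", "alice", 7, 30),
        issue("CA-B", "mallory", 8, 30),          # listed on CA-B's CRL below
        issue("CA-A", "bob", 9, -1)]              # expired yesterday
CRLS = {"CA-A": {"revoked": [], "next_update": NOW + timedelta(days=1)},
        "CA-B": {"revoked": [8], "next_update": NOW + timedelta(days=1)}}

def status(cert, trusted_ca, now=NOW, depth=0):
    """Validate cert for a relying party anchored at trusted_ca: expiry, signature, CRL, then path."""
    issuer = cert["issuer"]
    if depth > 4 or issuer not in CA_KEYS:
        return "no trusted path"
    if datetime.fromisoformat(cert["not_after"]) < now:
        return "expired"
    expected = hmac.new(CA_KEYS[issuer], tbs(cert), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["sig"]):
        return "bad signature"
    crl = CRLS.get(issuer)
    if crl is None or crl["next_update"] < now:   # stale or missing CRL: cannot assert status
        return "revocation status unknown"
    if cert["serial"] in crl["revoked"]:
        return "revoked"
    if issuer == trusted_ca:
        return "valid"
    # Not at the anchor yet: follow a cross-certificate naming the issuer as subject (skip the reverse one)
    for cc in REPO:
        if cc["ca"] and cc["subject"] == issuer and cc["issuer"] != cert["subject"]:
            if status(cc, trusted_ca, now, depth + 1) == "valid":
                return "valid"
    return "no trusted path"
```

A relying party anchored at CA-A accepts alice's CA-B certificate only because the A-to-B cross-certificate exists and is itself unexpired, unrevoked and correctly signed.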

PKI with Entrust
Consistent security and trust
Single password and keys secure all applications
Automated key management
  • Key backup/recovery
  • Certificate issuance, storage and revocation
  • Key distribution, rollover and expiry
Low administrative cost/burden

PKI without Entrust
Inconsistent security and trust
  • Fragmented or non-existent policies and key management functions
Security “silos”
  • Each application performs its own security
  • Multiple key pairs and certificates
  • Multiple passwords
  • Costly, burdensome administration


Entrust Components
Certificate Authority
Directory
Client Software (Certificate Store)
 • E-Mail
 • Web
 • VPN
 • Any Entrust-Ready Application
Applications



What is Key Management?
Issues:
  • generating keys
  • keeping backup keys
  • dealing with compromised keys
  • changing keys
  • restoring keys
Key and certificate management is difficult


Why is Key Management Important?
User Enrollment
Key Renewal
Restoration of Lost Keys
Automated functionality




Certificate-Issuing Services (CA)
What they provide:
    Issue certificates for a fee (per cert/per year)
What you don’t get:
    Little control over certificate issuance policies
    No key recovery (forgotten password = lost data)
    No key history (what happens when certificates expire?)
    Liability issues
    No control over trust model and root keys
    No automatic and transparent certificate revocation checking
    No client capabilities




Entrust Architecture
[Diagram: Security Officers, Entrust Administrators and Directory Administrators working through Entrust/Admin; the Directory and Entrust/Manager in the middle tier; Entrust Users running Entrust-Ready applications and Entrust/Engine desktop crypto software]
The Directory
Stores certificates, CRLs, cross-certificates, ...
Interoperates with numerous LDAP-compliant directories
  • ICL, Control Data, Digital, Netscape, Unisys, ...
  • supports Directory distribution
Supports redundancy


Entrust Products
Entrust/Entelligence
 • Stores and Manages Certificates
Entrust/Express - Email plug-in
Entrust/Direct - Web, Extranet
Entrust/Unity - SSL & S/MIME
Entrust/Access - VPN
Entrust/Toolkit - Enable applications
Entrust/TimeStamp


Entelligence on the Desktop
Tight integration into Entrust-Ready applications
Secure key storage options
  • smart cards, PC cards, biometric devices, and secure software profiles
Secure single log on
Consistent, trustworthy key lifecycle management across applications
 • minimizes administrative costs

‘Entrust-Ready’ Desktop Architecture
[Diagram: the Entrust User and “Entrust-Ready” applications sit above Entrust/Engine, which consists of Communications Services and a Security Kernel; the engine links to Entrust/Manager and the Directory, a Personal address book, the User profile, and PKCS #11 Tokens]
Entrust/Toolkit Integration
[Diagram: through the Toolkit, Entrust becomes the security management point for all Entrust-Ready applications and services: Entrust-Ready Remote Access, Entrust-Ready E-mail, Entrust-Ready E-forms and the Entrust-Ready Browser]

Secure e-mail made easy
What is Entrust/Express?
Secure e-mail plug-in for users of Microsoft Exchange and Microsoft Outlook
Encrypt and/or digitally sign message text and attachments
Provides message confidentiality and integrity
For Windows 95 and Windows-NT 4.0
Secure VPNs/Remote Access
Entrust/Access

Virtual Private Networks
What is a VPN?
  • A private and secure network carved out of a public or insecure network
Relevant Standards
  • IPSec - interoperable packet-layer encryption
  • ISAKMP Oakley - users are authenticated with digital signatures and X.509 certificates


VPN Partners
Remote Access, Firewall, VPN Gateways
  Milkyway - SecurIT
  Raptor - EagleMobile Pro
  Timestep - PERMIT Product Suite
  Stac - ReachOut
  Sagus - Defensor
  KyberPASS
  Check Point - FireWall-1




Secure Remote Access
provides significant cost savings over dial-up (phone lines, maintenance, ID cards)
scalable - able to grow as the demand for remote access increases.
[Diagram: a Mobile User reaches the Human Resources Server and Finance Server across the Internet through a VPN Gateway, with the Entrust Manager shown alongside]


Secure Extranet Applications

Intra/Extra Net Solution
[Diagram: Target Solution: a Web Browser and a Server communicating over the Internet, Intranet, or Extranet]
 • Provides Entrust Enterprise Solution PKI capabilities to off-the-shelf Web browsers and servers
 • Thin client software on user desktop
 • Extranet applications

Security you set and forget
Entrust/ICE
Desktop/laptop encryption software
Easy-to-use
Works with any desktop application
Automatic encryption
Security on-line or off-line
Windows 95 and Windows-NT 4.0

Entrust-Ready Applications

Web Browser
Email
Workgroup
Smart Cards and Biometrics
VPN
Forms
Human Resources
Deploying a PKI
Begin with a pilot
 • Pick a single application
 • Evaluate the technology
 • Prove the utility
Currently piloting Entrust
 • CA, X.500, Secure E-Mail
 • Lotus Notes
 • Short time to deploy (weeks)


Deploying a PKI (cont.)
Rolling out an Operational PKI
  • Planning and Goals
  • Acceptable Usage (CPS)
  • Disaster Recovery
  • Applications
    Access to records
    E-commerce with State contractors
    Remote access to internal resources




Summary
Automates user administration
Integration across many applications (single sign-on)
Enables trustworthy business over the web
Growing collection of Entrust-enabled applications


