ECURE 2002
PKI Records Management and Archive Issues
October 10, 2002, Phoenix, AZ
Charles Dollar, Dollar Consulting

Agenda
1. Introduction/Orientation
2. Digital Communication
3. What is PKI?
4. PKI Administrative Records Functions
5. PKI Operational Records v. PKI Electronic Recordkeeping Requirements
6. Recommendations

PKI Case Study: Overview
- Not a PKI tutorial
- Work for the National Archives and Records Administration
- Opportunity for records managers/archivists

Digital communication
- Closed and secure (national defense, VPN)
- Open and secure (SSL)
- Open and non-secure (PKI)

PKI a "hot technology"
- E-Commerce
- E-Governance
- State of Illinois





What Is PKI?
A PKI is an asymmetric cryptography security environment that supports the transmission, delivery, and receipt of digital communications over a nonsecure communications channel.

What Does PKI Do?
- Authenticates sender of digital communications
- Protects integrity of digital communications
- Key pair
  - Private
  - Public
- Trusted third party

How PKI Works in Digital Communications

Hash Digest Values
[Illustration: the hash digest values of two 337.60 KB files]
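Added example, not from the presentation: a toy version of the sign-and-verify step the slides describe, using only Python's standard library and a constructed 92-bit RSA key pair (real keys are 2048 bits or more, and real signatures use a padding scheme rather than the bare modular reduction used here). The sender signs the hash digest of the message with the private key; the receiver checks it with the public key, so any change to the message makes verification fail.

```python
import hashlib

# Constructed toy key material: two Mersenne primes (2^61-1 and 2^31-1), so the
# modulus is about 92 bits. Far too small for real use; enough to show the mechanism.
P, Q = (1 << 61) - 1, (1 << 31) - 1


def make_key_pair(p=P, q=Q, e=65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent; modular inverse needs Python 3.8+
    return (n, e), (n, d)


def hash_digest(message: bytes) -> str:
    """Hash digest value of a message: two files of equal size still differ here."""
    return hashlib.sha256(message).hexdigest()


def _digest_int(message: bytes, n: int) -> int:
    # Reduce the digest into the key's range. Toy step only: real RSA signing
    # applies PKCS#1 v1.5 or PSS padding instead of a plain modular reduction.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sender signs the digest with the private key that only the sender holds."""
    n, d = private_key
    return pow(_digest_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver recomputes the digest and checks it against the signature using the
    sender's public key (in practice obtained from a certificate issued by the
    trusted third party). True means the private-key holder signed this exact message."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)


if __name__ == "__main__":
    public, private = make_key_pair()
    msg = b"Transfer inactive keys and CRLs to storage"  # constructed message
    sig = sign(msg, private)
    print("digest:", hash_digest(msg))
    print("valid signature:", verify(msg, sig, public))
    print("after tampering:", verify(msg + b"!", sig, public))
```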

Key PKI management concepts
- PKI standard: X.509
- Certificate Policy (CP): What
- Certificate Practice Statement (CPS): How
- PKI administrative records v. PKI transaction records
- Little or no good practice guidance

Certificate Policy (CP) for Access Certificates for Electronic Services
- General Provisions
- Identification and Authentication
- Operational Requirements
- Physical, Procedural, and Personnel Security Controls
- Technical Security Controls
- Certificate and CRL Profiles
- Policy Administration

CP Operational Requirements
- Certificate Issuance & Acceptance
- Certificate Suspension & Revocation
- Computer Security Audit Procedures
- Records "Archival"
- Compromise & Disaster Recovery

Certificate Practice Statement (CPS)
To Be Discussed Later Under PKI Operational and Electronic Recordkeeping Requirements

PKI Records
- ALL PKI RECORDS
  - ADMINISTRATIVE RECORDS
    - Unique Administrative Records
    - Supporting Administrative Records
  - TRANSACTION RECORDS
    - Subscriber Use of Digital Signature

PKI Administrative Records

PKI Administrative Records Guidance Constraints
- PKI records are not unique
- PKI operational system v. PKI recordkeeping system
- Some PKI records are paper-based





PKI functions
- Plan/define PKI
- Establish, startup, install
- Operate
- Audit/monitor
- Reorganize/dismantle

PKI Functions, Activities, and EXAMPLE Records

Function: Plan/Define
Activities: Develop business plan; Authorize project; Develop project plan; Personnel requirements; In/out source analysis; Develop Certificate Policy; Develop Certificate Practice Statement; Develop Certificate Profile
Example records: Project authorization; Project plan; In/out source analysis decision; Certificate Policy; Certificate Practice Statement

Function: Establish
Activities: Select Certificate Authority and Registration Authority; Select/establish Certificate Repository; Establish Certificate Archive; Create CA signature; Internal: install and test HW/SW; Test security
Example records: Analysis/selection records for CA and RA; 3rd party validation records; CA key installation records; Test records; Security procedures

Function: Operate
Activities: Identity proof and register users; Issue digital certificates; Establish CRL; Maintain CRL; Suspend/revoke certificates; Renew certificates; Hire, train staff; Install HW/SW updates
Example records: Identity proofing records; Subscriber agreement; Issuance/rejection of certificates; Certificates; CRL; Audit trail of CRL changes; Job applications and training records

Function: Audit/Monitor
Activities: Monitor external security; Investigate internal fraud; Internal audit of HW/SW security; External audit of HW/SW security; Create audit trail of PKI events; CA/RA renewal approval
Example records: Investigative reports and disciplinary reports; Internal audit reports; External audit reports; Audit trail of PKI events; CA/RA renewal and approval documents

Function: Reorganize
Activities: Create plan to reorganize, consolidate, or terminate; Approve termination; Notify subscribers; Transfer inactive keys and CRLs to storage; Transfer consenting subscribers to new CA
Example records: Decision documents; Plan to reorganize or terminate CA; List of subscriber notification; Subscriber transfer documentation; Approval of termination

Example Operate Functions and Related Records

Functions:
- Identity proof and register users
- Issue digital certificates
- Establish CRL
- Maintain CRL
- Suspend/revoke certificates
- Renew certificates
- Hire, train staff
- Install HW/SW updates

Records:
- Identity proofing records
- Subscriber agreement
- Issuance/rejection of certificates
- Certificates
- CRL
- Audit trail of CRL changes
- Job applications and training records

PKI Requirements Overview

PKI Record capture

Operational:
1. Accurate and complete at or near the time of the event
2. Event log that tracks all activities associated with capture
3. Automatic population of record series title, disposition, and vital records status

Recordkeeping:
1. As database tables or as "rendered for viewing"
2. Technology neutral formats
3. Paper-based records
4. Document transfer of records to ERS
5. Confirm integrity of transferred records
6. Complete and accurate transfer of metadata

PKI records metadata

Operational:
1. Augment event log data with series title, retention period, vital record status
2. For each unique event:
   - Common name
   - Certificate number
   - Date of event
   - Distinguished name
3. Restrict changes in metadata to authorized persons

Recordkeeping:
1. Minimum attributes specified in operational requirements
2. For CP and CPS use registered Object ID
3. View/print complete metadata
4. Computer generated unique id for each record
5. Record location of electronic and paper records
6. Human readable bar code for all paper records
7. Restrict changes to authorized persons
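Added example, not part of the presentation: an operational event log that captures the metadata listed in the record capture and metadata requirements above (common name, certificate number, date of event, distinguished name, automatically populated series title, disposition and vital record status), assigns a computer generated unique id to each record, restricts capture to authorized persons, and lets the recordkeeping side confirm the integrity of records transferred to the ERS. The SERIES table and the hash chain are assumptions of this example, not requirements stated in the slides.

```python
import hashlib, json, uuid
from datetime import datetime, timezone

# Constructed series metadata that the operational system populates automatically
# (series title, disposition, vital record status) for each kind of PKI event.
SERIES = {
    "issue":  {"series_title": "Certificates", "disposition": "permanent", "vital": True},
    "revoke": {"series_title": "CRL changes",  "disposition": "permanent", "vital": True},
}


class PkiEventLog:
    # Append-only PKI event log carrying the minimum metadata plus a hash chain.
    def __init__(self, authorized_users):
        self._authorized = set(authorized_users)  # only these may create records
        self._records = []

    def capture(self, actor, event, common_name, certificate_number, distinguished_name):
        if actor not in self._authorized:
            raise PermissionError(f"{actor} may not capture PKI records")
        record = {
            "record_id": str(uuid.uuid4()),  # computer generated unique id per record
            "event": event,
            "common_name": common_name,
            "certificate_number": certificate_number,
            "distinguished_name": distinguished_name,
            "date_of_event": datetime.now(timezone.utc).isoformat(),  # captured at the event
            "captured_by": actor,
            "prev_hash": self._records[-1]["hash"] if self._records else "",
            **SERIES[event],  # KeyError for an event type with no series defined
        }
        record["hash"] = self.record_hash(record)
        self._records.append(record)
        return record

    @staticmethod
    def record_hash(record):
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def export(self):  # copies handed over to the electronic recordkeeping system
        return [dict(r) for r in self._records]

    @classmethod
    def verify_transfer(cls, records):
        prev = ""  # confirm integrity of transferred records: every hash and link must match
        for r in records:
            if r.get("prev_hash") != prev or cls.record_hash(r) != r.get("hash"):
                return False
            prev = r["hash"]
        return True
```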

Recommendations
- Become knowledgeable about X.509
- Get involved in PKI discussions NOW
- Understand the differences between operational PKI systems and PKI recordkeeping requirements
- Adopt/implement federal government guidance
- Don't accept "we can't do that" from IT and PKI vendors
- Make the risk management argument

Summary
- Topics covered
- Seize the opportunity



Questions?

Thank you!

Charles Dollar
thecdollar@cs.com
Tel.: (253) 853-6346


				