
Entrust Public Key Infrastructure

Entrust Public Key Infrastructure. Erik Schetina Chief Technology Officer IFsec, LLC eriks@ifsec.com www.ifsec.com. Agenda. Introduction to Entrust What is a PKI Entrust Product Line Piloting and Rolling out a PKI Questions. Certification Authority. Cross-certification.


Presentation Transcript


  1. Entrust Public Key Infrastructure • Erik Schetina, Chief Technology Officer, IFsec, LLC • eriks@ifsec.com • www.ifsec.com • Orchestrating Enterprise Security

  2. Agenda • Introduction to Entrust • What is a PKI • Entrust Product Line • Piloting and Rolling out a PKI • Questions

  3. What is a PKI? • Certification Authority • Cross-certification • Key Histories • Key Backup & Recovery • Support for non-repudiation • Certificate Repository • Certificate Revocation • Automatic Key Update • Timestamping

  4. PKI Requirements • Certification Authority • Certificate repository • Revocation system • Key backup and recovery system • Support for non-repudiation • Automatic key update • Management of key histories • Cross-certification • Timestamping services • Client-side software

  5. PKI with Entrust • Consistent security and trust • Single password and keys secure all applications • Automated key management • Key backup/recovery • Certificate issuance, storage and revocation • Key distribution, rollover and expiry • Low administrative cost/burden

  6. PKI without Entrust • Inconsistent security and trust • Fragmented or non-existent policies and key management functions • Security “silos” • Each application performs its own security • Multiple key pairs and certificates • Multiple passwords • Costly, burdensome administration

  7. Entrust Components • Certificate Authority • Directory • Client Software (Certificate Store) • Applications: E-Mail, Web, VPN, any Entrust-Ready application

  8. What is Key Management? • Issues: • generating keys • keeping backup keys • dealing with compromised keys • changing keys • restoring keys • Key and certificate management is difficult

  9. Why is Key Management Important? • User Enrollment • Key Renewal • Restoration of Lost Keys • Automated functionality

  10. Certificate-Issuing Services (CA) • What they provide: • Issue certificates for a fee (per cert/per year) • What you don’t get, and the drawbacks: • Little control over certificate issuance policies • No key recovery (forgotten password = lost data) • No key history (how do you decrypt data protected under a key whose certificate has expired?) • Liability issues • No control over trust model and root keys • No automatic and transparent certificate revocation checking • No client capabilities
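Slides 8 to 10 describe key management (generating, changing, backing up and restoring keys, and the key history that outsourced CAs lack) in prose only. The block below is an added example written for this page, not code from the presentation or from Entrust. It models, in Go, how a key history plus a backup/recovery service keep old ciphertext readable across automatic key updates, and why the signing key must stay out of the backup. The `KeyHistory` type, the 8-byte key-ID prefix on each ciphertext and the PKCS#1 DER backup format are assumptions made for this illustration, not Entrust's formats.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// keyID names a public key by the first 8 bytes of SHA-256 over its DER form;
// every ciphertext carries it so a reader knows which private key to use.
func keyID(pub *rsa.PublicKey) [8]byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an RSA key
	sum := sha256.Sum256(der)
	var id [8]byte
	copy(id[:], sum[:8])
	return id
}

// KeyHistory (hypothetical) holds one user's decryption keys: the current one
// seals new data, every predecessor is kept so old data stays readable.
type KeyHistory struct {
	current *rsa.PrivateKey
	keys    map[[8]byte]*rsa.PrivateKey
}

func NewKeyHistory() *KeyHistory {
	h := &KeyHistory{keys: map[[8]byte]*rsa.PrivateKey{}}
	h.Update()
	return h
}

// Update is the automatic key update: a fresh pair becomes current and the
// old one is retained in the history rather than destroyed.
func (h *KeyHistory) Update() {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	h.current = k
	h.keys[keyID(&k.PublicKey)] = k
}

// Encrypt seals msg under the current public key, prefixed with its key ID.
func (h *KeyHistory) Encrypt(msg []byte) ([]byte, error) {
	id := keyID(&h.current.PublicKey)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &h.current.PublicKey, msg, nil)
	if err != nil {
		return nil, err
	}
	return append(id[:], ct...), nil
}

// Decrypt resolves the key ID through the history, so data sealed under a
// key that has since been rolled over is still readable.
func (h *KeyHistory) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 8 {
		return nil, errors.New("ciphertext too short")
	}
	var id [8]byte
	copy(id[:], blob[:8])
	k, ok := h.keys[id]
	if !ok {
		return nil, fmt.Errorf("no decryption key with id %x in history", id)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k, blob[8:], nil)
}

// Backup exports every decryption key (PKCS#1 DER) for the recovery service.
// A user's signing key must never be in this set: escrowing it would let
// someone else produce the user's signatures and defeat non-repudiation.
func (h *KeyHistory) Backup() [][]byte {
	var out [][]byte
	for _, k := range h.keys {
		out = append(out, x509.MarshalPKCS1PrivateKey(k))
	}
	return out
}

// Restore rebuilds the history from a backup (lost profile, forgotten
// password), then rolls straight to a fresh current key.
func Restore(backup [][]byte) (*KeyHistory, error) {
	h := &KeyHistory{keys: map[[8]byte]*rsa.PrivateKey{}}
	for _, der := range backup {
		k, err := x509.ParsePKCS1PrivateKey(der)
		if err != nil {
			return nil, err
		}
		h.keys[keyID(&k.PublicKey)] = k
	}
	h.Update()
	return h, nil
}

func main() {
	h := NewKeyHistory()
	old, _ := h.Encrypt([]byte("sealed before the key update"))
	h.Update()                  // key rolls over; the old ciphertext must stay readable
	r, _ := Restore(h.Backup()) // recovery onto a fresh profile
	pt, err := r.Decrypt(old)
	fmt.Printf("%q %v\n", pt, err)
}
```

Encrypting under the current key and then calling `Update` leaves the earlier ciphertext decryptable only because the earlier private key is retained; `Restore` from the backup onto a fresh profile recovers the same ability, which is exactly what a forgotten password costs when no recovery service exists (slide 10). The backup deliberately contains decryption keys only: if anyone but the user could hold the signing key, a signature would no longer prove who made it, so a recovered user gets a newly generated signing key and certificate rather than the old one.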

  11. Entrust Architecture (diagram) • Roles: Security Officers, Entrust Administrators, Directory Administrators • Components: Entrust/Admin, Entrust/Manager, Directory • Entrust Users, running Entrust-Ready™ applications and Entrust/Engine desktop crypto software

  12. The Directory • Stores certificates, CRLs, cross-certificates, ... • Interoperates with numerous LDAP-compliant directories • ICL, Control Data, Digital, Netscape, Unisys, ... • Supports directory distribution • Supports redundancy
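Slides 3, 4 and 12 list cross-certification, a certificate repository and certificate revocation as requirements without showing the mechanics. The block below is an added example for this page, not code from the presentation or from Entrust, written against Go's standard `crypto/x509` package (Go 1.19 or later, for `ParseRevocationList`): two root CAs, a cross-certificate issued by one over the other's root key, chain validation with and without that cross-certificate, and a CRL check that verifies the list's signature and freshness before trusting it. The CA names, serial numbers, one-year validity and the `NewRoot`, `CrossCertify`, `IssueUser`, `ChainsToRoot`, `IssueCRL` and `IsRevoked` helpers are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a one-year certificate skeleton; ca adds the CA constraints.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl over pub with signer (parent == tmpl gives a self-signed cert).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c
}

// NewRoot creates a self-signed CA for one certification domain.
func NewRoot(cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := template(cn, serial, true)
	return issue(t, t, &key.PublicKey, key), key
}

// CrossCertify has one domain's CA re-issue the other domain's root (same
// subject, same key, new issuer) so that relying parties trusting only the
// first domain can build a chain to users of the second.
func CrossCertify(fromCert *x509.Certificate, fromKey *ecdsa.PrivateKey, toCert *x509.Certificate) *x509.Certificate {
	return issue(toCert, fromCert, toCert.PublicKey.(*ecdsa.PublicKey), fromKey)
}

// IssueUser certifies a fresh user key pair under the given CA.
func IssueUser(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, serial int64) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return issue(template(cn, serial, false), caCert, &key.PublicKey, caKey)
}

// ChainsToRoot reports whether user validates against root, with the
// cross-certificates in bridge offered as intermediates.
func ChainsToRoot(user, root *x509.Certificate, bridge ...*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range bridge {
		inter.AddCert(c)
	}
	_, err := user.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// IssueCRL has the CA sign a one-day CRL listing the revoked serial numbers.
// RevokedCertificates (not the newer RevokedCertificateEntries) keeps it on Go 1.19.
func IssueCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*big.Int) []byte {
	now := time.Now()
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		crl.RevokedCertificates = append(crl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, crl, caCert, caKey)
	if err != nil {
		panic(err)
	}
	return der
}

// IsRevoked checks cert against a CRL fetched from the directory, verifying the
// list's signature and freshness first: a forged or stale CRL could otherwise
// hide a revocation behind a "not revoked" answer.
func IsRevoked(cert, issuer *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %v", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Usage: with `a, aKey := NewRoot("Root A", 1)` and `b, bKey := NewRoot("Root B", 2)`, a user certified by `IssueUser(b, bKey, "alice", 10)` fails `ChainsToRoot(alice, a)` but passes `ChainsToRoot(alice, a, CrossCertify(a, aKey, b))`: the relying party never had to import Root B, only to trust Root A and fetch the cross-certificate from the directory. The CRL must be signed by the CA that issued the certificate being checked (Root B here); a list signed by any other key, or one past its `NextUpdate`, is reported as an error rather than silently treated as "not revoked".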

  13. Entrust Products • Entrust/Entelligence • Stores and Manages Certificates • Entrust/Express - Email plug-in • Entrust/Direct - Web, Extranet • Entrust/Unity - SSL & S/MIME • Entrust/Access - VPN • Entrust/Toolkit - Enable applications • Entrust/TimeStamp

  14. Entelligence on the Desktop • Tight integration into Entrust-Ready applications • Secure key storage options • smart cards, PC cards, biometric devices, and secure software profiles • Secure single log on • Consistent, trustworthy key lifecycle management across applications • minimizes administrative costs

  15. ‘Entrust-Ready’ Desktop Architecture (diagram) • “Entrust-Ready” applications • Entrust/Engine: Security Kernel and Communications Services • Connections to Entrust/Manager and the Directory • PKCS #11 tokens • User profile • Personal address book

  16. Secure e-mail made easy

  17. What is Entrust/Express? • Secure e-mail plug-in for users of Microsoft Exchange and Microsoft Outlook • Encrypt and/or digitally sign message text and attachments • Provides message confidentiality and integrity • For Windows 95 and Windows-NT 4.0

  18. Secure VPNs/Remote Access: Entrust/Access • Orchestrating Enterprise Security

  19. Virtual Private Networks • What is a VPN? • A private and secure network carved out of a public or insecure network • Relevant Standards • IPSec - interoperable packet-layer encryption • ISAKMP/Oakley - users are authenticated with digital signatures and X.509 certificates

  20. VPN Partners • Remote Access, Firewall, VPN Gateways • Milkyway - SecurIT • Raptor - EagleMobile Pro • TimeStep - PERMIT Product Suite • Stac - ReachOut • Sagus - Defensor • KyberPASS • Check Point - FireWall-1

  21. Secure Remote Access • Provides significant cost savings over dial-up (phone lines, maintenance, ID cards) • Scalable - able to grow as the demand for remote access increases • (diagram) Mobile User → Internet → VPN Gateway → Human Resources Server, Finance Server; Entrust Manager

  22. Secure Extranet Applications • Orchestrating Enterprise Security

  23. Internet, Intranet, or Extranet (diagram: Web Browser → Intra/Extranet Solution → Target Solution) • Provides Entrust Enterprise Solution PKI capabilities to off-the-shelf Web browsers and servers • Thin client software on user desktop • Extranet applications

  24. Security you set and forget

  25. Entrust/ICE • Desktop/laptop encryption software • Easy-to-use • Works with any desktop application • Automatic encryption • Security on-line or off-line • Windows 95 and Windows-NT 4.0 • Orchestrating Enterprise Security © 1997 Entrust Technologies

  26. Entrust-Ready Applications • Web Browser • Email • Workgroup • Smart Cards and Biometrics • VPN • Forms • Human Resources

  27. Deploying a PKI • Begin with a pilot • Pick a single application • Evaluate the technology • Prove the utility • Currently piloting Entrust • CA, X.500, Secure E-Mail • Lotus Notes • Short time to deploy (weeks)

  28. Deploying a PKI (cont.) • Rolling out an Operational PKI • Planning and Goals • Acceptable Usage (CPS) • Disaster Recovery • Applications • Access to records • E-commerce with State contractors • Remote access to internal resources

  29. Summary • Automates user administration • Integration across many applications (single sign-on) • Enables trustworthy business over the web • Growing collection of Entrust-enabled applications
