Certification Authority

Page 1: Certification Authority

Page 2: Overview

Identifying CA Hierarchy Design Requirements
Common CA Hierarchy Designs
Documenting Legal Requirements
Analyzing Design Requirements
Designing a Hierarchy Structure

Page 3: Identifying CA Hierarchy Design Requirements

Project Scope
Applications that Use a PKI
Which Accounts Use PKI-Enabled Applications?
How to Identify Technical Requirements
How to Identify Business Requirements

Page 4: Roles in a Certification Authority Hierarchy

Root CA
Policy CA
Issuing CA

Page 5: Applications That Use a PKI

Diagram: Windows 2003 Certificate Services at the centre, surrounded by the applications that use it:
Software Code Signing
Encrypting File System
Smart Card Logon
802.1x
IP Security
Internet Authentication
Secure E-mail
Software Restriction Policy
Digital Signatures

Page 6: Which Accounts Use PKI-Enabled Applications?

Users
Computers
Services

Page 7: How to Identify Technical Requirements

For: Security requirements
Ask: What is your organization’s security policy? Do you have any business partners? Do you have requirements for complying with industry or government standards?

For: Administration requirements
Ask: Who will manage CAs? Who will manage certificates?

For: Availability requirements
Ask: How many CAs does your organization require? How are certificates distributed between CAs?

Page 8: How to Identify Business Requirements

For: External access requirements
Ask: Will you issue certificates to non-employees? Will you get your certificates validated from external networks?

For: Availability requirements
Ask: Will you require certificate services at all hours? Will you require certificate services at all locations?

For: Legal requirements
Ask: What are your organization’s security practices? What is the liability of the organization?

Page 9: Common CA Hierarchy Designs

CA Hierarchy Based on Certificate Usage
CA Hierarchy Based on Location
CA Hierarchy Based on Departments
CA Hierarchy Based on Organizational Structure

Page 10: CA Hierarchy Based on Certificate Use

Use a CA hierarchy based on certificate use to:
Implement different issuance requirements
Meet local legal requirements for a specific certificate type

Diagram: Root CA, Policy CA, and one issuing CA per certificate use (S/MIME, EFS, RAS)

Page 11: CA Hierarchy Based on Location

Use a CA hierarchy based on location to:
Meet legal requirements for local management
Meet business requirements for CA availability

Diagram: Root CA, Policy CA, and one issuing CA per location (India, Canada, United States)

Page 12: CA Hierarchy Based on Organizational Structure

Use a CA hierarchy based on organizational structure to:
Implement policies for each user category
Delegate management of user categories to separate teams

Diagram: Root CA, Policy CA, and one issuing CA per user category (Employee, Contractor, Partner)

Page 13: Documenting Legal Requirements

Steps for Designing Legal Requirements
Security Policy
Certificate Policy
Certification Practice Statement

Page 14: Steps for Designing Legal Requirements

1. Develop the security policy
2. Create the certificate policy
3. Create the CPS (Certification Practice Statement)
4. Publish the CPS on the policy CA

Diagram: the Security Policy, Certificate Policy, and Certification Practice Statement documents alongside the Root CA, Policy CA, and Issuing CA tiers

Page 15: Security Policy

A security policy:
Defines for using security services
Reflects an organization’s business and IT strategy
Identifies applications to secure by using certificates
Defines security services to offer by using certificates

Page 16: Certificate Policy

A certificate policy describes:
The user identification process
Private key management requirements
The process for responding to lost or compromised private keys
Certificate enrollment and renewal requirements
The maximum dollar value for transactions

Page 17: Certification Practice Statement

A CPS can include these sections:
Introduction
General Provisions
Identification and Authentication
Operational Requirements
Physical, Procedural, and Personnel Security Controls
Technical Security Controls
Certificate and CRL Profile
Specification Administration

Page 18: Analyzing Design Requirements

Recommendations for Meeting Security Requirements
Recommendations for Meeting External Access Requirements
Recommendations for Meeting Application Requirements
Recommendations for Meeting Administration Requirements
Recommendations for Meeting Availability Requirements

Page 19: Recommendations for Meeting Security Requirements

Requirement: Secure root and policy CAs
Recommended actions: Remove root and policy CAs from the network; store offline CAs in a secure physical location

Requirement: Secure issuing CAs
Recommended actions: Use a secured server room with card access; minimize services on issuing CAs

Requirement: Protect private keys
Recommended actions: Use software CSPs; use smart cards or PC card tokens with PINs; use Hardware Security Modules

Requirement: Provide different issuance requirements
Recommended actions: Implement separate CAs to host certificate templates for each type of issuance requirement

Page 20: Recommendations for Meeting External Access Requirements

Requirement: Enable external clients to recognize certificates
Recommended actions: Use a commercial CA; implement cross certification; implement qualified subordination; publish the CRL and AIA information externally

Requirement: Manage certificates issued to external users
Recommended actions: Issue certificates from a private CA hierarchy

Requirement: Trust certificates from another organization
Recommended actions: Implement certificate trust lists; implement cross certification or qualified subordination

Page 21: Recommendations for Meeting Application Requirements

Requirement: Minimize the number of issued certificates
Recommended action: Implement multiple-use certificates

Requirement: Minimize the number of CAs
Recommended action: Publish multiple certificates from one CA

Requirement: Manage CAs based on applications
Recommended action: Publish each certificate template from a dedicated CA

Page 22: Recommendations for Meeting Administration Requirements

Requirement: Support delegated administration
Recommended actions: Place CAs at the same location as administrative staff; create a CA hierarchy based on project teams; implement role separation

Requirement: Support centralized administration
Recommended actions: Prohibit remote administration of CAs; deploy CAs in restricted physical locations; deploy fewer CAs and place them at major hubs of the network

Page 23: Recommendations for Meeting Availability Requirements

Requirement: High availability of a certificate template
Recommended actions: Publish the certificate template to more than one CA in the CA hierarchy

Requirement: Support multiple regions
Recommended actions: Publish certificate templates to CAs in each geographic region

Requirement: Minimize CA failure
Recommended actions: Provide sufficient disk space for the predicted certificate enrollment activity; use separate physical disks for the CA database and log files; implement RAID 5 or RAID 0+1 for the database disk

Page 24: Designing a CA Hierarchy Structure

Recommended Depth of a CA Hierarchy
Security Levels in the CA Hierarchy
Considerations for Choosing a CA Type
CA Management Using Role Separation
Guidelines for Designing a CA Hierarchy

Page 25: Recommended Depth of a CA Hierarchy

Recommended depth: Low security (1 level)
Requirements: A single root CA; small number of certificate requests; lower security requirements for CA security

Recommended depth: Medium security (2 levels)
Requirements: Offline root and online subordinates; a single offline CA is removed from the network; issuing online CAs; two or more CAs to issue each certificate template

Recommended depth: High security (3-4 levels)
Requirements: Offline root and offline policy CAs; online issuing subordinates; maximizing security; larger, geographically distributed, or high security organizations

Page 26: Security Levels in the CA Hierarchy

Security at the root CA:
Requires the highest level of security
Requires minimal access

As the distance from the root CA increases:
Security decreases
Access to issuing CAs increases

Diagram: Root CA, Policy CA, Issuing CA from top to bottom; Security runs from More (root) to Less (issuing), Ease of Access from Less (root) to More (issuing)

Page 27: Considerations for Choosing a CA Type

Decision point: When to use
Standalone: Offline CAs
Enterprise: Issuing CAs

Decision point: Active Directory
Standalone: Does not require Active Directory
Enterprise: Requires Active Directory

Decision point: Certificate type
Standalone: Provides support for standard certificate types
Enterprise: Implements certificate templates

Decision point: Certificate request management
Standalone: Issued or denied by a certificate manager
Enterprise: Issued or denied based on certificate template permissions

Page 28: Guidelines for Designing a CA Hierarchy

When designing a CA hierarchy:
Define the scope of your CA hierarchy design
Define all requirements for your CA hierarchy
Deploy an offline root CA
Design a hierarchy that is no more than 3-4 layers
Define appropriate security levels for each CA
Choose the appropriate CA policy for each CA
Plan role separation early in the CA hierarchy design
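The depth table on Page 25 and the "no more than 3-4 layers" guideline above are enforced in practice through the pathLenConstraint that each CA writes into its subordinates' certificates. The following Go program is an added example, not part of the original course material, using only the standard library's crypto/x509: it builds the three-tier design (offline root, policy CA, issuing CA), issues a user certificate, and shows that a leaf from an unplanned fourth CA tier fails chain validation. The CA names, subjects and validity periods are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // demo only: real CA software must handle errors
	}
	return v
}

// issue signs a certificate for cn with parent (self-signed when parent is nil); maxPathLen is the number of CA tiers allowed beneath a CA, -1 for end entities.
func issue(cn string, isCA bool, maxPathLen int, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))),
		Subject:               pkix.Name{CommonName: cn}, // constructed demo names
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // short-lived demo certificates
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		MaxPathLen:            maxPathLen,
		MaxPathLenZero:        isCA && maxPathLen == 0, // encode pathLenConstraint=0 explicitly
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // keyUsage is required on CA certificates
	}
	if parent == nil { // the root CA signs its own certificate
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildAndVerify builds root -> policy -> issuing -> user, then checks that the user chains to the root and that a leaf from an unplanned fourth CA tier does not.
func BuildAndVerify() (userOK, extraTierRejected bool) {
	root, rootKey := issue("Example Root CA", true, 2, nil, nil)                  // offline; 2 CA tiers beneath
	policy, policyKey := issue("Example Policy CA", true, 1, root, rootKey)        // offline; 1 CA tier beneath
	issuing, issuingKey := issue("Example Issuing CA", true, 0, policy, policyKey) // online; end entities only
	user, _ := issue("alice", false, -1, issuing, issuingKey)
	rogue, rogueKey := issue("Unplanned Sub CA", true, 0, issuing, issuingKey) // exceeds the issuing CA's pathlen 0
	leaf, _ := issue("mallory", false, -1, rogue, rogueKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	for _, c := range []*x509.Certificate{policy, issuing, rogue} {
		opts.Intermediates.AddCert(c)
	}
	chains := func(c *x509.Certificate) bool { _, err := c.Verify(opts); return err == nil }
	return chains(user), !chains(leaf)
}

func main() { fmt.Println(BuildAndVerify()) } // prints: true true
```

Running it prints `true true`: the user certificate chains to the offline root, while the leaf beneath the extra tier is rejected with a too-many-intermediates error even though every signature in its chain is valid.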