Mobile Credentials
Ennio J. Carboni, Product Manager, Keon PKI
781-301-5323
ecarboni@rsasecurity



Page 1: Mobile Credentials

Ennio J. Carboni
Product Manager, Keon PKI
781-301-5323
ecarboni@rsasecurity

Page 2: RSA Keon®

• Robust, flexible Certification Authority

• Enhanced PKI Services
  – Interoperable across multiple certificate authorities, directory servers and applications
  – Powerful desktop with common credential store, two-factor authentication and file encryption
  – Security server providing policy management, trust management and credential mobility

• Application Integration
  – RSA BSAFE® Cert tools natively PKI-enabling applications
  – RSA Keon Agent toolkit for integrating existing non-PKI applications (SSO)

Page 3: RSA Keon component overview (diagram)

Components shown: RSA Keon Agent, RSA Keon Enhanced Services, RSA Keon Advanced PKI, RSA Keon Certificate Server, RSA Keon Security Server, RSA Keon Desktop, RSA SecurID Authenticator

Applications shown: Web App, E-mail, Application server (e.g. SAP), RSA BSAFE PKI-enabled app.

Page 4: RSA Keon Security Server

• Keon Credential Store management and delivery for mobile users

• Focal point for CA interoperability within Keon

• Automated certificate validation

• Centralized management for private key access policy

• Centralized logging depot for Keon components

• Replication for scalability

• Simplified Administration

Extend the use of digital certificates across organizations and applications

Page 5: RSA Keon Desktop

• File Encryption

• Protection of Credentials

• PKI Credential Interoperability

• Smart Card Support

• Reduced Logon

• Ease of Deployment

Providing the critical requirements for desktop e-Security

Page 6:

Certificates & Cryptography bind digital identities to the data and transactions they manipulate

Authenticators bind people to their digital identities

Security / Non-repudiation requires trust in certificates

Page 7: How Secure is the Private Key? (diagram)

• Crypto Operation

• Where is it stored?
  – Hard Drive
  – Smart Card
  – Virtual Smart Card

• How does the user authenticate to the store?

Page 8: (diagram)

PKCS #12 export – Password

Local PKI Credential Storage – Password

Page 9: PKCS #12 Issues

• PKCS #12 implementations hard to use

• Requires manual intervention

• No life cycle support

• Inconsistent update of credentials

• Limited security for private key
  – Password based

• Allows replication of identity

Page 10: Smart Cards and Authentication

• Smart Cards are ideal for PPK Authentication
  – The Private Key lives in secure tamper resistant storage
  – “2 factor” authentication is re-introduced since you need both the Smart Card and a PIN to unlock it
  – The crypto happens on the Smart Card with the help of a crypto accelerator
  – They fit into your wallet, and they scrape frost off car windows nicely!

Page 11: The Benefits of Smart Cards

• They are secure

• They are portable

• They can perform operations other than authentication
  – signatures, encryption

• They can support other applications
  – E-cash, Loyalty, ...

• They can be used as Employee badges

Page 12: RSA SecurID 3100 Smart Card

• Highest security
  – On-card digital signatures

• Supports latest application features
  – Dual keys and certificates

• Mobility
  – Credential store on-card with keys, certificates, login information and RSA SecurID seed

• Versatile
  – Supports RSA Keon Desktop for PKI applications and classic RSA SecurID-protected systems

Page 13: RSA SecurID 3100 Smart Card

• Smart Card Readers
  – PC/SC
  – Setec SetCad 203N
  – Philips PE112/PE122

• Smart Cards
  – Philips DX
  – Setec 8k
  – Setec 16k
  – GemPlus GPK8000

Page 14: Smart Card-Reader Interface

• There are actually two standardization issues to be dealt with
  – The electrical interface between the reader hardware and the PC
    • Fortunately standards exist here: RS232 and USB
  – More problematic is the interface between the reader hardware and the smart card
    • Two classes of interface were needed here:
      – Electrical Interface Standards
      – Command Interface Standards
    • ISO 7816 addresses these issues

Page 15: Smart Card Reader Interface

• The next level of problem is the API between the smart card reader and the host PC software
  – Until recently, each reader manufacturer had a proprietary API which was used to talk to the reader driver
    • This was an effort by the smart card reader manufacturers to lock applications into a particular reader

• Several years ago a consortium headed by Microsoft defined the PC/SC interface
  – It was intended to be used by systems other than Windows (Unix, PDAs, …)
  – In reality, it is primarily a Microsoft Windows standard

Page 16: Smart Card Formatting

• There are two major ways of dealing with this formatting problem:
  – One solution is to develop a standardized way to lay out the card directory, and name the files
    • PKCS15 developed by RSA Labs is an example
  – The other solution is to abstract the interface to the card so that you no longer deal with directories and files
    • JavaCard is an example

Page 17: PKI Credential Interoperability – Sharing credentials across multiple applications (diagram)

Applications shown: Netscape Communicator, Microsoft apps

Store shown: RSA Keon Credential Store

Interfaces shown: CAPI/CSP, PKCS#11

Page 18: The Barriers to Smart Cards

• They need a reader
  – This will be an issue until these become embedded in keyboards and notebooks

• They cost money
  – But prices are getting pretty reasonable

• Not all applications support PPK and Smart Cards
  – But many of today’s applications are Web based, and the browsers do support them

• Industry compatibility
  – PC/SC Readers now available
  – PKCS #15 from RSA Labs

Page 19: PKCS15

• What is it?
  – It is a specification for organizing cryptographic data onto authentication objects (e.g. card, other devices)
  – Allows multiple PKCS15 applications to live on the same card

• People frequently confuse PKCS11 and PKCS15
  – PKCS11 is a standard which defines how to plug cryptographic tokens into a crypto solution
    • These tokens could be smart cards or crypto accelerators, for example
  – PKCS15 is a standard which defines the layout of a smart card format, and the naming standard for common files

• The application developers who use smart cards are focusing on PKCS15

Page 20: Virtual Smart Card & Physical Smart Card – RSA Keon Advanced PKI Credential Store Format (diagram)

Keon Credential Store, divided into a Private Area and a Public Area

Labels shown: Symmetric File Encryption Key; NT/NetWare Credentials; RC4 128-bit Private Area Key; User’s Encryption X.509 Certificate (Public Key); User’s Signing X.509 Certificate (Public Key); Signing Private Key; Encryption Private Key

Page 21: Unique PKI Issues for B2B & Extended Enterprises

• Partners wishing to use PKI to protect transactions over the Internet
  – Must support the “Big 2” web browsers and mail clients
  – Must be secure over a public network
  – Must be unobtrusive to partners’ PCs
  – Must be easy to use
  – Solution must be secure, scalable, and manageable
  – Users’ credentials must be mobile

Page 22: Unique PKI Issues for B2B & Extended Enterprises

• Large enterprise deployments wanting to use PKI for a variety of functions
  – Browser, S/MIME, IPSec
  – The enterprise requires unobtrusive software
  – Must be easy to use
  – The solution must be secure and be run over a public network

Page 23: RSA Keon Advanced PKI Ease of Use: Credential Mobility (diagram)

Component shown: RSA Keon Security Server

Page 24: Downloadable Desktop Architecture (diagram)

Components shown: COM server, Local Security Service, RSA Security Cryptographic Services, Logoff Service

Clients shown: PKCS #11 Browsers and Mail Clients, Microsoft Browsers and Mail Clients, IPSec and Other Applications

Interfaces shown: PKCS #11, PKCS #11 or CSP, CSP

Page 25: Downloadable Desktop

• Credential mobility

• Multiple user credentials

• Certificate auto-enrollment
  – Keon Certificate Server Support

• Optional SecurID authentication

• Standards-based repository

Page 26: Downloadable Desktop

• Unobtrusive software
  – Small footprint
  – No device drivers
  – Installed by a normal user
  – No reboot

• Reduced sign-on/web SSO

• Interoperability with client PKI applications
  – Microsoft Internet Explorer, Outlook Express, Outlook 2000
  – Netscape Navigator, Messenger
  – Other “CSP” Applications

• Compatibility with authorization products

• Public APIs and CLIs for integration and customization

Page 27: Authentication Options

• Physical Smart Card

• Virtual Smart Card
  – PKCS #5 Password Enhancement
  – SecurID
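The "PKCS #5 Password Enhancement" above is what separates the virtual smart card from the plain password protection the deck faults in PKCS #12 (Page 9): the password goes through a salted, iterated key derivation before it unlocks the private area of the credential store (Page 20). As an added example (not from this deck or from RSA's products), the Python below derives the 128-bit private-area key with PKCS #5 v2.0 PBKDF2, wraps the private area with RC4 because that is the cipher the slide names, and adds an HMAC so a wrong password or a modified store is rejected instead of yielding garbage; the split of the derived material into a cipher key and a MAC key, and the sample private-area bytes, are assumptions.

```python
import hashlib
import hmac
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR. Used here only because the slide names it: RC4 is broken and
    unsuitable for new designs, and a stream cipher alone gives no integrity protection."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_area_key(password: str, salt: bytes, iterations: int) -> bytes:
    # PKCS #5 v2.0 PBKDF2: the salt defeats precomputed guesses, the iteration count prices each guess
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)


def lock_private_area(password: str, private_area: bytes, iterations: int = 100_000) -> dict:
    salt = os.urandom(16)  # fresh salt per store, so the same password never yields the same key
    km = derive_area_key(password, salt, iterations)
    enc_key, mac_key = km[:16], km[16:]  # 128-bit private-area key plus a separate MAC key (assumption)
    ct = rc4(enc_key, private_area)
    tag = hmac.new(mac_key, salt + ct, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "ct": ct, "tag": tag}


def unlock_private_area(password: str, store: dict):
    km = derive_area_key(password, store["salt"], store["iterations"])
    enc_key, mac_key = km[:16], km[16:]
    expected = hmac.new(mac_key, store["salt"] + store["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, store["tag"]):
        return None  # wrong password or tampered store: refuse rather than return garbage
    return rc4(enc_key, store["ct"])
```

Note that PBKDF2 only raises the cost of guessing the password offline; it does nothing about the "replication of identity" problem on Page 9, since the store file can still be copied, which is why the deck pairs it with SecurID or a physical card.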

Page 28: The Most Trusted Name in e-Security

WWW.RSASECURITY.COM