PKI

1
PKI Mobile Commerce

• Lisa Pretty, PKI Forum
• Philip Berton, Baltimore

2
Overview

• m-Commerce needs for security
• PKI Tutorial
• Current Advancements in PKI
• QA

3
Intro to PKI Forum

• The PKI Forum is an international,
  not-for-profit, multi-vendor and end-user
  alliance whose purpose is to accelerate the
  adoption and use of Public-Key Infrastructure
  (PKI). The PKI Forum advocates industry
  cooperation and market awareness to enable
  organizations to understand and exploit the value
  of PKI in their e-business applications.

4
State of Digital Mobile Telephony

• Global System for Mobile Communications (GSM)
  has over 215 million subscribers
• GSM alone has more subscribers than the Internet
  has users (210)

5
Examples of Wireless Applications

• Top three uses of Internet enabled mobile phones
• Travel related uses
• Online banking
• Email

6
Trust in The Wireless World
Who are you?
Can you pay?
Can you prove it?
Authentication
Payment
Validation
7
What is Public Key Infrastructure

• Public Key Infrastructure (PKI) is a combination
  of enabling technologies and practices which
  offer organizations and individual users ways to
  significantly enhance their security as well as
  protecting, identities, transactions and privacy
  on internal and public networks
• It is essential for successfully deploying
• e-business applications

8
PKI lets applications use public key cryptography
9
What PKI Provides

• Authentication to ensure parties are who they
  say they are
• Confidentiality to protect sensitive information
• Integrity to guarantee a transaction is not
  altered
• Non-repudiation to prove the transaction
  occurred to prevent any of the parties from
  reneging on a transaction

10
Business
11
Technology

• PKI technologically rests on
• Cryptographysymmetric, asymmetric and hash
• Directories and data bases
• IT security protocols (SSL, SMIME, IPSEC, etc.)
• Communications/network substrate (TCP/IP,
  networking, telephony, etc.)
• Certificate interoperability, management
• V509 V3, DCE, etc.
• CRL, OCSP, ASN1

12
Cryptography Is THE Basis for PKI

• There are three types of Cryptosystems
• Symmetric Key (sometimes called Secret Key)
• Asymmetric Key (Public Private Key Pairs)
• Message digests
• The best systems use all 3 cryptosystems

13
Symmetric Key
The same key is used to encrypt and decrypt the
data. DES is one example, RC4 is another.
14
Symmetric Key

• The Advantages
• Secure
• Widely Used
• The encrypted text is compact
• Fast

• The Disadvantages
• Complex Admin
• Requires Secret Key Sharing
• Large Number of Keys
• No non-repudiation
• Subject to interception

15
Asymmetric or Public/Private Key
What is encrypted with one key, can only be
decrypted with the other key. RSA is one example,
Elliptic Curve is another.
16
Asymmetric or Public/Private Key

• The Advantages
• Secure
• No secret sharing
• No prior relationship
• Easier Admin
• Many fewer keys
• Supports non-repudiation

• The Disadvantages
• Slower than symmetric key
• The encrypted text is larger than a symmetric
  version

17
Message Digest Algorithms

• Hashes are also widely used in cryptography, but
  crypto hashes have some special properties
• They cannot be run backwards to learn something
  about the original plain text
• The resulting hash does not tell you anything
  about the original plain text
• You cannot easily identify a plain text which
  will hash to a specific hash value
• SHA1 and MD5 are examples of crypto hashes

18
One Way Hash Function

• Cryptographic function that receives a variable
  length message as input and generates a fixed
  size message-digest (or hash)
• Easy to compute and irreversible
• Also used for providing data integrity

MD5
5d41402abc4b2a76b9719d911017c592
9bcfacf49c4636ee69e6ca22aae984c6
HashingAlgorithm
19
Digital Signatures
20
Digital Signatures
21
Cryptosystems
22
PKI Components

• Public/private key pair
• Digital certificate
• Certificate authority
• Repository
• PKI Enabled Client
• POLICY

23
Digital Certificates

• X.509 Standard Digital Certificate
• - generally used in ASN1 format in binary
• - can be represented in ASCII text
• (add a sample digital certificate)

24
Trusting the Public Key
X.509 Digital Certificate I officially
notarize the association between this
particular user and this particular Public
Key
25
X.509 What????
The International Telecommunications Union,
ITU-T (formerly know as CCITT), is a
multinational union that provides standards for
telecommunication equipment and systems. ITU-T
possesses a particular fashion for naming an
ITU-T X.500 directory CCI88b, X.509
certificates and Distinguished Names.
Distinguished names are the standard form of
naming ITU-T Recommendation X.509 CCI88c
specifies the authentication service for X.500
directories, as well as the widely adopted X.509
certificate syntax. in other words, a
standards body
26
Standards

• PKCS
• IETF
• ANSI X9F

27
Public Key Cryptography Standards (PKCS)-1
PKCS1 - Encrypting and signing using RSA
public-key cryptosystems PKCS3 - Key agreement
with Diffie-Hellman key exchange PKCS5 -
Encrypting with a secret key derived from a
password PKCS7 - Syntax for messages with
digital signatures and encryption PKCS8 - Format
for private key information PKCS9 - Attribute
types for use in other PKCS standards
28
Public Key Cryptography Standards (PKCS)-2
PKCS10 - Syntax for certification
requests PKCS11 - Defines the Cryptoki
programming interface PKCS12 - Portable format
for storing or transporting private keys PKCS13
- Encrypting and signing data using elliptic
curve cryptography PKCS14 - Gives a standard for
pseudo-random number generation PKCS15 - This
standard is under development it proposes a
standardized way of storing credentials on tokens
(smart cards)
29
PKIX

• A working group of the IETF
• RFC 2459 Certificate and CRL profile
• RFC 2510 CMP Operational Protocols
• RFC 2527 Cert Policy and Certification
  Practices Framework
• RFC 2559 LDAP
• RFC 2560 OCSP
• PKIX documents and related RFCs can be found at
  the following URLhttp//www.ietf.org/html.chart
  ers/pkix-charter.html

30
Certification Authority (CA)

• An Entity Whose Public Key You Trust
• Can be a Trusted Third Party
• The CA Issues Credentials
• Digital certificates is a form of credential
• Types of Digital Certificates
• Identity
• Attribute
• Role
• Permission

31
What is a Registration Authority?

• Definition
• Entity that typically operates locally to
  collect validated subject information and perform
  subject/key binding for a certification
  authority.
• Functions
• Validate subjects identity
• Generate and submit validated certification
  request to CA
• Provide local certificate life-cycle management
  support
• Optionally supports distribution of certificate
  to subject

32
What is a Directory/Repository?

• Definition
• Data structure associated with a Certification
  Authority(s) which hosts public key certificates
  for use by PKI population.
• Functions
• Support publication of certificates from CA(s)
• Support publication of certificate revocation
  lists from CA(s)
• Service subscriber/relying party requests for
  cert and CRL info
• High availability application transactional
  services
• Trusted operations, high integrity

33
Security Policies

• Corporate/business practices
• General security policies and practices
• Security policies and practices
• Specific IT security policies
• Cryptographic policies and practices
• Uses of cryptography for authentication,
  authorization, signing, non-repudiation, etc.
• Certificates policies and practices
• Certification Practices Statement (CPS
• Characteristics of policies
• Pertinent
• Actionable
• Enforceable
• Auditable

34
Legal Considerations

• US
• Electronic Signatures in Global and National
  Commerce (E-SIGN) US law, June 2000
• National Conference of Commissioners on Uniform
  State Laws (NCUSL)Uniform Commercial Code
• Government Paperwork Elimination Act 1998(GPEA)
  Title XVII of Public Law 105-2
• EU
• EU Directive on Electronic Signature
• Directs all member states to establish laws
  following EU Directive by end of 2001.
• Member states previous and current positions on
  cryptography, privacy and electronic signatures
• Asia and Others In development

35
Practical Steps for PKI Implementation

• A PKI solution should consist of
• A Security Policy
• Certificate Practice Statement (CPS)
• Certificate Authority (CA)
• Registration Authority (RA)
• Certificate Distribution System
• PKI-enabled Applications

36
Practical Steps for PKI Implementation

• There are several questions that need to be asked
  before starting
• What are you using PKI for?
• There are a rush of people wanting to use PKI
• People just dont understand PKI...
• Most people who don't fully understand the
  technology, will not understand why major,
  complex issues still exist

37
Practical Steps for PKI Implementation

• What goals do you hope to achieve with it?
• Focus on defining the business requirements and
  the value that PKI will add to your business.
• One of the largest issues in implementing PKI
  It is how PKI affects the business practice and
  models in use today at their firms.

38
Practical Steps for PKI Implementation

• Does scalability matter to you?
• If you are only going to issue a small number of
  certificates - no problems
• If you want to do tens of millions then you need
  to thoroughly investigate the options
• Think about manageability, security and policies
  issues.

39
Practical Steps for PKI Implementation

• Basic Steps for Implementing a Secure Application
  
• in an Internet Environment
• Identify the issues
• Define your requirements - short and longer term!
• Evaluate the security of your current application
• Establish security policies and procedures
• Define your Certification Practice Statement
• Select your security officers and administrators
• PKI-enable your applications
• Integrate your Directory
• Set up a Certification Authority
• Secure your CA facilities
• Run a preliminary test
• Launch your solution

40
Practical Steps for PKI Implementation

• Areas to think about
• I) Primary functional components
• Certificate application requests
• Identity verification
• Certificate issuance
• Revocation and renewal
• Interfaces
• Standards support

41
Practical Steps for PKI Implementation

• Areas to think about
• II) Certificate management support
• Certificate Revocation Lists (CRL) vs
  OnlineCertificate Status Protocol (OCSP)
• Key escrow/recovery
• Archiving
• Logging
• Directory services

42
Practical Steps for PKI Implementation

• Areas to think about
• III) Operational considerations
• Availability
• Performance and capacity
• Security policies and procedures
• Insurance and bonding
• Reporting and alarms
• Customer service
• Product service and support
• Training and documentation
• Cross-certification and interoperability

43
Public Key Lifecycle
44
M-Commerce Needs for Security

• Intra-domain and end-to-end
• Authentication
• Data integrity
• Data confidentiality
• Wireless Networking Constraints
• Handheld device size and processing power
• Carrier network bandwidth
• Carrier network reliability
• Network discontinuities
• Between different wireless carriers
• Between wireless and wired networks

45
Current Advancements in PKI

• Philip Berton
• Director Market Development
• Baltimore Technologies

46
Agenda

• Whos Baltimore
• PKI Uptake Integral for E/commerce
• Catalysts
• Example Applications
• Seamless Security Integration
• Wireless
• Advancements
• Smartcards Over The Air Registration
• Roaming Enterprise Solutions
• Hybrid PKI/Biometric Models
• Embedded PKI technology

47
Baltimore Technologies

• Global Company based in Dublin Ireland
• Over 1100 employees in 40 countries
• FY 2000 revenue 106M
• Philosophy Open protocols, standards based,
  create a foundation for widespread E/commerce
• What Baltimore Does
• PKI Unicert-- Hardware/Software, Hosting,
  Consulting
• Content Security-- MIME/Sweeper product family
• Access Control and Authorization -- Select
  Access announced best in class by E-Week

48
PKI Uptake

• 98 of Global 2000 Enterprises using PKI by
  2003 - Data monitor 1999.
• 280M in 99 and Expected to be 3B by 2004
• Australian Taxation Office (ATO)
• More digital certificates in 6 months than the
  entire existing certificate industry
• Being found in most Industries and applications
  Banking, Govt, Enterprise, Technology,
  Communications, HealthCare, B2B, etc.

49
Catalysts

• Growing Acceptance (Digital Signature laws)
• Analysts Technologists
• Large Scale Business Deployments
• Internet
• Business Philosophy Shift (share vs. concealment)
• Business Opportunities (HIPPA, E-Tax, E-Vote,
  etc.)
• Revolutionary
• Increased Efficiency
• Technology (Applications)

50
Legally Binding Digital Signatures

• 50 US States now have enacted laws regarding the
  scope of digital signatures
• http//www.mbc.com/ecommerce/legis/table01.html
• Germany, Italy, UK, EU and US Governments have
  enacted legislation
• Security continues to enable, more
  sophisticated, more valuable, more channels of
  electronic commerce

51
Change in Corporate Thinking
Identity/Signatures
Managing Business Relationships Online

• Secure Documents
• Personal Records
• Business trading distribution
• Affinity
• Information Access

Integration
Offense
Certificates
Smart Cards
Access
Assessment/Policy
Treating Large Groups Internally
Intrusion/Anti Virus
Password/PIN
Defense

• Email
• File access/share
• Directory lookup

Yellow Stickies
Firewalls
52
Todays Tomorrows PKI Incorporates
53
PKI Enabling

• Developer tools used to enable and create all
  kinds of
• Applications.
• XML (sign or verify)
• SSL (secure http, ftp, telnet)
• IP/Sec (VPN)
• WAP (authenticating and digital signing)
• S/MIME (email, EDI, legacy systems, storage)
• Java
• PKI enabled E/commerce w/o client via applets

54
The Identrus System

• An International trust infrastructure
• Identrus provides a technology and legal
  infrastructure to enable secure business to
  business e-commerce for member bank clients on a
  global basis by providing strong authentication
  and real time validation services.
• Business processes
• Legal Policies
• Risk Management
• Standards-based PKI
• Applications

55
Business Applications
Electronic Commerce
Financial Services

• Online Auction Markets
• Electronic Content Delivery
• Insurance Sales Contract
• Securities Trading
• Government Filings, Procurement, etc.

• ACH Payments
• Corporate Purchasing
• International Trade
• Letter of Credit
• Bill Presentation
• Statement Delivery

Identrus Certificate
7
56
Global Legal Framework
57
Seamless Security Integration
58
Defining policy based esecurity
POLICY
PKI
ACCESSCONTROL
CONTENTSECURITY
PKI as high security authentication
Content Policy Rules for Access Control
Authorization
59
Securing Wireless World
Wireless esecurity will extend Public Key
Infrastructures to mobile users
users
60
WTLS Authentication Levels

• All have privacy and integrity
• Class I- Anonymous (No authentication)
• Class II (Server authentication only)
• Class III (Client and server authentication)

X.509
X.509
WTLS
WAP Gateway
Web Server
Mobile User
61
Wireless Application Protocol (WAP)and WPKI

• WIM (Wireless Identity Module)
• Certificate IDs A reference URL pointing
• to the actual certificate
• It is a simple string requiring minimal
• bandwidth/storage
• No problem sending over the air
• Can store multiple certificates
• But most existing applications dont
• understand CertIDs

URL1
URL2
URL3
URL4
URL5
URLn
62
Enterprise - sample model
WTLS CLASS 3
63
PDA Market Forecasts

• Within 2-3 years 20-25 of corporate knowledge
  workers will obtain a companion computing device
  (e.g., PDA)...- META Group Feb, 2000
• Almost a quarter of desktop management spending
  in 2003 will be allocated to the control of
  mobile and remote PCs and other handheld devices
  within the enterprise... - IDC 9/01/99
• Researchers predict global sales of hand-held
  computers hitting 7.2B in 2003, with unit sales
  increasing to 32.5M from the current 8.2M -
  Wall Street Journal April, 2000

64
Embedded PKI

• Devices (phones, PDAs, appliances, satellites,
  cars, network devices, cable modems, etc.
• Increasing Intelligence in these devices
• Looking to include basic crypto and security
  functions like PKI which continues to build the
  foundation.
• TCPA (Trusted Computing Platform Alliance)
• Looking to complement standards such as VPN, IKE,
  PKI, SSL, IPSec, S/MIME, etc. by creating basic
  security functions into platform hardware, BIOS,
  system and operating software.
• Moores Law For Another Decade Speed Doubles
  Every 18 Months

65
SmartCards PKI

• Expand the boundaries of what you can do
• Bulk and Over the Air Registration
• Multiple factor authentication
• Increased Security (secure device)
• Feasibly integrated into any application with
  readers
• Allows for mobility a personal take it with you
  device
• Makes a roaming solution for Enterprise
  Road-Warriors obsolete the use of kiosks, public
  or 3rd party devices.

66
Hybrid Models PKI/Biometrics

• Biometrics identifying something unique to the
  individual finger print, iris, retina, hand
  geometry, voice, handwriting, etc.
• Biometrics being used in authentication into
  physical areas, onto networks, and onto
  personal/work devices.
• Many Biometric (Service Providers) companies are
  looking to have PKI back-ends and use biometrics
  for 2nd/3rd factor authentication. Device or
  Server Centric.
• There are issues in having the biometric data
  being communicated and compatible with PKI
  standards.

67
Conclusion Where Are We?
Crossing The Chasm by Geoffrey Moore
68
Conclusion

• The critical question-- What Needs to Happen for
  True
• PKI enabled E/Commerce?
• The continued convergence of technologies in
  communications, affiliated technologies and
  simple useful applications to make security easy
  invisible.
• Continued proof of efficiencies associated with
  the technology and the digital revolution.

69
Additional Information

• Website www.pkiforum.org
• Email info_at_pkiforum.org
• Phone 781-876-8810