Sentry: A Scalable Solution - PowerPoint PPT Presentation

Slides: 28
Provided by: oasi4
Learn more at: http://www.oasis-pki.org

Transcript and Presenter's Notes

1
Sentry: A Scalable Solution
  • Margie Cashwell
  • Senior Sales Engineer
  • mcashwell_at_xcert.com
  • Sept 2000

2
Overview
  • State of Digital Mobile Telephony
  • Examples of Wireless Applications
  • PKI Architecture
  • Scalability
  • Extensibility
  • Scalable Solutions
  • Sample Architectures

3
State of Digital Mobile Telephony
  • Global System for Mobile Communications (GSM)
    has over 215 million subscribers
  • GSM alone has more subscribers than the Internet
    has users (210)
  • Paradigm shift in mobile telephony 3G,
  • Sprint 1st cellular provider to offer service in
    US

4
Examples of Wireless Applications
  • Top three uses of Internet enabled mobile phones
    • Travel related uses
    • Online banking
    • Email
  • Wireless scale: Internet scale x 100, Enterprise x 1,000

5
PKI Architecture
  • Requirements
    • Multi-functional
    • Extensible
    • Support mass-market network devices embedded in
      • mobile phones
      • pagers
      • PDAs
      • smart phones

6
Extensibility
  • Ratio of device size to certificate size
  • X.509 certificate format too complex
  • Elliptic curve keys in certificates
  • WTLS certificate format
  • Ability to support new certificate formats

7
Proven Scalable Solutions
  • 8 Million Certificates on a single server
  • Individual and batch certificate issuance and
    revocation
  • Remote publishing of user certificates
  • Locating and retrieving user certificates
  • Concurrent signing operations
  • Concurrent real time online certificate status
    checking

8
Xcert Sample Architecture
9
Trust Model with External CAs
10
WebSentry
11
Sentry Product Suite
  • Unique rapid deploy PKI platform for Internet and e-commerce applications that scales to a million users
  • Manages security for corporations that use the Internet to conduct business

12
Sentry Product Suite
  • Sentry CA - Issue & manage certificates
  • Sentry RA - Provide remote enrollment
  • WebSentry - PKI enable your servers
  • Xcert Development Kit - PKI enable your apps
  • Professional Services & Training - Achieving ROI
  • Support - Reliable customer service

13
Xcert PKI Overview
  • Internet based
  • Customizable
  • Simple
  • Scalable
  • Lightweight
  • Secure
  • Non-proprietary
  • Remote user enrollment
  • Minimizes enrollment bottlenecks
  • Industrial strength CA
  • Issues certificates
  • Manages certificates
  • Manages Access Control Lists
  • Supports PKI enabled applications
  • PKI enables the application service
  • User authorization
  • Non-repudiation of transactions (digital
    signatures)

14
Sentry CA Specifications
  • Platforms
    • NT, Solaris
  • Certificates & CRLs
    • X.509 v3 (all standard extensions)
  • Application Support
    • Web
    • Email
    • VPN
    • ERP
    • SSO
    • Document security
  • Directories
    • LDAP, X.500
  • Protocols
    • HTTP, SSL, LDAP, SMTP, PKCS
  • Crypto
    • DSA, RSA, ECC
  • Crypto Hardware
    • All PKCS #11
  • High Assurance
    • FIPS-140 level 3 hardware
    • Real time revocation

15
Sentry CA Architecture
  • Basic Components
    • Directory Server
    • Signing Engine
    • Administration Server
    • Enrollment Server
    • Logging Server

19
Sentry CA Architecture
  • Add-on Components
    • Publishing Backend
    • Alternate SQL data stores

20
Sentry CA Features
Certificate lifecycle management
  • Enrollment
  • Interfaces
  • Vetting
  • Notification
  • Examination
  • Auto vetting
  • Extensions
  • Profiles
  • Storage
  • Interfaces
  • Suspension & revocation
  • Status checking
  • Renewal

21
Sentry CA Features
CA lifecycle management
  • Creating CAs
  • Managing CAs
  • User maintenance
  • CA security practices
  • Exporting CAs
  • Importing CAs
  • Cloning
  • Subordination
  • CRLs
  • External CAs

22
External CAs
23
Sentry CA Features
  • System administration
  • Work benches
  • ACL management
  • Admin, vetters, end users
  • Logging
  • Backing up
  • Upgrading
  • Extending the back-end
  • Publishing
  • Data stores

24
Sentry RA
  • Industrial strength enrollment solution
  • Accepts certificate requests
  • Verifies credentials
  • Supports CA signing process
  • Revokes certificates
  • Streamlined configuration
  • auto notification
  • auto enrollment
  • auto renewal
  • application specific profiles
  • Distributed component / Stand-alone server
  • Offloads enrollment bottlenecks from CA
  • Flexible scalability

25
Sentry RA
26
WebSentry
  • High assurance PKI for web servers
  • Plugs into standard web servers
  • User authorization
  • Controls access to web pages
  • Queries Sentry CA
  • certificate status
  • ACL rules
  • Zero tolerance security

27
Wrap Up
  • Wireless devices are a large part of the future.
  • The best way to bring these devices into the
    network in a secure fashion is with
    certificates.
  • We expect to see significant PKI and WAP
    development over the next 18 months.