PKI for Corporate Security


Corporate security nowadays necessarily includes links with public networks (the Internet), the security of local networks and application security. In all of these cases information security means guaranteeing the authenticity, confidentiality, integrity and legal validity of messages while also ensuring the availability and legitimate use of resources. New concepts in the areas of encryption, digital signatures and single sign-on technologies using smartcards promise improved protection. In this context, the significance of PKI (public key infrastructure) technology for secure electronic (business) processes is indisputable.

A company's IT security infrastructure requirements are essentially determined by the applications to be supported, the relevant statutory regulations and the company's organizational form (structure, locations). The organization and operation of an IT security infrastructure accounts for the greater part of the associated costs. Before security products are procured, therefore, it is advisable to analyse the way in which they can be integrated into the existing organization and to examine any special requirements.

Products and services in the area of security infrastructures can be developed and maintained in-house, bought off the shelf or completely outsourced to a specialist provider. Outsourcing offers medium-sized businesses the possibility of gaining a crucial market advantage when constructing and implementing their security infrastructure, thanks to short implementation times and reduced costs. Of course, in this situation a company has to ask itself how much of its security it can actually outsource before it runs the risk of losing important business-related information and data.

The task of a security infrastructure
In essence, the PKI procedure involves allocating a unique pair of keys to a person or a physical component (e.g. a server). This pair of keys consists of a private key (PrK) and a corresponding public key (PuK).

The advantage of this method rests on the fact that the private key, which holds the secret of the encryption procedure, is accessible only to its owner (see Security Tokens) and that the allocation of the public key to the relevant owner (certification of the public key) is confirmed by a trusted third party (TTP).

There are therefore two main tasks for the security infrastructure (PKI/SCI):

1. Management of secret information (confidentiality):

A. Registration of users

B. Generation of key pairs (signature, encryption, authentication)

C. Secure (encrypted) backup of private keys

D. Recovery of private keys (signature, encryption, authentication) in accordance with internal security policy

E. Personalization and delivery of smartcards

F. User support

2. Management of certificates (confidence), i.e. certification and publication of valid public keys or certificate revocation lists:

A. Certification of the public key for each user

B. Publication of certificates

C. Publication of certificate revocation lists


The Registration Authority (RA) is responsible for producing the smartcards and sending them to the identified users. Within companies, the RA is generally operated by Human Resources.

The Card Information Server (CIS) generates the secret elements for each card and user and manages the secret information stored in encrypted form in the Key Repository.
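The "secure (encrypted) backup" and "recovery" tasks the CIS performs against the Key Repository can be shown concretely. The following is an added example written for this page; it is not iT_SEC's code and says nothing about how iT_SEC_sci stores records. It assumes a 32-byte repository key (KEK) that only the CIS holds, AES-256-GCM as the wrapping cipher, a PKCS#8-encoded EC private key as the secret element, and a constructed user ID "user-1234". The user ID is bound into the record as associated data, so a stored record cannot be re-labelled and recovered on behalf of a different user; the policy decision of who may invoke recovery sits in front of recoverPrivateKey and is not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
)

// backupPrivateKey encrypts a user's private key for storage in the Key
// Repository. kek is the repository key held by the CIS (assumed 32 bytes);
// userID is authenticated but not encrypted, so the record is tied to one user.
func backupPrivateKey(kek []byte, userID string, key *ecdsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Record layout (constructed for this example): nonce || ciphertext || GCM tag.
	return append(nonce, aead.Seal(nil, nonce, der, []byte(userID))...), nil
}

// recoverPrivateKey decrypts a repository record for the named user. A wrong
// KEK, a tampered record or a mismatched userID all fail the GCM tag check.
func recoverPrivateKey(kek []byte, userID string, record []byte) (*ecdsa.PrivateKey, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(record) < aead.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:aead.NonceSize()], record[aead.NonceSize():]
	der, err := aead.Open(nil, nonce, ct, []byte(userID))
	if err != nil {
		return nil, fmt.Errorf("recovery refused: %w", err)
	}
	k, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	ec, ok := k.(*ecdsa.PrivateKey)
	if !ok {
		return nil, errors.New("repository record does not hold an EC key")
	}
	return ec, nil
}

// escrowDemo runs a backup/recovery round trip and reports whether the recovered
// key equals the original and whether recovery under another user ID is refused.
func escrowDemo() (sameKey, crossUserRefused bool, err error) {
	kek := make([]byte, 32) // repository key, generated fresh for the demo
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return false, false, err
	}
	orig, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // user's encryption key
	if err != nil {
		return false, false, err
	}
	record, err := backupPrivateKey(kek, "user-1234", orig)
	if err != nil {
		return false, false, err
	}
	rec, err := recoverPrivateKey(kek, "user-1234", record)
	if err != nil {
		return false, false, err
	}
	_, otherErr := recoverPrivateKey(kek, "user-9999", record)
	return rec.Equal(orig), otherErr != nil, nil
}

func main() {
	same, refused, err := escrowDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered key matches:", same, "cross-user recovery refused:", refused)
}
```

The point of the associated data is the one the page makes under task D: recovery must follow policy, and the repository record itself should make mislabelled or swapped recovery fail rather than rely on the operator noticing.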

The Assistant (A) can be used to provide support for users who are experiencing problems using their smartcard (which may have been lost, mislaid, blocked etc.). This means that card usability is optimized.

The decentralized approach means that both the Registration Authority (RA) and the Assistant (A) can be operated from separate locations (Region/OU). Connections between the RA or A and the CIS are encrypted, and "strong" authentication is carried out on both sides each time a link is established.

The CIS operates as the RA vis-à-vis the Certification Authority (CA). This means that the SCI can be linked without difficulty to open CA systems via standard interfaces. The CA signs and publishes the certificates and certificate revocation lists on the Directory Server (DS).

This architecture allows a flexible, decentralized security infrastructure to be set up which can then be customized to meet the needs of large and medium-sized enterprises.
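The certificate management tasks listed above (certifying each user's public key, publishing certificates and publishing certificate revocation lists) and the relying party's side of them can be traced end to end in code. The following is an added example for this page using Go's standard crypto/x509 package; it is not code from iT_SEC or from any of the CA products mentioned. The CA name "Example Corp Root CA", the user name "alice.example", the serial numbers and the validity periods are all constructed. The user's key pair is generated locally here to stand in for generation on the card; only its public key is handed to the CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCA creates the trusted third party's self-signed root certificate,
// entitled to sign both certificates and CRLs.
func issueCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Root CA"}, // constructed
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// certifyUser binds a user's public key to the user's name under the CA's
// signature. Only the public key is passed in; the private key stays on the card.
func certifyUser(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, user string,
	serial int64, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// publishCRL signs a certificate revocation list naming the given certificates
// (what the CA would publish on the Directory Server).
func publishCRL(caKey *ecdsa.PrivateKey, caCert *x509.Certificate,
	revoked []*x509.Certificate) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// verifyUser is the relying party's check (e.g. an SSO server): the certificate
// must chain to the trusted root, and the root-signed CRL must not list it.
func verifyUser(root *x509.Certificate, crl *x509.RevocationList, cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate of %q is revoked", cert.Subject.CommonName)
		}
	}
	return nil
}

// scenario runs the life cycle and reports whether the user's certificate was
// accepted before and after the card was reported lost and its serial revoked.
func scenario() (validBefore, validAfter bool, err error) {
	caKey, caCert, err := issueCA()
	if err != nil { return false, false, err }
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for on-card generation
	if err != nil { return false, false, err }
	userCert, err := certifyUser(caKey, caCert, "alice.example", 2, &userKey.PublicKey)
	if err != nil { return false, false, err }
	emptyCRL, err := publishCRL(caKey, caCert, nil)
	if err != nil { return false, false, err }
	validBefore = verifyUser(caCert, emptyCRL, userCert) == nil
	crl, err := publishCRL(caKey, caCert, []*x509.Certificate{userCert}) // card lost: revoke
	if err != nil { return false, false, err }
	validAfter = verifyUser(caCert, crl, userCert) == nil
	return validBefore, validAfter, nil
}

func main() {
	before, after, err := scenario()
	if err != nil { panic(err) }
	fmt.Println("accepted before revocation:", before, "accepted after revocation:", after)
}
```

Note that verifyUser checks the CRL's own signature before trusting its contents: a revocation list fetched from the Directory Server is only as good as the CA signature on it, and a relying party that skips that step can be fed an empty list.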

iT_SEC_sci is a state-of-the-art smartcard management system which supports seamless integration into existing and future security infrastructures. iT_SEC_sci can manage up to three (authentication, encryption, signature) private keys per card as well as several cards per user, and offers interfaces to the leading CA products (Entrust, Microsoft etc.).

Outsourcing CA services
Setting up an online CA places extremely high security demands on the infrastructure and hence also on the knowledge and experience available within the company as well as its financial and human resources. Certificates can be obtained from public CAs relatively quickly, simply and at a price that can be calculated in advance. While public CAs offer the advantage that they are well known and enjoy broad acceptance, the company for its part must be prepared to do without a certification practice statement (CPS) of its own.

Most public Certification Authorities are heavily geared to the needs of e-commerce. The main features required in this context are strong authentication on both sides (client and server) and the assurance of data integrity and confidentiality during transmission. This means that no sensitive data is affected, even if a private key is lost.

At the same time, though, the loss of secret elements has an immediate impact on applications that are used throughout the company, such as single sign-on, secure e-mail and file/folder encryption. While the availability of the smartcard is the important factor for the individual user in the case of SSO, key recovery is the crucial factor for secure e-mail and file/folder encryption.

Public CAs generally restrict themselves to registering users, certifying public keys and publishing certificates and certificate revocation lists. The generation of key pairs is generally left to the user.

The presented PKI/SCI concept makes it possible for medium-sized companies to use public certificates without having to make compromises on the security front.

The Zurich-based company iT_SEC iT_Security AG is the leading pioneer in smartcard management and single sign-on solutions.

Single Sign on
Having lots of different login procedures makes life difficult for employees. They end up choosing simple passwords or writing them down on pieces of paper, and still manage to forget them on a regular basis. In this context, the idea of a single sign-on is becoming increasingly important: users authenticate themselves by means of a single login process and thus gain access to all the systems for which they are authorized. New identification procedures are making a crucial contribution to data security in this area.

Smartcards allow companies to implement single sign-on rapidly and comprehensively in that they simultaneously support traditional and certificate-based identification procedures. Existing procedures can be enhanced while new mechanisms are being introduced. In addition, it is possible to migrate from weak to strong authentication at any time in a way which is transparent for users.

iT_SEC_signon is a smartcard-based single sign-on solution. The distribution and management of the smartcards is handled by the Smart Card Infrastructure (SCI) which is linked to a Public Key Infrastructure (PKI). The SCI guarantees the protection of secret elements during generation, distribution and maintenance. It also allows help to be provided rapidly if problems arise with smartcards during day-to-day use. Meanwhile, employee authentication is guaranteed by the PKI.

Security Tokens
A security token is a piece of hardware which contains at least the user's private key and the trusted third party's root certificate. Security is based on the same features that protect credit cards, namely knowledge (of a PIN and/or password) and ownership (of the token).

The cheapest version is the floppy disk (known as a "soft token"). The disadvantages of using floppies are clear: they can be copied without anyone knowing. Passwords, on the other hand, provide a certain degree of protection, but they cannot withstand "brute force" attacks.

Smartcards with built-in cryptoprocessors currently offer the best protection. Unlike soft tokens, smartcards cannot be copied. They use their built-in chip to carry out all the necessary encryption/decryption operations on the user's behalf, so the private key never leaves the card. Personal secret elements like passwords, keys and certificates are therefore protected against theft and manipulation. If an incorrect PIN is entered several times the smartcard is blocked, preventing the possibility of brute force attacks.


iT_SEC iT_Security AG