PKI for Corporate Security
Corporate security nowadays necessarily includes links with public networks (the Internet), the security of local networks and application security. In all of these cases information security means guaranteeing the authenticity, confidentiality, integrity and legal validity of messages while also ensuring the availability and legitimate use of resources. New concepts in the areas of encryption, digital signatures and single sign-on technologies using smartcards promise improved protection. In this context, the significance of PKI (public key infrastructure) technology for secure electronic (business) processes is indisputable.
Products and services in the area of security infrastructures can be developed and maintained in-house, bought off the shelf or completely outsourced to a specialist provider. Outsourcing offers medium-sized businesses the possibility of gaining a crucial market advantage when constructing and implementing their security infrastructure thanks to short implementation times and reduced costs. Of course, in this situation a company has to ask itself how much security it can actually outsource before it runs the risk of losing important business-related information and data.
The task of a security
The advantage of this method rests on the fact that the private key, which holds the secret of the encryption procedure, is accessible only to its owner (see Security Token) and that the allocation of the public key to the relevant owner (certification of the public key) is confirmed by a trusted third party (TTP).
There are therefore two main tasks for the security infrastructure (PKI/SCI):
Management of secret information (confidentiality)
A. Registration of users
B. Generation of key pairs (signature, encryption, authentication)
C. Secure (encrypted) backup of private keys
D. Recovery of private keys (signature, encryption, authentication) in accordance with internal security policy
E. Personalization and delivery of smartcards
F. User support
Management of certificates (confidence): certification and publication of valid public keys or certificate revocation lists
A. Certification of the public key for each user
B. Publication of certificates
C. Publication of certificate revocation lists
The Registration Authority (RA) is responsible for producing the smartcards and sending them to the identified users. Within companies, the RA is generally operated by Human Resources.
The Card Information Server (CIS) generates the secret elements for each card and user and manages the secret information stored in encrypted form in the Key Repository.
The Assistant (A) can be used to provide support for users who are experiencing problems using their smartcard (which may have been lost, mislaid, blocked etc.). This means that card usability is optimized.
The decentralized approach means that both the Registration Authority (RA) and the Assistant (A) can be operated from separate locations (Region/OU). Connections between the RA or A and the CIS are encrypted, and "strong" authentication is carried out on both sides each time a link is established.
The CIS operates as the RA vis-à-vis the Certification Authority (CA). This means that the SCI can be linked without difficulty to open CA systems via standard interfaces. The CA signs and publishes the certificates and certificate revocation lists on the Directory Server (DS).
This architecture allows a flexible, decentralized security infrastructure to be set up which can then be customized to meet the needs of large and medium-sized enterprises.
iT_SEC_sci is a state-of-the-art smartcard management system which supports seamless integration into existing and future security infrastructures. iT_SEC_sci can manage up to three (authentication, encryption, signature) private keys per card as well as several cards per user, and offers interfaces to the leading CA products (Entrust, Microsoft etc.).
Outsourcing CA services
Most public Certification Authorities are heavily geared to the needs of e-commerce. The main features required in this context are strong authentication on both sides (client and server) and the assurance of data integrity and confidentiality during transmission. This means that no sensitive data is affected, even if a private key is lost.
At the same time, though, the loss of secret elements has an immediate impact on applications that are used throughout the company, such as single sign-on, secure e-mail and file/folder encryption. While the availability of the smartcard is the important factor for the individual user in the case of SSO, key recovery is the crucial factor for secure e-mail and file/folder encryption.
Public CAs generally restrict themselves to registering users, certifying public keys and publishing certificates and certificate revocation lists. The generation of key pairs is generally left to the user.
The presented PKI/SCI concept makes it possible for medium-sized companies to use public certificates without having to make compromises on the security front.
The Zurich-based company iT_SEC iT_Security AG is the leading pioneer in smartcard management and single sign-on solutions.
Single Sign-On
Smartcards allow companies to implement single sign-on rapidly and comprehensively in that they simultaneously support traditional and certificate-based identification procedures. Existing procedures can be enhanced while new mechanisms are being introduced. In addition, it is possible to migrate from weak to strong authentication at any time in a way which is transparent for users.
iT_SEC_signon is a smartcard-based single sign-on solution. The distribution and management of the smartcards is handled by the Smart Card Infrastructure (SCI) which is linked to a Public Key Infrastructure (PKI). The SCI guarantees the protection of secret elements during generation, distribution and maintenance. It also allows help to be provided rapidly if problems arise with smartcards during day-to-day use. Meanwhile, employee authentication is guaranteed by the PKI.
The cheapest version is the floppy disk (known as a "soft token"). The disadvantages of using floppies are clear: they can be copied without anyone knowing. Passwords, on the other hand, provide a certain degree of protection, but they cannot withstand "brute force" attacks.
Smartcards with built-in cryptoprocessors currently offer the best protection. Unlike soft tokens, smartcards cannot be copied. They use their built-in chip to carry out all the necessary encryption/decryption operations on the user's behalf. Personal secret elements like passwords, keys and certificates are therefore protected against theft and manipulation. If an incorrect PIN is entered several times, the smartcard is blocked, which prevents brute force attacks.
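The PIN blocking described above, as an added example that is not iT_SEC code: a toy Python model of a token that keeps its key on the card and refuses even the correct PIN once the retry counter is spent. The limit of three tries, the unblock code and the HMAC stand-in for the card's private-key operation are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class CardBlocked(Exception):
    """Raised when the PIN retry counter is exhausted."""


class SmartCardModel:
    """Toy model of a PIN-protected token; not real card firmware."""

    MAX_TRIES = 3  # assumed limit; the page only says "several times"

    def __init__(self, pin: str, unblock_code: str):
        self._key = secrets.token_bytes(32)  # created on the card, never returned
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._unblock_hash = hashlib.sha256(unblock_code.encode()).digest()
        self.tries_left = self.MAX_TRIES
        self._verified = False

    def verify_pin(self, pin: str) -> bool:
        if self.tries_left == 0:
            raise CardBlocked("PIN blocked")
        # Spend a try before comparing, so interrupting the check cannot
        # yield a free guess; the counter is restored only on success.
        self.tries_left -= 1
        candidate = hashlib.sha256(pin.encode()).digest()
        self._verified = hmac.compare_digest(candidate, self._pin_hash)
        if self._verified:
            self.tries_left = self.MAX_TRIES
        return self._verified

    def sign(self, message: bytes) -> bytes:
        # HMAC stands in for the private-key operation done on the chip.
        if not self._verified:
            raise PermissionError("PIN not verified")
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def unblock(self, unblock_code: str, new_pin: str) -> bool:
        # Hypothetical help-desk path; a real card rate-limits this code too.
        candidate = hashlib.sha256(unblock_code.encode()).digest()
        if not hmac.compare_digest(candidate, self._unblock_hash):
            return False
        self._pin_hash = hashlib.sha256(new_pin.encode()).digest()
        self.tries_left = self.MAX_TRIES
        return True
```

With a four-digit PIN and three tries, guessing against the card succeeds with probability at most 3/10000 before it locks, whereas a copied soft token can be tested against every candidate password offline.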
iT_SEC iT_Security AG