SPOCK DEMONSTRATION OF ENTRUST PKI
NSA - NAVY - ARMY - AIR FORCE - IRS - SPOCK
MAJ Michael W. Davis, 410-859-6318 [email protected]
SPOCK Demonstration of Entrust PKI, 13 August 1998
AGENDA
- What's the SPOCK Program
- Past Accomplishments
- Who's in SPOCK
- What does the SPOCK team do
- Demonstration Process
- SPOCK PKI Architecture
- PKI Claims and Results
- Lessons Learned
- Return on Investment
- Summary
WHAT'S SPOCK?
"A Consortium of Product Developers and Government System Integrators interested in exploring commercial INFOSEC solutions and Enabling Technologies"
PAST ACCOMPLISHMENTS 1995-1998
- 32 Consortium Meetings - Over 1500 Attendees
- 96 Emerging Topic Areas Briefed
- 8 Diverse Solutions Demonstrated
- Established Zones of Cooperation
- Over 40 Government System Integration Communities
- Over 100 Solution Developers
- Input for the President's Quality Award
- Nominated for SECDEF's Team Excellence Award
WHO'S IN SPOCK
- Army - BCBL-G, LIWA, DISC4
- Navy - SPAWAR, NAVSEA, NIA, FIWC, NIWA, NRL
- Air Force - AFIWC, 609 IWS, AFOSI, CPSG
- Joint - J6, DISA
- Non DoD - NASA, DoJ
- NSA - V, Y, X, C
WHAT DOES THE SPOCK TEAM DO?
- Attend monthly briefings on Warfighter Architectures and Solutions
- Demonstrate Security Claims in Warfighter Architectures
- Write SPOCK Demonstration Reports
- Develop Draft Security Targets and Protection Profiles
DEMONSTRATION PROCESS
1. Solution/Developer Identified.
2. Developer briefs the Solution during meeting.
3. Developer presents Security Claims, Architecture, and Equipment Requirements.
4. SPOCK prepares Scripts to demonstrate Claims.
5. SPOCK demonstrates Security Claims in Government Architectures.
6. SPOCK writes the Demonstration Report, signed by Chief, NSA V2.
ENTRUST CA ARCHITECTURE (diagram)
Components shown: Certificate Authority (Entrust/Authority, Entrust/Admin), Directory, Users, Other CAs
SPOCK PKI COMPONENTS (diagram)
- CA: Entrust/Manager & Entrust/Admin
- Directory: ICL i500, X.500 Directory
- Users: Entrust/Clients
SPOCK PKI DIRECTORY SCHEMA
- Each Site Contains ICL's i500, X.500 Directory
- Each Site Contains 3,000 User Entries
- Each Site "chained" to all of the others to browse and retrieve certificates

Directory tree (reconstructed from the slide diagram):
c=US
  o=US Gov
    ou=Army       cn=user1, cn=user2, cn=user3, cn=user4
    ou=Navy       cn=user1, cn=user2, cn=user3, cn=user4
    ou=Air Force  cn=user1, cn=user2, cn=user3, cn=user4
    ou=NSA        cn=user1, cn=user2, cn=user3, cn=user4
  o=IITRI
    ou=ITRLab     cn=user1, cn=user2, cn=user3, cn=user4, cn=webserver

KEY: c = country, o = organization, ou = organizational unit, cn = common name
SPOCK PKI ARCHITECTURE (diagram)
Cross-certified Entrust CAs (CA1 through CA5), each site with a CA, an X.500 Directory and Users:
- CA1: NSA DECIN Lab - Linthicum, MD
- Army - DISC4; J.G. Van Dyke - Alexandria, VA
- Air Force CPSG - San Antonio, TX
- Navy - NIWA
- IRS
- IITRI - Lanham, MD
- COACT - Columbia, MD
Legend: Certificate Authority (Entrust/Manager); X.500 Directory (Entrust/Directory); LDAP Connectivity
DECIN LAB ARCHITECTURE (diagram only; no text on slide)
ENTRUST PKI CLAIMS
1.1 Key Management Transparency
1.2 Secure Key Recovery
1.3 Auto Key Update
1.4 Client Key Initialization
1.5 Certificate Revocation
1.6 Support Cross-certification
1.7 Entrust Scalability
1.8 Hardware Tokens Option
1.9 Support Multiple Algorithms
1.10 Support Multiple Applications
KEY MANAGEMENT TRANSPARENCY
Claim: Users should be able to use the security product without understanding cryptography or key management.
Method: E-Mail - Signed and Encrypted (Entrust/Express); Desktop File Encryption (Entrust/ICE).
Result:
1. Claim verified. The management of keys is transparent to users.
2. Searching the Directory is NOT transparent.
SECURE BACKUP & KEY RECOVERY
Claim: Entrust provides the ability to recover keys in cases where a valid user has forgotten their password or an employee has left the company.
Method: There are three general cases for "key recovery". Send Authentication Code and Reference Number "out of band" to the authorized individual.
Result:
1. Claim verified. Recovered files and email.
2. Entrust Key Recovery solution is best suited for an authorized user that has forgotten their password.
AUTOMATIC KEY UPDATE
Claim: Certificates are updated without user involvement.
Method: Set Encryption and Verification period to 2 months. Set Signing Private to 10 percent.
Result:
1. Claim verified. User informed by message box.
2. If renewal period is missed, key recovery is required.
CLIENT KEY INITIALIZATION
Claim: Clients are initialized using a secure "pipe". Clients can be set up remotely over a network.
Method: Run installation program over the network. Requires: Authentication Code, Reference Number and access to install program and entrust.ini file.
Result: SEP was not verified. Claim verified. Remote install in 20 minutes.
CERTIFICATE REVOCATION
Claim: Entrust provides the ability to revoke certificates.
Method: Revoke user. Attempt to send and receive email. Attempt to access web server. Attempt to use ICE.
Result:
1. Claim verified after modifications.
2. Express does not verify certificate prior to sending.
SUPPORT CROSS-CERTIFICATION
Claim: Certificate Authorities are able to cross-certify.
Method: Establish Search base by "chaining" directories. Use Entrust Managers to Cross Certify. Send encrypted mail/files to another domain.
Result:
1. Claim verified.
2. Problems searching the Directory.
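As an added example (not from the SPOCK report or from Entrust), the revocation and cross-certification findings above can be combined into one pre-send check: before a client encrypts to a user in another domain, build the certification path through the cross-certified CAs and refuse any link that is on a CRL, which is the verification the demonstration found Entrust/Express did not perform before sending. The CA names, serial numbers and the user DN below are constructed values.

```python
"""Certification-path building over cross-certified CAs with revocation checks.

Models a topology like the SPOCK one (several Entrust CAs that cross-certify
one another) as a directed graph of certificates.  Constructed example; CA
names, serials and the user DN are assumptions, not demonstration values.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str   # key holder: a user, or a CA named in a cross-certificate
    issuer: str    # CA that signed this certificate
    serial: int    # unique per issuer; (issuer, serial) is what a CRL lists


@dataclass
class Pki:
    certs: list
    revoked: set = field(default_factory=set)   # {(issuer, serial), ...}

    def revoke(self, cert):
        self.revoked.add((cert.issuer, cert.serial))

    def is_revoked(self, cert):
        return (cert.issuer, cert.serial) in self.revoked

    def build_path(self, leaf, anchor):
        """Breadth-first search from a user certificate toward the CA the
        relying party trusts.  Each hop follows a certificate issued *to* the
        current issuer (a cross-certificate).  Revoked links are never used,
        so a revoked user cert or cross-cert gives None instead of a chain the
        recipient could not validate.  Returns the shortest unrevoked path."""
        if self.is_revoked(leaf):
            return None
        queue, seen = deque([[leaf]]), {(leaf.issuer, leaf.serial)}
        while queue:
            path = queue.popleft()
            if path[-1].issuer == anchor:
                return path
            for c in self.certs:
                key = (c.issuer, c.serial)
                if c.subject == path[-1].issuer and key not in seen and not self.is_revoked(c):
                    seen.add(key)
                    queue.append(path + [c])
        return None


# Constructed sample: five cross-certified CAs and one Navy user certified by CA3
CROSS_CERTS = [Cert("CA3", "CA1", 301), Cert("CA2", "CA1", 201), Cert("CA3", "CA2", 302),
               Cert("CA4", "CA3", 403), Cert("CA5", "CA4", 504)]
USER = Cert("cn=user1,ou=Navy,o=US Gov,c=US", "CA3", 7)
```

Revoking the direct CA1-to-CA3 cross-certificate makes the search fall back to the longer CA1-CA2-CA3 route, while revoking the user certificate itself leaves no path at all.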
SCALABILITY
Claim: Quickly add 3,000 users within each domain.
Method: "Bulk Load" using a disk loaded with 3,000 names and serial numbers. Real users were loaded individually.
Result: Claim verified.
HARDWARE TOKENS / BIOMETRICS
Claim: Support Tokens for storing profiles and Biometrics for authentication of users.
Method: Use Datakey smart card to store user's profile. Use Biometrics device instead of a password to authenticate users.
Result: Hardware Token claim verified. Biometrics device vendor could not provide correct drivers.
MULTIPLE ALGORITHMS
Claim: Entrust supports multiple algorithms for hashing, encryption and digital signature.
Method: Use Entrust Manager to select hashing and digital signature algorithms. Use Entrust Client and Applications to select different encryption algorithms. Send email and files to other users.
Result:
1. Claim verified within the abilities of the SPOCK Team.
SINGLE PASSWORD, MANY APPLICATIONS
Claim: Entrust uses the single password for a user's certificate to log on to secure applications.
Method: Start Client, enter password. Start ICE, enter same password. Start Express, enter same password. Start Entrust-Ready Netscape, enter same password.
Result: Claim verified. Automatic logoff time is set for each application.
LESSONS LEARNED
- The significance of the X.500 Directory.
- "Open" Security Policy.
- Key Recovery.
- Significant Firewall configuration issues.
RETURN ON INVESTMENT
SYSTEM INTEGRATOR
- Quick look at emerging technology
- Solution strengths and weaknesses are demonstrated in THEIR warfighter configurations
GOVERNMENT
- Learn about and influence emerging solutions
- Insight into future architectures (requirements)
INDUSTRY
- Better understands Warfighter's needs
- Rapid exposure of solution in Warfighter Architecture
SUMMARY
- SPOCK focuses on commercial INFOSEC solutions and emerging technologies
- SPOCK demonstrates security in legacy and contemporary architectures
- SPOCK "teams" to demonstrate security in operational architectures
- SPOCK supports development of Protection Profiles and Security Targets
QUESTIONS & COMMENTS
SPOCK CONTACTS
- SPOCK Chairman: Louis Giles, Chief V2, (410) 859-6281, [email protected], FAX: (410) 859-6897
- SPOCK Program Manager: Terry Losonsky, (410) 859-6318, [email protected], FAX: (410) 859-6897
- SPOCK Deputy Program Manager: MAJ Michael Davis, (410) 859-6318, [email protected]
- SPOCK Contract Support: Larry McGinness, (301) 498-0150, [email protected], FAX: (301) 498-0855
Web: http://spock.v.nsa:12080/ and www.coact.com/spock.html
SECURE E-MAIL (diagram)
Each site: Mail Server, CA, Directory, and OS Client running E-mail with Entrust; sites connected over the Internet to Remote Sites.
Client functions shown: Encrypt/Decrypt, Sign/Verify Signature.
SECURE WEB BROWSER (diagram)
Each site: Web Server (with Entrust), CA, Directory, and OS Client running Browser with Entrust; sites connected over the Internet to Remote Sites.
Client functions shown: Encrypt/Decrypt, Sign/Verify Signature.