
Page 1: Accelerate Development of your Secure e-Business Solutions

Copyright 1998 IBM Corporation. All rights reserved.

IBM KeyWorks

Accelerate Development of your Secure e-Business Solutions

Sekar Chandersekaran, IBM
[email protected]

Page 2: IBM KeyWorks

- Market Needs
- History
- KeyWorks Suite Components
- KeyWorks Functionality
- KeyWorks And Key Recovery
- KeyWorks Platform Coverage
- KeyWorks Futures

Page 3: Market Needs

- Provide developers with a rich set of PKI services to build e-Business applications or middleware components for a variety of industries
  - Examples: finance, health, and insurance industries
- Insulate developers from implementation details of PKI services
  - Cryptographic services (variety of algorithms, hardware or software implementations)
  - Certificate management services (validation, parsing, etc.)

Page 4: Market Needs (continued)

- Promote ubiquity of the infrastructure
  - Availability on a large number of OS platforms
- Enable use of strong crypto in distributed applications operating across multiple jurisdictions

Page 5: History

- 4Q96: Evaluated a variety of framework options and selected Intel CDSA 1.0 as the desired specification
- 1997: Worked closely with Intel and others to address IBM requirements and standardization
  - Key Recovery, Scalability, e-Commerce Function, Portability
- 3Q97: Delivered IBM KeyWorks Release 1.0
- 1Q98: Delivered IBM KeyWorks Release 1.1

Page 6: What is KeyWorks?

- Product Suite
  - KeyWorks Toolkit (Framework and Add-Ins)
  - Key Recovery Service Provider
  - Key Recovery Server
- KMI Approval For Export since Sep 1997
  - Application Review Minimized Significantly

Page 7: KeyWorks Toolkit Components

[Architecture diagram; labels recovered from the figure, top layer first]

- Application Domains: E-COMMERCE, GLOBAL SIGNON, REGISTRY, DOMINO, VPN, FIREWALL
- Framework-Enabled Protocol Handlers: SSL, IPSEC, SEC DNS, S-MIME, DCE RPC, IIOP, MQ
- CSSM Security API (CSSM API)
- CSSM Module Managers: KRMM MODULE MGR. (KMI), CRYPTO MODULE MGR. (SPI), TRUST MODULE MGR. (TPI), CERT. MODULE MGR. (CLI), DATALIB MODULE MGR. (DLI)
- REG. / MGMT SERVICES, INTEGRITY SERVICES, JURISDICTION POLICY TABLE
- Add-In Modules: IBM KRSP; crypto providers PKCS, BSAFE, CCA 4758; trust and certificate providers X.509, IBM Registry, DSA, ENTRUST, Verisign, Validation; Cert Store (store / retrieve in FILE, H/W, Directory)
- KRA CONFIG. FILE: ANCHOR, KRA CERTS.

Notes on the diagram:

- Toolkit contents in RED
- Based on CDSA V 1.2 +
- Additional SPs for IBM VAULT REGISTRY, OTHERS
- NO CRL GENERATION

Page 8: Trust Issues

- Need for Trust - FWK and SPs need to be trusted since they:
  - handle critical information (e.g. cryptographic keys)
  - make policy and access control decisions
  - establish trust in public key certificates
  - generate and process key recovery fields
- Trust Perimeter - FWK and SPs are within a perimeter of trust
  - This trust is established through a chain of trust. (Protocol Handlers will be within the trust perimeter in a future release.)
- Chain of Trust - The chain of trust is established as follows:
  - FWK verifies self-integrity
  - FWK verifies SP
  - SP verifies self-integrity
  - SP verifies FWK

Page 9: KeyWorks Bilateral Authentication

Integrity Steps in FWK
1. self-check
2. checks SP on disk
3. loads SP
4. initiates SP Integrity Checks

Integrity Steps in SP
1. self-check
2. checks FWK
3. passes up SP call table to FWK

[Diagram: FWK attached to SP1 and SP2]

Page 10: KeyWorks 1.1 + FEATURES

- APPLICATION PRIVILEGES SUPPORTED
- TRACE AND DEBUG CAPABILITIES
- PORTABILITY (LANGUAGE, ISOLATION)
- CONTEXT MANAGEMENT SERVICES
- MULTI THREADING
- PORTABLE KEY SUPPORT
- APPLICATION SPECIFIC SERVICES
- PERFORMANCE AND ROBUSTNESS
- KEY RECOVERY BLOCK (KRA COMPLIANT)
- KEY REC SERVER ADDITIONS

Page 11: Key Recovery Service Provider

- Builds key recovery blocks to enable recovery of encryption keys
  - Implements IBM SKR algorithm
- Variable number of Key Recovery Agents
- Allows Customers to select their own PKI and
- No single point of security compromise
- Can use any approved CA for agent certificates
- Plugs into KeyWorks Toolkit
- KR modifications to each CSP no longer needed

Page 12: Recovering a Key

[Diagram; labels recovered from the figure]

- Input: Authentication Info, Key Recovery Block
- Output: Decryption Key
- Roles: Key Recovery Officer, Key Recovery Coordinator, Key Recovery Agent 1, Key Recovery Agent 2, ..., Key Recovery Agent N

Page 13: OVERVIEW OF FRAMEWORKS & KEY RECOVERY

[Packaging and deployment diagram; labels recovered from the figure]

- PACK 1: FWK (CONFIG. ENTERPRISE FWK PACK 1)
- PACK 2: KRSP with CONFIG. FILES; produces ENC. DATA, KEY REC BLOCK
- PACK 3: 4758
- KEY REC SERVER
  - KEY REC COORD.
  - KEY REC AGENT: KG INFO FROM KRB, RETURN KK INFO; holds KRA CERT AND PRIVATE KEY
  - KEY REC OFFICER: RECEIVE ENC. KEY, PROVIDE KRB, AUTH. INFO; CONFIG. LAW ENF AUTH CREDS
- CERTIFICATE ISSUERS: ANCHOR CERT, KRA CERT
  - CERTIFICATES PUT IN CONFIG FILE BY IBM
  - CERTIFICATES ISSUED
  - CERTIFICATES / PRIV. KEYS DIST. TO KRAs

Page 14: Key Recovery Server

- Recovers keys from blocks generated by Key Recovery Service Provider
- Stand-alone application with multiple roles
  - Key Recovery Officer, Key Recovery Coordinator, Key Recovery Agents
- Key recovery service may be offered by
  - Enterprise for in-house use
  - Independent service companies
- Available on NT since October 1997

Page 15: IBM CommercePOINT Payment Exploitation

[Architecture diagram; labels recovered from the figure]

- Exploiters: CommercePOINT Payment eTill, CommercePOINT Payment Gateway, IBM Registry for SET, OTHERS
- APPROPRIATE MIDDLEWARE
- CSSM Security API (CSSM API)
- CSSM Module Managers: KRMM MODULE MGR. (KMI), CRYPTO MODULE MGR. (SPI), TRUST MODULE MGR. (TPI), CERT. MODULE MGR. (CLI), DATALIB MODULE MGR. (DLI)
- REG. / MGMT SERVICES, INTEGRITY SERVICES, JURISDICTION POLICY TABLE
- Add-In Modules: KRSP; PKCS, BSAFE, 4758 HARDWARE; Cert Store (store / retrieve in FILE, HARDWARE, Directory)
- KRA CONFIG. FILE: ANCHOR, KRA CERTS.

Page 16: Certificate Authority Suite - Building Blocks

[Layered diagram; labels recovered from the figure, top layer first]

- Applications: Collaboration Applications, Trusted eBusiness Applications, Web Server Applications, System Management Applications
- Administrative User Interfaces: Notes, Vault Registry, Domino GO, Other
- Certificate Authorities and their policies: Notes CA (Notes Specific Policies), Vault Registry CA (Vault Registry Specific Policies), Domino GO CA (Domino GO Specific Policies), Other CA (OTHER CA Specific Policies)
- Middleware
- Common Infrastructure / Common Security Framework (IBM PKI): Entrust Trust Policy, SET Trust Policy, Verisign Trust Policy, Notes Certificate Manager, BSAFE Certificate Manager, Notes Data Library Srvcs., CMS/CRT Data Library, GENERAL LDAP DL, BSAFE Cryptographic Services, PKCS11 Cryptographic Services, TIS Key Recovery, IBM Key Recovery

Differentiation is based on the product's purpose and applications - not the CA

Page 17: KEYWORKS FUTURES

- TOG VERSION 2.0 FULL COMPLIANCE
- FULL NLS SUPPORT
- FULL PKI SUPPORT (CERT. GENERATION AND CERT. LIFECYCLE SUPPORT)
- ADDITIONAL SUPPORT FOR KEY LIFECYCLE MANAGEMENT
- EXPLOITATION OF W BY NEW APPS
- IBM REGISTRY, NOTES, IPSEC, SSL ..
  - E-COMMERCE APPS (PAYMENT etc.)
  - JAVA CSSM SUPPORT
- SPECIAL PROJECTS

Page 18: KeyWorks Data Library Functions

- Provides persistent storage for certificates and CRLs (custom hardware devices, PKCS 11)
- LDAP V3 in 4Q 98
- IBM 4758 and Other Devices
- IBM Smart Card and Other Vendors also via Browsers

Page 19: Encryption with Key Recovery

[Sequence diagram: side A and side B each have a Communication Protocol layer, a KM Framework and a Cryptographic Framework; the Intercept Point sits on the channel between them, which carries the rec. fields and enc(message). Steps recovered from the figure:]

Side A
1. Create Symmetric Context
2. context handle HA1
3. Generate Recovery Fields
4. handle HA2, rec. fields
5. EncryptData (HA2, message)

Side B
6. Create Symmetric Context
7. context handle HB1
8. Recovery Fields (HB1, rec. fields)
9. handle HB2
10. DecryptData (HA2, enc(message))
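The flow above and the Key Recovery Block built by the Key Recovery Service Provider (pages 11 to 13) can be modelled end to end. The following is an added example, not IBM code: the slides name IBM's SKR algorithm but do not describe it, so the KRB here is an assumed construction in which the session key is split into N random shares that XOR back to the key, one share is wrapped to each Key Recovery Agent, and the Key Recovery Coordinator recombines the shares after every agent has checked the officer's authentication info. Wrapping to a KRA certificate and the data encryption itself are both stand-ins built from an HMAC-SHA256 keystream under constructed secrets; all names (`KeyRecoveryAgent`, `generate_recovery_fields`, `coordinator_recover`, `officer_auth_info`) are invented for the demo.

```python
"""Encrypt-with-recovery flow and Key Recovery Block (KRB) model.  Assumptions:
the KRB splits the session key into N random shares that XOR back to the key,
wraps one share to each Key Recovery Agent, and the Key Recovery Coordinator
recombines what the agents return.  Wrapping to a KRA certificate and the data
encryption itself are both replaced by an HMAC-SHA256 keystream under constructed
secrets; none of this is the IBM SKR algorithm, which the slides do not describe."""
import hashlib
import hmac
import os

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_xor(secret: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for a real cipher)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(secret, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return xor_bytes(data, stream)

class KeyRecoveryAgent:
    """Holds the KRA private key (a constructed secret) and releases its share only
    for authentication info approved by the Key Recovery Officer."""
    def __init__(self, agent_id: int, officer_secret: bytes):
        self.agent_id = agent_id
        self.private = os.urandom(32)          # stand-in for the KRA cert / private key
        self.officer_secret = officer_secret   # lets the agent check officer approval

    def wrap(self, nonce: bytes, share: bytes) -> bytes:
        return keystream_xor(self.private, nonce, share)

    def recover_share(self, krb: dict, auth_info: bytes) -> bytes:
        # Authentication info is modelled as an officer HMAC over the KRB nonce.
        expected = hmac.new(self.officer_secret, krb["nonce"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, auth_info):
            raise PermissionError("agent %d rejected the authentication info" % self.agent_id)
        return keystream_xor(self.private, krb["nonce"], krb["shares"][self.agent_id])

def officer_auth_info(officer_secret: bytes, krb: dict) -> bytes:
    return hmac.new(officer_secret, krb["nonce"], hashlib.sha256).digest()

def generate_recovery_fields(key: bytes, agents: list) -> dict:
    """Step 3: build the KRB.  All N shares are needed, so one agent (or one
    compromised KRA key) learns nothing about the session key on its own."""
    nonce = os.urandom(16)
    shares = [os.urandom(len(key)) for _ in agents[:-1]]
    last = key
    for s in shares:
        last = xor_bytes(last, s)
    shares.append(last)
    return {"nonce": nonce, "shares": [ag.wrap(nonce, s) for ag, s in zip(agents, shares)]}

def side_a_encrypt(key: bytes, message: bytes, agents: list) -> tuple:
    """Steps 1-5 on side A: symmetric context (key), recovery fields, EncryptData."""
    rec_fields = generate_recovery_fields(key, agents)
    return rec_fields, keystream_xor(key, rec_fields["nonce"], message)

def side_b_decrypt(key: bytes, rec_fields: dict, ciphertext: bytes) -> bytes:
    """Steps 6-10 on side B: B already holds the key; the recovery fields travel
    with the ciphertext so an intercept point can later recover that key."""
    return keystream_xor(key, rec_fields["nonce"], ciphertext)

def coordinator_recover(krb: dict, agents: list, auth_info: bytes) -> bytes:
    """Key Recovery Coordinator: collect one share from every agent and recombine."""
    key = None
    for agent in agents:
        share = agent.recover_share(krb, auth_info)
        key = share if key is None else xor_bytes(key, share)
    return key

def demo(n_agents: int = 3) -> dict:
    officer_secret = os.urandom(32)
    agents = [KeyRecoveryAgent(i, officer_secret) for i in range(n_agents)]
    key, message = os.urandom(16), b"constructed sample message"
    rec_fields, enc = side_a_encrypt(key, message, agents)
    # Intercept point: rec. fields and enc(message) captured from the channel.
    auth = officer_auth_info(officer_secret, rec_fields)
    recovered = coordinator_recover(rec_fields, agents, auth)
    try:
        agents[0].recover_share(rec_fields, b"\x00" * 32)
        bad_auth_rejected = False
    except PermissionError:
        bad_auth_rejected = True
    return {
        "b_decrypts": side_b_decrypt(key, rec_fields, enc) == message,
        "recovered_key_matches": recovered == key,
        "intercept_decrypts": keystream_xor(recovered, rec_fields["nonce"], enc) == message,
        "single_share_is_key": agents[0].recover_share(rec_fields, auth) == key,
        "bad_auth_rejected": bad_auth_rejected,
    }
```

Running `demo()` shows the two properties the slides claim for the design: side B decrypts normally without touching the recovery fields, while the coordinator recovers the same key only with every agent's share and valid officer authentication; a single agent's share is not the key, which is what "no single point of security compromise" amounts to in this model.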

Page 20: KeyWorks Signed Manifests

Manifest File: CSP1.mf
  Name: CSP1.dll
  Section: CSP1
  SHA-1 Digest: [18 e3 …]
  (further entries: Name: / Section: / SHA-1 Hash:)

Signer's Info File: CSP1.sf
  Section: CSP1
  SHA-1 Digest: [2b a9 …]
  (further entries: Section: / SHA-1 Hash:)

Signature Block File: CSP1.dsa
  Hash value -> Encrypted Hash value (PKCS #7 Signature Block)

Page 21: FWK Chain of Trust (I) - Self-Integrity Verification by FWK

[Diagram; labels recovered from the figure]

- Application Layer code: LoadLibrary(CSSM), CSSM_Init( )
- FWK DLL checks its own Manifest of FWK, Signer's Info of FWK and Signature Block (signed with KprivIBMFWK)
- Verification runs in EISL against KpubIBMRoot

Page 22: FWK Chain of Trust (II) - Verification of Service Providers by FWK

[Diagram; labels recovered from the figure]

- Application Layer code: CSSM_ModuleAttach(CSPi)
- FWK DLL verifies the signature of CSPi: Manifest of CSPi, Signer's Info of CSPi, Signature Block (signed with KprivIBMCSP)
- Verification runs in EISL against KpubIBMRoot; the CSPi DLL is then loaded

Page 23: FWK Chain of Trust (IV) - Reverse Verification of FWK by Service Providers

[Diagram; labels recovered from the figure]

- CSPi DLL calls CSSM_AddInAuthenticate(CSSM_path) and verifies FWK integrity: Manifest of FWK, Signer's Info of FWK, Signature Block (signed with KprivIBMFWK)
- Verification runs in EISL against KpubIBMRoot
- CSPi DLL then calls CSSM_RegisterServices(CSPi_EntryTable) to hand its entry table to the FWK DLL

Page 24: FWK Noncircumventability

1. LoadLibrary("CSP DLL") - No exported interfaces
2. CSP verifies FWK
3. CSSM_RegisterServices ( ) - registration of CSP entry points

[Diagram: FWK DLL -> CSP DLL completes steps 1, 2, 3; Rogue Application -> CSP DLL gets no further than steps 1, 2]

- CSP DLL has no exported service entry points
- entry points are registered dynamically at "DLL Attach" time, after the attaching application has been authenticated
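The manifest layout of page 20, the chain of trust of pages 8, 9 and 21 to 23, and the noncircumventability argument above fit together in one model. The following is an added example, not IBM code: each package carries a manifest (SHA-1 digest per section), a signer's info file (SHA-1 digest of each manifest entry) and a signature block over the signer's info; the framework checks itself, checks the provider on disk, loads it, and the provider in turn checks itself and the loader before handing up its call table. The assumption is that the PKCS #7 signature verified against the embedded IBM root key is replaced by an HMAC-SHA1 tag under a constructed `ROOT_KEY`, so the demo runs offline; the class and function names (`ServiceProvider`, `Framework`, `build_signed_package`, `verify_package`) are invented for the demo and are not the CSSM API.

```python
"""Model of the KeyWorks signed-manifest layout and the bilateral FWK/SP check.
Each package carries a manifest (.mf: SHA-1 digest per section), a signer's info
file (.sf: SHA-1 digest of each manifest entry) and a signature block (.dsa).
Assumption: the PKCS #7 signature checked against the embedded IBM root key is
replaced by an HMAC-SHA1 tag under a constructed key so the demo runs offline."""
import hashlib
import hmac

ROOT_KEY = b"constructed stand-in for KpubIBMRoot"  # assumption, not a real key

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def sf_bytes(signer_info: dict) -> bytes:
    """Canonical bytes of the .sf entries; this is what the signature block covers."""
    return b"".join(sec.encode() + d for sec, d in sorted(signer_info.items()))

def build_signed_package(sections: dict) -> dict:
    """sections maps a section name (e.g. 'CSP1') to the bytes of that DLL."""
    manifest = {sec: sha1(code) for sec, code in sections.items()}              # .mf
    signer_info = {sec: sha1(sec.encode() + d) for sec, d in manifest.items()}  # .sf
    signature = hmac.new(ROOT_KEY, sf_bytes(signer_info), hashlib.sha1).digest()  # .dsa
    return {"mf": manifest, "sf": signer_info, "dsa": signature}

def verify_package(pkg: dict, sections: dict) -> bool:
    """Walk signature -> signer's info -> manifest -> code, as the EISL check does."""
    expected = hmac.new(ROOT_KEY, sf_bytes(pkg["sf"]), hashlib.sha1).digest()
    if not hmac.compare_digest(expected, pkg["dsa"]):
        return False
    if set(pkg["mf"]) != set(sections) or set(pkg["sf"]) != set(sections):
        return False
    for sec, code in sections.items():
        digest = sha1(code)
        if pkg["mf"][sec] != digest or pkg["sf"][sec] != sha1(sec.encode() + digest):
            return False
    return True

class ServiceProvider:
    """A CSP DLL: no exported service entry points; the call table goes to the
    loader only after the SP has checked itself and the loader's own package."""
    def __init__(self, name: str, code: bytes, pkg: dict):
        self.name, self.code, self.pkg = name, code, pkg
        # Placeholder services standing in for the real entry points.
        self._entry_table = {"EncryptData": lambda m: m[::-1], "DecryptData": lambda c: c[::-1]}

    def dll_attach(self, loader) -> bool:
        # SP integrity steps: 1. self-check, 2. check FWK, 3. pass the call table up.
        if not verify_package(self.pkg, {self.name: self.code}):
            return False
        if not verify_package(loader.pkg, {"CSSM": loader.code}):  # CSSM_AddInAuthenticate
            return False
        loader.register_services(self.name, dict(self._entry_table))  # CSSM_RegisterServices
        return True

class Framework:
    """The CSSM framework DLL (also used below to model an unauthenticated loader)."""
    def __init__(self, code: bytes, pkg: dict):
        self.code, self.pkg, self.services = code, pkg, {}

    def cssm_init(self) -> bool:
        return verify_package(self.pkg, {"CSSM": self.code})  # FWK step 1: self-check

    def module_attach(self, sp: ServiceProvider) -> bool:
        # FWK steps 2-4: check the SP on disk, load it, let it run its own checks.
        if not verify_package(sp.pkg, {sp.name: sp.code}):
            return False
        return sp.dll_attach(self) and sp.name in self.services

    def register_services(self, name: str, table: dict) -> None:
        self.services[name] = table

FWK_CODE = b"CSSM framework code (constructed)"
CSP1_CODE = b"CSP1 provider code (constructed)"

def demo_valid_attach() -> bool:
    fwk = Framework(FWK_CODE, build_signed_package({"CSSM": FWK_CODE}))
    sp = ServiceProvider("CSP1", CSP1_CODE, build_signed_package({"CSP1": CSP1_CODE}))
    return fwk.cssm_init() and fwk.module_attach(sp) and "EncryptData" in fwk.services["CSP1"]

def demo_tampered_sp() -> bool:
    """True when the framework refuses a provider whose code no longer matches its manifest."""
    fwk = Framework(FWK_CODE, build_signed_package({"CSSM": FWK_CODE}))
    sp = ServiceProvider("CSP1", CSP1_CODE + b" patched", build_signed_package({"CSP1": CSP1_CODE}))
    return not fwk.module_attach(sp) and "CSP1" not in fwk.services

def demo_rogue_loader() -> bool:
    """True when the provider withholds its entry table from a loader whose own
    code is not covered by a valid signed manifest (the rogue application case)."""
    rogue = Framework(b"rogue loader code (constructed)", build_signed_package({"CSSM": b"other"}))
    sp = ServiceProvider("CSP1", CSP1_CODE, build_signed_package({"CSP1": CSP1_CODE}))
    return not sp.dll_attach(rogue) and rogue.services == {}
```

The three demo functions correspond to the three situations the slides draw: a clean attach completes all of steps 1 to 3, a provider whose bytes differ from its manifest is rejected by the framework before it is loaded, and a loader that cannot pass the reverse check never receives the entry table, so there is nothing for it to call.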

Page 25: KEY RECOVERY DEPLOYMENT STEPS

- Obtain Approval to Export Developed Application
  - Export Approval From BXA (ONLY ONCE)
  - Description of Application
  - Description of CRYPTO and KRB Usage -- IS IT EXEMPT ETC.
  - DESCRIPTION OF MANUFACTURING JURISDICTION POLICY TABLE
  - APPROVED CA WITH ANCHOR CERTIFICATE AND APPROVED KEY RECOVERY AGENTS IN KR LE MAN TABLE
- OBTAIN IMPORT Approval for Application Deployment FROM EACH JURISDICTION
  - APPROVED LOCAL JURISDICTION POLICY TABLE
  - APPROVED CA, ANCHOR KEY, KRA CERTS. IN KRUSE CONFIG. TABLE
- DISTRIBUTE APPLICATION AND INSTALL WITH PROPER LOCAL JURISDICTION FILE