accelerate development of your secure e-business solutions · cert. module mgr. datalib module mgr....
TRANSCRIPT
Copyright 1998 IBM CorporationAll rights reserved
IBM KeyWorks
Accelerate Development of yourSecure e-Business Solutions
Sekar Chandersekaran [email protected]
Copyright 1998 IBM CorporationAll rights reserved
IBM KeyWorks
� Market Needs
� History
� KeyWorks
� KeyWorks� KeyWorks
� KeyWorks
� KeyWorks
Suite Components Functionality And Key Recovery Platform Coverage Futures
Copyright 1998 IBM CorporationAll rights reserved
Market Needs
� Provide developers with a rich set of PKI servicesto build e-Business applications or middlewarecomponents for a variety of industries! Examples: finance, health, and insurance industries
� Insulate developers from implementation detailsof PKI services! Cryptographic services (variety of algorithms, hardware or
software implementations)! Certificate management services
(validation, parsing, etc .)
Copyright 1998 IBM CorporationAll rights reserved
Market Needs
� Promote ubiquity of the infrastructure! Availability on a large number of OS platforms
� Enable use of strong crypto in distributedapplications operating across multiplejurisdictions
Copyright 1998 IBM CorporationAll rights reserved
History
� 4Q96: Evaluated a variety of framework optionsand selected Intel CDSA 1.0 as desiredspecification
� 1997: Worked closely with Intel / others toaddress IBM requirements and standardization at! Key Recovery, Scalability, e-Commerce Function, Portability
� 3Q97: Delivered IBM KeyWorks Release 1.0� 1Q98: Delivered IBM KeyWorks Release 1.1
Copyright 1998 IBM CorporationAll rights reserved
What is KeyWorks?
� Product Suite! KeyWorks Toolkit (Framework and Add Ins)! Key Recovery Service Provider! Key Recovery Server
� KMI Approval For Export since Sep 1997! Application Review Minimized Significantly
Copyright 1998 IBM CorporationAll rights reserved
KeyWorks Toolkit Components
CSSM Security API
ApplicationDomains
Cert Store
FrameworkEnabledProtocolHandlers
IBMKRSP
PKCS
BSAFE
CCA4758
X.509DSAVerisignEntrust
StoreRetrieve inFILEH/WDirectory
SSL, IPSEC, SEC DNS, S-MIME, DCE RPC, IIOP,MQ
E-COMMERCE, GLOBAL SIGNON, REGISTRY,DOMINO, VPN, FIREWALL
CSSM API
KRMM MODULE
MGR.
CRYPTO MODULE
MGR.
TRUST MODULE
MGR.
CERT. MODULE
MGR.
DATALIB MODULE
MGR.
KMI SPI TPI CLI DLI
X.509IBMRegistryDSAENTRUSTVerisignValidation
REG. / MGMT SERVICES INTEGRITYSERVICES
JURISDICTION POLICY TABLE
ADD IN MODULE
CSSM MODULEMGRS.
Toolkit contents in RED
KRA CONFIG. FILEANCHOR, KRA CERTS.
Based on CDSA V 1.2 +
Additional SPs for IBM VAULT REGISTRY,OTHERS
NO CRL GENERATION+9
Copyright 1998 IBM CorporationAll rights reserved
Trust Issues
� Need for Trust - FWK and SPs need to be trusted since they:! handle critical information (e.g... cryptographic keys)
! make policy and access control decisions
! establish trust in public key certificates
! generate and process key recovery fields
� Trust Perimeter - FWK and SPs are within a perimeter of trust! This trust is established through a chain of trust. (Protocol Handlers will
be within trust perimeter in a future release.)
� Chain of Trust - The chain of trust is established as follows:! FWK verifies self-integrity
! FWK verifies SP
! SP verifies self-integrity
! SP verifies FWK
Copyright 1998 IBM CorporationAll rights reserved
KeyWorks Bilateral Authentication
Integrity Steps in FWK1. self-check2. checks SP on disk3. loads SP4. initiates SP Integrity Checks
Integrity Steps in SP1. self-check2. checks FWK3. passes up SP call table to FWK
FWK
SP1 SP2
Copyright 1998 IBM CorporationAll rights reserved
KeyWorks 1.1 + FEATURES
� APPLICATION PRIVILEGES SUPPORTED� TRACE AND DEBUG CAPABILITIES� PORTABILITY (LANGUAGE, ISOLATION)� CONTEXT MANAGEMENT SERVICES� MULTI THREADING� PORTABLE KEY SUPPORT� APPLICATION SPECIFIC SERVICES� PERFORMANCE AND ROBUSTNESS� KEY RECOVERY BLOCK (KRA COMPLIANT)� KEY REC SERVER ADDITIONS
Copyright 1998 IBM CorporationAll rights reserved
Key Recovery Service Provider
� Builds key recovery blocks to enable recovery ofencryption keys! Implements IBM SKR algorithm
� Variable number of Key Recovery Agents
� Allows Customers to select their own PKI and
� No single point of security compromise
� Can use any approved CA for agent certificates
� Plugs into KeyWorks Toolkit� KR modifications to each CSP no longer needed
Copyright 1998 IBM CorporationAll rights reserved
Recovering a Key
Authentication Info,Key Recovery Block
Decryption Key
KeyRecoveryCoordinator
Key RecoveryAgent 1
Key RecoveryAgent 2
Key RecoveryAgent N
Key Recovery Officer
Copyright 1998 IBM CorporationAll rights reserved
OVERVIEW OF FRAMEWORKS & KEY RECOVERY
FWK PACK 1
KRSPPACK 2
CONFIG. ENTERPRISE FWK PACK 1
KRSP
CONFIG.FILES
ENC.DATA, KEY REC BLOCK
KEY REC
COORD.
KEY REC AGENT
KGINFO FROM KRB
RETURN KK INFO
KRA CERTAND
PRIVATE KEY
KEY REC SERVER
CERTIFICATE ISSUERSCERTIFICATE
ISSUERSCERTIFICATE
ISSUERS
ANCHORCERT
KRA CERT
CERTIFICATES PUT IN CONFIG FILE BY IBM
CERTIFICATES ISSUED
CERTIFICATES/ PRIV. KEYS DIST. TO KRAs
RECEIVE ENC.KEYPROVIDE KRB,
AUTH. INFO
KRA CERT
4758PACK 3
ANCHORCERT
KEY REC
OFFICER
CONFIG. LAW ENF
AUTH CREDS
Copyright 1998 IBM CorporationAll rights reserved
Key Recovery Server
� Recovers keys from blocks generated by KeyRecovery Service Provider
� Stand-alone application with multiple roles! Key Recovery Officer, Key Recovery Coordinator, Key
� Recovery Agents� Key recovery service may be offered by
! Enterprise for in-house use! Independent service companies
� Available on NT since October 1997
Copyright 1998 IBM CorporationAll rights reserved
IBM CommercePOINT Payment Exploitation
CSSM Security API
Cert Store
PKCS
BSAFE
Cert StoreRetrieveFILEHARDWAREDirectory
APPROPRIATEMIDDLEWEARE
CSSM API
KRMM MODULE
MGR.
CRYPTO MODULE
MGR.
TRUST MODULE
MGR.
CERT. MODULE
MGR.
DATALIB MODULE
MGR.
KMI SPI TPI CLI DLI
REG. / MGMT SERVICES INTEGRITY SERVICES
IBM Registryfor SET
CommercePOINTPayment eTill
CommercePOINTPaymentGateway
4758HARDWARE
JURISDICTION POLICY TABLE
ADD IN MODULES
CSSM MODULEMGRS.
KRSP
EXPLOITERS OTHERS
KRA CONFIG. FILEANCHOR, KRA CERTS.
Copyright 1998 IBM CorporationAll rights reserved
Certificate Authority Suite - Building Blocks
IBM PKI
Entrust Trust Policy
Notes Certificate Manager
Notes Data
Library Srvcs.
TIS Key Recovery
SET Trust Policy
Common Infrastructure
Common Security Framework
Middleware
Notes Administrative User Interface
Vault Re gistry Administrative User Interface
Domino GO Administrative User Interface
Other Administrative User Interface
Applications
Notes Specific Policies
Notes C A
Collaboration Applications
Vault Registry CA
Vault Re gistry Specific Policies
Trusted eBusiness
Applications
Domino GO CA
Domino GO Specific Policies
Web Server Applications
Other CA
OTHER CA Specific Policies
System Management Applications
BSAFE Certificate Manager
CMS/CRT Data
Library
BSAFE Cryptographic
Services
IBM Key Recovery
Verisign Trust Policy
Differentiation is based on the product's purpose and applications - not the CA
PKCS11Cryptographic
Services
GENERALLDAP DL
Copyright 1998 IBM CorporationAll rights reserved
KEYWORKS FUTURES
� TOG VERSION 2.0 FULL COMPLIANCE� FULL NLS SUPPORT� FULL PKI SUPPORT (CERT. GENERATION
AND CERT. LIFECYCLE SUPPORT )� ADDITIONAL SUPPORT FOR KEY LIFECYCLE
MANAGEMENT� EXPLOITATION OF W BY NEW APPS� IBM REGISTRY, NOTES, IPSEC, SSL ..
! E-COMMERCE APPS ( PAYMENT etc.)! JAVA CSSM SUPPORT
� SPECIAL PROJECTS
Copyright 1998 IBM CorporationAll rights reserved
KeyWorks Data Library Functions
� Provides persistent storage for certificates andCRLs (custom hardware devices, PKCS 11)
� LDAP V3 in 4Q 98� IBM 4758 and Other Devices� IBM Smart Card and Other Vendors also via
Browsers
Copyright 1998 IBM CorporationAll rights reserved
Encryption with Key Recovery
CryptographicFramework
CryptographicFramework
KM
Framework
KMFramework
3. Generate Recovery Fields
4. handle HA2 rec. fields
Recovery
Fields (HB1, rec. fields)
9. handle HB2
1. Create Symmetric
Context
2. context handle HA1
5. EncryptData
(HA2, message)
rec. fields
6. Create Symmetric Context
7. context handle HB1
10. DecryptData (HA2, enc(message))
Intercept Point
CommunicationProtocol(side A)
CommunicationProtocol(side B)
Copyright 1998 IBM CorporationAll rights reserved
KeyWorks Signed Manifests
Name: CSP1.dllSection: CSP1SHA-1 Digest: [18 e3 …]
Name: Section:SHA-1 Hash:
Section : CSP1SHA-1 Digest: [2b a9 …]
Section : SHA-1 Hash:
Hash value Encrypted Hash valuePKCS #7 Signature Block
Manifest File: CSP1.mf Signer’s Info File: CSP1.sf
Signature Block File: CSP1.dsa
Copyright 1998 IBM CorporationAll rights reserved
FWK Chain of Trust (I)Self-Integrity Verification by FWK
FWK DLL
Signer’s Info of FWK
Application Layer codeLoadLibrary(CSSM)CSSM_Init( )
KpubIBMRootEISL
Manifest of FWK
Signature Block KprivIBMFWK
Copyright 1998 IBM CorporationAll rights reserved
FWK Chain of Trust (II)Verification of Service Providers by FWK
FWK DLL
Application Layer code
CSPi DLL
Manifest of CSPi
CSSM_ModuleAttach(CSPi )
Verify Signature of CSPi
KpubIBMRootEISL
Signature Block KprivIBMCSP
Signer’s Info of CSPi
Copyright 1998 IBM CorporationAll rights reserved
FWK Chain of Trust (IV)Reverse Verification of FWK by Service Providers
FWK DLL
Application Layer code
CSPi DLL
CSSM_RegisterServices (CSPi_EntryTable )
CSPi verifies FWK integrity
Signature Block KprivIBMFWK
Manifest of FWK
KpubIBMRoot
EISL
CSSM_AddInAuthenticate (CSSM_path )
Signer’s Info of FWK
Copyright 1998 IBM CorporationAll rights reserved
FWK Noncircumventability
1. LoadLibrary(“CSP DLL”) - No exported interfaces2. CSP verifies FWK 3. CSSM_RegisterServices ( ) - registration of CSP entry points
FWK DLL
CSP DLL
1 2 3
Rogue Application
CSP DLL
1 2
- CSP DLL has no exported service entry points - entry points are registered dynamically at “DLL Attach” time
after attaching application has been authenticated
Copyright 1998 IBM CorporationAll rights reserved
KEY RECOVERY DEPLOYMENT STEPS
� Obtain Approval to Export Developed Application! Export Approval From BXA (ONLY ONCE)
� Description of Application
� Description of CRYPTO and KRB Usage -- IS IT EXEMPT ETC.
� DESCRIPTION OF MANUFACTURING JURISDICTION POLICY TABLE
� APPROVED CA WITH ANCHOR CERTIFICATE AND APPROVEDKEYRECOVERY AGENTS INKR LE MAN TABLE
� OBTAIN IMPORT Approval for Application Deployment FROMEACH JURISDICTION! APPROVED LOCAL JURISDICTION POLICY TABLE
! APPROVED CA, ANCHOR KEY, KRA CERTS. IN KRUSE CONFIG. TABLE
� DISTRIBUTE APPLICATION AND INSTALL WITH PROPERLOCAL JURISDICTION FILE