Deploying Directory-Enabled Enterprise-Wide Security

Luc Clement, Director of Products, Zoomit Corporation, [email protected]
Internet Expo Business-to-business Enterprise Solutions, San Jose Convention Center, February 10, 1998


Page 1: Deploying Directory-Enabled Enterprise-Wide Security

Luc Clement, Director of Products, Zoomit Corporation, [email protected]

Deploying Directory-Enabled Enterprise-Wide Security

Internet Expo Business-to-business Enterprise Solutions

San Jose Convention Center, February 10, 1998

Page 2: Deploying Directory-Enabled Enterprise-Wide Security

Zoomit has security objectives ...

Directory-enabling everything - securely

Lead in identity management - establishing and managing identities in cyberspace

Solve the single login problem

Create metasecurity to integrate useful security protocols, especially X.509, Kerberos, and Radius

Lead in Cryptologistics - the way to successfully deploy and deliver keys and certificates

Interoperate with everyone

Page 3: Deploying Directory-Enabled Enterprise-Wide Security

… but is a real Intranet company

Zoomit uses the Internet Services Model, in which network services are based on open standards

Zoomit VIA is comfortable in environments where Internet security services are offered by other vendors

We will make every effort so our tools, clients and servers will work with X.509 PKIs and Kerberos servers from any vendor - including MIT/Cygnus, Microsoft, Verisign, Entrust, Netscape, and others.

Page 4: Deploying Directory-Enabled Enterprise-Wide Security

Redeeming the Evil Twin

Directory Security

Page 5: Deploying Directory-Enabled Enterprise-Wide Security

Public Key Infrastructure

Page 6: Deploying Directory-Enabled Enterprise-Wide Security

What is it about public key?

The concept is awesome…

Has a pristine mystical quality

Must not be sullied by compromise with mortality

Perfect authentication for angels

Page 7: Deploying Directory-Enabled Enterprise-Wide Security

Management of PKI

Must be directory enabled and managed

Not just sticking certificates in the directory

Rethink of the whole process given the universal infrastructure

PKI not fully rooted in directory is a ruse.

Beware the evil twin’s YETA (YET Another directory)

Page 8: Deploying Directory-Enabled Enterprise-Wide Security

A Need to Use Natural Business Processes

Use existing authentication machinery to grant certificates - transparently

Monitor the use of the certificates to deepen their quality

Add other certificates only when someone gets a real benefit from it

Make public key a natural extension of existing authentication systems

Page 9: Deploying Directory-Enabled Enterprise-Wide Security

Why has PKI been so hard to deploy?

With public key, we have to manage certificates (and private key material), whereas before we didn’t.

With public key, people have to go through metaphorical “fingerprinting”, whereas before they didn’t.

– Most companies have no processes for certification

In most cases, there is no instantaneous, tangible reward for the apparent hardship involved with public key deployment

Page 10: Deploying Directory-Enabled Enterprise-Wide Security

LPKI versus OPKI

Lightweight PKI (LPKI)

Based on Metadirectory

Automatic and transparent

Grows organically, bottom up or top down

Simple

Overweight PKI (OPKI)

Based on a YETA, or worse…

A big intrusion and cumbersome

Grows bureaucratically

Really really complicated

Page 11: Deploying Directory-Enabled Enterprise-Wide Security

The Authentication Framework

Page 12: Deploying Directory-Enabled Enterprise-Wide Security

Should we start again as angels?

Era of authentication as we know it

Glorious New Public Key Era

Page 13: Deploying Directory-Enabled Enterprise-Wide Security

Or build on who we are?

Authentication as we know it

New Public Key

Realistically, authentication protocols will co-exist

Page 14: Deploying Directory-Enabled Enterprise-Wide Security

VIA builds on information assets

Diagram: a Unified Metadirectory draws on Information Capital (NT, LAN, Email, Infrastructure, Human Resources) and Authentication Capital (Kerberos Infrastructure, Public Key Infrastructure)

Page 15: Deploying Directory-Enabled Enterprise-Wide Security

… and can extend authentication ...

Diagram: the Unified Metadirectory joins the Existing Authentication Framework with Intranet Authentication (Kerberos, Public Key)

Page 16: Deploying Directory-Enabled Enterprise-Wide Security

… by being an enabling force

Diagram: Existing Authentication feeds Metadirectory Authentication, which drives Automatic Deployment of Public Key, Public Key Applications and Benefits, and Increasing Certificate Quality

Page 17: Deploying Directory-Enabled Enterprise-Wide Security

Synergy - not protocol wars

Diagram: DHCP, DNS, Public Key, Kerberos, Radius and HTTP arranged around the Metadirectory -- Inclusive Technology

Page 18: Deploying Directory-Enabled Enterprise-Wide Security

Keys, keys, keys…all you ever talk about is Keys!

Page 19: Deploying Directory-Enabled Enterprise-Wide Security

Public Key - Identifying Yourself

In Public Key, every network participant holds a private key

This private key is central to proving who you are, what you are allowed to do, and what you claim to be true

The storage of this private key is crucial to the deployment of public key infrastructure. Any limitations placed on this storage end up being limitations on all the technology which depends on public key

Page 20: Deploying Directory-Enabled Enterprise-Wide Security

The Directory-enabled Token

A soft token stored in the directory in encrypted form and transmitted to the user under a second session-based layer of encryption

Implements the storage functions of PKCS #11

When decrypted on the workstation, loads the local client-based crypto engine (CAPI or PKCS #11)

Allows users to access their crypto materials from any workstation

Operates under centralized management

Page 21: Deploying Directory-Enabled Enterprise-Wide Security

Method: Hard Token
Advantages: Most secure. User must possess the token, which cannot be copied.
Disadvantages: Expensive. Not usable on desktops where a reader is not present.

Method: Disk or registry based token
Advantages: User can only access passwords and keys from one workstation.
Disadvantages: Workstation must be 100% physically secured or token can be subjected to password attack.

Method: Directory-enabled token
Advantages: Users can move freely from workstation to workstation. Workstations do not need to be physically secured. Token cannot be subjected to password attack.
Disadvantages: If password is revealed to an enemy by the user, token can be accessed from another workstation.

A strategy for transition

Page 22: Deploying Directory-Enabled Enterprise-Wide Security

When Authenticated to the Metadirectory ...

A PKI security policy object is consulted by the client

The client automatically generates encryption and signature key pairs if they don’t already exist

The private encryption key is escrowed

The metadirectory issues a certificate for each key binding it to the user’s directory name

The certificate follows all PKIX recommendations and specifies a policy limited to directory binding

The certificate will interwork with certificates from other CAs.

Diagram: Workstation and Metadirectory exchange. The user’s token on the workstation holds the encryption and signature keys; the workstation sends the encryption key to escrow and a certificate request to the metadirectory, which returns a VIA PKIX certificate to the user’s token.
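The enrolment the slide describes, as an added example that is not Zoomit's code: a self-signed CA stands in for the metadirectory, the client generates separate signature and encryption key pairs, only the encryption private key is escrowed (here wrapped with RSA-OAEP to an escrow agent's key), and each key receives its own certificate bound to the user's directory name with a single key usage and a certificate policy. The escrow agent, the placeholder policy OID and the 90-day validity are assumptions, not values from the presentation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// must panics on error; acceptable for a demo with fixed, valid parameters.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign has issuer sign tmpl for pub; passing tmpl as its own issuer yields the self-signed CA.
func sign(tmpl, issuer *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, key))))
}

// NewCA builds the self-signed CA standing in for the metadirectory that issues user certificates.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Metadirectory CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// Enroll: separate signature/encryption key pairs, escrow of the encryption private key only (RSA-OAEP to the
// escrow agent), and one certificate per key bound to the user's DN and limited to a single key usage.
func Enroll(ca *x509.Certificate, caKey *ecdsa.PrivateKey, escrow *rsa.PublicKey, dn pkix.Name) (sigCert, encCert *x509.Certificate, escrowed []byte) {
	sigKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	encKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	escrowed = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, escrow, must(x509.MarshalECPrivateKey(encKey)), nil))
	// certificatePolicies extension with one placeholder policy OID (not Zoomit's) meaning "directory binding only".
	policy := pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: must(asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}}}))}
	leaf := func(usage x509.KeyUsage, serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: dn, KeyUsage: usage, ExtraExtensions: []pkix.Extension{policy},
			NotBefore: time.Now(), NotAfter: time.Now().Add(90 * 24 * time.Hour)}
	}
	sigCert = sign(leaf(x509.KeyUsageDigitalSignature, 2), ca, &sigKey.PublicKey, caKey)
	encCert = sign(leaf(x509.KeyUsageKeyEncipherment, 3), ca, &encKey.PublicKey, caKey)
	return
}
```

The signature private key never leaves the workstation, which is what keeps signatures non-repudiable while the escrow agent can still recover encrypted data.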

Page 23: Deploying Directory-Enabled Enterprise-Wide Security

Empowering The Enterprise

Page 24: Deploying Directory-Enabled Enterprise-Wide Security

The PKIX Certificate

PKIX is the preferred profile for X.509 on the Internet

Specifies not only a policy OID, but a link to a Web page in which the policy is defined

Defines and limits the purposes for which a certificate can be used

All of these parameters are configured through a signed directory object belonging to the VIA Certificate Authority.

Can bind email addresses as well as DNs.

Page 25: Deploying Directory-Enabled Enterprise-Wide Security

Special issues addressed in VIA

Renewal for short-term signature certificates

– “Valid From” date remains fixed

– “Valid To” date may be limited and extended as required by use

– Shifting of location in the directory results in a natural expiry, not in a revocation

– Binding of user credentials to a hierarchical directory name becomes possible without CRL babble

Page 26: Deploying Directory-Enabled Enterprise-Wide Security

Special issues addressed in VIA

Optional binding of encryption key to a unique and permanent identifier rather than to a directory name

– Once again reducing CRL babble

Ability to place access controls on individual certificates

Page 27: Deploying Directory-Enabled Enterprise-Wide Security

The user security policy object

Specifies key type, key size

Specifies which crypto providers the user is allowed to employ

Specifies when keys must be rolled over

Specifies what kind of token should be used (hard or soft)

Specifies whether a soft token should be stored in the directory, on a file system, or both

Page 28: Deploying Directory-Enabled Enterprise-Wide Security

Working with Others - Verisign, Entrust, Microsoft, Netscape

Don’t assume that you will only ever have one set of certificates

Different realms could use certificates produced by others.

Clients and servers will support the Entrust version of GSSAPI.

Zoomit VIA has been tested and functions as an Entrust certificate repository.

Page 29: Deploying Directory-Enabled Enterprise-Wide Security

Getting Benefit

Page 30: Deploying Directory-Enabled Enterprise-Wide Security

Diagram: Zoomit Crypto Adapter (ZCAD). VIA and Zoomit API applications call the Zoomit Certificate, Key and S/MIME API, which sits over CAPI and the PKCS #11 API; a PKCS #11/CAPI converter bridges the two. Underneath are the Directory Enabled Storage Token and PKCS #11 hard or soft tokens.

Page 31: Deploying Directory-Enabled Enterprise-Wide Security

Diagram: Zoomit Crypto Adapter (ZCAD) serving Microsoft Applications through CAPI, backed by the Directory Enabled Storage Token.

Page 32: Deploying Directory-Enabled Enterprise-Wide Security

Diagram: Zoomit Crypto Adapter (ZCAD) serving Netscape Applications through PKCS #11 hard or soft tokens, backed by the Directory Enabled Storage Token.

Page 33: Deploying Directory-Enabled Enterprise-Wide Security

A Metadirectory Benefit - Kerberos Authentication

Diagram: the Metadirectory Identity Service acts as Key Distribution Center (KDC) for an Application Server (Target):

1. Initial client authentication to KDC

2. Request session ticket from KDC for target server

3. Present session ticket at connection setup

4. Target verifies session ticket issued by KDC

Page 34: Deploying Directory-Enabled Enterprise-Wide Security

The login logjam torments us

Login is the first point where Mary encounters namespace chaos

This chaos encompasses both who we are and how we prove it

Mary is confused by the chaos, and that confusion costs bigtime

The promise of distributed computing is jammed by individual vendors’ exclusive directory infrastructures.

Diagram: Mary’s identities across NT, Notes, NDS and SAP, each with a different name and password (Mary Moore / Insomnia2, Mary Tyler Moore / Esoteric21, marym / insomnia2)

Page 35: Deploying Directory-Enabled Enterprise-Wide Security

The Metadirectory enabled password caching service

Zoomit single logon information is stored in the metadirectory

Secret information can optionally be stored in hard or workstation-based tokens

The service automatically updates a user's password cache

Administrators can view and update all proprietary systems through a single common interface

No administrative burden at the desktop

Logs you in to our desktops and our existing network operating systems automatically

Diagram: The Metadirectory Token holds the metadirectory name and password, the private key, and the names and passwords for NT, Netware, Notes and the HR System

Page 36: Deploying Directory-Enabled Enterprise-Wide Security

Single Logon and Your Metadirectory Token

With Zoomit's single logon solution, metadirectory-based policy management allows the security administrator to select the type of token employed by each user or group of users, and to determine whether soft tokens are stored on the desktop and/or in the directory.

Security administrators can assess the risks associated with various roles and select the kind of token which is most appropriate. Because private keys and passwords are always stored in a token, it is easy for security personnel to evaluate the cryptographic methods being used to protect secret information.

Page 37: Deploying Directory-Enabled Enterprise-Wide Security

Single Logon with Metadirectory

Diagram: Unified Security Administration over the Metadirectory and its Proprietary Connected Directories

Page 38: Deploying Directory-Enabled Enterprise-Wide Security

VIA Intranet Security Infrastructure

Diagram: VIA Single Logon, VIA Public Key Infrastructure and VIA Kerberos Real-time Authentication together form the Full-Spectrum Solution

A full-spectrum solution creates a continuum between the existing authentication infrastructure and new Intranet Security Services