TRANSCRIPT
-
R
Ad Bezemer
How to secure an Intranet: PKI case study
-
Topics
• Rabobank
• Why Rabobank needs PKI
• Directory Implementation
• PKI implementation
• Authorisation
• Further uses of PKI
• Lessons learned
-
Rabobank Group
• Rabobank Coöperative bank
–Largest Dutch retail bank
–1500 branch offices, 50,000 employees
–Largest Internet bank in Europe
• Interpolis Insurance and pensions
• De Lage Landen Leasing, Trade Finance
• Robeco Asset Management, Investment funds
-
Thanks to ICT the Rabobank handles 7,000,000 customer financial transactions
-
Topics
• Rabobank
• Business need for PKI
• Implementing an Enterprise Directory
• Implementing a PKI
• Further uses of PKI
-
What is PKI
• 1998: PKI hype, cures everything
• 2000: PKI illusion, is expensive and brings nothing
• 2002: PKI if there is a business need
-
Why does Rabobank need PKI
• Banking business changes
–From transactions at a branch office
–To transactions anytime anywhere
• Type of application changes
–From local applications with defined external interfaces
–To distributed applications accessed anytime anywhere
• Role of security changes:
–From protecting business
–To enabling business
-
Application landscape in 1997
• Many applications (>200)
• Data in different places
• Different architectures:
–Specific hardware
–Terminal emulation
–PC applications
–Client server applications
-
New application Architecture
• Started 1997
• Supports different and new distribution channels
• All data centralised
• Intranet based
• RaboWeb development started
-
RaboWeb needs infrastructure
• Rabobank started to develop RaboWeb
• Philosophy: make use of the internet developments internally
• This raises a number of questions:
–Authentication
–Authorisation
–Integrity
• To provide answers to these questions the RaboWeb Security program was started
-
RaboWeb security
• Problem:
–Many systems for authorisation
–A lot of maintenance
–Higher security is needed
–30000 users
–100+ applications
• Questions:
–Uniform authorisation, role-based
–Accommodate highly secure applications
–Financial transactions on RaboWeb
–Improved security in PC access.
-
RaboWeb security plan
• How to reach the goals?
• Research started 1997
–Request for Information
–6 vendors
–0 solutions
–1 roadmap
-
RaboWeb security Roadmap
• Goals are reached by
–Implement authorisation middleware
–Implement central Directory
–Implement PKI
–Use PKI as a uniform security infrastructure
• Use standards
• No specials
-
Major functions RaboWeb security
• Registration: store of information, secure communication
• Authentication: who is this
• Authorisation: who has access, up to which amount
• Log & audit: who has performed what
-
RaboWeb Security
• Development started 1998
• Major functions
–Registration Central Directory
–Authentication PKI
–Authorisation Role based
-
Central Directory Overview
• Central Master server for maintenance
• Slave servers for queries; access via LDAP
• Every object has a unique key: RabobankID
• Started with X.500 product on NT platform
–Gave performance problems with >20000 users
• Migrated in 2001 to OpenLDAP
• Migration took 6 weeks
• Standardise on LDAP v3
-
Directory server response time
[Chart: directory server response time in seconds (0 to 40) measured over the course of a day, comparing DS-old (31-10) with DS-New (09-11)]
-
Central Directory Current status
• 33000 Users in Directory
• Users are replicated to Windows NT and Exchange
• Authorisations are stored as a user attribute
• Synchronisation with Active Directory in development
-
PKI Overview
• Logical CA is started for every group member
• No hierarchy
• Start with signing certificate
• Encryption certificate will follow
• Started with XCert CA
• XCert acquired by RSA in 2001
• Now upgrading to KEON CA 6.01
–compatible with Windows 2000
-
PKI Current status
• Operational since November 2000 for Large customers
–access via SSL-3 over Internet
• In test for use by employees of local banks
-
PKI Issues and challenges
• CRL lifetime
• CA Certificate lifetime
• CA rollover
• Certificate publishing in external Directory
• Version upgrades
• High availability is difficult
• Integration with Windows2000
• Detection of expiring certificates
-
Smartcard Overview
• Two factor authentication
–Possession of the card
–Knowledge of the PIN
• Local issuing of cards
• Datakey 330 card
• Key generation on card
• Supports PKCS and Crypto API
• Compaq keyboard with reader
• No USB
-
Smartcard Current status
• Operational for large customers
• In test for local banks with Windows 95
• Migration to XP starts December 2002
–smartcard logon obligatory
• Use for digital signatures:
–Standards not always standard
–Isolate use of crypto middleware from application
-
Smartcard Issues and challenges
• Issuing process
–To be issued within 5 minutes
• Integration with Terminal Server
• Secure PIN entry
• Performance
• Two readers on Windows 95
• Support for more than one certificate
• Offline authentication
–now in research with Vasco
-
Authorisation overview
• Role based authorisation
• Chain: Dept. → User → Role → Function
• Management split across department management, organisation management and application management
-
Authorisation Technical details
• First implementation based on signed cookies
–Roles implemented as NT groups
• Second version integrates with Directory and PKI
–Roles from Directory
–Cookies issued in SSL-3 session
• 60+ applications are operational
• In progress implementation of new roles
-
Authorisation Issues and challenges
• Availability is major issue
• Products are available (IBM, Baltimore, RSA, etc.)
• No standards yet
• Wait for standards
–Attribute certificates?
–SAML?
-
PKI Example
[Diagram: use of the smartcard for authentication and authorisation]
• Directory Service (LDAP): Name: X, RaboID: Y
• Client locations: "normal" workstation at a local bank, "normal" workstation at a customer location, Internet
• Server side: RaboWeb applications behind a PKI Gateway, which consults the CRL
• 1: Make RWA connection with http://appl.rabobank.nl
• 2a: Gateway asks the client for the right certificate
• 2b: Make SSL connection to https://gateway/app
• 3: Make RWA connection with http://appl.rabobank.nl
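The gateway flow on this slide and the signed-cookie authorisation described on the "Authorisation Technical details" slide, modelled in Python as an added illustration (this is not Rabobank's code; the directory entries, CRL serials, key, role names and the cookie format are all assumptions constructed for the example):

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data, not from the deck: directory entries keyed by RabobankID
DIRECTORY = {"Y": {"name": "X", "roles": ["teller", "loan-officer"]}}
# Constructed: certificate serial numbers currently listed on the CA's CRL
CRL_SERIALS = {0x1A2B}
# Assumption: a secret shared between the PKI gateway and the RaboWeb applications
GATEWAY_KEY = b"assumed-gateway-secret-key"

def issue_cookie(rabo_id, roles, now=None, ttl=3600):
    """Gateway side: roles come from the directory, the cookie is MACed and time-limited."""
    payload = {"id": rabo_id, "roles": roles, "exp": int(now or time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def gateway_login(cert_serial, cert_subject_name, rabo_id, now=None):
    """Step 2 of the slide: reject revoked certificates, resolve the RaboID in the
    directory, check the certificate name matches, then issue the signed cookie."""
    if cert_serial in CRL_SERIALS:
        return None
    entry = DIRECTORY.get(rabo_id)
    if entry is None or entry["name"] != cert_subject_name:
        return None
    return issue_cookie(rabo_id, entry["roles"], now)

def verify_cookie(cookie, now=None):
    """Application side (step 3): check the MAC and expiry before trusting any role."""
    try:
        body, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] <= int(now or time.time()):
        return None
    return payload

def authorise(cookie, required_role, now=None):
    """Role-based decision: the role must be present in a valid, unexpired cookie."""
    payload = verify_cookie(cookie, now)
    return payload is not None and required_role in payload["roles"]
```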
-
Further use of PKI
• Secure mail
• VPN
• Secure PIN entry
• PC Logon
• Compatible with Outlook
• Compatible with Cisco
• Compatible with Digipass 850
• Compatible with Windows 2000
-
Lessons learned
• Do an RFI
–Make requirements clear
–Paper is patient
–Do a pilot
–Also test support
• Use standards
–Even if you get less functionality
–Even then there are differences