![Page 1: Deploying Directory-Enabled Enterprise-Wide Security](https://reader034.vdocuments.us/reader034/viewer/2022051018/5681462a550346895db337f8/html5/thumbnails/1.jpg)
Luc Clement, Director of Products, Zoomit [email protected]
Deploying Directory-Enabled Enterprise-Wide Security
Internet Expo Business-to-business Enterprise Solutions
San Jose Convention Center, February 10, 1998
Page 2
Zoomit has security objectives ...
Directory-enabling everything - securely
Lead in identity management - establishing and managing identities in cyberspace
Solve the single login problem
Create metasecurity to integrate useful security protocols, especially X.509, Kerberos, and Radius
Lead in Cryptologistics - the way to successfully deploy and deliver keys and certificates
Interoperate with everyone
Page 3
… but is a real Intranet company
Zoomit uses the Internet Services Model, in which network services are based on open standards
Zoomit VIA is comfortable in environments where Internet security services are offered by other vendors
We will make every effort to ensure that our tools, clients and servers work with X.509 PKIs and Kerberos servers from any vendor - including MIT/Cygnus, Microsoft, Verisign, Entrust, Netscape, and others.
Page 4
Redeeming the Evil Twin
Directory Security
Page 5
Public Key Infrastructure
Page 6
What is it about public key?
The concept is awesome…
Has a pristine mystical quality
Must not be sullied by compromise with mortality
Perfect authentication for angels
Page 7
Management of PKI
Must be directory enabled and managed
Not just sticking certificates in the directory
Rethink of the whole process given the universal infrastructure
PKI not fully rooted in the directory is a ruse.
Beware the evil twin's YETA (YET Another directory)
Page 8
A Need to Use Natural Business Processes
Use existing authentication machinery to grant certificates - transparently
Monitor the use of the certificates to deepen their quality
Add other certificates only when someone gets a real benefit from it
Make public key a natural extension of existing authentication systems
Page 9
Why has PKI been so hard to deploy?
With public key, we have to manage certificates (and private key material), whereas before we didn’t.
With public key, people have to go through metaphorical "fingerprinting", whereas before they didn't.
– Most companies have no processes for certification
In most cases, there is no instantaneous, tangible reward for the apparent hardship involved with public key deployment
Page 10
LPKI versus OPKI
Lightweight PKI (LPKI)
– Based on Metadirectory
– Automatic and transparent
– Grows organically, bottom up or top down
– Simple
Overweight PKI (OPKI)
– Based on a YETA, or worse…
– A big intrusion and cumbersome
– Grows bureaucratically
– Really really complicated
Page 11
The Authentication Framework
Page 12
Should we start again as angels?
Era of authentication as we know it
Glorious New Public Key Era
Page 13
Or build on who we are?
Authentication as we know it
New Public Key
Realistically, authentication protocols will co-exist
Page 14
VIA builds on information assets
(Diagram: the Unified Metadirectory draws on Information Capital - NT LAN, Email Infrastructure, Human Resources - and on Authentication Capital - Kerberos Infrastructure, Public Key Infrastructure.)
Page 15
… and can extend authentication ...
(Diagram: the Unified Metadirectory links the Existing Authentication Framework to Intranet Authentication - Kerberos and Public Key.)
Page 16
… by being an enabling force
(Diagram: Metadirectory Authentication, Existing Authentication, Automatic Deployment of Public Key, Public Key Applications and Benefits, Increasing Certificate Quality.)
Page 17
Synergy - not protocol wars
(Diagram: DHCP, DNS, Public Key, Kerberos, Radius and HTTP around the Metadirectory.)
Metadirectory -- Inclusive Technology
Page 18
Keys, keys, keys…all you ever talk about is Keys!
Page 19
Public Key - Identifying Yourself
In Public Key, every network participant holds a private key
This private key is central to proving who you are, what you are allowed to do, and what you claim to be true
The storage of this private key is crucial to the deployment of public key infrastructure. Any limitations placed on this storage end up being limitations on all the technology which depends on public key
Page 20
The Directory-enabled Token
A soft token stored in the directory in encrypted form and transmitted to the user under a second session-based layer of encryption
Implements the storage functions of PKCS #11
When decrypted on the workstation, loads the local client-based crypto engine (CAPI or PKCS #11)
Allows users to access their crypto materials from any workstation
Operates under centralized management
Page 21

| Method | Advantages | Disadvantages |
|---|---|---|
| Hard token | Most secure. User must possess the token, which cannot be copied. | Expensive. Not usable on desktops where a reader is not present. |
| Disk- or registry-based token | User can only access passwords and keys from one workstation. | Workstation must be 100% physically secured or the token can be subjected to a password attack. |
| Directory-enabled token | Users can move freely from workstation to workstation. Workstations do not need to be physically secured. Token cannot be subjected to a password attack. | If the password is revealed to an enemy by the user, the token can be accessed from another workstation. |

(The "cannot be subjected to a password attack" claim holds only as long as the directory releases the encrypted token solely to an authenticated session; the stored blob itself is password-derived ciphertext, and anyone who copies it can guess against it offline.)

A strategy for transition
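The two layers slide 20 describes, and the password-attack column of the table above, as an added example that is not part of the original deck and not Zoomit VIA code. Everything in it is assumed: the key derivation (a minimal single-block PBKDF2-HMAC-SHA256 with a fixed iteration count), AES-256-GCM for both the at-rest and the session layer, the Go function names, and the sample data (the Mary Moore / Insomnia2 pair is borrowed from slide 34; the key bytes and session secret are constructed placeholders).

```go
package main

// Added example, not Zoomit VIA code: slide 20's directory-enabled soft token, with an at-rest
// layer keyed from the user's password and a per-session layer for delivery, plus the offline
// password attack the slide 21 table contrasts. Assumed: AES-256-GCM and a minimal PBKDF2-HMAC-SHA256.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const kdfIterations = 50000 // assumed work factor; raise it for a real deployment
// StoredToken is the directory entry: the KDF salt and the password-wrapped key material.
type StoredToken struct {
	UserDN string
	Salt   []byte
	Blob   []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// pbkdf2 derives one 32-byte block per RFC 8018 (dkLen equals the SHA-256 size, so one block).
func pbkdf2(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1), the block index
	u := mac.Sum(nil)
	t := append([]byte{}, u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(t, t, u)
	}
	return t
}

// seal returns nonce || ciphertext || tag; open reverses it and fails on tampering or a wrong key.
func seal(key, plaintext, aad []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("token too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// EnrollToken wraps the key material under the password, with the DN as associated data so a blob moved to another entry will not open.
func EnrollToken(userDN, password string, keyMaterial []byte) StoredToken {
	salt := make([]byte, 16)
	must(rand.Read(salt))
	return StoredToken{userDN, salt, seal(pbkdf2([]byte(password), salt, kdfIterations), keyMaterial, []byte(userDN))}
}

// DeliverToken is the directory side: released only to an authenticated session, under a second layer keyed by that session.
func DeliverToken(t StoredToken, sessionKey []byte) []byte {
	return seal(sessionKey, t.Blob, []byte(t.UserDN))
}

// UnlockToken is the workstation side: strip the session layer, then the password layer.
func UnlockToken(userDN string, salt, wire, sessionKey []byte, password string) ([]byte, error) {
	blob, err := open(sessionKey, wire, []byte(userDN))
	if err != nil {
		return nil, err
	}
	return open(pbkdf2([]byte(password), salt, kdfIterations), blob, []byte(userDN))
}

// GuessPassword is the attack the table warns about for disk-resident tokens: whoever holds the stored blob tries candidates offline.
func GuessPassword(t StoredToken, candidates []string) (string, bool) {
	for _, c := range candidates {
		if _, err := open(pbkdf2([]byte(c), t.Salt, kdfIterations), t.Blob, []byte(t.UserDN)); err == nil {
			return c, true
		}
	}
	return "", false
}

func main() {
	tok := EnrollToken("cn=Mary Moore,o=Example", "Insomnia2", []byte("private key bytes (constructed)"))
	session := sha256.Sum256([]byte("session key agreed at login (constructed)"))
	fmt.Println(UnlockToken(tok.UserDN, tok.Salt, DeliverToken(tok, session[:]), session[:], "Insomnia2"))
	fmt.Println(GuessPassword(tok, []string{"password", "Esoteric21", "Insomnia2"}))
}
```

In a real deployment the session key comes from the authenticated login (for VIA, the Kerberos or metadirectory logon of the later slides), so the wire form is useless without that session, and the stored form is useless without the password. GuessPassword succeeds against the stored blob, which is the whole argument for the directory-enabled token: the blob must only ever leave the directory to an authenticated, rate-limited session, whereas a disk- or registry-resident copy of the same blob is exactly as strong as the user's password and the KDF cost.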
Page 22
When Authenticated to the Metadirectory ...
A PKI security policy object is consulted by the client
The client automatically generates encryption and signature key pairs if they don't already exist
The private encryption key is escrowed
The metadirectory issues a certificate for each key binding it to the user's directory name
The certificate follows all PKIX recommendations and specifies a policy limited to directory binding
The certificate will interwork with certificates from other CAs.
(Diagram: Workstation and Metadirectory - the workstation generates the encryption and signature keys into the user's token, the encryption key goes to escrow, a certificate request goes to the metadirectory, and the VIA PKIX certificate comes back into the user's token.)
Page 23
Empowering The Enterprise
Page 24
The PKIX Certificate
PKIX is the preferred profile for X.509 on the Internet
Specifies not only a policy OID, but a link to a Web page in which the policy is defined
Defines and limits the purposes for which a certificate can be used
All of these parameters are configured through a signed directory object belonging to the VIA Certificate Authority.
Can bind email addresses as well as DNs.
Page 25
Special issues addressed in VIA
Renewal for short-term signature certificates
– "Valid From" date remains fixed
– "Valid To" date may be limited and extended as required by use
– Shifting of location in the directory results in a natural expiry, not in a revocation
– Binding of user credentials to a hierarchical directory name becomes possible without CRL babble
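The enrolment steps of slide 22, the PKIX profile points of slide 24 and the fixed "Valid From" renewal of slide 25, carried through as an added Go example that is not Zoomit's code and not the VIA product's API. Assumed throughout: P-256 user keys (so the encryption certificate carries keyAgreement where an RSA key would carry keyEncipherment), RSA-OAEP as the escrow wrapping, a placeholder policy OID under an example private arc, a placeholder CPS URL, and all function and variable names; the certificatePolicies extension with its CPS qualifier is encoded by hand because Go's crypto/x509 emits only the bare policy OID.

```go
package main

// Added example, not Zoomit VIA code: the enrolment of slide 22, the PKIX profile of slide 24 and
// the fixed-"Valid From" renewal of slide 25 with Go's crypto/x509. Assumed: P-256 user keys (the
// encryption certificate therefore carries keyAgreement), RSA-OAEP to the escrow agent, and a
// placeholder policy OID and CPS URL; unexpected errors panic through must.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// These stand in for the CA's signed policy object of slide 24: policy OID, CPS page, validity.
var (
	PolicyOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // placeholder private arc
	CPSURL    = "https://policy.example.test/directory-binding"  // placeholder
	Validity  = 7 * 24 * time.Hour
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	idQtCPS                = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 1}
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func serial() *big.Int {
	return new(big.Int).Add(must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))), big.NewInt(1))
}

// certificatePoliciesExt: RFC 5280 certificatePolicies with a CPS URI qualifier, which crypto/x509 does not emit itself.
func certificatePoliciesExt() pkix.Extension {
	type qualifier struct {
		ID  asn1.ObjectIdentifier
		CPS string `asn1:"ia5"`
	}
	type policyInfo struct {
		ID         asn1.ObjectIdentifier
		Qualifiers []qualifier `asn1:"optional"`
	}
	der := must(asn1.Marshal([]policyInfo{{PolicyOID, []qualifier{{idQtCPS, CPSURL}}}}))
	return pkix.Extension{Id: oidCertificatePolicies, Value: der}
}

// NewCA creates the self-signed metadirectory CA.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	t := &x509.Certificate{SerialNumber: serial(), Subject: pkix.Name{CommonName: "VIA Metadirectory CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)))), key
}

// Issue binds pub to the user's DN and e-mail under the policy; usage limits it to encryption (keyAgreement) or signature.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dn pkix.Name, email string,
	pub *ecdsa.PublicKey, usage x509.KeyUsage, from, to time.Time) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: serial(), Subject: dn, EmailAddresses: []string{email},
		NotBefore: from, NotAfter: to, KeyUsage: usage, BasicConstraintsValid: true,
		ExtraExtensions: []pkix.Extension{certificatePoliciesExt()}}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, ca, pub, caKey))))
}

// Renew (slide 25): "Valid From" stays fixed, only "Valid To" moves out; a user who moves or leaves is simply not renewed, no CRL entry.
func Renew(ca *x509.Certificate, caKey *ecdsa.PrivateKey, old *x509.Certificate, extend time.Duration) *x509.Certificate {
	return Issue(ca, caKey, old.Subject, old.EmailAddresses[0], old.PublicKey.(*ecdsa.PublicKey),
		old.KeyUsage, old.NotBefore, old.NotAfter.Add(extend))
}

// EscrowKey wraps the encryption private key (SEC1 DER, about 120 bytes, within RSA-2048 OAEP) to the escrow agent; never the signature key.
func EscrowKey(priv *ecdsa.PrivateKey, agent *rsa.PublicKey) []byte {
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, agent, must(x509.MarshalECPrivateKey(priv)), nil))
}

// Enrol runs slide 22 for one user: generate both pairs, escrow only the encryption key, one policy-limited certificate per key.
func Enrol(ca *x509.Certificate, caKey *ecdsa.PrivateKey, agent *rsa.PublicKey, dn pkix.Name, email string) (encCert, sigCert *x509.Certificate, escrow []byte) {
	enc, sig := newKey(), newKey()
	from := time.Now().Add(-time.Minute)
	encCert = Issue(ca, caKey, dn, email, &enc.PublicKey, x509.KeyUsageKeyAgreement, from, from.Add(Validity))
	sigCert = Issue(ca, caKey, dn, email, &sig.PublicKey, x509.KeyUsageDigitalSignature, from, from.Add(Validity))
	return encCert, sigCert, EscrowKey(enc, agent)
}

func main() {
	ca, caKey := NewCA()
	agent := must(rsa.GenerateKey(rand.Reader, 2048))
	_, sigCert, escrow := Enrol(ca, caKey, &agent.PublicKey, pkix.Name{CommonName: "Mary Moore"}, "mary@example.test")
	fmt.Println(sigCert.Subject, sigCert.PolicyIdentifiers, len(escrow), Renew(ca, caKey, sigCert, 7*24*time.Hour).NotAfter)
}
```

Two design points worth checking against a real deployment: the escrow blob is produced only for the encryption key, so data recovery never hands anyone the ability to forge signatures; and Renew re-issues under a fresh serial but the same public key and the same NotBefore, which is what lets the certificate's history be read as one continuous binding. Verifiers that fetch the policy page from the CPS URI must treat it as a hint, not a trust decision, since the URI is just an IA5String inside a signed blob.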
Page 26
Special issues addressed in VIA
Optional binding of encryption key to a unique and permanent identifier rather than to a directory name
– Once again reducing CRL babble
Ability to place access controls on individual certificates
Page 27
The user security policy object
Specifies key type, key size
Specifies which crypto providers the user is allowed to employ
Specifies when keys must be rolled over
Specifies what kind of token should be used (hard or soft)
Specifies whether a soft token should be stored in the directory, on a file system, or both
Page 28
Working with Others - Verisign, Entrust, Microsoft, Netscape
Don’t assume that you will only ever have one set of certificates
Different realms could use certificates produced by others.
Clients and servers will support the Entrust version of GSSAPI.
Zoomit VIA has been tested and functions as an Entrust certificate repository.
Page 29
Getting Benefit
Page 30
Zoomit Crypto Adapter (ZCAD)
(Diagram components: VIA and Zoomit API applications; Zoomit Certificate, Key, S/MIME API; CAPI; PKCS #11 API; PKCS #11/CAPI Converter; PKCS #11 Hard or Soft Token; Directory Enabled Storage Token.)
Page 31
Zoomit Crypto Adapter (ZCAD)
(Diagram components: Microsoft Applications; CAPI; Directory Enabled Storage Token.)
Page 32
Zoomit Crypto Adapter (ZCAD)
(Diagram components: Netscape Applications; PKCS #11 Hard or Soft Token; Directory Enabled Storage Token.)
Page 33
A Metadirectory Benefit - Kerberos Authentication
(Diagram: the client, the Application Server (Target), and the Metadirectory Identity Service acting as Key Distribution Center (KDC).)
1. Initial client authentication to the KDC
2. Request session ticket from the KDC for the target server
3. Present session ticket at connection setup
4. Target verifies the session ticket issued by the KDC
Page 34
The login logjam torments us
Login is the first point where Mary encounters namespace chaos
This chaos encompasses both who we are and how we prove it
Mary is confused by the chaos, and that confusion costs bigtime
The promise of distributed computing is jammed by individual vendors' exclusive directory infrastructures.
(Diagram: Mary's separate identities in NT, Notes, NDS and SAP - "Mary Moore / Insomnia2", "Mary Tyler Moore / Esoteric21", "marym / insomnia2".)
Page 35
The Metadirectory enabled password caching service
Zoomit single logon information is stored in the metadirectory
Secret information can optionally be stored in hard or workstation-based tokens
Automatically updates a user's password cache
Administrators can view and update all proprietary systems through a single common interface
No administrative burden at the desktop
Logs you in to your desktop and your existing network operating systems automatically
(Diagram: The Metadirectory Token holds the Metadirectory Name and Password, the Private Key, and the Names and Passwords for NT, Netware, Notes and the HR System.)
Page 36
Single Logon and Your Metadirectory Token
With Zoomit's single logon solution, metadirectory-based policy management allows the security administrator to select the type of token employed by each user or group of users, and to determine whether soft tokens are stored on the desktop, in the directory, or both.
Security administrators can assess the risks associated with various roles and select the kind of token which is most appropriate. Because private keys and passwords are always stored in a token, it is easy for security personnel to evaluate the cryptographic methods being used to protect secret information.
Page 37
Single Logon with Metadirectory
(Diagram: Unified Security Administration over the Metadirectory, which connects to the Proprietary Connected Directories.)
Page 38
VIA Intranet Security Infrastructure
(Diagram: VIA Single Logon, VIA Public Key Infrastructure and VIA Kerberos Real-time Authentication together form the Full-Spectrum Solution.)
A full-spectrum solution creates a continuum between the existing authentication infrastructure and new Intranet Security Services