global e-security baltimore presents - acsac 2017 global e-security 3 abn amro bank n one of the...

Baltimore Presents: ABN AMRO Bank’s Corporate Cryptographic Infrastructure


Post on 18-Apr-2020


TRANSCRIPT

Page 1: Baltimore Presents: ABN AMRO Bank’s Corporate Cryptographic Infrastructure

global e-security

www.baltimore.com

Page 2: Baltimore Technologies

• 20 years experience in cryptography and PKI
• 20 years experience in design and deployment of e-security solutions
• World class PKI technology
• Breadth of product offering
    • Certificate Authority
    • Toolkits
• Commitment to open standards

Market-leading innovation, features and flexibility

Page 3: ABN Amro Bank

• One of the leading universal network banks
• Headquartered in the Netherlands
• Locations in 76 different countries and territories
• More than 3,500 offices
• Total assets exceed 464 billion Euro
• Ranked the world’s sixth largest bank (based on total assets)
• Over 105,000 full time employees

Page 4: ABN Amro IT Infrastructure

• Global and distributed infrastructure
• Great variety in platforms
• Multi-vendor environment
• Complex systems
• Growing integration
• External connections
• Use of public networks
• High value payment transactions

Page 5: What Is The CCI Project?

• Corporate Cryptographic Infrastructure
• Security system based on secret and public key cryptography that provides security to ABN AMRO banking activities around the world
• Objective of CCI is to deliver cryptographic services to any user of ABN AMRO application that needs it, on any platform, anywhere in the world in a common and consistent way
• Project delivers a full operational PKI combined with a standard set of cryptographic services
• Partnership with Baltimore and IBM (Solution Provider)

Page 6: Why Does ABN AMRO Need CCI?

• Need for secure storage and transport of data with bank’s infrastructure
• Need for secure communications with customers, partners, and other banks
• Cryptography can make security independent of the complexity of the bank’s IT infrastructure
• Cryptography is the only known practical method for delivering end to end security

Page 7: Banking Costs Per Transaction

[Bar chart: cost per transaction in US$ (axis from 0 to 1,2) by channel: Branch, Phone, PC Banking, Internet]

Page 8: Situation Before CCI

• Different security solutions for basically the same security requirements
• Security solutions integrated into the applications, which makes re-use of solutions a problem
• Variety of different tools is inefficient to manage
• Integration of partial solutions is difficult and parts of the infrastructure are not protected

Page 9: CCI – Security Services

• Peer Entity Authentication
• Data Integrity
• Origin Authentication
• Data Confidentiality
• Software Integrity
• Message Sequence Integrity
• Non-repudiation with proof of Origin
• Non-repudiation with proof of Delivery

Page 10: CCI – Requirements

• Secure implementation
• Standards based / Interoperability
• Multi-platform support
• Performance scalability
• Hardware independent
• Highly automated key management
• Proven technology
• Selectable level of security
• Ease of use
• High availability

Page 11: CCI – Architectural Overview

[Diagram. Labels: CCI Servers, CCI Client, AS/400, CCI Desktop, Unix, RAO, ABN AMRO Corporate Network, OS/390 Parallel Sysplex, CMOS, Certification Authorities, Registration Authorities, CCI NT Application Servers, Policy Manager, User Workstations, Directory Services]

Page 12: CCI – Components

• Smart Cards as personalized tokens for user authentication and for generation of digital signatures
• PC-software modules for workstations
• Cryptographic Adapters (IBM 4758, nCipher) for servers and critical workstations
• Security servers and CMOS technology (on-board crypto) on IBM mainframes

Page 13: CCI Security Architecture

[Diagram. Labels: Application, Security API, Security Services, Security Processors]

A Range of Options:

• Software only
• SmartCard
• SmartCard Reader
• PCMCIA
• PC Cryptoboard
• Host Security Module
• Smart Disk

Page 14: The Extended Network

[Diagram. Labels: CCI Servers, CCI Client, AS/400, CCI Desktop, Unix, RAO, ABN AMRO Corporate Network, OS/390 Parallel Sysplex, CMOS, Certification Authorities, Registration Authorities, CCI NT Application Servers, Policy Manager, User Workstations, Directory Services, Internet, Corporate Clients, Partners, Suppliers, Offices, Registration Authorities, Users, Firewall, Information Servers]

Page 15: Summary of Standards

• Cryptographic algorithms (DES, triple-DES, RSA, SHA-1, ANSI X9.9, etc)
• ISO 9796 format (SHA-1 and RSA) digital signatures
• ISO/IEC CD 11770-3 key management mechanisms using asymmetric techniques
• ISO/IEC 9798-3 entity authentication using a public key algorithm
• X.509 v3 Public Key Certificates with extensions
• CRL v2 Revocation Lists
• X.500 Directory Services
• PKIX standards (RA/CA & CA/CA)
• GSS-API, IDUP GSS-API, LDAP v2, PKCS, OCSP

Page 16: CCI PKI Architecture

[Diagram. Labels: End Entity, Face-to-face, RAO, CAO, RA, CA, HSM, D/B, Gateways, E-mail, Browser, VPN, Cross Certification, Directory Services, LDAP, DAP, End User Domain, PKI enabled applications]

Page 17: Who is IDENTRUS?

[Diagram. Labels: IDENTRUS, Sanwa Bank, CIBC]

(Situation early 1999)

Page 18: Strategy Of IDENTRUS

• Facilitate electronic commerce through the establishment of trusted certificate authorities owned and operated by leading global banks
• Bank certificate authorities to be independent but interoperable
• Standards-based, vendor neutral, global scope, legal framework

Page 19: IDENTRUS Four Corner Model

[Diagram. Labels: Buyer’s Bank, Seller’s Bank, Buyer, Seller, TRUST, TRUST, NO Trust]

Page 20: Trust enables E-Commerce

[Diagram. Labels: Buyer’s Bank Certificate Authority; Seller’s Bank Certificate Authority; Buyer; Seller; On-Line Certificate Validation / Warranty Request; Certificate Validation/Warranty Request and Reply; Internet; ABN AMRO; Identrus; Other Bank; IDENTRUS Root CA; Smart Cards with certificates; purchase order (Signed Data)]

Legal/Contract Framework: Define standard operating and liability rules for corporations

Page 21: Value Throughout The Transaction Life Cycle

[Diagram. Labels:
Buyer Purchasing Process: Select Supplier; Source Suppliers; Negotiate Sales Terms; Create & Send Purchase Order; Receive Goods & Invoice; Make Payment; Cash & Accounting
Selling Process: Credit Application; Source Customers; Negotiate Terms; Receive Payment; Cash & Accounting; Ship Goods & Send Invoice; Quotation; Credit Rating; Receive PO/Order Entry & Allocate Inventory
Other labels: Buyer; Seller; Bank; Bank; Seller ID (six times); Buyer ID (six times); Trading Party Identification Provided by Identrus Member Banks]

Page 22: CCI Public Key Infrastructure

• PKI will be based on UNICERT (Baltimore)
• PKI supports all ABN AMRO public key based solutions
• Key generation is responsibility of applications
• Secure transport of public key certificate requests via public networks using smart cards
• Generation of smart card keys during personalisation

Page 23: CCI Future Directions

• More focus on Internet/Intranet
• Automatic certificate renewal
• Bulk certificate issuing
• Encryption of stored data
• Key recovery
• Attribute certificates
• Time stamping
• Secure Single Sign-on
• New algorithms and Protocols
• More use of products on the market (instead of own developments)

Page 24: PKI At The Heart Of ABN AMRO Security

Page 25: ABN AMRO and Baltimore

Eric Koop, VP, IT Solutions Division - ABN AMRO Bank

We selected Baltimore because of their understanding of the security needs of the banking sector. We expect their PKI and their systems integration capability will give us exactly the solution we require.