cryptovision: advanced security with digital certificates
Marco Smeja, marco.smeja@cryptovision.com
GWAVACon Munich
internet e-mail = postcard
[Diagram: GW clients, GW server, mail server and plain clients connected across the internet; a "!" marks each hop at which the unencrypted mail can be read]
e-mail without GroupWise = unsealed letter & postcard
Even without GroupWise, at least the admin is able to read e-mails!
[Diagram: clients and mail servers connected across the internet; a "!" marks each hop at which the mail can be read]
some basics: Alice, Eve, Bob model
[Diagram: Alice, Eve, Bob]
some basics: digital signature
[Diagram: Alice, Eve, Bob; private key, public key]
digital certificate
Owner: Marco Smeja
Public key: idhDFfiahidsFhfafShJidFGshgiHDdgVhio
Valid: 10.06.2002 – 09.06.2007
Ser. No.: 34 12 53 29 18 08 15
Issuer: CA 1
Key use: encr, sign, auth
CRL-URL: http://www.cryptovision.com/crl
Signature: dFGshIDhDusFhfafShHDdgVhioidhDFfiJi
some basics: public key infrastructure
Trust Center / CA and digital certificates
[Diagram: Trustcenter / CA issuing digital certificates within the PKI; private key of recipient, public key of sender; sender, recipient]
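The certificate fields on the slide above (owner, public key, validity, serial number, issuer, key use, CRL URL, signature) and the Alice/Eve/Bob checks, as an added Go example that is not code from the presentation or from cryptovision's products. It issues a root "CA 1" and a certificate for Alice with those fields, then runs the checks Bob's client has to make: chain to a trusted CA, validity period, and the message signature. The names Alice and Eve, the message text, the pinned date and Eve's rogue CA are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// "now" is pinned inside the slide's validity window so the run is reproducible (constructed).
var now = time.Date(2004, 6, 10, 12, 0, 0, 0, time.UTC)

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a certificate carrying the fields of the sample certificate: owner, public key,
// validity, serial number, issuer, key usage and CRL URL. parent == nil means self-signed (a root CA).
func issue(owner string, serial int64, notAfter time.Time, isCA bool,
	pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: owner},
		NotBefore:             now.AddDate(-2, 0, 0),
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		CRLDistributionPoints: []string{"http://www.cryptovision.com/crl"},
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		// "Key use: encr, sign, auth" on the slide
		tmpl.KeyUsage = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verify is what Bob's client must do before trusting a certificate: build a chain to a CA it
// trusts, check the validity period at the current time, and check the certificate may be used for e-mail.
func verify(cert, trusted *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	return err
}

// sign and check model the digital-signature slide: Alice signs with her private key,
// Bob checks with the public key taken from her certificate.
func sign(priv *rsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func check(cert *x509.Certificate, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, h[:], sig) == nil
}

type Report struct {
	AliceTrusted, ForgeryRejected, ExpiredRejected, SignatureOK, TamperDetected bool
}

func Demo() Report {
	caKey := newKey()
	ca := issue("CA 1", 1, now.AddDate(10, 0, 0), true, &caKey.PublicKey, nil, caKey)
	aliceKey := newKey()
	alice := issue("Alice", 34125329180815, now.AddDate(3, 0, 0), false, &aliceKey.PublicKey, ca, caKey)

	// Eve runs her own CA and issues a certificate in Alice's name; Bob only trusts CA 1.
	eveCAKey, eveKey := newKey(), newKey()
	eveCA := issue("Eve's CA", 1, now.AddDate(10, 0, 0), true, &eveCAKey.PublicKey, nil, eveCAKey)
	forged := issue("Alice", 2, now.AddDate(3, 0, 0), false, &eveKey.PublicKey, eveCA, eveCAKey)

	// A genuine CA 1 certificate whose validity period ended a month ago.
	expired := issue("Alice", 3, now.AddDate(0, -1, 0), false, &aliceKey.PublicKey, ca, caKey)

	msg := []byte("Transfer 100 EUR to Bob") // constructed message
	sig := sign(aliceKey, msg)

	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	r := Report{
		AliceTrusted:    verify(alice, ca) == nil,
		ForgeryRejected: errors.As(verify(forged, ca), &unknown),
		SignatureOK:     check(alice, msg, sig),
		TamperDetected:  !check(alice, []byte("Transfer 900 EUR to Eve"), sig),
	}
	r.ExpiredRejected = errors.As(verify(expired, ca), &invalid) && invalid.Reason == x509.Expired
	return r
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The forged certificate fails not because its signature is bad (Eve's CA signed it correctly) but because Eve's CA is not in Bob's trust store; that is the whole point of the Trust Center on the slide. Revocation via the CRL URL is the one check this example leaves out, since it needs the CA to publish a CRL.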
end-to-end e-mail encryption
How e-mail encryption works
[Diagram: clients on both sides, each behind its own mail server, connected over the internet]
gateway based encryption
Alternative for environments without high security requirements
[Diagram: clients and mail server on each side, an e-mail encryption gateway in front of each, connected over the internet]
Encryption is applied only between the two gateways; between client, mail server and gateway on each side the message travels in the clear.
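The end-to-end model on the "how e-mail encryption works" slide, and the trust boundary that the gateway alternative moves, as an added Go example that is not code from the presentation or from cryptovision's products. It models S/MIME enveloped data: the body is encrypted once under a random content key (AES-256-GCM here) and that key is wrapped with RSA-OAEP for every recipient. The recipient names, the message and the "server" key held by the admin are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope models S/MIME enveloped data: one ciphertext body, one wrapped content key per recipient.
type Envelope struct {
	Nonce       []byte
	Body        []byte            // AES-256-GCM ciphertext of the message
	WrappedKeys map[string][]byte // recipient name -> content key wrapped with that recipient's public key
}

func seal(plain []byte, recipients map[string]*rsa.PublicKey) (Envelope, error) {
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil {
		return Envelope{}, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	env := Envelope{Nonce: nonce, Body: gcm.Seal(nil, nonce, plain, nil), WrappedKeys: map[string][]byte{}}
	for name, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
		if err != nil {
			return Envelope{}, err
		}
		env.WrappedKeys[name] = w
	}
	return env, nil
}

// open succeeds only for a party whose private key matches one of the wrapped keys;
// a mail server that merely stores the envelope has nothing it can unwrap.
func open(env Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := env.WrappedKeys[name]
	if !ok {
		return nil, errors.New(name + " is not a recipient of this message")
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Body, nil) // fails on any modification of nonce or body
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

type Report struct {
	ServerSeesPlaintext, BobReads, AliceReadsSentCopy, ServerCannotOpen, TamperDetected bool
}

func Demo() (Report, error) {
	var r Report
	msg := []byte("Board minutes, confidential") // constructed message
	alice, bob, server := mustKey(), mustKey(), mustKey()

	// Alice's client seals for Bob and for Alice herself, so her Sent folder stays readable.
	env, err := seal(msg, map[string]*rsa.PublicKey{"alice": &alice.PublicKey, "bob": &bob.PublicKey})
	if err != nil {
		return r, err
	}
	r.ServerSeesPlaintext = bytes.Contains(env.Body, msg) // the mail server stores nothing but env

	got, err := open(env, "bob", bob)
	r.BobReads = err == nil && bytes.Equal(got, msg)
	got, err = open(env, "alice", alice)
	r.AliceReadsSentCopy = err == nil && bytes.Equal(got, msg)

	// The admin holds the server's private key, but no content key was wrapped for it.
	_, err = open(env, "bob", server)
	r.ServerCannotOpen = err != nil

	// Any change to the stored ciphertext is caught by the GCM authentication tag.
	env.Body[len(env.Body)-1] ^= 0x01
	_, err = open(env, "bob", bob)
	r.TamperDetected = err != nil
	return r, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("%+v %v\n", r, err)
}
```

The gateway variant differs only in where seal is called: at the gateway instead of in Alice's client. Everything before that point, in particular the internal mail server and its admin, then handles the plaintext, which is exactly the exposure the "postcard" slides describe.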
identity management without PKI
[Diagram: ERP System, CRM, IDM, Groupware, DIR]
PKI – outdated approach
[Diagram: PKI and IDM as two separate silos, each with its own connections to ERP System, CRM, Groupware and DIR]
PKI – modern approach
[Diagram: IDM with PKI, connected to ERP System, CRM, Groupware, DIR]
cv act PKIntegrated – architecture
[Diagram: CA / Signature Engine, IdentityManager, PKI Applications, PKIntegrated Administration; OCSP and SCEP; iManager; LDAP; Novell eDirectory; systems attached through IdentityManager: Lotus Notes, LDAP, SAP HR, PeopleSoft, Siemens DirX, Microsoft ADS]
motivation: secure e-mail with GroupWise
• Due to many ID card projects, digital signature activities and enterprise PKI projects, the S/MIME standard has overtaken PGP!
• The GroupWise client supports S/MIME using the MS Crypto API and therefore also smart cards!
• But how do you integrate PKI, digital certificates and smart cards into a Novell GroupWise system in the most effective way?
secure GroupWise e-mail in three steps
• GENERATE KEYS AND ISSUE CERTIFICATES: automated certificate processing and provisioning with IDM
• SECURE KEY DISTRIBUTION: utilize SecretStore for roaming tasks
• CLIENT CONFIGURATION: no user interaction, no admin interaction
generate keys and issue certificates with IDM
New employees automatically get access to systems and applications based on their roles. Certificates are issued automatically.
[Diagram: HR record triggers e-mail, computer, phone and certificate provisioning]
automated de-provisioning process
Employees leaving the company automatically lose access to the systems. Issued certificates are automatically revoked.
[Diagram: HR record triggers removal of e-mail, computer, phone and certificate]
generate keys and issue certificates – film (demo)
• Create a new user in SAP HR (simulated)
• The IDM process generates the eDirectory user object and the GroupWise account
• The S/MIME certificate provisioning process starts as soon as the e-mail address is available
• Certificates are written to a designated eDirectory user attribute
• Private keys are stored in the user's SecretStore
secure key distribution with cv act pki/roamer
cv act pki/roamer realises roaming keys and configures GroupWise for immediate use
[Diagram: Novell eDirectory holding one SecretStore per user with private key 1, 2 and 3; clients 1, 2 and 3 retrieve them]
secure e-mail with GroupWise
• S/MIME support
• X.509 certificate support
• MS Crypto-API integration
• Smart card via CSPs
client configuration with cv act pki/roamer
• X.509 certificate support
• uses MS Crypto-API
• smart card via CSPs
• initial configuration is done by cv act pki/roamer
cv act pki/roamer – provisioning demo
• User logs into any workstation
• cv act pki/roamer reads keys and certificates from the user's SecretStore and installs them into the MS-CAPI store
• Finally cv act pki/roamer configures the GroupWise S/MIME settings
• User can send secure e-mails
• Automatic key deletion at logout
compliance: a driver for you?
Sarbanes-Oxley Act (SOX)
• US law aiming to guarantee high-quality corporate financial reporting
• management is "responsible for establishing and maintaining internal controls"
• CIOs are responsible for the security, accuracy and reliability of systems processing financial data
PKI is a must for Sarbanes-Oxley compliance! (the presenter's position; the Act itself prescribes internal controls, not a particular technology)
[Photos: Senator Paul Sarbanes, Congressman Michael G. Oxley]
use case: IEEE 802.1X authentication
[Diagram: LAN client with smart card key store, access point (802.1x), RADIUS server, Novell eDirectory]
cv act workstation/cic provides auto-enrollment for workstations using ZENworks
[Diagram: CA engine, IdentityManager and Novell eDirectory; workstations 1, 2 and 3 each running cv act workstation/cic]
use case: virtual private network (VPN)
[Diagram: clients with smart card key store, internet, VPN concentrator (IPsec), servers]
use case: secure WWW with SSL
[Diagram: clients with smart card key store, internet, WWW portal (HTTPS), application server]
use case: NMAS authentication
[Diagram: PCs with Novell Client and smart card key store, server with Novell eDirectory]
use case: biometric user authentication
[Diagram: client with cv act sc/interface exposing PKCS#11, MS-CAPI and proprietary interfaces to the smart card]
Need more information?
www.cryptovision.com
http://www.novell.com/coolsolutions/appnote/17830.html
Marco Smeja, marco.smeja@cryptovision.com
Questions
PKIntegrated references
• Aarhus Amt (PKI)
• Clariden (PKI)
• Debeka (PKI)
• JNET (digital signatures)
• Star Alliance (PKI)
• Netkoncept (PKI)
• Organisator (PKI)
• Postbank (PKI)
• Raiffeisen Druckerei (PKI)
• Rewe (PKI)