1 / 47

GWAVACon Munich

cryptovision advanced security with digital certificates Marco Smeja marco.smeja@cryptovision.com. GWAVACon Munich. internet e-mail = postcard. GW client. client. !. internet. mail server. GW server. !. !. client. GW client. !. client. GW client.

dutch
Télécharger la présentation

GWAVACon Munich

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. cryptovision advanced security with digital certificatesMarco Smeja marco.smeja@cryptovision.com GWAVACon Munich

  2. internet e-mail = postcard GW client client ! internet mail server GW server ! ! client GW client ! client GW client

  3. e-mail without GroupWise = unsealed letter & postcard Even not using GroupWise, at least the Admin is able to read e-mails! client client ! ! internet mail server mail server ! ! ! client client ! ! client client

  4. some basics: alice, eve, bob model Bob Eve Alice

  5. some basics: digital signature Bob Eve Alice private key public key

  6. Owner : Marco Smeja Public key: idhDFfiahidsFhfafShJidFGshgiHDdgVhio valid: 10.06.2002 – 09.06.2007 Ser.No.: 34 12 53 29 18 08 15 issuer: CA 1 Keyuse: encr, sign, auth CRL-URL: http://www.cryptovision.com/crl signature: dFGshIDhDusFhfafShHDdgVhioidhDFfiJi digital certificate

  7. some basics: public key infrastructure Trust Center / CA and digital certificates Trustcenter / CA PKI digital certificate digital certificate private key of recipient public key of sender sender recipient

  8. end-to-end e-mail encryption How e-mail encryption works client client internet mail server mail server Internet client client client client

  9. some basics: digital signature Bob Eve Alice private key public key

  10. gateway based encryption Alternative for environments without high security requirements client client internet mail server mail server client e-mail encryption gateway e-mail encryption gateway client client client

  11. identity management without pki ERP System CRM IDM Groupware DIR

  12. pki – outdated approach ERP System CRM ERP System CRM PKI IDM DIR Groupware Groupware DIR

  13. pki – modern approach ERP System CRM IDM with PKI Groupware DIR

  14. cv act PKIntegrated - architecture CA / Signatur Engine IdentityManager PKI Applications PKIntegrated Administration OCSP, SCEP iManager LDAP NovelleDirectory IdentityManager Lotus Notes, LDAP SAP HR, Peoplesoft Siemens DirX, Microsoft ADS

  15. cv act PKIntegrated – administration with iManager

  16. cv act PKIntegrated & IDM3

  17. motivation: secure e-mail with GroupWise • Due to many ID card projects, digital Signature activities and enterprise PKI projects, the S/MIME standard has overtaken PGP ! • GroupWise Client supports S/MIME using MS Crypto API and therefore even Smartcards ! • But how to integrate PKI, Digital Certificates and Smartcards into a Novell GroupWise system in a mostly effective way ?

  18. secure GroupWise e-mail in three steps • GENERATE KEYS AND ISSUE CERTIFICATES • Automated Certificate Processing and Provisioning with IDM • SECURE KEY DISTRIBUTION • Utilize SecretStore for Roaming Tasks • CLIENT CONFIGURATION • No User Interaction • No Admin Interaction

  19. New employees automatically get access to systems and applications, based on their roles. Certificates are issued automatically. generate keys and issue cretificates with IDM HR E-mail Computer Phone Certificate

  20. automated de-provisioning process HR E-mail Computer Employees leaving the company automatically lose access to the systems. Issued certificates are automatically revoked. Phone Certificate

  21. generate keys and issue certificates - film • Create new User in SAP HR (sim.) • IDM Process generates eDirectory User-Object and GroupWise Account • S/MIME Certificate Provisioning Process starts as soon as eMail-Adress is available • Certificates will be written in designated eDirectory User Attribute • Private Keys are stored in Users SecretStore

  22. generate keys and issue certificates - film

  23. SecretStore SecretStore SecretStore private key 2 private key 1 private key 3 secure key distribution with cv act pki/roamer cv act pki/roamer realises roaming keys and configures GroupWise for instant using client 1 Novell eDirectory client 2 client 3

  24. secure e-mail with GroupWise • S/MIME support • X.509 certificate support • MS Crypto-API integration • Smart Card via CSPs

  25. client configuration with act pki/roamer • x.509 certificate support • uses MS Crypto-API • Smart Card via CSPs • initial configuration is done by cv act pki/roamer

  26. cv act pki/roamer – provisioning demo • User logs into any Workstation • cv act pki/roamer reads Keys and Certificates from User SecretStore and installs into MS-CAPI Store • Finally cv act pki/roamer configures GroupWise S/MIME Settings • User can send secure e-mails • Automatic Key deletion at logout

  27. cv act pki/roamer – provisioning demo

  28. compliance a driver for you? Sarbanes-Oxley Act (SOX) • US law aiming to grant high-quality corporate financial reporting • management is “responsible for establishing and maintaining internal controls“ • CIOs are responsible for security, accuracy and reliability of systems processing financial data PKI is a must for Sarbanes-Oxley compliance! Paul SarbanesSenator Michael G. OxleyCongressman

  29. use case: IEEE 802.1X authentication Novell eDirectory LAN client access point 802.1x Smart Card key store RADIUS

  30. workstation/cic workstation/cic workstation/cic cv act workstation/cic CA engine IdentityManager workstation 1 Novell eDirectory workstation 2 workstation 3 cv act workstation/cic provides auto-enrollment for workstations using ZENworks

  31. use case: virtual privat network (VPN) Server Client Key Store Internet VPN concentrator IPsec Smart Card Server Client Client Client

  32. use case: secure www with ssl Client Key Store Internet WWW-Portal Application Server HTTPS Smart Card Client Client

  33. use case: NMAS authentication PC Novell Client Key Store Server Novell Client Novell eDirectory Smart Card PC Novell Client PC

  34. use case: biometric user authentication Client cv act sc/interface PKCS#11 MS-CAPI proprietary Smart Card

  35. need more informations? www.cryptovision.com http://www.novell.com/coolsolutions/appnote/17830.html Marco Smeja marco.smeja@cryptovision.com

  36. Questions Questions Questions Questions

  37. PKINTEGRATED REFERENCES Aarhus Amt PKI

  38. PKINTEGRATED REFERENCES Clariden PKI

  39. PKINTEGRATED REFERENCES Debeka PKI

  40. PKINTEGRATED REFERENCES JNET digital signatures

  41. PKINTEGRATED REFERENCES Star Alliance PKI

  42. PKINTEGRATED REFERENCES Netkoncept PKI

  43. PKINTEGRATED REFERENCES Organisator PKI

  44. PKINTEGRATED REFERENCES Postbank PKI

  45. PKINTEGRATED REFERENCES Raiffeisen Druckerei PKI

  46. PKINTEGRATED REFERENCES Rewe PKI

More Related