CONTENT-BASED INFORMATION SECURITY (CBIS)
PUBLIC KEY ENABLING (PKE)

Agenda
• The Threat
• The Answer
• What is PKI
• What is PKE
• PKE Services
• Who Needs PKE Services
• What can be PK Enabled
• When do you PK Enable an Application
• Why Implement PKE
• Where can I find more PKE Information
• How do you PK Enable an Application
• Cost of PK Enabling an Application
• ROI for PK Enabling
• Conclusion

The Threat

Analysis By Incident: 2001 Economic Impact of Malicious Code Attacks

Year  Code Name    Worldwide Economic Impact ($ U.S.)  Cyber Attack Index
2001  Nimda        $635 Million                        0.73
2001  Code Red(s)  $2.62 Billion                       2.99
2001  SirCam       $1.15 Billion                       1.31
2000  Love Bug     $8.75 Billion                       10.00
1999  Melissa      $1.10 Billion                       1.26
1999  Explorer     $1.02 Billion                       1.17

Source: Computer Security Institute/FBI Computer Intrusion Squad, Washington; survey of 538 IT security professionals.
Michael Erbschloe, vice president of research at Computer Economics and author of Information Warfare: How to Survive Cyber Attacks.

The Spread of the Code-Red Worm (CRv2): 359,000 servers in less than 14 hours.
An analysis by David Moore (dmoore@caida.org) on the spread of the Code-Red (CRv2) Worm.

The Answer
Public Key Infrastructure (PKI)
Capabilities:
• Non-Repudiation
• Authentication
• Integrity
• Confidentiality
• Encryption
• Digital Signature
• Audit trail
• Security in Depth
• Key Escrow
• Validation
• High & Medium Assurance
• Code Signing
Public Key Enabling (PKE)
Source: CSI/FBI Computer Crime and Security Survey, 1998-2001

What is PKI?
• PKI is the framework and services that provide the following:
  • Digital Key Generation
  • Digital Key Distribution
  • Digital Key Revocation
  • Digital Key Archiving
  • Digital Key Tracking
  • Digital Key Destruction
  • Digital Key Certificate Policy
Public Key Infrastructure Roadmap for the Department of Defense, 29 October 1999, Version 3.0
[Figure labels: Facilities, Procedures, Policy, People, Certificate Management]
Looks Good But! Car without Wheels; Plane without an Engine; House without Furniture

What is PKE?
• Public Key Infrastructure (PKI) alone is not sufficient to meet DoD mission requirements
• A Public Key Enabled application, server or network is one that can accept and process a DoD X.509 certificate to support one or more specific functions:
  • Digital Signature
  • Data Encryption
  • User Authentication
  • Data Integrity
  • Non-Repudiation
[Figure labels: Fit, Form, Functionality]

PKE Services
• Authentication: Ascertaining that an entity is who or what he/she/it claims to be
• Access control: Authorization, determining what resources an authenticated identity can access and what actions he/she/it can perform
• Data confidentiality: Preventing data interception by using encryption
• Data integrity: Ensuring that the information has not been changed or tampered with in any way
• Non-repudiation: Ensuring that authenticated identities cannot deny performing actions that he/she/it performed
[Figure: Alice's message to Bob ("Dear Bob, Please use PKI next time. Love, Alice") shown in clear text and in encrypted form.]

Who Needs PKE Services?
• Application Developers and Analysts
• Web Masters
• Systems Administrators
• Security Managers
• Commanders
• Senior Staff
• Crisis Action Teams
• Network Managers
• Systems Integrators
• Application Program Managers
• End users of
  • Command and Control applications
  • Sensitive applications
  • Financial or high dollar applications
  • Sensitive or privacy information

What can be PK Enabled?

Requirement                                    What do You Need
Encrypt web traffic over the Internet          128-Bit web browser
Sign and encrypt electronic mail               S/MIME compatible email client
Authenticate users for access management       PKE client tool (such as web browser)
Digitally sign documents for non-repudiation   PKE signature client tool
Manage network access                          PKE network
Virtual Private Network (VPN)                  PKE firewall or VPN tool

When do you PK Enable an Application?
• All DoD unclassified networks that authenticate users
• Unclassified DoD networks hosting Mission Category I systems
• All unclassified private DoD Web Servers
• E-mail in all operating environments
• Web applications in unclassified environments
• Legacy, Mission Category I applications that use or require the use of public key cryptography shall be PK enabled to interoperate with the DoD PKI.
• Sensitive unclassified systems handling high value (both dollar and mission value)
• Applications processing classified information in a high-risk environment (over an unprotected network)

Why Implement PKE?
• Promotes the electronic delivery of services
• Risk Management
• New Technology
• 43 countries have Digital Certificate laws
• Online banking
  • Authentication
  • Access control
  • Data confidentiality
  • Data integrity
  • Non-repudiation
  • Digital Encryption
  • Digital Signature
• Verify identity of customer
• Online payment of bills
• DoD Mandate
• Ease of use
• Espionage
• Sign online transactions
• E-Signing law
• Increase Security
• NATO & Coalition Partners
• Federal and State Interoperability
• Cost Reduction
• Risk Avoidance
• Secure infrastructure
• Legally binding mechanism
• Privacy

Where can I find more PKE Information?
https://afpki.lackland.af.mil/
https://www.noc.usmc.mil/secure/PKI/default.htm
U.S. Department of Health and Human Services
https://warlord.spawar.navy.mil/PKI/
http://aspe.os.dhhs.gov/admnsimp/
Defense Information Systems Agency
http://www.c3i.osd.mil/org/sio/ia/pki/index.html
http://iase.disa.mil/
http://web.mit.edu/network/ietf/sa/
http://eca.orc.com/
http://jitc.fhu.disa.mil/pki/index.html
http://www.defenselink.mil/acq/ebusiness/projects/proj_pki.htm
http://www.verisign.com/
https://itac.lackland.af.mil/product.asp?prod=58
http://csrc.nist.gov/encryption/kms/
http://www.digsigtrust.com/

How do you PK Enable an Application?
[Figure labels: PKI-Aware Applications; Legacy Applications; New PKI-Enabled Applications; Plug-Ins; Shims; Native APIs (OS- or Product-Specific)]

PK Enabling Implementations
• Single sign on
• Wireless applications
• Virtual private networks
• Web authentication
• Content management
• Intrusion detection
• Network management
• Secure e-mail (S/MIME)
• Database Access Control

There are many approaches to PKI enabling an application; which one is best?
• Direct modification of application
• Middleware
• Web-based front end
• Proxy type application
• Encapsulation
• VPN
• IPSec
• Best practices
  • Requirements Analysis
  • Mission Linkage
  • Cost Analysis
  • Risk Analysis
  • Pilot Testing
  • Program Evaluation
  • Implementation
  • Re-Evaluation

Cost of PK Enabling an Application?
The first step in Public Key Enabling an application is to perform a requirements assessment. Generally, this involves understanding exactly what functions the application is required to accomplish.
• The principal factors that must be considered when cost estimating the PK Enabling of an application are as follows:
  • The present architecture of the system
  • Method of PK Enabling
  • Hardware
  • Software
  • Training
  • Manpower
  • Travel
  • Testing
[Figure: Balancing act over time. Labels: Compliance, Risk, Costs, Process Improvement, Return on Investment (ROI), Total Cost of Investment (TCO)]

ROI for PK Enabling?

Option-Based Pricing
• Treats the outcome of investing in one stage/phase of a project as a prerequisite for the next
• Valuation is more complex
• Useful for justifying pilot projects

ROI Factors
• Compliance with Policy
• Risk Reduction
• Process improvements
• Overall Cost reduction
• Fewer errors, less downtime or lost productivity

Pay-Back Analysis
• Looks at the time required to recoup investment (also called breakeven time)
• Helps to quantify risk exposure
• Undercounts upside project benefits
• 6-9 month payback is a good rule of thumb

Purchase Justification: Calculations
• TCO = Total Costs of Ownership
• $\mathrm{NPV} = \mathrm{PV}(\text{Benefits}) - \mathrm{PV}(\text{Costs})$
• Payback Time = $T$ where $\sum (\text{Benefits})_t = \sum (\text{Costs})_t$
• $\mathrm{ROI} = \dfrac{\text{Benefits} - \text{Costs}}{\text{Costs}}$
• $\mathrm{ROO} = \dfrac{\text{Benefits to Business Growth} - \text{Costs}}{\text{Costs}}$

Different Methodologies, Different Factors, Different Cost Basis

Conclusion
Benefits of PKI/PKE
• Stronger authentication than userid/password
• Easier management and administration of devices
• Investment in secure infrastructure can be leveraged for additional applications
• Reduced risk of data loss / theft
• Privacy and integrity of data
• Authentication of user
• User accountability to data
• Centralized control of trust policies and parameters
• Provable chain of evidence as to the authenticity of documents
• Authorization to access documents based on user authentication

Call us: (210) 925-2562, DSN Prefix 945
Fax us: (210) 925-2641/2644, DSN Prefix 945
Visit us on the Web: https://afpki.lackland.af.mil/
Visit us: 4241 E. Piedras Dr., Suite 210, San Antonio, TX
Write us: 4241 E. Piedras Dr., Suite 210, San Antonio, TX