1 / 42

Towards Trusted Web Services: Trust management framework using Public Key Infrastructure Technology

Towards Trusted Web Services: Trust management framework using Public Key Infrastructure Technology. London – November 2006. WISeKey. CertifyID BlackBox. Identity (r)Evolution. The Company. Company Details Founded in 1999 Headquarters in Geneva, Switzerland Competence & Activites

mercia
Télécharger la présentation

Towards Trusted Web Services: Trust management framework using Public Key Infrastructure Technology

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Towards Trusted Web Services:Trust management framework using Public Key Infrastructure Technology London – November 2006

  2. WISeKey • CertifyID BlackBox • Identity (r)Evolution

  3. The Company • Company Details • Founded in 1999 • Headquarters in Geneva, Switzerland • Competence & Activites • Global and Neutral Trust Model • Based on principles of neutrality and strategic global relationships • InfoSec Projects • Global PKI Deployments • World’s First Internet e-Voting Project • Digital Video Broadcasting MHP Security Framework • Secure Video Processing Alliance • High Security Data Centres • Trust Centre Solution • Windows Certificate Services and technology stack

  4. Getting There… e-Voting first ever binding Internet Vote Developing Countries Deploying infrastructures with the ITU Digital TV Securing the Digital Video Broadcasting Infrastructure & Secure Video Processor Alliance Object eIDs Securing object (luxury goods, construction materials) Intelligent cities Securing DestiNY USA, and Incheon, South Korea National ID SystemsID cards, drivers permits, health cards, passports...

  5. WISeKey • CertifyID BlackBox • Identity (r)Evolution

  6. Problem Statement • The Internet was built without a way to know who and what you are connecting to • Everyone offering an internet service has had to come up with a workaround • Patchwork of identity one-offs • Not fair blaming the user – no framework, no control • We are “Missing the identity layer” • Digital identity currently exists in a world without synergy because of identity silos

  7. identity 0.0

  8. Identity 0.0

  9. Identity 0.0 • Resides on a Trusted Third Party • E.g. Confédération suisse • Asymetric relationship • No direct link with the issuer upon its utilisation • Usable on a massive scale • Optimal in terms of respect of the sphere of privacy • Controlable by its holder

  10. identity 0.0 1.0 /

  11. Service Driven Model

  12. Identity 1.0 • Specific to each use case • One use – One identity • Controlled by a Third Party • Absence of sphere of privacy • Reutilisation impossible / complex • Limited confidence / trust

  13. Identity Crisis

  14. Multiplication eID Cost Complexity Confusion

  15. Identity Theft • Phishing • Pharming 50 millions identities estimated stolen during the first quarter 2005

  16. identity 1.0 2.0 /

  17. User Centric Model

  18. Example of a Digital ID Jordi Aymerich X.509 travelux 4159 6234 622 Member Level: Platinum Member Since: 1997Code: 625 Valid Through: 7/2006

  19. Example of a Digital Identity

  20. “Identity Management is not only about specifications and technologies… Its also addressing national issues”

  21. DataAccuracy DelegatedAdmin SelfService AutomateProcesses Reduce risks Improve Service and productivity Federation Centralize Singlesign-on Helpdesk ServiceProvisioning Pre-auditchecks ProtectSystems SOX Achieve“Compliance” Improve Security Roles BASEL II StrongAuthn HIPPA SecureAccess PCI-DSS ….. ProtectData

  22. EU Data Protection Directive European Union data protection directive Source : Kerry Shackelford -www.KLSConsultingLLC.com

  23. Sarbanes Oxley Section 404 of the Sarbanes-Oxley directive obliges companies to formalise all of the processes that could impact their finances

  24. Drivers – proof points Data Sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department. of Justice

  25. Suppliers Clients Distant Employees Partners Enterprise Networks Entreprises et employees

  26. Web Services = +vulnerable zones • Identity management and authentication • How to establish trusted authorities for handling identities? • What form of identities to use? • UID/password or strong authentication? • Digital certificates? • How to validate identities? • How to federate across trusted authorities? • Access Control • What services and methods can be consumed by requesting application? • Shall dynamic data determine access rights? • Groups based, roles based, resource based, combination thereof?

  27. +vulnerable zones = +security needs • Data Privacy • What regulatory requirements apply, do I even know? • How is data privacy to be enforced? • What level of data encryption is necessary – internal storage at rest, over the internal network, over external networks, transfer to partner network? • Network Security • Internal network must be protected, how? • Firewall policy implementation, enforcement points? • Examine packet content, data content?

  28. Addressed by specifications • SAML • WS-* • XML- XML Encryption / Digital Signature • SOAP • SSL, TLS • PKIX • Liberty Alliance • etc • Most conservative companies are hesitant to deploy widespread web services • But for those that do deploy, the use of common standards such as the following are essential: • SSL, TLS • XML (Encryption, Digital Signature) • SOAP • WSDL • SAML

  29. “It is not only about specifications and technologies… Its also about addressing business and trust problems”

  30. WISeKey • PKI Deployment • Identity (r)Evolution

  31. Core PKI Services a public key infrastructure (PKI) is an arrangement that provides for trusted third party vouching for user identities Authentication assurance to one entity that another entity is who he, she, or it claims to be Integrity assurance to an entity that data has not been altered between “there” and “here” or between “then” and “now” Confidentiality assurance to an entity that no one can read a particular piece of data except the intended receiver

  32. One of the Best Foundations

  33. Email Encryption And signature Access Control User management Mobile Data Encryption Digital Signature Data Encryption Digital Identity Intranet/Extranet Access Management Certificate usage

  34. … but not the only answer • Certificates are commonly accepted and used as official issued virtual IDs • CardSpace and other systems extends this so that other identity providers can provide identity claims with Privacy • RP can be hidden from IP • User controls release of information • Examples – Health, Travel etc.

  35. Distributed trust CertifyID Blackbox™ is an innovative way to reduce the cost of deployingand managing a CA in a trusted environment “Traditional” classical model WISeKey model • Takes advantage of existing corporate “identity management” infrastructure • Certificate lifecycle easier to manage • Easy integration with corporate systems Root WISeKey / OISTE CA • High cost and complexity in managing certificates • Little integration between professional CA and corporate database “Professional” / Outsourced CA Corporate [MS Server-based] CA Certificate holder/ Business user Certificate holder/ Business user

  36. The CertifyID Trust Model Swiss Federal Government: Supervisory Authority Independent Auditor: Annual audit Policy Approval Authority Governance Operator: National Sovereignty Country D Country A Country B Country C

  37. Guardian XM database redundancy and high availability services for Certification Authorities (CAs) on the Microsoft platform Web Services API Enterprise applications integration Trust Service CRL Manager provides issued identities with global recognition & trust publish and monitor the Certificate Revocation List (CRL). Blackbox™ offering The CertifyID Blackbox™ offers a complete and affordable out-of-the-box solution for establishing a Trusted Identity Infrastructure dedicated to your organization.

  38. Blackbox™ benefits • Low cost – solution is cheaper than traditional PKI solution • Ease of use – • based on Microsoft’s Certification Services • wizard-based installation – no PKI know-how necessary • simplified certificate management – transparent to users • data resiliency • Integration – • tight integration with company’s Active Directory • easy integration with corporate applications through web services API • Totally standards based – PKIX, X.509, CRL, OCSP • Extended Trust Model – • internally managed issuance of e-IDs (confidentiality) • inclusion in community of trust for inter-company recognition of e-IDs

  39. WISeKey Trust Model • Use existing Trust Parties - digitizing their current processes – Analog to Digital Trust • Technically achieved through the sharing of a root certificate by high authenticate Certification Authorities • Flexible and scalable development of distributed trust communities • Neutral root certificate ownership, administered by a neutral forum providing global recognition and inter-operability • Achieve high security via technical controls, security hardware modules, auditing mechanisms • Affordable, Low cost, ease of use, portability

  40. Conclusions • eID is happening • Continues to drive more secure architectures on the Internet. • Many countries are playing a leader role • Scenarios include • Many eGovernment applications • National eID card & Social security & Health & Tax etc. • Many Corporate to Corporate applications • Essential for Protecting Web Services • Increasing use in Identity management and Privacy Protection • Technology for driving affordable government and business Trusted eID management and web services is available today! • OISTE Trust Model + WISeKey CertifyID Products

  41. Questions WISeKey S.A WISeKey S.A - World Trade Center II - 29, route de Pré-Bois CP 885 1215 Geneva, Switzerland Tel: +41 22 594 30 00 - Fax: +41 22 594 30 01 e-mail: info@wisekey.com - www.wisekey.com

More Related