BT TrustWise OnSite 4.5

Most people concerned with security will have heard of VeriSign, the public CA that provides digital authentication services and products for electronic commerce. Founded in 1995 as a spin-off of RSA Data Security, VeriSign offers a range of personal and server-based digital IDs, which allow organisations to implement and make use of Secure Sockets Layer (SSL) technology and other security features on the server (both in-house and external). For those organisations wishing to implement a full-blown PKI, however, VeriSign also offers a hybrid outsourced service that combines elements of on-site management with a secure outsourced PKI backbone. This service is sold by VeriSign directly as well as through partners, and the offering tested here, from British Telecom, is known as BT TrustWise OnSite.

OnSite, a fully integrated PKI platform, enables enterprises to secure their complete range of intranet, extranet, virtual private network (VPN) and e-commerce applications. More recent releases of OnSite have improved significantly on earlier versions with the inclusion of several important PKI features such as key management and recovery, automated certificate administration, enterprise integration tools and broader third-party application support.

One of the big advantages of OnSite for many organisations is that it attempts to address the seemingly irreconcilable problem of deploying a fully-managed in-house PKI without having to invest in the back-end infrastructure required to support it. With OnSite, the enterprise controls the CA and can administer and audit the operation continuously. However, day-to-day back-end secure data processing functions - such as certificate signing, cryptographic hardware and records retention - are delegated to BT and operated out of a BT secure data centre.
This is achieved through the WorldTrust distributed PKI architecture, components of which are operated by both BT and the enterprise.

A PKI implementation needs to be highly secure. Requirements generally exceed those for typical secure transaction processing systems, since issuance of just one bad certificate, or penetration of a CA's security, can result in an unlimited number of bad transactions or the issuance of an unlimited number of bad certificates. In addition to high security, a PKI used for mission-critical purposes also requires 7x24 availability, redundant systems and full disaster recovery backup. With OnSite, the PKI automatically gains the advantage of hardware-based cryptography, screened and trained personnel, a military-grade secure facility and a rigidly audited system of procedural controls. It also benefits from a fully redundant infrastructure, with 7x24 service levels guaranteed for all critical components. There are redundant systems for servers, database, Internet service providers, telecommunications and power. Disaster recovery operates 7x24 using a geographically separated site.
The WorldTrust architecture comprises the following module families:

Subscriber Manager: Support for end-user registration and other end-user services such as certificate renewal, typically through web servers located on enterprise premises or at a BT centre. The "look and feel" of the various screens is tailored to the enterprise.

RA Control Centre: Management of the lifecycle process for enrolling, approving, revoking and renewing certificates is performed easily through the OnSite Control Centre, giving the customer full control of the registration and authentication process at the enterprise front end. It is also possible to distribute registration authority (RA) functions such as certificate approval, revocation, audit and day-to-day management to an unlimited number of administrators (each with different privileges), providing for complete separation of administrative roles. The system provides customers with audit trails and reporting capabilities along with auditable security practices, all features which support non-repudiation of certificate-based transactions. These functions can be software-interfaced to local management systems, such as an employee or customer database, to allow them to be fully automated.

CA Control Centre: OnSite provides web-based configuration wizards, administration and support tools, report generators and application integration modules to give an enterprise full control over its CA and to provide the link to BT's processing centres. The CA Control Centre allows establishment of local CA policy, such as certificate content rules and administration authorisations, and these functions are typically located at the enterprise.

Certificate Processing: This module provides certificate issuance (based on RA approval), certificate life-cycle compliance and protocol support, cryptographic key management, secure records retention, database mirroring for disaster recovery purposes, and other core functions. These functions are built around a high-performance transaction engine located at a secure facility operated by BT, VeriSign or one of VeriSign's worldwide affiliates. Cryptographic functions and root keys are embedded in government-certified hardware cryptographic modules, with enabling keying materials split between multiple independent responsible persons.

Certificate Manager: The component of OnSite where the customer chooses the different types of certificates to be issued, for example SSL, S/MIME, IPSec or Trust Gateway certificates.

Key Management: Software components and a supporting service to provide secure generation, backup and recovery of user key pairs. Dual key pairs are supported for signing and encryption, and multiple active certificates are allowed per user. Private keys are stored on the enterprise premises in a non-vulnerable, enveloped form, allowing for protection of the keys without the need for a bullet-proof secure facility at the customer site. This is done primarily to remove the requirement for BT to store these keys on its own site, and thus limit its liability as much as possible. It therefore results in a more convoluted private key recovery mechanism than is strictly necessary, since it requires retrieval from BT of a unique key which can then unlock the envelope on the client site.

Key Manager software runs at the customer site, generating the encryption key pair, creating a backup of the private key, requesting the corresponding certificate, and delivering the key and certificate to the end user. Each private encryption key is also triple-DES encrypted under a unique session key, which is then itself encrypted using BT's public key to create a Key Recovery Block (KRB). Key recovery procedures ensure that only authorised customer key recovery administrators can recover stored private keys. BT TrustWise never sees the private key, but merely unlocks the KRB after validating the administrator's identity, thus allowing the administrator access to the session key, which can then be used to recover the original private encryption key. This approach provides a high level of security: even if the customer's database of private keys is stolen or copied, no private keys are endangered, since unauthorised personnel cannot obtain the triple-DES keys unless they are unlocked by BT TrustWise, and without those keys the private keys cannot be accessed. All recovery actions are logged at BT TrustWise, so even if customer administrators are compromised, no private keys can be recovered without leaving a clear audit trail. Both single and dual control models of key recovery are supported if required.

When it comes to certificate revocation, daily CRLs are supported by standard BT OnSite policy choices, and hourly CRL issuance is available as an option. BT also supplies a revocation plug-in for Microsoft's IIS and Netscape's Enterprise Server that checks the revocation status of a presented client certificate, automatically fetching CRLs as needed. This gives a fully-automated revocation environment for web servers which will operate with standard web browsers.

Enterprise Integration Software Modules: These are software modules that provide interfaces to enterprise databases to support automated certificate issuance and other administration functions, automated posting of certificates to an enterprise directory or database, and access to certificate revocation information by enterprise web servers. To begin with, an organisation may choose to use just the manual administration system for their PKI via admin web pages hosted by BT. As the PKI develops, however, it is possible to provide a more automated system via links to corporate applications. This can result in, say, a certificate being issued to a new employee as soon as the record has been created in the HR database.
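The Key Recovery Block mechanism described above, modelled as an added example in Go (this is illustrative code written for this review, not BT's or VeriSign's Key Manager). BT's key pair, the subscriber key bytes, the administrator name and the authentication decision are all constructed stand-ins, and RSA-OAEP with SHA-256 is used for the session-key wrap because the page does not say which RSA padding OnSite uses.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// KeyRecoveryBlock is what Key Manager keeps in the customer's key database: the subscriber's private
// key under a triple-DES session key, plus that session key wrapped to BT's public key.
type KeyRecoveryBlock struct {
	IV            []byte // triple-DES CTR nonce
	EncPrivateKey []byte // subscriber private key under the session key
	WrappedSK     []byte // session key, RSA-OAEP to BT's public key
}

// BTRecoveryService stands in for the BT TrustWise side and logs every recovery action.
type BTRecoveryService struct {
	priv *rsa.PrivateKey
	Log  []string
}

// tripleDESCTR applies triple-DES in CTR mode; encrypt and decrypt are the same operation.
func tripleDESCTR(key, iv, data []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key) // key must be 24 bytes
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// BuildKRB runs at the customer site (Key Manager): fresh session key, encrypt the private key, wrap the session key to BT, discard it.
func BuildKRB(btPub *rsa.PublicKey, subscriberPriv []byte) (*KeyRecoveryBlock, error) {
	buf := make([]byte, 24+des.BlockSize)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sk, iv := buf[:24], buf[24:]
	enc, err := tripleDESCTR(sk, iv, subscriberPriv)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, btPub, sk, nil)
	if err != nil {
		return nil, err
	}
	return &KeyRecoveryBlock{IV: iv, EncPrivateKey: enc, WrappedSK: wrapped}, nil
}

// Unlock is the BT-side step; only the wrapped session key reaches BT. authenticated stands in for BT validating the administrator.
func (bt *BTRecoveryService) Unlock(wrappedSK []byte, admin string, authenticated bool) ([]byte, error) {
	if !authenticated {
		bt.Log = append(bt.Log, "DENIED unlock request from "+admin)
		return nil, errors.New("key recovery administrator not authenticated")
	}
	sk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bt.priv, wrappedSK, nil)
	if err != nil {
		return nil, err
	}
	bt.Log = append(bt.Log, "UNLOCKED session key for "+admin)
	return sk, nil
}

// RecoverPrivateKey runs back at the customer site with the session key BT released.
func RecoverPrivateKey(krb *KeyRecoveryBlock, sk []byte) ([]byte, error) {
	return tripleDESCTR(sk, krb.IV, krb.EncPrivateKey)
}

// RecoveryRoundTrip wires both parties together (BT's key pair and the subscriber key bytes are constructed stand-ins).
// It returns true only if a copy of the KRB reveals nothing, an unauthenticated request is refused, and recovery works.
func RecoveryRoundTrip() (bool, []string, error) {
	btPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, nil, err
	}
	bt := &BTRecoveryService{priv: btPriv}
	subscriberPriv := []byte("CONSTRUCTED-SUBSCRIBER-PRIVATE-KEY-BYTES")
	krb, err := BuildKRB(&btPriv.PublicKey, subscriberPriv)
	if err != nil {
		return false, nil, err
	}
	if _, err := bt.Unlock(krb.WrappedSK, "intruder", false); err == nil {
		return false, bt.Log, errors.New("unauthenticated unlock must fail")
	}
	sk, err := bt.Unlock(krb.WrappedSK, "kra-alice", true)
	if err != nil {
		return false, bt.Log, err
	}
	recovered, err := RecoverPrivateKey(krb, sk)
	if err != nil {
		return false, bt.Log, err
	}
	return !bytes.Contains(krb.EncPrivateKey, subscriberPriv) && bytes.Equal(recovered, subscriberPriv), bt.Log, nil
}
```

Note that the customer database alone (IV, EncPrivateKey, WrappedSK) is useless without BT's private key, while BT only ever handles the wrapped session key, which matches the liability split the review describes.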
When the employee leaves the company and his HR record is marked as terminated, the digital certificate would be revoked automatically.

Application Integration Toolkits: For use by commercial application vendors or enterprise customers for enabling PKI-ready applications.

The outsourced model is without a doubt one of the biggest attractions of OnSite, since there is no requirement for any software or hardware installation on the customer's site. This still does not make it the quickest system to get up and running, however, since there is a rather involved procedure to go through in terms of registration, company verification, contract completion and so on before BT will allow you finally to get your hands on your own PKI. Enrolment is performed via a Web page on the BT site, where the administrator enters details about himself and his organisation. OnSite Administrators manage the service using a standard browser, authenticating, approving and rejecting certificate requests, and issuing and revoking certificates. Many organisations choose a Human Resources representative, an IS manager, or a security/badging officer to be their OnSite Administrator. OnSite uses the Company/Department/Agency and the optional Division/Organisation/Project fields entered on the enrolment form to constitute the "domain" or "affiliation" associated with all of the Subscriber Certificates, and Subscribers inherit those fields as part of their Certificate identity. After the first OnSite Administrator has been successfully enrolled, additional Administrators may be enrolled (for an additional charge) to help manage separate unique domains. If it is necessary to have separate Division/Organisation/Project affiliations associated with a Company/Department/Agency, each one becomes a separate domain, and thus a separate OnSite licence.
Once the enrolment information has been completed and submitted (during which process a key pair is generated), the Administrator must print out a contract and submit it by post to BT (along with some means of confirming the authenticity of the company). BT then verifies the submitted details (by phone checks and other means) before creating the PKI and issuing the Administrator certificate.

The Administrator is informed via e-mail that the certificate is available for collection, and is provided with a PIN. By visiting a specific Web page and entering the PIN and the secret challenge phrase which was entered during the registration process, the certificate is issued and installed in the Administrator's browser. Once this has been installed, it provides access to the OnSite Administration Control Centre.

Anyone who wants to gain a basic understanding of the processes behind the CA should refer to our analysis of RSA Keon, on which the BT/VeriSign software is based. When looking at the Keon software in isolation we were initially puzzled by the structure of the Jurisdictions and Signers, and by the additional powers available to the RAO that were not common in other CA products. When the BT/VeriSign offering is examined, it becomes apparent that the strange terminology and subtly different way of working is there to support the outsourced model required here.

Currently, all CA operations are performed in one of two secure locations, protected by extensive military-grade physical as well as data security measures. The VeriSign secure centre is in Mountain View, California and cost in the region of £6 million to create. It has a certificate issuing capacity of approximately 20,000 certificates per day. The BT secure centre is in Cardiff, Wales and cost approximately £4 million to create. It has an issuing capacity of approximately 10,000 certificates per day. None of the operation or configuration of the CA need concern the end-user organisation, however, making this section of OnSite the most straightforward of all those we have reviewed.
The RA operations are performed by the Certificate Administrator using the Certificate Administration Control Centre, a Web-based admin interface that provides access to the OnSite CA services. On accessing the Control Centre, the Administrator is prompted to authenticate himself and is asked to present the digital certificate that was issued by BT. Security for this certificate is thus of vital importance, and smartcard support is available for this purpose.

The Control Centre provides menus for Configuration, Certificate Management, software/documentation Download, and OnSite News. The links in the Configuration menu open a variety of Configuration Wizards, allowing the Administrator to tailor the OnSite service to meet individual corporate needs. The following Wizards are available:

Policy Wizard: This is the most important of all the Wizards initially, since it provides the means to design the certificate enrolment form and to specify the contents of the organisation's certificates. When configuring the policy using the Wizard, the administrator can provide an e-mail address for subscriber questions, select the Cryptographic Service Provider (Enhanced, Basic or Other) and key size (512 or 1024 bits), choose whether to allow the subscriber to decide whether or not to protect the private key, and customise the subscriber enrolment page. Care should be taken when selecting the CSP and key size that low-grade crypto products (such as those available for export from the US until now) are not excluded from using the PKI by selecting a key size that cannot be generated by the required CSP; we settled for the Basic CSP and a 512-bit key to ensure that our European browsers would work correctly. When customising the subscriber enrolment page, the Last Name, First Name and E-mail Address fields are always required, and a number of additional fields (Title, Employee Number, Mail Stop, State, Country and Locality) can be selected to appear. It is also possible to define up to three additional custom fields that are specific to the subscriber's organisation and can be used for further identification or authentication purposes.
The next step is to customise the certificate itself. The administrator may not wish to include all of the information that the subscriber enters (on the enrolment page) in the certificate. For example, subscribers may be required to enter the number of their last pay advice as a shared secret that is used to authenticate the certificate request. This information is used only to make the decision whether to approve a certificate for the person; it has no value in identifying the subscriber and therefore should not be included in the certificate.

Depending on the agreement with BT, the OnSite service operates under either a public hierarchy or a private hierarchy with a private Certificate Authority (CA) for the end-user organisation. The default for the public hierarchy is that all certificates will be published in the BT/VeriSign central directory, whereas the default for private CAs is that certificates are never published. These defaults can be reversed if required, or the subscriber can be asked for their preference.

Finally, the Administrator can specify the validity period of the certificate. The default for this is one year, though this can be reduced to one week where necessary. The renewal reminder period must also be configured, this being the amount of time before certificate expiry at which the subscriber is prompted to renew. If no OnSite options have been purchased, the PKI is fully configured once this Wizard has been completed. Certificates can then be requested for browsers and browser-based e-mail packages such as Netscape Communicator or Microsoft Outlook. It is also possible to create policies for Secure Server and IPSec certificate services if required, though only the end-user certificate policy Wizard was available to us for testing.
If the Local Hosting option has been purchased for OnSite, the Policy Wizard performs extra steps to specify configuration settings that further tailor the OnSite service. These settings are then used to generate a policy file that holds a complete list of the configuration choices. The policy file is downloaded and used with template files from the OnSite CD to generate the pages that subscribers will use to request certificates and to perform certificate management activities (the lifecycle services pages). The completed pages are then hosted on the local corporate Web server, and this obviously provides the means to further customise the look, feel and operation of the enrolment process. Note that it is still only the enrolment front end that is hosted locally; the CA operations still reside with BT.

CSR Enrolment Wizard: It is possible to support non-browser applications that enrol for certificates using a Certificate Signing Request (CSR). The CSR Enrolment Wizard enables the administrator to make that choice and to generate appropriate enrolment pages.

Logo Wizard: The Logo Wizard allows the Administrator to further customise the enrolment process by displaying the company logo on the certificate enrolment page. This is limited to a single GIF file of approximately 100 pixels wide by 63 high, however.

E-mail Wizard: Using the E-mail Wizard, the Administrator can customise OnSite's automated e-mail messages (enrolment confirmation, approval, renewal and rejection).

Authentication Wizard: The Authentication Wizard determines whether to allow certificate pickup PINs to be distributed directly to end users or to require them to contact the Administrator or a third party to receive pickup PINs. This enables an organisation to enforce a personal-presence authentication model.

Administrator Roles Wizard: The Administrator Roles Wizard enables delegation of all or some Administrator responsibilities to multiple certificate Administrators as required. There are four Administrator roles:

The Configuration Administrator can configure the system, change certificate contents and enrolment screens, and otherwise manage the IS aspects of the system.

The Certificate Management Administrator can approve certificate requests, revoke certificates, and otherwise manage the certificate lifecycle.

The Security Administrator can assign Administrator roles to other Administrators.

Read-only is the default privilege level for all Administrators after the first. The Read-only role enables the Administrator to view current requests, certificate data and log files.

Install CA: The Install CA link provides an automated means to install the organisation's CA certificate into client and server applications. This enables those applications to trust messages signed or encrypted using subscriber certificates signed by the organisation's CA.

Renewal Wizard: The Renewal Wizard enables the Administrator to specify the method that subscribers use to request renewal of expiring certificates. One month (configurable) before the certificate is due to expire, the system generates an e-mail message to the subscriber informing them of the impending event and inviting them to visit a URL to renew the certificate. Subscribers can also submit a renewal request via the Digital ID Centre (see Client section). When the subscriber submits the renewal request, it is possible to provide instant issue of new certificates without Administrator intervention, or the Administrator can perform a manual approval, similar to the initial enrolment process. Subscribers must always initiate this process with a renewal request, however, since there is no client-side software to provide automatic key update.

The Certificate Management menu provides the day-to-day processing functions for the Administrator. From this page, he can process certificate applications, review certificate status, revoke certificates, and generate reports and directory data.
Possibly the most important option is Process Requests. Clicking this brings up a list of all certificate applications that are pending approval. Requests can be assigned to other Administrators (if multiple Administrators have been configured) or can be immediately Approved or Rejected. It is also possible to view details of the request and add comments, which will be stored against the request and e-mailed to the subscriber. With the default OnSite offering, all enrolment requests must be processed manually in this way. However, there is also the Auto Admin option, which allows the approval and issue of certificates to be performed automatically based on a number of Administrator-defined rules.

At their simplest, these rules are entered into a text file on the corporate server used to host the OnSite Web pages (it is thus necessary to implement Local Hosting in order to use Auto Admin). More complex options include the ability to query LDAP or ODBC databases in order to provide the required subscriber authentication. An option called Passcode Authentication is also available, whereby the authentication database is created by the customer but uploaded to BT for hosting (so Local Hosting is not required). When the subscriber request comes in to the Auto Admin server, the rules database is checked and the result can be Approved, Pending or Rejected. Only the Pending result requires Administrator intervention, since the request then reverts to being a normal manual enrolment request, processed as detailed previously. If Rejected, the subscriber is informed automatically and no further action is taken, though all Auto Admin functions are logged, of course, for review by the Administrator. If the request is Approved, a Certificate Signing Request (CSR) is generated and sent to the OnSite CA via a secure SSL3 connection. A Luna CA token is required in the Auto Admin server to ensure that the CSR is not spoofed by another machine. At the CA, an encryption key pair is generated and the CSR is assembled into a certificate, signed and returned to the subscriber; no further Administrator intervention is required.
Getting back to the Certificate Management menu, the View Requests and View Certificate options are self-explanatory, each providing the Administrator with the ability to view by subscriber name or e-mail address, and to filter by date and certificate status (pending, approved, revoked or all). The final options on the Certificate Management menu (other than the reporting options, which are covered in the next section) include Revoke Certificates, and the ability to download both the CRL (as a PKCS#7 file) and all directory information (as an LDIF file) to allow automatic update of a local LDAP directory. The Premium Revocation option enables customers to upgrade the refresh rate of the CRL from the default 24 hours to hourly for each of their CAs.

Reporting and auditing within OnSite is fairly basic. Apart from the certificate and pending request view options covered in the previous section, an Administrator Audit Trail is available via the Certificate Management menu, as is a complete history of certificate activity. All reports except the Certificate Activity History are viewed on-line, whilst the latter is made available in CSV format for download and post-processing.

OnSite subscribers are provided with a URL for the Digital ID Centre for their particular CA. During enrolment, the subscriber is prompted for the usual name and e-mail address, plus any additional fields that were defined in the certificate template by the Administrator. A challenge phrase is also requested, to be used whenever the subscriber wishes to revoke his/her own certificate. Depending on the options selected by the Administrator when creating the policy, the subscriber may or may not be offered a choice of CSP or whether or not to protect the private key. Finally, the subscriber is given the option of entering comments. In some cases, the Administrator may instruct the subscriber to enter Shared Secret information (information known only to the subscriber and the Administrator) in this field. The Administrator uses this shared secret to further authenticate the subscription request, and the comment is not included in the certificate.

Once the request has been approved, the subscriber will receive an e-mail with a PIN for certificate retrieval. The Digital ID Centre provides a Pick-Up ID option, where the subscriber enters the PIN, following which the certificate is downloaded and automatically installed in the browser or smartcard device. Also on the Digital ID Centre menu page are options for searching for, renewing and revoking certificates. Subscriber names or e-mail addresses can be entered as search criteria, and a list of certificates is returned. Individual certificates can then be examined in detail, downloaded or revoked. Whether revoked here or via the main menu Revoke option, the user is prompted for the challenge phrase entered during enrolment as additional authentication, along with a reason for the revocation request. The Renewal option searches the user's browser for any certificates which are about to expire and presents them for renewal. After a subset of the original enrolment information is entered, the request is forwarded to the Administrator and a new certificate is issued. The final option is Install CA, which simply installs a copy of the OnSite CA Root certificate in the user's browser to provide a complete trust hierarchy for certificate verification.

Client-side software is appearing for OnSite to improve and streamline the user experience by making applications PKI-aware. Personal Trust Agent (PTA) is a browser plug-in that presents digital certificates to the user as on-screen credit cards during logon or authentication operations. GoSecure provides PKI-aware plug-ins for key applications such as Microsoft Exchange and Checkpoint firewalls. Thus a Checkpoint VPN user can have the OnSite certificate request handled entirely by the Checkpoint software via GoSecure. Toolkits are also available to PKI-enable in-house applications where necessary.
For customers with up to 1,000 seats, two base product options exist.

BT TrustWise OnSite Lite is for customers with applications of 1,000 users or less where automated administration is not required. It includes one certificate per user, and supports a maximum of 1,000 users. It includes:
Sample prices for the following quantities of users:
Local Hosting is available as an option with OnSite Lite at a cost of £8,000 (payable in the first year only) plus an annual charge of £1,600.

Go Secure! for Exchange Quick Start Package: The Go Secure! for Exchange Quick Start Package is targeted at medium-sized businesses and those wishing to carry out secure messaging pilots. The Quick Start Package includes a 500-seat Public OnSite licence together with the components listed below. This allows the customer to use the major components of Go Secure! for Exchange without incurring the costs of some of the more complex components, such as Automated Administration. The Quick Start Package includes:
Sample prices for the following quantities of users:
For customers with more than 1,000 seats, two base product choices and three optional products exist.

OnSite - Single Application service is for customers planning to use client certificates in a single application only. OnSite - Single Application includes all the features of OnSite, but limited to use with one application. This is a one-application, one-certificate (two for use with dual key pairs) per user offering that can apply to an application using SSL, S/MIME or IPSec certificates. This service is designed for entry-level customers with a single application who want the advanced functionality of full OnSite. The single application offering is limited to one CA, one OnSite account and one copy of the included software listed below. Customers needing multiple applications, multiple certificates per user, multiple software copies and complex hierarchies should use the full OnSite offering. It includes:
Sample prices for the following quantities of users:
BT TrustWise OnSite enables secure corporate applications such as secure e-mail, intranets, extranets and Web access with digital certificates. It allows corporations to set up their own Public Key Infrastructure (PKI) quickly, easily and cost-effectively. BT TrustWise provides all of the certificate lifecycle services, application support and management tools required to operate a robust business-class PKI. It includes:
Sample prices for the following quantities of users:
Key Manager provides OnSite (and Single Application) customers with a complete centralised key management solution. This solution has three main functions: the generation and distribution of end-user keys and certificates; backup of private encryption keys; and the recovery of those keys and certificates. This product is appropriate for OnSite (and Single Application) customers who want to enrol for certificates on the end user's behalf and/or for customers who want to have backup and recovery for encryption private keys.

Sample prices for the following quantities of users:
Premium Revocation enables OnSite (and Single Application) customers to upgrade the refresh rate of the Certificate Revocation List (CRL) from 24 hours to hourly for each of their CAs.

Sample prices for the following quantities of users:
Option 3: Go Secure! for Exchange

Go Secure! for MS Exchange provides OnSite (and Single Application) customers with a pre-packaged secure e-mail integration solution using Microsoft Exchange Server and the Outlook e-mail client. This solution provides seamless, native integration of OnSite-issued certificates with the Exchange directory and e-mail client. The solution package includes an end-user secure e-mail tutorial for Outlook corporate users as well as an administrative implementation guide with step-by-step instructions for integrating Microsoft Exchange and BT TrustWise OnSite. It includes:
Sample prices for the following quantities of users:
Note that all prices exclude set-up fees, which vary from £12,500 for 1,000-seat OnSite or OnSite Single Application to £43,750 for 1,000,000 seats.

Obviously OnSite is a bit of a strange beast compared to the other PKI products we have reviewed, since it is the only one that provides a completely managed PKI facility. As you may imagine, this can be something of a mixed blessing. On the down side, we found that the fact that all administration was taking place over the Internet rather than a corporate intranet meant that administration tasks became cumbersome and slow on occasion as general Internet traffic increased during the day. We also noted slow response times between approving certificates and the user receiving the confirmation e-mail. On the up side, we found that we had one of the most advanced CA installations at our disposal, including outstanding physical and data security measures and disaster recovery procedures to safeguard our certificates, and it didn't cost us a single penny in up-front capital to create this marvellous facility. We noted that it was very simple to create security policies and to modify enrolment forms and certificates to a limited degree. We also thought that OnSite offered remarkable flexibility when combined with the Local Hosting and Auto Admin options.

When it comes to pricing there are a couple of things to consider. The first is that you are paying an annual charge for OnSite, not a one-off cost. We found that OnSite could be very expensive for large deployments, and this was compounded by the fact that the costs were levied again each year. VeriSign and BT may have to reconsider pricing for large numbers of certificates. At the other end of the scale, OnSite was almost unrivalled for smaller implementations of 1,000 users and under.
Coupled with the fact that there is no requirement for trained CA personnel, secure redundant facilities and so on, OnSite becomes almost unbeatable for smaller CAs or pilot implementations.