De La Rue InterClear ClearCert

De La Rue ought to know a thing or two about security. With over 150 years experience, De La Rue has an unrivalled reputation, both in the physical and digital environments, for the delivery of services that underpin security, integrity and trust. The company has been relied upon by numerous governments, banks and other international organisations to provide critical services that sit at the heart of both the social and commercial worlds: the printing of banknotes and stamps, and the delivery of systems to establish and manage identity via passports and driving licences, for example. De La Rue believes that although e-business may look different, it is no less a part of the real world than any other business channel. As such, it is dependent on the same foundations and values (trust, authentication, brand, security and legal status) that have enabled traditional commerce for centuries. With InterClear at its centre, De La Rue is able to extend these high-value and highly regarded trust, integrity and security services into the digital world. InterClear was established in 1997 as the UK's first commercial digital Certification Authority (CA) to provide digital certificates authenticating individuals and companies using open and closed networks for transactions. The company designs, builds and maintains outsourced trust networks that provide proof of identity and authentication to manage and reduce the legal, brand and technical risks of exploiting digital technologies. The outsourced model adopted by InterClear - known as ClearCert - enables organisations to implement a PKI without the financial and managerial burden of an in-house implementation. This makes it perfect for limited trials as well as full-blown PKI implementations. Unlike other managed PKI solutions, ClearCert provides a much higher degree of control for the customer right down to individually branded certificates.
With ClearCert, the customer remains in complete control of their own PKI. The certificates are issued according to rules defined by the customer and InterClear as part of the initial consultation, and signed with a unique root key on the customer's behalf. If the customer requires secure e-mail, restricted web access, mutual authentication, or other services that rely on the PKI platform, InterClear also provides the vital planning, support, documentation, management and web functionality required to deploy and use the certificates throughout the organisation. The following features are included in a bundle of services known as 'ClearStart':
When it comes to physical security, it can be very expensive to provide adequate protection for a PKI. Any company that operates a CA is asking clients and end users to trust it completely when it comes to the integrity of its digital certificates. In order to earn that trust, the organisation needs to be able to demonstrate that its logical procedures and physical protection are adequate for the task of preventing fraudulent generation and issue of certificates. InterClear operates its managed PKI functions from a secure area in one of its office buildings. This means that physical access to the building is available to a wide range of InterClear staff, not just those tasked with the PKI operation. However, physical access to the building is tightly controlled, and access to the PKI areas within the building (the computer room and strong room, where the root CA is located) are further restricted, preventing non-essential staff from entering. The site is fenced and gated, and although the gate is open during normal business hours it is monitored constantly via CCTV. Outside normal business hours the gate is closed and can only be opened remotely by guards. Employees can communicate with guards via a communications device at the gate. Beam alarms between the building and the fence, and alarms and locks on external doors make unauthorised access extremely difficult. Receptionists man the main entrance during business hours every day, supervising the entrance turnstiles. Authorised persons use an access card to operate the waist height turnstile to enter the main building from reception. Photographs on access cards are used to prevent impersonation, and the card gives access to restricted areas only when used with a PIN known only to the card holder. There is an alternative side entrance for InterClear staff only which is protected by a full height turnstile requiring the use of a card and PIN number for access. 
The use of turnstiles prevents 'tailgating', where an unauthorised person follows closely behind another person who gains authorised access. Various key areas throughout the building are monitored via CCTV cameras, and sensitive areas of the building are alarmed using passive infra-red detectors. All cards have controlled access rights associated with them, and changes to those rights are carefully controlled and audited. InterClear personnel are allowed only into the areas where they need to go, and visitors are always accompanied throughout the building by their host. Contractors are only allowed into the area in which they need to work. The corridor leading to the computer room, the computer room itself and the strong room are all separately controlled. Access to the computer room and strong room is available only by exposing the photo card to proximity readers and entering the PIN number on a key pad to operate the door locks. An audit system allows full traceability of employee movements throughout the building, and in case of improper activity, records can be consulted to identify perpetrators. Personnel entering the strong room are required to sign in and record the purpose of the visit, and this record can be (and is) cross-checked with the automated recording of PIN numbers as personnel enter restricted areas. The Web Server (which is used to provide public access to Web-based certificate operations) and Managed Server (used for validation purposes) are in the computer room, access controlled by photo card and PIN. Only specified InterClear employees or contractors have authorised access. Both servers are password protected, and only certain privileged personnel have log-on rights. Public access to the Web server from the Internet is, of course, not restricted but permits only legitimate use of web-pages. The Managed Server is backed up and tapes are taken off-site and secured so the system could be reconstructed in case of a disaster.
The Signing Server is in the strong room protected by outer wooden doors secured by a proximity reader that requires both a valid photo card and PIN number to gain access. The heavy inner steel door has a further electronic combination lock, with strictly controlled access rights for only a very small number of privileged persons. When the steel door is open the outer wooden doors are electronically interlocked with an internal steel grille, which is closed to prevent users of the strong room being surprised should an intruder manage to gain access through the external wooden doors. If the outer doors are opened the steel grille locks itself, and the door of the strong room has a dedicated camera trained on it. Damage to the Signing Server itself is not a problem as no keys are permanently stored in it, and the computer can always be rebuilt providing the relevant smart cards are available. The whole of De La Rue House has an integrated system of fire alarms which are tested weekly. There are fire detectors and alarm bells in both the computer room and in the strong room. Because the strong room is an enclosed space - a 'room within a room' - it has a separate fire detection and alarm system of its own in addition to the system installed throughout the building. Inergen gas fire extinguishing systems are installed in the computer room and in the strong room. The inert gas (which smothers fire) is discharged thirty seconds after the alarm sounds, providing enough time for operators to leave the area. Both safes, in the computer room and in the strong room, are fire safes designed to be fire resistant for a period of more than one hour. The gateway to the Internet is protected by an industry standard firewall which provides access to the Web Server on the standard ports only (80 for HTTP, 443 for HTTPS, etc). Network Address Translation (NAT) is used to protect internal addresses.
Firewalls and intrusion detection systems are also used to monitor and restrict access between internal network segments, and a strict anti-virus policy is in place. The Managed Server does not have an external IP address and cannot be directly addressed from the Internet. It resides in its own network segment and access to it is constrained to the minimum necessary to allow it to do its job. The digital certificate Signing Server is dedicated to its task and performs no additional functions. To provide the maximum protection, the Signing Server is a completely stand-alone machine (secured within the separate strong room), and is not networked in any way. As with any managed or outsourced PKI system, ClearCert provides the most straightforward installation process, in that there is no hardware or software required on the user's premises. This does not mean that there is no thought or planning required however, and this is where the InterClear approach begins to demonstrate its advantages. The operation of any PKI is dependent on far more than CA and RA software. Of more importance are the procedures and legal framework that surround the PKI, and these can often be overlooked or implemented incorrectly in an in-house solution. One of the key pre-installation operations is the completion of the User Requirements Questionnaire, a lengthy and detailed document that specifies key operational details such as types of certificates required and their uses, certificate contents, the format of applicant validation data, root key strength, PKI structure, access control lists, use of smart cards, the client environment, required reports, and so on. The client organisation also provides InterClear with the necessary logos and other graphics to allow a corporate 'branded' Web site to be produced, as well as a complete validation list for the first batch of applicants. From the questionnaire, InterClear can build a complete PKI.
In addition to the Web site that is custom built for each client to provide the means for end users to apply for, collect, search for and revoke certificates, InterClear will also produce all the necessary documentation to support the PKI. This will include key documents that are often overlooked completely by organisations implementing an in-house solution, such as a Certificate Policy (CP), a Certification Practice Statement (CPS), and an End User Agreement based on appropriate PKCS and PKIX standards including IETF RFC 2527. These documents will include the customer's own organisation name as the Issuing Authority. Finally, InterClear will ensure that all procedures necessary to support the CPS and PKI are put in place, and can even assist with application deployment. Because each PKI is essentially 'bespoke', InterClear can develop custom applications which make use of the PKI where required. For example, as part of this test, InterClear provided us with a modified version of our own Web site that used Access Control Lists triggered by digital certificates to determine which employees were allowed access to which pages. This was a fairly basic application, but is a good example of how digital certificates can be used within an organisation - other examples would be remote access authentication and, of course, secure e-mail. The InterClear approach, however, is unique amongst the other PKI vendors tested here, since the emphasis is less on the PKI itself, and more on the use of that PKI in applications throughout the organisation. This approach can also ensure that procedures are built in to force applications to check Certificate Revocation Lists (CRLs), something which is often overlooked in many PKI implementations. Whereas many organisations would find few difficulties in installing PKI software and issuing certificates, they often fall at the second hurdle - actually using those certificates. InterClear's approach is designed to address this.
It is also possible to create an 'Experimentation PKI', which allows companies to rapidly create non-validated personal certificates which can be used to test applications, but cannot be relied on for authenticating identities. In this case, the CPS will define that no-one will accept any financial risk related to the use of the certificates. ClearCert includes between four and seven consultant days on site including one day for general discussions of the planned PKI architecture and CPS before the customer signs the service contract. The remaining days will cover such items as briefing the customer about the CPS and validation rules or database; how roles and responsibilities are shared with InterClear; training first line support staff; quarterly review meetings; and a final wrap-up meeting. As mentioned in the Architecture section of this report, all CA operations are carried out within a secure location managed by InterClear staff. The Signing Server itself is not connected to any network (internal or external) and is stored in a secure strong room protected by various security and fire prevention devices. As with any outsourced PKI solution, the organisation which 'owns' the PKI plays no part in the day to day CA operations. All CA management and certificate signing processes are carried out by InterClear staff - this is one of the main attractions of a managed PKI service. The CA signing processes should always be determined by the specific rules, regulations and individual requirements of each organisation, however. To accommodate a potentially broad range of CA signing requirements InterClear provides a flexible CA signing framework. Certificate applicant registration, for example, can take into account various methods of ID validation, such as face-to-face, remote, points systems, credit checks, and so on.
The authority to sign certificates is always split amongst a specified number of cards, some of which can potentially be held by clients. This is known as 'shared secret signing', and the number of individuals required for the signing process is dictated by the client organisation. For example five people may have the ability to sign a certificate request, and the client may demand that two out of five must be present during the signing process. Equally, the same five people may be able to generate a sub-root, but in this instance the client may demand that four must be present for this function. No single person can conduct signing alone - a conspiracy of two or more privileged persons would be necessary to commit any illicit act. The shared secret process also provides the provision for secure key recovery. Smart cards, which are indispensable to the signing process, are stored in the fire-safe in the strong room, and the combination is known to only a very small number of privileged persons. The safe also has a key, which is held in a second fire-safe in the computer room. Two kinds of smart card are used - known as red and green - which cannot function without each other. Typically, red cards are owned by an operator, and green cards are owned by a supervisor. Both types of card are needed to recreate a root key and conduct signing, and cards are activated by a PIN known to the holder alone. The PIN cannot be extracted from the card, although a new PIN can be applied to the card if an employee leaves and the card is assigned to someone else. There is even scope for the client to hold some of the cards if they wish to ensure that signing cannot occur without their knowledge and approval. InterClear has gone to great lengths to ensure that no critical part of the procedure depends upon or is conducted by a single person in isolation.
It is therefore very difficult for anyone to indulge in criminal activity to subvert the system without it becoming apparent to someone else. For example, even if someone succeeded in gaining access to the signing server to sign a certificate request which had not been validated, the subterfuge would be discovered because there is an end-to-end sequence numbering system for applications and the certificates eventually issued are checked before dispatch for consistency with the application originally received. Applications for certificates are received on the web server, where they are matched against records in the validation database provided by the Registration Authority. Validation data is transmitted to InterClear from the RA whenever necessary (for example, as new employees join a company). This data is critical to the registration process, and must therefore be transmitted in as secure a manner as possible - preferably out of band (delivered in person as a printed list or on floppy disk), but always encrypted if transmitted electronically. Certain fields within the validation database can be designated as 'close match required' - perhaps the incorrect spelling of a street name in the address would be acceptable - whilst others can be designated as 'exact match required' - the applicant's e-mail address, for example. If any critical fields are deemed not to match, the application is rejected and the applicant is informed via e-mail. If the application is satisfactory, however, it is approved and passed for signing. At regular intervals throughout the day, approved applications are transferred to floppy disk and passed to the strong room for signing. The disk is inserted in the signing server and the signing requests are retrieved individually.
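The close-match/exact-match validation and the pre-dispatch sequence-number check described above, as an added example that is not InterClear's code; the validation records, field rules, similarity threshold and the shape of the issued-certificate record are constructed assumptions.

```python
"""Matching certificate applications against the RA's validation database.

Added example, not InterClear's code. Constructed data: a small validation
list as an RA would supply it, field rules marking each field as an 'exact'
or 'close' match, and the end-to-end sequence number that lets an issued
certificate be checked against the original application before dispatch.
"""
import difflib
from dataclasses import dataclass, field

# Constructed validation data, keyed by the unique employee reference number.
VALIDATION_DB = {
    "E1042": {"name": "Alice Example", "email": "alice@example.test",
              "street": "12 Saint Johns Road"},
    "E1043": {"name": "Bob Example", "email": "bob@example.test",
              "street": "7 High Street"},
}

# Per-field rules of the kind fixed in the User Requirements Questionnaire.
FIELD_RULES = {"email": "exact", "name": "exact", "street": "close"}
CLOSE_MATCH_RATIO = 0.85  # constructed tolerance for 'close match' fields


def normalise(value: str) -> str:
    """Collapse whitespace and case so trivial formatting differences never count."""
    return " ".join(value.split()).casefold()


def field_matches(rule: str, submitted: str, expected: str) -> bool:
    a, b = normalise(submitted), normalise(expected)
    if rule == "exact":
        return a == b
    if rule == "close":
        # Similarity ratio in [0, 1]: tolerates a misspelt street name, not a new address.
        return difflib.SequenceMatcher(None, a, b).ratio() >= CLOSE_MATCH_RATIO
    raise ValueError(f"unknown match rule {rule!r}")


@dataclass
class Application:
    seq: int              # end-to-end sequence number assigned on receipt
    employee_ref: str
    fields: dict


@dataclass
class Decision:
    seq: int
    approved: bool
    reasons: list = field(default_factory=list)


def validate(app: Application) -> Decision:
    """Approve only if every rule-bearing field matches the RA's record."""
    record = VALIDATION_DB.get(app.employee_ref)
    if record is None:
        return Decision(app.seq, False, ["no validation record for this employee reference"])
    reasons = []
    for name, rule in FIELD_RULES.items():
        submitted = app.fields.get(name)
        if submitted is None:
            reasons.append(f"{name}: missing")
        elif not field_matches(rule, submitted, record[name]):
            reasons.append(f"{name}: {rule} match failed")
    return Decision(app.seq, not reasons, reasons)


def check_before_dispatch(issued: dict, approved: dict) -> bool:
    """Pre-dispatch consistency check: the certificate must answer an approved
    application with the same sequence number and carry exactly the identity
    fields that application contained."""
    app = approved.get(issued["seq"])
    if app is None:
        return False
    return all(issued["subject"].get(k) == app.fields.get(k) for k in ("name", "email"))


def demo() -> dict:
    """Constructed batch: one exact match, one close street match, two rejections."""
    batch = [
        Application(1, "E1042", {"name": "Alice Example", "email": "alice@example.test",
                                 "street": "12 Saint Johns Road"}),
        Application(2, "E1043", {"name": "Bob Example", "email": "bob@example.test",
                                 "street": "7 High Streat"}),
        Application(3, "E1042", {"name": "Alice Example", "email": "alice@exarnple.test",
                                 "street": "12 Saint Johns Road"}),
        Application(4, "E9999", {"name": "Mallory", "email": "mallory@example.test",
                                 "street": "1 Nowhere"}),
    ]
    decisions = {a.seq: validate(a) for a in batch}
    approved = {a.seq: a for a in batch if decisions[a.seq].approved}
    # A certificate that turns up with no matching approved application is caught here.
    rogue = {"seq": 4, "subject": {"name": "Mallory", "email": "mallory@example.test"}}
    return {"decisions": decisions, "rogue_dispatched": check_before_dispatch(rogue, approved)}
```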
The operator is prompted for the appropriate smart cards that contain the root signing keys (uniquely generated for each PKI managed by InterClear) required for each request or group of requests, and these must be inserted into the Hardware Security Module attached to the signing server. None of the keys are stored in memory or on the hard disk of the signing server at any time. Where multiple smart cards are required (where shared secret signing is in operation and the root keys are split across several smart cards) the required number of cards must be inserted (say two of five) before the signing operation can be completed. Once the requests have been signed, the digital certificates are written back to the floppy disk, which is then passed back to the computer room to be uploaded to the Managed Server and published in the LDAP database. The applicant is then informed via e-mail that the certificate is ready for collection. Note that the frequency of signing operations per day for any client is determined by the SLA in place - the default is once every 24 hours, but more frequent runs are possible at additional cost. ClearCert supports the use of multiple key pairs - separate keys for signing and encryption purposes, for example - and can provide secure key backup and recovery mechanisms if required. ClearCert certificates comply with X.509 version 3, using RSA encryption and the MD5 hashing algorithm, so they are compatible with the following protocols: SSLv3, TLSv1, S/MIMEv2, S/MIMEv3. This signing model may appear cumbersome at first sight, but it is the most secure means of issuing digital certificates, since the actual signing equipment is completely off-line, utilising true 'air gap' security measures. Revocation requests are raised in one of three ways:
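The shared secret signing model from the smart card passage above and the 'two of five' card check here, as an added illustration rather than InterClear's own implementation: Shamir secret sharing stands in for whatever split-key scheme the cards actually use, and the five holders, the 2-of-5 signing and 4-of-5 sub-root thresholds, and the rule that a quorum must contain both a red and a green card are constructed assumptions taken from the text.

```python
"""Threshold ('shared secret') signing, illustrated with Shamir secret sharing.

Added example, not InterClear's code. Constructed scenario: five card holders;
the root signing key is split 2-of-5, the sub-root generation key is split
4-of-5 among the same holders, and a quorum must include at least one red
(operator) card and one green (supervisor) card.
"""
import secrets
from dataclasses import dataclass

PRIME = 2**127 - 1  # Mersenne prime; all share arithmetic is in GF(PRIME)


def split_secret(secret: int, threshold: int, holders: int) -> dict:
    """Return {holder_id: share}; any `threshold` shares recover `secret`."""
    if not 1 <= threshold <= holders:
        raise ValueError("threshold must lie between 1 and the number of holders")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an element of the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = {}
    for x in range(1, holders + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares[x] = y
    return shares


def recover_secret(shares: dict) -> int:
    """Lagrange interpolation at x = 0. With fewer than `threshold` shares this
    returns a field element that is (overwhelmingly likely) not the secret."""
    total = 0
    for xi, yi in shares.items():
        num, den = 1, 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


@dataclass(frozen=True)
class Card:
    holder: int   # share index, 1..n
    colour: str   # "red" (operator) or "green" (supervisor)


class SigningAuthority:
    """Holds the shares for two operations that need different quorum sizes."""

    def __init__(self, cards: list, sign_threshold: int, subroot_threshold: int):
        self.cards = {c.holder: c for c in cards}
        self.thresholds = {"sign": sign_threshold, "subroot": subroot_threshold}
        # Constructed secrets standing in for the real root and sub-root key material.
        self.keys = {"sign": secrets.randbelow(PRIME), "subroot": secrets.randbelow(PRIME)}
        self.shares = {op: split_secret(self.keys[op], self.thresholds[op], len(cards))
                       for op in self.keys}

    def quorum_ok(self, op: str, present: list) -> bool:
        """A quorum needs enough distinct cards and both card colours."""
        holders = set(present)
        if any(h not in self.cards for h in holders):
            return False
        colours = {self.cards[h].colour for h in holders}
        return len(holders) >= self.thresholds[op] and {"red", "green"} <= colours

    def reconstruct(self, op: str, present: list) -> int:
        """Recreate the key for `op` from the cards present, or refuse."""
        if not self.quorum_ok(op, present):
            raise PermissionError(f"{op}: {self.thresholds[op]} cards of both colours required")
        return recover_secret({h: self.shares[op][h] for h in set(present)})


def demo() -> dict:
    """Run the constructed 2-of-5 / 4-of-5 scenario and report what succeeded."""
    cards = [Card(1, "red"), Card(2, "red"), Card(3, "red"), Card(4, "green"), Card(5, "green")]
    ca = SigningAuthority(cards, sign_threshold=2, subroot_threshold=4)
    results = {}
    results["sign_2_of_5"] = ca.reconstruct("sign", [1, 4]) == ca.keys["sign"]
    results["sign_needs_both_colours"] = not ca.quorum_ok("sign", [1, 2])
    results["subroot_3_refused"] = not ca.quorum_ok("subroot", [1, 2, 4])
    results["subroot_4_of_5"] = ca.reconstruct("subroot", [1, 2, 3, 4]) == ca.keys["subroot"]
    # Interpolating from too few shares does not leak the secret.
    partial = recover_secret({h: ca.shares["subroot"][h] for h in (1, 2, 4)})
    results["partial_shares_useless"] = partial != ca.keys["subroot"]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```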
CRL updates are currently made to the system every hour, but the revocation signing run is performed once a day. If more frequent CRL signing runs are required, then it is possible at extra cost. As with frequency of certificate signing operations, revocation updates are based on the Service Level Agreements that De La Rue has in place with its customers. The Registration Authority can take many forms in a ClearCert PKI, depending on how the customer wishes to run the RA. Where it is required that certificates are only issued to known and verified applicants, then the user organisation (acting as the RA) must provide sufficient data to the InterClear CA for the CA to be able to make accurate decisions on whether a particular certificate request should be approved or denied. This validation data must be transmitted to the InterClear CA in a secure and timely manner - preferably prior to the end user application being received. For example, as part of this test The NSS Group provided InterClear with a list of employees that were to be granted certificates. Against each employee was data - such as name, e-mail address and a unique employee reference number - that could be used to verify certificate applications that would follow. During the test, we applied for numerous personal certificates, with some applications bearing deliberately invalid data. On all occasions, certificates were only issued against those requests that matched the validation data exactly. Of course, this model is really only appropriate for closed user groups, where the identity of each applicant can be determined beyond any doubt and validation data prepared ahead of the certificate application being received. In a more open environment, the InterClear CA can be governed by a more relaxed CPS on a particular PKI, where it may be instructed to issue certificates to any individual who supplies a valid e-mail address.
A number of different reports on certificate issuing and revocation activity can be provided as part of the service. These reports are normally tailored to the individual client requirements. Reports are produced by InterClear staff at regular intervals and provided to the client in a suitable format. As part of our test, we were provided with a number of reports showing certificates created within specific date ranges, and these were supplied as HTML files (see above). A Web-based interface is provided for the end-user to request, collect, view and revoke personal certificates. These Web pages are carefully constructed by InterClear to closely resemble the existing corporate 'look and feel', using familiar logos and other graphical objects. Each PKI is assigned a unique URL in the form http://nss.interclear.net which provides access to the enrolment page. The first screen provides some very clear and detailed instructions on how to complete the process, from installing the CA root certificate that was issued and signed by InterClear when the PKI was created, through applying for, collecting, and installing the personal digital certificate. The first thing that is noticeable is that the root certificate, once installed, bears the customer organisation's own name as CA rather than the name of a generic third party CA, which is the case with many outsourced solutions. During enrolment, the applicant is prompted (over a secure HTTPS link) for the information that was specified as part of the User Requirements Questionnaire. Some of this data will be stored in the certificate, whilst some may be collected for validation purposes only. The data is checked to ensure that all the mandatory information required on the form has been provided.
If the check function is not satisfied with the results - for example, if the data is missing or inappropriate for the field (numerical data in a character field) - it will inform the applicant of the error and return to the form for the user to amend the data before the process can continue.
Once the enrolment data has been collected, the user is asked to provide a challenge phrase that can be used later to collect or revoke the certificate, and the browser generates two key pairs - one for signing and one for encryption. Note that every applicant will be required to click on a check box to signify agreement to the customer's Certificate Practice Statement (CPS) before he is allowed to start the application process. The applicant will be provided the ability to read the CPS online or download a copy before agreeing to abide by the rules within it. In the event that the applicant does not agree to the CPS, the application process will abort, and the applicant will be notified that their request for a digital certificate is denied. Once the applicant accepts the terms and conditions of the Customer's CPS the application process will continue and the request is transmitted to the CA for approval and signing. After the signing process is complete, the user is informed via e-mail that the certificate is ready for collection. An HTML document is attached to the e-mail which provides the most straightforward method of certificate collection and installation. All that is necessary is to open the attachment in a Web browser and click on the 'Install' button. An alternative method is to select the 'Collect Certificate' option from the Web site and enter the challenge phrase created during the application, and the PIN number provided in the collection e-mail. In both cases the certificate is installed in the user's Web browser automatically.
Also on the certification services Web page are options for searching for, viewing and revoking certificates. Subscriber e-mail addresses can be entered as search criteria, and a list of certificates is returned. Individual certificates can then be examined in detail, downloaded or revoked. Whether revoked here or via the main menu Revoke option, the user is prompted for the challenge phrase entered during enrolment as additional authentication, along with a reason for the revocation request. The final option on the main menu is 'Terms & Conditions', which provides on-line access to the Certification Practice Statement (CPS) in Word or PDF format.

Since there is no base 'product' as such in ClearCert (purely a managed service), there is no need to recruit or train staff to install, configure and maintain it, nor to provide any secure environment for either the product itself, or the audit trails which are a necessary part of the PKI service. These costs (which are often overlooked in a costing exercise) are therefore zero. There is, however, an annual licence fee for the individual certificates. This fee ranges from £7 per certificate for the minimum of 200 certificates, down to 10p per certificate for over one million certificates. In the first year of each certificate's life, an issuing fee equal to this annual licence fee is also charged. In addition to the cost of issuing certificates, there is a cost associated with specifying and setting up each PKI. Note that in the case of a product based PKI, this is usually met by the customer providing internal staff resources, which can be very expensive, especially if recruiting and training are required. De La Rue InterClear can set up a simple 'no frills' PKI for 100 users for as little as £1900.
Customers wishing to set up PKIs for 1000 to 1,000,000 users will be advised to invest in options suitable to the size, complexity and sensitivity of the PKI they need: the minimum cost of these options can be expected to fall in the range between £4000 and £50,000, as specified in the cost details to follow.

PKI Registration Authority and other User Service Options

One of the most costly elements of running most large PKIs is the provision of RA services. In particular, if PKIs that supply certificates to users via an interactive process are not set up carefully, the running costs can be dominated by providing help to those users who misunderstand such things as how to apply for their certificates in a manner that they can be securely authenticated, or how to use the secure services that their certificates are intended to enable. De La Rue InterClear is in a unique position to be able to provide such services, but it is particularly difficult to quote a price for such a service without a PKI specification: in the simplest case, pre-defined users may simply receive a smart card, plug it in, and use a simple application with little opportunity to make a mistake or get confused. In a different PKI, the users may be required to authenticate themselves online with separately verifiable information from differing sources (e.g. employee roll number, home address, corporate email, single use PIN, etc.) Depending on the size and complexity of PKI concerned, InterClear offers training for customers' own staff to offer first line support for these services. This is backed up by InterClear's second line support, either on an annual contract or an "on demand" basis.
De La Rue InterClear's PKI Services are able to be tailored exactly to the customer's requirements, so it is impossible to provide exact pricing for 'optional extras', but the following list gives an indication of the wide range of PKI flexibility and services which can be made available: Online (web based) Registration Authority, hosted within InterClear's secure web vault, but using the customer's branding. The minimum cost for a simple site (such as that used within the NSS Evaluation) could be as little as £1000, but further tailoring and integration is available if required. For instance, it can be tuned to authenticate applications by various means including:
Sample license costs for the following quantities of users, assuming two certificates per user and taking into account all the above costs of mandatory items - and the recommended minimum 'advised' options - are as follows in Pounds Sterling:
Note that these costs assume that User certificates will be valid for 3 years, but different certificate lifetimes can be chosen by the customer. The NSS Group performed the testing and analysis described in this report based on a bundle of ClearCert services known as ClearStart. This is a complete bundle of services based on the '100 user' licence package above, but it also includes certain PKI Tailoring and User Service options that are strongly recommended to customers wishing to explore the possibilities afforded by owning their own PKI. What is lacking from many of the more 'traditional' outsourced PKI offerings on the market at the moment can be summed up in a single word - control. Lack of control over processes, look and feel, and branding of the certificates can be enough to put many organisations off the managed PKI route and opt instead for an in-house solution. ClearCert sidesteps this problem neatly in a number of ways. The first is by providing 'white label' certificates that appear as though they were issued by the customer organisation, rather than the trusted third party used to manage the PKI. The second is that the branding exercise is continued throughout the PKI, making the Web pages and applications appear as close as possible in look and feel to the customer's existing corporate Web site. Finally, the 'bespoke' approach taken by InterClear throughout the design and implementation process means that the CPS and CP are tailored to each individual customer, and customer-specific processes can be accommodated into the PKI wherever necessary. Where ClearCert really scores is that the policies and procedures necessary to create a realistic trust model are handled directly by people with extensive experience in implementing Public Key Infrastructures. Many of these - such as the drafting of the CPS - are complex matters and are often overlooked or poorly implemented in a pure in-house solution.
It is also pertinent that the Certification Practice Statement and Certificate Policy are both unique to each PKI in ClearCert, in stark contrast to many other managed PKI solutions where an attempt is made at a 'one size fits all' solution. Our only criticism is one that can be levelled at any outsourced PKI - speed. It may be desirable on occasion to have certificates available within minutes of the end user submitting the request, but this kind of turnaround is usually only available with in-house solutions. That is not the case here, however, but if more frequent certificate signing and revocation runs are required, then a different - and obviously more expensive - SLA will have to be negotiated with InterClear. In most situations, we feel that the 24 hour turnaround would not pose a problem. And, of course, on the up side, we had the benefit of a very expensive secure installation to host the PKI, with advanced burglar alarms, access control and fire prevention mechanisms, not to mention strong physical security for the root CA. All of this is manned and monitored 24 hours a day, and none of the burden of that infrastructure falls on the customer. This is definitely the most cost-effective means of implementing a PKI solution.