 |
|
|
Most people concerned with security will have heard of VeriSign, the public CA that provides digital authentication services and products for electronic commerce. Founded in 1995 as a spin-off of RSA Data Security, VeriSign offers a range of personal and server-based digital ID�s, which allow organisations to implement and make use of Secure Sockets Layer (SSL) technology and other security features on the server (both in-house and external). For those organisations wishing to implement a full-blown PKI, however, VeriSign also offers a hybrid outsourced service that combines elements of on-site management with a secure outsourced PKI backbone. This service is sold by VeriSign directly as well as through partners, and the offering tested here is from BT Ignite Trust Services � known as BT Ignite Managed PKI. BT Ignite Trust Services provide a comprehensive catalogue of digital certificate solutions, designed to enable large-scale secure communications and commerce over intranets, extranets, and the Internet at large. Managed PKI functionality provides secure Web access, local hosting, key management and recovery, certificate validation, an application toolkit, dual-key support, and automated certificate renewal. Managed PKI enables any organisation to provide certificate services without the time, effort, risk, and expense of buying and maintaining its own certificate server system. Managed PKI uses BT Ignite�s hardware, software, and secure processes and facilities to issue and manage certificates for subscribers. Designated people within an organisation (the Managed PKI administrators) control the system, while a BT Ignite-operated Certification Authority (the BT Ignite CA) issues the certificates to subscribers from BT Ignite�s secure facility. With Managed PKI, an organisation is able to:
One of the big advantages of Managed PKI for many organisations is the fact that it attempts to address the seemingly irreconcilable problem of deploying a fully-managed in-house PKI without having to invest in the back-end infrastructure required to support it. With Managed PKI, the enterprise controls the CA and can administer and audit the operation continuously. However, day-to-day back-end secure data processing functions - such as certificate-signing, cryptographic hardware, and records retention - are delegated to BT and operated out of a BT secure data centre. A PKI implementation needs to be highly secure. Requirements generally exceed those for typical secure transaction processing systems, since issuance of just one bad certificate or penetration of a CA�s security can result in an unlimited number of bad transactions or issuance of an unlimited number of bad certificates. In addition to high security, a PKI used for mission-critical purposes also requires 7x24 availability, redundant systems, and full disaster recovery backup. With Managed PKI, the PKI automatically gains the advantage of hardware-based cryptography, screened and trained personnel, a military-grade secure facility, and a rigidly audited system of procedural controls. It also benefits from a fully redundant infrastructure, with 7x24 service levels guaranteed for all critical components. There are redundant systems for servers, database, Internet service providers, telecommunications, and power. Disaster recovery operates 7x24 using a geographically separated site. The main components of a Managed PKI implementation are as follows: The end user (subscriber) uses the Internet browser on his or her computer to request Managed PKI services. End users can request the following Managed PKI services:
Requests to enrol for a new certificate or renew an existing certificate are sent securely to the Managed PKI Control Centre in the BT Ignite Issuing Centre for review. Certificate tracking, retrieval, searches, and revocations do not require approval, and are automatically completed for the end user. However, a record of these actions is made available to the Managed PKI administrator for tracking purposes. The Managed PKI administrator (also called Local Registration Authority Administrator, or LRAA) reviews, rejects, and/or approves the end user�s request. The administrator also requests reports, searches for account information, and downloads Certificate Revocation Lists (CRLs). The administrator uses the Managed PKI Control Centre to perform these tasks. The Managed PKI Control Centre is hosted at the BT Ignite Issuing Centre, and can be accessed via a standard Web browser. The administrator uses a Managed PKI administrator certificate to identify himself to the Managed PKI Control Centre. The certificate also encrypts data sent to the BT Ignite Issuing Centre, ensuring secure communications. An administrator�s certificate can be installed in the browser, or on a smartcard. The BT Ignite Issuing Centre is operated by BT Ignite Trust Services and comprises VeriSign hardware and software, together with BT Ignite secure processes and facilities that issue certificates and process Managed PKI service requests. The BT Ignite Issuing Centre processes the end user�s request once it is approved through the Managed PKI Control Centre, and sends the end user an email notifying him of the result. The Issuing Centre also generates reports and Certificate Revocation Lists (CRLs) that the administrator can access through the Control Centre to manage Managed PKI customer accounts. Daily CRLs are supported by standard BT Managed PKI policy choices, and hourly CRL-issuance is available as an option. The Managed PKI Control Centre is hosted at the BT Ignite Issuing Centre. Cryptographic functions and root keys are embedded in government-certified hardware cryptographic modules, with enabling keying materials split between multiple independent responsible persons. Managed PKI provides web-based configuration wizards, administration and support tools, report generators and application integration modules to give an enterprise full control over its CA and to provide the link to BT�s processing centres. The CA Control Centre allows establishment of local CA policy, such as certificate content rules and administration authorisations, and these functions are typically located at the enterprise. It is also possible to distribute registration authority (RA) functions such as certificate approval, revocation, audit, and day-to-day management to an unlimited number of administrators (each with different privileges), providing for complete separation of administrative roles. The following products and services can be purchased as part of the Managed PKI implementation: Local Hosting enables an organisation to host Managed PKI enrolment and lifecycle pages on its own Web server rather than at the BT Ignite Processing Centre. With Local Hosting, it is possible to customise and co-brand these pages, providing company-specific text, links, or logos. Managed PKI operations remain in BT Ignite�s secure facility, but the administrator controls the look and feel of the end-user interface. Local Hosting is required to implement Automated Administration, Key Management Service, and Trusted Messaging for Microsoft Exchange. Subscribers use the Managed PKI lifecycle pages to perform the following certificate activities:
The Automated Administration option enables an organisation to approve requests for certificates without the intervention of an administrator. Automated Administration compares the applicant�s enrolment data with pre-configured authentication data stored in an authentication database (such as a Human Resources database or an LDAP directory). The database may contain information on security access levels, purchase limits, or other information which may form part of the final certificates. If the person�s identity is authenticated (that is, the data matches) the request is approved automatically. Optionally, custom software can add data (for example, purchase limit) to the approved request. Thus, it is possible to replace the certificate administrator�s manual certificate-approval procedure with a customised software process. The Automated Administration software can read authentication data from an LDAP-compliant directory. In addition, when a certificate is issued, Automated Administration can write certificates and related information into the directory. Passcode Authentication is a service to automatically authenticate certificate requests. It is similar to Automated Administration, except that BT Ignite provides the authentication software and support. Configuration takes place through the browser interface. Passcode Authentication is simpler to implement, though considerably less flexible, than Automated Administration. As with the Automated Administration module, when a subscriber applies for a certificate, the enrolment information is securely uploaded to the BT Ignite Processing Centre and compared to information provided by the organisation. Based upon rules defined by the organisation, a certificate is either approved or rejected. The organisation provides no programming or additional hardware. All certificate generation and maintenance operations are hosted at the BT Ignite Processing Centre, relieving organisations of the time and expense of creating and supporting certificate authentication solutions. Trusted Web Transactions for Web Applications Trusted Web Transactions for Web Applications makes it easy to secure user access over the Internet, intranet, or extranet. Access to Web resources is managed based upon either information directly embedded in a certificate, or information that resides in an organisation�s firewall, in an LDAP directory, or access control database. Trusted Web Transactions for Web Applications uses VeriSign�s Personal Trust Agent (PTA) to enable subscriber authentication, transaction signing, and access control to Web resources. The PTA uses digital signatures (in conjunction with SSL server authentication) for authentication, supports certificate revocation list (CRL) checking to ensure that a presented certificate is valid, and uses a configuration file to specify the Web resources that require protection. The PTA provides its own implementation of subscriber authentication, as opposed to the native SSL-based subscriber authentication in browsers and servers (both access control methods can run simultaneously on the same system if required.) This enables an organisation to develop more user-friendly Web access control systems. VeriSign also provides a generic CGI front end that can be used to develop support for transaction verification with any Web server that supports SSL. Two certificate management tools are provided with Managed PKI: the Certificate Parsing Module (CPM) and the Certificate Validation Module (CVM). These modules typically are used in conjunction with a Web server that is using native client authentication, and may be installed automatically with Trusted Web Transactions for Web Applications. However, these tools can be used independently of Trusted Web Transactions for Web Applications, or of each other. Certificate Parsing Module: The VeriSign Certificate Parsing Module (CPM) software suite extracts fields from client certificates presented to a Web server and makes that information available to certificate-enabled applications. VeriSign provides two CPM implementations:
For most sites, VeriSign recommends the server plug-in version (loaded at server start-up and accessed during a client session) because it offers a considerably simpler interface, and because it is upgraded by replacing a single file. Certificate Validation Module: In its role as a Certification Authority, BT Ignite Trust Services publishes certificate revocation information in the form of Certificate Revocation Lists (CRLs). The BT Ignite Processing Centre regularly updates, and makes available, a CRL for each Certification Authority (CA) operated by BT Ignite Trust Services on behalf of customers. Before trusting a certificate, server software must check the corresponding CRL. VeriSign�s Certificate Validation Module (CVM) provides ready-to-use Web server plug-ins that automates CRL-checking, as well as providing OCSP lookups. CVM includes plug-ins for stronghold, Netscape and Microsoft Web servers, as well as a programmer�s interface for developing custom applications. Online Certificate Status Protocol Online Certificate Status Protocol (OCSP) is a set of rules and standards that enable users and applications to determine the status (valid, revoked, suspended, or unknown) of a specific certificate in real time. Managed PKI can be configured to take advantage of OCSP to determine the status of Managed PKI certificates. A Managed PKI OCSP client (such as the VeriSign Certificate Validation Module Web server plug-in) issues a status request to the Managed PKI OCSP responder when an end-user certificate is presented for access to a secure Web site. Once a response is received, the OCSP client accepts or rejects the certificate based on the status returned. In addition to certificate status checking, the Managed PKI OCSP service allows the Managed PKI administrator to suspend a certificate as an alternative to revoking it. A suspended certificate appears as a revoked certificate to an OCSP status request (though it does not appear in a CRL). Unlike a revoked certificate, a suspended certificate can be returned to a valid status. The Managed PKI OCSP service can also be configured to log all OCSP transactions and provide a report of these transactions to the Managed PKI administrator. Key pairs are used for one or more of three basic purposes: encryption, authentication, and signing. If keys are lost, it is impossible to duplicate them, and therefore in many instances it makes sense to manage keys centrally. Managed PKI Key Management Service enables an organisation to generate key pairs centrally (as opposed to distributed generation, with each certificate generated in the end user�s browser). With central key generation and escrow it is possible to store private keys for retrieval if the original key is lost or withheld by an incapacitated or uncooperative user. Neither BT Ignite Trust Services or VeriSign ever sees the user�s private keys. Dual Key Pair Option: The Dual Key Pair option of Managed PKI Key Management Service enables an organisation to benefit from the advantages of both central and distributed key generation. In a dual key pair system, one key pair is centrally generated and stored. Another key pair is generated and stored in a distributed manner within each user's browser. The user receives two separate Managed PKI certificates, and uses the centrally generated private key/certificate for client authentication, and for data encryption and decryption. The other private key/certificate is used for authentication and signing. Single Key Pair Option: With Managed PKI Key Management Service�s Single Key Pair option, the subscriber receives a single key pair and Managed PKI certificate, and can use it for signing, client authentication, and data encryption (all uses). Key Management Services: Over time, a subscriber will use different key pairs (for example, a new key pair every year), and the old private key must be used to decrypt an old encrypted file. For this reason, a key management system must maintain a key history for each subscriber, and must be able to recover any key from that history if required. The Key Management capability provides software components and a supporting service to provide secure generation, backup, and recovery of user key pairs. Dual key pairs are supported for signing and encryption, and multiple active certificates are allowed per user. Private keys are stored on the enterprise premises in a non-vulnerable, enveloped form, allowing for protection of the keys without the need for a �bullet proof� secure facility at the customer site. This is done primarily to remove the requirement for BT to store these keys on its own site, and thus limit its liability as much as possible. It therefore results in a more convoluted private key recovery mechanism than is strictly necessary, since it requires retrieval from BT of a unique key which can then unlock the envelope on the client site. It does however provide a fully independent audit trail of all key recovery transactions. Key Manager software runs at the customer site, generating the encryption private key pair, creating a backup of the private key, requesting the corresponding certificate, and delivering the key and certificate to the end user. Each private encryption key is also triple-DES encrypted under a unique session key which is then itself encrypted using BT�s public key to create a Key Recovery Block (KRB). Key Recovery procedures ensure that only authorised customer key recovery administrators can recover stored private keys. BT Ignite never sees the private key, but merely unlocks the KRB after validating administrator identity, thus allowing the administrator access to the session key, which can then be used to recover the original private encryption key. This approach provides a high level of security, since even if the customer�s database of private keys is stolen or copied, no private keys are endangered, as unauthorised personnel cannot get the triple-DES keys unless unlocked by BT Ignite, and without those keys the private keys cannot be accessed. All recovery actions are logged at BT Ignite, so even if customer administrators are compromised, no private keys can be recovered without leaving a clear audit trail, and both single and dual control models of key recovery are supported if required. Trusted Messaging for Microsoft Exchange Trusted Messaging for Microsoft Exchange integrates with Microsoft Exchange Server to distribute digital certificates to users of Microsoft Outlook email software, and publish certificate information to the Exchange Server directory. Outlook users can access other users� certificates from Exchange�s Global Address List (GAL). This integration with the GAL enables users to easily exchange digitally signed and encrypted e-mail and keeps the directory of user certificates up to date. Trusted IPSec for Check Point integrates VeriSign Managed PKI digital certificates with Check Point VPN-1 to enable an organisation to set up Virtual Private Networks (VPNs). An organisation�s servers can use Check Point and digital IDs to authenticate any user or other server before granting access. Servers can then establish encrypted and secure communication channels between themselves and the user or server. This secure communication channel (the Virtual Private Network), along with authentication, allows the organisation to connect mobile or remote Windows users to enterprise networks over Internet or intranet connections. Secure Server Managed PKI enables an organisation to issue and manage multiple Secure Server IDs within a domain, and safeguard all Web servers in one enrolment. With Secure Server IDs, Web sites are able to identify themselves to clients (browsers) and initiate Secure Sockets Layer (SSL) sessions. SSL creates a secure connection between a client and Web server using digital certificates that enable encryption and decryption of transferred data. Secure Server IDs engage in 40-bit SSL sessions for export version browsers, and 128-bit for non-export version browsers. To enable persons using �export� (40-bit) browsers to benefit from 128-bit SSL sessions, VeriSign � in association with the US Bureau of Export Administration, Microsoft, and Netscape � has developed the Global Server ID. A Global Server ID is a special type of Server ID that, in addition to authenticating a Web site, ensures that all visitors with a 3.0 or newer browser version can engage in 128-bit SSL sessions. Global Server IDs �step up� an export version browser SSL session from 40- to 128-bits. Financial institutions, insurance companies, health/medical organisations, online merchants, and foreign subsidiaries of U.S. organisations are examples of merchants who qualify for a Global Server ID. Global Server Managed PKI offers turnkey issuance of multiple Global Server IDs within a domain, and enables a company to safeguard all Web servers in its domain with one simple enrolment. IPSec is a framework of open standards for ensuring secure private communications over IP networks at the network layer. Managed PKI for IPSec enables an organisation to issue and manage digital certificates for IPSec compliant devices, routers and firewalls. The certificates encrypt and authenticate data sent between these devices, creating a secure Virtual Private Network (VPN). Since Managed PKI for IPSec works on the network layer, digital IPSec certificates can also be used to secure communications between company offices, business partners, and remote users over the Internet, eliminating the need for dedicated, leased communications lines and costly, hard-to-maintain modem pools. This is without a doubt one of the biggest attractions of Managed PKI, since there is no requirement for any software or hardware installation on the customer�s site. This still does not make it the quickest system to get up and running, however, since there is an involved procedure to go through in terms of registration, company verification, contract completion, and so on before BT will allow you to finally get your hands on your own PKI. Enrolment is performed via a Web page on the BT site, where the administrator enters details about himself and his organisation. Managed PKI Administrators manage the service using a standard browser, authenticating, approving, and rejecting Certificate requests, and issuing and revoking Certificates. Many organisations choose a Human Resources representative, an IS manager, or a security/badging officer to be their Managed PKI Administrator. Managed PKI uses the Company/Department/Agency and the optional Division/Organisation/Project fields entered on the enrolment form to constitute the "domain" or "affiliation" associated with all of the Subscriber Certificates, and Subscribers will inherit those fields as part of their Certificate identity.
After the first Managed PKI Administrator has been successfully enrolled, additional Administrators may be enrolled (for an additional charge) to help manage separate unique domains. Each administrator can be assigned one or more roles, allowing them to assign roles to other administrators, to configure the PKI, or to process certificate requests. The default setting if none of these roles is assigned is to allow read-only access only, for auditing and reporting purposes. If it is necessary to have separate Division/ Organisation/ Project affiliations associated with a Company/ Department/ Agency, each one becomes a separate domain. Once the enrolment information has been completed and submitted (during which process a key pair is generated), the Administrator must print out a contract and submit by post to BT (along with some means of confirming the authenticity of the company). BT will then verify the submitted details (by phone checks and other means) before creating the PKI and issuing the Administrator certificate. The Administrator is informed via e-mail that the certificate is available for collection, and is provided with a PIN number. By visiting a specific Web page and entering the PIN number and a secret challenge phrase which was entered during the registration process, the certificate is issued and installed in the Administrator�s browser. Once this has been installed, it provides access to the Managed PKI Administration Control Centre. The CA software used by VeriSign and BT for their Managed PKI offering is based on a version of the original RSA Keon software (somewhat enhanced and improved, of course, since VeriSign was spun off from RSA). However, given that the administrator is never actually exposed directly to the CA software, this is largely irrelevant, other than to demonstrate the pedigree of the underlying code. Currently, all CA operations are performed in one of two secure locations, protected by extensive military-grade physical as well as data security measures. The VeriSign secure centre is in Mountain View, California and cost in the region of �6 million to create. It has a certificate issuing capacity of approximately 20,000 certificates per day. The BT secure centre is in Cardiff, Wales and cost approximately �4 million to create. It has an issuing capacity of approximately 10,000 certificates per day. None of the operation or configuration of the CA need concern the end-user organisation, however, making this section of Managed PKI the most straightforward of all those we have reviewed. The steps below illustrate what happens when an end user requests, is approved for, and retrieves a certificate using the basic Managed PKI installation.
The RA operations are performed by the Certificate Administrator using the Certificate Administration Control Centre, a Web-based admin interface that provides access to the Managed PKI CA services. On accessing the Control Centre, the Administrator is prompted to authenticate himself and is asked to present the digital certificate that was issued by BT. Security for this certificate is thus of vital importance, and smartcard support is available for this purpose. The Control Centre provides menus for Configuration, Certificate Management, software/documentation Download, and Managed PKI News. The links in the Configuration menu open a variety of Configuration Wizards, allowing the Administrator to tailor the Managed PKI service to meet individual corporate needs. The following Wizards are available: Policy Wizard: This is the most important of all the Wizards initially, since it provides the means to design the certificate enrolment form and to specify the contents of the organisation's certificates.
When configuring the policy using the Wizard, the administrator can provide an e-mail address for subscriber questions, select the Cryptographic Service Provider (Enhanced, Basic or Other) and key size (512 or 1024 bytes), choose whether to allow the subscriber to select whether or not protect the private key, and customise the subscriber enrolment page. Care should be taken when selecting the CSP and key size that low-grade crypto products (such as those available for export from the US until recently) are not excluded from using the PKI by selecting a key size that cannot be generated by the required CSP. When customising the subscriber enrolment page, the Last Name, First Name and E-mail Address fields are always required, and a number of additional fields (Title, Employee Number, Mail Stop, State, Country and Locality) can be selected to appear. It is also possible to define up to three additional custom fields that are specific to the subscriber�s organisation and can be used for further identification or authentication purposes.
The next step is to customise the certificate itself. Whereas the fields which make up the Distinguished Name must always be in the certificate, the administrator may not wish to include all of the additional information that the subscriber entered on the enrolment page. For example, subscribers may be required to enter the number of their last pay advice as a shared secret that is used to authenticate the certificate request. This information is used only to make the decision whether to approve a certificate for the person and has no value in identifying the subscriber, and therefore should not be included in the certificate. Depending on the agreement with BT, the Managed PKI service operates under either a public hierarchy or a private hierarchy with a private Certificate Authority (CA) for the end-user organisation. The default for the public hierarchy is that all certificates will be published in the BT/VeriSign central directory, whereas the default for private CA�s is that certificates are never published. These defaults can be reversed if required, or the subscriber can be asked for their preference. Finally, the Administrator can specify the validity period of the certificate. The default for this is one year, though this can be reduced down to one week where necessary. The renewal �reminder period� must also be configured, this being the amount of time before certificate expiry when the subscriber is prompted to renew. If no Managed PKI options have been purchased, the PKI is fully configured once this Wizard has been completed. Certificates can then be requested for browsers and browser-based e-mail packages like Netscape Communicator or Microsoft Outlook. It is also possible to create policies for Secure Server and IPSec certificate services if required.
If the Local Hosting option has been purchased for Managed PKI, the Policy Wizard performs extra steps to specify configuration settings that further tailor the Managed PKI service. These settings are then used to generate a policy file that holds a complete list of the configuration choices. The policy file is downloaded and used with template files from the Managed PKI CD to generate the pages that subscribers will use to request certificates and to perform certificate management activities (the lifecycle services pages). The completed pages are then hosted on the local corporate Web server, and this obviously provides the means to further customise the look, feel, and operation of the enrolment process. Note that it is still only the enrolment �front end� that is hosted locally � the CA operations still reside with BT. CSR Enrolment Wizard: It is possible to support non-browser applications that enrol for certificates using a Certificate Signing Request (CSR). The CSR Enrolment Wizard enables the administrator to make that choice and to generate appropriate enrolment pages. Logo Wizard: The Logo Wizard allows the Administrator to further customise the enrolment process by displaying the company logo on the certificate enrolment page. This is limited to a single GIF file of approximately 100 pixels wide by 63 high, however. E-mail Wizard: Using the E-mail Wizard, the Administrator can customise Managed PKI's automated e-mail messages (enrolment confirmation, approval, renewal, and rejection).
Authentication Wizard: The Authentication Wizard determines whether to allow certificate pickup PINs to be distributed directly to end users or to require them to contact the Administrator or a third party to receive pickup PINs. This enables an organisation to enforce a personal presence authentication model. Administrator Roles Wizard: The Administrator Roles Wizard enables delegation of all or some Administrator responsibilities to multiple certificate Administrators as required. There are four Administrator roles:
Install CA: The Install CA link provides an automated means to install the organisation's CA certificate into client and server applications. This enables those applications to trust messages signed or encrypted using subscriber certificates signed by the organization's CA Renewal Wizard: The Renewal Wizard enables the Administrator to specify the method that subscribers use to request renewal of expiring certificates. One month (configurable) before the certificate is due to expire, the system generates an e-mail message to the subscriber informing them of the impending event and inviting them to visit a URL to renew the certificate. Subscribers can also submit a renewal request via the Digital ID Centre (see Client section). When the subscriber submits the renewal request, it is possible to provide instant issue of new certificates without Administrator intervention, or the Administrator can perform a manual approval, similar to the initial enrolment process. Subscribers must always initiate this process with a renewal request, however, since there is no client-side software to provide automatic key update. Download OCSP Cert: This link provides the means for the administrator to download and install the digital certificate for the OCSP responder in binary X.509 format. The Certificate Management menu provides the day-to-day processing functions for the Administrator.
From this page, he can process certificate applications, review certificate status, revoke certificates, and generate reports and directory data. Possibly the most important option is Process Requests. Clicking this brings up a list of all certificate applications that are pending approval. Requests can be assigned to other Administrators (if multiple Administrators have been configured) or can be immediately Approved or Rejected. It is also possible to view details of the request and add comments which will be stored against the request and e-mailed to the subscriber.
With the default Managed PKI offering, all enrolment requests must be processed manually in this way. However, there is also the Auto Admin option (available at additional cost), a slick offering which allows the approval and issue of certificates to be performed automatically based on a number of Administrator-defined rules. With Auto Admin, an applicant accesses a certificate enrolment form on the Local Hosting Web server via their browser. The applicant enters enrolment data and authentication data (a shared secret or PIN), and the public key is generated by the browser. The applicant then submits the request, and the Local Hosting server runs a CGI program called Sophialite, provided by VeriSign (it is thus necessary to implement Local Hosting in order to use Auto Admin). Sophialite calls the AA server, which extracts the data and compares it with the authentication data in the verification data source. At their simplest, the identity verification rules are simply entered into a text file on the corporate server used to host the Managed PKI Web pages . More complex options include the ability to query LDAP or ODBC databases in order to provide the required subscriber authentication � these can be Human Resources databases or LDAP directories containing information such as security access levels, purchase limits, or other information that is used in the final certificates. An option called Passcode Authentication is also available, whereby the authentication database is created by the customer but uploaded to BT for hosting (therefore Local Hosting is not required). When the subscriber request comes in to the Auto Admin server, the rules database is checked and the result can be approved, pending or rejected. Only the pending result requires Administrator intervention, since it then reverts to being a normal manual enrolment request, processed as detailed previously. If rejected, the subscriber is informed of this automatically and no further action is taken, though all Auto Admin functions are logged, of course, for review by the Administrator.
If the request is approved, a Certificate Signing Request (CSR) is generated and sent off to the Managed PKI CA via a secure SSL3 connection. A Luna CA token is required in the Auto Admin server to ensure that the CSR is not �spoofed� by another machine. At the CA, an encryption key pair is generated and the CSR is assembled into a certificate, signed and returned to the subscriber � no further Administrator intervention is required. Getting back to the Certificate Management menu, the View Requests and View Certificate options are self explanatory, with each providing the Administrator with the ability to view by subscriber name or e-mail address, and filter by date and certificate status (pending, approved, revoked or all). The final options on the Certificate Management menu (other than reporting options which are covered in the next section) include Revoke Certificates, and the ability to download both the CRL (as a PKCS#7 file) and all directory information (as an LDIF file) to allow automatic update of a local LDAP directory. The Premium Revocation option enables customers to upgrade the frequency of the refresh rate for the CRL from the default 24 hours to hourly for each of their CA�s. The use of an OCSP responder provides real time certificate verification services. Reporting and auditing within Managed PKI is fairly basic.
Apart from the certificate and pending request view options covered in the previous section, an Administrator Audit Trail is available via the Certificate Management menu, as is a complete history of certificate activity. All reports except the Certificate Activity History are viewed on-line, whilst the latter is made available in CSV format for download and post-processing. Managed PKI subscribers are provided with a URL for the Digital ID Centre for their particular CA. During enrolment, the subscriber is prompted for the usual name and e-mail address, plus any additional fields that were defined in the certificate template by the Administrator. A challenge phrase is also requested, to be used whenever the subscriber wishes to revoke his/her own certificate. Depending on the options selected by the Administrator when creating the policy, the subscriber may or may not be offered a choice of CSP or whether or not to protect the private key. Finally, the subscriber is given the option of entering comments. In some cases, the Administrator may instruct the subscriber to enter Shared Secret (information known only to the subscriber and the Administrator) information in this field. The Administrator uses this shared secret to further authenticate the subscription request, and the comment is not included in the certificate. Once the request has been approved, the subscriber will receive an e-mail with a PIN number for certificate retrieval. The Digital ID Centre provides a Pick-Up ID option, where the subscriber enters the PIN number, following which the certificate is downloaded and automatically installed in the browser or smartcard device.
Also on the Digital ID Centre menu page are options for searching for, renewing and revoking certificates. Subscriber names or e-mail addresses can be entered as search criteria, and a list of certificates is returned. Individual certificates can then be examined in detail, downloaded or revoked. Whether revoked here or via the main menu Revoke option, the user is prompted for the challenge phrase entered during enrolment as additional authentication, along with a reason for the revocation request. The Renewal option searches the user�s browser for any certificates which are about to expire and presents them for renewal. After a subset of the original enrolment information is entered, the request is forwarded to the Administrator and a new certificate is issued. The final option is Install CA, which simply installs a copy of the Managed PKI CA Root certificate in the user�s browser to provide a complete trust hierarchy for certificate verification. When we first looked at Managed PKI (then called OnSite) it was still in its infancy and client-side software was only just beginning to appear. Now, client-side tools such as the Personal Trust Agent (PTA) are helping to improve and streamline the user experience by making applications PKI aware. The PTA is a browser plug-in that enables subscriber authentication and authorisation, together with transaction signing and verification. At the Web server, another plug-in seamlessly adds PTA-secured access control to the corporate Web site. The PTA uses digital signatures for authentication, checks the certificate revocation list (CRL) to ensure that a presented certificate is valid, and uses a configuration file to specify the Web resources that require protection. In an attempt to simplify the user interface, the PTA holds certificates and keys in a common store, enabling end users to use any browser to access the required resource. Certificates are presented to the user as on screen �credit cards� during logon or authentication operations.
A clever piece of software known as the Certificate Preference Management Control software determines which of the subscriber�s certificates are applicable to the current use and presents only that list of certificates to the subscriber. For example, for a subscriber who banks with two different institutions and is accessing Bank A�s page, the PTA inspects each certificate and presents only valid Bank A certificates. It does not present expired certificates or Bank B certificates. The subscriber selects the appropriate certificate when attempting to access a protected resource, and the PTA server then authenticates the subscriber. If successful, the PTA server determines whether the subscriber is authorised to access that particular resource. If access is authorised, the resource is displayed � if access is not authorised, an error page is displayed. After the first authentication, the end-user has transparent access to the resources that he is allowed to access. The PTA enables an organisation to add transaction signing to HTML pages, and invoke the PTA to generate digital signatures. It also includes server-side components that enable the application to verify a signature. In addition, the Agent is capable of detecting when users do not have relevant certificates and automatically directing them to the appropriate Managed PKI enrolment page. Similarly, owners of expired and about-to-expire client certificates are redirected automatically to the appropriate Managed PKI certificate renewal page. One of the biggest problems in many PKI deployments is the fact that client-side software rarely forces the use of the certificates that are issued to end users. The PTA puts those digital certificates to use in controlling access to Web resources and/or signing Web transactions. Certificate Validation Module (CVM) The Certificate Validation Module (CVM) is the Web server plug-in module that provides access control capabilities for the PTA. It runs under Netscape Enterprise Server 3.x, iPlanet Enterprise Server, Microsoft IIS 4.x, Microsoft IIS 5.0, or Stronghold 3.0. The CVM checks the validity of all client-authentication certificates presented to the Web server using either CRL status checking or OCSP status checking. The CVM can read and acquire (and verify, of course) CRLs from any combination of local files, HTTP servers, or LDAP servers, caching them into a local directory on the Web server and refreshing them when necessary.
During a Secure Sockets Layer (SSL) session, the Web server requests a certificate from the client. The CVM verifies that the certificate has not been revoked, and ends the transaction if the certificate is not valid. If the CVM ever determines that its CRL information has become out of date, it automatically attempts to re-acquire the CRLs. If a more �real time� status check is required. the CVM can forward client certificate data directly to an OCSP responder server across an Internet connection in the form of an OCSP request. The OCSP responder verifies the certificate�s status (valid, revoked, suspended, expired or unknown), creates and digitally signs an OCSP response, and returns the response to the CVM. Based on the response content and signature returned by the OCSP responder, the CVM grants or denies access to the Web server or other resource. Trusted Messaging for Microsoft Exchange Trusted Messaging for Microsoft Exchange PKI-enables the Exchange and Outlook environment providing seamless access to digital certificates for all users on an Exchange Server. Trusted Messaging integrates with Microsoft Exchange Server to distribute digital certificates to Outlook users and publish certificate information to the Exchange Server directory, and as a result, Outlook users can access other users� certificates through the Exchange Global Address List (GAL), as well as being able to exchange digitally signed and encrypted e-mail within the organisation. Interoperability with other S/MIME e-mail clients can also allow users to communicate securely with business partners, customers, and suppliers over the Internet.
As with the normal certificate request operations within the Managed PKI system, the end user (subscriber) enrols for a certificate through a Web page that is hosted on the organisation�s Registration server. However, in this case, most � if not all � of the information required during enrolment can be retrieved automatically from the Exchange Server database, making enrolment a simple matter. Where an organisation is using Local Hosting and Automated Administration (as we were in testing) it is possible to use NT authentication as the authentication method. NT Authentication checks user credentials to confirm if information in the user�s certificate request matches information contained in that user�s mailbox. Providing the user has entered his login name and password when logging on to the machine from which he is enrolling for a certificate, it is not even necessary to enter a password while enrolling for a certificate. In the Auto Admin model, the subscriber request is approved automatically, the certificate is delivered immediately to the user, and the Exchange Global Address List (GAL) is updated. It is also possible to use a manual approval method, in which case the end user receives an e-mail notification to pick up the certificate, and then the GAL is updated at that point. Directory replication enables reciprocity between each user�s mailbox and the corresponding user objects in the Active Directory.
Once certificates have been deployed, it is possible to force Outlook to perform certificate revocation-checking by using the �CRL Distribution Points� extension in the end-user certificate. If this is set in the End User Policy, Outlook automatically opens up a URL pointing to the CRL that is present in the �CRL Distribution Points� certificate extension, allowing the user to check to see if the certificate is on this list. The revocation-checking feature appears on the end user�s machine once the end user certificate is installed. Obviously Managed PKI is a bit of a strange beast compared to the other PKI products we have reviewed, since it is the only one that provides a completely managed PKI facility. As you may imagine, this can be something of a mixed blessing. On the down side, we found that the fact that all Administration was taking place over the Internet rather than a corporate intranet meant that administration tasks became cumbersome and slow on occasion as general Internet traffic increased during the day. We also noted slow response times between approving certificates and the user receiving the confirmation e-mail. On the up side, we found that we had one of the most advanced CA installations at our disposal, including outstanding physical and data security measures and disaster recovery procedures to safeguard our certificates, and it didn�t cost us a single penny in up-front capital to create this marvellous facility. We noted that it was very simple to create security policies and modify enrolment forms and certificates to a limited degree. We also thought that Managed PKI offered remarkable flexibility when combined with the Local Hosting and Auto Admin options. The client-side software offerings have been expanded and improved considerably since we last looked at this product, enabling common end-user applications to be PKI-enabled to a much greater degree, whilst providing the user with virtually seamless PKI operation. Exchange and Outlook users in particular will appreciate the simplified enrolment and automatic loading of certificates into the Exchange directory. The combination of Personal Trust Agent on the desktop and Certificate Validation Module at the server also provides a transparent means of enforcing certificate status checking, together with certificate-based authentication and authorisation for Web-based applications. In use, this could not be much simpler, and is a great step forward in actually forcing users and applications to use the certificates with which they have been issued. When it comes to pricing there are a couple of things to consider. The first is that you are paying an annual charge for Managed PKI, not a one-off cost. We found that Managed PKI can appear very expensive for large deployments, and this is compounded by the fact that the costs are levied again and again each year. However, this does need to be balanced against the fact that with an outsourced solution such as this, there is no need for the extensive human resource, infrastructure (hardware and security) and other costs incurred when operating a full-blown PKI in house. At the other end of the scale, however, Managed PKI was almost unrivalled for smaller implementations of 1000 users and under. Pricing at the low end has become even more flexible � and attractive � in the current release with price breaks from as low as 25 users now (the lowest used to be 500) under the Managed PKI Lite offering. Coupled with the fact that � as with the larger implementations � there is no requirement for trained CA personnel, secure, redundant facilities, and so on and Managed PKI becomes almost unbeatable for smaller CA�s or pilot implementations. Product
name: VeriSign
MPKI 4.5.1 Click here to
go to the BT Checklist |
Security Testing |
Send mail to webmaster
with questions or
|
