Entrust has been in the PKI market since 1994, and such is the power of the company and the strength of its products that many of the Entrust technologies are fast becoming de facto standards in their own right. Many third-party developers are thus keen to make their products "Entrust Ready". The latest release of the Entrust/PKI software, version 5.0, has been available for almost a year at the time of writing, and has thus had plenty of time to settle down as a stable and robust offering.

The Entrust infrastructure consists of seven core components:

Entrust/Authority is the central component of an Entrust system. As the Certification Authority (CA), Entrust/Authority creates encryption key pairs and signs all certificates in the system. Entrust/Authority also contains a secure database to back up users' encryption key pairs. Besides handling user initialisation and key update requests, Entrust/Authority issues certificate revocation lists (CRLs) and performs cross-certification operations with other trusted Certification Authorities (using either a peer-to-peer or hierarchical cross-certification model).

The Directory is a publicly accessible store for users' encryption public key certificates and CRLs. Client-side workstations, Entrust/Authority, AutoRA and Entrust/RA all communicate with the Directory using the Lightweight Directory Access Protocol (LDAP).

Entrust/RA is the graphical interface to the Entrust system, used by Security Officers and Administrators to manage users and certificates, process certificate requests, revoke certificates, perform reporting and auditing, and so on. Role-based permissions mean that it is possible to have different SOs and Administrators performing different tasks.

Entrust/AutoRA eliminates administrator involvement in user enrolment and user authentication by providing flexible Web-based self-registration and automatic authentication for users. Using back-end authentication and a shared secret to authorise the registration process, AutoRA allows remote users to acquire a digital certificate immediately via a browser interface.

Entrust/Profile Server: in previous versions of Entrust/PKI it has been necessary to store the Entrust profile on the user desktop, which could cause problems in organisations where desktop roaming was common. It is now possible to create "roaming profiles" as well as "desktop profiles" and store these in the Profile Server. When a roaming-enabled user wants to begin work on an independent PC or kiosk, they simply type the name of their profile and password and are quickly able to begin working, as credentials are retrieved securely from the Profile Server. When the user logs out, their credentials are deleted automatically and securely from desktop memory.

Entrust/Timestamp provides secure time stamping services to Entrust users, offering support for notarisation services that require non-repudiation.

Entrust/Entelligence provides a common, single layer of security that allows users to log in once to all applications. Seamlessly integrated into the desktop environment, Entelligence transparently and automatically manages certificates, encryption, digital signatures and other security issues on behalf of the user. The underlying engine within Entelligence is the run-time software implementing the interfaces in the tool kits. Entrust-aware applications communicate with Entrust/RA, AutoRA and the Directory through the Entelligence engine. Besides communicating with core Entrust components, the engine provides access to the user's chosen method for storing keys (hardware or secure disk file).
A number of complementary products are available, including:

Entrust/Web Connector allows Administrators to issue Web certificates to standard Netscape and Microsoft Web browsers and servers for S/MIME, SSL and object-signing applications.

Entrust/Commerce Connector allows Administrators to issue SET certificates to SET cardholders, merchants and payment gateways to support secure credit card transactions over the Internet.

Entrust/VPN Connector distributes certificates to VPN devices such as routers, VPN gateways, firewalls and remote access devices that use standard PKCS#10 certificate requests or Cisco CEP/SCEP protocols.

Entrust/WAP Connector provides the ability to issue Wireless Application Protocol (WAP) server certificates and other wireless digital certificates, giving mobile devices and applications, such as e-commerce servers, end-to-end security through strong encryption and authentication.

Entrust/DesktopDesigner allows the administrator to fully customise desktop installations and create a single install file.

Entrust-Ready applications, such as Entrust/Express (e-mail), Entrust/TrueDelete (secure file deletion) and Entrust/ICE (file/folder encryption).

Entrust also provides a family of high-level security application programming interfaces (APIs) and tool kits to developers free of charge. The APIs provide security services, including full key life-cycle management, to a broad spectrum of applications.

As provided for review, the product runs under NT Server (though it is also available on Sun, HP and AIX platforms) and uses an Informix database as a repository for system-related data (though not as a store for the certificates themselves). Oracle is also supported in version 5.0 of Entrust/PKI, though it must be purchased separately. Something else that must be purchased separately with the latest release is the LDAP directory.
Entrust/Directory is no longer provided out of the box, but the company resells the Peer Logic/Critical Path Live Content X.500 directory for those who do not have their own LDAP-compliant directory already deployed. For many organisations considering PKI deployment, this is not a problem.

Installation is reasonably straightforward, if a little tedious. It is certainly not a case of launching the install routine and letting it go: several stages are involved, though everything goes smoothly enough if the excellent documentation is followed to the letter. We found that the installation process had been streamlined slightly from previous versions, and getting the basic CA and related components up and running took very little time. There was some extensive configuration required once we attempted to install AutoRA and Profile Server, however, the former in particular requiring numerous changes to various config files and Web pages before everything was nicely integrated and running smoothly. At the end of the day, there was nothing particularly tricky about the installation (which, of course, is a one-time-only process) provided the documentation is followed closely, and Entrust usually provides Professional Services support for this.

Though Entrust would recommend otherwise, it is possible to run the various components on a single machine if required, and there is a separate section in the installation guide on this method of configuration. Note that it is now possible to support multiple CAs on a single host, which makes Entrust/PKI more attractive for managed service providers. In support of this, there has also been some work done behind the scenes to enhance the scalability of the Release 5 product, and Entrust reports CAs tested with over five million users (over ten million certificates).
When it comes to installing the various Entrust client components, these can be installed individually from the CD if required, or the administrator can make use of the DesktopDesigner. This is a utility that allows the administrator to build an optimal custom install package for each user or group of users, selecting from a checklist of all the available applications (and even individual components within applications) and configuration files, as well as answering all install-time questions ahead of time and storing the responses as part of the distribution. The result is a self-extracting .EXE file that is simply run on the user's PC to install and configure all the appropriate Entrust components in one hit, with no intervention required by either user or administrator. The installation can even be set to run "silently", allowing the install files to be located on a central server and called via the user's login script, thus completing the install without the user being aware.

There is not much to do as far as the Certificate Authority is concerned in Entrust, since it tends to operate very much as a "black box", with little administrator intervention required. The Entrust/Master Control is the ultimate administration point for the Entrust PKI system. Here is where the master administrator can perform all necessary Informix database administration such as backing up, validating the contents and re-encrypting if necessary. Backing up does nothing more than take a snapshot of the database contents to disk; it is up to the administrator to arrange to transfer that snapshot to some form of off-line storage medium, and the whole process can be fully automated.

A number of different "roles" are used within Entrust, the highest authority being the "Master User", who will physically access the PKI host, as well as create and recover "Security Officers".
SOs perform sensitive operations such as setting security policies, adding and deleting other SOs and Administrators, cross-certifying with other CAs, and so on. Everyday operations are undertaken by the "Administrators", whose jobs include adding, removing, maintaining, revoking and recovering users.
It is possible to specify that more than one Security Officer or Administrator needs to log on before important tasks can be performed: the equivalent of having to turn two keys simultaneously to fire the nuclear missile! Should SOs forget their passwords, it is possible to recover their profiles from here. Forgetful Administrators can be recovered by SOs via Entrust/RA. Be warned, however: if the Master Users should forget their passwords, you are completely locked out of the system. No back doors!

The CA signing key needs to be managed securely to ensure the integrity of the trusted e-business transaction. CA signing keys can be stored in hardware if required (a range of HSM devices are supported), and Release 5 has introduced CA key rollover, so that now even the CA signing key can be updated automatically and seamlessly for all users of the PKI. This feature, like user key update, is an automatic and transparent operation that updates the CA signing key before the expiry date to enhance security. This process allows administrators to choose the appropriate CA key lifetime and algorithm for their organisation while making that policy transparent to the end user.

Cross certification is supported by Entrust/PKI, allowing multiple CAs to securely exchange keying information to provide mutual trust for their employees. The process is similar to creating user profiles, though the operation obviously needs to be completed at both CAs, and this can be done on-line or off-line. Once the trust is established, the certificates can be managed, updated and revoked in the same way as user certificates. One advantage of this is that sub-CAs in a hierarchy can be revoked without compromising the root CA certificates in any way. Entrust/PKI 5.0 supports both hierarchical and peer-to-peer cross-certification to allow organisations to build a PKI network of their choosing.
The hierarchical trust model reflects the centralised control that is typical in many institutions and associations, where a single root CA maintains a chain of trust with the subordinate CAs that it certifies. Hierarchical cross certification is thus ideally suited to large organisations which require their root CA to have maximum control over all subordinate CAs within the organisation's hierarchy. The peer-to-peer model is a distributed trust model that reflects the direct one-to-one relationships typical in a business environment, where several peer CAs (each peer CA could represent a business unit, for example) establish a dynamic network of trust, and the end users of each CA trust their immediate CA. Peer-to-peer cross certification is thus ideally suited between organisations where maximum flexibility is needed to form and revoke trust relationships with other organisations as changing business needs dictate.

Fine-grained control is provided in order to limit trust relationships between CAs. Policy networking provides the means to establish limited trust between CAs to mirror business relationships between or within organisations. This is achieved by:
Entrust/PKI was the first PKI solution to provide secure time stamping of data. Entrust/Timestamp provides secure, trustworthy time stamping services within the Entrust/PKI framework, allowing an accurate time stamp to be applied to any data in support of applications which require absolute statements of time, such as financial transactions. As time stamping is incorporated into e-commerce applications in the future it will provide a secure framework for complete non-repudiation, since it will always be possible to identify the originator of a transaction, as well as to date and time it precisely.

Certificate revocation is something to which Entrust has given a lot of thought. The standards-based method of maintaining, distributing and checking Certificate Revocation Lists (CRLs) is cumbersome, subject to latency and definitely not scalable. Entrust splits its CRL into small blocks (a maximum of 750 certificates each), and each CRL entry consists only of the certificate serial number. Each certificate has a space pre-allocated for it in the CRL at the time of creation, and the certificate itself contains a pointer to that CRL entry. Thus, when a client wants to check the status of a certificate, it knows exactly where to look for the CRL entry, and it only has to download a small subset of the revocation data in order to check. In addition to this, the Entrust/RA program provides the means to issue CRLs immediately, thus reducing the latency problem significantly. The technology behind CRL Distribution Points (originally developed by Entrust) was offered to the standards bodies and has now been adopted as part of the relevant standards as an optional feature. Naturally, Entrust/PKI can also issue a single CRL for compatibility with other products.

Entrust/RA is where users are registered, updated, revoked, recovered and deleted, and any number of remote RAs can be supported per CA.
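The partitioned revocation check described above (fixed-size CRL blocks, a pointer in each certificate to the block that holds its entry, and a relying party that downloads only that block) can be modelled in a few dozen lines. The following is an added example written for this review, not Entrust's code; the block naming scheme ("crl-<n>"), the JSON encoding and the HMAC standing in for the CA's signature on each block are assumptions chosen for the illustration.

```python
"""
Partitioned CRL model: the CA pre-assigns every serial number to a block of
at most BLOCK_SIZE entries at issue time, the certificate carries a pointer to
that block, and a relying party fetches and verifies only the block it needs.

Added example for this review; not Entrust code. Block naming, JSON encoding
and the HMAC used in place of a real CA signature are assumptions.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Set

BLOCK_SIZE = 750  # maximum certificates per CRL block, as stated in the review


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    crl_pointer: str  # distribution point: the block that will hold this serial


class PartitionedCA:
    """Issues serials sequentially and reserves each one a slot in a CRL block."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key          # stand-in for the CA signing key
        self._next_serial = 1
        self._revoked: Dict[str, Set[int]] = {}
        self.crl_number = 0              # bumps on every immediate issue

    @staticmethod
    def block_for(serial: int) -> str:
        return f"crl-{(serial - 1) // BLOCK_SIZE}"

    def issue(self, subject: str) -> Certificate:
        serial = self._next_serial
        self._next_serial += 1
        block = self.block_for(serial)
        self._revoked.setdefault(block, set())  # pre-allocate the block
        return Certificate(serial, subject, block)

    def revoke(self, cert: Certificate) -> None:
        self._revoked[cert.crl_pointer].add(cert.serial)
        self.crl_number += 1  # new CRL available immediately, no schedule wait

    def publish(self, block: str) -> bytes:
        """Serialised, authenticated block exactly as a client would download it."""
        body = json.dumps({"block": block, "number": self.crl_number,
                           "revoked": sorted(self._revoked.get(block, set()))}).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        return body + b"\n" + tag

    def publish_full(self) -> List[int]:
        """What a single monolithic CRL would have to carry, for comparison."""
        return sorted(s for block in self._revoked.values() for s in block)


class RelyingParty:
    def __init__(self, ca: PartitionedCA, verification_key: bytes):
        self._ca = ca
        self._key = verification_key
        self.entries_downloaded = 0  # how much revocation data we actually pulled

    def fetch_block(self, block: str) -> dict:
        raw = self._ca.publish(block)
        body, _, tag = raw.rpartition(b"\n")
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag.decode()):
            raise ValueError("CRL block failed integrity check")
        data = json.loads(body)
        if data["block"] != block:
            raise ValueError("CRL block does not match certificate pointer")
        return data

    def is_revoked(self, cert: Certificate) -> bool:
        # Follow the pointer in the certificate; never touch the other blocks.
        data = self.fetch_block(cert.crl_pointer)
        self.entries_downloaded += len(data["revoked"])
        return cert.serial in data["revoked"]


if __name__ == "__main__":
    ca = PartitionedCA(b"constructed-demo-key")
    certs = [ca.issue(f"cn=user{i}") for i in range(1, 2001)]
    for c in certs[::100]:
        ca.revoke(c)
    rp = RelyingParty(ca, b"constructed-demo-key")
    print(certs[750].crl_pointer, rp.is_revoked(certs[0]), rp.is_revoked(certs[1]))
```

Two points the code makes that the prose only states: the relying party's `entries_downloaded` counter grows with the size of one block, not with the whole population of revoked certificates, and the `block` field inside each signed block stops a substituted (stale or wrong) partition from being accepted for a certificate whose pointer names a different one.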
It is also where security policy is defined, a procedure that often gets its own separate utility in other products. Instead, administrative capability in Entrust/PKI is also defined by policy, with the same utility providing different capabilities depending on the level of the person running it. A dual-pane GUI for the RA provides a hierarchical tree view on the left, with report results and object properties displayed in the right-hand pane when selected. The tree view contains branches for Users, Groups, Audit Logs, Searchbases, Security Policies and Certificate Authorities. New policy controls in Entrust/PKI 5.0 allow organisations to create RA operator Roles with defined responsibilities. Policy controls include:
Entrust provides a small number of built-in "Roles", including Security Officer, Administrator, Directory Administrator, Auditor and End User, each of which has a different set of permissions. In previous versions, the built-in Roles were fixed and new ones could not be added. Version 5, however, allows new Roles to be created (either based on existing ones or defined from scratch), in which it is possible to set permissions that specify which administrative operations (if any) the Role allows, and whether those operations require authorisation. The permissions are many and varied (for instance, defining which certificates and certificate types can be administered, whether the directory can be administered, and so on), allowing extremely fine-grained control of the administration of the PKI. It is also possible to create end-user Roles that have different client-side settings and no administrative permissions.

Each Role has a User Policy (or policy certificate, as it is also known) associated with it. The Policy contains a list of settings that are applied when members of that particular Role log in to client applications. These settings are changed by selecting a series of check boxes and entering information into text fields, covering such areas as password parameters, signature algorithms allowed, encryption algorithms allowed, and so on. The settings are contained within a certificate that is stored in the directory along with all other certificates, and changed (or new) Policies are applied automatically to affected users the next time they log on to the system. There is also a Master Security Policy for the PKI as a whole, which specifies such things as cross-certificate lifetimes, CRL lifetimes, and key pair algorithm and size.
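The two ideas in this section and in the earlier "two keys" remark (a Role is a set of permitted operations, some of which additionally require a second officer to authorise them) come down to one decision function. The following is an added example written for this review, not Entrust code: the role names are the ones listed above, but the operation names, the permission sets and the audit log line format are assumptions chosen for the illustration.

```python
"""
Role-based authorisation with second-officer approval ("dual control").

Added example for this review, not Entrust code. The built-in role names are
the ones the review lists; the permission sets, operation names and the audit
log line format are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    # administrative operations an operator holding this role may initiate
    permissions: FrozenSet[str]
    # the subset of those operations that additionally needs approval from a
    # second, distinct operator whose own role also carries the permission
    requires_authorisation: FrozenSet[str]


# Assumed permission model (role names from the review, operations constructed).
ROLES: Dict[str, Role] = {
    "Security Officer": Role(
        "Security Officer",
        frozenset({"set_policy", "add_administrator", "cross_certify",
                   "recover_administrator", "view_audit_log"}),
        frozenset({"set_policy", "add_administrator", "cross_certify"}),
    ),
    "Administrator": Role(
        "Administrator",
        frozenset({"add_user", "revoke_user", "recover_user", "view_audit_log"}),
        frozenset({"recover_user"}),
    ),
    "Directory Administrator": Role(
        "Directory Administrator", frozenset({"administer_directory"}), frozenset()),
    "Auditor": Role("Auditor", frozenset({"view_audit_log"}), frozenset()),
    "End User": Role("End User", frozenset(), frozenset()),
}


@dataclass(frozen=True)
class Operator:
    name: str
    role: str


@dataclass
class AuditLog:
    """Time-stamped record of every decision, allowed or denied."""
    entries: List[str] = field(default_factory=list)

    def record(self, outcome: str, operation: str, initiator: Operator,
               approvers: Tuple[Operator, ...]) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        names = ",".join(a.name for a in approvers) or "-"
        self.entries.append(f"{stamp} {outcome} op={operation} "
                            f"by={initiator.name}({initiator.role}) approvers={names}")


def authorise(operation: str, initiator: Operator,
              approvers: Tuple[Operator, ...] = (),
              log: Optional[AuditLog] = None) -> Tuple[bool, str]:
    """Decide whether `initiator` may perform `operation` given any co-signers."""
    role = ROLES.get(initiator.role)
    if role is None or operation not in role.permissions:
        verdict = (False, "operation not permitted for role")
    elif operation in role.requires_authorisation:
        # Dual control: the initiator may not approve its own request, and an
        # approver only counts if its role could perform the operation itself.
        eligible = [a for a in approvers
                    if a != initiator
                    and a.role in ROLES
                    and operation in ROLES[a.role].permissions]
        verdict = ((True, "approved under dual control") if eligible
                   else (False, "second authorised officer required"))
    else:
        verdict = (True, "approved")
    if log is not None:
        log.record("ALLOW" if verdict[0] else "DENY", operation, initiator, approvers)
    return verdict


if __name__ == "__main__":
    log = AuditLog()
    alice = Operator("alice", "Security Officer")
    bob = Operator("bob", "Security Officer")
    print(authorise("set_policy", alice, log=log))         # denied: needs a second SO
    print(authorise("set_policy", alice, (bob,), log=log))  # allowed under dual control
    print("\n".join(log.entries))
```

The denial paths are the interesting part for a reviewer of such a policy: an operator approving their own request and an approver whose role lacks the permission are both rejected, and every decision, including the rejections, lands in the audit log.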
Another feature that has been improved in the latest release, though not quite far enough in our opinion, is certificate modification. Certificate definitions are stored in the Entrust/Authority database, and the current settings can be exported to a text file from the Entrust/RA GUI. This text file can then be amended by hand, following the extensive documentation in the Admin Guide, and imported back into Entrust/RA. Using this method it is now possible to extend the user certificates in any way you wish, adding new fields that are to be included on the certificate, or fields for information to be collected at registration time and stored in the database but not actually written to the certificate. Once the master certificate specification has been imported back into Entrust/RA, the registration screen is updated automatically to reflect the new fields. This is all very much more flexible, and a whole lot easier, than in previous versions of Entrust/PKI, but it would still be nice to see the certificate definition part of the process accommodated by its own GUI interface.

Once you have your certificates and Policies defined (and bear in mind that many organisations might not need to do either of those things at all), registering new users is a cinch. Key update policies can be inherited from the certificate security policy or can be overridden on a user-by-user basis, setting key lifetimes in terms of months, or setting expiry dates directly for encryption, signing and verification keys. Security Officers can also prohibit Administrators from overriding the default key update policy. Once a user has been registered in Entrust/RA, a directory entry is made. The new user record contains a reference number and authorisation code which is used as a secret key to complete the registration from the client; this information should thus be transmitted to the user in as secure a fashion as possible.
The user must run some client software (such as Entrust/Entelligence) which will use the reference number and authorisation code to create the unique Entrust profile for that user and activate the user in Entrust/PKI. Alternatively, the administrator can create the profile in Entrust/RA at the time of registration, and then distribute the profile securely to the user.

Obviously, Entrust/RA necessitates the involvement of an administrator to effect end-user registration operations. This is not always convenient, however. Banks, for example, might prefer to allow their customers to register via a Web-based form at any time of the day or night without administrator involvement. In such cases, it would be necessary to positively identify an applicant at the back end in order to automate the registration process by the use of a shared secret key; banks would be in a position to do this, since they usually issue PINs to customers for their credit, debit or cash cards. Entrust/AutoRA has been developed to provide this level of functionality to Entrust/PKI. It supports the following operations without any administrator involvement:
AutoRA achieves automated registration by mapping specific fields on the Web form to a rule base at the server side. A Java servlet takes the requests from the user, and certain fields are compared with some form of back-end authentication service to positively identify the user via a shared secret. If this matches, the registration is approved and the appropriate data (the reference number and authorisation code to create an Entrust profile, for example) is passed back to the user via the Java servlet.

When the user first logs on to Entrust in a fully managed environment (i.e. when the client-side software is installed) he is prompted to create a new profile. The authorisation information is entered and the client and CA communicate to generate the public and private keys. The certificates are created and the directory populated, whilst the private keys are stored locally. In order to fully support non-repudiation, two key pairs are created: one for encryption and one for signing and verification.
The certificate is also exported to P7C and KEY files, allowing them to be sent to others so they can encrypt data. The P7C file is for non-Entrust users who have access to mail using S/MIME, whilst the KEY file is for other Entrust users who are outside the user's trust domain.

Entrust currently supports two methods for storing keys securely. Hardware key storage devices (tokens) are optional security components, such as PC cards, that contain cryptographic keys or algorithms (or both) for use in environments implementing strict security standards. Entrust supports the PKCS #11 standard interface to tokens, providing access to a range of secure smartcard and biometric devices. For environments not requiring tamper-proof tokens, secure software profiles can be used to store users' keys.

With respect to public-key algorithms, the security kernel supports the RSA algorithm for encryption and digital signature using 1024 or 2048 bit keys. The security kernel also supports the Digital Signature Algorithm (DSA) for digital signature (1024 bit) and the Diffie-Hellman algorithm for key exchange. In terms of symmetric encryption algorithms, the security kernel supports CAST, Triple-DES, DES, IDEA and RC2. Release 5 also includes Elliptic Curve DSA for signing, and AES support is available via the tool kits.

Entrust/RA can also be used to update key pairs, change the user's Distinguished Name, disable a user, or revoke a certificate. With Release 5.0, it is also possible to move a user between CAs. This is a necessary function in the "real world", where administrators need to be able to move users from a pilot system to a live system, or from CA to CA following a merger or acquisition, as seamlessly as possible. By transferring the user's decryption key history to the new CA along with the certificate data, the change-CA function ensures that users do not need to decrypt their existing data before moving.
Through Entrust/RA, it is also possible to initiate Key Recovery should a user's certificate expire or a password be forgotten. This sets in motion a procedure similar to the initial registration, but allows the user to retain a full key history once the recovery operation is complete. Naturally, only the encryption key pairs can be recovered in this way, since the signing keys never leave the client. Under normal circumstances, automatic key update before key expiry will all but eliminate this manual recovery scenario for most users. The only exceptions are those who fail to contact Entrust/Authority during the key update window, which may occur if a user does not log on for a long period of time.

Normally, Entrust stores its profile on the local hard drive of a PC (in encrypted form), unlocking it in response to a user password. This is a relatively secure approach, but has the disadvantage that it ties a user to a specific PC. If that user wishes to log on to Entrust from other machines, he or she must transfer the profile in order to do so. The new roaming capability introduced with Release 5.0 extends the capabilities of Entrust/PKI to deliver a flexible mobile solution for end users to access their credentials from a centrally managed directory without the need for additional authentication mechanisms such as smartcards or tokens. This is achieved via the Profile Server, which stores double-encrypted copies of users' Entrust profiles rather than storing them on the hard disk of a particular PC. Entrust/Roaming uses SPEKE (the Simple Password Exponential Key Exchange protocol, which Entrust Technologies has licensed from Integrity Sciences) to ensure the security of mobile access by establishing a full-strength key using an easily memorised password for authentication.
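What "a full-strength key from an easily memorised password" means in SPEKE is that the password is not sent or hashed across the wire at all: it is turned into the generator of a Diffie-Hellman exchange, so a wrong password simply yields a different key on each side. The following is an added example of that exchange written for this review, not Entrust's or Integrity Sciences' implementation; it uses the RFC 3526 MODP group 5 prime (a 1536-bit safe prime, p = 2q + 1) as the group, and the hash choice (SHA-256) and the message framing are assumptions for the example.

```python
"""
SPEKE (Simple Password Exponential Key Exchange) in the abstract:
  g = H(password)^2 mod p          (both sides, from the password alone)
  client -> server:  A = g^a mod p
  server -> client:  B = g^b mod p
  K = H(g^(ab) mod p)              (equal only if both used the same password)

Added example for this review, not Entrust code. Group: RFC 3526 MODP group 5
(1536-bit safe prime). SHA-256 and the framing are assumptions.
"""
import hashlib
import secrets
from typing import Tuple

_P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
)
P = int(_P_HEX, 16)
Q = (P - 1) // 2                      # prime order of the quadratic-residue subgroup
_NBYTES = (P.bit_length() + 7) // 8


def speke_generator(password: str) -> int:
    """g = H(password)^2 mod p. Squaring maps the hash into the subgroup of
    quadratic residues, which has prime order q, so g has large order."""
    h = int.from_bytes(hashlib.sha256(password.encode("utf-8")).digest(), "big")
    g = pow(h, 2, P)
    if g in (0, 1):  # degenerate generator; astronomically unlikely but checked
        raise ValueError("degenerate generator")
    return g


def new_exponent() -> int:
    return secrets.randbelow(Q - 2) + 2   # private exponent in 2 .. q-1


def public_value(g: int, x: int) -> int:
    return pow(g, x, P)


def valid_peer_value(v: int) -> bool:
    """Accept only values inside the order-q subgroup. Rejecting 0, 1, p-1 and
    anything of small order stops a peer from forcing the shared secret into a
    tiny set of possibilities."""
    return 2 <= v <= P - 2 and pow(v, Q, P) == 1


def derive_key(x: int, peer_value: int) -> bytes:
    if not valid_peer_value(peer_value):
        raise ValueError("invalid SPEKE exchange value")
    shared = pow(peer_value, x, P)
    return hashlib.sha256(shared.to_bytes(_NBYTES, "big")).digest()


def run_exchange(client_password: str, server_password: str) -> Tuple[bytes, bytes]:
    """One full exchange; returns (client_key, server_key).
    The two keys agree only if both sides derived g from the same password."""
    g_client = speke_generator(client_password)
    g_server = speke_generator(server_password)
    a, b = new_exponent(), new_exponent()
    A = public_value(g_client, a)   # client -> server
    B = public_value(g_server, b)   # server -> client
    return derive_key(a, B), derive_key(b, A)


if __name__ == "__main__":
    k_client, k_server = run_exchange("correct horse", "correct horse")
    print("same password, keys agree:", k_client == k_server)
    k_client, k_server = run_exchange("correct horse", "wrong horse")
    print("different password, keys agree:", k_client == k_server)
```

In a real deployment the server side would of course hold a verifier for the password rather than the password itself, and both parties would confirm the derived key (for example with a MAC over the transcript) before using it to protect the profile download; the block only shows the exchange itself.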
When the roaming-enabled user wants to begin work on an independent PC or kiosk, they simply type the name of their profile and password at the Entelligence logon prompt and the appropriate credentials are retrieved immediately from the central Profile Server, allowing the user to complete the logon process. When the user logs out, their credentials are automatically and securely deleted from desktop memory.

The audit trail records all security-related events that occur in Entrust/Authority. Audit records are time stamped and can be viewed only by Security Officers and Administrators using the audit log viewer in Entrust/RA.
Entrust/RA also has a basic reporting feature that allows creation of simple lists of all Entrust users in a CA domain, or of users in specific "states" such as enabled, active, disabled, key recovery or DN change. These reports are saved to disk as text files to be imported by third-party spreadsheet or database applications. Reporting is not Entrust's strong point in the current release, and needs improving by the addition of a more extensive and flexible reporting tool to provide access to the data in the underlying Informix (or Oracle) database. With Release 5.0, the CA database schema has been fully documented to enable this to happen, and other small improvements have been made, such as the addition of performance counters and the ability to automatically export log information via syslog (Unix) or the Windows event viewer for remote alerts and alarms.

Entrust maintains that to achieve a fully managed PKI, it is necessary to deploy a client-side component to provide end-to-end PKI functionality from client to CA. Entelligence is the Entrust Enterprise client, designed to allow Entrust-Ready applications to integrate and work with Entrust/PKI. Entelligence is split into two parts: the engine and the application.
The engine acts as a universal access point to all crypto and signing functions, allowing applications above it to remain oblivious as to whether encryption is performed by hardware or software, or whether keys are stored in a token or a file, for instance. Above the engine sit any number of applications (which have to be written to the client APIs), each of which can now access crypto functions via the single engine interface. Part of the Entelligence client is a simple file encryption and signing capability integrated with the Windows shell, and a secure file delete utility (Entrust/TrueDelete). The engine provides equal access to other applications such as secure e-mail (using a variety of clients) or Web browsers, and has the advantage of providing a single sign-on to both Entrust/PKI and the host operating system. Wizards provide a simple way for users to initiate key generation (initial registration with the CA) and key recovery. Entelligence also provides a single point of access to certificates, keys and key histories for all applications above it, as well as ensuring that CRLs are checked rigorously. A built-in address book allows the user to store keys for secure exchange of files and e-mail with others outside the immediate CA trust domain.

Note that PKI-enabling an application using the Entrust tool kits does not make it natively PKI-aware. Thus all applications designated as "Entrust Ready" still require the Entelligence engine to be running on each desktop if they are to take advantage of the full functionality offered by that client, such as transparent key history and CRL checking.

Sometimes it is necessary to provide a fully managed PKI solution for the Web with no client software deployment. This can now be achieved using Entrust/TruePass. Using the AutoRA and Roaming server components, TruePass is a small Java applet that supports transaction signing and encryption operations over the Web.
This becomes particularly important in the areas of B2B and B2C, where there is no control over the user's desktop or corporate firewall.
Entrust/TruePass is a small Java applet that runs in the JVM sandbox provided by the browser and provides a "run anywhere, zero-footprint solution". The end user downloads it transparently from the corporate Web site, and it provides the means to perform a range of functions that used to require the full Entrust client, such as authenticating to Entrust/PKI, signing and encrypting transactions, and changing the user's password. Since TruePass does not require any software deployment on the user's desktop, all security features and upgrades are handled centrally at the Web site, and the entire secure logon and transaction process becomes as transparent as you need it to be, whilst remaining fully secure.

Where it is impossible or undesirable to install client-side software, or even to use TruePass, Entrust provides plug-in modules called "Connectors". This family of products works seamlessly within the Entrust infrastructure to provide a pure WAP, Web or SET model. For instance, the Entrust/Web Connector provides a completely open means of supporting browser-only and Web server certificates. The connector distributes certificates to standard Web browsers, e-mail clients and Web servers for SSL, S/MIME and object signing applications.
The Entrust/VPN Connector allows an organisation to issue certificates to Virtual Private Network (VPN) devices such as routers, gateways, firewalls, and any device that uses PKCS#10 or the Certificate Enrolment Protocol (CEP). This makes the use of VPNs very much simpler and more scalable, since the manual handling of keys is eliminated. The Entrust/Commerce Connector enables the issue of Secure Electronic Transaction (SET) certificates to SET cardholders, merchants and payment gateways to support secure credit card transactions over the Internet. The Entrust/WAP Connector provides the means to incorporate wireless devices into the PKI by issuing certificates to WAP devices such as mobile phones, thus tightly binding digital identities to content providers and wireless customers.

The invisibility of the Entrust end-user interface is undoubtedly its strong point. It provides a single point of contact for the user and any security-related applications, with the heavy-duty crypto and signing operations happening below. At the same time, it integrates the client fully into the PKI, providing single login to applications and ensuring that keys are updated transparently, key histories and lifecycles are maintained automatically, key recovery is simplified, and CRLs are checked rigorously. The usual vehicle for this is the Entrust/Entelligence client, but it can also be achieved via applications custom-written using the Entrust toolkit. Certain elements, such as authenticating to the Entrust/PKI and signing and encrypting transactions, can also be effected via the new zero-footprint Java client, TruePass.
The product has improved considerably with this latest release, providing features such as automatic CA key rollover, multiple CAs on a single host, support for both peer-to-peer and hierarchical cross certification with policy-based control, new algorithms, RA policy control, custom "one step" desktop installations, and flexible certificate support (with automatic update of the registration screen). Probably the biggest new features are the TruePass zero-footprint client, AutoRA and client roaming, any of which is worth the upgrade on its own. AutoRA and TruePass will appeal particularly to companies wishing to offer secure PKI-based services to outside users, where there is no possibility of installing a custom client and where automatic registration is a must. Client roaming will be of particular interest to large corporates, allowing Entrust users to move from PC to PC without having to trail their Entrust profile behind them.

Entrust/PKI 5.0 is a huge advance over version 4.0 (itself an impressive product), and with the strong base that is the legacy of the long-established Entrust/PKI product, and the excellent new features included in this latest release, Entrust/PKI has once again set the target for the competition. A very strong range of offerings suitable for PKI deployment in enterprise, B2B and B2C environments. Well worth a look.