Time/date stamp, authorization, secure non-repudiation, key...


Upload: antony-melton

Post on 31-Dec-2015



Diagram: PKI services
• Time/Date Stamp
• Authorization
• Secure Non-repudiation
• Key Recovery
• Message Confidentiality (S/MIME)
• Session Confidence (SSL)
• Access Control (SSO/CSO)
• Non-repudiation (SET)
• Integrity (Signature)

Diagram: PKI Certificate Management
Management functions at the centre: Policy Approval, Certificate Revocation, Certification Archiving, Repository, Naming and Recognition.
Numbered components around it:
1. Certificate Granting Agent
2. Trusted Third Party
3. Security Servers and Agents
4. Certified Delivery System
5. Digital Notary Server
6. Digital Signature Generation
7. Digital Signature Verification
8. Confidentiality Key Exchange
9. Key Pair Generation

E-Business Information Security Vulnerabilities

Diagram: supplier and customer activities around shared Data Archives, each e-business function paired with the asset it puts at risk
• Collaborative Commerce: Intellectual Property
• Search, Discovery, Offering: Reputation
• EFT: Value
• Logistics/SCM: Theft
• Trusted Transactions: Integrity
• CRM (Intimate Knowledge): Privacy
Supplier-side activities: Marketing, Selling, Shipping, Service and Support, Design, Receivables.
Customer-side activities: Shopping, Purchasing, Using and Maintaining, Development, Payables, Receiving.

Prioritizing PKI Applications

Application                  Priority
Secure VPN                   High
Secure Web Access            High
Secure E-mail                High
Digital Signature            Medium
Server IDs                   Medium
Desk/Laptop Encryption       Medium
Consolidated Sign-On         Low
SET                          Low

Overall Risk Reduction: High
New Business Opportunity: High

SSL - A No Brainer

Diagram: a cyber-browser visits a secure site; the Web server presents the server's public key.
The Web server submits its site/server public key certificate to the browser. The channel is encrypted, the Web server identified.

The Primary PKI App today

Signing and Sealing the E-Mail Envelope

Diagram: e-mail security standards grouped into "Being Deployed" and "Not Being Deployed": X.400, PEM, PGP, MOSS, S/MIME V.3, OpenPGP, and DMS/MSP (signature).

Web Access: Portals Through the Firewall
• Public Web site
• Customer extranet
• Supplier extranet
• Employee intranet
• Channels extranet

EDI Transactions Require Digital Signatures and Encryption

Transaction Type                 Digital Signature Required   Encryption Capability Needed
Invoice                          Yes                          No
Application Advice               No                           No
Price Sales Catalog              No                           No
Contract Award Summary           No                           No
Trading Partner Profile          Yes                          No
Request for Quote                Yes                          No
Response to Request for Quote    Yes                          Yes
Purchase Order, Delivery Order   Yes                          Yes
Purchase Simple Contracts        Yes                          Yes
Purchase Order Change            Yes                          No
Text Message                     No                           No
Order Status Report              No                           No
Functional Acknowledgment        No                           No

PKI Integration With Acrobat

California Independent Systems Operator PKI Architecture

Diagram: components connected over the network
• Master Directory Server (LDAP/X.500)
• Policy Creation Authority
• Policy Approval Authority
• CA Signing Certificates
• Basic Assurance: Basic CA
• Medium Assurance: Medium CA
• High Assurance: High CA
• Registration Authority Workstation (register users, revoke certs)
• Client Applications
• PKI Mail Server

ACES Architecture

Diagram: Subscriber, Agency application with CAM, and the ACES CAs
Subscriber:
• Browser holding the subscriber's private key and Subscriber Cert (HW token optional)
• CA1 Cert, CA2 Cert, CAN Cert
Agency:
• App1, with App1 private key and App1 Cert in a FIPS 140-1 module
• CAM, reached through the App API, holding CA1/CA2/CAN Certs, a List of Invalid Cert IDs and an Audit Log
• Crypto API supporting RSA, DSA and ECDSA
• CA API returning cert status plus cert fields
ACES CAs (ACES CA1, ACES CA2, ... ACES CAN): each keeps its CA private key in a FIPS 140-1 module and holds its own subscriber certs together with the CA1/CA2/CAN Certs; the algorithm labels on the diagram are RSA, DSA and ECDSA.

CAM steps:
• Parse cert
• Verify SubscrbrCert issuer is an ACES CA
• Verify SubscrbrCert issuer's signature
• Verify SubscrbrCert's operational period
• Check cached Invalid Cert IDs
• Get route to Issuer
• Send signed Status Request and cert data to Issuer
• Receive signed Status Response
• Verify Status Response signature
• Pass status and cert data to App
• Log audit data
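The CAM's local checks, as an added Go example that is not the slide deck's or ACES's own code: it constructs a throwaway ECDSA CA and a subscriber cert it issued (names, keys and serials are made up), then runs the parse, issuer-in-pool, issuer-signature, operational-period and cached-invalid-ID checks in the listed order; the signed status exchange with the issuer and the audit log are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CAM models the slide's CAM as a trust pool of ACES CA certs plus the cache of invalid cert IDs.
type CAM struct {
	ACEs    map[string]*x509.Certificate // issuer subject -> ACES CA cert
	Invalid map[string]bool              // cached invalid cert serials
}

// Validate runs the CAM's local checks in the slide's order (status exchange and audit log omitted).
func (m *CAM) Validate(der []byte, now time.Time) error {
	cert, err := x509.ParseCertificate(der)
	switch { // cases are evaluated in order, so each may rely on the ones above it
	case err != nil: // parse cert
		return err
	case m.ACEs[cert.Issuer.String()] == nil: // verify SubscrbrCert issuer is an ACES CA
		return errors.New("issuer is not an ACES CA")
	case cert.CheckSignatureFrom(m.ACEs[cert.Issuer.String()]) != nil: // verify issuer's signature
		return errors.New("issuer signature does not verify")
	case now.Before(cert.NotBefore) || now.After(cert.NotAfter): // verify operational period
		return errors.New("outside operational period")
	case m.Invalid[cert.SerialNumber.String()]: // check cached invalid cert IDs
		return errors.New("serial is in cached invalid list")
	}
	return nil
}

// NewDemo builds a constructed ACES CA and a subscriber cert it issued; the fixed templates cannot fail to encode.
func NewDemo(now time.Time) (*CAM, []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	subKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ACES CA1"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(72 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER) // the parsed form carries the public key CheckSignatureFrom needs
	sub := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "Subscriber"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	subDER, _ := x509.CreateCertificate(rand.Reader, sub, ca, &subKey.PublicKey, caKey)
	return &CAM{ACEs: map[string]*x509.Certificate{ca.Subject.String(): ca}, Invalid: map[string]bool{}}, subDER
}
```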

"Four Corner Transaction"

Diagram: a Manufacturer places a digitally signed order (shown as a block of hex bytes) and a Trading Partner receives it; each of the four corners (Manufacturer, Trading Partner, Bank A, Bank B) holds a private-key token digital ID, and the banks' "Brand A" and "Brand B" CAs issue the credentials.
• Provides verification of identities & signatures and assurance ("TRUST")
• Facilitate interbank certificate checking
• Utilize tools to allow interoperability across CA's and supplies software developers toolkit with standard functionality to member banks

Source: Entegrity Solutions

European Private Banking (Anon)

• Private, personal, retail banking & brokerage services
• Operation in fiscal haven with strict bank secrecy laws
• Worldwide customer base
• Smartcards with certificate client credentials
• SSL, user ID, password model was not appropriate
• Transparent certificate management
• Initial smartcard/certificate issuance

Bolero

Diagram: exporter, carrier and bank exchange EDI messages through the Bolero registry. The registration authority handles identification and sends the private key; the public key is sent to the certification authority for certification; directory services hold the result.

PKI Case Studies

Nuclear Waste Facility                  Document management, digital signatures (Transuranic Reporting and Inventory Processing System, TRIPS)
Law Enforcement Consortium              Secure email
Retail Bank                             Consumer e-banking
State Government                        Funds transfer authorization, e-forms
Utility Independent Systems Operator    Secure communications, controls, business services
Insurance Company                       Browser-based field agent access; encrypted files

PKI Integration Scorecard

Area                          Grade   Comments
Web Browsers                  A       SSL --> TLS and Wireless
E-Mail                        A       S/MIME; PGP --> OpenPGP
VPNs                          B+      IPSec, IPv6
E-Forms                       B+      Signing, Encrypting
Packaged Applications         D       Driven by Webification, ASPs
Legacy/Custom Applications    F       Bridging RACF, DCE/Kerberos

Wireless Application Protocol: Compare/Contrast to Web