MASON ECE 646 - Survey of Software packages supporting Public Key Infrastructure

This preview shows page 1-2-19-20 out of 20 pages.


3. Weighted matrix comparing various softwares

100 users: €15,000
1000 users: €50,000
10,000 users: €150,000
100,000 users: €500,000
1,000,000 users: €800,000

Survey of Software packages supporting Public Key Infrastructure

Mayur Enjamoor, Rohan Misquith

Abstract - This document would give the reader a clear idea about a few top PKI products available in the market and where they stand when compared to each other. The first part of the report explains what PKI is, where it finds its use and what role it plays in e-commerce and other web applications. In the second part a weighted matrix is generated and the products are compared. The 3rd part gives an insight into the companies and the final verdict on them.

1. INTRODUCTION

1.1 What is PKI?

It is simply the single most effective method for securing public communications networks, and is used throughout the world for the transmission of sensitive data. The Army, Navy, and Air Force use PKI. Government agencies use PKI. Financial and medical institutions use PKI. And now you can too. That's because some products provide e-mail services which incorporate PKI at every possible point in their infrastructure.

1.2 When was the concept of Public Key introduced?

The public disclosure of both secure key exchange and asymmetric key algorithms in 1976 by Diffie, Hellman, and Rivest, Shamir, and Adleman changed secure communications entirely. With the further development of high speed digital electronic communications (the Internet and its predecessors), a need became evident for ways in which users could securely communicate with each other, and as a further consequence of that, for ways in which users could be sure with whom they were actually interacting. The idea of cryptographically protected certificates binding user identities to public keys was eagerly developed.

1.3 What service does it provide?
PKI arrangements enable users to be authenticated to each other, and to use the information in identity certificates (i.e., each other's public keys) to encrypt and decrypt messages traveling to and fro. In general, a PKI consists of client software, server software such as a certificate authority, hardware (e.g., smart cards) and operational procedures. A user may digitally sign messages using his private key, and another user can check that signature (using the public key contained in that user's certificate issued by a certificate authority within the PKI). This enables two (or more) communicating parties to establish confidentiality, message integrity and user authentication without having to exchange any secret information in advance.

The basic services that PKI may provide are:

- Key registration: issuing a new certificate for a public key.
- Certificate revocation: canceling a previously issued certificate.
- Key selection: obtaining a party's public key.
- Trust evaluation: determining whether a certificate is valid and what operations it authorizes.

1.4 What are the components of PKI?

A public key infrastructure is created by combining a number of services and technologies:

- Certification authority (CA)
- Revocation
- Registration Authority (RA)
- Certificate publishing methods
- Certificate Management System
- 'PKI aware' applications

All other components that are to be discussed can be categorized under one of the above components.

1.5 This is what a PKI infrastructure looks like

[Figure not included in this preview.]

1.6 Who is the best among PKI vendors?

What follows is a comparison of the PKI capabilities that decide the extent to which the various software products meet the expected requirements. A weighted matrix is designed, allocating a fixed weight to each of the capabilities in the order of their importance.
From the comparison tables, points were allocated to each attribute, and the resulting weighted matrix helps decide which of the 6 compared software products is the winner.

1.7 The attributes that are compared are:

1) Certificate support
2) Revocation methods
3) Scalability
4) Security
5) PKI topologies
6) Registration mechanism
7) Directory support
8) Smart card and token support
9) Interoperability
10) Key management
11) Management Interface

The above attributes are to be compared later in the project.

1.8 The products we will be comparing in this project are as follows:

1. Baltimore Unicert V5
2. BT Ignite Managed PKI 5.4.1
3. RSA Keon 6.5
4. Safelayer KeyOne 2.1
5. SSH
6. Certicom

1.9 A few PKI standards and their description

Client/Server PKI Communication Standards

- SSL - Secure Sockets Layer (Public/Private Key encryption standard)
- S/MIME - Standard that supports the signing and encryption of e-mail
- IPSEC - Standard for a network layer security protocol
- PKCS #1 - Describes a method for encrypting data using the RSA public-key cryptosystem in the construction of digital signatures and envelopes
- PKCS #3 - Describes a method for implementing Diffie-Hellman key agreement
- PKCS #7 - Describes a method for syntax of data that may have cryptography applied to it
- PKCS #13 - Describes public key techniques based on elliptic curve cryptography

Certificate Repository Standards

- LDAP - Describes a directory service interface
- PKCS #6 - Describes a method for verifying a X.509 certificate with a single public-key operation
- PKCS #9 - Defines selected attribute types for use in PKCS #6, #7, and #8
- PKCS #10 - Describes syntax for certification requests. A certification request consists of a distinguished name, a public key, and optionally attributes
- OCSP - Describes the Online Certificate Status Protocol for real-time checking of certificates
- RFC 2527 - Describes how to implement certificate policies
- RFC 2528 - Describes formats and fields of X.509 V3 certificates
- RFC 2559 - Describes methods for accessing the certificate repository
- RFC 2560 - Describes how to use FTP to access the certificate repository
- RFC 2585 - Describes how to use HTTP to access the certificate repository
- RFC 2587 - Describes how to access the certificate repository when the CR is using LDAP
- X.509 v.3 - Overall standard to support secure management and distribution of digitally signed certificates

Private Key Storage
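
The four basic services listed in section 1.3 (key registration through a PKCS #10 request, certificate revocation, key selection and trust evaluation), walked through with the OpenSSL command line. This is an added example, not part of the original report and not tied to any of the surveyed products; the names "Demo CA" and "alice", the file names and the pki_* function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. "Demo CA", "alice" and all keys are constructed, throwaway
# values. Every function works on files in the current directory.

# CA setup and key registration: alice's PKCS #10 request (distinguished
# name + public key) is signed by the CA and comes back as a certificate.
pki_setup() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo CA" -days 30 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -keyout alice.key \
    -out alice.csr -subj "/CN=alice" 2>/dev/null || return 1
  openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out alice.crt -days 7 2>/dev/null || return 1
  # Minimal CA database so the CA can revoke and publish a CRL.
  : > index.txt
  printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=index.txt\ndefault_md=sha256\n' > ca.cnf
  pki_publish_crl
}

pki_publish_crl() {
  openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -gencrl \
    -crldays 7 -out ca.crl 2>/dev/null
}

# Certificate revocation: mark the certificate revoked, reissue the CRL.
pki_revoke() {
  openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt \
    -revoke "$1" 2>/dev/null && pki_publish_crl
}

# Sender: sign file $1 with alice's private key (writes $1.sig).
pki_sign() {
  openssl dgst -sha256 -sign alice.key -out "$1.sig" "$1"
}

# Receiver: trust evaluation (chain + CRL), key selection (the public key
# is taken from the certificate), then the signature check on file $1.
pki_verify() {
  openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check alice.crt \
    >/dev/null 2>&1 || return 1
  openssl x509 -in alice.crt -pubkey -noout > alice.pub || return 1
  openssl dgst -sha256 -verify alice.pub -signature "$1.sig" "$1" \
    >/dev/null 2>&1
}

# Full run in a scratch directory (changes the working directory).
pki_demo() {
  cd "$(mktemp -d)" && pki_setup && printf 'pay bob 100\n' > msg && pki_sign msg || return 1
  pki_verify msg && echo "valid"
  pki_revoke alice.crt; pki_verify msg || echo "rejected after revocation"
}
```

Calling pki_demo runs the whole sequence; the same signature that verifies before revocation is rejected afterwards, because the receiver evaluates the certificate before it trusts the key inside it.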

