DOC PREVIEW
UVA CS 588 - PKI Implementation in the Real World

This preview shows page 1-2-3-4 out of 12 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 12 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 12 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 12 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 12 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 12 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

PKI Implementation in the Real WorldClient CA ImplementationGlossaryUSCA’s CAUSCA’s CertificatesOverall Certificate Issuance ProcessLessons Learned from this ImplementationIdentity ProofingUser RegistrationUser TrainingPKI IntegrationContact InfoCopyright 2003 Accenture. All rights reserved. Accenture, its logo, and Accenture Innovation Delivered are trademarks of Accenture.PKI Implementation in the Real WorldLessons LearnedClient CA ImplementationOne of our current Government clients has implemented a Certificate Authority to issue PKI certificates for Federal Employees at participating Agencies.  Recently, they asked us to help them document and update their processes, and help to expand their business.  We can use their example to understand a real world implementation and gather some lessons learned. We will call this client “US Certificate Authority,” or USCA.GlossaryPublic Key Crypto – key pairs used to encrypt/decrypt or sign/verifyCertificate – a digital method of binding a key pair or pairs to a specific identityCertificate Authority – the system that securely creates the certificatesPublic Key Infrastructure – the whole system of creating, issuing, managing, utilizing and revoking certificatesUSCA’s CAUSCA has implemented a private Certificate Authority based on Entrust software. It was built and is operated by USCA employees, at a local datacenter with remote failover.•The Certificate Authority’s primary responsibility is to ensure the validity of each certificate and key pair that is issued.• Secure architecture to generate keys and certificates• Secure, enforceable processes to verify the users or systems to whom it issues the certificates• Unlike the Verisign model, each private Certificate Authority is part of a closed system that is not automatically trusted by other systems or external users.• In order to trust the Certificates issued by the USCA, the end user has to explicitly import and trust the Public Key of the CA or the system or application has to trust the Public Key.USCA’s CertificatesEach USCA User Certificate is issued with 2 key pairs and can be used for:•Authentication,•Cryptography: Encryption / Decryption.•Digital Signatures•Enable Virtual Private Network using Checkpoint Firewalls, •Encrypted/Digital Signature E-Mail, •Encrypted E-Mail, •Application Encryption and/or Digital Signature (non Web), and•Desktop Encryption.There have been about 5000 user certificates issued so far. In addition, USCA can issue SSL certificates.Overall Certificate Issuance ProcessSubmit Required FormsIdentity ProofingCertificate CreationUser Activation Certificate Expirationand RenewalCertificate RevocationCertificate DeactivationCertificate UseBecome an NFC CA CustomerCertificate RecoveryLessons Learned from this ImplementationThe technology is NOT the problem. Once the technologies are successfully implemented, the biggest problems are user issues and process issues.–User registration–LRA identity proofing –User training–Use of certificates within applicationsIdentity ProofingOnce a new client group has been added to the closed Certificate Authority, the CA is set up to issue certificates for authorized members of the new group.The first step is to validate who is requesting the new certificate by identity-proofing. This is performed by a Local Registration Authority from the client group.–Need to verify the identity of the new user. This is hard! –Must be in person, which is hard for distributed organizations.–What documents can a user present to prove they are John Doe?–How much trust can you place on State Driver’s License and other “breeder” documents?User RegistrationThe next step is to collect information about the user and verify that they have the approval of the client group to receive a certificate.–The user information must match the information given to the Local Registration Authority – this means that you can’t just ask the user to type in their information, you have to build in a process to double-check it.–The user registration process is also typically used to help deliver the actual certificate, often by giving the user one of multiple “tokens” that they will need to download the certificate.–Since the certificates cost the client group $$$, the approval is important. How is this verified?User TrainingAnother big problem is training the end user on how to use their certificate.–Training is needed for end users, LRAs, RAs and Help Desk; generally the people who actually run the system know how things work, but using the PKI system interfaces is usually confusing.–Users also need help actually using their certificate within their PKI-enabled applications.PKI IntegrationClients need to decide what are certificates used for within the organization prior to purchasing services:–Often they get sold on the idea of PKI without a clear business reason.–Applications must be modified in order to use certificates for signing, encryption etc. Or, if the PKI system client is used, the client must be embedded into the standard desktop build.Contact InfoDan [email protected] 947 2226Jennifer [email protected] 947 4093Treb [email protected] 947


View Full Document

UVA CS 588 - PKI Implementation in the Real World

Download PKI Implementation in the Real World
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view PKI Implementation in the Real World and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view PKI Implementation in the Real World 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?