Enterprise Key Management Infrastructures: Understanding them before auditing them
Arshad Noor, CTO, StrongAuth, Inc.; Chair, OASIS EKMI-TC

Agenda
- What is an EKMI?
- Components of an EKMI
- Auditing an EKMI
- ISACA members at OASIS EKMI
- Summary

Business Challenges
- Regulatory compliance: PCI-DSS, FISMA, HIPAA, SB-1386, etc.
- Avoiding fines: ChoicePoint $15M, Nationwide $2M
- Avoiding lawsuits: TJX (multiple), Bank of America
- Avoiding negative publicity to the brand: TJ Maxx, Ralph Lauren, Citibank, Wells Fargo, IBM, Ernst & Young, Fidelity, etc.

The Encryption Problem
(Diagram: every application repeats the same key lifecycle on its own: Generate, Encrypt, Decrypt, Escrow, Authorize, Recover, Destroy ... and so on.)

Key-management silos
(Diagram: applications spread across the network, each with its own key management (KM) embedded in its database or DB driver, in its OS or OS drivers, or in a PKI; the key-management connections are per application, with nothing shared.)

What is an EKMI?
An Enterprise Key Management Infrastructure is a collection of technology, policies and procedures for managing all cryptographic keys in the enterprise.

EKMI Characteristics
- A single place to define EKM policy
- A single place to manage all keys
- Standard protocols for EKM services
- Platform- and application-independent
- Scalable to service millions of clients
- Available even when the network fails
- Extremely secure

EKM Harmony
(Diagram: the same applications, databases or DB drivers and OS drivers across the network, with all key-management connections now going to one EKMI made up of a PKI and an SKMS.)

The Encryption Solution
(Diagram: applications on either side of the WAN only Encrypt and Decrypt; the SKS Server centralizes Generate, Protect, Escrow, Authorize, Recover and Destroy.)

EKMI Components
- Public Key Infrastructure: for digital certificate management; used for strong authentication and for secure storage and transport of symmetric encryption keys
- Symmetric Key Management System:
  - SKS Server for symmetric key management
  - SKCL for client interactions with the SKS Server
  - SKSML for SKCL-SKS communication
- EKMI = PKI + SKMS

PKI
- Well known, but not well understood
- Reputation for being costly and complex, BUT...
- Used in every e-commerce solution
- Used by the DoD of most democratic nations
- Citizen cards, e-Passports
- Corporate Access Cards
- US Personal Identity Verification (PIV) card
- IETF PKIX standards

SKMS: SKS Server (Symmetric Key Services Server)
- Contains all symmetric encryption keys
- Generates, escrows and retrieves keys
- ACLs authorizing access to encryption keys
- Central policy for symmetric keys: key-size, key-type, key-lifetime, etc.
- Accepts SKSML protocol requests
- Functions like a DNS server

SKMS: SKCL (Symmetric Key Client Library)
- Communicates with the SKS Server
- Requests (new or existing) symmetric keys
- Caches keys locally, per key-cache policy
- Encrypts and decrypts data, per key-use policy
- Currently supports 3DES, AES-128, AES-192 and AES-256
- Makes SKSML requests
- Functions like a DNS client library

SKMS: SKSML (Symmetric Key Services Markup Language)
- Request new symmetric key(s) from the SKS server, when encrypting new information or rotating symmetric keys for existing ciphertext
- Request existing symmetric key(s) from the SKS server for decrypting previously encrypted ciphertext
- Request key-cache-policy information for the client

The Big Picture
(Diagram labels: Java Application, RPG Application, C/C++ Application, Application Server, Network, DB Server, SKCL, Crypto Module, Key Cache, RPGNI, JNI; the numbers on the diagram mark the steps below.)
1. Client Application makes a request for a symmetric key
2. SKCL makes a digitally signed request to the SKS
3. SKS verifies the SKCL request, then generates, encrypts, digitally signs and escrows the key in the DB
4. Crypto HSM provides security for the RSA signing and encryption keys of the SKS
5. SKS responds to the SKCL with the signed and encrypted symmetric key
6. SKCL verifies the response, decrypts the key and hands it to the Client Application
7. Native (non-Java) applications make requests through the Java Native Interface
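Steps 2 through 6 above, as an added Go model written for this page (not StrongAuth's SKCL or SKS code): the request and the reply are RSA-signed, the key travels RSA-wrapped, and the escrow record is signed before it is stored. RSA-PSS and RSA-OAEP over SHA-256, an in-memory SKS key in place of the HSM of step 4, and the request bytes are assumptions; the deck only says RSA.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Record is the SKS escrow entry: the symmetric key wrapped to the SKS's own
// RSA public key plus the SKS signature over it (DB records signed on store).
type Record struct{ Wrapped, Sig []byte }

func Sign(k *rsa.PrivateKey, m []byte) []byte {
	h := sha256.Sum256(m)
	s, _ := rsa.SignPSS(rand.Reader, k, crypto.SHA256, h[:], nil)
	return s
}
func Verify(p *rsa.PublicKey, m, s []byte) bool {
	h := sha256.Sum256(m)
	return rsa.VerifyPSS(p, crypto.SHA256, h[:], s, nil) == nil
}
func Wrap(p *rsa.PublicKey, k []byte) []byte {
	c, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, p, k, nil)
	return c
}
func Unwrap(k *rsa.PrivateKey, c []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k, c, nil)
}

// Steps 3-5: verify the signed SKCL request (step 2 is Sign on the client), make
// an AES-256 key, escrow it wrapped to the SKS and signed, return it wrapped and signed to the client.
func SKSHandle(sks *rsa.PrivateKey, clientPub *rsa.PublicKey, req, reqSig []byte) (Record, []byte, []byte, error) {
	if !Verify(clientPub, req, reqSig) {
		return Record{}, nil, nil, errors.New("request signature invalid")
	}
	key := make([]byte, 32) // AES-256; a real SKS takes the key-size from policy
	rand.Read(key)
	escrow, reply := Wrap(&sks.PublicKey, key), Wrap(clientPub, key)
	return Record{escrow, Sign(sks, escrow)}, reply, Sign(sks, reply), nil
}

// Step 6: the SKCL verifies the SKS signature before decrypting the key.
func ClientAccept(client *rsa.PrivateKey, sksPub *rsa.PublicKey, reply, sig []byte) ([]byte, error) {
	if !Verify(sksPub, reply, sig) {
		return nil, errors.New("response signature invalid")
	}
	return Unwrap(client, reply)
}
```

Escrow recovery on the server side is the same two calls: Verify the record's signature with the SKS public key, then Unwrap it with the SKS private key.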

Security in an SKMS
- Symmetric keys are encrypted with the SKS server's RSA public key for secure storage
- Client requests are digitally signed (RSA)
- Server responses are digitally signed (RSA) and encrypted (RSA)
- All database records are digitally signed (RSA) when stored and verified when accessed, including history logs, for message integrity

Common KM problems
- Using a proprietary encryption algorithm
- Hiding the encryption key on the machine
- Embedding the encryption key in software
- Encrypting a symmetric key with another

- Using a single key across the enterprise
- Backing up the key with the data on the same tape
- Using weak passwords for Password-Based Encryption (PBE)

Auditing an EKMI
- Key-management policy
- Prerequisite controls:
  - Physical access control to EKMI machines
  - Logical and network access control to the EKMI
- Standard security controls:
  - Firewall
  - Minimal attack surface (minimal services)
  - Security patches
  - Security logging

Auditing an SKMS Client
- Is a hardware token being used?
- How many people are required to log into the token to activate it?
- How many people have access to the token?
- How often is the token PIN changed?
- How much data is encrypted with one key?
- SHA-1 hash of the client library?

Auditing an SKMS Server
- Is a hardware token being used?
- How many people are required to log into the token to activate it?
- How many people have access to the token?
- How often is the token PIN changed?
- SHA-1 hashes of the server jar files?

OASIS EKMI-TC
- Standardize on the Symmetric Key Services Markup Language (SKSML)
- Create Implementation and Operations Guidelines
- Create Audit Guidelines
- Create an Interoperability Test Suite

OASIS EKMI-TC Members
- FundServ, PA Consulting, PrimeKey, Red Hat, Sterling Commerce, StrongAuth, US DoD, Visa International, Wave Systems
- Booz Allen Hamilton, EMC (RSA), Entrust, Mitre Corporation, Oracle, Sigaba, Symantec
- Individuals representing audit and security backgrounds

ISACA and OASIS
- Many ISACA members from San Francisco are EKMI-TC (AGSC) members
- Full-day workshop scheduled for October/November 2007:
  - Setting up an SKMS
  - Operating an SKMS
  - Auditing an SKMS
  - Attacking an SKMS

Conclusion
- Securing the Core should have been Plan A from the beginning ... but it's not too late to remediate.
- OASIS EKMI-TC is driving new key-management standards that cut across platforms, applications and industries.
- Auditing EKMIs requires new levels of knowledge and understanding.
- Get involved!

Thank you!
