How to Deploy and Get the Most Out of Tokens

Paul Caskey

PKI Deployment Forum 2008

Our setup

• VeriSign Unified Authentication
  - Active Directory-integrated
  - Based on Microsoft CA, but signed by VeriSign public root
  - Managed via an MMC
  - CA and all operations happen at VeriSign

• Dual-key approach
  - Signing, SmartCard login
  - Encryption, EFS (escrowed)

• 3 certificate templates
  - Signing
  - Encryption
  - Key Recovery Agent

• All certs are on Aladdin tokens only (no software stores)

Our uses

• Email signing and encryption

• Document Signing

• SmartCard login (Our passwords meet LoA2 entropy, but….)

• Remote access??

Enrollment Process

1. User request to Help Desk

2. Help Desk prepares token (initialize, assign)

3. Vetting/Verify Identity

4. Enrollment authorization granted

5. User enrolls at help desk via kiosk

6. That first use of token forces setting a password

Design/implementation issues

• Manual vs. Auto-enrollment

• Dual-key vs. single-key

• Token enrollment (in-person or remote)

• Client software deployment

• PIN resets
  - Local
  - Remote

• Lost tokens

Aladdin Token Management System (TMS) 2.0

• Web-based management interface
  - Look up users, tokens
  - Initialize
  - Assign

• Web-based user self-service
  - Enrollment/software installation
  - Security questions
  - Report lost tokens
  - Password reset

• Web-based remote service
  - Virtual tokens

Questions/Comments/Discussion?