Public Key Enabling (PKE)
Content-Based Information Security (CBIS)
Agenda
The Threat
The Answer
What is PKI
What is PKE
PKE Services
Who Needs PKE Services
What can be PK Enabled
When do you PK Enable an Application
Why Implement PKE
Where can I find more PKE Information
How do you PK Enable an Application
Cost of PK Enabling an Application
ROI for PK Enabling
Conclusion
The Threat
The Spread of the Code-Red Worm (CRv2): an analysis by David Moore ([email protected]) on the spread of the Code-Red (CRv2) worm.
359,000 servers in less than 14 hours
Source: Computer Security Institute/FBI Computer Intrusion Squad, Washington; survey of 538 IT security professionals

Analysis by Incident: 2001 Economic Impact of Malicious Code Attacks

Year  Code Name    Worldwide Economic Impact ($ U.S.)  Cyber Attack Index
2001  Nimda        $635 Million                        0.73
2001  Code Red(s)  $2.62 Billion                       2.99
2001  SirCam       $1.15 Billion                       1.31
2000  Love Bug     $8.75 Billion                       10.00
1999  Melissa      $1.10 Billion                       1.26
1999  Explorer     $1.02 Billion                       1.17

Source: Michael Erbschloe, vice president of research at Computer Economics and author of Information Warfare: How to Survive Cyber Attacks.
The Answer
[Chart: CSI/FBI survey results by category, 0-100%, for 1998, 1999, 2000 and 2001: Virus, Laptop Theft, Unauthorized Access by Insider, Denial of Service, Unauthorized Access by Outsider, Theft of Proprietary Info, Sabotage of Data/Network, Financial Fraud. Source: CSI/FBI Computer Crime and Security Survey, 1998-2001]

Public Key Infrastructure (PKI) and Public Key Enabling (PKE) capabilities:
Non-Repudiation
Authentication
Integrity
Confidentiality
Encryption
Digital Signature
Audit trail
Security in Depth
Key Escrow
Validation
High & Medium Assurance
Code Signing
What is PKI?
PKI is the framework and services that provide the following:
Digital Key Generation
Digital Key Distribution
Digital Key Revocation
Digital Key Archiving
Digital Key Tracking
Digital Key Destruction
Digital Key Certificate Policy
Source: Public Key Infrastructure Roadmap for the Department of Defense, 29 October 1999, Version 3.0

PKI components: Certificate Management, Policy, People, Facilities, Procedures
Analogies: House without Furniture; Plane without an Engine; Car without Wheels
What is PKE?
Public Key Infrastructure (PKI) alone is not sufficient to meet DoD mission requirements.
A Public Key Enabled application, server or network is one that can accept and process a DoD X.509 certificate to support one or more specific functions:
Digital Signature
Data Encryption
User Authentication
Data Integrity
Non-Repudiation
PKE Services
Authentication: ascertaining that an entity is who or what he/she/it claims to be
Access control: authorization, determining what resources an authenticated identity can access and what actions he/she/it can perform
Data confidentiality: preventing data interception by using encryption
Data integrity: ensuring that the information has not been changed or tampered with in any way
Non-repudiation: ensuring that authenticated identities cannot deny performing actions that he/she/it performed

[Diagram: Alice (33728) sends an envelope marked TO: BOB, FROM: ALICE to Bob (999081)]
Dear Bob,
Please use PKI next time.
Love, Alice
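This added example is not from the original presentation; it shows, in Go with only the standard library, the certificate processing a PK-enabled application performs on the Alice-to-Bob message above, covering the "accept and process an X.509 certificate" definition of PKE and the authentication, integrity and non-repudiation services. A throwaway test CA and a certificate for Alice are constructed (hypothetical names; Ed25519 keys chosen for brevity, not a DoD certificate profile), and Bob's side chains Alice's certificate to a trusted root, checks that the key is authorized for digital signature, and verifies the signature over the message.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newCert makes an Ed25519 key pair and a certificate for cn signed by signer (self-signed when parent is nil).
func newCert(serial int64, cn string, ca bool, usage x509.KeyUsage, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca, KeyUsage: usage}
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err) // constructed fixture only; a real application would return the error
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildTestPKI returns a trust store with a throwaway CA plus Alice's cert and key (constructed test values).
func BuildTestPKI() (*x509.CertPool, *x509.Certificate, ed25519.PrivateKey) {
	ca, caKey := newCert(1, "Test CA", true, x509.KeyUsageCertSign, nil, nil)
	alice, aliceKey := newCert(2, "Alice", false, x509.KeyUsageDigitalSignature, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, alice, aliceKey
}

// VerifySignedMessage does what a PK-enabled application must do before trusting a message: chain the
// sender's certificate to a trusted root (authentication), confirm the key may sign, verify the signature.
func VerifySignedMessage(roots *x509.CertPool, cert *x509.Certificate, msg, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err // unknown issuer, expired, or otherwise invalid chain
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate not authorized for digital signature")
	}
	return cert.CheckSignature(x509.PureEd25519, msg, sig)
}
```

Revocation checking (CRL or OCSP) is a further step a production application adds after the chain check; it is not shown here.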
Who Needs PKE Services?
Application Developers and Analysts
Web Masters
Systems Administrators
Security Managers
Commanders
Senior Staff
Crisis Action Teams
Network Managers
Systems Integrators
Application Program Managers
End users of:
Command and Control applications
Sensitive applications
Financial or high dollar applications
Sensitive or privacy information

What can be PK Enabled?
Requirement -> What do You Need
• Encrypt web traffic over the Internet -> 128-bit web browser
• Sign and encrypt electronic mail -> S/MIME compatible email client
• Authenticate users for access management -> PKE client tool (such as web browser)
• Digitally sign documents for non-repudiation -> PKE signature client tool
• Manage network access -> PKE network
• Virtual Private Network (VPN) -> PKE firewall or VPN tool
When do you PK Enable an Application?
1. All DoD unclassified networks that authenticate users
2. Unclassified DoD networks hosting Mission Category I systems
3. All unclassified private DoD Web Servers
4. E-mail in all operating environments
5. Web applications in unclassified environments
6. Legacy, Mission Category I applications
that use or require the use of public key cryptography shall be PK enabled to interoperate with the DoD PKI.
7. Sensitive unclassified systems handling high value (both dollar and mission value)
8. Applications processing classified information in a high-risk environment (over an unprotected network)
Why Implement PKE?
• Authentication
• Access control
• Data confidentiality
• Data integrity
• Non-repudiation
• Digital Encryption
• Digital Signature

Risk Management
Risk Avoidance
New Technology
Online banking
Online payment of bills
E-Signing law
Legally binding mechanism
Verify identity of customer
Sign online transactions
Promotes the electronic delivery of services
Secure infrastructure
Federal and State Interoperability
43 countries have Digital Certificate laws
DoD Mandate
Ease of use
Increase Security
Cost Reduction
Espionage
Privacy
NATO & Coalition Partners
Where can I find more PKE Information?
https://itac.lackland.af.mil/product.asp?prod=58
http://jitc.fhu.disa.mil/pki/index.html
http://www.digsigtrust.com/
http://www.verisign.com/
http://csrc.nist.gov/encryption/kms/
http://web.mit.edu/network/ietf/sa/
U.S. Department of Health and Human Services
http://aspe.os.dhhs.gov/admnsimp/
https://warlord.spawar.navy.mil/PKI/
http://eca.orc.com/
http://iase.disa.mil/
Defense Information Systems Agency
http://www.c3i.osd.mil/org/sio/ia/pki/index.html
http://www.defenselink.mil/acq/ebusiness/projects/proj_pki.htm
https://afpki.lackland.af.mil/
https://www.noc.usmc.mil/secure/PKI/default.htm
How do you PK Enable an Application?
There are many approaches to PKI enabling an application; which one is best?
– Direct modification of application
– Middleware
  • Web-based front end
  • Proxy type application
– Encapsulation
  • VPN
  • IPSec

PK Enabling Implementations
– Single sign on
– Wireless applications
– Virtual private networks
– Web authentication
– Content management
– Intrusion detection
– Network management
– Secure e-mail (S/MIME)
– Database Access Control

Enabling method by application type:
Native APIs (OS- or product-specific): new PKI-enabled applications
Shims: legacy applications
Plug-ins: PKI-aware applications

Best practices
• Requirements Analysis
• Mission Linkage
• Cost Analysis
• Risk Analysis
• Pilot Testing
• Program Evaluation
• Implementation
• Re-Evaluation
Cost of PK Enabling an Application?
The first step in Public Key Enabling an application is to perform a requirements assessment. Generally, this involves understanding exactly what functions the application is required to accomplish.
The principal factors that must be considered when cost estimating the PK enabling of an application are as follows:
• The present architecture of the system
• Method of PK enabling
• Hardware
• Software
• Training
• Manpower
• Travel
• Testing

Cost/benefit factors: Process Improvement, Costs, Compliance, Risk, Total Cost of Investment (TCO), Return on Investment (ROI)
ROI for PK Enabling?
ROI Factors
– Compliance with Policy
– Risk Reduction
– Process improvements
– Overall Cost reduction
– Fewer errors, downtime, or lost productivity

Option-Based Pricing
Treats the outcome of investing in one stage/phase of a project as a prerequisite for the next
Valuation is more complex
Useful for justifying pilot projects

Pay-Back Analysis
Looks at the time required to recoup the investment (also called breakeven time)
Helps to quantify risk exposure
Undercounts upside project benefits
6-9 month payback is a good rule of thumb

Purchase Justification: Calculations
TCO = Total Costs of Ownership
NPV = PV(Benefits) – PV(Costs)
Payback Time = T where Σ(Benefits)_t = Σ(Costs)_t
ROI = (Benefits – Costs) / Costs
ROO = (Benefits to Business Growth – Costs) / Costs

Different Methodologies, Different Factors, Different Cost Basis
Conclusion
Benefits of PKI/PKE
Stronger authentication than userid/password
Easier management and administration of devices
Investment in secure infrastructure can be leveraged for additional applications
Reduced risk of data loss / theft
Privacy and integrity of data
Authentication of user
User accountability to data
Centralized control of trust policies and parameters
Provable chain of evidence as to the authenticity of documents
Authorization to access documents based on user authentication

Call us: (210) 925-2562, DSN Prefix 945
Fax us: (210) 925-2641/2644, DSN Prefix 945
Visit us on the Web: https://afpki.lackland.af.mil/
Visit us: 4241 E. Piedras Dr., Suite 210, San Antonio, TX
Write us: 4241 E. Piedras Dr., Suite 210, San Antonio, TX