Enterprise Key Management Infrastructure (EKMI), Arshad Noor, OASIS


  1. Enterprise Key Management Infrastructure (EKMI)
     Arshad Noor
     OASIS Adoption Forum, London, November 27-29, 2006

  2. Business Drivers
     ● Payment Card Industry Data Security Standard
     ● HIPAA, GLBA, CA SB-1386 (+ 33 US states)
     ● EU Data Protection Directive (Article 16)
     ● Staying in business: ChoicePoint, Cardsystems
     ● Avoiding fines: ChoicePoint $15M
     ● Avoiding negative publicity: Intuit, BofA, Wells Fargo, HSBC, Lexis-Nexis, Ralph Lauren, DSW, University of California (LA, SD, Berkeley, Davis), US Veterans Administration, etc.

  3. Encryption Layers (diagram, top to bottom)
     ● Data-in-Use: Inside Application
     ● Data-in-Motion: Network (typically already encrypted with SSL or IPSec)
     ● Data-at-Rest: Database Driver; Inside Database; File-system Driver in OS; Device Driver in OS; Disk/Tape Firmware

  4. Exposure-Spread (diagram): vulnerability due to exposure of unencrypted data across the layers
     ● Application
     ● Network
     ● Database or DB Driver
     ● Operating System and its Drivers
     ● Disk

  5. Choices for encryption (table: Encryption Location / Pros / Cons / Notes)
     Application
       Pros:  1) Secure everywhere; 2) Encrypt only once; 3) Database independent; 4) OS independent
       Cons:  a) Must modify application; b) Must modify DB schema
       Notes: Needs key management for each application
     Database Driver (ODBC, JDBC, etc.)
       Pros:  1) Transparent to application; 2) OS independent
       Cons:  a) Secure only past DB driver; b) Needs network protection; c) Must modify DB schema
       Notes: Needs key management for each type of DB driver
     Inside Database
       Pros:  1) Transparent to application; 2) OS independent
       Cons:  a) Secure only inside database; b) Needs network protection; c) Must modify DB schema
       Notes: Needs key management for each type of database
     Driver for files in OS
       Pros:  Transparent to database and application
       Cons:  a) Secure only inside OS driver; b) Needs network protection
       Notes: Needs key management for each type of OS
     Driver for disks in OS
       Pros:  Transparent to database and application
       Cons:  a) Secure only inside OS driver; b) Needs network protection; c) Needs protection outside disk
       Notes: Needs key management for each type of OS
     Firmware in disks and tape drives
       Pros:  Transparent to database, application and OS
       Cons:  a) Secure only on disk or tape; b) Needs protection outside the disk or tape
       Notes: Needs key management for each type of disk or tape

  6. Key Management Silos... (diagram: many applications, each "Database or DB Driver" and each "OS or its Drivers" carries its own key management (KM) instance; the PKI sits beside them on the network, with separate key-management connections to every silo)

  7. ....or KM Harmony? (diagram: the same applications, databases/DB drivers and OS drivers all connect over the network to a single EKMI, made up of the PKI and the SKMS)

  8. What is an EKMI?
     ● An Enterprise Key Management Infrastructure is "A collection of technology, policies and procedures for managing all cryptographic keys in the enterprise"
       – A single place to define key-management policy for symmetric and asymmetric (PK) keys
       – Standard protocols for key-management services
       – Operating System, Database & Application independent
       – Scalable for any size enterprise
       – Highly-available (works even during network failures)
       – Extremely secure

  9. EKMI Architecture
     ● Public Key Infrastructure
       – Traditional asymmetric key-management and X.509 certificates
       – For strong-authentication and secure key-transport in symmetric key-management
     ● Symmetric Key Management System (2 parts)
       – Symmetric Key Services (SKS) server
         ● For key-generation, escrow and recovery
       – Symmetric Key Client Library (SKCL)
         ● For integrating applications to use the SKS

  10. SKMS – The big picture
     (diagram: on the client side, Java, RPG and C/C++ applications call the SKCL, natively via RPGNI/JNI, and the SKCL has its own Crypto Module and Key Cache; across the network, the SKS Application Server has a DB Server and a Crypto Module)
     1. Client Application makes a request for a symmetric key
     2. SKCL makes a digitally signed request to the SKS
     3. SKS verifies SKCL request, generates, encrypts, digitally signs & escrows key in DB
     4. Cryptographic HSM provides security for RSA Signing & Encryption keys of SKS
     5. SKS responds to SKCL with signed and encrypted symmetric key
     6. SKCL verifies response, decrypts key and hands it to the Client Application
     7. Native (non-Java) applications make requests through Java Native Interface

  11. Symmetric Key Server
     ● SKS contains all symmetric encryption keys
     ● Generates, escrows and retrieves keys
     ● ACLs authorizing access to encryption keys
     ● Central policy for symmetric keys:
       – Key-size, key-type, key-lifetime, etc.
     ● Accepts SKSML protocol requests
     ● Functions like a DNS-server

  12. SKCL
     ● Symmetric Key Client Library communicates with Symmetric Key Server
     ● Requests (new or existing) symmetric keys
     ● Caches keys locally, per key-cache policy
     ● Encrypts & Decrypts data, per key-use policy
       – Currently supports 3DES, AES-128, AES-192 & AES-256
     ● Makes SKSML requests
     ● Functions like DNS-client library

  13. SKSML Protocol
     ● XML-based protocol for
       – Requesting new symmetric key(s) from SKS server, when
         ● Encrypting new information, or
         ● Rotating symmetric keys for existing ciphertext
       – Requesting existing symmetric key(s) from SKS server for decrypting previously encrypted ciphertext
       – Requesting key-cache-policy information for client
     ● Why XML and not ASN.1?
     ● Being submitted to OASIS EKMI-TC for potential standardization on royalty-free basis

  14. Request for a new key
     <symkey:SymkeyRequest xmlns:symkey="http://www.strongauth.com/2006/01/symkey">
       <gkid>0-0</gkid>
     </symkey:SymkeyRequest>
     ● Global Key ID
       – Concatenation of "Server ID" - "Key ID"
       – 0-0 is a request for a new symmetric key
     ● No need for
       – Requester ID or authentication; request is digitally signed inside SOAP header
       – Key information; policy is embedded in the symmetric key

  15. Request for existing key
     <symkey:SymkeyRequest xmlns:symkey="http://www.strongauth.com/2006/01/symkey">
       <gkid>1-234</gkid>
     </symkey:SymkeyRequest>
     ● Requester must have authorization for 1-234
     ● Authorization can be granted based on keys generated based on requests by
       – A single client
       – A group of clients
       – All clients

  16. Symmetric Key Response
     <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                        xmlns:symkey="http://www.strongauth.com/2006/01/symkey#">
       <ds:KeyInfo>
         <ds:KeyName>2-2</ds:KeyName>
       </ds:KeyInfo>
       <xenc:CipherData>
         <xenc:CipherValue>CKd4hXZkFGXagTaSPXfOzGgmRVQDik377GZ8hbXfL/XxyzynxGRCS1QUusbgSBqXqjq8goRLcb6lrDtyM+q3MeWIv0/BAoZyUJrGGflSJ7OqVwH1vClmhrMfqPmPTWlvBznsPJeG9ICb/kPNFQEFyn8Y8pRnbgc38XkMl7uPWAo=</xenc:CipherValue>
       </xenc:CipherData>
       <xenc:EncryptionProperties>
         <xenc:EncryptionProperty>
           <symkey:KeyUsePolicy>
             <symkey:pid>4</symkey:pid>
             <symkey:name>DES-EDE KeyUsePolicy</symkey:name>
             <symkey:start_date>1969-12-31 16:00:00.0</symkey:start_date>
             <symkey:end_date>1969-12-31 16:00:00.0</symkey:end_date>
             <symkey:duration>0</symkey:duration>
             <symkey:tx_allowed>10</symkey:tx_allowed>
             <symkey:policy_type>Tx</symkey:policy_type>
             <symkey:algorithm>http://www.w3.org/2001/04/xmlenc#tripledes-cbc</symkey:algorithm>
             <symkey:keysize>192</symkey:keysize>
             <symkey:status>Active</symkey:status>
           </symkey:KeyUsePolicy>
         </xenc:EncryptionProperty>
       </xenc:EncryptionProperties>
     </xenc:EncryptedKey>

  17. Symmetric Key Fault
     <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
       <SOAP-ENV:Header>
         ERROR: Other error reported; please review logs for details
         Server error message is: No authorization to request this key: 2-2; if you believe this response is an error, please contact your Security Officer
       </SOAP-ENV:Header>
       <SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                      wsu:Id="XWSSGID-11546444952951942616024">
         <SOAP-ENV:Fault>
           <faultcode xmlns:skf="http://www.strongauth.com/2006/01/symkey#SymkeyFault">skf:SymkeyFault</faultcode>
           <faultstring>symkey.sks.msg.severe.0085</faultstring>
           <detail>
             <EndEntity>
               <EEID>2</EEID>
               <DN>O=StrongAuth Inc,OU=For DEMO Use Only,CN=POS Register 222,UID=2</DN>
               <Status>Active</Status>
             </EndEntity>
             <Request>
               <RID>3</RID>
               <GKID>2-2</GKID>
               <Timestamp>2006-08-03 15:34:55.0</Timestamp>
               <Disposition>Failed</Disposition>
             </Request>
           </detail>
         </SOAP-ENV:Fault>
       </SOAP-ENV:Body>
     </SOAP-ENV:Envelope>
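Added example, not code from the slides or from StrongAuth's SKCL: a small client-side helper in Python that builds the SymkeyRequest body of slides 14 and 15, parses the EncryptedKey response of slide 16 into a cached key together with its KeyUsePolicy, enforces the transaction-count (Tx) policy before each use the way slide 12 says the SKCL applies key-use policy, and recognises the SOAP SymkeyFault of slide 17. The sample response and fault are constructed from the slides' messages with a made-up CipherValue; the signed SOAP header around the request and the RSA unwrapping of the key by the client's crypto module are assumed to happen elsewhere and are not shown.

```python
# Client-side SKSML message handling modelled on slides 14-17.
# Hypothetical helper, not the StrongAuth SKCL. Request signing and the
# unwrapping of the CipherValue belong to the client's crypto module.
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SYMKEY_NS = "http://www.strongauth.com/2006/01/symkey"   # request namespace (slide 14)
SYMKEY_POLICY_NS = SYMKEY_NS + "#"                        # policy namespace (slide 16)
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
NEW_KEY_GKID = "0-0"


def parse_gkid(gkid):
    """Split a Global Key ID 'ServerID-KeyID' into its two numeric parts."""
    server_id, key_id = gkid.split("-", 1)
    return int(server_id), int(key_id)


def is_new_key_request(gkid):
    """0-0 asks the SKS to generate a new key; anything else names an existing key."""
    return parse_gkid(gkid) == (0, 0)


def build_symkey_request(gkid):
    """Serialise the SymkeyRequest body; the requester is identified by the signed SOAP header."""
    ET.register_namespace("symkey", SYMKEY_NS)
    root = ET.Element(f"{{{SYMKEY_NS}}}SymkeyRequest")
    ET.SubElement(root, "gkid").text = gkid
    return ET.tostring(root, encoding="unicode")


@dataclass
class KeyUsePolicy:
    pid: int
    name: str
    policy_type: str      # "Tx" = limited number of transactions
    tx_allowed: int
    algorithm: str
    keysize: int
    status: str


@dataclass
class CachedKey:
    gkid: str
    wrapped_key: bytes    # still RSA-encrypted for the client; unwrap in the crypto module
    policy: KeyUsePolicy
    tx_used: int = 0

    def authorize_use(self):
        """Apply the key-use policy before one encrypt/decrypt and count the transaction."""
        if self.policy.status != "Active":
            return False
        if self.policy.policy_type == "Tx" and self.tx_used >= self.policy.tx_allowed:
            return False
        self.tx_used += 1
        return True


def parse_encrypted_key(enc):
    gkid = enc.findtext(f"{{{DS_NS}}}KeyInfo/{{{DS_NS}}}KeyName")
    cipher_b64 = enc.findtext(f"{{{XENC_NS}}}CipherData/{{{XENC_NS}}}CipherValue")
    pol = enc.find(f".//{{{SYMKEY_POLICY_NS}}}KeyUsePolicy")
    if gkid is None or cipher_b64 is None or pol is None:
        raise ValueError("malformed EncryptedKey response")

    def field(name):
        return pol.findtext(f"{{{SYMKEY_POLICY_NS}}}{name}", "").strip()

    policy = KeyUsePolicy(int(field("pid")), field("name"), field("policy_type"),
                          int(field("tx_allowed")), field("algorithm"),
                          int(field("keysize")), field("status"))
    # Base64 in the slide is wrapped across lines; drop the whitespace before decoding.
    return CachedKey(gkid, base64.b64decode("".join(cipher_b64.split())), policy)


def parse_fault(fault):
    return {
        "faultcode": fault.findtext("faultcode", "").strip(),
        "faultstring": fault.findtext("faultstring", "").strip(),
        "gkid": fault.findtext("detail/Request/GKID"),
        "disposition": fault.findtext("detail/Request/Disposition"),
    }


def handle_response(xml_text):
    """Return a CachedKey for an EncryptedKey, or a dict describing a SOAP SymkeyFault."""
    root = ET.fromstring(xml_text)
    fault = root if root.tag == f"{{{SOAP_NS}}}Fault" else root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        return parse_fault(fault)
    enc = root if root.tag == f"{{{XENC_NS}}}EncryptedKey" else root.find(f".//{{{XENC_NS}}}EncryptedKey")
    if enc is None:
        raise ValueError("response is neither an EncryptedKey nor a Fault")
    return parse_encrypted_key(enc)


# Constructed sample messages (shapes taken from slides 16 and 17, CipherValue made up).
_WRAPPED = base64.b64encode(b"constructed wrapped key bytes").decode()
SAMPLE_KEY_RESPONSE = f"""<xenc:EncryptedKey xmlns:xenc="{XENC_NS}" xmlns:ds="{DS_NS}"
    xmlns:symkey="{SYMKEY_POLICY_NS}">
  <ds:KeyInfo><ds:KeyName>2-2</ds:KeyName></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>{_WRAPPED}</xenc:CipherValue></xenc:CipherData>
  <xenc:EncryptionProperties><xenc:EncryptionProperty><symkey:KeyUsePolicy>
    <symkey:pid>4</symkey:pid><symkey:name>DES-EDE KeyUsePolicy</symkey:name>
    <symkey:tx_allowed>10</symkey:tx_allowed><symkey:policy_type>Tx</symkey:policy_type>
    <symkey:algorithm>{XENC_NS}tripledes-cbc</symkey:algorithm>
    <symkey:keysize>192</symkey:keysize><symkey:status>Active</symkey:status>
  </symkey:KeyUsePolicy></xenc:EncryptionProperty></xenc:EncryptionProperties>
</xenc:EncryptedKey>"""
SAMPLE_FAULT = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}">
  <SOAP-ENV:Header>ERROR: No authorization to request this key: 2-2</SOAP-ENV:Header>
  <SOAP-ENV:Body><SOAP-ENV:Fault>
    <faultcode xmlns:skf="{SYMKEY_NS}#SymkeyFault"> skf:SymkeyFault </faultcode>
    <faultstring>symkey.sks.msg.severe.0085</faultstring>
    <detail><Request><RID>3</RID><GKID>2-2</GKID><Disposition>Failed</Disposition></Request></detail>
  </SOAP-ENV:Fault></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

if __name__ == "__main__":
    print(build_symkey_request(NEW_KEY_GKID))
    key = handle_response(SAMPLE_KEY_RESPONSE)
    print(key.gkid, key.policy.name, [key.authorize_use() for _ in range(11)])
    print(handle_response(SAMPLE_FAULT))
```

The point of keeping the policy next to the key in the cache is the one slide 14 makes: the client never sends key parameters, it receives them embedded with the key, so the SKCL can refuse the eleventh use of a Tx policy key without another round trip to the SKS. A faultcode of skf:SymkeyFault with an authorization message is the expected outcome when a client asks for a GKID outside its ACL, and is worth logging on the client as well as on the server.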
