CDSA and the Entrust PKI Stephen Hillier Chief Software Architect Director, Strategic Development Entrust Technologies Limited

About Entrust Technologies • A leading provider of Public Key Infrastructure security products • Headquarters in Richardson, TX with offices in: – New York, McLean, San Francisco, Los Angeles, San Diego, Menlo Park, Philadelphia, Boston, St. Louis, Raleigh, Chicago, Ottawa, Toronto, Montreal, UK, Switzerland and Germany. Entrust Proprietary

2

What defines a PKI? • Comprehensive set of functions required to provide trusted public-key encryption and digital signature services, including: – – – –

Enterprise Certification Authority functions Full Certificate & Key lifecycle management Support for Non-repudiation Consistent and controlled trust model

• Establishes and maintains trustworthy extended environment Entrust Proprietary

3

Certification Authority Functions • CA certificate signing • Certificate Repository • Certificate Revocation • Cross Certification • Key Backup and Recovery • Key History

Entrust Proprietary

Cross-certification

Certification Authority

Key Histories

Key Backup & Recovery

Certificate Repository

Certificate Revocation

4

Certificate/Key Lifecycle Management • Automatic Certificate/Key update • Key backup and recovery • Certificate/Key History

Key Histories

Key Backup & Recovery

Automatic Key Update

Entrust Proprietary

5

Non-repudiation Support • Two key pair system • Timestamping services • Notary services • Secure long term storage

Entrust Proprietary

Support for Non-repudiation

6

Consistent and Controlled Trust Model • Certification Authority • Client-side Software • Cross-certification

Cross-certification

Certification Authority

Client-side Software

Entrust Proprietary

7

The Complete PKI Cross-certification

Certification Authority

Key Histories

Support for Non-repudiation

Key Backup & Recovery

Certificate Repository

Client-side Software Entrust Proprietary

Automatic Key Update

Certificate Revocation

8

Important Consideration - Openness • Client to CA interactions – PKCS 10/7, IETF-PKIX

• CA to CA interactions – PKCS 10/7, IETF-PKIX

• Client to Client interactions – S/MIME, SSL, GSS-SPKM, IPSEC, …

• Application to Security Framework interactions – CDSA, MS Crypto API, ... Entrust Proprietary

9

Application to Security Framework Interaction • High-level APIs are best for applications developers – Application developers shouldn’t need to be security experts

• Security frameworks provide flexibility to security providers and end customers – need to easily support multiple trust/security models

Entrust Proprietary

10

APIs versus SPIs Application

API

Control Software

High level API

Not Defined

Common Security Mechanisms

SPI

CSSM

Service Providers

Entrust Proprietary

CDSA

CSP

TLI

CLI

DLI

11

CDSA and the Entrust PKI • CDSA provides framework to provide flexible client side security • Plug-in components to support: – Entrust FIPS 140-1 CSP – Automatic Certificate/Key Lifecycle – Certificate verification (including crosscertificates) – consistent trust/policy decisions – certificate repository access

High Level APIs Common Security Mechanisms CSSM Entrust CSP

TPI & CLI based on Entrust CMS API

DLI

CDSA Security Framework

• High level APIs for security mechanisms Entrust Proprietary

12

Generalized Application Security Framework Applications C o m m o n

L o g o n

High Level Security APIs

Entrust Engine

Security Mechanisms (MS CAPI)

Security Mechanisms (CDSA)

MS CAPI

CSSM

WinTrust

Entrust CSP

SLO Control

SSL, Streams, PKCS 7

Entrust Cert Store

Entrust CSP

TPI & CLI based on Entrust CMS API

DLI

Entrust Java Toolkit (Security Mechanisms) JSA/JCE Java VM

Common Storage, PKI, Token - PKCS 11, SCPC, E-Profile, LDAP, ADSAPI, PKIX Entrust Security Framework

Entrust Proprietary

MS CAPI Security Framework

CDSA Security Framework

Java Security Framework

13