CDSA and the Entrust PKI
Stephen Hillier
Chief Software Architect
Director, Strategic Development
Entrust Technologies Limited
About Entrust Technologies
• A leading provider of Public Key Infrastructure security products
• Headquarters in Richardson, TX with offices in:
  – New York, McLean, San Francisco, Los Angeles, San Diego, Menlo Park, Philadelphia, Boston, St. Louis, Raleigh, Chicago, Ottawa, Toronto, Montreal, UK, Switzerland and Germany.
Entrust Proprietary
What defines a PKI?
• Comprehensive set of functions required to provide trusted public-key encryption and digital signature services, including:
  – Enterprise Certification Authority functions
  – Full Certificate & Key lifecycle management
  – Support for Non-repudiation
  – Consistent and controlled trust model
• Establishes and maintains trustworthy extended environment
Certification Authority Functions
• CA certificate signing
• Certificate Repository
• Certificate Revocation
• Cross Certification
• Key Backup and Recovery
• Key History
[Diagram: Certification Authority at the centre, linked to Cross-certification, Key Histories, Key Backup & Recovery, Certificate Repository and Certificate Revocation]
Certificate/Key Lifecycle Management
• Automatic Certificate/Key update
• Key backup and recovery
• Certificate/Key History
[Diagram: Key Histories, Key Backup & Recovery, Automatic Key Update]
Non-repudiation Support
• Two key pair system
• Timestamping services
• Notary services
• Secure long term storage
[Diagram: Support for Non-repudiation]
Consistent and Controlled Trust Model
• Certification Authority
• Client-side Software
• Cross-certification
[Diagram: Cross-certification, Certification Authority, Client-side Software]
The Complete PKI
[Diagram: Certification Authority with Cross-certification, Key Histories, Support for Non-repudiation, Key Backup & Recovery, Certificate Repository, Client-side Software, Automatic Key Update and Certificate Revocation]
Important Consideration - Openness
• Client to CA interactions – PKCS 10/7, IETF-PKIX
• CA to CA interactions – PKCS 10/7, IETF-PKIX
• Client to Client interactions – S/MIME, SSL, GSS-SPKM, IPSEC, …
• Application to Security Framework interactions – CDSA, MS Crypto API, ...
Application to Security Framework Interaction
• High-level APIs are best for application developers
  – Application developers shouldn't need to be security experts
• Security frameworks provide flexibility to security providers and end customers
  – need to easily support multiple trust/security models
APIs versus SPIs
[Diagram, top to bottom: Application; API; Control Software (High level API, Not Defined); Common Security Mechanisms; SPI; CSSM; Service Providers: CSP, TLI, CLI, DLI (CDSA)]
CDSA and the Entrust PKI
• CDSA provides a framework for flexible client-side security
• Plug-in components to support:
  – Entrust FIPS 140-1 CSP
  – Automatic Certificate/Key Lifecycle
  – Certificate verification (including cross-certificates)
  – consistent trust/policy decisions
  – certificate repository access
• High level APIs for security mechanisms
[Diagram: CDSA Security Framework: High Level APIs; Common Security Mechanisms; CSSM; Entrust CSP; TPI & CLI based on Entrust CMS API; DLI]
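Cross-certification, listed under the Certification Authority functions and the trust model and included in the certificate-verification bullet above, is what lets a relying party in one CA domain accept certificates issued in another. The following added example is not Entrust's code and not part of the original deck: it uses Go's standard crypto/x509 path builder in place of the CDSA trust-policy and certificate-library plug-ins, and the CA names, the P-256 keys and the end-entity name "alice" are constructed for the demonstration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue returns a certificate naming subj and carrying pub, signed by parent with
// parentKey (pass parent == nil for a self-signed root); it panics on any error.
func issue(subj string, pub *ecdsa.PublicKey, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed serial number
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: subj},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { // only CAs may sign certificates; Go's verifier enforces this bit
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// CrossCertDemo builds two CA domains, has CA B cross-certify CA A's key, and reports
// whether an end entity issued by A verifies for a relying party that trusts only B,
// first with the cross-certificate available and then without it.
func CrossCertDemo() (withCross, withoutCross bool) {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	keyA, keyB, keyEE := newKey(), newKey(), newKey()
	rootA := issue("CA Domain A", &keyA.PublicKey, true, nil, keyA)
	rootB := issue("CA Domain B", &keyB.PublicKey, true, nil, keyB)
	cross := issue("CA Domain A", &keyA.PublicKey, true, rootB, keyB) // B vouches for A's key
	alice := issue("alice", &keyEE.PublicKey, false, rootA, keyA)
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(rootB) // the relying party's only trust anchor
	inter.AddCert(cross)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, err := alice.Verify(opts)
	withCross = err == nil
	opts.Intermediates = x509.NewCertPool() // same trust anchor, no cross-certificate
	_, err = alice.Verify(opts)
	return withCross, err == nil
}
```

CrossCertDemo returns (true, false): the relying party that trusts only CA B accepts alice's certificate exactly while CA B's cross-certificate for CA A is available to the path builder.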
Generalized Application Security Framework
[Diagram: Applications on top, with a Common Logon bar alongside the High Level Security APIs; beneath them the Entrust Engine and three stacks of Security Mechanisms: the MS CAPI Security Framework (MS CAPI, WinTrust, Entrust CSP, SLO Control, SSL/Streams/PKCS 7, Entrust Cert Store), the CDSA Security Framework (CSSM, Entrust CSP, TPI & CLI based on Entrust CMS API, DLI) and the Java Security Framework (Entrust Java Toolkit (Security Mechanisms), JSA/JCE, Java VM); at the base, Common Storage, PKI, Token - PKCS 11, SCPC, E-Profile, LDAP, ADSAPI, PKIX (Entrust Security Framework)]