How To Secure Mission Critical Applications Using Cryptography and Hardware Security Module www.aepnetworks.com The Key Distribution Challenge • Data link encryption requires a shared secret key, that is only known to both ends Cleartext Cleartext Encrypted Z1 Cleartext Z2 • Some of our competitors use physical Key Distribution • We can use Diffie-Hellman (D-H) for Key Negotiation • Dynamic (re)negotiation of shared secret key, as required • But, without endpoint authentication this is susceptible to the man in the middle attack www.aepnetworks.com Public Key Infrastructure (PKI) • A system used to manage Digital Certificates • Certificate Authority (CA) – Certificate Issuance: responding to certificate requests – Certificate Revocation: Certificate Revocation List (CRL) www.aepnetworks.com Function of CA’s Private Key CA Frontend Policy Manager LDAP Management System HSM CA Private Key Store Signs certificate requests (PKCS#10) Signs CRL Data Centre HQ Encrypted management traffic Branch Office Unencrypted management traffic www.aepnetworks.com Certified Encryptors Pass Traffic Management System HSM Data Centre HQ Encrypted data Branch Office Unencrypted data www.aepnetworks.com IPSec Tunnel (SA) Establishment Cleartext Encrypted Z1 1. 2. 3. 4. 5. 6. 7. 8. Cleartext Z2 Z1 starts negotiation by sending challenge to Z2 - "challenge" data is unique for each negotiation Z2 responds by sending its challenge to Z1 Z1 signs Z2's challenge and sends the signature and its own digicert to Z2 Z2 uses Z1's digicert to verify the signature and the validity of Z1 If 4 is OK, Z2 uses some of Z1's challenge material to derive the session keys. Z2 then signs Z1's challenge and sends the signature and its own digicert to Z1 Z1 uses Z2's digicert to verify the signature and the validity of Z2 If 6 is OK, Z1 uses some of Z2's challenge material to derive the session keys Trust and SA (including session keys) are established www.aepnetworks.com Role of Digital Certificate • Digital certificate asserts (according to the issuing CA) – Unit is a trusted component of the PKI – Unit’s key (pair) is explicitly associated with that unit – Any Cryptographic Policy • SA establishment process verifies – Certificates are issued by same CA – Other unit’s key (pair) matches that in its certificate – Therefore, endpoint is authenticated www.aepnetworks.com Cryptographic Communities of Interest X.509v3 Certificate CCOI Community: Department A X.509v3 Certificate CCOI Community: Department B Management System HSM Accredited cryptographic isolation separates Mgmt System, Dept A CCOI, and Dept B CCOI using X509v3 certificate extensions www.aepnetworks.com A way to define Security of a PKI • Control of the CA’s Private Key means the ability to create/forge digital certificates • How well is the CA’s Private Key secured? www.aepnetworks.com Features of a good HSM • • • • Security Performance SW Interfaces 3rd Party Accreditation Supports • HTTPS establishment • CA Trust Anchor • Code signing • Secure DNS Hardware Security Module Platform PCI, or Ethernet e.g. Linux, Windows www.aepnetworks.com HSM Security • High quality key generation – Based on high quality entropy • Tamper Reactive – Securing both the keys and product itself • • • • • Health check of cryptographic mechanisms before use Multi-part user authorization schema Secure Key backup Audit trail Assured Manufacturing – From components to received product, audited by 3rd party • Security needs to be designed in from the beginning • High Availability www.aepnetworks.com HSM DR Primary Management System Alternate Management System HSM HSM HSM Secured Key Replication Public Network www.aepnetworks.com HSM Performance • Must meet peak demands of applications • In a real world context • Support for a range of algorithms www.aepnetworks.com HSM Software Interfaces • Support for Standards – PKCS#11 – MS-CAPI www.aepnetworks.com HSM 3rd Party Accreditation • FIPS 140-2 Level 4 www.aepnetworks.com Integrated Encryptor / HSM Architecture Management System Remote worker Remote worker Remote worker HSM Mgmt Public Internet, Private MPLS Data Centre HQ Encrypted traffic Branch Office Branch Office Branch Office Branch Office+ Unencrypted traffic www.aepnetworks.com
© Copyright 2024