Certificate and Key Storage
Tokens and Software

Mark Swyers
VeriSign, Inc.
[email protected]

Key Storage Considerations
+ Many different ways to store a certificate and private key
+ The application will usually dictate the appropriate method
+ Concerns include:
  ▪ Security
  ▪ Portability
  ▪ Functionality
  ▪ Usability
  ▪ Manageability
  ▪ Expense

Software-Based Certificates
+ Several different software stores
  ▪ Microsoft CAPI
  ▪ Netscape certificate database
  ▪ Macintosh keyring
  ▪ Java keystores
  ▪ Vendor specific – VeriSign Personal Trust Agent
+ Pros
  ▪ Browser based, so easy to use
  ▪ Inexpensive – no new infrastructure – easy distribution
+ Cons
  ▪ Locks user to desktop
  ▪ Desktop management
  ▪ Cannot control password use

PKI Tokens
+ Generally provide greater security than software certificates
  ▪ Can require PINs or passwords, even biometric authentication
  ▪ Keys usually cannot be exported
  ▪ Tokens can be locked in a safe when not in use
  ▪ FIPS (Federal Information Protection Standard) 140 rated
+ Provide better portability than software certificates
  ▪ Can be used on multiple machines while maintaining only one copy of the private key
  ▪ Have the capacity to hold multiple keys and certificates
+ Challenges
  ▪ Typically require installation of drivers
  ▪ May require a separate reader
  ▪ End user acceptance
  ▪ Token lifecycle management: distribution, forgotten/lost/broken tokens
  ▪ Cost

Smart Cards
+ Can support multiple forms of access
  ▪ Physical access to building
  ▪ Logical access to workstation
+ Can double as ID card
  ▪ Can print photo and other info
  ▪ Can support a magnetic stripe
+ Requires a reader
  ▪ Contact or contactless (proximity)
+ Examples
  ▪ FIPS 201 standard for HSPD-12
  ▪ DoD Common Access Card
  ▪ DOI Employee ID Cards
  ▪ University ID cards

USB Tokens
+ Many form factors
  ▪ PKI only
  ▪ PKI with One-Time Password
  ▪ PKI with OTP and storage
+ Easily portable
  ▪ Ensures tokens travel with the user (e.g. when attached to car keys)
+ Most computers have USB ports
+ Better for consumers and when you don't have control over the user environment

VeriSign Approach – Flexible Authentication Platform
+ Credential types on the platform (diagram labels):
  ▪ Multi-Function Token (OTP & USB Smart Card)
  ▪ Multi-Function Token with Secure Storage
  ▪ PKI-USB Token
  ▪ Cost-Effective OTP
  ▪ Smart Card For Physical & Network Access
  ▪ VeriSign Unified Authentication
  ▪ Mobile Devices
  ▪ Soft Certificate And Soft OTP
+ Many Credential Types – One Integrated Platform – One Strategic Vendor
© Copyright 2024