The World Internet Security Company

Practical Experiences of PKI-enabled Applications and Implications for Mass Deployment of e-IDs
Conference on
Cryptology and digital Content Security An activity of MATHESS, a NEST coordination activity of the EC CRM, Bellaterra, 15 de mayo 2007

Victor Canivell, CEO, Wisekey ELA

Agenda
The World Internet Security Company

On Wisekey PKI today: - challenges - PKI & PKO - DNI-e Mass deployments tools: - Wisekey CertfyID Blackbox Wisekey references Conclusions

Wisekeys development
The World Internet Security Company

1999

Developing Countries
Deploying infrastructures with the ITU

Technology Platform
Unicert Gold CA Platform (HP)

2001

e-Voting
first ever binding Internet Vote Biometric enabled PKI evoting for Blind

Bronze Box (RA System)

eVoting Solutions

2003

Digital TV Apps Protection

Securing the Digital Video Broadcasting Infrastructure

Intelligent cities
DestiNY USA

Customised Identity & Secuity Solutions

2005
Device & Content Protection Object eIDs
Securing objects (silicon, luxury goods, materials)

NIS partnership
Microsoft, HP, WISeKey ID cards, drivers permits, passports...

Birth of CertifyID Platform

Trust Service Blackbox for Enterprise Validation Solutions Signing Solutions TrustEcoSystem

Biometrics, PKI, DRM, Physical & Logical Secuirty

2007

Secure Video Processor Alliance

Wisekey SA
The World Internet Security Company

Geneva, Switzerland, 1999 e-ID specialization Our vision is to enable the volume deployment of eIDs in a way that is cost effective and easy to integrate with existing IT backbones From supplier of digital certificates to supplier of certificate-enabled solutions and services On site, hosted, managed and/or ASP models Signs a strategic e-ID partnership with Microsoft (Brussels, June 2006) M.DeSmedt ex SrVP MSFT EMEA becomes an investor and Board Member in 2007

Wisekey ELA
The World Internet Security Company

Joint venture of Wisekey SA and Veliba-Sectec for the development of the business model in Spain and LatinAmerica Initiates operations as of 2007 in Madrid, Barcelona, Bilbao Secure facility under construction in Bilbao 2008 Initiates operations in LatinAmerica for local joint ventures

Agenda
The World Internet Security Company

On Wisekey PKI today: - challenges - PKI & PKO - DNI-e Mass deployments tools: - Wisekey CertfyID Blackbox Wisekey references Conclusions

Internet: (great) success with (some) challenges

The World Internet Security Company

Internet has scaled over four decades - showing exponential growth - and becoming mission critical Internet continues to augment its bandwidth - Internet2 - IPv6 But Internet suffers from architecture constraints related to some of its founding assumptions: - principle of trust - computers always in fixed locations and always connected

An old problem
The World Internet Security Company

On the Internet, nobody knows youre a dog!

The New Yorker,1993

Exponential growth in e-IDs

The World Internet Security Company

No. of e-IDs
Business Partners Automation (B2B)
Company (B2E)

Customers (B2C)
Mobility

Internet Client Server Mainframe Pre 1980s 1980s 1990s

plus all devices to be tracked!!

Time
2000s

Supply chain openness = more e-IDs

The World Internet Security Company

Customer satisfaction & customer intimacy Cost competitiveness Reach, personalization

Customers

Suppliers
Collaboration Outsourcing Faster business cycles; process automation Value chain

Employees
M&A Mobile/global workforce Flexible/temp workforce

Remote employees

Partners

Demand vectors
The World Internet Security Company

27.000 phishing sites (RSA Jan. 07)

Malware in 40% of systems (Panda)

The best antidote

The World Internet Security Company

Note to The best antidote

The World Internet Security Company

Yes, PKI but we must not forget* that security (1) is a chain; its only as secure as its weakest link (2) is a process, not a product
* Bruce Schneier

Applicability
The World Internet Security Company

Usage

Access Control

Email encryption And signature

User management

Mobile Data Encryption

Digital Signature Data Encryption

Digital Identity

Intranet/Extranet Access Management

The PKI components

The World Internet Security Company

Technology platform Policies and procedures Trust model

The perception of PKI success

The World Internet Security Company

No and/or limited volume PKI deployments

but
In fact they now exist (DNI-e et al.) The above refers to authenticating individuals in the meantime there is an explosion of authentication requirements for servers, devices, digital content, etc And, in fact, PKI-enabled solutions for addressing individuals are now becoming economically attractive The first issue to recognize is that we are dealing with an infrastructure element, and its attractiveness is a function of the ROI for the first solution it supports (einvoicing, email encryption, SSO, etc)

The classical barriers to PKI

The World Internet Security Company

Complexity Cost Lack of applications Lack of integration

PKI technology acceptance

The World Internet Security Company

PKIs ROI - Tangible & intangible - Current and future (perceptions) - Comparative to alternatives (incl. do-nothing) - Direct economic returns - Legislative drivers related to traceability McKinsey-Gartners new technology acceptance curve: - PKI is emerging embedded in many apps

PKI & PKO

The World Internet Security Company

Open PKI (Public Key Infrastructure) Integrated use of certificates to authenticate individuals across disparate public- and privatesector applications Closed PKI (Public Key Infrastructure) Use of broader PKI services but limited to use by one enterprise or a closed community of business partners, users or devices

PKO (Public Key Operations) Integrated use of certificates within one application or service for limited key management uses

Uses of PKI technologies today

The World Internet Security Company

DRIVERS

SCOPE

SIZE

NO. IN EU Tens

EXAMPLES

OPEN PKI

e-GOVERMENT G2C

RECOGNIZED

Millions

DNI-e

CLOSED PKI

B2B, B2C

ADVANCED

Thousands Thousands

SSO

PKO OPERATIONS

INTERNAL

STANDARD

Tens

Millions

em encryption

A case in point: DNI-e

The World Internet Security Company

Political agenda - EC Lisbon 2010 - e-government goals - EC Digital Signature Directive - Application to Spanish law - DNI-e project (across different party majorities) Volume deployment of certificates - 500k since March 2006 - Authentication and signature certs - New law in Parliament for Electronic Administration 2007 forces all public transactions via internet 2010

DNI-e impact
The World Internet Security Company

Infrastructures (keyboards et al.), public transactions and both individual and private sector awareness DNI-e as the registration facilitator for the obtention of other credentials Immediate complementary needs to surface: - other CAs - signature platforms - identity management across systems

What is now required

The World Internet Security Company

Solutions to emit and manage certificate lifecycles - in an economic manner - and easily integrateable (SOA) Value added services - time stamping - OCSP - secure vault - etc International interoperability schemes

Agenda
The World Internet Security Company

On Wisekey PKI today: - challenges - PKI & PKO - DNI-e Mass deployments tools: - Wisekey CertfyID Blackbox Wisekey references Conclusions

The World Internet Security Company

Vision: Mass Deployment

The World Internet Security Company

WISeKey : - Trust model international, neutral, commercially Microsoft Platform provides: acceptable, policy and governance structure - Commercially widespread platform - Full technology stack with tested and certified - Globally available support andDelivery through: training components - Certifications and accreditationsLocalEAL4) - (CC partners - Widespread knowledgeable &-technical resources - Secure infrastructure hosting, and operations Affiliates - Affiliate and partner network support - Strong security program & update/patch cycle - Certificate support in base engineering specs - Common interface and usage across product families

CertifyID Platform
The World Internet Security Company

Trust Service MS CA Web Svc API

Universal RA (URA) OCSP

Exchange SPS

CRL | Directory Svcs

Exchange, SPS, BizTalk, MMS, ISA SQL Server

SMS 2003, MOM

.Net Framework

Active Dicrectory

WMI Kerberos SmartCard PKI VPN

Microsoft Platform provides: MSMQ RAS - CC EAL4 certification - Industrial class millions of certificates Windows Media Services Transaction Service - Strong security program & update/patch cycle - Common interface andFile Service Distributed usage across product families IIS - Long term platform base
RMS APS .NET

Windows Kernel
Common Mgmt Infra Consistent Interfaces Single Sign-On

Visual Studio .NET

Windows Server

Mobile Info Server

Office 2003

Guardian

Timestamp ARM

3rd Party Product

MMS, ISA, AD

BizTalk CS2002

OISTE Trust Service

The World Internet Security Company

Trust Service MS CA Web Svc API Guardian CRL | Directory Svcs

Universal RA (URA) OCSP Timestamp ARM

Trust Service :

Exchange, SPS, BizTalk, MMS, ISA SQL Server

WISeKey verifies and certifies your organisations identity so that your users and devices electronic identities can be trusted and recognised globally.

SMS 2003, MOM

- Self or 3rd party audit depending on Trust Class .Net Framework Active Dicrectory - Global multilateral and commercial acceptability of eIDs MSMQ RAS - Microsoft Root Certificate Progam - Apple Leopard OS X 10.5 Windows Media Services Transaction Service - Mozilla, Nokia, etc. pending
Distributed File Service RMS IIS APS .NET

WMI Kerberos SmartCard PKI VPN

Windows Kernel
Common Mgmt Infra Consistent Interfaces Single Sign-On

Visual Studio .NET

Windows Server

CA Web Service SOA

The World Internet Security Company

Trust Service MS CA Web Svc API Guardian CRL | Directory Svcs

Universal RA (URA) OCSP Timestamp ARM

Exchange, SPS, : CerifyID MS CA Web Services API (C#,C++) BizTalk,

- SOAP/XML Layer - Enterprise SOA integration Windows - Default interface for URA, ARM etc.

MMS, ISA

SQL Server Visual Studio .NET

Single Sign-On

Server
WMI Kerberos SmartCard PKI VPN

SMS 2003, MOM

.Net Framework MSMQ

Active Dicrectory RAS

Windows Media Services Other Apps Transaction Service Distributed File Service IIS APS .NET

ESB - SOA RMS

Windows Kernel
CA

Common Mgmt Infra

Consistent Interfaces

Guardian CA Disaster Recovery /BC

The World Internet Security Company

Trust Service MS CA Web Svc API Guardian CRL | Directory Svcs

Universal RA (URA) OCSP Timestamp ARM

Guardian (C++) :

Exchange, SPS, BizTalk, MMS, ISA SQL Server

SMS 2003, MOM

.Net Framework

Active Dicrectory

WMI Kerberos SmartCard PKI VPN

- Certificate Service Exit Module MSMQ RAS - Saves all certificates, status, history to MS SQL DB - Disaster recovery from MS SQL DB to MS SQL DB
Windows Media Services Distributed File Service RMS IIS APS .NET

Transaction Service

Recovery console

Windows Kernel
CA
Consistent Interfaces

Common Mgmt Infra

MS SQL DB

Single Sign-On

Visual Studio .NET

Guardian XM provides professional grade database redundancy and data persistency services for Certification Authorities on the Microsoft Windows Windows Server Server platform.

CRL Manager
The World Internet Security Company

Trust Service MS CA Web Svc API Guardian CRL | Directory Svcs

Universal RA (URA) OCSP Timestamp ARM

CRL Manager (C#) :

Exchange, SPS, BizTalk, MMS, ISA SQL Server Visual Studio .NET
Single Sign-On

Reliably publish and monitor certficate revocation lists.

SMS 2003, MOM

Windows Server - Monitor and replicate revocation information - Detect fault conditions and alert operators Dicrectory .Net Framework Active
MSMQ Windows Media Services Distributed File Service RMS RAS Transaction Service IIS APS .NET

WMI Kerberos SmartCard PKI VPN

CRL Manager (Ext. Monitor)

Windows Kernel
CA
Common Mgmt Infra

Public Web CRL Manager Consistent Interfaces (Replicate/Int. Monitor)

OCSP Server
The World Internet Security Company

Trust Service MS CA Web Svc API Guardian CRL | Directory Svcs

Universal RA (URA) OCSP Timestamp ARM

OCSP Server (C/C++): Provides real time validation of certificates. Can interface directly with the Certificate Services DB, or via Guardian SQL DB for more efficient performance. Supports pre-built responses and distributed OCSP for large scale scenarios. - IETF RFC 2560 compliant - use CRLs, or provides real time responses - Pre-built responses for distributed OCSP, using SQL 2005 DB replication - Integrated with IIS ISAPI extension

Clients

CA

OCSP

OCSP DB

Directory Service / Publishing

The World Internet Security Company

Trust Service MS CA Web Svc API Guardian CRL | Directory Svcs

Universal RA (URA) OCSP Timestamp ARM

Exchange, SPS, BizTalk, MMS, Directory Server (ADAM) / Certificate Publisher (C++/C# ) : SQL Server

ISA

SMS 2003, MOM

.Net Framework

Active Dicrectory

WMI

- Publish to WISeKey Global Directory Service (GDS) for universal accessibility MSMQ RAS Kerberos - Reliably publish certificates to local and/or external Directory instances - Multi-master replication and directory scaling Windows Media Services Transaction Service SmartCard - Optionally remove revoked and/or expired certificates Directory Srv - Schema conformance to ISI-MTT, Federal Govt, Distributed File Service IIS PKI (ADAM) and others on demand
RMS APS .NET VPN

Windows Kernel
Common Mgmt Infra

CA

Consistent Interfaces

CID Services Publisher Module

Single Sign-On

Visual Studio .NET

Provides a highly available and reliable directory service (LDAP), with flexible certificate publishing whose schema can conform to be compliant the ISIS-MTT PKI management specification, and other governmentWindows Server specifications.

URA
The World Internet Security Company

Trust Service MS CA Web Svc API Guardian CRL | Directory Svcs

Universal RA (URA) OCSP Timestamp ARM

Universal Registration Authority (C++/C# ) : Provides a registration authority interface and certificate lifecycle manager that interfaces with multiple load balanced CAs in the backend, designed for scalability to millions of users and certificates. ASP .Net application that is network load balanced across several servers using MS SQL 2005 as data store. Configuration data, user account, authentication, templates, certificates, requests etc. are stored in SQL 2005 database. Authentication can be done against LDAP. Used in CertifyID Trust Center Managed PKI services, and with Stand-alone CAs at customer sites. Clients

CA

URA Web

URA DB

CertifyID Black Box Enterprise Offering

The World Internet Security Company

The CertifyID Blackbox offers a complete and affordable out-of-the-box solution for establishing a Trusted Identity Infrastructure dedicated to your organization.

35

Partners
The World Internet Security Company

Athena SCS Aladdin Gemalto HP IBM idQuantique MCI Microsoft NCP NDS Novell OASIS Omnikey Precise Biometrics SafeNet Secure Video Processor Alliance

Agenda
The World Internet Security Company

On Wisekey PKI today: - challenges - PKI & PKO - DNI-e Mass deployments tools: - Wisekey CertfyID Blackbox Wisekey references Conclusions

References
The World Internet Security Company

Executive Summary
To move to a secure, interoperable web based system that enforces mandatory strong authentication access control and encryption of information and data.

Business Challenge
Customization of CPS and policy sets, lightly to meet client needs. Reviewing the entire certificate lifecycle, system design, auditability, security in conjunction with KPMG as a trusted neutral party. Hosting of a custom portal solution based on the WISeKey Universal Registration Authority.

Value Delivered & Benefit for the client

Delivered a neutral Swiss Trust Root PKI system, specific custom development, application and PKI hosting, for the certificate issuance and management of certificates that protect the clients information systems end-to-end, which include sensitive financial and consumer data. Support of a Swiss based company compliant with strict the Swiss Banking regulation on outsourcing. The client was able to incorporate a highly secure logical access control system protecting sensitive business information on time and on budget.

Finance
Organisation of cooperating Financial Institutions.
Switzerland

References
The World Internet Security Company

Executive Summary
The financial sector of this retail company needed to use digital certificates for their internal financial system and for email exchange.

Business Challenge
Implementation of a dedicated CA for our client, for the usage of certificates within their financial system, defined the type of certificates to be issued.

Value Delivered & Benefit for the client

Dedicated CA managed by WISeKey staff and client certificates issued by WISeKey staff

Customization of CPS and policy sets, lightly to meet client needs.

Reviewing the entire certificate lifecycle, system design. Hosting of the CA

Retail
Privately-held, international, low-cost home products retailer
Switzerland, Sweden and Belgium

Benefit
Greater data confidentiality No technical knowledge for the client No cost for technical maintenance Low cost

References
The World Internet Security Company

Executive Summary
The Client PKI is designed to ensure secure communications and system access to protect confidential information between departments within the organizations and most importantly from external parties.

Business Challenge
Implementation of the core infrastructure used to protect the Clients systems and data. This core infrastructure is based on WISeKeys CertifyID Solution and Trust Infrastructure. Customization of operational procedures; technical design, implementation; legal documents and agreements; and service operation.

Value Delivered & Benefit for the client

Project Management. Implementation of Client PKI, legal, technical, security and operational infrastructure. Legal consulting including organization structure, production certificate practice statement, certificate policies, and end user agreements. The customer can safely rely on WISeKey expertise and experience to provide the delivery of a world class certification service that ensures the security, and availability of its core PKI infrastructure that is essential to the safety and security of its internal community and collaborators.

International Organization
IO dedicated to pursuing justice and prosecuting international crimes that fall within their mandate, namely genocide, war crimes, and crimes against humanity.

The Client chose WISeKeys CertifyID Solution as the basis of their PKI, because of its Trust Framework, its tight integration with the Microsoft Windows Platform and the essential enhancing elements that it adds to Windows Certificate Services.

References
The World Internet Security Company

Executive Summary
The DVB Multimedia Home Platform (MHP) is the software interface between interactive digital TV applications and the terminals on which those applications execute. Such terminals are typically set-topboxes or integrated digital TVs, both of which are also known as MHP receivers, platforms, hosts or clients. The DVB Project Office chose WISeKey to design, implement, host and manage the Public Key Infrastructure that is used to secure MHP applications. WISeKey is the designated Certificate Services Provider and Operator for the DVB MHP PKI.

Business Challenge
Multimedia Home Platform is the open standard platform for interactive TV and multimedia services. MHP is based on Internet and web standards, so it offers compatibility and convergence between TV and the Internet. DVB thus needed to implement a MHP security mechanism that defines the security requirements for the consumer, the service provider and the broadcaster, using a security mechanism that provides confidentiality, integrity, availability, privacy and nonreputability.

Value Delivered & Benefit for the client

WISeKey implemented the core infrastructure that is used to protect the MHP security mechanism and thus implement the security for the consumer, the service provider and the broadcaster. This core infrastructure is the DVB MHP Public Key Infrastructure, including the operational procedures; technical design, implementation; legal documents and agreements; and service operation.

DVB
The Digital Video Broadcasting - DVB Industry consortium dedicated to authoring international DTV standards.
Switzerland

Project Management.
Implementation of DVB MHP PKI, legal, technical, security and operational infrastructure. Provide DVB MHP Operator functions and services. Legal consulting including organization structure, production certificate practice statement, certificate policies, and end user agreements. Outsourced service operation.

References
The World Internet Security Company

Executive Summary
SVP is an open technology specification for protecting digital video content. Applying the SVP specification to any standard video processor turns it into an SVP-compliant video processor that can protect digital content end-to-end.

Business Challenge
The SVP Alliance Licensing Authority chose WISeKey securely host Trusted SVP Roots that are at the heart of the SVP Security Infrastructure, based on a WISeKey designed secure SVP Root software and hardware security platform.

Value Delivered & Benefit for the client

Solution delivers an extremely low total cost of ownership for the client, and also provides extremely increased security via the Hardware Security Module, and use of key shares for role segregation. The advantages of using WISeKey professional services: Leverage on expertise of PKI leaders Lower total cost of ownership Less effort for planning and design Much more cost effective for a small enterprise; the business with the external partner can be extended as need for crypto-enabled applications grows Requires less in-house expertise Leverage liability rules, policies and procedures of WISeKey Can be operational in a short period of time using the WISeKey Key Step deployment approach

SVP
The Secure Video Processor Alliance is a group of media and technology leaders promoting the broad adoption of SVP content protection technology in digital home networks and portable devices.
USA

To move to a secure, interoperable web based system that enforces mandatory strong authentication access control and encryption of information and data.

References
The World Internet Security Company

Executive Summary
The Client wanted to implement an extranet portal communication system, featuring knowledge bases, electronic mail and correspondence tools to provide better service and support to their partners, including their very important dealer community.

Business Challenge
Because of the sensitive nature of the information stored on the portal, the client needed to implement a highly secure access solution, and after extensive analysis decided to use Digital Certificates and secure devices provided by a highly trusted provider. The Client chose WISeKey to provide and host a managed dedicated Public Key Infrastructure to provide digital identity services for their extranet portal, with strict confidentiality and quality of service requirements.

Value Delivered & Benefit for the client

As part of the project WISeKey delivered a turnkey system for the certificate issuance and management, integrating custom CA development with the Clients backend systems.

Industry
Leading Swiss Watch Maker.
Switzerland

Exists a Development, Quality and Production environment. WISeKey maintains a Quality MPKI CA for testing and the Production MPKI CA.
Access is controlled via two-factor authentication control; (certificate based SSL client authentication and a password).

References
The World Internet Security Company

Executive Summary
The canton of Geneva was chosen by the Confederation for a pilot experiment of vote by Internet, from the point of view of its introduction at the national level, by way of additional possibility to vote, to current methods, votes by correspondence and polling station. During its official introduction, voting by Internet will have to guarantee a similar safety even higher than these two modes of poll.

Business Challenge
WISeKey has taken part in the concept drafting. WISeKey has taken care of the of the system security, the server side development, the physical architecture, the installation and of the solution presentation and promotion.

Value Delivered & Benefit for the client

The system was developed and subjected to thorough testing and controlled hacking by the University of Geneva and CERN. It underwent significant load testing, and was utilized by over 20,000 voters over the course of several alpha an beta tests. Since its outset the e-Voting system has been subjected to various tests and security reviews, to collect the observations of the users under the angle of userfriendliness, the facility and the safety of the system. Various trials were run throughout the pilot project, including a test involving over 20,000 students across the SWISS educational system, generating enthusiasm and constructive feedback from the voters of tomorrow.

State of Geneva
e-VOTING INITIATIVE
Switzerland

References
The World Internet Security Company

Executive Summary
Gemini Observatory needed to increase their network, systems and communication security.

Business Challenge
Assisting the Gemini technical administrator to implement the BB and configuring the PKI infrastructure.

Value Delivered & Benefit for the client

Fast PKI implementation Greater data confidentiality Ease of use

Gemini Observatory
Gemini is an international partnership managed by the Association of Universities for Research in Astronomy under a cooperative agreement with the National Science Foundation.
USA - Hawaii

Agenda
The World Internet Security Company

On Wisekey PKI today: - challenges - PKI & PKO - DNI-e Mass deployments tools: - Wisekey CertfyID Blackbox Wisekey references Conclusions

Conclusions
The World Internet Security Company

Both PKO and classical PKI solutions will become prevalent in our communications and computing infrastructures Tools such as Wisekey CertifyID Blackbox will contribute to this deployment by offering economical and easy-to-integrate PKI based solutions Whats next? Watch out for quantum computing schemes! And very interested in learning from advances at forums such as this Conference!!

The World Internet Security Company

WISeKey S.A. WISeKey S.A - World Trade Center II - 29, route de Pr-Bois CP 885 1215 Geneva, Switzerland Tel: +41 22 594 30 00

WISeKey ELA S.L.

Avda. Txorierri,9, 48160 Derio & P Castellana 135, 28046 Madrid Tel: +34 944 545 071 & +34 917 906 868 e-mail: [email protected] - www.wisekey.com