PK-Enabling Toolkits



Presentation Transcript


  1. PK-Enabling Toolkits August 27, 2001

  2. CSOS Interfaces STATUS CHECKING ENROLLMENT Entrust Web Connector X.500 Directory Network Interface: LDAP v3 Port 389 PKI Interface: LDAP Request Network Interface: HTTP Port 80 PKI Interface: PKCS 10 Request PKCS 7 Response

  3. CSOS Client Operations • Signing (FIPS 186-2) • Signature Algorithm Support: DSA, RSA, ECC • Hash: SHA-1 • Verification • Validity Check (Is the certificate expired?) • Signature verification (SHA-1) • Certificate status check (LDAP) • Extension checks

  4. How does choosing the right toolkit affect your application? • Toolkits vary in the functionality that they support (transparent key rollover, PKCS 11 support, etc.) • Some toolkits have features that may be meaningful only with specific CA products (.epf) • Toolkits vary in which algorithms they support (RSA, Elliptic Curve, Diffie-Hellman, etc.) • Does the toolkit meet FIPS 140-1 certification?

  5. Issues • Are the toolkits standards-based? Interoperable with popular COTS PKIs? • Support for PKCS #7 and PKCS #10 (Cert. Request and Response) • Support for PKCS #11 (ability to store the certificate on a smart card), if desired • Certificate Store: how certificates and access to keys are managed

  6. Issues (Continued) • Are toolkits affected by certain web browsers? (IE vs. Netscape) • Platform Support • FIPS Web Site: http://csrc.nist.gov/cryptval/ • RSA Crypto-C (Cert # 163; 8/15/2001) • Microsoft CAPI Modules (Cert # 60, 68, 75, 103, 106, 110; 8/05/1999 to 08/15/2000) • Entrust Crypto Kernel (Cert # 130; 12/20/2000)

  7. Platform Support: Solaris, Linux, Win32, HP-UX, AIX

  8. RSA BSAFE Toolkit • RSA BSAFE provides a line of products to support PK-Enabling applications. • Supports PKCS #7, PKCS #10 and PKCS #11 • Multi-vendor support for Windows, Solaris, Linux, HP-UX, AIX • Support for all necessary algorithms • Customer support via Professional Services Division

  9. Microsoft Crypto API Toolkit • Microsoft’s Crypto API (CAPI) is a general-purpose software-based toolkit that provides a library of key cryptographic modules. • Provides the ability for developers to use key cryptographic functions without the need to understand PKI • Uses common APIs, transparent to applications, multi-product support (via multi-CSP support) • The CAPI SDK is freely downloadable at www.microsoft.com • No support is currently available for this toolkit

  10. Entrust Toolkit • The Entrust toolkit provides the ability to add digital signatures and encryption to applications. • Provides multi-CA support • No specific client is required to sign and validate a file • Support for PEM and PKIX standards • Freely downloadable at www.entrust.com • Support available for a nominal fee

  11. FIPS 140-1, -2 Validation • Standard is defined by National Institute of Standards and Technology (NIST) • Security Level 1: a cryptographic module is not required to employ authentication mechanisms to control access to the module. It will then be required that one or more roles be implicitly or explicitly selected by the operator • Security Level 2: a cryptographic module shall employ role-based authentication to control access to the module

  12. FIPS 140-1, -2 Validation • Security Levels 3 & 4: a cryptographic module shall employ identity-based authentication mechanisms to control access to the module • FIPS 140-1 testing ends May 25, 2002 • “After May 25, 2002, all previous validations against FIPS 140-1 WILL STILL BE RECOGNIZED.”

  13. Questions?
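As an added example that is not part of the presentation, the enrollment exchange of slide 2 (PKCS #10 request in, certificate out) and the client operations of slide 3 (signing, validity check, signature verification, status check, extension check) are carried out below against a constructed in-memory CA using only Go's standard library. Assumptions: SHA-256 replaces the slides' SHA-1 (Go's x509 package refuses SHA-1 certificate signatures), the PKCS #7 response is reduced to the bare issued certificate, and a constructed in-memory set of revoked serial numbers stands in for the LDAP status lookup, so nothing touches port 389 or port 80; the CA name, serial numbers and the signed message are all made up for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RevokedSerials is a constructed stand-in for the LDAP status check on slide 3.
type RevokedSerials map[string]bool

// NewCA builds a constructed self-signed issuing CA (not a real CSOS CA).
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CSOS CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Enroll is the slide 2 exchange: the client generates a key and a PKCS #10
// request; the CA checks the request's self-signature (proof of possession)
// and issues a signing certificate. The PKCS #7 response is reduced to the cert.
func Enroll(caCert *x509.Certificate, caKey *rsa.PrivateKey, cn string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	if err != nil {
		return nil, nil, err
	}
	// CA side: parse the PKCS #10 request and verify it before issuing.
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, nil, fmt.Errorf("PKCS #10 proof of possession failed: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Sign produces an RSA PKCS #1 v1.5 signature over SHA-256(msg).
func Sign(key *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// Verify runs the slide 3 client checks in order: validity period, certificate
// chain signature, status, key-usage extension, then the signature on the message.
func Verify(cert *x509.Certificate, roots *x509.CertPool, revoked RevokedSerials, msg, sig []byte, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("validity check: certificate expired or not yet valid")
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate signature verification: %w", err)
	}
	if revoked[cert.SerialNumber.String()] {
		return errors.New("status check: certificate revoked")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("extension check: keyUsage lacks digitalSignature")
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("unsupported public key type")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("message signature verification: %w", err)
	}
	return nil
}

func main() {
	caCert, caKey, _ := NewCA()
	leaf, leafKey, _ := Enroll(caCert, caKey, "alice (constructed)")
	msg := []byte("constructed sample order")
	sig, _ := Sign(leafKey, msg)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	fmt.Println("good:", Verify(leaf, roots, RevokedSerials{}, msg, sig, time.Now()))
	fmt.Println("revoked:", Verify(leaf, roots, RevokedSerials{leaf.SerialNumber.String(): true}, msg, sig, time.Now()))
	fmt.Println("expired:", Verify(leaf, roots, RevokedSerials{}, msg, sig, time.Now().Add(48*time.Hour)))
}
```

The checks are deliberately kept as separate, ordered steps with distinct error strings so a client can report which of the slide 3 checks failed; in a deployment the `RevokedSerials` lookup is where the LDAP query against the X.500 directory would go.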
