CONTENT-BASED INFORMATION SECURITY

CBIS

PUBLIC KEY ENABLING (PKE)


Agenda

  • The Threat

  • The Answer

  • What is PKI

  • What is PKE

  • PKE Services

  • Who Needs PKE Services

  • What can be PK Enabled

  • When do you PK Enable an Application

  • Why Implement PKE

  • Where can I find more PKE Information

  • How do you PK Enable an Application

  • Cost of PK Enabling an Application

  • ROI for PK Enabling

  • Conclusion


The Threat

Analysis By Incident

2001 Economic Impact of Malicious Code Attacks

| Year | Code Name   | Worldwide Economic Impact ($ U.S.) | Cyber Attack Index |
|------|-------------|------------------------------------|--------------------|
| 2001 | Nimda       | $635 Million                       | 0.73               |
| 2001 | Code Red(s) | $2.62 Billion                      | 2.99               |
| 2001 | SirCam      | $1.15 Billion                      | 1.31               |
| 2000 | Love Bug    | $8.75 Billion                      | 10.00              |
| 1999 | Melissa     | $1.10 Billion                      | 1.26               |
| 1999 | Explorer    | $1.02 Billion                      | 1.17               |

Source: Computer Security Institute/FBI Computer Intrusion Squad, Washington; survey of 538 IT security professionals

Michael Erbschloe, vice president of research at Computer Economics and author of Information Warfare: How to Survive Cyber Attacks.

359,000 servers in less than 14 hours

The Spread of the Code-Red Worm (CRv2) An analysis by David Moore (dmoore@caida.org) on the spread of the Code-Red (CRv2) Worm.


The Answer

Public Key Infrastructure (PKI)

  • Non-Repudiation

  • Authentication

  • Integrity

  • Confidentiality

  • Encryption

  • Digital Signature

  • Audit trail

  • Security in Depth

  • Key Escrow

  • Validation

  • High & Medium Assurance

  • Code Signing

CAPABILITIES

Public Key Enabling (PKE)

Source: CSI/FBI Computer Crime and Security Survey, 1998-2001


What is PKI ?

Car without Wheels

  • PKI is the framework and services that provide the following:

    • Digital Key Generation

    • Digital Key Distribution

    • Digital Key Revocation

    • Digital Key archiving

    • Digital Key tracking

    • Digital Key Destruction

    • Digital Key Certificate policy

Plane without an Engine

Public Key Infrastructure Roadmap for the Department of Defense, 29 October 1999 Version 3.0

FACILITIES

PROCEDURES

Looks Good But!

POLICY

PEOPLE

House without Furniture

CERTIFICATE MANAGEMENT


What is PKE ?

  • Public Key Infrastructure (PKI) alone is not sufficient to meet DoD mission requirements

  • A Public Key Enabled application, Server or Network is one that can accept and process a DoD X.509 certificate to support one or more specific functions:

    • Digital Signature

    • Data Encryption

    • User Authentication

    • Data Integrity

    • Non-Repudiation

FIT FORM FUNCTIONALITY


PKE Services

[Figure: Alice sends Bob the message "Dear Bob, Please use PKI next time. Love, Alice", shown both in readable form and as scrambled text addressed "TO: BOB".]

  • Authentication: Ascertaining that an entity is who or what he/she/it claims to be

  • Access control: Authorization determining what resources an authenticated identity can access and what actions he/she/it can perform

  • Data confidentiality: Preventing data interception by using encryption

  • Data integrity: Ensuring that the information has not been changed or tampered with in any way

  • Non-repudiation: Ensuring that authenticated identities cannot deny performing actions that he/she/it performed


Who Needs PKE Services ?

  • Application Developers and Analysts

  • Web Masters

  • Systems Administrators

  • Security Managers

  • Commanders

  • Senior Staff

  • Crisis Action Teams

  • Network Managers

  • Systems integrators

  • Application program Managers

  • End users of

    • Command and Control applications

    • Sensitive applications

    • Financial or high dollar applications

    • Sensitive or privacy information


What can be PK Enabled ?

| Requirement                                  | What do You Need                      |
|----------------------------------------------|---------------------------------------|
| Encrypt web traffic over the Internet        | 128-Bit web browser                   |
| Sign and encrypt electronic mail             | S/MIME compatible email client        |
| Authenticate users for access management     | PKE client tool (such as web browser) |
| Digitally sign documents for non-repudiation | PKE signature client tool             |
| Manage network access                        | PKE network                           |
| Virtual Private Network (VPN)                | PKE firewall or VPN tool              |


When do you PK Enable an Application?

  • All DoD unclassified networks that authenticate users

  • Unclassified DoD networks hosting Mission Category I systems

  • All unclassified private DoD Web Servers

  • E-mail in all operating environments

  • Web applications in unclassified environments

  • Legacy, Mission Category I applications that use or require the use of public key cryptography shall be PK enabled to interoperate with the DoD PKI.

  • Sensitive unclassified systems handling high value (both dollar and mission value)

  • Applications processing classified information in a high-risk environment (over an unprotected network)


Why Implement PKE ?

Promotes the electronic delivery of services

Risk Management

New Technology

43 countries have Digital Certificate laws

Online banking

  • Authentication

  • Access control

  • Data confidentiality

  • Data integrity

  • Non-repudiation

  • Digital Encryption

  • Digital Signature

Verify identity of customer

  • Online payment of bills

DoD Mandate

Ease of use

Espionage

Sign online transactions

E-Signing law

Increase Security

NATO & Coalition Partners

Federal and State

Interoperability

Cost Reduction

Risk Avoidance

Secure infrastructure

Legally binding mechanism

Privacy


Where can I find more PKE Information?

https://afpki.lackland.af.mil/

https://www.noc.usmc.mil/secure/PKI/default.htm

U.S. Department of Health and Human Services

https://warlord.spawar.navy.mil/PKI/

http://aspe.os.dhhs.gov/admnsimp/

Defense Information Systems Agency

http://www.c3i.osd.mil/org/sio/ia/pki/index.html

http://iase.disa.mil/

http://web.mit.edu/network/ietf/sa/

http://eca.orc.com/

http://jitc.fhu.disa.mil/pki/index.html

http://www.defenselink.mil/acq/ebusiness/projects/proj_pki.htm

http://www.verisign.com/

https://itac.lackland.af.mil/product.asp?prod=58

http://csrc.nist.gov/encryption/kms/

http://www.digsigtrust.com/


How do you PK Enable an Application?

[Diagram labels: PKI-Aware Applications; Legacy Applications; New PKI-Enabled Applications; Plug-Ins; Shims; Native APIs (OS- or Product-Specific)]

PK Enabling Implementations

  • Single sign on

  • Wireless applications

  • Virtual private networks

  • Web authentication

  • Content management

  • Intrusion detection

  • Network management

  • Secure e-mail (S/MIME)

  • Database Access Control

There are many approaches to PKI enabling an application; which one is best?

  • Direct modification of application

  • Middleware

    • Web-based front end

    • Proxy type application

  • Encapsulation

    • VPN

    • IPSec

  • Best practices

  • Requirements Analysis

  • Mission Linkage

  • Cost Analysis

  • Risk Analysis

  • Pilot Testing

  • Program Evaluation

  • Implementation

  • Re-Evaluation


Cost of PK Enabling an Application?

The first step in Public Key Enabling an application is to perform a requirements assessment. Generally, this involves understanding exactly what functions the application is required to accomplish.

  • The principal factors that must be considered when cost estimating the PK Enabling of an application are as follows:

  • The present Architecture of the system

  • Method of PK Enabling

  • Hardware

  • Software

  • Training

  • Manpower

  • Travel

  • Testing

Balancing act over time

Compliance

Risk

Costs

Process Improvement

Return on Investment

ROI

Total Cost of Investment

TCO


ROI for PK Enabling?

Option-Based Pricing

  • Treats the outcome of investing one stage/phase of a project as a pre-requisite for the next

  • Valuation is more complex

  • Useful for justifying pilot projects

ROI Factors

  • Compliance with Policy

  • Risk Reduction

  • Process improvements

  • Overall Cost reduction

  • Fewer errors, less downtime and lost productivity

Pay-Back Analysis

  • Looks at the time required to recoup investment (also called breakeven time)

  • Helps to quantify risk exposure

  • Undercounts upside project benefits

  • 6-9 month payback is a good rule of thumb

Purchase Justification: Calculations

  • TCO = Total Costs of Ownership

  • NPV = PV (Benefits) – PV (Costs)

  • Payback Time = T where Σ(Benefits)_t = Σ(Costs)_t

  • ROI = (Benefits - Costs) / Costs

  • ROO = (Benefits to Business Growth - Costs) / Costs

Different Methodologies

Different Factors

Different Cost basis


Conclusion

Benefits of PKI/PKE

  • Stronger authentication than userid/password

  • Easier management and administration of devices

  • Investment in secure infrastructure can be leveraged for additional applications

  • Reduced risk of data loss / theft

  • Privacy and integrity of data

  • Authentication of user

  • User accountability to data

  • Centralized control of trust policies and parameters

  • Provable chain of evidence as to the authenticity of documents

  • Authorization to access documents based on user authentication

Call us

(210) 925-2562, DSN Prefix 945

Visit us on the Web

https://afpki.lackland.af.mil/

Fax us

(210) 925-2641/2644, DSN Prefix 945

Visit us

4241 E. Piedras Dr., Suite 210, San Antonio, TX

Write us

4241 E. Piedras Dr., Suite 210, San Antonio, TX