47371ddbfe10098bbbe8bb4a6cd0f359.ppt
- Number of slides: 27
Sentry: A Scalable Solution • Margie Cashwell • Senior Sales Engineer • mcashwell@xcert.com • Sept 2000
Overview
• State of Digital Mobile Telephony
• Examples of Wireless Applications
• PKI Architecture
• Scalability
• Extensibility
• Scalable Solutions
• Sample Architectures
State of Digital Mobile Telephony
• Global System for Mobile Communications (GSM) has over 215 million subscribers
• GSM alone has more subscribers than the Internet has users (210 million)
• Paradigm shift in mobile telephony: 3G
  – Sprint 1st cellular provider to offer service in US
Examples of Wireless Applications
• Top three uses of Internet-enabled mobile phones:
  – Travel-related uses
  – Online banking
  – Email
• Wireless scale = Internet scale x 100 = Enterprise scale x 1,000
PKI Architecture
• Requirements:
  – Multi-functional
  – Extensible
  – Support mass-market network devices embedded in:
    • mobile phones
    • pagers
    • PDAs
    • “smart phones”
Extensibility
• Ratio of device size to certificate size
• X.509 certificate format too complex
• Elliptic curve keys in certificates
• WTLS certificate format
• Ability to support new certificate formats
Proven Scalable Solutions
• 8 million certificates on a single server
• Individual and batch certificate issuance and revocation
• Remote publishing of user certificates
• Locating and retrieving user certificates
• Concurrent signing operations
• Concurrent real-time online certificate status checking
Xcert Sample Architecture
Trust Model with External CAs
WebSentry
Sentry Product Suite
Unique ‘rapid deploy’ PKI platform for Internet and e-commerce applications that scales to a million users and manages security for corporations that use the Internet to conduct business
Sentry Product Suite
• Sentry CA - Issue & manage certificates
• Sentry RA - Provide remote enrollment
• WebSentry - PKI enable your servers
• Xcert Development Kit - PKI enable your apps
• Professional Services & Training - Achieving ROI
• Support - Reliable customer service
Xcert PKI Overview
• Internet based
• Customizable
• Simple
• Scalable
• Lightweight
• Secure
• Remote user enrollment
• Non-proprietary
• Minimizes enrollment bottlenecks
• Industrial strength CA
• Issues certificates
• Manages Access Control Lists
• Supports PKI enabled applications
• PKI enables the application service
• User authorization
• Non-repudiation of transactions (digital signatures)
Sentry CA Specifications
• Platforms – NT & Solaris
• Certificates & CRLs – X.509 v3 (all standard extensions)
• Application Support – Web, Email, VPN, ERP, SSO, Document security
• Directories – LDAP, X.500
• Protocols – HTTP, SSL, LDAP, SMTP, PKCS
• Crypto – DSA, RSA, ECC
• Crypto Hardware – All PKCS #11
• High Assurance – FIPS 140 level 3 hardware; real-time revocation
Sentry CA Architecture
Basic Components:
• Directory Server
• Signing Engine
• Administration Server
• Enrollment Server
• Logging Server
Sentry CA Architecture
Add-on Components:
• Publishing Backend
• Alternate SQL data stores
Sentry CA Features
Certificate lifecycle management
• Enrollment
  – Interfaces
• Vetting
  – Notification
  – Examination
  – Auto vetting
• Extensions
  – Profiles
• Storage
  – Interfaces
• Suspension & revocation
  – Status checking
• Renewal
Sentry CA Features
CA lifecycle management
• Creating CAs
• Managing CAs
  – User maintenance
• CA security & practices
• Exporting CAs
• Importing CAs
• Cloning
• Subordination
• CRLs
• External CAs
External CAs
Sentry CA Features
System administration
– Work benches
– ACL management
  • Admin, vettors, end users
– Logging
– Backing up
– Upgrading
Extending the back-end
– Publishing
– Data stores
Sentry RA
• Industrial strength enrollment solution
  – Accepts certificate requests
  – Verifies credentials
  – Supports CA signing process
  – Revokes certificates
• Streamlined configuration
  – auto notification
  – auto enrollment
  – auto renewal
  – application-specific profiles
• Distributed component / stand-alone server
• Offloads enrollment bottlenecks from CA
• Flexible scalability
Sentry RA
WebSentry
• High assurance PKI for web servers
  – Plugs into standard web servers
  – User authorization
  – Controls access to web pages
  – Queries Sentry CA
    • certificate status
    • ACL rules
• Zero tolerance security
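The deck lists the certificate lifecycle a Sentry CA manages (enrollment, vetting, suspension and revocation, status checking, renewal) and says that WebSentry decides whether to serve a page by querying the CA for certificate status and ACL rules. The following is an added example, not Xcert or Sentry code: an in-memory model of that lifecycle and of the status-gated access decision. The state machine (suspension reversible, revocation terminal, expiry computed at query time, renewal only from a good or expired certificate), the zero-tolerance rule (deny on anything other than a live "good" answer), and all serials, subjects, URL globs, ACL entries and the day-counter clock are assumptions constructed for the example.

```python
"""Certificate lifecycle and a status-gated web ACL decision.

Added example, not Xcert/Sentry code: an in-memory model of the lifecycle the
Sentry CA slides list (enrollment, vetting, suspension and revocation, status
checking, renewal) plus the two checks a WebSentry-style plug-in makes before
serving a page. Serials, subjects, paths, rules and the day counter are constructed.
"""
from dataclasses import dataclass
from enum import Enum
import fnmatch


class Status(Enum):
    PENDING = "pending"      # request received, not yet vetted
    GOOD = "good"            # issued and currently usable
    SUSPENDED = "suspended"  # temporary hold, can be reinstated
    REVOKED = "revoked"      # permanent, never reinstated or renewed
    EXPIRED = "expired"      # past not_after, may be renewed
    UNKNOWN = "unknown"      # serial not issued by this CA


@dataclass
class Certificate:
    serial: int
    subject: str
    not_after: int           # last day on which the certificate is valid
    status: Status = Status.PENDING


class CertificateAuthority:
    """Minimal CA: issues, suspends, revokes, renews and answers status queries."""
    def __init__(self, validity_days=365):
        self.validity_days = validity_days
        self.today = 0       # constructed day counter standing in for the wall clock
        self.certs = {}
        self._next_serial = 1

    def enroll(self, subject):
        """Accept a request; it stays PENDING until a vettor approves it."""
        serial, self._next_serial = self._next_serial, self._next_serial + 1
        self.certs[serial] = Certificate(serial, subject, self.today + self.validity_days)
        return serial

    def vet(self, serial, approved):
        cert = self.certs[serial]
        if cert.status is not Status.PENDING:
            raise ValueError("only pending requests can be vetted")
        if approved:
            cert.status = Status.GOOD
        else:
            del self.certs[serial]  # a rejected request never becomes a certificate

    def suspend(self, serial):
        self._transition(serial, {Status.GOOD}, Status.SUSPENDED)

    def reinstate(self, serial):
        self._transition(serial, {Status.SUSPENDED}, Status.GOOD)

    def revoke(self, serial):
        # Terminal: reachable from GOOD or SUSPENDED, never undone.
        self._transition(serial, {Status.GOOD, Status.SUSPENDED}, Status.REVOKED)

    def renew(self, serial):
        """Issue a fresh certificate for the same, already vetted, subject."""
        if self.status(serial) not in (Status.GOOD, Status.EXPIRED):
            raise ValueError("only good or expired certificates can be renewed")
        new_serial = self.enroll(self.certs[serial].subject)
        self.certs[new_serial].status = Status.GOOD
        return new_serial

    def status(self, serial):
        """Real-time status query; expiry is computed from the clock, not stored."""
        cert = self.certs.get(serial)
        if cert is None:
            return Status.UNKNOWN
        if cert.status is Status.GOOD and self.today > cert.not_after:
            return Status.EXPIRED
        return cert.status

    def _transition(self, serial, allowed_from, to):
        cert = self.certs[serial]
        if cert.status not in allowed_from:
            raise ValueError(f"cannot move {cert.status.value} -> {to.value}")
        cert.status = to


# Constructed ACL: URL glob -> subjects allowed ("*" means any good certificate).
ACL = {"/finance/*": {"CN=alice", "CN=bob"}, "/public/*": {"*"}}


def authorize(ca, serial, subject, path, acl=ACL):
    """Zero-tolerance decision: deny unless the CA reports GOOD right now, the
    presented subject matches the CA's record, and an ACL rule grants the path."""
    if ca.status(serial) is not Status.GOOD:
        return False
    if ca.certs[serial].subject != subject:
        return False
    return any(fnmatch.fnmatch(path, pattern) and ("*" in allowed or subject in allowed)
               for pattern, allowed in acl.items())
```

The point to notice in `authorize` is the order of the checks: the live status query comes first, so a suspended, revoked, expired or unknown certificate is refused before any ACL rule is consulted, which is what a "zero tolerance" policy means in practice. Expiry is derived from the clock at query time rather than stored, so a status check can never return a stale "good" for a certificate whose validity has lapsed.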
Wrap Up
• Wireless devices are a large part of the future.
• The best way to bring these devices into the network in a secure fashion is with certificates.
• We expect to see significant PKI and WAP development over the next 18 months.