Public-Key Infrastructures
Mary Horrigan
A quick outline (a.k.a. Bank of Nova Scotia or BNS)
• Established in 1832 in Halifax, Nova Scotia; now based in Toronto
• Profitable, with sound Balance Sheet
• Operations in over 50 countries
• Largest Bank in the Caribbean, extensive Latin America Network
• Large syndication lender in the US (top 10)
• Recently acquired National Trust and Mocatta Bullion (326 years old)
• Scotiabank is “Strength, Integrity, Service”
Scotiabank in Asia
• Japan (2 Branches)
• China
• Hong Kong
• Singapore
• Bangladesh
• India
• Indonesia
• Malaysia
• The Philippines
• Republic of Korea
• Sri Lanka
• Taiwan
• Vietnam
Service and Technology at SCOTIABANK
• Alternate Delivery Channels
• ABMs and Point-of-Sale
• Wireless Devices
• TeleScotia - Telephone Banking
• Internet - ScotiaOnline
• Customer Service/Call Centers
• Smart Cards - VISA Cash and Mondex
• Scotiabank is “pioneering” the use of PKI’s/digital certificates/CA’s to secure Internet-based business
• This technology is viewed as essential for safe and efficient e-business/commerce
• Partnered with Entrust Tech., HP, IBM, ICL, etc.
• Implemented two PKI’s in 1997 + a test PKI
• Scotia Online Security, an idea to reality in 7 months
• Customer acceptance exceeding our expectations
• Real-World experience of operations.
• Management of Risk
• Demonstration of Scotia OnLine
• Requirements & Potential Threats
• Scotiabank’s PKI’s
• Scotiabank’s Decisions and Acquisition
• Critical Success Factors
• The “Trust Model”
• Real World Operational Experience
Electronic & Internet based Commerce: Scotiabank’s Management of Risk
• What Scotiabank didn’t want to do:
– Offer disparate, stand-alone on-line services
– Offer dial-up services
– Force customers into a Branch to enroll
– Send/mail digital Certificates to customers
– Require our customers to decide the risk they wanted to take through the Browser they chose to use
– Validate passwords at the centralized servers/mainframes
– Rely on Certificates issued by a third party
Electronic & Internet based Commerce: Scotiabank’s Management of Risk
• What Scotiabank wanted to do:
– Offer an internet-based service, with state-of-the-art security to open standards
– Provide a “best-of-breed” information security solution that will be the platform for the future
– Partner with a reputable leader whose core competency is information security
– Automatic enrollment and Certificate issuance
– Have minimal intrusion on the customer’s PC
– Have an exportable solution
Electronic & Internet based Commerce: Scotiabank’s Management of Risk
• What Scotiabank wanted to do:
– Offer services that “look and feel” alike
– Provide Single sign-on and ease of navigation
– Use customer controlled Passwords or pass-Phrases
– Issue Scotiabank Certificates, that can be trusted
– Use multiple and unique “anonymous” Certificates
– Reduce risks of:
  • web-site spoofing
  • identity theft
  • session hijacking, and
  • insider attacks
Electronic & Internet based Commerce: Scotiabank’s Management of Risk
• What Scotiabank wanted to do:
PUT AN ARMOURED CAR ON THE INTERNET
- maintain our brand identity
- build on our position of trust
- differentiate ourselves in the market place
WHAT ARE THE BUSINESS REQUIREMENTS?
• privacy/confidentiality
• integrity
• authentication
• non-repudiation
• access control
• availability/continuity
Existing Customer Initialization
• Contact the bank through 1-800-4-Scotia
• Authentication by customer service rep.
• Acquire a shared secret/temporary password from an IVR process
• Go online to the Internet
• Download and install Bank’s software
• Establish personal password/pass-phrase (certificates are created and exchanged automatically and transparently)
• Access the service
POTENTIAL THREATS
Loss of confidentiality of information or privacy of customer information
Unauthorized changes, duplication or deletion of information/transactions
Malicious acts
Human error
Masquerading/spoofing
Denial of service
POTENTIAL THREATS
Which have changed since 1832?
• Loss of confidentiality of information or privacy of customer information
• unauthorized changes, duplication or deletions of information/transactions
• malicious acts
• human error
• masquerading/spoofing
• denial of service
…disintermediation
So what to Scotiabank is a Public Key Infrastructure?
Certification Authority… that provides:
– Certificate Repository/Directory
– Multiple Certificate types for different risks
– Certificate Revocation (Lists = CRLs)
– Automatic Key aging and update
– Key Back-up and Recovery
– Key Histories
So what to Scotiabank is a Public Key Infrastructure?
Certification Authority… that supports:
– Automated enrollment
– “Cross-certification” with other trusted CA’s
– Non-Repudiation
System that includes client side “software”… including the generation of “keys”
Public Key Infrastructure (PKI)
• Approval by Bank Executive in March 1997
• Two “production” infrastructures
• External - Customers
• Internal - Employees & other FIs
• Based on proven platform (hardware/software)
• Implemented within three months!
Public Key Infrastructure (PKI)
• Approval by Bank Executive in March 1997
• Licenses for Entrust products
• Scotiabank group worldwide
• Initial Priorities
• Internet Banking & Scotia Discount Brokerage
• Employee External Access
Public Key Infrastructure (PKI)
• Approved by Bank Executive September 1998
• Acquisition of all Entrust client-side software
• Desktop, Express, Unity, ICE etc.
• Acquisition of SET software and licenses
• Web and VPN connectors
• Open System that has adopted standard
• Endorsed by the Federal Government
• FIPS 140-1 certified
• Product suite…with more to come
• Being adopted by major IT companies
• Growing base of Entrust compatible products
• 15 years’ experience within NORTEL – cryptography is a core competency
Canadian Content…
Difficulties?
• Adequate, knowledgeable resources
• Immature supporting technologies at the client e.g. operating systems, browsers, ISPs
• General acceptance that this is a business decision not a technology decision
• The rotating
Critical Success Factors
• Executive commitment: not viewed as an ROI issue… rather a strategic investment
“The best way to predict the future… is to create it!”
Critical Success Factors
• Executive commitment
• Strong Champion
• Partnering
• Focus on business risk, policy matters… not technical issues
• Use of technology
• Implemented within existing organization
Segregation of Function
Platform Operations
Entrust Administration
Risk Evaluation
Security Quality Assurance
Info. Sec Governance
Information Security
Critical Success Factors
• Executive commitment
• Strong Champion
• Partnering
• Focus on business risk, policy matters… not technical issues
• Use of technology
• Implemented within existing organization
Strong highly motivated team
We had some fun
Commitment to…
Scotiabank’s Commitment to Policy, Standards & Best Practices
…Information Security Governance
Scotiabank’s Commitment to Policy, Standards & Best Practices
• Information Security Steering Committee
• Current Portfolio of Policy and Standards
• Certificate and Certification Practice Statement
Information Security Policy - first principle
“Enabling Technology
Secure information processing is an enabling technology that enhances the development of new products and services, and can support continuous improvements in the delivery of quality service.
As such, Scotiabank promotes sound security practices in conducting its business and in interacting with customers, achieving a balance between customer service needs and the interests of the bank and its shareholders”
So What is
It encompasses:
• Governance
• Availability/Reliability
• Accountability
• Risk Management
• User Registration/Authentication
• Approached Entrust December 17, 1996
• Submitted Business Case January 29, 1997
• Executive Approval March 13, 1997
• Commenced construction before April
• First Server delivered April 12, 1997
• “Entrust Direct” client delivered May 12, 1997
• Commissioned two PKI’s May 31, 1997
• Rebuild of client started June 17, 1997
• First live Internet transactions July 25, 1997
Where are we now?
• April 21, 1999 07:05hrs EST
90,026
Only Authentic Certificates & Keys: External infrastructure
[Pie chart. Categories: Password reactivation discard; Unregistered discard; Negative Acknowledgement discard; Free Licence Pool; Active Users. Values shown: 29.50%, 16.00%, 6.60%, 0.90%, 38.80%]
Only Authentic Certificates & Keys: Monthly Service Availability
[Chart: monthly service availability, Jan-98 to Mar-99, vertical axis 92 to 100. Series: Customer Registration; Customer Initialization; Sign On; Application; Average Overall; Average Overall Excluding Planned Outages]
Important to
• Overall annual availability = 99.66%
Important to
• Certificates Revoked = over 19,000
Recent Accomplishments
• Conversion to Entrust Manager REL. 4
– over 220,00 licenses
– largest in the World
• Release of direct 3.0 and MAC clients
• Continued testing of Desk-top suite, Unity, ICE etc.
• Installation of UAT PKI (#5)
• Approval of SET pilot (#6)
• Finalizing plans for remote hot stand-by
• Testing of Direct 4.0 client
Committed to:
• PKI as an enabling technology
• Being leaders in:
– PKI
– Governance
– Cross-certification
– e-commerce/e-business
• Canada and International operations
Working together in the “Real World”… developing business solutions… and succeeding!
What’s on our mind?
• Cost of Registration
• Reliance on Browsers
• Thinner clients and “light certs”
• People - limited understanding
• Cross-certification
• Directories
What’s on our mind?
• Portability/Roaming
– PDA’s
– Smart Cards
• Hardware
• Hot standby - remote
• Compromise Contingency Planning
• Conversion
• Security Quality Assurance
• Trust Model
What’s on our mind?
• Cross Certification
• Authentication and Registration
• Partnering
• Research
• Attribute Certificates
• Entrust
You have heard many messages...
• “Industrial Strength” enterprise-wide security based on a core competency
• Encryption
• Digital Signatures
• User Authentication
• “Real-World”
• Automated
You have heard many messages...
• “Industrial Strength” enterprise-wide security based on a core competency
• A platform for secure e-commerce/e-business
• Management of Risk
• Establishment of Trust
• Productivity/efficiency