Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer mcashwell@xcert.com Sept 2000...

Post on 19-Dec-2015


Sentry: A Scalable Solution

Margie Cashwell, Senior Sales Engineer
mcashwell@xcert.com, Sept 2000

Overview

• State of Digital Mobile Telephony
• Examples of Wireless Applications
• PKI Architecture
• Scalability
• Extensibility
• Scalable Solutions
• Sample Architectures

State of Digital Mobile Telephony

• Global System for Mobile Communications (GSM) has over 215 million subscribers
• GSM alone has more subscribers than the Internet has users (210 million)
• Paradigm shift in mobile telephony: 3G; Sprint is the first cellular provider to offer service in the US

Examples of Wireless Applications

• Top three uses of Internet-enabled mobile phones:
  – Travel-related uses
  – Online banking
  – Email
• Wireless scale = Internet scale x 100 = Enterprise x 1,000

PKI Architecture

• Requirements:
  – Multi-functional
  – Extensible
  – Support mass-market network devices embedded in:
    • mobile phones
    • pagers
    • PDAs
    • “smart phones”

Extensibility

• Ratio of device size to certificate size
• X.509 certificate format too complex for constrained devices
• Elliptic curve keys in certificates
• WTLS certificate format (the compact certificate format defined in the WAP Forum's WTLS specification)
• Ability to support new certificate formats
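The slide's size argument can be made concrete. The following is an added example, not Xcert's code: a minimal DER encoder that builds the SubjectPublicKeyInfo structure an X.509 certificate carries for an RSA-2048 key and for a P-256 elliptic-curve key, and compares the byte counts. The key material is constructed filler of the correct length (a genuine modulus or curve point encodes to exactly the same number of bytes), so the sizes are real while the keys are not usable. Function names are this example's own; the OIDs and encoding rules are the standard ones from RFC 3279 and RFC 5480.

```python
"""Added example, not Xcert's code: what the public key costs in DER for an
RSA-2048 key versus a P-256 elliptic-curve key. Minimal hand-written DER
encoder; the key material is constructed filler of the right length (a real
modulus or curve point encodes to exactly the same number of bytes)."""
import os


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, else 0x80|count then big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """INTEGER is signed in DER: prepend 0x00 when the top bit of an unsigned value is set."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))


def der_bit_string(data: bytes) -> bytes:
    return der_tlv(0x03, b"\x00" + data)  # leading byte: number of unused bits (0)


def rsa_spki(modulus_bits: int = 2048, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for RSA (RFC 3279): rsaEncryption + NULL params, RSAPublicKey in a BIT STRING.
    Constructed modulus with its top bit set, as a genuine modulus of modulus_bits always has."""
    modulus = int.from_bytes(os.urandom(modulus_bits // 8), "big") | (1 << (modulus_bits - 1)) | 1
    alg = der_sequence(der_oid("1.2.840.113549.1.1.1"), b"\x05\x00")
    key = der_sequence(der_integer(modulus), der_integer(exponent))
    return der_sequence(alg, der_bit_string(key))


def ec_spki(curve_oid: str = "1.2.840.10045.3.1.7", coord_bytes: int = 32) -> bytes:
    """SubjectPublicKeyInfo for EC (RFC 5480): ecPublicKey + named-curve OID, uncompressed point
    0x04 || X || Y in a BIT STRING. The point is constructed filler, not actually on the curve."""
    point = b"\x04" + os.urandom(2 * coord_bytes)
    alg = der_sequence(der_oid("1.2.840.10045.2.1"), der_oid(curve_oid))
    return der_sequence(alg, der_bit_string(point))


def key_size_report() -> dict:
    """Bytes each SubjectPublicKeyInfo adds to a certificate, and the RSA:EC ratio."""
    rsa, ec = len(rsa_spki()), len(ec_spki())
    return {"rsa2048_spki_bytes": rsa, "p256_spki_bytes": ec, "ratio": round(rsa / ec, 2)}


if __name__ == "__main__":
    print(key_size_report())
```

The RSA-2048 key block comes out at 294 bytes and the P-256 block at 91, a ratio of about 3.2 before the signature is counted; a certificate signed with RSA-2048 also carries a 256-byte signature where an ECDSA P-256 signature is roughly 70 to 72 bytes in DER. Either way the certificate stays an X.509 structure, which is why the slide separately lists the WTLS format and support for new formats.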

Proven Scalable Solutions

• 8 million certificates on a single server
• Individual and batch certificate issuance and revocation
• Remote publishing of user certificates
• Locating and retrieving user certificates
• Concurrent signing operations
• Concurrent real-time online certificate status checking

Xcert Sample Architecture

Trust Model with External CAs

WebSentry

Sentry Product Suite

Unique ‘rapid deploy’ PKI platform for Internet and e-commerce applications that scales to a million users & manages security for corporations that use the Internet to conduct business

Sentry Product Suite

Sentry CA - Issue & manage certificates

WebSentry - PKI enable your servers

Sentry RA - Provide remote enrollment

Xcert Development Kit - PKI enable your apps

Professional Services & Training - Achieving ROI

Support - Reliable customer service

Xcert PKI Overview

• Internet based
• Customizable
• Simple
• Scalable
• Lightweight
• Secure
• Non-proprietary

• PKI enables the application service
  – User authorization
  – Non-repudiation of transactions (digital signatures)

• Remote user enrollment
  – Minimizes enrollment bottlenecks

• Industrial strength CA
  – Issues certificates
  – Manages certificates
  – Manages Access Control Lists
  – Supports PKI enabled applications

• Platforms: NT & Solaris
• Certificates & CRLs: X.509 v3 (all standard extensions)
• Application Support: Web, Email, VPN, ERP, SSO, Document security
• Directories: LDAP, X.500
• Protocols: HTTP, SSL, LDAP, SMTP, PKCS
• Crypto: DSA, RSA, ECC
• Crypto Hardware: all PKCS #11
• High Assurance: FIPS 140 level 3 hardware, real-time revocation

Sentry CA Specifications

Basic Components:

• Directory Server

• Signing Engine

• Administration Server

• Enrollment Server

• Logging Server

Sentry CA Architecture

Basic Components:

• Directory Server

• Signing Engine

• Administration Server

• Enrollment Server

• Logging Server


Sentry CA Architecture

Add-on Components:

• Publishing Backend

• Alternate SQL data stores

Sentry CA Features

• Enrollment
  – Interfaces
• Vetting
  – Notification
  – Examination
  – Auto vetting
• Extensions
  – Profiles
• Storage
  – Interfaces
• Suspension & revocation
  – Status checking
• Renewal

Certificate lifecycle management
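The lifecycle stages above fit a small state machine, and the rules that matter for a relying party (suspension is reversible, revocation is not, renewal does not shorten the old certificate) are easiest to see in code. The following is an added example, not Sentry's code: the CRL reason codes are the RFC 5280 values, while the state names, the method names, the "expired" status word and the day-number clock are this example's own simplifications.

```python
"""Added example, not Sentry's code: a minimal certificate lifecycle state machine for the
stages listed above (enrollment, vetting, issuance, suspension, revocation, renewal, status
checking). CRL reason codes follow RFC 5280; states, names and the day-number clock are this example's own."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KEY_COMPROMISE, CERTIFICATE_HOLD = 1, 6   # RFC 5280 CRLReason; hold is the one reason a CA may later lift


@dataclass
class CertRecord:
    serial: int
    subject: str
    state: str = "REQUESTED"   # REQUESTED -> VETTED | REJECTED; VETTED -> ISSUED -> SUSPENDED | REVOKED
    not_before: Optional[int] = None   # day numbers here; a real CA stores UTCTime/GeneralizedTime
    not_after: Optional[int] = None
    reason: Optional[int] = None


class CertificateAuthority:
    def __init__(self, validity_days: int = 365):
        self.validity_days = validity_days
        self.records: Dict[int, CertRecord] = {}
        self._next_serial = 1

    def enroll(self, subject: str) -> int:
        rec = CertRecord(serial=self._next_serial, subject=subject)   # the request an RA accepts
        self._next_serial += 1
        self.records[rec.serial] = rec
        return rec.serial

    def vet(self, serial: int, approved: bool) -> None:
        self._expect(serial, "REQUESTED").state = "VETTED" if approved else "REJECTED"

    def issue(self, serial: int, today: int) -> None:
        rec = self._expect(serial, "VETTED")
        rec.state, rec.not_before, rec.not_after = "ISSUED", today, today + self.validity_days

    def suspend(self, serial: int) -> None:
        rec = self._expect(serial, "ISSUED")
        rec.state, rec.reason = "SUSPENDED", CERTIFICATE_HOLD

    def unsuspend(self, serial: int) -> None:
        rec = self._expect(serial, "SUSPENDED")   # a REVOKED record never matches: revocation is final
        rec.state, rec.reason = "ISSUED", None

    def revoke(self, serial: int, reason: int) -> None:
        if reason == CERTIFICATE_HOLD:
            raise ValueError("certificateHold is a suspension; use suspend()")
        rec = self._expect(serial, "ISSUED", "SUSPENDED")
        rec.state, rec.reason = "REVOKED", reason

    def renew(self, serial: int, today: int) -> int:
        """Fresh certificate for the same, already vetted, subject; the old one keeps its own validity."""
        new = self.enroll(self._expect(serial, "ISSUED").subject)
        self.vet(new, approved=True)
        self.issue(new, today)
        return new

    def status(self, serial: int, today: int) -> str:
        """Real-time status answer: good | revoked | expired | unknown (never issued by this CA)."""
        rec = self.records.get(serial)
        if rec is None or rec.state not in ("ISSUED", "SUSPENDED", "REVOKED"):
            return "unknown"
        if rec.state != "ISSUED":
            return "revoked"   # a held certificate is reported revoked for as long as it is held
        return "good" if rec.not_before <= today <= rec.not_after else "expired"

    def crl(self) -> List[Tuple[int, int]]:
        """(serial, CRLReason) pairs for every certificate currently held or revoked."""
        return [(r.serial, r.reason) for r in self.records.values() if r.state in ("SUSPENDED", "REVOKED")]

    def _expect(self, serial: int, *states: str) -> CertRecord:
        rec = self.records[serial]   # KeyError for serials this CA never saw
        if rec.state not in states:
            raise ValueError(f"serial {serial} is {rec.state}, expected one of {states}")
        return rec


def lifecycle_demo() -> dict:
    """Walk one subject through the lifecycle; returns what a relying party sees at each step."""
    ca, seen = CertificateAuthority(), {}
    old = ca.enroll("CN=alice,O=Example")
    ca.vet(old, approved=True)
    ca.issue(old, today=0)
    seen["issued"] = ca.status(old, 0)
    ca.suspend(old)
    seen["suspended"], seen["crl_while_held"] = ca.status(old, 0), ca.crl()
    ca.unsuspend(old)
    seen["lifted"] = ca.status(old, 0)
    new = ca.renew(old, today=300)
    seen["old_at_day_400"], seen["new_at_day_400"] = ca.status(old, 400), ca.status(new, 400)
    ca.revoke(old, KEY_COMPROMISE)
    try:
        ca.unsuspend(old)
    except ValueError as exc:
        seen["unrevoke_error"] = str(exc)
    seen["crl_final"] = ca.crl()
    return seen
```

Two details carry the security weight: `status()` answers "unknown" rather than "good" for anything the CA did not issue, so a relying party cannot mistake silence for approval, and the only path out of SUSPENDED is `unsuspend()`, which a REVOKED record can never take.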

Sentry CA Features

• Creating CAs
• Managing CAs
  – User maintenance
  – CA security & practices
• Exporting CAs
• Importing CAs
• Cloning
• Subordination
• CRLs
• External CAs

CA lifecycle management

External CAs

Sentry CA Features

• System administration
  – Work benches
  – ACL management: admin, vettors, end users
  – Logging
  – Backing up
  – Upgrading
• Extending the back-end
  – Publishing
  – Data stores

Sentry RA

• Industrial strength enrollment solution
  – Accepts certificate requests
  – Verifies credentials
  – Supports CA signing process
  – Revokes certificates
• Streamlined configuration
  – Auto notification
  – Auto enrollment
  – Auto renewal
  – Application-specific profiles
• Distributed component / stand-alone server
• Offloads enrollment bottlenecks from CA
• Flexible scalability

Sentry RA

WebSentry

• High assurance PKI for web servers
  – Plugs into standard web servers
  – User authorization
  – Controls access to web pages
  – Queries Sentry CA for:
    • certificate status
    • ACL rules
• Zero tolerance security
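"Zero tolerance" in a web-server plug-in means the decision fails closed: a page is served only when every check passes, and a CA that cannot be reached, a stale status answer, or a subject no rule mentions all result in a deny. The following is an added example, not WebSentry's code, showing that decision over constructed requests. The certificate, status-answer and rule shapes, the glob matching of paths and subject DNs, and the five-minute freshness window are this example's own choices; the status table and the requests are constructed test data.

```python
"""Added example, not WebSentry's code: the per-request access decision a PKI-aware web
server plug-in makes, written to fail closed ("zero tolerance"). A request passes only if the
client certificate comes from a trusted CA, is inside its validity period, the CA reports it
good in a fresh answer, and an ACL rule explicitly allows that subject on that path."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ClientCert:            # the fields the plug-in reads off the TLS client certificate
    subject: str             # DN string, e.g. "CN=alice,OU=finance,O=Example"
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class StatusAnswer:          # what the CA's real-time status service returns
    status: str              # "good" | "revoked" | "unknown"
    produced_at: datetime    # when the CA produced (signed) the answer


@dataclass(frozen=True)
class AclRule:               # glob on the URL path, glob on the subject DN, allow or deny
    path_glob: str
    subject_glob: str
    allow: bool


class FailClosedGuard:
    def __init__(self, trusted_issuers: List[str], acl: List[AclRule],
                 status_lookup: Callable[[str, int], StatusAnswer],
                 max_status_age: timedelta = timedelta(minutes=5)):
        self.trusted_issuers = set(trusted_issuers)
        self.acl = acl                      # first matching rule wins: list explicit denies first
        self.status_lookup = status_lookup
        self.max_status_age = max_status_age

    def decide(self, cert: ClientCert, path: str, now: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). Every branch other than an explicit allow rule denies."""
        if cert.issuer not in self.trusted_issuers:
            return False, "issuer not trusted"
        if not (cert.not_before <= now <= cert.not_after):
            return False, "certificate outside its validity period"
        try:
            answer = self.status_lookup(cert.issuer, cert.serial)
        except Exception as exc:            # CA unreachable, malformed reply, serial never issued
            return False, f"status check failed: {exc!r}"
        if answer.status != "good":
            return False, f"certificate status is {answer.status}"
        if not (now - self.max_status_age <= answer.produced_at <= now):
            return False, "status answer stale or post-dated"
        for rule in self.acl:
            if fnmatchcase(path, rule.path_glob) and fnmatchcase(cert.subject, rule.subject_glob):
                return rule.allow, f"matched rule {rule.path_glob} / {rule.subject_glob}"
        return False, "no ACL rule grants access"   # default deny


def access_demo() -> Dict[str, bool]:
    """Constructed requests against a constructed CA status table; returns allow/deny per case."""
    now = datetime(2000, 9, 15, 12, 0, tzinfo=timezone.utc)
    year, ca = timedelta(days=365), "CN=Demo Sentry CA,O=Example"
    table = {                               # constructed status answers keyed by serial
        1: StatusAnswer("good", now - timedelta(seconds=30)),
        2: StatusAnswer("good", now - timedelta(minutes=20)),   # too old to rely on
        3: StatusAnswer("revoked", now - timedelta(seconds=30)),
    }

    def lookup(issuer: str, serial: int) -> StatusAnswer:
        if serial == 5:
            raise ConnectionError("status server unreachable")
        return table[serial]                # KeyError for serials the CA never issued

    guard = FailClosedGuard([ca], [
        AclRule("/payroll/*", "CN=contractor*", allow=False),           # explicit deny first
        AclRule("/payroll/*", "CN=*,OU=finance,O=Example", allow=True),
        AclRule("/public/*", "*", allow=True),
    ], lookup)

    def go(subject: str, serial: int, path: str, issuer: str = ca) -> bool:
        cert = ClientCert(subject, issuer, serial, now - year, now + year)
        return guard.decide(cert, path, now)[0]

    fin = "CN=alice,OU=finance,O=Example"
    return {
        "finance_user_on_payroll": go(fin, 1, "/payroll/run"),
        "stale_status_answer": go(fin, 2, "/payroll/run"),
        "revoked_certificate": go(fin, 3, "/payroll/run"),
        "other_department": go("CN=bob,OU=sales,O=Example", 1, "/payroll/run"),
        "public_page": go("CN=bob,OU=sales,O=Example", 1, "/public/index.html"),
        "contractor_in_finance": go("CN=contractor-7,OU=finance,O=Example", 1, "/payroll/run"),
        "status_server_down": go(fin, 5, "/payroll/run"),
        "serial_never_issued": go(fin, 9, "/payroll/run"),
        "untrusted_issuer": go(fin, 1, "/payroll/run", issuer="CN=Some Other CA"),
    }
```

Only two of the nine constructed requests are served. Note the rule order: the contractor deny must precede the finance allow, because the first matching rule decides; an ACL that listed the allow first would admit `CN=contractor-7,OU=finance,O=Example` to payroll.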

Wrap Up

• Wireless devices are a large part of the future.
• The best way to bring these devices into the network in a secure fashion is with certificates.
• We expect to see significant PKI and WAP development over the next 18 months.