Root and Issuing CA Technical Operations Overview

As adoption of computers and the Internet has matured, so have users’ expectations for security. New regulations and changing attitudes towards corporate responsibility and data protection are driving most organizations to devote considerable attention to computer security. HydrantID provides digital identity and advanced authentication services to help organizations secure data and systems as well as ecommerce transactions. HydrantID services assist organizations to achieve industry best practices related to encryption and authentication while reducing operating complexity and costs.

In today’s world of everything-as-a-service it’s easy to forget that PKI solutions were among the first ‘cloud’ services available in the market, well before the term Cloud existed in the context of computer services. Organizations all over the world have been buying trusted SSL certificates online since the mid-nineties. Arguably this PKI-based solution was the first security product to be widely sold and adopted globally by organizations of all sizes. A significant contributor to this success is the nature of PKI itself. As the name Public Key Infrastructure suggests, every digital certificate has a ‘public’ and a ‘private’ component. When utilizing cloud-based PKI solutions to protect servers and other corporate assets the only information that is sent and stored by our servers is the ‘public’ data contained in the certificate. Our customers retain the ‘private’ key and associated sensitive data within their own environments. PKI security was designed to only carry ‘public’ information and is the bedrock of the secure internet (HTTPS) used to protect millions of financial transactions every day.

The HydrantID cloud based, commercial Certificate Authority (CA) provides managed PKI services to the enterprise and public sector in the Americas and Europe. Through our affiliate partner QuoVadis LTD., the company has operations in Switzerland, Holland, the UK, Germany and Bermuda. Secure PKI hosting facilities are located in the United States, Switzerland and Bermuda. HydrantID offers two Managed PKI models: A Private PKI (Private Root) for organizations that need full control over certificate policies and root key distribution; and the Dedicated Issuing CA (Shared Root) that provides a low-cost alternative for organizations that just need digital certificates to secure internal servers and other resources.

Figure 1: Private PKI Hierarchy
Figure 2: Dedicated ICA Hierarchy


HydrantID also delivers Enterprise Trusted Certificate Services for providing SSL, S/MIME and other pre-trusted certificates. You can find out more about each of these services at https://www.hydrantid.com. All our PKI solutions provide the necessary documentation, set-up and on-going CA operations to free your staff to focus on your core business. We provide scalable, secure and geographically-distributed implementations for Managed PKI’s and leverage highly secure and audited technical facilities and expertise to deliver all our services. HydrantID provides a fixed annual subscription fee for the operation of our PKI solutions, with each subscription tailored to customer requirements. All of our services can be included in a single subscription and new services can be added at any time.

Functionality, Security and Usability

Both the Dedicated Issuing CA and Private PKI offerings share a common set of functionality that one would expect from our world-class service:

• All Issuing CA private keys are generated and maintained in FIPS 140-2 certified Hardware Security Modules
• All Issuing CA private keys are replicated to a geographically-diverse backup site
• CRL publishing
• OCSP responder service using software-based signing keys
• Trust/Link certificate management web portal
• Optional Trust/Link Enterprise Web Service API for automation
• Built-in support for third-party key and certificate management solutions such as Venafi and Secardeo
• Includes 20 SAN’s per certificate, more available on request
• Supports multiple certificate policies/types for securing internal hosts (SSL/TLS, wildcard, device, etc.)
• Supports multiple Administrators and rights delegation
• No limit on organizations/departments
• No limit on sub-domains
• Ongoing Service and Industry Updates
• 6-month Internal Program Assessment
• Annual support and maintenance

Our service uses Policy Templates to control the types of certificates issued to your account. We provide pre-configured templates that cover the more popular types of certificates. These can be used as a starting point for further customization to meet your business needs.

Moving up to our Private PKI offering adds the features necessary for organizations that want full control over branding, policies and certificate hierarchy:


• Offline private root key(s) and certificate(s)
• Scripted, recorded Key generation ceremony
• Offline root storage - HSM, security world and card sets, safe in two geographically-diverse locations
• Custom Certificate Policy and Certificate Practice Statement (optional)
• Existing Certificate Policy and Certificate Practice Statement review and mapping
• OCSP responder service using software signing keys (hardware-based keys are optional)

We work closely with our customers to determine the best PKI architecture for their needs. As part of our Private PKI service we offer a workshop that is used to determine:

• CA Naming
• Certificate Policy requirements
• Scope of certificate usage
• Web Services Configuration
• User acceptance testing criteria
• Internal audit and reporting requirements

The results of the Workshop are used to create a customized Private Root Hierarchy document that covers the PKI hierarchy design, branding, policy identifiers and certificate types required to deliver a fully-functional PKI service. This becomes the blueprint for generating the private keys and associated certificates.

Private PKI Service Key Generation and Storage

The Private PKI Root CA keys are created during a CA Webtrust-compliant key generation ceremony attended by a business and technical representative of your company. Using non-networked dedicated equipment, the key ceremony is performed in a maximum security digital records and microfilm storage vault located in a solid granite mountain. This vault, built to Department of Defense specifications, is used to secure dedicated Customer and HydrantID safes containing the Hardware Security Modules and associated activation data. On-going storage and maintenance activities like Key and Certificate Rollover, CRL generation and OCSP Signing certificate renewal are included in our service offering.

Root and Issuing Key Portability

The Private PKI Root CA will be generated on a Windows Server virtual machine and dedicated Thales Edge HSM. Upon termination of the contract, these components and any “k-of-n” smart cards and activation data will be provided to the Customer in a secure manner agreed upon by both parties.


The Issuing CA private keys will be hosted on shared HSM’s. Upon termination of the contract, these key blobs will be merged into a migration Security World and the “k-of-n” smart cards and activation data will be provided to the Customer in a secure manner agreed upon by both parties.

Key Sizes and Algorithm Support

Although our Dedicated ICA and Private PKI offerings are not governed by an industry group we do encourage our customers to follow best practices for key size and hashing algorithm choices. This currently is a baseline of 2048-bit keys for device and user certificates and 4096-bit keys for Issuing and Root CA’s. We have the ability to issue a wide range of key sizes and hash algorithms for cases where your organization needs a custom solution. Our standard Cryptographic provider is RSA#nCipher Security World Key Storage Provider which is compatible with SHA-256, SHA-384 and SHA-512. We also support:

Asymmetric public key algorithms: RSA (1024, 2048, 4096), Diffie-Hellman, DSA, El-Gamal, KCDSA, ECDSA, ECDH
Symmetric algorithms: AES, ARIA, Camellia, CAST, DES, RIPEMD160 HMAC, SEED, Triple DES
Hash/message digest: SHA-1, SHA-2 (224, 256, 384, 512 bit)
Full Suite B implementation with fully licensed Elliptic Curve Cryptography (ECC) including Brainpool and custom curves

Both Private and Dedicated PKI root keys will be generated on a Thales Edge FIPS 140-2 Level 3 validated Hardware Security Module (HSM). This HSM helps to enforce multiperson control for sensitive processes, such as configuring a new HSM module or activating a key for use. This is commonly known as “k of n”, or having a “quorum.” The basic premise of k of n is to divide the interactions needed to access information among multiple entities. In the case of an HSM connected to a CA, multiple smart cards need to be connected to the HSM to generate or activate the use of the CA private key. The cards or tokens can then be separated, distributed, and securely stored to help enforce these processes. The Thales Security World allows for physically splitting key management responsibilities. Split responsibility is a widely accepted control within most security policies. Through its multi-party “k-of-n” control functionality, important key functions, procedures or operations can mandate that more than one person is required to perform these tasks: a quorum of key holders (the “k” in the “k-of-n”) must authorize the actions of the console operator.


Figure 2: Private Key Protection and Access Control

The Security World construct also supports scalability by providing a secure and tightly managed process for provisioning identical Issuing CA keys to additional Thales HSM’s. Backups are accomplished by making copies of the Issuing CA application “key blob” and moving them to physically and geographically-diverse locations. The Security World construct ensures that the “key blob” is worthless without the “k-of-n” smart cards and a properly-initialized HSM. The following was provided by the vendor for reference:

Key Access and Storage

An application “key blob” consists of the key material, the key’s Access Control List (ACL), and a cryptographically strong checksum, all encrypted with a 3DES or AES key. In the case of a cardset-protected application key, the 3DES or AES wrapper key used is stored via secret-sharing across the Operator Card set and is known as a Logical Token. In the case of a module-protected application key, the 3DES or AES key used is the Security World Module Key, stored in the HSM’s nonvolatile memory.


Figure 3: Key Storage

The Security World Module Key is itself stored in a blob on the host file system; the key data, ACL and checksum are encrypted with a 3DES or AES Logical Token stored on the ACS. This allows the Administrator Card Holders to load the Security World Module Key into additional HSMs. The security world module key can be loaded on both dedicated Thales nShield HSMs and on Thales netHSMs. A Logical Token remains in the HSM and on the smart cards and is never passed to the host even in encrypted form. Additional encryption of the Shares of a Logical Token ensures that the passphrases (if set) are required to assemble the Shares into the original 3DES or AES key, and in the case of Operator Cards, to ensure that the card set is used only in HSMs possessing the Security World Module Key. OCS-protected application keys with Recovery enabled are also stored in a Recovery Blob alongside the main working blob. The Recovery Blob is encrypted using an RSA key pair known as the Recovery Encryption Key. The private half of the Recovery Encryption Key is again stored as a blob protected by a Logical Token stored on the ACS. This allows the Administrator Card Holders to perform the recovery from lost or unusable Operator Card sets as shown below.


Figure 4: Access to cryptographic keys
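The “k-of-n” quorum described in the HSM section and the secret-shared wrapper key (Logical Token) described in the vendor’s Key Access and Storage text rest on the same idea: a secret is split so that any k of n card holders can rebuild it and fewer than k learn nothing. The following is an added illustration, not HydrantID’s or Thales’ code, using Shamir secret sharing over a prime field. The field prime, the share encoding, and the HMAC “checksum” standing in for the blob’s encrypted checksum are all constructed choices for the example; the real Security World format is vendor-specific and is not described on the page.

```python
import hashlib
import hmac
import secrets

# Field for the share arithmetic. 2**255 - 19 is prime and larger than any
# 256-bit wrapper key we would want to split (constructed choice).
PRIME = 2**255 - 19


def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial with the given coefficients at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k, n):
    """Split an integer secret into n shares such that any k reconstruct it.

    Each (x, y) pair would be written to one smart card of an n-card set;
    x is the card index (1..n). Fewer than k shares reveal nothing because
    the k-1 higher polynomial coefficients are uniformly random.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct_secret(shares):
    """Lagrange-interpolate the share polynomial at x = 0.

    With at least k distinct shares this is the original secret; with fewer
    it is an unrelated field element, which is why the blob carries an
    integrity check rather than trusting the reassembled key blindly.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # pow(den, PRIME-2) is the modular inverse (Fermat; PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def blob_checksum(wrapper_key, key_material):
    """Keyed checksum over the blob payload (stand-in for the real encrypted
    checksum; the 3DES/AES encryption of the blob itself is omitted here)."""
    return hmac.new(wrapper_key.to_bytes(32, "big"), key_material, hashlib.sha256).digest()


def unlock_blob(shares, key_material, checksum):
    """Rebuild the wrapper key from the presented cards and verify the blob.

    True only when the quorum was sufficient, i.e. the reassembled key is
    the one the checksum was computed under.
    """
    candidate = reconstruct_secret(shares)
    return hmac.compare_digest(blob_checksum(candidate, key_material), checksum)


if __name__ == "__main__":
    # Constructed wrapper key ("Logical Token") and dummy blob payload.
    wrapper_key = secrets.randbelow(PRIME)
    payload = b"key-material||ACL (constructed)"
    checksum = blob_checksum(wrapper_key, payload)
    cards = split_secret(wrapper_key, 3, 5)  # 3-of-5 operator card set
    print("3 cards present:", unlock_blob(cards[:3], payload, checksum))
    print("2 cards present:", unlock_blob(cards[:2], payload, checksum))
```

The split is what lets the shares be “separated, distributed, and securely stored”: a stolen backup of the blob plus any two of the five cards gives an attacker nothing to verify against, while any three cards in a properly initialized module reassemble the wrapper key exactly.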

Accessing Your PKI Services

We provide two primary ways to consume our PKI offerings:

o Trust/Link Enterprise Certificate Portal - We provide an easy-to-use web-based certificate portal that provides a single interface for your account setup, management and reporting needs for both Managed PKI and Trusted SSL certificates in one place. The portal is accessed using any standard web browser and does not require any additional client-side software. This also provides customers the ability to distribute the administration of certificate lifecycles across their organization with customizable administrator roles. We provide an Administrator guide that explains the account settings and ability to delegate specific permissions to other Administrators.

o Certificate API - This is a RESTful Web Services API for automating the request, issuance and revocation of digital certificates. The web service consists of:


ACTION  URI                                          DESCRIPTION
POST    /api/v1/certs                                Creates a new request, returning transactionId
PATCH   /api/v1/certs/{transactionId}                Revokes a given certificate
GET     /api/v1/certs/{transactionId}                Returns the certificate request details
GET     /api/v1/certs/{transactionId}/status         Returns the certificate status - Valid/Revoked
GET     /api/v1/certs/{transactionId}/certificate    Returns the issued certificate
GET     /api/v1/certs/{transactionId}/info           Returns detailed information about the issued certificate

The HydrantID Certificate API has also been integrated by other security product vendors. This enables their customers to access HydrantID services without any additional development work. Two featured solutions are:

Venafi Trustforce - https://www.venafi.com/products/trust-force/trust-force-overview

Venafi, as the Immune System for the Internet™, uses Venafi TrustForce™ to automate the entire key and certificate lifecycle, determining which keys and certificates are self and trusted, protecting those that should be trusted, and fixing or blocking those that are not by blacklisting or automatically replacing vulnerable keys or certificates. In addition, organizations can eliminate blind spots from encrypted threats by automating the delivery of trusted keys for SSL/TLS decryption and threat protection. TrustForce also extends its automated certificate management and security capabilities to a wide range of Enterprise Mobility use cases, including email encryption, email signing, WiFi, VPN, browser, and device authentication.

Secardeo certEP - https://www.secardeo.com/products/certep


The Secardeo certEP Certificate Enrollment Proxy supports manual or autoenrollment of certificates to computers and users in a Windows Domain from a non-Microsoft CA. certPush enables the automated distribution of user keys to all mobile devices in an enterprise. certEP offers you the following benefits:

• usage of a CA software or SaaS of your choice – independence from Microsoft
• isolation of CA from production network – protect your PKI from advanced threats
• high degree of automation – minimize PKI operational costs
• use established Managed PKI Services – perform PKI deployment within hours
• many CAs supported with customizable interfaces – keep flexibility for a future migration to another CA
• local key archival and recovery by KRAs - keep full control and privacy for your private encryption keys
• autoenrollment from a public CA – globally accepted S/MIME certificates for your users

We also support a number of certificate-specific protocols for specialized integration and automation support. These are outlined in the diagram below. Please contact your representative for availability and additional information.


Performance, Availability and Scalability

Customers of our PKI offerings rely on two primary services for day-to-day operations: Certificate Issuance and Certificate Validation. Certificate issuance is a multithreaded service with three primary stages:

• Request submittal: Incoming certificate requests from our portal or API are accepted by a request queue. This provides an auto-scaling method to handle highly-variable peaks in certificate request volumes. The request queue can accept in excess of 300 certificate requests per second.

• Request processing: Requests may be subject to a variety of rules processing before being signed by the CA (Certificate Authority). Examples are name constraints, policy enforcement and external dependencies that must be verified prior to the certificate being issued and returned to the requesting customer. The complexity of the certificate to be generated, e.g. key size, number of SAN (Subject Alternative Name) fields, etc., can also increase the issuance time. In practice, the majority of this processing occurs within seconds and the request is then signed by the appropriate CA.

• Signed Certificate Return: How the signed certificate is returned depends on the request method. For portal users, an email is generated by our system and sent to the Requestor and other account administrators. A status indicator is also set in the portal. The certificate may now be downloaded in both PEM and DER formats, as well as with or without the full certificate chain. For API users, a polling mechanism is used for API-generated requests and third-party integrations. These services poll at frequent intervals and download the certificate as soon as it is available.

Certificate validation information is provided by Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP) servers. All Dedicated ICA’s and Private PKI’s are configured to publish a CRL each time a certificate is revoked and at a specified interval. They are published to a hosted location and can be downloaded as needed. OCSP services provide near real-time revocation status information and are included in both our service offerings. We also support OCSP Stapling which allows a server protected by a certificate to request status information and pass it on to connecting clients. This greatly reduces WAN traffic for busy sites and reduces page load times. Both CRL and OCSP information may be served out of the United States, Bermuda and/or Swiss data centers on a round-robin DNS basis with multiple servers in each location. This load balancing method ensures that any interruption at any location is covered by another data center. As of December 2015 our average OCSP response times (in seconds) are:

From Pennsylvania - 0.095
From London - 0.050
From Amsterdam - 0.056
From San Jose, CA - 0.165
From Phoenix, AZ - 0.173
From New York - 0.095
From Aruba/Italy - 0.088
From Zurich, Switzerland - 0.078

Incoming connections to these services are a shared resource and are sized to provide ample bandwidth for all customers on our platform. Capacity is managed by HydrantID and will be added as necessary without our customers incurring additional bandwidth charges. We maintain Service Level Agreements with all our customers to ensure that our Issuance and Validation systems are available and responsive when you need them. HydrantID operates a multi-location Support desk to provide 24 hour/7 days a week support for solving outages and other high-priority issues. A customer-specific support group is established in our ticketing system and key HydrantID contacts for support issues and escalation are provided at service initiation. We support the use of S/MIME for authenticated and encrypted communications, and maintain a list of authorized customer representatives to authenticate service requests and confirmations.

For more information contact questions@hydrantid.com or visit www.hydrantid.com