
Authentication and Rights Management in Modern IT Systems



Presentation on the topic "Authentication and Rights Management in Modern IT Systems". Presentation transcript:

1 Authentication and Rights Management in Modern IT Systems
Ingo Schubert, Security Consultant

2 Agenda
The need for authentication
Authentication alone is not enough: authorization
Forms of authentication
Tokens
Mobile
Certificates
Rights management
Transaction security

3 Authentication
Authentication is the foundation of e-business.
Trust in each other's identity is the prerequisite for a successful transaction. Without knowing who is at the other end of the line, it is impossible to assign access and transaction rights, and impossible to trust a digital signature. In most cases (if not all) it is pointless to encrypt data if the recipient is not authenticated.

4 Authorization
Once a user is authenticated, the question becomes "What may the user do?"
Every legitimate user gets the resources appropriate to them.
User profiles are compared against defined roles.
Access is granted or denied based on:
Static criteria (e.g. job description, department, etc.)
Dynamic criteria (e.g. account balance, time of day, etc.)

5 Forms of authentication
How far a user can be trusted depends on the authentication method. Passwords are the most common form of authentication but have well-known weaknesses. Stronger forms of authentication are:
Hardware tokens
Certificates (possibly combined with hardware tokens)
Strong authentication requires a token and a PIN: something you have and something you know.

6 RSA SecurID

7 RSA SecurID products
RSA ACE/Server: the server that manages everything.
RSA ACE/Agent: the security staff; integrated in many products, including Microsoft ISA Server.
RSA SecurID: hardware tokens, software tokens, smart cards.

8 RSA SecurID two-factor authentication
Diagram labels: RSA ACE/Server; Send Session Key; Send One Time Passcode; RSA ACE/Agent; RSA SecurID = PIN + TOKEN.
Speaker notes: We have talked about the need for strong two-factor authentication to secure VPNs; how would it work? As we have discussed today, we see a number of companies looking not to support remote access over dial-up lines, as has been done traditionally, but to do it over the Internet. So how do SecurID and ACE/Server work in this environment using VPN technology? SecurID can be implemented in two basic ways with a VPN solution: either users are authenticated first and the encrypted session is established second, or vice versa. Let us walk through the first approach as an example:
First, the remote user requests a network connection.
Second, the ACE/Server issues a request for the user's one-time SecurID passcode.
Next, the user enters the one-time passcode that currently appears on his SecurID token and sends it to ACE/Server. As a further safeguard, RSA Security's client-server model employs automatic encryption of the authentication process between ACE/Clients (or agents) and the ACE/Server. This prevents the user's PIN from being sniffed over the network, whether private or public, during login and authentication.
After receiving a correct passcode, ACE/Server authenticates the user.
Next, an encrypted session is established which permits the user to send and receive information through a secure IP "tunnel". In fact, many VPN vendors, such as Aventail and TimeStep, use RSA encryption technology for this purpose.
RSA Security's strong two-factor authentication, combined with a VPN product's session encryption, ensures that remote access can be conducted safely and securely.
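The slide describes the server side of the exchange only in words: a PIN (something you know) and a one-time code from a token (something you have) are combined into a passcode, and the server must check both and reject a passcode that is presented twice. The following is an added example, not RSA's ACE/Server code; the token code is derived with HMAC-SHA1 over a 60-second time step (the RFC 6238 TOTP construction), which stands in for the proprietary SecurID algorithm. User names, PINs, seeds and timestamps are constructed for the demo.

```python
"""Illustrative verifier for a two-factor passcode (PIN + one-time token code).

Added example, not RSA's ACE/Server code. The token code is an HMAC-based
time-step code (as in RFC 6238), standing in for the SecurID algorithm.
Users, PINs and seeds below are constructed for the demo.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60      # length of one token-code window
DRIFT_WINDOWS = 1      # accept one window either side to tolerate clock drift
CODE_DIGITS = 6


def token_code(seed: bytes, step: int) -> str:
    """Derive the 6-digit code a token would display for a given time step."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class PasscodeServer:
    """Server-side check of PIN + token code, with replay protection."""

    def __init__(self):
        self.users = {}            # user -> (sha256(PIN), token seed)
        self.last_step_used = {}   # user -> highest time step already accepted

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        self.users[user] = (hashlib.sha256(pin.encode()).digest(), seed)
        self.last_step_used[user] = -1

    def verify(self, user: str, passcode: str, now: float) -> bool:
        """passcode is the PIN followed by the token code, e.g. '1234' + '492837'."""
        if user not in self.users:
            return False
        pin_hash, seed = self.users[user]
        pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
        # constant-time comparison so the PIN check does not leak timing
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), pin_hash)
        step_now = int(now // STEP_SECONDS)
        matched = None
        for step in range(step_now - DRIFT_WINDOWS, step_now + DRIFT_WINDOWS + 1):
            if step <= self.last_step_used[user]:
                continue          # a code from this window was already consumed: replay
            if hmac.compare_digest(token_code(seed, step), code):
                matched = step
                break
        # both factors are evaluated before deciding, so a failure does not reveal which one
        if pin_ok and matched is not None:
            self.last_step_used[user] = matched
            return True
        return False


if __name__ == "__main__":
    srv = PasscodeServer()
    demo_seed = b"constructed-demo-seed"
    srv.enroll("alice", "1234", demo_seed)
    t = time.time()
    code = token_code(demo_seed, int(t // STEP_SECONDS))
    print("first use:", srv.verify("alice", "1234" + code, t))
    print("replay:   ", srv.verify("alice", "1234" + code, t))
```

The replay guard records the highest accepted time step per user rather than the code itself, so a passcode sniffed from one login cannot be reused within the drift window; this is the property the notes attribute to the one-time passcode, and it only holds if the server enforces it.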

9 RSA SecurID architecture
Diagram labels: RSA ACE/Agents; Web Server; RSA ACE/Agent; Firewall; VPN; DMZ; Internet; RSA ACE/Server (replica); RSA ACE/Server (primary); Intranet; Firewall; RSA ACE/Agents NT/Unix; Novell RAS.
Speaker notes: Sample configuration of an ACE/Server customer. Note the three components of the SecurID solution: authenticator, agent, server. Tie this back to Portfolios. Notes on the DMZ in this slide: direct access from the Internet is limited to the DMZ segments. Dial-up access (RAS) is limited to the DMZ. The intranet is secured behind a second firewall, limiting damage if the DMZ is compromised. The ACE/Server should be protected behind the second firewall. The same ACE/Server can serve the DMZ and the intranet. Alternatively, you could add another firewall and ACE/Server to support the machines on the DMZ segments. For non-DMZ deployments, remove the inner firewall.

10 RSA ACE/Server 5.1 highlights
Simpler, more flexible: database replication; LDAP v3 import and synchronization; Quick Admin web help desk.
More performance and scalability: load balancing and database replication.
Higher availability.
Supports v5.x and legacy RSA ACE/Agents.
Speaker notes: Extensive customer interviews, design reviews and beta testing. ACE 5 addresses the top four customer requests: replication, LDAP, disaster recovery, ease of administration. ACE 5 launches the product into a whole new category to address customers' use of the product and their requirements for a mission-critical system. ACE/Server is no longer a point solution; it is now part of an infrastructure that requires uptime and high performance.

11 RSA SecurID authentication devices
Broad range: key fob, card, PIN pad, PC, Palm, wireless phones.
Zero footprint: no software required (for hardware tokens).
Easy to use.
The most widely deployed strong authentication method.

12 RSA SecurID smart card solution: RSA SecurID Passage
Flexible smart card solution: software client with reader and card.
Key features:
Supports all common CAs: RSA Keon CA, Microsoft, VeriSign, Baltimore, Entrust
Native Windows 2000 logon
PC logon (Windows NT, 98, 95)
Dual CSP (PKCS#11 and CAPI)
Enables secure e-mail (S/MIME) and web access (SSL)
Java Card (16K option)
PC/SC reader support

13 RSA smart cards
Diagram labels: Building Access; PC Access; Proximity; Java Platform; Mag-Stripe Badging; Credential Storage (Certificates, Key sets, Passwords); Applet Storage (SecurID Seed Storage); RSA SecurID Passage; Partners: HID & MiFare.
Speaker notes: The RSA SecurID Smart Badge solution provides impenetrable two-factor authentication for safeguarding physical assets (such as buildings and inventory), information assets (contained in computer systems and networks) and people (including employees and customers). By insulating your business from both internal and external threats, the RSA SecurID Smart Badge solution supports and extends your total security policy.

14 RSA Mobile

15 RSA Mobile authentication (I)

16 RSA Mobile authentication (II)

17 RSA Mobile authentication (III)
3-5 seconds

18 RSA Mobile authentication (III)

19 RSA Mobile authentication (IV)

20 RSA Mobile authentication (V)

21 RSA Mobile features
Within GSM networks, the access code is transmitted encrypted (A5).
The access code must be entered in the same browser instance that requested it.
RSA Mobile plug-ins connect to the telco infrastructure: wireless modem; SMTP; direct to the telco via SMPP; connection to SMS services via HTTP and SMPP; managed service (Red Message, Dialogue). Additional plug-ins can be created easily.
High performance / availability: based on J2EE, BEA WebLogic Application Server.
SAML / web service support.

22 RSA Mobile: steps in using RSA Mobile
Diagram labels: Web Browser; Web Server; RSA Mobile Agent; RSA Mobile Server; Mobile Network; SMS or Text Message; Userid + PIN; Access code + Phone #; Access code 294836.
Speaker notes: Not shown: the user attempts to access a web page that is protected with RSA Mobile. The agent intercepts the request and requests user authentication.
The user enters Userid and PIN.
RSA Mobile Server looks up the user's phone number, calculates his access code and forwards it to the SMS gateway.
The SMS gateway forwards the SMS message to the telco (NOTE: mention how this would work in the option).
The telco sends the SMS message over the air to the user's phone.
The user enters the access code and is granted access to the protected web page.
Upon accepting a userID and PIN, RSA Mobile Server sends a challenge string back to the user's browser. The challenge string is stored in the browser and is completely hidden from the user. It is passed back to RSA Mobile when the user enters his access code. This provides security, as a user must enter his access code into the same browser from which he requested it.
Leverage existing infrastructure: LDAP internally, GSM network externally.
If out of coverage, a Temporary Access Password can be used. It can be set in advance of a trip for a specified validity period, either a) by calling the help desk or b) through user self-service that the customer implements with the Admin APIs.
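The notes explain the property that distinguishes this flow from a plain SMS code: the server hands the requesting browser a hidden challenge, and the access code is only accepted together with that challenge, so a code intercepted on the air is useless from another browser. The following is an added example of that server logic, not RSA Mobile's code. The SMS gateway is replaced by a callback that records what would be sent; user names, PINs, phone numbers and the code lifetime are constructed for the demo.

```python
"""Illustrative server logic for an SMS access-code login bound to the
requesting browser. Added example, not RSA Mobile's code. The SMS gateway
is a callback (send_sms) that stands in for the telco connection; users,
PINs and phone numbers are constructed for the demo."""
import hashlib
import hmac
import secrets

CODE_TTL = 120   # seconds an access code stays valid (constructed value)


class MobileAuthServer:
    def __init__(self, send_sms):
        self.send_sms = send_sms   # callable(phone, text): stands in for the SMS gateway
        self.users = {}            # user -> (sha256(PIN), phone number)
        self.pending = {}          # challenge -> (user, access code, expiry)

    def enroll(self, user: str, pin: str, phone: str) -> None:
        self.users[user] = (hashlib.sha256(pin.encode()).digest(), phone)

    def start(self, user: str, pin: str, now: float):
        """Step 1: userid + PIN. Returns the hidden challenge for the browser, or None."""
        rec = self.users.get(user)
        if rec is None:
            return None
        pin_hash, phone = rec
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), pin_hash):
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"        # what the phone receives
        challenge = secrets.token_urlsafe(32)             # what only the browser receives
        self.pending[challenge] = (user, code, now + CODE_TTL)
        self.send_sms(phone, f"Access code {code}")
        return challenge

    def finish(self, challenge: str, code: str, now: float):
        """Step 2: code typed by the user plus the challenge the same browser holds.

        Returns the authenticated user name, or None. The challenge is removed
        on every attempt, so a wrong code forces a fresh request instead of
        leaving a six-digit code open to guessing.
        """
        entry = self.pending.pop(challenge, None)
        if entry is None:
            return None                       # unknown or already-used challenge
        user, expected, expires = entry
        if now > expires:
            return None                       # code expired
        if not hmac.compare_digest(expected, code):
            return None
        return user


if __name__ == "__main__":
    outbox = []                               # constructed stand-in for the SMS gateway
    srv = MobileAuthServer(lambda phone, text: outbox.append((phone, text)))
    srv.enroll("alice", "4321", "+00-000-demo")
    ch = srv.start("alice", "4321", now=1000.0)
    code = outbox[-1][1].split()[-1]
    print("other browser:", srv.finish("not-the-challenge", code, 1001.0))
    print("same browser: ", srv.finish(ch, code, 1001.0))
    print("replay:       ", srv.finish(ch, code, 1002.0))
```

The challenge is never shown to the user and is only ever sent to the browser that supplied the correct PIN; in a real deployment it would travel in a cookie or hidden form field over TLS.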

23 RSA Keon

24 Certificate management solutions
RSA Keon Certificate Authority: issues and manages certificates; certified to CC EAL 4; supports web browsers, smart cards and RSA Keon Web PassPort credential storage.
RSA Keon Root Signing Service: a sub-CA at the customer beneath the RSA public root CA; enables trust in SSL certificates, etc.
RSA Keon Web PassPort: software container, virtual smart card, roaming credentials.

25 RSA Keon certificate management components
Diagram labels: Root Signing Service; RSA Keon Key Recovery Module; RSA Keon WebPassport; Web Server; User; RSA Keon Certificate Authority & Registration Authority (the RA can be distributed).

26 RSA Keon Certificate Authority
The Certificate Authority issues, manages and validates certificates. It manages trust relationships. Tested with up to 8 million certificates. Features include: Keon OneStep, real-time OCSP.
Speaker notes: RSA Keon CA is an Internet-based Certificate Authority solution that provides the core functionality for issuing, managing and validating digital certificates, thereby delivering online digital identities for customers, partners, suppliers and/or employees and allowing users to identify themselves and establish trusted relationships. It includes a secure web server and a powerful signing engine for digitally signing end-user certificates and system events, and an integrated data repository for storing certificates, system data and certificate status information. RSA KCA enables you to do e-business securely: users securely gain access to information, interact with other users, and conduct secure transactions. RSA KCA permits you to define who else you and your users are willing to trust by allowing you to automatically trust digital certificates issued by your business partners or customers. RSA KCA has been architected to allow you to design and deploy your PKI to mirror your organization's structure, with the flexibility to change the system as the organization changes. For example, you can set up any number of CAs and administrators and physically locate them where convenient. In addition, the user interface can be customized and branded with your organization's logo so that users are immediately familiar with whom they are interacting. Since RSA KCA is built using open industry standards, it can interoperate out of the box with other standards-based applications. This means that your RSA KCA can be leveraged across other applications like web browsers and VPN clients to ensure maximum return on investment.

27 Ease of use: RSA Keon OneStep
Diagram labels: RSA Keon Certificate Authority; OneStep CGI; YourAuth.dll; Authenticate User; Populate Certificate Fields; External Authentication Database; Authentication Successful: Certificate Granted; Authentication Denied: Certificate Rejected.
Speaker notes: RSA Keon OneStep, a component of the RSA Keon Certificate Authority, provides a flexible framework organizations can use to automatically authenticate, approve, issue and install digital certificates by taking advantage of their existing authentication technologies and other data sources. Once operational, the entire enrollment, authentication and installation process can be accomplished in a single operation without manual intervention by a certificate administrator for approval. With Keon OneStep, users perform the enrollment function themselves. The automated approval process decreases the potential for human error and ensures data accuracy and consistency. It is also much faster and easier for the certificate administrator than performing manual authentication, and much simpler and easier for the user than entering all the required information into a form and then fetching and installing a certificate.
Let me give you an example of how Keon OneStep can work for you. The OneStep framework allows you to build an extension to the Keon Certificate Authority that passes registration requests on to an external authentication database, which can be anything from an HR database to an RSA ACE/Server. A user goes to the certificate registration page, enters their name and some identifying information, such as their Windows NT login password, their employee number or an account number, and submits the request. Keon OneStep uses the supplied name to look up the user's information in the external authentication database. If the authentication is successful, Keon OneStep instructs the RSA Keon Certificate Authority to generate a certificate.
You can also extract database information to populate the certificate, as opposed to making users enter lots of data during their request, which opens you up to user errors and invalid requests or certificates. The Keon Certificate Authority then pushes the certificate to the user's browser. To the user, they simply authenticated to a web page and, presto, their certificate appeared. Administrators only have to respond to rejected requests. You can also develop a Keon OneStep framework that uses a SecurID token for authentication and, upon success, passes the certificate request to the external database for certificate population and then hands the process back to the Certificate Authority for processing. Using SecurID provides two-factor authentication of the request to ensure that the person requesting the certificate is who they claim to be, thus preventing people from requesting certificates in someone else's name. So you get ease of use for the administrator and the end user plus enhanced security, all in one, which reduces your time and cost to deployment.

28 RSA Keon Web PassPort
Roaming credentials give users access to their keys at any time.
Certificates and private keys can be used at any time via MS-CAPI and Netscape: browsers, mail clients (S/MIME), VPNs.
User keys are stored in an LDAP directory (Active Directory).
Unobtrusive software: small footprint, no drivers, simple installation, no reboot.

29 RSA Keon Web PassPort security infrastructure applications
Diagram labels: Security Infrastructure (Authentication Engines, Certificate Authorities, Maintained Directories); Applications (Forms Signing, Online Payments, ID Applications); User receives encrypted virtual cards; RSA Keon Web PassPort browser plug-in downloads and immediately activates.
Speaker notes: The RSA Keon Web PassPort system includes several components. The user authenticates to a web page that is protected by the Web PassPort server. The Web PassPort server authenticates the user, retrieves the user's digital credentials from an LDAP-compliant directory, and securely delivers them along with the Web PassPort plug-in. The Web PassPort plug-in is a small, downloaded plug-in that enables the transparent use of certificates with web browsers, mail clients and other applications, simplifying the environment for the end user. The user's credentials are initially created by the RSA Keon Web PassPort virtual card manager and securely stored in an LDAP-compliant directory. When used with the RSA Keon Certificate Server, the optional Web PassPort OneStep module enables the auto-enrollment and pickup of certificates.
Mobile credentials: the virtual smart cards are securely downloaded over the Internet to users. The download occurs over HTTP sockets, so there is no need to loosen firewall policies. Users can download their virtual smart cards from different B2B sites using the same plug-in software, maximizing network bandwidth and user productivity. Users can download their credentials for a site from any PC browser, at home or at the office, allowing them to do business where it is convenient for them.
Flexible authentication: for maximum authentication flexibility, RSA Keon Web PassPort software supports both RSA SecurID two-factor user authentication and passwords. Once users have authenticated, they have immediate access to their credentials.
Storage of digital certificates and keys in a virtual smart card: at the heart of RSA Keon Web PassPort is the virtual smart card, a secure container with the user's X.509 encrypting and signing certificates and associated private keys. Sensitive components of the container are encrypted with 112-bit 3DES (Data Encryption Standard) and the container itself is encrypted with a 256-bit RC5® symmetric key. For enhanced security, the user's virtual smart cards are never written to the user's local file system. RSA Keon Web PassPort software supports multiple virtual smart cards per user, which enables the user to access different B2B environments that do not trust each other.

30 RSA ClearTrust

31 What is RSA ClearTrust?
RSA ClearTrust is an access management solution that integrates into existing infrastructures.
RSA ClearTrust makes it possible to secure applications, web sites and other web-based resources across intranet, extranet, B2B and B2C infrastructures.
RSA ClearTrust supports SAML and will support the Liberty Alliance specifications.
Speaker notes: RSA ClearTrust is a unified privilege management solution that provides an umbrella infrastructure layer that can be abstracted from, and plugged into, your existing IT infrastructure and applications, providing the following centralized services: user and policy administration; user SSO; user authentication; user authorization; auditing of all activities.

32 Problem: employees, customers, partners
How do you manage the identities of a growing user base…
Speaker notes (elevator pitch slide 1 of 4): Because the Internet strongly promotes the concept of "self-service", and because security is now more about setting up an infrastructure that securely lets users into your environment to access proprietary resources and no longer about just keeping bad people out, the number of users that an organization has to administer has grown exponentially. It includes not only employees but also customers and partners. So how do you manage the identity of a growing number of users…

33 Problem: …and their secure access to web resources?
Diagram labels: Customers, Partners, Employees; Access Channels: Intranet, Extranet, Portal, Wireless; five separate "Silo" Access Mgmt. boxes; HR, Financial Mgmt.; e-CRM; e-Commerce; Supply Chain Mgmt.; Industry Specific.
Speaker notes (elevator pitch slide 2 of 4): …and their secure access to enterprise web resources in a scalable, cost-efficient manner. This is the way you may do things today. Controlled access to disparate applications results in poor productivity and a negative user experience. You will also experience administration and scalability issues trying to manage all these "silos". Just think: each user in each silo has its own data "file" and its own password.

34 Solution
Diagram labels: Customers, Partners, Employees; Access Channels: Intranet, Extranet, Portal, Wireless; Web Access Management Solution; SSO; HR, Financial Mgmt.; e-CRM; e-Commerce; Supply Chain Mgmt.; Industry Specific.
Speaker notes (elevator pitch slide 4 of 4): So what does RSA ClearTrust do? Broadly defined, RSA ClearTrust allows an organization to achieve unified identity and access management across an enterprise. Enterprise applications have all evolved over time with their own identity and access management infrastructure and user data repositories. RSA ClearTrust's identity and access management solution is a framework for application-level security that not only provides a centralized layer of authentication and authorization for one's applications but also provides integration with an organization's existing and dynamically changing infrastructure, be it web servers, application servers, portal servers, etc. RSA ClearTrust acts as the security middleware or glue, allowing you to leverage the investment in these other technologies while at the same time reducing the cost of administering identity and web access management in each individual silo system. In addition, it provides the user single sign-on access to multiple web-based applications. This results in a positive user experience and greater productivity.

35 Authentication: the right authentication for each resource…
Flexible out-of-the-box support for several methods:
ID/password
X.509 (e.g. RSA Keon)
RSA SecurID
Windows NT logon
LDAP authentication
APIs for integrating further authentication methods
Chaining of methods possible

36 Web access management: "What is allowed?"
Access based on user roles and dynamic rules (SmartRules).
SmartRules make it possible to take decisions based on external data (e.g. account balance) and to grant or deny access accordingly.
Business benefit: risk mitigation with protection of your existing web-based resources based on business policy.
Speaker notes: RSA ClearTrust also provides fine-grained access control, so that an organization can not only protect access to applications but also control what users do once they have access to them. Integration with application servers provides method-level protection.
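Slide 4 separates static criteria (role, department) from dynamic criteria (account balance, time of day), and this slide names the dynamic part SmartRules. The following is an added example of an authorization decision that applies both, deny-by-default; it is not ClearTrust code. The resources, roles, rules and the user directory are constructed for the demo.

```python
"""Illustrative authorization engine: static role checks plus dynamic rules
evaluated against external data, in the spirit of the SmartRules slide.
Added example, not RSA ClearTrust code. Resources, roles, rules and the
user directory below are constructed for the demo."""
from datetime import datetime

# static criteria: the roles that may reach a resource
RESOURCE_ROLES = {
    "/banking/transfer": {"customer"},
    "/hr/payroll": {"hr", "admin"},
}

# dynamic criteria: (rule name, predicate(profile, context)) per resource;
# the profile carries external data (here an account balance), the context the request time
RESOURCE_RULES = {
    "/banking/transfer": [
        ("balance-non-negative", lambda profile, ctx: profile.get("balance", 0) >= 0),
    ],
    "/hr/payroll": [
        ("business-hours", lambda profile, ctx: 8 <= ctx["now"].hour < 18),
    ],
}


def is_allowed(user: str, resource: str, directory: dict, context: dict):
    """Return (decision, reason). Unknown users and unregistered resources are denied,
    the user must hold one of the required roles, and every dynamic rule must pass."""
    profile = directory.get(user)
    if profile is None:
        return False, "unknown user"
    required = RESOURCE_ROLES.get(resource)
    if required is None:
        return False, "resource not registered"
    if not set(profile.get("roles", ())) & required:
        return False, "role mismatch"
    for name, rule in RESOURCE_RULES.get(resource, []):
        if not rule(profile, context):
            return False, f"rule failed: {name}"
    return True, "ok"


def context_at(hour: int) -> dict:
    """Request context for a constructed date at the given hour."""
    return {"now": datetime(2024, 1, 10, hour, 0)}


# constructed user directory standing in for an LDAP lookup
DEMO_DIRECTORY = {
    "alice": {"roles": ["customer"], "balance": 120.0},
    "bob": {"roles": ["customer"], "balance": -30.0},
    "carol": {"roles": ["hr"]},
}

if __name__ == "__main__":
    for user, resource, hour in [("alice", "/banking/transfer", 10),
                                 ("bob", "/banking/transfer", 10),
                                 ("carol", "/hr/payroll", 10),
                                 ("carol", "/hr/payroll", 23),
                                 ("alice", "/hr/payroll", 10)]:
        print(user, resource, hour, is_allowed(user, resource, DEMO_DIRECTORY, context_at(hour)))
```

Returning the reason alongside the decision is what makes such an engine auditable: the log records whether a denial came from the static role check or from a named dynamic rule, which is the information an operator needs when a customer disputes a blocked transaction.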

37 Authorization: secure access to resources
Web servers: web pages, CGIs, directories, GIF & JPG files, etc.
J2EE application servers: EJBs, JSPs, Java servlets; method-level protection.
Other applications: using the APIs, applications that ClearTrust does not support directly can be integrated.

38 Delegated administration
Diagram labels: Super User; Intranet (Business Unit, Business Unit); Extranet (Customer, Partner); Group Administrators; VBU; Users.
Speaker notes: Delegated Administration capabilities allow user and policy management responsibilities to be distributed to the individuals best suited to administer their group of users. This dramatically reduces the burden on a centralized administrative group.

39 Delegated administration
Avoids cumbersome central administration of large user bases.
Delegation of user and rights management.
Organized into Virtual Business Units (VBUs).
Graduated assignment of rights.
Business benefit: reduce the cost burden of centralized administration.
Speaker notes: Using RSA ClearTrust's Delegated Administration capability, departments, business partners and customers can be grouped into logical administrative units, called Virtual Business Units (VBUs), for distributing user and policy management responsibilities to the individuals best suited to administer their group of users. This dramatically reduces the burden on a centralized administrative group. Virtual Business Units can be set up as either public or private. If private, only the administrator of that specific business unit can view the user and policy information associated with it. Additionally, administrators can be granted roles that delegate to them only a subset of administrative responsibilities; for example, help desk personnel can be granted password reset capabilities only. An example might be an auto exchange portal: because multiple competing organizations are involved, it is imperative that each company retain control over its own user base. Please note that an organization can retain centralized administration of users and policies if it so chooses.

40 RSA ClearTrust runtime architecture
Diagram labels: Any Web Browser; Encrypted Session Cookie; Web & App Servers with ClearTrust Agents; C RT API Client; Java RT API Client; DCOM RT API Client; ClearTrust Authorization Servers; Entitlements Data Store.

41 Scalability
Diagram labels: Web Server Farm; ClearTrust Authorization Servers; Replicated LDAP Directories.
Linear performance increase by adding authorization servers.
Cache: more RAM for more throughput.
A broad range of options for further optimization.

42 RSA ClearTrust scalability
Distributed authorization servers: spread across several machines; "round robin" fail-over; the web server plug-in uses a pool of authorization servers; minimal network latency.
Redundant dispatcher/key servers.
Redundant entitlement servers.

43 Cross-domain SSO (SAML)
Diagram labels: Web Browser; Authentication Authority; Cookie Cache; 1: Request Access; 2: Request Ticket; 3: Authenticate; 4: Process Ticket; 5: Request Access; 6: Request Ticket; 7: Process Ticket; ticket encoded in redirect URL and set on response. Simplified illustration; responses and all redirects are not shown.
Speaker notes: The driving issue here is that privacy constraints imposed by browsers prevent web sites from easily tracking users. Unfortunately, this does not distinguish between good tracking (SSO) and bad tracking (profiling), so authorization solutions have resorted to some clever hacks to work around the problem. Having multiple cookies representing the session for each domain may lead to an inconsistent user experience, particularly with regard to idle timeouts. For example, while browsing on partner-2.com, my session on partner-1.com may expire, even though the user believes he has been active the entire time. There are several solutions for this problem:
Do not use idle expiration; rely on re-authentication at fixed intervals. This is certainly simple, but weakens security.
Use web bugs to constantly touch the cookie on the authentication authority. This yields consistent behavior and maintains security, but slows performance (each page results in a hit to the authentication authority).
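The diagram puts the ticket into a redirect URL, which means it passes through browser history, proxy logs and referer headers; the ticket therefore has to be worthless to anyone other than the intended partner site and worthless a second time. The following is an added example of the issue-and-process steps with those properties (audience binding, short expiry, single use); it is not ClearTrust's SAML implementation, and the ticket format is an HMAC-signed JSON blob rather than a SAML assertion. Partner domains, shared keys and times are constructed for the demo.

```python
"""Illustrative cross-domain SSO ticket exchange: the authentication authority
issues a short-lived signed ticket for one partner site, encodes it in the
redirect URL, and the partner validates it and mints its own session cookie.
Added example, not ClearTrust code; the ticket is an HMAC-signed JSON blob
(not SAML), and domains, keys and times are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TICKET_TTL = 60   # seconds a ticket stays valid (constructed value)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


class AuthenticationAuthority:
    def __init__(self, partner_keys: dict):
        self.partner_keys = partner_keys   # partner domain -> shared HMAC key

    def issue_redirect(self, user: str, partner: str, target: str, now: int) -> str:
        """Steps 2/3: after authenticating the user, redirect to the partner with a ticket."""
        body = {"sub": user, "aud": partner, "iat": now, "exp": now + TICKET_TTL,
                "jti": secrets.token_hex(8)}          # jti makes the ticket single-use
        payload = _b64(json.dumps(body, sort_keys=True).encode())
        sig = hmac.new(self.partner_keys[partner], payload.encode(), hashlib.sha256).hexdigest()
        return f"https://{partner}{target}?" + urlencode({"ticket": payload + "." + sig})


class PartnerSite:
    def __init__(self, domain: str, key: bytes):
        self.domain, self.key = domain, key
        self.seen = set()      # consumed ticket ids
        self.sessions = {}     # session cookie -> user

    def process_ticket(self, url: str, now: int):
        """Steps 4/7: validate the ticket carried in the redirect URL.
        Returns a session cookie for this domain, or None."""
        ticket = parse_qs(urlparse(url).query).get("ticket", [None])[0]
        if not ticket or "." not in ticket:
            return None
        payload, sig = ticket.rsplit(".", 1)
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None                                  # forged or wrong partner key
        body = json.loads(base64.urlsafe_b64decode(payload.encode()))
        if body["aud"] != self.domain:
            return None                                  # ticket meant for another site
        if now > body["exp"] or body["jti"] in self.seen:
            return None                                  # expired or replayed
        self.seen.add(body["jti"])
        cookie = secrets.token_urlsafe(32)               # the partner's own session, not the ticket
        self.sessions[cookie] = body["sub"]
        return cookie


if __name__ == "__main__":
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    authority = AuthenticationAuthority({"partner-1.example": k1, "partner-2.example": k2})
    p1 = PartnerSite("partner-1.example", k1)
    url = authority.issue_redirect("sam", "partner-1.example", "/app", now=1000)
    print("first:", p1.process_ticket(url, 1005) is not None)
    print("replay:", p1.process_ticket(url, 1006))
```

The partner turns a valid ticket into its own session cookie immediately, so the long-lived state never sits in a URL; only the one-shot ticket does.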

44 ClearTrust APIs
Administrative API (Java, C, DCOM): creates/modifies user accounts and sets access rules.
Runtime API (Java, C, DCOM): authentication and authorization for applications that ClearTrust does not support directly.
Plug-in extension (C only): allows existing web server plug-ins to be extended.
Custom authentication adapters: for new authentication methods (biometrics, RACF/ACF2, etc.).

45 RSA eSign

46 Securing transactions
SSL alone is often not enough: the data of a transaction is protected only while in transit. Once it has arrived on the server, there is no way to verify the transaction later.
If, on the other hand, the transaction is signed on the client, it can be checked at any time whether, for example, the data has been altered.
eSign makes it possible to sign, verify and optionally encrypt HTML forms on the client. The server verifies the signature before processing further.

47 The technology: client applet and server
Client applet: compatible with Netscape 6, 7 and IE 5 to 6; accesses the browser's internal key/certificate store (Netscape) or the Windows store (IE); smart card support (via CSP); one-time download (approx. 300k).
Server: Java classes accessible via ASP, JSP or servlets; signatures can be verified; OCSP and CRLs are supported.
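Slides 46 and 47 describe the division of labour: the client signs the form fields with the key in its certificate store, the server verifies the signature before processing and can verify it again later. The following is an added example of that sign/verify flow, not RSA's e-Sign applet or server classes. To stay dependency-free it uses textbook RSA (no padding) over a SHA-256 digest with a small demo key generated at runtime, which is enough to show why a later modification is detected but is not a production signature scheme; the form contents are constructed for the demo.

```python
"""Illustrative client-side form signing with server-side verification.
Added example, not RSA e-Sign code. Signing is textbook RSA (no padding)
over SHA-256 with a demo-sized key generated at runtime; this demonstrates
the integrity check, not a production-grade signature scheme."""
import hashlib
import json
import random


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test, sufficient for demo key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_demo_keypair(bits: int = 512):
    """Return (public=(n, e), private=(n, d)). Demo-sized key, constructed at runtime;
    in the slides this key lives in the browser's certificate store."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:          # e is prime, so this guarantees gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def canonical_form(fields: dict) -> bytes:
    """Deterministic encoding so client and server hash exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _digest_int(fields: dict) -> int:
    return int.from_bytes(hashlib.sha256(canonical_form(fields)).digest(), "big")


def sign_form(fields: dict, private) -> int:
    """Client side: sign the digest of the form with the user's private key."""
    n, d = private
    return pow(_digest_int(fields), d, n)


def verify_form(fields: dict, signature: int, public) -> bool:
    """Server side: recompute the digest from the received fields and compare."""
    n, e = public
    return pow(signature, e, n) == _digest_int(fields)


if __name__ == "__main__":
    pub, priv = generate_demo_keypair()
    form = {"from": "Alliance Aviation", "to": "Supplier Ltd",
            "amount": "12500.00", "currency": "EUR"}      # constructed transfer form
    sig = sign_form(form, priv)
    print("as submitted:", verify_form(form, sig, pub))
    print("amount changed:", verify_form(dict(form, amount="21500.00"), sig, pub))
```

Because the signature is computed over the canonical form contents rather than the transport, the server can store the fields and signature together and re-run the verification at any later time, which is the gap the slide says SSL alone leaves open.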

48 RSA Keon e-Sign in Action

49 RSA Keon e-Sign in Action

50 RSA Keon e-Sign in Action

51 Example
Speaker notes: Describe a cash transfer scenario in this slide. Steps:
Sam Smith, the controller at Alliance Aviation Corporation, needs to transfer cash to a supplier. Sam logs onto Liberty Bank's portal and fills out the cash transfer form.
(2) Sam Smith has KWP on his client and is able to download the certificate from KCA. Alternatively, Sam may already have a certificate in his browser certificate store.
(3) Sam Smith's certificate is validated by RSA e-Sign on the server side. Joe must review the document before signing. He then digitally signs the form. The form is uploaded to the web server. On the server side, the signed document can be verified for integrity and the cert can be validated again.
(5) Janet Jones, Sam's boss and the controller of Alliance, then downloads and reviews the form. Before signing, Janet verifies that the document has not been modified. In addition, she requests validation of the cert used to sign (validation occurs on the server side).
(6) Janet then signs the form. The form is uploaded to the web server and the transaction is sent to the clearinghouse for processing.
Background on components:
KWP: mobile credentials for users (enabled through KWP). User credentials follow the user no matter where they are: users authenticate to the web server agent, have the RSA Keon Web PassPort virtual smart card downloaded, and then have their digital credentials securely downloaded no matter what PC they are sitting at, at home, in the office or on the road. Secure credential store: allows organizations to enforce tight control of private keys; very important in terms of "data integrity".
KCA: Keon OneStep.
RSA Keon Key Recovery Module: this optional module is used for securely storing and retrieving lost or damaged end-user encryption keys, providing access to the keys while maintaining the highest standards for security and without compromising non-repudiation.
Real-time certificate status checks: RSA Keon CA can be configured to use the Online Certificate Status Protocol (OCSP) to provide relying applications with up-to-the-second status information on the validity of a certificate. OCSP simplifies the status checking process by providing a central location for CRLs rather than having CRLs distributed to multiple applications. RSA Keon CA's real-time implementation of OCSP is unique in that it pulls fresh status information from the CA repository rather than stale information from a pre-published CRL. This real-time status information is a necessity for organizations that cannot accept the time-delay risks inherent in CRLs. It eliminates the possibility of a user with a revoked certificate gaining access to sensitive company data or applications.

52 RSA BSAFE developer tools: simpler delivery of secure solutions
Diagram labels: Broadband; SSL-J, SSL-C, WTLS-C, IPSec-C, SSL Micro Edition; Algorithms, Math Libraries; Crypto-C, Crypto-J, Crypto-C Micro Edition; Cert-C, Cert-J, Cert Micro Edition.

53 RSA BSAFE application examples
Integrated in Internet Explorer, Siemens mobile phones, etc.
RSA enterprise products.
RSA SureFile: encryption, signing, compression (PKZIP).

54 Questions?

55 The Most Trusted Name in e-Security




