
PKI System Architecture

The SPYRUS PKI is a hierarchical Public Key Infrastructure based around the LYNKS PCMCIA Hardware Security Module, a SPYRUS development. The SPYRUS PKI is a totally scalable infrastructure that can support a small enterprise environment with a few hundred users, as well as a global infrastructure with tens of millions of users. Developed to operate on Windows NT and Windows 2000, the SPYRUS PKI uses Active Directory, IIS, IE, Exchange and SQL Server as some of its infrastructure components. At the same time it is fully interoperable with a variety of other third party products such as Oracle and iPlanet.

Root Certification Authority or Policy Approval Authority

The SPYRUS PKI infrastructure is composed of a hierarchy of certificate issuing and certificate requesting components. At the very top of the hierarchy is the Root Certification Authority or Policy Approval Authority (PAA). This is the most trusted component in the infrastructure, and as such the processes that occur here are afforded the greatest scrutiny and protection. The PAA initializes the SPYRUS PKI hierarchy and its cryptographic infrastructure. The PAA generates its own Root keys and creates its own self-signed Root certificates utilizing the cryptographic facilities of the SPYRUS LYNKS Series II Hardware Security Module (HSM).

Creation of a PAA and its PCA subordinates is normally undertaken as an offline process in a secure environment, since the Root private keys must be afforded the maximum protection. Once the PAA and PCA creation process is complete, it is normal for the PAA HSM (and computer or hard disk) to be removed and secured in an off-site bank vault or some other comparable security container, thereby avoiding the necessity of "hardening" the facility for protection of the trusted Root key.

Like other certificate issuing components in the SPYRUS PKI infrastructure, certificate related transactions conducted by the PAA are recorded in its database, such that they can subsequently be audited by relevant interested parties (auditors).

Policy Certification Authorities (PCAs)

SPYRUS PKI implements an additional important component within the infrastructure that other vendors do NOT provide. Positioned subordinate to the PAA and above the CA is another Certification Authority called a Policy Creation Authority (PCA). The PCA is specifically designed to control the propagation of certificate policy throughout the business process infrastructure. Policy is mission-critical information used to convey detailed, contractually binding information about reliance, liability, usage, mode of issuance, trust levels, etc. related to an electronic transaction, e.g. a digital signature on an electronic document. Each PCA can manage approximately 25 digitally signed policies; the signature ensures the integrity and trustworthiness of each issued policy, which is then propagated to one or more CAs that are subordinate in the hierarchy.

SPYRUS PKI is unique in providing a trusted, root-key signed process to control how such vital information ultimately is conveyed via an end-entity digital certificate.

The subordination of the PCA to the PAA is based upon the PCA's certificate, which carries the identity of the PCA and is digitally signed by the PAA. The PCA itself is a certificate issuer for subordinate Certification Authorities (CAs), which in turn issue certificates to Registration Authorities and End Entities (Users, Applications, etc.). Once subordinate CAs have been created and their certificates signed, the PCA is normally taken off-line and its software and associated HSM stored in an off-site bank vault or some other comparable security container, thereby avoiding the necessity of "hardening" the facility for protection of the trusted Policy Creation key.

Certification Authorities

Certification Authorities (CAs) are the real operational components within the SPYRUS PKI. CAs can be operated in either offline or online modes and are responsible for issuing and revoking certificates. A CA can issue a variety of different certificate types meeting the X.509 certificate profile requirements of most applications. CAs have a very flexible publishing model that allows certificates and CRLs to be distributed to a variety of different certificate repositories, including Active Directory, Validation Authorities, LDAP directories, files, etc. CAs also maintain their own databases to record all certificate related transactions.

Any CA may manage up to 25 individual policies within the same CA. This permits the flexibility to assign CAs multiple policies that satisfy the communities of interest served by each CA, and simplifies configuration and network management by reducing CA deployments. The distributed CA/RA architecture permits locating the CAs at more appropriate data processing facilities for ease of security, logistics and communications support. A comprehensive database and audit trail of all certificate related transactions, such as certificate issuance, certificate revocation, etc., is maintained. Certificates are requested via Registration Authorities using a secure mail transport in which all requests are digitally signed and encrypted. Only authorized Registration Authorities can communicate with the CA; any request that is not digitally signed and encrypted by an authorized Registration Authority is ignored.

Like all SPYRUS certificate issuing components in the hierarchy, the CA uses a LYNKS Series II HSM to perform all digital signature, key management and encryption operations.
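The chain of trust described in this and the preceding sections (a self-signed PAA root, a PCA signed by the PAA, a CA signed by the PCA, and RA and end-entity certificates signed by the CA), as an added example that is not SPYRUS code. It is a Go program using only the standard library; software ECDSA keys stand in for the LYNKS HSM, the serial counter and names such as "Example PAA" and alice@example.test are constructed, and VerifyChain performs the check a relying party would run on an end-entity certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Authority pairs a certificate with the key that signs under it (a software
// key here; in the SPYRUS design it would be held in a LYNKS HSM).
type Authority struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var serial int64 // constructed serial counter; production CAs use random serials

// newCert issues a certificate for name signed by parent, or self-signed when
// parent is nil (the PAA's own root certificate).
func newCert(name string, isCA bool, parent *Authority) (*Authority, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              usage,
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Authority{Cert: cert, Key: key}, err
}

// Hierarchy holds the page's tiers: PAA (root) -> PCA -> CA -> RA and EE.
type Hierarchy struct{ PAA, PCA, CA, RA, EE *Authority }

// BuildHierarchy creates the chain top-down: only the PAA signs itself; every
// other certificate is signed by the tier directly above it.
func BuildHierarchy() (*Hierarchy, error) {
	var h Hierarchy
	var err error
	issue := func(name string, isCA bool, parent *Authority) (a *Authority) {
		if err == nil {
			a, err = newCert(name, isCA, parent)
		}
		return a
	}
	h.PAA = issue("Example PAA", true, nil)
	h.PCA = issue("Example PCA", true, h.PAA)
	h.CA = issue("Example CA", true, h.PCA)
	h.RA = issue("Example RA", false, h.CA)
	h.EE = issue("alice@example.test", false, h.CA)
	return &h, err
}

// VerifyChain is the relying party's check: ee must chain to root through the
// supplied intermediates (here the PCA and CA certificates).
func VerifyChain(ee, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := ee.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

Only the PAA certificate is placed in the trusted root pool; the PCA and CA certificates are supplied as intermediates, so the check fails if either is missing or if a different self-signed root is presented, which is exactly why the offline PAA and PCA keys are the ones that need vault-level protection.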

Registration Authorities

Registration Authorities (RAs) provide the interface between a CA and an End Entity (EE). An EE can be a user application, a server application (e.g. a Web Server), or a hardware cryptographic device (e.g. Smart Card, USB, PCMCIA, etc.). The RA's responsibility is to authenticate an EE's request for a certificate and, once it is approved, forward the request to a CA, which in turn creates the requested certificate.

The SPYRUS PKI supports a variety of different registration models and enhancement options to accommodate a broad set of customer requirements for registration processes.
  • Light Registration Authority (LRA): The LRA is an RA with reduced functionality for software-based, basic assurance identity management solutions.
  • Web Registration Authority (WebRA): The WebRA is a web-based registration component that works in conjunction with an enterprise RA for web registration.
  • Automated RA (AutoRA): The AutoRA is a registration component that requires no operator intervention. The operation of the AutoRA is fully automated, processing every certificate request that it receives. The policy-based registration processes used to register the WebRA provide trust, and the AutoRA will reject any certificate request that is not digitally signed by a valid WebRA.
  • Web Registration (WEBREG™): WEBREG is an HTML-based certificate request interface used by Web clients such as Netscape Communicator and Microsoft Internet Explorer. It is an optional product that allows browsers to send client certificate requests to the RA and easily download the signed certificates.
The RA facilitates various registration models by providing a mechanism for extending the features of the basic registration functions. These extensions are called Programmable Policy Modules (PPMs). The SPYRUS patented PPM technology can add RA registration screens to ensure that specific checks (for example, a valid driving licence) are performed by the RA operator on the entity requesting a certificate. In addition, a PPM can be used to interface with external information sources that can be used in the identity checking process.

The RA also approves revocation requests for the CA's action.

Designed for scalability and flexibility of use, RAs can be deployed on a standard workstation or laptop for geographically distributed organizations. The RA requires minimal security for its operation, because communications between the RA and the CA are trusted and non-repudiable, and the RA's keys are stored within a LYNKS Series II HSM.
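The signed-request gate between an RA and its CA (the rule above that only requests signed by an authorized Registration Authority are acted on, and the AutoRA's rejection of anything not signed by a valid WebRA), as an added example that is not SPYRUS code. It is a standalone Go program: RA identifiers, request bodies and the CA's authorized set are constructed, software ECDSA keys stand in for the RA's LYNKS HSM, the CA's Audit slice stands in for its transaction database, and the encryption of the mail transport is left out so that only the signature check is shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RA holds a Registration Authority's identifier and signing key (a software
// key here; in the SPYRUS design it would sit in the RA's LYNKS HSM).
type RA struct {
	ID  string
	Key *ecdsa.PrivateKey
}

// SignedRequest is what an RA forwards to the CA: the approved request body,
// the identifier of the RA that approved it, and that RA's ECDSA signature
// over the body. Encryption of the transport is left out of this example.
type SignedRequest struct {
	Body []byte
	RAID string
	Sig  []byte
}

// NewRA generates a fresh signing key for an RA.
func NewRA(id string) (*RA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &RA{ID: id, Key: key}, err
}

// Forward is the RA side: sign an approved request so the CA can act on it.
func (ra *RA) Forward(body []byte) (*SignedRequest, error) {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, ra.Key, digest[:])
	return &SignedRequest{Body: body, RAID: ra.ID, Sig: sig}, err
}

// CA keeps the public keys of the RAs it accepts requests from, plus an audit
// trail of every decision (the page's database of certificate transactions).
type CA struct {
	Authorized map[string]*ecdsa.PublicKey
	Audit      []string
}

// NewCA registers the given RAs as the only ones the CA will listen to.
func NewCA(ras ...*RA) *CA {
	ca := &CA{Authorized: map[string]*ecdsa.PublicKey{}}
	for _, ra := range ras {
		ca.Authorized[ra.ID] = &ra.Key.PublicKey
	}
	return ca
}

// Accept is the CA side: any request not carrying a valid signature from an
// authorized RA is ignored, and the decision is recorded either way.
func (ca *CA) Accept(req *SignedRequest) error {
	pub, ok := ca.Authorized[req.RAID]
	if !ok {
		ca.Audit = append(ca.Audit, "ignored: request from unknown RA "+req.RAID)
		return errors.New("request not from an authorized RA")
	}
	digest := sha256.Sum256(req.Body)
	if !ecdsa.VerifyASN1(pub, digest[:], req.Sig) {
		ca.Audit = append(ca.Audit, "ignored: bad signature claiming RA "+req.RAID)
		return errors.New("RA signature does not verify")
	}
	ca.Audit = append(ca.Audit, fmt.Sprintf("accepted from RA %s: %s", req.RAID, req.Body))
	return nil
}
```

The CA never trusts the RAID field on its own: the identifier only selects which registered public key to verify against, so a request from an unregistered RA, a request relabelled with an authorized RA's identifier, or a body altered after signing are all ignored and logged rather than issued.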

© 1996–2010 SPYRUS, Inc.