Suomen Kuntaliitto Sairaalapalvelut Sovellusriippumattomat tietoturvapalvelut toimitusjohtaja Timo Kuokka, Nordic Lan & Wan Communication Oy
Timo Kuokka Sovellusriippumattomat tietoturvapalvelut Terveydenhuollon A TK-puivat Pori, 29-30.5.2000 LAN OWAq Paikallinen myynti ja tuki Yksityinen suomalainen yritys Liikevaihto v.1999 n. 67 mill.mk Henkil6kunta n. 50 henkiloa
Miksi? i 'netisth' on tullut kaikenlaisen tiedon defacto tallennus- ja hakupaikka i odotamme aina valitontä tiedon saantia i aina Iisbhntyvässä munn sekh tybmme ett8 henkilökohtainen tomintamrne tapahtuu Iiikkeella ollessamme ' work is no longer a place ' LAN BWAq Sovellukset i hdliro i u'4cpmu i & ~ ~ o i a n h h ~ n ~ m ' i digirdnenhvantamkn i wmqlal~~iut i sähki cliciivimr-sdh i puhelimuucnkcn irile#nim. - VolP i ~ n d l virr~adimlo: ~ u i videmmiiu*ru i ERP i panhkirovd&*<d ymym LANBWAL
Sovellukset verkottuvat Uudd - i n t e kdytdl.. ~ ~ uudet sowllwfra Hajouttwk&ydiBe Vonhonh&d kdytbn, lvetoblnan wkd iictokamjen hajuarkseue Tehoh IP-vrrkko ehhton voaiinus QoS- iotpekio riippuen AWioiGE -iierowrkko Tietoturva i palomuurit i solw i wrkkoioiaeet i vi~orjunto i hybkkdysten io@mia i kdy116jienarnnisius i luikemidopiwiut LDAP, X500 i wnnennejä&%ieimäi i iidoln>an voiwnio jo haitinto i rieroarrvakorioinikrd jo mill<urkrei i inha.&rdnieniei LAN &WAh
PKVAutenticatwn i PKl's described i What do you need? i How do you do it? LAN &WA)\ -**, The PKI Promise Pol' enabled -ublic Infrastru Client LAN&WAh
Certifation Authorities Provide: Key Genemtion CeMcnte Genedon Certifiwte Issuance and distrlbution Revocation system Key beckup and recwey s)ntem Crosacertiflcation LANBWA? Directories Provide: Cetiicate reposltoy slores users and au!horities awtficates. It is used by PKI epplications to rehieve awticates fw verification and elso for encryptim of message to 0 th users Ceruficate revocation lists CA signed lisls of mtiicates that have been revoked and this rendered musable LANBWAh PH In formation Servers Provide: m Certificate Status infomation Quick and lighhveight online status checking l0r mrtifcates (OCSP). Validation sewices Provide atntralised validatim of mrtificates upon dient request(0cvp) Policy lnformation Provide a Central repositay for security policies to be used PKI applications. LANB WA?
But... A PKi can not be fuliy malised with Just Certifidon Authorities and Dimtoriea To rnake we of a PKI we need......... PKlenabled Clie PKVA utentication i PKl's described i What do you need? i How do you do lt? LAN&WA$ What do you need? m PKI enabling an application can occur at different levels depending on your requirernents. m It is vital to analyse your security requirernents and then decide at what level PKI needs to sit within your organisation. i PKI can be as searnless or as integrated as you want. Ideally it rnust be sirnple to use and as unobtrusive as possible. LAN&WA$
PKi Leveis Inurasing cm.* I ian&waq PKI Leveis - Virtual Private Network At thls Ievd ippllc.tlons mm obllvious to thm underiylng sbcurlty. i Whatdoywget? r Complete mmdeniiality of Vie daa on your nehvwk over pubiii netwoiks r Instant wrii ihat works with existing applicatiins What don't YOU get 7 r Non repudiation oi me appiiims and usen in ywr organisation. So yw can't pmve who has d m what. r User io User mnfidentiality and authenl PKI Leveis - Secure Socket Layer At this Iwel your rppllutiona need to be modiiied silghtiy to ura tha ncum socket Iayer. SSL slb dlmtly on top 01 tha nonnrl socket Iayer, along wlth some rddltlonal mmgcmmt ulls. i Whatdoyougei? r Point to Point Wentiality cf the data be(ween your appication md!be remoie SSL enabled application. r Simple Smer side ahmtication. In ihis made your appliwtion does nd require a uiröficate. It dlws you to build en application Vie( can be sure!be remde SSL indeed who it daims to be. r Advanced Client side auuienticatim IANSWAt,
PKI LeveLs - SSL (cont) m Wiutdoyougei? + Admced UiTt side auiknkaöm. In Itls cam yw will have to owin a cartmca(e fiw y w applicaiion &Wll look ai thia later). Ttis now mms thai both sibes oi Um SSL a*nediai burteghomer. WiutdOn'tyo~p.1? 'm bswan (he u-. Tmsacöons can't be x n g ssl ss me -iy is m a data pdet ava am is banslent - i.e.. Ii Issls mly fiw Um duralim oi Um msrion The airrent FRE4 i-ms opsrate m Itls f8shimq pwiding apphcatim ia applicatim secuiiiy LANaWAh, PKI LeveLs - Application Layer For th. ultlmaie ln wcurky fiexlbiliiy you'll need to PKI enible yair applicatlon itielf. Thla Mll allow u.er to user confidentidlty. auihentiution and non-rspudiation. m Whatdoyoupat? user to user wnfidentialiiy. authentication md nonrepudlatiin. What don't y w get? Application independent seairiiy. You'll have to changeldesign yow applwtims with PKI in rnind. LAN 8 WAq PKI LeveLs - Application Layer(cont) To PKI mable yourapplluiion you'll haw ia eonslder wvcnl amas : + PKI Cornmunications - how will yw mmunicate toum valws PKI auihotities - primarily me CA. + Key Management - h w will you store yw private keys and rheve hrn? Mat happens when ihay expre? + Access to ceröhcetes - h w will you rebieve olher users cerwicates and authotiiy cemcates so you cm ventyl~ncrypt rnesseges and aiw veriiy certit~cates? + Cemcate Status - how will you check me s wimin me PKI? So how do you do it LANBWAb,
PIWAutenticatwn % i PKl's described i What do you need? i How do you do it? LAN 6WAq Generate Keys To genwate keym you have fint to doclde whsther you want soffware storage or hardmre aiorage of the keysya Software Storage Generate ywr keys wim a Wkii and men ROre Mm in a PSE (Pemal Seans Enmmnmnt). A PSE can take reveral foms. m m pmplialay. PKCCX15 is a pmposed standard here. PKCS12 is oiien mislakanly used es a PSE. II is only a iransport medium ior keys. noihing eka. Nola ihal you can akap ROre me PSE on hatdware bken. such as a smartcsrd. bul M pivaia kay will akap have b be extraded b Iha compu(ar8 memoy when requirad....
Generate Keys (cont) i Harbinn Shge (and neneration) Gmemle,your k~ya on e hardwra W<m. In this cam h primiw i;syis~lb~onhhardwntolrsnmdnmleivgilthis pnwb h p<ini(i kq M appaa- th the mmphr msin manory a dtiws. The hardwrm, pr(ams th ~l'yp<ognphy (a h appliion. The m m inlorfam to hardwrm, (olwu is PKCSII 1. You ml1 daloolymghmmtopkcshia~hpkcsh1 m~(nae~itisqubeisrgeapiandmgcnienilmbe mall sriboel i8 mquimd). onca thlr step 11 compiate you'ii have a PSE or hardmm tokan (both FlNlplss phnn pmbctad) In whkh tha priv.t. imys am kld. me unr 11 mponrlbie fw tha 1tongn d than. LAN BWAh urndw hms dllnrlng wy d cornrnunicaiing wiih thalr CAa. Howewr klp i1 at hind. ThWO in curiantiy 2 Iarge InMatives to standardise CAlendurar comrnunic.tim1. CMP (PKIX based protocol) + CMC (PKCS#IO and PKCW? based protocol) i Co rrhlch ahwld yw ura h n yw wac4 to submll a nqwst to a CA - curiantiy than's bom Wlll b. nqulrsd by choora tha pmiocol tha pdocol siack sektion. Get Certiped (conl) i bihaiaver protocol is chosen the appl'kation developer should no1 be tempted into using a pmprietary pmtaol. This will inevitably lead to inmmpatibiliiy with other CAs. 00th thase pmtaols suppoti an automated response rnechanism and a polled response rnechanism, allowing Vie application to decide on a synchmnous or asynchronws rnode of operation. The protocols iypically operate sockevhitp based transpats. This will mojt likely be to favoured mechani acceptam of the internel. LAN BWAq
Get Other Certijixates Ome cuuiied md yai have yair CA signed ceitliiutss yai n In l podiion to Intemt wiihin UIO PKI. To vdfy othn iaen -gddih yaill n d thdr cetiifiutes ~d mdr CA c m c w DW~- to YOU ga m-e 7. The maa wideiy used mechanim fw cartiite ni(riwal is Me X500 diredory via Me LDAP pmtocd. You WUM abo keep ywr own local cabie oi caruficaies in a However for wide usage yan appl support as an opiion. LANBWAI) VerijjYCheck Sta!us When you nbieve l cetiificate back horn a npoaiiory then ue a nurnber d step you shouid pott~nn bsfore using tha cetiificate to verlfy d.11. i Check the vaiidiiy perlod d the cetiificaie. Vertly the cmcae itsen. Thi can be quite a mmplex task depanding on the Nudun of me PKI yai an operating under. 1) mtsmimi a pam to a bustad amionty (bust points can be umful) 2) V W each link in Vie pam (mis also me rebieving all the c ~ d eand r checking LANBWAI) Veri>/Check Status (cont.) Once the cetiificate ha verlfied detennine its status. i Detennining shtus cumniiy hiu 2 appmaches 1) CRLs. The- an CA signed Iiris is n-d cefiiiicates. CRLs may be pailitioned m overmme rizing pmblemr. The cefiiiicele beiiwill indicate what fom me CRLstaker. 2) OCSP. This is an online -Mm that allom Uw application Io query me Nibis of a mrihiuite(s). II ove-s Uw sizing and bmdiness pmblem asswatsd CRLs Once the certiiicate is then ta used to veriiy user. LANaWAI)
DEBecure Data i Dapmding on how the data waslir 10 be seaired this may oniy involve verifyinglsigiinp Vie data. Ii may alro require decryptibnaypting the de(e. i How is wenaypmi data padmged 7 Again ihim is an area oi m e discussion. il could be dme in a pmpwbyfashii, bui this meana lhd Iho eppiiii m't mmunicate wim faeiin apphcation. mis may nd be a raquiranenl howeva. i Thereareamberáfam~metosnbe~lhdarewell undemlood and widely eceaped. Tha main on, is PKCW7. ihis is lhn basis fa lhn SSIMIME and il ellom for lhn signing and aiayption oi afbilrary daie fa DEBecure Data (cont) iho cryptognphlc iunctlonillty mcplrmd by i FUI enibisd ippllcition ahould bw kepi ia aimpb is possibis. r You'll nwd io bw abi. iu vsrity wfbiiwteerliipkcsi7 marsages. is nwll as CMP ind CMC messagss. r You'll nwd io be.ms io sign PKCWMlO CMPICMP marsages. r You'll nwd b be ebh io pfionn kepnlwrapping and also symnebic swdeaypiion of date. ~ o d sxlat m mit prcv~d. this functioniilty it i hlph IWOI, mmovlng iha m d ior iha ippllcaiion dmlopo &tali diha canpbx ASN.1 sbuciums. LAN B WAt, Check Key Status Bdom ualnp your ptivib keys y w ahodd check that thy hiw no( sxplmd. You u n bll this imm iha comspaiding camrcitu. UWmy hiw sxplmd ihan you'll necd to gaienb MW hys ind ston ofih dd oms in your PSE (to illow d.crypiim d dd mssiga). s When should you chinpe ywr ksys 7 - Msn hy'vs post (or reaching hir sxpiry date).. If your keys havs been compromised. Somme has gained amss m your private ksys. In hi. cama pu rril mnt to iaid a revoata mvnt io your CA uyig m of he mabned pevbu*. LANSWAt,
Check Key Status (conl) HMchluysshwIdluu?. mm using pii privas keyr io rign dam yw M usa he curnni nlid p- heya (tut ir markd iwadi@nl rignihini'. Rwi Kay emniion h he fmlnida inämier ihir. W p i hm cdy1bypairwdnousmqenipecjn.dihenpi hava cdy 1 choigl ~usingpuprivaskeytoderypldatepi haildusaihepiuatekeyhpirhistoncalusilhei MWei he dam dhe dib. ianswai) In Conclusion Them am a fm point to mmember when PKI enobllng an appllcaiion. i Use standard protocds whem posdble CMPICMC. PKCWlOnnMlZml. LDAP, OCSP) UM me ~ p ii - o ~ n t~~~wcrls. y. Check nlidi penods - Be lolamie dunknown.non-aitic~l eaienrionr Many well knom applicalions hava urnweded behawwr when lhey enmunier wdl an extenrion. KEEP IT SIMPL LANSWAi) HST - henkilön sähköinen tunnistaminen OrganiraatioiUa on hyvin eriiabk mah'tnuksia. Suojaitu päbsy et& käyiiiijiile. intemet käyiiiijille sekä veikon sisäisille käyiiiijille. - Tode~uS vaaditaan Minisille sovelluksille kaikiiia kiiyiiäjillä. - Palvelujen 1 laitteiden tunnistus Infnmnichin LANSWAt,
Perinteiset ri tavat eivät toimi "on-line" maailmassa h-. -1 @& Frarnewatk Credii Card Sinetures Currency Identification 1 A new economy colls for a new conmerce fr-rk LAN &WA$ Ratkaisuksi on tullut PKI -järjestelmät iri9 1& - - m.wi w w *CLi 1I). r i b n - M *.3pmmc.mm..uuikp..<iail""&.WalMFly pmw p.*w pnar -M-m= -wm.mddie'%@.dy.lhlelo-.ibkd..madmn d- npd*a ~==d==e asu- w- dnr LAN B WAr\ Digitaalinen passi Vanennepalvelun rnyöntarna Sisaltaa henkilotiedd liitetiyna kayltajan julkiseen avairneen Sisältää paattymisajan ja yksilöllisen nurnerosa jan Vamnennepalvelun alleki joittarna (CA)
Internet ostokset i Suojattu ahköposti i Suojattu web(rnrn. pankkipalvelut 'kwmutetut' sovellukset potilastietojen hallinta ja käyttö) VPN - verkot uudet sovellukset Koskemattomuus