Microsoft Windows Server 2003 PKI and Deploying...

This paper discusses the benefits that are unique to deploying the integrated solution of the

Windows Server 2003 PKI and the nCipher hardware security modules (HSM). This includes

the essential concepts and technologies used to deploy a PKI and the best practice security

and life cycle key management features provided by nCipher HSMs.

Microsoft Windows Server 2003 PKI and Deploying nCipherHardware Security Modules

WH

ITE

PAPE

R

Microsoft Windows Server 2003 PKI and Deploying nCipher Hardware Security Modules

Contents

Introduction 1

PKI – A Crucial Component to Securing e-commerce 1

Microsoft Windows Server 2003 1

nCipher Hardware Security Model 1

Best Practice Security – nCipher HSMs with Windows Server 2003 PKI 2

Overview 2

Hardware vs. Software 2

Statutory and Regulatory Requirements 2

Windows Server 2003 PKI 4

Overview 4

Windows Server 2003 PKI Components 4

Certificate Services 4

Active Directory 5

Hardware Security Modules 6

How Hardware Security Modules Integrate with Microsoft Windows Server 2003 7

CryptoAP 7

CAPICOM 8

.Net Framework Cryptography 8

Hardware Cryptographic Service Provider (CSP) 8

nCipher Hardware Security Module 9

Overview 9

nCipher Security World – A Key Management Framework 9

Security World Key Management Concepts 10

Key Access and Storage 11

Key Life Cycle Management Features 13

The Synergy: Windows Server 2003 PKI and nCipher HSMs 15

Glossary 18

Further Reading and Related Links 19


Introduction

The modern corporation is using web based infrastructures in many ways to conduct busi-ness across the enterprise and around the globe. Whether it is with customers, partners oremployees, the Internet provides instant access and global reach at a fraction of the costof traditional channels. However, doing business via the Internet presents unique securitychallenges such as ensuring privacy, confirming identity, managing authorization andlegitimizing business transactions. To address these issues, governments have enacted far-reaching privacy legislation and industries are mandating a growing list of new securityrequirements. Increasingly, there is a need for web based solutions that provide instantglobal access, yet also provide security and privacy in a cost effective manner.

PKI – A Crucial Component to Securing e-commerceA Public Key Infrastructure (PKI) is an integral component of most web based business environments. A PKI provides the foundation for authenticating users by issuing each user with a unique credential – a digital certificate. This is used to identify a user on applications such as emails, web servers, singlesign-on applications and databases. However, while PKI is recognized for its security features, it hastraditionally been seen as complicated and expensive to deploy. Often organizations were reluctant todeploy a PKI due to concerns about cost and management. This has changed with the advent of theMicrosoft Windows PKI solutions.

Microsoft Windows Server 2003Windows Server 2003 PKI solution combines easy to install security functionality with a reduced totalcost of ownership (TCO). As with the Microsoft Windows 2000 Server, the Microsoft Windows Server2003 PKI is included with the operating system (OS) at no additional charge. It has all the PKI compo-nents, such as a Certificate Authority (CA), Active Directory (AD) and Cryptographic Service Providers(CSP), to enable the deployment of enterprise wide PKI solutions. New PKI features added to WindowsServer 2003 include improved integration between the Microsoft PKI applications included with the OS.

nCipher Hardware Security Modules (HSMs)Using the nCipher nShield or netHSM Hardware Security Modules (HSMs) to secure the private keys ofthe Microsoft Windows Server 2003 CA adds many benefits to a Windows Server 2003 PKI installation:secure key generation; hardware key protection and key life cycle management; the ability to map userkey security policy to the HSM; and improved performance for high volume CAs. The combination of thenCipher HSM with Microsoft Windows Server 2003 PKI meets or exceeds the best practice securityrequirements set forth by numerous legal and regulatory requirements.

This white paper provides a unique overview of the Windows Server 2003 PKI and the nCiphernShield/netH/netHSM integrated solution, and is complemented by two recommended papers: (1) the Microsoft white paper, Best Practices for Implementing a Microsoft Windows Server 2003 PublicKey Infrastructure (http://technet2.microsoft.com/WindowsServer/en/library/091cda67-79ec-481d-8a96-03e0be7374ed1033.mspx?mfr=true); (2) the nCipher Application Guide (how to install annCipher module), Microsoft Certificate Services and nCipher Modules (http://active.ncipher.com/integrationguides/Microsoft/Microsoft_CA_Windows_2003.pdf).

1

URL=http://active.ncipher.com/integrationguides/Microsoft/Microsoft_CA_Windows_2003.pdf

URL=http://active.ncipher.com/integrationguides/Microsoft/Microsoft_CA_Windows_2003.pdf

http://technet2.microsoft.com/WindowsServer/en/library/091cda67-79ec-481d-8a96-03e0be7374ed1033.mspx?mfr=true


OverviewBest practice security in an e-business environment is a combination of hardware, soft-ware policies, practices and procedures. Each is a building block to a secure web basedenvironment. As highlighted in this white paper, cryptography and the secure administra-tion and distribution of the cryptographic keys is a critical component of “best practice”security – so important, that laws and industry standards have been created specifically to address the need to secure cryptographic keys. This section identifies the best practicestandards, laws and specific industry requirements.

Hardware vs. SoftwareIt is well understood that with software-based cryptography, all the cryptographic components on thehost are vulnerable to attack, where they are susceptible to duplication, modification or substitution.Hardware based cryptography protects the private keys by only ever exposing them as plain text withinthe secure confines of a tamper-resistant HSM. By using a FIPS-140-2 Level 3 validated module, userscan be assured cryptographic keys are protected from misuse. The nCipher HSMs take this securityconcept further:

• Security and Flexibility: nCipher HSMs, nShield and netHSM, combine FIPS 140-2 Level 3 validatedkey management hardware and software to manage the cryptographic keys. The solution allows an organization to take advantage of best practice security and scalability within a unified system.

• Split Key Management Responsibility: nCipher’s Security World, discussed later in this paper, allowsfor physically splitting key management responsibilities. Split responsibility is a widely acceptedcontrol within most security policies. Through its multi-party “k-of-n” control functionality, importantkey functions, procedures or operation can mandate that more than one person is required to performthese tasks.

• Remote Key Management: The nCipher Remote Operator feature provides users with the ability topresent their operator credentials to a single nCipher HSM and authorize key usage at any number ofremote or unattended modules. This allows users to manage their modules in remote locationswithout delegating authority that could result in a compromise of the security of the overall solution.

Statutory and Regulatory RequirementsInformation security is not driven solely by risk management issues, i.e. the need to protect sensitivedata. It has also become a business issue because laws and industry regulations are providing substan-tial penalties associated with compromised user information. Failing to keep sensitive informationsecure can lead to expensive lawsuits, and perhaps more importantly, it can place companies in violationof high profile legislation. Governments around the world now require organizations to establish strongpolicies, adopt best practices and take legal responsibility for keeping personal data safe or face poten-tially hefty fines. The following laws have been enacted which require private information to be secured:

• COPPA – U.S. Children Online Privacy Protection Act

• E-SIGN - U.S. Electronic Signatures in Global and National Commerce

• GISRA – U.S. Government Information Security Reform Act

• GLBA – U.S. Gramm-Leach-Bliley Act

• HIPAA – U.S. Health Insurance Portability and Accountability Act

• California State Bill SB 1386

• EU Data Privacy

• EU Electronic Signature

2


Best Practice Security – nCipher HSMs with Windows Server 2003 PKI



While legislation has forced companies to be proactive about security and privacy, industry standardshave been providing vital best practice benchmarks for years.

Many of these standards have expanded beyond their original sector-focused origins to become de factostandards for industry as a whole, they also serve as the foundation for standards in other countries.Some standards are providing vital guidelines in areas where none previously existed. Many others arecurrently in development by organizations such as the Center for Internet Security and the NationalInstitute of Standards and Technology. In every case, leveraging these highly specific standards can helpcompanies in their mission to comply with legislation lacking implementation specifications. At thesame time, adopting industry standards is essential to establishing prudent best practices and in turn,protecting against lawsuits. The following industry standards require private information to be secured:

• Verified by Visa

• Mastercard SecureCode

• Payment Card Industry (PCI) Data Security Standard

• Europay-MasterCard-Visa (EMV) global smart card standard

• Identrus

• ISO 17799, Code of practice for information security management

• U.S. FDA 21 CFR Part 11, Electronic Records; Electronic Signatures

• ISO 11568, Banking – Key Management (Retail)

• ISO 15782, Banking – Certificate Management

• AICPA.CICA, Web Trust Program for Certificate Authorities 7

• American National Standards Institute X9.57, Public Key Cryptography for the Financial ServicesIndustry: Certificate Management

• American National Standards Institute X9.79, Public Key Infrastructure (PKI) Practices and PolicyFramework

3

4


OverviewWindows Server 2003 provides the complete infrastructure for an enterprise wanting todeploy a PKI. The Microsoft PKI is scalable and customizable, readily able to support boththe smallest and the largest of PKI deployments. It is easy to install and administer, andthe infrastructure is provided as part of the operating system. Unlike other competing PKIproducts, and regardless of the PKI deployment size, there is no charge per certificate.

The Windows Server 2003 PKI offering is the first Microsoft PKI to be part of theMicrosoft Trustworthy Computing initiative. The .NET security framework permits organizations to extend the use of their PKI through digital signing of the applicationcode to ensure application integrity.

Windows Server 2003 PKI ComponentsThe Windows Server 2003 PKI components build upon and enhance the functionality already available in Windows 2000 PKI. The primary components of the Windows Server 2003 PKI are the CertificateServices and Active Directory, which are more closely integrated in Windows Server 2003. Presentedbelow are the key features of the Certificate Services and Active Directory and a summary of some ofthe newer PKI related functionality found in these components.

Certificate ServicesThe Certificate Services application permits an organization to set up its own certificate authority (CA).They can issue and manage certificates to represent their user identities. Certificate Services provide allthe functionality expected of a major CA including validating users, issuing digital certificates to users,securing the private key used to create these certificates and support for hardware security modules.

What’s new in Certificate Services for Windows Server 2003:

• Cross certification: Windows Server 2003, Certificate Services, has demonstrated full compliance withthe U.S. Federal Bridge Certificate Authority (FBCA) requirements. The FBCA is a nonhierarchical PKIarchitecture that permits heterogeneous PKIs from different U.S. government agencies to be cross-certified and interoperate seamlessly. Thus, creating a certificate trust path between the participatingdomains.

• More flexible certificate templates: Windows Server 2003 supports both the Windows 2000 version 1templates and the new version 2 templates. The new Certificate Templates Microsoft ManagementConsole (MMC) snap-in permits administrators to:

- Edit template properties (e.g. key size, renewal period…).

- Permit autoenrollment and autorenewal for both users and machines.

- Set access control on certificate templates to determine which users or machines can enrollfor certificates.

- Require specific Cryptographic Service Provider (CSP) usage and key sizes.

• Certificate autoenrollment: The administrator can specify the types of certificate a user or machinecan automatically receive on logon. Then, if the access controls permit, a Windows XP or WindowsServer 2003 client can access the templates in the Active Directory and enroll for the respectivecertificates.

Windows Server 2003 PKI

• Autorenewal: Administrators can now use the new templates to permit the autorenewal of a user ormachine certificate. This removes the administrative overhead of managing certificate expiration, asusers can automatically receive the new certificate.

• Role-based administration: For the first time, it is possible to enforce separation of the many administrative roles for the CA and OS among different users. Thus, no single user can compromise the entire CA.

• Key counting: The CA supports key counting, where the CSP maintains a count of each use of thesigning key. This provides additional audit information that can be used to track private key usage.

• Key Archival: The CA now has the ability to archive the keys that are associated with the certificates it issues. These keys may be recovered by using the new key recovery agent certificate.

• Delta Certificate Revocation Lists (CRL): The CA can provide delta CRLs in compliance with IETF RFC2459. This reduces the CRL network traffic as complete replication of the full CRL data base is notrequired for a small number of certificate revocations.

• Event auditing: Most events that occur on the CA can be audited, providing a useful logging andmonitoring function e.g. the tracking of role changes, key recovery, certificate issuance and revocation.

Active DirectoryActive Directory is the (LDAP based) directory service for the Windows Server family of operatingsystems. Active Directory stores information about objects on the network, and makes this informationsimple for administrators, users and services to find and use. Active Directory uses a structured datastore as the basis for a logical, hierarchical organization of directory information. It is a core componentin any Certificate Services CA deployment, providing an X.509 certificate store and authentication/iden-tity related information for users and services, including certificate templates.

What’s new in Active Directory for PKI:

• CRL fault tolerance: The Active Directory forest provides for the distribution of CRLs and delta CRLsthroughout the forest.

• Secure storage of X.509 certificates: The new Active Directory credential manager provides a securestore of user X.509 certificates. The credential management in Windows XP has three components:credential prompting UI; stored user names and passwords; and a keyring. Together, these componentscreate a single-sign-on solution.

• Enhanced client cross-certification: This feature is enhanced by enabling the capability for depart-ment-level and global-level cross certifications. More information is available in the Microsoft paperPlanning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03qswp.mspx)

5


http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03qswp.mspx


6


Hardware Security Modules, or HSMs, provide highly secure operational key management. nCipher HSMsare FIPS 140-2 level 3 validated and are available in multiple form factors.

nShield: PCI form factor physically connected to a server at the device level.

netHSM: appliance based HSM that communicates with servers over Ethernet.

The function of an HSM is to provide highly secure operational key management, this includes:

• Hardware based cryptographic operations, such as random number generation, key generation, digitalsignatures and encryption

• Hardware key protection and management, with centralized key backup/recovery

• Multi-layered authentication capabilities (e.g., “k of n” access) when performing security administra-tion and operational key management

• Acceleration of cryptographic operations, relieving the host server of highly processor intensive cryptographic calculations used in Secure Sockets Layer (SSL) and other protocols

• Load balancing and fail-over of operations in hardware modules through the use of multiple HSMmodules linked together

• FIPS 140-2 Level 3 certification

From an application standpoint, the interface to the HSM is through the Microsoft CryptoAPI interface.

Hardware Security Modules


CryptoAPIThe Microsoft® Cryptographic API (CryptoAPI) provides services that enable application developers toadd cryptography and certificate management functionality to their Win32® applications. Applicationscan use the functions in CryptoAPI without knowing anything about the underlying implementation, inmuch the same way that an application can use a graphics library without knowing anything about theparticular graphics hardware configuration.

The Microsoft CryptoAPI provides a set of functions that allow applications to encrypt or digitally signdata in a flexible manner. All cryptographic operations are performed by independent modules known asa cryptographic service provider (CSP). A number of software CSPs, including the Microsoft RSAproviders and DSA/DH providers, are bundled with the operating system.

CryptoAPI supports many different types of CSP. Some provide different cryptographic algorithm suiteswhile others contain hardware interface components such as smart cards and hardware security modules.Figure 1 illustrates the CryptoAPI support for CSPs.

CryptoAPI Framework with HSM

How Hardware Security Modules Integrate with Microsoft Windows Server 2003

Application .Net Framework

Secure Channel (SSL/TLS)

Core Algorithms (CryptoAPI 2.0)


CertificateDatabase

RSA BaseCSP

nCipher HSMCSP

Smart CardCSP

FortezzaCSP

KeyDatabase

nCiphernShield HSM

Figure 1. An Overview of the Cryptographic Service Provider (CSP) framework, including the nShield.

7

8


CAPICOMThe CryptoAPI interface can also be accessed through a method called CAPICOM which is built onCryptoAPI. CAPICOM is a COM client wrapper. CAPICOM can be used in applications created in manyprogramming languages including Microsoft Visual Basic, C# and C++ to perform fundamental crypto-graphic tasks. A Visual Basic application for instance, can use CAPICOM objects to digitally sign data,verify digital data signatures, encrypt and decrypt arbitrary data.

For additional information regarding the CryptoAPI programming model or CAPICOM, refer to theMicrosoft Developer Network (MSDN) at (http://msdn.microsoft.com).

.Net Framework CryptographyThe .Net Framework cryptography model provides a cryptographic model that supports many standardalgorithms in the .Net managed code. This model relies on the CryptoAPI 1.0 to implement the variousalgorithms. Figure 1 illustrates the .Net Framework relationship with respect to the CryptoAPI.

Additional information about the .Net Framework cryptography model can be found at the MicrosoftDeveloper Network (MSDN) at (http://msdn.microsoft.com).

Hardware Cryptographic Service Provider (CSP)Hardware based CSPs are used to provide enhanced performance by offloading cryptographic operationsfrom host processors to specialized hardware. For the Microsoft Certificate Services, a hardware basedCSP also provides a higher level of assurance for the storage of private keys. Protecting private keys inspecialized tamper-resistant hardware greatly increases their security as well as the overall security ofthe CA and the certificates it signs. It is a best practice to protect CA key material using hardware CSPslike the nCipher nShield or netHSM.

The nCipher HSMs from nCipher provide both FIPS 140-2 level 2 and level 3 compliant solutions. Foradditional information on FIPS 140-2, please visit the National Institute of Standards and Technologyweb site, http://csrc.nist.gov/cryptval/140-2.htm. This includes the nCipher NIST approved evaluations.


OverviewThe nCipher HSM is cryptographically signed by Microsoft for use on Windows 2003. The HSM provides hardware key storage and transactional acceleration, tamper-resistantphysical hardening and full key management functionality. This makes the nCipher familyof HSMs ideally suited for use with certificate authorities and other PKI applications thatuse the Microsoft CryptoAPI.

The nCipher nShield and netHSM products are certified to Level 3 of U.S. FederalInformation Processing Standards (FIPS), FIPS 140-2. This widely recognized security vali-dation is an important factor in establishing the overall system security of a customer’sPKI deployment. FIPS 140-2 certification is especially relevant in federal government andfinancial markets, where security policies frequently mandate FIPS certified products.

In addition, the nCipher HSMs provide cryptographic acceleration by offloading the RSAsignature operations from the host CPU to the HSM. Thus, the CPU resources of the hostserver become available to perform other application processing. The nCipher nShield andnetHSM are capable of sustaining over 4000 1024-bit RSA key signings per second.

A unique feature of the nCipher family of HSMs is that they securely store keys on theserver hard disk. Other solutions that store keys exclusively within the physical confinesof the HSM, limit the number of keys that can be used by the HSM and complicate bothback-up and disaster recovery activities, and the sharing of these keys with other HSMs.nCipher addresses these issues by storing private keys in an encrypted form using dedi-cated 3DES wrapping keys (key blobs) on the host server to deliver best practice securityand maximize key management flexibility. This key management functionality is part ofthe nCipher Security World key management framework.

nCipher Security World – A Key Management FrameworkThe nCipher Security World is a framework which maps security policies onto a flexible hardware-basedsecurity infrastructure. With nCipher’s Security World, organizations can separate administrative andoperational roles. It permits application keys that are securely stored as key blobs on the host to be easilyshared between modules, backed up and recovered, and ensures that they can only be used within theconfines of the tamper-resistant HSM. This security architecture easily scales to accommodate a growingPKI infrastructure; at any time additional modules can be added to an existing nCipher Security World.

The nCipher Security World framework consists of the following components:

• One or more nShield or netHSM HSMs

• Smart cards for the administrative and operational roles

• Management software to install and manage the HSM(s) and cryptographic keys

• Host server that stores nCipher-specific management information

nCipher Hardware Security Module

9

10


Security World Key Management ConceptsThe nCipher Security World differentiates between functions carried out for administrative purposes (e.g.adding a new hardware module, disaster recovery or backup and restoration) and functions for opera-tional usage (e.g. key generation, key loading etc). The role separation is enforced by the use of differentsets of smart cards; an Administrator Card Set (ACS) for administrative functions and multiple OperatorCard Sets (OCS) for operational functions. These sets are not interchangeable.

The nCipher Security World model combines role separation with flexible access control management forindividual roles. This paradigm is closely aligned with the extensive role separation capabilities introducedwith Windows Server 2003 PKI, where it is possible to enforce that each CA function is managed by adifferent user according to their organizational duties, e.g. different users can be specified for archival,recovery, backup etc. For more information on the CA separation of roles, refer to the Microsoft whitepaper, Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure.(<http://technet2.microsoft.com/WindowsServer/en/library/091cda67-79ec-481d-8a96-03e0be7374ed1033.mspx?mfr=true>)

nCipher Security World Components


nCipher HSMCSP

RSA BaseCSP

Smart CardCSP

FortezzaCSP

nCipher nCore Library calls

nCipherAPI Calls – Base Cmds

nCipher (SW) Hard Server

nCipher nShield SCSI HW Security Module Smart Card(s) + Passphrase(s)

KM data– Encrypted Keys

Ethernet, SCSI or PCI

All the nCipher software components to support the Security World framework are shipped as standardwith the nCipher HSMs.

CryptoAPI Relation to HSM

Figure 2. Microsoft CryptoAPI and its relationship to the nShield and Security World

<http://technet2.microsoft.com/WindowsServer/en/library/091cda67-79ec-481d-8a96-03e0be7374ed1033.mspx?mfr=true>

<http://technet2.microsoft.com/WindowsServer/en/library/091cda67-79ec-481d-8a96-03e0be7374ed1033.mspx?mfr=true>


Note that each card set (ACS and OCS) in the nCipher Security World operates its own “k-of-n”, thresh-old based secret share scheme. For example, an OCS may have been created with an “n” of 5 cards anda “k” of 3, which would require 3 out of the 5 card shares to be presented to the HSM to perform oper-ational duties. Thus, if the quorum is set correctly no one person can have total control of a card set.Each card set may be created to optionally include passphrase authentication for each card in a set.

Typically, for conducting administrative tasks, the ACS will be managed by a team headed by the securityofficer. Whereas the OCS would be controlled by a team of operational staff members responsible formanaging applications that require cryptographic actions such as signing and key generation. Each cardfrom a card set would be managed by a unique individual, and any administrative or operational func-tions can only be executed after the respective quorum of individuals correctly present their smart cards.

Key Access and StorageAn application “key blob” consists of the key material, the key's Access Control List (ACL), and a crypto-graphically strong checksum, all encrypted with a 3DES key. In the case of a Cardset-protected applica-tion key, the 3DES wrapper key used is stored via secret-sharing across the Operator Card set and isknown as a Logical Token. In the case of a module-protected application key, the 3DES key used is theSecurity World Module Key, stored in the HSM’s nonvolatile memory. Figure 3 illustrates a key blob.

Protected key data or fragment encrypted with triple-DES

Access control list: lists keys which can authorise use of the unwrapped key

Wrapper key signs and encrypts protected key as a 'key blob'

Message authentication code (MAC) protects the key blob from tampering

Key 1...Key 2...Key 3...

********

Figure 3. Components of a key blob

Administrator Card Set (ACS) Operator Card Set (OCS)

• Restore a Security World

• Recover keys (if key recovery was enabled)

• Replace the existing ACS

• Delegate FIPS 140-2 level 3 authorization activities

• Passphrase recovery

• Manage key counting

• Authorize use of application key(s)

• Authorize FIPS 140-2 level 3management related activities

11

Table 1. Major Functionality of ACS and OCS

12


The Security World Module Key is itself stored in a blob on the host file system: the key data, ACL andchecksum are encrypted with a 3DES Logical Token stored on the ACS. This allows the AdministratorCard Holders to load the Security World Module Key into additional HSMs.

A Logical Token remains in the HSM and on the smartcards and is never passed to the host even inencrypted form. Additional encryption of the Shares of a Logical Token ensures that the passphrases (ifset) are required to assemble the Shares into the original 3DES key, and in the case of Operator Cards, toensure that the Cardset is used only in HSMs possessing the Security World Module Key.

OCS-protected application keys with Recovery enabled are also stored in a Recovery Blob alongside themain working blob. The Recovery Blob is encrypted using an RSA key pair known as the RecoveryEncryption Key. The private half of the Recovery Encryption Key is again stored as a blob protected by aLogical Token stored on the ACS. This allows the Administrator Card Holders to perform the recoveryfrom lost or unusable Operator Cardsets.

Figure 4 illustrates the process of fetching a key blob from the key store.

PA S S P H R A S E

1. Key blob is stored in encrypted form on the server's hard diskExternalstorage

3. The logical token unwraps the key blob inside the HSM

4. The key and its ACL are decrypted and ready for use within the HSM

2. The module key, a user passphrase and the required tokens or shares are presented together to create a logical token

Logical token

Security perimeter of the nCipher HSM

Physical token or "k of n" share

Module key

Access ControlKey 1...Key 2...Key 3...



Figure 4. Loading a key from storage


Key Life Cycle Management FeaturesThe nCipher Security World allows the key security policy to be mapped to the HSM, thereby providingfor full life-cycle management:

Key Security The private key is always generated inside the HSM, and never leaves the HSM security boundary asplaintext. The Security World securely stores each key as a blob on the host. This permits secure easybackup and recovery of important key data.

Key GenerationWhen generating a key pair, it is necessary to use a random number generator (RNG). A good RNG iscrucial to creating keys that are not easily cracked. The RNG should be hardware based and locatedinside the HSM. An application that uses a software RNG produces only pseudo-random numbers and istherefore inferior to a hardware RNG. The true RNG used for creating a key pair inside the nCiphermodule is based on hardware. The number is derived from the thermal noise of a diode to ensure truerandomness, preventing the random number sequence from being predicted. The RNG conforms to thetests specified in FIPS 140-2.

Shared Management and Role SeparationThe ACS and OCS have clearly defined roles that apply to the specific Security World they were createdwith. At card creation, each card set is specified with its own “k of n” quorum. This means a minimumnumber of “k” cards must be presented before any action can be taken with the module. The nCipherSecurity World permits each card holder to also authenticate themselves with a pass phrase, thuspossession of a card alone is not sufficient as use of the pass phrase and the physical card can bemandated. It is recommended that “k” is always less than “n”, in order to ensure that a card loss orfailure does not prevent a quorum being maintained.

The Ability to Support Key PolicyThe Security World is very flexible, allowing it to be mapped to a variety of key policies. For example apolicy might require: (1) that an application key may persist and continue to be used in the HSM afterremoving the OCS; (2) that key use should be limited to a specific amount of time; (3) that the keybackup and recovery process should conform to existing IT policies for backup.

Secure and Simple Backup of Private KeysThe nCipher Security World stores the key blobs outside of the HSM in a secure manner on the host server.This makes the backup of the keys very simple. For example, a security policy may state that the key storeshould be backed up during the regular backup of the system by the server administrators, which can beaccomplished without ever exposing any secrets because the keys are 3DES encrypted. The backed upprivate keys cannot be used without access to the Security World in which they were created. The numberof keys that can be stored on the host is limited only by the available disk space of the host server.

Secure and Simple Disaster RecoveryRecovering from a failed server or failed HSM is straightforward and secure, and can be easily docu-mented in a security procedure. If both server and HSM failed, the server administrator copies theencrypted key store from the backup media to the replacement server. Once the encrypted key store hasbeen recovered, the HSM administrators must introduce a replacement HSM and reload the old SecurityWorld using their existing ACS, and the Operators must present their OCS before key usage can finallyoccur. Thus, no one individual can subvert the process. Further, if the Security World contains more thanone module on a network, the backup can be copied across the network to all the HSMs; this permitsarchitectural flexibility whilst preserving security and scalability.

13

14


Load BalancingThe nCipher Security World permits the modules to share the cryptographic load, i.e. load balance. As the system load increases, it is easy to add another module to accommodate the extra load. Forexample, any permutation of Ethernet (netHSM), PCI or SCSI HSM may be readily added to an existingHSM infrastructure.

FailoverBy adding more than one module to the system, failover is provided. This means that if one of themodules should fail during operation, the other module(s) will continue operating – a critical feature in a 24x7 enterprise.

Standards ComplianceThe nCipher nShield and netHSM are certified to conform to FIPS 140-2 level 3, the Federal InformationProcessing Standard 140-2 - Security Requirements for Cryptographic Modules. Many users require thishigh level of standards assurance, providing an independent third party security validation of the HSM.

ScalabilityThe nCipher Security World allows keys to be safely shared across a series of HSMs. Hence, a large scalePKI installation, that may be geographically dispersed, can be assembled and consistently managedwithout any compromise in the security. Also, the nCipher Security World can be enlarged at any time to accommodate system growth – it is a simple task to add another module to a server.

The Synergy:Windows Server 2003 PKI and nCipher HSMs

A PKI solution requires strong synergy between the PKI application and a hardware security module. A critical part of this synergy is the ability to cater to both the security requirements and the businessrequirements – this means an infrastructure that has the flexibility and security policies to support thetotal key life cycle.

Key life cycle management relates to the secure administration of cryptographic keys throughout theirentire life cycle. This includes key generation, key distribution, installation, backup, archival, usage andtermination of use. Described in a KPMG best practices white paper, A Key Management and PolicyFramework, (http://www.ncipher.com/uploads/resources/kpmg_wp.pdf) Figure 5.0 demonstrates themajor stages in the life cycle of a key. Full life cycle management is achieved by integrating the properties of the Windows Server 2003 PKI and the nCipher Security World using the nShield or netHSM products.

Referring to Figure 5.0 and Table 1.0, each part of the key life cycle is analyzed with respect to the integrated solution, and illustrates how the nCipher and Microsoft components provide full key life cyclemanagement. Table 1.0 clearly demonstrates the synergy between the Microsoft Windows Server 2003PKI and the nCipher HSM, and how together, the integrated solution meets all the key managementrequirements of the modern enterprise.

It can be seen that for each step in the life cycle, the key is managed either by the Windows Server2003 PKI or the nCipher HSM, or both, providing a clear demonstration of the synergy between thesetwo complementary components of an enterprise PKI deployment.

Key Life Cycle

Figure 5. The complete life cycle of a key. (This diagram was first published in the KPMG whitepaper, A Key

Management and Policy Framework.)

Key (pair)Generation

Key Distribution

Key Backup

Key Installation

CertificateRegistration


CertificateRepository

CertificateUsage

CertificateExpiration

KeyTermination

CertificateRevocation

Key Usage

Key Usage

Restricted Key Use


15

http://www.ncipher.com/uploads/resources/kpmg_wp.pdf

16


Table 2. Key Life Cycle and Application Coverage

Stage in LifeCycle

Responsible componentin the integratedsolution

Comments

KeyGeneration

HSMAt the request of the application, (the CA), the HSM generatesa key pair with the appropriate properties for the application(e.g. key size, OCS protected, passphrase, persistent etc).

KeyDistribution


nCipher HSM

Here the private key is securely sent to the appropriate assignedapplication and any backup devices. For a CA key, this could meancloning the CA so that a duplicate backup system is available inthe event of failure in the first system. This would requireexporting the CA certificate and key blob to the backup system.

Key Backup


nCipher HSM

The private key is backed up to prevent loss from an unexpectedevent such as a disk crash. The nCipher Security World stores allkeys it generates as key blobs on the host disk. The key blobs canthen be backed up using the standard backup policies and rolesavailable with the Windows Server 2003 OS. Thus, the CA root keyblob can be securely and easily backed up applying the standardOS backup procedures to the nCipher key store on the host. Keybackup may occur in parallel to key distribution in someapplications. If a key is recovered from the backup store, then itcan be reinstalled at the key installation stage.

KeyInstallation


nCipher HSM

The key is installed in the designated application/device for use. Inthe case of the CA, the key will be generated by the nCipher CSPand secured within the CSP. For a duplicate backup CA system,the key will need to be safely exported and installed on thesecond system. A non-CA example would be a web farm runningMicrosoft IIS6. The certificate and key may need to be installedacross a number of servers. In some application scenarios, keyinstallation may occur in parallel with key distribution.

Key Usage


nCipher HSM

The private key is used for its intended purpose. This requiresboth the HSM and Certificate Services functionality toaccomplish the signing. The CA will receive and validate acertificate signature request (CSR) and the nShield will providethe cryptographic processing.

Key Archival


nCipher HSM

Keys may need to be archived and therefore be available forsome future use. For example, an employee leaves the companyand their documents must be verified or decrypted with their key.

The CA has the ability to encrypt and archive user and machinekeys in it own database, and recover them using a key recoveryagent certificate.

Independently, the nCipher HSM automatically maintains asecure store of all key blobs it creates.


As outlined in Figure 5 and Table 2, there are many stages to the life cycle of a private key used in a PKIapplication. Each stage has its unique business requirements and security needs. A security flaw in anystage in the life cycle of a private key can negatively impact the security of the entire PKI application.The synergy between the nCipher HSM and the Microsoft Windows Server 2003 PKI at each stageprovides best in class security and ease of use for a robust PKI solution.

Stage inLife Cycle

Responsiblecomponent in theintegrated solution

Comments

KeyTermination


In practice, each key will have a finite life time. In a PKIinstallation, the Certificate Services CA administrators willdetermine the life span of a certificate, and thereby the useful lifespan of the respective key. The CA can revoke a certificate beforethe termination date and then distribute the information using adelta CRL. (The HSM does not delete keys in its key store.)

RestrictedKey Usage


Sometimes it is necessary to authorize access to a user’sarchived key (e.g. to allow access to the encrypted files of a former employee and verify their authenticity – see keyarchival). The CA can be set up as a key recovery agent toretrieve and use



nCipher HSM

The CA will receive a CSR and sign a valid request, using theHSM to perform the signing operation.

CertificateDistribution


This is the process of transferring the signed certificate to thecorrect service or device.

CertificateRepository


This stage denotes that the certificate is publicly available. The CA maintains a database of the certificates it has issuedand their status.

CertificateUsage


This step in the life cycle runs concurrently with the key usagestep. The certificate and respective key is available for itsintended purpose.

CertificateExpiration


The CA creates certificates valid for a specific time. When thecertificate expires both the certificate and the associatedprivate key are no longer available for use.

CertificateRevocation


For any number of reasons, a certificate may be revoked beforeits normal expiration time. The CA will issue a delta CRL withthe latest revocations which prevents any future trust in thecertificate.

17

18


Glossary

ACL Access Control List

ACS Administrator Card Set

CA Certificate Authority

CAPICOM Certificate API COM

COM Component Object Model

CSP Cryptographic Service Provider

DSA/DH Digital Signature Authority/Diffie-Hellman

FIPS Federal Information Processing Standard

HSM Hardware Security Module

IETF Internet Engineering Task Force

ISO International Organization for Standardization

netHSM Network connected Hardware Security Module

NIST National Institute of Standards and Technology

OCS Operator Card Set

PCI Peripheral Component Interconnect

PKI Public Key Infrastructure

RFC Request for Comment

RNG Random Number Generator

SCSI Small Computer System Interface

TCO Total Cost of Ownership


Further Reading and Related Links

For more information on Windows 2003 PKI Best Practices, see the Microsoft white paper, Best Practicesfor Implementing a Microsoft Windows Server 2003 Public Key Infrastructure, athttp://technet2.microsoft.com/WindowsServer/en/library/091cda67-79ec-481d-8a96-03e0be7374ed1033.mspx?mfr=true

Information on nCipher HSMs, including nShield and netHSM, can be found athttp://www.ncipher.com/cryptographic_hardware/hardware_security_modules/8/nshield

More information on nCipher’s FIPS 140-2 level 3 validated network connected HSM, netHSM, can befound at http://www.ncipher.com/cryptographic_hardware/hardware_security_modules. This siteincludes the white paper, nCipher netHSM technical overview.

Further information on installing the nCipher nShield in a Microsoft PKI environment can be found inthe nCipher Application Guide, Microsoft Certificate Services and nCipher Modules,http://active.ncipher.com/integrationguides/Microsoft/Microsoft_CA_Windows_2003.pdf

For more information on the nCipher Security World, see the nCipher white paper nCipher SecurityWorld, http://www.ncipher.com/uploads/resources/ncipher_security_world_wp.pdf

A white paper discussing key management policy and framework, refer to the KPMG document KeyManagement Policy and Practice Framework, http://www.ncipher.com/uploads/resources/kpmg_wp.pdf

Further technical information about the Windows Server 2003 Certificate Services can found at theMicrosoft Developer Network (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx).

Further information on Windows Server 2003 autoenrollment can be found at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

For information on Planning and Implementing Cross-Certification and Qualified Subordination UsingWindows Server 2003, see http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03qswp.mspx

A white paper, Implementing and Administering Certificate Templates in Windows Server 2003, can befound at http://technet2.microsoft.com/WindowsServer/en/library/c25f57b0-5459-4c17-bb3f-2f657bd23f781033.mspx?

For a white paper on Key Archival and Management in Windows Server 2003, seehttp://technet2.microsoft.com/WindowsServer/en/library/296f87df-06c3-4e27-89ff-5283cb76fb811033.mspx?mfr=true

A Windows Server 2003 PKI Operations Guide can be found athttp://technet2.microsoft.com/WindowsServer/en/library/e1d5a892-10e1-417c-be13-99d7147989a91033.mspx?mfr=true

An overview of Microsoft’s Active Directory technology in Windows server 2003 can be found athttp://www.microsoft.com/windowsserver2003/technologies/activedirectory/default.mspx

Information on PKI Enhancements in Windows XP Professional and Windows Server 2003 can be foundat http://www.microsoft.com/windowsxp/pro/techinfo/planning/pkiwinxp/default.asp

19

http://www.microsoft.com/windowsxp/pro/techinfo/planning/pkiwinxp/default.asp

http://www.microsoft.com/windowsserver2003/technologies/activedirectory/default.mspx

http://technet2.microsoft.com/WindowsServer/en/library/e1d5a892-10e1-417c-be13-99d7147989a91033.mspx?mfr=true

http://technet2.microsoft.com/WindowsServer/en/library/e1d5a892-10e1-417c-be13-99d7147989a91033.mspx?mfr=true

http://technet2.microsoft.com/WindowsServer/en/library/296f87df-06c3-4e27-89ff-5283cb76fb811033.mspx?mfr=true

http://technet2.microsoft.com/WindowsServer/en/library/296f87df-06c3-4e27-89ff-5283cb76fb811033.mspx?mfr=true

http://technet2.microsoft.com/WindowsServer/en/library/c25f57b0-5459-4c17-bb3f-2f657bd23f781033.mspx?

http://technet2.microsoft.com/WindowsServer/en/library/c25f57b0-5459-4c17-bb3f-2f657bd23f781033.mspx?



http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx




http://www.ncipher.com/uploads/resources/kpmg_wp.pdf

http://www.ncipher.com/uploads/resources/ncipher_security_world_wp.pdf

http://active.ncipher.com/integrationguides/Microsoft/Microsoft_CA_Windows_2003.pdf

http://www.ncipher.com/cryptographic_hardware/hardware_security_modules

http://www.ncipher.com/cryptographic_hardware/hardware_security_modules/8/nshield



20


For additional information regarding the CryptoAPI programming model or CAPICOM, refer to theMicrosoft Developer Network (http://msdn.microsoft.com/).

For the latest information about Microsoft’s .NET framework see http://www.microsoft.com/net/

For a consolidated view of what’s new in Microsoft’s Windows XP / Server 2003 PKI, refer tohttp://www.microsoft.com/windowsxp/pro/techinfo/planning/pkiwinxp/default.asp

Information on FIPS 140-2 can be found at the NIST site http://www.csrc.nist.gov/cryptval/

Information on IETF RFC 2459 and other IETF PKI standards can be found at http://www.ietf.org

http://www.ietf.org

http://www.csrc.nist.gov/cryptval/

http://www.microsoft.com/windowsxp/pro/techinfo/planning/pkiwinxp/default.asp

http://www.microsoft.com/net/

http://msdn.microsoft.com/

Identify. Protect. Comply.

Every effort has been made to ensure the information included in this white paper is true and correct at the time of going to press. However, the products described hereinare subject to continuous development and improvement, and the right is reserved to change their specification at any time. Copyright © 2007 nCipher Corporation Ltd. All rights reserved. Microsoft is a registered trademark of Microsoft Corporation in the United States and other countries.

nCipher Inc.92 Montvale Avenue, Suite 4500Stoneham, MA 02180 USATel: +1 (781) 994 [email protected]

nCipher Corporation Ltd.Jupiter House, Station Rd.Cambridge, CBI 2JD UKTel: +44 (0) 1223 [email protected]

nCipher Corporation Ltd.15th Floor, Cerulean Tower, 26-1 Sakuragaoka-cho, Shibuya-ku,Tokyo 150 8512 JapanTel: +81 3 5456 [email protected]

Visit our Web site at www.ncipher.com

CODE

GO

ES H

ERE

2007

About nCipher, Inc.

nCipher protects critical enter-prise data for many of the world'smost security-conscious organiza-tions. Delivering solutions in thefields of identity management,data protection, enterprise keymanagement and cryptographichardware, nCipher enables busi-nesses to identify who can accessdata, to protect data in transit andat rest, and to comply with thegrowing number of privacy-drivenregulations.

Microsoft Windows Server 2003 PKI and Deploying...

Documents

Transcript of Microsoft Windows Server 2003 PKI and Deploying...