Integrated PKI Solutions
Novell Cool Solutions: AppNote
By Steffen Kohler
Posted: 11 Oct 2006
Integrated PKI solutions for Novell eDirectory:
Novell Certificate Server and cv act PKIntegrated by comparison
This AppNote discusses the need for a Public Key Infrastructure and the advantages of a directory-integrated PKI solution in general and compares the two available solutions integrating with Novell eDirectory in particular: Novell Certificate Server and cv act PKIntegrated.
- Identity Management and PKI Require Each Other
- Overview of PKI
- Novell Certificate Server
- cv act PKIntegrated
With Novell Certificate Server (NCS), Novell offers its own PKI solution specially designed for eDirectory. However, it is only suitable for simple applications (e.g., server certificates), because numerous important functions are lacking. For example, NCS supports neither automated certificate update (renewal) nor an OCSP responder. This is why a more complex PKI system for the Novell environment can pay off, such as the product cv act PKIntegrated from a German manufacturer. This product is integrated smoothly into eDirectory and uses iManager as its administration tool. It provides about the same functionality as the Microsoft CA (Windows 2003) but incurs licence fees. This AppNote provides an overall view of NCS and cv act PKIntegrated, dealing with the most important differences.
The necessity of encryption, authentication and digital signatures in computer networks is obvious. After all, it has been known for years that the Internet is not tap-proof, and that plain digital data offers little in the way of non-repudiation. Security is therefore a central issue whenever public computer networks are to be used for business applications. This is all the more important since laws like the Sarbanes-Oxley Act (USA) and comparable regulations in other countries explicitly stipulate encryption measures. Thus "compliance" (conformity with such laws) is currently an important motive for introducing encryption, authentication and digital signatures.
An essential precondition for the use of these technologies is a public-key infrastructure (PKI). Setting up a PKI is a central security task in many enterprises, particularly where compliance is of importance. However, it does not make much sense to plan for a PKI without ensuring that the senders and recipients of messages have been assigned appropriate identities. This is why a high-capacity PKI should be closely interlocked with the identity management of a company. On the other hand, identity handling makes it necessary to employ encryption, authentication and digital signatures - and thus a PKI. There is interdependence between identity management and PKI, which can be summarized in the slogan: Identity management requires PKI, and PKI requires identity management.
But what is a PKI anyway? A PKI comprises the entirety of hardware, software and organizational rules required for the appropriate use of encryption and related technologies in a larger user group. PKI technology is based on so-called public-key cryptographic procedures. These are modern cryptographic methods which work on the principle that every user receives a public and a private key. The public key is available to everyone and is used for encryption and for the verification of digital signatures. The private key is kept secret and is used for decryption and for the creation of digital signatures. In a PKI, public keys are always handled in certified form, i.e. as digital certificates. For more details on PKI, see [Schmeh01].
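The division of labour between the two keys described above, shown as an added example that is not part of this AppNote and not code from either product. It uses Go's standard library with RSA (the procedure NCS supports); the key size, the user names and the sample message are assumptions made for the example. The recipient's public key encrypts and the recipient's private key decrypts; the sender's private key signs and the sender's public key verifies, and verification fails as soon as the message or the key does not match.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Keypair is one user's key pair: the public half is handed out (in a PKI, inside a
// certificate); the private half never leaves the user. Key size is an assumption.
type Keypair struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// NewKeypair generates a 2048-bit RSA key pair.
func NewKeypair() (*Keypair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Keypair{Private: priv, Public: &priv.PublicKey}, nil
}

// Encrypt is done with the recipient's PUBLIC key (RSA-OAEP, SHA-256); anyone may do it.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// Decrypt needs the recipient's PRIVATE key; any other key yields a decryption error.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Sign hashes the message and signs the digest with the sender's PRIVATE key (RSA-PSS).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify checks a signature with the sender's PUBLIC key. It reports false if the message
// was altered after signing or if the signature was made with a different private key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	alice, _ := NewKeypair()                     // sender
	bob, _ := NewKeypair()                       // recipient
	msg := []byte("constructed sample message") // constructed input
	ct, _ := Encrypt(bob.Public, msg)
	pt, _ := Decrypt(bob.Private, ct)
	sig, _ := Sign(alice.Private, msg)
	fmt.Println("decrypted matches:", bytes.Equal(pt, msg))
	fmt.Println("signature valid:", Verify(alice.Public, msg, sig))
	fmt.Println("tampered message valid:", Verify(alice.Public, []byte("constructed sample message!"), sig))
	fmt.Println("signature checked with bob's key:", Verify(bob.Public, msg, sig))
}
```

The certificate a PKI adds on top of this is what tells Bob that the public key he verifies with really belongs to Alice; the key operations themselves do not change.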
The center of a PKI is always a certification authority (CA). It creates the digital certificates, which can then be retrieved via a directory service. User registration is carried out by a special registration authority (RA); in many enterprises, the RA is operated by the human resources department. But a PKI only makes sense when it is used by one or several applications, the most important of which are e-mail encryption, file encryption and VPNs (virtual private networks).
In the late nineties, PKI was considered to be one of the most important future technologies in the IT area and a very interesting future market. However, raised expectations were followed by many disappointments in the form of cancelled projects and wasted budgets. For the most part, the reasons were high costs and high complexity, while the perceived practical value was small. But after this sense of crisis with PKI failures around the year 2000, a change has taken place within the last two years. The number of successful PKI projects has increased slowly but continuously, and a different approach to the subject played a decisive role. Two aspects are important:
- Instead of the PKI itself, its applications have increasingly moved to the centre of attention. As a result, the PKI has turned into a tool which is adjusted to its particular applications and is financed through them.
- To an increasing degree, PKI systems are integrated into identity management. Thus the PKI changes from an independent infrastructure into a feature of identity management.
In summary, PKI has become much more pragmatic within the last few years.
Novell also believes that PKI must become a feature of Identity Management. Novell therefore offers a PKI solution that is integrated into eDirectory: Novell Certificate Server (NCS), included in the Novell Security Services solution package. NCS provides various CA and RA functions that are invoked via iManager. NCS certificates are not only intended for external applications but are also used within eDirectory for the protection of SSL connections. NCS has the following characteristics:
- It supports the X.509v3 format for digital certificates which is used in all common PKI applications.
- It supports the RSA procedure for the signing of digital certificates.
- Within the scope of X.509v3 it supports different certificate types.
- The registration for the PKI is integrated into eDirectory registration.
In fact, NCS is regarded as a feasible PKI solution and used in many enterprises. But it still lacks numerous functions that are often necessary for the operation of a PKI:
- Certificate update: When the validity of a digital certificate expires (usually after two years), it must be updated (renewed). With NCS this is a complex process, as NCS provides no suitable tool for it. Above all, this is a problem because many certificates often expire at the same time.
- Smartcard support: NCS cannot address smartcards in order to store a private key on the card.
- HSM: Many PKI operators require that the private CA key be stored on a special Hardware Security Module (HSM). This measure increases security and is therefore required by numerous laws and standards. NCS, however, is not equipped with an HSM interface.
- OCSP: The Online Certificate Status Protocol (OCSP) is used to request whether a certain certificate is revoked. Many PKI operators demand the use of the OCSP. However, NCS does not provide an OCSP responder.
- SCEP: The Simple Certificate Enrolment Protocol (SCEP) is used for the connecting of Cisco routers and other hardware to a PKI. NCS does not provide an SCEP responder.
- Algorithms: NCS supports RSA but no other cryptographic procedures. In particular, it does not support procedures based on elliptic curves.
- Decentralized certificate creation: Many PKI operators have the requirement that a key pair must be generated within the environment of the user. This function is not provided by NCS.
- Hierarchy setup: NCS is not suitable for setting up a certificate hierarchy, as the relevant certificate fields are not supported.
- CRL: NCS offers only very restricted handling of certificate revocation lists (CRLs). Because there is also no OCSP interface, the enforcement of certificate revocations is not solved adequately when NCS is used.
- Roaming: NCS does not support key roaming (storing the private key on a server in order to make it accessible from different PCs).
- Auto-enrollment: For workstation certificates, automatic enrollment is practical. NCS does not provide this function.
Figure 1: PKI solution Novell Certificate Server (NCS). It is integrated into eDirectory and operated via iManager.
In view of the multitude of missing functions, NCS is only suitable for small numbers of users or for server certificates. For complex PKIs, another solution should be used. Note that NCS provides a considerably smaller functional scope than the Windows 2003 CA by Microsoft (which is integrated into Active Directory).
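Several of the functions discussed above (certificate expiry and renewal, hierarchy setup with the relevant certificate fields, revocation lists, elliptic-curve keys) can be seen in miniature in the following added example. It is not part of this AppNote and is not code from NCS or cv act PKIntegrated; it uses only Go's standard crypto/x509 package, and the CA names, serial numbers, lifetimes and dates are constructed for the example. A two-tier hierarchy (root, issuing CA) issues two user certificates; the chain is verified before and after the two-year lifetime, and the issuing CA publishes a CRL that revokes one user.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Hierarchy struct { // a constructed two-tier CA with two user certificates
	Root, Issuing, Alice, Bob *x509.Certificate
	IssuingKey                *ecdsa.PrivateKey // kept so the issuing CA can sign CRLs
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template fills the X.509v3 fields a hierarchy needs: a CA gets BasicConstraints CA:TRUE with a path-length limit plus keyCertSign/cRLSign; a user gets digitalSignature and e-mail protection.
func template(cn string, serial int64, from time.Time, years int, ca bool, pathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: from.AddDate(years, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.MaxPathLen, t.MaxPathLenZero = true, true, pathLen, pathLen == 0
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

// issue signs tmpl with the parent's key; passing tmpl as its own parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildHierarchy creates root (10 y), issuing CA (5 y) and two user certificates (2 y), all with P-256 keys.
func BuildHierarchy(from time.Time) *Hierarchy {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, issKey, aliceKey, bobKey := newKey(), newKey(), newKey(), newKey()
	rootTmpl := template("Example Root CA", 1, from, 10, true, 1)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	iss := issue(template("Example Issuing CA", 2, from, 5, true, 0), root, &issKey.PublicKey, rootKey)
	alice := issue(template("alice", 100, from, 2, false, 0), iss, &aliceKey.PublicKey, issKey)
	bob := issue(template("bob", 101, from, 2, false, 0), iss, &bobKey.PublicKey, issKey)
	return &Hierarchy{Root: root, Issuing: iss, Alice: alice, Bob: bob, IssuingKey: issKey}
}

// VerifyChain builds the path leaf -> issuing CA -> root at time `at`, trusting only the root.
func VerifyChain(h *Hierarchy, leaf *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Issuing)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err
}

// IssueCRL has the issuing CA sign a revocation list naming the given serial numbers.
func IssueCRL(h *Hierarchy, now time.Time, serials ...int64) *x509.RevocationList {
	var revoked []pkix.RevokedCertificate
	for _, s := range serials {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: revoked},
		h.Issuing, h.IssuingKey))
	return must(x509.ParseRevocationList(der))
}

// IsRevoked verifies the CRL's signature against the issuing CA before trusting its contents.
func IsRevoked(h *Hierarchy, crl *x509.RevocationList, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(h.Issuing); err != nil {
		return false, err
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	h := BuildHierarchy(time.Date(2006, 10, 11, 0, 0, 0, 0, time.UTC)) // constructed issue date
	fmt.Println("alice, one year in:", VerifyChain(h, h.Alice, h.Alice.NotBefore.AddDate(1, 0, 0)))
	fmt.Println("alice, three years in:", VerifyChain(h, h.Alice, h.Alice.NotBefore.AddDate(3, 0, 0)))
	fmt.Println("bob revoked:", must(IsRevoked(h, IssueCRL(h, h.Bob.NotBefore.AddDate(0, 6, 0), 101), h.Bob)))
}
```

Two points carry over to the product comparison: the hierarchy only works because the CA certificates carry BasicConstraints and the certSign/cRLSign key usages (the fields the AppNote says NCS cannot set), and a relying party that cannot obtain a signed, current CRL (or an OCSP answer) has no way to tell a revoked user certificate from a valid one.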
Considering the missing functions of NCS, it is a good idea to look for other solutions. Standard PKI products, such as Entrust Authority, CyberTrust UniCert, or RSA Keon, should be considered first. These products offer a large scope of functions, suitable for complex PKIs. However, none of these solutions was developed particularly for eDirectory, and none is integrated into it. Therefore the above-mentioned products are only suitable for especially complex PKI projects that can bear high integration costs, or for security-critical projects in which eDirectory integration cannot be tolerated for security reasons. The Windows 2003 CA by Microsoft likewise offers no integration into Novell, although it can be embedded smoothly into a Microsoft environment.
The only PKI solution made for eDirectory, smoothly integrated into it and offering a comparably large scope of functions, is the German product cv act PKIntegrated. This software is offered by the manufacturer cv cryptovision. Because cv act PKIntegrated is fully integrated into Novell eDirectory, it cannot run without it. Here are the main integration features:
- CA: The certification authority is software connected to eDirectory by means of an IDM driver (see Figure 3).
- Administration: The administration is carried out by means of Novell iManager. There is no independent user interface.
- Data management: The data management is carried out via eDirectory. The CA component of cv act PKIntegrated is implemented statelessly and does not have its own data storage.
- Log-data acquisition: The log-data acquisition is carried out by means of Novell Audit.
- Authorizations: The extensive user and authorization management of eDirectory enables the realization of almost any authorization concept for cv act PKIntegrated.
- Key recovery: By means of eDirectory's SecretStore, lost keys can be recovered if necessary.
- Backup: As cv act PKIntegrated works directly on the eDirectory data store, all available backup mechanisms apply to it automatically as well.
Figure 2: Like NCS, cv act PKIntegrated is operated by means of iManager
Compared to NCS, cv act PKIntegrated provides considerably more functions, but it requires the purchase of additional licenses.
Due to a high degree of integration, cv act PKIntegrated appears to the user as part of eDirectory. cv act PKIntegrated operates somewhat like NCS, but it offers a considerably larger functional scope. It also offers solutions to the NCS limitations specified above:
- Certificate update: cv act PKIntegrated provides various functions for the certificate update. In particular, users can prolong the lifetime of their own certificates.
- Smartcard support: cv act PKIntegrated supports the operating of smartcards via the PKCS#11 standard.
- HSM: cv act PKIntegrated supports HSMs (Hardware Security Module) according to the PKCS#11 standard. Theoretically any common HSM can be connected; however, the manufacturer guarantees the support of only nCipher and SafeNet products.
- OCSP: cv act PKIntegrated provides an OCSP responder. It is not included in delivery and requires additional licensing.
- SCEP: cv act PKIntegrated provides an SCEP responder. It is not included in delivery and requires additional licensing.
- Algorithms: Apart from RSA, cv act PKIntegrated also supports procedures based on elliptic curves.
- Local creation: With cv act PKIntegrated, key pairs can be created locally.
- Format: cv act PKIntegrated does not provide a freely editable certificate format (unlike some expensive products), but ten predefined formats are supported - which is sufficient for all common applications.
- Hierarchy setup: cv act PKIntegrated supports the setup of certificate hierarchies.
- CRL: cv act PKIntegrated enables flexible handling of revocation lists.
- Roaming: Using the cv act pki/roamer tool, roaming keys can be created. This is not included in delivery and requires additional licensing.
- Auto-enrollment: Auto-enrollment is supported via the cv act workstation/cic tool (subject to charge).
Figure 3: The CA engine of cv act PKIntegrated is connected to eDirectory via an IDM driver and administered via iManager.
There are several disadvantages of cv act PKIntegrated to take into account:
- It is rather complicated, and in some cases impossible, to transfer the CA key of an NCS installation into a cv act PKIntegrated-based PKI.
- cv act PKIntegrated requires a license for the IDM Engine (if not already licensed for other IDM drivers).
- In contrast to the Microsoft CA, cv act PKIntegrated cannot run without a directory service (eDirectory).
- cv act PKIntegrated ca/server runs only on Linux (SLES 8/9 (10: experimental), OES Linux, RH ES4).
- Neither NCS nor cv act PKIntegrated is suitable for creating qualified certificates according to the European Directive on Digital Signatures. This is because that directive does not permit a high degree of integration, for security reasons. If the PKI administrator requires qualified certificates, another solution must be used - and considerably higher costs must be expected.
This AppNote has compared Novell Certificate Server (NCS) and cv act PKIntegrated. The NCS solution is relatively simple and incurs no additional licence fees. The latter solution provides a much larger scope of functions but costs extra. The PKI administrator should consider the additional values of cv act PKIntegrated explained in this AppNote and decide whether they are needed. If so, a decision in favor of cv act PKIntegrated is highly recommended.
The author would like to thank cv cryptovision for its support.
[Schmeh01] Klaus Schmeh: Cryptography and Public Key Infrastructure on the Internet. John Wiley, London 2003.