Complex PKI Systems
The defining architecture of encryption, digital authentication and identification
is the PKI (Public Key Infrastructure). Its central components are the CA (Certificate
Authority) and the systems that implement the related tasks (directory service,
certificate issuance and revocation, etc.).
A PKI system covers an extended scope of tasks with a single complex software
package, providing a breadth of protection that, only a few years ago, could only
be achieved by combining several different software products from several
manufacturers. System integration and consultancy services, such as the
development of policies and regulations, system design, server environment
configuration, network integration, comprehensive security solutions and project
management, are provided with full coverage within a PKI configuration project.
Microsoft PKI based solutions
Several Windows 2003 and Office applications (both native and add-on) are capable
of using the security services provided by Microsoft PKI: network systems,
VPN (Virtual Private Network) systems, ERP (Enterprise Resource Planning) applications,
document signing and smart card based applications. The types of certificates
required, and whether they are assigned to a computer or to a user, depend on the
application for which the certificates will be used. The following list contains
the Windows 2003 applications of greatest significance when creating a Windows
2003 based PKI:
- secure Web
- secure mailing
- file system encryption
- code signature
- smart card logon
- virtual private network
- remote access authentication
- SMTP Site connection authentication
- Microsoft CryptoApi
Cybertrust UniCERT PKI system
UniCERT was developed to enable the user to implement a PKI tailored to their
company's own requirements. UniCERT, as the cornerstone of the PKI, enables the PKI
to adapt to changes in the user's requirements and to support new applications
and users. It also facilitates interoperation with partner organizations and
adapts to the user's own infrastructure. By design, UniCERT is highly flexible,
capable of interoperating with a wide range of infrastructures with open code,
and it accommodates corporate and national special requirements as well. Its
features are as follows:
- Multiple registration and delivery systems: UniCERT supports several different
  registration and delivery mechanisms, including e-mail, Web, personal (face-to-face),
  VPN, CMP and Cisco SCEP mechanisms.
- It supports a wide range of hardware security modules, USB tokens and smart cards.
- It supports today's modern encryption algorithms.
- It supports a complex publication method and handles external LDAP directories
  as well. It also supports publication to disk, so that easily customisable
  publication procedures can be applied.
- It supports several revocation methods, including CRLs, OCSP and CRL distribution
  points (CDPs).
- Complex PKI hierarchies: UniCERT supports hierarchies of CAs (of any depth),
  multiple RAs, multiple RA Exchangers (RA Exchange) and cross certificates with
  other CAs.
- Multiple user keys and certificates: a policy can be defined that handles
  multiple keys and certificates per user, and key usage is configurable for each
  key, so that signing and encryption for each application can use separate keys.
- Flexible authentication: each certificate request can be authenticated by one
  or more authenticating signatures, depending only on the policy in force.
  Registration requests can also be handled automatically in batch processing.
- Deployment strategies: the installation method of UniCERT depends on the PKI
  configuration applied; it can operate on WANs, LANs or on a system of just a
  few computers (Intranet or Internet use).
Easy use
By design, UniCERT is user-friendly for every type of user, and each user can only
access the functions they are authorized for. With minimal training, the number of
system-related problems encountered by users can be reduced.
Scalability
By design, UniCERT can be used in anything from small configurations (where the CA,
RA and the database run on a single computer) to very large systems. In a large
system, several RAs are also possible, subordinated to several subCAs and a root
CA, with each RA assigned to its own operator.
Commercially open
Cybertrust is devoted to following, influencing and implementing PKI standards
and to the continuous support of a wide range of third party products. For this
purpose, UniCERT is based on well-known standards (the most important being X.509)
and has proven its ability to interoperate with a wide variety of third party
products.
Security
UniCERT's security is provided by comprehensive internal security and integrity
controls and by the option of using smart cards and hardware security modules (HSMs).
All communications, the data in the database and the audit logs can be signed.
Performance
UniCERT's architecture enables outstandingly high performance once clones of the CA,
RA and RA Exchanger are configured to ensure parallel processing. Moreover, UniCERT
relies on Oracle, a powerful, high-end database server.