The Single Point Administration of Novell's Public Key Infrastructure
Senior Research Engineer
Security Development Manager
01 Jul 1998
Two months ago, we interrupted our coverage of the Black Forest Group's 15 points of security to provide some late-breaking information regarding Novell's integral Public Key Infrastructure (PKI) within Novell Directory Services (NDS). Coincidentally, PKI is the subject of the current point which we discuss in this NetNote.
PKI and NDS
PKI has been receiving an increasing amount of attention lately, and for good reason: you cannot do electronic commerce without a PKI. Novell's PKI is integral to NDS. NDS is the enabling technology for PKI, providing three attributes of PKI and Directory Services integration that are lacking from almost every other commercial offering: scalability, flexibility, and maintainability.
The fundamental feature afforded by this integration is manageability. While we will discuss this attribute further in another article, it is important to note that it is a primary requirement for end-user companies, as has been stated by the members of the Black Forest Group. It is probably the quintessential component of a PKI.
Novell's PKI adds another attribute of manageability: Single Point Administration, the ability to administer multiple users and their key pairs from a single site and from a single administration tool.
In addition to Single Point Administration, a PKI should be able to exist in a replicated environment. Our view of how all that gets done is to leverage the power of NDS. Of course, we support the existing standards in this area -- primarily X.509 version 3 as the dominant standard for a certificate (by which we mean the digitally signed association between a user, some name, some distinguished name, and a public key).
There is actually another kind of certificate, the PKCS 10 certificate signing request. Every PKI that works with public users needs this. Typically, if you are going to operate across the Internet, you want to obtain an X.509 certificate. To do this you first make a certificate-like structure that contains the name and the public key and is signed with the corresponding private key -- a PKCS 10 signing request -- and you send it to a certificate authority. The certificate authority sends you back a certificate. NetWare 5 provides this ability out of the box, treating the PKCS 10 request as a certificate.
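The request-and-issue flow just described (a PKCS 10 request carrying a name and public key, signed by the requester, sent to a certificate authority, which returns an X.509 certificate), as an added example driven with the openssl command line; it is not code from the original AppNote or from NetWare. It assumes openssl is installed, and the organization, host name and work directory are constructed placeholders. The CA-side check of the request's self-signature is the step a PKI must not skip: it proves the requester holds the private key matching the public key it wants certified.

```shell
#!/bin/sh
# Added example, not from the AppNote: PKCS #10 request -> CA -> X.509 certificate.
# Assumes the openssl CLI; names below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: the requester generates a key pair and a PKCS #10 signing request.
# The request holds the subject name and public key and is signed with the
# requester's private key (proof of possession); it is not yet a certificate.
make_csr() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/O=Example Org/CN=ldap.example.test" 2>/dev/null
}

# Step 2: a throw-away certificate authority (constructed for this example).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -days 1 -subj "/O=Example Org/CN=Example CA" 2>/dev/null
}

# Step 3: before signing, the CA verifies the request's own signature.
# A request whose signature fails proves nothing about who holds the key.
check_csr() {
    openssl req -in "$WORK/server.csr" -verify -noout 2>&1 | grep -q 'verify OK'
}

# Step 4: the CA returns an X.509 certificate for the subject and key in the request.
sign_csr() {
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/server.crt" 2>/dev/null
}

# Step 5: a relying party checks that the issued certificate chains to the CA it trusts.
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" 2>/dev/null | grep -q ': OK'
}

# Subject CN the CA actually certified, for comparison with what was requested.
issued_cn() {
    openssl x509 -in "$WORK/server.crt" -noout -subject | sed 's/.*CN *= *//'
}

make_ca
make_csr
check_csr
sign_csr
verify_cert
issued_cn
```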
Who Needs Certificates?
There are needs beyond just certificate creation. A PKI must support services which use public keys, such as the Secure Sockets Layer (SSL). One service that depends on SSL is the Lightweight Directory Access Protocol (LDAP). The need for certificate management in the PKI becomes increasingly obvious as other services begin using public keys; otherwise one creates a new structure for key management and generation with each service, and is then burdened with managing each of those structures separately.
Thus, if you're using NDS and accessing the certificates through LDAP (via a browser), you would want to do that securely, using SSL. To do that you need a certificate, and that certificate needs to be placed by the PKI services.
Other kinds of users that might need certificate and PKI services are virtual private network users, for example those using IPSEC. In these applications public keys are typically used for authentication as well as for confidentiality services. Yet commercial out-of-the-box products do not commonly offer PKI services that are also integrated with the SSL and LDAP services, which necessitates further purchases and integrations. S/MIME users, as well as collaboration software users, are in a similar position. NetWare 5 is therefore the first offering of a PKI service where the PKI is focused on getting services out and available.
Also, a PKI should be available to those who are developing frameworks: the developers. The environment is not one where end users are the only ones trying to access LDAP. Actually, the developers are the most likely to make use of a PKI service. Developers who need the services of IPSEC, SSL or S/MIME will need PKI services in addition to the distribution and management of public keys. They will also need internationalization services. Novell offers these as the secure authentication services and the Novell international cryptography services. These, too, are part of the PKI infrastructure and must be available to developers.
As an example of Novell's commitment to developers with regard to PKI services, NetWare 5 provides developers with an SSL service. NetWare has an API service within the SDK and if a developer wants to run the equivalent of a specialized web server, they can call the API. The other end of the SSL can be provided by a browser, so the developer can call APIs and will be able to provide SSL in a web server capability. In this way, developers do not have to worry about managing sockets. They don't have to worry about managing keys. They don't have to worry about managing a cryptography suite. All they need to do is call the API and tell it to open this connection, and then to read and write to that connection. The SSL is taken care of for them and the certificate for the server is the one provided by the PKI service. That is integrated PKI.
Next in importance after manageability is the security of the services which the Public Key Infrastructure provides to the customer. If the infrastructure is not secure, there is no practical way to manage it or to use it to receive value from the public key certificates. This is why Novell has positioned its PKI within the "trusted" Novell Directory Service, as evaluated in NetWare 4.11 at the Class C2 level.
The Importance of an Architecture
A key to extending PKI services into the realm of electronic commerce is understanding how the architecture fits together. One of the important aspects of an architecture is that all of the pieces do fit together coherently and usefully for the customer. It is not just a collection of bits and pieces, like a bunch of floppy disks in a basket. An architecture is about the relationship between different pieces that work together smoothly.
On top of any platform is an infrastructure which provides the plumbing. Developers don't use the infrastructure, and the users don't see it, but it is necessary to make things happen. This is what Novell has submitted for evaluation by independent third parties to ensure a level of performance regarding security. Novell provides authentication as well as the other services needed within the operating system. This is also where administration for infrastructure needs to occur for key components such as the PKI.
NetWare supports the PKI as an enabling cryptographic technology. You can't have a public key infrastructure without cryptography, which opens up a whole set of challenges comprising everything from social issues to legal issues to technical issues. This is another major requirement that a PKI for electronic commerce must have. It must handle international cryptography issues. In the infrastructure, Novell provides a coherent set of solutions with an answer to the various cryptography challenges.
Accountability in electronic commerce is a critical requirement. Accordingly, the infrastructure must include audit capabilities -- you need to know what actions users have taken. As with the other components, the Directory is the foundation on which we build the public key infrastructure.
One of the most often requested features of a PKI (and one of the requirements for an integrated PKI) is a secure Single Sign-On service (SSO). This is very much a part of NetWare 5, traditionally called background authentication. It is a very powerful and useful single sign-on capability. However, for the PKI to be involved, one must be prepared to use the authentication method available through the PKI.
These are the services which are available to PKI from an integrated architecture. To be effective, these services must be protected within a security perimeter commonly known as a trusted computing base (TCB) boundary. In this way, the things that are inside cannot be tampered with without affecting the overall security of the system. However, if they merely exist inside the perimeter, they are of no use to anyone.
Alongside the feature and service plumbing should be the security services which operate within the system. These include the exposed services available in the infrastructure which developers can access but cannot change. This is where a PKI API could exist and be integrated with both the Directory and the cryptography services from the underlying layer. To date, NetWare 5 is the only operating system that has this ability.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.