12/13/99 Network Computing 36 1999 WL 8446001 Network Computing Copyright 1999 CMP Publications Inc.
Monday, December 13, 1999
Sneak Previews
Entrust Technologies Unleashes Stronger and Better PKI
By Asad Irshad
Feeling insecure? Ask a corporate IT manager, the one responsible for secure end-to-end transactions, about true insecurity. He or she will be thankful for PKI (public key infrastructure), which addresses much of the problem by establishing a trust relationship between the sender and the receiver of information over an insecure network: a certificate authority vouches, by signing a certificate, that a public key belongs to a named party, so two sides that have never exchanged a secret can still authenticate each other and encrypt what they send.
I tested a beta release of Entrust Technologies' Entrust 5.0, which offers a complete PKI plus a set of client applications built on it. Entrust 5.0 is made up of two components: Entrust/Authority and Entrust/RA on the server side and Entrust/Etelligence for the end user. The product covers desktop applications, Internet transactions, e-commerce, developer applications and access-control devices, and its administration is customizable enough to make deployment easier and more cost-effective. In all, Entrust 5.0 adds significant improvements to its version 4.0 predecessor (see "Nortel's Entrust," at www.networkcomputing.com/717/717f1.html). Overall, I liked the flexibility and value of the new features. However, the new support for hierarchical trust architecture needs some work before it's ready for deployment.
Entrust/PKI is bundled with PeerLogic i500, a directory service in which the certificates the CA issues are published for other users to look up. You can use Entrust/PKI with PeerLogic i500 or with a directory of your choice. Entrust uses a newer version of Informix as the CA's internal database.
Entrust's added flexibility lets security administrators customize PKI administration, including roles and policies for users and groups, according to their business needs. For example, a customer can create users holding an independent audit role whose access is limited, with the limits definable at several levels. Entrust also ships a wide range of out-of-the-box functional roles that can be used as-is or easily modified.
Most PKI implementations use five typical roles, each with predefined policies: security officer, administrator, directory administrator, end user and auditor. Before I added any users, I created some customized roles and policies. I also created a few groups to help me classify users, then added the users to the different groups accordingly. The authentication process was straightforward and intuitive. Entrust gave me an authorization and reference number and, unlike version 4.0, also provided an expiration date.
Entrust supports cross-certification of certificate authorities (CAs) not only in a peer-to-peer architecture but also in a hierarchical one. In a hierarchy the superior CA signs the subordinate CA's certificate, so anyone who trusts the root trusts everything issued beneath it; in peer-to-peer cross-certification two independent CAs each issue a certificate for the other. Either way, Entrust customers can control in fine detail the trust relationships between CAs and their users within the enterprise.
For example, you might want to restrict access to your research and development department, giving only trusted people and nodes access to certain information. CAs can be distributed by domain, department, security level and so forth, and those levels can be created and tuned to your individual needs.
I wanted to use this feature to deploy two CAs hierarchically: from a root CA, I intended to create a subordinate CA. But before I could make any change in Entrust/RA, the registration authority, I was required to create an entry in the PeerLogic i500 directory and provide all the attributes that went with it.
Communication Breakdown
I ran into a series of problems when the directories communicated with each other to allow cross-certification of the CAs. I wanted my root CA, DN o=nwc, c=us, to be the superior CA, with a subordinate CA, DN ou=lab, o=nwc, c=us. Entrust suggested using the same level of CA DN for the certification process. Later, I experienced problems with cross-referencing the two directories, and I was disappointed to see the terse error messages generated by the PeerLogic i500 directory service. A typical message read "XDS unwilling to perform," which didn't tell me anything about the location of the error. Log files generated by the i500 didn't offer much help either. In the end, I was forced to abandon the whole idea of a subordinate CA.
Entrust/RA has its own certificate and lets administrators add new users remotely. Entrust/RA then connects to the CA for authorization, or the request is queued for authorization by the security officer. Entrust/RA adds real value to Entrust/PKI.
Entrust/Etelligence
On the client side, Entrust login can serve as a centrally managed single sign-on. I was able to log on to Entrust and my Microsoft Windows NT domain at the same time. For increased security, the Entrust workstation automatically locked itself after a few minutes of inactivity; this feature is integrated with the Windows screensaver and suspend features.
Another client-side component is Entrust/ICE, which provides encryption and digital-signature services to the desktop user. Once again, the process is simple and straightforward: right-click on any file and select encrypt, sign, or both. Entrust also provides TrueDelete, which ensures that a file an end user deletes is scrubbed from the media in compliance with U.S. Department of Defense standards, rather than merely unlinked from the file system with its contents left on disk. It also securely deletes users' temporary files and protects the Windows swap file, the two places where plaintext copies of an encrypted file are most likely to linger.
For Internet security, Entrust has added two components, Entrust/Unity and Entrust/Direct. Entrust/Unity can be used for Web browsing (SSL), e-mail (S/MIME) or object signing. Entrust/Direct provides a higher level of commercial security, letting users' keys and certificates be managed automatically through Entrust. Both Internet Explorer and Netscape Navigator are supported.
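The "encrypt, or sign, or both" operation that Entrust/ICE puts on the right-click menu, in the S/MIME format Entrust/Unity handles for mail, done with OpenSSL's CMS commands as an added example; this is not Entrust code and not the reviewer's setup. The three users, the memo and the self-signed certificates are constructed for the example, standing in for identities an Entrust CA would issue.

```shell
#!/bin/sh
# Added example; not Entrust/ICE or Entrust/Unity code and not the reviewer's setup.
# Performs the "sign, encrypt, or both" operation on a file with OpenSSL's CMS commands
# (the format S/MIME mail uses), then shows what each layer buys: only the named
# recipient can open the envelope, the signature ties the content to one sender, and
# an edited copy fails verification. Self-signed certificates stand in for CA-issued ones.
set -eu

WORK="${TMPDIR:-/tmp}/nwc-cms.$$"
mkdir -p "$WORK" && cd "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Identity certificate and private key per user (constructed for the example).
for user in alice bob carol; do
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$user.key" -out "$user.pem" -subj "/C=US/O=nwc/CN=$user" >/dev/null 2>&1
done
printf 'Q4 lab budget: approved\n' > memo.txt      # constructed sample file

# Sign with the sender's private key, then encrypt the signed message to the
# recipient's certificate. Signing first binds the sender to the content; the
# outer encryption hides both the content and the signature from everyone else.
sign_then_encrypt() {      # $1 = plaintext  $2 = sender  $3 = recipient  $4 = envelope out
  openssl cms -sign -in "$1" -signer "$2.pem" -inkey "$2.key" -out "$4.signed" 2>/dev/null
  openssl cms -encrypt -in "$4.signed" -aes-256-cbc -out "$4" "$3.pem" 2>/dev/null
}

# Reverse the layers: decrypt with the recipient's key, then verify the signature
# against the certificate of the sender we expect. Non-zero status if either fails.
decrypt_then_verify() {    # $1 = envelope  $2 = recipient  $3 = expected sender  $4 = plaintext out
  openssl cms -decrypt -in "$1" -recip "$2.pem" -inkey "$2.key" -out "$1.opened" 2>/dev/null &&
    openssl cms -verify -in "$1.opened" -CAfile "$3.pem" -out "$4" >/dev/null 2>&1
}

# Integrity check: alter the signed text after decryption and try to verify it.
# Returns 0 only if the edit goes unnoticed, which it must not.
tampered_verifies() {      # $1 = envelope  $2 = recipient  $3 = expected sender
  openssl cms -decrypt -in "$1" -recip "$2.pem" -inkey "$2.key" -out "$1.opened" 2>/dev/null &&
    sed 's/approved/denied/' "$1.opened" > "$1.tampered" &&
    openssl cms -verify -in "$1.tampered" -CAfile "$3.pem" -out /dev/null >/dev/null 2>&1
}

sign_then_encrypt memo.txt alice bob memo.p7m
if decrypt_then_verify memo.p7m bob alice recovered.txt; then
  echo "bob opened the memo and alice's signature checks out"
fi
if ! decrypt_then_verify memo.p7m carol alice discard.txt; then
  echo "carol cannot open it: the envelope was not addressed to her key"
fi
if ! decrypt_then_verify memo.p7m bob carol discard.txt; then
  echo "bob can open it, but the signer is alice, not carol"
fi
if ! tampered_verifies memo.p7m bob alice; then
  echo "an edited copy of the signed text fails verification"
fi
```

Note the order: sign, then encrypt. Encrypting first and signing the ciphertext would let anyone strip the signature and re-sign someone else's sealed message as their own; signing the plaintext and sealing the result is what lets the recipient learn who actually wrote the content.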
Asad Irshad is a Syracuse, N.Y.-based freelance writer. Send your comments on this article to him at airshad@syr.edu.
Vendor Information
Entrust/PKI 5.0, $25,000. Available: Now. Entrust Technologies, (972) 671-9542; fax (972) 943-7305.
www.entrust.com