Business Challenge

Today, security is a key word in the Internet business. The aspiration of the free data exchange confronts the requirement to restrict data access to authorized persons and applications.

The newest generation of security systems is based on standardized and proven cryptographic solutions:

• Algorithms: RSA, 3DES, AES
• Protocols: SSL, IPSec
• Devices: smart cards, tokens, HSMs

The magical word that ties all this solutions into a meaningful whole is PKI – Public Key Infrastructure.

Solution = ASEBA Digitrust

ASEBA Digitrust is an integral PKI software solution that comprises of applications that enable registration of subjects and subscribers, certification services, key and certificate life-cycle management. ASEBA Digitrust has the following advantages:

• Easy to use
• Powerful administration
• Interoperability
• Flexible architecture
• High security level

Easy to Use

• Web interface for certificate enrollment. User interface is suitable for customization and localization
• Support for a variety of cryptographic devices and key stores: Microsoft CSP and PKCS#11 based (smart cards and tokens), memory cards (i.e. Athena SCS M64)
• Expandable for other key stores
• Support for PKCS#10 requests suitable for Web servers and appliances
• “On the spot” feature for RA operator to generate keys, issue certificates and personalize devices in registration office

Powerfull Administration

• Convenient user interface for CA configuration and subscriber data manipulation (data entry, certificate issuance, certificate lifecycle management)
• Customizable reports can be changed to serve changing customer requirements
• Multiple authorization levels: Master User, Security Officer, Operator
• Support for different residential and organizational subscribers data
• Support for X.509v3 certificate profiles with different extensions and policies

Interoperability

• X.500 directory distinguished names in registration database
• PKCS#10 certificate requests
• Microsoft CSP and PKCS#11 interfaces for access to cryptographic modules
• SOAP, WSDL, HTTPS protocols between distributed elements of the architecture
• Certificate extensions compatible with Microsoft®Outlook, Microsoft® Internet Explorer, Microsoft® Authenticode

Flexible Architecture

• Variety of deployment options according to specific customer needs
• Support for on-line and off-line CA model
• Multiple logical CA within one ASEBA Digitrust CA(e.g. intermediate CAs for different purposes)
• Optimal use of security hardware through integration with standard security mechanisms (firewall, VPN)
• Extensibility options through special hardware based (HSM) and software based plug-ins for key storage, and cryptographic algorithms (e.g. ECDSA)

High Security Level

• Distributed components communicate using HTTPS protocol with mutual client and server authentication and 128-bit encryption
• Multi-tier architecture with option for high security mechanisms between tiers
• Software (strong password) or hardware (HSM, smart card) based key store for CA keys
• Secure access to registration database

ASEBA Digitrust Architecture

Basic ASEBA Digitrust components are:

• ASEBA Digitrust Certification Service
• ASEBA Digitrust Registration Service
• ASEBA Digitrust Enrollment Service
• ASEBA Digitrust Web
• ASEBA Digitrust RA Operator
• ASEBA Digitrust CA Administrator

ASEBA Digitrust Certification Service
Certification service is a Windows service responsible for storage and usage of CA private keys. Certification service is configured to start automatically, but for the reasons of additional security, configuration is loaded and full operation mode is reached only after Master User enters his password. After configuration load certifications service uses CA private keys for certificate and CRL signing.

Certification service supports extension plug-ins that can provide additional mechanisms for storage and algorithms for usage of CA private keys. Certification service functionality is exposed through Web service installed on the same machine.