E collaborationscottrea

Date post: 22-Apr-2015
Upload: collaborative-health-consortium
DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS. Direct Trust Infrastructure : The Technical Details Presented by: Scott Rea 02/23/2012
Transcript
Page 2: E collaborationscottrea

Contents

Slide  Title
3  Direct Trust Framework
4  Public Key Infrastructure (PKI)
7  Public & Private Keys
9  Digital Certificates
10  Encryption
11  Digital Signatures
12  Authentication
13  Certification Authority
14  Registration Authority
15  Issuance Process
16  CA – RA Relationship
17  Transactions

Page 3: E collaborationscottrea

Direct Trust Framework

• The Direct Trust Framework is built on a set of standards that combines technology with policies on how and when the technology is utilized/applied, who the participants are, and what their roles and responsibilities are in the system

• Technology by itself is not sufficient to solve “Trust” issues

• The technology utilized in this case is Public Key Infrastructure (PKI)

Page 4: E collaborationscottrea

What is PKI?

• Public Key Infrastructure

• Comprehensive security technology and policies using cryptography and standards to enable users to:

– Identify (authenticate) themselves to network services, access policies, and each other to prove source of origin and destination.

– Digitally sign electronic documents, email and other data to provide authorization and prove integrity.

– Encrypt email, data, and other documents to prevent unauthorized access.

Page 5: E collaborationscottrea

Why PKI?

• Uniform way to address securing many different types of applications

• Enables reliable authentication, digital signing and encryption

• Overcomes many weaknesses of using password based protocols on open networks

• Facilitates easy setup of shared secrets between previously unknown parties

• Strong and proven underlying security technology

• Widely included in technology products

Page 6: E collaborationscottrea

Underlying Key Technology

• A pair of asymmetric keys is used, one to encrypt, the other to decrypt.

• Each key can only decrypt data encrypted with the other.

• Invented in 1976 by Whit Diffie and Martin Hellman

• Commercialized by RSA Security

• Recently, other more efficient schemes are emerging, e.g. ECC

[Diagram: Plain Text and Encrypted Text, linked by Encrypt (anyone with public key) and Decrypt (possessor of private key only)]

Page 7: E collaborationscottrea

Public and Private Keys

• PKI is based on the use of a pair of related numbers called “keys”

• They are generated in such a way that knowing one does not give you any knowledge of the other, but using one requires the other to complete a transaction

• The "public" key is placed into a certificate which is published far and wide for all to use.

• The "private" key is only used by its owner and MUST be kept a secret.

• No need to exchange a secret "key" ahead of time by some other channel.

Page 8: E collaborationscottrea

Applications of PKI

• Authentication and Authorization of end points in an internet transaction – e.g. users and servers, server to server, user to user

– This is the basis for the SSL protocol used to secure web connections using https.

• Secure Messaging

– e-mail (signed and encrypted)

– Secure instant messaging

• Electronic signatures

– Documents, data, agreements

– Prescriptions, Insurance authorizations, case notes

• Data encryption

– Medical records, Diagnostic datasets, Business documents, Financial data, databases, executable code

• Network data protection (VPN, wireless)

Page 9: E collaborationscottrea

What is a certificate?

• Signed data structure (X.509 standard) binds some information to a public key.

• Trusted entity, called a Certification Authority (CA) asserts validity of information in the certificate, enforces policies for issuing certificates.

• Certificate information is usually a personal identity, a server name, or a service identifier, with authorizations for how the keys should be used.

• Think of a certificate with its keys as an electronic:

– ID card,

– encoder/decoder device, and

– official seal or notary-style stamp.

Page 10: E collaborationscottrea

Encryption

• Asymmetric encryption prevents need for shared secrets.

• Anyone encrypts with public key of recipient.

• Requires some mechanism for discovering intended recipient’s public key

• Only the recipient can decrypt with their private key.

• Private key is secret, so “bad guys” can’t read encrypted data.

[Diagram: Plain Text and Encrypted Text, linked by Encrypt (anyone with public key) and Decrypt (possessor of private key only)]

Page 11: E collaborationscottrea

Digital Signatures

• Compute message digest, encrypt with your private key.

• Reader decrypts with your public key.

• Re-compute the digest and verify match with original – guarantees no one has modified signed data.

• Only signer has private key, so no one else can spoof their digital signature.

[Diagram: Plain Text and Encrypted Text, linked by "Compute digest, sign & date, encrypt" (possessor of private key only) and "Verify signature, check digest" (anyone with public key)]

Page 12: E collaborationscottrea

Authentication

• A CA (Certification Authority) signs a certificate attesting that the public key belongs to the entity named in the certificate

• Certificate Policy indicates what steps are taken to verify identity and how the CA systems operate to ensure security and integrity

• CA is a Trusted Third Party providing a seal of authenticity

• Use of certificate provides reliability and non-repudiation in the identity of the source or destination of a transaction

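An added illustration (not part of the presentation) of the steps on the Digital Signatures and Authentication slides: sign a digest with a private key, verify it with the public key, and accept that public key only because a CA signed the certificate binding it to a name. It uses textbook RSA from the Python standard library; the function names, the `direct.clinic.example` identity, the message and the small fixed primes are assumptions made for the demo, whereas real PKI uses padded signatures, large random primes and X.509 certificates.

```python
import hashlib

E = 65537  # common RSA public exponent

def keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data, n):
    # SHA-256 digest as an integer, reduced to fit the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private
    return pow(digest(data, n), d, n)   # "encrypt" the digest with the private key

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data, n)  # recover digest, compare with recomputed one

def cert_body(subject, public):
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue_cert(subject, subject_public, ca_private):
    """CA binds a name to a public key by signing both (simplified stand-in for X.509)."""
    sig = sign(cert_body(subject, subject_public), ca_private)
    return {"subject": subject, "public": subject_public, "sig": sig}

def verify_message(msg, sig, cert, trust_anchor, expected_sender):
    """Accept msg only if the cert was signed by the trust anchor and names the sender."""
    if not verify(cert_body(cert["subject"], cert["public"]), cert["sig"], trust_anchor):
        return "untrusted certificate"
    if cert["subject"] != expected_sender:
        return "wrong sender"
    return "ok" if verify(msg, sig, cert["public"]) else "bad signature"

# Constructed sample data. Mersenne primes keep the demo short; they are not safe key material.
CA_PUB, CA_PRIV = keypair(2**127 - 1, 2**107 - 1)
ORG_PUB, ORG_PRIV = keypair(2**89 - 1, 2**61 - 1)
ROGUE_PUB, ROGUE_PRIV = keypair(2**61 - 1, 2**31 - 1)   # a key pair no CA has vouched for

CERT = issue_cert("direct.clinic.example", ORG_PUB, CA_PRIV)
MSG = b"Referral for patient 0001"
SIG = sign(MSG, ORG_PRIV)

if __name__ == "__main__":
    print(verify_message(MSG, SIG, CERT, CA_PUB, "direct.clinic.example"))
    print(verify_message(MSG + b"!", SIG, CERT, CA_PUB, "direct.clinic.example"))
```

The recipient needs only the CA's public key (the trust anchor) in advance; the sender's public key arrives inside the certificate and is trusted because the CA's signature over it verifies.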

Page 13: E collaborationscottrea

What is a certificate authority?

• An organization that creates, publishes, and revokes certificates.

• Verifies the information in the certificate.

• Protects general security and policies of the system and its records.

• Allows you to check certificates so you can decide whether to use them in business transactions.

• Has one or more trusted Roots, called a trust anchor embedded in applications

Page 14: E collaborationscottrea

What is a Registration Authority?

• An organization that collects and verifies the identity information that will be used in a certificate based on published standards.

• Represents a Certification Authority for any face-to-face validation of identity

• Must be authorized by the relevant Certification Authority for this purpose

– Audit of processes required

– Archival of evidence data required

Page 15: E collaborationscottrea

Issuance Process

[Diagram: certificate issuance flow. Source: DirectTrust.org February, 2012]

Participants and systems shown: Certificate Authority (CA); Registration Authority (RA); Health Information Service Provider (HISP); LDAP Name System; Domain Name System (DNS); Healthcare Organization (HCO); HCO Representative (assume has Digital Identity Certificate)

Services shown: Certificate Validation Service; Identity/Trust Verification; Revocation Services; Certificate Signing Services; Compile/Validate Identity and Trust Documentation

Identity and trust documentation shown: Representative FBCA Credentials; Representative Authorization; Legal Entity Documents; Membership/Trust Agreement; HIPAA status

Numbered steps in the diagram:

1. Enroll with HISP

2. Request Direct Organization Certificate

3. Credentials and Documentation

4. Direct Organization Domain

5. Public Key

6. Certificate Signing Request

7. Direct Organization Certificate

8. Direct Organization Certificate

9. Direct Address/ Org Certificate

The CA and RA enforce the policies specified in the DirectTrust.org and FBCA Certificate Policies (CPs).

Page 16: E collaborationscottrea

CA – RA Relationship

[Diagram: relationship between the CA and the RA. Source: DirectTrust.org February, 2012]

Entities shown: Certificate Authority (CA); Registration Authority (RA)

Policies and documents shown: FBCA Certificate Policy; DirectTrust.org Certificate Policy; Certification Practices Statement; Registration Practices Statement; RA Agreement; Audit (shown three times)

Services shown: Certificate Validation Service; Identity/Trust Verification; Revocation Services; Certificate Signing Services; Compile/Validate Identity and Trust Documentation

Page 17: E collaborationscottrea

Transactions

• Certificates vetted to the FBCA Medium LoA standard ensure the strongest binding between PKI keys and the identity listed in the cert

• HIPAA Covered Entity Assertion governed by DirectTrust CP

• PKI Encryption ensures confidentiality in messages

• PKI Digital Signatures ensure integrity and reliability of messages

• PKI Authentication provides authenticity and trust of message reaching intended recipients

Page 18: E collaborationscottrea

Questions?

• Scott Rea, CISSP

VP GOV/EDU Relations and Sr. PKI Architect

DigiCert, Inc. Lindon UT 84042

[email protected]

• (801) 701-9636

• http://www.digicert.com/news/bios-scott-rea.htm

• http://www.directtrust.wikispaces.com

• http://www.DigiCert.com/

