Noreg MARGARETA
– Design, architecture, features

Agenda
– Security
– Users, cards on multiple levels
– Advantages
Noreg Ltd.
– is an expert provider of information security technologies and services in Hungary
– founded in 1998
– offers personalized, cost-effective information security solutions
– in-house PKI solutions
– our clients include leading companies of the Hungarian financial, telecommunications, public administration, industrial and trade sectors
– our ISO 27001 certification proves the reliability of our information security management system
Why use certificates?
Certificates issued by a PKI (Public Key Infrastructure) system can be used for:
– Authentication
– Digital signature
– Encryption (e.g. mail)
– …
Why use smart cards/tokens for certificates?
They are secure, with advantages over other two-factor authentication devices:
– Easily renewable
– Reusable
  • No device validity period, no batteries, can be deleted
– Easily revocable
– No continuous transaction fee
What is MARGARETA?
A secure, multi-level, agent based, clientless card management system, built on the Java EE platform.
Designed to be more than a usual CMS, MARGARETA is also a customizable PKI interconnector:
– Migration
– Importing
– Continuous synchronization
Why the name?
[Diagram with the labels: Data source, CA, Certificate, IDM, User, Card, VSC, Softtoken]
Differentiators / important features
Scalable, flexible, modular
– Enterprise application / platform
– Supports custom integration modules
No lock-in
– Multi-PKI, multi-DB, multi-OS, multi-card/token
Multi-level
– Physical/logical cards, users, profiles
Differentiators / important features
Seamless migration
– of existing users, cards, certificates, keys
  • even on multi-level, supporting auto profile generation
Continuous sync
– With the connecting CAs, IDM, data sources
  • new certificates, revocation status, users, etc.
– Fast recovery after disaster
A typical use case
Issuing a card with 3 certificates
– Authentication, signing and encryption certs: the general, recommended configuration
Using a PKI system alone (e.g. MS): ~5 minutes
– 3 separate processes, user and card must be selected each time
– The encryption key must be imported manually
– Password generation, storage!
Using MARGARETA: ~1.5 minutes
– One, integrated process
– Certificates can be issued from different CAs
Efficient operation
The difference increases later on. Imagine replacing a renewed card (e.g. when it is lost) when 2 encryption certs must be restored!
– ~10 minutes!!!
– 9 operations (3 certificate issuance, 2 key restoration, 3-4 revocations)
– The potential for error is high!
Using MARGARETA: ~2 minutes
Imagine 500, 10000, 100000 users!
Security
Developed from the beginning according to MIBÉTS (CC EAL4)
– Secure architecture
– Role separation
  • separated management tasks, responsibilities
– Certificate based mutual authentication for system users and external components (CA, IDM, …)
– Secure storage of sensitive data with or without Hardware Security Modules (Thales, SafeNet, …)
– Detailed logging
  • supporting remote log servers
– Approvals: 4 eyes principle for card creation, private key access
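The role separation and four-eyes approval listed above, as an added worked example that is not MARGARETA's own code: an operator files a request for a sensitive operation (card creation, private key access), a different person holding the approver role must approve it before it can run, and every decision, allowed or denied, lands in an audit log. The names (Role, Principal, ApprovalLedger, the operation strings) are hypothetical; the certificate subject stands in for the identity that certificate-based authentication would supply.

```python
"""Four-eyes approval with role separation and an audit trail (added example)."""
from dataclasses import dataclass, field
from enum import Enum
import itertools


class Role(Enum):
    OPERATOR = "operator"   # may file and execute requests
    APPROVER = "approver"   # may approve requests filed by someone else
    AUDITOR = "auditor"     # read-only access to the audit log


@dataclass(frozen=True)
class Principal:
    cert_subject: str       # identity taken from certificate-based authentication
    roles: frozenset


# Operations that need a second pair of eyes before they may run (hypothetical names).
FOUR_EYES_OPERATIONS = frozenset({"create_card", "access_private_key"})


@dataclass
class Request:
    request_id: int
    operation: str
    target: str
    requester: str
    approvals: set = field(default_factory=set)
    executed: bool = False


class ApprovalLedger:
    def __init__(self):
        self._ids = itertools.count(1)
        self.requests = {}
        self.audit_log = []          # every decision, allowed or denied, is recorded

    def _log(self, event, **fields):
        self.audit_log.append({"event": event, **fields})

    def _deny(self, who, reason, **fields):
        self._log("denied", actor=who.cert_subject, reason=reason, **fields)
        raise PermissionError(reason)

    def submit(self, who, operation, target):
        if Role.OPERATOR not in who.roles:
            self._deny(who, "only operators may file requests")
        req = Request(next(self._ids), operation, target, who.cert_subject)
        self.requests[req.request_id] = req
        self._log("submitted", actor=who.cert_subject, request=req.request_id,
                  operation=operation, target=target)
        return req

    def approve(self, who, request_id):
        req = self.requests[request_id]
        if Role.APPROVER not in who.roles:
            self._deny(who, "only approvers may approve", request=request_id)
        if who.cert_subject == req.requester:
            # The core four-eyes rule: the requester can never be the approver.
            self._deny(who, "self-approval is not allowed", request=request_id)
        req.approvals.add(who.cert_subject)
        self._log("approved", actor=who.cert_subject, request=request_id)
        return req

    def execute(self, who, request_id):
        req = self.requests[request_id]
        if Role.OPERATOR not in who.roles:
            self._deny(who, "only operators may execute", request=request_id)
        if req.executed:
            self._deny(who, "request already executed", request=request_id)
        needs_approval = req.operation in FOUR_EYES_OPERATIONS
        if needs_approval and not (req.approvals - {req.requester}):
            self._deny(who, "four-eyes approval missing", request=request_id)
        req.executed = True
        self._log("executed", actor=who.cert_subject, request=request_id)
        return True

    def denied_events(self):
        return [e for e in self.audit_log if e["event"] == "denied"]


if __name__ == "__main__":
    # Constructed sample principals.
    alice = Principal("CN=alice", frozenset({Role.OPERATOR}))
    bob = Principal("CN=bob", frozenset({Role.APPROVER}))
    ledger = ApprovalLedger()
    req = ledger.submit(alice, "create_card", "card-0001")
    ledger.approve(bob, req.request_id)
    ledger.execute(alice, req.request_id)
    for entry in ledger.audit_log:
        print(entry)
```

The check that matters is in `approve`: a principal who holds both roles still cannot approve a request they filed themselves, which is what turns "two roles" into "two people". Denied attempts are logged with the same detail as successful ones, so the audit trail (or a remote log server) shows who tried to bypass the control, not only who passed it.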
Agent based
No inbound connection required to the protected zone:
One MARGARETA can handle multiple zones
– Office, production, test
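The agent-based layout described above, as an added example that is not MARGARETA's own code: the central service never opens a connection into a zone; each zone's agent connects outbound, fetches only the jobs queued for its own zone and reports results back, so nothing in the protected zone listens on a port. In-process method calls stand in for the outbound HTTPS requests of a real deployment, and the certificate fingerprint stands in for the client certificate presented over mutually authenticated TLS. All names, zones and sample certificates are hypothetical.

```python
"""Pull-based agent dispatch: no inbound connection into the protected zone (added example)."""
from collections import deque
from dataclasses import dataclass
from typing import Optional
import hashlib


@dataclass
class Job:
    job_id: int
    zone: str
    action: str
    result: Optional[str] = None


class CentralService:
    """Runs outside the protected zones and only answers requests."""

    def __init__(self):
        self._queues = {}      # zone -> deque of pending jobs
        self._agents = {}      # zone -> fingerprint of that zone's agent certificate
        self._next_id = 1
        self.completed = []

    def register_agent(self, zone, cert_pem):
        self._agents[zone] = hashlib.sha256(cert_pem).hexdigest()

    def _authenticate(self, zone, fingerprint):
        # A valid agent certificate only grants access to its own zone's queue.
        if self._agents.get(zone) != fingerprint:
            raise PermissionError(f"agent not authorised for zone {zone!r}")

    def enqueue(self, zone, action):
        job = Job(self._next_id, zone, action)
        self._next_id += 1
        self._queues.setdefault(zone, deque()).append(job)
        return job.job_id

    def poll(self, zone, fingerprint):
        """Called by an agent (outbound from the zone); hands out one job or None."""
        self._authenticate(zone, fingerprint)
        queue = self._queues.get(zone)
        return queue.popleft() if queue else None

    def report(self, zone, fingerprint, job):
        self._authenticate(zone, fingerprint)
        if job.zone != zone:
            raise PermissionError("result reported for a foreign zone")
        self.completed.append(job)

    def pending(self, zone):
        return len(self._queues.get(zone, ()))


class ZoneAgent:
    """Runs inside a protected zone; listens on nothing, only calls out."""

    def __init__(self, zone, cert_pem, service):
        self.zone = zone
        self.fingerprint = hashlib.sha256(cert_pem).hexdigest()
        self.service = service

    def run_once(self):
        """One polling cycle: drain this zone's queue and report each result."""
        handled = 0
        while True:
            job = self.service.poll(self.zone, self.fingerprint)
            if job is None:
                return handled
            job.result = f"{job.action} performed inside {self.zone}"   # local work
            self.service.report(self.zone, self.fingerprint, job)
            handled += 1


if __name__ == "__main__":
    # Constructed sample data: two zones, one agent each, fake certificates.
    service = CentralService()
    service.register_agent("office", b"fake office agent certificate")
    service.register_agent("production", b"fake production agent certificate")
    service.enqueue("office", "issue_auth_cert")
    service.enqueue("production", "revoke_cert")
    office = ZoneAgent("office", b"fake office agent certificate", service)
    print(office.run_once(), "job(s) handled by the office agent")
    print([(j.zone, j.result) for j in service.completed])
```

Two properties follow from this shape: the firewall in front of a zone only needs an outbound rule towards the central service, and an agent's credential is bound to one zone, so a compromised office agent cannot pull production jobs or inject production results.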
If employees have multiple user accounts?
E.g. two accounts
– normal user: smart card logon
– admin: using password?
Separated zones
– Office, test, production
– A normal and a privileged account in each:
  • 6 auth. certificates from 3 CAs

One card to rule them all
Advantages
– Faster, more secure than using 6 complex passwords
Possible
– Most current cards can store 10+ certificates
– A separated architecture can be managed securely by only one system
How it’s mapped?
[Diagram: Card (physical, logical) – Profile (physical, logical) – Certificate templates – User (physical, logical)]
Operation
Clientless: web interface, no client software installation required
– only Java (for card handling), but can run w/o install (shared folder)
– Web Start is the preferred way, but still runnable as an applet
Remote PIN unblock support (where API available)
Handles external requests (like IDM)
Soft token handling
– including key sending, chain modification for iOS, etc.
Batch card personalization module
– supporting photo printing and RFID cards
Supports temporary (one day) cards with HelpDesk module
– if the user leaves it at home
Supported systems
Databases: Oracle, MSSQL, MySQL/MariaDB
IDM
– SPML / Custom integration
LDAP
– LDAPv3 compatible
PKI
– Microsoft Active Directory Certificate Services
– EJBCA
– Verizon UniCERT
– cryptovision CAmelot (will be available soon)
Tokens/cards
– PKCS#11 (no vendor lock-in)
– Most JavaCards and other cards (cryptovision sc/interface)
– Microsoft Virtual Smart Card*
– Soft token
Advantages
– Secure, auditable
– Agent based, clientless (cloud-ready)
– Scalable, flexible
– Easy to implement
– Easy to use
– Special multi-level function
– Supports custom modules
Roadmap
– UI improvements
– Mobile client
– New self-service portal
– Support for other application servers / web containers
– Virtual appliance
– MARGARETA as a Service
– Microsoft Virtual Smart Card
cryptovision + Noreg
– VAR since 2015
– MARGARETA supports sc/interface since 2015
– Microsoft Virtual Smart Card:
  • mutual development, testing, feedback
– Joined customers since 2015 and more to come soon…