Encryption - Excellence PKI
Excellence is a Public Key Infrastructure (PKI) toolkit designed to protect data while it is processed, stored or transferred between computers. It uses encryption, digital signature and integrity control technologies based on public key certificates.
The system includes the following features that conform to international standards for digital certificates (format X.509 v.3):
- Issue of certificates
- Certificate revocation
- Temporary revocation and reinstatement of certificates
The system works with a number of cryptographic providers (CPs):
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Strong Cryptographic Provider
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)
- Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
System Requirements
The system will run on the following platforms:
- Windows NT 4
- Windows 2000
- Windows XP
- Windows 98
- Windows ME
Content and architecture of the system
The system consists of the following components:
- Certification Authority (CA)
- Registration Authority (RA)
- End Entity (EE)
The CA issues and revokes user certificates; the RA registers End Entities.
Each CA can create any number of RAs.
Each CA serves its own group of End Entities. The number of users it can serve depends on the hardware of the computer on which the CA is installed.
The Certification Authority (CA)
The CA includes:
- Registration Data Base
- Personal certificates archive
- Archive of root Certification Authorities
- Archive of other users' certificates
- Archive of certificates and Certificate Revocation List (CRL)
- Archive of incoming CMCs
- Archive of outgoing CMCs
CA:
- Generates the certification key and two key pairs (one for digital signature, one for key exchange) for the CA operator
- Publishes its own self-signed certificate
- Creates RAs by registering them in its own registration database
- Issues public key certificates to RAs and End Entities on request
- Regularly updates and publishes the CRL, which lists the revoked certificates
- Regularly updates the network directory, where one exists
- Where no network directory exists, delivers new certificates and the CRL directly to the RAs and EEs
Registration Authority
The RA includes:
- Registration database
- Personal certificate archive
- Root certificate archive
- Other users' certificate archive
- Certificate and CRL archive storage
- Archive of incoming CMC
- Archive of outgoing CMC
RA:
- Is registered with the CA
- Generates two key pairs (one for digital signature, one for key exchange)
- Generates requests for its own public key certificates and sends them to the CA
- Receives certificates from the CA and includes them in its own certificate archive
- Registers EEs in its registration database and forwards the registration data to the CA
- Generates requests to revoke personal certificates and forwards them to the CA
- Receives new certificates and CRL from the CA or from the net directory and includes them in its own archive
The End Entity
EE includes:
- Registration database: consists of personal registration record and registration records of RA and CA
- Personal certificate archive
- Root certificate archive
- Archive of current user certificates
EE:
- Is registered with an RA
- Generates two key pairs (one for digital signature, one for key exchange)
- Generates requests for its own public key certificates and sends them to the CA
- Receives its own certificates from the CA and enters them into its own certificate archive
- Generates requests to revoke its own certificates and forwards them to the CA
- Receives other users' certificates and the CRL from the CA or from the network directory and enters them into its own certificate archive
General Principles
The general system functionality principles correspond to RFC 2510 recommendations.
The aim of the system is to provide every EE with:
- digital certificates
- timely revocation of certificates
- temporary suspension of certificates
- reinstatement of issued certificates
All certificate management is carried out by means of certificate management messages (CMMs) exchanged between the EEs, the RAs and the CA. The integrity and authorship of every CMM are controlled by protecting it with digital signature keys and initialization keys.
Crypto-protection of messages
The system's keys and certificates can be used for the crypto-protection of messages (encryption, digital signature and integrity control) through the Microsoft Crypto API.
The Microsoft Crypto API functions are documented in the Microsoft Developer Network (MSDN) under Platform SDK Documentation | Security | Cryptography | CryptoAPI; examples of their use can be found there as well.
Both the Base Cryptography Functions and the Message Functions can be used to protect messages.
APPLICATIONS
Protection of e-mail
Keys and Certificates of Excellence PKI can be used to protect e-mails in Microsoft Outlook and Outlook Express.
E-Commerce
An example of an E-Commerce system that uses PKI is the MarketSite Portal Solution (http://www.marketsite.net) from Commerce One.
Electronic Notary Office
The electronic notary is intended for certifying rights to intellectual property.
Any file on the computer can be certified as existing at a particular time. Certification is carried out by a trusted party, normally a dedicated service of the Certification Authority.
A special certificate (timestamp certificate) is issued for the certified file. It contains the hash value of the file and a timestamp applied by the electronic notary service, and the whole certificate is signed with the electronic notary's digital signature.
An example of an electronic notary is e-TimeStamp (www.e-timestamp.com) from DigiStamp, Inc (www.digistamp.com).
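The timestamp certificate described above, as an added example in Go that is not part of Excellence PKI and uses Go's standard library in place of the Microsoft Crypto API: the notary signs the file hash together with the time, and the relying party checks both the hash and the signature. The token layout, the ECDSA P-256 key and the sample file content are assumptions; the same sign-and-verify pattern is what protects the integrity and authorship of the CMMs under General Principles.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Token is the notary's timestamp certificate for one file (constructed example format).
type Token struct {
	FileHash [32]byte // SHA-256 of the certified file
	Unix     int64    // time of notarization, seconds since the Unix epoch
	Sig      []byte   // notary's ECDSA signature over signedBytes(FileHash, Unix)
}

// NewNotaryKey generates the notary's P-256 signing key pair (assumed algorithm).
func NewNotaryKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// signedBytes: hash then big-endian time, the exact bytes the notary signs, so
// neither field can be altered afterwards without breaking the signature.
func signedBytes(h [32]byte, unix int64) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(unix))
	return append(h[:], ts[:]...)
}

// Notarize hashes the file content, records the time and signs both.
func Notarize(notary *ecdsa.PrivateKey, content []byte, at time.Time) (t Token, err error) {
	t = Token{FileHash: sha256.Sum256(content), Unix: at.Unix()}
	digest := sha256.Sum256(signedBytes(t.FileHash, t.Unix))
	t.Sig, err = ecdsa.SignASN1(rand.Reader, notary, digest[:])
	return t, err
}

// Verify is the relying party's check: content must hash to the certified value and
// (hash, time) must carry a valid notary signature; a modified file or time fails.
func Verify(pub *ecdsa.PublicKey, content []byte, t Token) bool {
	if sha256.Sum256(content) != t.FileHash {
		return false
	}
	digest := sha256.Sum256(signedBytes(t.FileHash, t.Unix))
	return ecdsa.VerifyASN1(pub, digest[:], t.Sig)
}

func main() {
	notary, _ := NewNotaryKey()
	tok, _ := Notarize(notary, []byte("contract.txt v1"), time.Now())
	fmt.Println(Verify(&notary.PublicKey, []byte("contract.txt v1"), tok)) // true
}
```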
Access authorisation
- Authentication for computer access
- Access control for Windows 98/ME/2000/XP
- Authentication for access to VPN
- Access authorisation in e-commerce systems
- Corporate identification cards
- Authorisation of entry to premises
An example of an access authorisation system is IIG SmartLogon (http://www.smartlogon.ru) from Info Industries Group.
Email sales@nest-soft.co.uk for enquiries about this product.
