In industries where trust is an integral part of every transaction, such as Web banking and Internet commerce, businesses cannot afford even a momentary lapse in security. The latest public key infrastructure (PKI) solution from Baltimore Technologies, UniCERT 3.0.5, offers an iron-clad Windows NT-based certificate authority (CA) system that is well-equipped to easily integrate into your existing infrastructure.
Version 3.0.5 offers several improvements, including enforced unique Distinguished Names and public keys for better security. Also, it can now manually generate and publish certificate revocation lists (CRLs) for fast reaction to your business's changing needs. Most noteworthy is the added support for Baltimore's Archive Server 1.0, which allows implementation of a secure key backup and recovery plan. And its support of hardware and security standards is top notch.
Although UniCERT lacks the out-of-the-box enterprise resource planning integration found in comparable solutions, such as Entrust/PKI, and requires a sizable budgetary commitment, the end result is a comprehensive lockdown of your infrastructure that provides complete control from the CA to the client.
UniCERT's graphical interface will save you time, both when setting up and when administering your PKI, and the new archive server will significantly reduce the overhead of lost key recovery, typically improving users' willingness to use PKI technology. If you need to build a trusted infrastructure so that your large organisation can transact secure Internet commerce, consider UniCERT.
UniCERT's flexibility and cost-effectiveness come from its modular structure, which lets you add and upgrade components as your business needs evolve. The two primary modules are the CA and the registration authority (RA). The CA signs and publishes certificates and CRLs; the RA routes certificate requests.
The two other principal modules are the Certificate Authority Operator (CAO) and the Registration Authority Operator (RAO). With the CAO, I defined security policies for use on the associated CA, determining parameters such as key strength, validity, usage function of the certificate (such as digital signature, encipherment, and nonrepudiation), and registration method (such as via Web browser, e-mail, or virtual private network). The CAO also let me define unique policies for each registration method.
The RAO gathers information from the certificate requester and uses the defined policies to authorise or reject certificate requests. You can automate the entire process for remote registration, and issued private keys can be stored either on disk or on a hardware token.
I separated the modules on individual hardware systems, including the mandatory Oracle database used to store and communicate between components. The result was a highly scalable architecture that distributed the workload and reduced bottlenecking.
You can add a Gateway module to UniCERT, which lets your PKI accept remote certification requests securely via e-mail and the Web. The Gateway channels the request to the RA, which enters it into the database. The RAO processes the request, and the Gateway returns the certificate (or URL reference in the case of a Web-based request) to the end-user via e-mail.
Two of UniCERT's most useful tools are the PKI Editor and the Security Policy Editor. These graphical layout tools provided quick and easy access to some otherwise tedious tasks, and they gave me great insight into my environment.
With the PKI Editor, defining and structuring my PKI was as easy as dragging components to the layout. When I drew lines between the components and their defining attributes, UniCERT built the necessary key pairs and certificates based on the defined policies and dependencies. The resulting hierarchical map provided a clear overview of my PKI, as well as point-and-click access for editing and deleting components.
The Security Policy Editor was equally adept at designing registration screens and certification templates for use by the RAO. In addition to the typical fields, such as key strength and renewal policies, nonstandard fields, such as the user's driver's license number or a head-shot, can be included in the registration process. Although not published with the certificate, these extra items are stored with certificate data and improve overall security, allowing you to authenticate the requester of a lost key against a photograph, for example.
Also, the UniCERT Archive Server 1.0 module provides safe archival and retrieval of end-user encrypted private keys. When a personal identification number or smart card is lost, the Security Officer can search for and retrieve keys from the archive using information given by the user. In my testing, I quickly retrieved sample keys based on search criteria via the easy-to-use GUI.
Unfortunately, this implementation of the Archive Server seems to be a stopgap effort to address the need for corporate backup. It does not provide for distributed architecture or multiple security officers, and it fails to support the split Personal Secure Environment (PSE) feature of UniCERT (a distributed PSE file containing certificate and key information). Improvements are slated for a future release, but users are left with an interim solution that falls short of the comprehensiveness offered by the rest of the UniCERT package.
But overall, UniCERT is an effective, policy-driven certificate authoring system that will not only tighten security, but will also reduce maintenance costs through automation and its extensible modular design.
James R. Borck (james.borck@industrialart.com) is a frequent InfoWorld contributor and IS Director for Industrial Art & Science, in Connecticut.
THE BOTTOM LINE: VERY GOOD
Baltimore Technologies UniCERT 3.0.5
Summary: This public key infrastructure (PKI) tool's graphical toolkit makes setting up the certificate authority (CA) easy. Its automated capabilities lighten your workload, and a newly implemented Archive Server can ease key backup and retrieval efforts.
Business Case: Although start-up costs for all of the UniCERT modules needed to build an effective PKI are a major financial commitment, return on investment comes from reduced maintenance and an improved Internet-commerce security framework.
Pros:
+ Graphical toolkit interface
+ Backup server for key archival
+ Great policy and implementation control
+ Modular design integrates easily
Cons:
- Windows NT-only certificate authority
Cost: $US25,000, CA; $22,000, archive server; $3,000, gateway; $3,000, Certificate Authority Operator; $5,000, registration authority (RA); $1,500, Registration Authority Operator
Platform(s): CA: Windows NT; RA: Windows 95/98, NT
Baltimore Technologies PLC; +1-877-228-9754; http://www.baltimore.com