McAfee® Endpoint Encryption and PKI Tokens
Endpoint Encryption and PKI Integration

Endpoint Encryption PKI Connector and PKI Token Architecture Overview

Endpoint Encryption, uniquely amongst full-disk encryption products, is able to use existing PKI certificates stored on tokens such as USB keys and smart cards for authentication. This has many advantages, such as:
• re-use of existing tokens – no investment in new technology
• no need to reinitialize tokens for users
• revocation of a certificate results in denial of access to PCs and laptops

Using its Connector technology, the Endpoint Encryption Manager integrates transparently with back-end PKI public key directories such as Microsoft Active Directory, Novell NDS, and other LDAP systems. This paper, written by McAfee's Sales Engineer team, explains how the integration with Endpoint Encryption is performed and documents some of the advantages of this solution.

Endpoint Encryption Certified System Engineers

The SCSE award is only issued to the highest-calibre Endpoint Encryption trained engineers who have both passed the SCSA exam and shown complete understanding of Endpoint Encryption implementation and management. For information on SCSA and SCSE training courses, please contact your local McAfee representative.

Introduction

PKI, or "Public Key Infrastructure", has become the method of choice for many large organizations to provide authentication and security services to their users. The unique advantages of PKI make the investment worthwhile: for example, being able to host a public directory of user keys, and being able to use the key material for multiple purposes. The more applications that can make use of this key material, the better the TCO (Total Cost of Ownership) return.
Endpoint Encryption for PC has supported tokens such as smart cards and USB keys within its pre-boot operating system for many years; in fact, the very first version of Endpoint Encryption in 1992 did not support simple password logon – it ONLY supported tokens.

Storage Tokens

Typically Endpoint Encryption uses tokens in "storage mode" – this is where a unique Endpoint Encryption key is stored on the token, protected by the token's authentication system. On a smart card this would be the smart card PIN or password; on a fingerprint token, the template of the user's finger. In either case Endpoint Encryption relies on the token to secure the key, and each token needs to be initialized separately for each user.

Crypt-Only Tokens

Endpoint Encryption 4.x also supports a special type of token called a "crypt-only" token. This is a token which has no storage (or whose storage we choose not to use), but which can perform cryptographic operations under the authentication of a PIN or password. This type of token is especially useful if we can ask the token to use asymmetric (PKI) encryption functions.

Authenticating using a Crypt-Only Token

With a crypt-only token, the Endpoint Encryption key material is not stored on the token as with a storage token, but within the Endpoint Encryption user profile stored on the user's hard disk. This key is stored encrypted with the counterpart of the key held on the crypt-only token – that is, with the user's public key. To retrieve the user's Endpoint Encryption key and log on with a storage token, we simply ask the user to enter the token PIN, then read the key from the device. With a crypt-only token, Endpoint Encryption asks the user to enter the token PIN, then sends the stored encrypted key to the token with the request that it decrypt it (with the on-token private key) and send it back.
With a crypt-only token, the user's decryption key never needs to leave the token.

Comparison of Crypt-only vs Storage Tokens

Storage Tokens:
• Require initialisation for each user
• Need to store Endpoint Encryption keys
• Need to share storage between multiple applications

Crypt-Only Tokens:
• No requirement to initialise the token
• No storage requirement
• No shared storage
• Require Connector architecture

Setting Up Crypt-Only Tokens

Using Endpoint Encryption's connector architecture, a PKI can be leveraged to set up PKI tokens without actually needing to touch the physical tokens themselves. An Endpoint Encryption G2 connector (such as the Active Directory or LDAP connector) can obtain a user's public key from the PKI directory and encrypt the user's virtual Endpoint Encryption token key with it. This is stored in the user's policy and distributed to any connected Endpoint Encryption application, such as Endpoint Encryption for PC or Endpoint Encryption for Files and Folders. As this data is purely logical, there is no need for the user's physical token at this point – the initialization can occur in the background with no user or administrator intervention.

By setting up rules within the G2 connector configuration, the connector will set up users who match certain criteria, set their policy, and update their policy as their details in the PKI change. The connector will even move users between groups, and may enable or disable their access to certain machines depending on how their policy changes. All these activities occur automatically without any administrator intervention.

Revocation Lists and Certificate Expiry

There are other advantages in using Endpoint Encryption G2 connectors to manage the token initialization process.
As well as being able to create the user automatically and allow them to log in without ever touching their physical token, the G2 Connector will also ensure that if the user's PKI certificate expires or is revoked, the user is disabled in the Endpoint Encryption database. Also, if a user's certificate rolls over, the connector will automatically roll the user's policy across to use the new certificate when it becomes active (based on the old and new certificates' valid-from/valid-until dates).

What you need to use this technology

To make use of this technology you need the following Endpoint Encryption components:
• PKI public certificate server, for example LDAP or Active Directory, with Entrust / Microsoft / Verisign / T-Systems certificates
• Endpoint Encryption Manager v4.2.12 or above
• Endpoint Encryption G2 Connector (Active Directory or LDAP)
• Supported PKI token (Activcard v2 smart card, eToken 64KB, Setec smart card, T-Systems smart card, Estonian National ID smart card)
• Endpoint Encryption product, such as Endpoint Encryption for PC or Endpoint Encryption for Files and Folders

Endpoint Encryption is continuously adding support for other tokens and PKI environments – if your environment is not listed, please contact your McAfee representative for the latest compatibility information.

Summary of PKI Usage in Endpoint Encryption

1. The Endpoint Encryption Connector automatically collects user certificates from the PKI, creates users, and creates logical tokens. It also configures the user policy as it goes. There is no need to access the user's physical token.
2. The Endpoint Encryption key, encrypted with the user's public key, is distributed to laptops and desktops via Endpoint Encryption's automated policy deployment. The policy also contains other items collected from the PKI, such as the user's expiry date, logon hours and other policy details.
3. To log on, the encrypted Endpoint Encryption key is sent to the user's physical token for decryption using the private key stored on the token. The private key never leaves the token.
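The three-step crypt-only flow summarised above, as an added Python illustration that is not McAfee's code: a toy RSA pair built from constructed small primes stands in for the user's PKI certificate and the card's private key, the connector encrypts the Manager's copy of the Endpoint Encryption key under the directory public key and disables the user when the certificate is revoked or outside its validity dates, and pre-boot logon hands the ciphertext to the card, which decrypts only after the correct PIN. All class and function names are my own assumptions.

```python
from dataclasses import dataclass
from datetime import date

def toy_keypair(p, q, e=65537):
    """Constructed toy RSA pair standing in for the user's PKI certificate key pair."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)

@dataclass
class Certificate:
    """What the G2 connector reads from the PKI directory for one user."""
    public_key: tuple
    valid_from: date
    valid_until: date
    revoked: bool = False

class CryptOnlyToken:
    """Smart card with no usable storage: it only decrypts, and only after the PIN."""
    def __init__(self, pin, private_key):
        self._pin = pin
        self._n, self._d = private_key
    def decrypt(self, pin, ciphertext):
        if pin != self._pin:
            raise PermissionError("wrong PIN")
        return pow(ciphertext, self._d, self._n)   # private key never leaves the card

@dataclass
class UserPolicy:
    """Logical token: lives in the user profile on the PC, pushed out by the Manager."""
    encrypted_ee_key: int
    enabled: bool = True

def connector_sync(cert, today, ee_key):
    """One connector pass: (re)build the logical token from the directory certificate.
    ee_key is the Manager's copy of the user's Endpoint Encryption key, so a
    certificate roll-over is just a re-encryption under the new public key."""
    n, e = cert.public_key
    if cert.revoked or not (cert.valid_from <= today <= cert.valid_until):
        return UserPolicy(encrypted_ee_key=0, enabled=False)   # revoked/expired: disable
    return UserPolicy(encrypted_ee_key=pow(ee_key, e, n))      # physical token not needed

def preboot_logon(policy, token, pin):
    """Pre-boot logon: hand the stored ciphertext to the card and get the key back."""
    if not policy.enabled:
        raise PermissionError("user disabled by connector")
    return token.decrypt(pin, policy.encrypted_ee_key)
```

Running a second `connector_sync` against a newer certificate with the same `ee_key` models the roll-over case: the PC receives a fresh ciphertext for the new card while the key itself is unchanged.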