Gartner
RSA Security RSA Keon Certificate Authority PKI Product
Summary
RSA Keon Certificate Authority—a PKI platform for Internet and e-commerce applications—serves as root
certification authority for multiple PKIs and allows rapid deployment of Internet applications.
Note
In June 2003, RSA Security announced that RSA Keon PKI software had been selected as one of two
certification authorities chosen by the U.S. Department of Defense (DOD) to support its Common Access
Card deployment.
Table of Contents
Overview
Analysis
Pricing
Competitors
Strengths
Limitations
Insight
List of Tables
Table 1: Enhancements: RSA Keon CA 6.5, December 2002
Table 2: Overview: RSA Keon CA
Table 3: RSA Keon CA Architecture Basic Components
Table 4: RSA Keon Certificate Management Solution
Table 5: Features and Functions: RSA Keon CA
Table 6: Standards Supported by RSA Keon CA
Table 7: Price List: RSA Keon CA
Table 8: RSA Keon Competitors
Corporate Headquarters
RSA Security Inc.
174 Middlesex Turnpike
Bedford, MA 01730, U.S.A.
Tel: +1 781 515 5000
Overview
The RSA Keon Certificate Authority (RSA Keon CA) issues, manages and validates digital certificates that
you may use in a wide range of public key infrastructure (PKI)-enabled applications. Such applications
include Web access via Secure Sockets Layer (SSL), virtual private network (VPN) using Internet
Protocol Security (IPsec), secure e-mail through Secure Multipurpose Internet Mail Extensions (S/MIME)
and custom enterprise applications. A single system can provide certificate-based security for multiple
enterprise applications and devices. RSA Keon CA software was the first digital certificate management
solution to be Common Criteria EAL 4+ certified.
RSA Keon
The RSA Keon Certificate Management product line consists of three main components with a number
of supporting modules, components and solutions.
RSA Keon Certificate Management Product Line
RSA Keon CA
RSA Keon Registration Authority (RA)
RSA Keon Key Recovery Module
RSA Keon WebSentry
RSA Keon Web PassPort
RSA Keon Root Signing Service
RSA Keon Certificate Management Solution Focus Areas
RSA Keon Web Server SSL
RSA Keon Secure VPN
RSA Secure e-Mail
RSA Secure e-Forms Signing
Supporting RSA Security Product or Modules
RSA BSAFE Development Components
Table 1: Enhancements: RSA Keon CA 6.5, December 2002
GOST Public Key Digital Signature Algorithm: RSA Keon CA software supports the Russian GOST cryptographic standards, including GOST 28147-89, Cryptographic Protection for Data Processing Systems. GOST 28147-89 itself is a symmetric block cipher, adopted in 1989 and in force since 1990; the digital signature algorithm in the same family is GOST R 34.10. GOST became the standard for Russian-based organizations to create trusted e-business processes.
European Qualified Certificate: RSA Keon CA is in full compliance with all mandatory requirements as defined by the European Directive on Electronic Signatures.
Common Criteria EAL4+ Certification (see Table 2)
Table 2: Overview: RSA Keon CA
Version: 6.5
Date Announced: RSA Keon CA 6.5 shipped in December 2002.
Platforms Supported: Windows 2000, Windows NT, Sun Solaris.
Standards: RSA Keon CA is based on open standards. It delivers certificates that will interoperate with PKI solutions from any vendor that follows current PKI standards, such as Lightweight Directory Access Protocol (LDAP), Public Key Cryptography Standards (PKCS), X.509 v3 and Public Key Infrastructure X.509 (PKIX).
Certification:
• Common Criteria Evaluation Assurance Level 4 Augmented (EAL4+), the level that specifies that a product has been methodically designed, tested and reviewed.
• Identrus
• Fully compliant with all mandatory requirements as defined by the European Union (EU) Directive on Electronic Signatures and GOST, the Russian standard.
Table 3: RSA Keon CA Architecture Basic Components
Component: Description
RSA Keon CA: Creates, authorizes and manages digital certificates, allowing organizations to define and self-administer their own security procedures, trust relationships, certificate formats and rules for certificate life cycles.
RSA Keon OneStep: A component of RSA Keon CA, RSA Keon OneStep provides a customizable mechanism to authenticate, approve, issue and install digital certificates automatically through existing authentication technologies and other data sources. Thus, the certificate enrollment process can be hidden from users and reduced to one simple step.
LDAP Certificate Repository: Repository in which certificates and certificate revocation lists (CRLs) are stored securely for later retrieval by systems and users. RSA Keon CA includes a built-in Secure Directory Server and can also publish certificates and CRLs to any standards-compliant LDAP directory.
RSA Keon RA: Works with RSA Keon CA to streamline the enrollment process for handling large volumes of end-user certificate requests. The RSA Keon RA software enables organizations to set up either remote or local stand-alone enrollment centers for large-user implementations at distributed geographic locations.
RSA Keon Key Recovery Module (KRM): RSA Keon KRM securely archives and recovers users' private encryption keys. It combines reliable and secure long-term encryption key-pair storage with straightforward, secure user enrollment. RSA Keon KRM is an add-on module and is not a required module for RSA Keon CA.
RSA Keon WebSentry: An optional security plug-in that works with RSA Keon CA to provide real-time status checking of client certificates for leading Web servers.
RSA e-Sign: A zero-footprint, downloadable Web-browser plug-in designed to digitally sign HTML Web-based forms, enabling organizations to realize trusted and secure end-to-end electronic processes. RSA e-Sign is an add-on module and is not a required module for RSA Keon CA.
Table 4: RSA Keon Certificate Management Solution
RSA Keon Web Server SSL Solution: Enables organizations to issue and manage their own trusted SSL certificates. It includes RSA Keon CA and the RSA Keon Root Signing Service, which allows an organization's CA to be signed by the trusted RSA Keon root CA. It also includes a Quick Start Package with a set of service-based delivery items in support of implementation planning, software installation and training.
RSA Keon Secure VPN: Enables strong authentication of users' devices and transactions within a VPN. Digital-certificate-protected IP VPNs offer anytime, anywhere secure remote access for users. It is interoperable with leading VPN vendors, such as Nortel, Cisco, Check Point and NetScreen.
RSA Secure e-Mail: Allows end users to encrypt and digitally sign important e-mail communications, including any type of attachment, so that only intended recipients can access the message. RSA Keon digital certificate management software is integrated with Microsoft Exchange and Microsoft Outlook for confidentiality and data integrity.
RSA Secure e-Forms Signing: Provides digital signatures to enable a trusted and secure end-to-end electronic process. Targeted at organizations looking to improve business efficiencies by replacing paper-based forms or extending existing e-business processes with Web-based, electronically signed forms.
Table 5: Features and Functions: RSA Keon CA
Digital Certificate Technology
Certificate Validation: RSA Keon CA uses the Online Certificate Status Protocol (OCSP) to check the validity of a certificate with the certification authority in real time. Its OCSP implementation answers from the CA repository's current status rather than from a pre-published CRL that may be out of date. RSA Keon CA can also generate and publish CRLs to an LDAP directory, allowing certificate validation through standard CRL checking.
Certificate Revocation: Full certificate revocation support with CRL v2.
Non-Repudiation: RSA Keon CA supports dual key pairs, one for signing and another for encryption, so that the signing key need never be archived (the Key Recovery Module archives encryption keys only) and a signature can be attributed solely to its holder. Configurable domains for delegating administration authority support both dual-key and single-key deployments, because several products, such as Web browsers and secure e-mail packages, use only a single key for both signing and encryption.
Support for Dual Keys: Single certificate for combined signing and encryption keys. Dual certificates for separate signing and encryption keys to facilitate non-repudiation.
Creation of Multiple Certificates: Administrators can approve large numbers of user certificate requests with the batch driver, or RSA Keon OneStep can be used to automatically approve large user populations.
Encryption: RSA Keon CA provides root-key assurance by bundling hardware security modules certified as Federal Information Processing Standard (FIPS) 140-compliant. The root keys are generated and stored in tamper-resistant hardware.
Cross-Certification: RSA Keon CA supports a hierarchical, peer-to-peer or hybrid trust model, allowing it to be chained in a certificate hierarchy. This permits an organization to set up a trust model that maps its worldwide organizational structure, allowing control at regional or divisional levels. In addition, for an organization requiring cross-organizational trust, the RSA Keon CA root certificate can be signed by another vendor's certification authority root certificate. RSA Keon CA also supports PKIX-compliant cross-certificates used for projects such as the Federal Bridge CA.
Customized Certificates: RSA Keon CA offers certificate formats for the applications that customers are deploying: SSL for Web applications, S/MIME for secure e-mail, IPsec for VPNs and customized certificates through the use of certificate extensions.
Administration
Certificate Renewal: Certificate/key renewal is configurable by an organization; the end user may renew his or her certificate without administrator intervention.
Certificate Administration: The RSA Keon OneStep feature reduces administrative effort by combining request, verification, user authentication, certificate population and approval into one automatic process.
PKI Administration: The roles of certificate administrator and system administrator are clearly separated:
• Certificate administrators handle registration, enrollment and certificate revocation across the enterprise.
• The system administrator maintains the entire RSA Keon CA. Larger organizations may have one system administrator and several certificate administrators. However, smaller enterprises can manage with one individual to handle both system and certificate administration tasks.
Integration
Integration Toolkit: RSA BSAFE Cert-C and Cert-J software includes the application programming interfaces (APIs), documentation, source code examples and cryptographic libraries that developers need to create, test and deploy secure applications for a variety of PKI vendor environments.
Algorithms Supported: Digital Signature Algorithm (DSA), Elliptic Curve Digital Signature Algorithm (ECDSA), GOST, Message-Digest Algorithm 5 (MD5), Rivest-Shamir-Adleman (RSA) and Secure Hash Algorithm 1 (SHA-1).
Application Support: Compatible with a wide variety of firewalls, VPNs, routers and directory services or applications, such as Netscape Navigator and Microsoft Internet Explorer. Also works with Web servers and popular e-mail packages such as Microsoft Outlook.
VPN Readiness: Supports the Simple Certificate Enrollment Protocol (SCEP) for VPN certificate enrollment. Generates certificates that are usable by VPN-enabled systems out of the box.
Security Features
Security Policy: The organization determines its own security procedures, trust relationships, certificate formats and rules for certificate life cycles.
High Root Key Assurance: RSA Keon CA bundles hardware security modules that protect keys in secure, tamper-resistant hardware.
Installation and Support
Installation: Designed to be installed right out of the box into established networks, or used in custom enterprise applications, third-party directory services, routers, firewalls and other network applications and systems products. Can be used across a range of PKI-enabled applications, including Web access using SSL, VPNs using IPsec and secure e-mail using S/MIME.
Table 6: Standards Supported by RSA Keon CA
Algorithm: Comments
RSA (512-2048): Asymmetric algorithm; certificates, key generation and internal messaging
DSA (512-1024): Digital Signature Algorithm
ECDSA: Elliptic Curve Digital Signature Algorithm
MD5: Hash algorithm; certificates
SHA-1: Hash algorithm; certificates and internal messaging
Triple DES (3-DES): Symmetric algorithm; encryption of private keys
Standard: Comments
X.509 v3: Certificate standard
CRL v2: Certificate revocation list standard
Request for Comments (RFC) 2459: Profile for X.509 v3 certificates and CRLs
RFC 2510: Certificate Management Protocol (CMP)
RFC 2511: Certificate Request Message Format (CRMF)
PKCS#1: Certificate creation, verification and internal messaging (RSA signature and encryption primitives)
PKCS#5: Password-based encryption
PKCS#7: Certificate reply, internal messaging
PKCS#10: Certificate request syntax, including cross-certification
PKCS#11: Communication with external cryptographic modules
PKCS#12: Vault to store private keys and certificates
LDAP: Communication with LDAP and X.500 directories
SSL-LDAP: Secure LDAP over SSL for internal communication and communication with external LDAP and X.500 directories
TCP/IP: Internal/external communication
HTTP over SSL (HTTPS): Secure HTTP over SSL
RFC 2560 (OCSP): Supported natively by RSA Keon PKI
SCEP: Simple Certificate Enrollment Protocol
CRS: Certificate Request Syntax
FIPS 140-1 level 3: Supported through third-party hardware
FIPS 180-1: Standard for SHA-1
FIPS 186-2: Digital Signature Standard (DSA, RSA, ECDSA algorithms)
FIPS 46-3: Standard for 3-DES
FIPS 81: Standard for DES in Cipher Block Chaining (CBC) mode
Note on the algorithm list: these are the sizes and hashes the product accepts, not a recommendation. 512-bit RSA and DSA moduli are within reach of factoring and discrete-logarithm attacks, and the MD5 collision attacks (and, later, SHA-1 collisions) demonstrated after this report make those hashes unsuitable for signing certificates; of the options listed, 2048-bit RSA keys with SHA-1 rather than MD5 signatures are the strongest profile.
RSA SecurID Products
RSA Security has augmented the PKI product with a token business including SecurID and smart card
solutions. RSA Keon's relationship with the RSA SecurID products provides smart cards and USB tokens
to support multiple security applications based on public-key cryptography. RSA Security products
include:
• RSA SecurID Key Fob (SD600)
• RSA SecurID Card (SD200)
• RSA SecurID PINPad Card (SD520)
• RSA SecurID Software Token for Windows Workstations
• RSA SecurID for Windows Pocket PC
• RSA SecurID for the Palm Handhelds
• RSA SecurID for the Nokia 9210 Communicator
• RSA SecurID for the Ericsson R380s
• RSA SecurID 5100
• RSA Mobile (the server sends a one-time password (OTP) to the user's mobile device via SMS or text messaging)
Authentication types listed against these products: SK, proprietary time-synchronous (symmetric key, the SecurID OTP mechanism); PK, certificate-based (public key).
Analysis
The flexibility of the Keon modules allows organizations to define and administer their own security
procedures and relationships—also specifying their own certificate formats and rules for certificate life
cycles. A signing engine makes it possible to sign end-user certificates and system events digitally. RSA
Keon CA includes secure administration, enrollment, directory and logging servers. The SCEP server
provides automatic enrollment for issuing certificates to SCEP-compliant VPN devices. Certificates,
system data and certificate status are stored in Keon’s integrated data repository.
RSA Security is a founding member of the PKI Forum, along with IBM, Microsoft, Baltimore Technologies
and Entrust Technologies. Established in December 1999, the PKI Forum is a multivendor organization
promoting PKI interoperability and dedicated to speeding the adoption of the technology. The PKI Forum
operates as an autonomous, unincorporated entity under The Open Group. RSA Keon CA software was
the first digital-certificate management solution to be Common Criteria EAL 4+ certified.
Modular Design
RSA Keon CA’s modular design makes it customizable both in appearance and function. RSA Keon is
modular and flexible, interoperable with other certification authorities and is server-based, requiring no
proprietary client software:
•
Web interfaces allow system administrators to modify the look of the server to match the
organization’s style. In addition, the task of registering users can be scaled to the needs of the
enterprise through browser-accessible wizards. Web-browser interfaces allow the enterprise to take
advantage of the scaling and customization already in place in established Web server and firewall
technologies.
•
A “jurisdictions” concept permits a central system administrator to designate multiple certificate
administrators, each with permissions to operate different sections of the PKI. As users generate
requests, they are routed automatically to the appropriate certificate administrators.
•
The OCSP Interoperability Initiative is a cooperative endeavor to advance this emerging Internet
standard by establishing criteria and performing interoperability testing of third-party, OCSP-enabled
products to ensure they will work together.
Identity Management Systems
RSA Security’s product and solutions are built around a standards-based identity management system,
integrating, over time, all enterprise products of RSA ClearTrust, RSA Mobile, RSA SecurID and RSA
Keon with a common set of services. These services include:
•
User Management Services—provide ease of administration, enabling organizations to leverage a
single solution to manage their user and access policies.
•
Identity Authority Services—validate the authenticity of digital identities via multiple authentication
methods, ensuring trust in online transactions—even across federated communities based on
standards such as Liberty.
•
Access Authority Services—enforce consistent business policies across the entire e-business
infrastructure; controlling access, while facilitating single sign-on (SSO).
•
System Services—use a single architectural foundation for the integration of technology (security,
performance, audit and others), for faster deployment and enhanced scalability.
•
Network and Application Integration Services—ensure integration across a heterogeneous
e-business infrastructure for less complexity in deployment and improved return on investment and
extends infrastructure beyond users to include support for Web services with secure Extensible
Markup Language (XML) and certificate integration tools.
Web Services
RSA Security’s strategy also involves software development kits (SDKs) to secure the Web services that
ultimately leverage an identity management infrastructure:
•
BSAFE SDKs enable applications to integrate with an identity management infrastructure.
•
Web services SDKs enable Web services to protect transactions intelligently and perform security
functions in accordance with defined organizational policies.
Training Programs
RSA Security offers PKI-related courses for customers at various locations throughout North America and
Europe. Among these courses are:
•
RSA Keon Core PKI Administration reviews the features and functions of the RSA Keon Core PKI
product line, prepares the student to administer certificates and works with both local and external
certification authorities.
•
RSA Keon Core PKI Installation and Configuration provides in-depth instruction necessary to plan,
install and configure the RSA Keon Core PKI product line.
RSA Authorized Training Partners deliver additional courses.
RSA Certification
RSA certification requires that the participant complete the designated RSA Security course (or courses)
and pass a supervised test with a grade of 80 percent or higher, after which the participant is awarded a
diploma and permission to use the designated certification on his or her business card. Designations
include the following:
•
Certified RSA SecurID Administrator
•
Certified RSA SecurID Systems Engineer
•
Certified RSA SecurID Instructor
•
Certified RSA Keon Systems Engineer
Support
RSA Security's Customer Services organization offers a number of choices ranging from Web site
information to renewable maintenance agreements. (Resellers can partner with RSA Security to offer
these services as well.) All service offerings include technical telephone support, all software releases,
documentation updates and subscription to RSA SecurCare Online. Customers can also purchase
technical telephone or on-site support on a per-incident basis.
Pricing
The RSA Keon CA is sold on a user-based pricing model. Customers can issue any type/number of
certificates to the licensed users over the lifetime of the product without an extra fee.
Table 7: Price List: RSA Keon CA
Minimum Users to Maximum Users: Keon Certificate Authority ($ per licensed user)
1 to 500: 30.00
501 to 1,000: 26.05
1,001 to 5,000: 16.28
5,001 to 10,000: 14.16
10,001 to 25,000: 11.56
25,001 to 50,000: 10.06
50,001 to 100,000: 8.74
100,001 to 200,000: 7.00
200,001 to 300,000: 6.22
300,001 to 400,000: 5.74
400,001 to 500,000: 5.40
500,001 to 600,000: 5.15
600,001 to 700,000: 4.94
700,001 to 800,000: 4.77
800,001 to 900,000: 4.62
900,001 to 1,000,000: 4.50
1,000,001 to Unlimited: 4.39
GSA Pricing: No.
Competitors
Table 8: RSA Keon Competitors
Vendor and Product: Features
Baltimore Technologies, UniCERT: UniCERT had its beginning as an international product and can be used with many languages and character sets, an advantage for international e-business. It has a flexible modular infrastructure, which allows the product to grow and change along with the organization.
Computer Associates International (CA), eTrust PKI: eTrust PKI has the strength of being part of CA's eTrust family of integrated, extensible security solutions. eTrust PKI is shipped with its own directory and OCSP responder; thus, "rollout" of the PKI does not involve extensive integration. CA's vision is of "invisible PKI" built into enterprise solutions, such as SSO, e-mail, Web access and other CA products.
Microsoft, Enterprise PKI: Part of the Windows server systems from Windows 2000 onwards, Enterprise PKI deploys and manages certificates in support of existing Windows domain trust-and-authentication mechanisms. These mechanisms are based on the domain controller (DC) and Kerberos Key Distribution Center (KDC). It is integrated with the Windows base platform without replacing existing Windows security, and that integration with the operating system allows public-key management to be tied to policy administration.
VeriSign, OnSite: VeriSign offers the major hosted service in the market, a service to secure intranet, extranet, VPN and e-commerce applications. The client organization controls certificate issuance and management, while VeriSign provides the technical infrastructure for certificate processing services.
Strengths
Open Standards Ensure Compatibility
RSA Keon CA supports digital certificates from any standards-based Certificate Authority, making it
suitable for participation in industry business models like the Identrus financial industry consortium.
Modular Design Eases Implementation
The modular components allow customers to build PKI a piece at a time—in the same way that they built
their networks—adding components and integrating additional solutions as needed.
Certificate Validation
Cross-validation allows the enterprise to run the product as an arbiter of trust, accepting outside users
with certificates from other suppliers. Use of OCSP permits certificates to be validated in real time against
the CA's current status, so a relying party that queries the responder does not accept a certificate the CA
has already revoked, and the burden of validation is removed from the applications themselves. That
guarantee holds only for clients that actually reach the responder and treat an unreachable responder as a
failure rather than a pass; a client that falls back to a cached CRL is again only as current as that CRL.
Total Cost of Ownership
Keon takes advantage of established technology investments: data already reachable over the Web or held
in existing authentication systems and directories (the sources RSA Keon OneStep draws on) can be
introduced into the certificate generation and verification process.
Requires No Proprietary Client Software
Keon does not require proprietary upgrades or plug-ins and therefore prevents the need for expensive
retrofitting of desktop applications.
Limitations
Certificate/Key Renewal