Entrust Authority Security Manager
Features and Benefits
Automated key and certificate lifecycle management
Users do not need to know anything about public keys and certificates to add security to communications and transactions:
- all user and Certification Authority (CA) key pairs are automatically updated in a secure, flexible, simple, and efficient manner, which helps reduce the costs of user training, user downtime, and helpdesk calls
- by supporting the creation of up to four key pairs, digital IDs enable broader deployment in environments with specific requirements
Enhanced Certification Authority
Security Manager provides the capabilities of a traditional Certification Authority (CA) and extends it with advanced features necessary to help facilitate administration:
- users can sign certificates with Elliptic Curve (ECC) signatures, an attractive choice for certain mobile applications
- digital IDs can be issued to any device or application supporting the X.509 certificate standard, enabling a single infrastructure to support all users, devices and applications
- certificates can be customized on a per-user basis, providing the flexibility to include user-specific privilege and access control information in a user's certificate
- an additional dedicated verification certificate and associated digital signature key can be used for signing higher value transactions or for creating digital signatures as specified in the IETF-RFC3039 standard
- revocation list (RL) attributes — including expiry time, issuance frequency, and the format of CRL distribution points — can be customized to best suit the organization’s management policy
Enhanced Registration Authority (RA)
Security Manager provides an easier method for registering and administering users in the CA without compromising security practices:
- a minimum acceptable password length of 6 characters provides the flexibility needed to balance between ease of use and security requirements
- flexible administrative permissions can be granted or denied on a per-RA administrator basis, enabling greater control
- support for an unlimited number of remote RAs per CA allows multiple RAs to remotely manage the CA as required
- a single interface for all RA and directory operations helps ease administration and helps reduce costs
Key backup and recovery
Security Manager enables easy key backup and recovery capabilities to help reduce downtime:
- the entire key history may be recovered, allowing the user to decrypt information no matter when it was encrypted
- flexible key recovery policy provides a secure and flexible per-operator policy to control which administrators can recover users, which users can be recovered by whom, and whether multiple authorizations are required to initiate key recovery
Policy management
Security Manager enables organizations to establish and enforce flexible corporate-wide security policies, including policies for controlling:
- CA key properties, including key length, lifetimes, and levels of protection
- digital identity storage options (e.g. locally, on a smart card etc.)
- administrator permissions
- user profiles, such as user password lengths, user mobility options, and the inclusion of additional entitlements information in users’ certificates
- the security network structure (hierarchical or peer-to-peer)
User mobility
Security Manager provides an advanced security infrastructure that can accommodate users who log in from different workstations, work offline, or use various methods of authentication (such as smart cards, tokens or biometric devices):
- users can access their applications securely from any location using a roaming ID. This feature requires Entrust Authority Roaming Server
- users can securely access applications while not connected to the network, thereby maintaining user productivity and security
- Entrust digital certificates and keys can also be stored on a hardware token, such as the Entrust USB Token, to enable two-factor authentication to the desktop, VPN/WLAN or Web portal. The digital certificates used on the Entrust USB token for authentication are extensible to enable digital signatures and encryption in security-aware applications
PKI networking
Security Manager provides a method for establishing and maintaining trustworthy electronic relationships between CAs:
- seamlessly integrates with Microsoft® Windows® native security capabilities
- enables the CA root key to be taken offline in a hierarchical trust model, permitting organizations to set up trusted trading groups in B2B relationships
- enables directory networking to permit the retrieval of user certificates, cross-certificates and revocation information
- supports peer-to-peer and hierarchical cross-certification
Scalability
Security Manager can scale to meet an organization’s required user levels through high capacity, high availability, and advanced network bandwidth management:
- supports unlimited administrators and up to 10 million users per CA
- automated key and certificate update functionality enables users to continually work in a secure environment even after original keys and certificates expire
- supports high availability and disaster recovery environments
- users can cache certificates and certificate revocation lists (CRLs), reducing the need for directory communication over the network
Interoperability
Security Manager offers high levels of interoperability — including enhanced integration with Microsoft — to help customers leverage existing investments and keep costs in check:
- Entrust digital IDs are available to the Microsoft Windows® operating system through Microsoft’s CryptoAPI interface, meaning a wide range of CryptoAPI-aware applications (such as Microsoft Outlook®, Internet Explorer, and Microsoft Word) can seamlessly use Entrust security through Windows 2000’s own built-in PKI capabilities
- Security Manager supports an additional key pair specifically for those users who want to leverage the native file encryption services within the Microsoft Windows Encrypting File System (EFS)
- Users can authenticate to a Microsoft Windows domain using Entrust digital identities stored on smart cards, which provides tamper-resistant storage of the digital identity and protects Entrust private keys and other forms of personal information using native Microsoft Windows security capabilities
- Entrust solutions can interoperate with other vendors’ PKI systems through standards-based certificate support (X.509), revocation system (CRL distribution points, CRL, OCSP), directory communication (LDAP), application to CA communication (PKIX, PKCS), hardware support (PKCS), broad algorithm support, as well as standards based cross-certification (PKIX and PKCS) and policy constraints (X.509v3 constraints)
- Interoperability with other applications is provided through X.509v3 certificates with PKIX-compliant extensions, through file formats based on S/MIME, PEM, IPSec, SSL, and SPKM, and through support for Microsoft CryptoAPI
- Security Manager supports a wide range of algorithms and encryption strengths available in both North America and Europe
Advanced audit and reporting
Security Manager enables users to monitor digital ID and certificate status information and immediately address issues, thus helping to reduce downtime:
- supports customized audit logs over Simple Network Management Protocol (SNMP) to third-party network management solutions
- enables reports to be formatted using XML, facilitating customized and more granular report creation