Sneak Preview

Entrust Technologies Unleashes Stronger and Better PKI

December 13, 1999
By Asad Irshad

Feeling insecure? Ask a corporate IT manager--the one responsible for secure end-to-end transactions--about true insecurity. He or she will be thankful for the PKI (public key infrastructure), which works to solve most online security troubles by creating a trust relationship between the sender and the receiver of information over an insecure network.

I tested a beta release of Entrust Technologies' Entrust 5.0, which offers a complete PKI solution and much more. Entrust 5.0 is made up of two components: Entrust Authority/Entrust RA on the server side and Entrust/Entelligence for the end user. The program offers a robust security solution for desktop applications, Internet transactions, e-commerce, developer applications and access-control devices. It also features highly customizable options that make deployment much easier and more cost-effective. In all, Entrust 5.0 adds significant improvements to its version 4.0 predecessor (see "Nortel's Entrust," at www.networkcomputing.com/717/717f1.html). Overall, I liked the flexibility and value of the new features. However, the new support for hierarchical trust architecture needs some work before it's ready for deployment.

Entrust's PKI is bundled with PeerLogic i500, a directory service for public directories. You can use Entrust/PKI with PeerLogic i500 or a directory of your choice. Entrust uses a newer version of Informix as its internal database.

Entrust's added flexibility lets security administrators customize PKI administration--including roles and policies for users and groups--according to their business needs. For example, Entrust customers can create users that have independent audit roles with limited access definable at several levels. Entrust has added a wide range of out-of-the-box functional roles that can be used as-is or easily modified.

Most PKI implementations use five typical roles, each with predefined policies: security officer, administrator, directory administrator, end user and auditor. Before I added any users, I created some customized roles and policies. I also created a few groups to help me classify users, then added the users to the different groups accordingly. The authentication process was straightforward and intuitive. Entrust gave me an authorization and reference number and, unlike version 4.0, also provided an expiration date.

Entrust supports cross-certification of certificate authorities (CAs) not only in a peer-to-peer architecture but also by hierarchical architecture. This lets Entrust customers exhaustively control trust relationships between CAs and their users within the enterprise.

For example, you might want to restrict access to your research and development department, giving only trusted people and nodes access to certain information. CAs can be distributed according to domain, department, security levels and so forth. And these levels can be created and optimized according to your individual needs.

I wanted to use this feature to deploy two CAs in a hierarchical fashion. From a root CA, I intended to create a subordinate CA. But before I could make any change in Entrust/RA, the registration authority, I was required to create an entry in the PeerLogic i500 directory and provide all the attributes that went with it.

Communication Breakdown
I ran into a series of problems when the directories communicated with each other to allow cross-certification of CAs. I wanted my root CA DN o=nwc, c=us to be the superior CA with a subordinate CA DN ou=lab, o=nwc, c=us. Entrust suggested using the same level of CA DN for the certification process. Later, I experienced problems with cross-referencing the two directories, and I was disappointed to see the terse error messages generated by the PeerLogic i500 directory service. A typical message read "XDS unwilling to perform," which didn't tell me anything about the location of the error. Log files generated by the i500 didn't offer much help either. In the end, I was forced to abandon the whole idea of a subordinate CA.
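To make the two-level hierarchy described above concrete, here is an added example (not Entrust's code or part of the original review) that builds the root CA o=nwc, c=us and the subordinate CA ou=lab, o=nwc, c=us with the Python `cryptography` package, issues one end-user certificate under the subordinate, and performs the checks a relying party makes when walking the chain back to the root. It assumes the `cryptography` package is installed, writes the country as "US" (X.509 countryName is a two-letter code), and uses a constructed user name "labuser".

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
NOW = datetime.now(timezone.utc)
OIDS = {"c": NameOID.COUNTRY_NAME, "o": NameOID.ORGANIZATION_NAME,
        "ou": NameOID.ORGANIZATIONAL_UNIT_NAME, "cn": NameOID.COMMON_NAME}

def dn(**attrs):  # dn(c="US", o="nwc") -> X.500 name, RDNs in ASN.1 order
    return x509.Name([x509.NameAttribute(OIDS[k], v) for k, v in attrs.items()])

def is_subordinate_dn(child, parent):
    """The superior CA's RDNs must be a prefix of the subordinate's (ou=lab under o=nwc)."""
    c, p = list(child.rdns), list(parent.rdns)
    return len(c) > len(p) and c[:len(p)] == p

def make_cert(subject, issuer_cert, issuer_key, pub_key, is_ca, path_len=None):
    """Issue a certificate; issuer_cert=None means self-signed (the root)."""
    issuer_name = subject if issuer_cert is None else issuer_cert.subject
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name).public_key(pub_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(minutes=1))
            .not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(is_ca, path_len), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def build_hierarchy():
    """Root o=nwc,c=us -> subordinate ou=lab,o=nwc,c=us -> one end-user certificate."""
    root_key, sub_key, user_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = make_cert(dn(c="US", o="nwc"), None, root_key, root_key.public_key(), True, 1)
    sub = make_cert(dn(c="US", o="nwc", ou="lab"), root, root_key, sub_key.public_key(), True, 0)
    user = make_cert(dn(c="US", o="nwc", ou="lab", cn="labuser"), sub, sub_key, user_key.public_key(), False)
    return root, sub, user

def signed_by(cert, issuer):
    """Relying-party check: names chain, issuer is a CA, and its key made the signature."""
    bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
    if cert.issuer != issuer.subject or not bc.ca:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:  # InvalidSignature: the issuer's key did not sign this cert
        return False

def chain_is_valid(user, sub, root):
    """End user -> subordinate -> self-signed root, with the DNs nested as Entrust expects."""
    return (signed_by(user, sub) and signed_by(sub, root) and signed_by(root, root)
            and is_subordinate_dn(sub.subject, root.subject))
```

The name-prefix check in `is_subordinate_dn` is the same relationship the review tried to express in the i500 directory: the subordinate's entry sits beneath the superior CA's entry in the X.500 tree, so a relying party can tell at a glance which department's CA vouched for a user.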

Entrust/RA has its own certificate and lets administrators remotely add new users. Entrust/RA then connects to the CA for authorization, or the request is queued for authorization by the security officer. Entrust/RA adds real value to Entrust/PKI.

Entrust/Entelligence
On the client side, Entrust login can be used as a single-site logon, which is centrally managed. I was able to log on to Entrust and my Microsoft Windows NT domain at the same time. For increased security, the Entrust workstation automatically locked itself after a few minutes of inactivity. This feature is integrated with the Windows screensaver and suspend features.

Another client-side component is Entrust/ICE, which provides encryption and authentication services to the desktop user. Once again, the process is simple and straightforward. All you have to do is right-click on any file and select encrypt, sign, or both. Entrust also provides TrueDelete, which makes sure a file that an end user deletes is totally scrubbed off the media, in compliance with U.S. Department of Defense standards. It also securely deletes users' temporary files and protects the Windows swap file.

For Internet security, Entrust has added two components, Entrust/Unity and Entrust/Direct. Entrust/Unity can be used for Web browsing (SSL), e-mail (S/MIME) or object signing. Entrust/Direct can be used for a higher level of commercial security, letting users automatically manage both keys and certificates through Entrust. Both Internet Explorer and Netscape Navigator are supported.

Asad Irshad is a Syracuse, N.Y.-based freelance writer. Send your comments on this article to him at airshad@syr.edu.