How to Deploy and Get the Most Out of Tokens

1
How to Deploy and Get the Most Out of Tokens

• Paul Caskey
• PKI Deployment Forum 2008

2
Our setup

• VeriSign Unified Authentication
• Active Directory-integrated
• Based on Microsoft CA, but signed by VeriSign
  public root
• Managed via an MMC
• CA and all operations happen at VeriSign
• Dual-key approach
• Signing, SmartCard login
• Encryption, EFS (escrowed)
• 3 certificate templates
• Signing
• Encryption
• Key Recovery Agent
• All certs are on Aladdin tokens only (no software
  stores)

3
Our uses

• Email signing and encryption
• Document Signing
• SmartCard login (Our passwords meet LoA2 entropy,
  but.)
• Remote access??

4
Enrollment Process

• User request to Help Desk
• Help Desk prepares token (initialize, assign)
• Vetting/Verify Identity
• Enrollment authorization granted
• User enrolls at help desk via kiosk
• That first use of token forces setting a password

5
Design/implementation issues

• Manual vs. Auto-enrollment
• Dual-key vs. single-key
• Token enrollment (in-person or remote)
• Client software deployment
• PIN resets
• Local
• Remote
• Lost tokens

6
Aladdin Token Management System (TMS) 2.0

• Web-based management interface
• Look up users, tokens
• Initialize
• Assign
• Web-based user self-service
• Enrollment/software installation
• Security questions
• Report lost tokens
• Password reset
• Web-based remote service
• Virtual tokens

7

• Questions/Comments/Discussion?