Services IT Security and Public Key Infrastructure (PKI)

(Last changed: 2019-08-03.)

Planning and Implementation of Public Key Infrastructures

Design of scalable, multi-tier hierarchies of certification authorities, their associated publication points, revocation services and interfaces with directory services. Integration of Hardware Security Modules (HSMs). Establishing cross-certification with public CA vendors. Technical and organizational support with the rollout of certificates to various clients and applications. Co-ordination with application owners, definition of certificate lifecycle management processes. Development and review of Certificate Practice Statements and Certificate Policies.

PKI Workshops - PKI Consulting - PKI Client Support

Initial PKI workshop covering PKI and cryptography basics, hands-on implementation in Microsoft environments and heterogeneous environments. Interface between technical and legal issues. Examples: authentication of users and computers via 802.1x, smart card logon, file encryption, e-mail signature and encryption, signing of code and documents, authentication and encryption in VPN and IPsec. Evaluation and selection of PKI-enabled applications and vendors. Analysis of existing applications and certificates.

X.509 Troubleshooting and PKI Drill-Down

Problem analysis and fire-fighting for all issues related to X.509 certificates. Review and fixing of existing PKIs. Train-the-experts workshops and support for software vendors, security consultants and system integrators in the PKI area. Support with application integration problems, access to certificate and key stores, embedding specific certificate extensions and problems with certificate path validation. Evaluation of RFC compliance. Co-ordination between vendors of PKI hardware and software in case of interface-related issues.

PKI Risks

Analysis of risks related to a PKI installation and the systems connected to it (such as Active Directory), including permissions and processes. Use of PKI and X.509 certificate tools by attackers and penetration testers.

[Figure: X.509 Certificate]

Approach

Intensive know-how transfer in the planning phase in order to make myself redundant, hands-on support in critical phases.

Vendor-agnostic approach, 'Trusted Advisor'. No solution sales, no deals based on commission, no IT staffing services providers.

Pragmatic security: Implementing 'Compliance' without generating 'paperwork' - also in regulated industries.

Clients: enterprise clients with global sites as well as small businesses (more than 100 PKI consulting clients since 2006).

Frequently encountered products and vendors: Microsoft 2000/2003/2008/2012/2016/2019 CAs, OpenSSL CA, Verizon Omniroot root signing service. Windows and Linux clients. Smart cards/tokens: SafeNet, Siemens, Infineon. VPN concentrators, appliances, firewalls, MS IIS web server.

Standards: X.509, SCEP, 802.1x, S/MIME, LDAP, SSL, Kerberos.

Dr. Elke Stangl

Hands-on PKI experience since 2002. Self-employed since 2006.

Lecturer at master's degree program Advanced Security Engineering, 2007-2011.

Engineer (control systems, measurement data analysis, security of the Internet of Things) since 2012.

Senior Security Consultant at Microsoft Austria, 2001-2005.

IT Manager at a research center, 2000-2001. Started career in IT as a freelancer working for SMEs in 1997.

Scientist and Lecturer at Linz University and Seibersdorf Research Center, 1992-1997.

MSc and PhD in Applied Physics (1995). MSc in Sustainable Energy Systems (2013); master's thesis on smart metering and security.

____

Minor update: September 2019. Last major content update: 2014