Managing Servers With iPlanet Console



Appendix A       Fortezza


Fortezza is a cryptographic system that combines the use of hardware-based tokens and software-based algorithms to secure electronic information exchange. The US government developed Fortezza to manage sensitive but unclassified information. The information in this appendix applies only to US government agencies and businesses that work with the US government. This appendix contains the following sections:



How It Works

Fortezza provides a higher level of security than typical encryption systems because it requires three elements:

  • A crypto card, which contains a user's unique cryptographic key

  • Fortezza encryption algorithms

  • Fortezza key management

First, the US government provides your department or agency access to a certificate authority workstation. The workstation itself may or may not be located at your worksite. A certificate authority (CA) representing your department or agency operates the certificate authority workstation. The CA may be a security office or other designee who establishes, authenticates, and programs Fortezza crypto cards. A Fortezza crypto card is a PCMCIA card that has been activated and issued by the CA. The CA also maintains and revokes user keys and certificates as necessary.

Information system (IS) administrators install Fortezza software and card readers on some or all of your enterprise servers, and then card readers are installed on your users' computers or workstations. Netscape Fortezza products are designed to operate properly with any PCMCIA-compliant card reader that is supported by the Litronic device driver.

Each enterprise user must request and obtain a Fortezza crypto card from a CA.

Typically, a user who wants to access a Fortezza-secured server plugs the Fortezza crypto card into the PCMCIA reader. By inserting the card and typing in a personal identification number (PIN), the user tells the client to do the following:

  • Load all of the CA certificates on the card into memory

  • Trust the CA certificates provided on the card

  • If requested, use the keys on the card for client authentication



How Fortezza Crypto Cards Are Certified

The US government established the policy approval authority (PAA), a regulating body, to ensure that only valid users are given authenticated Fortezza cards.

The policy approval authority delegates its authority to policy creation authorities (PCAs). These are groups that may represent a branch of the government or a large corporation. Policy creation authorities in turn delegate authority to certificate authorities (CAs).

Certificate authorities are the individuals who actually verify users' key information. CAs program, activate, and issue cards to government employees and to individuals who conduct business with the government. A single CA might handle the encryption needs of a small company, a single department in a large company, or a department in a government agency.



Fortezza Keys, Certificates, and Encryption



CAs program Fortezza crypto cards with any combination of key and certificate management approaches and encryption algorithms. Some of these approaches and algorithms are described briefly here. For more information about how keys, certificates, and encryption work in general, see Appendix B, "Introduction to Public-Key Cryptography" and Appendix C, "Introduction to SSL."


CRLs and CKLs

CAs can provide certificate revocation lists (CRLs) and compromised key lists (CKLs) to help manage keys and certificates that are stored on Fortezza crypto cards. For information on CRLs and CKLs, see "Managing Certificate Lists."
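The delegation chain described under "How Fortezza Crypto Cards Are Certified" (PAA to PCA to CA to user card), the client behaviour after card insertion (trust the CA certificates on the card, use its keys for client authentication), and the CRL/CKL checks above are illustrated by the following added Go example. It is not part of the iPlanet documentation or of any Fortezza implementation. It builds a constructed four-tier X.509 hierarchy with ECDSA P-256 keys (an assumption; Fortezza cards use their own algorithms), validates a card certificate the way a client does, and then checks every certificate in the chain against a CRL keyed by serial number and a CKL keyed by a SHA-256 public-key fingerprint, a constructed identifier standing in for whatever key identifier a real CKL carries. The names PAA, PCA and "Department CA" are labels chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Tier struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// Hierarchy mirrors the delegation in the text: PAA signs PCA, PCA signs CA, CA programs the card.
type Hierarchy struct{ PAA, PCA, CA, Card *Tier }

// newTier generates a key and has parent sign a certificate for it (self-signed when parent is nil).
func newTier(name string, serial int64, isCA bool, parent *Tier) (*Tier, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumption: P-256 stands in for the card's algorithms
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // the card cert is used for client auth
	}
	issuer := &Tier{Cert: tmpl, Key: key}
	if parent != nil {
		issuer = parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.Cert, &key.PublicKey, issuer.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Tier{Cert: cert, Key: key}, nil
}

// BuildHierarchy issues the four tiers in order of delegation (constructed names, serials 1 to 4).
func BuildHierarchy() (*Hierarchy, error) {
	names := []string{"PAA", "PCA", "Department CA", "user card"}
	var tiers [4]*Tier
	var parent *Tier
	for i, name := range names {
		t, err := newTier(name, int64(i+1), i < 3, parent)
		if err != nil {
			return nil, err
		}
		tiers[i], parent = t, t
	}
	return &Hierarchy{PAA: tiers[0], PCA: tiers[1], CA: tiers[2], Card: tiers[3]}, nil
}

// KeyFingerprint is the constructed CKL identifier: SHA-256 of the DER SubjectPublicKeyInfo.
func KeyFingerprint(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo))
}

// Validate does what a client does once the card is inserted: trust the root, chain the card
// certificate through PCA and CA, and reject any certificate on the CRL or any key on the CKL.
func Validate(trusted *Hierarchy, card *x509.Certificate, crl, ckl map[string]bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted.PAA.Cert)
	inters := x509.NewCertPool()
	inters.AddCert(trusted.PCA.Cert)
	inters.AddCert(trusted.CA.Cert)
	chains, err := card.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return err
	}
	for _, c := range chains[0] { // card first, then CA, PCA, PAA
		if crl[c.SerialNumber.String()] {
			return fmt.Errorf("%q (serial %s) is on the CRL", c.Subject.CommonName, c.SerialNumber)
		}
		if ckl[KeyFingerprint(c)] {
			return fmt.Errorf("key of %q is on the CKL", c.Subject.CommonName)
		}
	}
	return nil
}
```

With both lists empty the card validates; it is rejected once its own serial (4) or its issuing CA's serial (3) appears on the CRL, once its key fingerprint appears on the CKL, or when it was issued under a different root than the one the client trusts. Revoking the CA's certificate invalidates every card that CA issued, which is why the example checks every certificate in the chain rather than only the card's.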


Encryption Algorithms

CAs can program a number of encryption algorithms into a Fortezza crypto card. This section describes some of the most common algorithms.


SKIPJACK

Data encryption and decryption algorithms typically used with the SSL protocol.


SSL Protocol

Symmetric encryption nested within public-key encryption and authenticated through the use of certificates.


RC4 Encryption

A kind of 128-bit software encryption. Servers use this kind of encryption to optimize performance.


NULL Encryption

Typically used when providing only access control or when using pre-encrypted fields.



Enabling Fortezza



Enabling Fortezza typically involves installing your card reader, activating SSL, and enabling ciphers.

The following procedure explains how to set up Fortezza on iPlanet Administration Server. Other iPlanet or Netscape 4.x servers may have different setup options and requirements. See your server's documentation for more information.


To Enable Fortezza on Administration Server

  1. Install your Fortezza card reader.

    See "To Install an External Security Device" for more information.

  2. Activate SSL.

    When prompted to choose ciphers, select the Fortezza ciphers.

    See "To Activate SSL on an iPlanet Server or a Netscape 4.x Server" for more information.


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.