1、尹东梅,金融业无纸化平台下的网络身份认证和数据安全策略,行业要求及新规,2016年11月7日颁布的中华人民共和国网络安全法2016年9月30日，261号文,1,移动化应用场景,审批&签名,交易验证,手机逐渐代替电脑,物理访问,VPN 登陆,逻辑访问,2,移动化的可信身份保障,3,移动身份认证,4,实时欺诈监控,77.9%的网站仍在使用HTTP,5.2%的网站拥有不完整的证书链,19.2%仍然支持脆弱/不安全的加密网站,42.3%的网站仍然支持 SSL 3.0,https:/www.trustworthyinternet.org/ssl-pulse/,83.1%的主动攻击来自于“心脏流血”,5.

2、5%容易受到 CRIME 的攻击,36.7%不支持Forward Secrecy,无处不在的安全隐患,77.9%,5.2%,19.2%,42.3%,83.1%,5.5%,36.7%,5,新攻击方式及漏洞频现,HeartbleedExploit of Heartbeat extension in OpenSSL 1.0.1.(widely used in web servers,O/Ss)-Anything with OpenSSL is vulnerableFix:Update your version of OpenSSLReplace any keys and certificates o

3、n those machinesAsk users to change passwordsRemaining vulnerabilities:Many certificates replaced without replacing keys!,FREAKFactoring RSA Export(Android)KeysA MITM attack that forces browser to use weaker encryption key,providing attacker access to all encrypted infoResult of US govt policy preve

4、nting stronger encryption from being exportedFix:At server,disable support for insecure ciphersCheck your server at Remaining vulnerabilities:36%of servers still accept“export grade crypto”,POODLEPadding Oracle On Downgraded Legacy EncryptionAttacker can downgrade SSL/TLS sessionFix:Stop supporting

5、SSL 3.0(Browsers already doing this)Patch servers to avoid TLS vulnerabilitiesRemaining vulnerabilities:Check your server at,DROWNDecrypting RSA using Obsolete and Weakened eNcryptionAdapts an old SSLv2 vulnerability Can be used against any TLS protocol with same RSA keyFix:SSL v2 needs to be disabl

6、ed everywhere,without exception.But,this has always been the case,given that weve known about the various SSL v2 vulnerabilities for more than 20 years now,6,现状,Slow website performanceImproperly installed certificatesExpired certificatesMisconfigured serverUser security warnings,FREAKSuperFishPOODL

7、EHeartbleedBEASTCRIMELucky Thirteen,SHA1SHA2OCSP StaplingCAACTTLS 1.2ECCHTTP/2,PCIHIPAASHA1SHA2Security PolicySSL3 deprecation,Do more with lessConsolidate vendorsImplementation costsDe-focused staffLimited trainingRapid deployment,Site outage/performanceData breachSPAM blacklistSearch engine blackl

8、istMalicious impersonation,服务中断,安全威胁,技术革新,规范要求,资源限制,品牌影响,7,什么是SSL？Secure socket Layer,网络安全面临的问题-如何为网站访问者提供身份及数据加密服务？-如何保护服务器之间数据传输？-如何确保数据安全传输？,SSL 针对上述问题的解决方案-身份：对服务器及设备提供身份认证-隐私：提供加密服务,SSL 标准的信息安全技术，在浏览器 与服务器之间提供身份认证 及加密数据传输,经SSL加密后展示,8,SSL 证书的两大主要作用,DVOVEV,低,中,高,Domain Validation域名验证,Organization

9、al Validation组织机构验证,Extended Validation增强型验证,&,9,SSL 数字证书应用场景,基于Https 及FTP的网络文件传输服务,系统登录,任何线上敏感信息接入入口,邮箱接入,虚拟桌面登录,云及移动应用,内网通信(如networks,文件共享，等）,VPN登录,信用卡在线交易,10,谷歌行动,Google 发起此项活动，将安全隐患提升到更高的等级如果网站没有采取正当的安全措施，将向用户进行相关危险提示及展示Mixed contentSHA1 still in useCertificate transparency(public list)for EV ce

10、rtificatesFuture:Warnings for non-SSL pages,RC4,Non-OCSP Stapling,11,12,网站反馈速度的重要性,HTTPS网站,网站访问者,CA-Entrust,1,2,3,4,访问者点击要访问的网站网站回吐证书，浏览器对证书的有效性及根证书是否可信进行校验浏览器向CA中心对证书吊销状态进行检查CA向浏览器反馈Yes/No 值完成整个验证流程,13,SHA-1向SHA-2迁移,2016年1月1日以后CA机构不能再签发 SHA-1算法的SSL证书2016年1月1日之前签发的SHA-1证书，最长使用周期为 2016年12月31号Windows

11、将从2017年开始，不再支持SHA-1 算法的SSL证书相关的浏览器和操作系统服务方都转向支持SHA-2算法其他相关的应用也需配套支持SHA-2,14,Ssl 核心价值,全球可信的根证书服务商持续将根证书预置到各系统内,SSL证书类型提供 OV 和 EV 证书即将推出DV 证书,与众不同的Cloud服务平台 提供多类自助服务实现自动化鉴证,集成Discovery服务 免费网站安全服务包提供CT（证书透明度）服务,15,Entrust cloud证书类型,SSL 类证书,OV SSL 证书,Entrust网站签章,EV SSL 证书,标准版（单域名）优选版（双域名）通配符多域名私有型SSL,EV

12、 多域名，最多可扩展至保护250个域名,普通型网站附加安全包增强型网站附加安全包,Entrust 证书搜索和证书管理系统,Entrust/SSL Labs,网站 配置测试,16,文档签名证书,提供可信电子签名支持Adobe,Microsoft Office,OpenOffice,LibreOffice通过电子签名验证以核查文档是否被篡改Entrust 文档签名技术已通过美国联邦 ESIGN Act 及其他国际相关法律的电子签名合法性认可，可以为诸多需开展国际业务的企业及个人提供文档电子签名服务。支持多种签名形式 手动或自动签署,17,代码签名证书,为各种基于互联网的应用程序或软件进行数字签名软

13、件开发者及自签名以来是否被篡改等信息都将直接给予展示用户经过查看签名可以确认出品者的身份及文件自签署后是否有被修改或破坏过需用EV代码签名证书对Windows 10 的驱动进行签名,18,安全邮件证书,对邮件及文本进行加密确保邮件接受者接受到的邮件文本没被篡改过保障邮件内容的隐私安全，当邮件落入不法分子手中时，增加其破译源文件的难度对发件人身份进行有效确认,19,移动设备证书,Allows secure and transparent authentication to WiFi and VPN networks from mobile devicesEnables Audit of mobi

14、le networksProtects IP and network assets,Same audience as those who buy and manage SSL certificates IT/Security Directors,IT/Security Administrators and Operations,VP of ITOrganizations with mid-sized mobile device deployments,with no MDM,20,Entrust证书查找工具,商业需求,最佳解决方式Discovery!,Scan your network for

15、 certificatesfrom any vendorany typepublic or private,Manage all your certificatesMulti-person,multi-level email notificationsPolicy managementCustom tracking data w/auto-population rules,Application Outages(due to unexpected expiry of certificates),Compliance Concerns(due to inability to inventory

16、certificate population),Complexity of Certificate Management(due to certificates from multiple sources),21,用Discovery来搜索所有SSL证书,应用价值,Avoids application outages by notifying customers when certificates are close to expiry,where they are located,and if they are installed in multiple locationsAvoids da

17、ta breach by highlighting issues with deployed certs,like weak cryptoHelps with compliance reporting,by providing an inventory and reporting tools on your certificate populationFacilitates certificate management by providing a single interface to manage certificates from ANY VENDOR,22,Entrust turbo,

18、应用价值,Saves time and money installing certificates,by having less touches on the web server and automating the processReduces human error installing the chain certificates,potentially preventing possible outagesEasy to use due to one-click interface and one time installation,23,向用户提供安全可靠的网站信息服务及数据传输!

19、,SERVER IMPLEMENTATION,Responsibility=YOU,24,公司成立于1969年，1997年在中国设立直属服务机构全世界 2,000 多名员工，在 150 多个国家进行销售，提供服务和支持我们在中国致力于本地化生产，并已建立符合国家有关部门需求以及符合资质的生产基地 我们与中国的业务伙伴及机关合作机构大力推行本地化优质高效的解决方案更好服务于中国客户,在“支付”和“身份”认证领域，每天签发的凭证量为千万级,年交易处理量超过十亿条,Entrust Datacard,25,市场聚焦可信身份及安全数据传输,电子支付,信息安全,主要市场,主要客户群体,消费者Revolut

20、ionize theConsumer Experience,居民Enhance Citizen Satisfaction&Security,企业Streamline Access Anytime,Anywhere,FOCUS AREAS,26,Entrust 产品线,Digital Signatures,Authentication,Encryption,身份&权限 管理,Public Key Infrastructure(PKI),Entrust 云证书服务,Transaction monitoring,fraud detection,behavior and identity analyt

21、ics,Web access control and single sign-on for online transactions,Extensible software authentication platform for mobile,cloud and physical and logical environments,PKI Certification Authority;digital certificate issuance,Secure,encrypted file sharing and communication,27,即时发卡方案纵览,28,多种即时发卡模式,29,Entrust DATACARD 全球众多客户的品质之选,17 of top 22 Global e-Governments7 of top 10 Global Commercial Savings Banks8 of top 10 Global Telecom Companies7 of top 10 Global Pharmaceuticals8 of top 10 Global Aerospace&Defence4 of top 5 Global Petroleum,30,谢 谢！,