1. Direct Trust Infrastructure :
The Technical Details
Presented by: Scott Rea
02/23/2012
DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.

2. Contents
Slide Title
3 Direct Trust Framework
4 Public Key Infrastructure (PKI)
7 Public & Private Keys
9 Digital Certificates
10 Encryption
11 Digital Signatures
12 Authentication
13 Certification Authority
14 Registration Authority
15 Issuance Process
16 CA – RA Relationship
17 Transactions

3. Direct Trust Framework
• The Direct Trust Framework is built on a
set of standards that combines technology
with policies on how and when the
technology is utilized/applied, who the
participants are, and what their roles and
responsibilities are in the system
• Technology by itself is not sufficient to
solve “Trust” issues
• The technology utilized in this case is
Public Key Infrastructure (PKI)

4. What is PKI?
• Public Key Infrastructure
• Comprehensive security technology and policies using
cryptography and standards to enable users to:
– Identify (authenticate) themselves to network services, access
policies, and each other to prove source of origin and destination.
– Digitally sign electronic documents, email and other data to provide
authorization and prove integrity.
– Encrypt email, data, and other documents to prevent unauthorized
access.

5. Why PKI?
• Uniform way to address securing many different
types of applications
• Enables reliable authentication, digital signing
and encryption
• Overcomes many weaknesses of using password
based protocols on open networks
• Facilitates easy setup of shared secrets between
previously unknown parties
• Strong and proven underlying security technology
• Widely included in technology products

6. Underlying Key Technology
• A pair of asymmetric keys is used, one to encrypt, the other
to decrypt.
• Each key can only decrypt data encrypted with the other.
• Invented in 1976 by Whit Diffie and Martin Hellman
• Commercialized by RSA Security
• Recently other more efficient schemes emerging e.g. ECC
Encrypt
(anyone with public key)
Plain Text Encrypted Text
Decrypt
(possessor of private key only)

7. Public and Private Keys
• PKI is based on the use of a pair of related numbers called
“keys”
• They are generated in such a way that knowing one, does
not give you any knowledge of the other, but using one
requires the other to complete a transaction
• The "public" key is placed into a certificate which
published far and wide for all to use.
• The "private" key is only used by its owner and MUST be
kept a secret.
• No need to exchange a secret "key" ahead of time by some
other channel.

8. Applications of PKI
• Authentication and Authorization of end points in an internet
transaction
– e.g. users and servers, server to server, user to user
– This is the basis for the SSL protocol used to secure web connections
using https.
• Secure Messaging
– e-mail (signed and encrypted)
– Secure instant messaging
• Electronic signatures
– Documents, data, agreements
– Prescriptions, Insurance authorizations, case notes
• Data encryption
– Medical records, Diagnostic datasets, Business documents, Financial
data, databases, executable code
• Network data protection (VPN, wireless)

9. What is a certificate?
• Signed data structure (x.509 standard) binds some
information to a public key.
• Trusted entity, called a Certification Authority (CA) asserts
validity of information in the certificate, enforces policies
for issuing certificates.
• Certificate information is usually a personal identity, a
server name, or a service identifier, with authorizations for
how the keys should be used.
• Think of a certificate with its keys as an electronic:
– ID card,
– encoder/decoder device, and
– official seal or notary-style stamp.

10. Encryption
• Asymmetric encryption prevents need for shared secrets.
• Anyone encrypts with public key of recipient.
• Requires some mechanism for discovering intended recipient’s
public key
• Only the recipient can decrypt with their private key.
• Private key is secret, so “bad guys” can’t read encrypted data.
Encrypt
(anyone with public key)
Plain Text Encrypted Text
Decrypt
(possessor of private key only)

11. Digital Signatures
• Compute message digest, encrypt with your private key.
• Reader decrypts with your public key.
• Re-compute the digest and verify match with original – guarantees
no one has modified signed data.
• Only signer has private key, so no one else can spoof their digital
signature.
Compute digest, sign & date,
encrypt
(possessor of private key only)
Plain Text Encrypted Text
Verify signature, check digest
(anyone with public key)

12. Authentication
• A CA - Certification Authority, signs a certificate attesting that the public key
belongs to the entity named in the certificate
• Certificate Policy indicates what steps are taken to verify identity and how the
CA systems operate to ensure security and integrity
• CA is a Trusted Third Party providing a seal of authenticity
• Use of certificate provides reliability and non-repudiation in the identity of the
source or destination of a transaction
public
p
u
bl
ic

13. What is a certificate authority?
• An organization that creates, publishes, and
revokes certificates.
• Verifies the information in the certificate.
• Protects general security and policies of the
system and its records.
• Allows you to check certificates so you can decide
whether to use them in business transactions.
• Has one or more trusted Roots, called a trust
anchor embedded in applications

14. What is a Registration Authority?
• An organization that collects and verifies the
identity information that will be used in a
certificate based on published standards.
• Represents a Certification Authority for any face-
to-face validation of identity
• Must be authorized by the relevant Certification
Authority for this purpose
– Audit of processes required
– Archival of evidence data required

15. Issuance Process
Certificate Authority (CA)
Identity/Trust Certificate
Verification Validation Service
Certificate Signing Revocation
Services Services
The CA and RA enforce
6. Certificate Signing 7. Direct Organization
Request Certificate
the policies specified in the
DirectTrust.org and FBCA
2. Request Direct Certificate Policies (CPs).
Organization
Assume has
Digital Identity
Certificate
Registration Authority (RA)
Certificate
3. Credentials and
Documentation Compile/Validate Identity and Trust
HCO Documentation
Representative  Representative
FBCA Credentials
 Representative
Healthcare Authorization
Organization (HCO)  Legal Entity 4. Direct
8. Direct Organization
Documents Organization 5. Public
Domain Key Certificate
 Membership/Trust
Agreement
 HIPAA status Domain Name System
(DNS)
1. Enroll with HISP 9. Direct Address/
Org Certificate
Health Information Service
Provider (HISP) LDAP Name System
Source: DirectTrust.org February, 2012

16. CA – RA Relationship
DirectTrust.org
FBCA Certificate Policy
Certificate Policy
Certificate Authority (CA)
Audit
Identity/Trust Certificate
Verification Validation Service Certification Practices
Statement
Certificate Signing Revocation
Services Services
Audit
Registration Practices
Audit Statement
RA Agreement
Registration Authority (RA)
Compile/Validate Identity and Trust
Documentation
Source: DirectTrust.org February, 2012

17. Transactions
Certificates vetted to FBCA HIPAA Covered Entity
Medium LoA standard Assertion governed by
ensures strongest binding DirectTrust CP
between PKI keys and
identity listed in the cert
PKI Encryption ensures confidentiality in messages
PKI Digital Signatures ensures integrity and reliability of messages
PKI Authentication provides authenticity and trust of message
reaching intended recipients

18. Questions?
• Scott Rea, CISSP
VP GOV/EDU Relations and Sr. PKI Architect
DigiCert, Inc. Lindon UT 84042
• Scott@DigiCert.com
• (801) 701-9636
• http://www.digicert.com/news/bios-scott-rea.htm
• http://www.directtrust.wikispaces.com
• http://www.DigiCert.com/