Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKI for improved cybersecurity in NATO Partner countries Software Arsen Hayrapetyan, ArmeSFo CA.

Published byRoderick Eaton Modified over 8 years ago

Similar presentations

Presentation on theme: "PKI for improved cybersecurity in NATO Partner countries Software Arsen Hayrapetyan, ArmeSFo CA."— Presentation transcript:

1 PKI for improved cybersecurity in NATO Partner countries Software Arsen Hayrapetyan, ArmeSFo CA

2 18th EUGridPMA meeting, Dublin, Ireland, 18-20 Jan 2010 2 Beginning of the project Idea of the project originated in 2007 by Ara Grigoryan, ArmeSFo CA Manager Presented at NATO Information and Communication Security Panel meeting in September 2007, Istanbul, Turkey Presented and discussed at 12 th EUGridPMA meeting in Amsterdam, The Netherlands, in January 2008 Received the approval and support of the PMA Applied for NATO collaborative linkage grant (CLG) in January 2008 CLG awarded in June 2008 Principal investigators and co-directors from NATO country: Jens Jensen (UK) from NATO partner country: Arsen Hayrapetyan (Armenia)

3 18th EUGridPMA meeting, Dublin, Ireland, 18-20 Jan 2010 3 Goals of the project Provide target countries of the project (next slide) with tools for deploying PKI as means of improving the level of cybersecurity Establishing CAs Contribute to their integration into EUGridPMA To achieve these goals, the target countries should be provided with: Software for CA operations Policy guidelines

4 18th EUGridPMA meeting, Dublin, Ireland, 18-20 Jan 2010 4 Target countries Countries along the Virtual Silk Highway (large networking project under NATO funding since 1994): Armenia, Azerbaijan, Georgia, Kazakhstan, Kyrgyz Republic, Tajikistan, Turkmenistan, Uzbekistan, Afghanistan Mediterranean Dialogue countries Algeria, Egypt, Israel, Jordan, Mauritania, Morocco, Tunisia -- do have CA -- do not have CA

5 18th EUGridPMA meeting, Dublin, Ireland, 18-20 Jan 2010 5 Software requirements The software should allow Easy deployment on both Windows and Linux Support for all CA operations required by off-line classic CA Easy configuration of CA root and EE certificates in accordance with IGTF standards Provide default configuration conforming to Grid Certificate Profile (GCP) Adding new features seamlessly and without extra effort (posed by the software itself)

6 18th EUGridPMA meeting, Dublin, Ireland, 18-20 Jan 2010 6 Software choice Initially planned to use OpenCA and adapt it to IGTF standards Abandoned the idea of using OpenCA. Instead, own software is being developed. The software will be owned by EUGridPMA

7 18th EUGridPMA meeting, Dublin, Ireland, 18-20 Jan 2010 7 Advantages of using own soft (1) Own software is designed with off-line CAs and IGTF standards in mind. It does not have OpenCA’s extra (and potentially confusing or not-easy-to-configure) features The software is being coded in PHP. Many PMA experts are experienced in PHP (more than in perl?), so they could contribute easily to the future versions of software The software is modular, it has the “core” part and uses SOAP to communicate with other modules performing specific tasks (signing CSR, issuing CRL, etc.). Specific modules can be implemented in any language supporting SOAP communications

8 18th EUGridPMA meeting, Dublin, Ireland, 18-20 Jan 2010 8 Advantages of using own soft (2) Software is IGTF standards-centered. It should allow issuing GCP-compliant certificates, as well as support mechanisms for updating the configuration to match possible changes of GCP Software will be owned by PMA and can be modified or branched at any time without depending on third-party owner

9 18th EUGridPMA meeting, Dublin, Ireland, 18-20 Jan 2010 9 What kind of CAs is the software for? We expect target countries to be off-line CAs with one or more RAs, with no subordinate CAs. The software will provide interfaces for CA operations RA operations User operations

10 18th EUGridPMA meeting, Dublin, Ireland, 18-20 Jan 2010 10 Supported configuration The software is meant to be installed on two machines: offline (CA offline machine), for CA operations like signing certificates, issuing CRLs, etc. online interface for users to request, renew and revoke their certificates, etc. interface for RAs, to approve or reject certificates, etc. Interface for CA to publish CP/CPS, CRLs, send automatic notifications, etc.

11 18th EUGridPMA meeting, Dublin, Ireland, 18-20 Jan 2010 11 CA operations (offline) Support for following operations: Generation of CA key pair and certificate Issuing EE certificates (X.509 v3) Revoking certificates Issuing CRLs (v1 & v2) Configuring certificate profiles Backup operations (making backup, CA recovery using backup, etc.)

12 18th EUGridPMA meeting, Dublin, Ireland, 18-20 Jan 2010 12 CA operations (online) Support for following operations: Publishing CP/CPS, CRLs, other public info Sending automatic notifications about certificate expiration to certificate holders DB lookup operations

13 18th EUGridPMA meeting, Dublin, Ireland, 18-20 Jan 2010 13 RA operations Support for following operations Approving or rejecting requests Requesting revocation of certificates DB lookup operations

14 18th EUGridPMA meeting, Dublin, Ireland, 18-20 Jan 2010 14 User operations Requesting certificates Renewing certificates Requesting revocation of own certificate Verifying status of own certificate

15 18th EUGridPMA meeting, Dublin, Ireland, 18-20 Jan 2010 15 GCP compliancy Support for a default EE certificate profile compliant with GCP Support for importing the profile (the form is not decided yet, e.g. XML) managed centrally (e.g. EUGridPMA repository) Application of GCP changes quickly Staying up-to-date with IGTF requirements to EE certificate profile

16 18th EUGridPMA meeting, Dublin, Ireland, 18-20 Jan 2010 16 Comments, suggestions…?

Download ppt "PKI for improved cybersecurity in NATO Partner countries Software Arsen Hayrapetyan, ArmeSFo CA."

Similar presentations

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Jinny Chien.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Jinny Chien.
1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March 08 2008.

1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March
CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.

CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.
Deploying and Managing Active Directory Certificate Services

Deploying and Managing Active Directory Certificate Services
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
PKI Administration Using EJBCA and OpenCA

PKI Administration Using EJBCA and OpenCA
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Configuring Active Directory Certificate Services Lesson 13.

Configuring Active Directory Certificate Services Lesson 13.
NASA PKI for PKI FORUM Presenters: Paul Ma, NASA-Ames Research Center

NASA PKI for PKI FORUM Presenters: Paul Ma, NASA-Ames Research Center
UNAMgrid CA Juan Carlos Guel UNAM, México. Alejandro Núñez UNAM, México. Israel Becerril UNAM, México. DGSCA UNAM 31/08/06.

UNAMgrid CA Juan Carlos Guel UNAM, México. Alejandro Núñez UNAM, México. Israel Becerril UNAM, México. DGSCA UNAM 31/08/06.
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA

Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Similar presentations

Ads by Google