Presentation is loading. Please wait.

Presentation is loading. Please wait.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.

Similar presentations


Presentation on theme: "A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority."— Presentation transcript:

1 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority Status Report

2 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA Project  Part 1  APNIC CA project  Benefits and costs  Project plans  Future developments  References  Part 2 (if requested)  Cryptography and PKI Overview

3 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Why?  In response to  Membership concern for greater security  Confidential info exchange with APNIC  Is my database transaction secure?  Whose prefixes do you accept?  Internet community interest in security, PKI, digital certificates  e.g. rps-auth  IETF working group: PKIX

4 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Overview  Certificate issued to APNIC member  Corresponds to Membership of APNIC  Provides uniform mechanism for all security needs :  Encryption and signature of with APNIC  Authentication of access to APNIC web site  Secure maintainer mechanism for APNIC database  Future authorisation mechanism for Internet resources  Authentication of resource custodianship

5 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Benefits/Costs  Benefits  Uniform industry-standard mechanism for “single password” security, authentication and authorisation  Strong public key cryptography, end-to-end  Costs  Server and client software  Change to current procedures  New policies  Establishment: software purchase and/or development

6 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Roadmap

7 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Timeline

8 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Scoping Project  October January 2000  Objectives  Analyse impact of introducing PKI  Provide focus for discussions  Raise awareness of PKI in general  Conclusions  Significant benefits for members’ security  Growing standards support for PKI  See:

9 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA – Phase 1 Timeline

10 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA – Phase 1  April – November 2000  Deliverables  Selection of CA software  Procedures for issuance and revocation of Identity certificates to members  Policies for use of APNIC Certificates  Issue trial certificates at APNIC Meeting October 2000  Risk Analysis

11 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E CA Software  CA Architecture based on OpenCA  OpenCA uses OpenSSL for PKI API  Apache-SSL with OpenSSL  APNIC developed client certificate layer  Supported Clients:  Netscape 4.x Navigator and Messenger  Microsoft [4|5].x Internet Explorer  Microsoft 5.x Outlook and Outlook Express  Any client using OpenSSL 0.9.[5|6] toolkit

12 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Certificate Issuance Workflow Offline Identity Confirmation Online Certificate Request APNIC Member RA Verifies and Signs request CA signs request creating certificate RA makes certificate available for download and notifies member Member downloads certificate into browser or mail client APNICMember APNICCertificateAuthority

13 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E CA Architecture DMZ Internal Network Offline Low trust Medium trust High trust Member’sBrowserRegistrationAuthorityCertificateAuthority

14 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Certificate Policy Statement (CPS)  Draft CPS available for download at:   Member feedback welcome  Once completed CPS will be handed to Executive Council for final approval  Future certificates will be issued under this CPS  NOTE: Certificates issued this week as part of pilot testing are NOT issued under this CPS

15 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA – Phase 2  January – June 2001  Deliverables  Browser and deployment issues analysis  Certificates used for website access control  Prototype X509 certificates in whois database  Strong encryption for member correspondence  Trial issuance of Attribute Certificates with resource allocation

16 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Future  Generalised CA function  APNIC Certificates may be used for general purposes  Requires tight policy and quality framework for APNIC certificates to be trusted  Hierarchical certification  APNIC Members may use their certificates to certify their own members or customers  May be applicable for ISPs and NIRs

17 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Future  Public Key Certificates  X.509 certificate linking a Public Key to an identity, issued by CA  Attribute Certificates  X.509 certificate linking Attributes to an identity, issued by CA or other authority  Provides authorisation, rather than authentication, information  Not yet widely deployed or supported

18 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Consultation  Mailing list open after Apricot2000    Further developments  See:

19 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Documents  IETF PKIX drafts: draft-ietf-pkix-roadmap-04.txt “Internet X.509 Public Key Infrastructure PKIX Roadmap” draft-clynn-bgp-x509-auth-01.txt “X.509 Extensions for Authorization of IP Addresses AS Numbers, and Routers within an AS” draft-ietf-pkix-ac509prof-01.txt “An Internet Attribute Certificate Profile for Authorization” 

20 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Questions?

21 APNIC Open Policy Meeting October 2000 Part 2 PKI Overview

22 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Cryptography - Terms  Public key cryptography  Cryptography technique using different keys for encoding and decoding messages  Keypair  Private key and public key, generated together, used in public key cryptography  Encryption/Decryption  To encode/decode a message using a public or private key

23 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Decrypt Message Transmit Encrypted Message Public Key Cryptography - Encryption Encrypt Encrypted Message Keypair Retrieve Public Key

24 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Decrypt Message Transmit “Signed” Message Public Key Cryptography - Encryption Encrypt “Signed” Message Keypair Retrieve Public Key

25 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Public Key Cryptography - Digital Signature Assemble Signed Message Digest Hash Signature Encrypt Message Keypair

26 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Public Key Cryptography - Digital Signature Signature Message Digest Valid? Signed Message Digest Decrypt Retrieve Public Key

27 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E PKI - Terminology  Public Key Infrastructure (PKI)  Administrative structure for support of public key cryptography  Public Key Certificate (Digital Certificate)  Document linking a Public Key to an identity, signed by a CA, defined by X.509  Certificate Authority (CA)  Trusted authority which issues digital certificates

28 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Digital Certificates  A digital certificate contains:  Identity details  eg Personal ID, address, web site URL  Public key of identity  Issuer (Certification Authority)  Validity period  Attributes  The certificate is signed by the CA

29 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Digital Certificate - Example Certificate ::= SEQUENCE { tbsCertificate TBSCertificate, tbsCertificate TBSCertificate, signatureAlgorithm AlgorithmIdentifier, signatureAlgorithm AlgorithmIdentifier, signature BIT STRING signature BIT STRING } TBSCertificate ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, version [0] EXPLICIT Version DEFAULT v1, serialNumber CertificateSerialNumber, serialNumber CertificateSerialNumber, signature AlgorithmIdentifier, signature AlgorithmIdentifier, issuer Name, issuer Name, validity Validity, validity Validity, subject Name, subject Name, subjectPublicKeyInfo SubjectPublicKeyInfo, subjectPublicKeyInfo SubjectPublicKeyInfo, issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, extensions [3] EXPLICIT Extensions OPTIONAL extensions [3] EXPLICIT Extensions OPTIONAL }

30 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Digital Certificate - Lifecycle Key Pair Generated Certificate Issued Certificate valid and in use Private Key compromised Certificate Expires Recertify Certificate Revoked Keypair Expired


Download ppt "A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority."

Similar presentations


Ads by Google