Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKI in Higher Education: Dartmouth PKI Lab Update Internet2 Virtual Meeting 5 October 2001.

Published byHorace Nicholson Modified over 8 years ago

Similar presentations

Presentation on theme: "PKI in Higher Education: Dartmouth PKI Lab Update Internet2 Virtual Meeting 5 October 2001."— Presentation transcript:

1 PKI in Higher Education: Dartmouth PKI Lab Update Internet2 Virtual Meeting 5 October 2001

2 Internet2 Fall 2001 Meeting: HEPKI2 Researchers Dartmouth College Computer Science Institute for Security and Technology Studies Dartmouth College Computing Services David Nicol, Sean Smith: CS/ISTS Ed Feustel: ISTS Robert Brentrup, Larry Levine: Computing Services Yasir Ali, Alex Iliev, John Marchesini, Eileen Ye: CS Students Shan Jiang, Evan Knop: Alumni Lab Created 4Q2000

3 Internet2 Fall 2001 Meeting: HEPKI3 Dartmouth PKI Lab Objectives Exploring how to effectively use public-key cryptography to build trusted information services in the real world. Enable effective trust judgements, in systems that are heterogeneous on every level. In users, roles, computer hardware and software, organizations, administrative domains, application contexts What are the appropriate pieces of information for trust judgments in different contexts at different times?

4 Internet2 Fall 2001 Meeting: HEPKI4 End to End Approach Server How do we establish foundation for this trust, when computation is vulnerable to insider attack? Client How can user tools enable effective trust judgments? Infrastructure How do we deploy and manage the certificates, keys, etc., that enables this trust communication Applications How can applications engage in PKI-based trust judgments?

5 Internet2 Fall 2001 Meeting: HEPKI5 Status, October 2001 Server Trusted Third Parties, immune to insider attack –Private Information Retrieval (PIR) –Armored Vault –WebALPS Client Web/SSL/Certificate Spoofing Requirements for Secure Web Client

6 Internet2 Fall 2001 Meeting: HEPKI6 Status, October 2001 Infrastructure Setup COTS, open-source testbeds. LDAP Campus PKI planning –PKI/Lite: Web Authn/Authz & S/MIME –S/MIME Private Key Server Applications Hardened Box Office Web Application authentication/authorizatio local replacement Voting (demo of WebAlps)

7 Internet2 Fall 2001 Meeting: HEPKI7 Private Information Retrieval Protecting query privacy from insider attack Server that efficiently provides material to authorized users… …so that the server operator learns nothing, not even statistics! Domains with sensitive data Health information, expensive research data

8 Internet2 Fall 2001 Meeting: HEPKI8 Armored Vault Protecting archived private material from insider attack Prove to stakeholders that policy is followed Prototype domain: network data Archive is encrypted and bound to policy Built with Snort and IBM 4758-2

9 Internet2 Fall 2001 Meeting: HEPKI9 WebALPS Protecting SSL Web Servers from insider attack SSL doesn’t help if armored pipe to cardboard box! Move server end of SSL into securer co- processor Built from Apache, OpenSSL and IBM 4758-2

10 Internet2 Fall 2001 Meeting: HEPKI10 Hardened Box Office Protect operator from liability Campus agents want to sell tickets, etc. online Server operator wants to minimize risk of exposing private customer data Uses WebALPS hardened server Internal application catches customer data, then signs and encrypts for entity and e-mails it

11 Internet2 Fall 2001 Meeting: HEPKI11 S/MIME Private Key Server Protecting user private keys from insider attack and provides mobility Problem: Web based e-mail offers client mobility… … but adding PKI requires trusting the server with the private keys Solution: uses WebALPS- hardened server Generates, certifies, stores user keys… … and applies them only when authorized by user Neither bribery nor subpoena reveals the user keys!

12 Internet2 Fall 2001 Meeting: HEPKI12 Client: Good Trust Judgements? Web/SSL provides server identity, not attributes URL? Location bar information SSL Icon? SSL warning window? Certificate information? Status bar www.cs.dartmouth.edu/~pkilab/demos/spoofing/

13 Internet2 Fall 2001 Meeting: HEPKI13 Client Research Questions Should attributes attest to name of server, or content offered? What are semantics of “independent windows”? Who is really providing this service? Which certificate is being used? Why? What information does the server acquire about the user? Requirements for “better” browser

14 Internet2 Fall 2001 Meeting: HEPKI14 Infrastructure Developing Familiarity with tools for application development Defining strategies to setup and administer institution scale PKI environment Interactions with Central LDAP directory Tools to support Research projects Compatibility testing of PKI vendors and client applications Studies of end-user behavior, eg. Why passwords are shared Research goal: real applications, solving real problems!

15 Internet2 Fall 2001 Meeting: HEPKI15 Futures PKI more than X.509 SDSI/SPKI. PGP, XML... Trust Judgment in Applications Rights Management, expressions of policy Critical Mass, academic community as prototype lab

16 Internet2 Fall 2001 Meeting: HEPKI16 For More Information www.cs.dartmouth.edu/~pkilab Sean Smith sws@cs.dartmouth.edu Ed Feustel efeustel@ists.dartmouth.edu Robert Brentrup Robert.J.Brentrup@dartmouth.edu

Download ppt "PKI in Higher Education: Dartmouth PKI Lab Update Internet2 Virtual Meeting 5 October 2001."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Copyright Statement Copyright Robert J. Brentrup and Sean W. Smith 2002. This work is the intellectual property of the authors. Permission is granted for.

Copyright Statement Copyright Robert J. Brentrup and Sean W. Smith This work is the intellectual property of the authors. Permission is granted for.
Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.

Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.

PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.

Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
SIS: Secure Information Sharing for Windows Systems Osama Khaleel CS526 Semester Project.

SIS: Secure Information Sharing for Windows Systems Osama Khaleel CS526 Semester Project.
June 1, 2001 Enterprise Directory Service at College Park David Henry Office of Information Technology University of Maryland College Park

June 1, 2001 Enterprise Directory Service at College Park David Henry Office of Information Technology University of Maryland College Park
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 1 Security Systems Lecture notes Dr.

Copyright © B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall Security Systems Lecture notes Dr.
About PKI Key Stores Dartmouth College PKI Lab. Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate.

About PKI Key Stores Dartmouth College PKI Lab. Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate.
Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.

Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Similar presentations

Ads by Google