Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKIX BASED CERTIFICATION INFRASTRUCTURE IMPLEMENTATION ADAPTED TO NON PERSONAL END ENTITIES Jacob E., Liberal F., Unzilla J. {jtpjatae, jtplimaf,

Similar presentations


Presentation on theme: "PKIX BASED CERTIFICATION INFRASTRUCTURE IMPLEMENTATION ADAPTED TO NON PERSONAL END ENTITIES Jacob E., Liberal F., Unzilla J. {jtpjatae, jtplimaf,"— Presentation transcript:

1

2 PKIX BASED CERTIFICATION INFRASTRUCTURE IMPLEMENTATION ADAPTED TO NON PERSONAL END ENTITIES Jacob E., Liberal F., Unzilla J. {jtpjatae, jtplimaf, Department of Electronics and Telecommunications Faculty of Engineering University of the Basque Country Bilbao (Spain)

3 2 SUMMARY INTRODUCTION MAIN GOALS IMPLEMENTATION STATUS OF THE PROJECT SYSTEM ARCHITECTURE WAY OF OPERATION FUTURE WORK

4 3 Introduction Need to set trust agents => PKI: certification services Background: Oriented to end users => www Inflexibility, interface-processing dependence Lack of interoperability Results => PKIs have been replaced by other systems: ssh, PGP, home made SSL Proposed system PKIX Automate standard interfaces Specific application scope

5 4 Main Goals Speed up procedures Guarantee scalability/interoperability Make services more flexible Ease users access Provide mechanisms for new services Develop a fully-functional PKI system

6 5 General Architecture RA RA CA CRLs & CERTIFICATES REPOSITORY END ENTITY (EE) REGISTER EEs AUTHENTICATE FORWARD REQUESTS REGISTER RAs OPERATIONS WITH CERTs

7 6 COMMANDS ANSWERS ACKs Administrative Data Way of operation: Registration I RA OPERATOR RA CERT. TYPES Password ID NEW USER

8 7 Way of operation: Registration I.a

9 8 Way of Operation: Registration II End User OPERATIONS WITH CERTIFICATES CHECK CERTIFICATES SECURE CONNECTIONS MANAGEMENT DOWNLOAD CERTIFICATES OPERATIONS WITH CERTIFICATES GENERAL FUNCTIONS (CERTIFICATES MANAGEMENT) ID CMP PASS Registration Authority

10 9 Entidad Registro ID CMP PASS ID PASS ADMINISTRATIVE DATA ADMINISTRATIVE DATA Way of Operation: Registration II.a

11 10 Registration Authority ID CMP PASS ID CMP PRE- REQUESTS PRE- REQUESTS ID CMP P SEND TO CAS ID CMP RA CA Way of Operation: Registration II.b

12 11 Certification Authority ID CMP AUTHORIZED RAs CERTIFICATES CMP SEND BACK TO RA STORE IN REPOSITORY RA CA REPOSITORY Way of Operation: Registration III

13 12 Implementation Linux O.S. Daemon servers in C language Pthreads (Posix threads) MySQL DBMS cryptlib © cryptographic library OpenLDAP

14 13 SERVING THREADS REQUESTS Implementation: RA

15 14 DEBUG LOG #DEBUG1: Debug thread created #DEBUG1: Creating CMPSpareServer 0, line 166 #DEBUG3: Adding node to general list #DEBUG3: Adding node to idle list #DEBUG3: Number of CMP threads created: 1 #DEBUG3: Number of CMP threads idle: 1 #DEBUG3: Adding node to general list #DEBUG3: Adding node to idle list #DEBUG3: Number of CMP threads created: 2 #DEBUG3: Number of CMP threads idle: 2 #DEBUG1: Creating CMPSpareServer 1, line 166 #DEBUG1: Creating OCSPSpareServer 0 #DEBUG3: Adding node to general list #DEBUG3: Adding node to idle list #DEBUG3: Number of OCSP threads created: 1 #DEBUG3: Number of OCSP threads idle: 1 #DEBUG1: Creating OCSPSpareServer 1 #DEBUG3: Adding node to general list #DEBUG3: Adding node to idle list #DEBUG3: Number of OCSP threads created: 2 Implementation: RA II

16 15 Implementation: CA AUTOMATED OPERATION!!

17 16 Status of the project C code lines Functional system integrating RA and CA in one RA server, operator and administrator clients and Java© front-ends cryptlib © library Advantages: Ease of use due to standarized interfaces (cryptSetAttribute(), CRYPT_CERTIFICATE, CRYPT_SESSION...) Development period short Disadvantages: Very high-level interface : Development period longer for specific projects Lack of low-level documentation=> ~reverse engineering, bootstrapping. Network support MySQL support

18 17 Future work Adapt PSE access modules to hardware devices, such as smartcards, crypto-tokens… Integration with other certifications systems like PGP. Inclusion of attribute certificates. Development of Windows© family client libraries. Integration of certificate services. A real application?


Download ppt "PKIX BASED CERTIFICATION INFRASTRUCTURE IMPLEMENTATION ADAPTED TO NON PERSONAL END ENTITIES Jacob E., Liberal F., Unzilla J. {jtpjatae, jtplimaf,"

Similar presentations


Ads by Google