Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure hardware tokens David Groep DutchGrid CA. DutchGrid CA requirements Need for automated clients –from the bioinformatics domain (NBIC BioRange/BioAssist)

Published byRandell Morgan Modified over 8 years ago

Similar presentations

Presentation on theme: "Secure hardware tokens David Groep DutchGrid CA. DutchGrid CA requirements Need for automated clients –from the bioinformatics domain (NBIC BioRange/BioAssist)"— Presentation transcript:

1 Secure hardware tokens David Groep DutchGrid CA

2 DutchGrid CA requirements Need for automated clients –from the bioinformatics domain (NBIC BioRange/BioAssist) –other BIG GRID application domains (e.g. astronomy) Supported classes of certificates (within the Classic X.509 secured profile) –Users: certificates for natural persons –Hosts: networked systems, applications or services – solely to identify network endpoints in communications –Servers: (internal) –Robots: agents that perform automated functions protected in a secure hardware token ~ FIPS140-2 level 2

3 Token grid application What should the token support web interaction (Firefox, IExplorer) –registration in VOs –connecting to collaborative Wiki’s, &c proxy generation –some grid proxy init’s have a PKCS#11 i/f –but grid-proxy-init can easily be mimicked with OpenSSL command-line tools –an ‘mkproxy’ script is available for both soft tokens (files) and eTokens (see http://ca.dutchgrid.nl/info/etokens)

4 Hardware Several alternatives Aladdin eTokens –price €20 – €65 /pc –support for latest firmware version is mixed can get them to work in Win, Linux, MacOS but there are some pitfalls with this version still –not yet FIPS certified (CardOS 4.01 is, 4.2B is not) Rainbow iKey 3000 –good OpenSC support –out of production, since they could not be eaten –version “4000” OpenSC support unknown …

5 Aladdin eToken Comes in several varieties eToken PRO USB 32k/64k –CardOS 4.01: OpenSC support, FIPS 140-2 lvl 2 (32k) 1024 bit keys only –CardOS 4.2: OpenSC supported, 64k version only 2048 bits with firmware upgrade recently got FIPS certified? –CardOS 4.21 (4.2B): NO OpenSC support  2048 bit keys native pending certification …

6 Guide around pitfalls ca.dutchgrid.nl/info/etokens

7 Software Aladdin PKCS#11 libraries avaialble for public download off the Aladdin.ru web site the rest of the software and a source-RPM-minus- etpkcs11.{dll,so} are available from the DutchGrid CA web site (full binary available for IGTF members, see web) a install-and-forget RPM/DEB really helps for user adoption –includes 32bit OpenSSL build for 64 bit platforms to get the Aladdin etpkcs11.so to link correctly questions? janjust@nikhef.nl supported by the Virtual Laboratory for e-Science Scaling and Validation programme

8 VOMS support Recently, a native version of ‘voms-proxy- init’ was ported to cygwin –with eToken support –complements the ‘eToken info’ documents

9 CP/CPS section 2.6.1 Secure hardware tokens, whenever referenced in this document, are those hardware security cryptographic devices or hardware security modules that operate on and hold asymmetric cryptographic key pairs in such a way that the private part of the key pair cannot ever be extracted in unencrypted form, can only be unencrypted inside the device, and the encrypted form, if available, uses 128 bit symmetric key encryption or equivalent or stronger, and where the key pair has been generated inside the cryptographic device. Any tampering, any substitution or extraction of keys, and any unauthorized modification of the activation data, must leave evidence on the secure hardware token.

10 section 2.6.1 (cntd) Secure hardware tokens and hardware security modules that comply with the requirements of FIPS 140-1 level 2 or higher, or FIPS 140-2 level 2 or higher, and where the key pair has been generated inside the module, are adequate to meet the requirements set forth above. If not FIPS certified, implementation of an equivalent security level and appropriate mechanisms on the token must be demonstrated: the vendor must have built the device with the intention of obtaining FIPS 140-2 certification at level 2 or higher, and must either intend to submit the device for certification, or have it in process of certification.

11 Implementation Got new CP/CPS approved –Add appropriate 1 SCP OID to the issued certificates (will do once we issue the frist robot cert) Train RAs to help generate keypairs on the tokens –initially only the central RA service and the roving RAs –in parallel to the ‘dumb’ RAs at most institutions –targetted at the ‘robot’ use case, i.e. portals –and individuals in grid operations to gain experience ‘limited fieldtest’ for the next few months Deployment model: users get the token ‘on loan’ from the CA, so no direct cost to the subscribers

Download ppt "Secure hardware tokens David Groep DutchGrid CA. DutchGrid CA requirements Need for automated clients –from the bioinformatics domain (NBIC BioRange/BioAssist)"

Similar presentations

Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide

Installation & User Guide
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
A l a d d i n. c o m eToken NG-OTP Combined PKI - OTP Authentication Solution November, 2008.

A l a d d i n. c o m eToken NG-OTP Combined PKI - OTP Authentication Solution November, 2008.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.

Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.

1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.
About PKI Key Stores Dartmouth College PKI Lab. Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate.

About PKI Key Stores Dartmouth College PKI Lab. Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate.
Aircraft is a Node on the Internet

Aircraft is a Node on the Internet
TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.

TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.

IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.
Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.

Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.
Portals and Credentials David Groep Physics Data Processing group NIKHEF.

Portals and Credentials David Groep Physics Data Processing group NIKHEF.
1 The SpaceWire Internet Tunnel and the Advantages It Provides For Spacecraft Integration Stuart Mills, Steve Parkes Space Technology Centre University.

1 The SpaceWire Internet Tunnel and the Advantages It Provides For Spacecraft Integration Stuart Mills, Steve Parkes Space Technology Centre University.
Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.

Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.

Similar presentations

Ads by Google