PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.

University of Virginia PKI Project
Goal: enable PKI support for a range of applications
Deploy two campus CAs:
– Standard Assurance CA
  Based on the PKI-Lite Policy and Practices document
  Uses the CREN root; will migrate to USHER
– High Assurance CA
  Based on the Higher Education Certificate Policy
  Expect to cross-certify this CA via HEBCA

UVa Standard Assurance CA (PKI-Lite)
Focus: new applications and ease of use
Designed to support many common applications:
– Web authentication
– VPN authentication
– S/MIME: signed and encrypted mail
– SSL server certificates
– EAP-TLS for wireless access control
– Grid authentication

UVa Standard Assurance CA (PKI-Lite)
Uses existing account information to validate the user's request
– Computing ID, password, and some database information are checked
– Simple subscriber agreement

UVa Standard Assurance CA (PKI-Lite)
Simple user interface
– Internet Explorer or Netscape
– Fill in the ID check form
– Key pair automatically generated, certificate issued, and the whole certificate chain installed
– Supports hardware tokens for mobility if desired
– Certificate validity period:
  Students: until the next September
  Faculty and staff: one year
  Others: through the end of the current semester

UVa Standard Assurance CA (PKI-Lite): Other Design Decisions
– Certificate Revocation List (CRL) support: yes or no, partitioning, LDAP or HTTP distribution
– Privacy and FERPA
– Key usage settings: S/MIME and the key escrow question (escrow only makes sense for encryption keys; a signing key that has been escrowed can no longer support non-repudiation)
– Directory integration: users often obtain multiple certificates, so a preferred certificate has to be designated
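
The validity rule on the previous slide and the key-usage and CRL decisions on this one are concrete enough to show in code. The following Go program is an added example written for this page, not UVa's CA software: it builds a throwaway in-memory root with a software key (no hardware protection modelled), issues a subscriber certificate whose NotAfter follows the per-role rule, sets key usage and EKU for TLS client authentication and S/MIME, and publishes a CRL that a relying party checks together with the chain. The boundary dates (1 September for "next September"; the last day of April, August and December for semester ends), the CA name, and any computing ID or e-mail address passed to it are assumptions and placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// validityEnd applies the slide's per-role rule. Boundaries are assumptions: "next September" is
// read as 1 September, and semesters are taken to end on the last day of April, August and December.
func validityEnd(role string, now time.Time) time.Time {
	switch role {
	case "student":
		return time.Date(now.Year()+int(now.Month())/9, time.September, 1, 0, 0, 0, 0, time.UTC) // rolls to next year from September on
	case "faculty", "staff":
		return now.AddDate(1, 0, 0)
	default: // end of the current semester: day 0 of the month after April, August or December
		return time.Date(now.Year(), time.Month((int(now.Month())-1)/4*4+5), 0, 23, 59, 59, 0, time.UTC)
	}
}

// newCert generates an RSA key pair and signs tmpl with parent (self-signed when parent is nil).
func newCert(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func NewCA(name string, now time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}, nil, nil)
}

// IssueUser mints a subscriber certificate: one key for TLS client auth (web, VPN, EAP-TLS) and S/MIME.
func IssueUser(ca *x509.Certificate, caKey *rsa.PrivateKey, computingID, email, role string, now time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // random 64-bit serial
	if err != nil {
		return nil, nil, err
	}
	return newCert(&x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: computingID}, EmailAddresses: []string{email},
		NotBefore: now.Add(-5 * time.Minute), NotAfter: validityEnd(role, now),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}, ca, caKey)
}

// CRL signs a list naming the given revoked certificates; NextUpdate lets a relying party spot a stale copy.
func CRL(ca *x509.Certificate, caKey *rsa.PrivateKey, now time.Time, revoked ...*x509.Certificate) ([]byte, error) {
	entries := make([]pkix.RevokedCertificate, len(revoked))
	for i, c := range revoked {
		entries[i] = pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now}
	}
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(now.Unix()), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: entries,
	}, ca, caKey)
}

// Verify is the relying-party side (VPN concentrator, web server): chain, EKU, then a signed, fresh CRL.
func Verify(root *x509.Certificate, crlDER []byte, cert *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER) // parsing does not check the signature
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL stale since %s; fail closed rather than open", crl.NextUpdate)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %s revoked at %s", cert.SerialNumber, r.RevocationTime)
		}
	}
	return nil
}
```

Two points the code makes that the slide only hints at. The relying party has to check the CRL's signature and NextUpdate itself (ParseRevocationList does neither), and a forged or stale CRL should cause a refusal rather than a silent pass. And because the subscriber key carries both digitalSignature and keyEncipherment, escrowing it for S/MIME message recovery would also hand over the ability to sign; the usual answer to the escrow question is separate signing and encryption certificates, with only the encryption key escrowed.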

Applications
Cisco VPN services
– UVa-Anywhere remote access VPN
– "More Secure" network VPN: uses LDAP authorization to prevent student access (a valid certificate proves who the user is, not what they may reach)
Wireless authentication migration
– LEAP supported now for secure wireless
– Adding an EAP-TLS VLAN as quickly as possible
– Eventually phase out LEAP and its account management (LEAP's password-based challenge/response can be attacked offline by dictionary from a captured exchange; certificate-based EAP-TLS removes that dependency on password strength)

Applications
S/MIME
– Client support now available in our main clients: Mulberry 3.1 and CommuniGate Pro webmail
– Integration with our anti-spam solution
– Considering sending signed official announcements

UVa High Assurance CA
Focus on applications needing higher assurance levels, using 2-factor authentication:
– SSH authentication for sysadmins of critical systems
– VPN authentication for access to special-purpose networks (ERP, HIPAA, etc.)
– Web authentication
– Windows 2000/XP authentication?
– Digital signatures?

UVa High Assurance CA
Two-step Registration Authority (RA) process
– In-person photo identification check
– Web form and database validation protects against a rogue RA (no single RA can issue on their own)
Mostly off-line CA
Hardware protection for the CA private key
Hardware token use required
– 2-factor authentication (possession of the token plus its PIN)
– Strong private key protection
– Enables easy mobility
– Provides idle-use timeout

Diagram: VPN PKI 2-factor authentication with LDAP authorization. Components shown: VPN concentrators behind a firewall, LDAP AuthZ servers, Oracle ERP servers S1, S2, S3 ... Sn, the Hospital Net, and the Main Campus Network, with IN/OUT paths through the firewall.

High Assurance Applications
– 2-factor SSH authentication for ERP system admins and DBAs
– HIPAA access VPN service
– Departmental network admin delegation
– Internal management applications
Future:
– ERP users with direct database access
– Windows domain authentication?
– Digital signatures
– HEBCA applications