X.509 at the University of Michigan CIC-RPG Meeting June 7, 1999 Kevin Coffman Bill Doster

Project Goals n Transparent Web Authentication n Eliminate password prompts n Lotus Notes Authentication n Position for inter-institution Authentication

Non-Goals n Not a complete PKI n Not to be used for document signing n Not to be used for encryption n Not a complete replacement of the current cookie method

Why X.509? n An accepted standard n Application support out of the box –Web servers, web browsers, directory servers, IMAP servers, etc. n Allows the possibility for inter-institution authentication n No need for N²-1 cross-realm trusts

Description n Use short-term (approximately 1 day) certificates - “Junk Keys” n Obtain certificates securely n For Authentication ONLY! n Use OpenSSL for creating and signing certificates

Why “Junk Keys”? n Revocation becomes a non-issue n Private Key storage is less an issue n Certificate publication for sharing is not necessary n Certificate management is less critical

Drawbacks n Cannot be used for signing or encryption n Not possible to verify certificate via LDAP

Options for obtaining the CA’s Certificate n Bake it into browsers we distribute n Via a web interface using SSL and Verisign Certificate n Store it in the file-system

Obtaining CA Certificate via Web CA Apache + OpenSSL + Scripts + Verisign Certificate Browser Netscape or Internet Explorer Certificate Green lines imply SSL Protected

Options for obtaining the User Certificate n Via a web-based interface [ SSL ] n Pam / Gina / Login [ TGT or SSL ] n Standalone program [ TGT (or SSL) ] n Leave it up to application [ TGT (or SSL) ]

Obtaining User Certificate via Web (Netscape) User selects URL ID and password?? ID and password Lookup full name Lookup Entity ID Generate and Sign Certificate Verify identity keyGen Public Key Signed Certificate Generate key pair and store keys Store Certificate Netscape Browser Web server / CA

Obtaining User Certificate via Web (IE part 1) User selects URL ID ?? Send a VBScript asking for user’s unique ID ieReq.pl Web server / CA Internet Explorer Browser

Obtaining User Certificate via Web (IE part 2) password ?? ieGenReq.pl Web server / CA Internet Explorer Browser ID (uniqname) Lookup full name Lookup Entity ID Generate VBScript to create key pair and PKCS #10 request Run VBScript to generate key pair and PKCS #10 request

Obtaining User Certificate via Web (IE part 3) PKCS #7 Check password Generate certificate and wrap it in PKCS #7 format Generate VBScript to accept PKCS #7 ieTreatReq.pl Web server / CA Internet Explorer Browser password + PKCS #10 Run VBSript to accept PKCS #7 Phew! Done!

Obtaining User Certificate via Standalone Pgm (Netscape) public key signed certificate Client Machine Certificate Authority getcert keyutilcertutil key3.dbcert7.db Lookup full name Lookup Entity ID Generate and sign certificate Orange lines imply Kerberized exchange

Obtaining User Certificate via Standalone Program (IE) signed certificate Certificate Authority Client Machine Use OpenSSL to generate key pair public key Store key pair Store certificate Lookup full name Lookup Entity ID Generate and sign certificate

Storing the Certificates n How to destroy the certificates after use? n NT 4.0 w/SP3 and later has special storage classes that lives only for the life of a login n Make use of Kerberos credential storage? n Internet Explorer vs. Netscape

Problems n Documentation - Flood or Drought n Macintosh support lags other platforms

Current Status n Internet Explorer (Windows only) looks promising n Netscape (Windows, Solaris) do-able but not clean n Macintosh support does not currently look promising for either browser

References n This presentation: – n OpenSSL: – n Netscape Security Services: – n Microsoft CryptoAPI: –

?? Questions / Discussion ??