CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.
PKI and Academic Applications Robert Brentrup, Mark Franklin Dartmouth College PKI Lab CAMP June 5, 2003
Why PKI?
  Comprehensive way to address securing many applications
  No passwords on the wire
  No need for shared secrets
  Strong underlying security technology
  Widely included in Technology Products
PKI and Passwords
  Technology
    – Passwords NOT even sent to server
    – Still using password to unlock key
        Only user knows password (harder to share)
        Even Central IT can't recover the password
  Policy - Process
    – Registration: How individual is identified
    – Individual education of best practice
    – Generating and storing key pair
    – Stronger AuthN strengthens AuthZ
Key Validity
  Duration needs
    – Limited as defense against compromise
    – Retain for future decryption
    – History of Public keys for signature verification
  Kerberos authn application
    – PK technology with short lifetime
  Can issue X.509 certs with timeframes chosen based on use
Dartmouth PKI Lab
  R&D to make PKI a practical component of a campus network
  Multi-campus collaboration sponsored by the Mellon Foundation
  Dual objectives:
    – Deploy existing PKI technology to improve network applications
    – Improve the current state of the art
        identify security issues in current products
        develop solutions to the problems
What is PKI?
  PKI is Public Key Infrastructure
  A pair of asymmetric keys is used, one to encrypt, the other to decrypt
Public and Private Keys
  The "public" key is published
  The "private" key is kept a secret
  No need to exchange a secret "key" by some other channel
  Invented in 1976 by Whit Diffie and Martin Hellman
  Commercialized by RSA Security
Basic applications of PKI
  Authentication and Authorization of Web users and servers
    – It is the basis for the SSL protocol used to secure web connections
  Secure (signed and encrypted)
  Electronic signatures
  Data encryption
    – Business documents, databases, executable code
  Network data protection (VPN, wireless)
What is X.509?
  A standard for the format of a public key certificate and related standards for how certificates are used.
  Current PKI product offerings inter-operate through this standard
  There are many other possible formulations, e.g. SDSI/SPKI
  Is X.509 THE solution?
What is a certificate?
  Signed data structure that binds some information to a public key
  Trusted entity asserts validity of information in certificate
  The information is usually a personal identity or a server name
  Think of it as an electronic ID card
Basic Public Key Operations
  Encryption
    – encrypt with public key of recipient
    – only the recipient can decrypt with their private key
Basic Public Key Operations
  Signature
    – Compute message digest, encrypt with your private key
    – Reader decrypts with your public key
    – Re-compute the digest and compare the results, Match?
What is a certificate authority?
  An organization that creates and publishes certificates
  Verifies the information in the certificate
  Protects general security and policies of the system and its records
  Allows you to check certificates and decide to use them in business transactions
What is a CA certificate?
  A certificate authority generates a key pair used to sign the certificates it issues
  Multiple institutions can collaborate via:
    – Hierarchical structure among their CAs
    – Bridge Certification Authorities "peer to peer" approach
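Added example, not part of the original slides: the signature steps from "Basic Public Key Operations" applied to a CA that signs a certificate binding a subject, a public key and a validity period, followed by the reader's checks. It assumes a constructed toy RSA key without padding, a pipe-delimited certificate body instead of real X.509 encoding, and hypothetical subject and key names.

```python
import hashlib
from datetime import date

# Constructed toy CA key (two Mersenne primes) so the example is deterministic
# and needs only the standard library. Textbook RSA without padding:
# fine for showing the steps, not a usable key or signature scheme.
P, Q = 2**127 - 1, 2**521 - 1
CA_N, CA_E = P * Q, 65537                  # CA public key
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))    # CA private key

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, d: int, n: int) -> int:
    # Signer: compute the message digest, transform it with the private key.
    return pow(digest(data), d, n)

def verify(data: bytes, sig: int, e: int, n: int) -> bool:
    # Reader: recover the digest with the public key, re-compute, compare.
    return pow(sig, e, n) == digest(data)

def issue_cert(subject: str, subject_key: str, not_before: str, not_after: str) -> dict:
    # The CA binds identity, public key and validity period under one signature.
    tbs = "|".join([subject, subject_key, not_before, not_after]).encode()
    return {"tbs": tbs, "sig": sign(tbs, CA_D, CA_N)}

def check_cert(cert: dict, today: date) -> str:
    # Signature first: fields are only trusted once the CA signature matches.
    if not verify(cert["tbs"], cert["sig"], CA_E, CA_N):
        return "bad signature"
    _, _, not_before, not_after = cert["tbs"].decode().split("|")
    if not date.fromisoformat(not_before) <= today <= date.fromisoformat(not_after):
        return "outside validity period"
    return "ok"

# Constructed sample certificate: hypothetical subject and key placeholder.
CERT = issue_cert("CN=Example User", "subject-public-key-placeholder",
                  "2003-06-01", "2004-06-01")
# Same signature reused over an altered subject name.
FORGED = {"tbs": CERT["tbs"].replace(b"Example User", b"Someone Else"),
          "sig": CERT["sig"]}

if __name__ == "__main__":
    print(check_cert(CERT, date(2003, 6, 5)))
    print(check_cert(CERT, date(2005, 1, 1)))
    print(check_cert(FORGED, date(2003, 6, 5)))
```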
Hierarchy
Bridge
Dartmouth PKI Deployment
  PKI applications in use
  Web authentication alternative to Kerberos/Sidecar
  Banner SIS, other Oracle apps, same mechanism
  Library resource access control, local and JSTOR
  Secure Mail S/MIME, Sympa
  Electronic document signatures NIH pilot, replace paper forms
  Wireless Network Access WPA, 802.1x EAP-TLS
Next Steps
  Applications of
    – Workflow, signatures
    – Secure mail for Student health Services - HIPAA
    – PKI enhanced List-server
    – Wireless network data protection
    – Databases and E-commerce
  Improvements in Infrastructure
    – Key storage hardening
        Tokens, smartcards, coprocessors
    – In-person contact in Enrollment
    – Trusted Third Party Services
    – Higher Ed Bridge CA
    – Authorization and Delegation
Questions?
  Dartmouth PKI Lab –