Virginia Tech
Overview of Tech Secure Enterprise Technology Initiatives
e-Provisioning Group
Frank Galligan
Fed/Ed XV PKI Coordination Meeting, June 14, 2007
Virginia Tech Background
Secure Enterprise Technology Initiatives
– eProvisioning Group: Technical Support for University PKI Initiatives
Sponsorship For PKI Initiatives
– Vice President for Information Technology
– Funding from Executive Vice President
Virginia Tech
– Blacksburg, Virginia (Southwestern VA)
– Research University, ranked 56th in the US
– 28,000 Full Time Students, the largest in VA
– 7,000 Faculty and Staff: the PKI Target Group
– Corporate Research Center: Location of CC
VTCA Architecture (diagram)
Virginia Tech Root CA (Offline CA), with online Subordinate CAs and Other CAs As Needed:
– Virginia Tech User CA: Personal Certificates, stored on Aladdin eToken
– Server CA: SSL Web Server Certificates
– Middleware CA: Middleware Certificates
The diagram also shows CA dates (4/10/2003, 7/23/2004, 9/20/) and certificates issued per CA (105 Issued, 444 Issued).
Virginia Tech PKI Project Structure
Six Projects: A Coordination Challenge
– Infrastructure
– Integration
– Token Administration System
– Policy
– Device Selection
– Documentation and Communication
Virginia Tech VTCA Design Methodology
– Architecture: Hierarchical Model
– High Assurance Level: FIPS Level 3 HSM
– Standards: PKCS, CryptoAPI, PCSC, X.509 v3
– Commercial or Open Source: OpenCA 0.9.x
– Deployment Model: Phased, Smart Devices
– Scope: Initially for Internal Use
– Administration: RA, CA, HSM, SYS, APP
– CP and CPS Documents: PMA, RFC 2527
Virginia Tech VT Personal Digital Certificates
Token Administration System (TAS): Two Phase Certificate Enrollment Process
Phase I: Registration Authority Admin Station
– Applicant's Hokie ID is scanned to retrieve the LDAP record
– Applicant provides two photo IDs for validation
– Applicant creates a password for their eToken
Phase II: Certification Authority Admin Station
– Applicant authenticates using their eToken password
– TAS generates RSA keys onboard the eToken and creates a CSR
– TAS sends the CSR to the User CA; the returned certificate is stored on the eToken
– Applicant digitally signs the VT Usage Agreement
– TAS automatically sends with instructions to applicant
Also handled: eToken Password Resets, Certificate Revocation
Virginia Tech PKI Integration
Virginia Tech Personal Certificate Profile
– Encryption Disabled
VT PKI Applications
– Digitally Signed Leave Reports / Work Flow
– VPN Authentication
– S/MIME, MS Office Word and Excel, Adobe Acrobat
– Client SSL Authentication, CAS (Central Authentication Server)
Other Digital Signature Applications
– Grant Proposals
– Travel Vouchers
– Various Departmental Forms
– Phone Bills
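The architecture and profile slides above describe a hierarchical CA (offline Root CA, online User CA) whose personal certificates are signature-only. As an added illustration that is not Virginia Tech's code, the following builds that three-tier chain with the python `cryptography` library, issues a personal certificate with the "Encryption Disabled" key usage, and checks both the chain and the profile; all names are constructed, and a software RSA key stands in for the key the TAS generates on the eToken.

```python
# Added example (not Virginia Tech's code): the VTCA hierarchy from the slides,
# Root CA -> User CA -> personal cert with the "Encryption Disabled" profile, via
# python `cryptography`. Names are constructed; a software key stands in for the eToken key.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def _ku(**flags):  # KeyUsage with every bit off except those passed as True
    bits = ["digital_signature", "content_commitment", "key_encipherment",
            "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign",
            "encipher_only", "decipher_only"]
    return x509.KeyUsage(**{b: flags.get(b, False) for b in bits})

CA_USAGE = _ku(digital_signature=True, key_cert_sign=True, crl_sign=True)
# "Encryption Disabled": signature and non-repudiation only, no encipherment bits.
SIGN_ONLY = _ku(digital_signature=True, content_commitment=True)

def issue(subject_cn, pubkey, issuer_name, issuer_key, is_ca, key_usage):
    """Sign a certificate for pubkey; issuer_name=None makes it self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer_name or subject)
               .public_key(pubkey).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
               .add_extension(key_usage, critical=True))
    return builder.sign(issuer_key, hashes.SHA256())

def build_chain():
    """Offline Root CA (self-signed) -> online User CA -> applicant's personal cert."""
    root_key = rsa.generate_private_key(65537, 2048)
    root = issue("Virginia Tech Root CA", root_key.public_key(), None, root_key, True, CA_USAGE)
    user_ca_key = rsa.generate_private_key(65537, 2048)
    user_ca = issue("Virginia Tech User CA", user_ca_key.public_key(), root.subject, root_key, True, CA_USAGE)
    applicant_key = rsa.generate_private_key(65537, 2048)  # stand-in for the eToken key
    person = issue("Applicant", applicant_key.public_key(), user_ca.subject, user_ca_key, False, SIGN_ONLY)
    return root, user_ca, person

def verify_chain(root, user_ca, person):
    # Issuer linkage, then each signature checked with the issuer's public key (raises on bad signature).
    for cert, issuer in ((person, user_ca), (user_ca, root), (root, root)):
        if cert.issuer != issuer.subject:
            return False
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    return True

def is_signature_only_end_entity(cert):
    """End-entity cert whose key usage allows signing but no encryption."""
    ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    return not ca and ku.digital_signature and not (ku.key_encipherment or ku.data_encipherment)
```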
Virginia Tech References
– Virginia Tech Home Page
– Virginia Tech PKI
– Virginia Tech PDCs
– Virginia Tech Certificate Policy
– Virginia Tech eToken
– Aladdin eToken News
– Personal Digital Certificates at Virginia Tech, Internet2 Presentation (Dunker.htm)