1 Personal Digital Certificates at Virginia Tech: Who Are You? Mary Dunker Internet-2 December 4, 2006


2 Personal Digital Certificates at VT. Background; Implementation – Application Selection – Sponsorship – Six Projects; Future Challenges.

3 Personal Digital Certificates at VT: Background. Why issue VT Personal Digital Certificates? Move processes online where ID/Password is not good enough to replace pen and ink. Implement two-factor authentication, per recommendation from VT IT Security Task Force. Establish VT issuance procedure.

4 Personal Digital Certificates at VT How do we know who you are?

5 Personal Digital Certificates at VT. Challenge: Application Selection – Leave Reports, Grant Proposals, Travel Vouchers, S/MIME, Various departmental forms, Phone Bills, ~20 more ideas…

6 Personal Digital Certificates at VT. Digital Signatures for Leave Reports: an ambitious endeavor. All employees (a challenge as well as a plus). Secure online process improvement. Does not require key escrow. Departments would create their own leave solutions anyway if we did nothing centrally. Phased approach: HR required all employees in a department to sign leave reports the same way. Phase I: IT organization, ~400 employees.

7 Personal Digital Certificates at VT. Sponsorship: Vice President for Information Technology. Funding from Executive Vice President.

8 Personal Digital Certificates at VT. Six Projects: A coordination challenge. 1. Infrastructure 2. Policy 3. Device Selection 4. Integration 5. Token Administration System 6. Documentation and Communication

9 Personal Digital Certificates at VT. Infrastructure Project. Root CA – offline, already in place. Class 1 Server CA – offline, already in place. Middleware CA – offline, already in place. User CA – online, needed to be created.

10 Personal Digital Certificates at VT. Infrastructure Project. IBM xSeries 335 and Dell PowerEdge 1850 class servers. Redundant, manual fail-over. Red Hat Linux. OpenCA for Root, Class 1 and Middleware; OpenCA for User CA.

11 Personal Digital Certificates at VT. Infrastructure Project. OpenCA software works as designed; performance increase over. Documentation needs work. User interface needs work. VT end users do not interact with OpenCA.

12 Personal Digital Certificates at VT. Hardware Security Modules: 1 offline, 1 online for User CA. LunaCA3 and LunaSA, FIPS Level 3. Strong multifactor authentication: CA Administrator uses key token and PIN to access private area of HSM that contains private keys. Very secure, but requires m of n people in order to sign or change.

13 Personal Digital Certificates at VT. Policy Project. VT Certification Policy created before PKI-Lite was completed. Modeled on RFC 2527, obsoleted by Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 3647). Policy Management Authority created to approve policies, resolve issues.

14 Personal Digital Certificates at VT. Policy Project. Policy Project team drafted CPS, brought questions to PMA. User CPS drove development and administration of Token Administration System (TAS). Lengthy process but extremely valuable. VT Internal Audit involved.

15 Personal Digital Certificates at VT. Device Selection Project. Preliminary work by eProvisioning group. Form factor considerations: must work on Windows, Macintosh, Linux. Integration with Hokie Passport card considered but rejected for now.

16 Personal Digital Certificates at VT. Device Selection Project: Aladdin eToken. Works with I.E., Firefox, Netscape on required platforms. Safari not supported, but planned. USB token form factor does not require reader. IT already had purchased a few hundred. More research for phase II: Will eToken hold up? What form factor for students? Lost tokens. Installation scripts had to be written to download VT certificates.

17 Personal Digital Certificates at VT. Integration Project. Digital signature added to existing leave report application. Sign vs. submit. Leave information stored in database. Does not require Adobe Acrobat Pro/Writer. HTML -> PDF -> Base64-encoded file signed/stored -> PDF for display. Web service validates signature. Workflow for approval.
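The sign/store/validate steps on this slide, as an added example that is not VT's code: the report bytes are Base64-encoded, that exact encoded string is signed with a key standing in for the employee's eToken private key (an RSA key is an assumption), the detached signature is stored beside it, and the web-service check refuses any stored record whose bytes no longer match the signature. The PDF rendering step is replaced by a constructed HTML string.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// SignedReport is the stored record: the Base64 of the rendered report plus a detached signature.
type SignedReport struct {
	DocB64    string // Base64 of the rendered report (a PDF in the VT flow; text here)
	Signature []byte // RSA PKCS#1 v1.5 / SHA-256 signature over DocB64
}

// SignReport stands in for "Base64 encoded file signed/stored"; key stands in for the
// employee's eToken private key (assumption: RSA). The signed bytes are the stored bytes.
func SignReport(key *rsa.PrivateKey, rendered []byte) (SignedReport, error) {
	b64 := base64.StdEncoding.EncodeToString(rendered)
	digest := sha256.Sum256([]byte(b64))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return SignedReport{}, err
	}
	return SignedReport{DocB64: b64, Signature: sig}, nil
}

// ValidateReport is the web-service check: verify the signature over the stored Base64 bytes.
func ValidateReport(pub *rsa.PublicKey, r SignedReport) bool {
	digest := sha256.Sum256([]byte(r.DocB64))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], r.Signature) == nil
}

// DecodeReport releases the rendered bytes for display only after the signature is checked.
func DecodeReport(pub *rsa.PublicKey, r SignedReport) ([]byte, error) {
	if !ValidateReport(pub, r) {
		return nil, fmt.Errorf("stored report does not match its signature")
	}
	return base64.StdEncoding.DecodeString(r.DocB64)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the token key
	signed, _ := SignReport(key, []byte("<html>Leave: 8 hours annual, 2006-11-20</html>")) // constructed
	fmt.Println("valid:", ValidateReport(&key.PublicKey, signed))
	signed.DocB64 = base64.StdEncoding.EncodeToString([]byte("<html>Leave: 0 hours</html>"))
	fmt.Println("valid after edit:", ValidateReport(&key.PublicKey, signed))
}
```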

18 Personal Digital Certificates at VT. Digitally signed leave report. Required close work with HR. Departmental phase-in; requirement: entire department convert to digital signature. Exceptions for people on disability leave. Departmental leave representatives key players.

19 Personal Digital Certificates at VT. Digitally signed leave report. Generated lots of questions about how leave system worked that no one had asked for years. How to handle leave that one person enters for another? What about people without computers? Approvals not based on known supervisory structure.

20 Personal Digital Certificates at VT. Token Administration System (TAS). Issues personal digital certificate (PDC) on Aladdin eToken. Multiple roles. Procedures documented in User CPS, approved by PMA. Uses information from VT Enterprise Directory, not Active Directory as did Aladdin administrative tool. Allows distributed operation. Works great when it works.

21 Personal Digital Certificates at VT. Token Administration System (TAS). LOTS of policy and procedural decisions. Two-person process: 1. Verify identity information using 2 picture IDs and questions. 2. Write certificate and private key onto eToken. Private key not exported off of token. Terms and conditions digitally signed by applicant. No sharing of passwords. Extension agents at > 100 sites!!!

22 Personal Digital Certificates at VT. Documentation and Communication Project. How do you explain all this? Project plans; Web site – “internal use”; updates to communications from VP for IT; FAQs; Knowledge base articles; Scheduling groups to pick up PDCs; Presentations to end users.

23 Personal Digital Certificates at VT. Future Challenges. Phase II of leave report: entire university (6500 employees) – Re-evaluation of device – How to issue PDCs at remote sites? – Employees who do not use computers. Supporting other applications – , Word documents – Departmental applications – Two-factor authentication, CAS. Recognizing VT PDCs outside of VT.

24 Personal Digital Certificates at VT. Future Challenges. Students (28,000) – Device selection – Support. Switching devices requires: – Re-testing – TAS support – New policies/procedures? – New installation scripts – New training.

25 Personal Digital Certificates at VT. References: X.509 specification; Educause Effective Security Practice.