Secure hardware tokens David Groep DutchGrid CA. DutchGrid CA requirements Need for automated clients –from the bioinformatics domain (NBIC BioRange/BioAssist)

Presentation transcript:

Secure hardware tokens David Groep DutchGrid CA

DutchGrid CA requirements
Need for automated clients
 – from the bioinformatics domain (NBIC BioRange/BioAssist)
 – other BIG GRID application domains (e.g. astronomy)
Supported classes of certificates (within the Classic X.509 secured profile)
 – Users: certificates for natural persons
 – Hosts: networked systems, applications or services; solely to identify network endpoints in communications
 – Servers: (internal)
 – Robots: agents that perform automated functions, protected in a secure hardware token (~ FIPS 140-2 level 2)

Token grid application
What should the token support?
web interaction (Firefox, Internet Explorer)
 – registration in VOs
 – connecting to collaborative wikis, etc.
proxy generation
 – some grid-proxy-init implementations have a PKCS#11 interface
 – but grid-proxy-init can easily be mimicked with OpenSSL command-line tools
 – an ‘mkproxy’ script is available for both soft tokens (files) and eTokens (see
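As an added example (not the DutchGrid mkproxy script or any code from the slides), the soft-token case of what the slide describes: building an RFC 3820 proxy certificate with nothing but the openssl command line, then checking it the way a relying party would. The CA, the user subject and all file names are constructed; an eToken variant would replace the file-based user key with the PKCS#11 engine.

```shell
#!/bin/sh
# Added example, not the DutchGrid mkproxy script: make an RFC 3820 proxy
# certificate from a file-based ("soft token") credential using only the
# openssl command line, then verify it as a relying party would.
set -eu
WORK=$(mktemp -d); cd "$WORK"
USER_SUBJ="/O=Example Grid/CN=Test User"   # constructed subject

# The user cert is an end entity that may sign proxies (digitalSignature,
# not keyCertSign); the proxy carries the proxyCertInfo extension.
cat > ext.cnf <<'EOF'
[ user ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
[ proxy ]
keyUsage = critical, digitalSignature, keyEncipherment
proxyCertInfo = critical, language:id-ppl-inheritAll
EOF

# Constructed stand-ins for the CA and the user's long-lived credential.
make_test_credential() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/O=Example Grid/CN=Test CA" -days 1 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj "$USER_SUBJ" 2>/dev/null
  openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -set_serial 1 \
    -days 1 -extfile ext.cnf -extensions user -out user.pem 2>/dev/null
}

# mkproxy-style proxy: fresh short-lived key; subject = user subject plus
# exactly one extra CN (RFC 3820); signed with the user's own key. $1 = days.
make_proxy() {
  serial=$(od -An -N4 -tu4 /dev/urandom | tr -d ' \n')
  serial=$((serial % 2147483647 + 1))          # positive, unique enough
  openssl req -new -newkey rsa:2048 -nodes -keyout proxy.key -out proxy.csr \
    -subj "$USER_SUBJ/CN=$serial" 2>/dev/null
  openssl x509 -req -in proxy.csr -CA user.pem -CAkey user.key \
    -set_serial "$serial" -days "$1" -extfile ext.cnf -extensions proxy \
    -out proxy.pem 2>/dev/null
}

# Relying-party check: proxies are rejected unless the verifier opts in with
# -allow_proxy_certs; the user cert is an untrusted intermediate and the
# chain must end at the CA. Exit status 0 means the proxy is acceptable.
verify_proxy() {
  openssl verify -allow_proxy_certs -CAfile ca.pem -untrusted user.pem proxy.pem
}

demo() { make_test_credential && make_proxy 1 && verify_proxy; }
```

Running `demo` leaves `proxy.pem`/`proxy.key` in the temporary directory; a real deployment would write them to the usual `/tmp/x509up_u<uid>` location with mode 0600.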

Hardware
Several alternatives
Aladdin eTokens
 – price €20 – €65 per piece
 – support for the latest firmware version is mixed: they can be made to work in Windows, Linux and MacOS, but there are still some pitfalls with this version
 – not yet FIPS certified (CardOS 4.01 is, 4.2B is not)
Rainbow iKey 3000
 – good OpenSC support
 – out of production, since they could not be eaten
 – version “4000”: OpenSC support unknown …

Aladdin eToken
Comes in several varieties
eToken PRO USB 32k/64k
 – CardOS 4.01: OpenSC support, FIPS level 2 (32k), 1024 bit keys only
 – CardOS 4.2: OpenSC supported, 64k version only; 2048 bits with firmware upgrade; recently got FIPS certified?
 – CardOS 4.21 (4.2B): NO OpenSC support; 2048 bit keys native; pending certification …

Guide around pitfalls: ca.dutchgrid.nl/info/etokens

Software
Aladdin PKCS#11 libraries are available for public download from the Aladdin.ru web site
The rest of the software, and a source RPM minus etpkcs11.{dll,so}, are available from the DutchGrid CA web site (full binary available for IGTF members, see web)
An install-and-forget RPM/DEB really helps for user adoption
 – includes a 32-bit OpenSSL build for 64-bit platforms to get the Aladdin etpkcs11.so to link correctly
Questions?
Supported by the Virtual Laboratory for e-Science Scaling and Validation programme

VOMS support
Recently, a native version of ‘voms-proxy-init’ was ported to cygwin
 – with eToken support
 – complements the ‘eToken info’ documents

CP/CPS section
Secure hardware tokens, whenever referenced in this document, are those hardware security cryptographic devices or hardware security modules that operate on and hold asymmetric cryptographic key pairs in such a way that the private part of the key pair cannot ever be extracted in unencrypted form, can only be unencrypted inside the device, and the encrypted form, if available, uses 128 bit symmetric key encryption or equivalent or stronger, and where the key pair has been generated inside the cryptographic device. Any tampering, any substitution or extraction of keys, and any unauthorized modification of the activation data, must leave evidence on the secure hardware token.

CP/CPS section (continued)
Secure hardware tokens and hardware security modules that comply with the requirements of FIPS level 2 or higher, or FIPS level 2 or higher, and where the key pair has been generated inside the module, are adequate to meet the requirements set forth above. If not FIPS certified, implementation of an equivalent security level and appropriate mechanisms on the token must be demonstrated: the vendor must have built the device with the intention of obtaining FIPS certification at level 2 or higher, and must either intend to submit the device for certification, or have it in the process of certification.

Implementation
Got new CP/CPS approved
 – Add the appropriate 1SCP OID to the issued certificates (will do once we issue the first robot cert)
Train RAs to help generate keypairs on the tokens
 – initially only the central RA service and the roving RAs
 – in parallel to the ‘dumb’ RAs at most institutions
 – targeted at the ‘robot’ use case, i.e. portals
 – and individuals in grid operations to gain experience
‘Limited field test’ for the next few months
Deployment model: users get the token ‘on loan’ from the CA, so no direct cost to the subscribers