X509 Web Authentication From the perspective of security or An Introduction to Certificates.


1 X509 Web Authentication From the perspective of security or An Introduction to Certificates.

2 For the Impatient
Strategic Direction:
– User Certificates are good.
– We should use them.
Should all Fermilab staff & users know about certificates?
– Yes!
What needs to be done?
– User education
– Improve browser support

3 Authentication
Authentication is the identification of a user.
Kerberos is Fermilab’s chosen authentication service.
Certificates provide authentication services for the Grid and the Web.
Authorization is permission to access and use a resource after authentication.

4 X.509
Standard for Public Key Certificates
– CCITT Recommendation X.509
Coupled with X.500 naming conventions
Part of Public Key Infrastructure (PKI)
Uses asymmetric encryption
Digital signatures
Expiration and revocation lists

5 Components of a Certificate
Distinguished Names of Issuer and Subject
– Subject: /DC=org/DC=doegrids/OU=People/CN=Frank J. Nagy 442270
– Issuer: /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
Serial Number
Validity Interval (start and end dates)
Extensions
– E-mail address, Subject type, Policy Information, etc.
Public key of the Subject
Signature by the Issuer, to make the certificate tamper-evident

6 Public Key Encryption
Alice has published her public key and Bill has a copy.
Alice encrypts a message with her private key; Bill (or anyone) can decrypt it with her public key.
– Such a message can be a digital signature that identifies the rest of the message as coming from Alice.
Bill encrypts a message with Alice’s public key; only Alice can decrypt it, with her private key.
Computationally intensive, so often used only to securely exchange a symmetric key for use in the remainder of the communication session.

7 Digital Signature
Used to sign messages
– Identify the sender
– Make the message tamper-evident
Take a hash function or checksum of the message text
Encrypt the hash with the private key and send it with the message
The receiver decrypts the signature with the public key and compares it to his own hash of the message text
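
The steps above, as an added example (not from the presentation): Go's standard library signing a constructed message over a SHA-256 digest with RSA, then verifying it against the genuine text, a tampered copy and the wrong sender's public key. The keys, names and message text are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sign hashes the message with SHA-256 and signs the digest with the sender's
// private key (RSA PKCS#1 v1.5); the signature is sent along with the message.
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verify recomputes the digest over the received text and checks the signature
// with the claimed sender's public key; false means altered text or wrong key.
func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// newKey generates a 2048-bit RSA key pair (failure is fatal in this demo).
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// demo signs a constructed message as Alice and checks it three ways: genuine
// text with Alice's key, tampered text with Alice's key, genuine text with
// Bill's key (a false claim about who sent it). Expected: true, false, false.
func demo() (genuine, tampered, wrongSender bool) {
	alice, bill := newKey(), newKey()
	msg := []byte("Please grant uid=fred access to the Plone site.") // constructed
	sig, err := sign(alice, msg)
	if err != nil {
		panic(err)
	}
	genuine = verify(&alice.PublicKey, msg, sig)
	tampered = verify(&alice.PublicKey, []byte("Please grant uid=mallory access to the Plone site."), sig)
	wrongSender = verify(&bill.PublicKey, msg, sig)
	return genuine, tampered, wrongSender
}

func main() { fmt.Println(demo()) } // true false false
```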

8 Certificate Authority
Certificates are issued by a Certificate Authority (CA)
Trust Chains
The "Root Certificates Update" sometimes seen when doing Windows Update installs new CA certificates that establish this trust chain for well-known root CAs
Publish Certificate Revocation List (CRL)
– Serial numbers of revoked certificates

9 Trust Chain and Root CA...

10 Issue: Who to Trust?
Fermilab Kerberized CA
– Tied to our infrastructure
– KCA uid=fred is uid=fred in CNAS, etc.
DOEGrids CA
– Many Fermi people have certs
– Is DOEGrids' John Doe our John Doe?
Other Grid CAs
Commercial CAs?
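
An added example (not from the presentation) of what a relying site does with slides 5 through 10: build a small constructed CA with Go's crypto/x509, issue a 7-day user certificate, and verify it against a trust store holding only that root, so that an expired certificate and a same-named certificate from a CA the site does not trust (the "our John Doe?" question) are both rejected. All CA and user names are constructed; revocation-list checking is not covered here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a certificate for cn that expires in the given number of days, signed
// by parent, or self-signed when parent is nil (a root CA). All names are constructed.
func issue(cn string, serial, days int64, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour)}
	if parent == nil { // a root signs itself and is marked as allowed to sign other certificates
		t.KeyUsage, parent, pkey = x509.KeyUsageCertSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), pkey)
	cert, err := x509.ParseCertificate(der) // also fails when creation failed
	if err != nil {
		panic(err)
	}
	return cert, key
}

// trusted reports whether a site that trusts only root should accept the user certificate:
// Verify walks the chain to root, checks the issuer signature, the CA flags and the validity dates.
func trusted(user, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := user.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// demo plays the cases a site sees: a 7-day user certificate from our CA, an
// expired one, and one with the same name issued by a CA we do not trust.
func demo() (validOK, expiredOK, foreignOK bool) {
	root, rootKey := issue("Demo Kerberos CA", 1, 3650, nil, nil)
	user, _ := issue("Alice Example 100001", 2, 7, root, rootKey)
	expired, _ := issue("Alice Example 100001", 3, -1, root, rootKey)
	other, otherKey := issue("Some Other CA", 1, 3650, nil, nil)
	impostor, _ := issue("Alice Example 100001", 2, 7, other, otherKey)
	return trusted(user, root), trusted(expired, root), trusted(impostor, root)
}

func main() { fmt.Println(demo()) } // true false false
```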

11 Fermilab Kerberos CA (KCA)
Get a certificate based on having a Kerberos principal
With a Kerberos ticket, the KCA issues the user a certificate valid for the maximum lifetime (7 days) of the Kerberos ticket
Under Linux, use kinit followed by kx509, then typically import the certificate into the browser; or use “dokx509”
Under Windows, use Get-Cert.bat, which automatically loads the certificate into the browser

12 Typical KCA Certificate Uses
Nessus scanner
Import into browser to access some Fermilab Web sites
Use to access Grid resources
Not generally useful for signing e-mail, due to the limited lifetime of the certificate

13 DOEGrids CA
Can issue personal or host/service certificates good for 1 year.
Home site is http://www.doegrids.org for instructions and other information
Request via their Web site
– https://pki1.doegrids.org/
– As a Fermilab employee or visitor, use FNAL as the affiliation on the request form
– Keep your private key secret! Keep it offline!

14 Certificates and the Web
Web servers send a server certificate to your browser to establish secure communications
– Secure Sockets Layer (SSL)
– https: instead of http: in the URL
– Remember those Root CA certificates
The browser is authenticating the server in this case
Note: SSL only secures the Internet link, not data resident at the e-commerce site!

15 Certificates and the Web
A personal certificate (or KCA certificate) can be loaded into the browser and used to authenticate the user for access to some sites.
Some Fermilab Web sites use KCA certificates in this manner:
– Gate pass requests
– Network blocking pages
– Plone sites

16 Host/Service Certificates
Fermilab system administrators can get host or service certificates from DOEGrids for Grid resources or Web servers.
– http://computing.fnal.gov/security/pki/Get-DOEGrids-Cert.html
You will need the OpenSSH utility (see above web page)
Get the KCA CA certificates to authenticate KCA user certificates
– http://computing.fnal.gov/security/pki/index.html

17 Configuring Web Servers
Apache – setup is well known
– http://www.fnal.gov/docs/products/apache/SSLNotes.html
IIS – no current installations
Other applications are often proxied
– Zope/Plone
– Oracle Application Server

18 Proxying Mechanics
The application listens on “localhost” (not reachable from outside the machine)
The Apache server receives requests and sends them on to the application
User certificate information (issuer, client identity) is sent to the application via headers or parameters
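
An added example (not the presentation's or Fermilab's code) of the application side of this setup in Go: the backend accepts the forwarded certificate fields only when the request arrived over the loopback interface, where only the Apache proxy can reach it, and only when the issuer is one it recognizes; anything else is refused, because a client that reaches the application directly could set those headers itself. The header names and the issuer DN are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// Header names are an assumption for this demo; the real names depend on how
// the Apache front end is configured to forward client certificate fields.
const dnHeader, issuerHeader = "X-SSL-Client-S-DN", "X-SSL-Client-I-DN"

// Issuer DNs the application accepts (constructed demo value).
var acceptedIssuers = map[string]bool{"/DC=org/DC=Example/OU=Certificate Authorities/CN=Example CA 1": true}

// clientDN returns the subject DN the proxy reports for this request, or "" when it must not be
// trusted: not from loopback (so anyone could have set the headers), or issued by an unknown CA.
func clientDN(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil || !net.ParseIP(host).IsLoopback() || !acceptedIssuers[r.Header.Get(issuerHeader)] {
		return ""
	}
	return r.Header.Get(dnHeader)
}

// app is the proxied application: greet authenticated users, refuse the rest.
func app(w http.ResponseWriter, r *http.Request) {
	dn := clientDN(r)
	if dn == "" {
		http.Error(w, "valid client certificate required", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "hello %s\n", dn)
}

// probe delivers one request to app as if it came from remoteAddr with the
// given headers and returns the HTTP status code.
func probe(remoteAddr string, hdr map[string]string) int {
	req := httptest.NewRequest("GET", "/", nil)
	req.RemoteAddr = remoteAddr
	for k, v := range hdr {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	app(rec, req)
	return rec.Code
}

// Listen on loopback only, as the slide says; panic reports the error if the port is unavailable.
func main() { panic(http.ListenAndServe("127.0.0.1:8080", http.HandlerFunc(app))) }
```

On the Apache side the matching directive is mod_headers' `RequestHeader set`, fed from mod_ssl's SSL_CLIENT_S_DN and SSL_CLIENT_I_DN variables, so that any value a client sent in those headers is overwritten rather than passed through.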

19 Configuring Browsers
Web documentation available on http://computing.fnal.gov/security/
– How to get a personal certificate from the DOEGrids CA
– How to get a Fermilab KCA certificate
Browsers don't deal well with multiple certificates
– Perhaps hire consultant(s) to develop better certificate management plugins for popular browsers?

20 References
Planning for PKI
– By Russ Housley and Tim Polk, published by Wiley
What is a Digital Signature?
– http://www.youdzone.com/signature.html
OpenSSL Certificate Cookbook
– http://www.pseudonym.org/ssl/ssl_cook.html
The PKI Page (lots of links)
– http://www.pki-page.org/
The NIST PKI Program
– http://csrc.nist.gov/pki/
