
HEPKI-TAG Activities January 2002 CSG Meeting Jim Jokl



Presentation transcript:

1 HEPKI-TAG Activities
January 2002 CSG Meeting
Jim Jokl, jaj@Virginia.EDU

2 HEPKI-TAG Activities
Sponsors: I2, Educause, CREN, NET@EDU
Charter – Technical Activities Group (TAG)
  – Certificate profiles, CA software
  – Private key protection
  – Mobility, client issues
  – Interactions with directories
  – Testbed projects
  – Communicate results
http://www.educause.edu/hepki

3 Survey of Anticipated Campus PKI Applications
Schools participating in the HEPKI work were surveyed on anticipated uses for PKI on campus
HEPKI-TAG PKI Applications Survey

4 Certificate Profile Work
A per-field description of certificate contents
  – Standard and extension fields
  – Criticality flags
  – Syntax of values permitted per field
Spreadsheet & text formats
Higher education profile repository
  – http://middleware.internet2.edu/certprofiles

5 Certificate Profiles
Validity Period
  – Wide variation from per-session to one year
  – Long term: expiration synchronized to semester
Some form of assurance level indicator
  – Explicit extension
  – Policy OID
  – In issuer field
Key usage
  – Some certificates employ Key Usage field
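The two slides above describe a certificate profile as a per-field list of required fields, criticality flags and permitted value syntax, plus a validity bound and an assurance-level policy OID. The following is an added example, not part of the HEPKI-TAG material: a small profile checker over a simplified dictionary model of a decoded certificate. The profile, field names, the placeholder policy OID and the semester-end dates are all constructed for illustration; a real checker would feed it from a DER parser.

```python
import re
from datetime import date, datetime, timedelta

# Constructed, simplified profile: each field says whether it must be present,
# the criticality flag it must carry (extensions only) and a regular expression
# for the value syntax permitted. Real profiles describe many more fields.
PROFILE = {
    "subject.CN": {"required": True,
                   "pattern": r"[A-Za-z][A-Za-z .'-]*"},
    "subject.emailAddress": {"required": True,
                             "pattern": r"[^@\s]+@[A-Za-z0-9.-]+\.edu"},
    # assurance level carried as a (placeholder) policy OID, non-critical
    "ext.certificatePolicies": {"required": True, "critical": False,
                                "pattern": r"\d+(\.\d+)+"},
    # key usage, when present, must be flagged critical
    "ext.keyUsage": {"required": False, "critical": True,
                     "pattern": r"(digitalSignature|keyEncipherment)"
                                r"(,(digitalSignature|keyEncipherment))*"},
    "ext.basicConstraints": {"required": False, "critical": True,
                             "pattern": r"CA:FALSE"},
}
MAX_VALIDITY = timedelta(days=365)                  # one-year upper bound
SEMESTER_ENDS = {date(2002, 5, 31), date(2002, 12, 20)}  # constructed dates


def check_certificate(cert, profile=PROFILE, max_validity=MAX_VALIDITY,
                      semester_ends=None):
    """Compare a decoded certificate (dict model) against a profile.

    cert = {"notBefore": datetime, "notAfter": datetime,
            "fields": {name: {"value": str, "critical": bool or None}}}
    Returns a list of violation strings; an empty list means it conforms.
    """
    problems = []
    fields = cert["fields"]
    for name, rule in profile.items():
        entry = fields.get(name)
        if entry is None:
            if rule["required"]:
                problems.append(f"{name}: required field missing")
            continue
        if "critical" in rule and entry.get("critical") != rule["critical"]:
            problems.append(f"{name}: criticality is {entry.get('critical')}, "
                            f"profile requires {rule['critical']}")
        if not re.fullmatch(rule["pattern"], entry["value"]):
            problems.append(f"{name}: value {entry['value']!r} violates permitted syntax")
    for name in fields:
        if name not in profile:
            problems.append(f"{name}: field not described by the profile")
    lifetime = cert["notAfter"] - cert["notBefore"]
    if lifetime > max_validity:
        problems.append(f"validity: lifetime {lifetime.days} days exceeds "
                        f"{max_validity.days} days")
    if semester_ends and cert["notAfter"].date() not in semester_ends:
        problems.append("validity: notAfter is not synchronized to a semester end")
    return problems


def sample_conforming():
    """Constructed certificate that satisfies PROFILE."""
    return {
        "notBefore": datetime(2002, 1, 15), "notAfter": datetime(2002, 5, 31),
        "fields": {
            "subject.CN": {"value": "Jane Q. Student", "critical": None},
            "subject.emailAddress": {"value": "jqs@example.edu", "critical": None},
            "ext.certificatePolicies": {"value": "1.2.3.4.5", "critical": False},
            "ext.keyUsage": {"value": "digitalSignature,keyEncipherment",
                             "critical": True},
        },
    }


def sample_nonconforming():
    """Same certificate with four defects a profile review should catch."""
    cert = sample_conforming()
    cert["notAfter"] = datetime(2004, 1, 15)                 # two-year lifetime
    cert["fields"]["ext.keyUsage"]["critical"] = False       # wrong criticality
    cert["fields"]["subject.CN"]["value"] = "user1234"       # digits not permitted
    cert["fields"]["ext.subjectAltName"] = {"value": "x", "critical": False}  # unprofiled
    return cert


if __name__ == "__main__":
    print("conforming:", check_certificate(sample_conforming(), semester_ends=SEMESTER_ENDS))
    for p in check_certificate(sample_nonconforming(), semester_ends=SEMESTER_ENDS):
        print("violation:", p)
```

The checker reports every deviation rather than stopping at the first, which is what a profile review of a batch of issued certificates needs; passing `semester_ends` turns the "expiration synchronized to semester" convention into a hard check.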

6 PKI Complexity and Applications
You often hear of PKI as a solution for:
  – Authentication for high-assurance processes
      Funds transfer
      Medical records
      Student grades
  – Digital signatures
      Contracts
      Other legal documents
But, can't it also be a good fit as a technology that is better than passwords but less than a high-assurance CA?

7 PKI-lite Project
Premise: many useful PKI applications can be supported using a relatively simple PKI
  – Simplified policy & practices
      Do we have large complex policies and practices for how we operate our existing systems?
  – Examples of existing campus assurance levels
      Passwords on large central systems
      ID card system

8 PKI-lite Project Assumptions
Overarching goal – simplify
  – Use PKI technology with existing application policy and practices
PKI-lite design objectives
  – S/MIME
  – Web authentication
Specify as little as possible
  – But provide suggested answers and templates

9 PKI-lite Technical Assumptions
Certificate revocation capability is up to the institution and is not required
Key usage will not be specified
No requirement for separate signing and encryption certificates
No requirements for key escrow
Fully on-line CAs are allowed. PKI-lite does not specify the level of protection for the campus CA
Simplified user identity assurance

10 PKI-lite Certificate Profile
Single common profile supporting
  – Web authentication
  – S/MIME
Relatively stable
  – In final review since December
PKI-lite Certificate Profile

11 S/MIME Testing
Outlook, Outlook Express, Netscape
  – General interoperability OK at the email level
  – Users can choose to sign, encrypt, or both
  – Clients use different certificate stores
      Certificate management issues
Eudora with Tumbleweed plug-in
S/MIME support in other clients lacking

12 S/MIME Testing
Outlook certificate quirk
  – Requires both signing and encryption certificates
  – So, watch key usage field
Encryption issues
  – Folder storage
      Sent mail
      Inbox
      Folders
  – Private key backup and management
      Escrow
      Backup

13 S/MIME Testing
Message forwarding to alternate inbox
  – Some mailers may tamper with the message contents
Mailing list software
  – Conversion of tabs to spaces
  – Deletion of trailing blanks, tabs
  – List configuration options
Opaque signing
  – A solution
  – Interoperability
S/MIME & perfect privacy?
  – The address book problem
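The slide notes that list software which expands tabs and strips trailing blanks breaks signatures, and that opaque signing is a way around it. The following added example (not from the HEPKI-TAG project) makes that concrete: a clear-signed message keeps its body readable, so any whitespace rewrite invalidates the signature, whereas an opaque-signed message wraps body and signature in one base64 blob that the rewrite cannot touch. The signature is an HMAC stand-in for the asymmetric S/MIME signature, the shared key and the message body are constructed, and the list transform is a simulation of the behaviour described.

```python
import base64
import hashlib
import hmac

# Constructed shared key standing in for the signer's private key. Real S/MIME
# signs with an asymmetric key over the canonicalized MIME part; the point here
# is only what happens to the signed bytes in transit.
SIGNING_KEY = b"demo-signing-key"


def sign(data: bytes) -> str:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(data), sig)


def clear_sign(body: str) -> dict:
    """multipart/signed style: body travels readable, signature beside it."""
    return {"body": body, "sig": sign(body.encode())}


def verify_clear(msg: dict) -> bool:
    return verify(msg["body"].encode(), msg["sig"])


def opaque_sign(body: str) -> str:
    """application/pkcs7-mime style: body and signature packed into one base64 blob."""
    blob = body.encode() + b"\n--SIG--\n" + sign(body.encode()).encode()
    return base64.encodebytes(blob).decode()


def verify_opaque(wire: str):
    """Unpack the blob; returns (signature_valid, recovered_body)."""
    blob = base64.b64decode(wire)
    body, _, sig = blob.rpartition(b"\n--SIG--\n")
    return verify(body, sig.decode()), body.decode()


def mailing_list_rewrite(text: str) -> str:
    """Simulated list software: tabs become spaces, trailing blanks/tabs are removed."""
    return "\n".join(line.expandtabs(8).rstrip(" \t") for line in text.split("\n"))


# Constructed body with a tab and trailing blanks, the cases the slide lists.
SAMPLE_BODY = "Grades for CS101:\tposted   \nPlease review.\t\n"


def simulate(body: str) -> dict:
    """Run both signing styles through the list rewrite and report what survives."""
    clear = clear_sign(body)
    mangled_clear = {"body": mailing_list_rewrite(clear["body"]), "sig": clear["sig"]}
    mangled_opaque = mailing_list_rewrite(opaque_sign(body))
    opaque_ok, recovered = verify_opaque(mangled_opaque)
    return {
        "clear_verifies_before_list": verify_clear(clear),
        "clear_verifies_after_list": verify_clear(mangled_clear),
        "opaque_verifies_after_list": opaque_ok,
        "opaque_body_after_list": recovered,
    }


if __name__ == "__main__":
    for k, v in simulate(SAMPLE_BODY).items():
        print(f"{k}: {v!r}")
```

The base64 layer contains neither tabs nor trailing blanks, so the list's rewrite is a no-op on it and the recipient recovers the exact original bytes; the cost, as the slide's "Interoperability" bullet hints, is that a client without S/MIME support sees an attachment instead of readable text.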

14 PKI-lite Campus Infrastructure
Issue certificates
  – Contract with commercial CA
  – CA software
  – Freely available certificates for testing
Authentication for web applications
  – Many ways: mod_ssl & Apache
S/MIME
  – Clients
  – Directory
  – Documentation & certificate management recommendations

15 HEPKI-TAG Projects and Demonstrations
Certificate Profile Maker
  – Web interface
  – Generates XML
HEPKI-CA
  – A demonstration CA
PKI Authentication Demo
  – Accepts certificates from various participating schools
Institutional root certificate repository
  – Download institutional/organizational root certificates

16 CA Private Key Protection
Issues
  – CA private key is the root of all trust
  – Private key storage options
      Clear text storage on disk
      Encrypted storage on disk
      On hardware device
  – Physical protection of CA
      Locked doors and racks
      OS configuration
  – Multi-level solutions
  – Jeff Schiller draft on TAG website

17 The Mobility Problem
A definition: the ability to use the same cert/key-pair from multiple computers
Some scenarios:
  – Move to a new computer
  – Users with work and home computers
  – Students and a public lab environment

18 The Mobility Problem
Do mobility requirements depend on the application?
  – Web-auth and an on-line CA
  – S/MIME
Mobility needs and assurance levels
  – Impact on non-repudiation?
Solution space: hardware and software mechanisms

19 Hardware Tokens
External hardware devices
  – Memory-only devices
  – Key-pair generation
      Private key import?
  – PIN protection scheme
  – Physical security
  – Provides dual-factor authentication
  – USB and various other reader interfaces

20 Hardware Token Examples: Smart Cards
Default behaviors
  – Customized programming can change behavior
Dual user/admin PIN systems
  – Card locks after x user-PIN attempts
  – Fuse opens after y admin-PIN attempts
Single PIN/reinitialize systems
  – Card blocks after x user-PIN attempts
  – Card can be reset back to factory state and reused
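The slide contrasts two lockout policies: a dual user/admin PIN card that locks after x bad user PINs and blows its fuse after y bad admin PINs, and a single-PIN card that blocks and can only be reinitialized. The following is an added example, not from the HEPKI-TAG work, modelling both as one state machine so the difference is visible in code: x and y are constructor parameters, the on-card private key is stood in for by a random HMAC key, and the PIN values are constructed. The model goes a little beyond the slide in one respect: it shows that a factory reset regenerates the key, so signatures made before the reset no longer belong to the reinitialized card.

```python
import hashlib
import hmac
import secrets


class SmartCard:
    """Constructed model of the two PIN-lockout policies on the slide.

    mode="dual":   user PIN plus admin PIN. After user_tries bad user PINs the
                   card locks; an admin can unlock it and set a new user PIN,
                   but after admin_tries bad admin PINs the fuse opens: the key
                   is destroyed and the card is permanently dead.
    mode="single": one user PIN. After user_tries bad PINs the card blocks and
                   can only be reset to factory state, which wipes the key pair
                   so the card can be reused as a fresh identity.
    """

    def __init__(self, user_pin, admin_pin=None, user_tries=3, admin_tries=5):
        self.mode = "dual" if admin_pin is not None else "single"
        self._user_pin = user_pin
        self._admin_pin = admin_pin
        self.user_tries_max, self.user_tries_left = user_tries, user_tries
        self.admin_tries_max, self.admin_tries_left = admin_tries, admin_tries
        self.state = "ready"                  # ready | locked | blocked | fused
        self._key = secrets.token_bytes(32)   # stands in for the on-card private key

    @staticmethod
    def _pin_matches(given, stored):
        return hmac.compare_digest(given.encode(), stored.encode())

    def verify_user_pin(self, pin):
        """One PIN presentation; counts down to lock/block on failure."""
        if self.state != "ready":
            return False
        if self._pin_matches(pin, self._user_pin):
            self.user_tries_left = self.user_tries_max
            return True
        self.user_tries_left -= 1
        if self.user_tries_left == 0:
            self.state = "locked" if self.mode == "dual" else "blocked"
        return False

    def sign(self, pin, data):
        """Key use requires a good PIN on a ready card; None otherwise."""
        if not self.verify_user_pin(pin):
            return None
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def admin_unlock(self, admin_pin, new_user_pin):
        """Dual-PIN cards only: bad admin PINs count down to the fuse."""
        if self.mode != "dual" or self.state == "fused":
            return False
        if self._pin_matches(admin_pin, self._admin_pin):
            self._user_pin = new_user_pin
            self.user_tries_left = self.user_tries_max
            self.admin_tries_left = self.admin_tries_max
            self.state = "ready"
            return True
        self.admin_tries_left -= 1
        if self.admin_tries_left == 0:
            self.state, self._key = "fused", None   # fuse open: key gone for good
        return False

    def factory_reset(self, new_user_pin):
        """Single-PIN cards only: wipes the key pair and starts over."""
        if self.mode != "single":
            return False
        self._key = secrets.token_bytes(32)          # new key pair, new identity
        self._user_pin = new_user_pin
        self.user_tries_left = self.user_tries_max
        self.state = "ready"
        return True

    def key_fingerprint(self):
        """Identifies the current key pair (None once the fuse has opened)."""
        return None if self._key is None else hashlib.sha256(self._key).hexdigest()[:16]


if __name__ == "__main__":
    card = SmartCard("1234", admin_pin="9999", user_tries=3, admin_tries=2)
    for _ in range(3):
        card.verify_user_pin("0000")
    print("dual card after 3 bad user PINs:", card.state)
    for _ in range(2):
        card.admin_unlock("bad", "5678")
    print("dual card after 2 bad admin PINs:", card.state, card.key_fingerprint())
```

A locked dual-PIN card still has its key and is recoverable by an administrator; a fused card and a reinitialized single-PIN card both end up unable to produce signatures under the original key, which is the property that matters when deciding which policy to program into campus cards.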

21 Software-based Solutions
Issues
  – Overall level of protection
  – Authenticating the user
  – Non-repudiation?
Floppy disk and import/export
IETF SACRED
SingleSignon.net

22 Discussions and projects
HEPKI-TAG Website
  – Recommendations
  – Information for those starting on PKI
      References
      How-to information
      Certificate profiles
      Minutes and survey data
  – www.educause.edu/hepki/

23 Project Participation
Much work remains
  – Research and recommendations
  – Pilot projects
  – Mobility
  – S/MIME Project
  – Consider participating in HEPKI-TAG if you are working on a PKI deployment

24 Where to watch
www.educause.edu/hepki
middleware.internet2.edu
www.cren.net/ca
NET@EDU PKI for Networked Higher Ed
  – www.educause.edu/netatedu/groups/pki
PKI Labs
  – middleware.internet2.edu/pkilabs

