Some Common Campus PKI Applications January 2004 CSG Meeting Jim Jokl.


1 Some Common Campus PKI Applications
January 2004 CSG Meeting
Jim Jokl

2 S/MIME: Secure Email
Leverages PKI for email security
  – Sign and/or encrypt email messages
Why S/MIME
  – Support in many email clients
  – Why not PGP
  – Multiple modes
    User to user
    Application-to-user, user-to-application

3 Some Potential Drivers for Campus S/MIME Support
Email spoofing
  – Problems with forged email
  – Students canceling classes, impersonating professors, etc.
  – Official announcements
Campus anti-spam strategy
For some business processes
  – Protect sensitive documents
  – S/MIME-based applications

4 S/MIME client interoperability testing
Common signing algorithms: SHA-1 & MD5
Common encryption algorithms: DES, 3DES, RC4
Default client configurations basically just work
  – SHA-1 & 3DES
Dual-key support
Support for certificates in LDAP directory
Client capabilities table

5 Some Generic S/MIME Client Issues for Encryption
Folder storage is encrypted
  – Sent mail, inbox, folders
  – Good or bad depending on your definition
Private key management
  – Escrow & backup
A cc: server to archive critical messages?

6 Some selected S/MIME issues
  – Message forwarding to alternate inbox
Some mailers may tamper with the message contents
  – Mailing list software
    Conversion of spaces to spaces
    Deletion of trailing blanks, tab expansion
    List configuration options
  – Opaque signing
    A solution
    Interoperability

7 Some selected S/MIME issues
S/MIME & message privacy
  – The address book problem & user behavior
Clients use different certificate stores
Certificate management problems for users
Multi-platform issues
Microsoft Outlook
  – Signing/encryption cert problem
  – Watch the Key Usage field in your certificates
  – S/MIME Challenges document

8 VPN Authentication
Useful in both PKI-lite and “heavier” environments
  – Great ease of use for simple applications
  – 2-factor available for higher security uses
No password/account management
Eliminates the radius shared secret
Mutual authentication
CRL support & directory-based authorization

9 SSH Authentication
Digital certificates for SSH authentication
  – Extension to public key method to use certificates
Supported in the commercial ssh.com server
  – Cost probably limits use to special applications
Client support
  – ssh.com clients
  – Van Dyke SecureCRT & SecureFX

10 SSH Authentication
Certificate names rarely match Unix logins
  – Mapping file support
    Serial and issuer → Unix login-id
    Email wildcard
  – External validator
    Hands off validated certificate
    Validator returns Unix login-id or NAK
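As an added illustration of the validator contract on this slide (example code written for this page, not part of the presentation or of the ssh.com product): a toy external validator that applies the two kinds of mapping rule the slide lists, serial-plus-issuer and email wildcard, and answers with a Unix login-id or NAK. The rule syntax, the issuer names, the login-id pattern and the certificate fields are all constructed for the example; the real ssh.com mapping-file syntax is not reproduced here.

```python
# Added example (not from the slides): a toy "external validator" of the kind
# slide 10 describes. The SSH server has already validated the client
# certificate chain; it hands the validator the certificate fields, and the
# validator answers with a Unix login-id or "NAK".
import fnmatch
import re

# Constructed rule format (not the ssh.com syntax), one rule per line:
#   serial <issuer DN, no whitespace> <hex serial> <login>   exact serial+issuer
#   email  <glob>                                 <login>   %u = local part of the address
MAPPING_RULES = """
# campus CA, explicit per-certificate mappings
serial CN=Campus-CA,O=Example-University 0x1A2B jdoe
serial CN=Campus-CA,O=Example-University 0x3C4D rroe
# wildcard rules: derive the login from the email local part, or use a fixed one
email  *@cs.example.edu            %u
email  guest-*@partner.example.org guest
"""

# Constructed constraint on what we are willing to return as a login-id.
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_rules(text):
    """Parse the constructed rule file into tuples; reject malformed lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "serial" and len(fields) == 4:
            rules.append(("serial", fields[1], int(fields[2], 16), fields[3]))
        elif fields[0] == "email" and len(fields) == 3:
            rules.append(("email", fields[1], fields[2]))
        else:
            raise ValueError(f"bad mapping rule: {raw!r}")
    return rules


def validator(cert, rules):
    """Return the Unix login-id for a validated certificate, or 'NAK'.

    `cert` is a dict with 'issuer' (DN string), 'serial' (int) and 'email'.
    """
    for rule in rules:
        if rule[0] == "serial":
            _, issuer, serial, login = rule
            # Serial numbers are unique only within one issuer, so a serial
            # match alone must never be enough: the issuer has to match too.
            if cert["issuer"] == issuer and cert["serial"] == serial:
                return login
        else:
            _, pattern, login = rule
            email = (cert.get("email") or "").lower()
            if fnmatch.fnmatchcase(email, pattern.lower()):
                local_part = email.split("@", 1)[0]
                candidate = login.replace("%u", local_part)
                # A login derived from certificate contents must still look like
                # a plausible account name before the server ever sees it.
                if LOGIN_RE.match(candidate):
                    return candidate
    return "NAK"


RULES = parse_rules(MAPPING_RULES)

if __name__ == "__main__":
    sample = {"issuer": "CN=Campus-CA,O=Example-University",
              "serial": 0x1A2B, "email": "jdoe@example.edu"}
    print(validator(sample, RULES))
    sample["issuer"] = "CN=Other-CA,O=Elsewhere"    # same serial, different CA
    print(validator(sample, RULES))
```

The last two calls in the demo show why the slide pairs "serial and issuer": the same serial number issued by a different CA is answered with NAK rather than with jdoe's login.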

11 Wireless LAN Access Control

|                           | EAP-MD5                                                             | LEAP                                | EAP-TLS          | EAP-TTLS                    | PEAP                                      |
| Server Authentication     | None                                                                | Password Hash                       | Public Key       | Public Key                  | Public Key                                |
| Supplicant Authentication | Password Hash                                                       | Password Hash                       | Public Key       | CHAP, PAP, MS-CHAP(v2), EAP | Any EAP, like EAP-MS-CHAPv2 or Public Key |
| Dynamic Key Delivery      | No                                                                  | Yes                                 | Yes              | Yes                         | Yes                                       |
| Security Risks            | Identity exposed, Dictionary attack, MitM attack, Session hijacking | Identity exposed, Dictionary attack | Identity exposed | MitM attack                 | MitM attack                               |

Source: wi-fiplanet.com

12 EAP-TLS Process
User verifies the Radius server’s identity using PKI
The Radius server verifies the user’s identity using PKI
An authorization step may happen
Association is allowed and dynamic session keys are exchanged
(Diagram: User, Access Point, Radius Server, LDAP AuthZ)

13 Support for EAP-TLS
Operating System Support
  – Windows XP, Windows 2000 SP-4
  – MacOS (latest version)
  – 3rd party software available
Very easy to use
  – No account management, passwords, etc.
  – AuthZ step makes it easy to keep hacked machines off of the WLAN

14 EAP-TLS and the Microsoft Clients
Microsoft field in certificate for AuthN
  – Subject Alt Name / Other Name / Principal Name, OID 1.3.6.1.4.1.311.20.2.3
  – If not present, uses CN
    Uniqueness issues for many CAs
  – Easy to add to your certificate profile

15 PKI for Web Authentication
Perhaps the easiest of all client cert applications
Supported by browsers and servers
Validated client cert fields available in CGI environment

16 Campus Globus Implementations
The Globus toolkit uses PKI for authentication of users and resources
Campus CA integration is complicated by the Globus interface
  – Campus CAs and OS-exported certificates are generally in PKCS-12 format
  – Globus expects raw PEM files for the certificate and the private key
A file maps certificates to login names

17 Globus Implementations
Certificate profile
  – Standard profile (e.g. PKI-lite) works well with Globus
Use of Campus CA with Globus
  – Different research groups on campus can share resources
Intercampus applications
  – Campus CA part of a hierarchy
  – Cross certificates
