X.509 at the University of Michigan CIC-RPG Meeting June 7, 1999 Kevin Coffman Bill Doster


Slide 1: X.509 at the University of Michigan
CIC-RPG Meeting, June 7, 1999
Kevin Coffman (kwc@umich.edu), Bill Doster (billdo@umich.edu)

Slide 2: Project Goals
- Transparent web authentication
- Eliminate password prompts
- Lotus Notes authentication
- Position for inter-institution authentication

Slide 3: Non-Goals
- Not a complete PKI
- Not to be used for document signing
- Not to be used for encryption
- Not a complete replacement of the current cookie method

Slide 4: Why X.509?
- An accepted standard
- Application support out of the box
  - Web servers, web browsers, directory servers, IMAP servers, etc.
- Allows the possibility of inter-institution authentication
- No need for N²-1 cross-realm trusts

Slide 5: Description
- Use short-term (approximately 1 day) certificates: "Junk Keys"
- Obtain certificates securely
- For authentication ONLY!
- Use OpenSSL for creating and signing certificates

Slide 6: Why "Junk Keys"?
- Revocation becomes a non-issue
- Private key storage is less of an issue
- Certificate publication for sharing is not necessary
- Certificate management is less critical

Slide 7: Drawbacks
- Cannot be used for signing or encryption
- Not possible to verify the certificate via LDAP

Slide 8: Options for obtaining the CA's Certificate
- Bake it into browsers we distribute
- Via a web interface using SSL and a Verisign certificate
- Store it in the file system

Slide 9: Obtaining the CA Certificate via the Web
Diagram: the CA (Apache + OpenSSL + scripts + Verisign certificate) delivers the CA certificate to the browser (Netscape or Internet Explorer). Green lines imply the exchange is SSL protected.

Slide 10: Options for obtaining the User Certificate
- Via a web-based interface [SSL]
- PAM / GINA / login [TGT or SSL]
- Standalone program [TGT (or SSL)]
- Leave it up to the application [TGT (or SSL)]

Slide 11: Obtaining the User Certificate via the Web (Netscape)
Diagram of the exchange between the Netscape browser and the web server / CA, in sequence: user selects URL; server asks "ID and password??"; browser sends ID and password; server looks up full name and Entity ID and verifies identity; server sends keyGen; browser generates the key pair and stores the keys; browser sends the public key; server generates and signs the certificate; server returns the signed certificate; browser stores the certificate.

Slide 12: Obtaining the User Certificate via the Web (IE, part 1)
Diagram of the exchange between the Internet Explorer browser and the web server / CA: user selects URL; ieReq.pl asks "ID ??" by sending a VBScript that asks for the user's unique ID.

Slide 13: Obtaining the User Certificate via the Web (IE, part 2)
Diagram continued: browser sends the ID (uniqname); ieGenReq.pl looks up full name and Entity ID, then generates a VBScript to create the key pair and PKCS #10 request and asks "password ??"; the browser runs the VBScript to generate the key pair and PKCS #10 request.

Slide 14: Obtaining the User Certificate via the Web (IE, part 3)
Diagram continued: browser sends password + PKCS #10; ieTreatReq.pl checks the password, generates the certificate and wraps it in PKCS #7 format, and generates a VBScript to accept the PKCS #7; the browser runs the VBScript to accept the PKCS #7. Phew! Done!

Slide 15: Obtaining the User Certificate via a Standalone Program (Netscape)
Diagram: on the client machine, getcert (with keyutil and certutil, writing key3.db and cert7.db) sends the public key to the Certificate Authority, which looks up full name and Entity ID, generates and signs the certificate, and returns the signed certificate. Orange lines imply a Kerberized exchange.

Slide 16: Obtaining the User Certificate via a Standalone Program (IE)
Diagram: on the client machine, use OpenSSL to generate the key pair and store it, then send the public key to the Certificate Authority, which looks up full name and Entity ID, generates and signs the certificate, and returns the signed certificate; the client stores the certificate.
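The enrollment flow on the preceding slides, reduced to its OpenSSL CLI steps as an added example (not code from the presentation or from CITI): the client produces a key pair and PKCS #10 request, the CA signs it with a one-day lifetime and marks it for client authentication only, and the relying party checks the chain and the short validity window. The organisation name, the WORK directory and the user name alice are assumptions; the Kerberos- and VBScript-driven parts of the slides are not modelled.

```shell
#!/bin/sh
# Added example: mint and check a one-day "junk key" client certificate.
# Subject names, WORK and the user name are assumptions, not from the slides.
set -e

WORK="${WORK:-$(mktemp -d)}"

# One-time CA setup (the slides keep the CA behind Apache + OpenSSL + scripts).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example University/CN=Example Junk-Key CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Client side: key pair plus PKCS #10 request (what keyGen / the VBScript does).
make_request() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example University/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# CA side: sign for one day, authentication only (no encipherment, no
# non-repudiation), so the cert cannot double as a signing or encryption cert.
sign_junk_cert() {
    printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$WORK/junk.ext"
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/junk.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Relying-party check: chains to our CA and is inside its short window.
# The one-day lifetime is what stands in for revocation on slide 6.
verify_junk_cert() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1 || return 1
    # -checkend N exits non-zero if the cert expires within N seconds:
    # a one-day cert must still be good in an hour but not in 25 hours.
    openssl x509 -in "$WORK/$1.pem" -noout -checkend 3600 >/dev/null || return 1
    if openssl x509 -in "$WORK/$1.pem" -noout -checkend 90000 >/dev/null; then
        return 1   # lifetime is longer than a junk key should have
    fi
    return 0
}

# Does the issued cert carry only the authentication-related usages?
cert_is_auth_only() {
    openssl x509 -in "$WORK/$1.pem" -noout -text \
        | grep -q 'TLS Web Client Authentication' || return 1
    openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q 'Digital Signature'
}
```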

Slide 17: Storing the Certificates
- How to destroy the certificates after use?
- NT 4.0 with SP3 and later has special storage classes that live only for the life of a login
- Make use of Kerberos credential storage?
- Internet Explorer vs. Netscape

Slide 18: Problems
- Documentation: flood or drought
- Macintosh support lags other platforms

Slide 19: Current Status
- Internet Explorer (Windows only) looks promising
- Netscape (Windows, Solaris) is do-able but not clean
- Macintosh support does not currently look promising for either browser

Slide 20: References
- This presentation:
  - http://www.citi.umich.edu/u/kwc/Presentations/X509June1999
- OpenSSL:
  - http://www.openssl.org/
- Netscape Security Services:
  - http://home.netscape.com/nss/v1.2/index.html
- Microsoft CryptoAPI:
  - http://www.microsoft.com/security/tech/CryptoAPI/default.asp

Slide 21: ?? Questions / Discussion ??

