PKI Update, September 2002 CSG Meeting, Jim Jokl


Slide 1: PKI Update, September 2002 CSG Meeting
Jim Jokl, jaj@Virginia.EDU

Slide 2: Public Key Infrastructure
Basis: a pair of cryptographically related keys is generated
– Your public and private keys
Usage
– Data encrypted using a public key can only be decrypted with the matching private key
– Data signed by a private key can only be verified by the matching public key

Slide 3: Public Key Infrastructure: Digital Certificates
A certificate is:
– An object signed by a Certification Authority (CA)
– Binds a user's identity to their public key
– Contains some attributes about the person
– Contains some information about the CA
Level of assurance
– How well did the CA identify the person?
– How is the CA run?
– Who vouches for the CA?

Slide 4: Public Key Infrastructure: Policy and Practices
How is the CA run?
– Certificate Policy (CP) and Certification Practice Statement (CPS) documents
– Registration Authority (RA) operation
Who vouches for the CA?
– Relying parties
– Trust hierarchies
– Certificate chains and root certificates
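Slides 2 through 4 describe the mechanics in words only: key pairs with asymmetric encrypt/decrypt and sign/verify, a CA binding a name to a public key by signing a certificate, and a chain that a relying party validates back to a root it trusts. The following is an added, self-contained illustration of all three, not code from the talk or from any HEPKI project. It uses textbook RSA with Mersenne primes (certainly prime, but far too small and unpadded, so insecure), a JSON stand-in for DER, and constructed names ("Campus Root CA", "Campus Issuing CA", "user@example.edu"); all of these are assumptions made for the example.

```python
"""Toy public-key infrastructure: textbook RSA, CA-issued certificates and
chain validation back to a trusted root. Added example, not from the talk."""
import hashlib
import json

# Constructed key material. Mersenne primes are used because they are certainly
# prime, so the keys below are valid RSA keys; they are far too small to be
# secure, and unpadded ("textbook") RSA is itself insecure. Real CAs use
# random 2048-bit-plus primes and padded signature/encryption schemes.
M19, M31, M61, M89, M107, M127 = [(1 << k) - 1 for k in (19, 31, 61, 89, 107, 127)]
E = 65537  # public exponent; coprime to (p-1)(q-1) for every pair used below


def make_key(p, q):
    """Return (public, private) for primes p, q; no prime is shared between keys."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": E}, {"n": n, "d": d}


def _digest(data, n):
    # Sign the hash of the data, reduced into the modulus, not the data itself.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    return pow(_digest(data, priv["n"]), priv["d"], priv["n"])


def verify(pub, data, sig):
    # Only the matching public key recovers the hash from the signature.
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])


def encrypt(pub, m):
    assert 0 < m < pub["n"], "plaintext must be smaller than the modulus"
    return pow(m, pub["e"], pub["n"])


def decrypt(priv, c):
    return pow(c, priv["d"], priv["n"])


def tbs_bytes(cert):
    """Canonical encoding of the to-be-signed fields (real certificates use DER)."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue(issuer_name, issuer_priv, subject, subject_pub, is_ca):
    """The CA binds a subject name to a public key by signing the certificate."""
    cert = {"subject": subject, "issuer": issuer_name, "pub": subject_pub, "ca": is_ca}
    cert["signature"] = sign(issuer_priv, tbs_bytes(cert))
    return cert


def validate_chain(chain, trust_roots):
    """chain runs from the end-entity certificate up to, but not including, the
    root; trust_roots maps a root name to its self-signed certificate. Every
    certificate must be signed by the next one, the issuer must be a CA whose
    name matches, and the last one must be signed by a trusted root. Anything
    else fails closed."""
    if not chain:
        return False
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else trust_roots.get(cert["issuer"])
        if issuer is None or not issuer["ca"] or issuer["subject"] != cert["issuer"]:
            return False
        if not verify(issuer["pub"], tbs_bytes(cert), cert["signature"]):
            return False
    return True


def build_demo():
    """Constructed hierarchy: root CA -> issuing CA -> one user. Names are made up."""
    root_pub, root_priv = make_key(M127, M89)
    ca_pub, ca_priv = make_key(M107, M61)
    user_pub, user_priv = make_key(M31, M19)
    root = issue("Campus Root CA", root_priv, "Campus Root CA", root_pub, True)  # self-signed
    ca = issue("Campus Root CA", root_priv, "Campus Issuing CA", ca_pub, True)
    user = issue("Campus Issuing CA", ca_priv, "user@example.edu", user_pub, False)
    return {"root": root, "ca": ca, "user": user, "user_priv": user_priv}


if __name__ == "__main__":
    d = build_demo()
    roots = {"Campus Root CA": d["root"]}
    print("chain valid:", validate_chain([d["user"], d["ca"]], roots))
    m = int.from_bytes(b"hi", "big")
    print("decrypts to same:", decrypt(d["user_priv"], encrypt(d["user"]["pub"], m)) == m)
```

The point of `validate_chain` is the three checks a relying party must not skip: the issuer name must match, the issuer must itself be a CA (the end-entity certificate cannot be used to mint further certificates), and the last link must terminate at a root the relying party already trusts rather than at whatever self-signed certificate happens to be supplied.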

Slide 5: Some reasons campuses are deploying PKI
Authentication
– Client certificates for Web application authentication
– VPN authentication and EAP-TLS for wireless
– Higher assurance / two-factor authentication
Digital signatures and business applications
Signed and encrypted email (S/MIME)
SSL server certificates, etc.

Slide 6: Higher Education PKI Activities (HEPKI)
Sponsors
– Internet2, EDUCAUSE, CREN, NET@EDU
HEPKI Technical Activities Group (TAG)
– Open-source PKI software
– Certificate profiles
– Directory / PKI interaction
– Validity periods
– Client customization issues
– Mobility
– Inter-institution test projects
– Technical issues with cross-certification

Slide 7: Some Drivers for Campus S/MIME Support
Prevent email spoofing
– Problems with forged email
– Students canceling classes, impersonating professors, etc.
– Official announcements
– Anti-spam filter bypass?
Business processes
– Protect sensitive messages and documents
– Signed messages
– S/MIME-based applications

Slide 8: S/MIME Project
– Two project phases: user-to-user; application-to-user and user-to-application
– Client interoperability testing: common signing and encryption algorithms, dual-key support, LDAP support
– Issues documentation: mailing list software; encryption of folders, key escrow, cc: repository

Slide 9: Some Potential S/MIME Applications
– Mailing lists: access and expansion of encrypted messages
– Travel expense reports and direct deposit notification
– Online forms routing: signed workflow
– Trouble ticket submissions
– Password resets
– Library notices: guard circulation data
– Timesheet submission
– Student debit card and long distance billing privacy
– FERPA opt-in/opt-out
– Sysadmin confirmation of batch jobs

Slide 10: Certificate Profiles
A per-field description of certificate content
– Standard and extension fields
– Criticality flags
– Syntax of values permitted per field
Spreadsheet and text formats
Higher education profile repository
– http://middleware.internet2.edu/certprofiles
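A profile is only useful if something checks certificates against it. The following is an added example, not a HEPKI profile or tool: a profile expressed as per-field rules (required or not, must be critical or not, permitted syntax) and a checker that reports every violation. The field names, validators and the two sample certificates are constructed for the example. One rule is not an assumption: an extension marked critical that the checker does not recognise is grounds for rejection (RFC 5280, section 4.2), which is why "criticality flags" belong in a profile at all.

```python
"""Checking a certificate against a certificate profile. Added example; the
field names, validators and sample certificates are constructed, not the
HEPKI profiles themselves."""
import re

EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Profile entry: (required, must_be_critical, validator). The validator
# expresses the "syntax of values permitted per field".
END_ENTITY_PROFILE = {
    "version": (True, False, lambda v: v == 3),
    "subject": (True, False, lambda v: isinstance(v, str) and v != ""),
    "validityDays": (True, False, lambda v: isinstance(v, int) and 0 < v <= 366),
    "basicConstraints": (True, True, lambda v: v == {"ca": False}),
    "keyUsage": (True, True, lambda v: v and set(v) <= {"digitalSignature", "keyEncipherment"}),
    "subjectAltName": (True, False, lambda v: v and all(EMAIL.match(e) for e in v)),
    "extKeyUsage": (False, False, lambda v: set(v) <= {"clientAuth", "emailProtection"}),
}


def check_profile(cert, profile):
    """Return the list of profile violations; empty means the certificate
    conforms. Applies the X.509 relying-party rule (RFC 5280, section 4.2):
    an extension marked critical that the checker does not understand is a
    reason to reject, never something to skip."""
    fields = cert["fields"]
    critical = set(cert.get("critical", ()))
    problems = []
    for name, (required, must_be_critical, ok) in profile.items():
        if name not in fields:
            if required:
                problems.append(f"missing required field: {name}")
            continue
        if not ok(fields[name]):
            problems.append(f"value not permitted for {name}: {fields[name]!r}")
        if must_be_critical and name not in critical:
            problems.append(f"{name} must be marked critical")
    for name in sorted(critical - set(profile)):
        problems.append(f"unrecognized critical extension: {name}")
    return problems


# Constructed sample certificates.
GOOD_CERT = {
    "fields": {
        "version": 3,
        "subject": "CN=A. User,O=Example University",
        "validityDays": 365,
        "basicConstraints": {"ca": False},
        "keyUsage": ["digitalSignature", "keyEncipherment"],
        "subjectAltName": ["user@example.edu"],
        "extKeyUsage": ["emailProtection"],
    },
    "critical": ["basicConstraints", "keyUsage"],
}

# Five-year validity, keyUsage left non-critical, a malformed email address and
# a critical extension the profile does not know about: all four are reported.
BAD_CERT = {
    "fields": {
        "version": 3,
        "subject": "CN=A. User,O=Example University",
        "validityDays": 5 * 365,
        "basicConstraints": {"ca": False},
        "keyUsage": ["digitalSignature"],
        "subjectAltName": ["not an email address"],
        "localPolicyExt": "whatever",
    },
    "critical": ["basicConstraints", "localPolicyExt"],
}

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        print(label, check_profile(cert, END_ENTITY_PROFILE) or "conforms")
```

The checker reports all violations rather than stopping at the first, which is what an RA operator or an interoperability tester wants when comparing a vendor's certificate against the profile.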

Slide 11: PKI-lite
Full function but lightweight
– A normal PKI technical infrastructure
– Authenticate users
– Issue certificates, perhaps revoke certificates
– A comparatively simple certificate profile
– Support applications, directories, etc.
– A lightweight administrative/policy structure
– Supports applications without high assurance needs
– One or two page certification policy
– Assurance levels per existing campus practice
– Campus evolution towards full featured PKI

Slide 12: PKI-lite Project Status
PKI-lite certificate profiles completed
– Designed to support web authentication and S/MIME
– End Entity profile
– CA certificate profile
PKI-lite Policy and Practices Statement
– Individual documents prepared, then merged
– Reviewed by many people
– Template-based fill-in-the-blanks approach
Certificate repository started

Slide 13: Some other work in progress
Hardware tokens
– Mobility
– Private key protection
– Two-factor authentication
Signing tools
– Web and client-based
– The active content problem
Other items
– Root cert downloads, PKI in XP, docs, demo CA projects, information sharing, etc.

Slide 14: Where to watch
– middleware.internet2.edu/hepki-tag
– www.educause.edu/hepki
– middleware.internet2.edu/hepki-tag/smime
– www.cren.net/ca
– NET@EDU PKI for Networked Higher Ed: www.educause.edu/netatedu/groups/pki
– PKI Labs: middleware.internet2.edu/pkilabs

