04/18/23 1
UPKI project update
Yasuo Okabe, Academic Center for Computing and Media Studies, Kyoto University
UPKI ― Inter-University Authentication and Authorization Platform for CSI
• Conducted by NII and the information infrastructure centers in 7 universities
• Supported by Ministry of Education, Science and Technology
(Figure: the UPKI common specification links the Campus AAI of University A, University B and University C; the examples drawn are a University A access point, a University B access point, a professor and a staff member of University B, University C electronic content, a University C administrative system, and wireless LAN roaming.)
04/18/23 NII International Workshop on Cyber Science Infrastructure
UPKI: concept
Targets various applications
• SSO of Web services
• E-mail digital signature/encryption by S/MIME
• Network services
  • wireless LAN roaming and VPN
  • Grid computing
Utilization of PKI
• “U” stands for University/Universal/Ubiquitous
• Deployment of Grid/PKI middleware for national academic AA infrastructure
Planned Schedule of UPKI
(Timeline chart across 2006 FY, 2007 FY, 2008 FY, and 2009 FY and later)
• UPKI Initiative: founded; gathering common interests and opinions, and feedback; interoperability check, knowledge transfer, publicity, tutorial works, …
• UPKI common specification: Campus PKI specification and model design (outsource model; insource model, multi-university cooperative model); Campus PKI CP/CPS template
• CA software: development of CA software package; distribution and support for deployment of CA software package
• Applications: wireless LAN roaming, single sign-on to Web services, S/MIME; developing, deploying and fostering new applications
• Deployment of campus PKI at each university; connecting universities; federation of applications, etc.
Ongoing Subprojects
• Designing common CP/CPS, profiles, …
• Development and deployment of “NAREGI-CA” Certificate Authority middleware
• PKI based applications
  • Inter-University Web SSO: SAML2.0/Shibboleth + PKI
  • Wireless LAN roaming: 802.1X, eduroam compatible (www.eduroam.jp); VPN
  • Secure e-mail service via S/MIME
  • Supercomputing Grid
  etc.
UPKI three layer Architecture
(Figure: three PKI layers, each with its end entities (EE))
• Grid PKI: the NAREGI CA at A Univ. and at B Univ. issues EE and proxy certificates used for Grid computing
• Campus PKI: A Univ. CA and B Univ. CA issue certificates for campus use to students and faculty, servers and supercomputers, used for authentication, signing and encryption
• Open Domain PKI: NII Public CA and other public CAs issue certificates to Web servers and for S/MIME, used for signing and encryption
• Future plan: Shibboleth/SAML
Subprojects by NII
• UPKI common CP/CPS【WP1】
• Public server certificate【WP2】
• Inter-University W-LAN roaming【WP3】
• SSO for Digital Library Service by NII and other universities via Shibboleth/SAML【WP4】
• Development of CA middleware【WP5】
• Deployment of S/MIME e-mail signature/encryption architecture【WP6】
Operation Models of CA
(Figure: who operates the RA and the IA under the CP/CPS)
• Insource: the university operates both RA and IA
• Full outsource: a provider operates both RA and IA
• IA outsource: the university operates the RA, a provider operates the IA
NAREGI: National Research Grid Initiative (http://www.naregi.org/), a collaboration project among industry, the academic sector and the government.
NAREGI Grid Middleware stack
http://www.naregi.org/concept/index_e.html#05
Nationwide Academic Grid Networks over SuperSINET (experimental)
(Figure: the NAREGI Grid network connects AIST (Tsukuba), Kyushu I. Tech., Kyushu U., I. Molecular Sci. (Okazaki), Tokyo I. Tech., Osaka U., the NII NAREGI core cluster, the IMS NAREGI cluster and Doshisha SD; the 8-center Grid Computing WG network connects Hokkaido U., Tohoku U., U. Tokyo, Nagoya U., Doshisha U., Kyoto U. and Kyushu U.)
NAREGI Certification Service
• CA Software (NAREGI-CA): CA/RA; UI (character, Web)
• Policy Management (NAREGI-PMA): CP/CPS; satisfies the APGrid minimum requirement
• Operation (NII GOC CA): operation of CA; authorized by the APGrid PMA as a Production Level CA
NAREGI-CA
• A full-fledged CA (Certificate Authority) software for PKI
• Originally developed for Grid computing, but can be used for general purpose
• Free open source software
• Ver2.0 (May.10.2006) is available at http://www.naregi.org/download/
• Research collaboration
  • Audit of CA: AIST, Japan
  • PMA for international cooperation: APGRID
• User sites: NAREGI, AIST, several universities
Comparison among CA software

| Product name | Issue of certif. | Periodic CRL | LDAP | HSM | Multiple CA | Profile management | HW token | Operator | Logging |
|---|---|---|---|---|---|---|---|---|---|
| NAREGI CA | file, bulk, WEB, LCMP | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○ |
| OpenSSL | file | × | × | × | ○ | × | × | × | × |
| Microsoft Certificate Server | WEB, LDAP | ○ | △ (Active Directory only) | △ (Domain Controller only) | × | △ (Domain Controller only) | ○ | × | △ (Event logging) |
| Entrust Authority | CMP, bulk, LDAP, WEB, SCEP | ○ | ○ | ○ | × | ○ | ○ | ○ | ○ |

○: available, ×: not available, △: some restriction
NAREGI-CA Software Features
• License ID management: transfer authentication responsibility to Local RA
• Grid operation extensions: assistance of Grid-mapfile creation
• Dual interfaces for certificate request: Web & command line enrollment
• CA/RA architecture: independent Registration Authority (RA) server; practical CP/CPS template
NAREGI-CA Architecture
(Figure: CA (Certificate Authority), RA (Registration Authority), Local RA (Site Administrator), End User & Host Administrator)
① Get License ID
② Authorize to pass License ID
③ Generate a key pair
④ Pass License ID & public key
⑤ Send CSR
⑥ Issue certificate
⑦ Get certificate
⑧ Get Grid map file
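The License ID handoff (steps ① to ④) and the Grid map file step (⑧), together with the "transfer authentication responsibility to Local RA" and "assistance of Grid-mapfile creation" features above, as an added hypothetical Python model that is not NAREGI-CA's own code: the Local RA hands out a single-use License ID bound to the subject DN it identified, and the grid-mapfile routines use the Globus-style quoted-DN line format; the sample entries and names are constructed.

```python
import re
import secrets

# Constructed sample of a Globus-style grid-mapfile: a quoted subject DN followed by
# the local account(s) it maps to; '#' lines are comments.
SAMPLE_GRIDMAP = """# constructed sample grid-mapfile
"/C=JP/O=NAREGI/OU=Kyoto University/CN=Taro Suzuki" taro
"/C=JP/O=NAREGI/OU=Kyoto University/CN=Hanako Sato" hanako,grid
"""

GRIDMAP_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<accounts>\S+)\s*$')


def parse_gridmap(text):
    """Return {subject DN: [local accounts]}; reject malformed or duplicate entries."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = GRIDMAP_LINE.match(line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn = m.group("dn")
        if dn in mapping:  # two entries for one DN would make the mapping ambiguous
            raise ValueError(f"duplicate subject DN: {dn}")
        mapping[dn] = m.group("accounts").split(",")
    return mapping


class LocalRA:
    """Hypothetical model of the Local RA (site administrator): it identifies the user
    and hands out a single-use License ID bound to the DN and local account it approved."""

    def __init__(self):
        self._issued = {}  # license_id -> (subject DN, local account)

    def issue_license(self, dn, account):
        license_id = secrets.token_hex(8)  # unguessable, one per enrolment
        self._issued[license_id] = (dn, account)
        return license_id

    def redeem(self, license_id, dn):
        """Check the License ID the user presents with the public key (step ④).
        pop() makes it single-use; a mismatched DN also burns it (fail closed)."""
        bound = self._issued.pop(license_id, None)
        if bound is None or bound[0] != dn:
            raise PermissionError("unknown, already used, or mismatched License ID")
        return bound[1]


def gridmap_entry(dn, account):
    """Grid-mapfile line for the certificate the CA issued (step ⑧)."""
    if '"' in dn:
        raise ValueError("subject DN must not contain a double quote")
    return f'"{dn}" {account}'
```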
Enhanced procedure to issue certificate
(Figure: roles are CA Administrator, RA Administrator, RA Operator and User, with the CA, the RA, an Application Server (web) and a Management Server (web); the user's IC card is drawn with a sample label “TARO SUZUKI 08/07”. Steps shown: Apply, Identify, Authorize, License ID, Challenge PIN (exchanged at several steps), Delegate, Issue Certificate.)
Campus-Grid PKI Federation
(Figure: in the Campus PKI, the Campus CA issues a certificate to the user on an IC card (sample label “TARO SUZUKI 08/07”); in the Grid PKI, the user requests a certificate from the NAREGI RA using the IC card as credential, the NAREGI CA issues a certificate for the Grid system (with LDAP), and the user accesses the Grid system of supercomputers.)
UPKI Initiative
• Founded on 16 Aug 2006
• Sponsored by NII AAI TWG
• Mission: gathering interests and opinions of not only universities but also industries
• https://upki-portal.nii.ac.jp/
(Figure: the AAI TWG (Hokkaido U, Tohoku U, U. Tokyo, Nagoya U, Kyoto U, Osaka U, Kyushu U, KEK, Tokyo Tech, NII) produces the common specification; universities, technical colleges, junior colleges, research institutes, etc. join the UPKI Initiative and return opinions and comments; NII CSI Headquarter.)
Summary
• UPKI national academic authentication and authorization infrastructure project has started.
  • Conducted by NII and the information infrastructure centers in the 7 universities
  • As a basic platform of Cyber Science Infrastructure
• We started later, so we have some advantages.
• International federation/collaboration is a very important issue.
APAN Middleware Working Group
APAN (Asia-Pacific Advanced Networking)
• 20th APAN (Taipei, Aug. 2005): National Authentication and Authorization Infrastructure and NREN (proposed session)
• 21st APAN (Tokyo, Jan. 2006): Middleware Workshop (full day); Middleware Working Group is approved for a period of two years
• 22nd APAN (Singapore, today): Grid Middleware Workshop
• 23rd APAN (Manila, Jan. 2007): Grid Middleware Workshop
• 24th APAN (Xian, Aug. 2007): Middleware Workshop