CAMP PKI UPDATE
August 2002

Jim Jokl
jaj@Virginia.EDU

Higher Education PKI Activities - HEPKI

• Sponsors
  – Internet2, EDUCAUSE, CREN, NET@EDU

• HEPKI - Technical Activities Group (TAG)
  – Open-source PKI software
  – Certificate profiles
  – Directory / PKI interaction
  – Validity periods
  – Client customization issues
  – Mobility
  – Inter-institution test projects
  – Technical issues with cross-certification

PKI-lite - Full function but lightweight

• A normal PKI technical infrastructure
  – Authenticate users
  – Issue certificates, perhaps revoke certificates
  – A comparatively simple certificate profile
  – Support applications, directories, etc.

• A lightweight administrative/policy structure
  – Supports applications without high assurance needs
  – One or two page certification policy
  – Assurance levels per existing campus practice

• Campus evolution towards full featured PKI

PKI-lite Project Status

• PKI-lite certificate profiles completed
  – Designed to support web authentication & S/MIME
  – End Entity profile
  – CA certificate profile

• PKI-lite Policy and Practices Statement
  – Individual documents prepared, then merged
  – Reviewed by many people
  – Template-based fill-in-the-blanks approach

• HEPKI Demo CA
  – Source code available for examination

• Certificate repository

S/MIME Project Charter

• Why S/MIME
  – Support in many email clients
  – Why not PGP
  – A business driver for PKI
  – Chicken & egg problem

• Project goals
  – Demonstrate the technology
  – Show intercampus interoperability
  – Leverage the effort of multiple institutions working together

S/MIME Project Plan

• Phase 1
  – Client interoperability testing
  – Certificate management
  – Documentation for users

• Phase 2
  – Real campus users
  – PKI-lite profile certificates & assurance
  – User-to-application trials
  – Application-to-user trials

• Goal: make S/MIME easy to deploy

S/MIME Project: Some Early Results

• Email client interoperability testing results
  – Common signing algorithms: SHA-1 & MD5
  – Common encryption algorithms: DES, 3DES, RC4
  – Default client configurations basically just work: SHA-1 & 3DES
  – These are the 2002 client defaults; MD5 and SHA-1 signatures, DES and RC4 are now broken or deprecated, and current S/MIME clients (RFC 8551) use SHA-256 and AES

• Interesting issues
  – Messages stored in folders are encrypted
    • Key escrow issues
  – Opaque signing
  – Outlook & encryption certificate
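The profile bullets in the project status above (an end-entity certificate usable for both web authentication and S/MIME) and the opaque-signing issue in these results can be shown end to end. The block below is an added example written for this page; it is not code from the HEPKI deck, the PKI-lite project or the demo CA. It assumes the `cryptography` Python package is installed; the CA name, the e-mail address, the sample message and the profile rules it enforces (not a CA, clientAuth and emailProtection EKUs, an rfc822Name in the SAN) are assumptions for the illustration, not the published PKI-lite profile.

```python
"""Added example, not from the HEPKI deck: issue a PKI-lite-style CA and end-entity
certificate, check the end-entity certificate against an assumed minimal profile,
then produce a clear-signed and an opaque S/MIME signature for the same message."""
import base64
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOT_BEFORE = datetime.datetime(2024, 1, 1)   # naive datetimes are treated as UTC


def make_ca(cn="Example Campus PKI-lite CA"):   # assumed CA name
    """Self-signed campus CA: critical basicConstraints CA=TRUE, keyCertSign + cRLSign only."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_BEFORE + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=False, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=True,
            crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_end_entity(ca_key, ca_cert, cn, email, days=365):
    """End-entity cert for web client auth and S/MIME: rfc822Name in the SAN plus both EKUs."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
        .issuer_name(ca_cert.subject).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_BEFORE + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
        .add_extension(x509.ExtendedKeyUsage(
            [ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.EMAIL_PROTECTION]),
            critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def profile_violations(cert):
    """List how `cert` misses the (assumed) end-entity profile; an empty list means it conforms."""
    problems = []
    try:
        if cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            problems.append("end-entity cert must not be a CA")
    except x509.ExtensionNotFound:
        problems.append("basicConstraints missing")
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        for oid, label in ((ExtendedKeyUsageOID.CLIENT_AUTH, "clientAuth"),
                           (ExtendedKeyUsageOID.EMAIL_PROTECTION, "emailProtection")):
            if oid not in eku:
                problems.append(f"EKU lacks {label}")
    except x509.ExtensionNotFound:
        problems.append("extendedKeyUsage missing")
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        if not san.get_values_for_type(x509.RFC822Name):
            problems.append("SAN has no rfc822Name (S/MIME clients match the From: address on it)")
    except x509.ExtensionNotFound:
        problems.append("subjectAltName missing")
    return problems


def smime_clear_signed(cert, key, message):
    """multipart/signed: the text part stays readable by any client; the signature rides alongside."""
    return (pkcs7.PKCS7SignatureBuilder().set_data(message)
            .add_signer(cert, key, hashes.SHA256())
            .sign(serialization.Encoding.SMIME, [pkcs7.PKCS7Options.DetachedSignature]))


def smime_opaque_signed(cert, key, message):
    """application/pkcs7-mime: the message is inside the CMS blob, so a client or list
    server that does not understand S/MIME sees only an attachment (RFC 8551 section 3.5.2)."""
    der = (pkcs7.PKCS7SignatureBuilder().set_data(message)
           .add_signer(cert, key, hashes.SHA256())
           .sign(serialization.Encoding.DER, []))
    body = base64.encodebytes(der).replace(b"\n", b"\r\n")
    return (b"MIME-Version: 1.0\r\n"
            b'Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"\r\n'
            b"Content-Transfer-Encoding: base64\r\n"
            b'Content-Disposition: attachment; filename="smime.p7m"\r\n\r\n' + body)


def demo():
    ca_key, ca_cert = make_ca()
    ee_key, ee_cert = issue_end_entity(ca_key, ca_cert, "Jane Doe", "jdoe@example.edu")
    message = b"Timesheet for pay period 12 approved."   # constructed sample message
    return {
        "ee_violations": profile_violations(ee_cert),
        "ca_as_ee_violations": profile_violations(ca_cert),   # the CA cert must fail the EE checks
        "clear": smime_clear_signed(ee_cert, ee_key, message),
        "opaque": smime_opaque_signed(ee_cert, ee_key, message),
        "message": message,
    }
```

Run `demo()` and compare the two outputs: the clear-signed body contains the message text verbatim next to a `smime.p7s` part, while the opaque form carries it only inside the base64 CMS structure, which is why list servers and non-S/MIME clients handle the two so differently.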

S/MIME Project

• Mailing list software
  – List management software and signatures
  – Strong authentication for private email lists
  – www.sympa.org

• User-to-machine interactions
  – Software library for developers

• Documentation on website
  – Project plan
  – S/MIME clients
  – Test CA pointers and the start of a FAQ

Possible S/MIME-based Applications

• Travel expense reports
• Notification of direct deposits
• Online forms routing - signed workflow
• Trouble ticket submissions
• Password resets
• Library notices - guard circulation data
• Student debit card statement privacy
• Timesheet submission
• Long distance billing privacy
• FERPA opt-in/opt-out
• Sysadmin confirmation of batch jobs
• List server expansion of encrypted messages

HEPKI-TAG: next steps - The Mobility Problem

• Private key access in a mobile environment

• Hardware tokens
  – Smart cards & USB devices
  – For mobility, enhanced assurance, non-repudiation
  – On-device key generation vs. keys generated in host memory and loaded
  – PIN protection schemes
    • Dual user/admin PIN systems
      – Card locks after x user-PIN attempts
      – Fuse opens after y admin-PIN attempts
    • Single PIN / reinitialize systems
      – Card blocks after x user-PIN attempts
      – Card can be reset back to factory state and reused
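The two PIN schemes differ in what survives a lockout, which is easiest to see by running both against a PIN-guessing attacker and against a user who has forgotten the PIN. The block below is an added example for this page, not code from the deck or from any card vendor; the retry limits x and y, the PIN values and the "on-card key" label are illustrative assumptions.

```python
"""Added example, not from the HEPKI deck: a model of the dual user/admin PIN scheme and the
single PIN / reinitialize scheme, exercised by an attacker and by a legitimate user."""


class CardDead(Exception):
    """Fuse blown: the card is permanently unusable."""


class CardLocked(Exception):
    """Retry counter exhausted; a recovery step is needed before any further PIN check."""


class DualPinToken:
    """User PIN with retry counter x, admin PIN with retry counter y.  A user-PIN lockout
    is recoverable with the admin PIN; y admin failures open the fuse."""

    def __init__(self, user_pin, admin_pin, x=3, y=10):       # x, y are assumed limits
        self._user_pin, self._admin_pin, self._x, self._y = user_pin, admin_pin, x, y
        self.user_tries_left, self.admin_tries_left = x, y
        self.key_material = "on-card key"   # stands in for the private key generated on-device
        self.dead = False

    def verify_user(self, pin):
        if self.dead:
            raise CardDead()
        if self.user_tries_left == 0:
            raise CardLocked("user PIN locked; present the admin PIN")
        if pin == self._user_pin:
            self.user_tries_left = self._x      # a success resets the counter
            return True
        self.user_tries_left -= 1
        return False

    def admin_unblock(self, admin_pin, new_user_pin):
        if self.dead:
            raise CardDead()
        if admin_pin != self._admin_pin:
            self.admin_tries_left -= 1
            if self.admin_tries_left == 0:      # fuse opens: the key is gone for good
                self.dead, self.key_material = True, None
            return False
        self._user_pin = new_user_pin
        self.user_tries_left, self.admin_tries_left = self._x, self._y
        return True


class SinglePinToken:
    """One PIN with retry counter x; after x failures the card blocks and the only way back
    is a factory reinitialize, which erases the on-card key."""

    def __init__(self, pin, x=3):
        self._pin, self._x, self.tries_left = pin, x, x
        self.key_material = "on-card key"
        self.blocked = False

    def verify(self, pin):
        if self.blocked:
            raise CardLocked("card blocked; reinitialize to reuse")
        if pin == self._pin:
            self.tries_left = self._x
            return True
        self.tries_left -= 1
        if self.tries_left == 0:
            self.blocked = True
        return False

    def reinitialize(self, new_pin):
        """Factory state: usable again, but the key (and its certificate) must be re-issued."""
        self._pin, self.tries_left, self.blocked = new_pin, self._x, False
        self.key_material = None


def attacker_with_the_card():
    """Attacker guesses user PINs, then admin PINs.  Returns the end state of each scheme."""
    dual, single = DualPinToken("1234", "87654321", x=3, y=5), SinglePinToken("1234", x=3)
    for guess in ("0000", "1111", "2222"):
        dual.verify_user(guess)
        single.verify(guess)
    dual_user_locked = dual.user_tries_left == 0
    for guess in range(5):                       # admin PIN guesses until the fuse opens
        dual.admin_unblock(f"{guess:08d}", "0000")
    return {"dual_user_locked": dual_user_locked, "dual_dead": dual.dead,
            "dual_key": dual.key_material, "single_blocked": single.blocked,
            "single_key": single.key_material}   # key still on the single card, but unreachable


def user_who_forgot_the_pin():
    """Legitimate recovery: the dual scheme keeps the key, the single scheme loses it."""
    dual, single = DualPinToken("1234", "87654321", x=3), SinglePinToken("1234", x=3)
    for guess in ("1111", "2222", "3333"):
        dual.verify_user(guess)
        single.verify(guess)
    dual_recovered = dual.admin_unblock("87654321", "4321") and dual.verify_user("4321")
    single.reinitialize("4321")
    return {"dual_recovered": dual_recovered, "dual_key": dual.key_material,
            "single_usable": single.verify("4321"), "single_key": single.key_material}
```

The trade-off the slide points at falls out of the two scenarios: the admin PIN turns a forgotten user PIN into a help-desk event instead of a certificate re-issue, at the price of a second secret that must itself be protected and whose exhaustion destroys the card.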

HEPKI-TAG: next steps - Certificate-based SSH Authentication

• Motivation
  – Solves the initial key authentication problem
  – Enables use of smart cards/USB devices for two-factor authentication

• SSH.com (commercial server)
  – Load CA certificate chain
  – Issue cert to server
  – Build file to map Unix users to certificate fields
    • Fixed fields
    • Regular expressions and substitution

• Interoperability
  – SSH.com server & clients, VanDyke SecureCRT
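The mapping file is where certificate-based SSH login is most easily misconfigured: a regular-expression rule that substitutes part of a certificate field into an account name must not be able to produce an account the administrator never intended. The block below is an added example for this page, not code from the deck and not SSH.com's map-file syntax (the rule format is invented here, and the sample map file and certificate field values are constructed). It takes the subject and rfc822Name fields a server would have extracted from an already-validated client certificate.

```python
"""Added example, not from the HEPKI deck or from SSH.com: map certificate fields to a Unix
account with fixed-field rules and regular-expression substitution rules, failing closed."""
import re

# Assumed rule syntax, one per line:   <kind> <field> <pattern> -> <username>
#   kind  = fixed | regex        field = subject | email
#   A regex pattern must match the whole field value; the username may use \1, \2 ...
CONSTRUCTED_MAPFILE = r"""
# fixed rules are tried before regex rules
fixed email   sysadmin-oncall@virginia.edu -> root
fixed subject CN=Jane Doe,OU=ITC,O=University of Virginia -> jdoe
regex email   ^([a-z][a-z0-9]{1,7})@virginia\.edu$ -> \1
"""

# Field values as a server would extract them from validated client certificates (constructed).
CONSTRUCTED_CERTS = {
    "jane": {"subject": "CN=Jane Doe,OU=ITC,O=University of Virginia", "email": "jdoe@virginia.edu"},
    "bob": {"subject": "CN=Bob Lee,OU=Physics,O=University of Virginia", "email": "bl4x@virginia.edu"},
    "visitor": {"subject": "CN=Visitor,O=Other University", "email": "visitor@other.edu"},
    "mallory": {"subject": "CN=Mallory,O=University of Virginia", "email": "root@virginia.edu"},
}

LOCAL_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
PRIVILEGED = {"root", "daemon", "bin", "sys", "adm", "nobody"}   # never reachable via a regex rule


def parse_mapfile(text):
    """Return a list of (kind, field, pattern, target) rules; reject malformed lines loudly."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            lhs, target = line.rsplit("->", 1)
            kind, field, pattern = lhs.split(None, 2)
        except ValueError:
            raise ValueError(f"mapfile line {lineno}: expected '<kind> <field> <pattern> -> <user>'")
        if kind not in ("fixed", "regex") or field not in ("subject", "email"):
            raise ValueError(f"mapfile line {lineno}: unknown kind or field")
        rules.append((kind, field, pattern.strip(), target.strip()))
    return rules


def map_user(rules, cert_fields):
    """Local account for the certificate, or None.  Fixed rules win; a regex rule must match
    the whole field and may never yield a privileged or syntactically invalid name."""
    for kind, field, pattern, target in sorted(rules, key=lambda r: r[0] != "fixed"):
        value = cert_fields.get(field)
        if value is None:
            continue
        if kind == "fixed":
            if value == pattern:
                return target
            continue
        match = re.fullmatch(pattern, value)
        if match:
            user = match.expand(target)
            if LOCAL_USER_RE.match(user) and user not in PRIVILEGED:
                return user
            return None        # rule matched but produced a bad name: fail closed, do not keep trying
    return None


def demo():
    rules = parse_mapfile(CONSTRUCTED_MAPFILE)
    return {name: map_user(rules, fields) for name, fields in CONSTRUCTED_CERTS.items()}
```

With the sample map file, `demo()` maps Jane through the fixed subject rule and Bob through the regex, rejects the visitor (no rule matches), and rejects Mallory even though the regex matches, because the substitution would have produced `root`; a privileged account is only reachable through an explicit fixed rule. The regex is also anchored with `fullmatch`, so a CA that issued `jdoe@virginia.edu.attacker.example` could not satisfy it.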

HEPKI-TAG: next steps

• Document and form signing tools
  – The active content problem
  – Web-based
  – Client tools

• Windows XP bridge functionality
  – Path construction & validation
  – Support for name and policy constraints
  – Applications

• S/MIME Project continued

• Browser Issues & Usability

HEPKI-TAG Resources

• PKI-Lite
  – EE certificate profile
  – CA certificate profile
  – Policy and Practices statement

• Demonstrations
  – HEPKI-CA
  – Client authentication
  – Certificate Repository

• Certificate profile repository

• S/MIME client interoperability testing chart

• Certificate Profile Maker

• DC Naming Recommendation

And, old problems don't go away ....

• Trusted Root problem
  – An old issue
  – That isn't fixed yet
  – Complete with intuitive user interfaces

• Large support question
  – Get the whole campus to download?
  – Support users one at a time?
  – Other options?
  – Who knows a lot about keystore access?

References

• Main HEPKI Site
  – http://www.educause.edu/hepki

• HEPKI-TAG
  – http://middleware.internet2.edu/hepki-tag

• S/MIME Project Site
  – http://middleware.internet2.edu/hepki-tag/smime

• Demonstration Site
  – http://pkidev.internet2.edu

• Many other links at the above sites