UPKI: Inter-University Authentication and Authorization Platform for Japanese Cyber-Science Infrastructure
Yasuo Okabe, Academic Center for Computing and Media Studies, Kyoto University
Information Infrastructure Centers in the Seven Universities in Japan
• Hokkaido University, Information Initiative Center (Sapporo)
• Tohoku University, Information Synergy Center (Sendai)
• University of Tokyo, Information Technology Center (Tokyo)
• Nagoya University, Information Technology Center (Nagoya)
• Kyoto University, Academic Center for Computing and Media Studies (Kyoto)
• Osaka University, Cybermedia Center (Osaka)
• Kyushu University, Computing and Communications Center (Fukuoka)
• National Institute of Informatics (NII) (Tokyo)
Brief history of the federation among the Centers
• 1968-69: Established as supercomputer centers for nation-wide service
• 1981: Connected by commercial X.25 service
• 1986: Dedicated interuniversity X.25 network service was started by NACSIS (predecessor of NII)
• 1988: JAIN (Japan Academic Inter-university Network) project started; IP over X.25
• 1992: SINET, the academic Internet backbone service, was started by NACSIS
• 2002: Operation of SuperSINET was started
• 2003: NAREGI (National Research Grid Initiative) project started
Federated Identity Management among the Centers (up to 2004):
• Unified ID
• Online subscription to secondary centers
NII: Toward Cyber-Science Infrastructure
Next-generation Academic Information Infrastructure for Interuniversity Collaboration
Components of the Cyber-Science Infrastructure (CSI), as shown in the slide diagram:
• SINET/SuperSINET: National Academic Internet Backbone, connecting Hokkaido University, Tohoku University, University of Tokyo, NII, Nagoya University, Kyoto University, Osaka University and Kyushu University
• UPKI: Authentication and Authorization Platform
• NAREGI (National Research Grid Initiative)
• NII-REO (Repository of Electronic Journals and Online Publications)
• GeNii (Global Environment for Networked Intellectual Information)
• Fundamental Resources for Academic and Research Activities
• Education and Training / Encouraging Young Talent
• Cooperation with Industry
• International Collaboration
UPKI: concept
Authentication and Authorization platform for Cyber-Science Infrastructure in Japan. It targets various applications:
• SSO of Web services
• Network services: wireless LAN roaming, VPN, public IP phone/Web terminals
• Grid computing
• Utilization of PKI
UPKI: project members
NII SINET Headquarters, Authentication and Authorization Working Group
• Yasuo Okabe, Kyoto University (chair)
• Noboru Sonehara, NII (vice chair)
• Yoshiaki Takai, Hokkaido University
• Hideaki Sone, Tohoku University
• Hiroyuki Sato, University of Tokyo
• Yasushi Hirano, Nagoya University
• Shinji Shimojo, Osaka University
• Takahiro Suzuki, Kyushu University
• Satoshi Matsuoka, Tokyo Institute of Technology
• Setsuya Kawabata, KEK
Authentication for campus wireless LAN (slide diagram)
• Hokkaido Univ.: CA and RA with a certificate repository. The registrar registers the user (Prof. A), who receives a certificate (public key) and holds the corresponding private key on a PKI token.
• Campus LAN and campus/public wireless APs: authentication and authorization by PKI, with mutual authentication between the user and the network.
• NII: Bridge CA, cross-certified with the university CA through policy mapping.
• Roaming service: when Prof. A is visiting another university, mutual authentication with the visited network is performed through the Bridge CA.
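As an added illustration of the bridge-CA roaming case in the diagram above (this is not code from the original slides or from the UPKI project), the following Go program builds a constructed bridge CA, a cross-certificate that the bridge CA issues for a home-university CA, and a user certificate issued by that home CA. It then shows that a verifier trusting only the bridge CA accepts the user certificate only when the cross-certificate is available to build the chain. The names, the use of Go's crypto/x509 chain building, and the omission of policy mapping are assumptions of this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue creates and parses a certificate for pub signed with signer's key; parent gives the issuer name (nil = self-signed).
func issue(serial int64, cn string, isCA bool, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER was just produced by Go, so it parses
	return c
}
// BridgeVerify models the roaming slide: the visited university trusts only the (constructed) NII bridge CA and
// needs the bridge's cross-certificate of the home CA to accept Prof. A's certificate. Returns (with, without).
func BridgeVerify() (bool, bool) {
	bridgeKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	homeKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bridgeCert := issue(1, "UPKI Bridge CA (constructed)", true, nil, &bridgeKey.PublicKey, bridgeKey)
	// Cross-certificate: the bridge CA certifies the home CA's public key under the home CA's name.
	crossCert := issue(2, "Home University CA (constructed)", true, bridgeCert, &homeKey.PublicKey, bridgeKey)
	userCert := issue(3, "Prof. A (constructed)", false, crossCert, &userKey.PublicKey, homeKey)
	roots := x509.NewCertPool()
	roots.AddCert(bridgeCert) // the visited university's only trust anchor
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, errNoBridge := userCert.Verify(opts) // no cross-certificate available: no chain to the anchor
	opts.Intermediates = x509.NewCertPool()
	opts.Intermediates.AddCert(crossCert)
	_, errBridge := userCert.Verify(opts)
	return errBridge == nil, errNoBridge == nil
}
func main() {
	fmt.Println(BridgeVerify()) // prints: true false
}
```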
UPKI: requirements
• Scalability: up to 800 universities in Japan. A centralized system will never work; federated ID management is indispensable.
• Security: against so many cyber attacks and increasing physical attacks.
• Privacy: compliant with the law of privacy protection in Japan, enforced since April 2005.
• Mobility: both students and professors may visit other universities.
• Cost: National Universities have become independent agencies since 2004.
UPKI: basic idea
• Deployment of Grid/PKI middleware for a national academic AA infrastructure
• Management of faculty members, administrative staff and students; Virtual Organizations (VO) like committees, research groups or academic societies should be supported
• Targets all of: educational activities like e-learning, administrative work like exchange of credits among universities, research activities like Grid computing, and other networking services like WLAN roaming; a single infrastructure is used by all applications
• AA based on Federated Identity Management is the key
• PKI solves some authentication issues, but not all; PKI itself has many problems in deployment
NAREGI: National Research Grid Initiative
http://www.naregi.org/
Collaboration projects among industry, the academic sector and the government.
NAREGI Grid Middleware stack: http://www.naregi.org/concept/index_e.html#05
NAREGI CA
• A full-fledged CA (Certificate Authority) software for PKI
• Originally developed for Grid computing, but can be used for general purposes
• Free open source software; Version 1.0.1 is available at the download site http://www.naregi.org/download/
Comparison among CA software

Product name | Issue of certif. | CRL periodical | LDAP | HSM | Multiple CA | Profile management | HW token | Operator | Logging
NAREGI CA | file, bulk, WEB, LCMP | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○
OpenSSL | file | × | × | × | ○ | × | × | × | ×
Microsoft Certificate Server | WEB, LDAP | ○ | △ (Active Directory only) | △ (Domain Controller only) | × | △ (Domain Controller only) | ○ | × | △ (Event logging)
Entrust Authority (commercial CA) | CMP, bulk, LDAP, WEB, SCEP | ○ | ○ | ○ | × | ○ | ○ | ○ | ○

○: available, ×: not available, △: some restriction
Case study: The Consortium of Universities in Kyoto
http://www.consortium.or.jp/
• Consortium of 50 universities in Kyoto: 3 national, 2 prefectural, 2 municipal, 43 private. Most of them are in the central area of Kyoto City.
• Activities: shared lecture rooms near JR Kyoto Shinkansen station.
  • Classes for ordinary students, evening classes and classes for graduated adults
  • Open Web terminals, WLAN services
• Exchange of credits among universities, in a very conventional manner.
• How will academic AAI help them?
UPKI: issues
• How various services can be provided on a single AA infrastructure: Web services, Grid computing, network services
• Existing work:
  • GridShib: Shibboleth for non-web-based applications
  • eduroam campus wireless roaming service architecture
  • EGEE multi-VO support and delegation via MyProxy
  • E-authentication by the U.S. government
  • GPKI, LGPKI and JPKI for Japanese e-government
• How can we learn from and collaborate with them?
Summary
• The UPKI national academic authentication and authorization infrastructure project has just started.
  • Conducted by NII and the information infrastructure centers in 7 universities
  • As a basis of CSI (Cyber Science Infrastructure), the next generation of SINET/SuperSINET
• Actually, federated identity management is unavoidable even within a (big) university, and political issues also exist.
• We have started later, so we have some advantage.
• International federation/collaboration is a very important issue.