Dartmouth PKI Deployment Case Study: What Works and Doesn’t Work (so far) Presented by: Mark Franklin Sixth Annual PKI Summit at Snowmass, Colorado August.

Presentation transcript:

Dartmouth PKI Deployment Case Study: What Works and Doesn’t Work (so far) Presented by: Mark Franklin Sixth Annual PKI Summit at Snowmass, Colorado August 2004

2 Dartmouth PKI Lab
R&D to make end user PKI a practical component of a campus network
Multi-campus collaboration sponsored by the Mellon Foundation
Dual objectives:
–Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).
–Improve the current state of the art. Identify security issues in current products. Develop solutions to the problems.

3 Production PKI Applications at Dartmouth
Dartmouth certificate authority
–Issued certificates to 850 end users, 575 of them active students
PKI authentication in production for:
–Banner Student Information System
–Library Electronic Journals
–Tuck School of Business Portal
–VPN Concentrator
–Blackboard CMS
–Software downloads
S/MIME (Outlook, Mozilla, Thunderbird)
AOL AIM (PKI-secured sys admin communications)

4 Lessons Learned at Dartmouth
Works:
–Start simple, fancier later
–Online enrollment
–Client-side SSL authN
–VPN authN
–PKI authN initially as an option
–USB tokens for security & portability
–Security incident inspires urgency
Doesn’t Work:
–User-initiated revocation
–Certificate renewal
–Fast conversion to PKI authN
–Complex CP/CPS documents
–Encryption (at least not yet)

5 Works: Start simple, fancier later
Don’t try to make it perfect right away
Simplify, get started, adjust, etc.
Avoid getting mired in making elaborate policies
It is possible to adjust your policies later – just issue a new CPS (few read them anyway)
How many institutions have a formal username/password policy?
Remember what you’re replacing and don’t make PKI a non-starter by holding it to too high standards.

6 Works: Online enrollment
Self-service web enrollment for low assurance and short term certificates (2 minute operation, LDAP password authN)
Higher assurance certificates still web enrollment, but also require authorized Dartmouth representative to check ID (5 minute operation)

7 Works: Client-side SSL authN
Apache mod_ssl easy to set up, IIS works out of the box
Seamless failover to legacy Kerberos authN
Oracle iAS integration works well
PKI-only authN is easy to set up – more work to support failover to legacy authN and handle non-compliant browsers gracefully.

8 Works: PKI authN initially as an option
Reduce barriers to getting started
Relatively risk free environment to refine PKI authN
Conservative deployment avoids big glitches
Earn confidence of system owners over time
Our sys admin community wouldn’t allow requiring PKI right away anyway.
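The optional client-certificate authN with failover to legacy authN that slides 7 and 8 describe, as an added example (not Dartmouth's code): it assumes the environment variables Apache mod_ssl exports when configured with `SSLVerifyClient optional` and `SSLOptions +StdEnvVars`, and the CA and user names in it are constructed placeholders.

```python
"""Added example (not Dartmouth's code): request-time decision for "PKI authN as an
option". Assumes Apache mod_ssl with `SSLVerifyClient optional` and
`SSLOptions +StdEnvVars`, which export SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN,
SSL_CLIENT_I_DN and SSL_CLIENT_V_REMAIN; CA/subject names are constructed placeholders."""
from dataclasses import dataclass
from typing import Optional

CAMPUS_CA_CN = "Example Campus CA"  # constructed placeholder for the institutional CA
RENEWAL_WARNING_DAYS = 30

@dataclass
class AuthDecision:
    method: str                      # "pki", "legacy" or "reject"
    principal: Optional[str] = None
    note: Optional[str] = None

def rdn(dn: str, attr: str) -> Optional[str]:
    """Read one attribute from a DN in legacy ("/C=US/O=Org/CN=x") or RFC 2253 form."""
    parts = dn.strip("/").split("/") if dn.startswith("/") else dn.split(",")
    for part in parts:
        key, _, value = part.strip().partition("=")
        if key.upper() == attr.upper():
            return value
    return None

def decide(environ: dict) -> AuthDecision:
    """Map mod_ssl's client-verification result to an authentication path."""
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify == "NONE":
        # No certificate offered (user has none, or browser cannot do client auth):
        # hand the request to the legacy Kerberos/password login instead of failing.
        return AuthDecision("legacy", note="no client certificate presented")
    if verify != "SUCCESS":
        # "FAILED:..." or "GENEROUS" (only with optional_no_ca): a certificate was
        # offered but not validated by the server. Never log the user in on it.
        return AuthDecision("reject", note=f"certificate not verified: {verify}")
    # Chain validation is not enough if the CA bundle trusts other issuers too:
    # pin PKI login to certificates issued by the campus CA.
    if rdn(environ.get("SSL_CLIENT_I_DN", ""), "CN") != CAMPUS_CA_CN:
        return AuthDecision("reject", note="certificate not issued by the campus CA")
    principal = rdn(environ.get("SSL_CLIENT_S_DN", ""), "CN")
    if not principal:
        return AuthDecision("reject", note="certificate subject has no CN")
    note = None
    remain = environ.get("SSL_CLIENT_V_REMAIN")  # days until expiry, as a string
    if remain is not None and int(remain) <= RENEWAL_WARNING_DAYS:
        note = f"certificate expires in {remain} days; prompt for renewal"  # slide 12
    return AuthDecision("pki", principal=principal, note=note)
```

The renewal nudge at the end is the low-friction counterpart to the renewal troubles slide 12 reports: the user is warned while the credential still works rather than locked out when it expires.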

9 Works: USB tokens for security & portability
Enforces password on private key in Windows CAPI
Excellent portability for PKI credentials
Also store legacy username/password securely – bridge to PKI future
We’re just ramping up (700 Aladdin eTokens to freshmen next month) – talk to us in a year and we’ll know a lot more.

10 Works: Security incident inspires urgency
Very recent incident – dust not settled yet
USB tokens now very high priority
We laid the groundwork… now we expect an urgent mandate to go into high gear.
Don’t try this at home, kids! (Not recommended procedure to get priority!)

11 Doesn’t Work: User-initiated revocation
Users simply don’t revoke their certificates
Fortunately, they don’t lose control of their private key often either (tokens should virtually eliminate this)
Still need institutional-initiated revocation

12 Doesn’t Work: Certificate renewal
Application owners and users consider renewal an annoyance
Troubles with renewal announcements in Sun ONE CA (discontinued, and one SP back)
Glitches with renewal on tokens
We’ve just moved to four year validity period (covers most undergraduates without renewal).

13 Doesn’t Work: Fast conversion to PKI authN Minimizing user disruption is paramount to our system administrators and application owners, and they refused to deploy PKI aggressively. Likely different now after our security incident and now that we have a good track record with the initial cautious deployment.

14 Doesn’t Work: Complex CP/CPS documents
8-pagers are hard enough to keep up with – 80 pages?!?
PKI-Lite is a good starting point
Get more complicated only as needed

15 Doesn’t Work: Encryption (at least not yet)
Key escrow complexity
Separate signing and encryption keys cause complication in apps
Complications arise from our strategy of issuing multiple sets of credentials for user convenience
Nothing insurmountable – we just chose not to go there yet in the name of simplicity.

16 Conclusion
Dartmouth’s first year of production client-side PKI has gone quite well, and we intend to refine and aggressively expand our deployment.

17 For More Information
Outreach web:
Dartmouth PKI Lab PKI Lab information:
Dartmouth user information, getting a certificate: