The PKI Lab at Dartmouth Presentation for Mellon Retreat February 9, 2004.

Presentation transcript:

The PKI Lab at Dartmouth Presentation for Mellon Retreat February 9, 2004

2 Dartmouth PKI Lab Project Overview and Status

3 Dartmouth PKI Lab
R&D to make PKI a practical component of campus networks
Multi-campus collaboration sponsored by the Mellon Foundation
Dual objectives:
– Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).
– Improve the current state of the art. Identify security issues in current products. Develop solutions to the problems.

4 Production PKI Applications at Dartmouth
Dartmouth certificate authority
– Over 600 end user certificates issued, 435 of them to students
Authentication for:
– Library Electronic Journals (including OVID)
– Banner Student Information System
– Tuck School of Business Portal
– VPN Concentrator
S/MIME (few users)

5 Second Wave of PKI Deployment at Dartmouth
Actively developing:
Authentication for:
– Blackboard Course Management System
– Software downloads
Hardware tokens
– Required for VPN access to secured subnets
Higher assurance certificates (picture ID check)
We plan to reach all Dartmouth users with PKI through continued deployment of applications and increasing incentives and requirements for its use

6 Investigation and Research
Wireless authentication
– 802.1x authentication EAP-TLS (PKI) on Win and Mac
– WEP encryption on Win with proper drivers
– WPA encryption with latest wireless cards and firmware
– multiple SSID access point for transition
Greenpass: pilot of SDSI/SPKI authorization certificates for delegation of authentication credentials for wireless guest access
– Now supported by Cisco and (we hope) by Intel

7 “Open Source CA in a Box”
Provide a hardened open source CA bundle suitable for trial and (initially) simple deployment.
Selecting an open source CA
– OpenCA
– Papyrus
– pyCA
Enforcer TPM-hardened Linux (available now)
– Turns controversial TCPA technology “to the light” to secure the Linux boot process and provide much enhanced run-time protection against hackers
– Useful for any Linux server application (e.g. Apache, LDAP, mail, LionShare or Westwood “ultra peer”)
– slashdot.org/article.pl?sid=03/09/10/
Packaging for easy installation (summer)
Carefully chosen enhancements to the open source CA
– Added features
– Enhanced private key protection
We welcome feedback on requirements, contributions, testing, etc!

8 Outreach
Many presentations, papers
– Planning a PKI Deployment Summit
Working with schools deploying PKI
– PKI’s inexpensive 2-factor authentication proving an attractive proposition
Deployment partners:
– University of Wisconsin
– University of Minnesota
– University of Texas
– Others getting started (USC, Yale)
March/April EDUCAUSE Review “New Horizons” article
Outreach web:

9 Dartmouth PKI Lab Interrelation With Other Projects:
“Off the shelf” PKI for projects with Web and non-Web client/server applications
Specific P2P proposal for LionShare and Westwood

10 PKI and Other Mellon Projects (Overview)
The PKI Lab helps provide PKI-based security to others in higher education. We can help enable appropriate integration and use of PKI in other Mellon projects.
– Vision, ideas
– Consultation, deployment examples and assistance
– Vulnerability analysis
– Design new applications of PKI
– Possibly collaborate developing infrastructure code

11 PKI and Other Mellon Projects (Authentication)
Each of the other projects requires user authentication (at least to some degree)
PKI provides a superior method for authentication to all of them:
– Avoids pitfalls of username/password
– Improved security with two-factor authentication, choice of key length, strong encryption
– Interoperates with a host of commercial applications
– Inter-institutional authentication

12 PKI and Other Mellon Projects (Digital Signatures)
Beyond authentication for access, many of the other projects may require digital signatures:
– Chandler/Westwood supports S/MIME signatures for interoperability with other systems
– LionShare requires signing data before posting in order to provide traceability of who posted it
– SAKAI user posting to a course discussion list via standard S/MIME signed e-mail instead of having to log into the application every time

13 PKI and the Rest (Encryption)
P2P applications can form a “network” of peers, forwarding queries through intermediary peers in the mesh (for example, Gnutella does this). In some cases, peers want to forward data through the mesh (firewalls or address translation may prohibit a direct connection). BUT do we trust the intermediary peers with the data in the clear? PKI can encrypt this data so only the intended recipient can decrypt it. Now it’s secure on the intermediaries. SSL/TLS and other transport encryption schemes can’t do this: they protect each hop, not the data while it sits on a relay.

14 Proposal for Other Projects (Non-P2P Projects)
uPortal, ePortfolio, AAM, SAKAI, JSTOR, ARTstor
– Web applications support PKI client-side authentication
– It’s already built into most web servers - probably just document how to do it (refer to PKI Lab documentation)
VUE, LionShare, Westwood
– Non-Web applications implement PKI client authentication

15 Westwood and LionShare: P2P With PKI
Specific proposal for Chandler and LionShare: PKI for P2P Authentication Without All the CA Hassles: A Proposal by the Dartmouth PKI Lab

16 LionShare and Westwood: P2P With PKI
Detailed proposal at rit.mellon.org/twiki/bin/view/Main/PkiTwiki
We propose that Westwood/Chandler and LionShare skip username/password authentication and implement certificates/Shibboleth based authentication right away.

17 Westwood and LionShare: P2P With PKI
Both of these are P2P applications that need peer authentication.
– Sharing data and services with some peers, but not all.
– User wants to share calendar information with a spouse, but not the world.
– Researchers share pre-publication project data with each other but not the entire school.

18 LionShare and Westwood: P2P With PKI
If there is an institutional authentication service, then we can use Shibboleth to tie into whatever is available (LionShare plans to do this). Or an institutional PKI works too.
How to handle the case where there is no cooperating institutional authority to manage authentication?
– Collaborator at a different school.
– Individual not associated with an institution.
– Group of colleagues using Westwood/Chandler.

19 Westwood and LionShare: P2P With PKI
Passwords don’t work well in the “no institutional infrastructure” case.
– Everybody hates passwords.
– This requires a potentially different username/password pair for each P2P pairing.
– 10 colleagues all sharing calendars with each other implies 100 username/password pairs.
– Possibly automate managing all these passwords, but this is tricky and likely to be hard to use and/or easily hacked.
What if each user could have at most one local and one institutional password?

20 LionShare and Westwood: P2P With PKI
Certificates offer a way for each peer to have an identity that it can prove to other peers via public key encryption. Peer clients acquire these:
– Certificates issued by peers
– Temporary certificates via Shibboleth
– Institutional or commercial Certification Authority issued certificates
Certificates can carry actual identity information or can be anonymous.
Same peer server code to validate and manage all types of certificates regardless of source.

21 Westwood and LionShare: P2P With PKI
The Shibboleth/KCA and institutional CA certificates are standard solutions.
Our proposed new concept is using self-signed certificates from client peers to authenticate to peers providing services.
Challenge: How does the server peer know to trust the client peer’s certificate?

22 LionShare and Westwood: P2P With PKI
Trusting self-signed client peer-issued certificates
– There are reasonable ways to register these certificates for trust by another peer.
– We can automate this with one easy dialog box.
– PGP uses a similar model, but PKI is standards based.

23 Westwood and LionShare: P2P With PKI
Advantages
Mostly standard PKI – open source implementations available as starting point (NSS, OpenSSL)
In P2P the “server” side only needs certificates to authenticate – no usernames and passwords
Works with Shibboleth for federation and interoperability with legacy authentication servers
Share implementation among multiple projects
Solve all authentication scenarios without ever having to implement username/password

24 LionShare and Westwood: P2P With PKI
Actions
Westwood and LionShare collaborate with the PKI Lab on this
Review and critique proposal (already started)
Refine the proposed architecture for P2P authentication based on this concept
Select open source crypto library (NSS?, OpenSSL?)
Share underlying implementation
Share GUI design and as much GUI implementation as possible
Implement the proposed strategy as your authentication mechanism

25 For More Information
Outreach web:
Dartmouth PKI Lab
PKI Lab information:
Dartmouth user information, getting a certificate:

26 LionShare and Westwood: P2P With PKI
More on trusting self-signed client peer-issued certificates
– Register end user certificates for trust, not root certificates
– Need to verify that it’s the right certificate before registering (thwart man in the middle attack)
– PKI allows for this - numerical “thumbprint” that users can manually verify via an out of band channel (phone call to compare on both sides, e-mail, IM, etc.)
– Requires one manual step (verifying thumbprint) – can be as simple as a single dialog box in an otherwise automatic process
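The registration-by-thumbprint scheme of slides 20 to 22 and this slide, worked through as an added example (not the PKI Lab's, LionShare's or Westwood's code; NewSelfSigned, Thumbprint and TrustStore are names chosen here): a peer mints a self-signed certificate, the relying peer registers that end-entity certificate only when the locally computed thumbprint matches the one confirmed out of band, and a connecting peer is admitted only if its certificate is registered and it signs a fresh nonce with the matching private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSigned mints a peer certificate with no CA involved; returns DER and key.
func NewSelfSigned() (der []byte, priv ed25519.PrivateKey, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err == nil {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
		der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	}
	return der, priv, err
}

// Thumbprint is SHA-256 over the DER: the value two users compare out of band.
func Thumbprint(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.Raw))
}

type TrustStore map[string]string // registered end-entity thumbprints (not roots) -> label

// Register accepts the certificate only if its thumbprint equals the one confirmed out of band.
func (ts TrustStore) Register(cert *x509.Certificate, confirmed, label string) error {
	if Thumbprint(cert) != confirmed {
		return errors.New("thumbprint mismatch: refusing to register")
	}
	ts[confirmed] = label
	return nil
}

// Authenticate admits a registered peer that proves possession of its key by signing our nonce.
func (ts TrustStore) Authenticate(cert *x509.Certificate, nonce, sig []byte) (string, error) {
	label, ok := ts[Thumbprint(cert)]
	if !ok {
		return "", errors.New("certificate not registered")
	}
	if cert.CheckSignature(x509.PureEd25519, nonce, sig) != nil {
		return "", errors.New("proof of possession failed")
	}
	return label, nil
}
```

In a deployed client the nonce signature would normally be the client-certificate step of the TLS handshake that NSS or OpenSSL already perform; the explicit check here only makes the proof of possession visible.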