Comb-e-Chem PKI Mike Surridge, Steve Taylor IT Innovation.


Public Key Infrastructure (PKI)
Requirements:
– be able to authenticate remote users
– be easy to operate by Chemists (e.g. NCS)
– be secure enough for academic users
Analysis of existing NCS authentication:
– uses personal knowledge of user community
– uses contextual information (e.g. EPSRC project codes)
– lightweight for both NCS and their customers
Public key infrastructure developments:
– Comb-e-Chem certification policy agreed
– procedures developed for NCS to certify remote users
– operational responsibility transferred to Chemistry

PKI Roles
Grid community
– defines security policy and certificate policy (CP)
– approves certification authorities
Certification Authority (CA)
– defines certification practice statement (CPS)
– engages registration authorities
– issues certificates in accordance with policy
Registration Authority (RA)
– checks credentials of certificate applicants
– enforces security and certificate policy

PKI Trust Network

Comb-e-Chem CP
CP is Certification Policy
– a set of rules by which a PKI must operate
– follows a format described in RFC2527
– areas such as user registration, physical security, certificate life cycle, etc…
Comb-e-Chem CP pays particular attention to
– user registration
– certificate life cycle

NCS CPS
CPS is Certificate Practice Statement
A description of how the NCS CA (Sam) abides by and implements the rules in the CP
– describes operational procedures for implementing the CP’s requirements
– contains a number of agreement forms to be signed by the parties involved

PKI - Lessons Learned
The PKI must have well-defined procedures and strict adherence to them
– CP & CPS
The CA must exercise rigour in operational procedures
– checking of credentials
– following procedures to the letter
– physical security
– audit trails
– backups
– revocation

PKI - Lessons Learned 2
User education must be addressed
– the concepts of PKI are complex
– the overhead of education can be a barrier to take-up
– ill-informed users can worsen security
– do users understand what is meant by (for example) a private key and a certificate?
– do they understand their security obligations?
– in the NCS case, users are guided by the RA

Comb-e-Chem Security Mike Surridge, Steve Taylor IT Innovation

Overview of Activities
Security risk management
– applied to the NCS service
Security implementation
– operating policies and public key infrastructure
– deployment of security features at NCS

Asset-Based Security (Risk Analysis, Risk Management)
– Identify and value assets
– Identify threats and risks
– Identify and cost defences
– Define risk management approach
– Implement defences

Risk Analysis
Value assets based on impact of compromise
– high: likely to cause total business failure
– med: significant but not fatal impact
– low: irritating but no significant impact
Threats based on likelihood of attack
– high: attacks will definitely take place
– med: attacks may occur from time to time
– low: attacks are unlikely
Risks based on likelihood of success
– taking account of existing defences

Risk Management
Determine appropriate response to threats
– acceptance: live with the potential consequences
– reduction: introduce defences
– avoidance: don’t use the system
Leads to cost-effective security
– as much security as you need
– not more than you can afford

Risk Analysis Facilitation

Application to NCS Service
Assets:
– campus system and network integrity (med/high)
– sample tracking data (med)
– experimental result data (low/med)
– grid service integrity (low/med)
Risks:
– system attacks from outside campus (high likelihood)
– systems attacks from inside campus (med likelihood)
– compromise of remote user credentials (high likelihood)
– internal user error (med likelihood)

Security Threats

Conclusions
Progress with core technology developments
– authorisation and WS-Security
– relevant for service integration
NCS security risks analysed
– appropriate defences identified
Security procedures and infrastructure implemented
– public key infrastructure (CA, RAs, policies)
– firewalls and protocols for NCS deployment

PKI can have Multiple CAs
[Diagram: User, Resource, CA1 … CAn]

Registration Procedure