Dartmouth PKI (Scott Rea) EDUCAUSE PKI Deployment Forum Madison, WI - April 16, 2008.


2 Contents
– PKI at Dartmouth: the details
– Some Dartmouth PKI history
– Conclusion

3 Dartmouth PKI - the Details
Dartmouth started researching PKI, including pilot implementations, in 2000
CA products originally investigated:
– Entrust
– RSA
– Netscape Enterprise Server
– Microsoft
– OpenCA
Successfully demonstrated a range of services:
– S/MIME
– Smartcard logon
– Higher assurance authentication
– Server/service authentication
– Document digital signatures
– Code signing
– Data/file/drive encryption
Created an ongoing outreach program that has been very successful

4 Dartmouth PKI - the Details
Dartmouth started production PKI in 2003
CA setup:
– Created CP/CPS with minimal policy
– Netscape Enterprise Server (NES) Certificate Management System (became iPlanet, then SunOne, then Sun One; later given to Red Hat)
– Generated self-signed root + OCSP authorities
– Keys in FIPS 140 Level 3 HSM: Luna CA3 (was Chrysalis, became Rainbow, became SafeNet)
– Solaris 8, hardened OS
– Open to the public but firewalled to allow only HTTPS connections
CA transition required due to lack of platform support:
– Sun One CMS end-of-life 30 June 2006
– Ran at risk until future PKI directions were finalized and implemented

5 Dartmouth PKI - the Details
CA transition:
– Determine PKI future directions
  Evaluate possible replacement CA platforms
  Build or buy? If build: commercial, open source, or roll-your-own
  Determine evaluation framework
– Cost over 3 years for 15,000 active credentials
  Hardware, hosting, operations, licensing, support, local expertise
– Cater for death, re-birth, or transition of existing CA
– Smooth transition for 12,500 active credentials
– Cater for desired future services (e.g. wireless authentication)

6 Dartmouth PKI - the Details
CA transition:
– Process began in May 2006
– Decision from management to run at risk with existing platform for 12 months
– Plan to be in production by 1 April 2007, giving 3 months to transition existing users and leaving time to handle the freshman intake in mid-September
– Run old infrastructure in parallel until end of September 2007 to mitigate any unforeseen issues
– Platforms evaluated:
  Outsource Managed Services (BUY)
  – VeriSign
  – CyberTrust (now Verizon Business Solutions)
  – Identrus (previously DST, now IdenTrust)
  – GeoTrust
  Inhouse Commercial Platform (BUILD-a)
  – Microsoft CA
  – RSA
  Inhouse Opensource Platform (BUILD-b)
  – OpenCA
  – EJBCA
  Inhouse Roll-your-own (BUILD-c)
  – CAPSO
  – OpenSSL

7 Dartmouth PKI - the Details
CA transition:
– Outsource Managed Services (BUY)
  Quickly discounted as too expensive ($135K-$490K)
– Inhouse Commercial Platform (BUILD-a)
  Microsoft CA: right price, but aversion to platform
  RSA: too expensive
– Inhouse Opensource Platform (BUILD-b)
  OpenCA: too difficult to manage (started working on OpenCA-NG)
  EJBCA: not enough support
– Inhouse Roll-your-own (BUILD-c)
  CAPSO: negotiated free-to-higher-ed-and-research agreement
  OpenSSL: too much work
CAPSO chosen as the basis from which to roll our own CA:
– JCE based CA
– Supports our particular HSM setup
– Developed at University of Graz in Austria
– Local expertise with base cryptographic modules and platform
– Support available from Graz
– Used in production elsewhere (e.g. Austrian Govt, UGraz)
– Runs on preferred enterprise OS platform: Red Hat (RHEL)

8 Dartmouth PKI - the Details
CA transition:
– Decision made / management buy-off by November 2006
– Resource constraints meant February 2007 was the official build process start date
– Additional functionality requested to support secured wireless after the project started
– Issues delayed production start until mid-August 2007, primarily to be ready for the wireless lock-down; transition of credentials from the old system was done after this operation
  More modification of base code than anticipated in order to integrate with Dartmouth Identity Management systems
  – Single resource doing development
  Support from Graz was sporadic and limited
  – Their one resource was doing military service
  Existing HSM not really supported on RHEL
  – Choice of non-current Solaris or non-preferred Microsoft
  – Decision to migrate to newer netHSM
  Testing of new functionality with certs required CA changes to support the corresponding certificate profiles
  Vista requirements added: new API from MS not well documented
  How to handle CRLs from 2 concurrent systems
– Successful launch of new CA platform in August 2007
  Handled issuance of 1,200 high assurance eToken based credentials for the incoming freshman class
  Transition of existing 12,300 active credentials completed successfully
  New CA platform issued more credentials in its first 6 months than the old CA had issued in 5 years
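The last transition issue on this slide, CRLs from two CAs issuing concurrently, has a relying-party side that the slide does not spell out: serial numbers are unique only within one issuer, so a revocation check must consult the CRL published by the certificate's own issuer and fail closed when that CRL is missing or stale. The following is an added illustration, not code from the Dartmouth CA or from CAPSO; the issuer names, serials, dates and the plain-string model of certificates and CRLs are constructed for the example.

```python
"""Issuer-scoped CRL lookup while two CAs run in parallel (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable


@dataclass(frozen=True)
class Cert:
    """Minimal end-entity certificate: only the fields a CRL check needs."""
    issuer: str   # issuer distinguished name, kept as a plain string in this model
    serial: int   # unique only within this issuer


@dataclass(frozen=True)
class CRL:
    """Minimal certificate revocation list (signature already verified elsewhere)."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: FrozenSet[int]


def index_by_issuer(crls: Iterable[CRL]) -> Dict[str, CRL]:
    """Keep the freshest CRL per issuer; an older copy of the same issuer's CRL is dropped."""
    latest: Dict[str, CRL] = {}
    for crl in crls:
        current = latest.get(crl.issuer)
        if current is None or crl.this_update > current.this_update:
            latest[crl.issuer] = crl
    return latest


def check_revocation(cert: Cert, crls: Iterable[CRL], now: datetime) -> str:
    """Return 'good', 'revoked' or 'unknown' for cert.

    'unknown' (fail closed) is returned when no CRL from the certificate's own
    issuer is available or the one we have is outside its validity window.
    """
    crl = index_by_issuer(crls).get(cert.issuer)
    if crl is None:
        return "unknown"
    if not (crl.this_update <= now <= crl.next_update):
        return "unknown"
    return "revoked" if cert.serial in crl.revoked else "good"


def naive_union_check(cert: Cert, crls: Iterable[CRL]) -> str:
    """The shortcut to avoid: merge every CRL's serials regardless of issuer."""
    all_serials = set().union(*(crl.revoked for crl in crls))
    return "revoked" if cert.serial in all_serials else "good"


# Constructed sample data (not real Dartmouth issuers, serials or dates).
OLD_CA = "CN=Campus CA (old platform),O=Example College"
NEW_CA = "CN=Campus CA (new platform),O=Example College"
NOW = datetime(2007, 9, 15, tzinfo=timezone.utc)
AFTER_EXPIRY = NOW + timedelta(days=30)   # later than every CRL's nextUpdate below

CRLS = [
    # Stale older CRL from the old CA; index_by_issuer must prefer the fresher one.
    CRL(OLD_CA, NOW - timedelta(days=10), NOW - timedelta(days=3), frozenset()),
    CRL(OLD_CA, NOW - timedelta(days=1), NOW + timedelta(days=7), frozenset({1001, 2048})),
    # Serial 1001 is also in use under the new CA, where it is NOT revoked.
    CRL(NEW_CA, NOW - timedelta(hours=6), NOW + timedelta(days=7), frozenset({17})),
]

if __name__ == "__main__":
    for cert in (Cert(OLD_CA, 1001), Cert(NEW_CA, 1001), Cert(NEW_CA, 17)):
        print(cert.issuer.split(",")[0], cert.serial,
              "scoped:", check_revocation(cert, CRLS, NOW),
              "naive:", naive_union_check(cert, CRLS))
```

The contrast worth noticing is serial 1001: scoped lookup reports the old-CA certificate revoked and the new-CA certificate good, while the union shortcut reports both revoked. Consulting only the newest CA's CRL would fail the other way and miss every revocation the old CA published during the parallel-running period.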

9 Dartmouth PKI - the Details
CA transition report card:
– 25,000 active certificates
– 3,500 certs issued on eTokens
– 100 TLS certs for internal facing services
– 21,000+ software certs (mostly for wireless authentication)
Outstanding issues:
– Certificate publishing
– Expanded certificate profile support
– LRA integration
– Self-service revocation

10 Dartmouth PKI - the Details
Credential issuance process:
– Two levels of assurance on end user credentials
  Software certificate
  – Self-service using authentication to our central WebAuth system
  – Browser based issuance process: IE (W2K, XP & Vista); Firefox and Mozilla on Win, OSX, *nix; Safari
  eToken certificates
  – Face-to-face with local registration agent (LRA)
  – Requires LRA attestation of credentials checked
  – 2 forms of ID required (1 photo ID)
  – Still have to authenticate to central directory
  – Keys generated onboard on the token
  – Browser based issuance process: IE (W2K, XP & Vista); Firefox under supervision on Win, OSX, *nix
– Single high level on the SSL/TLS servers
  Manual process only after verification of admin identity and service authorization

11 Dartmouth PKI - the Details
Current production services:
– S/MIME
– Smartcard logon
– Higher assurance authentication, including 2-factor authentication using eTokens (SSH, VPN, EAP-TLS)
– Server authentication (for non-public facing web services)
– Limited EFS use, but no "official" escrow services currently
– Limited document digital signatures
Planned production services:
– EFS with supported escrow
– Document paperless workflow

12 PKI at Dartmouth
Dartmouth's PKI history:
– Dartmouth has run a production Certificate Authority on campus for 5+ years (dev/pilot 3 years prior to that)
– There are currently ~25,000 active certificates in circulation, issued by the Dartmouth CA
– The default for WebAuth authentication on the Dartmouth campus is PKI
– Dartmouth facilitates two-factor authentication through PKI and Aladdin eTokens
– Distribution of over 3,500 eTokens to faculty, staff, and students on campus
– eToken distribution to freshmen for the past four years

13 PKI at Dartmouth
Dartmouth's PKI history:
– Dartmouth established a PKI Lab in 2000 and performs PKI outreach to the HE community
– Dartmouth built and operates the Higher Education Bridge Certificate Authority (HEBCA) for EDUCAUSE. HEBCA is a mechanism for allowing trust and interoperability between all US HE institutions, the US federal government, and other communities of interest
– Dartmouth built the US Higher Education Root (USHER) infrastructure for Internet2 and created the first USHER CA: a common policy framework for establishing trust and PKIs in HE
– Dartmouth is a founding member of The Americas Grid Policy Management Authority (TAGPMA), which sets PKI policy and accredits grid authentication service providers within the International Grid Trust Federation

14 PKI at Dartmouth
Dartmouth's PKI history:
– Dartmouth developed the CA-in-a-box distribution to reduce the set-up costs and complexity for entities wanting to run their own PKI Certification Authority
  This is used in Grid-related authentication services (a recent example is the Texas Advanced Computing Center)
  This is also used by institutions of higher education for CA services (e.g. Cornell University)
– Dartmouth developed the AirGap solution to securely connect offline Certification Authorities with highly available online directories
  This device was constructed for under $100 and provided the HEBCA and USHER projects with up to $200,000 in potential savings
  This solution is now used by federal agencies, commercial entities, and institutions of higher education
  This solution was voted the #1 beneficial hack or inspired workaround by InfoWorld in its May 2006 edition

15 PKI at Dartmouth
Dartmouth's PKI history:
– Dartmouth is the developer of the Greenpass project, a PKI based method of delegating access authorization to a restricted network for guests visiting another institution
  This project generated intense interest from industry giants such as Cisco and Intel, enough for them to provide large research grants for its further development and to invite talks and demonstrations at their internal campuses
– Dartmouth is the site for the development of the next generation of OpenCA for PKI services, partially funded by Sun Microsystems. Massimiliano Pala (the existing OpenCA Project Manager) is a visiting post-doctoral fellow for this purpose (from January 2007)
– Dartmouth, through Prof. Smith, was awarded a prestigious multi-million dollar "NSF CAREER" grant explicitly about making PKI usable
  The CAREER program recognizes and supports the early career-development activities of those teacher-scholars who are most likely to become the academic leaders of the 21st century. Prof. Smith is studying how to use PKI and trusted computing technology to build trustworthy relationships among users spanning many organizations.

16 Summary
Dartmouth PKI has been central IdM on campus for the past 5 years
– Self-signed Root CA
– 25K active credentials currently
New CA platform transitioned to last year, including migration of CA keys; we built it ourselves based on an existing available JCE CA
– Very successful
– Low cost
– High functionality
Dartmouth has a long history of PKI achievements and leadership across many sectors, not just higher education:
– Successful local PKI deployment
– Operation of large PKI based communities of interest (HEBCA, USHER)
– Establishment of PKI governance bodies (HEBCA, TAGPMA)
– Development of PKI related technologies (CA-in-a-box, AirGap, Greenpass, OpenCA-NG)
– Participation in, leadership of, and establishment of PKI based conferences and workshops (NIST PKI R&D, EuroPKI, EDUCAUSE PKI Summit)
– Prolific publishing of papers and invited talks and panels at PKI related conferences
– Grants for PKI related research from large industry corporations and government agencies (NSF, DHS, Cisco, Intel, Sun, Mellon Foundation)
– Dartmouth is sought after and recognized as a PKI leader by industries outside of higher education (government, finance, pharmaceutical, technology)
PKI deployment success due to initial pilots and ongoing education program

17 For More Information
Dartmouth PKI Outreach:
Dartmouth PKI Lab:
Scott Rea -