PKI-Enabled Applications That Work!
Linda Pruss, Office of Campus Information Security


Projects
Strong VPN Authentication – administrator access to restricted data networks via VPN
Laptop/desktop full disk encryption – data encryption for computers storing restricted data … the “lost” laptop problem

Strong VPN AuthN
Passwords do not provide an adequate degree of safety for systems that process or store data elements defined as restricted. Passwords, while easy to use, are vulnerable to a wide variety of attacks and weaknesses, including guessing, impersonation, observing, borrowing, snooping and dictionary attacks.

Strong VPN AuthN
UW Madison adopted a modified version of the PCI DSS v1.1 as the required security controls target for systems containing restricted data. PCI DSS 8.3: “Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as VPN with individual certificates.”

Strong VPN AuthN
UW Madison adopted a modified version of NIST guidance as best practice. Authentication Level of Assurance 3 (LOA3) should be used for people who have access to restricted data.
– LOA3 requires 2-factor authentication
– Can be achieved with either soft or hard tokens

Strong VPN AuthN
How to get beyond simple passwords?
– Do it ourselves first: administrators and DBAs
How to accomplish 2-factor authentication?
– One-time passwords (à la RSA SecurID)
– X.509 certificate authentication

Strong VPN AuthN
Already had an existing PKI infrastructure
– Mostly used for S/MIME
– No infrastructure for one-time passwords
With the VPN approach there is no need to reconfigure individual servers and other network devices. Many VPNs (Cisco) are PKI-capable.

Strong VPN AuthN
Do-able
– Admins: a limited and known population
– Eases identity proofing while we shore up the infrastructure

Strong VPN AuthN
Cisco ASA 5510 (server side)

Strong VPN AuthN
Cisco SSL VPN Client (client side)
– Integrated with the Microsoft certificate store
– Use IE and/or the Certificates MMC to manage certificates
– Clients for Windows, Macintosh and Linux
– Windows works with a hardware token
– Using X.509 for administrative access to the ASDM management console as well

Strong VPN AuthN
Certificate Issues:
– Soft or hard tokens
  Not all OSs support hardware tokens
  Hardware allows password enforcement, and the private key never leaves the token
  Still subject to many of the same attacks: keyboard loggers, phishing?, weak passwords

Strong VPN AuthN
Certificate Issues:
– Using the same certificate for multiple purposes
– Validity periods (too short?)
– Lost token or certs … temporary password access
– CRLs

Strong VPN AuthN
Non-PKI Issues:
– Multicast
– Redundancy
– Performance
– Usability
– Politics
– Process
– Licensing → cost

Full Disk Encryption
Primary objective: research and recommend an FDE product for pilot implementation
Many requirements; one requirement of the solution: integrate with the existing PKI infrastructure

Full Disk Encryption
Typically disk/file encryption is done with symmetric keys; public keys are used to encrypt the symmetric key. Microsoft EFS uses public keys to encrypt the file encryption key. Because of the “preboot” nature of disk encryption and performance …

Full Disk Encryption
Instead, they tend to support strong authentication mechanisms (tokens, smartcards). For effective full disk encryption, password strength is critical, i.e. protecting the strong with the weak. Use “already deployed” tokens/smartcards as a mechanism to do strong authentication, i.e. two factors.

Full Disk Encryption
Selected SafeBoot (McAfee) as the FDE product to pilot. SafeBoot has two ways to leverage our PKI infrastructure:
– Use the token to store the user's symmetric key. The token password allows you to get to the symmetric key.
– Use the user's public key to encrypt the user's symmetric key. Then use the token (with the private key) to decrypt the symmetric key.

Full Disk Encryption
Use as key store
– Allows 2-factor authN to decrypt the hard disk
– Must sync the token password via the management console
Use to send the encrypted symmetric key
– No need to physically handle the token
– Must have public keys/certs available via an external source (LDAP, AD)
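As an added example (not from the slides, and not SafeBoot's code), this Go program models the second option above: the disk is encrypted with a symmetric key, that key is wrapped with the user's public key, and at boot only the token's private key can unwrap it. RSA-OAEP, AES-256-GCM and the single-sector/nonce handling are this example's choices, not the product's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// WrapDiskKey needs only the public key (no token in hand), which is why the
// slides note the wrapped key can simply be sent to the user.
func WrapDiskKey(pub *rsa.PublicKey, diskKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, diskKey, nil)
}

// UnwrapDiskKey is the one step that needs the token's private key; the wrong
// key fails the OAEP check and returns an error, not a plausible-looking key.
func UnwrapDiskKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

// sectorAEAD is AES-256-GCM under the disk key: bulk data stays symmetric.
func sectorAEAD(diskKey []byte) cipher.AEAD {
	block, err := aes.NewCipher(diskKey) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// RoundTrip provisions a disk (fresh key, one encrypted sector, wrapped key),
// then replays boot: unwrap with the token's private key and read the sector.
func RoundTrip(priv *rsa.PrivateKey, sector string) (string, error) {
	diskKey, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(diskKey)
	rand.Read(nonce)
	wrapped, err := WrapDiskKey(&priv.PublicKey, diskKey)
	if err != nil {
		return "", err
	}
	ct := sectorAEAD(diskKey).Seal(nil, nonce, []byte(sector), nil)
	// Boot time: diskKey is not stored; only wrapped, nonce, ct and priv exist.
	key, err := UnwrapDiskKey(priv, wrapped)
	if err != nil {
		return "", err
	}
	pt, err := sectorAEAD(key).Open(nil, nonce, ct, nil)
	return string(pt), err
}
```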

Common Characteristics
– Leverage existing PKI infrastructure
– Protect restricted data
– Provide for strong authentication, attaining LOA3 authentication assurance

Futures
– Strong AuthN to enterprise systems: PeopleSoft signon code
– Strong AuthN to web single sign-on
– Expand use of S/MIME