Bridging Higher Education PKIs PKI Summit, August 2006 Snowmass, Colorado

2 Overview What are the drivers for PKI in Higher Education? –Stronger authentication to resources and services of an institution –Better protection of digital assets from disclosure, theft, tampering, and destruction –More efficient workflow in distributed environments –Greater ability to collaborate and reliably communicate with colleagues and peers –Greater access (and more efficient access) to external resources –Facilitation of funding opportunities –Compliance

3 Overview Potential Killer Apps for PKI in Higher Education –S/MIME –Paperless Office workflow –EFS –Shibboleth/Federations –GRID Computing Enabled for Federations –E-grants facilitation

4 Overview PKI Choices for Higher Education –Outsourced everything –Outsourced managed services, internal RAs –Internal operations: Community root | Campus root –Community Policy | Campus Policy CA software: commercial | vender | open source | RYO

5 Creating Silos of Trust Dept-1 Institution Dept-1 SubCA CA SubCA CA SubCA CA SubCA USHER

6 LOA: Levels of Assurance Not all CAs are created equal –Policies adhered to vary in detail and strength –Protection of private keys –Controls around private key operations –Separation of duties –Trustworthiness of Operators –Auditability –Authentication of end entities –Frequency of revocation updates

7 HEBCA : Higher Education Bridge Certificate Authority Bridge Certificate Authority for US Higher Education Modeled on FBCA Provides cross-certification between the subscribing institution and the HEBCA root CA Flexible policy implementations through the mapping process The HEBCA root CA and infrastructure hosted at Dartmouth College Facilitates inter-institutional trust between participating schools Facilitates inter-federation trust between US Higher Education community and external entities

8 HEBCA What is the value presented by this initiative? –HEBCA facilitates a trust fabric across all of US Higher Education so that credentials issued by participating institutions can be used (and trusted) globally e.g. signed and/or encrypted , digitally signed documents (paperless office), etc can all be trusted inter- institutionally and not just intra-institutionally –Extensions to the Higher Education trust infrastructure into external federations is also possible and proof of concept work with the FBCA (via BCA cross-certification) has demonstrated this inter-federation trust extension –Single credential accepted globally –Potential for stronger authentication and possibly authorization of participants in grid based applications –Contributions provided to the Path Validation and Path Discovery development efforts

9 Solving Silos of Trust Dept-1 Institution Dept-1 SubCA CA SubCA CA SubCA CA SubCA USHER HEBCA FBCA CAUDIT PKI

10 HEBCA Project - Progress What’s been done so far? –Operational Authority (OA) contractor engaged (Dartmouth PKI Lab) –MOA with commercial vendor for infrastructure hardware (Sun) –MOA with commercial vendor for CA software and licenses (RSA) –Policy Authority formed –Prototype HEBCA operational and cross-certified with the Prototype FBCA (new Prototype instantiated by HEBCA OA) –Prototype Registry of Directories (RoD) deployed at Dartmouth –Production HEBCA CP produced –Production HEBCA CPS produced –Preliminary Policy Mapping completed with FBCA –Test HEBCA CA deployed and cross-certified with the Prototype FBCA –Test HEBCA RoD deployed –Infrastructure has passed interoperability testing with FBCA

11 HEBCA Project - Progress What’s been done so far? –Production HEBCA development phase complete –Issues Resolved Discovery of a vulnerability in the protocol for indirect CRLs Inexpensive AirGap Citizenship requirements for Bridge-2-Bridge Interoperability –Majority of supporting documentation finalized HEBCA Cross-Certification Criteria and Methodolgy HEBCA Interoperability Guidelines Draft Memorandum of Understanding HEBCA Subscriber Agreement HEBCA Certificate Profiles HEBCA CRL Profiles HEBCA Secure Personnel Selection Procedures Business Continuity and Disaster Plans For HEBCA Operations –PKI Test Bed server instantiated –PKI Interoperability Pilot migrated –Reassessment of community needs –Audit process defined and Auditors engaged –Participation in industry working groups –Almost ready for audit and production operations

12 HEBCA Project – Next Steps What are the next steps? –HEBCA to operate at multiple LOAs over its lifetime –Update of policy documents and procedures required to reflect the above –HEBCA to operate at BASIC LOA initially –Issue the HEBCA Basic Root –Purchase final items and bring the infrastructure online –Cross-certify limited community of interested early adopters and key federations –Validate the model and continue to develop tools for bridge aware applications

13 Challenges and Opportunities Community applicability –If we build it they will come –Chicken & Egg profile for infrastructure and applications –An appropriate business plan Consolidation and synergy –Are USHER & HEBCA competing initiatives? –Benefits of a common infrastructure Alignment with policies of complimentary communities –Shibboleth / InCommon –Grids (TAGPMA)

14 Bridge-Aware Applications

15 Challenges and Opportunities Open Tasks –Audit –Updated Business Plan –Mapping Grid Profiles Classic PKI SLCS –Promotion of PKI Test bed –Validation Authority service –Cross-certification with FBCA –Cross-certification with other HE PKI communities CAUDIT PKI (AusCERT) HE JP HE BR

16 Proposed Inter-federations FBCA CA-1CA-2 CA-n Cross-cert HEBCA Dartmouth Wisconsin Texas Univ-N UVA USHER DST ACES Cross-certs SAFECertiPath NIH CA-1 CA-2CA-3 CA-4 HE JP AusCert CAUDIT PKI CA-1 CA-2 CA-3 HE BR Cross-certs Other Bridges

17 AirGap The Problem: –Offline CA –High Availability online Directory –CRLs generation and publish every 6 hours –Dual access/authorization for private key operations –Handling of after hours certificate revocation requests –Limited resources

18 AirGap The AirGap Solution: –Asynchronous storage device for schlurping signed data between the CA and the Directory (technically no different to a floppy based sneaker net used in similar situations in industry e.g. FBCA) –Storage is never connected to both devices at the same time – hardware enforces an “air gap” –Periodic checking to see if storage device is available Directory reads any new CRL and publishes it, posts a signed revocation request when it is received CA reads any new revocation requests, verifies signature, creates new CRL, deletes request –Storage connected to online Directory for 5 mins every 6 hours, otherwise connected to offline CA in order to minimize risk

19 AirGap Components: –Sewell Manual Share USB Switch –5V relay –5V AC adapter –Power Timer –Crucial 1Gb Flash Disk –Cron jobs running on both connection end points –Signed objects passed back and forth

20 AirGap MkI

21 AirGap MkII

22 AirGap Benefits: –Offline CA talking to an Online Directory automatically without bringing the CA online = reduced risk and reduced costs –Potential replacement for 4 operators (2 folks, 2 shifts per day to manually move files back and forth) - $200K savings? –Less work for Administrators due to automation of processes –Reduced Audit? Audit process once and then periodic checking of logs vs detailed scrutiny of logs may be required for manual process –Parts readily available, built for under $100

23 Discussion or Questions?

24 For More Information HEBCA Website: Scott Rea -