EuroPKI Antonio Lioy Politecnico di Torino Dip. Automatica e Informatica.
The Copernican revolution (diagram): the X.509 certificate at the centre, with the security services built around it: secure Web, secure remote access, secure VPN, secure DNS, Win2000 security, secure boot, no viruses & Trojan horses, IP security, role-based security.

The actual (Ptolemaic) poor situation (diagram): each application with its own credential: pwd (ISP), POP, web login, pwd (univ.), DBMS, SSH (univ.), login, file transfer, PKI (X), S/MIME, web.

What is EuroPKI? EuroPKI is a spontaneous aggregation of certification authorities that share the vision of setting up a pan-European PKI to support the deployment of effective, interoperable network security techniques.

Background
- ICE-TEL project ( )
- ICE-CAR project ( )
- various national projects ( )
- since January 1, 2000: EuroPKI

EuroPKI hierarchy (diagram): the EuroPKI TLCA at the top, national CAs (EuroPKI Italy, EuroPKI Slovenia, EuroPKI Austria) and organisational CAs (Politecnico di Torino CA, City of Rome CA, EETIC CA) issuing certificates to people and servers.

Constituency
- root
- AT (IAIK)
- IE (TCD)
- IT (POLITO)
  - Italian tree, with 4 City Halls
  - integration with the Italian identity chip-card
- SI (IJS)
  - Slovenian tree
- UK (UCL)

Prospective partners
- there have been talks within the TERENA PKI-coord task force
- expressions of interest from:
  - Surfnet (NL)
  - Rediris (ES)
  - Thessaloniki Univ. (GR)
  - Garr (IT)

Why a hierarchy?
- it's the only solution that works
  - now
  - for most applications (especially COTS)
- EuroPKI might move to other schemas (e.g., cross-certification, bridge) if and when applications become available

EuroPKI services
- EuroPKI is not "selling" services, although it provides:
  - certification
  - revocation
  - publication
  - data and cert validation
- aggregation point for:
  - competence centre
  - coordination

Certification
- X.509v3 certificates
- global CP (Certification Policy)
- local CPS (Certification Practice Statement)

Certification policy
- current draft:
  - 28 pages
  - based on RFC-2527 (with extensions)
- basic idea:
  - be as little restrictive as possible, to allow anybody to join...
  - ... while retaining a level of security useful for practical applications

Strong CP requirements
- personal identification of the subject
- secure management of the CA
- periodic publication of CRL

Applications supported
- Web:
  - SSL/TLS
  - signed applets
- SSL-based applications:
  - telnet, FTP, SMTP, POP, IMAP, ...
- and secure documents:
  - S/MIME, PKCS-7, CMS, ...
- IPsec (also on routers via SCEP)
- (looking into secure DNS)

Publication
- certificates and CRLs
- Web servers:
  - for humans
- directory server:
  - for applications
  - LDAP (local) directories
  - X.500 (global) directory
  - X.521 schema

Revocation
- CRL (Certificate Revocation List)
  - cumulative list of revoked certificates
  - issued periodically
  - updated as needed
- OCSP (On-Line Certificate Status Protocol):
  - "is this cert valid now?"
  - unknown, valid, invalid

Time-stamping
- proof of data existence at a given date
- IETF-PKIX-TSP-draft-14
- TSP server (Win32, Unix)
- TSP client (cmd-line, GUI only for Win32)
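The time-stamping slide names the parts (TSP server, TSP client) but not the exchange between them. The following is an added illustration, not EuroPKI's TSP implementation, of the flow the IETF PKIX time-stamp protocol prescribes: the client sends only a digest of its document, the TSA binds that digest to the current time in a token it signs, and anyone holding the token and the document can later check that the document existed at that time. One assumption is made for the sake of running with the standard library alone: the TSA's digital signature is replaced by an HMAC under a TSA-held key, whereas a real TSA signs the token with its private key so that verifiers need only its certificate. The clock is injected so the scenario is deterministic; all keys, dates and document contents are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone


def _sign(key, info):
    # Stand-in for the TSA's digital signature (assumption: HMAC instead of a
    # private-key signature). Canonical JSON so signer and verifier hash the
    # same bytes.
    encoded = json.dumps(info, sort_keys=True).encode()
    return hmac.new(key, encoded, hashlib.sha256).hexdigest()


class TimeStampAuthority:
    """A TSA: binds a document digest to the current time and signs the result."""

    def __init__(self, name, key, clock):
        self.name = name
        self._key = key          # stand-in for the TSA's private signing key
        self._clock = clock      # callable returning the current UTC time
        self._serial = 0

    def issue(self, request):
        # The TSA receives only the digest, never the document itself.
        if request["hash_alg"] != "sha256" or len(request["digest"]) != 64:
            raise ValueError("unsupported or malformed digest")
        self._serial += 1
        info = {
            "tsa": self.name,
            "serial": self._serial,
            "hash_alg": "sha256",
            "digest": request["digest"],
            "gen_time": self._clock().isoformat(),
            "nonce": request.get("nonce"),
        }
        return {"info": info, "sig": _sign(self._key, info)}


def make_request(data, nonce=None):
    """Client side: hash the document locally and send only the digest."""
    return {"hash_alg": "sha256", "digest": hashlib.sha256(data).hexdigest(), "nonce": nonce}


def verify(token, data, key, nonce=None):
    """Return the attested time if the token is genuine and matches data, else None."""
    info = token["info"]
    if not hmac.compare_digest(_sign(key, info), token["sig"]):
        return None              # token forged, or altered after it was issued
    if info["digest"] != hashlib.sha256(data).hexdigest():
        return None              # the document no longer matches the time-stamped digest
    if nonce is not None and info["nonce"] != nonce:
        return None              # the reply does not belong to our request
    return datetime.fromisoformat(info["gen_time"])


def run_scenario():
    """Constructed walk-through: issue a token, then verify, tamper and re-verify."""
    fixed_now = datetime(2001, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
    key = b"tsa-demo-key"                                          # constructed key
    tsa = TimeStampAuthority("demo TSA", key, lambda: fixed_now)
    document = b"contract text, version 1"                        # constructed document
    token = tsa.issue(make_request(document, nonce=42))

    # An attacker who can edit the token's time but not re-sign it gains nothing.
    backdated = {"info": dict(token["info"], gen_time="2000-06-01T00:00:00+00:00"),
                 "sig": token["sig"]}
    return {
        "attested_time": verify(token, document, key, nonce=42),
        "changed_document": verify(token, b"contract text, version 2", key, nonce=42),
        "backdated_token": verify(backdated, document, key, nonce=42),
        "wrong_nonce": verify(token, document, key, nonce=43),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The design point the slide's phrase "proof of data existence" rests on is visible in `make_request`: the TSA attests to a digest, so it can time-stamp confidential data without ever seeing it, and a later change to the document breaks the link to the token.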

OCSP
- OCSP server (Unix, Win32)
- automatic CRL collection from several CAs
- OCSP library + cmd-line client (Unix, NT)
(diagram: OCSP server collecting CRLs, queried by an embedded OCSP client)
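The Revocation and OCSP slides together describe a responder that collects CRLs from several CAs and answers "is this cert valid now?" with one of unknown, valid or invalid. As an added illustration (not EuroPKI's OCSP server), the following models that behaviour with plain Python data structures in place of real X.509 and ASN.1 objects: a CRL is a cumulative list of revoked serial numbers with an issue time, a next-update time and a CRL number; the responder keeps the newest list per CA and refuses to answer "valid" from a list it cannot trust. CA names, serial numbers and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class CRL:
    """A Certificate Revocation List reduced to the fields that matter here."""
    issuer: str                  # name of the CA that issued the list
    number: int                  # CRL number; the CA increases it with every issue
    this_update: datetime        # when the CA produced the list
    next_update: datetime        # after this the list must no longer be trusted
    revoked: set = field(default_factory=set)   # serial numbers of revoked certs

    def is_fresh(self, now):
        return self.this_update <= now < self.next_update


class OcspResponder:
    """Answers 'is this cert valid now?' from CRLs collected from several CAs."""

    def __init__(self):
        self.crls = {}           # issuer name -> newest CRL collected for that CA

    def collect(self, crl):
        current = self.crls.get(crl.issuer)
        # Keep only the newest list per CA: an older CRL presented later must
        # not hide a revocation that the newer list already contains.
        if current is None or crl.number > current.number:
            self.crls[crl.issuer] = crl

    def status(self, issuer, serial, now):
        crl = self.crls.get(issuer)
        if crl is None or not crl.is_fresh(now):
            return "unknown"     # no list for that CA, or a stale / not-yet-valid list
        if serial in crl.revoked:
            return "invalid"
        return "valid"           # absent from a fresh cumulative list


def run_scenario():
    """Constructed scenario with two CAs; returns the answers a client would see."""
    t0 = datetime(2001, 1, 1, tzinfo=timezone.utc)   # constructed epoch

    def h(n):
        return t0 + timedelta(hours=n)

    polito_crl1 = CRL("POLITO", 1, h(0), h(24), {0x1001})
    polito_crl2 = CRL("POLITO", 2, h(12), h(36), {0x1001, 0x1002})
    ijs_crl1 = CRL("IJS", 1, h(0), h(24), set())

    responder = OcspResponder()
    responder.collect(polito_crl1)
    responder.collect(ijs_crl1)
    answers = {
        "revoked_serial": responder.status("POLITO", 0x1001, h(1)),
        "good_serial": responder.status("POLITO", 0x1002, h(1)),
        "other_ca": responder.status("IJS", 0x2001, h(1)),
        "ca_without_crl": responder.status("TCD", 0x3001, h(1)),
    }
    responder.collect(polito_crl2)                  # newer list arrives
    answers["after_update"] = responder.status("POLITO", 0x1002, h(13))
    responder.collect(polito_crl1)                  # old list replayed: ignored
    answers["after_replay"] = responder.status("POLITO", 0x1002, h(13))
    answers["stale_list"] = responder.status("POLITO", 0x1003, h(40))
    return answers


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two behaviours are worth noticing when relying on a responder like this: a certificate is only reported "valid" when a fresh list from its own CA is at hand (otherwise the honest answer is "unknown", and a client treating "unknown" as "valid" loses the benefit of revocation checking), and a replayed older CRL never overrides a newer one.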

SSL-telnet, SSL-ftp
- SSL channel
- server authentication
- client authentication can supplement or replace passwords
- server for Unix and Win32 (FTP only)
- client for Unix (cmd-line) and Win32 (GUI)
(diagram: SSL-x server, SSL-x client, LDAP, OCSP)

Authentication or authorization?
- most of the problems are trust-related
- often this is due to the wrong and unnecessary coupling of authentication with authorization
- we need to cut this knot:
  - authenticate only once and globally
  - authorization on a local basis, with local control

Attributes / roles / permissions ... where should I put additional infos related to a certificate?
- in a directory, or in an attribute certificate
- inside the certificate, in order to keep all data together

Next steps
- European digital signature law:
  - qualified certificates
  - voluntary accreditation
- support for other EC projects:
  - NASTEC (PKI-based secure IS; PKI at least for Poland and Romania)
  - TESI (CDSA-based security middleware)

On-going technical work
- cleanly separate authentication and authorization (local file, LDAP, AC, ...)
- DNS as a repository, DNSsec
- automatic policy negotiation (L3 ... L7):
  - policy description (XML-based language)
  - policy negotiation (ISPP)
  - policy compliance (enforcement gateway)
- integration with Win2000:
  - LDAP
  - IPsec
  - DNSsec

Future
- I have a dream...
- ... a pan-European open and public PKI to enable network security
- who is interested? EuroPKI?