Secure hardware tokens David Groep DutchGrid CA. DutchGrid CA requirements Need for automated clients –from the bioinformatics domain (NBIC BioRange/BioAssist)

Slides:



Advertisements
Similar presentations
Robots Jens Jensen, STFC RAL GridNet2/ UK e-Science CA /NGS/GridPP/
Advertisements

Software Bundle ViPNet Secure Remote Access Arrangement using ViPNet Mobile © Infotecs.
Digital Certificate Installation & User Guide For Class-2 Certificates.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Digital Certificate Installation & User Guide For Class-2 Certificates.
Digital Certificate Installation & User Guide For Class-2 Certificates.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
Random Password Manager Centralized scalable password management security and recovery Joe Vachon Sales Engineer.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
About PKI Key Stores Dartmouth College PKI Lab. Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate.
This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Aircraft is a Node on the Internet
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
Course 201 – Administration, Content Inspection and SSL VPN
Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.
Portals and Credentials David Groep Physics Data Processing group NIKHEF.
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 9: Securing Network Traffic Using IPSec.
“Secure” Remote Access Submitted To Mr.: Ahmed Abu Mosameh Preparation By: Mohammed N. Abu Shammala For telecommuters and roaming users.
Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
On Robots J Jensen STFC Rutherford Appleton Lab OGF 20, Manchester, May 2007.
1 Personal Digital Certificates at Virginia Tech: Who Are You? Mary Dunker Internet-2 December 4, 2006
Network Security. Security Threats 8Intercept 8Interrupt 8Modification 8Fabrication.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.
Networks ∙ Services ∙ People David Groep TCS TNC2015 Workshop TCS SAML demo background June 16, 2015 TCS PMA.
DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
David Spence GOSC Graphical Access to the NGS for All Java GSI-SSHTerm.
Module 9: Fundamentals of Securing Network Communication.
NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.
1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.
Data Encryption using SSL Topic 5, Chapter 15 Network Programming Kansas State University at Salina.
DIGITAL SIGNATURE. GOOD OLD DAYS VS. NOW GOOD OLD DAYS FILE WHATEVER YOU WANT – PUT ‘NA’ OR ‘-’ OR SCRATCH OUT FILE BACK DATED, FILE BLANK FORMS, FILE.
Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED.
Guide to MCSE , Second Edition, Enhanced1 The Windows XP Security Model User must logon with: Valid user ID Password User receives access token Access.
Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.
HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.
Action SecWG1012:9 “Investigate how role-based access, in compliance with FIPS 140-2, can be used by flight crypto systems.” Where this question comes.
Leveraging Campus Authentication for Grid Scalability Jim Jokl Marty Humphrey University of Virginia Internet2 Meeting April 2004.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Cybersecurity Computer Science Innovations, LLC. Certificates Generate Public and Private Key Sign the Public Key with a CA Private Key Append the Cert.
Grid technology Security issues Andrey Nifatov A hacker.
| nectar.org.au NECTAR TRAINING Module 5 The Research Cloud Lifecycle.
Secure hardware tokens David Groep DutchGrid CA. DutchGrid CA requirements Need for automated clients –from the bioinformatics domain (NBIC BioRange/BioAssist)
On Robots J Jensen STFC Rutherford Appleton Lab Banff, July 2007.
NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand.
0 NAREGI CA Status Report APGrid F2F meeting in Singapore June 4, 2007 Rumiko Masuko.
JSPG Update David Kelsey MWSG, Zurich 31 Mar 2009.
12-Jun-03D.P.Kelsey, CA meeting1 CA meeting Minimum Requirements CERN, 12 June 2003 David Kelsey CCLRC/RAL, UK
Vijay V Vijayakumar.  Implementations  Server Side Security  Transmission Security  Client Side Security  ATM’s.
SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
PKI for improved cybersecurity in NATO Partner countries Software Arsen Hayrapetyan, ArmeSFo CA.
HKU Computer Centre Grid Certificate Authority Status Update Lilian Chan IT Services, The University of Hong Kong APGrid.
18 th EUGridPMA, Dublin / SRCE CA Self Audit SRCE CA Self Audit Emir Imamagić SRCE Croatia.
Jens' obligatory soap box Can't be a PMA without a SoapBox A random collection of Soapy things Nicosia, Jan 2009.
UGRID CA Self-audit report Sergii Stirenko 21 st EUGRIDPMA Meeting Utrecht 24 January 2011.
HellasGrid CA self Audit. In general We do operations well Our policy documents need work (mostly to make the text clearer in a few sections) 2.
News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News.
29 th EUGridPMA meeting, September 2013, Bucharest AEGIS Certification Authority Dušan Radovanović University of Belgrade Computer Centre.
Install AD Certificate Services
The new EDAMIS and its security
BG.ACAD CA Self-audit report 2018
Presentation transcript:

Secure hardware tokens David Groep DutchGrid CA

DutchGrid CA requirements Need for automated clients –from the bioinformatics domain (NBIC BioRange/BioAssist) –other BIG GRID application domains (e.g. astronomy) Supported classes of certificates (within the Classic X.509 secured profile) –Users: certificates for natural persons –Hosts: networked systems, applications or services – solely to identify network endpoints in communications –Servers: (internal) –Robots: agents that perform automated functions protected in a secure hardware token ~ FIPS140-2 level 2

Token grid application What should the token support web interaction (Firefox, IExplorer) –registration in VOs –connecting to collaborative Wiki’s, &c proxy generation –some grid proxy init’s have a PKCS#11 i/f –but grid-proxy-init can easily be mimicked with OpenSSL command-line tools –an ‘mkproxy’ script is available for both soft tokens (files) and eTokens (see

Hardware Several alternatives Aladdin eTokens –price €20 – €65 /pc –support for latest firmware version is mixed can get them to work in Win, Linux, MacOS but there are some pitfalls with this version still –not yet FIPS certified (CardOS 4.01 is, 4.2B is not) Rainbow iKey 3000 –good OpenSC support –out of production, since they could not be eaten –version “4000” OpenSC support unknown …

Guide around pitfalls ca.dutchgrid.nl/info/etokens

CP/CPS section Secure hardware tokens, whenever referenced in this document, are those hardware security cryptographic devices or hardware security modules that operate on and hold asymmetric cryptographic key pairs in such a way that the private part of the key pair cannot ever be extracted in unencrypted form, can only be unencrypted inside the device, and the encrypted form, if available, uses 128 bit symmetric key encryption or equivalent or stronger, and where the key pair has been generated inside the cryptographic device. Any tampering, any substitution or extraction of keys, and any unauthorized modification of the activation data, must leave evidence on the secure hardware token.

section (cntd) Secure hardware tokens and hardware security modules that comply with the requirements of FIPS level 2 or higher, or FIPS level 2 or higher, and where the key pair has been generated inside the module, are adequate to meet the requirements set forth above. If not FIPS certified, implementation of an equivalent security level and appropriate mechanisms on the token must be demonstrated: the vendor must have built the device with the intention of obtaining FIPS certification at level 2 or higher, and must either intend to submit the device for certification, or have it in process of certification.

Implementation Get the new CP/CPS approved –Add appropriate 1 SCP OID to the issued certificates Train RAs to help generate keypairs on the tokens –initially only the central RA service and the roving RAs –in parallel to the ‘dumb’ RAs at most institutions –targetted at the ‘robot’ use case, i.e. portals –and individuals in grid operations to gain experience ‘limited fieldtest’ for the next few months Deployment model: users get the token ‘on loan’ from the CA, so no direct cost to the subscribers

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.