Presentation is loading. Please wait.

Presentation is loading. Please wait.

IGTF Risk Assessment Team 5/11/091.

Published byShannon Richards Modified over 8 years ago

Similar presentations

Presentation on theme: "IGTF Risk Assessment Team 5/11/091."— Presentation transcript:

1 IGTF Risk Assessment Team http://tagpma.es.net/wiki/bin/view/IGTF-RAT igtf-rat@eugridpma.org 5/11/091

2 MD5 MD5 hash collisions in X.509 certificates – Risk for new certificates issued using MD5 – IGTF should not have any of these… – http://www.eugridpma.org/newsletter/eugridpma-newsletter- 20090102.txt Also concern about MD5 weakness in general: – CA certificates (and subordinates) Old CNRS subordinate using MD5; new CNRS2 hierarchy using SHA1 released January – CRLs APACGrid, Grid-Ireland, UK eScience, KFKI RMKI, IUCC, Polish Grid, Grid Canada still using MD5 in CRLs Grid-Ireland and UK eScience will switch to SHA-1 by June – Proxy certificates (Globus, VOMS, MyProxy) Globus migrating away from MD5: http://bugzilla.globus.org/globus/show_bug.cgi?id=6613 5/11/092

3 (EC)DSA EE Keys OpenSSL client vulnerability Unlikely that IGTF CAs have certified (EC)DSA keys – http://www.eugridpma.org/newsletter/eugridpm a-newsletter-20090108.txt RAT requested CAs to audit – 2 CAs found (EC)DSA certificates 2 (EC)DSA certificates valid until August 5/11/093

4 Sanity Checking Requests RSA Exponent < 65537 – Hardware tokens (pkcs11-tool) tend to generate exponents 3 & 5 by default Known-weak (Debian OpenSSL) keys MD5 (EC)DSA 5/11/094

5 IGTF RAT Audit (2009-01) 5/11/095

6 IGTF RAT Audit (2009-01) http://tagpma.es.net/wiki/bin/view/IGTF- RAT/2009-01 Timeline: – 15 Jan: RAT begins drafting message – 11 Feb: Request sent to CA operators – 23 Feb: 57 of 80 CAs responded; reminder sent – 12 Mar: 75 of 80 CAs responded; reminder sent – 26 Mar: 77 of 80 CAs responded – 27 Apr: 77 of 80 CAs responded; reminder sent – 28 Apr: 78 of 80 CAs responded 5/11/096

7 IGTF RAT Audit (2009-01) Results: – 2 CAs issued certificates containing (EC)DSA keys, expiring by Aug 27 2009. – 10 CAs issued certificates using MD5. – No CAs are currently issuing certificates using MD5. – 17 CAs issued CRLs using MD5. 7 are currently issuing CRLs using MD5. – 29 CAs have implemented automated checks for RSA keys with weak exponents. – 30 CAs have implemented automated checks for known weak Debian OpenSSL keys. – 38 CAs have implemented automated checks for issued certificates using MD5. 5/11/097

8 IGTF RAT Audit (2009-01) Survey method – Email to CA contact address in distribution – Web survey (surveymonkey.com) One objection received; response sent by email instead – Responses considered private – Summary results published – Also publish response times for each CA? 5/11/098

9 SHA-1 -> SHA-2 MD5 weaknesses remind us about weaknesses in SHA- 1 – NIST advises to replace SHA-1 by end of 2010. – SHA-1 Collision search: http://www.iaik.tugraz.at/content/research/krypto/sha1/ What is our level of concern about SHA-1? Path forward: – Understand software support for SHA-2 – Work with middleware providers to support SHA-2 – Encourage upgrade to OpenSSL 0.9.8 – When relying parties support SHA-2 (in 2010?), begin issuing SHA-2 certificates 5/11/099

10 RPs Not Updating CRL URL DOEGrids CA reported (Apr 11) that about 25% of CRL requests are to the old URL – URL changed in IGTF distribution a month earlier Is this a concern? What action should we take? 5/11/0910

Download ppt "IGTF Risk Assessment Team 5/11/091."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.

CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.
1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March 08 2008.

1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March
Grid Computing Basics From the perspective of security or An Introduction to Certificates.

Grid Computing Basics From the perspective of security or An Introduction to Certificates.
Deploying and Managing Active Directory Certificate Services

Deploying and Managing Active Directory Certificate Services
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
IGTF and SHA-2 David Kelsey TAGPMA meeting, SDSC Feb 2012.

IGTF and SHA-2 David Kelsey TAGPMA meeting, SDSC Feb 2012.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
CVE-2008-0166, lessons learned and actions David Groep, Nov 7 nd, 2008.

CVE , lessons learned and actions David Groep, Nov 7 nd, 2008.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
AQA Computing A2 © Nelson Thornes 2009 Section 6.4 1 Unit 3 Section 6.4: Internet Security Digital Signatures and Certificates.

AQA Computing A2 © Nelson Thornes 2009 Section Unit 3 Section 6.4: Internet Security Digital Signatures and Certificates.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA

Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
OSG Security Review Mine Altunay June 19, 2008. June 19, 2008 2 Security Overview Current Initiatives  Incident response procedure – top priority (WBS.

OSG Security Review Mine Altunay June 19, June 19, Security Overview Current Initiatives  Incident response procedure – top priority (WBS.
12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Similar presentations

Ads by Google