
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.


Slide 1: Experiences with Massive PKI Deployment and Usage
Daniel Kouřil, Michal Procházka
Masaryk University & CESNET
Security and Protection of Information 2009

Slide 2: Public Key Infrastructure
- Asymmetric cryptography
  - Each user and service owns a key pair
- X.509 digital certificates
  - PGP not suitable
- Certification Authority (CA)
- Network of Registration Authorities (RAs)
- Relying parties

Slide 3: Distributed environments
- Ithanet project
  - Network for medical research in Mediterranean countries
  - Users were physicians with little knowledge about computers
- Grid infrastructure
  - Facilitates collaborations, resource sharing, support of research
  - Basic services provided by the grid operator
  - Easy establishment of secure communication

Slide 4: PKI in large-scale environments
- PKI is a good candidate for authN in large infrastructures
  - Scalability
- Several aspects to be considered and addressed
  - Operators
  - Users
- General PKI not tied to applications

Slide 5: Operating a PKI
- CA establishment is not a technical problem
- Building trust is crucial
- Many administrative problems
  - Proper authentication of applicants
  - Protection of signing keys
  - Proper handling of revocation requests
  - Long-term support
  - Cooperation in incident resolution
  - …
- CAs publish their policies

Slide 6: International Grid Trust Federation
- Easing orientation for relying parties
- CA managers, identity providers, large relying parties involved
- IGTF builds a federation of trusted CAs
  - Approves procedures and minimum requirements
  - Reviews the CA policies (CP/CPS)
- Flat model – no root IGTF CA
- Unified name space for subject names
  - User is uniquely identified by their subject name

Slide 7: Revocation checks
- Revocation is a must
  - Often neglected by administrators or applications
  - It's impossible to check CRLs with Firefox
- Certificate Revocation Lists (CRLs)
- Online Certificate Status Protocol (OCSP)
- Overhead
  - Latency penalty for online checks
  - Large amount of data in aggregated CRL transfers
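The CRL check a relying party should perform, written as an added example (not code from the presentation). It assumes the third-party Python `cryptography` package and builds a constructed toy CA, two issued certificates and a CRL revoking one of them; the "untrusted" results show why a stale or foreign CRL must never be read as a clean bill of health.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

NOW = datetime.now(timezone.utc)  # one fixed "now" keeps the demo deterministic
def _name(cn): return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
def make_ca(cn="Toy CA (constructed)"):
    # Self-signed CA key pair and certificate, standing in for a real grid CA
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert
def issue_cert(ca_key, ca_cert, cn):
    # End-entity certificate signed by the CA; the user's private key is not kept here
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=30))
            .sign(ca_key, hashes.SHA256()))
def make_crl(ca_key, ca_cert, revoked_serials, valid_hours=24):
    # next_update bounds how long a relying party may keep using this CRL
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + timedelta(hours=valid_hours)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())
def check_cert(cert, ca_cert, crl, hours_from_now=0):
    """Return 'good', 'revoked', or 'untrusted: ...' when no safe decision is possible."""
    try:  # the certificate must carry a valid signature from the CA we trust
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        return "untrusted: certificate signature invalid"
    # The CRL counts only if this CA signed it and it is still current; a replayed
    # stale CRL could hide a revocation, so refuse rather than assume "good"
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "untrusted: CRL not signed by this CA"
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=timezone.utc)
    if NOW + timedelta(hours=hours_from_now) > nxt:
        return "untrusted: CRL expired, fetch a fresh one before deciding"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"
```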

Slide 8: Obtaining certificates
- The process consists of two phases
  - Generating the key pair
  - Identity vetting at the RA
- Crucial for users' perception
- Crucial for security of credentials

Slide 9: Online CAs
- Normal web page with a simple form
  - Registration is done first
- Browser is a key component
  - Performs cryptographic operations
  - Communicates with the CA
  - Receives and stores the new certificate
- New requirements
  - Signing machine of the CA is exposed
  - Trust in the browser

Slide 10: Online CAs in Identity Federations
- Identity federations leverage existing user management systems
  - Access to internal systems of the institution
  - Users don't need additional credentials to access new services
- Online CA connected to the federation
  - No need for personal visits to the RA

Slide 11: Private Key Protection
- Users don't protect their private keys
  - Weak passphrases, file permissions
  - Can't be checked by PKI operators
- Ideally not handled directly by users – transparent PKI
  - Key repositories
    - Specialized service maintaining keys for users
  - Smart cards
    - User support is difficult in a general PKI

Slide 12: Conclusions
- Several aspects to address to operate a secure PKI
- Established set of trusted CAs available
- General CAs, not tied to a particular application
- Keep users away from their private keys :-)

Slide 13: Backup slides

Slide 14: Single Sign-On
- User authenticates just once
- Proxy certificate
  - Issued by the user
  - Only short-lived
- Standard X.509 short-lived certificates
  - Issued by an online CA
  - Can be obtained automatically after login

