Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKI in US Higher Education (Scott Rea) Fed/Ed June 2008

Published byMatthew Adams Modified over 5 years ago

Similar presentations

Presentation on theme: "PKI in US Higher Education (Scott Rea) Fed/Ed June 2008"— Presentation transcript:

1 PKI in US Higher Education (Scott Rea) Fed/Ed June 2008

2 Agenda PKI at Dartmouth Larger community PKI interactions
New CA Platform Secure Wireless Infrastructure Digital Signatures Larger community PKI interactions USHER HEBCA TAGPMA

3 Dartmouth PKI - the Details
Dartmouth started researching PKI including pilot implementations in 2000 CA products originally investigated Entrust RSA Netscape Enterprise Service Microsoft OpenCA Successfully demonstrated a range of services: S/MIME Smartcard logon Higher assurance authentication Server/service authentication Document digital signatures Code signing Data/file/drive encryption Created an on-going outreach program that has been very successful

4 Dartmouth PKI - the Details
Dartmouth started production PKI in 2003 CA setup Created CP/CPS with minimal policy Netscape Enterprise Server (NES) Certificate Management System (became iPlanet became SunOne became Sun One, given to Red Hat) Generated self-signed root + OCSP authorities Keys in FIPS 140 level 3 HSM – Luna CA3 (was Chrysalis, became Rainbow, became SafeNet) Solaris 8 – hardened OS Open to public but firewalled for only HTTPS connections CA transition required due to lack of platform support Sun One CMS end-of-life 30 June 2006 Ran at risk until future PKI directions were finalized and implemented

5 Dartmouth PKI - the Details
CA transition Determine PKI future directions Evaluate possible replacement CA platforms Build or Buy? If build: commercial or opensource or roll-your-own Determine evaluation framework Cost over 3 years for 15,000 active credentials Hardware, hosting, operations, licensing, support, local expertise Cater for death, re-birth, or transition of existing CA Smooth transition for 12,500 active credentials Cater for desired future services (e.g. wireless authentication)

6 Dartmouth PKI - the Details
CA transition Process began in May 2006 Decision from management to run at risk with existing platform for 12 months Plan to be in production by 1 April 2007 to give us 3 months to transition existing users and well in time to handle freshman intake in mid-September Run old infrastructure in parallel until end of September 2007 to mitigate any unforeseen issues Platforms evaluated: Outsource Managed Services (BUY) Verisign CyberTrust (now Verizon Business Solutions) Identrus (previously DST, now IdenTrust) GeoTrust Inhouse Commercial Platform (BUILD-a) Microsoft CA RSA Inhouse Opensource Platform (BUILD-b) OpenCA EJBCA Inhouse Roll-your-own (BUILD-c) CAPSO OpenSSL

7 Dartmouth PKI - the Details
CA transition Outsource Managed Services (BUY) Quickly discounted as too expensive ($135K-$490K) Inhouse Commercial Platform (BUILD-a) Microsoft CA – right price, but aversion to platform RSA – too expensive Inhouse Opensource Platform (BUILD-b) OpenCA – too difficult to manage (Started working on OpenCA-NG) EJBCA – not enough support Inhouse Roll-your-own (BUILD-c) CAPSO – negotiated free-to-higher-ed-and-research agreement OpenSSL – too much work CAPSO chosen as basis from which to roll-our-own CA JCE based CA Supports our particular HSM setup Developed at University of Graz in Austria Local expertise with base cryptographic modules and platform Support available from Graz Utilized for production in other places (e.g. Austrian Govt, UGraz) Run on preferred enterprise OS platform – Red Hat (RHEL)

8 Dartmouth PKI - the Details
CA transition Decision made / management buy off by November 2006 Resource constraints meant February 2007 was official build process start date Additional functionality requested to support secured wireless after project started Issues delayed production start until mid-August 2007, primarily to be ready for wireless lock down, transition of credentials from old system was done post this operation More modification of base code than anticipated in order to integrate with Dartmouth Identity Management systems Single resource doing development Support from Graz was sporadic and limited Their 1 resource was doing military service Existing HSM not really supported on RHEL Choice of non-current Solaris or non-preferred Microsoft Decision to migrate to newer netHSM Testing of new functionality with certs required CA changes to support the corresponding certificate profiles required Vista requirements added – new API from MS not well documented How to handle CRLs from 2 concurrent systems Successful launch of new CA platform on August 2007 Handled issuance of 1200 high assurance eToken based credentials for incoming freshman class Transition of existing 12,300 active credentials successfully New CA platform issued more credentials in first 6 months than old CA has issued in 5 years

9 Dartmouth PKI - the Details
CA transition Report Card 26,500+ active certificates 3,500 certs issued on eTokens 100 TLS certs for internal facing services 23,000+ software certs (mostly for wireless authentication) Outstanding issues Certificate publishing Expanded certificate profile support LRA integration Self-service Revocation

10 Dartmouth PKI - the Details
Credential Issuance Process: Two levels of assurance on end user credentials Software certificate Self-service using authentication to our central WebAuth system Browser based issuance process IE (W2K, XP & Vista) FireFox, Mozilla on Win, OSX, *nix Safari eToken certificates Face-2-face with local registration agent (LRA) Requires LRA attestation of credentials checked 2 forms of ID required (1 photo ID) Still have to authenticate to central directory Keys generated onboard on the token FireFox – under supervision on Win, OSX, *nix Single high level on the SSL/TLS servers Manual process only after verification of admin identity and service authorization

11 Dartmouth PKI - the Details
Current Production services: S/MIME Smartcard logon Higher assurance authentication – including 2-factor authentication using eTokens (SSH, VPN, EAP-TLS) Server authentication (for non-public facing web services) Limited EFS use – but no “official” escrow services currently Limited Document digital signatures Planned Production services: EFS with supported escrow Document paperless workflow

12 Wireless Security CALEA motivated scrutiny of existing open wireless infrastructure Decision to move to private networks EAP-TLS for authentication 6 months cross-over between legacy & new infrastructure SSIDs Open SSIDs still as gateway to commercial ISP Some research & documentation work was required to support configuration of supplicants

13 Wireless Security Smooth successful roll out of new wireless infrastructure 1000’s of certificates issued with little negative impact Integrated with campus IdM Required some adjustments to CA Vista changes Profile changes Some adjustments for clients Apple OSX Leopard issues Registered SSID for devices that do not support EAP-TLS

14 Digital Signatures Due to wireless roll out - everyone has a credential now How do we speed up slow paper-based workflow processes on campus? Who is interested? Registrar Computer Science Financial Services Investigating use of Adobe as basis for facilitating electronic signatures Least invasive to existing processes

15 Community PKI Dartmouth engaged in many larger PKI communities USHER
Created USHER CA at Dartmouth Continued policy & administrative responsibilities HEBCA Created & still operates HEBCA Limited (test only use) currently TAGPMA Original founding member Continued policy & accreditation participation

16 Creating Silos of Trust
Institution Dept-1 Dept-1 Dept-1 USHER CA CA CA SubCA SubCA SubCA SubCA SubCA SubCA SubCA SubCA SubCA

17 Solving Silos of Trust Institution FBCA Dept-1 Dept-1 Dept-1 HEBCA
CAUDIT PKI USHER CA CA CA SubCA SubCA SubCA SubCA SubCA SubCA SubCA SubCA SubCA

18 Proposed Inter-federations CA-2 CA-1 HE BR AusCert CAUDIT PKI CA-n NIH
HE JP FBCA Cross-cert Cross-certs C-4 DST ACES Texas Dartmouth HEBCA Cross-certs IGTF Wisconsin UVA Univ-N USHER CertiPath SAFE CA-4 Other Bridges CA-1 CA-2 CA-3

19 International Grid Trust Federation
IGTF founded in Oct, 2005 at GGF 15 IGTF Purpose: Manage authentication services for global computational grids via policy and procedures IGTF goal: harmonize and synchronize member PMAs policies to establish and maintain global trust relationships IGTF members: 3 regional Policy Management Authorities EUgridPMA APgridPMA TAGPMA 100+ CAs, 100,000+ credentials

20 PKI Resource Query Protocol
Protocol to allow discovery of services and attributes offered by a particular CA Where to request certificate Where to request revocation What validation services are available Where to find policy Simple client-server based protocol Peer-to-peer or Central hub deployment options Experimental track IETF RFC

21 For More Information HEBCA Website: http://webteam.educause.edu/hebca/
Scott Rea -

Download ppt "PKI in US Higher Education (Scott Rea) Fed/Ed June 2008"

Similar presentations

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
CREN-Mellon conference, December 1, 2001 University of Texas PKI Status.

CREN-Mellon conference, December 1, 2001 University of Texas PKI Status.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.

PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
Higher Education Bridge Certificate Authority (HEBCA) Project Progress Fed/Ed June 2005.

Higher Education Bridge Certificate Authority (HEBCA) Project Progress Fed/Ed June 2005.
Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.

Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.
Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.

Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.
The 4BF The Four Bridges Forum Higher Education Bridge Certificate Authority.

The 4BF The Four Bridges Forum Higher Education Bridge Certificate Authority.
PKI in US Higher Education (Scott Rea) Fed/Ed June 2008.

PKI in US Higher Education (Scott Rea) Fed/Ed June 2008.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
HEBCA – Higher Education Bridge Certification Authority Presented by Scott Rea and Mark Franklin, Fed/Ed Meeting, 12/14/2005.

HEBCA – Higher Education Bridge Certification Authority Presented by Scott Rea and Mark Franklin, Fed/Ed Meeting, 12/14/2005.
Dartmouth PKI (Scott Rea) EDUCAUSE PKI Deployment Forum Madison, WI - April 16, 2008.

Dartmouth PKI (Scott Rea) EDUCAUSE PKI Deployment Forum Madison, WI - April 16, 2008.
CAMP - June 4-6, 2003 1 Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin 2003. This work is the intellectual property of the authors.

CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.
1 USHER Update Fed/ED December 2007 Jim Jokl University of Virginia.

1 USHER Update Fed/ED December 2007 Jim Jokl University of Virginia.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

Similar presentations

Ads by Google