
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.



Presentation transcript:

1 PKI Activities at Virginia
January 2004 CSG Meeting
Jim Jokl

2 University of Virginia PKI Project
Goal
– Enable PKI support for a range of applications
Deploy two campus CAs
– Standard Assurance CA
  – Based on the PKI-Lite Policy and Practices document
  – Uses CREN root; will migrate to USHER
– High Assurance CA
  – Based on the Higher Education Certificate Policy
  – Expect to cross-certify this CA via HEBCA

3 UVa Standard Assurance CA (PKI-Lite)
Focus: new applications & ease of use
Designed to support many common applications
– Web authentication
– VPN authentication
– S/MIME: signed and encrypted email
– SSL server certificates
– EAP/TLS for wireless access control
– Grid authentication

4 UVa Standard Assurance CA (PKI-Lite)
Uses existing account information to validate the user request
– Computing ID, password, and some database info checked
Simple subscriber agreement

5 UVa Standard Assurance CA (PKI-Lite)
Simple user interface
– Internet Explorer or Netscape
– Fill in ID check form
– Key pair automatically generated, certificate issued, and the whole certificate chain installed
– Supports hardware tokens for mobility if desired
– Certificate validity period
  – Students: until the next September
  – Faculty and staff: one year
  – Others: through the end of the current semester
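The validity-period rule on slide 5, implemented as an added example (this is not code from the presentation or from the UVa CA). The slide does not say which day in September the student certificates run to, nor which dates close a semester, so 1 September and semester ends of 31 May, 31 August and 31 December are assumptions, labelled in the code; the `audit_not_after` check is a natural companion for verifying that a CA profile never issues past the policy ceiling.

```python
from datetime import date

# Policy from the slide: students until the next September, faculty and staff
# one year, everyone else through the end of the current semester.
#
# Assumptions (not stated on the slide): "September" means 1 September, and the
# semesters end on 31 May (spring), 31 August (summer) and 31 December (fall).
SEPTEMBER_START = (9, 1)
SEMESTER_ENDS = ((5, 31), (8, 31), (12, 31))  # (month, day) of each semester's last day


def _add_one_year(d: date) -> date:
    """d plus one calendar year; 29 February clamps to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def certificate_not_after(issued: date, affiliation: str) -> date:
    """Policy notAfter date for a certificate issued on `issued`.

    affiliation is one of "student", "faculty", "staff" or "other".
    """
    affiliation = affiliation.lower()
    if affiliation == "student":
        # Until the next 1 September; a certificate issued on or after
        # 1 September runs to the following year's 1 September.
        this_year = date(issued.year, *SEPTEMBER_START)
        return this_year if issued < this_year else date(issued.year + 1, *SEPTEMBER_START)
    if affiliation in ("faculty", "staff"):
        return _add_one_year(issued)
    if affiliation == "other":
        # Through the end of the semester in which the certificate was issued.
        for month, day in SEMESTER_ENDS:
            end = date(issued.year, month, day)
            if issued <= end:
                return end
        raise AssertionError("SEMESTER_ENDS must finish on 31 December")
    raise ValueError(f"unknown affiliation: {affiliation!r}")


def not_after_iso(issued_iso: str, affiliation: str) -> str:
    """Same rule with ISO-8601 strings in and out, convenient for audit scripts."""
    return certificate_not_after(date.fromisoformat(issued_iso), affiliation).isoformat()


def audit_not_after(issued_iso: str, observed_not_after_iso: str, affiliation: str) -> bool:
    """True if an issued certificate's notAfter is within the policy ceiling.

    A notAfter later than the policy allows points at a misconfigured CA profile.
    """
    issued = date.fromisoformat(issued_iso)
    observed = date.fromisoformat(observed_not_after_iso)
    return issued <= observed <= certificate_not_after(issued, affiliation)


if __name__ == "__main__":
    for aff in ("student", "faculty", "other"):
        print(aff, not_after_iso("2004-01-15", aff))
```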

6 UVa Standard Assurance CA (PKI-Lite): Other Design Decisions
Certificate Revocation List (CRL) support
– Yes/no, partitioning, LDAP/HTTP
Privacy and FERPA
Key Usage settings
– S/MIME & key escrow question
Directory integration
– Users often obtain multiple certificates
– Preferred certificate

7 Applications
Cisco VPN services
– UVa-Anywhere remote access VPN
– “More Secure” network VPN
  – Uses LDAP authorization to prevent student access
Wireless authentication migration
– LEAP supported now for secure wireless
– Adding EAP-TLS VLAN as quickly as possible
– Eventually phase out LEAP and its account management
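The split that slide 7 describes, and that slide 11 draws, is authentication by certificate followed by a separate LDAP authorization decision (students are kept off the “More Secure” VPN even though their certificates are perfectly valid). The following is an added example of that decision logic; it is not code from the presentation or from UVa. A dataclass stands in for the parsed X.509 certificate and a dict for the LDAP server; the issuer DN, the UID attribute in the subject, the eduPersonAffiliation attribute name, the directory entries and the revoked serial number are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed values for the demo; none of them come from the presentation.
TRUSTED_ISSUER = "CN=UVa Standard Assurance CA"           # assumed issuer DN
NOW = datetime(2004, 1, 20, 12, 0, tzinfo=timezone.utc)  # fixed clock so results are repeatable
REVOKED_SERIALS = {1002}                                  # stands in for the CA's CRL

# Stands in for the LDAP directory: computing ID -> attributes. The attribute
# name eduPersonAffiliation is an assumption; the slide only says LDAP holds the data.
DIRECTORY: Dict[str, Dict[str, list]] = {
    "jd1x": {"eduPersonAffiliation": ["faculty"]},
    "ab2y": {"eduPersonAffiliation": ["student"]},
    "cd3z": {"eduPersonAffiliation": ["student", "staff"]},  # student with a staff job
}

# Affiliations each VPN refuses. Slide 7: the "More Secure" VPN excludes
# students; UVa-Anywhere is open to any authenticated subscriber.
VPN_DENIED_AFFILIATIONS = {
    "uva-anywhere": set(),
    "more-secure": {"student"},
}


@dataclass(frozen=True)
class Certificate:
    """The fields the decision needs; stands in for a parsed X.509 certificate."""
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


def computing_id_from_subject(subject: str) -> Optional[str]:
    """UID attribute of an RFC 4514-style DN such as 'CN=Jane Doe, UID=jd1x'."""
    for rdn in subject.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "UID" and value.strip():
            return value.strip()
    return None


def authenticate(cert: Certificate, now: datetime) -> Tuple[bool, str]:
    """Step 1: a live certificate from our CA? (A real concentrator also verifies
    the signature chain; this stand-in checks issuer, validity window, revocation.)"""
    if cert.issuer != TRUSTED_ISSUER:
        return False, "untrusted issuer"
    if not cert.not_before <= now <= cert.not_after:
        return False, "certificate expired or not yet valid"
    if cert.serial in REVOKED_SERIALS:
        return False, "certificate revoked"
    return True, "authenticated"


def authorize(cert: Certificate, vpn: str, now: datetime = NOW) -> Tuple[bool, str]:
    """Step 2: apply the LDAP-based VPN policy to an authenticated certificate."""
    ok, reason = authenticate(cert, now)
    if not ok:
        return False, reason
    if vpn not in VPN_DENIED_AFFILIATIONS:
        return False, f"unknown VPN {vpn!r}"  # deny by default
    uid = computing_id_from_subject(cert.subject)
    entry = DIRECTORY.get(uid) if uid else None
    if entry is None:
        return False, "no directory entry for certificate subject"
    affiliations = set(entry.get("eduPersonAffiliation", []))
    blocked = affiliations & VPN_DENIED_AFFILIATIONS[vpn]
    if blocked:
        # A student who also holds a staff job is still a student: any denied
        # affiliation blocks access, whatever else the entry says.
        return False, f"affiliation {sorted(blocked)} not permitted on {vpn}"
    return True, f"authorized for {vpn}"


def sample_certificates() -> Dict[str, Certificate]:
    """Constructed certificates exercising each branch of the decision."""
    utc = timezone.utc
    valid = dict(not_before=datetime(2003, 9, 1, tzinfo=utc), not_after=datetime(2004, 9, 1, tzinfo=utc))
    return {
        "faculty": Certificate("CN=Jane Doe, UID=jd1x", TRUSTED_ISSUER, 1001, **valid),
        "revoked": Certificate("CN=Jane Doe, UID=jd1x", TRUSTED_ISSUER, 1002, **valid),
        "student": Certificate("CN=Al Bee, UID=ab2y", TRUSTED_ISSUER, 1003, **valid),
        "student_staff": Certificate("CN=Cy Dee, UID=cd3z", TRUSTED_ISSUER, 1004, **valid),
        "expired": Certificate("CN=Jane Doe, UID=jd1x", TRUSTED_ISSUER, 1005,
                               datetime(2002, 9, 1, tzinfo=utc), datetime(2003, 9, 1, tzinfo=utc)),
        "foreign_ca": Certificate("CN=Jane Doe, UID=jd1x", "CN=Some Other CA", 7, **valid),
        "unknown_user": Certificate("CN=Nobody, UID=zz9q", TRUSTED_ISSUER, 1006, **valid),
    }


if __name__ == "__main__":
    for name, cert in sample_certificates().items():
        for vpn in ("uva-anywhere", "more-secure"):
            print(f"{name:13s} {vpn:13s} -> {authorize(cert, vpn)}")
```

Keeping the two steps in separate functions is the point: the CA answers only "who is this?", while the LDAP lookup answers "may this person use this network?", so a revoked certificate never reaches the policy check and a policy change (say, admitting staff but not students) needs no reissued certificates.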

8 Applications
S/MIME
– Client support now available in our main clients
  – Mulberry 3.1
  – Communigate Pro webmail
– Integration with our anti-spam solution
– Considering sending signed official announcements

9 UVa High Assurance CA
Focus on applications needing higher assurance levels using 2-factor authentication
– SSH authentication for sysadmins of critical systems
– VPN authentication for access to special purpose networks (ERP, HIPAA, etc.)
– Web authentication
– Windows 2000/XP authentication?
– Digital signatures?

10 UVa High Assurance CA
Two-step Registration Authority (RA) process
– In-person photo identification check
– Web form and database validation protects against an RA
Mostly off-line CA
Hardware for CA private key protection
Hardware token use required
– 2-factor authentication
– Strong private key protection
– Enables easy mobility
– Provides idle use timeout

11 VPN PKI 2-factor Authentication with LDAP Authorization
[Diagram: VPN concentrators behind a firewall, LDAP AuthZ servers, Oracle ERP servers S1, S2, S3 … Sn, Hospital Net, and the Main Campus Network, with IN/OUT traffic paths]


13 High Assurance Applications
– 2-factor SSH authentication for ERP system admins and DBAs
– HIPAA access VPN service
– Departmental network admin delegation
– Internal management applications
Future
– ERP users with direct database access
– Windows domain authentication?
– Digital signatures
– HEBCA applications

