1 The PKI Lab at Dartmouth
Presentation for Mellon Retreat
February 9, 2004

2 Dartmouth PKI Lab
Project Overview and Status

3 Dartmouth PKI Lab
R&D to make PKI a practical component of campus networks
Multi-campus collaboration sponsored by the Mellon Foundation
Dual objectives:
– Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).
– Improve the current state of the art. Identify security issues in current products. Develop solutions to the problems.

4 Production PKI Applications at Dartmouth
Dartmouth certificate authority
– Over 600 end user certificates issued, 435 of them to students
Authentication for:
– Library Electronic Journals (including OVID)
– Banner Student Information System
– Tuck School of Business Portal
– VPN Concentrator
S/MIME email (few users)

5 Second Wave of PKI Deployment at Dartmouth
Actively developing:
Authentication for:
– Blackboard Course Management System
– Software downloads
Hardware tokens
– Required for VPN access to secured subnets
Higher assurance certificates (picture ID check)
We plan to reach all Dartmouth users with PKI through continued deployment of applications and increasing incentives and requirements for its use.

6 Investigation and Research
Wireless authentication
– 802.1x authentication EAP-TLS (PKI) on Win and Mac
– WEP encryption on Win with proper drivers
– WPA encryption with latest wireless cards and firmware
– Multiple SSID access point for transition
Greenpass: pilot of SDSI/SPKI authorization certificates for delegation of authentication credentials for wireless guest access
– Now supported by Cisco and (we hope) by Intel

7 “Open Source CA in a Box”
Provide a hardened open source CA bundle suitable for trial and (initially) simple deployment.
Selecting an open source CA
– OpenCA
– Papyrus
– pyCA
Enforcer TPM-hardened Linux (available now)
– Turns controversial TCPA technology “to the light” to secure Linux boot process and provide much enhanced run-time protection against hackers
– Useful for any Linux server application (e.g. Apache, LDAP, mail, LionShare or Westwood “ultra peer”)
– slashdot.org/article.pl?sid=03/09/10/0255245
Packaging for easy installation (summer)
Carefully chosen enhancements to the open source CA
– Added features
– Enhanced private key protection
We welcome feedback on requirements, contributions, testing, etc!

8 Outreach
Many presentations, papers
– www.dartmouth.edu/~deploypki/events.html
Planning a PKI Deployment Summit
Working with schools deploying PKI
– PKI’s inexpensive 2-factor authentication proving an attractive proposition
Deployment partners:
– University of Wisconsin
– University of Minnesota
– University of Texas
– Others getting started (USC, Yale)
March/April EDUCAUSE Review “New Horizons” article
Outreach web: www.dartmouth.edu/~deploypki

9 Dartmouth PKI Lab
Interrelation With Other Projects:
“Off the shelf” PKI for projects with Web and non-Web client/server applications
Specific P2P proposal for LionShare and Westwood

10 PKI and Other Mellon Projects (Overview)
The PKI Lab helps provide PKI-based security to others in higher education.
We can help enable appropriate integration and use of PKI in other Mellon projects.
– Vision, ideas
– Consultation, deployment examples and assistance
– Vulnerability analysis
– Design new applications of PKI
– Possibly collaborate developing infrastructure code

11 PKI and Other Mellon Projects (Authentication)
Each of the other projects requires user authentication (at least to some degree)
PKI provides a superior method for authentication to all of them:
– Avoids pitfalls of username/password
– Improved security with two-factor authentication, choice of key length, strong encryption
– Interoperates with a host of commercial applications
– Inter-institutional authentication

12 PKI and Other Mellon Projects (Digital Signatures)
Beyond authentication for access, many of the other projects may require digital signatures:
– Chandler/Westwood supports email with S/MIME signatures for interoperability with other systems
– LionShare requires signing data before posting in order to provide traceability of who posted it
– SAKAI user posting to a course discussion list via standard S/MIME signed email instead of having to log into the application every time

13 PKI and the Rest (Encryption)
P2P applications can form a “network” of peers, forwarding queries through intermediary peers in the mesh (for example, gnutella does this).
In some cases, peers want to forward data through the mesh (firewalls or address translation may prohibit a direct connection).
BUT do we trust the intermediary peers with the data in the clear?
PKI can encrypt this data so only the intended recipient can decrypt it. Now it’s secure on the intermediaries.
SSL/TLS and other transport encryption schemes can’t do this.

14 Proposal for Other Projects (Non-P2P Projects)
uPortal, ePortfolio, AAM, SAKAI, JSTOR, ARTstor
– Web applications support PKI client-side authentication
– It’s already built into most web servers - probably just document how to do it (refer to PKI Lab documentation)
VUE, LionShare, Westwood
– Non-Web applications implement PKI client authentication

15 Westwood and LionShare: P2P With PKI
Specific proposal for Chandler and LionShare:
PKI for P2P Authentication Without All the CA Hassles: A Proposal by the Dartmouth PKI Lab

16 LionShare and Westwood: P2P With PKI
Detailed proposal at rit.mellon.org/twiki/bin/view/Main/PkiTwiki
We propose that Westwood/Chandler and LionShare skip username/password authentication and implement certificates/Shibboleth based authentication right away.

17 Westwood and LionShare: P2P With PKI
Both of these are P2P applications that need peer authentication.
– Sharing data and services with some peers, but not all.
– User wants to share calendar information with a spouse, but not the world.
– Researchers share pre-publication project data with each other but not the entire school.

18 LionShare and Westwood: P2P With PKI
If there is an institutional authentication service, then we can use Shibboleth to tie into whatever is available (LionShare plans to do this).
Or an institutional PKI works too.
How to handle the case where there is no cooperating institutional authority to manage authentication?
– Collaborator at a different school.
– Individual not associated with an institution.
– Group of colleagues using Westwood/Chandler.

19 Westwood and LionShare: P2P With PKI
Passwords don’t work well in the “no institutional infrastructure” case.
– Everybody hates passwords.
– This requires a potentially different username/password pair for each P2P pairing.
– 10 colleagues all sharing calendars with each other implies 100 username/password pairs.
– Possibly automate managing all these passwords, but this is tricky and likely to be hard to use and/or easily hacked.
What if each user could have at most one local and one institutional password?

20 LionShare and Westwood: P2P With PKI
Certificates offer a way for each peer to have an identity that it can prove to other peers via public key encryption.
Peer clients acquire these:
– Certificates issued by peers
– Temporary certificates via Shibboleth
– Institutional or commercial Certification Authority issued certificates
Certificates can carry actual identity information or can be anonymous.
Same peer server code to validate and manage all types of certificates regardless of source.

21 Westwood and LionShare: P2P With PKI
The Shibboleth/KCA and institutional CA certificates are standard solutions.
Our proposed new concept is using self-signed certificates from client peers to authenticate to peers providing services.
Challenge: How does the server peer know to trust the client peer’s certificate?

22 LionShare and Westwood: P2P With PKI
Trusting self-signed client peer-issued certificates
– There are reasonable ways to register these certificates for trust by another peer.
– We can automate this with one easy dialog box.
– PGP uses a similar model, but PKI is standards based.

23 Westwood and LionShare: P2P With PKI
Advantages
Mostly standard PKI – open source implementations available as starting point (NSS, OpenSSL)
In P2P the “server” side only needs certificates to authenticate – no usernames and passwords
Works with Shibboleth for federation and interoperability with legacy authentication servers
Share implementation among multiple projects
Solve all authentication scenarios without ever having to implement username/password

24 LionShare and Westwood: P2P With PKI
Actions
Westwood and LionShare collaborate with the PKI Lab on this
Review and critique proposal (already started)
Refine the proposed architecture for P2P authentication based on this concept
Select open source crypto library (NSS?, OpenSSL?)
Share underlying implementation
Share GUI design and as much GUI implementation as possible
Implement the proposed strategy as your authentication mechanism

25 For More Information
Outreach web: www.dartmouth.edu/~deploypki
Dartmouth PKI Lab
PKI Lab information: www.dartmouth.edu/~pkilab
Dartmouth user information, getting a certificate: www.dartmouth.edu/~pki
Mark.J.Franklin@dartmouth.edu
S.Bradley.Noblet@dartmouth.edu
Lawrence.M.Levine@dartmouth.edu

26 LionShare and Westwood: P2P With PKI
More on trusting self-signed client peer-issued certificates
– Register end user certificates for trust, not root certificates
– Need to verify that it’s the right certificate before registering (thwart man-in-the-middle attack)
– PKI allows for this - numerical “thumbprint” that users can manually verify via an out of band channel (phone call to compare on both sides, email, IM, etc.)
– Requires one manual step (verifying thumbprint) – can be as simple as a single dialog box in an otherwise automatic process

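The registration step on this slide, as an added example (not code from the PKI Lab or its proposal): a peer registers an end-user certificate only after the thumbprint of what arrived over the network matches the value its owner gave out of band. SHA-256 over the DER encoding is an assumption, the names `thumbprint`, `normalize` and `PeerTrustStore` are hypothetical, and the byte strings are constructed stand-ins for real certificates.

```python
import hashlib
import hmac
import string

def thumbprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, as colon-separated hex for reading aloud."""
    h = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def normalize(value: str) -> bytes:
    """Keep hex digits only, so 'ab cd', 'AB:CD' and 'ab-cd' all compare equal."""
    return "".join(c for c in value if c in string.hexdigits).upper().encode()

class PeerTrustStore:
    """Trusts individual end-user certificates, never a root that vouches for others."""

    def __init__(self):
        self.trusted = {}  # normalized thumbprint -> peer label

    def register(self, label: str, der_cert: bytes, out_of_band: str) -> bool:
        """Accept the certificate received over the network only if its
        thumbprint matches the one its owner gave over phone, email or IM."""
        local = normalize(thumbprint(der_cert))
        if not hmac.compare_digest(local, normalize(out_of_band)):
            return False  # substituted in transit, or a typo: do not register
        self.trusted[local] = label
        return True

    def authenticate(self, der_cert: bytes):
        """Return the registered label, or None for an unknown certificate.
        Proof that the peer holds the private key comes from the TLS handshake."""
        return self.trusted.get(normalize(thumbprint(der_cert)))

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
ALICE_CERT = b"constructed-der-bytes-for-alice"
SUBSTITUTED_CERT = b"constructed-der-bytes-from-an-intermediary"

def demo():
    store = PeerTrustStore()
    spoken = thumbprint(ALICE_CERT).lower().replace(":", " ")  # as read over the phone
    swapped = store.register("alice", SUBSTITUTED_CERT, spoken)  # wrong cert arrived
    genuine = store.register("alice", ALICE_CERT, spoken)
    return swapped, genuine, store.authenticate(ALICE_CERT), store.authenticate(SUBSTITUTED_CERT)

if __name__ == "__main__":
    print(demo())
```

In a real peer the DER bytes would come from the certificate the other side presents during the TLS handshake, and the store would be persisted between sessions.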