Presentation is loading. Please wait.

Presentation is loading. Please wait.

Comb-e-Chem PKI Mike Surridge, Steve Taylor IT Innovation.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Comb-e-Chem PKI Mike Surridge, Steve Taylor IT Innovation."— Presentation transcript:

1 Comb-e-Chem PKI Mike Surridge, Steve Taylor IT Innovation

2 Public Key Infrastructure (PKI) Requirements:Requirements: –be able to authenticate remote users –be easy to operate by Chemists (e.g. NCS) –be secure enough for academic users Analysis of existing NCS authentication:Analysis of existing NCS authentication: –uses personal knowledge of user community –uses contextual information (e.g. EPSRC project codes) –lightweight for both NCS and their customers Public key infrastructure developments:Public key infrastructure developments: –Comb-e-Chem certification policy agreed –procedures developed for NCS to certify remote users –operational responsibility transferred to Chemistry

3 PKI Roles Grid communityGrid community –defines security policy and certificate policy (CP) –approves certification authorities Certification Authority (CA)Certification Authority (CA) –defines certification practise statement (CPS) –engages registration authorities –issues certificates in accordance with policy Registration Authority (RA)Registration Authority (RA) –checks credentials of certificate applicants –enforces security and certificate policy

4 PKI Trust Network

5 Comb-e-Chem CP CP is Certification PolicyCP is Certification Policy –a set of rules by which a PKI must operate –follows a format described in RFC2527 –areas such as user registration, physical security, certificate life cycle, etc… Comb-e-Chem CP pays particular attention toComb-e-Chem CP pays particular attention to –user registration –certificate life cycle

6 NCS CPS CPS is Certificate Practice StatementCPS is Certificate Practice Statement A description of how the NCS CA (Sam) abides by and implements the rules in the CPA description of how the NCS CA (Sam) abides by and implements the rules in the CP –describes operational procedures for implementing the CP’s requirements –contains a number of agreement forms to be signed by the parties involved

7 PKI - Lessons Learned The PKI must have well-defined procedures and strict adherence to themThe PKI must have well-defined procedures and strict adherence to them –CP & CPS The CA must exercise rigour in operational proceduresThe CA must exercise rigour in operational procedures –checking of credentials –following procedures to the letter –physical security –audit trails –backups –revocation

8 PKI - Lessons Learned 2 User education must be addressedUser education must be addressed –the concepts of PKI are complex –the overhead of education can be a barrier to take-up –ill-informed users can worsen security –do users understand what is meant by (for example) a private key and a certificate? –do they understand their security obligations? –in the NCS case, users are guided by the RA

9 Comb-e-Chem Security Mike Surridge, Steve Taylor IT Innovation

10 Overview of Activities Security risk managementSecurity risk management –applied to the NCS service Security implementationSecurity implementation –operating policies and public key infrastructure –deployment of security features at NCS

11 Risk Management Risk Analysis Asset-Based Security Identify and value assets Identify threats and risks Identify and cost defences Define risk managementapproach Implementdefences

12 Risk Analysis Value assets based on impact of compromiseValue assets based on impact of compromise –high: likely to cause total business failure –med: significant but not fatal impact –low: irritating but no significant impact Threats based on likelihood of attackThreats based on likelihood of attack –high: attacks will definitely take place –med: attacks may occur from time to time –low: attacks are unlikely Risks based on likelihood of successRisks based on likelihood of success –taking account of existing defences

13 Risk Management Determine appropriate response to threatsDetermine appropriate response to threats –acceptance: live with the potential consequences –reduction: introduce defences –avoidance: don’t use the system Leads to cost-effective securityLeads to cost-effective security –as much security as you need –not more than you can afford

14 Risk Analysis Facilitation

15 Application to NCS Service Assets:Assets: –campus system and network integrity (med/high) –sample tracking data (med) –experimental result data (low/med) –grid service integrity (low/med) Risks:Risks: –system attacks from outside campus (high likelihood) –systems attacks from inside campus (med likelihood) –compromise of remote user credentials (high likelihood) –internal user error (med likelihood)

16 Security Threats

17 Conclusions Progress with core technology developmentsProgress with core technology developments –authorisation and WS-Security –relevant for service integration NCS security risks analysedNCS security risks analysed –appropriate defences identified Security procedures and infrastructure implementedSecurity procedures and infrastructure implemented –public key infrastructure (CA, RAs, policies) –firewalls and protocols for NCS deployment

18 Comb-e-Chem Security Mike Surridge, Steve Taylor IT Innovation

19 Conclusions Progress with core technology developmentsProgress with core technology developments –authorisation and WS-Security –relevant for service integration NCS security risks analysedNCS security risks analysed –appropriate defences identified Security procedures and infrastructure implementedSecurity procedures and infrastructure implemented –public key infrastructure (CA, RAs, policies) –firewalls and protocols for NCS deployment

20 PKI can have Multiple CAs UserUser ResourceResource CA1 CAn

21 Registration Procedure

Download ppt "Comb-e-Chem PKI Mike Surridge, Steve Taylor IT Innovation."

Similar presentations

© 1998-2003 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.

© ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Module 1 Evaluation Overview © Crown Copyright (2000)

Module 1 Evaluation Overview © Crown Copyright (2000)
© S.J. Coles 2006 Usability WS, NeSC Jan 06 Experiences in deploying a useable Grid-enabled service for the National Crystallography Service Simon J. Coles.

© S.J. Coles 2006 Usability WS, NeSC Jan 06 Experiences in deploying a useable Grid-enabled service for the National Crystallography Service Simon J. Coles.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.

© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.
March 6, 2012 SOC Reporting: What is New in the Audit Guides?

March 6, 2012 SOC Reporting: What is New in the Audit Guides?
A responsibility based model EDG CA Managers Meeting June 13, 2003.

A responsibility based model EDG CA Managers Meeting June 13, 2003.
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.

ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
SOX and IT Audit Programs John R. Robles Thursday, May 31, 2007 Tel: 787-647-396.

SOX and IT Audit Programs John R. Robles Thursday, May 31, Tel:

Similar presentations

Ads by Google