Published by Angel Anthony. Modified over 9 years ago.
1
Bridging Higher Education PKIs
PKI Summit, August 2006
Snowmass, Colorado
2
Overview
What are the drivers for PKI in Higher Education?
–Stronger authentication to resources and services of an institution
–Better protection of digital assets from disclosure, theft, tampering, and destruction
–More efficient workflow in distributed environments
–Greater ability to collaborate and reliably communicate with colleagues and peers
–Greater access (and more efficient access) to external resources
–Facilitation of funding opportunities
–Compliance
3
Overview
Potential Killer Apps for PKI in Higher Education
–S/MIME
–Paperless Office workflow
–EFS
–Shibboleth/Federations
–GRID Computing Enabled for Federations
–E-grants facilitation
4
Overview
PKI Choices for Higher Education
–Outsourced everything
–Outsourced managed services, internal RAs
–Internal operations: Community root | Campus root
–Community Policy | Campus Policy
  CA software: commercial | vendor | open source | RYO
5
Creating Silos of Trust
[Diagram; labels: Dept-1, Institution, SubCA, CA, USHER]
6
LOA: Levels of Assurance
Not all CAs are created equal
–Policies adhered to vary in detail and strength
–Protection of private keys
–Controls around private key operations
–Separation of duties
–Trustworthiness of Operators
–Auditability
–Authentication of end entities
–Frequency of revocation updates
7
HEBCA: Higher Education Bridge Certificate Authority
Bridge Certificate Authority for US Higher Education
Modeled on FBCA
Provides cross-certification between the subscribing institution and the HEBCA root CA
Flexible policy implementations through the mapping process
The HEBCA root CA and infrastructure hosted at Dartmouth College
Facilitates inter-institutional trust between participating schools
Facilitates inter-federation trust between US Higher Education community and external entities
8
HEBCA
What is the value presented by this initiative?
–HEBCA facilitates a trust fabric across all of US Higher Education so that credentials issued by participating institutions can be used (and trusted) globally, e.g. signed and/or encrypted email, digitally signed documents (paperless office), etc. can all be trusted inter-institutionally and not just intra-institutionally
–Extensions to the Higher Education trust infrastructure into external federations is also possible and proof of concept work with the FBCA (via BCA cross-certification) has demonstrated this inter-federation trust extension
–Single credential accepted globally
–Potential for stronger authentication and possibly authorization of participants in grid based applications
–Contributions provided to the Path Validation and Path Discovery development efforts
9
Solving Silos of Trust
[Diagram; labels: Dept-1, Institution, SubCA, CA, USHER, HEBCA, FBCA, CAUDIT PKI]
10
HEBCA Project - Progress
What’s been done so far?
–Operational Authority (OA) contractor engaged (Dartmouth PKI Lab)
–MOA with commercial vendor for infrastructure hardware (Sun)
–MOA with commercial vendor for CA software and licenses (RSA)
–Policy Authority formed
–Prototype HEBCA operational and cross-certified with the Prototype FBCA (new Prototype instantiated by HEBCA OA)
–Prototype Registry of Directories (RoD) deployed at Dartmouth
–Production HEBCA CP produced
–Production HEBCA CPS produced
–Preliminary Policy Mapping completed with FBCA
–Test HEBCA CA deployed and cross-certified with the Prototype FBCA
–Test HEBCA RoD deployed
–Infrastructure has passed interoperability testing with FBCA
11
HEBCA Project - Progress
What’s been done so far?
–Production HEBCA development phase complete
–Issues Resolved
  –Discovery of a vulnerability in the protocol for indirect CRLs
  –Inexpensive AirGap
  –Citizenship requirements for Bridge-2-Bridge Interoperability
–Majority of supporting documentation finalized
  –HEBCA Cross-Certification Criteria and Methodology
  –HEBCA Interoperability Guidelines
  –Draft Memorandum of Understanding
  –HEBCA Subscriber Agreement
  –HEBCA Certificate Profiles
  –HEBCA CRL Profiles
  –HEBCA Secure Personnel Selection Procedures
  –Business Continuity and Disaster Plans For HEBCA Operations
–PKI Test Bed server instantiated
–PKI Interoperability Pilot migrated
–Reassessment of community needs
–Audit process defined and Auditors engaged
–Participation in industry working groups
–Almost ready for audit and production operations
12
HEBCA Project – Next Steps
What are the next steps?
–HEBCA to operate at multiple LOAs over its lifetime
–Update of policy documents and procedures required to reflect the above
–HEBCA to operate at BASIC LOA initially
–Issue the HEBCA Basic Root
–Purchase final items and bring the infrastructure online
–Cross-certify limited community of interested early adopters and key federations
–Validate the model and continue to develop tools for bridge aware applications
13
Challenges and Opportunities
Community applicability
–If we build it they will come
–Chicken & Egg profile for infrastructure and applications
–An appropriate business plan
Consolidation and synergy
–Are USHER & HEBCA competing initiatives?
–Benefits of a common infrastructure
Alignment with policies of complementary communities
–Shibboleth / InCommon
–Grids (TAGPMA)
14
Bridge-Aware Applications
15
Challenges and Opportunities
Open Tasks
–Audit
–Updated Business Plan
–Mapping Grid Profiles
  –Classic PKI
  –SLCS
–Promotion of PKI Test bed
–Validation Authority service
–Cross-certification with FBCA
–Cross-certification with other HE PKI communities
  –CAUDIT PKI (AusCERT)
  –HE JP
  –HE BR
16
Proposed Inter-federations
[Diagram; labels: FBCA, CA-1, CA-2, CA-n, Cross-cert, HEBCA, Dartmouth, Wisconsin, Texas, Univ-N, UVA, USHER, DST, ACES, Cross-certs, SAFE, CertiPath, NIH, CA-1, CA-2, CA-3, CA-4, HE JP, AusCert, CAUDIT PKI, CA-1, CA-2, CA-3, HE BR, Cross-certs, Other Bridges]
17
AirGap
The Problem:
–Offline CA
–High Availability online Directory
–CRL generation and publication every 6 hours
–Dual access/authorization for private key operations
–Handling of after hours certificate revocation requests
–Limited resources
18
AirGap
The AirGap Solution:
–Asynchronous storage device for schlurping signed data between the CA and the Directory (technically no different to a floppy based sneaker net used in similar situations in industry e.g. FBCA)
–Storage is never connected to both devices at the same time – hardware enforces an “air gap”
–Periodic checking to see if storage device is available
  –Directory reads any new CRL and publishes it, posts a signed revocation request when it is received
  –CA reads any new revocation requests, verifies signature, creates new CRL, deletes request
–Storage connected to online Directory for 5 mins every 6 hours, otherwise connected to offline CA in order to minimize risk
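The CA-side half of the exchange on the slide above, as an added example that is not HEBCA's own code: one cron run checks whether the storage is attached, verifies each revocation request, writes a fresh signed CRL and only then deletes the handled requests. The directory layout, JSON file formats and key names are assumptions, and HMAC-SHA256 stands in for the certificate-based signatures a real CA and requester would use.

```python
import hashlib, hmac, json, os, tempfile

RA_KEY = b"constructed-ra-key"  # stand-in for the requester's signing key (assumption)
CA_KEY = b"constructed-ca-key"  # stand-in for the offline CA's private key (assumption)

def sign(key, payload):  # HMAC-SHA256 stands in for a public-key signature
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def ca_poll(mount, revoked):
    """One CA-side cron run; None means the storage is on the Directory side."""
    inbox = os.path.join(mount, "requests")  # assumed layout on the flash disk
    if not os.path.isdir(inbox):
        return None
    accepted, rejected, done = [], [], []
    for name in sorted(n for n in os.listdir(inbox) if n.endswith(".json")):
        path = os.path.join(inbox, name)
        try:
            with open(path, "rb") as f:
                req = json.load(f)
            body = json.dumps(req["body"], sort_keys=True).encode()
            if not hmac.compare_digest(sign(RA_KEY, body), req["sig"]):
                raise ValueError("bad signature")
            serial = str(req["body"]["serial"])
        except (ValueError, KeyError, TypeError):
            rejected.append(name)  # unsigned or altered input never reaches the CRL
            os.replace(path, path + ".rejected")  # kept for audit (assumption)
            continue
        revoked.add(serial)
        accepted.append(serial)
        done.append(path)
    crl = json.dumps({"revoked": sorted(revoked)}).encode()
    with open(os.path.join(mount, "crl.json"), "w") as f:
        json.dump({"crl": crl.decode(), "sig": sign(CA_KEY, crl)}, f)
    for path in done:  # delete requests only after the new CRL is written
        os.remove(path)
    return accepted, rejected

def demo():
    # Constructed sample: a.json is valid, b.json is altered after signing.
    mount = tempfile.mkdtemp()
    inbox = os.path.join(mount, "requests")
    os.mkdir(inbox)
    for name, tampered in [("a.json", False), ("b.json", True)]:
        body = {"serial": "1001", "reason": "keyCompromise"}
        sig = sign(RA_KEY, json.dumps(body, sort_keys=True).encode())
        body["serial"] = "9999" if tampered else body["serial"]
        with open(os.path.join(inbox, name), "w") as f:
            json.dump({"body": body, "sig": sig}, f)
    return ca_poll(mount, set()), sorted(os.listdir(inbox))
```

A CRL is written on every run in which the storage is attached, even with no new requests, which matches the fixed 6-hour publication cycle.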
19
AirGap
Components:
–Sewell Manual Share USB Switch
–5V relay
–5V AC adapter
–Power Timer
–Crucial 1Gb Flash Disk
–Cron jobs running on both connection end points
–Signed objects passed back and forth
20
AirGap MkI
21
AirGap MkII
22
AirGap
Benefits:
–Offline CA talking to an Online Directory automatically without bringing the CA online = reduced risk and reduced costs
–Potential replacement for 4 operators (2 folks, 2 shifts per day to manually move files back and forth) - $200K savings?
–Less work for Administrators due to automation of processes
–Reduced Audit? Audit process once and then periodic checking of logs vs detailed scrutiny of logs may be required for manual process
–Parts readily available, built for under $100
23
Discussion or Questions?
24
For More Information
HEBCA Website: http://www.educause.edu/HEBCA/623
Scott Rea - Scott.Rea@dartmouth.edu