PKIX BASED CERTIFICATION INFRASTRUCTURE IMPLEMENTATION ADAPTED TO NON PERSONAL END ENTITIES

Jacob E., Liberal F., Unzilla J.
{jtpjatae, jtplimaf, jtpungaj}@bi.ehu.es
Department of Electronics and Telecommunications, Faculty of Engineering, University of the Basque Country, Bilbao (Spain)
http://det.bi.ehu.es/git
SUMMARY
- INTRODUCTION
- MAIN GOALS
- IMPLEMENTATION
- STATUS OF THE PROJECT
- SYSTEM ARCHITECTURE
- WAY OF OPERATION
- FUTURE WORK
Introduction
- Need to set up trust agents => PKI: certification services
- Background:
  - Oriented to end users => www
  - Inflexibility, interface/processing dependence
  - Lack of interoperability
- Result => PKIs have been replaced by other systems: ssh, PGP, home-made SSL
- Proposed system:
  - PKIX
  - Automated standard interfaces
  - Specific application scope
Main Goals
- Speed up procedures
- Guarantee scalability/interoperability
- Make services more flexible
- Ease user access
- Provide mechanisms for new services
- Develop a fully functional PKI system
General Architecture (figure)
- Components shown: End Entity (EE), Registration Authorities (RA), Certification Authority (CA), CRLs & certificates repository
- Flows labelled in the figure: REGISTER EEs, AUTHENTICATE, FORWARD REQUESTS, REGISTER RAs, OPERATIONS WITH CERTs
Way of operation: Registration I (figure)
- RA operator <-> RA: COMMANDS, ANSWERS, ACKs
- Administrative data entered for a NEW USER: ID, password, certificate types
Way of operation: Registration I.a (figure only)
Way of Operation: Registration II (figure)
- End user -> Registration Authority: ID, CMP, PASS
- End-user functions shown: OPERATIONS WITH CERTIFICATES, CHECK CERTIFICATES, SECURE CONNECTIONS MANAGEMENT, DOWNLOAD CERTIFICATES, GENERAL FUNCTIONS (CERTIFICATES MANAGEMENT)
Way of Operation: Registration II.a (figure)
- Registration Authority receives ID, CMP, PASS
- ID and PASS are checked against the ADMINISTRATIVE DATA
Way of Operation: Registration II.b (figure)
- Registration Authority: ID, CMP, PASS -> PRE-REQUESTS (ID, CMP)
- RA -> CA: SEND TO CAs
Way of Operation: Registration III (figure)
- Certification Authority receives ID, CMP from the RA
- Checks the list of AUTHORIZED RAs
- CERTIFICATES (CMP): SEND BACK TO RA, STORE IN REPOSITORY
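The three registration steps above (operator registers the EE, EE authenticates to the RA with ID and PASS, RA forwards a pre-request to the CA, CA checks that the RA is authorized and stores the issued certificate) can be simulated in one process. The following is an added example, not the authors' code: the message structs, function names, the in-memory repository and the sample records ("RA-1", "router-01", "s3cret") are all assumptions, and a real RA would store a password hash rather than the password itself.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the project's code: one-process simulation of the
 * registration flow on the slides (EE -> RA -> CA -> repository). Message
 * layouts, function names and the sample records are assumptions. */

#define MAX_EES 8
#define MAX_RAS 4
#define MAX_CERTS 8

typedef struct { char id[32]; char password[32]; char cert_type[16]; } ee_record;  /* RA administrative data */
typedef struct { char ra_id[32]; char ee_id[32]; char cmp_body[64]; } pre_request;  /* RA -> CA: ID + CMP, no password */
typedef struct { int serial; char subject[32]; char issuer_ra[32]; } certificate;

typedef struct { char id[32]; ee_record ees[MAX_EES]; int n_ees; } ra_state;
typedef struct {
    char authorized_ras[MAX_RAS][32]; int n_ras;
    int next_serial;
    certificate repo[MAX_CERTS]; int n_repo;   /* the certificates repository (no CRLs in this toy) */
} ca_state;

/* Compare two secrets without stopping at the first differing byte. */
static int same_secret(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

static ee_record *ra_find_ee(ra_state *ra, const char *id)
{
    for (int i = 0; i < ra->n_ees; i++)
        if (strcmp(ra->ees[i].id, id) == 0) return &ra->ees[i];
    return NULL;
}

/* Registration I: the RA operator enters ID, password and certificate type for a new user. */
int ra_register_ee(ra_state *ra, const char *id, const char *password, const char *cert_type)
{
    if (ra->n_ees == MAX_EES || ra_find_ee(ra, id)) return -1;   /* full or duplicate ID */
    ee_record *r = &ra->ees[ra->n_ees++];
    snprintf(r->id, sizeof r->id, "%s", id);
    snprintf(r->password, sizeof r->password, "%s", password);   /* toy: a real RA stores a hash */
    snprintf(r->cert_type, sizeof r->cert_type, "%s", cert_type);
    return 0;
}

/* Registration II: the EE sends ID, CMP and PASS; the RA authenticates it against its
 * administrative data and, on success, builds the pre-request (ID + CMP) for the CA. */
int ra_handle_request(ra_state *ra, const char *ee_id, const char *cmp_body,
                      const char *password, pre_request *out)
{
    ee_record *r = ra_find_ee(ra, ee_id);
    if (!r || !same_secret(r->password, password)) return -1;   /* unknown ID or bad password */
    snprintf(out->ra_id, sizeof out->ra_id, "%s", ra->id);
    snprintf(out->ee_id, sizeof out->ee_id, "%s", ee_id);
    snprintf(out->cmp_body, sizeof out->cmp_body, "%s", cmp_body);
    return 0;
}

int ca_authorize_ra(ca_state *ca, const char *ra_id)
{
    if (ca->n_ras == MAX_RAS) return -1;
    snprintf(ca->authorized_ras[ca->n_ras++], 32, "%s", ra_id);
    return 0;
}

/* Registration III: the CA accepts pre-requests only from authorized RAs, issues the
 * certificate, stores it in the repository and hands it back. Returns the serial or -1. */
int ca_handle_prerequest(ca_state *ca, const pre_request *pr, certificate *out)
{
    int authorized = 0;
    for (int i = 0; i < ca->n_ras; i++)
        if (strcmp(ca->authorized_ras[i], pr->ra_id) == 0) authorized = 1;
    if (!authorized || ca->n_repo == MAX_CERTS) return -1;
    certificate *c = &ca->repo[ca->n_repo++];
    c->serial = ca->next_serial++;
    snprintf(c->subject, sizeof c->subject, "%s", pr->ee_id);
    snprintf(c->issuer_ra, sizeof c->issuer_ra, "%s", pr->ra_id);
    *out = *c;
    return c->serial;
}

const certificate *repo_lookup(const ca_state *ca, int serial)
{
    for (int i = 0; i < ca->n_repo; i++)
        if (ca->repo[i].serial == serial) return &ca->repo[i];
    return NULL;
}

int main(void)
{
    ra_state ra = { .id = "RA-1" };
    ca_state ca = { .next_serial = 1 };
    ca_authorize_ra(&ca, "RA-1");
    ra_register_ee(&ra, "router-01", "s3cret", "server");   /* constructed sample data */
    pre_request pr; certificate cert;
    if (ra_handle_request(&ra, "router-01", "ir:<public key>", "s3cret", &pr) == 0 &&
        ca_handle_prerequest(&ca, &pr, &cert) > 0)
        printf("issued serial %d for %s via %s\n", cert.serial, cert.subject, cert.issuer_ra);
    return 0;
}
```

The two checks that matter for the trust model are in ra_handle_request (the password never leaves the RA; only ID and CMP go into the pre-request) and in ca_handle_prerequest (a pre-request naming an RA that the CA has not registered is refused and nothing is written to the repository).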
Implementation
- Linux O.S.
- Daemon servers in C language
- Pthreads (POSIX threads)
- MySQL DBMS
- cryptlib © cryptographic library
- OpenLDAP
Implementation: RA (figure)
- Serving threads handle incoming REQUESTS
Implementation: RA II
DEBUG LOG
  #DEBUG1: Debug thread created
  #DEBUG1: Creating CMPSpareServer 0, line 166
  #DEBUG3: Adding node to general list
  #DEBUG3: Adding node to idle list
  #DEBUG3: Number of CMP threads created: 1
  #DEBUG3: Number of CMP threads idle: 1
  #DEBUG3: Adding node to general list
  #DEBUG3: Adding node to idle list
  #DEBUG3: Number of CMP threads created: 2
  #DEBUG3: Number of CMP threads idle: 2
  #DEBUG1: Creating CMPSpareServer 1, line 166
  #DEBUG1: Creating OCSPSpareServer 0
  #DEBUG3: Adding node to general list
  #DEBUG3: Adding node to idle list
  #DEBUG3: Number of OCSP threads created: 1
  #DEBUG3: Number of OCSP threads idle: 1
  #DEBUG1: Creating OCSPSpareServer 1
  #DEBUG3: Adding node to general list
  #DEBUG3: Adding node to idle list
  #DEBUG3: Number of OCSP threads created: 2
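The debug log shows the RA's structure: spare server threads are created per protocol (CMP, OCSP), each is linked into a general list and an idle list, and the counts are logged. The following is an added example, not the authors' RA code: a pthreads pool that keeps the same two lists under one mutex, hands a request to an idle worker and puts the worker back on the idle list when it is done. The struct and function names, the "#DEBUG2" serving line and the request strings are assumptions.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the project's code: a pool of spare server threads kept on a
 * general list and an idle list, mirroring the structure the RA debug log reports.
 * Names, list layout and the log text are assumptions. */

struct pool;

typedef struct worker {
    pthread_t tid;
    int index;                 /* 0, 1, ... as in "Creating CMPSpareServer N" */
    int has_request;
    char request[64];
    struct pool *pool;
    struct worker *next_all;   /* general list link */
    struct worker *next_idle;  /* idle list link */
} worker_t;

typedef struct pool {
    const char *kind;          /* "CMP" or "OCSP" */
    pthread_mutex_t lock;
    pthread_cond_t wakeup;     /* a request was handed to some worker */
    pthread_cond_t done;       /* a worker went back to the idle list */
    worker_t *all, *idle;
    int created, n_idle, served, shutting_down;
} pool_t;

static void push_idle(pool_t *p, worker_t *w)   /* caller holds p->lock */
{
    w->next_idle = p->idle;
    p->idle = w;
    p->n_idle++;
    printf("#DEBUG3: Adding node to idle list\n");
}

static void *worker_main(void *arg)
{
    worker_t *w = arg;
    pool_t *p = w->pool;
    pthread_mutex_lock(&p->lock);
    for (;;) {
        while (!w->has_request && !p->shutting_down)
            pthread_cond_wait(&p->wakeup, &p->lock);
        if (p->shutting_down) break;
        char req[sizeof w->request];
        memcpy(req, w->request, sizeof req);
        w->has_request = 0;
        pthread_mutex_unlock(&p->lock);          /* serve the request outside the lock */
        printf("#DEBUG2: %s thread %d serving '%s'\n", p->kind, w->index, req);
        pthread_mutex_lock(&p->lock);
        p->served++;
        push_idle(p, w);                         /* back to the idle list */
        pthread_cond_broadcast(&p->done);
    }
    pthread_mutex_unlock(&p->lock);
    return NULL;
}

void pool_init(pool_t *p, const char *kind)
{
    memset(p, 0, sizeof *p);
    p->kind = kind;
    pthread_mutex_init(&p->lock, NULL);
    pthread_cond_init(&p->wakeup, NULL);
    pthread_cond_init(&p->done, NULL);
}

/* Create one spare server; returns the number of threads created so far, or -1. */
int pool_add_spare(pool_t *p)
{
    worker_t *w = calloc(1, sizeof *w);
    if (!w) return -1;
    w->pool = p;
    pthread_mutex_lock(&p->lock);
    w->index = p->created;
    printf("#DEBUG1: Creating %sSpareServer %d\n", p->kind, w->index);
    if (pthread_create(&w->tid, NULL, worker_main, w) != 0) {
        pthread_mutex_unlock(&p->lock);
        free(w);
        return -1;
    }
    w->next_all = p->all;  p->all = w;  p->created++;
    printf("#DEBUG3: Adding node to general list\n");
    push_idle(p, w);
    printf("#DEBUG3: Number of %s threads created: %d\n", p->kind, p->created);
    printf("#DEBUG3: Number of %s threads idle: %d\n", p->kind, p->n_idle);
    int n = p->created;
    pthread_mutex_unlock(&p->lock);
    return n;
}

/* Hand a request to an idle worker; returns its index, or -1 if no worker is idle. */
int pool_dispatch(pool_t *p, const char *req)
{
    pthread_mutex_lock(&p->lock);
    worker_t *w = p->idle;
    if (!w) { pthread_mutex_unlock(&p->lock); return -1; }
    p->idle = w->next_idle;
    p->n_idle--;
    snprintf(w->request, sizeof w->request, "%s", req);
    w->has_request = 1;
    int idx = w->index;
    pthread_cond_broadcast(&p->wakeup);
    pthread_mutex_unlock(&p->lock);
    return idx;
}

/* Block until every worker is idle again; returns the number of requests served. */
int pool_drain(pool_t *p)
{
    pthread_mutex_lock(&p->lock);
    while (p->n_idle < p->created)
        pthread_cond_wait(&p->done, &p->lock);
    int served = p->served;
    pthread_mutex_unlock(&p->lock);
    return served;
}

void pool_destroy(pool_t *p)
{
    pthread_mutex_lock(&p->lock);
    p->shutting_down = 1;
    pthread_cond_broadcast(&p->wakeup);
    pthread_mutex_unlock(&p->lock);
    for (worker_t *w = p->all; w; ) {
        worker_t *next = w->next_all;
        pthread_join(w->tid, NULL);
        free(w);
        w = next;
    }
    pthread_mutex_destroy(&p->lock);
    pthread_cond_destroy(&p->wakeup);
    pthread_cond_destroy(&p->done);
}

int main(void)
{
    pool_t cmp;
    pool_init(&cmp, "CMP");
    pool_add_spare(&cmp);
    pool_add_spare(&cmp);
    pool_dispatch(&cmp, "ir");         /* constructed request labels */
    pool_dispatch(&cmp, "certConf");
    printf("served: %d\n", pool_drain(&cmp));
    pool_destroy(&cmp);
    return 0;
}
```

pool_dispatch returns -1 when the idle list is empty rather than blocking or spawning, so the caller decides whether to create another spare server or reject the request; that decision is where a daemon like this bounds the number of threads a burst of requests can make it create.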
Implementation: CA
- AUTOMATED OPERATION!!
Status of the project
- 10.000 C code lines
- Functional system integrating RA and CA in one RA server, operator and administrator clients and Java© front-ends
- cryptlib © library
  - Advantages:
    - Ease of use due to standardized interfaces (cryptSetAttribute(), CRYPT_CERTIFICATE, CRYPT_SESSION...)
    - Short development period
  - Disadvantages:
    - Very high-level interface: longer development period for specific projects
    - Lack of low-level documentation => ~reverse engineering, bootstrapping
  - Network support
  - MySQL support
Future work
- Adapt PSE access modules to hardware devices, such as smartcards, crypto-tokens...
- Integration with other certification systems like PGP
- Inclusion of attribute certificates
- Development of Windows© family client libraries
- Integration of certificate services
- A real application?