
EuroPKI Antonio Lioy Politecnico di Torino Dip. Automatica e Informatica.


1 EuroPKI Antonio Lioy Politecnico di Torino Dip. Automatica e Informatica

2 The Copernican revolution
(diagram; labels: X.509 certificate, secure Web, secure e-mail, secure remote access, secure VPN, secure DNS, Win2000 security, secure boot, no viruses & Trojan horses, IP security, role-based security)

3 The actual (Ptolemaic) poor situation
(diagram of one credential per service; labels: pwd (ISP), POP, web login, pwd (univ.), DBMS, SSH (univ.), login, file transfer, PKI (X), S/MIME, web)

4 What is EuroPKI?
EuroPKI is a spontaneous aggregation of certification authorities that share the vision of setting up a pan-European PKI to support the deployment of effective, interoperable network security techniques.

5 Background
- ICE-TEL project (1997-1998)
- ICE-CAR project (1999-2000)
- various national projects (1996-2000)
- since January 1, 2000: EuroPKI

6 EuroPKI
(hierarchy diagram; labels: EuroPKI TLCA, EuroPKI Italy, EuroPKI Slovenia, EuroPKI Austria, Politecnico di Torino CA, City of Rome CA, EETIC CA, people, servers)

7 Constituency
- root, plus:
- AT (IAIK)
- IE (TCD)
- IT (POLITO)
  - Italian tree, with 4 City Halls
  - integration with the Italian identity chip-card
- SI (IJS)
  - Slovenian tree
- UK (UCL)

8 Prospective partners
- there have been talks within the TERENA PKI-coord task force
- expressions of interest from:
  - Surfnet (NL)
  - Rediris (ES)
  - Thessaloniki Univ. (GR)
  - Garr (IT)

9 Why a hierarchy?
- it's the only solution that works
  - now
  - for most applications (especially COTS)
- EuroPKI might move to other schemas (e.g., cross-certification, bridge) if and when applications supporting them become available

10 EuroPKI services
- EuroPKI is not "selling" services, although it provides:
  - certification
  - revocation
  - publication
  - data and cert validation
- aggregation point for:
  - competence centre
  - coordination

11 Certification
- X.509v3 certificates
- global CP (Certification Policy)
- local CPS (Certification Practice Statement)

12 Certification policy
- current draft:
  - 28 pages
  - based on RFC-2527 (with extensions)
- basic idea:
  - be as little restrictive as possible to allow anybody to join...
  - ... while retaining a level of security useful for practical applications

13 Strong CP requirements
- personal identification of the subject
- secure management of the CA
- periodic publication of CRL

14 Applications supported
- Web:
  - SSL/TLS
  - signed applets
- SSL-based applications:
  - telnet, FTP, SMTP, POP, IMAP, ...
- e-mail and secure documents:
  - S/MIME, PKCS-7, CMS, ...
- IPsec (also on routers via SCEP)
- (looking into secure DNS)

15 Publication
- certificates and CRLs
- Web servers:
  - for humans
- directory server:
  - for applications
  - LDAP (local) directories
  - X.500 (global) directory
  - X.521 schema

16 Revocation
- CRL (Certificate Revocation List)
  - cumulative list of revoked certificates
  - issued periodically
  - updated as needed
- OCSP (On-Line Certificate Status Protocol):
  - "is this cert valid now?"
  - unknown, valid, invalid
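The CRL mechanism of slide 16 (the same signed lists the OCSP responder on slide 18 collects from several CAs), as an added example in Go; this is not code from the EuroPKI project. The CA and its revoked serials are constructed test material; the relying-party side shows the checks a CRL needs before its contents mean anything: a signature from the trusted CA and a NextUpdate that has not passed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must aborts on setup failures; acceptable here only because the CA is a constructed test fixture.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// IssueTestCRL builds a throwaway CA (constructed material, not EuroPKI's keys) and signs a CRL listing the given serials as revoked.
func IssueTestCRL(revoked []*big.Int) ([]byte, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRL signing allowed
	}
	der := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key))
	ca := must(x509.ParseCertificate(der)) // parsed form carries the auto-generated SubjectKeyId the CRL issuer needs
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		crlTmpl.RevokedCertificates = append(crlTmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)), ca
}

// IsRevoked is the relying-party side: the list is used only if it parses, is signed by the expected CA and is not stale.
func IsRevoked(crlDER []byte, ca *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil || time.Now().After(crl.NextUpdate) {
		return false, errors.New("CRL rejected: unparseable, not signed by this CA, or past NextUpdate")
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```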

17 Time-stamping
- proof of data existence at a given date
- IETF-PKIX-TSP-draft-14
- TSP server (Win32, Unix)
- TSP client (cmd-line, GUI only for Win32)
(diagram; label: TSP server)

18 OCSP
- OCSP server (Unix, Win32)
- automatic CRL collection from several CAs
- OCSP library + cmd-line client (Unix, NT)
(diagram; labels: OCSP server, CRL, OCSP (embedded) client)

19 SSL-telnet, SSL-ftp
- SSL channel
  - server authentication
  - client authentication can supplement or replace passwords
- server for Unix and Win32 (FTP only)
- client for Unix (cmd-line) and Win32 (GUI)
(diagram; labels: SSL-x server, SSL-x client, LDAP, OCSP)

20 Authentication or authorization?
- most of the problems are trust-related
- often this is due to the wrong and unnecessary coupling of authentication with authorization
- we need to cut this knot:
  - authenticate only once and globally
  - authorize on a local basis, with local control

21 Attributes / roles / permissions ...
Where should I put additional information related to a certificate?
- in a directory, or in an attribute certificate
- inside the certificate, in order to keep all data together

22 Next steps
- European digital signature law:
  - qualified certificates
  - voluntary accreditation
- support for other EC projects:
  - NASTEC (PKI-based secure IS; PKI at least for Poland and Romania)
  - TESI (CDSA-based security middleware)

23 On-going technical work
- cleanly separate authentication and authorization (local file, LDAP, AC, ...)
- DNS as a repository, DNSsec
- automatic policy negotiation (L3 ... L7):
  - policy description (XML-based language)
  - policy negotiation (ISPP)
  - policy compliance (enforcement gateway)
- integration with Win2000:
  - LDAP
  - IPsec
  - DNSsec

24 Future
- I have a dream...
- ... a pan-European open and public PKI to enable network security
- who is interested? EuroPKI?

