Download presentation
Presentation is loading. Please wait.
Published byKerry Parsons Modified over 8 years ago
1
Copyright Statement Copyright Robert J. Brentrup 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
2
Academic Applications of PKI Robert Brentrup Educause Poster Session October 20, 2005
3
What is PKI? PKI is Public Key Infrastructure A pair of keys is used, one to encrypt, the other to decrypt
4
Public and Private Keys You publish the "public" key, You keep the "private" key a secret You don't need to exchange a secret "key" by some other channel Invented in 1976 by Whit Diffie and Martin Hellman Commercialized by RSA Security
5
Basic applications of PKI Authentication and Authorization of Web users and servers –It is the basis for the SSL protocol used to secure web connections Secure e-mail (signed and encrypted) Electronic document signatures Network link data protection (VPN, wireless) Signing Program Code
6
Why PKI? Comprehensive way to address securing many applications No passwords are transmitted No need for shared secrets Strong underlying security technology Widely supported in current Operating Systems and Applications
7
What is X.509? A standard for the format of a public key certificate RSA PKCS #1-15 are related standards for how certificates are stored and used Current PKI product offerings inter-operate through this standard There are other possible formulations, eg SDSI/SPKI
8
What is a certificate? Signed data structure that binds some information to a public key The information is usually a personal identity or a server name Think of it as an electronic ID card
9
Basic Public Key Operations Encryption –encrypt with public key of recipient –only the recipient can decrypt with their private key
10
Signature –Compute message digest, encrypt with your private key –Reader decrypts with your public key –Re-compute the digest and compare the results, Match? Basic Public Key Operations
11
What is a certificate authority? An organization that creates and publishes certificates Verifies the information in the certificate Provides security of the system and it's records Allows you to check certificates and decide to use them in business transactions
12
What is a CA certificate? A certificate authority generates a key pair used to sign the certificates it issues For multiple institutions to collaborate: –Hierachical structure is setup among their CAs –Bridge Certification Authorities Use a "peer to peer" approach
13
Dartmouth PKI Implementation Sun/iPlanet CA Software Sun 250 server Single Online CA Server –Hardware Key Storage (Crysalis) –Dedicated Firewall –Publishes CRLs and provides OCSP
14
LDAP Directory Maintained from Institutional Systems –SIS, HR, Sponsored Guests Automated Addition and Deletion CA Publishes Certificates and CRLs to LDAP
15
User Enrollment Key Generation by Web Browser –Internet Explorer and Netscape/Mozilla Cross platform –Software Key and Certificate Storage LDAP authorization, self-service Registration Officer for High Assurance –In-person verification of Photo ID –Store Keys on USB tokens
16
Production Applications Web Services Authentication –Student Information System –Library Journals –Business School Portal –Software Downloads –Course Management System (Blackboard) SSL for IMAP Servers VPN Authentication Shibboleth Authentication Hardware Key Storage (USB Tokens)
17
Pilot Applications Secure Mail and List Server Document Signatures –Acrobat, Office, XML (NIH) Wireless Network Authentication Application and OS Sign-on with Tokens Grids
18
PKI Deployment Timeline Planning late 2001 Staffing Jan - April 2002 HW/SW Acquisition began Feb 2002 CA Installation began June 2002 Test CA available Sept 2002 Production CA available Jan 2003 First Applications –Library Jun 2003, Banner Aug 2003
19
PKI Deployment Tokens issued to Freshman Students –Fall 2004 - ~400 over a semester –Fall 2005 - 807 in 2 days Fall 2005 –1649 Students have certificates April 15, 2004 –1542 Certificates Issued –749 Unique Individuals –542 Students (10%) –207 Faculty and Staff (8%) –68 Servers, Network Devices and CMS Admin
20
Rollout Activities Integrated user documentation on web, software downloads Support staff training and early adopters Add PKI functionality in System Updates Offer PKI as first authentication option Kerberos authentication error messages suggest PKI alternative PKI Configuration and SW on Disk images, for public computers and new purchases
21
Research Results Guest Authentication to Wireless Network Open Source CA software –Installation, Packaging, Features Secure Hardware Applications –TPM and IBM 4758 –Enforcer - Secure Linux Kernel (available at http://enforcer.sourceforge.net)
22
For More Information Dartmouth PKI Support: www.dartmouth.edu/~pki Dartmouth PKI Lab: www.dartmouth.edu/~pkilab PKI Lab Outreach: www.dartmouth.edu/~deploypki Robert.J.Brentrup@dartmouth.edu
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.