1 / 21

UPKI project update

UPKI project update. Yasuo Okabe Academic Center for Computing and Media Studies Kyoto University. UPKI . B 大の教授. B 大職員. A 大アクセスポイント. C 大電子コンテンツ. Wireles LAN roaming. C 大事務システム. B 大アクセスポイント. UPKI common specification. Campus AAI. Campus AAI. Campus AAI. C 大学. A 大学. B 大学.

betty_james
Download Presentation

UPKI project update

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. UPKI projectupdate Yasuo Okabe Academic Center for Computing and Media Studies Kyoto University

  2. UPKI B大の教授 B大職員 A 大アクセスポイント C 大電子コンテンツ Wireles LAN roaming C 大事務システム B 大アクセスポイント UPKI common specification Campus AAI Campus AAI Campus AAI C 大学 A 大学 B 大学 UPKI ― Inter-University Authentication and Authorization Platform forCSI • Conducted by NII and the information infrastructure centers in 7 universities • Supported by Ministry of Education, Science and Technology

  3. UPKI: concept • Targets various applications • SSO of Web services • E-mail Digital Signature/Encryption by S/MIME • Network Services • wireless LAN roaming and VPN • Grid computing • Utilization of PKI • “U” stands University/Universal/Ubiquitous • Deployment of Grid/PKI middleware for national academic AA infrastructure NII International Workshop on Cyber Science Infrastructure

  4. 2006FY 2007FY 2008FY 2009FY and later UPKI Initiative founded ・Gathering common interests and opinions, and feedback, ・Interoperability check, knowledge transfer, publicity, tutorial works, … Campus PKI specification Model design Outsource model Insource model, multi-university cooperative model UPKI common Specification Campus PKI CP/CPS template ・Deployment of campus PKI at each university ・Connecting universities ・Federation of applications etc. Insource model, multi-university cooperative model Outsource model Developing, deploying and fostering new applications Wireless LAN roaming Applications Single Sign On to Web Services S/MIME CA software Development of CA software package Distribution and support for deployment of CA software package Planned Schedule of UPKI

  5. Ongoing Subprojects • Designing Common CP/CPS, Profiles, … • Development and Deployment of “NAREGI-CA” Certificate Authority Middleware • PKI based Applications • InterUniversity Web SSO • SAML2.0/Shibboleth + PKI • Wireless LAN Roaming • 802.1X, EduRoam compatible (www.eduroam.jp) • VPN • Secure E-mail Service via S/MIME • Supercomputing Grid etc.

  6. UPKI three layer Architecture Shibboleth/SAML

  7. Subprojects by NII • UPKI common CP/CPS【WP1】 • Public server certificate【WP2】 • Inter-University W-LAN roaming【WP3】 • SSO for Digital Library Service by NII and other universities via Shibboleth/SAML【WP4】 • Development of CA middleware【WP5】 • Deployment of S/MIME e-mail signature/encryption architecture【WP6】

  8. Full outsource provider • Univ. IA RA Insource IA outsource provider • Univ • Univ RA IA IA RA Operation Models of CA CP/CPS

  9. NAREGI National Research Grid Initiative • http://www.naregi.org/ • collaboration projects among industry, academic sector and the government.

  10. NAREGI Grid Middleware stack http://www.naregi.org/concept/index_e.html#05

  11. Nationwide Academic Grid Networksover SuperSINET (experimental) U. Tokyo Hokkaido U. Kyoto U. Tohoku U. 8-center Grid Computing WG network Nagoya U. Doshisha U. Doshisha SD Osaka U. Kyushu U. Kyushu I. Tech. Tokyo I. Tech. NAREGI Grid network Kyushu U. AIST (Tsukuba) I. Molecular Sci. (Okazaki) NAREGI NIICluster NII NAREGI core NAREGI IMSCluster

  12. NAREGI Certification Service CA Software (NAREGI-CA) - CA/RA - UI (Character, Web) Operation (NII GOC CA) Policy Management (NAREGI-PMA) • Operation of CA • Authorized by the APGrid • PMA Production Level CA • - CP/CPS • Satisfy APGrid • minimum requirement

  13. NAREGI-CA • A full-fledged CA (Certificate Authority) Software for PKI • Originally developed for Grid computing, but can be used for general purpose • Free open source software Ver2.0 (May.10.2006) is available at http://www.naregi.org/download/ • Research collaboration • Audit of CA :AIST, Japan • PMA for international cooperation : APGRID • User Sites • NAREGI, AIST, Several Universities

  14. Comparison among CA softwares ○:available、×:not available、△:some restriction

  15. NAREGI-CA Software Features • License ID management • Transfer authentication responsibility to Local RA • Grid operation extensions • Assistance of Grid-mapfile creation • Dual interfaces for certificate request • Web & command line enrollment • CA/RA architecture • Independent Registration Authority (RA) Server • Practical CP/CPS Template

  16. NAREGI-CA Architecture Local RA(Site Administrator) ⑤Send CSR ①Get License ID RA (Registration Authority) CA(CertificateAuthority) ⑥Issue Certificate ④Pass License ID& Public Key ②Authorize to pass License ID ⑦Get Certificate ⑧Get Grid Map file ③Generate a Key Pair End User &Host Administrator Site Administrator

  17. IC Card Enhanced procedure to issue certificate CA RA Apply Identify License ID License ID CA Administrator RA Administrator User License ID Issue Certificate CA RA Application Server (web) RA Administrator Challenge PIN Apply CA Administrator Delegate Identify User Authorize RA Operator Management Server (web) Challenge PIN Issue Certificate Challenge PIN

  18. CampusCA User IC Card Super Computer Super Computer Super Computer Campus-Grid PKI Federation Campus PKI Grid PKI NAREGI CA Issue Certificate Issue Certificate LDAP NAREGI RA Request Certificate (Use IC Card as credential) Grid System Access Certificate for Grid System

  19. Common specification NII CSI Headquarter AAI TWG UPKI Initiative Opinions and comments Hokkaido U Tohoku U U. Tokyo Nagoya U join Kyoto U Osaka U Kyushu U Univ J. College KEK Tokyo Tech Tech. College NII Research Institute etc. UPKI Initiative • Founded in 16 Aug 2006 • Sponsored by NII AAI TWG • Mission • Gathering interests and opinions of not only universities but also industries • https://upki-portal.nii.ac.jp/

  20. Summary • UPKI national academic authentication and authorization infrastructure project has started. • Conducted by NII and the information infrastructure centers in the 7 universities • As a basic platform of Cyber Science Infrastructure • We have started later, so we have get some advantages • International federation/collaboration is a very important issue. NII International Workshop on Cyber Science Infrastructure

  21. APAN Middleware Working Group APAN (Asia-Pacific Advanced Networking) • 20th APAN (Taipei, Aug. 2005) • National Authentication and Authorization Infrastructure and NREN (proposed session) • 21st APAN (Tokyo, Jan. 2006) • Middleware Workshop (full day) • Middleware Working Group is approved for a period of two years • 22nd APAN (Singapore, today) • Grid Middleware Workshop • 23rd APAN (Manila, Jan. 2007) • Grid Middleware Workshop • 24th APAN (Xian, Aug. 2007) • Middleware Workshop

More Related