
Some Common Campus PKI Applications

Some Common Campus PKI Applications. January 2004 CSG Meeting, Jim Jokl. S/MIME: Secure Email. Leverages PKI for email security; sign and/or encrypt email messages. Why S/MIME: support in many email clients; why not PGP. Multiple modes: user to user; application-to-user, user-to-application.


Presentation Transcript


  1. Some Common Campus PKI Applications
  January 2004 CSG Meeting, Jim Jokl

  2. S/MIME: Secure Email
  • Leverages PKI for email security
  • Sign and/or encrypt email messages
  • Why S/MIME
    • Support in many email clients
    • Why not PGP
  • Multiple modes
    • User to user
    • Application-to-user, user-to-application

  3. Some Potential Drivers for Campus S/MIME Support
  • Email spoofing
    • Problems with forged email
    • Students canceling classes, impersonating professors, etc.
  • Official announcements
  • Campus anti-spam strategy
  • For some business processes
    • Protect sensitive documents
  • S/MIME-based applications

  4. S/MIME client interoperability testing
  • Common signing algorithms: SHA-1 & MD5
  • Common encryption algorithms: DES, 3DES, RC4
  • Default client configurations basically just work
    • SHA-1 & 3DES
  • Dual-key support
  • Support for certificates in LDAP directory
  • Client capabilities table

  5. Some Generic S/MIME Client Issues for Encryption
  • Folder storage is encrypted
    • Sent mail, inbox, folders
    • Good or bad depending on your definition
  • Private key management
    • Escrow & backup
    • A cc: server to archive critical messages?

  6. Some selected S/MIME issues
  • Message forwarding to alternate inbox
    • Some mailers may tamper with the message contents
  • Mailing list software
    • Conversion of spaces to spaces
    • Deletion of trailing blanks, tab expansion
    • List configuration options
    • Opaque signing
      • A solution
      • Interoperability

  7. Some selected S/MIME issues
  • S/MIME & message privacy
    • The address book problem & user behavior
  • Clients use different certificate stores
    • Certificate management problems for users
    • Multi-platform issues
  • Microsoft Outlook
    • Signing/encryption cert problem
    • Watch the Key Usage field in your certificates
  • S/MIME Challenges document

  8. VPN Authentication
  • Useful in both PKI-lite and “heavier” environments
  • Great ease of use for simple applications
  • 2-factor available for higher security uses
  • No password/account management
  • Eliminates the RADIUS shared secret
  • Mutual authentication
  • CRL support & directory-based authorization

  9. SSH Authentication
  • Digital certificates for SSH authentication
    • Extension to the public key method to use certificates
  • Supported in the commercial ssh.com server
    • Cost probably limits use to special applications
  • Client support
    • ssh.com clients
    • Van Dyke SecureCRT & SecureFX

  10. SSH Authentication
  • Certificate names rarely match Unix logins
  • Mapping file support
    • Serial and issuer → Unix login-id
    • Email wildcard
  • External validator
    • Hands off validated certificate
    • Validator returns Unix login-id or NAK
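The mapping step on slide 10, written out as an added example (not the presenter's code and not the ssh.com mapping-file syntax): the three mechanisms are tried in order, the e-mail wildcard is assumed to yield the address's local part as the login-id, and anything that does not resolve is a NAK.

```python
import fnmatch
import re
from typing import Callable, Dict, List, Optional, Tuple

# Fields of an already chain-validated client certificate as the SSH server
# would hand them to the mapping step. Constructed dicts; the ssh.com mapping
# file syntax is not reproduced here, only the three mechanisms from slide 10.
Cert = Dict[str, str]
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # what we accept as a Unix login-id


class CertToLoginMapper:
    """Map a validated certificate to a Unix login-id; None means NAK.

    Tried in order: (issuer, serial) -> login-id, then an e-mail wildcard whose
    local part becomes the login-id (assumed semantics), then an external
    validator callable that returns a login-id or None.
    """

    def __init__(self, serial_map: Dict[Tuple[str, str], str], email_globs: List[str],
                 validator: Optional[Callable[[Cert], Optional[str]]] = None):
        # Serial numbers are unique only per issuer, so the issuer is part of the
        # key; normalise whitespace and hex case so lookups are exact matches.
        self.serial_map = {(i.strip(), s.strip().upper()): login
                           for (i, s), login in serial_map.items()}
        self.email_globs = [g.lower() for g in email_globs]
        self.validator = validator

    def lookup(self, cert: Cert) -> Optional[str]:
        key = (cert.get("issuer", "").strip(), cert.get("serial", "").strip().upper())
        if key in self.serial_map:
            return self.serial_map[key]
        email = cert.get("email", "").lower()
        if "@" in email and any(fnmatch.fnmatchcase(email, g) for g in self.email_globs):
            local = email.split("@", 1)[0]
            # A local part that is not a plain login-id is refused (NAK) rather
            # than handed to the OS as a user name.
            return local if LOGIN_RE.match(local) else None
        if self.validator is not None:
            return self.validator(cert)
        return None


def sample_mapper() -> CertToLoginMapper:
    """Constructed rules: one pinned certificate, one campus mail domain and an
    external validator that only recognises a single service certificate."""
    return CertToLoginMapper(
        serial_map={("CN=Campus CA,O=Example University", "1a2b3c"): "jdoe"},
        email_globs=["*@example.edu"],
        validator=lambda c: "gridsvc" if c.get("subject") == "CN=grid-service" else None,
    )
```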

  11. Wireless LAN Access Control: EAP method comparison (source: wi-fiplanet.com)
  • EAP-MD5: server authentication none; supplicant authentication password hash; dynamic key delivery no; security risks: identity exposed, dictionary attack, MitM attack, session hijacking
  • LEAP: server authentication password hash; supplicant authentication password hash; dynamic key delivery yes; security risks: identity exposed, dictionary attack
  • EAP-TLS: server authentication public key; supplicant authentication public key; dynamic key delivery yes; security risks: identity exposed
  • EAP-TTLS: server authentication public key; supplicant authentication CHAP, PAP, MS-CHAP(v2), EAP; dynamic key delivery yes; security risks: MitM attack
  • PEAP: server authentication public key; supplicant authentication any EAP, like EAP-MS-CHAPv2 or public key; dynamic key delivery yes; security risks: MitM attack

  12. EAP-TLS Process
  • User verifies the Radius server’s identity using PKI
  • The Radius server verifies the user’s identity using PKI
  • An authorization step may happen
  • Association is allowed and dynamic session keys are exchanged
  [Diagram: User → Access Point → Radius Server → LDAP (AuthZ)]

  13. Support for EAP-TLS
  • Operating System Support
    • Windows XP, Windows 2000 SP-4
    • MacOS (latest version)
    • 3rd party software available
  • Very easy to use
    • No account management, passwords, etc.
  • AuthZ step makes it easy to keep hacked machines off of the WLAN

  14. EAP-TLS and the Microsoft Clients
  • Microsoft field in certificate for AuthN
    • Subject Alt Name / Other Name / Principal Name
    • OID 1.3.6.1.4.1.311.20.2.3
  • If not present, uses CN
    • Uniqueness issues for many CAs
  • Easy to add to your certificate profile
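An added example (not from the presentation) of the identity selection slide 14 describes and of the uniqueness audit a CA operator would run over a batch of certificates before enabling EAP-TLS: the Principal Name otherName wins, the CN is the fallback, and any CN shared by two certificates is a collision. The certificate dicts are constructed stand-ins for parsed X.509 data.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft Principal Name otherName (slide 14)
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")

# A certificate reduced to the two fields the Microsoft client looks at.
# Constructed dicts standing in for a parsed X.509 certificate:
#   {"cn": "...", "san_othernames": [{"oid": "...", "value": "..."}, ...]}
Cert = Dict


def upn_of(cert: Cert) -> Optional[str]:
    """The Principal Name from Subject Alt Name / Other Name, if present and well-formed."""
    for other in cert.get("san_othernames", []):
        if other.get("oid") == UPN_OID and UPN_RE.match(other.get("value", "")):
            return other["value"].lower()
    return None


def eap_tls_identity(cert: Cert) -> Optional[str]:
    """Identity used for AuthN: the UPN, or the subject CN when no UPN is present."""
    return upn_of(cert) or (cert.get("cn", "").strip() or None)


def audit_profile(certs: List[Cert]) -> Dict[str, List[str]]:
    """Flag the uniqueness problem slide 14 warns about: certificates that fall
    back to the CN, and identities shared by more than one certificate."""
    by_identity = defaultdict(list)
    fallbacks = []
    for i, cert in enumerate(certs):
        ident = eap_tls_identity(cert)
        if ident is None:
            fallbacks.append(f"cert#{i}: no UPN and no CN, cannot authenticate")
            continue
        if upn_of(cert) is None:
            fallbacks.append(f"cert#{i}: CN fallback -> {ident}")
        by_identity[ident].append(f"cert#{i}")
    collisions = [f"{ident}: {', '.join(c)}" for ident, c in by_identity.items() if len(c) > 1]
    return {"cn_fallback": fallbacks, "collisions": collisions}


SAMPLE_CERTS = [  # constructed: three "John Smith" certificates, only one carries a UPN
    {"cn": "John Smith", "san_othernames": [{"oid": UPN_OID, "value": "jsmith3@example.edu"}]},
    {"cn": "John Smith", "san_othernames": []},
    {"cn": "John Smith", "san_othernames": [{"oid": "1.2.3.4", "value": "other"}]},  # placeholder OID
]
```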

  15. PKI for Web Authentication
  • Perhaps the easiest of all client cert applications
  • Supported by browsers and servers
  • Validated client cert fields available in CGI environment
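How a CGI should consume the client certificate fields slide 15 refers to, as an added example (not the presenter's code). It assumes Apache mod_ssl with `SSLOptions +StdEnvVars`; the variable names are real mod_ssl names, the environment values are constructed.

```python
from typing import Dict, Optional

# mod_ssl (Apache) exports the validated client certificate into the CGI
# environment when SSLOptions +StdEnvVars is set; these variable names are
# real, the values below are a constructed request environment.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=US/O=Example University/OU=Campus CA/CN=Jane Doe/emailAddress=jdoe@example.edu",
    "SSL_CLIENT_I_DN": "/C=US/O=Example University/CN=Campus CA",
    "SSL_CLIENT_M_SERIAL": "1A2B3C",
}


def parse_oneline_dn(dn: str) -> Dict[str, str]:
    """Split an OpenSSL one-line DN ('/C=US/O=.../CN=...') into its attributes.
    Assumes no attribute value itself contains '/'."""
    attrs = {}
    for item in dn.strip("/").split("/"):
        if "=" in item:
            key, value = item.split("=", 1)
            attrs[key] = value
    return attrs


def authenticated_user(env: Dict[str, str], expected_issuer_cn: str) -> Optional[Dict[str, str]]:
    """Identity of the caller, or None if the request must not be trusted.

    Two checks a CGI must make before using the DN fields: the server must
    report SSL_CLIENT_VERIFY=SUCCESS (with SSLVerifyClient optional_no_ca the
    DN is exported even for a certificate that failed validation), and the
    issuer must be the campus CA, since the server may trust several CAs.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    issuer = parse_oneline_dn(env.get("SSL_CLIENT_I_DN", ""))
    if issuer.get("CN") != expected_issuer_cn:
        return None
    subject = parse_oneline_dn(env.get("SSL_CLIENT_S_DN", ""))
    if not subject.get("CN"):
        return None
    return {
        "cn": subject["CN"],
        "email": subject.get("emailAddress", ""),
        "issuer_cn": issuer["CN"],
        "serial": env.get("SSL_CLIENT_M_SERIAL", ""),
    }
```

Under a real request the call is `authenticated_user(os.environ, "Campus CA")`.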

  16. Campus Globus Implementations
  • The Globus toolkit uses PKI for authentication of users and resources
  • Campus CA integration is complicated by the Globus interface
    • Campus CAs and OS-exported certificates are generally in PKCS-12 format
    • Globus expects raw PEM files for the certificate and the private key
    • A file maps certificates to login names
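The "file maps certificates to login names" on slide 16 is the Globus grid-mapfile; the added example below (not Globus code) parses a constructed one and resolves a subject DN as an OS certificate store displays it (RFC 2253 order) to the OpenSSL one-line form the grid-mapfile uses. The RFC 2253 converter handles escaped commas only; that limitation is an assumption of this example.

```python
import shlex
from typing import Dict, List, Optional

# Constructed grid-mapfile: one OpenSSL one-line DN per line (quoted because it
# contains spaces) followed by one or more local login names separated by commas.
SAMPLE_GRIDMAP = """\
# campus users
"/C=US/O=Example University/OU=Campus CA/CN=Jane Doe" jdoe
"/C=US/O=Example University/OU=Campus CA/CN=Grid Admin" gridadm,root
"""


def rfc2253_to_oneline(dn: str) -> str:
    """Convert 'CN=Jane Doe,OU=Campus CA,O=Example University,C=US' (the order
    Windows and Mac certificate stores show) into the OpenSSL one-line form
    Globus uses. Escaped commas ('\\,') inside a value are kept; other RFC 2253
    escapes are not handled (assumption: the campus profile has none)."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    rdns.append(cur.strip())
    return "/" + "/".join(reversed(rdns))


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """DN -> list of local logins; blank lines, comments and malformed lines are skipped."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 2:
            continue  # malformed entry: ignore rather than guess at a login
        mapping[fields[0]] = fields[1].split(",")
    return mapping


def local_login(mapping: Dict[str, List[str]], dn_rfc2253: str) -> Optional[str]:
    """First (default) local login for a certificate subject, or None if unmapped."""
    logins = mapping.get(rfc2253_to_oneline(dn_rfc2253))
    return logins[0] if logins else None
```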

  17. Globus Implementations
  • Certificate profile
    • Standard profile (e.g. PKI-lite) works well with Globus
  • Use of Campus CA with Globus
    • Different research groups on campus can share resources
  • Intercampus applications
    • Campus CA part of a hierarchy
    • Cross certificates
