
PKI Update


Presentation Transcript


  1. PKI Update
     September 2002 CSG Meeting
     Jim Jokl, jaj@Virginia.EDU

  2. Public Key Infrastructure
     • Basis: a pair of cryptographically related keys is generated
       • Your public and private keys
     • Usage
       • Data encrypted using a public key can only be decrypted with the matching private key
       • Data signed by a private key can only be verified by the matching public key

  3. Public Key Infrastructure: Digital Certificates
     • A certificate is:
       • An object signed by a Certification Authority (CA)
       • Binds a user’s identity to their public key
       • Contains some attributes about the person
       • Contains some information about the CA
     • Level of assurance
       • How well did the CA identify the person?
       • How is the CA run?
       • Who vouches for the CA?

  4. Public Key Infrastructure: Policy and Practices
     • How is the CA run?
       • Certification Policy & Practices documents
       • Registration Authority (RA) operation
     • Who vouches for the CA?
       • Relying parties
       • Trust hierarchies
       • Certificate chains and root certificates

  5. Some reasons campuses are deploying PKI
     • Authentication
       • Client certificates for Web application authentication
       • VPN authentication & EAP-TLS for wireless
       • Higher assurance / two-factor authentication
     • Digital signatures & business applications
     • Signed and encrypted email (S/MIME)
     • SSL server certificates
     • etc.

  6. Higher Education PKI Activities - HEPKI
     • Sponsors
       • Internet2, EDUCAUSE, CREN, NET@EDU
     • HEPKI Technical Activities Group (TAG)
       • Open-source PKI software
       • Certificate profiles
       • Directory / PKI interaction
       • Validity periods
       • Client customization issues
       • Mobility
       • Inter-institution test projects
       • Technical issues with cross-certification

  7. Some Drivers for Campus S/MIME Support
     • Prevent email spoofing
       • Problems with forged email
         • Students canceling classes, impersonating professors, etc.
       • Official announcements
       • Anti-spam filter bypass?
     • Business processes
       • Protect sensitive messages & documents
       • Signed messages
       • S/MIME-based applications

  8. S/MIME Project
     • Two project phases:
       • User-to-user
       • Application-to-user, user-to-application
     • Client interoperability testing
       • Common signing and encryption algorithms
       • Dual-key support
       • LDAP support
     • Issues documentation
       • Mailing list software; encryption: folders, escrow, cc: repository

  9. Some Potential S/MIME Applications
     • Mailing lists: access and expansion of encrypted messages
     • Travel expense reports & direct deposit notification
     • Online forms routing – signed workflow
     • Trouble ticket submissions
     • Password resets
     • Library notices – guard circulation data
     • Timesheet submission
     • Student debit card & long distance billing privacy
     • FERPA opt-in/opt-out
     • Sysadmin confirmation of batch jobs

  10. Certificate Profiles
     • A per-field description of certificate content
       • Standard and extension fields
       • Criticality flags
       • Syntax of values permitted per field
     • Spreadsheet & text formats
     • Higher education profile repository
       • http://middleware.internet2.edu/certprofiles
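To make slides 3, 4 and 10 concrete, here is an added example (not from the presentation, HEPKI or the profile repository) using only Go's standard library: a campus root CA issues an end-entity certificate whose fields follow a minimal S/MIME and web-authentication profile (critical basicConstraints on the CA, rfc822Name identity, key usage and extended key usage on the end entity), and a relying party builds the chain to the trusted root before believing the identity the certificate binds. The CA name, user name and e-mail address are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// BuildChain makes a campus root CA and one end-entity certificate following a minimal
// S/MIME + web-authentication profile (CA name, user name and address are constructed).
func BuildChain() (root, ee *x509.Certificate, err error) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	eeKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	caTmpl := &x509.Certificate{ // CA profile: basicConstraints CA=true (critical), keyCertSign
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Campus Root CA"},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	root, _ = x509.ParseCertificate(caDER) // self-signed: the parent is the template itself
	eeTmpl := &x509.Certificate{ // end-entity profile: identity as SAN rfc822Name, sign + key transport
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Jane Doe"},
		EmailAddresses: []string{"jdoe@example.edu"}, NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageClientAuth}}
	eeDER, err := x509.CreateCertificate(rand.Reader, eeTmpl, root, &eeKey.PublicKey, caKey) // CA signs
	if err != nil {
		return nil, nil, err
	}
	ee, _ = x509.ParseCertificate(eeDER)
	return root, ee, nil
}

// VerifiedEmails is the relying-party check: build a path from ee to a trusted root with an
// extended key usage fitting S/MIME, then report which addresses the certificate binds.
func VerifiedEmails(root, ee *x509.Certificate) ([]string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := ee.Verify(opts); err != nil {
		return nil, err // untrusted issuer, expired, or wrong usage: do not trust the names inside
	}
	return ee.EmailAddresses, nil
}
```

A mail client does the same path check before showing a "signed by" indicator; the profile decides which of these fields the campus CA must populate.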

  11. PKI-lite: Full function but lightweight
     • A normal PKI technical infrastructure
       • Authenticate users
       • Issue certificates, perhaps revoke certificates
       • A comparatively simple certificate profile
       • Support applications, directories, etc.
     • A lightweight administrative/policy structure
       • Supports applications without high assurance needs
       • One or two page certification policy
       • Assurance levels per existing campus practice
     • Campus evolution towards full featured PKI

  12. PKI-lite Project Status
     • PKI-lite certificate profiles completed
       • Designed to support web authentication & S/MIME
       • End Entity profile
       • CA certificate profile
     • PKI-lite Policy and Practices Statement
       • Individual documents prepared, then merged
       • Reviewed by many people
       • Template-based fill-in-the-blanks approach
     • Certificate repository started

  13. Some other work in progress
     • Hardware tokens
       • Mobility
       • Private key protection
       • Two-factor authentication
     • Signing tools
       • Web & client-based
       • The active content problem
     • Other items
       • Root cert downloads, PKI in XP, docs, demo CA projects, information sharing, etc.

  14. Where to watch
     • middleware.internet2.edu/hepki-tag
     • www.educause.edu/hepki
     • middleware.internet2.edu/hepki-tag/smime
     • www.cren.net/ca
     • NET@EDU PKI for Networked Higher Ed
       • www.educause.edu/netatedu/groups/pki
     • PKI Labs
       • middleware.internet2.edu/pkilabs