1 / 14

Experiences with Massive PKI Deployment and Usage

Experiences with Massive PKI Deployment and Usage. Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009. Public Key Infrastructure. Asymetric cryptography Each user and service owns key-pair X.509 digital certificates PGP not suitable

Download Presentation

Experiences with Massive PKI Deployment and Usage

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009

  2. Public Key Infrastructure • Asymetric cryptography • Each user and service owns key-pair • X.509 digital certificates • PGP not suitable • Certification Authority (CA) • Network of Registration Authorities (RA) • Relying parties

  3. Distributed environments • Ithanet project • Network for medical research in Mediterranean countries • Users were physicians with little knowledge about computers • Grid infrastructure • Facilitates collaborations, resource sharing • support of research • Basic services provided by grid operator • Easy establishment of secure communication

  4. PKI in large-scale environment • PKI is good candidate for authN in large infrastructures • Scalability • Several aspects to be considered and addressed • Operators • Users • General PKI not tied with applications

  5. Operating PKI • CA establishment is not technical problem • Building trust is crucial • Many administrative problems • Proper applicants authentication • Protection of signing keys • Proper revocation requests handling • Long-term support • Incident resolution cooperation • … • CAs publish their policies

  6. International Grid Trust Federation • Easing orientation for relaying parties • CA managers, identity providers, large relying parties involved • IGTF builds a federation of „trusted“ CAs • approving procedures and minimal requirements • reviews the CA policies (CP/CPS) • Flat model – no root IGTF CA • Unified name space for subject names • User is uniquely identified by their subject name

  7. Revocation checks • Revocation is a must • Often neglected by administrators or applications • It‘s impossible to check CRLs with Firefox • Certification Revocation Lists (CRLs) • Online Certificate Status Protocol (OCSP) • Overhead • Latency penalty for online checks • Large amount of data represented by aggregated CRLs transfers

  8. Obtaining certificates • The process consists of two phases • Generating key-pair • Identity vetting at RA • Crucial for users‘ perception • Crucial for security of credentials

  9. Online CAs • Normal web page with simple form • Registration is done first • Browser is key component • Perform cryptographic operations • Communicates with CA • Receives and stores new certificate • New requirements • Signing machine of CA is exposed • Trust in browser

  10. Online CAs in Identity Federations • Identity federations leverage existing users management systems • Access to internal systems of institution • Users don‘t need additional credentials to access new services • Online CA connected to federation • No need for personal visits at RA

  11. Private Key Protection • Users don‘t protect their private keys • Weak passphrases, file permissions • Can‘t be checked by PKI operators • Ideally not handled directly by users – transparent PKI • Key repositories • Specialized service maintaining keys for users • Smart cards • User support is difficult in general PKI

  12. Conclusions • Several aspects to address to operate secure PKI • Established set of trusted CAs available • General CAs, not tied with a particular application • Keep users away from their private keys • :-)

  13. Backup slides

  14. Single Sign-On • User authenticates just once • Proxy certificate • Issued by user • Only short-lived • Standard X.509 short-lived certificates • Issued by an on-line CA • Can be obtained automatically after login

More Related