1 / 18

Dartmouth PKI Deployment

Dartmouth PKI Deployment. Robert Brentrup PKI Summit July 14, 2004. Dartmouth PKI Lab. R&D to make PKI a practical component of a campus network Dual objectives: Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).

Ava
Download Presentation

Dartmouth PKI Deployment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004

  2. Dartmouth PKI Lab R&D to make PKI a practical component of a campus network Dual objectives: Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere). Improve the current state of the art. Identify security issues in current products. Develop solutions to the problems. Sponsored by the Mellon Foundation, Cisco, Intel, Sun Labs, HP Labs, NSF, DHS, Intenet2/AT&T, IBM Research

  3. PKI Objectives Provide Authentication Alternative Ease of use important Similar security is adequate Don’t transmit passwords, directory enabled Scale as rapidly as possible Additional Applications PKI enables Secure Mail Document Signing Find out what was possible once infrastructure was available

  4. PKI Implementation • Commercial CA Software (Sun/iPlanet) • Sun 250 server • Single Online CA Server • Hardware Key Storage • Dedicated Firewall • Publishes CRLs and provides OCSP

  5. Simple Policies • Identification required for employment or matriculation • Maintained from Institutional Systems • SIS, HR, Sponsored Guests • LDAP Directory Authorization • Self Service • One year validity range • Also Temporary Certificate option • Balance Complexity with Security needs

  6. User Enrollment • Key Generation by Web Browser • Internet Explorer and Netscape/Mozilla • Cross platform • Software Key and Certificate Storage • USB Token option for better key protection and mobility • Increasing emphasis on Tokens and in-person registration

  7. LDAP Directory • Automated Addition and Deletion • New Persons added through normal procedures • Persons leaving removed in one month • Used for simple authorization checks • CA Publishes Certificates and CRLs to LDAP • As revoked and refreshed weekly

  8. Production Applications • Web Services Authentication • Student Information System • Library Journals • Business School Portal • Software Downloads • Course Management System (Blackboard) • SSL for IMAP Servers • VPN Authentication

  9. Pilot Applications • Shibboleth Authentication • Hardware Key Storage (Aladdin USB Tokens) • Distribute to Incoming Class • Secure Mail and List Server • Document Signatures • Acrobat, Office, XML (NIH) • Wireless Network Authentication • High Assurance VPN Access • Application and OS Sign-on with Tokens • Grids

  10. PKI Deployment Timeline • Planning late 2001 • Staffing Jan - April 2002 • HW/SW Acquisition began Feb 2002 • CA Installation began June 2002 • Test CA available Sept 2002 • Production CA available Jan 2003 • First Applications • Library Jun 2003, Banner Aug 2003

  11. Certificates Issued • On April 15, 2004 • 1542 Certificates Issued • 749 Unique Individuals • 542 Students (10%) • 207 Faculty and Staff (8%) • 68 Servers, Network Devices and CMS Admin • On July 14, 2004 • 1819 Certificates Issued • 885 Unique Individuals

  12. Devices with Certificates • Web Server Certificates (18) • Sponsored Research System (SRS) • Bio-Informatics • Eng. Course evaluation system • Letters of Evaluation On-line (LEO) • Computing Services Internal

  13. Devices with Certificates • Mail Servers (8) • Sympa List Server (S/MIME) • VPN Concentrators (2) • Grids (2) • fMRI, Physics • Directory Servers (5) • LDAP, Active Directory

  14. Rollout Activities • Integrated user documentation on web, software downloads • Support staff training and early adopters • Add PKI functionality in System Updates • Offer PKI as first authentication option • Kerberos authentication error messages suggest PKI alternative • PKI Configuration and SW on Disk images, for public computers and new purchases

  15. Issues • Application owners rightfully cautious • Displacing a system that worked well in the past • Support has proven to not be a burden • Has solved existing problems • Time available for new applications is limited • OS and client PKI support evolving • Inter-institutional infrastructure just starting to appear

  16. Research Projects • Guest Authentication to Secure Wireless Network • Open Source CA software • Installation, Packaging, Features • Secure Hardware Applications • TPM and IBM 4758 • Enforcer - Secure Linux Kernel • (available at http://enforcer.sourceforge.net)

  17. Future Directions • Move more advanced applications into production • Evolve infrastructure to match security needs of application • Universal local participation is a goal • Inter-institutional / Government e-Business

  18. For More Information • Dartmouth Support Web: www.dartmouth.edu/~pki • Dartmouth PKI Lab: www.dartmouth.edu/~pkilab • PKI Outreach web: www.dartmouth.edu/~deploypki Robert.J.Brentrup@dartmouth.edu Mark.Franklin@dartmouth.edu

More Related