390 likes | 543 Views
Public-Key Infrastructure for Higher Education. Mark Luker EDUCAUSE. EDUCAUSE is. An association of over 1,800 colleges, universities, and corporate partners professional education and best practice Net@EDU for advanced networking NLII for distributed learning Government and campus policy
E N D
Public-Key Infrastructure for Higher Education Mark LukerEDUCAUSE
EDUCAUSE is ... • An association of over 1,800 colleges, universities, and corporate partners • professional education and best practice • Net@EDU for advanced networking • NLII for distributed learning • Government and campus policy • Partner with I2 and SURA on NMI
What’s new in technology? • affordable “human” interactions • affordable digital content • affordable networked communications • This changes everything!
What is different this time? • Convergence to common digital forms • incredible reduction in unit costs • incredible resource sharing • speeds both innovation and production • Global sharing of opportunities • technology, information, human
Why critical for higher ed? • Our stock is in knowledge and information • Our core activities focus on learning, research, analysis, dissemination, preservation … • All can be improved through better, cheaper, broader, faster communications • Irrational exuberance?
Major barrier to success • Low level of “trust” on the Internet • Who are you really dealing with? • How do you know? • Is this signed document authentic? • Can you prove it? • Can the Internet support our core business?
Fact… Networked applications require an environment of rules and law: • Official and personal transactions • Shared resources and collaboration • Distributed systems and information • B2B and web services • Networked organization • Distributed learning • Networked research
Aspects of trusted communications • Authentication • Data integrity • Confidentiality • Non-repudiation • Authorization
All a matter of degree • Assurance of products and services • Liabilities and regulations • Balance costs and risks • Physical and network security • Policies and procedures • Penalty of regulations and law • Insurance and indemnification • Traditional business models
Passwords fail the test • Either hard to remember or easy to guess • Difficult and expensive to manage • Towers of Babel • Lock you into online transactions • Low level of trust
PKI - the only known solution • Issue a unique, digital “cert” to each person • Guard and manage it with high security • Use it automatically to prove identity • Can support digital signatures • Provides all five types of trust • For both transactions and documents • Fits normal business models
What is needed in a PKI? • A registration authority (RA) that performs the physical identity checks • A Certificate Authority (or CA) that issues, manages, and vouches for the certs • An “authoritative” directory of roles • Standards, policies, training, oversight
What else is needed? • “PKI Aware” applications that automatically use the certs and the directory • Browsers, email, online transactions • Digital signatures • Business rules for trusted communications • Re-engineer business workflow
The ROI? (Wrong term?) • Costs similar to ERP • Big bucks for full implementation • Hardware and software only a small part • A long-term, ongoing investment • Rewards even larger than ERP • Efficiency • A basic necessity for e-education
Mathematical underpinnings • Asymmetric or Public Key cryptography • Encode and decode messages using a common algorithm with pairs of “keys” • Only you have your private key • Everyone else has your public key • Either key can encode a message • Only the other key can then decode it • It is “impossible” to determine your private key from your public key
Confidentiality • To send a confidential message to Mary • Encode message with Mary’s public key • She decodes it with her private key • To save a confidential copy of a message • Encode message with your own public key • Decodes it later with your private key • What if you lose your private key? • Key escrow - a system to recover lost keys • Once a big policy flap with the feds
Non-repudiation • Send a message “guaranteed to be from you” • Send the message coded with your private key • Mary decodes it with your public key • If this works, it is really from you • Also called technical non-repudiation: • No one else could have sent the message • ASSUMING no one else has your private key
Integrity • Send a signed document to Mary • Compute a “1-way hash” of the message • Encode the hash using your private key • Send message + coded hash to Mary • Mary decodes hash with your public key • She recomputes the hash from the message and compares with the decoded hash • If they match, it guarantees integrity • Can do all combinations with Digital Signatures
What for? Authorization • Provide controlled access to resources • Use certificate to determine identity • Check for appropriate authorization using access lists, class membership rules, etc. • Store attributes in a directory • Problems? • Need expiration dates and revocation lists • Must be alert to privacy concerns • Need high quality, secure directory!
Assumptions • You and only you have your private key • Never escrow your private signing key • Must use two pairs of keys • Must revoke obsolete or lost keys • Keys are easy to use • PKI-enabled applications • Everyone has access to your public key • And they can trust that it is really yours
Challenges • Must prevent brute force attacks • Key size, algorithms, management, guard dogs • Where to keep your private key? • Your head? your hard drive? the network? • Smart cards, biometrics • How to publish your public key and guarantee it is yours?
How to share public keys? • Can share one-to-one, but does not scale • How can a published key be trusted? • Breakthrough • Send the public key in a Certificate signed by a trusted, third party • This Certificate Authority or CA vouches for the identity and public key of the sender • We recognize and trust the CA due to its process, rules, reputation, and liability
Managing trust in communities • Can’t have just one CA for the entire world • Hierarchical models have a rootCA that determines overall policy requirements • System, Campuses, Colleges • State, System, … • VeriSign, Campuses, … • Trust partners in a common framework • Trust, risk, and liability • Works like a family tree • Must validate certs through chains of trust
Early projects • University of Texas system • University of California system • University of Pittsburgh • CREN early adopters • Digital library federation • Federal agencies – especially Defense • Automotive Network Exchange • American Bankers Association • Health Key
Stepping up to the next level • Need to work with certs across communities • Difficult and expensive to manage separate certs for separate applications • Risk PKI Tower of Babel • Would like to use your “main” identity in most transactions • Need to validate certs from other root CAs
Collaboration between root CAs • Establish trust through “sufficient” commonality of process and policy • A job for lawyers and managers • Enforced by technology, management, contract • Cross-certify peer CAs • Trust each other, vouch for it • Examine detailed policy documents • Sign certificates for each other’s public keys
Implementing trust between CAs • The number of pairwise agreements between N CAs is about N squared / 2 • Pairwise trust between 1,000 root campus CAs requires the work of 1 million lawyers • Try to use a small number of root CAs • Breakthrough • Use a common “bridge CA” in the middle • Translate trust between N kinds of certificates • Requires only 2 x N lawyers
The bridge solution • Translates certs and levels of trust from one PKI to another • Provides online verification that a cert issued by another system is valid • Provides interoperability across vendors • (Solves the N-squared problem of trust)
Federal Bridge • FBCA connects CAs for federal agencies • Recognizes de facto autonomy • Supports common vendors • Authority of Federal CIO Council • 150-page detailed policy statement • New implementation by MitreTek • Online now
Higher Education Bridge • HEBCA proposed for higher ed CAs • Recognizes actual autonomy • Supports common vendors • Authority of ??? • Mimic federal policy statement • Prototype implementation by MitreTek • Online for testing now • Cross-certify to the federal bridge!
Example • Campuses join some hierarchical CA • Can interoperate through HEBCA • Big bonus • Can interoperate through FBCA with feds • NSF, NIH, VA, INS, DOD, Ed, HHS, … • Trial projects • Campus – HBCA – FBCA – NIH • Campus - FSA
EDUCAUSE / NIH pilot • Build bridges for Federal Government and Higher Education • Hook them together (with trust!) • Demonstrate that this model could support trusted communications between any campus and federal agency • Won the Pioneer “Best of the Best” award
HEBCA E-Lock Assured Office Digital Signed Grant App. Certificate Validation UA-B NIH Mail Server University of Alabama- Birmingham FBCA Internet Certificate Validation UW-M E-Lock Assured Office Digital Signed Grant App. University of Wisconsin- Madison Middleware: CAM with DAVE Certificate Validation Dart. C NIH Recipient E-Lock Assured Office Digital Signed Grant App. E-Lock Assured Office Digital Signed Grant App. Dartmouth College E-Lock Assured Office CAM-enabled A Picture is Worth Five Slides
Advantages of the bridge approach • Campuses and agencies can use their own PKI vendors, identification, and signatures. • They do not have to create new certificates or passwords for each new application. • They have a standard way to check credentials received from one another. • Could be used for trusted correspondence between higher education and NIH, NSF, NASA, FSA, INS, IRS, VA, DoD, ….
Role of EDUCAUSE • Implement the bridge for higher education • Interoperate with vendors and feds • Alliance with ACE for authority • Collaborate with Internet2 on technology • Focus in Net@EDU working group on PKI • Arranging trials with MitreTek, Feds, NIH, and several campuses
People Glue It All Together • Clair Goldsmith, University of Alabama-Birmingham • Jill Gemmill, University of Alabama-Birmingham • Keith Hazelton, University of Wisconsin-Madison • Eric Norman, University of Wisconsin-Madison • Bob Brentrup, Dartmouth College • Ed Feustel, Dartmouth College • Michael Gettes, Georgetown University; Internet2 • David Wasley, University of California Office of the President • Bill Weems, University of Texas – Houston Health Science Center
Campus next steps for PKI • Understand PKI as an institution • Implement initial components • CA services, directory, enabled applications • Policies, practices, contracts, business models • Stay within the emerging framework • The payoff • Efficiency and power of networked operations • Requisite capabilities for e-education
Whew! • Will it work? • Are there alternatives? • See • www.educause.edu/netatedu on PKI • NMI, I2, SURA, HEPKI • www.cio.gov/fbca, etc. • PKI by Tom Austin, Wiley Tech Brief, 2001