EuroPKI offers basic and advanced certificate services like issuance, revocation, and OCSP. Their OCSP responder features configurable parameters and multi-platform support. The TSP architecture ensures secure time stamping. EuroPKI tools include RA client/server, SSLTelnet, and SSLFTP.
END
EuroPKI • Corrado Derenale • <derenale@athena.polito.it> • Politecnico di Torino • Dip. Automatica e Informatica
EuroPKI tomorrow Naples
[Map: The EuroPKI Tomorrow. Countries shown: Austria, Slovenia, Italy, Romania, Poland. Entities shown: IAIK TU-Graz server, CRYPT, Trade Point Slovenija, Halcom, Intranet za Svetovni Splet, za Posameznike, Naples University, Root, City of Modena, Bucharest Polytechnic, Verona University, IRIS-PCA, City of Macerata, Macerata University, RedIRIS, City of Rome, EETIC, Camerino University, Turin Polytechnic, Calabria University. Legend: CSP, CA, RA.]
EuroPKI - services
• EuroPKI doesn't sell services even though it distributes them
• basic services
  • certificate applicant authentication
  • certificate issuance
  • certificate revocation
  • certificate renewal
  • certificate publication
  • CRL issuance
  • CRL publication
EuroPKI - advanced services
• OCSP
• TSA
[Diagram: the OCSP responder collects the CRLs issued by the CAs and answers a relying party's status query with "yes, no, what?"]
OCSP - players
1. cert request (EE → CA)
2. certificate (CA → EE)
3. transaction request (EE → Relying Party)
4. OCSP request (Relying Party → OCSP Responder)
5. OCSP response/error (OCSP Responder → Relying Party)
6. transaction response (Relying Party → EE)
EuroPKI - OCSP responder features
• RFC-2560 compliant
• based on the OpenSSL-0.9.5a crypto library
• OCSP patch for OpenSSL originally written by Tom Titchener for Cert Co.
• OpenSSL-0.9.7 will incorporate support for OCSP
• multiplatform, successfully built and running on
  • Win32
  • Solaris 2.x
  • RedHat Linux 6.x/7.x
EuroPKI - OCSP responder features
• configurable parameters:
  • port number to listen on for OCSP requests
  • transport mechanism to be used
  • CA certificate(s) of the CA(s) for which the responder is providing the OCSP service
  • CRL(s) from which the responder extracts the revocation information (associated with the above CAs)
  • responder's certificate and private key
EuroPKI - OCSP responder characteristics
• multi-threaded server for Win32 OS
• multi-process server for Unix-like OS
• responder configuration:
  • limited number of simultaneous connections (against DoS)
  • accepting signed / unsigned OCSP requests
  • transport mechanism (HTTP is the default)
EuroPKI - OCSP client
• available in two forms:
  • as a command-line application (for scripting)
  • as a library (for integration into applications)
• input parameters:
  • OCSP responder location (hostname, port, transport mechanism)
  • target certificate to verify
  • the requester can choose whether to sign the OCSP request
EuroPKI - OCSP interoperability
• responder successfully tested with:
  • PSM 1.4 – the personal security manager for Netscape 4.7x and 6.x (incorporated)
  • OpenSSL-0.9.7 (snapshot) OCSP test client
  • POLITO OCSP client
• client successfully tested with:
  • Valicert test responder (http://www.valicert.com/)
  • OpenValidation test responder (http://www.openvalidation.org/)
  • OpenSSL-0.9.7 (snapshot) OCSP test responder
TSP - architecture
1. digest (the EE computes the digest of the document)
2. request (EE → TSA)
3. get time (TSA → Time source)
4. response (TSA → EE)
5. verify/store (the EE verifies the time stamp and stores it)
EuroPKI - TSP features
• RFC-3161 compliant (implements the client-server model)
• currently supports only the socket-based protocol (will support HTTP too)
• multiplatform (both client/verifier and server)
  • Win32 (the server may run as a service under WinNT and Win2K using the srvany tool)
  • Linux 6.2 (tested)
  • Solaris 8 (tested)
• based on OpenSSL 0.9.6a
EuroPKI - TSP server characteristics
• acts as a Time Stamp Authority (TSA)
• multi-threaded server for Win32 OS
• multi-process server for Unix-like OS
• configuration
  • limited number of simultaneous connections (against DoS)
  • external configuration file in text format
EuroPKI - TSP client
• client (command line)
• built on a Client API
• external configuration file in text format
EuroPKI - tools
• RA client/server
• SSLTelnet
  • Unix server
  • the client is a Win32 GUI application
• SSLFTP
  • Unix server
  • the client is a Win32 GUI application
EuroPKI - tools
• both clients (SSLTelnet, SSLFTP) support smart cards through the PKCS#11 interface
EuroPKI - software
• to manage the EuroPKI root, the Italia CA and the polito CA we use the "POLITO software"
• CAFE
  • the Front End
  • Apache Web server secured with mod-SSL
  • a single Apache server can serve more than one CA
• CAMGR
  • the Back End
  • used to sign the requests and the CRL
  • can serve more than one CA
EuroPKI - software architecture
[Diagram. Components: User Client, RAServer (pending requests), RAClient, CAMGR (CA, off-line), CAFE (online), sigreq. Flow: 1. request, 2. verify, 3. validate, 4. sign, 5. publish, 6. download.]
CSP
• Secude
  • commercial product
  • support guaranteed
  • makes it possible to set up a legal CA
• OpenSSL
  • low-cost CA
  • fully functioning
Join legacy PKI!
[Diagram: a root CA and a CA linked into a legacy PKI. Fields shown: AuthorityInfoAccess: KeyIdentifier, authorityCertIssuer, AuthorityCertSerialNumber.]