1 / 24

Bridging Higher Education PKIs PKI Summit, August 2006 Snowmass, Colorado

Bridging Higher Education PKIs PKI Summit, August 2006 Snowmass, Colorado. Overview. What are the drivers for PKI in Higher Education? Stronger authentication to resources and services of an institution Better protection of digital assets from disclosure, theft, tampering, and destruction

Download Presentation

Bridging Higher Education PKIs PKI Summit, August 2006 Snowmass, Colorado

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Bridging Higher Education PKIsPKI Summit, August 2006 Snowmass, Colorado

  2. Overview • What are the drivers for PKI in Higher Education? • Stronger authentication to resources and services of an institution • Better protection of digital assets from disclosure, theft, tampering, and destruction • More efficient workflow in distributed environments • Greater ability to collaborate and reliably communicate with colleagues and peers • Greater access (and more efficient access) to external resources • Facilitation of funding opportunities • Compliance

  3. Overview • Potential Killer Apps for PKI in Higher Education • S/MIME • Paperless Office workflow • EFS • Shibboleth/Federations • GRID Computing Enabled for Federations • E-grants facilitation

  4. Overview • PKI Choices for Higher Education • Outsourced everything • Outsourced managed services, internal RAs • Internal operations: • Community root | Campus root • Community Policy | Campus Policy • CA software: commercial | vender | open source | RYO

  5. Creating Silos of Trust Institution Dept-1 Dept-1 Dept-1 USHER CA CA CA SubCA SubCA SubCA SubCA SubCA SubCA SubCA SubCA SubCA

  6. LOA: Levels of Assurance • Not all CAs are created equal • Policies adhered to vary in detail and strength • Protection of private keys • Controls around private key operations • Separation of duties • Trustworthiness of Operators • Auditability • Authentication of end entities • Frequency of revocation updates

  7. HEBCA : Higher Education Bridge Certificate Authority • Bridge Certificate Authority for US Higher Education • Modeled on FBCA • Provides cross-certification between the subscribing institution and the HEBCA root CA • Flexible policy implementations through the mapping process • The HEBCA root CA and infrastructure hosted at Dartmouth College • Facilitates inter-institutional trust between participating schools • Facilitates inter-federation trust between US Higher Education community and external entities

  8. HEBCA • What is the value presented by this initiative? • HEBCA facilitates a trust fabric across all of US Higher Education so that credentials issued by participating institutions can be used (and trusted) globally e.g. signed and/or encrypted email, digitally signed documents (paperless office), etc can all be trusted inter-institutionally and not just intra-institutionally • Extensions to the Higher Education trust infrastructure into external federations is also possible and proof of concept work with the FBCA (via BCA cross-certification) has demonstrated this inter-federation trust extension • Single credential accepted globally • Potential for stronger authentication and possibly authorization of participants in grid based applications • Contributions provided to the Path Validation and Path Discovery development efforts

  9. Solving Silos of Trust Institution FBCA Dept-1 Dept-1 Dept-1 HEBCA CAUDIT PKI USHER CA CA CA SubCA SubCA SubCA SubCA SubCA SubCA SubCA SubCA SubCA

  10. HEBCA Project - Progress • What’s been done so far? • Operational Authority (OA) contractor engaged (Dartmouth PKI Lab) • MOA with commercial vendor for infrastructure hardware (Sun) • MOA with commercial vendor for CA software and licenses (RSA) • Policy Authority formed • Prototype HEBCA operational and cross-certified with the Prototype FBCA (new Prototype instantiated by HEBCA OA) • Prototype Registry of Directories (RoD) deployed at Dartmouth • Production HEBCA CP produced • Production HEBCA CPS produced • Preliminary Policy Mapping completed with FBCA • Test HEBCA CA deployed and cross-certified with the Prototype FBCA • Test HEBCA RoD deployed • Infrastructure has passed interoperability testing with FBCA

  11. HEBCA Project - Progress • What’s been done so far? • Production HEBCA development phase complete • Issues Resolved • Discovery of a vulnerability in the protocol for indirect CRLs • Inexpensive AirGap • Citizenship requirements for Bridge-2-Bridge Interoperability • Majority of supporting documentation finalized • HEBCA Cross-Certification Criteria and Methodolgy • HEBCA Interoperability Guidelines • Draft Memorandum of Understanding • HEBCA Subscriber Agreement • HEBCA Certificate Profiles • HEBCA CRL Profiles • HEBCA Secure Personnel Selection Procedures • Business Continuity and Disaster Plans For HEBCA Operations • PKI Test Bed server instantiated • PKI Interoperability Pilot migrated • Reassessment of community needs • Audit process defined and Auditors engaged • Participation in industry working groups • Almost ready for audit and production operations

  12. HEBCA Project – Next Steps • What are the next steps? • HEBCA to operate at multiple LOAs over its lifetime • Update of policy documents and procedures required to reflect the above • HEBCA to operate at BASIC LOA initially • Issue the HEBCA Basic Root • Purchase final items and bring the infrastructure online • Cross-certify limited community of interested early adopters and key federations • Validate the model and continue to develop tools for bridge aware applications

  13. Challenges and Opportunities • Community applicability • If we build it they will come • Chicken & Egg profile for infrastructure and applications • An appropriate business plan • Consolidation and synergy • Are USHER & HEBCA competing initiatives? • Benefits of a common infrastructure • Alignment with policies of complimentary communities • Shibboleth / InCommon • Grids (TAGPMA)

  14. Bridge-Aware Applications

  15. Challenges and Opportunities • Open Tasks • Audit • Updated Business Plan • Mapping Grid Profiles • Classic PKI • SLCS • Promotion of PKI Test bed • Validation Authority service • Cross-certification with FBCA • Cross-certification with other HE PKI communities • CAUDIT PKI (AusCERT) • HE JP • HE BR

  16. Proposed Inter-federations CA-2 CA-1 CA-2 CA-3 HE BR CA-1 AusCert CAUDIT PKI CA-n HE JP FBCA Cross-cert Cross-certs DST ACES NIH Texas Dartmouth HEBCA Cross-certs Wisconsin UVA Univ-N USHER CertiPath SAFE CA-4 Other Bridges CA-1 CA-2 CA-3

  17. AirGap • The Problem: • Offline CA • High Availability online Directory • CRLs generation and publish every 6 hours • Dual access/authorization for private key operations • Handling of after hours certificate revocation requests • Limited resources

  18. AirGap • The AirGap Solution: • Asynchronous storage device for schlurping signed data between the CA and the Directory (technically no different to a floppy based sneaker net used in similar situations in industry e.g. FBCA) • Storage is never connected to both devices at the same time – hardware enforces an “air gap” • Periodic checking to see if storage device is available • Directory reads any new CRL and publishes it, posts a signed revocation request when it is received • CA reads any new revocation requests, verifies signature, creates new CRL, deletes request • Storage connected to online Directory for 5 mins every 6 hours, otherwise connected to offline CA in order to minimize risk

  19. AirGap • Components: • Sewell Manual Share USB Switch • 5V relay • 5V AC adapter • Power Timer • Crucial 1Gb Flash Disk • Cron jobs running on both connection end points • Signed objects passed back and forth

  20. AirGap MkI

  21. AirGap MkII

  22. AirGap • Benefits: • Offline CA talking to an Online Directory automatically without bringing the CA online = reduced risk and reduced costs • Potential replacement for 4 operators (2 folks, 2 shifts per day to manually move files back and forth) - $200K savings? • Less work for Administrators due to automation of processes • Reduced Audit? Audit process once and then periodic checking of logs vs detailed scrutiny of logs may be required for manual process • Parts readily available, built for under $100

  23. Discussion or Questions?

  24. For More Information • HEBCA Website: http://www.educause.edu/HEBCA/623 Scott Rea - Scott.Rea@dartmouth.edu

More Related