Personal Digital Certificates at Virginia Tech: Who Are You?
Mary Dunker
Internet-2
December 4, 2006
dunker@vt.edu

Personal Digital Certificates at VT
• Background
• Implementation
• Application Selection
• Sponsorship
• Six Projects
• Future Challenges
Personal Digital Certificates at VT: Background
Why issue VT Personal Digital Certificates?
• Move processes online where an ID/password is not good enough to replace pen and ink.
• Implement two-factor authentication, per the recommendation of the VT IT Security Task Force.
• Establish a VT issuance procedure.

Personal Digital Certificates at VT
How do we know who you are?

Personal Digital Certificates at VT: Challenge: Application Selection
• Leave Reports
• Grant Proposals
• Travel Vouchers
• S/MIME e-mail
• Various departmental forms
• Phone Bills
• ~20 more ideas…

Personal Digital Certificates at VT: Digital Signatures for Leave Reports: an ambitious endeavor
• All employees (a challenge as well as a plus)
• Secure online process improvement
• Does not require key escrow
• Departments would create their own leave solutions anyway if we did nothing centrally.
• Phased approach. HR required all employees in a department to sign the leave report the same way.
• Phase I: IT organization, ~400 employees

Personal Digital Certificates at VT: Sponsorship
• Vice President for Information Technology
• Funding from the Executive Vice President

Personal Digital Certificates at VT: Six Projects: A coordination challenge
• Infrastructure
• Policy
• Device Selection
• Integration
• Token Administration System
• Documentation and Communication
Personal Digital Certificates at VT: Infrastructure Project
• Root CA – offline, already in place
• Class 1 Server CA – offline, already in place
• Middleware CA – offline, already in place
• User CA – online, needed to be created

Personal Digital Certificates at VT: Infrastructure Project
• IBM xSeries 335 and Dell PowerEdge 1850 class servers. Redundant, manual fail-over.
• Red Hat Linux
• OpenCA 0.9.1 for Root, Class 1 and Middleware CAs
• OpenCA 0.9.2 for the User CA

Personal Digital Certificates at VT: Infrastructure Project
• OpenCA software works as designed.
• 0.9.2 is a performance increase over 0.9.1.
• Documentation needs work.
• User interface needs work.
• VT end users do not interact with OpenCA.

Personal Digital Certificates at VT: Hardware Security Modules
• 1 offline, 1 online for the User CA
• LunaCA3 and LunaSA, FIPS 140-2 Level 3
• Strong multifactor authentication
• CA Administrator uses a key token and PIN to access the private area of the HSM that contains the private keys.
• Very secure, but requires m of n people in order to sign or change.

Personal Digital Certificates at VT: Policy Project
• VT Certification Policy created before PKI-Lite was completed.
• Modeled on RFC 2527, since obsoleted by the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 3647).
• Policy Management Authority (PMA) created to approve policies and resolve issues.

Personal Digital Certificates at VT: Policy Project
• Policy Project team drafted the CPS and brought questions to the PMA.
• User CPS drove development and administration of the Token Administration System (TAS).
• Lengthy process but extremely valuable
• VT Internal Audit involved

Personal Digital Certificates at VT: Device Selection Project
• Preliminary work by the eProvisioning group
• Form factor considerations
• Must work on Windows, Macintosh, Linux.
• Integration with the Hokie Passport card considered but rejected for now.

Personal Digital Certificates at VT: Device Selection Project: Aladdin eToken
• Works with I.E., Firefox, Netscape on the required platforms. Safari not supported, but planned.
• USB token form factor does not require a reader
• IT had already purchased a few hundred
• More research for phase II. Will the eToken hold up?
  • What form factor for students?
  • Lost tokens
• Installation scripts had to be written to download VT certificates.

Personal Digital Certificates at VT: Integration Project
• Digital signature added to the existing leave report application. Sign vs. submit.
• Leave information stored in a database
• Does not require Adobe Acrobat Pro/Writer
• HTML -> PDF -> Base64-encoded file signed and stored -> PDF for display.
• Web service validates the signature.
• Workflow for approval
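The two slides above (the Infrastructure Project CA layout and the Integration Project signing flow) describe a chain of trust and a document-signing pipeline without showing either in code. The following is an added example, not VT's code or OpenCA's: it builds the same shape of hierarchy (an offline root issuing an online User CA, which issues an employee's personal digital certificate), signs a Base64-encoded report with the employee's key, and implements the validation web service as a chain check against the root followed by a signature check. In-memory Ed25519 keys, the subject names, the "constructed" sample document and the serial-number scheme are all assumptions for illustration; in the deployment described, CA keys live in the HSM and user keys on the eToken.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// entity is a certificate plus its private key (in memory here; VT keeps CA keys in HSMs, user keys on eTokens).
type entity struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

// newEntity issues a certificate for cn signed by parent, or self-signed when parent is nil.
func newEntity(cn string, isCA bool, parent *entity) (*entity, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; real CAs use random serials
		Subject:               pkix.Name{Organization: []string{"Virginia Tech (example)"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature, // end entity: may sign documents
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // CA: issues certificates, never signs documents
	}
	if parent == nil {
		parent = &entity{cert: tmpl, key: key} // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, pub, parent.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &entity{cert: cert, key: key}, err
}

// buildHierarchy mirrors the slides: offline Root CA -> online User CA -> employee PDC.
func buildHierarchy() (root, userCA, employee *entity, err error) {
	if root, err = newEntity("VT Root CA (example)", true, nil); err == nil {
		if userCA, err = newEntity("VT User CA (example)", true, root); err == nil {
			employee, err = newEntity("Example Employee", false, userCA)
		}
	}
	return
}

// signedReport is the stored record: base64 payload, its signature, and the signer's certificate (DER).
type signedReport struct {
	PayloadB64 string
	Signature  []byte
	SignerDER  []byte
}

// signReport is the "PDF -> base64 -> signed/stored" step, done with the employee's PDC key.
func signReport(pdf []byte, signer *entity) *signedReport {
	payload := base64.StdEncoding.EncodeToString(pdf)
	sig := ed25519.Sign(signer.key, []byte(payload))
	return &signedReport{PayloadB64: payload, Signature: sig, SignerDER: signer.cert.Raw}
}

// validateReport is the validation web service: chain check to the trusted root via the User CA, then signature check.
func validateReport(r *signedReport, root, userCA *x509.Certificate) error {
	cert, err := x509.ParseCertificate(r.SignerDER)
	if err != nil {
		return err
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(userCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter}); err != nil {
		return fmt.Errorf("signer certificate rejected: %w", err)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, []byte(r.PayloadB64), r.Signature) {
		return fmt.Errorf("signature does not match stored payload")
	}
	return nil
}

func main() {
	root, userCA, employee, err := buildHierarchy()
	if err != nil {
		panic(err)
	}
	rep := signReport([]byte("%PDF-1.4 constructed leave report"), employee) // constructed sample document
	fmt.Println("accepted:", validateReport(rep, root.cert, userCA.cert) == nil)
}
```

The ordering in validateReport is the point to notice: a signature is only meaningful once the signing certificate has been tied to the VT root through the User CA, so the chain check runs first, and a certificate from outside the hierarchy is rejected even when its signature over the payload is valid. The signature is computed over the Base64 text that is actually stored, so any later edit to the stored record (not just to the rendered PDF) fails verification.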
Personal Digital Certificates at VT: Digitally signed leave report
• Required close work with HR.
• Departmental phase-in
• Requirement: the entire department converts to digital signature
• Exceptions for people on disability leave
• Departmental leave representatives are key players

Personal Digital Certificates at VT: Digitally signed leave report
• Generated lots of questions about how the leave system worked that no one had asked for years.
• How to handle leave that one person enters for another?
• What about people without computers?
• Approvals not based on a known supervisory structure.

Personal Digital Certificates at VT: Token Administration System (TAS)
• Issues the personal digital certificate (PDC) on the Aladdin eToken
• Multiple roles. Procedures documented in the User CPS, approved by the PMA
• Uses information from the VT Enterprise Directory, not Active Directory as the Aladdin administrative tool did
• Allows distributed operation
• Works great when it works

Personal Digital Certificates at VT: Token Administration System (TAS)
• LOTS of policy and procedural decisions.
• Two-person process
• Verify identity information using 2 picture IDs and questions.
• Write certificate and private key onto the eToken
• Private key is not exported off of the token.
• Terms and conditions digitally signed by the applicant. No sharing of passwords.
• Extension agents at > 100 sites!!!

Personal Digital Certificates at VT: Documentation and Communication Project
• How do you explain all this?
• Project plans
• Web site – “internal use” updates to http://www.pki.vt.edu/pdc
• E-mail communications from the VP for IT
• FAQs
• Knowledge base articles
• Scheduling groups to pick up PDCs
• Presentations to end users

Personal Digital Certificates at VT: Future Challenges
• Phase II of the leave report: entire university (6500 employees)
• Re-evaluation of the device
• How to issue PDCs at remote sites?
• Employees who do not use computers
• Supporting other applications
  • E-mail, Word documents
  • Departmental applications
  • Two-factor authentication, CAS
• Recognizing VT PDCs outside of VT

Personal Digital Certificates at VT: Future Challenges
• Students (28,000)
  • Device selection
  • Support
• Switching devices requires:
  • Re-testing
  • TAS support
  • New policies/procedures?
  • New installation scripts
  • New training

Personal Digital Certificates at VT: References
• www.pki.vt.edu/pdc
• X.509 specification: http://www.ietf.org/rfc/rfc2459.txt
• EDUCAUSE Effective Security Practice: http://www.educause.edu/Browse/705&ITEM_ID=286