Dec 4, 2008 TERENA 12th TF-EMC2 meeting
Japanese University PKI (UPKI) Update and Single Sign-On Trial
Yasuo Okabe, Kyoto University / National Institute of Informatics
OUTLINE
• Overview of UPKI
• Server Certificate Pilot Project
• Single Sign-On Trial
• Shibboleth using PKI Authentication
What is UPKI?
• We are undertaking the construction of the University Public Key Infrastructure (UPKI), which is intended to achieve inter-university cooperation that makes use of educational and research computing systems, digital contents, networks, and business systems at almost 800 universities and other institutions in Japan in safe, convenient, and effective ways.
• We are promoting an inter-university authentication federation by developing UPKI common specifications and by developing applications that use the PKI.
UPKI Three-Layer Architecture
• Open Domain PKI (Public PKI)
  • Used for authentication, signature and encryption on the Internet.
  • Public certificates for servers and individuals on the Internet are issued by a PKI service provider.
• Campus PKI
  • Used on the campus network for secure access and secure transactions: SSO, VPN, 802.1X, e-Approval, etc.
  • Certificates for servers and for faculty, staff and students on the campus network are issued by each organization.
• Grid PKI
  • Used for authentication for NAREGI.
  • Certificates for HPC resources and NAREGI users are issued by NAREGI-CA.
UPKI Activities
[Figure: the three layers side by side. Open Domain PKI: the NII Pub CA and other public CAs issue web server and S/MIME certificates, used for signing and encryption. Campus PKI: A Univ. CA and B Univ. CA issue campus-use EE certificates to students and faculty, used for authentication, signing and encryption. Grid Computing (NAREGI PKI): A Univ. NAREGI CA and B Univ. NAREGI CA issue EE and proxy certificates for servers and supercomputers.]
• Server Certificates
• S/MIME Certificates
• UPKI Common Specification
• Eduroam
• Shibboleth
• CA Start-Pack
• NAREGI-CA Enhancement
Server Certificate Pilot Project
• NII has been operating the "Server Certificate Pilot Project" since May 2007 to promote public server certificates and to evaluate the registration scheme in higher-education institutions.
• In this project, NII operates the "NII Open Domain CA", subordinated to a public root CA, to issue public server certificates to higher-education institutions.
Quick view of Pilot project (cont'd)
• Challenges
  • Optimization of RA operation for higher education
  • Customization of local operation in each institution
  • Automation of RA operation by using Campus PKI certificates as a credential (planning stage)
• Expected outcomes
  • Best practice of local operation optimized for higher education
  • Tips for server certificate installation (for niche implementations)
  • Tips for improving local operations in institutions
  • Stimulation of demand for S/MIME (used by local operators)
Schemes for Registration and Issuance
[Figure: roles and flows, split into offline and online channels. Provider: Root CA and IA, supplying the certificate chain. NII: Open Domain CA and RA operator, handling registration and issuance; checks organization identity, domain ownership and local operator acceptance; handles bulk requests and bulk receipt. Higher-education institution: Local Operator, who checks subscriber identity, subscriber acceptance and server ownership. Subscriber: submits the CSR, receives the certificate and installs it on the web server.]
Issuance of UPKI Public Certificates (cumulative totals at each date; requests = issued certificates + re-issue requests)

Date          Issued certificates   Re-issue requests   Requests
preliminary           111                  19              130
2007-05-01            114                  19              133
2007-06-01            121                  19              140
2007-07-01            157                  27              184
2007-08-01            178                  35              213
2007-09-01            232                  37              269
2007-10-01            287                  43              330
2007-11-01            330                  54              384
2007-12-01            388                  70              458
2008-01-01            434                  78              512
2008-02-01            519                  85              604
2008-03-12            552                  86              638
2008-03-26            586                  96              682
2008-04-11            634                 104              738
2008-04-25            727                 111              838
2008-05-16            777                 114              891
2008-06-24           1234                 144             1378
2008-07-11           1265                 145             1410
2008-09-09           1426                 165             1591
2008-09-26           1456                 172             1628
2008-10-01           1531                 192             1723
2008-10-03           1567                 197             1764
2008-11-01           1629                 198             1827
2008-12-01           1707                 198             1905
Issuing S/MIME Client Certificates based on Federation via Shibboleth/SAML (plan)
[Figure: planned flow among Subscribers (Universities), RA Operator (Universities), an IdP, an SP, the NII Open Domain CA and the Secretariat (NII). Steps ① to ⑨ in the figure comprise: request of server certificate; identification of the subscriber and the server by the RA operator; issuing an assertion by the IdP; authentication and authorization by the assertion at the SP; SOAP/HTTP client authentication; sending the CSR; generating a passcode; notification of the passcode; notification of a one-time download URL; downloading the certificates.]
UPKI Single Sign-On Testbed
• Leveraging PKI and Shibboleth (SAML) technologies, the UPKI Federation, which enables secure Single Sign-On for inter-university services such as electronic journals, is under development.
• The project has been in the trial stage since Sept. 2008.
Participant Organizations
Number of participants: 26 organizations
IdP: 18 orgs, 20 sites
SP: 9 orgs, 10 sites (3 are public)
[Chart: growth of participating sites from Aug to Nov 2008, reaching 20 IdP sites and 10 SP sites.]
Current Status (11 Nov 2008)
[Table of participant status; legend: ○ = done, 2 = 2 sites, △ = testing, * = automatic update of metadata.]
Issuing Grid certificates by federation of MICS-profile compliant Shibboleth IdP/SP (by Osaka University)
[Figure: flow numbered 1 to 7 between the user, Osaka Univ. (Shib IdP backed by a Kerberos ID, operational system, RA and CA), other universities (Shib IdP backed by an LDAP ID, operational system, UMS), a Shib SP running grid-certreq, a DS (W.A.Y.F.) and MyProxy, ending in the issued user certificate and license ID.]
Location privacy issues in eduroam roaming access
[Figure: a Kyoto University user roaming at XX Univ. authenticates with ID okabe@kyoto-u.ac.jp and password ******; the request passes through XX Univ. RADIUS, the X national RADIUS proxy, the international RADIUS proxy and the Japan national RADIUS proxy to Kyoto Univ. RADIUS (XY Univ. RADIUS is another visited site on the same path).]
Solution
• Use of a tentative account with a specified duration
• The account carries no privacy information such as
  • Who the user is (or what his e-mail address is)
  • Which university he belongs to
Use of "anonymous" tentative account
ID: ymdslnnn@upkiroam.csi.jp
• y: Year of issue (last digit of A.D.)
• m: Month of issue (123456789abc)
• d: Date of issue (123456789a bcdefghijk lmnopqrstu v)
• s: Date the duration starts (offset from the issue date)
• l: Term of validity (012345678; 2^l)
• nnn: Serial number of accounts issued on that day
Issuing roaming accounts:
(1) Authentication via campus ID
(2) Redirection with pseudonym-based authN ticket
(3) Tentative roaming account is issued
Authentication
[Figure: roaming authentication with the tentative account. Components: international RADIUS proxy, NII RADIUS, X national RADIUS proxy, Kyoto University campus authN system, XY Univ. RADIUS, XX Univ. RADIUS. The user authenticates at the visited site with ID 88j11001@upki.csi.jp and password ******.]
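A decoder for the ymdslnnn account format from the previous slide, applied to the ID 88j11001@upki.csi.jp shown in the authentication figure; this is an added example, not code from the original slides or the UPKI project. It assumes that the offset s and the term 2^l are counted in days and that y is the last digit of a year in the 2000s (neither is stated on the slides), and it accepts any realm after "@".

```python
# Added example (not from the original slides): decoder and validity check for
# the anonymous roaming account format ymdslnnn@upkiroam.csi.jp. Assumptions
# not stated on the slides: s and the term 2^l are counted in days, and y is
# the last digit of a year in the 2000s; any realm after "@" is accepted.
import re
from datetime import date, timedelta

MONTH_ALPHABET = "123456789abc"                    # 1..9, a..c -> months 1..12
DAY_ALPHABET = "123456789abcdefghijklmnopqrstuv"   # 1..9, a..v -> days 1..31
ID_RE = re.compile(
    r"^(?P<y>\d)(?P<m>[1-9a-c])(?P<d>[1-9a-v])(?P<s>\d)(?P<l>[0-8])"
    r"(?P<nnn>\d{3})@(?P<realm>[\w.-]+)$"
)

def parse_roaming_id(account_id):
    """Decode an ID into issue date, validity window (end exclusive) and serial.

    Raises ValueError for IDs that do not follow the format or that encode an
    impossible calendar date (e.g. day 'v' = 31 in a 30-day month).
    """
    m = ID_RE.match(account_id)
    if m is None:
        raise ValueError("not a ymdslnnn@realm identifier: %r" % account_id)
    issued = date(2000 + int(m.group("y")),                  # assumed: 2000s
                  MONTH_ALPHABET.index(m.group("m")) + 1,
                  DAY_ALPHABET.index(m.group("d")) + 1)      # may raise ValueError
    valid_from = issued + timedelta(days=int(m.group("s")))  # assumed: days
    term_days = 2 ** int(m.group("l"))                       # 1, 2, 4, ... 256
    return {
        "issued": issued,
        "valid_from": valid_from,
        "valid_until": valid_from + timedelta(days=term_days),
        "serial": int(m.group("nnn")),
        "realm": m.group("realm"),
    }

def is_roaming_id(account_id):
    """True if the ID is a well-formed tentative account (carries no identity)."""
    try:
        parse_roaming_id(account_id)
        return True
    except ValueError:
        return False

def is_valid_on(account_id, when_iso):
    """Check whether the account is usable on the given ISO date (YYYY-MM-DD)."""
    info = parse_roaming_id(account_id)
    return info["valid_from"] <= date.fromisoformat(when_iso) < info["valid_until"]
```

For 88j11001@upki.csi.jp the decoder yields an issue date of 2008-08-19, a window starting one day later and lasting 2^1 = 2 days, and serial 001; a real identifier such as okabe@kyoto-u.ac.jp is rejected, which is the point of the scheme.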
Incident response
[Figure: the incident response path; only the international RADIUS proxy and XX Univ. RADIUS labels are recoverable.]
Shibboleth using PKI authentication
• Objectives:
  • To design an architecture for the Japanese Academic Federation that is suitable for Japanese institutions, based on the UPKI PKI infrastructure
• Challenges:
  • To develop the functions necessary to connect Shibboleth and the UPKI PKI infrastructure
  • To evaluate the usability and operability of the Shib-PKI architecture
Shib-PKI connecting function
[Figure: the user, an IdP (University), an SP (e-Journal, e-Learning, ...) and the Shib-PKI DS (Discovery Service). The user accesses the SP (1) and is redirected (2) to the Shib-PKI DS, which receives the user's certificate (Subject DN) (3) and redirects (4) to the IdP, where authentication (5) takes place.]
Testbed using Shib-PKI
[Figure: Japanese Academic Federation Testbed. The Open Domain CA issues the server certificate for the SP and the DS + Shib-PKI; Univ. A and Univ. B each run a Campus CA that issues EE certificates to User1 and User2, and IdP1 and IdP2 that perform PKI authN. User accesses to the SP over the Internet are auto-redirected to the DS + Shib-PKI and then to the respective IdP.]
Summary
• UPKI: Japanese Academic Federation
• Architecture design: develop a suitable architecture on the UPKI PKI infrastructure (three layers), taking the institutions' situations into consideration; deployment of Shibboleth/SAML
• Roadmap:
  • FY2007: Develop Shib-PKI and testbed
  • FY2008: Evaluate and develop the architecture using the testbed; small start with a few SP services
  • FY2009: Pilot operation
  • FY2010~: Operational