Technical Issues that Challenge PKI Deployments
Jim Jokl, jaj@Virginia.EDU, University of Virginia
NET@EDU PKI Meeting, August 12, 2004
Hardware Tokens
• Uses
  • 2-factor authentication
    • System administrators, HIPAA data access
  • Mobility
    • Public labs, work at home
  • Old problems of OS registration are fixed
• Issues
  • Still expensive: ~$30 to ~$50
  • Token management system
  • Generally must install client software for the tokens that we actually use
  • Token accessories are critical to acceptance
S/MIME
• Client support
  • Good: Outlook/Outlook Express, Netscape, Mozilla, etc.
  • OK: Mulberry, CGatePro webmail
  • None: Eudora
  • Seeking HEPKI-TAG letter endorsements
• Other issues
  • Main client issue: encryption in the sent-mail folder
  • Webmail should at least verify signed email
  • Root certificate problem
  • Signed email for official announcements
  • "Incompatibility" during the rollout
Some Generic Application Issues (it's not the PKI …)
• SSH
  • Support available from ssh.com, VanDyke
  • Server authorization stage well done
    • A couple of simple mechanisms, wildcard matching
    • Certificate handoff to external application
  • Client certificate selection done well
    • Tries all of the certs in the OS store
  • Not available in OpenSSH ($$$)
Some Generic Application Issues (it's not the PKI …)
• 802.1X EAP-TLS wireless authentication
  • Usability
    • Very clean for Windows users
    • OK for Macintosh users
    • Linux?
  • Back-end infrastructure still somewhat painful
    • Our authentication server
      • Does path validation fine; however, users still need an account in the database
      • Should have LDAP search for authorization
    • We need different authorization for the same user on different wireless VLANs
    • Going to look at Funk Software RADIUS servers
EAP-TLS and the Microsoft Clients
• Microsoft field in certificate for AuthN
  • Subject Alt Name / Other Name / Principal Name
  • OID 1.3.6.1.4.1.311.20.2.3
  • If not present, uses CN
    • Uniqueness issues for our CA
  • Added OID to our certificate profile
• Impact on the PKI-Lite certificate profiles
  • Agreed to add this extension to the EE cert profile
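The slide above names the certificate field but not what it looks like on the wire or how the fallback behaves. The following is an added example (not from the original slides, and not Microsoft or UVa code): it builds a self-signed user certificate that carries the User Principal Name as a SAN otherName with type-id 1.3.6.1.4.1.311.20.2.3 (plus the clientAuth EKU a Windows EAP-TLS supplicant needs), then implements the selection rule the slide describes, UPN if present, otherwise the subject CN. It requires the `cryptography` package; the person, organization, UPN value and all function names are constructed sample data and my own naming.

```python
"""Added example: UPN otherName in the SAN and the 'UPN, else CN' identity rule.
Requires the `cryptography` package. Names and UPN are constructed sample data."""
import datetime
from typing import Optional, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Microsoft otherName type-id for the User Principal Name (the OID on the slide).
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def der_utf8string(value: str) -> bytes:
    """DER-encode a UTF8String (tag 0x0C). OtherName.value must be the DER
    encoding of the value, not the raw text; a raw string is not a valid UPN.
    Short-form length is enough for any realistic UPN (<= 127 bytes)."""
    raw = value.encode("utf-8")
    if len(raw) > 127:
        raise ValueError("UPN too long for short-form DER length")
    return b"\x0c" + bytes([len(raw)]) + raw


def decode_utf8string(der: bytes) -> str:
    """Inverse of der_utf8string, checking tag and length before trusting it."""
    if len(der) < 2 or der[0] != 0x0C or der[1] != len(der) - 2:
        raise ValueError("otherName value is not a short-form DER UTF8String")
    return der[2:].decode("utf-8")


def build_user_cert(common_name: str, upn: Optional[str] = None) -> x509.Certificate:
    """Self-signed EE certificate in the spirit of the PKI-Lite profile:
    clientAuth EKU always, UPN otherName in the SAN only when requested."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example University"),  # sample data
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        # Windows EAP-TLS requires the clientAuth EKU on the user certificate.
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
    )
    if upn is not None:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_utf8string(upn))]),
            critical=False,
        )
    return builder.sign(key, hashes.SHA256())


def eap_tls_identity(cert: x509.Certificate) -> Tuple[str, str]:
    """Return (identity, source) following the rule on the slide:
    SAN otherName UPN if present, otherwise the subject CN."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        for other in san.get_values_for_type(x509.OtherName):
            if other.type_id == UPN_OID:
                return decode_utf8string(other.value), "UPN"
    except x509.ExtensionNotFound:
        pass
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if not cn:
        raise ValueError("certificate has neither a UPN otherName nor a CN")
    return cn[0].value, "CN"


if __name__ == "__main__":
    print(eap_tls_identity(build_user_cert("Jane Doe", upn="jdoe@example.edu")))
    print(eap_tls_identity(build_user_cert("Jane Doe")))
```

The fallback is where the "uniqueness issues for our CA" bullet comes from: a CN is a display name that two people can legitimately share, so a server that authenticates on the CN fallback is trusting the CA to have enforced CN uniqueness, whereas the UPN is a single-valued principal identifier by construction. Note also the DER wrapping: a UPN stored as the raw string rather than a DER UTF8String is silently not a UPN at all.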
Some Generic Application Issues (it's not the PKI …)
[Network diagram: Hospital Net and Main Campus Network; VPN concentrators, firewalls (IN/OUT), servers S1, S2, S3 … Sn, Oracle ERP, LDAP AuthZ servers]
Operating System Support
• Windows
  • Good internal support
  • Primarily user interface issues
    • Certificate import & export
    • Root certificate installation (see HEPKI-TAG web site)
  • Root certificate program audits expensive
• Apple Macintosh
  • Personal and root certificate installation issues
  • Need ties into Safari for key generation & cert import
  • Had to implement a PKCS-12 proxy for our campus CA
  • Few applications use the emerging OS support
• Linux?
• Bridge path validation
Certificate Profiles
• Profiles change to support new applications
  • Key Usage and the Outlook problem
• PKI-Lite
  • Spent a lot of time/effort to get it right at first
  • Added AIA based on XP path validation work
  • Added Microsoft OID for EAP-TLS support
  • Add smart card login attribute next?
• What is next? New user certs are needed each time the profile changes
  • Could some of this type of authorization be done outside of the identity certificate?
Digital Signatures
• Document signing
  • The active content problem
  • Interoperability between applications
  • Key: choose the right tool for your application
• Web form signing
  • Want to sign both the form and the data that the user submitted
  • Products are very expensive
Ease of Use Comes from Widespread PKI Enabling of Applications
• All standard applications supporting and using PKI for all aspects of their operation
  • E.g., certificates for IMAP/SMTP authentication instead of just for use with S/MIME
  • All instead of some of the campus VPN services
  • All instead of a few web-based applications
• Is there a reason why clients shouldn't simply try all available personal certificates?
Campus Globus Implementations
• The Globus toolkit uses PKI for authentication of users and resources
  • The PKI-Lite profile works well
  • A proxy certificate is used internally
  • A file maps certificates to login names
• Campus CA integration is complicated by the Globus interface
  • Campus CAs and OS-exported certificates are generally in PKCS-12 format
  • Globus expects raw PEM files for key and cert
• Grids are often intercampus applications
  • Most campuses not part of a hierarchy now
  • Bridges or PKI hierarchy needed
Schematic of Grid Testbed PKI Integration Goal
[Diagram: Shibbolized Testbed CA, Testbed Bridge CA, cross-cert pairs to A's PKI, B's PKI and C's PKI, Campus A–F Grids, Grid User Certs]
Globus and Bridges
• 2nd phase of testing now
  • Built "production" bridge for testbed
    • Dedicated laptop/OpenSSL
  • Cross-certified UVa, UAB, USC, and TACC
• Results (so far)
  • Bridge path validation OK for EE certs
  • Server certificate validation not working via bridge
    • Digging into OpenSSL interface
    • Bridge itself is fine; e.g. XP validates in both directions
• Tools being created
  • Chase down cross certificates via AIA pointer, populate Globus certificate and signing policy directory
  • Credential converter web site: PKCS12 to PEM
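The "Campus Globus Implementations" slide and the credential converter listed above both come down to one conversion: the PKCS-12 bundle a browser or OS exports has to become the separate PEM certificate and key files Globus reads, and the certificate subject has to be mapped to a login name. The following added example (not Globus code and not the UVa converter) does that conversion, creates the key file owner-only because Globus refuses a private key readable by group or other, and emits a grid-mapfile line using the OpenSSL one-line DN form. It requires the `cryptography` package; the DN, login name, passphrase and the PKCS-12 bundle itself are constructed sample data, and the usercert.pem/userkey.pem file names under a .globus directory follow the Globus convention rather than anything stated on the slide.

```python
"""Added example: PKCS #12 export -> Globus-style PEM files + grid-mapfile line.
Requires the `cryptography` package. All DNs, names and passphrases are sample data."""
import datetime
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def openssl_oneline_dn(name: x509.Name) -> str:
    """Subject DN in the slash-separated form used in grid-mapfile,
    RDNs in certificate order (C first, CN last), e.g. /C=US/O=.../CN=...."""
    return "".join("/" + rdn.rfc4514_string() for rdn in name.rdns)


def grid_mapfile_line(cert: x509.Certificate, login: str) -> str:
    """One grid-mapfile entry: quoted subject DN, then the local login name."""
    return '"%s" %s' % (openssl_oneline_dn(cert.subject), login)


def pkcs12_to_globus_pem(p12_data: bytes, password: bytes, globus_dir: Path) -> Tuple[Path, Path]:
    """Write usercert.pem and userkey.pem (conventional Globus names) from a PKCS #12
    bundle. The key stays passphrase-protected and is created owner-only."""
    key, cert, _chain = pkcs12.load_key_and_certificates(p12_data, password)
    if key is None or cert is None:
        raise ValueError("PKCS #12 bundle must hold both the private key and the certificate")
    globus_dir.mkdir(parents=True, exist_ok=True)
    cert_path = globus_dir / "usercert.pem"
    key_path = globus_dir / "userkey.pem"
    cert_path.write_bytes(cert.public_bytes(serialization.Encoding.PEM))
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,          # OpenSSL-readable "ENCRYPTED PRIVATE KEY"
        serialization.BestAvailableEncryption(password),
    )
    # Create the file with mode 0600 from the start so the key is never,
    # even briefly, readable by other users; chmod covers a pre-existing file.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key_pem)
    os.chmod(key_path, 0o600)
    return cert_path, key_path


def key_mode_ok(path: Path) -> bool:
    """The check Globus applies to userkey.pem: no group or other permission bits."""
    return (stat.S_IMODE(path.stat().st_mode) & 0o077) == 0


def make_sample_p12(password: bytes) -> Tuple[bytes, x509.Certificate]:
    """Constructed stand-in for a browser/OS key-store export: a self-signed
    PKI-Lite-style user certificate and its key, bundled as PKCS #12."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example University"),
        x509.NameAttribute(NameOID.COMMON_NAME, "Jane Doe"),
    ])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    data = pkcs12.serialize_key_and_certificates(
        b"grid credential", key, cert, None, serialization.BestAvailableEncryption(password)
    )
    return data, cert


def run_demo() -> Dict[str, object]:
    """End to end: export -> convert -> permission check -> mapfile line."""
    password = b"correct horse"  # sample passphrase
    p12_data, cert = make_sample_p12(password)
    globus_dir = Path(tempfile.mkdtemp()) / ".globus"
    cert_path, key_path = pkcs12_to_globus_pem(p12_data, password, globus_dir)
    return {
        "cert_is_pem": cert_path.read_bytes().startswith(b"-----BEGIN CERTIFICATE-----"),
        "key_is_encrypted_pem": b"ENCRYPTED" in key_path.read_bytes(),
        "key_mode_ok": key_mode_ok(key_path),
        "mapfile_line": grid_mapfile_line(cert, "jdoe"),
    }


if __name__ == "__main__":
    for item in run_demo().items():
        print(*item)
```

Two things worth noticing: the key is re-encrypted rather than written in the clear, so the PKCS-12 passphrase becomes the passphrase grid-proxy-init will ask for, and the mapfile line is derived from the certificate actually converted, which avoids the common failure of a hand-typed DN that differs from the issued subject by one attribute.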
What is not a significant problem
• Issuing certificates
  • Deployed our own CAs
    • Standard: on-line, tied into our databases/AuthN, LDAP
    • High assurance: tokens only, ID check, etc.
  • Available CAs
    • Papyrus, OpenCA, kX509, etc.
    • See HEPKI-TAG web site
• SSL server certificates
  • Prices down to $39/server; $300/wildcard
• Authentication apps with good ease of use
  • Web applications
  • VPN
  • Wireless
HEPKI-TAG Projects (a list of other issues)
• Must-do items
  • Support the USHER / InCommon projects
  • Maintain & update existing documents and services
• Potential projects discussed and ranked at our meeting
  • Update work on S/MIME
  • Windows domain authentication
  • CA audits: preparing your internal audit department
  • EAP-TLS for wireless authentication
  • Update on hardware tokens
    • Survey, documentation, recommendations
  • Introductory materials for sites getting started (CA software, applications, cookbook, etc.)
• Other possibilities discussed more briefly
  • Grid integration
    • Survey
    • Bridge testing
  • Document and web form signing
  • Profiles
    • AIA, EPPN, Smart Card Login
Some Reference URLs
• middleware.internet2.edu/hepki-tag
  • PKI-Lite documents (profiles, policy & practices), S/MIME, links to other sites, CA software, etc.
• NET@EDU PKI for Networked Higher Ed
  • www.educause.edu/netatedu/groups/pki
  • www.educause.edu/hepki
• pkidev.internet2.edu
• PKI Labs
  • middleware.internet2.edu/pkilabs