John Douglass, Systems Support Specialist, Office of Information Technology


Presentation Transcript


  1. Rolling Your Own PKI. John Douglass, Systems Support Specialist, Office of Information Technology

  2. Who the heck is this guy?
  • Primary developer for the Georgia Tech PKI
  • Assisted in the development of the CREN CA Services
  • Author of “Papyrus” (now called “Kalamos”), a PHP-based CA application
  • Co-author of the GT LAWN wireless authentication system and of START, our residential network registration system

  3. Custom vs. Established
  • Advantages
    • You are in control of your own destiny
    • Definitely cheaper
    • Can often use tools and methods that your technical groups already understand
  • Disadvantages
    • Technical expertise is required
    • User education is PIVOTAL to success
    • Client issues abound (if you don’t prepare for them)

  4. So You Have a Custom Root
  • Hierarchical vs. flat architecture
  • Are you your own root?
  • Is anyone besides you a relying party?
  • What features of PKI are you attempting to use?
    • Client authentication?
    • Encryption?
    • Object signing?
    • Web server certificates?
  • What client software can you support?

  5. Browser and OS Support vs

  6. Browser and OS Interaction
  • Mozilla
    • Multiplatform
    • Utilizes its own internal cert database
    • Can use smartcards via PKCS#11
  • Internet Explorer
    • Utilizes operating system cert management (CryptoAPI)
    • Can use smartcards, but through a vendor CSP rather than a PKCS#11 module (the CEnroll code on slide 9 enumerates CSPs for exactly this reason)
    • NO cert functions are supported on MacOS
  • Safari
    • Utilizes OS cert management via Keychain
    • Can use smartcards via PKCS11
  • Opera
    • Works like Mozilla

  7. OpenSSL is the Core
  • OpenSSL was not necessarily designed to BE a CA… but we can force it to be
  • It relies heavily upon a very mysterious configuration file (openssl.cnf; the [ca] section named with -name drives everything) (TBD)
  • It utilizes a text file (index.txt) as a “cert database”, though there are simple ways around this (TBD)
  • It is usable from a system() or exec() call in any scripting language
  • Freely available for many OS

  8. Software Certs vs. Smartcards, Phase 1: Software Certs (Mozilla)
  • The form uses the <KEYGEN> tag: the browser generates the key pair, keeps the private key in its own cert database, and posts a Netscape SPKAC (public key plus a signed challenge) in the csr field:

    <FORM name="ReqForm" method="POST" action="user-sign-cert.php">
      <KEYGEN NAME="csr" CHALLENGE="challengePassword">
      <INPUT tabindex="3" name="submit" type=submit value="Generate Private Key">
    </FORM>

  • The PHP side writes the request file openssl ca expects in SPKAC mode: the DN attributes as name = value lines, then the SPKAC taken from the post:

    commonName          = CN
    emailAddress        = EMAIL
    …
    stateOrProvinceName = Georgia
    countryName         = US
    SPKAC               = $_POST['csr'];

  • One openssl call signs it (-spkac takes the request file directly; there is no -in in this mode):

    $OPENSSL ca -config $OPENSSL_CONF -name $ca -extensions $extensions -startdate $certStartDate -days $days -spkac $requestFile -out $certFile -key $passphrase -batch

  • Caveat for anyone reading this today: <KEYGEN> has since been removed from every current browser, so this path only survives as the openssl ca -spkac mode.

  9. Software Certs vs. Smartcards, Phase 1: Software Certs (Internet Explorer)

    <SCRIPT language="VBScript">
    <!--
    ' xenroll's CEnroll control does the key generation and builds the PKCS#10.
    ' Try the newer ProgID first, fall back to the older one (438/429 = object
    ' or method not available).
    Dim Enroll
    On Error Resume Next
    Set Enroll = CreateObject("CEnroll.CEnroll.2")
    if ( (Err.Number = 438) OR (Err.Number = 429) ) Then
        Err.Clear
        Set Enroll = CreateObject("CEnroll.CEnroll.1")
    End If
    if Err.Number <> 0 then
        document.write("<h2 align=center>Can't instantiate the CEnroll control: " & Hex(err) )
    End If

    ' Walk every CSP type and list the installed providers in the CspProvider
    ' <SELECT>, but only offer the Enhanced provider (1024-bit RSA).
    Function GetProviderList()
        Dim CspList, cspIndex, ProviderName
        On Error Resume Next
        ' initialize all our values
        base = 0
        count = 0
        enhanced = 0
        CspList = ""
        ProviderName = ""
        For ProvType = 0 to 13
            cspIndex = 0
            Enroll.ProviderType = ProvType
            ProviderName = Enroll.enumProviders(cspIndex, 0)
            while ProviderName <> ""
                Set oOption = document.createElement("OPTION")
                oOption.text = ProviderName
                oOption.value = ProvType
                ' This is a personal "hack" to limit the crypto providers.
                if ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
                    Document.ReqForm.CspProvider.add(oOption)
                end if
                if ProviderName = "Microsoft Base Cryptographic Provider v1.0" Then
                    base = count
                end if
                if ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
                    enhanced = count
                end if
                cspIndex = cspIndex + 1
                ProviderName = ""
                ProviderName = Enroll.enumProviders(cspIndex, 0)
                count = count + 1
            wend
        Next
        Document.ReqForm.CspProvider.selectedIndex = base
        if enhanced then
            ' Document.ReqForm.CspProvider.selectedIndex = enhanced
            ' Only the Enhanced provider was added above, so it is option 0.
            Document.ReqForm.CspProvider.selectedIndex = 0
        end if
    End Function

    ' Generate the key pair in the chosen CSP and return a base64 PKCS#10.
    ' keyflags is OR'ed into GenKeyFlags; the caller passes 2 (CRYPT_USER_PROTECTED,
    ' prompt the user). The high word of GenKeyFlags is the key length, so
    ' &h04000000 = 1024 bits and &h04000001 = 1024 bits + CRYPT_EXPORTABLE.
    ' Each attempt steps down until some combination the CSP accepts works.
    Function CSR(keyflags)
        CSR = ""
        szName = "<? print($DN); ?>"
        ' MD5 is what the slide used for the request signature; it is long
        ' broken and xenroll itself is gone from modern Windows.
        Enroll.HashAlgorithm = "MD5"
        err.clear
        On Error Resume Next
        set options = document.all.CspProvider.options
        index = options.selectedIndex
        Enroll.providerName = options(index).text
        tmpProviderType = options(index).value
        Enroll.providerType = tmpProviderType
        ' KeySpec 2 = AT_SIGNATURE, 1 = AT_KEYEXCHANGE (needed for the RSA/DH
        ' provider types 0 and 1 so the key can also be used for encryption).
        Enroll.KeySpec = 2
        if tmpProviderType < 2 Then
            Enroll.KeySpec = 1
        end if
        ' OID 1.3.6.1.5.5.7.3.2 = id-kp-clientAuth (extended key usage).
        Enroll.GenKeyFlags = &h04000001 OR keyflags
        CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
        if len(CSR) <> 0 then Exit Function
        Enroll.GenKeyFlags = &h04000000 OR keyflags
        CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
        if len(CSR) <> 0 then Exit Function
        if Enroll.providerName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
            MsgBox("The 1024-bit key generation failed. Please upgrade your browser to the latest version.")
            Exit Function
        end if
        Enroll.GenKeyFlags = 2 OR keyflags
        CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
        if len(CSR) <> 0 then Exit Function
        Enroll.GenKeyFlags = keyflags
        CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
        if len(CSR) <> 0 then Exit Function
        Enroll.GenKeyFlags = 0
        CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
    End Function

    ' Button handler: put the PKCS#10 into the hidden csr field and post it.
    Sub REQUEST_OnClick
        Dim Form
        Set Form = Document.ReqForm
        err.clear
        result = CSR(2)
        if len(result) = 0 Then
            result = MsgBox("Unable to generate PKCS10.", 0, "Alert")
            Exit Sub
        end if
        Form.csr.value = result
        Form.Submit
    End Sub
    -->
    </SCRIPT>
    <INPUT TYPE="hidden" NAME="csr" VALUE="">
    <input type="hidden" name="cert" value="<? print($certtype); ?>">
    <SELECT NAME="CspProvider"> </SELECT>
    <input type="button" name="btnRequest" value="Generate Private Key" onClick="REQUEST_OnClick" language="VBSCRIPT" border=1>
    </FORM>

  (The opening <FORM name="ReqForm"> tag and the PHP that sets $DN and $certtype are not on the slide.)

  • Well… this is ActiveX + VBScript, so it is Internet Explorer on Windows only.
  • You need to designate the DN components yourself: CEnroll builds the PKCS#10 subject from the $DN string the page embeds, not from form fields.
  • The CA then signs the PKCS#10 with the same openssl ca command, this time with -in instead of -spkac:

    $OPENSSL ca -config $OPENSSL_CONFIG -name $myca -extensions $extensions -startdate $certStartDate -enddate $certEndDate -out $certfile -key $passphrase -in $requestfile -batch

  • Note that -key $passphrase places the CA key passphrase on the process command line, where any local user can read it with ps; openssl ca also accepts -passin with a file or file descriptor source.

  10. Software Certs vs. Smartcards, Phase 2: Smartcard Certs
  • Smartcards
    • If you want to use an open source CA… your smartcard vendor will almost certainly need to agree to it and modify their product, because the card management software expects to talk to a CA of its own choosing.
    • Enter “Kalamos”: an XML-RPC based certificate request signing code base, so that the vendor’s software only has to make a remote call with the request and get a certificate back.

  11. Browser and OS Support vs

  12. Right down to it…
  • Pick your battles
  • Attempt one thing at a time
  • Plan as best you can, but expect changes
  • Expect limitations
