Overview of PKI@Virginia Tech
Secure Enterprise Technology Initiatives, e-Provisioning Group
Frank Galligan, frankg@vt.edu
Fed/Ed XV PKI Coordination Meeting, June 14, 2007
Background
• Secure Enterprise Technology Initiatives
  • eProvisioning Group
  • Technical Support for University PKI Initiatives
• Sponsorship for PKI Initiatives
  • Vice President for Information Technology
  • Funding from Executive Vice President
• Virginia Tech
  • Blacksburg, Virginia - Southwestern VA
  • Research University - Ranking 56th in US
  • 28,000 Full-Time Students - Largest in VA
  • 7,000 Faculty and Staff - PKI Target Group
  • Corporate Research Center - Location of CC
VTCA Architecture (diagram)
• Offline CA: Virginia Tech Root CA (4/10/2003)
• Online subordinate CAs: Server CA, Middleware CA, User CA (diagram dates 4/10/2003, 7/23/2004, 9/20/2006; certificates issued 417, 105, 444), plus other CAs as needed
• Certificate types: Personal Certificates on Aladdin eToken, SSL Web Server Certificates, Middleware Certificates
PKI Project Structure
Six Projects: A Coordination Challenge
• Infrastructure
• Integration
• Token Administration System
• Policy
• Device Selection
• Documentation and Communication
VTCA Design Methodology
• Architecture: Hierarchical Model
• High Assurance Level: FIPS 140-2 Level 3 HSM
• Standards: PKCS, CryptoAPI, PC/SC, X.509 v3
• Commercial or Open Source: OpenCA 0.9.x
• Deployment Model: Phased, Smart Devices
• Scope: Initially for Internal Use
• Administration: RA, CA, HSM, SYS, APP
• CP and CPS Documents: PMA, RFC 2527
VT Personal Digital Certificates
• Token Administration System - TAS
• Two-Phase Certificate Enrollment Process
  - Phase I: Registration Authority Admin Station
    • Applicant Hokie ID scanned to retrieve LDAP record
    • Applicant provides two photo IDs for validation
    • Applicant creates a password for their eToken
  - Phase II: Certification Authority Admin Station
    • Applicant authenticates using their eToken password
    • TAS generates RSA keys onboard the eToken and creates a CSR
    • TAS sends the CSR to the User CA; the returned certificate is stored on the eToken
    • Applicant digitally signs the VT Usage Agreement
    • TAS automatically sends an email with instructions to the applicant
• eToken Password Resets, Certificate Revocation
PKI Integration
• Virginia Tech Personal Certificate Profile
  • Encryption Disabled
• VT PKI Applications
  • Digitally Signed Leave Reports/Work Flow
  • VPN Authentication
  • S/MIME e-Mail, MS Office Word and Excel, Adobe Acrobat
  • Client SSL Authentication, CAS (Central Authentication Server)
• Other Digital Signature Applications
  • Grant Proposals
  • Travel Vouchers
  • Various Departmental Forms
  • Phone Bills
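As an added example (not code from the presentation or from Virginia Tech), the Phase II enrollment step and the hierarchical model of the preceding slides in Go's standard crypto/x509: an offline root signs a subordinate User CA, the holder's key pair and CSR go to the User CA, which returns a signature-only certificate (reading the profile's "Encryption Disabled" as a KeyUsage without keyEncipherment, an assumption), and the result is validated back to the root. CA names, validity windows, and software RSA in place of on-token key generation are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tmpl builds a template with a random 64-bit serial and a short constructed validity window.
func tmpl(cn string) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	return &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

// newCA issues a CA certificate: parent == nil gives the self-signed (offline) root, otherwise a subordinate.
func newCA(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	t := tmpl(cn)
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	if parent == nil {
		parent, parentKey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// enrollUser models Phase II: holder key pair (software RSA here, on the eToken in the real system), CSR to the User CA, signature-only certificate back.
func enrollUser(userCA *x509.Certificate, caKey *rsa.PrivateKey, pid string) (*x509.Certificate, error) {
	tokenKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: pid}}, tokenKey)
	csr, _ := x509.ParseCertificateRequest(csrDER)
	if err := csr.CheckSignature(); err != nil { // proof of possession of the token key
		return nil, err
	}
	t := tmpl(csr.Subject.CommonName)
	t.KeyUsage = x509.KeyUsageDigitalSignature // no KeyEncipherment: the profile's "Encryption Disabled" (assumed reading)
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection}
	der, _ := x509.CreateCertificate(rand.Reader, t, userCA, csr.PublicKey, caKey)
	return x509.ParseCertificate(der)
}

// verifyChain validates a personal certificate up to the offline root through the User CA.
func verifyChain(cert, userCA, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(userCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

A real CA would also record each issued serial for revocation and CRL publication, which this example omits.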
References
• Virginia Tech Home Page: www.vt.edu
• Virginia Tech PKI: www.pki.vt.edu
• Virginia Tech PDCs: www.pki.vt.edu/PDC
• Virginia Tech Certificate Policy: www.pki.vt.edu/rootca/cp
• Virginia Tech Aladdin eToken News: www.aladdin.com/news/2006/etoken/Virginia_Tech.asp
• Personal Digital Certificates at Virginia Tech – Internet2 Presentation: www.internet2.edu/presentations/fall06/20061204-PKIwksp-Dunker.htm