
Improved Secure Communication System for RIPE NCC Members






Presentation Transcript


  1. Improved Secure Communication System for RIPE NCC Members Tiago Rodrigues Antao RIPE NCC tiago@ripe.net

  2. Outline
     • Objectives
     • Introduction to PKI
     • Roadmap
     • Current status
     • Next steps

  3. How do we interact now?
     [Diagram: a RIPE NCC member interacting with hostmaster@ripe.net, Rev DNS, the LIR Portal and the RIPE DB. Labels on the diagram: "Very weak authentication, lack of confidentiality", "Very weak authentication", "Password authentication", "Weak auth schemes with webupdates", "Not Unified"]

  4. Objectives
     • Easy to use, faster interaction with RIPE NCC’s services
     • Stronger unified security mechanisms
     • Support for privilege/credentials management
     • Low deployment and maintenance costs for users
     • Optional for LIRs
     • Supported by industry standards (X.509 PKI)

  5. Roadmap
     • Project presentation – RIPE 44
     • LIR Portal, administrative system, infrastructure setup
     • Database integration
     • Registration Services

  6. A PKI primer
     • Infrastructure to support public key cryptography
     • Fundamental problem: trusting the tie between a public key and a user. That is: this user says that his public key represents LIR zz.example; is this true?
     • X.509 PKI based solutions use a centralised approach: there is an entity that certifies that a certain tie is trustable – the Certificate Authority
     • After having a certificate the user can use it to authenticate herself and pursue secure (authenticated, encrypted and non-repudiable) communications with the other party

  7. A PKI primer – the NCC way
     • RIPE NCC developed and operates a Certificate Authority
     • Caveat: the certificates issued by the RIPE NCC are only to be trusted by the RIPE NCC. LIRs cannot use them to communicate with other parties, so …
     • The PKI is used not for its certification merits, but as a standard, universally available technology mechanism for secure communication

  8. Current implementation
     • Infrastructure for the management of certificates by LIRs. This management can be done via the LIR Portal.
     • First use case: logging into the LIR Portal…
     • … as an alternative to username/password pair
     • … no benefits of unification are shown (still only one service)

  9. Certificate management cycle
     [Diagram; participants: LIR User, LIR Portal, Certificate Authority]
     • LIR User → LIR Portal: request a certificate
     • LIR Portal → LIR User: send browser form
     • LIR User → LIR Portal: send public key (RIPE NCC never sees the private key)
     • LIR Portal → Certificate Authority: request certificate for key linked with LIR ID
     • Certificate Authority → LIR Portal → LIR User: certificate
     • Some time later the user wants to revoke the certificate…
     • LIR User → LIR Portal → Certificate Authority: revocation request
     • Certificate is included in the Certificate Revocation List (CRL)
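The following is an added example, not RIPE NCC's own code, that ties slides 6 and 9 together: a toy certificate authority driven by the openssl command-line tool (assumed to be installed). It shows the binding a CA certifies (public key to LIR name), that the CA only ever receives a CSR carrying the public key, and that revocation works by publishing the serial number in a CRL that relying parties must fetch. The CA name, the file layout under a scratch directory, the function names and the LIR name zz.example (borrowed from slide 6) are all made up for the example.

```shell
#!/bin/sh
# Added example (not RIPE NCC code): a toy CA built on the openssl CLI that
# walks the slide-9 cycle. All state lives in the scratch directory given as
# the first argument; names, paths and the LIR "zz.example" are placeholders.

# setup_ca DIR: CA key pair, self-signed CA cert, issuance database, openssl.cnf
setup_ca() {
  dir="$1"
  mkdir -p "$dir/newcerts" "$dir/users"
  : > "$dir/index.txt"
  echo 'unique_subject = no' > "$dir/index.txt.attr"
  echo 1000 > "$dir/serial"
  echo 1000 > "$dir/crlnumber"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = toy_ca
[ toy_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_lir
x509_extensions  = usr_cert
[ policy_lir ]
organizationName = optional
commonName       = supplied
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Toy RIPE NCC CA" \
    -extensions v3_ca -config "$dir/openssl.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# request_cert DIR NAME: the LIR side. The key pair is generated locally and
# only the public key, wrapped in a self-signed CSR, is handed to the CA.
request_cert() {
  dir="$1"; name="$2"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/users/$name.key" 2>/dev/null
  openssl req -new -key "$dir/users/$name.key" -subj "/O=$name/CN=LIR user" \
    -config "$dir/openssl.cnf" -out "$dir/users/$name.csr" 2>/dev/null
  # Slide-9 property: what the CA receives carries no private key material
  if grep -q 'PRIVATE KEY' "$dir/users/$name.csr"; then return 1; fi
}

# issue_cert DIR NAME: the CA side. Signing the CSR yields the certificate that
# ties the public key to the LIR name for this CA's own relying parties.
issue_cert() {
  dir="$1"; name="$2"
  openssl ca -batch -notext -config "$dir/openssl.cnf" -extensions usr_cert \
    -in "$dir/users/$name.csr" -out "$dir/users/$name.crt" >/dev/null 2>&1
}

# publish_crl DIR: sign a fresh CRL listing every revoked serial number
publish_crl() {
  openssl ca -batch -config "$1/openssl.cnf" -gencrl -out "$1/ca.crl" >/dev/null 2>&1
}

# revoke_cert DIR NAME: mark the certificate revoked in the CA database and
# publish a new CRL; relying parties only notice once they fetch it.
revoke_cert() {
  dir="$1"; name="$2"
  openssl ca -batch -config "$dir/openssl.cnf" -revoke "$dir/users/$name.crt" >/dev/null 2>&1
  publish_crl "$dir"
}

# check_cert DIR NAME: the relying party (e.g. the LIR Portal). Prints "valid",
# "revoked" or "invalid" after chain validation plus a CRL check.
check_cert() {
  dir="$1"; name="$2"
  [ -f "$dir/ca.crl" ] || publish_crl "$dir"
  out=$(openssl verify -crl_check -CAfile "$dir/ca.crt" -CRLfile "$dir/ca.crl" \
    "$dir/users/$name.crt" 2>&1) || true
  case "$out" in
    *': OK'*)                echo valid ;;
    *'certificate revoked'*) echo revoked ;;
    *)                       echo invalid ;;
  esac
}

# Stand-alone run: the whole cycle for LIR zz.example in a scratch directory
work=$(mktemp -d)
setup_ca "$work"
request_cert "$work" zz.example
issue_cert "$work" zz.example
echo "after issuance:   $(check_cert "$work" zz.example)"   # valid
revoke_cert "$work" zz.example
echo "after revocation: $(check_cert "$work" zz.example)"   # revoked
rm -rf "$work"
```

Two points from the slides are visible in the run. The slide-7 caveat holds by construction: a relying party accepts the certificate only if it has this CA's `ca.crt` as its trust anchor, so a certificate from this toy CA means nothing to anyone else. And revocation is only as good as CRL distribution: `check_cert` keeps reporting "valid" until it loads a CRL issued after the revocation, so a portal that caches an old CRL keeps accepting a revoked certificate.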

  10. LIR Portal use case • When a user logs in, she can choose either to use a certificate or login with a username/password pair

  11. What’s next
     • Database integration
     • X.509 mail authentication
     • Webupdates X.509 client-side authentication
     • PGP is not in practice possible via the web, so:
     • X.509 authentication will be the strongest mechanism for webupdates
     • Single sign-on between LIR Portal and webupdates

  12. Community involvement
     • Draft document available: http://www.ripe.net/ripe/draft-documents/pki-20030429.html
     • Comments are requested
     • After each milestone the project will be evaluated
     • Can take a different direction, or even stop completely

  13. tiago@ripe.net
