This overview of the PKI initiatives at Virginia Tech covers the six coordinated projects (infrastructure, integration, token administration system, policy, device selection, and documentation and communication), the VTCA design methodology, and a phased deployment built on a hierarchical CA architecture with an offline root and online subordinate CAs.
Overview of PKI@Virginia Tech
Secure Enterprise Technology Initiatives, e-Provisioning Group
Frank Galligan, frankg@vt.edu
Fed/Ed XV PKI Coordination Meeting, June 14, 2007
Background
• Secure Enterprise Technology Initiatives
  - eProvisioning Group
  - Technical support for university PKI initiatives
• Sponsorship for PKI initiatives
  - Vice President for Information Technology
  - Funding from the Executive Vice President
• Virginia Tech
  - Blacksburg, Virginia (southwestern VA)
  - Research university, ranked 56th in the US
  - 28,000 full-time students, the largest in VA
  - 7,000 faculty and staff: the PKI target group
  - Corporate Research Center: location of CC
VTCA Architecture
• Offline CA: Virginia Tech Root CA (4/10/2003)
• Online subordinate CAs: Server CA, Middleware CA, User CA; other CAs as needed
  - Dates shown for the three subordinate CAs: 4/10/2003, 7/23/2004, 9/20/2006
  - Certificates issued: 417, 105, 444
• Certificate types: Personal Certificates (Aladdin eToken), SSL Web Server Certificates, Middleware Certificates
PKI Project Structure
Six projects, a coordination challenge:
• Infrastructure
• Integration
• Token Administration System
• Policy
• Device Selection
• Documentation and Communication
VTCA Design Methodology
• Architecture: hierarchical model
• High assurance level: FIPS 140-2 Level 3 HSM
• Standards: PKCS, CryptoAPI, PC/SC, X.509 v3
• Commercial or open source: OpenCA 0.9.x
• Deployment model: phased, smart devices
• Scope: initially for internal use
• Administration roles: RA, CA, HSM, SYS, APP
• CP and CPS documents: PMA, RFC 2527
VT Personal Digital Certificates
• Token Administration System (TAS)
• Two-phase certificate enrollment process
  - Phase I: Registration Authority admin station
    • Applicant's Hokie ID is scanned to retrieve the LDAP record
    • Applicant provides two photo IDs for validation
    • Applicant creates a password for their eToken
  - Phase II: Certification Authority admin station
    • Applicant authenticates using their eToken password
    • TAS generates RSA keys onboard the eToken and creates a CSR
    • TAS sends the CSR to the User CA; the returned certificate is stored on the eToken
    • Applicant digitally signs the VT Usage Agreement
    • TAS automatically sends an email with instructions to the applicant
• eToken password resets, certificate revocation
PKI Integration
• Virginia Tech Personal Certificate Profile: encryption disabled
• VT PKI applications
  - Digitally signed leave reports / workflow
  - VPN authentication
  - S/MIME e-mail, MS Office Word and Excel, Adobe Acrobat
  - Client SSL authentication, CAS (Central Authentication Server)
• Other digital signature applications
  - Grant proposals
  - Travel vouchers
  - Various departmental forms
  - Phone bills
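As an added example (not part of this deck and not Virginia Tech's TAS or OpenCA code), the Go program below models the chain and profile described in the two slides above: an offline Root CA issues a User CA, the User CA issues a personal certificate from a CSR whose RSA key stands in for the pair generated on the eToken, and a relying-party check validates the chain and rejects any certificate whose key usage permits encryption. Certificate names, serials and the exact key-usage bits are assumptions; Go's crypto/x509 stands in for the CA software.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a one-day certificate for pub signed by the parent's key (nil parent: self-signed root; CertSign in ku marks a CA). Errors are ignored because every input here is constructed.
func issue(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil {
		parent = tmpl
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildHierarchy models the Root CA -> User CA -> personal certificate chain; tokenKey stands in for the RSA pair generated on the eToken, TAS wraps its public key in a CSR, and the User CA applies ku from its own profile, not from the request.
func BuildHierarchy(ku x509.KeyUsage) (root, userCA, personal *x509.Certificate) {
	newKey := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	rootKey, caKey, tokenKey := newKey(), newKey(), newKey()
	root = issue("Root CA (constructed)", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, &rootKey.PublicKey, rootKey)
	userCA = issue("User CA (constructed)", 2, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, root, &caKey.PublicKey, rootKey)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "Applicant"}}, tokenKey)
	csr, _ := x509.ParseCertificateRequest(csrDER)
	personal = issue(csr.Subject.CommonName, 3, ku, userCA, csr.PublicKey.(*rsa.PublicKey), caKey)
	return
}

// VerifyPersonal is the relying-party check: chain to the offline root through the User CA, then enforce the "encryption disabled" profile by rejecting any encipherment bit and requiring digitalSignature.
func VerifyPersonal(root, userCA, personal *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(userCA)
	if _, err := personal.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return err
	}
	if personal.KeyUsage&(x509.KeyUsageKeyEncipherment|x509.KeyUsageDataEncipherment) != 0 || personal.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return fmt.Errorf("key usage %#x violates the signing-only profile", personal.KeyUsage)
	}
	return nil
}
```

VerifyPersonal(BuildHierarchy(x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment)) returns nil, while the same call with x509.KeyUsageKeyEncipherment added to the profile returns an error even though the chain itself is valid.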
References
• Virginia Tech home page: www.vt.edu
• Virginia Tech PKI: www.pki.vt.edu
• Virginia Tech PDCs: www.pki.vt.edu/PDC
• Virginia Tech Certificate Policy: www.pki.vt.edu/rootca/cp
• Aladdin eToken news on Virginia Tech: www.aladdin.com/news/2006/etoken/Virginia_Tech.asp
• Personal Digital Certificates at Virginia Tech, Internet2 presentation: www.internet2.edu/presentations/fall06/20061204-PKIwksp-Dunker.htm