1 / 16

PKI in Higher Education: Dartmouth PKI Lab Update

PKI in Higher Education: Dartmouth PKI Lab Update. Internet2 Virtual Meeting 5 October 2001. Researchers. Dartmouth College Computer Science Institute for Security and Technology Studies Dartmouth College Computing Services David Nicol, Sean Smith: CS/ISTS Ed Feustel: ISTS

wyome
Download Presentation

PKI in Higher Education: Dartmouth PKI Lab Update

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PKI in Higher Education:Dartmouth PKI Lab Update Internet2 Virtual Meeting 5 October 2001

  2. Researchers • Dartmouth College Computer Science • Institute for Security and Technology Studies • Dartmouth College Computing Services • David Nicol, Sean Smith: CS/ISTS • Ed Feustel: ISTS • Robert Brentrup, Larry Levine: Computing Services • Yasir Ali, Alex Iliev, John Marchesini, Eileen Ye: CS Students • Shan Jiang, Evan Knop: Alumni • Lab Created 4Q2000 Internet2 Fall 2001 Meeting: HEPKI

  3. Dartmouth PKI Lab Objectives • Exploring how to effectively use public-key cryptography to build trusted information services in the real world. • Enable effective trust judgements, in systems that are heterogeneous on every level. • In users, roles, computer hardware and software, organizations, administrative domains, application contexts • What are the appropriate pieces of information for trust judgments in different contexts at different times? Internet2 Fall 2001 Meeting: HEPKI

  4. End to End Approach • Server • How do we establish foundation for this trust, when computation is vulnerable to insider attack? • Client • How can user tools enable effective trust judgments? • Infrastructure • How do we deploy and manage the certificates, keys, etc., that enables this trust communication • Applications • How can applications engage in PKI-based trust judgments? Internet2 Fall 2001 Meeting: HEPKI

  5. Status, October 2001 • Server • Trusted Third Parties, immune to insider attack • Private Information Retrieval (PIR) • Armored Vault • WebALPS • Client • Web/SSL/Certificate Spoofing • Requirements for Secure Web Client Internet2 Fall 2001 Meeting: HEPKI

  6. Status, October 2001 • Infrastructure • Setup COTS, open-source testbeds. LDAP • Campus PKI planning • PKI/Lite: Web Authn/Authz & S/MIME • S/MIME Private Key Server • Applications • Hardened Box Office • Web Application authentication/authorizatiolocal replacement • Voting (demo of WebAlps) Internet2 Fall 2001 Meeting: HEPKI

  7. Private Information Retrieval • Protecting query privacy from insider attack • Server that efficiently provides material to authorized users… • …so that the server operator learns nothing, not even statistics! • Domains with sensitive data • Health information, expensive research data Internet2 Fall 2001 Meeting: HEPKI

  8. Armored Vault • Protecting archived private material from insider attack • Prove to stakeholders that policy is followed • Prototype domain: network data • Archive is encrypted and bound to policy • Built with Snort and IBM 4758-2 Internet2 Fall 2001 Meeting: HEPKI

  9. WebALPS • Protecting SSL Web Servers from insider attack • SSL doesn’t help if armored pipe to cardboard box! • Move server end of SSL into securer co-processor • Built from Apache, OpenSSL and IBM 4758-2 Internet2 Fall 2001 Meeting: HEPKI

  10. Hardened Box Office • Protect operator from liability • Campus agents want to sell tickets, etc. online • Server operator wants to minimize risk of exposing private customer data • Uses WebALPS hardened server • Internal application catches customer data, then signs and encrypts for entity and e-mails it Internet2 Fall 2001 Meeting: HEPKI

  11. S/MIME Private Key Server • Protecting user private keys from insider attack and provides mobility • Problem: Web based e-mail offers client mobility… • … but adding PKI requires trusting the server with the private keys • Solution: uses WebALPS- hardened server • Generates, certifies, stores user keys… • … and applies them only when authorized by user • Neither bribery nor subpoena reveals the user keys! Internet2 Fall 2001 Meeting: HEPKI

  12. Client: Good Trust Judgements? • Web/SSL provides server identity, not attributes • URL? • Location bar information • SSL Icon? • SSL warning window? • Certificate information? • Status bar • www.cs.dartmouth.edu/~pkilab/demos/spoofing/ Internet2 Fall 2001 Meeting: HEPKI

  13. Client Research Questions • Should attributes attest to name of server, or content offered? • What are semantics of “independent windows”? • Who is really providing this service? • Which certificate is being used? Why? • What information does the server acquire about the user? • Requirements for “better” browser Internet2 Fall 2001 Meeting: HEPKI

  14. Infrastructure • Developing Familiarity with tools for application development • Defining strategies to setup and administer institution scale PKI environment • Interactions with Central LDAP directory • Tools to support Research projects • Compatibility testing of PKI vendors and client applications • Studies of end-user behavior, eg. Why passwords are shared • Research goal: real applications, solving real problems! Internet2 Fall 2001 Meeting: HEPKI

  15. Futures • PKI more than X.509 • SDSI/SPKI. PGP, XML... • Trust Judgment in Applications • Rights Management, expressions of policy • Critical Mass, academic community as prototype lab Internet2 Fall 2001 Meeting: HEPKI

  16. For More Information • www.cs.dartmouth.edu/~pkilab • Sean Smith • sws@cs.dartmouth.edu • Ed Feustel • efeustel@ists.dartmouth.edu • Robert Brentrup • Robert.J.Brentrup@dartmouth.edu Internet2 Fall 2001 Meeting: HEPKI

More Related