Скачать презентацию Improved Secure Communication System for RIPE NCC Members Скачать презентацию Improved Secure Communication System for RIPE NCC Members

c22a8d512fb25bba30f36b7635a5d66f.ppt

  • Количество слайдов: 13

Improved Secure Communication System for RIPE NCC Members Tiago Rodrigues Antao RIPE NCC tiago@ripe. Improved Secure Communication System for RIPE NCC Members Tiago Rodrigues Antao RIPE NCC [email protected] net Tiago Rodrigues Antao . RIPE 45, May 2003, Barcelona . http: //www. ripe. net 1

Outline • • • Objectives Introduction to PKI Roadmap Current status Next steps Tiago Outline • • • Objectives Introduction to PKI Roadmap Current status Next steps Tiago Rodrigues Antao . RIPE 45, May 2003, Barcelona . http: //www. ripe. net 2

How do we interact now? Very weak authentication, lack of confidentiality Very weak authentication How do we interact now? Very weak authentication, lack of confidentiality Very weak authentication RIPE NCC member [email protected] net Rev DNS Password authentication Not Unified Weak auth schemes with webupdates Tiago Rodrigues Antao . RIPE 45, May 2003, Barcelona LIR portal RIPE DB . http: //www. ripe. net 3

Objectives • Easy to use, faster interaction with RIPE NCC’s services • Stronger unified Objectives • Easy to use, faster interaction with RIPE NCC’s services • Stronger unified security mechanisms • Support for privilege/credentials management • Low deployment and maintenance costs for users • Optional for LIRs • Supported by industry-standards (X. 509 PKI) Tiago Rodrigues Antao . RIPE 45, May 2003, Barcelona . http: //www. ripe. net 4

Roadmap • Project presentation – RIPE 44 • LIR Portal, administrative system, infrastructure setup Roadmap • Project presentation – RIPE 44 • LIR Portal, administrative system, infrastructure setup • Database integration • Registration Services Tiago Rodrigues Antao . RIPE 45, May 2003, Barcelona . http: //www. ripe. net 5

A PKI primer • Infrastructure to support public key cryptography • Fundamental problem: Trust A PKI primer • Infrastructure to support public key cryptography • Fundamental problem: Trust a public key tie with an user. That is: This user says that his public key represents LIR zz. example, is this true? • X. 509 PKI based solutions use a centralised approach: there is an entity that certifies that a certain tie is trustable – The Certificate Authority • After having a certificate the user can use it to authenticate herself and pursue secure (authenticated, encrypted and non-reputable) communications with the other party Tiago Rodrigues Antao . RIPE 45, May 2003, Barcelona . http: //www. ripe. net 6

A PKI primer – the NCC way • RIPE NCC developed and operates a A PKI primer – the NCC way • RIPE NCC developed and operates a Certificate Authority • Caveat: The certificates issued by the RIPE NCC are only to be trusted by the RIPE NCC. LIRs cannot use them to communicate with other parties, so … • The PKI is used not for its certification merits, but as a standard, universally available technology mechanism for secure communication Tiago Rodrigues Antao . RIPE 45, May 2003, Barcelona . http: //www. ripe. net 7

Current implementation • Infrastructure for the management of certificates by LIRs. This management can Current implementation • Infrastructure for the management of certificates by LIRs. This management can be done via the LIR Portal. • First use case: Logging into the LIR Portal… • … As an alternative to username/password pair • … No benefits of unification are shown (still only one service) Tiago Rodrigues Antao . RIPE 45, May 2003, Barcelona . http: //www. ripe. net 8

Certificate management cycle Request certificate Certificate for key linked with LIR ID Certificate Authority Certificate management cycle Request certificate Certificate for key linked with LIR ID Certificate Authority LIR Portal Revocation request Certificate is included Request a certificate in the Certificate Revocation List (CRL) Send browser form Send public key Certificate RIPE NCC never sees the private key LIR User Certificate Some time later the user wants to revoke the certificate… Tiago Rodrigues Antao . RIPE 45, May 2003, Barcelona . http: //www. ripe. net 9

LIR Portal use case • When a user logs in, she can choose either LIR Portal use case • When a user logs in, she can choose either to use a certificate or login with a username/password pair Tiago Rodrigues Antao . RIPE 45, May 2003, Barcelona . http: //www. ripe. net 10

What’s next • Database integration – X. 509 mail authentication – Webupdates X. 509 What’s next • Database integration – X. 509 mail authentication – Webupdates X. 509 client-side authentication • PGP is not in practice possible via the web, so: • X. 509 authentication will be the strongest mechanism for webupdates – Single sign-on between LIR Portal and webupdates Tiago Rodrigues Antao . RIPE 45, May 2003, Barcelona . http: //www. ripe. net 11

Community involvement • Draft document available http: //www. ripe. net/ripe/draft-documents/pki-20030429. html – Comments are Community involvement • Draft document available http: //www. ripe. net/ripe/draft-documents/pki-20030429. html – Comments are requested • After each milestone the project will be evaluated – Can take a different direction, or even stop completely Tiago Rodrigues Antao . RIPE 45, May 2003, Barcelona . http: //www. ripe. net 12

tiago@ripe. net Tiago Rodrigues Antao . RIPE 45, May 2003, Barcelona . http: //www. [email protected] net Tiago Rodrigues Antao . RIPE 45, May 2003, Barcelona . http: //www. ripe. net 13