Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004
Dartmouth PKI Lab • R&D to make PKI a practical component of a campus network • Dual objectives: – Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere). – Improve the current state of the art. • Identify security issues in current products. • Develop solutions to the problems. • Sponsored by the Mellon Foundation, Cisco, Intel, Sun Labs, HP Labs, NSF, DHS, Intenet 2/AT&T, IBM Research
PKI Objectives • Provide Authentication Alternative – Ease of use important – Similar security is adequate • Don’t transmit passwords, directory enabled – Scale as rapidly as possible • Additional Applications PKI enables – Secure Mail – Document Signing • Find out what was possible once infrastructure was available
PKI Implementation • Commercial CA Software (Sun/i. Planet) • Sun 250 server • Single Online CA Server – Hardware Key Storage – Dedicated Firewall – Publishes CRLs and provides OCSP
Simple Policies • Identification required for employment or matriculation • Maintained from Institutional Systems – SIS, HR, Sponsored Guests • LDAP Directory Authorization • Self Service • One year validity range – Also Temporary Certificate option • Balance Complexity with Security needs
User Enrollment • Key Generation by Web Browser – Internet Explorer and Netscape/Mozilla • Cross platform – Software Key and Certificate Storage – USB Token option for better key protection and mobility – Increasing emphasis on Tokens and in-person registration
LDAP Directory • Automated Addition and Deletion – New Persons added through normal procedures – Persons leaving removed in one month – Used for simple authorization checks • CA Publishes Certificates and CRLs to LDAP – As revoked and refreshed weekly
Production Applications • Web Services Authentication – Student Information System – Library Journals – Business School Portal – Software Downloads – Course Management System (Blackboard) • SSL for IMAP Servers • VPN Authentication
Pilot Applications • Shibboleth Authentication • Hardware Key Storage (Aladdin USB Tokens) – Distribute to Incoming Class • Secure Mail and List Server • Document Signatures – Acrobat, Office, XML (NIH) • • Wireless Network Authentication High Assurance VPN Access Application and OS Sign-on with Tokens Grids
PKI Deployment Timeline • • Planning late 2001 Staffing Jan - April 2002 HW/SW Acquisition began Feb 2002 CA Installation began June 2002 Test CA available Sept 2002 Production CA available Jan 2003 First Applications – Library Jun 2003, Banner Aug 2003
Certificates Issued • On April 15, 2004 – 1542 Certificates Issued – 749 Unique Individuals – 542 Students (10%) – 207 Faculty and Staff (8%) – 68 Servers, Network Devices and CMS Admin • On July 14, 2004 – 1819 Certificates Issued – 885 Unique Individuals
Devices with Certificates • Web Server Certificates (18) – Sponsored Research System (SRS) – Bio-Informatics – Eng. Course evaluation system – Letters of Evaluation On-line (LEO) – Computing Services Internal
Devices with Certificates • • Mail Servers (8) Sympa List Server (S/MIME) VPN Concentrators (2) Grids (2) – f. MRI, Physics • Directory Servers (5) – LDAP, Active Directory
Rollout Activities • Integrated user documentation on web, software downloads • Support staff training and early adopters • Add PKI functionality in System Updates • Offer PKI as first authentication option • Kerberos authentication error messages suggest PKI alternative • PKI Configuration and SW on Disk images, for public computers and new purchases
Issues • Application owners rightfully cautious – Displacing a system that worked well in the past – Support has proven to not be a burden – Has solved existing problems • Time available for new applications is limited • OS and client PKI support evolving • Inter-institutional infrastructure just starting to appear
Research Projects • Guest Authentication to Secure Wireless Network • Open Source CA software – Installation, Packaging, Features • Secure Hardware Applications – TPM and IBM 4758 – Enforcer - Secure Linux Kernel • (available at http: //enforcer. sourceforge. net)
Future Directions • Move more advanced applications into production • Evolve infrastructure to match security needs of application • Universal local participation is a goal • Inter-institutional / Government e-Business
For More Information • Dartmouth Support Web: www. dartmouth. edu/~pki • Dartmouth PKI Lab: www. dartmouth. edu/~pkilab • PKI Outreach web: www. dartmouth. edu/~deploypki Robert. J. Brentrup@dartmouth. edu Mark. Franklin@dartmouth. edu
Скачать презентацию Dartmouth PKI Deployment Robert Brentrup PKI Summit July
d4df3f094795279baf9381e86895a4db.ppt