- Number of slides: 14
Dartmouth PKI Update
Robert Brentrup
Internet2 Member Meeting, April 21, 2004
Dartmouth PKI Lab
• R&D to make PKI a practical component of a campus network
• Dual objectives:
  – Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).
  – Improve the current state of the art.
    • Identify security issues in current products.
    • Develop solutions to the problems.
• Sponsored by the Mellon Foundation, Internet2/AT&T, NSF, DHS, Cisco, HP Labs, IBM Research
PKI Implementation
• Commercial CA Software (Sun/iPlanet)
• Sun 250 server
• Single Online CA Server
  – Hardware Key Storage
  – Dedicated Firewall
  – Publishes CRLs and provides OCSP
LDAP Directory
• Maintained from Institutional Systems
  – SIS, HR, Sponsored Guests
• Automated Addition and Deletion
• CA Publishes Certificates and CRLs to LDAP
User Enrollment
• Key Generation by Web Browser
  – Internet Explorer and Netscape/Mozilla
• Cross platform
  – Software Key and Certificate Storage
• LDAP authorization, self-service
Production Applications
• Web Services Authentication
  – Student Information System
  – Library Journals
  – Business School Portal
  – Software Downloads
  – Course Management System (Blackboard)
• SSL for IMAP Servers
• VPN Authentication
Pilot Applications
• Shibboleth Authentication
• Hardware Key Storage (USB Tokens)
• Secure Mail and List Server
• Document Signatures
  – Acrobat, Office, XML (NIH)
• Wireless Network Authentication
• Application and OS Sign-on with Tokens
• Grids
PKI Deployment Timeline
• Planning late 2001
• Staffing Jan - April 2002
• HW/SW Acquisition began Feb 2002
• CA Installation began June 2002
• Test CA available Sept 2002
• Production CA available Jan 2003
• First Applications
  – Library Jun 2003, Banner Aug 2003
Certificates Issued
• On April 15, 2004
  – 1542 Certificates Issued
  – 749 Unique Individuals
  – 542 Students (10%)
  – 207 Faculty and Staff (8%)
  – 68 Servers, Network Devices and CMS Admin
Devices with Certificates
• Web Server Certificates (18)
  – Sponsored Research System (SRS)
  – Bio-Informatics
  – Eng. Course evaluation system
  – Letters of Evaluation On-line (LEO)
  – Computing Service Internal
Devices with Certificates
• Mail Servers (8)
• Sympa List Server (S/MIME)
• VPN Concentrators (2)
• Grids (2)
  – fMRI, Physics
• Directory Servers (5)
  – LDAP, Active Directory
Rollout Activities
• Integrated user documentation on web, software downloads
• Support staff training and early adopters
• Add PKI functionality in System Updates
• Offer PKI as first authentication option
• Kerberos authentication error messages suggest PKI alternative
• PKI Configuration and SW on Disk images, for public computers and new purchases
Research Projects
• Guest Authentication to Wireless Network
• Open Source CA software
  – Installation, Packaging, Features
• Secure Hardware Applications
  – TPM and IBM 4758
  – Enforcer - Secure Linux Kernel
    • (available at http://enforcer.sourceforge.net)
For More Information
• Dartmouth Support Web: www.dartmouth.edu/~pki
• Dartmouth PKI Lab: www.dartmouth.edu/~pkilab
• PKI Outreach web: www.dartmouth.edu/~deploypki
Robert.J.Brentrup@dartmouth.edu