- Number of slides: 26
Interworking Public-Key Certification Infrastructures for Commerce, Administration and Research (ICE-CAR)
Wolfgang Schneider, schneider@gmd.de

Partners: GMD, Darmstadt; SECUDE, Darmstadt; UCL, London; MessageDirect, London; SSE, Dublin; SETECS, Stockholm; Entrust, Zürich; IAIK, Graz; Politecnico Torino; CCI, Meppen; U Salford, Manchester; Uni-C, Copenhagen; Uninett, Trondheim; FCR, Barcelona; IJS, Ljubljana
Scope of this presentation
- Objectives
- Applications
- Security Technology
- Major Achievements
- Next Steps
- Conclusions
ICE-CAR Objectives
- Promote technically compatible and interconnectable Public-Key Infrastructures for different applications
- Foster development of European security technology for e-commerce, intra-organisation communication, research, administration and health care applications
- Develop and deploy interoperable security technology components
- Support real PKI applications and end users
- Participation in the IETF standardisation
ICE-CAR Applications
- PK technology in the German health care system
- Certification infrastructure for the European R&D
- Secured internet applications with PKIs for the city administration of Torino and other Italian cities (Torino 2000)
- CA for SMEs in Greater Manchester
- CA services of the PTA in Austria
- Secure multimedia conferencing (with MECCANO)
- Secured directory at the British DRA
ICE-CAR Security Technology
- CA tools, S/MIME e-mail clients, desktop security and security toolkits from Entrust, SECUDE and SSE
- LDAP/X.500 Enterprise Directory Server and Web to LDAP/X.500 Access Server from MessageDirect
- Java crypto toolkit, Java SSL 3.0 and Java S/MIME tools from IAIK
- CA servers, cardholder wallet, merchant servers and payment gateway for SET from SETECS
- Secured video and audio tools from UCL
ICE-CAR Partners
The 15 partners from 10 countries are a mixture of industrial, research institute and academic organisations, broadly grouped into three categories:
- security technology providers
- certification infrastructure service providers
- partners providing applications
ICE-CAR Partners
(Map of partner sites: Uninett, SETECS, SSE, Uni-C, U Salford, IC, UCL, Entrust, CCI, DFN, GMD, SECUDE, IAIK, Polito, IJS, FCR)
PKI for the European R&D
- Certification infrastructure based on X.509 v3 has been established in most participating countries
- Certification hierarchy with a European top (at Uni-C) and national CAs, but other structures can be supported
- Accessible through e-mail and WWW
Torino 2000 Security
- The Torino 2000 project will provide citizens and communal administrations with internet-based communication tools; they need security, which ICE-CAR will provide
- Uses IP over ATM/ISDN
- The application chosen is the building-licence application at the municipality
- Needs standard tools for web document exchange and secured e-mail
- Piloting with ICE-CAR tools ongoing
Torino 2000 Security
- National PKI and security support center:
  - the cities of Modena and Rome
  - EETIC (European Entrepreneurs Telematics Initiative Committee)
  - public PKI with LDAP and TSA
- Within the Torino 2000 project, digital administration at Politecnico di Torino:
  - for students
  - for staff
  - for researchers
Torino 2000 Security
- Every user will have a smart card and an X.509 public-key certificate
- Interface via PKCS#11
- Messages via S/MIME
- On-line services via SSL-based Web, with authorisations handled on the basis of the X.509 certificate
- Public-key computer authentication (NT domain logon, Unix SSL-telnet and SSL-ftp)
German Health Care Security
(Diagram: data flows in the German health care system between dentists, hospitals, pharmacies and other health care providers, the KZV/KZBV and KV/KBV associations, KV Hessen, computer centers (ARZ, KK-RZ, co-operation computer center), the clearing center and the health insurances (KK), annotated with traffic shares of 10% to 100%; copyright ITSG GmbH, 11.09.96)
German Health Care Security
(Diagram: certification flow between the Health Care Provider, the Clearing Center of the public health insurances and the ITSG TrustCenter; labelled messages: certification request, written request and printed public key fingerprint, confirmation, X.509 certificate)
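The diagram above only labels the messages exchanged; the following is an added example (not ITSG or ICE-CAR code) of one reading of that flow, in which the Trust Center issues a certificate only once the key in the electronic request matches the fingerprint printed on the written request that the clearing center has confirmed. The SHA-256 fingerprint format, the `TrustCenter` class and the sample key bytes are assumptions for the demonstration; the slide names no algorithm.

```python
"""Out-of-band confirmation of a certification request (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


def fingerprint(public_key_der: bytes) -> str:
    """Fingerprint as printed on the written request.

    Assumption: SHA-256 over the DER-encoded public key, upper-case hex,
    colon separated. The slide does not name the algorithm used by ITSG.
    """
    digest = hashlib.sha256(public_key_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class CertRequest:
    """Electronic certification request sent by the health care provider."""
    subject: str
    public_key_der: bytes


@dataclass
class WrittenRequest:
    """Paper form carrying the printed fingerprint, checked by the clearing center."""
    subject: str
    printed_fingerprint: str


class TrustCenter:
    """Issues a certificate only when both channels agree on the key."""

    def __init__(self) -> None:
        self.pending: Dict[str, CertRequest] = {}
        self.confirmed: Dict[str, str] = {}   # subject -> fingerprint vouched for on paper
        self.issued: Dict[str, str] = {}      # subject -> placeholder certificate text

    def receive_request(self, req: CertRequest) -> None:
        self.pending[req.subject] = req

    def receive_confirmation(self, wr: WrittenRequest) -> None:
        # Arrives from the clearing center after it has checked the written request.
        self.confirmed[wr.subject] = wr.printed_fingerprint.strip().upper()

    def issue(self, subject: str) -> Optional[str]:
        req = self.pending.get(subject)
        paper_fp = self.confirmed.get(subject)
        if req is None or paper_fp is None:
            return None   # one of the two channels is still missing
        if fingerprint(req.public_key_der) != paper_fp:
            return None   # electronic key is not the one vouched for on paper
        cert = f"cert(subject={subject}, keyfp={paper_fp[:8]}...)"  # placeholder, not a real X.509 encoding
        self.issued[subject] = cert
        del self.pending[subject]
        return cert


# Constructed sample key material: a stand-in for a DER-encoded public key.
PROVIDER_KEY = b"constructed-public-key-of-praxis-example"
OTHER_KEY = b"constructed-public-key-that-was-never-vouched-for"


def demo(electronic_key: bytes, paper_key: bytes) -> Optional[str]:
    """Run the flow for one subject and return the certificate or None."""
    tc = TrustCenter()
    tc.receive_request(CertRequest("Praxis Example", electronic_key))
    tc.receive_confirmation(WrittenRequest("Praxis Example", fingerprint(paper_key)))
    return tc.issue("Praxis Example")


if __name__ == "__main__":
    print("matching channels  :", demo(PROVIDER_KEY, PROVIDER_KEY))
    print("mismatching channels:", demo(OTHER_KEY, PROVIDER_KEY))
```

The value of the second channel is that a request arriving only electronically never results in a certificate, and a request whose key does not match the paper fingerprint is rejected rather than silently certified.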
CA for SMEs in Greater Manchester
- Have set up a CA using Entrust technology
- Working with Manchester Training and Enterprise Council and Chamber of Commerce
- Trying to encourage Small and Medium Sized Enterprises to use the Internet for business data
- Difficult task, as SMEs:
  - are usually short of time, money and expertise
  - believe the Internet is OK as it is, or would never use it
- Once you get an early adopter it is still difficult, as he then needs to persuade his business partners to sign up as well (cf. Queen Victoria and the telephone)
Secure Directory
- Guardian DSA is an application proxy that sits in an organisation's firewall
- Filters traffic at the application level, i.e. the LDAP, DSP and DISP protocols
- Makes it safe to allow external users to access certificates and CRLs without compromising any other directory information, or to replicate a portion of the corporate directory to an external site
Secure Directory
(Diagram: interconnectivity of directories with fully filtered access via an application proxy; the organisation's directory server on the trusted organisation network, the Guardian DSA directory application proxy in the organisation's firewall, and the untrusted Internet outside)
Secure Directory
Pilot Sites
- Sheffield Health Authority want to inter-connect the hospital directory to the social services directory held by the local council
- Ministry of Defence: highly secure. They want to replicate a subset of directory information outside the organisation's firewall so no external users can gain access to the internal directory. Will test the replication filtering (DISP)
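The two behaviours described on the Secure Directory slides (external lookups limited to certificates and CRLs, and a replicated subset that can safely live outside the firewall) can be modelled in a few lines. The following is an added example, not ICE-CAR or MessageDirect code: the attribute policy, the `GuardianProxy` class, the sample directory entries and the subtree names are constructed for the demonstration, and the real protocols (LDAP, DSP, DISP) are not parsed, only the filtering decision is shown.

```python
"""Application-level directory filtering in the spirit of the Guardian DSA (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Attributes the proxy exposes to the untrusted side (assumed policy; the real
# Guardian DSA policy is configurable and not described on the slide).
PUBLIC_ATTRS = frozenset({
    "usercertificate", "cacertificate", "certificaterevocationlist",
    "authorityrevocationlist", "crosscertificatepair",
})


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]]


@dataclass
class SearchRequest:
    base_dn: str
    attributes: List[str]   # empty list means "all user attributes", as in LDAP


@dataclass
class Decision:
    entries: List[Entry]
    audit: List[str] = field(default_factory=list)   # lines a defender would log


def _norm(name: str) -> str:
    return name.strip().lower()


def _in_subtree(dn: str, base: str) -> bool:
    return _norm(dn) == _norm(base) or _norm(dn).endswith("," + _norm(base))


class GuardianProxy:
    """Sits between the untrusted network and the internal directory server."""

    def __init__(self, directory: List[Entry], allowed=PUBLIC_ATTRS) -> None:
        self.directory = directory
        self.allowed = frozenset(_norm(a) for a in allowed)

    def _project(self, entry: Entry, wanted: Set[str]) -> Optional[Entry]:
        # Keep only public attributes, and only the requested ones if any were named.
        keep = {a: v for a, v in entry.attrs.items()
                if _norm(a) in self.allowed and (not wanted or _norm(a) in wanted)}
        # An entry with nothing public left is not returned at all, so the
        # untrusted side cannot even learn that it exists.
        return Entry(entry.dn, keep) if keep else None

    def handle(self, operation: str, req: Optional[SearchRequest] = None) -> Decision:
        """Only read-only searches are forwarded; every other operation is refused."""
        if operation != "search" or req is None:
            return Decision([], [f"refused {operation} from untrusted side"])
        audit: List[str] = []
        wanted = {_norm(a) for a in req.attributes}
        denied = sorted(wanted - self.allowed)
        if denied:
            audit.append(f"stripped non-public attributes {denied} from query on {req.base_dn}")
        results = []
        for e in self.directory:
            if _in_subtree(e.dn, req.base_dn):
                projected = self._project(e, wanted)
                if projected is not None:
                    results.append(projected)
        return Decision(results, audit)

    def shadow(self) -> List[Entry]:
        """Replication subset (DISP-style) that is safe to copy outside the firewall."""
        return [p for p in (self._project(e, set()) for e in self.directory) if p is not None]


# Constructed sample directory; certificate and CRL values are placeholders, not real DER.
DIRECTORY = [
    Entry("cn=Alice,ou=people,o=example", {
        "cn": ["Alice"], "telephoneNumber": ["+49 6151 000000"],
        "userPassword": ["{SSHA}placeholder"], "userCertificate": ["<DER cert of Alice>"],
    }),
    Entry("cn=Bob,ou=people,o=example", {"cn": ["Bob"], "mail": ["bob@example.org"]}),
    Entry("cn=Example CA,ou=ca,o=example", {
        "cn": ["Example CA"], "cACertificate": ["<DER CA cert>"],
        "certificateRevocationList": ["<DER CRL>"],
    }),
]

if __name__ == "__main__":
    proxy = GuardianProxy(DIRECTORY)
    for decision in (proxy.handle("search", SearchRequest("o=example", [])),
                     proxy.handle("search", SearchRequest("ou=people,o=example",
                                                          ["userPassword", "userCertificate"])),
                     proxy.handle("modify")):
        for e in decision.entries:
            print(e.dn, sorted(e.attrs))
        for line in decision.audit:
            print("AUDIT:", line)
```

Two design points carry over from the slide: the filter acts on the protocol content rather than on ports, so a query naming `userPassword` comes back with that attribute stripped and an audit line written, and Bob, who has no certificate, is invisible to the outside entirely. The `shadow()` subset is the same projection applied to the whole tree, which is what the Ministry of Defence pilot wants to replicate outside the firewall.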
Secure Conferencing
Mbone Conferencing
- Have conference tools: RAT (audio), Vic (video), NTE (shared editor) and WB (shared workspace)
- Start tools with SDR (Session Directory tool), which enters the SD parameters; SDR acquires the SD parameters by Session Announcement (SAP), Session Invitation (SIP), or even from a depository
Secure Conferencing
- All tools use encrypted streams
- Session Encryption Keys (SEKs) are distributed with, and as part of, the SD parameters
- SD parameters are distributed encrypted and processed by Secured SDR (SSDR), which:
  - authenticates and encrypts SD parameters
  - sends SD parameters via SAP, SIP or depository
  - acquires, decrypts and authenticates SD parameters and starts the conference tools
Secure Conferencing
Current Status
- Tools use only DES for encrypting streams; the DES key is entered from the command line or from SDR
- Secure SDR uses only Secured SAP, with:
  - PGP encoding of SD parameters with the originator's private key for authentication
  - PGP encryption of SD parameters with the group public-key pair for confidentiality
  - out-of-band secure distribution of the public/private group key pair
Secure Conferencing
Next steps
- Use X.509 encoding and the ICE-CAR certification infrastructure for SDR security operations
- Use secured SIP for distributing SD parameters
- Use secured directories and Web stores from partners as depositories for SD parameters; will need encrypted/signed repository access
- Automate operations for managing groups; will use smart cards to help automate operations
- Investigate IPSEC for media streams
Support of CEEC countries
- Training and support programme for Central and Eastern European countries
- One-week technical workshop on security in May next year, together with NATO
Major Achievements
- Certification services began in most participating countries, based on WWW and e-mail
- Improved security toolkits available commercially for Unix and Windows 95/NT
- Improved CA tools available commercially
- Various security components available commercially (e-mail plug-ins, directory components, WWW components, Java implementations)
- Piloting with these tools ongoing
- Several European projects are using our technology
Conclusions
- ICE-TEL providing infrastructure, but also end user tools and tools for end user applications
- Users clearly need three different things, which ICE-TEL is going to provide:
  - security toolkits for large own applications
    - e.g. secured SAP R/3 with ICE-CAR technology
    - e.g. data exchange in the German health care system
  - CA tools to build up their own infrastructure
    - e.g. German Federal Government
    - e.g. German health care system
  - end user tools and security plug-ins for standard tools
http://ice-car.darmstadt.gmd.de