  • Number of slides: 14

NASA PKI for PKI FORUM
Presenters: Paul Ma, NASA-Ames Research Center
pma@mail.arc.nasa.gov
650-604-3586
3/6/2000 Applied IT Division

Outline
Background Information on Information Technology Security Development Group (ITSDG)
NASA PKI Deployment Plan
– Objectives and Scope
NASA Public Key Infrastructure (PKI)
– PKI Components
– NASA PKI Components and Architecture
NASA Issues for the PKI Forum

NASA has 11 major Centers distributed all over the United States:
– Ames Research Center (ARC) at Moffett Field, CA
– Dryden Flight Research Center (DFRC) at Southern CA
– Glenn Space Flight Center (GRC) at Cleveland, OH
– Goddard Space Flight Center (GSFC) at Greenbelt, MD
– Jet Propulsion Laboratory (JPL) at Pasadena, CA
– Johnson Space Center (JSC) at Houston, TX
– Kennedy Space Center (KSC) at Cape Canaveral, FL
– Langley Research Center (LaRC) at Hampton, VA
– Marshall Space Flight Center (MSFC) at Huntsville, AL
– Stennis Space Center (SSC) at Bay St. Louis, MI

Principal Center for IT Security
[Organization chart. Labels recovered from the slide:]
– GSFC IT Security Notifications, Incident Coordination & Response Expert Center
– MSFC IT Security Networks & Communications Expert Center
– JPL IT Security Systems & Applications Expert Center
– ARC IT Security Development Expert Center (ITSDG)
– GRC
– IT Security Training and Awareness
– Activity labels, in slide order: Incident(s) Identification Curriculum Requirements Network Audit Tools Architecture Planning Intrusion Tracking IT Security Workshops Firewalls Application Security Enabling Applications Response Teams IT Security Awareness Internet Security Req. Virus Detection Threat Evaluate On-Line Courses Incident Tracking Tools WWW Secure Applications Threat Resolution ITS Technical Training Monitoring & Testing Secure O/S Configurations IT Security Tools WorkFlow Secure Processes Secure Video Conferences Crypto-Technology Demonstrations Liaison System Testing Tools

NASA PKI Deployment Plan
Objectives
– To implement a public key infrastructure that contains the following components:
» A common NASA directory or repository for certificates
» A certificate authority (CA)
» Agents of the CA, registration authorities (RA)
» Policies to guide the operation of the PKI

PKI Deployment Plan
Scope
– Establishing one central CA located at ARC and RA at ARC
– Assist the setup of RAs at other Centers
– Providing PKI services to secure sensitive but unclassified electronic information
– Creating documents for CA operation: Certificate Policy Statement, Certificate Practice Statement, and Security Plan
– Implementing security mechanisms and procedures for secure CA operation
– Establishing a disaster recovery plan
– Establishing a technical support service

NASA PKI Components
The NASA PKI services are provided by:
– Certification Authority (CA) – Ames manages the NASA CA. The software used is Entrust Technologies’ Entrust Infrastructure version 4.0.
– Registration Authority (RA) – Each NASA Center manages its own RA operation using Entrust Technologies’ Administration Software.
– Certificate Repository – Certificates are stored in the existing NASA X.500 infrastructure.
– Policy – NASA’s policies are defined in the X.509 Certificate Policy for NASA PKI and the NASA Certification Authority Certification Practice Statement.

NASA PKI Architecture
[Architecture diagram. Labels recovered from the slide:]
– Certificates are stored here
– RAs send requests for certificates to the CA
– Center RA
– NASA Center
– Certificates are managed by the CA
– Entrust Authority (Entrust CA) Main System, Ames
– Backup Data
– Entrust Authority (Entrust CA) Backup System, MSFC

User Access
End users retrieve certificates from the distributed directories for use by their PKI-enabled applications.
End users access the CA during certificate creation/recovery/update operations.
[Diagram labels: ARC, MSFC, DFRC, JSC, NASA, GSC, GSFC, KSC, JPL, LaRC, HQ, SSC; USER COMMUNITY; Entrust Authority (Entrust CA) Main System, Ames]

PKI Status
Secure CA at ARC and backup CA at MSFC have been tested and have been operational.
Seven Centers have passed the ORR Audit.
2 Centers need more documentation before the final ORR approval.
2 more Centers are preparing for the ORR.
Currently we are hoping to finish the ORR by the end of March, provided the Centers are ready.

NASA Applications
[Diagram: applications built on the NASA PKI]
– Secure E-Mail
– Secure E-Forms
– Secure Networking
– Secure Web
– Secure File Transfer
– Secure Desktop
– Secure E-Grant
– Secure Remote Access

Information Integrity: Key To A Safe Free-Flight Airspace System

NASA Issues
Interoperability between CAs, e-mail applications (Eudora and MS Exchange/Outlook)
Directory Service was a major problem internally
Policy issues gave us as much trouble as, or more trouble than, technical issues
– export, auditing, archiving, license tracking, etc.
– how to deal with external partners

Issues for PKI Forum
PKI Forum needs to deal with scalability issues as well as interoperability issues
– Heavy client
– Directory lookup
– CRL distribution
How is PKI going to deal with all the millions of IPSec devices that are coming that require security?