UPKI: Inter-University Authentication and Authorization Platform for Japanese Cyber-Science Infrastructure
Yasuo OKABE, Academic Center for Computing and Media Studies, Kyoto University
[email protected] (kyoto-u.ac.jp)
Information Infrastructure Centers in the Seven Universities in JAPAN
• Hokkaido University Information Initiative Center (Sapporo)
• Tohoku University Information Synergy Center (Sendai)
• University of Tokyo Information Technology Center (Tokyo)
• Nagoya University Information Technology Center (Nagoya)
• Kyoto University Academic Center for Computing and Media Studies (Kyoto)
• Osaka University Cybermedia Center (Osaka)
• Kyushu University Computing and Communications Center (Fukuoka)
• National Institute of Informatics (NII)
Brief history of the federation among the Centers
• 1968–69: Established as supercomputer centers for nation-wide service
• 1981: Connected by commercial X.25 service
• 1986: Dedicated interuniversity X.25 network service was started by NACSIS (predecessor of NII)
• 1988: JAIN (Japan Academic Interuniversity Network) project started (IP over X.25)
• 1992: SINET, the academic Internet backbone service, was started by NACSIS
• 2002: Operation of SuperSINET was started
• 2003: NAREGI (National Research Grid Initiative) project started
• Federated Identity Management (～2004): unified ID; online subscription to secondary centers
NII: Toward Cyber-Science Infrastructure
Next-generation academic information infrastructure for interuniversity collaboration: the Cyber-Science Infrastructure, built on SINET/SuperSINET, the national academic Internet backbone connecting NII and the seven universities (Hokkaido, Tohoku, Tokyo, Nagoya, Kyoto, Osaka, Kyushu).
• GeNii (Global Environment for Networked Intellectual Information)
• NII-REO (Repository of Electronic Journals and Online Publications)
• UPKI: Authentication and Authorization Platform
• NAREGI (National Research Grid Initiative)
Fundamental resources for academic and research activities; education and training / encouraging young talent; international collaboration; cooperation with industry.
UPKI: concept
Authentication and Authorization platform for Cyber-Science Infrastructure in Japan. Targets various applications:
• SSO of Web services
• Network services: wireless LAN roaming, VPN, public IP phone/Web terminals
• Grid computing
Utilization of PKI.
UPKI: project members
NII SINET Headquarters, Authentication and Authorization Working Group:
• Yasuo Okabe, Kyoto University (chair)
• Noboru Sonehara, NII (vice chair)
• Yoshiaki Takai, Hokkaido University
• Hideaki Sone, Tohoku University
• Hiroyuki Sato, University of Tokyo
• Yasushi Hirano, Nagoya University
• Shinji Shimojo, Osaka University
• Takahiro Suzuki, Kyushu University
• Satoshi Matsuoka, Tokyo Institute of Technology
• Setsuya Kawabata, KEK
Authentication for campus wireless LAN (diagram)
Prof. A of Hokkaido Univ. registers with the campus RA and is issued a certificate by the campus CA; the certificate and private key are kept on a PKI token. On the campus public wireless LAN, the access point and the user perform mutual certificate-based authentication, and the campus LAN then handles authentication and authorization. Roaming service: when Prof. A visits another university, that campus validates the certificate through the NII bridge CA, which cross-certifies the campus CAs with policy mapping, and the NII repository.
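The roaming case on this slide turns on one mechanism: a relying party at the visited university must accept a certificate issued by another university's CA without a central CA, by building a path through the bridge CA and translating assurance policies through the cross-certificates' policy mappings. The following Python model is an added illustration, not code from the UPKI project or the NAREGI CA; the CA names, the policy identifiers (`kyoto:medium`, `bridge:medium`, `hokkaido:medium`) and the cross-certificates are constructed for this example, and certificate signatures and revocation are deliberately left out so the path and policy logic stands alone.

```python
"""Certification path building with policy mapping through a bridge CA.

Added illustration with constructed data (not UPKI or NAREGI code): a relying
party at Kyoto decides whether to accept a certificate issued by the Hokkaido
campus CA, reaching it via the bridge CA instead of a single central CA.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    policies: frozenset      # policy identifiers asserted in certificatePolicies
    mappings: tuple = ()     # (issuer-domain policy, subject-domain policy) pairs, cross-certs only


def build_path(certs, trust_anchor, end_entity):
    """Breadth-first search from the relying party's trust anchor to the end-entity
    certificate, following issuer -> subject edges of the cross-certificates.
    Returns the certificates on the path (anchor excluded), or None if none exists."""
    by_issuer = {}
    for cert in certs:
        by_issuer.setdefault(cert.issuer, []).append(cert)
    queue = deque([(trust_anchor, [])])
    seen = {trust_anchor}    # bridges cross-certify in both directions; do not loop
    while queue:
        name, path = queue.popleft()
        for cert in by_issuer.get(name, []):
            if cert == end_entity:
                return path + [cert]
            if cert.subject not in seen:
                seen.add(cert.subject)
                queue.append((cert.subject, path + [cert]))
    return None


def map_policy(path, required_policy):
    """Walk the path, translating the relying party's required policy through each
    cross-certificate's policy mappings. Every certificate must assert the policy
    current at that point; returns the equivalent policy in the end entity's
    domain, or None if some certificate on the path does not carry it."""
    policy = required_policy
    for cert in path:
        if policy not in cert.policies:
            return None
        policy = dict(cert.mappings).get(policy, policy)
    return policy


def authorize_visitor(certs, trust_anchor, end_entity, required_policy):
    """Path building plus policy processing: returns (path subjects, mapped policy)
    when the visitor's certificate is acceptable under required_policy, else None."""
    path = build_path(certs, trust_anchor, end_entity)
    if path is None:
        return None
    policy = map_policy(path, required_policy)
    if policy is None:
        return None
    return [cert.subject for cert in path], policy


# Constructed sample PKI: two campus CAs joined through a bridge CA.
KYOTO_CA, BRIDGE_CA, HOKKAIDO_CA = "Kyoto Univ CA", "UPKI Bridge CA", "Hokkaido Univ CA"
CERTS = [
    # Kyoto cross-certifies the bridge and maps its own assurance policy onto the bridge's.
    Cert(BRIDGE_CA, KYOTO_CA, frozenset({"kyoto:medium"}), (("kyoto:medium", "bridge:medium"),)),
    # The bridge cross-certifies Hokkaido, mapping the bridge policy onto Hokkaido's.
    Cert(HOKKAIDO_CA, BRIDGE_CA, frozenset({"bridge:medium"}), (("bridge:medium", "hokkaido:medium"),)),
    # Reverse direction, so Hokkaido relying parties can reach Kyoto certificates too.
    Cert(BRIDGE_CA, HOKKAIDO_CA, frozenset({"hokkaido:medium"}), (("hokkaido:medium", "bridge:medium"),)),
    Cert(KYOTO_CA, BRIDGE_CA, frozenset({"bridge:medium"}), (("bridge:medium", "kyoto:medium"),)),
    # End-entity certificates issued by the Hokkaido campus CA.
    Cert("Prof. A", HOKKAIDO_CA, frozenset({"hokkaido:medium"})),
    Cert("Student B", HOKKAIDO_CA, frozenset({"hokkaido:low"})),
    # A certificate from a CA that nobody in the federation has cross-certified.
    Cert("Someone", "Unknown CA", frozenset({"hokkaido:medium"})),
]
PROF_A, STUDENT_B, OUTSIDER = CERTS[4], CERTS[5], CERTS[6]


if __name__ == "__main__":
    # Kyoto's wireless LAN requires its own "medium" assurance policy from visitors.
    for visitor in (PROF_A, STUDENT_B, OUTSIDER):
        print(visitor.subject, "->", authorize_visitor(CERTS, KYOTO_CA, visitor, "kyoto:medium"))
```

Prof. A is accepted through the path Kyoto CA → bridge CA → Hokkaido CA with `kyoto:medium` mapped to `hokkaido:medium`; Student B is rejected because the Hokkaido certificate only asserts a lower policy, and the outsider is rejected because no cross-certificate connects the issuing CA. This is the reason the slide pairs the bridge CA with policy mapping: each campus keeps its own CA and policy names, and only the bridge needs a cross-certificate per campus instead of one per pair.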
UPKI: requirements
• Scalability up to 800 universities in Japan: a centralized system will never work; federated ID management is indispensable
• Security against so many cyber attacks and increasing physical attacks
• Privacy: compliant with the law of privacy protection in Japan, enforced since April 2005
• Mobility: both students and professors may visit other universities
• Cost: national universities have become independent agencies since 2004
UPKI: basic idea
• Deployment of Grid/PKI middleware for a national academic AA infrastructure
• Management of faculty members, administrative staff and students
• Virtual Organizations (VO) like committees, research groups or academic societies should be supported
• Targets all of: educational activities like e-learning; administrative work like exchange of credits among universities; research activities like Grid computing; other networking services like WLAN roaming. A single infrastructure is used by all applications.
• AA based on Federated Identity Management is the key
• PKI solves some authentication issues, but not all; PKI itself has many problems in deployment
NAREGI: National Research Grid Initiative (http://www.naregi.org/), a collaboration project among industry, the academic sector and the government.
NAREGI Grid Middleware stack: http://www.naregi.org/concept/index_e.html#05
NAREGI CA
• A full-fledged CA (Certificate Authority) software for PKI
• Originally developed for Grid computing, but can be used for general purposes
• Free open source software
• Version 1.0.1 is available at the download site: http://www.naregi.org/download/
Comparison among CA software (table)
Columns: Product name; Issue of Certif.; CRL periodical; Multiple CA; Profile management; HSM; HW token; Operator logging. Legend: ○: available, ×: not available, △: some restriction.
• NAREGI CA: certificate issuance via file, bulk, WEB, LDAP, LCMP
• OpenSSL: certificate issuance via file
• Microsoft Certificate Server: certificate issuance via WEB, LDAP; multiple CA / profile management restricted (Active Directory only); HSM and HW token (Domain Controller only); operator logging ○ (Event logging)
• Entrust Authority (商用認証局, commercial CA): certificate issuance via CMP, bulk, LDAP, WEB, SCEP
[remaining ○/×/△ cells not recoverable from the extracted layout]
Case study: The Consortium of Universities in Kyoto (http://www.consortium.or.jp/)
• Consortium of 50 universities in Kyoto: 3 national, 2 prefectural, 2 municipal, 43 private; most of them are in the central area of Kyoto City
• Activities: shared lecture rooms near JR Kyoto Shinkansen station (classes for ordinary students, evening classes and classes for adults who have graduated); open Web terminals and WLAN services; exchange of credits among universities in a very conventional manner
• How will an academic AAI help them?
UPKI: issues
How various services (Web services, Grid computing, network services) can be provided on a single AA infrastructure.
Existing work:
• GridShib: Shibboleth for non-web-based applications
• eduroam: campus wireless roaming service architecture
• EGEE: multi-VO support and delegation via MyProxy
• E-authentication by the U.S. government
• GPKI, LGPKI and JPKI for Japanese e-government
What can we learn from them, and how can we collaborate with them?
Summary
• UPKI, the national academic authentication and authorization infrastructure project, has just started, conducted by NII and the information infrastructure centers in 7 universities
• It is a basis of CSI (Cyber Science Infrastructure), the next generation of SINET/SuperSINET
• Actually, federated identity management is unavoidable even within a (big) university, and political issues also exist
• We started later, so we have some advantage
• International federation/collaboration is a very important issue