03f7822d4cb2ac81dc199afb64935379.ppt
- Количество слайдов: 20
X 509 Web Authentication From the perspective of security or An Introduction to Certificates.
For the Impatient • Strategic Direction: – User Certificates are good. – We should use them. • Should all Fermilab staff & users know about certificates? – Yes! • What needs to be done? – User education – Improve browser support
Authentication • Identification of user • Kerberos is Fermilab’s chosen authentication service • Certificates provide authentication services for Grid and Web • Authorization is permission to access and utilize a resource after authentication
X. 509 • Standard for Public Key Certificates – CCITT Recommendation X. 509 • • • Coupled with X 500 Naming Conventions Part of Public Key Infrastructure (PKI) Uses Asymmetric Encryption Digital signatures Expiration and Revocation Lists
Components of a Certificate • Distinguished Names of Issuer and Subject – /DC=org/DC=doegrids/OU=People/CN=Frank J. Nagy 442270 – /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 • Serial Number • Validity Interval (start and end dates) • Extensions – E-mail address, Subject type, Policy Information, etc. • Public key of the Subject • Signature to make tamper-evident
Public Key Encryption • Alice has published her public key and Bill has a copy. • Alice encrypts message with her private key, Bill (or anyone) can decrypt message with her public key – This message can be a digital signature that identifies the rest of the message as from Alice • Bill encrypts message with Alice’s public key but only Alice can decrypt with her private key. • Computationally Intensive, often used to securely exchange Symmetric key for use in the remainder of the communication session
Digital Signature • Use to sign messages – Identify sender – Make message tamper-evident • Take hash function or checksum of message text • Encrypt the hash with private key and send with message • Receiver decrypts signature with public key and compares to his hash of message text
Certificate Authority • Certificates are issued by a Certificate Authority (CA) • Trust Chains • Root Certificates Update is sometimes seen when doing Windows Update is getting new CA certificates that establish this trust chain for well known root CAs • Publish Certificate Revocation List (CRL) – Serial numbers of revoked certificates
Trust Chain and Root CA . . .
Issue: Who to Trust? • Fermilab Kerberized-CA – tied to our infrastructure, – KCA uid=fred is uid=fred in CNAS, etc. • DOEGrid CA – Many Fermi people have certs – Is DOEGrid's John Doe our John Doe? • Other Grid CA's • Commercial CA's?
Fermilab Kerberos CA (KCA) • Get a certificate based on having a Kerberos principal • With a Kerberos ticket, KCA issues a certificate to the user valid for the maximum lifetime (7 days) of the Kerberos ticket • Use kinit followed by kx 509 under Linux then typically import certificate into browser -- or “dokx 509” • Use Get-Cert. bat under Windows which automatically loads certificate into browser
Typical KCA Certificate Uses • Nessus scanner • Import into browser to access some Fermilab Web sites • Use to access Grid resources • Not generally useful for signing E-mail due to limited lifetime of the certificate
DOEGrids CA • Can issue personal or host/service certificates good for 1 year. • Home site is ttp: //ww. doegrids. org for instructions and other information • Request via their Web site – ttps: //pki 1. doegrids. org/ – As Fermilab employee or visitor use FNAL as the affiliation on the request form – Keep your private key secret! Keep it offline!
Certificates and the Web • Web servers send a server certificate to your browser to establish secure communications – Secure Sockets Layer (SSL) – https: instead of http: in the URL – Remember those Root CA Certificates • Brower is authenticating the server in this case • Note: SSL only secures internet link, not data resident at E-commerce site!
Certificates and the Web • Personal certificate (or KCA certificate) can be loaded into browser and used to authenticate the user for access to some sites. • Some Fermilab Web sites use KCA certificates in this manner – Gate pass requests – Network blocking pages – Plone sites
Host/Service Certificates • Fermilab system administrators can get host or service certificates from DOEGrids for Grid resources or Web servers. – ttp: //computing. fnal. gov/security/pki/Get-DOEGrids-Cert. html • You will need Open. SSH utility (see above web page) • Get KCA CA Certificates to authenticate KCA user certificates – ttp: //omputing. fnal. gov/security/pki/index. html
Configuring Webservers • Apache – setup is well known http: //www. fnal. gov/docs/products/apache/SSLNotes. html • IIS – no current installations • Other applications often proxied – Zope/Plone – Oracle Application Server
Proxying Mechanics • Application listens on “localhost”, (not reachable from outside of machine) • Apache server receives requests, and sends them on to the application • User certificate information (issuer, client id info) sent via headers or parameters
Configuring Browsers • Web Documentation avaliable onhttp: //computing. fnal. gov/security/ – How to get a personal certificate from the DOEGrids CA – How to get a Fermilab KCA certificate • Browsers don't deal well with multiple certificates – Perhaps hire consultant(s) to develop better certificate management plugins for popular browsers?
References • Planning for PKI – By Russ Housley and Tim Polk, pub by Wiley • What is a Digital Signature? – http: //www. youdzone. com/signature. html • Open. SSL Certificate Cookbook – http: //www. pseudonym. org/ssl_cook. html • The PKI Page (lots of links) – http: //www. pki-page. org/ • The NIST PKI Program – http: //csrc. nist. gov/pki/
03f7822d4cb2ac81dc199afb64935379.ppt