X.509 at the University of Michigan

Speaker notes: the browser could use a startup page, a signed Java applet, or an Authenticode program; an application (such as video conferencing) would obtain its certificate at startup.

    1. X.509 at the University of Michigan
       CIC-RPG Meeting, June 7, 1999
       Kevin Coffman (kwc@umich.edu), Bill Doster (billdo@umich.edu)
    2. Project Goals
       • Transparent web authentication
       • Eliminate password prompts
       • Lotus Notes authentication
       • Position for inter-institution authentication
    3. Non-Goals
       • Not a complete PKI
       • Not to be used for document signing
       • Not to be used for encryption
       • Not a complete replacement of the current cookie method
    4. Why X.509?
       • An accepted standard
       • Application support out of the box
         ◦ Web servers, web browsers, directory servers, IMAP servers, etc.
       • Allows the possibility of inter-institution authentication
       • No need for a cross-realm trust between every pair of realms (on the order of N² trusts for N institutions)
    5. Description
       • Use short-term (approximately 1 day) certificates: "junk keys"
       • Obtain certificates securely
       • For authentication ONLY!
       • Use OpenSSL for creating and signing certificates
    6. Why "Junk Keys"?
       • Revocation becomes a non-issue: a lost or stolen certificate expires on its own within about a day, so the exposure is bounded by the remaining lifetime rather than by CRL distribution
       • Private key storage is less of an issue
       • Certificate publication for sharing is not necessary
       • Certificate management is less critical
    7. Drawbacks
       • Cannot be used for signing or encryption
       • Not possible to verify a certificate via LDAP
    8. Options for obtaining the CA's certificate
       • Bake it into browsers we distribute
       • Via a web interface using SSL and a Verisign certificate
       • Store it in the file system
    9. Obtaining CA Certificate via Web
       [Diagram] The web CA (Apache + OpenSSL + scripts + Verisign certificate) delivers the CA certificate to the browser (Netscape or Internet Explorer). Green lines in the original imply the exchange is SSL protected.
    10. Options for obtaining the user certificate (TGT: Kerberos ticket-granting ticket, i.e. the user is already logged in)
       • Via a web-based interface [SSL]
       • PAM / GINA / login [TGT or SSL]
       • Standalone program [TGT (or SSL)]
       • Leave it up to the application [TGT (or SSL)]
    11. Obtaining User Certificate via Web (Netscape)
       [Diagram: Netscape browser exchanging with the web server / CA.] The user selects the URL; the server asks for ID and password; the browser returns ID and password, generates a key pair with keyGen, stores the keys and sends the public key; the server verifies identity, looks up the full name and Entity ID, generates and signs the certificate and returns the signed certificate, which the browser stores.
    12. Obtaining User Certificate via Web (IE part 1)
       [Diagram: Internet Explorer exchanging with the web server / CA, script ieReq.pl.] The user selects the URL; the server sends a VBScript asking for the user's unique ID.
    13. Obtaining User Certificate via Web (IE part 2)
       [Diagram: Internet Explorer exchanging with the web server / CA, script ieGenReq.pl.] The browser sends the ID (uniqname); the server looks up the full name and Entity ID, generates a VBScript to create the key pair and PKCS #10 request, and asks for the password; the browser runs the VBScript to generate the key pair and the PKCS #10 request.
    14. Obtaining User Certificate via Web (IE part 3)
       [Diagram: Internet Explorer exchanging with the web server / CA, script ieTreatReq.pl.] The browser sends the password and the PKCS #10 request; the server checks the password, generates the certificate, wraps it in PKCS #7 format and generates a VBScript to accept the PKCS #7; the browser runs the VBScript to accept the PKCS #7. Phew! Done!
    15. Obtaining User Certificate via Standalone Program (Netscape)
       [Diagram: client machine exchanging with the certificate authority.] On the client, getcert (using keyutil and certutil with Netscape's key3.db and cert7.db) sends the public key to the certificate authority; the CA looks up the full name and Entity ID, generates and signs the certificate and returns the signed certificate. Orange lines in the original imply a Kerberized exchange.
    16. Obtaining User Certificate via Standalone Program (IE)
       [Diagram: client machine exchanging with the certificate authority.] The client uses OpenSSL to generate the key pair and sends the public key; the CA looks up the full name and Entity ID, generates and signs the certificate and returns the signed certificate; the client stores the key pair and the certificate.
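The issuing flow of slides 11 to 16 (PKCS #10 request in, short-lived certificate out, wrapped in PKCS #7 for the browser), written out as an added example with the openssl command-line tool. This is not the Michigan code (ieReq.pl, ieGenReq.pl, ieTreatReq.pl, getcert) and does not come from the slides; the working directory, the CA subject, the user names, and the assumption that the ID/password check has already happened out of band before sign_csr runs are all mine. It also turns slide 5's "for authentication ONLY" into concrete X.509 extensions (keyUsage digitalSignature, extendedKeyUsage clientAuth) and shows, via openssl verify -purpose, that the result is rejected for encryption and server use, and, via -checkend, that the one-day lifetime of slide 6 is what bounds the damage from a lost key.

```shell
#!/bin/sh
# Added example, not from the slides: a minimal "junk key" CA with the openssl
# CLI.  Assumed: directory $WORK, the CA subject, the user names, and that the
# user's ID/password were already checked out of band before sign_csr runs.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DAYS=3650     # the CA certificate is long-lived and distributed to browsers
USER_DAYS=1      # the user certificate is the "junk key": about one day

# CA key and self-signed CA certificate (what slides 8 and 9 distribute).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$CA_DAYS" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/O=Example University/CN=Example Junk-Key CA" 2>/dev/null
}

# Client side: key pair plus PKCS #10 request, the job the VBScript / keyGen
# step does inside the browser.  The private key never leaves the client.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/O=Example University/CN=$1" 2>/dev/null
}

# CA side (the ieTreatReq.pl step): sign the request for one day with
# authentication-only extensions, then wrap the certificate in PKCS #7.
sign_csr() {
  cat > "$WORK/authonly.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
EOF
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$USER_DAYS" -sha256 -extfile "$WORK/authonly.ext" \
    -out "$WORK/$1.pem" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$WORK/$1.pem" -out "$WORK/$1.p7b"
}

# Relying party: chain and purpose check.  Expiry is enforced here, which is
# why a one-day lifetime lets the CA skip revocation lists.
verify_for_purpose() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$WORK/$1.pem" >/dev/null 2>&1
}
verify_cert() { verify_for_purpose "$1" sslclient; }

# Exit 0 when the certificate expires within $2 seconds.
expires_within() {
  ! openssl x509 -in "$WORK/$1.pem" -noout -checkend "$2" >/dev/null
}

# Exit 0 when extendedKeyUsage carries clientAuth.
has_client_auth() {
  openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Number of certificates carried in the PKCS #7 blob handed to the browser.
pkcs7_cert_count() {
  openssl pkcs7 -in "$WORK/$1.p7b" -print_certs | grep -c 'BEGIN CERTIFICATE'
}

demo() {
  make_ca
  make_csr "$1"
  sign_csr "$1"
  verify_cert "$1" && echo "$1: chain OK, accepted for client authentication"
  verify_for_purpose "$1" smimeencrypt || echo "$1: rejected for S/MIME encryption"
  verify_for_purpose "$1" sslserver || echo "$1: rejected as a server certificate"
  expires_within "$1" 172800 && echo "$1: expires within two days (junk key)"
}

demo kwc
```

The password check is deliberately left outside sign_csr: in the slide-14 flow the CA receives the password together with the PKCS #10 request and must verify it before signing, otherwise anyone who can reach the CA can mint a one-day certificate for an arbitrary uniqname. Note that the CSR's subject is only a hint; a real CA script would set the subject from its own directory lookup (the "Lookup full name / Entity ID" step) rather than trusting what the client put in the request.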
    17. Storing the certificates
       • How to destroy the certificates (and their private keys) after use?
       • NT 4.0 with SP3 and later has special storage classes that live only for the life of a login session
       • Make use of Kerberos credential storage?
       • Internet Explorer vs. Netscape
    18. Problems
       • Documentation: flood or drought
       • Macintosh support lags other platforms
    19. Current Status
       • Internet Explorer (Windows only) looks promising
       • Netscape (Windows, Solaris): doable but not clean
       • Macintosh support does not currently look promising for either browser
    20. References
       • This presentation: http://www.citi.umich.edu/u/kwc/Presentations/X509June1999
       • OpenSSL: http://www.openssl.org/
       • Netscape Security Services: http://home.netscape.com/nss/v1.2/index.html
       • Microsoft CryptoAPI: http://www.microsoft.com/security/tech/CryptoAPI/default.asp
    21. Questions / Discussion