HEPKI-TAG Activities


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • USHER not necessarily the name This is the context for the work that we did
  • Enhanced key usage: server and client authentication uSoft root program requires CRLs
  • Too gun-shy about marking extensions critical
  • http://www.wi-fiplanet.com/tutorials/print.php/3075481
  • If you run the Microsoft CA, this is already in your profile for Windows Login Funk Software and Cisco ACS
  • Domain Auth: technet article for Win2k; heard Win2003 different – investigating
  • HEPKI-TAG Activities

    1. 1. HEPKI-TAG Activities & Globus and Bridges Jim Jokl University of Virginia Fed/ED PKI Meeting June 16, 2004
    2. 2. HEPKI-TAG Activities <ul><li>Sponsors: I2, Educause, NET@EDU </li></ul><ul><li>Charter – Technical Activities Group (TAG) </li></ul><ul><ul><li>Certificate profiles, CA software </li></ul></ul><ul><ul><li>Private key protection </li></ul></ul><ul><ul><li>Mobility, client issues </li></ul></ul><ul><ul><li>Interactions with directories </li></ul></ul><ul><ul><li>Testbed projects </li></ul></ul><ul><ul><li>Communicate results </li></ul></ul><ul><li>Process </li></ul><ul><ul><li>Biweekly conference calls </li></ul></ul><ul><ul><li>Sessions at higher education events </li></ul></ul>
    3. 3. HEPKI-TAG Projects <ul><li>Must-do items </li></ul><ul><ul><li>Support the USHER / InCommon projects </li></ul></ul><ul><ul><li>Maintain & update existing documents and services </li></ul></ul><ul><li>Potential projects discussed and ranked at our meeting </li></ul><ul><ul><li>Update work on S/MIME </li></ul></ul><ul><ul><li>Windows domain authentication </li></ul></ul><ul><ul><li>CA Audits - preparing your internal audit department </li></ul></ul><ul><ul><li>EAP-TLS for wireless authentication </li></ul></ul><ul><ul><li>Update on hardware tokens </li></ul></ul><ul><ul><ul><li>survey, documentation, recommendations </li></ul></ul></ul><ul><ul><li>Introductory materials for sites getting started (CA software, applications, cookbook, etc) </li></ul></ul><ul><ul><li>Other possibilities discussed more briefly </li></ul></ul><ul><ul><ul><li>Grid integration </li></ul></ul></ul><ul><ul><ul><li>survey </li></ul></ul></ul><ul><ul><ul><li>bridge testing </li></ul></ul></ul><ul><ul><ul><li>Document and webform signing </li></ul></ul></ul>
    4. 4. One version of the US Higher Education Root (USHER) discussion USHER-Lite InCommon CA Shib Cert Shib Cert Shib Cert Shib Cert School CA School CA School CA School CA School CA USHER Basic/Medium School CA USHER Root
    5. 5. USHER/InCommon Profile Discussions <ul><li>Trivial root with no “dots” discussion: no </li></ul><ul><ul><li>AIA, CPS, CRL etc </li></ul></ul><ul><li>Authority Information Access: yes </li></ul><ul><ul><li>PKCS7 v.s. LDAP: both </li></ul></ul><ul><li>Domain Component Naming: no </li></ul><ul><li>Email addresses: no </li></ul><ul><li>Key Usage and CRLs: yes </li></ul><ul><li>Validity </li></ul><ul><ul><li>10 years for the roots, 3 for InCommon EE certs </li></ul></ul><ul><li>CPS Pointer: yes (to a redacted version) </li></ul>
    6. 6. Certificate Profiles <ul><li>InCommon EE Certificate </li></ul><ul><li>USHER Root Profile </li></ul><ul><li>InCommon Root Profile </li></ul><ul><li>Profiles were derived from </li></ul><ul><ul><li>PKI-Lite EE profile </li></ul></ul><ul><ul><li>PKI-Lite Root profile </li></ul></ul>
    7. 7. Introductory Materials Aiding Initial Campus Deployments <ul><li>Recall our PKI-Lite framework </li></ul><ul><ul><li>Using PKI for “standard” applications </li></ul></ul><ul><ul><li>Merged policy and practices document </li></ul></ul><ul><ul><li>Profiles with suggestions for implementers </li></ul></ul><ul><ul><ul><li>Designed to support S/MIME, VPN, Web Authentication, etc </li></ul></ul></ul><ul><ul><ul><li>Validated on other apps (e.g. Globus, document signing applications, etc). </li></ul></ul></ul><ul><ul><li>New addition: PKI-Lite Recipe </li></ul></ul><ul><ul><ul><li>by Steven Carmody at Brown </li></ul></ul></ul><ul><ul><li>Changes to Policy/Practices document </li></ul></ul><ul><ul><ul><li>Feedback from NMI testbed sites on language on the use of subordinate CAs on campus </li></ul></ul></ul>
    8. 8. PKI-Lite never seems to be quite finished <ul><li>Macintosh PKI and the PKI-Lite certificate profiles </li></ul><ul><ul><li>Working with early version of Apple PKI on MacOS 10 </li></ul></ul><ul><ul><li>Attempts to import PKI-Lite CREN-rooted certificates into Macintosh development release to test S/MIME and EAP-TLS failed </li></ul></ul><ul><ul><li>Problem: Basic Constraints not marked Critical </li></ul></ul><ul><ul><li>Many other root certificates with the same issue </li></ul></ul><ul><li>Result: </li></ul><ul><ul><li>Apple release does now accept these certificate profiles </li></ul></ul><ul><ul><li>More importantly: we modified the PKI-Lite profiles to more closely follow the RFCs </li></ul></ul>
    9. 9. EUDORA and S/MIME <ul><li>Eudora is the only significant remaining email client lacking native S/MIME support </li></ul><ul><ul><li>Mulberry and Apple now include support along with some WebMail products </li></ul></ul><ul><li>Qualcomm just released Eudora 6.1 </li></ul><ul><ul><li>Assumption is that they are now setting functionality goals for the next major release </li></ul></ul><ul><li>Plan </li></ul><ul><ul><li>HEPKI-TAG to coordinate as many parties as possible to endorse a letter to Qualcomm requesting S/MIME support </li></ul></ul>
    10. 10. Wireless LAN Access Control Source: wi-fiplanet.com EAP-MD5 LEAP EAP-TLS EAP-TTLS PEAP Server Authentication None Password Hash Public Key Public Key Public Key Supplicant Authentication Password Hash Password Hash Public Key CHAP, PAP, MS-CHAP(v2), EAP Any EAP, like EAP-MS-CHAPv2 or Public Key Dynamic Key Delivery No Yes Yes Yes Yes Security Risks Identity exposed, Dictionary attack, MitM attack, Session hijacking Identity exposed, Dictionary attack Identity exposed MitM attack MitM attack
    11. 11. EAP-TLS Process <ul><li>User verifies the Radius server’s identity using PKI </li></ul><ul><li>The Radius server verifies the user’s identity using PKI </li></ul><ul><li>An authorization step may happen </li></ul><ul><li>Association is allowed and dynamic session keys are exchanged </li></ul>User Access Point Radius Server LDAP AuthZ
    12. 12. Support for EAP-TLS <ul><li>Operating System Support </li></ul><ul><ul><li>Windows XP, Windows 2000 SP-4* </li></ul></ul><ul><ul><li>MacOS (10.3.3) </li></ul></ul><ul><ul><li>3 rd party software available </li></ul></ul><ul><li>Should be very easy to use </li></ul><ul><ul><li>No account management, passwords, etc </li></ul></ul><ul><ul><li>AuthZ step makes it easy to keep hacked machines off of the WLAN </li></ul></ul><ul><ul><li>*  base OS functionality only </li></ul></ul>
    13. 13. EAP-TLS and the Microsoft Clients <ul><li>Microsoft field in certificate for AuthN </li></ul><ul><ul><li>Subject Alt Name / Other Name / Principal Name </li></ul></ul><ul><ul><ul><li>OID </li></ul></ul></ul><ul><ul><li>If not present, uses CN </li></ul></ul><ul><ul><ul><li>Uniqueness issues for many CAs </li></ul></ul></ul><ul><ul><li>Easy to add to your certificate profile </li></ul></ul><ul><li>Impact on the PKI-Lite certificate profiles </li></ul><ul><ul><li>Agreed to add this extension to EE cert profile </li></ul></ul>
    14. 14. Other Projects on the “List” <ul><li>Some progress </li></ul><ul><ul><li>Update of S/MIME work </li></ul></ul><ul><ul><li>Grid integration </li></ul></ul><ul><ul><li>Bridge application testing </li></ul></ul><ul><li>In the queue </li></ul><ul><ul><li>CA audit preparation & education </li></ul></ul><ul><ul><li>Windows smart card login </li></ul></ul><ul><ul><li>Update hardware token work </li></ul></ul><ul><ul><li>Document and web form signing </li></ul></ul><ul><ul><li>Updated survey of schools and applications </li></ul></ul><ul><ul><li>Insert your item here </li></ul></ul>
    15. 15. Campus Globus Implementations <ul><li>The Globus toolkit uses PKI for authentication of users and resources </li></ul><ul><ul><li>A proxy certificate is used internally </li></ul></ul><ul><li>A file maps certificates to login names </li></ul><ul><li>Campus CA integration is complicated by the Globus interface </li></ul><ul><ul><li>Campus CAs and OS-exported certificates are generally in PKCS-12 format </li></ul></ul><ul><ul><li>Globus expects raw PEM files for the certificate and the private key </li></ul></ul>
    16. 16. Implementing Globus on Campus <ul><li>Certificate profile </li></ul><ul><ul><li>Standard profile (e.g. PKI-lite) works well with Globus </li></ul></ul><ul><li>Use of Campus CA with Globus </li></ul><ul><ul><li>Different research groups on campus can share resources </li></ul></ul><ul><li>Prepares for intercampus applications </li></ul><ul><ul><li>Campus CA part of a hierarchy </li></ul></ul><ul><ul><li>Cross certification </li></ul></ul>
    17. 17. NMI Testbed Globus Project Goals <ul><li>Support the use of native campus CAs in Globus so that users can do all of their work using one set of credentials </li></ul><ul><li>Create some tools and documentation to make this easier with Globus </li></ul><ul><li>Scope intercampus Grid trust issues preparing to leverage other Higher Education PKI efforts </li></ul><ul><ul><li>Higher Education Bridge CA (HEBCA) </li></ul></ul><ul><ul><li>US Higher Education Root CA (USHER) </li></ul></ul>
    18. 18. Schematic of Grid Testbed PKI Integration Goal Campus E Grid A’s PKI Testbed Bridge CA Shibbolized Testbed CA Campus B Grid Campus C Grid Campus D Grid Campus A Grid Campus F Grid B’s PKI C’s PKI Cross-cert pairs User Certs
    19. 19. PKI Bridge Path Validation
    20. 20. Globus and Bridges <ul><li>Initial Result: Globus appears to work with cross-certificates </li></ul><ul><ul><li>All needed cross certificates must be loaded into the /etc/grid-security/certificates directory </li></ul></ul><ul><ul><li>No directory-based discovery for cross certificates as in many bridge environments </li></ul></ul><ul><ul><li>It appears that the certificates for intermediate CAs in a hierarchy that is then bridged must also be preloaded </li></ul></ul><ul><ul><li>It would be great if Globus could use the Authority Information Access field to dynamically find needed certificates </li></ul></ul>
    21. 21. Globus and Bridges <ul><li>2 nd phase testing </li></ul><ul><ul><li>Built “ production ” bridge for testbed </li></ul></ul><ul><ul><ul><li>Dedicated laptop/openssl </li></ul></ul></ul><ul><ul><ul><li>Cross-certified UVa, UAB, USC, and TACC </li></ul></ul></ul><ul><ul><li>Results (so far) </li></ul></ul><ul><ul><ul><li>Bridge path validation ok for EE certs </li></ul></ul></ul><ul><ul><ul><li>Server certificate validation not working via bridge </li></ul></ul></ul><ul><ul><ul><ul><li>Bridge itself is fine; e.g. XP validates both directions </li></ul></ul></ul></ul><ul><ul><li>More work in progress </li></ul></ul><ul><ul><ul><li>Just installed latest NMI R5 Globus </li></ul></ul></ul>
    22. 22. NMI Testbed Project <ul><li>In addition to building the testbed grid via cross-certification, we plan to explore a few tools </li></ul><ul><ul><li>Credential converter web site that takes a PKCS-12 (as is available in most enterprise CAs) and returns the PEM files needed by Globus </li></ul></ul><ul><ul><li>A tool to chase down cross-certificates from AIA fields and build the needed Globus links and signing policy files </li></ul></ul><ul><ul><li>Potentially a Shibboleth-based CA that could provide certificates for campuses that are not yet operating an enterprise CA </li></ul></ul>
    23. 23. <ul><li>Where to watch </li></ul><ul><ul><li>middleware.internet2.edu/hepki-tag </li></ul></ul><ul><ul><ul><li>Links to other sites, CA software, etc </li></ul></ul></ul><ul><ul><li>NET@EDU PKI for Networked Higher Ed </li></ul></ul><ul><ul><ul><li>www.educause.edu/netatedu/groups/pki </li></ul></ul></ul><ul><ul><li>www.educause.edu/hepki </li></ul></ul><ul><ul><li>pkidev.internet2.edu </li></ul></ul><ul><ul><li>PKI Labs </li></ul></ul><ul><ul><ul><li>middleware.internet2.edu/pkilabs </li></ul></ul></ul>References