Experiences with Massive PKI Deployment and Usage
Daniel Kouřil, Michal Procházka
Masaryk University & CESNET
Security and Protection of Information 2009

Public Key Infrastructure
• Asymmetric cryptography
• Each user and service owns key-pair
• X.509 digital certificates
• PGP not suitable
• Certification Authority (CA)
• Network of Registration Authorities (RA)
• Relying parties

Distributed environments
• Ithanet project
• Network for medical research in Mediterranean countries
• Users were physicians with little knowledge about computers
• Grid infrastructure
• Facilitates collaborations, resource sharing
• Support of research
• Basic services provided by grid operator
• Easy establishment of secure communication

PKI in large-scale environment
• PKI is a good candidate for authN in large infrastructures
• Scalability
• Several aspects to be considered and addressed
• Operators
• Users
• General PKI not tied to applications

Operating PKI
• CA establishment is not a technical problem
• Building trust is crucial
• Many administrative problems
• Proper applicant authentication
• Protection of signing keys
• Proper handling of revocation requests
• Long-term support
• Incident resolution cooperation
• …
• CAs publish their policies

International Grid Trust Federation
• Easing orientation for relying parties
• CA managers, identity providers, large relying parties involved
• IGTF builds a federation of "trusted" CAs
• Approving procedures and minimal requirements
• Reviews the CA policies (CP/CPS)
• Flat model – no root IGTF CA
• Unified name space for subject names
• User is uniquely identified by their subject name

Revocation checks
• Revocation is a must
• Often neglected by administrators or applications
• It's impossible to check CRLs with Firefox
• Certificate Revocation Lists (CRLs)
• Online Certificate Status Protocol (OCSP)
• Overhead
• Latency penalty for online checks
• Large amount of data represented by aggregated CRL transfers
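
The gap described on the Revocation checks slide, as an added example that is not part of the original slides: a throwaway CA issues and then revokes a certificate, and `openssl verify` still accepts it unless the relying party loads the CRL and passes `-crl_check`. The CA, subject names and file names are constructed for the demo.

```shell
# Added example: the CA, subjects and file names are constructed for this demo.
revocation_demo() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    mkdir ca; : > ca/index.txt; echo 01 > ca/serial
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = ca/index.txt
serial = ca/serial
new_certs_dir = ca
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
    {
      # Throwaway CA, then one user certificate issued by it.
      openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo CA" -keyout ca.key -out ca.pem
      openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=Demo User" -keyout user.key -out user.csr
      openssl ca -batch -config ca.cnf -in user.csr -out user.pem
      # Revoke that certificate and publish a CRL listing it.
      openssl ca -config ca.cnf -revoke user.pem
      openssl ca -config ca.cnf -gencrl -out ca.crl
    } >/dev/null 2>&1 || exit 1
    # Relying party that skips revocation: only chain and signature are checked.
    plain=$(openssl verify -CAfile ca.pem user.pem 2>&1) || true
    # Relying party that loads the CRL and enforces it.
    strict=$(openssl verify -CAfile ca.pem -CRLfile ca.crl -crl_check user.pem 2>&1) || true
    case $plain in *": OK"*) a=accepted ;; *) a=rejected ;; esac
    case $strict in *"certificate revoked"*) b=rejected ;; *) b=accepted ;; esac
    echo "no_crl_check=$a crl_check=$b"
  ); rc=$?; rm -rf "$d"; return $rc
}
revocation_demo
```

The same revoked certificate is accepted by the first verification and rejected by the second, so the result depends entirely on whether the relying party fetches a current CRL and turns the check on.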

Obtaining certificates
• The process consists of two phases
• Generating key-pair
• Identity vetting at RA
• Crucial for users' perception
• Crucial for security of credentials

Online CAs
• Normal web page with simple form
• Registration is done first
• Browser is key component
• Performs cryptographic operations
• Communicates with CA
• Receives and stores new certificate
• New requirements
• Signing machine of CA is exposed
• Trust in browser

Online CAs in Identity Federations
• Identity federations leverage existing user management systems
• Access to internal systems of institution
• Users don't need additional credentials to access new services
• Online CA connected to federation
• No need for personal visits at RA

Private Key Protection
• Users don't protect their private keys
• Weak passphrases, file permissions
• Can't be checked by PKI operators
• Ideally not handled directly by users – transparent PKI
• Key repositories
• Specialized service maintaining keys for users
• Smart cards
• User support is difficult in general PKI

Conclusions
• Several aspects to address to operate secure PKI
• Established set of trusted CAs available
• General CAs, not tied to a particular application
• Keep users away from their private keys
• :-)

Backup slides

Single Sign-On
• User authenticates just once
• Proxy certificate
• Issued by user
• Only short-lived
• Standard X.509 short-lived certificates
• Issued by an on-line CA
• Can be obtained automatically after login