Gregorio Martínez Pérez

gremar@dif.um.es

University of Murcia

PROVIDING SECURITY TO UNIVERSITY ENVIRONMENT

COMMUNICATIONS

University of MurciaUniversity of Murcia

Distributed applications on TCP/IP: impressive growth

Services improvement Decreasing costs

Very important security problems when applications deal with confidential information

MOTIVATION (I)

University of MurciaUniversity of Murcia

University of Murcia: infrastructure to

provide secure communications Must warrant:

•Confidentiality•Authentication•Integrity

Complex task:•Broad community of users•Heterogeneous systems

MOTIVATION (II)

University of MurciaUniversity of Murcia

Certification Authority (CA) Trust foundation of the overall system We are using Netscape Certificate

Server•Problem: certification request is a public

operation•Solution: intermediate elements

– RQServer (Requests Server)– RQClient (Certification Requests Client)

PUBLIC KEY INFRASTRUCTURE (I)

University of MurciaUniversity of Murcia

Registration Authority (RA) Constituted by

•Administrative staff•Software applications

Performs the following tasks•To verify people identities •To generate the user private and public keys•To store the private key in the smart card•To create the certification requests •To create the revocation requests

PUBLIC KEY INFRASTRUCTURE (II)

University of MurciaUniversity of Murcia

Directory Server Main use:

•To get the information needed to make certification requests

•To store the final certificates

To get data stored in this server: LDAP protocol

PUBLIC KEY INFRASTRUCTURE (III)

University of MurciaUniversity of Murcia

Smart Cards Security device to store private keys Two kinds of smart cards:

•4 Kbytes smart cards

PUBLIC KEY INFRASTRUCTURE (IV)

1 KByte

Security Field

RSA Private Key

University of MurciaUniversity of Murcia

Smart Cards Two kinds of smart cards:

•2 Kbytes smart cards

PUBLIC KEY INFRASTRUCTURE (V)

16 Bytes

Security Field

Ciphered PrivateKeys DB

IDEAKey

CIPHERCiphered

Private Key

RSA Private Key

University of MurciaUniversity of Murcia

Certificate Request

Certificate Recovery

Certificate Revocation

MAIN OPERATIONS

University of MurciaUniversity of Murcia

CERTIFICATE REQUEST

Registration Authority

RSA PRIVATEOR IDEAKEY

LDAP

Certification Authority

SSL

RQServerClient Authent.

SSL

Ciphered Private Keys DB

SSLClient Authent.

IDNumber

DirectoryServer

USER PERSONAL DATA

RQClient

Client Authent.SSL

CRON

University of MurciaUniversity of Murcia

CERTIFICATE RECOVERY

PKCS#11 Module

Netscape Communicator

SSL Secure Server

PIN

RSAPRIVATEOR IDEAKEY

Ciphered Private Keys DB

SSL

DirectoryServer

University of MurciaUniversity of Murcia

CERTIFICATE REVOCATION

Registration Authority

RQServerClient Authent.

SSL

LDAPDirectoryServer

Certification Authority

SSL Client Authent.

RVKClient

Client Authent.SSL

CRON

Ciphered Private Keys DB

SSLClient Authent.

University of MurciaUniversity of Murcia

Complete security infrastructure Certification Authority Registration Authorities Smart cards Custom PKCS#11 Module Main security protocols: SSL and S/MIME

Framework to develop custom security applications

CONCLUSIONS

University of MurciaUniversity of Murcia

Custom CA developed in Java Solutions for other applications: Microsoft products (PC/SC) New smart cards approaches: OCF, JavaCards, VOP Parallel infrastructure that manages credentials: SPKI

FUTURE WORK

Gregorio Martínez Pérez

gremar@dif.um.es

University of Murcia

PROVIDING SECURITY TO UNIVERSITY ENVIRONMENT

COMMUNICATIONS