Experiences with Massive PKI Deployment and Usage
Daniel Kouřil, Michal Procházka
Masaryk University & CESNET
Security and Protection of Information 2009
Public Key Infrastructure
• Asymmetric cryptography
• Each user and service owns a key-pair
• X.509 digital certificates
  • PGP not suitable
• Certification Authority (CA)
• Network of Registration Authorities (RA)
• Relying parties
Distributed environments
• Ithanet project
  • Network for medical research in Mediterranean countries
  • Users were physicians with little knowledge about computers
• Grid infrastructure
  • Facilitates collaborations, resource sharing, support of research
  • Basic services provided by grid operator
  • Easy establishment of secure communication
PKI in large-scale environment
• PKI is a good candidate for authN in large infrastructures
  • Scalability
• Several aspects to be considered and addressed
  • Operators
  • Users
• General PKI not tied with applications
Operating PKI
• CA establishment is not a technical problem
  • Building trust is crucial
• Many administrative problems
  • Proper authentication of applicants
  • Protection of signing keys
  • Proper handling of revocation requests
  • Long-term support
  • Cooperation on incident resolution
  • …
• CAs publish their policies
International Grid Trust Federation
• Easing orientation for relying parties
• CA managers, identity providers, large relying parties involved
• IGTF builds a federation of "trusted" CAs
  • approving procedures and minimal requirements
  • reviews the CA policies (CP/CPS)
• Flat model – no root IGTF CA
• Unified name space for subject names
  • User is uniquely identified by their subject name
Revocation checks
• Revocation is a must
  • Often neglected by administrators or applications
  • It's impossible to check CRLs with Firefox
• Certificate Revocation Lists (CRLs)
• Online Certificate Status Protocol (OCSP)
• Overhead
  • Latency penalty for online checks
  • Large amount of data transferred by aggregated CRLs
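The "often neglected" point above, as an added demonstration that is not part of the slides: a throwaway CA built with the OpenSSL command-line tool (assumed installed) issues a certificate, revokes it and publishes a CRL; a relying party that never fetches the CRL still accepts the certificate, while a CRL-aware check rejects it.

```shell
# Added demo (not from the talk): a throwaway CA issues a certificate, revokes it
# and publishes a CRL; only a CRL-aware verification rejects the certificate.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal "openssl ca" configuration, constructed for this demo.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 1
policy = cn_only
[ cn_only ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
# Self-signed CA; then the user's key and CSR (this is where RA identity vetting fits); then issuance.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 1 -subj "/CN=Demo CA" >/dev/null 2>&1
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout user.key -out user.csr -subj "/CN=Alice" >/dev/null 2>&1
openssl ca -batch -config ca.cnf -days 1 -notext -in user.csr -out user.crt >/dev/null 2>&1
# Revoke the certificate and publish a CRL signed by the CA.
openssl ca -batch -config ca.cnf -revoke user.crt >/dev/null 2>&1
openssl ca -batch -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
# Verdict of a relying party that never consults revocation data.
verify_ignoring_crl() {
  openssl verify -CAfile ca.crt user.crt 2>&1 || true
}
# Verdict of a relying party that fetches the CRL and enforces it (-crl_check).
verify_with_crl() {
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl user.crt 2>&1 || true
}
echo "Without CRL check: $(verify_ignoring_crl)"
echo "With CRL check:    $(verify_with_crl)"
```

The first verdict is "OK" although the certificate is already on the CRL; the second reports "certificate revoked", which is the behaviour a relying party must be configured to get.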
Obtaining certificates
• The process consists of two phases
  • Generating key-pair
  • Identity vetting at RA
• Crucial for users' perception
• Crucial for security of credentials
Online CAs
• Normal web page with simple form
  • Registration is done first
• Browser is a key component
  • Performs cryptographic operations
  • Communicates with CA
  • Receives and stores new certificate
• New requirements
  • Signing machine of CA is exposed
  • Trust in browser
Online CAs in Identity Federations
• Identity federations leverage existing user management systems
  • Access to internal systems of institution
  • Users don't need additional credentials to access new services
• Online CA connected to federation
  • No need for personal visits at RA
Private Key Protection
• Users don't protect their private keys
  • Weak passphrases, file permissions
  • Can't be checked by PKI operators
  • Ideally not handled directly by users – transparent PKI
• Key repositories
  • Specialized service maintaining keys for users
• Smart cards
  • User support is difficult in general PKI
Conclusions
• Several aspects to address to operate a secure PKI
• Established set of trusted CAs available
  • General CAs, not tied with a particular application
• Keep users away from their private keys :-)
Backup slides
Single Sign-On
• User authenticates just once
• Proxy certificate
  • Issued by user
  • Only short-lived
• Standard X.509 short-lived certificates
  • Issued by an on-line CA
  • Can be obtained automatically after login