Bridging Higher Education PKIs PKI Summit, August 2006 Snowmass, Colorado


Overview

• What are the drivers for PKI in Higher Education?
– Stronger authentication to resources and services of an institution
– Better protection of digital assets from disclosure, theft, tampering, and destruction
– More efficient workflow in distributed environments
– Greater ability to collaborate and reliably communicate with colleagues and peers
– Greater access (and more efficient access) to external resources
– Facilitation of funding opportunities
– Compliance


Overview

• Potential Killer Apps for PKI in Higher Education
– S/MIME
– Paperless Office workflow
– EFS
– Shibboleth/Federations
– GRID Computing Enabled for Federations
– E-grants facilitation


Overview

• PKI Choices for Higher Education
– Outsourced everything
– Outsourced managed services, internal RAs
– Internal operations:
  • Community root | Campus root
  • Community Policy | Campus Policy
  • CA software: commercial | vendor | open source | RYO


Creating Silos of Trust

[Diagram: Institution and Dept-1 CAs, each with their own SubCAs, drawn as separate, unconnected trust silos; USHER also shown]


LOA: Levels of Assurance

• Not all CAs are created equal
– Policies adhered to vary in detail and strength
– Protection of private keys
– Controls around private key operations
– Separation of duties
– Trustworthiness of Operators
– Auditability
– Authentication of end entities
– Frequency of revocation updates


HEBCA : Higher Education Bridge Certificate Authority

• Bridge Certificate Authority for US Higher Education
• Modeled on FBCA
• Provides cross-certification between the subscribing institution and the HEBCA root CA
• Flexible policy implementations through the mapping process
• The HEBCA root CA and infrastructure hosted at Dartmouth College
• Facilitates inter-institutional trust between participating schools
• Facilitates inter-federation trust between the US Higher Education community and external entities


HEBCA

• What is the value presented by this initiative?
– HEBCA facilitates a trust fabric across all of US Higher Education so that credentials issued by participating institutions can be used (and trusted) globally, e.g. signed and/or encrypted email, digitally signed documents (paperless office), etc. can all be trusted inter-institutionally and not just intra-institutionally
– Extension of the Higher Education trust infrastructure into external federations is also possible, and proof-of-concept work with the FBCA (via BCA cross-certification) has demonstrated this inter-federation trust extension
– Single credential accepted globally
– Potential for stronger authentication and possibly authorization of participants in grid-based applications
– Contributions provided to the Path Validation and Path Discovery development efforts
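Added example (not from the deck, and not HEBCA's own tooling): a small path-discovery routine showing how a relying party in one campus finds a certification path to another campus through a bridge CA, with policy mappings carrying the required level of assurance across each cross-certificate. The CA names, policy OIDs and cross-certificate graph are constructed placeholders.

```python
from collections import deque

# Constructed cross-certificate graph (not HEBCA's real members or OIDs).
# Each key is (issuer, subject); the value is the set of policy OIDs the
# certificate asserts in the issuer's domain and the policyMappings it
# carries (issuer-domain OID -> subject-domain OID). The bridge edges are
# where a campus "medium" policy is mapped to the bridge's "medium".
CERTS = {
    ("Campus-A Root", "HEBCA"):           ({"1.A.medium"}, {"1.A.medium": "1.HEBCA.medium"}),
    ("HEBCA", "Campus-B Root"):           ({"1.HEBCA.medium"}, {"1.HEBCA.medium": "1.B.medium"}),
    ("HEBCA", "Campus-C Root"):           ({"1.HEBCA.basic"}, {"1.HEBCA.basic": "1.C.basic"}),
    ("Campus-B Root", "Campus-B SubCA"):  ({"1.B.medium"}, {}),
    ("Campus-B SubCA", "alice@campus-b"): ({"1.B.medium"}, {}),
    ("Campus-C Root", "Campus-C SubCA"):  ({"1.C.basic"}, {}),
    ("Campus-C SubCA", "bob@campus-c"):   ({"1.C.basic"}, {}),
}

def find_path(anchor, required_policy, target):
    """Breadth-first path discovery from the relying party's trust anchor to
    `target`, carrying the acceptable policy OID through each mapping.
    Returns (path, policy_oid_in_target_domain), or None when no path exists
    at the required level of assurance."""
    queue = deque([(anchor, required_policy, [anchor])])
    seen = {(anchor, required_policy)}
    while queue:
        name, policy, path = queue.popleft()
        if name == target:
            return path, policy
        for (issuer, subject), (policies, mappings) in CERTS.items():
            # Skip certs not issued by the current CA, and certs that do not
            # assert the policy we are tracking (a lower-LOA cross-cert).
            if issuer != name or policy not in policies:
                continue
            next_policy = mappings.get(policy, policy)   # map, or carry through
            if (subject, next_policy) not in seen:
                seen.add((subject, next_policy))
                queue.append((subject, next_policy, path + [subject]))
    return None

if __name__ == "__main__":
    # A Campus-A relying party accepts Alice's Campus-B credential via HEBCA...
    print(find_path("Campus-A Root", "1.A.medium", "alice@campus-b"))
    # ...but not Bob's, whose campus is only bridged at the basic level.
    print(find_path("Campus-A Root", "1.A.medium", "bob@campus-c"))
```

The second lookup returning None is the "not all CAs are created equal" point in code: a bridge cross-certificate issued at a lower assurance level does not yield a path for a relying party that requires the higher one.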


Solving Silos of Trust

[Diagram: the same Institution and Dept-1 CAs with their SubCAs, now linked through HEBCA, which is in turn cross-certified with FBCA and CAUDIT PKI; USHER also shown]


HEBCA Project - Progress

• What’s been done so far?
– Operational Authority (OA) contractor engaged (Dartmouth PKI Lab)
– MOA with commercial vendor for infrastructure hardware (Sun)
– MOA with commercial vendor for CA software and licenses (RSA)
– Policy Authority formed
– Prototype HEBCA operational and cross-certified with the Prototype FBCA (new Prototype instantiated by HEBCA OA)
– Prototype Registry of Directories (RoD) deployed at Dartmouth
– Production HEBCA CP produced
– Production HEBCA CPS produced
– Preliminary Policy Mapping completed with FBCA
– Test HEBCA CA deployed and cross-certified with the Prototype FBCA
– Test HEBCA RoD deployed
– Infrastructure has passed interoperability testing with FBCA


HEBCA Project - Progress

• What’s been done so far?
– Production HEBCA development phase complete
– Issues Resolved
  • Discovery of a vulnerability in the protocol for indirect CRLs
  • Inexpensive AirGap
  • Citizenship requirements for Bridge-2-Bridge Interoperability
– Majority of supporting documentation finalized
  • HEBCA Cross-Certification Criteria and Methodology
  • HEBCA Interoperability Guidelines
  • Draft Memorandum of Understanding
  • HEBCA Subscriber Agreement
  • HEBCA Certificate Profiles
  • HEBCA CRL Profiles
  • HEBCA Secure Personnel Selection Procedures
  • Business Continuity and Disaster Plans For HEBCA Operations
– PKI Test Bed server instantiated
– PKI Interoperability Pilot migrated
– Reassessment of community needs
– Audit process defined and Auditors engaged
– Participation in industry working groups
– Almost ready for audit and production operations


HEBCA Project – Next Steps

• What are the next steps?

– HEBCA to operate at multiple LOAs over its lifetime

– Update of policy documents and procedures required to reflect the above

– HEBCA to operate at BASIC LOA initially

– Issue the HEBCA Basic Root

– Purchase final items and bring the infrastructure online

– Cross-certify limited community of interested early adopters and key federations

– Validate the model and continue to develop tools for bridge aware applications


Challenges and Opportunities

• Community applicability
– If we build it they will come
– Chicken & Egg profile for infrastructure and applications
– An appropriate business plan
• Consolidation and synergy
– Are USHER & HEBCA competing initiatives?
– Benefits of a common infrastructure
• Alignment with policies of complementary communities
– Shibboleth / InCommon
– Grids (TAGPMA)


Bridge-Aware Applications


Challenges and Opportunities

• Open Tasks
– Audit
– Updated Business Plan
– Mapping Grid Profiles
  • Classic PKI
  • SLCS
– Promotion of PKI Test bed
– Validation Authority service
– Cross-certification with FBCA
– Cross-certification with other HE PKI communities
  • CAUDIT PKI (AusCERT)
  • HE JP
  • HE BR


Proposed Inter-federations

[Diagram of proposed inter-federations: HEBCA members (Dartmouth, Wisconsin, Texas, UVA, Univ-N) cross-certified with FBCA and its member CAs (CA-1, CA-2, CA-n); further cross-certs to USHER, DST ACES, SAFE, CertiPath, NIH, HE JP, AusCert CAUDIT PKI (CA-1 to CA-3), HE BR and Other Bridges]


AirGap

• The Problem:
– Offline CA
– High Availability online Directory
– CRL generation and publication every 6 hours
– Dual access/authorization for private key operations
– Handling of after-hours certificate revocation requests
– Limited resources


AirGap

• The AirGap Solution:
– Asynchronous storage device for schlurping signed data between the CA and the Directory (technically no different from a floppy-based sneaker net used in similar situations in industry, e.g. FBCA)
– Storage is never connected to both devices at the same time – hardware enforces an “air gap”
– Periodic checking to see if the storage device is available
  • Directory reads any new CRL and publishes it, posts a signed revocation request when it is received
  • CA reads any new revocation requests, verifies signature, creates new CRL, deletes request
– Storage connected to online Directory for 5 mins every 6 hours, otherwise connected to offline CA in order to minimize risk


AirGap

• Components:
– Sewell Manual Share USB Switch
– 5V relay
– 5V AC adapter
– Power Timer
– Crucial 1 GB Flash Disk
– Cron jobs running on both connection end points
– Signed objects passed back and forth
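Added example (not from the deck, and not the HEBCA OA's actual cron scripts): a simulation of the two cron jobs described above, one on the online Directory and one on the offline CA, exchanging signed objects over the shared flash disk across one 6-hour cycle. The disk is modelled as a dict, and the signatures are HMAC stand-ins with constructed keys so the example runs with only the standard library; a real deployment would verify the CA's and the operator's X.509 signatures instead.

```python
import hashlib, hmac, json

# Constructed stand-in keys. The deck's design passes signed objects (the CA
# signs the CRL, an authorised operator/RA signs revocation requests); HMAC
# is used here only so the example runs with the standard library, and a
# real deployment would verify X.509 signatures instead.
CA_KEY = b"constructed-ca-key"
RA_KEY = b"constructed-ra-key"

def sign(key, payload):
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "sig": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def verify(key, obj):
    """Return the payload if the signature checks, else None."""
    expected = hmac.new(key, obj["body"].encode(), hashlib.sha256).hexdigest()
    return json.loads(obj["body"]) if hmac.compare_digest(obj["sig"], expected) else None

def directory_job(disk, pending_requests, published):
    """Online side, run by cron while the disk is switched to the Directory
    (5 minutes every 6 hours): publish any new CA-signed CRL, then drop the
    signed revocation requests received since the last visit on the disk."""
    if "crl" in disk and verify(CA_KEY, disk["crl"]) is not None:
        published["crl"] = disk["crl"]
    for i, req in enumerate(pending_requests):
        disk[f"revoke-{i}"] = req
    pending_requests.clear()

def ca_job(disk, ca_state):
    """Offline side: consume requests, keep only those with a valid RA
    signature, issue a new CRL and delete every request (the CA never sees
    the network, so a forged request only costs a rejected file)."""
    for name in [n for n in disk if n.startswith("revoke-")]:
        payload = verify(RA_KEY, disk.pop(name))
        if payload is not None:
            ca_state["revoked"].add(payload["serial"])
    ca_state["crl_number"] += 1
    disk["crl"] = sign(CA_KEY, {"number": ca_state["crl_number"],
                                "revoked": sorted(ca_state["revoked"])})

def simulate():
    """One 6-hour cycle with a genuine request and a tampered copy of it."""
    disk, published, ca = {}, {}, {"revoked": set(), "crl_number": 0}
    good = sign(RA_KEY, {"serial": "0x1A2B", "reason": "keyCompromise"})
    bad = dict(good, body=good["body"].replace("0x1A2B", "0x9999"))  # forged
    directory_job(disk, [good, bad], published)   # disk on the Directory side
    ca_job(disk, ca)                              # relay switches disk to the CA
    directory_job(disk, [], published)            # back to the Directory
    return verify(CA_KEY, published["crl"])
```

The tampered request is dropped by the CA because its signature no longer matches its body, so the CRL published on the next Directory visit revokes only the serial the operator actually signed for.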


AirGap MkI


AirGap MkII


AirGap

• Benefits:
– Offline CA talking to an Online Directory automatically without bringing the CA online = reduced risk and reduced costs
– Potential replacement for 4 operators (2 folks, 2 shifts per day to manually move files back and forth) - $200K savings?
– Less work for Administrators due to automation of processes
– Reduced Audit? Audit the process once and then periodically check the logs, versus the detailed scrutiny of logs that may be required for a manual process
– Parts readily available, built for under $100


Discussion or Questions?


For More Information

• HEBCA Website: http://www.educause.edu/HEBCA/623

Scott Rea - [email protected]