HEPKI-TAG Activities & Globus and Bridges
Jim Jokl, University of Virginia
Fed/ED PKI Meeting, June 16, 2004
HEPKI-TAG Activities
- Sponsors: I2, Educause, NET@EDU
- Charter: Technical Activities Group (TAG)
  - Certificate profiles, CA software
  - Private key protection
  - Mobility, client issues
  - Interactions with directories
  - Testbed projects
  - Communicate results
- Process
  - Biweekly conference calls
  - Sessions at higher education events
HEPKI-TAG Projects
- Must-do items
  - Support the USHER / InCommon projects
  - Maintain & update existing documents and services
- Potential projects discussed and ranked at our meeting
  - Update work on S/MIME
  - Windows domain authentication
  - CA audits: preparing your internal audit department
  - EAP-TLS for wireless authentication
  - Update on hardware tokens: survey, documentation, recommendations
  - Introductory materials for sites getting started (CA software, applications, cookbook, etc.)
- Other possibilities discussed more briefly
  - Grid integration
  - Survey
  - Bridge testing
  - Document and webform signing
One version of the US Higher Education Root (USHER) discussion
[Diagram of one proposed USHER hierarchy: USHER Root at the top; a USHER-Lite / InCommon CA branch issuing Shib certs and certifying School CAs; a USHER Basic/Medium branch certifying School CAs]
USHER/InCommon Profile Discussions

  Decision                                          USHER   InCommon
  Trivial root with no "dots" (AIA, CPS, CRL etc.)  no      no
  Authority Information Access                      yes     yes
  PKCS7 vs. LDAP                                    both    both
  Domain Component naming                           no      no
  Email addresses                                   no      no
  Key Usage and CRLs                                yes     yes
  CPS pointer (to a redacted version)               yes     yes

- Validity: 10 years for the roots, 3 years for InCommon EE certs
Certificate Profiles
- InCommon EE Certificate
- USHER Root Profile
- InCommon Root Profile
- Profiles were derived from the PKI-Lite EE profile and the PKI-Lite Root profile
Introductory Materials: Aiding Initial Campus Deployments
- Recall our PKI-Lite framework
  - Using PKI for "standard" applications
  - Merged policy and practices document
  - Profiles with suggestions for implementers
  - Designed to support S/MIME, VPN, Web Authentication, etc.
  - Validated on other apps (e.g. Globus, document signing applications, etc.)
- New addition: PKI-Lite Recipe by Steven Carmody at Brown
- Changes to the Policy/Practices document
  - Feedback from NMI testbed sites on the language on the use of subordinate CAs on campus
- PKI-Lite never seems to be quite finished
Macintosh PKI and the PKI-Lite certificate profiles
- Working with an early version of Apple PKI on Mac OS 10
- Attempts to import PKI-Lite CREN-rooted certificates into the Macintosh development release to test S/MIME and EAP-TLS failed
  - Problem: Basic Constraints not marked critical (RFC 3280 requires the extension to be critical in CA certificates)
  - Many other root certificates have the same issue
- Result: the Apple release does now accept these certificate profiles
- More importantly: we modified the PKI-Lite profiles to more closely follow the RFCs
Eudora and S/MIME
- Eudora is the only significant remaining email client lacking native S/MIME support
- Mulberry and Apple now include support, along with some WebMail products
- Qualcomm just released Eudora 6.1
  - Assumption is that they are now setting functionality goals for the next major release
- Plan: HEPKI-TAG to coordinate as many parties as possible to endorse a letter to Qualcomm requesting S/MIME support
Wireless LAN Access Control (comparison of EAP methods; source: wi-fiplanet.com)

EAP-MD5
  Server authentication:     none
  Supplicant authentication: password hash
  Dynamic key delivery:      no
  Security risks:            identity exposed, dictionary attack, MitM attack, session hijacking

LEAP
  Server authentication:     password hash
  Supplicant authentication: password hash
  Dynamic key delivery:      yes
  Security risks:            identity exposed, dictionary attack

EAP-TLS
  Server authentication:     public key
  Supplicant authentication: public key
  Dynamic key delivery:      yes
  Security risks:            identity exposed

EAP-TTLS
  Server authentication:     public key
  Supplicant authentication: CHAP, PAP, MS-CHAP(v2), EAP
  Dynamic key delivery:      yes
  Security risks:            MitM attack

PEAP
  Server authentication:     public key
  Supplicant authentication: any EAP, like EAP-MS-CHAPv2 or public key
  Dynamic key delivery:      yes
  Security risks:            MitM attack

Note: the MitM risk listed for EAP-TTLS and PEAP arises when the supplicant does not validate the RADIUS server's certificate, so the TLS tunnel (and the password method inside it) terminates at the attacker.
EAP-TLS Process
1. The user verifies the RADIUS server's identity using PKI
2. The RADIUS server verifies the user's identity using PKI
3. An authorization step may happen
4. Association is allowed and dynamic session keys are exchanged
[Diagram: User, Access Point, RADIUS Server, LDAP AuthZ]
Support for EAP-TLS
- Operating system support
  - Windows XP, Windows 2000 SP4*
  - Mac OS (10.3.3)
  - 3rd-party software available
- Should be very easy to use: no account management, passwords, etc.
- The AuthZ step makes it easy to keep hacked machines off of the WLAN
* base OS functionality only
EAP-TLS and the Microsoft Clients
- Microsoft field in the certificate for AuthN: Subject Alt Name / Other Name / Principal Name, OID 1.3.6.1.4.1.311.20.2.3 (the User Principal Name, UPN)
- If it is not present, the client uses the CN
  - Uniqueness issues for many CAs: the CN is often neither unique nor an account name
- Easy to add to your certificate profile
- Impact on the PKI-Lite certificate profiles: agreed to add this extension to the EE cert profile
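The following is an added example, not from the slides or from HEPKI-TAG: it issues a test end-entity certificate carrying the Microsoft Principal Name otherName described above, then reads the name back the way the Windows supplicant selects it (UPN if present, CN otherwise). The domain, the sample user, the file names and the 30-day validity are assumptions; only OpenSSL and awk/sed are used.

```shell
#!/bin/sh
# Added example (not part of the original slides): certificate with the
# Microsoft UPN otherName in subjectAltName, and extraction of the identity
# a Windows EAP-TLS client would use. Sample names are assumptions.
set -e

UPN_OID=1.3.6.1.4.1.311.20.2.3   # Microsoft "Principal Name" otherName type

# make_upn_cert DIR UPN CN -> self-signed test cert DIR/cert.pem, key DIR/key.pem
make_upn_cert() {
    dir=$1; upn=$2; cn=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/DC=edu/DC=example/CN=$cn" \
        -addext "subjectAltName=otherName:$UPN_OID;UTF8:$upn" \
        -addext "extendedKeyUsage=clientAuth" 2>/dev/null
}

# san_offset CERT -> DER offset of the subjectAltName OCTET STRING (empty if none)
san_offset() {
    openssl asn1parse -in "$1" |
        awk '/Subject Alternative Name/ {f=1; next}
             f && /OCTET STRING/ {sub(/:.*/, "", $1); print $1; exit}'
}

# upn_from_cert CERT -> UTF8String of the UPN otherName, or nothing
upn_from_cert() {
    off=$(san_offset "$1")
    [ -n "$off" ] || return 0
    # -strparse descends into the OCTET STRING so the GeneralNames become visible;
    # the OID prints as its long name, short name or dotted form depending on version
    openssl asn1parse -in "$1" -strparse "$off" |
        awk '/Principal Name|msUPN|1\.3\.6\.1\.4\.1\.311\.20\.2\.3/ {f=1; next}
             f && /UTF8STRING/ {sub(/.*:/, ""); print; exit}'
}

# eap_identity CERT -> UPN if present, else the CN (which may not be unique)
eap_identity() {
    id=$(upn_from_cert "$1")
    if [ -n "$id" ]; then
        echo "$id"
        return 0
    fi
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
```

In an openssl.cnf-driven CA profile the same `otherName:1.3.6.1.4.1.311.20.2.3;UTF8:...` value goes in the EE section's `subjectAltName` line, so the UPN is set per certificate at issuance rather than by the requester.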
Other Projects on the "List"
- Some progress
  - Update of S/MIME work
  - Grid integration
  - Bridge application testing
- In the queue
  - CA audit preparation & education
  - Windows smart card login
  - Update hardware token work
  - Document and web form signing
  - Updated survey of schools and applications
  - Insert your item here
Campus Globus Implementations
- The Globus toolkit uses PKI for authentication of users and resources
  - A proxy certificate is used internally
  - A file (the grid-mapfile) maps certificates to login names
- Campus CA integration is complicated by the Globus interface
  - Campus CAs and OS-exported certificates are generally in PKCS-12 format
  - Globus expects raw PEM files for the certificate and the private key
Implementing Globus on Campus
- Certificate profile: a standard profile (e.g. PKI-Lite) works well with Globus
- Use of a campus CA with Globus
  - Different research groups on campus can share resources
  - Prepares for intercampus applications
    - Campus CA part of a hierarchy
    - Cross certification
NMI Testbed Globus Project Goals
- Support the use of native campus CAs in Globus so that users can do all of their work using one set of credentials
- Create some tools and documentation to make this easier with Globus
- Scope intercampus Grid trust issues
  - Preparing to leverage other Higher Education PKI efforts
    - Higher Education Bridge CA (HEBCA)
    - US Higher Education Root CA (USHER)
Schematic of Grid Testbed PKI Integration Goal
[Diagram: Campus A through Campus F Grids; A's PKI, B's PKI and C's PKI cross-certified with a Testbed Bridge CA; a Shibbolized Testbed CA; labels: cross-cert pairs, user certs, PKI bridge path validation]
Globus and Bridges
- Initial result: Globus appears to work with cross-certificates
  - All needed cross-certificates must be loaded into the /etc/grid-security/certificates directory
  - No directory-based discovery of cross-certificates, as in many bridge environments
  - It appears that the certificates for intermediate CAs in a hierarchy that is then bridged must also be preloaded
- It would be great if Globus could use the Authority Information Access field to dynamically find needed certificates
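Because Globus does no discovery, every CA, intermediate and cross-certificate on a path has to be preloaded by hand. The following is an added example, not from the slides or from the Globus project, of what that preloading involves: the certificate goes into the trust directory under its OpenSSL subject hash, and a `signing_policy` file naming the CA and the subject namespace it may sign for must sit beside it or GSI rejects the CA. The trust directory and the namespace pattern are assumptions; the `.N` suffix handling matters for bridges because a CA's self-signed certificate and the cross-certificate the bridge issued to it share a subject and therefore a hash.

```shell
#!/bin/sh
# Added example (not part of the original slides): install a CA, intermediate
# or cross-certificate into a Globus trust directory. Paths are assumptions.
set -e

# install_ca CERT.pem TRUSTDIR NAMESPACE
#   NAMESPACE is the subject prefix the CA is allowed to sign for,
#   e.g. '/DC=edu/DC=example/*'. Prints the path the certificate was stored under.
install_ca() {
    cert=$1; dir=$2; ns=$3
    mkdir -p "$dir"
    hash=$(openssl x509 -in "$cert" -noout -hash)
    # Old-style "/C=US/O=..." form, which is what signing_policy files use
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt compat |
              sed 's/^subject= *//')
    # Same subject => same hash: a bridged CA's own cert and its cross-cert
    # collide, so take the next free suffix (.0, .1, ...) as OpenSSL lookup does
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    cp "$cert" "$dir/$hash.$n"
    chmod 0644 "$dir/$hash.$n"
    # One policy per CA name: without it GSI refuses every cert from this CA
    [ -e "$dir/$hash.signing_policy" ] ||
        cat > "$dir/$hash.signing_policy" <<EOF
access_id_CA      X509         '$subject'
pos_rights        globus       CA:sign
cond_subjects     globus       '"$ns"'
EOF
    echo "$dir/$hash.$n"
}
```

The hash comes from `openssl x509 -hash` of the OpenSSL you run; OpenSSL 1.0.0 changed the algorithm, so for a Globus built against 0.9.x (as in 2004) the file name is the value of `-subject_hash_old` instead, and installing the certificate under both names is the usual compromise.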
Globus and Bridges: 2nd phase testing
- Built a "production" bridge for the testbed: a dedicated laptop running OpenSSL
- Cross-certified UVa, UAB, USC, and TACC
- Results (so far)
  - Bridge path validation OK for EE certs
  - Server certificate validation not working via the bridge
  - The bridge itself is fine; e.g. Windows XP validates in both directions
- More work in progress: just installed the latest NMI R5 Globus
NMI Testbed Project
- In addition to building the testbed grid via cross-certification, we plan to explore a few tools
  - A credential converter web site that takes a PKCS-12 (as is available in most enterprise CAs) and returns the PEM files needed by Globus
  - A tool to chase down cross-certificates from AIA fields and build the needed Globus links and signing policy files
  - Potentially a Shibboleth-based CA that could provide certificates for campuses that are not yet operating an enterprise CA
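The conversion behind the credential-converter idea, and behind the PKCS-12 versus raw-PEM mismatch noted on the Campus Globus Implementations slide, is shown below as an added example; it is not the testbed's tool or Globus code. It takes an exported PKCS#12 and produces the two files GSI reads from ~/.globus, keeping the key owner-readable only, which grid-proxy-init insists on. The output paths and the sample identity are assumptions. Doing this locally is also preferable to handing a private key and its password to a web site.

```shell
#!/bin/sh
# Added example (not part of the original slides): PKCS#12 credential to the
# separate PEM certificate and key files Globus expects. Paths are assumptions.
set -e

# p12_to_globus CRED.p12 PASSWORD OUTDIR -> OUTDIR/usercert.pem, OUTDIR/userkey.pem
p12_to_globus() {
    p12=$1; pw=$2; out=$3
    mkdir -p "$out"
    # End-entity certificate only (-clcerts, -nokeys); re-encode through x509
    # to drop the "Bag Attributes" header lines that pkcs12 emits
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys 2>/dev/null |
        openssl x509 -out "$out/usercert.pem"
    # Unencrypted key (-nodes), written under a restrictive umask so it is never
    # world-readable, not even briefly; pkey strips the bag attributes again
    (
        umask 077
        openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes 2>/dev/null |
            openssl pkey -out "$out/userkey.pem"
    )
    chmod 0644 "$out/usercert.pem"
    chmod 0600 "$out/userkey.pem"
}

# key_matches_cert KEY CERT -> success when the key's public half is the cert's
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
```

Leaving the key unencrypted (`-nodes`) is what most Globus users did so that grid-proxy-init can run unattended; if the key file is instead written encrypted (drop `-nodes`), grid-proxy-init prompts for the passphrase each time a proxy is created.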
Where to watch
- middleware.internet2.edu/hepki-tag (links to other sites, CA software, etc.)
- NET@EDU PKI for Networked Higher Ed: www.educause.edu/netatedu/groups/pki
- www.educause.edu/hepki
- pkidev.internet2.edu
- PKI Labs: middleware.internet2.edu/pkilabs