PKIforAcademia Educause2002 JJMiller
Added: October 03, 2007

Presentation Transcript

Copyright Statement:
Copyright Robert J. Brentrup and Sean W. Smith 2002. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Developing and Deploying a PKI for Academia:
Robert Brentrup, Sean Smith
Educause Conference, October 2002

Dartmouth PKI Lab:
- R&D to make PKI a practical component of a campus network
- Multi-campus collaboration sponsored by the Mellon Foundation
- Dual objectives:
  - Deploy existing PKI technology to improve network applications
  - Improve the current state of the art
    - identify security issues in current products
    - develop solutions to the problems

Community:
- Many other institutions are working on PKI.
- Internet2 has been very active in promoting this work establishing PKI Labs at Dartmouth and the University of Wisconsin.
- I2 HEPKI-TAG, -PAG, -S/MIME
- Educause Net@EDU and CREN
- 1st Annual PKI Research Workshop
  - Sean Smith: program chair, proceedings editor

What is PKI?:
- PKI is Public Key Infrastructure
- A pair of keys is used, one to encrypt, the other to decrypt

Public and Private Keys:
- You publish the "public" key
- You keep the "private" key a secret
- You don't need to exchange a secret "key" by some other channel
- Invented in 1976 by Whit Diffie and Martin Hellman
- Commercialized by RSA Security

Basic applications of PKI:
- Authentication and Authorization of Web users and servers
  - It is the basis for the SSL protocol used to secure web connections
- Secure e-mail (signed and encrypted)
- Electronic document signatures
- Network link data protection (VPN, wireless)
- Signing Program Code

Why would I use PKI?:
- Effective security has become crucial to extend electronic communication and business processes beyond the current state of the art.
- Legislative mandates are requiring it.

What is X.509?:
- A standard for the format of a public key certificate and related standards for how certificates are used.
- Current PKI product offerings inter-operate through this standard
- There are many other possible formulations, e.g. SDSI/SPKI
- Is X.509 THE solution?

What is a certificate?:
- Signed data structure that binds some information to a public key
- The information is usually a personal identity or a server name
- Think of it as an electronic ID card

Basic Public Key Operations:
- Encryption
  - encrypt with public key of recipient
  - only the recipient can decrypt with their private key

Basic Public Key Operations:
- Signature
  - Compute message digest, encrypt with your private key
  - Reader decrypts with your public key
  - Re-compute the digest and compare the results, Match?

What is a certificate authority?:
- An organization that creates and publishes certificates
- Verifies the information in the certificate
- Protects general security of the system and its records
- Allows you to check certificates and decide to use them in business transactions

What is a CA certificate?:
- A certificate authority generates a key pair used to sign the certificates it issues
- For multiple institutions to collaborate:
  - Hierarchical structure is set up among their CAs
  - Bridge Certification Authorities, "peer to peer" approach

Hierarchy:

or Bridge?:

Deployment Results:
- PKI applications in production use
  - develop more and scale up campus wide
- Electronically signed Payroll Applications
- Replace Web authentication
  - Banner SIS, other Oracle apps, same mechanism
- Library resource access control, local and JSTOR
- Electronic document signatures
  - NIH pilot, replace paper forms

Deployment issues?:
- Learning curve for planning a PKI is steep
- PKI is as much about Policy as Technology
- Commercial products have shortcomings:
  - Many are expensive
  - Some are hard to install and operate
  - Many compatibility issues and user constraints
- Many applications only interesting if available to the entire "community"
- Many products have serious security issues

External Results:
- Extensive compatibility testing results published on websites
- Implemented multiple PKI system products, notes available
- Publishing example code derived from new applications
- Notes on PKI libraries and tool kits
- Tools and additions to existing applications, e.g.
  browser mods and S/MIME plugins

Next Steps:
- Applications
  - Workflow, signatures
  - Secure mail for Student health Services - HIPAA
  - PKI enhanced List-servers
  - Wireless network data protection
  - Databases and E-commerce
- Improvements in Infrastructure
  - Key storage hardening
    - Tokens, smartcards, coprocessors
  - Enrollment improvements
  - Trusted Third Party Services

Research Agenda:
- Expression of Trust
  - PKI system that can be managed and issued by different authorities, but from which many parties can draw judgments.
- Trust Attributes for Machines
  - machines throughout network to actually have the right certs...
- Using Trust at Clients
  - client tools that can reliably recognize and react to these properties…
- Using Trust in Applications
  - applications to obtain, react, and respond to this information
- Foundations of Trust
  - techniques to establish a basis for trust in computation in hostile places.

End User Studies:
- Understanding Incentives and Concerns
- User Concerns, Understanding, Behavior
- Vulnerability Analysis
  - How easily can users be conned into revealing passphrases?
- Usability of trusted server techniques
- PKI Interface Dynamics, Usefulness, Reliability
- Perception of Privacy
- Institutional Evolution for Security/Trust

Research Results:
- User interface of most web applications is insecure
  - Web browser display can be replaced
    - SSL lock icon and the server certificate window!
- Prevent subverted window content
  - Mozilla mods, synchronized reference window
- SSL is an "Armored pipe to a cardboard box"
  - Secure Apache web server (WebAlps)
- Documents with active content are not secure
  - Signed e-mails that display subverted content
- Methods for stealing private key

Papers:
- Trusted Paths for Browsers
  USENIX Security 2002
- Prototyping an Armored Data Vault: Rights Management on Big Brother's Computer.
  Privacy-Enhancing Technology 2002
- Digital Signature and Electronic Documents: A Cautionary Tale
  Sixth IFIP Conference on Communications and Multimedia Security

Papers:
- Virtual Hierarchies: An Architecture for Building and Maintaining Efficient and Resilient Trust Chains
  NORDSEC 2002
- Web Spoofing Revisited: SSL and Beyond
- Outbound Authentication for Programmable Secure Coprocessors
  7th European Symposium on Research in Computer Science

Demo - Digital Signatures:
- People frequently take actions on paper documents for personal or official purposes: e.g., signing forms, expense sheets and contracts.
- PKI allows approval and verification of bits.
- Can PKI produce and verify electronic documents so that they work like virtual paper docs?

Virtual Paper?:
- Paper documents and electronic documents are different.
- Do the same bits always generate the same virtual piece of paper?
- If not then PKI on electronic docs does not work!

When viewed on 09/16/02:

When viewed after 09/16/02:

Same bits different content:

Demos:
- JSTOR Access
  - Current: http://www.jstor.org/
  - PKI: https://logon.jstor.org/logon/remote/
- Web Browser Spoofing (IE or Netscape on Win and Linux)
  http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/
  - Misleading URLs
  - E-mail site illusion
- Counter Measures
  http://www.cs.dartmouth.edu/~pkilab/demos/countermeasures/

Contacts:
http://www.dartmouth.edu/~pkilab/
Mail: sws@cs.dartmouth.edu, Robert.J.Brentrup@dartmouth.edu
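
The signature steps from the "Basic Public Key Operations" slide and the "Same bits different content" demo, combined in one added example that is not part of the presentation. It assumes a toy unpadded RSA key built from two Mersenne primes and a hypothetical `{{after DATE: new | old}}` active-content field; the sample document is constructed.

```python
import hashlib
import re
from datetime import date

# Toy textbook RSA from two Mersenne primes: constructed for this example,
# unpadded and far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    # Slide: "Compute message digest, encrypt with your private key"
    return pow(digest(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    # Slide: "Reader decrypts with your public key", re-computes, compares
    return pow(sig, E, N) == digest(data)

# Hypothetical active-content field: {{after YYYY-MM-DD: new | old}}
FIELD = re.compile(r"\{\{after (\d{4})-(\d\d)-(\d\d): (.*?) \| (.*?)\}\}")

def render(doc: bytes, today: date) -> str:
    """What a viewer displays; the field makes it depend on the viewing date."""
    def pick(m):
        y, mo, d, new, old = m.groups()
        return new if today > date(int(y), int(mo), int(d)) else old
    return FIELD.sub(pick, doc.decode())

def has_active_content(doc: bytes) -> bool:
    """Verifier-side check: flag display that depends on more than the signed bits."""
    return FIELD.search(doc.decode()) is not None

def demo():
    doc = b"Amount approved: {{after 2002-09-16: 9500 | 95}} USD"  # constructed
    sig = sign(doc)
    on_day = render(doc, date(2002, 9, 16))
    later = render(doc, date(2002, 9, 17))
    return verify(doc, sig), on_day, later, has_active_content(doc)

if __name__ == "__main__":
    valid, on_day, later, active = demo()
    print("signature valid:      ", valid)
    print("viewed on 09/16/02:   ", on_day)
    print("viewed after 09/16/02:", later)
    print("active content found: ", active)
```

The signature stays valid for both renderings because it covers the bytes, not what the viewer shows; `has_active_content` marks the point where a verifier would decline to treat the document as virtual paper.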