Bridging Higher Education PKIs
PKI Summit, August 2006, Snowmass, Colorado
Overview
• What are the drivers for PKI in Higher Education?
  • Stronger authentication to resources and services of an institution
  • Better protection of digital assets from disclosure, theft, tampering, and destruction
  • More efficient workflow in distributed environments
  • Greater ability to collaborate and reliably communicate with colleagues and peers
  • Greater access (and more efficient access) to external resources
  • Facilitation of funding opportunities
  • Compliance

Overview
• Potential killer apps for PKI in Higher Education
  • S/MIME
  • Paperless office workflow
  • EFS
  • Shibboleth/Federations
  • GRID computing enabled for federations
  • E-grants facilitation

Overview
• PKI choices for Higher Education
  • Outsourced everything
  • Outsourced managed services, internal RAs
  • Internal operations:
    • Community root | Campus root
    • Community policy | Campus policy
    • CA software: commercial | vendor | open source | RYO (roll your own)
Creating Silos of Trust (diagram: an Institution's departmental CAs (Dept-1) with their SubCAs, and USHER, drawn as separate hierarchies with no trust relationship between them)
LOA: Levels of Assurance
• Not all CAs are created equal
• The policies adhered to vary in detail and strength:
  • Protection of private keys
  • Controls around private key operations
  • Separation of duties
  • Trustworthiness of operators
  • Auditability
  • Authentication of end entities
  • Frequency of revocation updates

HEBCA: Higher Education Bridge Certificate Authority
• Bridge Certificate Authority for US Higher Education
• Modeled on the FBCA
• Provides cross-certification between the subscribing institution and the HEBCA root CA
• Flexible policy implementations through the mapping process
• The HEBCA root CA and infrastructure are hosted at Dartmouth College
• Facilitates inter-institutional trust between participating schools
• Facilitates inter-federation trust between the US Higher Education community and external entities

HEBCA
• What is the value presented by this initiative?
  • HEBCA facilitates a trust fabric across all of US Higher Education so that credentials issued by participating institutions can be used (and trusted) globally, e.g. signed and/or encrypted email, digitally signed documents (paperless office), etc. can all be trusted inter-institutionally and not just intra-institutionally
  • Extensions of the Higher Education trust infrastructure into external federations are also possible; proof-of-concept work with the FBCA (via BCA cross-certification) has demonstrated this inter-federation trust extension
  • Single credential accepted globally
  • Potential for stronger authentication and possibly authorization of participants in grid-based applications
  • Contributions provided to the Path Validation and Path Discovery development efforts
Solving Silos of Trust (diagram: the same Institution's departmental CAs (Dept-1) and SubCAs, now linked through HEBCA, which in turn connects to the FBCA, CAUDIT PKI and USHER)
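The path discovery and policy mapping that a bridge makes possible, as an added example that is not part of the original deck or the HEBCA project's code: two constructed campus roots are each cross-certified only with a bridge, and a relying party in one campus decides whether to accept a certificate from the other by discovering a path through the bridge and carrying its own policy identifiers across the cross-certificates' policy mappings. The CA names, policy identifiers and cross-certificates are assumptions, and the policy processing is a deliberate simplification of RFC 5280 (no anyPolicy, no inhibit or require-explicit-policy flags).

```python
"""Bridge-style path discovery and policy mapping across cross-certified CAs.

Added example, not HEBCA code. The CA names, policy identifiers and
cross-certificates are constructed; policy processing is a simplification
of RFC 5280 (no anyPolicy, no inhibit/require flags).
"""
from collections import namedtuple

# A cross-certificate from `issuer` to `subject`: the policies the issuer
# asserts for certificates under `subject`, expressed in the issuer's own
# terms, plus the issuerDomainPolicy -> subjectDomainPolicy mappings it carries.
CrossCert = namedtuple("CrossCert", "issuer subject policies mappings")

# Constructed federation: two campus roots, each cross-certified only with
# the bridge. Campus A was mapped at medium and basic; Campus B at basic only.
CROSS_CERTS = [
    CrossCert("CampusA-Root", "HEBCA", {"A:medium", "A:basic"},
              {"A:medium": "HEBCA:medium", "A:basic": "HEBCA:basic"}),
    CrossCert("HEBCA", "CampusA-Root", {"HEBCA:medium", "HEBCA:basic"},
              {"HEBCA:medium": "A:medium", "HEBCA:basic": "A:basic"}),
    CrossCert("HEBCA", "CampusB-Root", {"HEBCA:basic"},
              {"HEBCA:basic": "B:basic"}),
    CrossCert("CampusB-Root", "HEBCA", {"B:basic"},
              {"B:basic": "HEBCA:basic"}),
]


def find_paths(anchor, target, cross_certs, visited=frozenset()):
    """Path discovery: every loop-free chain of cross-certs from the relying
    party's trust anchor to the CA that issued the end-entity certificate."""
    if anchor == target:
        yield []
        return
    for cc in cross_certs:
        if cc.issuer == anchor and cc.subject not in visited:
            for rest in find_paths(cc.subject, target, cross_certs, visited | {anchor}):
                yield [cc] + rest


def valid_policies(path, ee_policies):
    """Policy processing along a path. `tracked` maps each policy still valid,
    named in the trust anchor's domain, to its name in the domain of the CA
    reached so far; a policy is dropped at the first cross-cert that does not
    assert it and renamed wherever the cross-cert carries a mapping."""
    tracked = None
    for cc in path:
        if tracked is None:                       # first hop fixes the anchor's policy set
            tracked = {p: p for p in cc.policies}
        tracked = {a: cc.mappings.get(c, c) for a, c in tracked.items() if c in cc.policies}
    if tracked is None:                           # empty path: the anchor issued the cert itself
        return set(ee_policies)
    return {a for a, c in tracked.items() if c in ee_policies}


def accept(anchor, acceptable, ee_issuer, ee_policies, cross_certs=CROSS_CERTS):
    """Relying-party decision: (path, matching policies) for the first path
    that validates the end-entity certificate under an acceptable policy,
    or None when no path exists or none reaches the required level."""
    for path in find_paths(anchor, ee_issuer, cross_certs):
        matched = valid_policies(path, ee_policies) & acceptable
        if matched:
            return [cc.issuer + "->" + cc.subject for cc in path], matched
    return None


if __name__ == "__main__":
    print(accept("CampusA-Root", {"A:basic"}, "CampusB-Root", {"B:basic"}))
    print(accept("CampusA-Root", {"A:medium"}, "CampusB-Root", {"B:basic"}))
```

Without the bridge edges there is no path at all, which is the silo the diagrams describe; with them, whether a path is accepted depends on the LOA at which the bridge mapped each member, so a campus cross-certified at BASIC cannot satisfy a relying party that insists on its own medium policy, even though a path exists.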
HEBCA Project - Progress
• What's been done so far?
  • Operational Authority (OA) contractor engaged (Dartmouth PKI Lab)
  • MOA with commercial vendor for infrastructure hardware (Sun)
  • MOA with commercial vendor for CA software and licenses (RSA)
  • Policy Authority formed
  • Prototype HEBCA operational and cross-certified with the Prototype FBCA (new Prototype instantiated by the HEBCA OA)
  • Prototype Registry of Directories (RoD) deployed at Dartmouth
  • Production HEBCA CP produced
  • Production HEBCA CPS produced
  • Preliminary policy mapping completed with the FBCA
  • Test HEBCA CA deployed and cross-certified with the Prototype FBCA
  • Test HEBCA RoD deployed
  • Infrastructure has passed interoperability testing with the FBCA

HEBCA Project - Progress
• What's been done so far?
  • Production HEBCA development phase complete
  • Issues resolved:
    • Discovery of a vulnerability in the protocol for indirect CRLs
    • Inexpensive AirGap
    • Citizenship requirements for Bridge-2-Bridge interoperability
  • Majority of supporting documentation finalized:
    • HEBCA Cross-Certification Criteria and Methodology
    • HEBCA Interoperability Guidelines
    • Draft Memorandum of Understanding
    • HEBCA Subscriber Agreement
    • HEBCA Certificate Profiles
    • HEBCA CRL Profiles
    • HEBCA Secure Personnel Selection Procedures
    • Business Continuity and Disaster Plans for HEBCA Operations
  • PKI Test Bed server instantiated
  • PKI Interoperability Pilot migrated
  • Reassessment of community needs
  • Audit process defined and auditors engaged
  • Participation in industry working groups
  • Almost ready for audit and production operations

HEBCA Project - Next Steps
• What are the next steps?
  • HEBCA to operate at multiple LOAs over its lifetime
  • Update of policy documents and procedures required to reflect the above
  • HEBCA to operate at BASIC LOA initially
  • Issue the HEBCA Basic Root
  • Purchase final items and bring the infrastructure online
  • Cross-certify a limited community of interested early adopters and key federations
  • Validate the model and continue to develop tools for bridge-aware applications

Challenges and Opportunities
• Community applicability
  • If we build it they will come
  • Chicken-and-egg profile for infrastructure and applications
  • An appropriate business plan
• Consolidation and synergy
  • Are USHER and HEBCA competing initiatives?
  • Benefits of a common infrastructure
• Alignment with policies of complementary communities
  • Shibboleth / InCommon
  • Grids (TAGPMA)

Challenges and Opportunities
• Open tasks
  • Audit
  • Updated business plan
  • Mapping grid profiles
    • Classic PKI
    • SLCS
  • Promotion of the PKI Test Bed
  • Validation Authority service
  • Cross-certification with the FBCA
  • Cross-certification with other HE PKI communities
    • CAUDIT PKI (AusCERT)
    • HE JP
    • HE BR
Proposed Inter-federations (diagram: HEBCA at the centre, cross-certified with the FBCA, USHER, CAUDIT PKI (AusCERT), HE JP, HE BR and other bridges such as CertiPath and SAFE; named cross-certs in the figure include DST ACES, NIH, Texas, Dartmouth, Wisconsin and UVA, with further member CAs shown only as CA-1 to CA-n and Univ-N)
AirGap
• The problem:
  • Offline CA
  • High-availability online Directory
  • CRL generation and publication every 6 hours
  • Dual access/authorization for private key operations
  • Handling of after-hours certificate revocation requests
  • Limited resources

AirGap
• The AirGap solution:
  • Asynchronous storage device for shuttling signed data between the CA and the Directory (technically no different from a floppy-based sneaker net used in similar situations in industry, e.g. the FBCA)
  • Storage is never connected to both devices at the same time: hardware enforces an "air gap"
  • Periodic checking on each side to see if the storage device is available
  • Directory reads any new CRL and publishes it, and posts a signed revocation request when one is received
  • CA reads any new revocation requests, verifies the signature, creates a new CRL, and deletes the request
  • Storage is connected to the online Directory for 5 minutes every 6 hours, otherwise to the offline CA, in order to minimize risk

AirGap
• Components:
  • Sewell Manual Share USB Switch
  • 5V relay
  • 5V AC adapter
  • Power timer
  • Crucial 1 GB flash disk
  • Cron jobs running on both connection end points
  • Signed objects passed back and forth

AirGap
• Benefits:
  • Offline CA talking to an online Directory automatically without bringing the CA online = reduced risk and reduced costs
  • Potential replacement for 4 operators (2 people, 2 shifts per day, to manually move files back and forth): $200K savings?
  • Less work for administrators due to automation of processes
  • Reduced audit? Audit the process once and then periodically check logs, versus the detailed scrutiny of logs a manual process may require
  • Parts readily available, built for under $100
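The shuttle protocol described on the AirGap slides, as an added simulation that is not the HEBCA project's code: the USB switch, relay and timer are modelled as a media object attached to one endpoint at a time, each endpoint's cron job is a method that does nothing unless the media is present, and HMAC-SHA256 stands in for the X.509 signatures on the real CRLs and revocation requests. The keys, file names and record fields are assumptions.

```python
"""Simulated AirGap shuttle between an offline CA and an online directory.

Added example, not the HEBCA project's code. The USB switch, relay and
timer are modelled by a Media object attached to one side at a time;
HMAC-SHA256 stands in for the X.509 signatures on the real CRLs and
revocation requests. Keys, file names and record fields are assumed.
"""
import hashlib
import hmac
import json

CA_KEY = b"offline-ca-signing-key"          # assumed: lives only on the offline CA
RA_KEY = b"revocation-request-signing-key"  # assumed: held by the online side's RA
CRL_INTERVAL = 6 * 3600                     # a new CRL every 6 hours, as on the slide
WINDOW = 5 * 60                             # media spends 5 minutes with the directory


def sign(key, obj):
    """Canonical JSON plus a MAC: the 'signed object' written to the media."""
    body = json.dumps(obj, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def verify(key, envelope):
    """The decoded object, or None when the MAC does not check out."""
    want = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    return json.loads(envelope["body"]) if hmac.compare_digest(want, envelope["mac"]) else None


class Media:
    """The flash disk: a file store the switch attaches to at most one endpoint."""
    def __init__(self):
        self.files, self.attached_to = {}, None

    def switch(self, side):                     # the relay flips the USB switch
        self.attached_to = side


class OfflineCA:
    def __init__(self):
        self.revoked, self.rejected, self.crl_number, self.last_issue = set(), [], 0, None

    def exchange(self, media, now):
        """Cron job on the CA: ingest requests, issue a CRL when one is due."""
        if media.attached_to != "ca":
            return False
        accepted = 0
        for name in [n for n in media.files if n.startswith("revoke-")]:
            req = verify(RA_KEY, media.files.pop(name))   # request is deleted either way
            if req is None:
                self.rejected.append(name)                # forged or corrupt: never acted on
            else:
                self.revoked.add(req["serial"])
                accepted += 1
        due = self.last_issue is None or now - self.last_issue >= CRL_INTERVAL
        if accepted or due:
            self.crl_number += 1
            self.last_issue = now
            media.files["crl.json"] = sign(CA_KEY, {
                "number": self.crl_number, "this_update": now,
                "next_update": now + CRL_INTERVAL, "revoked": sorted(self.revoked)})
        return True


class OnlineDirectory:
    def __init__(self):
        self.published, self.pending = None, []

    def request_revocation(self, serial, reason):
        """An after-hours revocation request received while the CA is unreachable."""
        self.pending.append({"serial": serial, "reason": reason})

    def exchange(self, media):
        """Cron job on the directory: publish a fresher CRL, post queued requests."""
        if media.attached_to != "directory":
            return False
        env = media.files.get("crl.json")
        crl = verify(CA_KEY, env) if env else None
        # only a genuine CRL with a higher number than the one served replaces it (no replay)
        if crl and (self.published is None or crl["number"] > self.published["number"]):
            self.published = crl
        for req in self.pending:
            media.files["revoke-%s.json" % req["serial"]] = sign(RA_KEY, req)
        self.pending.clear()
        return True


def run_day(ca, directory, media, requests_at):
    """One day on the timer: the media sits with the CA and flips to the
    directory for WINDOW seconds at the start of every CRL_INTERVAL.
    requests_at maps a time of day in seconds to (serial, reason) requests."""
    for t in range(0, 24 * 3600, 60):                  # one-minute cron ticks
        for serial, reason in requests_at.get(t, []):
            directory.request_revocation(serial, reason)
        if t % CRL_INTERVAL < WINDOW:
            media.switch("directory")
            directory.exchange(media)
        else:
            media.switch("ca")
            ca.exchange(media, t)
    return directory.published


if __name__ == "__main__":
    # constructed input: one after-hours request at 03:00
    print(run_day(OfflineCA(), OnlineDirectory(), Media(), {10800: [("1234", "keyCompromise")]}))
```

Two checks are worth keeping in any real implementation of this pattern: the CA verifies and then deletes every request file, so a forged request is never acted on and a genuine one is not processed twice, and the directory publishes a CRL only if it verifies and carries a higher CRL number than the one already served, so a stale file left on the media cannot roll the published CRL backwards. The schedule also bounds revocation latency: a request queued just after a window is posted at the next one, and the CRL that results is only published at the window after that, so up to two intervals can pass before a revocation is visible.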
For More Information
• HEBCA website: http://www.educause.edu/HEBCA/623
• Scott Rea - Scott.Rea@dartmouth.edu