1 / 21

X.509 at the University of Michigan

X.509 at the University of Michigan. CIC-RPG Meeting June 7, 1999 Kevin Coffman (kwc@umich.edu) Bill Doster (billdo@umich.edu). Project Goals. Transparent Web Authentication Eliminate password prompts Lotus Notes Authentication Position for inter-institution Authentication. Non-Goals.

macha
Télécharger la présentation

X.509 at the University of Michigan

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. X.509 at theUniversity of Michigan CIC-RPG Meeting June 7, 1999 Kevin Coffman (kwc@umich.edu) Bill Doster (billdo@umich.edu)

  2. Project Goals • Transparent Web Authentication • Eliminate password prompts • Lotus Notes Authentication • Position for inter-institution Authentication

  3. Non-Goals • Not a complete PKI • Not to be used for document signing • Not to be used for encryption • Not a complete replacement of the current cookie method

  4. Why X.509? • An accepted standard • Application support out of the box • Web servers, web browsers, directory servers, IMAP servers, etc. • Allows the possibility for inter-institution authentication • No need for N²-1 cross-realm trusts

  5. Description • Use short-term (approximately 1 day) certificates - “Junk Keys” • Obtain certificates securely • For Authentication ONLY! • Use OpenSSL for creating and signing certificates

  6. Why “Junk Keys”? • Revocation becomes a non-issue • Private Key storage is less an issue • Certificate publication for sharing is not necessary • Certificate management is less critical

  7. Drawbacks • Cannot be used for signing or encryption • Not possible to verify certificate via LDAP

  8. Options for obtaining theCA’s Certificate • Bake it into browsers we distribute • Via a web interface using SSL and Verisign Certificate • Store it in the file-system

  9. Obtaining CACertificate via Web Green lines imply SSL Protected Browser Netscape or Internet Explorer CA Apache + OpenSSL + Scripts + Verisign Certificate Certificate

  10. Options for obtaining theUser Certificate • Via a web-based interface [ SSL ] • Pam / Gina / Login [ TGT or SSL ] • Standalone program [ TGT (or SSL) ] • Leave it up to application [ TGT (or SSL) ]

  11. Obtaining User Certificate via Web (Netscape) Web server / CA Netscape Browser User selects URL ID and password?? ID and password Verify identity keyGen Generate key pairand store keys Public Key • Lookup full name • Lookup Entity ID • Generate and • Sign Certificate Signed Certificate Store Certificate

  12. Obtaining User Certificate via Web (IE part 1) Web server / CA Internet Explorer Browser ieReq.pl User selects URL Send a VBScriptasking for user’s unique ID ID ??

  13. Obtaining User Certificate via Web (IE part 2) Web server / CA Internet Explorer Browser ieGenReq.pl ID (uniqname) • Lookup full name • Lookup Entity ID • Generate VBScriptto create key pairand PKCS #10request password ?? Run VBScript togenerate key pairand PKCS #10 request

  14. Obtaining User Certificate via Web (IE part 3) Web server / CA Internet Explorer Browser password +PKCS #10 ieTreatReq.pl • Check password • Generate certificate and wrap it in PKCS #7 format • Generate VBScript to accept PKCS #7 PKCS #7 Run VBSript toaccept PKCS #7 Phew! Done!

  15. Obtaining User Certificate via Standalone Pgm (Netscape) Certificate Authority Client Machine public key • Lookup full name • Lookup Entity ID • Generate and signcertificate getcert signed certificate keyutil certutil key3.db cert7.db Orange lines imply Kerberized exchange

  16. Obtaining User Certificate via Standalone Program (IE) Certificate Authority Client Machine Use OpenSSL togenerate key pair public key • Lookup full name • Lookup Entity ID • Generate and signcertificate signed certificate • Store key pair • Store certificate

  17. Storing the Certificates • How to destroy the certificates after use? • NT 4.0 w/SP3 and later has special storage classes that lives only for the life of a login • Make use of Kerberos credential storage? • Internet Explorer vs. Netscape

  18. Problems • Documentation - Flood or Drought • Macintosh support lags other platforms

  19. Current Status • Internet Explorer (Windows only) looks promising • Netscape (Windows, Solaris) do-able but not clean • Macintosh support does not currently look promising for either browser

  20. References • This presentation: • http://www.citi.umich.edu/u/kwc/Presentations/X509June1999 • OpenSSL: • http://www.openssl.org/ • Netscape Security Services: • http://home.netscape.com/nss/v1.2/index.html • Microsoft CryptoAPI: • http://www.microsoft.com/security/tech/CryptoAPI/default.asp

  21. ?? Questions / Discussion ??

More Related