Public Key Infrastructure for a Higher Education Environment

Transcription

1 Public Key Infrastructure for a Higher Education Environment Eric Madden and Michael Jeffers 12/13/2001 ECE 646 Agenda Architectural Design Hierarchy Certificate Authority Key Management Applications/Hardware Windows 2000 Implementation Active Directory Service Certificate Services PKI-Enabled applications Questions 12/13/01 2 1

2 Architectural Design - Hierarchy Root Certificate Authority College of Business College of the Arts Finance College of Sciences College of Agriculture College of Engineering Administration Support Services 12/13/01 3 Architectural Design - Hierarchy University Functional Hierarchy Special Requirements Finance Administration Support Services 12/13/01 4 2

3 Architectural Design - CA Root Certificate Authority Subordinate Certificate Authority Certificate Repository 12/13/01 5 Architectural Design - Key Management Key Creation Size Expiration Registration Renewal Revocation Client Key Store 12/13/01 6 3

4 Architectural Design - Applications/Hardware Supported Applications Secure IPSec Secure Web Signatures Supported APIs Supported Hardware Tokens Smart Cards 12/13/01 7 Primary Components Within Windows 2000 using PKI Active Directory Service Certificate Services PKI-Enabled Applications 12/13/01 8 4

5 Active Directory Service Installed Root (CA) & Certificate Repository Servers LDAP Provides Access/Updates from the Root (CA) to Certificate Revocation List (CRL) Provide Interface for Client Users for Retrieving Certificates Use Security Group Policies to Compile components that make up the PKI 12/13/01 9 Certificate Services Provide Audit Procedures for the Root (CA) Server Displays the Certificate Services log and database Revoking Issued Certificates Configures the Certificate Authority Initial Stage Setup Designs Certificate Templates using X.509 v3 Creates Certificate Revocation Lists (CRLs) and Updates changes made to the Certificate Repository Stores the Root (CA) public Keys 12/13/

6 PKI-enabled applications Secure application Exchange Key Management Service (KMS) Configured using Exchange Server KMS database is used to store copies of the session keys and certificates First Time Users requested X.509 certificate from the Root (CA) for key Encryption and Decryption of S/MIME Messages handled by S/MIME client, not the server 12/13/01 11 Secure Web Communications Provides Secure Web Access SSL-Server Authentication used to Confirm the Root CA s identity SSL-Client Authentication is used to allow the User s identity Supports the various types of FIPS-140 Algorithms Operates between Transport & Session Layers 12/13/

7 PKI Implementation Design Certification Repository Root Certification Authority (CA) Network Client User s 12/13/01 13 Questions Questions??? 12/13/

8 Primary Components Within Windows 2000 using PKI Active Directory Service Certificate Services PKI-enabled applications 12/13/01 15 IPSec Provides Secure Protocols for Application Traffic between the users and the Root (CA) Uses Active Directory to Provide a Secure Environment for Group Policy assignments and Distribution IPSec Policy is created by the Root (CA) and Stored within Active Directory 12/13/

9 Smart Cards Provides the PKI User s a Tamper-Resistant Storage Device for Storing the Following: Private Keys for PKI Digital Signatures Key Exchanges Secure Session keys Resource Manager is Responsible for Controlling all Application Access Interfaces to the System using RS-232 Port, PS/2, PCMCIA, and USB Port 12/13/01 17 Encrypting File System Uses CrytoAPI Architecture in Windows 2000 Uses Random-Generated Key (Separate from the Public/Private Keys) for encrypting selected files within Window s Explorer Directory 12/13/

10 PKI Standard API CryptoAPI 1.0 Provides Pre-Written Public and Private Key Services. CryptoAPI 2.0 Provides Certificate Handling Services Gets related information about the requested Certificate from Active Directory Certificate Store SSPI Allows Developer s to use Windows Network Security Services 12/13/