Certificates in a Nutshell. Jens Jensen, STFC Leader of EUDAT AAI TF

Similar documents
Federated Authentication and Credential Translation in the EUDAT Collaborative Data Infrastructure

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Federated Identity Management for the EUDAT Data e-infrastructure

PKI: Public Key Infrastructure

GT 6.0 GSI C Security: Key Concepts

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Trusted Certificate Service (TCS)

Digital Certificates Demystified

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

GRID COMPUTING Techniques and Applications BARRY WILKINSON

Savitribai Phule Pune University

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

IGI Portal architecture and interaction with a CA- online

GSI Credential Management with MyProxy

UNDERSTANDING PKI: CONCEPTS, STANDARDS, AND DEPLOYMENT CONSIDERATIONS, 2ND EDITION

CS 356 Lecture 28 Internet Authentication. Spring 2013

HMRC Secure Electronic Transfer (SET)

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015

Trusted Certificate Service

Certificate Policy and Certification Practice Statement CNRS/CNRS-Projets/Datagrid-fr

Key Management and Distribution

Public Key Infrastructure

Certification Practice Statement

Globus Toolkit: Authentication and Credential Translation

Key Management Interoperability Protocol (KMIP)

Introduction to Network Security Key Management and Distribution

SwissSign Certificate Policy and Certification Practice Statement for Gold Certificates

NIST PKI 06: Integrating PKI and Kerberos (updated April 2007) Jeffrey Altman

SWITCHaai Metadata CA. Certificate Policy and Certification Practice Statement

Part III-a. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

7 Key Management and PKIs

CMS Illinois Department of Central Management Services

Public Key Infrastructure (PKI)

Using the MyProxy Online Credential Repository

TR-GRID CERTIFICATION AUTHORITY

TR-GRID CERTIFICATION AUTHORITY

An Introduction to Cryptography as Applied to the Smart Grid

Chapter 10. Cloud Security Mechanisms

Asymmetric cryptosystems fundamental problem: authentication of public keys

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

Netzwerksicherheit Übung 6 SSL/TLS, OpenSSL

Securing Service Access with Digital Certificates Best Practice Document

Registration Practices Statement. Grid Registration Authority Approved December, 2011 Version 1.00

SecureAuth Authentication: How SecureAuth performs what was previously impossible using X.509 certificates

ESnet SSL CA service Certificate Policy And Certification Practice Statement Version 1.0

PKI Made Easy: Managing Certificates with Dogtag. Ade Lee Sr. Software Engineer Red Hat, Inc

CSE543 - Introduction to Computer and Network Security. Module: Public Key Infrastructure

HKUST CA. Certification Practice Statement

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

Business Issues in the implementation of Digital signatures

End User Encryption Key Protection Policy

Security Model in E-government with Biometric based on PKI

AllSeen Summit 2015: IoT: Taking PKI Where No PKI Has Gone Before Presented by: Scott Rea DigiCert Sr. PKI Architect ALLSEEN ALLIANCE

THE RSA ROOT SIGNING SERVICE Certification Practice Statement For RSA Certificate Authorities (CAs) Published By: RSA Security Inc.

Abstract. 1. Introduction. Ohio State University Columbus, OH

Key Management and Distribution

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

National Certification Authority Framework in Sri Lanka

Message authentication and. digital signatures

How To Make A Trustless Certificate Authority Secure

apple WWDR Certification Practice Statement Version 1.8 June 11, 2012 Apple Inc.

Public Key Infrastructure. A Brief Overview by Tim Sigmon

Salesforce1 Mobile Security Guide

Kerberos and Active Directory symmetric cryptography in practice COSC412

Trustwave Holdings, Inc

Enterprise Access Control Patterns For REST and Web APIs

An Online Credential Repository for the Grid: MyProxy

EMI Security Architecture

Direct Issuance of Proxy Certificate on P-GRADE Grid Portal Without Using MyProxy

Security & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173

NIST ITL July 2012 CA Compromise

Evaluation of Certificate Revocation in Microsoft Information Rights Management v1.0

TOPIC HIERARCHY. Distributed Environment. Security. Kerberos

Malaysian Identity Federation and Access Management Certification Authority Certificate Policy and Certification Practice Statement

Equens Certificate Policy

PKI : state of the art and future trends

VeriSign Trust Network Certificate Policies

Authentication Application

A Standards-based Approach to IP Protection for HDLs

Department of Defense PKI Use Case/Experiences

ARTL PKI. Certificate Policy PKI Disclosure Statement

Overview. SSL Cryptography Overview CHAPTER 1

Rights Management Services

Trust Service Principles and Criteria for Certification Authorities

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Transcription:

Certificates in a Nutshell Jens Jensen, STFC Leader of EUDAT AAI TF

In a nutshell... Mature, Robust, Ubiquitous Have been around for decades Interoperable supported by every OS, every language Used everywhere (e.g. e-commerce, banking) Very, very, secure... if done right! Two factor authentication Something you have Something you know... don t get distracted by the technical and implementation details

In a nutshell... A certificate is an authoritative timely assertion of the association of a public key with an identity Where the identity is a global name and a description of what it is or more precisely what it can do

Public Key Cryptography Two halves of key: Public can be shared with everyone (usually) Private secret, must be protected Need to link public key to identity In a PKI, this is the role of the CA (hierarchy)... done with the certificate (Contrast PGP with its anarchy) Zero knowledge proof Prove possession of the private key Without revealing it ( NP

Asymmetric Cryptography If E is encrypt (encode with public key) And D is decrypt (encode with private key) Then E(D(x)) = x = D(E(x)) Except for pathological cases And E contains (almost) no information about D Depends on maths Slower than symmetric key encrypt/decrypt Use E, D, to agree symmetric key

Anatomy of a certificate Public Key ABCDEFGHIJKLMNOPQRSTUV A text string Validity Data Signature from CA s private key Extensions X.509: original specification for certificates

How a Certificate is Issued Create key pair (public, private)

How a Certificate is Issued Create CSR: certificate signing request

How a Certificate is Issued Submit request to a Certification Authority

How a Certificate is Issued Persuade the CA to bless the certificate (via a Registration Authority)

How a Certificate is Issued The certificate is issued by the Authority

How a Certificate is Issued By personal contact with Registration Authority Or linking identity management system to CA Shib X.509 (e.g. UK) Kerberos X.509 (e.g. FNAL) Or certificates can be issued to a community Sometimes... Shared certificate, e.g. via a portal Lower level of assurance (usually) Restrict user actions via portal (= policy)

What Are Certificates Used For? Authentication Identifying the entity at the end of a remote connection Ensuring that it is the same entity every time Digital signatures (/electronic signatures) Non-repudiation (maybe) Code signing Timestamping services Encryption short time, short messages E.g. signed email (S/MIME) Robots (Grid) automated agents acting for user

Timeliness of Information Re-check at renewal/rekey End of certificate lifetime Revoke if compromised Certificate revocation lists take a while to get distributed (~hours) OCSP slowly increasing use Circumstances for revocation Compromise of private key urgent! Certificate no longer needed Information no longer correct

Timeliness of Information CA long lived certificates 3-20 years Are they secure on this timescale? End entity Long lived certificates (1-3 years) Identity doesn t change (often) Separate authentication and authorisation Authorisation is short lived... End entity SLCS Conventionally (=grid) up to 1 Ms Could contain authorisation information (cf proxies)

Signatures: Current Issues MD5 based signatures vulnerable/broken SHA1 based signatures increasingly vulnerable SHA2 secure but not widely supported Naming UTF-8 in common names (from printablestring) Using string representations of names Good enough software

Delegating Certificates Getting credentials to some remote entity... Globus approach (GSI, RFC 3820) Proxy certificates MyProxy glite (EMI) delegation API mod_gridsite Contrail: use OAuth2 OGF working group: IDEL-WG

Delegating with GSI proxies CA User Proxy AC... greatly simplified Private key never crosses the network VOMS uses attribute certificates (RFC 3281) User certs are not allowed to sign other certs Hack for Globus, using name restr. How to interpret multiple VOMS extn s OGF VOMSPROC-WG VOMS can also embed SAML

A CA certificate Anatomy of a CA Which signs users (or rather end entities) certificates A certificate policy A certification practices statement Infrastructure Archive User Support Handling notifications Audits, compliance, certification

All need to trust the CA Community View (or rather each other s CAs) Occasional rekeys and rollover New certificates, same names Invalidates old signatures Only names are persistent Naming: X.500 And domaincomponents (RFC 2247) /DC=eu/DC=eudat/DC=federation/CN=jens jensen

Infrastructure CAs: CAs for EUDAT Reuse the ones for grids IGTF (www.igtf.net), NRENs (www.terena.org) Browser-facing certificates Comodo via Terena Personal certificates EUDAT-internal CA Hide from users Use external identity assertions and attributes

2 2 OpenID Shib SSPhp Username /password CA DB Web Fed Services

Certificates in EUDAT Demonstrators in Stockholm Reusing Contrail portal Challenge: integrate with user portals Need to distribute CA certificates Trusted repositories (compare web browser)

Further Experimenting Get your browser to save a remote certificate Or inspect - Experimenting with certificates OpenSSL openssl x509 text noout in cert.pem openssl ca in req.pem out cert.pem openssl asn1parse i in cert.pem

Certificate profile Further Reading RFC 5280 GFD.125 (soon to be updated) Want to know more about CAs? RFC 3647 Delegation...

In a nutshell... Mature, Robust, Ubiquitous Have been around for decades Interoperable supported by every OS, every language Used everywhere (e.g. e-commerce, banking) Very, very, secure... if done right! Two factor authentication Something you have Something you know

Questions, Comments,... jens.jensen<>stfc.ac.uk

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information