Update of the Certification Authority project
Download
Report
Transcript Update of the Certification Authority project
APNIC Open Policy Meeting
SIG: Whois Database
October 2000
APNIC Certificate Authority
Status Report
ASIA PACIFIC NETWORK
INFORMATION CENTRE
APNIC CA Project
Part 1
APNIC CA project
Benefits and costs
Project plans
Future developments
References
Part 2 (if requested)
Cryptography and PKI Overview
ASIA PACIFIC NETWORK
INFORMATION CENTRE
APNIC CA - Why?
In response to
Membership concern for greater security
Confidential info exchange with APNIC
Is my database transaction secure?
Whose prefixes do you accept?
Internet community interest in security, PKI,
digital certificates
e.g. rps-auth
IETF working group: PKIX
ASIA PACIFIC NETWORK
INFORMATION CENTRE
APNIC CA - Overview
Certificate issued to APNIC member
Corresponds to Membership of APNIC
Provides uniform mechanism for all security
needs:
Encryption and signature of email with APNIC
Authentication of access to APNIC web site
Secure maintainer mechanism for APNIC database
Future authorisation mechanism for Internet
resources
Authentication of resource custodianship
ASIA PACIFIC NETWORK
INFORMATION CENTRE
APNIC CA - Benefits/Costs
Benefits
Uniform industry-standard mechanism for “single
password” security, authentication and authorisation
Strong public key cryptography, end-to-end
Costs
Server and client software
Change to current procedures
New policies
Establishment: software purchase and/or development
ASIA PACIFIC NETWORK
INFORMATION CENTRE
APNIC CA - Roadmap
ASIA PACIFIC NETWORK
INFORMATION CENTRE
APNIC CA - Timeline
Scoping project
Oct 1999 - Jan 2000
Phase 1
Apr – Nov 2000
Phase 2
Jan – Jun 2001
ASIA PACIFIC NETWORK
INFORMATION CENTRE
APNIC CA - Scoping Project
October 1999 - January 2000
Objectives
Analyse impact of introducing PKI
Provide focus for discussions
Raise awareness of PKI in general
Conclusions
Significant benefits for members’ security
Growing standards support for PKI
See: http://www.apnic.net/ca
ASIA PACIFIC NETWORK
INFORMATION CENTRE
APNIC CA – Phase 1 Timeline
Requirements Document
April – May
Programming and Testing May – Sep
Initial deployment
ASIA PACIFIC NETWORK
Sep - Nov
INFORMATION CENTRE
APNIC CA – Phase 1
April – November 2000
Deliverables
Selection of CA software
Procedures for issuance and revocation of
Identity certificates to members
Policies for use of APNIC Certificates
Issue trial certificates at APNIC Meeting
October 2000
Risk Analysis
ASIA PACIFIC NETWORK
INFORMATION CENTRE
CA Software
CA Architecture based on OpenCA
OpenCA uses OpenSSL for PKI API
Apache-SSL with OpenSSL
APNIC developed client certificate layer
Supported Clients:
Netscape 4.x Navigator and Messenger
Microsoft [4|5].x Internet Explorer
Microsoft 5.x Outlook and Outlook Express
Any client using OpenSSL 0.9.[5|6] toolkit
ASIA PACIFIC NETWORK
INFORMATION CENTRE
Certificate Issuance Workflow
APNIC
Certificate
Authority
APNIC
Member
Online Certificate
Request
RA Verifies
and Signs
request
APNIC
Member
Offline Identity
Confirmation
Member downloads certificate
into browser or mail client
ASIA PACIFIC NETWORK
RA makes certificate available
for download
and notifies member
INFORMATION CENTRE
CA signs request
creating certificate
CA Architecture
DMZ
Internal Network
Offline
Member’s
Browser
Registration
Authority
Certificate
Authority
Low trust
Medium trust
High trust
ASIA PACIFIC NETWORK
INFORMATION CENTRE
Certificate Policy Statement (CPS)
Draft CPS available for download at:
http://www.apnic.net/ca
Member feedback welcome
Once completed CPS will be handed to Executive
Council for final approval
Future certificates will be issued under this CPS
NOTE: Certificates issued this week as part of
pilot testing are NOT issued under this CPS
ASIA PACIFIC NETWORK
INFORMATION CENTRE
APNIC CA – Phase 2
January – June 2001
Deliverables
Browser and deployment issues analysis
Certificates used for website access control
Prototype X509 certificates in whois database
Strong encryption for member correspondence
Trial issuance of Attribute Certificates with
resource allocation
ASIA PACIFIC NETWORK
INFORMATION CENTRE
APNIC CA - Future
Generalised CA function
APNIC Certificates may be used for general
purposes
Requires tight policy and quality framework for
APNIC certificates to be trusted
Hierarchical certification
APNIC Members may use their certificates to
certify their own members or customers
May be applicable for ISPs and NIRs
ASIA PACIFIC NETWORK
INFORMATION CENTRE
APNIC CA - Future
Public Key Certificates
X.509 certificate linking a Public Key to an
identity, issued by CA
Attribute Certificates
X.509 certificate linking Attributes to an identity,
issued by CA or other authority
Provides authorisation, rather than
authentication, information
Not yet widely deployed or supported
ASIA PACIFIC NETWORK
INFORMATION CENTRE
APNIC CA - Consultation
Mailing list open after Apricot2000
[email protected]
http://www.apnic.net/wilma-bin/wilma/pki-wg
Further developments
See: http://www.apnic.net/ca
ASIA PACIFIC NETWORK
INFORMATION CENTRE
APNIC CA - Documents
IETF PKIX drafts:
draft-ietf-pkix-roadmap-04.txt
“Internet X.509 Public Key Infrastructure PKIX Roadmap”
draft-clynn-bgp-x509-auth-01.txt
“X.509 Extensions for Authorization of IP Addresses AS
Numbers, and Routers within an AS”
draft-ietf-pkix-ac509prof-01.txt
“An Internet Attribute Certificate Profile for Authorization”
http://www.ietf.org/html.charters/pkix-charter.html
ASIA PACIFIC NETWORK
INFORMATION CENTRE
Questions?
ASIA PACIFIC NETWORK
INFORMATION CENTRE
APNIC Open Policy Meeting
October 2000
Part 2
PKI Overview
ASIA PACIFIC NETWORK
INFORMATION CENTRE
Cryptography - Terms
Public key cryptography
Cryptography technique using different keys for
encoding and decoding messages
Keypair
Private key and public key, generated together,
used in public key cryptography
Encryption/Decryption
To encode/decode a message using a public or
private key
ASIA PACIFIC NETWORK
INFORMATION CENTRE
Public Key Cryptography
- Encryption
Retrieve Public Key
Keypair
Encrypted
Message
Message
Encrypted
Message
Message
Transmit
Encrypt
ASIA PACIFIC NETWORK
Decrypt
INFORMATION CENTRE
Public Key Cryptography
- Encryption
Retrieve Public Key
Keypair
“Signed”
Message
Message
“Signed”
Message
Message
Transmit
Encrypt
ASIA PACIFIC NETWORK
Decrypt
INFORMATION CENTRE
Public Key Cryptography
- Digital Signature
Keypair
Signed
Message
Message
Assemble
Hash
Digest
Encrypt
ASIA PACIFIC NETWORK
Signature
INFORMATION CENTRE
Public Key Cryptography
- Digital Signature
Retrieve Public Key
Message
Signed
Message
Digest
Valid?
Signature
ASIA PACIFIC NETWORK
Decrypt
INFORMATION CENTRE
Digest
PKI - Terminology
Public Key Infrastructure (PKI)
Administrative structure for support of public
key cryptography
Public Key Certificate (Digital Certificate)
Document linking a Public Key to an identity,
signed by a CA, defined by X.509
Certificate Authority (CA)
Trusted authority which issues digital
certificates
ASIA PACIFIC NETWORK
INFORMATION CENTRE
Digital Certificates
A digital certificate contains:
Identity details
eg Personal ID, email address, web site URL
Public key of identity
Issuer (Certification Authority)
Validity period
Attributes
The certificate is signed by the CA
ASIA PACIFIC NETWORK
INFORMATION CENTRE
Digital Certificate - Example
Certificate ::= SEQUENCE {
tbsCertificate
signatureAlgorithm
signature
}
TBSCertificate,
AlgorithmIdentifier,
BIT STRING
TBSCertificate ::= SEQUENCE {
version
serialNumber
signature
issuer
validity
subject
subjectPublicKeyInfo
issuerUniqueID [1]
subjectUniqueID [2]
extensions
[3]
}
ASIA PACIFIC NETWORK
[0]
EXPLICIT Version DEFAULT v1,
CertificateSerialNumber,
AlgorithmIdentifier,
Name,
Validity,
Name,
SubjectPublicKeyInfo,
IMPLICIT UniqueIdentifier OPTIONAL,
IMPLICIT UniqueIdentifier OPTIONAL,
EXPLICIT Extensions OPTIONAL
INFORMATION CENTRE
Digital Certificate - Lifecycle
Key Pair Generated
Certificate Issued
Recertify
Certificate valid
and in use
Certificate Expires
Keypair Expired
ASIA PACIFIC NETWORK
INFORMATION CENTRE
Private Key
compromised
Certificate
Revoked